Wednesday, November 28, 2007

Slovak News Agency Reports That Smuggled Enriched Uranium Has Been Seized in Operation in East of Country

Slovak and Hungarian police have seized a kilo of radioactive material and arrested three people in a joint operation on 28 November, according to a report in the Irish Times.

Slovak police spokesman Martin Korch said the material was being examined and did not confirm a report carried by the Slovak news agency SITA that it was enriched uranium. "This one kilogramme should have been sold for $1 million US dollars," spokesman Martin Korch said. The spokesman said the police raid took place along the eastern part of the two central European countries' common frontier, near their borders with Ukraine. "Three people have been taken into custody, two in Slovakia, one in Hungary," he said. "Further information will be provided tomorrow."

Enriched uranium can be used either as fuel for nuclear power stations or in nuclear warheads.

For an informative report on the smuggling of nuclear material, including case studies, contact David.
Click here to learn more about the potential effects of a crude radioactive dispersal device.

Handhelds, Laptops Increase IT Security Worries, Survey Finds

The increasing mobility of workers is creating big security headaches for information technology staffers, according to a new report. Portable devices, especially personal digital assistants and laptop PCs, are the leading concern, the Computing Technology Industry Association (CompTIA) found in its study, released Nov. 5.

Approximately 60 percent of the organizations surveyed said security issues related to the use of handheld devices for data access and transfer have increased during the past 12 months.

Organizations that do not train their mobile workers in security fundamentals are doing themselves a great disservice. Nearly 90 percent of organizations that have implemented awareness training for remote and mobile workers believe that the number of security breaches they’ve encountered has been reduced.

Read on here.

To discuss information security awareness seminars and workshops for your staff, please contact Janet.

How to Terror-Proof Shopping Centres and Other Buildings (According to BBC News)


Cannons to stop potential vehicle bombs in London?

Technology that screens people walking into airports, to tell in a split second whether an individual carries explosives or traces of explosives?

Protective water walls that spring up from the pavement?

Click here for more.

Security Management Training


This week has seen the 16 delegates attending the university-accredited Security Management Stage 1 Course move into the more intensive period of the training programme.

While week one focussed on the core issues of security risk management, security operational management and physical security design, week two has included a day-long workshop on Protection against Explosive Devices, Crisis Management, Special Event Security, Security Investigations, Drug and Alcohol Misuse, and Leadership.

In addition, delegates have been engrossed in a detailed security design project, which will culminate in simulated management presentations on Friday.

The next Security Management Stage 1 Course takes place 31 March – 11 April 2008. Contact Janet for details.

Insider Fraud - The Enemy Within

Some key findings of Experian’s latest report into insider fraud:

Of 127 organisations surveyed by CIFAS, the UK's fraud prevention service, only two had not experienced insider fraud.

Organised criminal gangs are increasingly involved in cases of insider fraud. Their activities include convincing or coercing existing employees to act on their behalf, or infiltrating the organisation with an inside person, often a temporary worker. They are particularly interested in compromising the organisation’s customers.

Criminals have been known to hang around pubs and cafes near target organisations seeking disgruntled employees, while ‘smoke free’ legislation has had the unfortunate effect of providing gangs with the opportunity to target staff taking cigarette breaks on the street.

The lack of employee recruitment checks and controls in some organisations lies at the heart of the employee fraud problem. The research showed the importance of companies ensuring that the checks they carry out on potential employees are more rigorous than those they undertake when opening new accounts for customers.

The full report can be downloaded here.

Tuesday, November 27, 2007

"MI5 - Not Nine to Five"

The BBC has been given unprecedented access to speak to real spies about their jobs. Click here to read more.

Monday, November 26, 2007

Laptop Theft - A Recovery Solution?

Millions of people worldwide have had their data potentially compromised by laptop thefts in recent months. It is now impossible to ignore the growing identity theft crisis, much of it caused by laptop thefts from high profile corporations, government agencies, universities and healthcare institutions.

A multi-layered security strategy is required to protect computer hardware and the data on it. With a few proactive data security steps, organizations can avoid the potential lawsuits, fines, public scrutiny and loss of business that a lost or stolen computer can cause.

Over 97% of stolen laptops are never recovered, but Absolute Software have come up with what seems to be a reasonable solution, by configuring laptops so that, if stolen, they broadcast their location as soon as they are reconnected to the Internet, allowing law enforcement to take action to recover the equipment.

Absolute Software’s site provides some useful general tips for better laptop security. Click here.

Can You Trust Your Security Guards?

Two Australian pilots were found handcuffed to a tree in a Papua New Guinea swamp last week after their plane was hijacked by the plane's security guard, who made off with millions of dollars in cash, police said on Tuesday.

The pilots were flying two million dollars in cash from the capital Port Moresby to a bank in Western Province on Monday when the two security guards accompanying them pulled out their guns and demanded they land.

Don’t Give Away Your Most Secret Company Data

To be absolutely sure that there is no data left on your hard drives when they are disposed of, your IT Department needs to do more than just reformat the drives, as there is plenty of software available on the internet that can recover files from reformatted drives.

Luckily, there are also plenty of programs available on the internet which can cleanse drives of all data, in accordance with US Department of Defense Standard 5220.22-M, which stipulates what is called a “low level format”.

If you are in the UK, don't exclude the possibility that, following the HMRC scandal, investigative journalists may try to target old hard drives your organization disposes of, with the aim of exposing you by recreating customer data.

Read how to destroy data beyond recovery at:

http://www.pcworld.com/article/id,110338/article.html

http://www.techsoup.org/learningcenter/software/page5726.cfm

However, the simpler option may be to use a physical destructor!
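The difference between a reformat and a proper wipe can be seen in a few lines of code. The Go program below is an added illustration written for this page, not a tool from the post or from ARC Training: it holds a constructed 4 KiB "disk image" in memory, treats its first 512 bytes as the file-system metadata (a simplification assumed here), shows that a quick format rewriting only that metadata leaves the customer record findable by a raw byte scan (which is all recovery software does), and then shows that a three-pass overwrite of the kind the post associates with DoD 5220.22-M removes it and can be verified.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
)

// Size of the region that stands in for file-system metadata (boot sector,
// allocation table) in the simulated image. Constructed for this example.
const metadataSize = 512

// sampleRecord is a constructed piece of "customer data" written to the image.
var sampleRecord = []byte("CUSTOMER: Jane Example, account 00012345, balance 12000.00")

// newImage builds a small in-memory stand-in for a hard drive: a metadata
// region followed by the raw bytes of one file.
func newImage() []byte {
	img := make([]byte, 4096)
	copy(img[metadataSize:], sampleRecord)
	return img
}

// quickFormat does what a reformat does to the data: it rewrites only the
// metadata region. The file's bytes stay on the platter, merely unreferenced.
func quickFormat(img []byte) {
	for i := 0; i < metadataSize && i < len(img); i++ {
		img[i] = 0
	}
}

// recoverable scans the raw bytes the way recovery (file-carving) software
// does, ignoring the metadata entirely.
func recoverable(img []byte) bool {
	return bytes.Contains(img, sampleRecord)
}

// overwriteThreePass overwrites every byte three times (zeros, ones, random),
// the pattern commonly associated with the DoD 5220.22-M wipe the post cites.
// On a real drive the same passes are issued to the block device, not a file.
func overwriteThreePass(img []byte) error {
	for i := range img {
		img[i] = 0x00
	}
	for i := range img {
		img[i] = 0xFF
	}
	_, err := rand.Read(img)
	return err
}

// verifyWiped reads the image back and confirms the record cannot be carved
// out; a real wipe procedure should always end with a verification read.
func verifyWiped(img []byte) bool {
	return !recoverable(img)
}

func main() {
	img := newImage()
	fmt.Println("before anything, record recoverable:", recoverable(img))
	quickFormat(img)
	fmt.Println("after quick format, record recoverable:", recoverable(img))
	if err := overwriteThreePass(img); err != nil {
		fmt.Println("overwrite failed:", err)
		return
	}
	fmt.Println("after 3-pass overwrite, wiped:", verifyWiped(img))
}
```

Run it with `go run`. On flash-based media (SSDs, USB sticks) wear-levelling means an overwrite may not reach every cell, which is one reason the physical destructor mentioned above remains the safest option for such drives.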

Before Selecting Antiterrorism or Anti-Ramraiding Vehicle Blockers.....


Vehicle blockers are used to protect against both moving vehicle bombs and ramraiders. Specifications for blockers vary, and their strength will depend on a number of factors, including the materials used, the method of manufacture and the way in which they are mounted. The type of barrier (e.g. bollard, beam, rising wedge) is a less reliable indicator of stopping power.

In the US, anti-terrorism barriers should conform to the “K” rating appropriate to the design threat reference determined for a specific facility. “K” ratings are indicated in the ARC Training slide above.

In the UK, Publicly Available Specification (PAS) 68 has been prepared to address the needs of organizations that wish to have assurance that vehicle blockers will provide the level of impact resistance they seek. The standard has been developed because of the need for a comparative means of assessing the performance of the many different types of vehicle barriers now available.

PAS 68:2007 specifies a classification system for the performance of vehicle security barriers and their supporting foundations when subjected to a single horizontal impact. The standard gives three alternative assessment methods for determining the performance classification of vehicle security barriers:

* The vehicle impact method
* The pendulum method (only suitable for testing bollards at lower energy levels)
* The design method.

PAS 68 identifies impact test tolerances and vehicle performance criteria that need to be met in order to conform to it. Design guidance is provided in PAS 69:2006.

Two Former Heads of Security for Leading UK Retailers Launch Retail and Supply Chain Security Management Training Course

Two former heads of security with UK based retailers are combining with ARC Training International Limited to deliver a training programme for retail and supply chain security managers.

Barry Vincent MSc and Mike Goodman MSc, both now consultants, are to offer a training programme to upskill security managers in retail, or those with a non-security background who have found themselves leading teams to address security and related issues. The course will also provide a grounding for security providers who seek to better understand the market in which they are trying to sell their products and services.

The 3-day Retail and Supply Chain Management Course will take place 2-4 June 2008. For more details contact Janet.

For the full story, published in Professional Security, click here.

Get Your Business Contingency and Continuity Plans in Order Now – Nuclear Attack Inevitable, Warns Scottish Police CBRN Chief

Get Your Business Contingency and Continuity Plans in Order Now – Scottish Police CBRN Defence Chief Issues Bleakest Ever Official Warning of the Inevitability of a Terrorist Nuclear Attack.

A nuclear attack by terrorists causing widespread panic, chaos and death is inevitable and will happen soon, a senior Scottish police officer has warned in a report published by the Scottish Sunday Herald.

Ian Dickinson, who leads the police response to chemical, biological and nuclear threats in Scotland, has painted the bleakest picture yet of the dangers the world now faces. Efforts to prevent terrorist groups from obtaining materials that could be made into radioactive dirty bombs - or even crude nuclear explosives - are bound to fail, he said. And the result will be horror on an unprecedented scale.

Dickinson's nightmare analysis was backed up by Dr Frank Barnaby, a nuclear consultant who used to work at the Aldermaston Atomic Weapons Establishment in Berkshire. "The amazing thing is that this hasn't happened already," he told the Sunday Herald. "We should expect it any minute. It's an obvious thing for a terrorist to do. A primitive nuclear explosion would simply eliminate the centre of a city like Glasgow or Edinburgh."

Richard Hoskins, from the International Atomic Energy Agency's Office of Nuclear Security in Vienna, revealed that there had been 1266 confirmed incidents in which radioactive materials had been stolen or lost around the world since 1993.

"As the terrorists look for the next spectacular attack, we know that al-Qaeda in Iraq is calling on nuclear scientists to join in the jihad," said William Nye, director of counter-terrorism and intelligence at the Home Office in London.

For the text of the full Sunday Herald report click here.

Sunday, November 25, 2007

Spring on the Island of Love?


The 5-Star luxury Elysium Resort Paphos, Cyprus, will be the venue for the next Security Surveying and Design Course, 11-15 March 2008, conducted by Peter Horsburgh CPP PSP. This is an ideal venue to bring along the family for a relaxing break.

If you can’t make this course, Peter will be conducting a further Security Surveying and Design Course in the UK, 21-25 April.

For further information and to reserve a place, please contact Janet.

For further information on the Elysium Resort click here, but first turn down the volume on your speakers!

Check Out the UK Security Standard for Your Specialism

An increasing number of security sector occupational standards, produced by Skills for Security, are now making their way onto the Skills for Business website. The standards are free to download, and are a good way to benchmark performance against a generic job description.

To access the security-related standards produced to date click here.

Majority of Information Security Budgets Now Under the Control of the IT Department, New Study Reveals

Organizations worldwide are investing in infrastructure but lagging in implementation, measurement and review of security and privacy policies according to the 5th annual Global State of Information Security Survey 2007, a worldwide study by CIO magazine, CSO magazine and PricewaterhouseCoopers.

The study, which is the largest of its kind, represents responses of 7,200 IT, security and business executives in more than 119 countries across all industries. The results show that India has made major gains since 2006 with information security practices and safeguards while China lags behind the rest of the world in almost all privacy safeguards.

Other findings show that IT is taking budgetary control in 2007, with the majority of information security budgets now coming directly from the IT department.

Read on here.

Terrorism and Energy Security

The Memorial Institute for the Prevention of Terrorism has some very useful freely downloadable publications, accessible by clicking on the link below:

http://www.mipt.org/terrorism/MIPT-Publications.asp

One, entitled Terrorism and Energy Security, makes a particularly interesting read. The report focuses not just on practical issues to secure the oil industry, but on the issue of energy security in general, which it defines as:

Energy security refers to the continued, reliable availability of such energy sources in sufficient quantities at reasonably stable and acceptable costs to importing countries and consumers. By implication, it also means the security of those infrastructures that lie between the point the energy is extracted and the consumer – pumps, pipelines, refineries, ships, trucks, storage tanks, gas stations, etc.

To download the Terrorism and Energy Security report click here.

Protecting Critical Infrastructure

In the late 1990s six members of the IRA were jailed for plotting to bomb six national grid electricity sub-stations. Had the attacks been successful, London would have suffered widespread loss of electricity for several months, and the damage to the UK economy would have been inestimable.

Historically, critical infrastructure has had a very physical feel – it could be seen. And physical security was usually the remedy to security threats. But now the protection of critical infrastructure has moved from defending “things” to defending “processes”. And many of the most potent threats have migrated to domains outside the traditional security management arena.

The US Government Accountability Office concludes: Critical infrastructure control systems face increasing risks due to cyber threats, system vulnerabilities, and the serious potential impact of attacks as demonstrated by reported incidents. Threats can be intentional or unintentional, targeted or non-targeted, and can come from a variety of sources including foreign governments, criminal groups, terrorists, and disgruntled organization insiders. Control systems are more vulnerable to cyber attacks than in the past for several reasons, including their increased connectivity to other systems and the Internet.

Critical infrastructure owners face both technical and organizational challenges to securing control systems, and significant security vulnerability exposures exist largely due to lack of user awareness of how easy it is for those with malicious intent to break into and take control of such systems.

Click here for a copy of a recent US Government report on the subject.

Friday, November 23, 2007

Pandemics - Bugs and Business Continuity

Latest news in bio security from the UK indicates that there may have been a further leak of 'foot and mouth' disease from a government laboratory. This disease causes devastation amongst livestock and is proving extremely difficult to control once established amongst animal populations.

Coincidentally, the UK health secretary has revealed plans to protect vulnerable people against an influenza outbreak this winter.

Pandemics such as bird flu can spread just as easily as foot and mouth and influenza and the potential effects can only be estimated at the moment.

You need to think about this - do you have a business continuity plan for pandemics or even bio-terrorism attacks? Perhaps you should...

Wednesday, November 21, 2007

Work-Based Learning Corporate Security Management MSc in Asia

Final preparations are underway for the forthcoming December Security Management Stage 3 Course in Bangladesh, hosted by BAT and Grameenphone. The course will be delivered by Phil Wood MBE CPP.

This will be the third of three security management courses held in Bangladesh, with many of the 14 participants working towards their MSc Work-Based Learning Studies (Corporate Security Management).

Upon completion of the SM3 course participants who have progressed through SM1 and SM2 will be half way to achieving their degree from Middlesex University, and will now progress to the final distance-learning stages.

For further information on security management training courses which lead to an MSc please contact Janet.

Security Consultancy an Increasingly Important Business for ARC Training

Since adding security consultancy to its portfolio of services just this year, ARC Training is about to embark on its fifth major project, this time for a global corporate HQ in mainland Europe.

Peter Horsburgh CPP PSP, who leads the Consultancy Division, is well qualified to deliver consultancy in a wide range of security management contexts. Having twice been head of corporate security, roles that required the management of complex projects, Peter is ARC’s lead trainer on the very popular 5-day Security Surveying and Design Course and also on the Physical Security Professional Certification (ASIS) course, designed to enhance managers’ abilities to specify security systems and manage the associated projects.

ARC can deploy an extensive range of consultants in a wide variety of security management specialisms. Contact David for more information.

Security Management Training Focus


The cheerful dispositions of the sixteen delegates currently attending Security Management Stage 1 are matched by their capacity for hard work.

Wednesday was spent studying Physical Security, and today will be a day-long workshop on Information and IT Security - a very hot topic in the UK at the moment following the recent HMRC data loss, which has been described as the biggest data security incident in history. The workshop, which is open to outside day delegates, will cover, among other things: how to secure data, how to manage peripheral storage devices and portable media, and means to encrypt sensitive data, especially before sharing with other parties!

Phil Wood MBE CPP, the course leader, is delighted with the delegates’ enthusiasm and standard of active participation. The first assessment milestone occurs on Friday, when syndicates have to apply their learning and present their detailed security risk assessments for the course project, Sumatran Tiger, based around a major expanding multi-billion dollar industrial project in South East Asia.

Then, the delegates get a well-deserved weekend rest, before returning for a very intensive final week.

Tuesday, November 20, 2007

University-Accredited Security Management Training in the UK

Sixteen delegates currently attending the postgraduate Security Management Stage 1 Course have spent the first three days engrossed in Security Risk Analysis, Security Operations Management and Security Design, three “bedrock” subjects for any successful security management programme.

One of the challenges presented during the Security Operations Management session was how to better integrate security into the business and get better business “buy-in”. Participants offered the following suggestions:

• Security needs to have strong representation and local, business-embedded points of accountability across the business. Security should not be seen as the sole remit of the security manager.
• The security management recruitment strategy should place high priority on recruiting those who have strong interpersonal and influencing skills.
• Education and awareness programmes and campaigns using a range of available means.
• Development of on-line security tools for specific use at business line level.
• Involving the business in security surveys, especially through interviewing.
• Speaking the language of business – "money" and "business growth".
• Offering personal security advice to employees, whether in an “on-duty” or “off-duty” context.
• Involving line managers in the risk assessment team, or having a cross-functional security risk management committee.
• Identifying a lead role for security managers in crisis management and contingency planning.
• Awareness of the need to “go the extra mile” to dispel stereotypical perceptions of the authoritarian “company cop”.

The course includes delegates from UK, Kuwait, Nigeria, Trinidad and Tobago, United Arab Emirates, Sudan, Qatar, Greece, Saudi Arabia and Oman, representing sectors as diverse as oil and gas, manufacturing, logistics, security printing, water utilities and shipping.

The next Security Management Stage 1 Course takes place 31 March – 11 April. Contact Janet for information and to reserve a place.

More than 50% of Computer Users Have Illegally Piggy-Backed onto Somebody Else’s Wi-Fi - Risking a 5 Year Prison Sentence!

More than half of all computer users in the UK have illegally logged onto somebody else’s wi-fi connection, according to the Sunday Times, despite this being a criminal offence under which anyone convicted could face a fine of £1000 and up to five years in prison!

Police regard wi-fi freeloading as a serious offence because IT intruders can download illegal pornography or hide their tracks when accessing sites that promote terrorism, without fear of being caught. The investigation trail invariably leads to the owner of the wi-fi connection, not the piggy-backing surfer.

In the US the first prosecution for wi-fi piggybacking occurred in 2005 when police arrested Benjamin Smith III in Florida. Later in the same year in the UK Gregory Straszkiewicz was fined £500 and given a 12-month conditional discharge after using a laptop to piggyback a residential wi-fi from his car in London. There have been ten subsequent arrests in the UK.

Unprecedented Data Loss Prompts Resignations - Don't Let This Happen to Your Organisation!

The Chairman of the UK Revenue and Customs has resigned following the loss, in an internal mail system, of two CDs containing confidential personal details of 25 million taxpayers.

This is the third high-profile data loss case concerning Revenue and Customs in recent weeks. In October another CD went missing, exposing customer details to identity theft. Revenue and Customs refused at that time to comment on whether the data was encrypted. Also in October, a laptop containing confidential customer data was stolen from an employee’s car, a type of incident which has recently been described by the UK Information Commissioner as “gross negligence” on the part of the laptop owner.

Do not jeopardise the job of your own CEO (and your own job!) by allowing this to happen in your organisation. Security safeguards are relatively straightforward to implement. For example, ensure that there are security protocols in place for identifying and labelling sensitive computer data, for downloading such data to portable media and for sharing and mailing it with outside agencies. At the very least, this should include 256-bit encryption of anything which could be deemed personal identity information.

Ensure, also, that all such information on laptops or employees’ home computers is protected with at least 256-bit encryption, which is relatively inexpensive.
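The 256-bit encryption called for here, and in the Information and IT Security Workshop description above ("means to encrypt sensitive data, especially before sharing with other parties"), in working form as an added example. This is not code from the page or from ARC Training; the sample records, the key-handling arrangement and the function names are assumptions made for the illustration. It uses AES-256 in GCM mode from the Go standard library: the records are encrypted before they are copied to the disc, the 256-bit key is sent by a separate channel, and the authentication tag means a disc altered in transit is rejected rather than silently decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample of the kind of personal data the post says must never
// leave the organisation unencrypted. These are not real records.
var sampleRecords = []byte("name,national insurance no,child benefit ref\nJ Example,AB123456C,CB-000001\n")

// newKey returns a fresh random 256-bit key. The key is what makes the disc
// useless to whoever finds it: it must travel separately from the disc (for
// example read out by telephone to the recipient), never in the same envelope.
func newKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes = 256 bits, i.e. AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// seal encrypts and authenticates plaintext with AES-256-GCM. A random nonce
// is prefixed to the output so the recipient can decrypt; GCM's tag means any
// modification of the sealed bytes is detected on opening.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal. It returns an error if the key is wrong or the sealed
// bytes were altered, so corrupted or tampered discs are never "decrypted".
func unseal(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	key, err := newKey()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	sealed, err := seal(key, sampleRecords)
	if err != nil {
		fmt.Println("encryption failed:", err)
		return
	}
	fmt.Printf("%d plaintext bytes -> %d bytes to write to the disc\n", len(sampleRecords), len(sealed))
	back, err := unseal(key, sealed)
	fmt.Println("recipient with the key recovered the records:", err == nil && string(back) == string(sampleRecords))
	sealed[len(sealed)-1] ^= 0x01 // simulate a disc altered in transit
	_, err = unseal(key, sealed)
	fmt.Println("tampered disc rejected:", err != nil)
}
```

The sealed bytes are what goes onto the CD or portable drive; the key file stays off that medium. A fresh key per disc keeps one lost key from exposing every disc ever sent.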

Security managers seeking to gain a greater understanding of information protection, laptop security and encryption may wish to attend the regular Information and IT Security Workshops, which are part of ARC Training’s Security Management Stage 1 Course. Forthcoming dates for the Information and IT Security Workshops are:

7 April 2008
11 August 2008
24 November 2008

Monday, November 19, 2007

Surveillance Tagging for Children – Possible Business Applications

- Radio frequency identification, whereby an alarm will be activated if a tagged child wanders beyond a reader. Tags cost around £40 and a reader up to £300.

- For ultra-surveillance, there is the "personal companion" - a gadget which enables parents to tail their offspring when they leave the house. It uses satellites and mobile phone technology, and parents can be updated via their computer or mobile phone.

Devices such as the latter are also being used to tag courier items and mail bags. Can you think of additional business uses for either of the above technologies?

Cyberloafers - Stealing Your Time and Profits!

New research, published by the Centre for the Study of Media Technology and Culture (CSMTC), reveals that over a quarter of the UK workforce spends nearly five hours a week using the internet for personal reasons during work time, and nearly five percent spend over 24 hours every week looking at non-work-related material on the web.

Online purchasing and Instant Messaging were identified as two of the biggest distractions for workers, although the research found that 80% believe that communicating with family and friends through Instant Messaging actually improves their productivity. A further 87% of respondents admitted to making private purchases during working hours.

Another major distraction is the upsurge in popularity of social networking sites such as 'Facebook'. More than 70% of businesses, including banks and law firms, have already banned the sites by putting internet filters in place.

A spokesman for Scotland Yard said: 'Access to some of these sites is blocked as there is no business need for employees to visit them.' The study also found that some companies are prepared to take action to try to contain the problem of 'cyberloafing' by using surveillance technology or limiting access to the Internet. However, in an interesting development, some organisations, such as the Trade Unions Council (TUC), are criticising the implementation of 'cyberloafing' restrictions. 'Better to invest a little time in working out sensible conduct guidelines, so that there don't need to be any nasty surprises for staff or employers,' said the TUC.

Employee abuse of IT services is one of many subjects addressed in the IT and Information Security Workshop, which forms part of the Security Management Stage 1 Course.

Forthcoming workshop dates are:

22 November 2007
7 April 2008
11 August 2008
24 November 2008


Contact Janet for details.

Security Guard Caught Staging Raid on His Own Van!

A security guard was jailed for 12 years recently for staging a £90,000 raid on his own van. The “raid” took place as staff were refilling cash machines in Birmingham, UK. The guard claimed he had had a gun thrust in his face, but police traced calls from his mobile phone to two accomplices.

It is not the deliberate policy of the blog to assist criminals in planning their acts, but wouldn’t it have been a better idea to attack somebody else’s van? There is less chance of being recognised by work colleagues.

Some basic tips for armed hold-up survival can be found at:



Sunday, November 18, 2007

Forensic Analysis of a Suspect Employee's Computer Has Proven to Be a “Quick Kill” on Many Investigations


"IT vulnerability is the corporate jugular vein."

"Many organisations are hopelessly unprepared to tackle internal IT crimes such as fraud and information theft."

"Information theft is predominantly an insider risk, with vastly more confidential information removed from the workplace by employees than by hackers."

"No hacker, virus writer or other cyber deviant have ever come close to causing the collapse of any major institution. By contrast ther disasters which befell Bairings, Daiwa, BCCI, Worldcom, Enron, Tyco, Xerox, Orange County and Allied Irish Bank were all the result of internal fraud, corruption or unsupervised speculation, committed by trusted employees."

"Profound and irreversible mistakes have been made by organisations investigating IT-based fraud because initial actions taken at the scene were fundamentally wrong and ill-advised."

"Business is increasingly litigious. Electronic disclosure, where computer evidence is routinely introduced in litigation, is gaining a foothold in many national jurisdictions."

"Forensic analysis of a suspect’s computer has proven to be a “quick kill” on many investigations."

These are all extracts from Ed Wilding’s ground-breaking book: Information Risk and Security. Ed will be conducting a 2-day IT Security and Incident Response Course, 24-25 January 2008.

The course is intended for those whose role may in some way involve the detection and investigation of internal crimes committed against or using company IT resources. No prior IT knowledge is required and the course is ideally suited to Security Managers and investigators. Contact Janet for details.

Italy and USA Make the “Top 10” Kidnap League Table for October


According to international kidnap and ransom experts, Clayton Consultants, India was the country in which most kidnaps were reported in October 2007. Nigeria and Mexico, which grab most of the news headlines, were 4th and 5th respectively, beaten by Venezuela (2nd) and Nepal (3rd). Both Italy and the USA were also featured in the Top 10 List, in 8th and 9th positions respectively.

The monthly Clayton K&R Extortion Monitor publishes details of known incidents of kidnap, but cannot be taken as a true indicator of employee or business travel kidnap risk since the nature and targets of kidnap vary from country to country.

The reports do not include data from Iraq.

Monitors can be downloaded from:

http://www.claytonconsultants.com/

ARC Training conducts a one-day Kidnap Risk Reduction and Response Workshop twice yearly. 2008 dates are 14 May and 24 September. For details contact Janet.

Kidnap risk reduction is also covered in ARC Training’s one-day Business Travel Security Workshop, which can be delivered at your premises to your at-risk staff on request.

Unlimited Fines for Individuals Who Lose Laptops Containing Sensitive Personal Data?

The UK Information Commissioner, Richard Thomas, is seeking the introduction of a new criminal offence under which employees who lose laptops with unencrypted sensitive personal data could face unlimited fines.

The legislation would be aimed initially at healthcare workers who might, for example, leave a laptop in a car from where it is stolen. This, according to Thomas, constitutes “gross negligence”. Thomas added that anyone holding sensitive personal data on a laptop should know the basics of encryption.

A second proposed law would empower officers of the Commissioner’s office to inspect companies without consent to monitor their compliance with data protection laws.

Security managers seeking to gain a greater understanding of information protection, laptop security and encryption may wish to attend the regular Information and IT Security Workshops, which are part of ARC Training’s Security Management Stage 1 Course. Forthcoming dates for the Information and IT Security Workshops are:

22 November 2007
7 April 2008
11 August 2008
24 November 2008

Determining Which Perimeter Intrusion Detection System to Specify

Perimeter intrusion detection systems (PIDS) have to deal with a wide range of environmental conditions, while detecting stealthy human motion and ignoring nuisance events.

Imagine detecting a person moving in a stealthy fashion, perhaps crawling, through an open perimeter in the midst of a heavy rain with poor visibility over uneven terrain, while ensuring that alarms are not triggered by rain or wind. Today, good sensors perform these tasks quite well.

The core challenge is specifying the correct sensor for a specific environment. Asking a supplier for advice is one option, but if the supplier is tied to a particular product they will sometimes try to convince you that they have exactly the right product for you. In the experience of ARC consultants, many hundreds of PID systems worldwide are working less than satisfactorily because the wrong system has been specified for a given location.

PIDS are covered in detail in the following 2008 ARC Training programmes:

- Specifying Security Systems, 21-25 July

- Security Management Stage 1, 31 March – 11 April, 4-15 August, 17-28 November

- ASIS PSP Review Course, 27-31 October

- ASIS CPP Review Course, 28 April – 2 May 2008, 27-31 October

In the interim, read about taut wire, infrared, acoustic, vibration, contact barrier, RF, microwave, electrostatic, VMD, seismic and ground radar sensors at:

2008 Training at the Landmark Burj Al-Arab Hotel, Dubai

The fantastic Burj Al-Arab Hotel in Dubai will be the venue for the forthcoming 3-day Crisis Management and Business Continuity Management Workshop, 17-19 February 2008, conducted by ARC Deputy Director of Training, Phillip Wood MBE CPP.

The course is being arranged by ARC’s Arabian Gulf representative, Precept Management Consultancy. For more information please contact Precept.

Wednesday, November 14, 2007

Business Continuity – Some Continuity Errors

According to a business survey by SunGard Availability Services, almost half of UK businesses are facing difficulty in embedding business continuity management into their organisational culture.

Whilst 56 percent of respondents believe that their business continuity management policy is generally ‘good’, 44 percent recognised that they were failing to entrench it into the fabric of their organisation. 86 organisations responded, but none was currently fully compliant with BS 25999, the new British Standard for business continuity management. To make matters worse, 41 percent of respondents felt that their business continuity plans were compromised by inadequate testing and review processes.

Perhaps the most important observations were made by Ron Miller, managing consultant at SunGard Availability Services, who said: “…business continuity management cannot and must not be the sole preserve of the IT department. Instead it needs to permeate through the whole business and be woven into the fabric of the organisation, with input and leadership from the highest level."

If your plans are lacking continuity elements, ARC can help you to improve them, with one-day BCM workshops available either as part of our Security Management Stage 2 Course or in-house at your location. For further details contact Janet.

Also, you can follow this link to SunGard’s excellent BCM site, where you can undertake a self-assessment of your BCM preparedness against the current British Standard, BS 25999.

Be Careful What Your Employees are Looking at on the Web - Inciting Terrorism by Using the Internet to Become a Criminal Offence in the EU – Reuters

Inciting, recruiting and training for terrorism on the internet will be made a criminal offence, punishable by minimum sentences throughout the European Union under new proposals, according to Reuters.

The European Commission will propose expanded EU legislation to fight what it says is the growing use of the internet as a "virtual training camp" for terrorists, as part of a package of measures. The measures could be approved within days.

Justice and Security Commissioner Franco Frattini proposes creating an EU offence of "public provocation to commit a terrorist offence", that would apply to incitement even if it did not lead to an actual attack.

The report comes at a time when the head of MI5 has warned that at least 2,000 people in the UK pose a threat to national security because of their support for terrorism, a 20% rise since 2006.

London Tops the UK League for ID Fraud, Reports Sky News

Source: Sky News

London - the UK's financial capital - is also the country's number one location for identity fraud, a study has revealed.

Figures showed 19 of the 20 postcode areas in Britain worst affected by the crime are inside the M25 - and the other one is just outside, in Maidenhead. CIFAS, an industry body that helps companies share information to fight fraud, compiled the list.

Its 270 members managed to foil attempts at fraud worth £741m over the nine months to October - but it is estimated that losses from stolen identities total nearly £2bn a year.

One of the fastest-growing areas of identity theft is called "current address fraud", which sees the victim scammed by someone living at the same address as them. The crook applies for and uses products in the name of the victim - who could be a next-door neighbour in their block of flats - and then intercepts their post.

Internet Drives Companies’ Critical Information beyond the Security of Corporate Data Management Systems

Over the last ten years, information technology has brought new levels of business opportunities and productivity gains. IT has become a strategic business growth engine, opening up doors to new customers, enabling new products and services, and improving customer experiences. However, as more and more business is driven across the Internet, it also places critical information beyond the security of data management systems.

In the current environment a security breach has the potential to hit a business’s bottom line, damaging its reputation, customer loyalty and profitability, and personal identity information is at the top of the IT attack shopping list for organised criminals.

A paper, produced by Oracle, presents an overview of the security considerations that need to be taken into account in order to secure data. It is an excellent guide for “generalist” security managers seeking to gain a better understanding of IT and data security issues. Obviously, it concludes with an Oracle solution, but since readers of this blog are generally not IT security budget holders, this techie bit can be ignored.

Contact David to get hold of a copy.

Cut Through the Jargon and Specify CCTV with Confidence

A recent press release for a new CCTV camera reads:

The high resolution imagery allows the network camera to substitute up to twenty four analogue cameras, thereby reducing the total cost of installation. Power is drawn from a low cost Power-over-Ethernet switch removing the need to supply a separate power supply. The camera delivers full motion progressive scan 1600 x 1200 video at 22 fps with all four channels in parallel. It can also offer 88fps with 800 x 600 resolution. Onboard real-time motion detection with size and sensitivity controls for up to 64 separate motion detection zones per channel is supplied as standard. Advanced features include concurrent transmission of different frame formats and simultaneous delivery of multiple zoomed and full field of view video streams at full frame rates. The software also allows for post-event zoom-in capability from archived footage, concurrent full field of view and high-quality zoom.

Sounds fantastic but can it do what you want it to do – augment manpower, reduce crime and detect adversaries?

Join security management colleagues from around the world in learning how to interpret technical specifications and how to specify security systems that match the performance requirements of your specific risk circumstances on ARC’s new Specifying Security Technology Course, 21-25 July 2008. Contact David for details.

(Alternatively, spend thousands of dollars on cameras that you don’t need!)

Tuesday, November 13, 2007

Professionals Gather in Lagos, Nigeria, for Security Management Training

Monday 12th November saw the start of the first ever ‘open’ Security Coordination and Management Course in Nigeria. Locally hosted by Cardinal Security Services, this internationally recognised five-day security management programme is being attended by 16 security professionals from leading companies in the petrochemical, financial and services sectors.

Silvester Ibeh, Managing Director of Cardinal Security Services, recognised the need to bring high quality security management development onto the local market and is partnering with ARC Training International in this venture.

Peter Horsburgh CPP, PSP, the course leader, said ‘We were delighted to be able to take this opportunity to contribute to the growth of our fellow security professionals in Nigeria. The widespread support for this course demonstrates that companies in this region have a real commitment to excellence and to the development of their people.’

Time to Equip Security Guards with Armoured Vehicles and Large Calibre Weapons

Planned security upgrades to US nuclear facilities, which include equipping guards with armoured vehicles and large-calibre weapons are behind schedule, according to the New York Times.

The latest design basis threat for US nuclear facilities envisages an attack on a facility by a “large and more capable group of attackers”. Utilising large groups of attackers poses significant problems for a terrorist group, not least because the chances of the mission being compromised by intelligence services are that much greater, but 9/11 is testament to Al-Qaeda’s determination to attempt this if it can be justified by the desired end result. And a nuclear release in a Western country would certainly fit Al-Qaeda’s strategy.

But it may not be necessary to attack such a facility if Al-Qaeda can get hold of some of the roughly 40 kg of weapons-usable uranium which has allegedly been stolen from facilities worldwide over the past decade or so.

A report by the US-based Stanford Database on Nuclear Smuggling, Theft and Orphan Radiation Sources identified 700 illicit radioactive material trafficking incidents during the period 1991-2002. The report cites insiders as posing the greatest threat. Insiders, according to the report, “include civilian employees at facilities that house nuclear material or radiation sources, military personnel, and security guards.

For example, out of seven known thefts or attempted diversions of weapons-usable fissile material (Podolsk in 1992, Andreeva Guba in 1993, Sevmorput in 1993, Electrostal in 1994 and 1995, Sukhumi in 1992-1997, and the Chelyabinsk region in 1998), six were committed by insiders.” In one instance the Russian FSB foiled a plot to steal a quantity of material sufficient to build a viable nuclear device.

Contact David if you would like a copy of the SDNS report Nuclear Smuggling Chains: Suppliers, Intermediaries, and End-Users.

UK Police Classifications of Kidnap

Conventional Kidnap – The abduction or holding of a hostage with the intention of extorting money or other valuables; or securing some substantial concession for the hostage’s safe return.

Tiger Kidnap – The abduction or holding of a hostage (or claim of having done so) with the intention of forcing an employee, relative or another to facilitate the immediate theft of any valuables; or concede some other form of ransom from any institution or business organisation.

Tiger kidnaps are a growth industry in Northern Ireland. See:

http://news.bbc.co.uk/1/hi/northern_ireland/6920668.stm

http://news.bbc.co.uk/1/hi/northern_ireland/6124272.stm

http://news.bbc.co.uk/1/hi/uk/4743532.stm

Criminal Vendetta – At present, these are the most common types of kidnapping in the UK and can be associated with the use of extreme violence and torture. It is likely that the offender is known to the victim / hostage, as is the motive behind the offence, although the motive may not always be shared with the Police. In some cases, the victim will have tried to resolve the situation themselves and informing the police will be the last resort. The demand may be economic or could be commodity based (e.g. drugs) and may be more concerned with the principle than with the monetary value.

People Trafficking – These incidents are often unreported due to the immigration status of the victim / hostage and furthermore, the hostage may not necessarily want the Police involved due to the fear of repatriation. Similarly these offences are often characterised by the use of extreme violence / torture or rape and hostages may be forced to work in the sex industry.

International – With these types of kidnap the hostage is taken abroad and consequently there is a lack of control over all aspects of the investigation for UK Police. Due to this, there is a need for international co-operation from foreign law enforcement.

The classification does not cover Express Kidnap; a particular risk to business travellers. See:

ARC Training conducts a one-day Kidnap Risk Reduction and Response Workshop twice yearly. 2008 dates are 14 May and 24 September. For details contact Janet.

Kidnap risk reduction is also covered in ARC Training’s one-day Business Travel Security Workshop, which can be delivered at your premises to your at-risk staff on request.

Another Warning about the “Insider Threat” - This Time from the FBI

FBI Director Robert Mueller delivered a stark warning this week to organisations which have become dependent on the Internet.

"If we lose the Internet, we do not simply lose the ability to e-mail or to surf the Web. We lose access to our data. We lose our connectivity. We lose our intellectual property. We lose our security. What happens when the so-called 'Invisible Man' locks us out of our own homes, our offices, and our information?"

"The threat is not limited to hackers on the outside. Insiders present a significant problem. Contractors may take the appropriate security measures, but what about those with whom they subcontract and their subs?”

Mueller drew particular attention to the threat from terrorists, cyber blockades, botnets and hackers.

The insider threat, particularly in regard to IT sabotage, is a recurring concern of those organisations which make up critical national infrastructure.

For the full news article, click here.

Terror Threat to Shopping Malls, Warns FBI

The lead up to the holiday season is again accompanied by a renewed warning of terrorist threats against shopping malls.

The FBI is this week warning that Al-Qaeda may be preparing a series of holiday attacks on US shopping malls in Los Angeles and Chicago. The alert says Al-Qaeda "hopes to disrupt the U.S. economy and has been planning the attack for the past two years."

A useful guideline on protecting shopping malls against terrorist attack can be downloaded from the UK Police site http://www.nactso.gov.uk/

Protection against Explosive Devices is the subject of a one-day workshop delivered by ARC Training on 26 November 2007. Contact Janet for details.

Al-Qaeda-Linked Arrests in Nigeria

The International Herald Tribune is reporting that Nigerian security agents have arrested several Nigerian men in the north of the country who allegedly had materials for making explosives, and evidence has linked them to the al-Qaeda terror network, according to a senior security official.

The official said the suspects had been on the verge of carrying out attacks when they were detained, and demonstrated a photograph of materials allegedly seized from the suspects showing four bags of fertilizer, seven sticks of dynamite, a combat rifle and detonators.

Osama bin Laden is reported in one of his messages to have named oil-rich Nigeria as a country ripe for liberation from Western influence, and periodically the U.S. Embassy in Nigeria issues terror attack warnings.

According to the BBC, Nigeria has not suffered a terrorist attack and despite occasional arrests of suspected Islamic militants there is no evidence of al-Qaeda in Nigeria.

Monday, November 12, 2007

“An Extremely Worthwhile Investment of My Time”

“The whole course will be of vital importance”

“An extremely worthwhile investment of my time”

“The investigation role-play was extremely valuable”

“A great learning curve”

These were some of the comments made by delegates attending ARC Training’s new 4-day Investigating and Interviewing Skills Course, conducted by investigations specialists Linx International.

The course, which was delivered by Angus Darroch-Warren and David Gill, covered the essentials of security investigations, including how to manage an investigation, investigation methodology, how to prepare a case, how to interview, evidence handling, civil and criminal law, the law of England and Wales, disciplinary practice and procedure, and how to present a case.

In developing the programme, Angus and David paid close attention to the National Occupational Standards for investigators, which can be accessed by clicking here.

The next Investigation and Interviewing Skills Course will take place 10-13 March 2008, followed by a further course 3-6 November. Contact Janet for more information or to reserve a place.

Wi-Fi Security System Is 'Broken' - BBC

Is your organisation using internal wi-fi for routine data transmission?

Are your executives processing business information at home using wi-fi?

Are your laptop holders accessing wi-fi hotspots in hotels, airports and railway stations?

Are you transmitting CCTV images over wi-fi?

"WEP (wired equivalent privacy), the basic security encryption for wi-fi networks is so broken that your (and everyone else's) kid sister can easily circumvent it," according to computer security researcher Ralf-Philipp Weinmann, co-author of the aircrack-ptw tool that can crack WEP in minutes.

WPA2, a much stronger encryption scheme, is available, but there is a tendency in businesses to stick with WEP because not all wi-fi devices are WPA2 compliant.
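The questions above amount to an inventory audit. As an added illustration (not code from the BBC article, from Ralf-Philipp Weinmann or from ARC Training), the following Python script audits a constructed list of access points against a simple policy that treats WEP and open networks as unacceptable for business traffic, and works through the birthday-bound arithmetic showing how quickly WEP's 24-bit initialisation vector (IV) space runs out. The network names and usage labels are hypothetical, and the IV calculation illustrates one structural weakness of WEP (keystream reuse), not the aircrack-ptw method itself.

```python
"""
Added example (not code from the BBC article, Ralf-Philipp Weinmann or ARC
Training): audit a constructed wireless inventory against a policy that treats
WEP and open networks as unacceptable for business traffic, and compute the
birthday bound on WEP's 24-bit IV space. SSIDs and usage labels are hypothetical.
"""
import math
from dataclasses import dataclass


@dataclass
class AccessPoint:
    ssid: str
    security: str  # one of "OPEN", "WEP", "WPA", "WPA2"
    usage: str     # constructed label: "internal", "cctv", "home", "guest"


# Constructed inventory mirroring the questions in the post: internal wi-fi,
# CCTV over wi-fi, executives working from home, and a guest network.
INVENTORY = [
    AccessPoint("corp-internal", "WEP", "internal"),
    AccessPoint("cctv-uplink-1", "WEP", "cctv"),
    AccessPoint("exec-home", "WPA", "home"),
    AccessPoint("corp-secure", "WPA2", "internal"),
    AccessPoint("lobby-guest", "OPEN", "guest"),
]


def classify(ap):
    """Return (verdict, reason) for one access point under the policy:
    WEP and OPEN fail outright, WPA is a warning, WPA2 passes."""
    if ap.security in ("OPEN", "WEP"):
        return ("FAIL", f"{ap.security} gives no effective confidentiality for {ap.usage} traffic")
    if ap.security == "WPA":
        return ("WARN", "WPA accepted for now; plan an upgrade to WPA2")
    if ap.security == "WPA2":
        return ("PASS", "WPA2 in use")
    return ("FAIL", f"unknown security mode {ap.security!r}")


def audit(inventory):
    """Audit every access point; returns a list of (ssid, verdict, reason)."""
    return [(ap.ssid, *classify(ap)) for ap in inventory]


def failing_ssids(inventory):
    """SSIDs that must be re-keyed or replaced before carrying business data."""
    return [ssid for ssid, verdict, _ in audit(inventory) if verdict == "FAIL"]


def wep_iv_collision_probability(frames, iv_bits=24):
    """Probability that at least two of `frames` frames share an IV, assuming
    IVs are drawn uniformly at random (assumption: many real cards use a
    counter instead, which makes reuse predictable rather than rarer). Under
    one WEP key, a repeated IV means a repeated RC4 keystream."""
    n = 2 ** iv_bits
    # Exact birthday product, summed in log space to avoid underflow.
    log_no_collision = sum(math.log1p(-i / n) for i in range(frames))
    return 1.0 - math.exp(log_no_collision)


def frames_for_collision_probability(p, iv_bits=24):
    """Birthday approximation: frames needed for an IV repeat with probability
    p, i.e. sqrt(2 * N * ln(1 / (1 - p))) with N = 2**iv_bits."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1.0 / (1.0 - p))))


if __name__ == "__main__":
    for ssid, verdict, reason in audit(INVENTORY):
        print(f"{verdict:4} {ssid:15} {reason}")
    n50 = frames_for_collision_probability(0.5)
    print(f"50% chance of an IV repeat after about {n50} frames")
    print(f"P(IV repeat) after 20000 frames = {wep_iv_collision_probability(20000):.5f}")
```

A busy CCTV link or internal network sends thousands of frames a minute, so the IV calculation shows why "not all devices are WPA2 compliant" is a poor reason to keep WEP: the devices that cannot be upgraded are the ones to segment off or replace.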

Read on at:

RFID: The Way Forward or an Exposure Which Could Cripple a Business Logistics Operation?

Some airports are planning to expedite baggage handling by attaching RFID-augmented labels to the suitcases as they are checked in. This makes the labels easier to read at greater distances than the current bar-coded baggage labels.

Now consider a malicious traveller who attaches a tiny RFID tag, pre-initialized with a virus, to a random person's suitcase before he checks it in. When the baggage-handling system's RFID reader scans the suitcase at a Y-junction in the conveyor-belt system to determine where to route it, the tag responds with the RFID virus, which could infect the airport's baggage database. Then, all RFID tags produced as new passengers check in later in the day may also be infected. If any of these infected bags transit a hub, they will be rescanned there, thus infecting a different airport. Within a day, hundreds of airport databases all over the world could be infected.

Read about the alleged susceptibility of RFID tags to virus transmission at:

http://www.rfidvirus.org/
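The scenario above only works if the baggage system treats the bytes read off a tag as trusted. As an added example (not code from rfidvirus.org, from any airport system or from the original post), the Python below shows a toy baggage-routing lookup that pastes tag data straight into an SQL string, beside a hardened lookup that validates the tag format and binds the value as a query parameter. The table layout, the "BAGnnnnnn" tag format, the sample bags and the hostile tag contents are all constructed for illustration.

```python
"""
Added example, not code from rfidvirus.org or the original post: a toy
baggage-routing lookup that builds SQL by string concatenation from RFID tag
data, beside a hardened lookup that validates the tag and uses a parameterised
query. Table layout, tag format and sample data are constructed.
"""
import re
import sqlite3


def setup_db():
    """In-memory database holding two constructed bags and their routing."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bags (tag TEXT PRIMARY KEY, destination TEXT)")
    conn.executemany("INSERT INTO bags VALUES (?, ?)",
                     [("BAG000001", "LHR"), ("BAG000002", "JFK")])
    conn.commit()
    return conn


def route_vulnerable(conn, tag_data):
    """Trusts whatever the reader returned: the tag bytes are pasted into the
    SQL text, so a tag carrying quote characters rewrites the query."""
    sql = f"SELECT destination FROM bags WHERE tag = '{tag_data}'"
    return [row[0] for row in conn.execute(sql).fetchall()]


# Constructed tag format: only well-formed identifiers reach the database.
TAG_RE = re.compile(r"BAG[0-9]{6}")


def is_well_formed(tag_data):
    """True only for tags that match the expected identifier format exactly."""
    return TAG_RE.fullmatch(tag_data) is not None


def route_hardened(conn, tag_data):
    """Treats the tag as untrusted input: reject anything that is not a
    well-formed identifier, then bind the value as a parameter so the
    database engine never parses it as SQL."""
    if not is_well_formed(tag_data):
        raise ValueError("malformed tag data rejected before reaching the database")
    rows = conn.execute("SELECT destination FROM bags WHERE tag = ?", (tag_data,)).fetchall()
    return [row[0] for row in rows]


# Constructed hostile tag contents: the quote closes the string literal and the
# OR makes the WHERE clause true for every row, so the router receives two
# destinations for one bag instead of one. (sqlite3 executes one statement per
# call, so this toy cannot show the multi-statement, self-copying payloads
# described in the RFID virus research; the failure mode shown is the
# corrupted routing decision.)
HOSTILE_TAG = "' OR '1'='1"


if __name__ == "__main__":
    conn = setup_db()
    print("good tag, vulnerable:   ", route_vulnerable(conn, "BAG000001"))
    print("hostile tag, vulnerable:", route_vulnerable(conn, HOSTILE_TAG))
    print("good tag, hardened:     ", route_hardened(conn, "BAG000001"))
    try:
        route_hardened(conn, HOSTILE_TAG)
    except ValueError as exc:
        print("hostile tag, hardened:  ", exc)
```

The two defences are independent: the format check stops bad data at the reader, and the parameterised query protects the database even if a new tag format is introduced later and the check is relaxed. Both belong in the specification for any system that takes routing decisions from data read off a tag.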

A Lifetime of Beer if You Can Find the Stolen Laptop

A New Zealand brewery is reportedly offering a lifetime supply of beer for the return of a stolen laptop. Local media said the laptop was stolen from the Croucher Brewing Company in the central North Island city of Rotorua last month.

Owners were desperate to retrieve the computer containing designs, contact details and financial information. The company has back-up copies of the material stored on the laptop but these are not up to date, the Rotorua Daily Post said.

They have offered a lifetime’s free beer to anyone giving clues leading to its recovery.

Check Your Credit Card Statements Carefully – It May Be Too Late Once You Are Arrested for Promoting Terrorism!

Identity theft can be a miserable business, sometimes causing immeasurable personal disruption, damage to credit rating and months of reorganising financial accounts. As a security manager you are well placed to offer proactive advice to your company’s staff on how to protect against this fast-growing crime. Good basic advice, which you can develop into an awareness campaign, can be found at the following sites:

http://www.identity-theft.org.uk/protect-yourself.htm
http://www.vnunet.com/computeractive/features/2138242/identity-theft-facts

But the consequences of falling victim to ID theft may be worse than financial. What if someone steals your identity to access illegal paedophile services on the web? Moreover, ID theft is increasingly being used to finance terrorism. During a raid on the house of an Al-Qaeda associate in London in 2005, police discovered that stolen credit card details had been used to pay for internet sites to which jihadist training manuals, beheading videos and other inflammatory materials, including advice on how to hack sites, had been posted.

Under new EU proposals, setting up websites that encourage violence or explain how to make bombs will become a criminal offence, and the first port of call for the police is obviously going to be the owner of the credit card that paid for the site!

Save Your Data and Secure Your Business

For many organizations, Business Continuity (BC) means securing their data and IT systems against failure. Although BC planning is about a lot more than just IT, it is prudent to ensure that if disaster strikes, your information is safe.

There are many methods of preserving systems and information. Two effective methods are storage virtualization and replication, both of which can save your business if implemented appropriately and wisely. Chris Ross, of Bakbone Software, provides more detail on these methods and their potential for maintaining continuity here.

ARC features IT Security and Business Continuity in several of its training courses in 2008. For more details contact Janet or check the 2008 brochure.

Sunday, November 11, 2007

The New Breed of Cyber-Terrorist. "Most Companies and Organisations Seem Oblivious to the Threat" Warns DHS

According to cyber-security experts, the terror attacks of 11 September and 7 July could be seen as mere staging posts compared to the havoc and devastation that might be unleashed if terrorists turn their focus from the physical to the digital world, reports the UK newspaper "The Independent".

Scott Borg, the director and chief economist of the US Cyber Consequences Unit (CCU), a Department of Homeland Security advisory group, believes that attacks on computer networks are poised to escalate to full-scale disasters that could bring down companies and kill people. He warns that intelligence "chatter" increasingly points to possible criminal or terrorist plans to destroy physical infrastructure, such as power grids. Al-Qa'ida, he stresses, is becoming capable of carrying out such attacks.

Most companies and organisations seem oblivious to the threat. Usually, they worry about e-mail viruses and low-grade hacker attacks. But Borg sees these as the least of their worries. "Up to now, executives and network professionals have worried about what adolescents and petty criminals have been doing," he says. "In most cases, these kinds of cyber attacks aren't very destructive. The reason is that businesses generally have enough inventory and extra capacity to make up for any short-term interruptions."

What companies and organisations should worry about, Borg insists, is "what grown-ups could do" - terrorists or hardcore criminals. One key target would probably be the vital Supervisory Control and Data Acquisition (Scada) systems in power plants and similar industries. "Chatter on Scada attacks is increasing," says Borg, referring to patterns of behaviour that suggest that criminal gangs and militant groups are now fully capable of unleashing such attacks.

Read on here.