Tuesday, March 31, 2009

Non-Lethal Ray Gun Enters Testing – Could This Be Used to Protect against Maritime Piracy Attacks?

The device fires a 1 mm radio wave, which penetrates the top 1/64th of an inch of skin and just down to the nerve endings. When hit, the target moves away from the beam and the sensation ceases. The sensation at the target is akin to taking a heat blast from an opened “oven door,” according to Marine Corps. Col. Kirk Hymes. In most cases there is no permanent injury.

For more, go to: http://www.designnews.com/article/12709-Military_s_Active_Denial_System_is_First_True_Ray_Gun.php

How Do You Survive a Disaster?

The BBC News Magazine explains all:

http://news.bbc.co.uk/2/hi/uk_news/magazine/7933386.stm

USB Memory Sticks – Don’t Let Them Get under your Skin!


A Finnish computer programmer who lost one of his fingers in a motorcycle accident has made himself a prosthetic replacement with a USB drive attached. Jerry Jalava uses the 2GB memory stick, accessed by peeling back the "nail", to store photos, movies and programmes.

For the full story go to: http://news.bbc.co.uk/2/hi/europe/7949018.stm

Securing IT Hardware (Including Laptops) against Theft


ARC doesn’t usually recommend specific products, but this website has some good ideas for securing IT hardware:

http://www.lapsafe.com/catalogue/laptop-and-pc-security/

Terrorism Overview

Read what the UK government has to say about terrorism. Detailed information can be found on the website of The Security Service MI5, beginning at:

http://www.mi5.gov.uk/output/terrorism.html

Economic Downturn Causing Data Theft Deluge - How to Manage the Threat

Source: http://www.contingencytoday.com/online_article/Data-loss-deluge-during-downturn-/1814

A leading provider of IT security systems is warning organisations to prepare themselves for a data loss deluge during the economic downturn. Citing an increase in transient staff, higher staff turnover and a growing black market hungry for information, Overtis Systems is urging UK organisations to update their data access procedures to counter these threats with a Ten Point Plan.

Several drivers are responsible for the increase in data leakage over the past year. There has been a surge in the use of casual staff, with companies using more contractors and outsourcing core operations. This in turn has lead to greater fluidity of data and a heightened risk of security compromise. Meanwhile, temporary and permanent members of staff, uncertain of the future, are purloining data to further their own careers. Others, concerned about their own finances, are selling sensitive information to a burgeoning black market. And an increase in redundancies is also causing problems, with dismissed members of staff more likely to steal data either for their own ends or to cause their former employer operational problems.

Overtis recommends organisations adopt the following Ten Point Plan to prevent data leakage:

1. Implement a strong employee joining and exit process – email and network access needs to be revoked quickly and mobile devices recovered when an employee leaves. New members of staff need only be given access to the resources they need to perform their role.

2. Educate staff – ensure data is only accessible to staff on a need-to-know basis or push data to relevant individuals.

3. Avoid remedial action – Don't seek to address a security breach with a point security product but take a systematic approach to the whole enterprise. Controls need to be in place between the user and the data not on the network or gateway.

4. Identify assets and information flows – Address potential pain points by mapping all of the intellectual property you have and modes of access.

5. Restrict the manipulation of data – Plan who needs access and whether they have the authorisation to print, change or export data over email, IM or to removable devices. It's also now possible to apply restrictions to specific content within a document or by time and location.

6. Watch the gatekeepers – System administrators and privileged users should be subject to the same change management and critical server file integrity checks.

7. Don't overlook the obvious – Do put in place procedures to prevent the export of data to USB sticks, MP3 players etc. Do scan outgoing email for confidential attachments. Do restrict copy and paste over Instant Messenger and other social networking media.

8. Use encryption – Where you do permit data export to mobile devices and removable media, ensure it is encrypted.

9. Use two-factor authentication – Don't rely on passwords; they are often written down and are relatively simple to crack. Always combine a password with a secondary method of authentication. Sophisticated systems such as finger vein readers are simple and cannot be easily subverted.

10. Combine your security arsenal – While many organisations have biometric access systems, CCTV and even RFID, few have taken the logical step of joining these together with the IT security system. Integrating the physical with the virtual can provide the requisite evidence of a data breach, for example marrying a screenshot of a file being exported with CCTV footage of the perpetrator. Evidence can also be used to enhance staff productivity, by illuminating how data is used.

UK Law Resources

For an at-your-fingertips guide to UK criminal law acts, go to:

http://www.wikicrimeline.co.uk/index.php?title=Category:Acts

Number of Infected Web Sites Increases Sharply: Are You Being Spied On?

Source: www.nextgov.com

The number of seemingly legitimate Web sites infected with malicious code that enables hackers to steal passwords to access computer networks is increasing, with one organization reporting an 827 percent jump in compromised sites in 2008.

The number of crimeware-infected URLs, which are Web sites containing malicious code designed to steal users' passwords by tracking their keystrokes, increased more than 163 percent in just one month, from 11,834 in November 2008 to 31,173 in December 2008, reported the Anti-Phishing Working Group, a coalition of industry and law enforcement agencies fighting identity theft from malware. In January 2008, just 3,363 sites were infected, according to the group.

For more information, go to:

http://www.nextgov.com/nextgov/ng_20090323_9103.php

Or attend Security Management Stage 1, 3-14 August 2009, which covers the core areas of security management, including information and IT security:

Course Content:

Security Risk Management, Security Operations Management, Security Policies & Procedures, Security Design, Introduction to Investigations, Introduction to Security Surveying, Perimeter & Buildings Security, Access Management, Workplace Crime Prevention, Protection Against Explosive Devices, Manpower Selection & Deployment, Leadership & Motivation, Information Security & Technical Surveillance Countermeasures, IT Security, Protection of At-Risk Personnel, Crisis Management, Change Management, Course Project.

For details contact Janet.

Oil and Gas Sector Security Management

In July 2009 ARC will be offering a new course specifically tailored to its oil and gas sector clients, entitled: Managing Security Risks in the Oil and Gas Sector. The course will take place 24-28 August and will cover the core areas of:

Security Risk Analysis in the Oil & Gas Sector, Corporate Social Responsibility, Human Rights, and Community Management, Managing Activism, Managing Acts of Militancy and Terrorism against the Oil/Gas Sector, Oilfield and Pipeline Security, The Security of Refineries and other Production Facilities, Maritime and Offshore Security.

For further details contact Janet.

Community management, and stakeholder engagement are core to the programme. Community engagement and security management in such situations are two sides of the same coin. During its community engagement phase, Angola LNG pooled the best practices of Sonangol, Chevron, BP, Total and ENI, and put together an Environmental and Social Impact Assessment report of no less than 10,000 pages, which has been made available at the following link http://www.angolalng.com/project/eshia06.htm

Producing an Operational Requirement for Security Systems – Guideline


The UK’s Centre for the Protection of National Infrastructure (CPNI) has made available on its website a useful and detailed template for producing an Operational Requirement for physical (technical) security systems.

An Operational Requirement (OR) is a statement of need based upon a thorough and systematic assessment of the problem to be solved, and the hoped-for solutions. The aim of the CPNI Guide is to ensure that appropriate security measures are recommended to manage the risk to a level acceptable to all stakeholders. It introduces the concept of a structured methodology for determining the security requirements for specific sites.

To download a copy of the guide, go to: http://www.cpni.gov.uk/Docs/measures-operational-requirements-guide.pdf

Specifying security systems is covered in overview on Security Management Stage 2 (29 June – 10 July 2009), and in detail on Specifying Security Technology (13-17 July 2009).

For more information, contact Janet, or go to:

Security Management Stage 2
http://www.arc-tc.com/pages/university_acredited_sm.asp#sm2

Specifying Security Technology
http://www.arc-tc.com/pages/other_accredited_sm.asp#s4

Emergency Management (Natural Disasters) Resources


Commencing business operations in new countries is often characterised by uncertainty. Recently a delegate contacted ARC to ask for advice on where to find best practice resources which he could use as a basis for constructing plans for a range of natural disasters in an overseas country.

This is an area in which the US is quite well advanced, and the following links contain excellent guidance:

http://www.fema.gov/business/guide/index.shtm
http://www.disastersafety.org/text.asp?id=commlines
http://www.ready.gov/business/publications/index.html
http://www.ready.gov/business/_downloads/readybusiness-brochure.pdf

Business Expansion – Security Considerations is one of the core subjects covered in Security Management Stage 3, which takes place in the UK, 11-22 May 2009. Contact Janet for details or go to http://www.arc-tc.com/pages/university_acredited_sm.asp#sm3

STOP PRESS - April 1st Protests Could Break out Anywhere, Not Just London - Direct Action Examples

In recent years April 1st has been designated "Fossil Fools Day" by environmental activists, and has become a day of multiple disruption actions. In 2008 150 direct action events were staged. While the world’s attention is focussed on demonstrations today around the G20 Summit, there is a risk of environmentalist/anti-capitalist direct actions against the following types of facilities worldwide:

- Coal-fired power stations
- Oil refineries, including biofuels facilities
- Lock-ons and barricades at petrol stations
- Aviation facilities
- Gas installations (eg LNG import facilities)
- Pipelines and pipeline construction sites
- Mines
- Financial targets (eg RBS) – possibly even local bank branches as a symbolic protest
- High-profile media events involving energy companies
- Road construction sites

Types of actions include:

- Protests outside buildings
- Attempts to occupy buildings
- Banner drops
- Lock-ons
- Leaflet distribution
- Power switch off (eg petrol stations, cola conveyors at power stations
- Dumping outside HQ buildings
- Actions against directors’ residences
- Hoax press releases to media companies – it is very easy to spoof your email addresses
- Billboard poster replacement
- Bicycle takeover of roads
- IT attacks

Security staff should be advised to look for the unusual behaviour, such as a sudden gathering of media, or a group of people dressed in fancy dress, such as clowns, “biohazard” suits or polar bears.

Monday, March 23, 2009

Record Breaking Security Managers!



Stellenbosch, South Africa, was the setting for the recent Security Management Stage 1 Course, attended by 15 security managers from South Africa, Botswana, Democratic Republic of Congo, and Senegal.

The course, which was delivered by David Cresswell, covered the core skills areas of corporate security management, and included a detailed security design project, which all delegates completed to a very high standard indeed. The course concluded with a closed-book examination, which all delegates passed, with over half scoring 100% - a first for any Security Management Stage 1 Course.

One delegate remarked that it was the best security course he had attended in 30 years!

Meanwhile, in the UK, a new Security Management Stage 1 course begins today under the tutorship of Phil Wood MBE, who plans to lead the 16 delegates attending to similar successes. Representing a wide range of sectors and countries including UK, France, Belgium, Switzerland, Nigeria, Thailand, Qatar, Greece and Kazakhstan, the delegates are sure to have a very interesting and beneficial two weeks sharing best practice.

The next Security Management Stage 1 (UK) takes place 3-14 August 2009; contact Janet for details or click on the link below.

http://www.arc-tc.com/pages/university_acredited_sm.asp#sm1

Tuesday, March 17, 2009

Climate Change and Crisis Management

The 15 delegates attending the Security Management Stage 1 Course in Stellenbosch, South Africa, have been studying Crisis Management as part of the intensive 10-day curriculum. In addition to identifying crises specific to their organisations and countries, delegates examined some of the external factors that could cause future crises, including severe adverse whether phenomena as a result of climate change.

Delegates were shown a report by Lord Stern, UK government advisor on climate change, who has recently admitted that he underestimated the scale of climate change in his report two years ago. Lord Stern Warns of catastrophic effects if temperatures continue to rise beyond 2 degrees; the figure most politicians hoped we could keep to by 2100. “But we now face risks of 4, 5, or 6 degree increases, sometime towards the end of this century. 5 degrees centigrade is a temperature the world has not seen for 30 to 50 million years."

Scientists warn that a rise of even 3 degrees could be enough to devastate whole areas, turning much of Southern Europe into desert. Under this scenario the consequences for Africa long before 2100 are dire.

Monday, March 16, 2009

Does Africa Risk Being Plunged into Conflict?

African leaders gathering in London this week have warned that the dire effects the economic downturn is beginning to have on the African continent could plunge many African countries into conflict. Citing half a million copper mining workers made redundant in Zambia, the halving of cotton prices, drop in tourism income, and reduction on remittances from Africans working overseas, leaders have warned that several countries risk instability.

This dire prediction runs contrary to The World Economic Forum 2009 Global Risks Report, which predicted that Africa would be less exposed to the effects of the economic downturn than areas such, for example, Asia. The report asserted that African countries have relatively fewer financial and real assets, and thus lower exposure to asset bubbles. Even their overall exposure to economic risks is small, reflecting in part their lagging integration into global markets. (For a copy of the WEF report contact David.

Strategic security risk assessment and security risks associated with expansion into new markets are subjects that are addressed in detail during Security Management Stage 3. The course presents a number of templates to identify and analyse strategic risks, and discusses how these can then be distilled into forecasting security risks at the operational level.

The next Security Management Stage 3 takes place 11-22 May 2009. Details can be found at:

http://www.arc-tc.com/pages/university_acredited_sm.asp#sm3

Retail Theft Problems Set to Worsen

Source: red24

Retail theft in the form of shoplifting is an established and global problem. According to the Global Retail Theft Barometer - an annual survey of 920 of the leading international retailers, with combined sales of US$814 billion, conducted by the Centre for Retail Research – retail theft or ‘shrinkage’ (stock loss from crime and wastage) cost retail companies in the 36 countries examined approximately US$104.4 billion in 2008. This is equivalent to 1.34 percent of total retail sales. Although employees accounted for a significant portion of thefts, shoplifting and organised retail crime remains the largest source of this loss, representing more than 41 percent of the total and equating to some US$43 billion in the 36 countries surveyed. The current financial crisis and the accompanying global economic downturn is likely only to compound the problem of retail theft. As the fallout from the financial crisis starts to take hold, increasing unemployment and reducing disposable incomes, it is likely that a larger numbers of individuals will engage in unlawful activity as a means of securing a range of retail products. Furthermore, as companies’ profit margins are squeezed, security budgets are frequently cut, just as the threat becomes heightened. As a consequence, the next 12 to 18 months are likely to witness a sharp increase in retail theft.

For a copy of the full red24 report, contact David.

Lasers: Unconventional Weapons of Criminals and Terrorists

Source: Police Chief Magazine

With lasers becoming more commonplace and more easily accessible, the danger of individuals or groups using them to inflict harm—ranging from distraction and camera flash–like afterimages to permanent damage to the field of vision—has risen. Injuries have been reported both to the cornea (the front of the eye) and to the retina (the back of the eye).

Read more at:

http://www.policechiefmagazine.org/magazine/index.cfm?fuseaction=display&article_id=1731&issue_id=22009

Thursday, March 12, 2009

The Perils of Disposing of (or Loosing) Your Cellphone

Source: Checkmyfile.com

The ever-increasing role that mobile phones play in our day-to-day lives is making it much easier for identity thieves.

Long gone are the days of simply talking on the phone. Most new generation mobiles now allow users to browse the internet, send and receive email, and even bank online. As a result, more personal data than ever is stored on our phones.
Around 125,000 mobiles are left in London taxis alone each year and hundreds of thousands more are stolen. This is in addition to more legitimate markets for second hand mobiles, such as eBay.

There has also been a surge in the popularity of mobile ‘recycling’ websites that pay cash for unwanted handsets. Many people simply don’t realise that most of these phones are refurbished rather than recycled and then sent to Africa and Asia – hotspots for identity fraudsters.

Whilst wiping the memory of your phone completely is difficult, there are some basic steps you can take. First, remove any SD cards or other removable memory devices - don't send them with the phone. Remove the SIM card. You should also delete the phone's internal memory using the ‘Restore Factory Settings' or 'Clear Memory' functions. If in doubt, have a look at your phone handbook if you still have it. If not, search online, or ask your local phone shop to do it for you.

Without careful monitoring, you may well be completely unaware that your identity has been stolen – until you are unexpectedly turned down for credit, or contacted about a debt that isn’t yours.

Wednesday, March 11, 2009

Security in a Multi-Tenant Building

In many locations around the world companies find themselves in the setting of one of many company occupants in a multi-tenant building. The security implications of this are significant. Contract guarding in such situations is frequently inadequate and there are numerous loopholes that can be exploited by a potential adversary.

Delegates attending the Premises Security session of the Security Management Stage 1 Course currently underway in Stellenbosch, South Africa, looked at some of the questions that should be asked, including:

1.Who are the other tenants and what risk do they attract?
2.How effective is the contract security team? Are they trained and vetted? Are they poorly paid? Is it easy to confuse them due to the range of building occupants? Do they have very limited jurisdiction? Is there a quick response force and is it adequate? Have the guards been trained and exercised in threat response?
3.Is the security team provided by a reputable company?
4.Is there good liaison with local law enforcement?
5.Do the guard team staffing levels match the threats, or simply the occupant peak inflows/outflows?
6.Does the entire security “system” match your security risk analysis?
7.Is the property boundary commensurate with the assessed risk, and is it clearly demarcated?
8.Is there a comprehensive building emergency plan and a communications system? Is this shared with building occupants? Is there a practised (and compulsory) evacuation procedure? What life safety systems are in place? Are there sufficient emergency exits and is the assembly area safe?
9.Has the building been constructed to be resistant to catastrophic or progressive collapse in the event of an explosion? Are there potentially dangerous design features that could exacerbate blast enhancement?
10.Are there standard access control procedures for staff, visitors, service and maintenance personnel? Are they applied, are they complied with, and are they effective?
11.How easy is it to drive a suicide VBIED into the front vestibule?
12.How easy is it to leave a VBIED in the loading bay?
13.How effective are the vehicle and material delivery security procedures?
14.What is the exterior construction of the building? Does it pose a fragmentation hazard in the event of an explosion?
15.Where is the central security post? Would it be neutralised in the event of a frontal terrorist attack? Does it have ballistic protection?
16.Where are the critical building systems located?
17.Are the air intakes (HVAC) protected, or at least elevated away from easy access?
18.Does the building have strengthened glazing?
19.Do those responsible for security of individual occupying companies liaise? Is there a security committee? Are there weak links?
20.Is parking close to the building? Is it underground? Is there an exclusion zone close to the building for only pre-authorised or searched vehicles?
21.Is there fuel delivery and does this pose a threat?
22.Are the building security systems linked to an uninterruptable power supply?
23.What are the vehicle identification procedures? Do all vehicles require passes?
24.Who manages the CCTV system? Is the surveillance effective and is there a credible response? Are the images recorded and, if so, for how long are they retained?
25.What are the arrangements for intrusion detection and response?
26.What are the access control arrangements by day and night? What are the working patterns of other occupant companies? Do these cause security vulnerabilities?
27.Who has keys to what and how is key control managed?
28.What are the arrangements for cleaners? Is it compulsory to use the building owner’s cleaners, and if not, what security threats are posed by cleaners independently hired by other occupying companies?
29.Are the emergency exits secure and alarmed? Are they misused by smokers?
30.How accessible is the roof from adjacent structures?
31.Are roof apertures protected?
32.Are ground and first floor windows structurally protected against intrusion? Does this violate any life safety codes?
33.To what extent is the building (and its critical systems) redundant?
34.How effective is the standby power for security systems?
35.What are the emergency services response times?
36.Does the exterior design of the building allow for good surveillability (human and CCTV) by day and night, or are there blind spots and overgrown vegetation? Are the grounds well maintained or untidy? Is there sufficient illumination at night?
37.Is there appropriate signage to deter potential adversaries?
38.What have been the experiences of other tenants with the property owner?
39.How is the building constructed? If it is made up of pre-cast concrete or steel framed structures with open-web joists, it is likely to collapse if exposed to blast pressures.
40.What are the insurance arrangements? Who is responsible for reinstatement in the event of a serious security incident incurring building damage?
41.What are the procedures and is the security team is underperforming or performing inappropriately? Do buildings tenants have access to, in input into, the security procedures?
42.What provision is there for responses to a rise in the security operating level?
43.Can in-house intrusion detection technology be monitored by the site security team?

Monday, March 9, 2009

Security Experts Gather in South Africa


Fifteen security professionals from across Africa and representing industries as diverse as diamond mining, oil and gas, tobacco, banking, security services, and gold/copper mining have gathered in the mountain setting of Stellenbosch, South Africa, to begin a two-week Security Management Stage 1 Course, led by David Cresswell CPP PSP.

This is the first of a series of university-accredited courses planned for South Africa. Later in 2009 it is intended to hold Security Management Stage 2 in Stellenbosch.

Wednesday, March 4, 2009

Join Hundreds of Security Managers Worldwide in Achieving Recognition as a Competent Professional

Security Management Stage 1 (Postgraduate University Accredited)

“The course is EXCELLENT content & procedure wise. A MUST for the Security Manager.” Corporate Security Manager, Manufacturing Company

23 March – 3 April, UK
20-31 July, Kuala Lumpur
3-14 August, UK

http://www.arc-tc.com/pages/university_acredited_sm.asp#sm1

***

Security Management Stage 2 (Postgraduate University Accredited)

“The SM2 was challenging ….overall a very successful programme and highly recommended for security professionals..” Security Manager, Multinational Oil Company

29 June – 10 July, UK
12 – 23 October, UK
9-20 November, Kuala Lumpur
6-17 December, Qatar

http://www.arc-tc.com/pages/university_acredited_sm.asp#sm2

***

Security Management Stage 3 (Postgraduate University Accredited)

“Excellent presentation of topics. Leant a lot, especially when focussing on the more strategic elements.” Security Manager, Logistics Company

11–22 May 2009, UK
7-18 September 2009, UK

http://www.arc-tc.com/pages/university_acredited_sm.asp#sm3

***

Security Surveying and Design

Learn how to survey on a practical course using a real site, and dispense with the expense of external surveyors! "The course has been really useful. I have not met such a professional (trainer) in security business before."

20-24 April 2009, UK

http://www.arc-tc.com/pages/other_accredited_sm.asp#s2

***

Security Coordination and Management

“Not only a learning experience, but one of the most enjoyable courses I’ve been on.”Company Fire Prevention & Security Manager, Manufacturer

30 March – 3 April 2009, Nigeria
28 September – 2 October 2009, UK
25-29 October 2009, Oman

http://www.arc-tc.com/pages/other_accredited_sm.asp#s1b

***

Advanced Investigation Techniques

“It was a very interesting and useful training course.”

1-5 June 2009, UK

http://www.arc-tc.com/pages/accredited_investigation.asp#f2

For details on any ARC course, or to make a booking, contact Janet, and quote BLOG3 to qualify for a discount.

Many more courses can be found at http://www.arc-tc.com/

ARC Training Expands to SE Asia with an Exciting Programme of Courses

ARC Training is pleased to announce that it will be offering the following courses in Kuala Lumpur in conjunction with its local representative Kavaq:

- Security Management Stage 1, 20-31 July 2009
- Managing Security Risks in the Oil and Gas Sector, 3-7 August 2009
- Security Management Stage 2, 9-20 November 2009
- Security Management Stage 3, 18-29 January 2010

Delegates can expect the same quality courses as delivered in the UK, with the same ARC trainers.

Sunday, March 1, 2009

Cellphone Standardisation Will Significantly Increase Risks to Company Data

Three facts:

1. Most companies do not control which peripherals can be successfully connected to the USB ports of computers and laptops, despite software to perform this function being readily available.

2. Plugging a USB flash drive into a company computer’s port is one of the easiest ways to steal data; there is virtually no crime scene and the flash drive can be encrypted so as to make the evidence literally irretrievable.

3. In surveys about workplace data theft, employees consistently admit to copying sensitive company information for personal purposes (future employment elsewhere).

Data theft is one area in which, in the majority of cases, the threats are significantly greater than the countermeasures, and where companies are negligent in discharging their duty to protect this most essential asset.

With employees seemingly free to walk in and out of the workplace with personal flash drives, and precious few controls to stop them from using the drives for nefarious purposes, the situation is about to get a whole degree worse.

The GSM Association, the lead body of the mobile phone industry, has announced that by 2012 the majority of phones shipped around the world will use a universal mini-USB charger, the implications of which will be:

1. All employees will be walking around with devices that connect directly to company computers.

2. Employees will be tempted to charge their phones directly from desktop computers and laptops.

3. Data theft will be achieved by a simple sliding of the mouse between folders.
What’s more, in three years time many of us could be carrying our mobile phone on our wrists, in the form of a GSM wristwatch.