The evolution of physical security has brought about numerous changes to the way security professionals think about security. In the past, people associated physical security with a fenced facility with a guard at the entrance to act as a deterrent or to verify the identification of persons wishing to enter the facility. This approach to physical security was appropriate in the past but has since changed because security dynamics have changed. Security management models have had to evolve into proactive processes embedded throughout an organization to address the new roles and responsibilities of security within an organization. To illustrate why successful security management is driven by an agenda of financial viability enhancement, this paper will explore the various security management models available as a framework for illustrating what can make security management successful in enhancing an organization’s physical security, as well as its advances in Information Technology (IT).
As the United States remains a target for terrorists and other groups attempting to infiltrate our nation’s most sensitive resources, police, military and federal agencies must stay ahead of our enemies. Since the September 11, 2001 terror attacks, the United States has thwarted over an estimated 60 terror plots directly aimed at symbolism, damage and human loss.
Deterring, detecting and defending through people, technology and physical barriers are some of the foundations of the Security Management degree plan. I plan to research additional methods of the aforementioned in order to provide strategic approaches to protect our nation’s assets against terrorism, intelligence, espionage, lone wolf attacks and other bad actors.
Q1. What is the statistical data in the United States for attacks on our country/infrastructure since 9/11?
Q2. How did state/federal law enforcement change after 9/11 and what new threats do we face?
Q3. In the last 20 years, how and why did our Government change the way we protect our federal facilities and infrastructure against physical, cyber and terrorist threats?
Q4. What detection and deterrence methods are used in Physical Security Plans to enhance the overall security of the enterprise?
Q5. How can technology (IT/Cyber) help the United States prevent future cyber or digital attacks?
Key Points Addressed
P1. Snapshot of the post-Oklahoma City bombing and 9/11 changes which drove major changes to how we protect/defend private and government facilities.
P2. The changes in local, state and federal law enforcement with regard to force protection/anti-terrorism against our enemies, including insider threats.
P3. Advances in information technology (IT) and cyber warfare and how effective measures protect our most sensitive assets.
Proposed Methodology/Research Strategy
Through quantitative research, I look to evaluate statistical data on attacks on our nation. Because of its numerical nature, I will attempt to hypothesize and predict using the cause and effect method the outcomes of security if correctly implemented.
From a mixed research perspective, I will conduct extensive research into what it takes to plan, implement and employ effective security measures in order to secure our nation’s most sensitive assets. I will research and outline a Security Manager’s priorities based on Crime Prevention Through Environmental Design (CPTED). I will further research the concepts of physical security, personnel security, surveillance through CCTV, as well as human sensors (security guards) and entry control.
For this capstone, I will focus my attention on effective security design; specifically, in light of the largest attack in our nation’s history, how our physical security foundations have adjusted focus based on lessons learned.
On the surface, I do not anticipate having too many limitations, since this research project will use unclassified, open source data regarding effective security design. However, my primary limitation will be just that: I will not be able to cite classified sources of information pertaining to security measures and attack details.
Security has been an issue ever since people first feared for their lives and needed to feel safe. Before technology, the only way to be safe was either to lock the doors or hire someone for protection. Physical security comes in many forms, anywhere from a new lock system on the door to a multimillion-dollar security alarm system. One fact is certain: U.S. citizens prefer to feel safe and not be concerned about what may occur down the road. In a sense, physical security consisted of security guards and locked doors for decades. However, once the computer system was invented, security took on a new world of its own. Everything in security started to turn to electronic equipment. In most cases, electronic systems became more reliable than the everyday guards, who were untrained to be in a position to protect. Guards were, and are today, deterrents more than anything. Ever since 9/11 occurred, security has stepped up and taken on a new way of doing business. With the help of technology and better-trained people, businesses can rely on these companies to help protect their assets much better than they used to.
What drove the need to change the way we protect our facilities?
The Interagency Security Committee (ISC) is the committee established by President Clinton after the Oklahoma City bombing in 1995. At the time, it was the largest vehicle-borne attack perpetrated on a government facility in the United States. Because of how the attack occurred, several deficiencies in protection were identified, such as a lack of security or standard policy. Meeting these requirements for the protection of government owned or leased facilities and personnel was the priority for the ISC, a committee created to standardize security, information sharing, and physical elements (stand-off/blast protection).
The ISC was formed by bringing together 23 different agencies responsible for creating policy regarding security for federal facilities (Clinton, 1995, para. 1). Of note, this order did not apply to military facilities, as measures and doctrine were already being used. This committee was to create all standards and policies regarding security, whether that was construction standards or the formation of a database. Furthermore, the ISC is responsible for staying abreast of any changes and implementing further guidance. Prior to 1995, security standards were not practiced the same way at any facility except in cases where practices were known by the individual managers.
Before the Oklahoma City tragedy there was no true minimum security standard to follow or obtain guidance from. Physical security practices had been used along with entry control and guards; however, these could differ based on the Security Manager of each facility. According to Stout, “It should be noted that most federal facilities had had enhanced security long before the Murrah Building bombing. The threats were already well-known based on previous incidents overseas…” (2015, para. 3). Today the construction standards and the distance to access a building, also known as stand-off distance, are some of the major considerations affected after the attack.
Most of the events over the last few years have focused on training for active shooter threats, generally coming from individuals who already have access. To address and manage these threats, the ISC has provided the policy necessary to conduct these assessments, and then provides standards/best practices through new construction, practices, or modification of existing standards (Homeland Security, 2017, para. 2-3). As mentioned above, one of the biggest factors to consider was stand-off distance with regard to vehicle-borne improvised explosive devices. This simple act can prevent many of the effects of large bombs and is considered a primary practice.
Executive Order 12977 was a launching point for the formation of a dedicated committee to address government facility security policy. This committee was formed by meshing 23 different agencies together to create, plan, and integrate minimum standards of practice/policy for all government owned or leased property. Prior to the ISC there were physical security measures in use; however, there were no minimum standards. After the ISC was formed, all best practices, assessments, and guidance were provided, from construction to modifications, as well as how to constantly assess for future threats. This committee has evolved the manner in which the government should protect the personnel and buildings it is responsible for.
New threats we face…
Around the globe there are constant threats and attacks being carried out by those who are against their government and the decisions that are made, or by terrorist groups and lone-wolf terrorists who look to bring destruction and chaos into the world of others. Preventing and combating the growing number of attacks on U.S. facilities, both abroad and domestically, has become a great challenge for those who work inside the many agencies within our nation’s government. Physical security breaches of U.S. facilities, either violent or non-violent, can affect how security is measured at these locations. Such security measures have been tested at a government location known as the National Institute of Standards and Technology (NIST).
No exact date was disclosed in the report put out by the Government Accountability Office (GAO), which spoke of the attempted and successful physical security breaches into the NIST campuses in both Maryland and Colorado. These security breaches were carried out by GAO undercover federal auditors, who were able to gain access on 15 different attempts to areas inside these two locations that are off limits to anyone who does not hold the appropriate clearances or the proper credentials required to be allowed access to these areas (physicsworld, 2017). These attempted and successful breaches were conducted because of past incidents where several individuals made their way onto the campus and wandered into areas that were supposed to be secure and have controlled access. In April of 2016 an individual was found wandering a building site by facility officers inside the campus perimeter. This breach, though deemed “accidental”, and the successful breaches carried out by the federal auditors have set in motion the need for the facility to reconsider its physical security measures and protocols (nextgov, 2017).
The National Institute of Standards and Technology is responsible for suggesting and providing assistance to private and federal agencies on how their cybersecurity and information security policies should operate. All federal agencies within the United States government must follow any actions that are put into effect by NIST. The GAO suggested that the split of operational control over the physical security of the facility between NIST and the Department of Commerce is a probable cause of how these security breaches were so successful (physicsworld, 2017). As incidents of attacks against U.S. facilities domestically and abroad grow, the number of attacks carried out by lone-wolf actors is growing alongside them. These types of attacks have become more prominent since 9/11, and they are harder to deter due to the lack of the communication that usually occurs within large terrorist organizations. The lone-wolf terrorist is spontaneous at times and goes undetected until the act has been carried out. Terrorist organizations are operating more on the lone-wolf front because this type of attack has been far more successful than attacks in which multiple individuals of a group were involved (Michael, 2014). At times attacks carried out by a single person are not connected to any terrorist group or ideology but stem from their own thoughts and mindset, and a number of those attacks that end with many casualties are then claimed by terrorist groups like ISIS or Al Qaeda as their own doing, as though they were the ones responsible for the actions carried out. The war on terror is no longer a threat that is fought in the Middle East; it is a threat that has moved across the waters and is currently at the doorstep. The fight against terrorist groups and the more prominent lone-wolf attackers has our government at a constant step behind.
The relationship between terrorist groups like ISIS and the lone-wolf terrorist is hard to connect. Those who have carried out attacks as a single entity, like the recent New York incident, claim they did it in the name of ISIS, but are there any true connections between that individual and the terrorist organization? Our federal agencies will look for any connections, but that search will most likely bring up no such connection, so determining whether terrorist organizations are now looking to operate more through individual attacks instead of large coordinated attacks is going to be hard, due to the number of lone terrorism attacks that stake their claim alongside those organizations and end up having no ties of any kind.
Incidents can even impact the safety and security of the President of the United States. In March of 2017 an individual by the name of Jonathan Tran was caught attempting to enter the White House after a successful breach of many physical security measures. This individual was able to scale three separate barriers leading to the White House while also evading the Secret Service responding to the incident and triggered sensors. When asked why he wanted to get into the White House, Tran stated, “I am a friend of the President. I have an appointment” (2017, para. 5). Tran was found with a backpack containing a letter, a laptop, and cans of mace. Later Tran admitted to wanting attention, although it may never be fully known exactly why this individual decided to breach the White House perimeter.
The event showcased that even one of the most protected federal facilities, which houses the President of the United States, can fall victim to security breaches. The Secret Service is in charge of these duties, while the Federal Protective Service is the authority for all federal facilities. It is also known that for DoE facilities the National Nuclear Security Administration secures its own facilities. The point of failure can be attributed to many factors; however, systems are only as good as the operator controlling them, as well as the guard on the ground responding and being aware of a change in baseline.
The highest anti-scaling fence that was climbed over was only eight feet tall. While that is sufficient for many applications, the average individual would have a harder time with a 10-foot fence. While defense in depth was used for overlapping sensors, the security personnel became accustomed to false alarms. According to Williams, “Officials said at the time that Tran triggered motion detector alarms but that officers on duty thought it was the movement of animals on the grounds, a frequent occurrence” (2017, para. 3). Complacency in this case may be the official answer to how this was able to happen at the White House. One could consider this a lone wolf attack; however, the intent may never be known.
Lone wolf attacks, such as the most recent, in which an individual used a rented truck to run people over in New York, continue the trend of decentralized operations by terrorists. According to Metz, “As terrorism mutates into two tracks, the United States must adjust its strategy. Track I terrorism is more amenable to traditional counterterrorism. It requires training, organization, funding and communication. All of these create vulnerabilities that counterterrorism forces can exploit” (2016, para. 7). These groups still exist and can be fought, as in the operations against ISIS. However, just as with the Vietnam War and guerrilla operations, blending into the environment allows for anonymity of the terrorist group or individual.
Decentralization and compartmentalization are how groups avoid having any individual know too much information, when to act, who is acting with them, or who they are receiving the information from. By using propaganda, individuals can target at-risk individuals to persuade them to help with whichever cause the group is trying to establish. Avoidance techniques like these are born from the tactics used to counter them. Furthermore, technology has created the ability to continue this small group mentality.
According to Metz, “Track II terrorism will be harder to control. The contributing factors, which include the glorification of violence in popular culture; the recruitment and inspiration of people with mental health problems via social media; the ability of terrorists to weaponize things as widely available as trucks; and the decay of traditional systems of discipline, personal meaning and authority will not go away, at least in the short term. And one attack spawns others” (2016, para. 8). This shows the ability of technology to reach across continents! People become more accustomed to violence in everyday life by being granted instant access via the internet, and the sensitization of news media in a globalized fashion can make individuals numb to the violence that occurs. This is what has shaped current events and how terrorists operate.
Tactics dictate the flow of creativity to avoid detection. Take, for instance, the use of Improvised Explosive Devices (IEDs) during the Iraq War. Remote detonation using devices such as a cell phone was prevalent early on, and this still occurs. After devices were brought in to defeat these remotes, command detonation and rudimentary applications appeared more frequently. It is the flow of one fighting force against another. Spaaij states, “The predominant use of firearms in lone wolf terrorism is particularly interesting when compared to collective terrorism. Bombings and firebombings are the most common form of terrorist incident, accounting annually for 65–75 percent of all international terrorist attacks. Lone wolf terrorism thus partially differs from group-based terrorism with regard to its weaponry” (2010, p. 864).
Overall, logistics, money, technology, psychology, and asymmetric conditions allow for the change in terrorist tactics. That can be explained in terms of how the United States controls sensitive information with differing access controls from secret to SAP. By decentralizing its operations, the group can be more successful while also avoiding detection. Controlling smaller groups is also easier than controlling large ones. Warring factions competing for control can also create these conditions for splinter groups. All of these factors and more could be the reasons behind the smaller scale terrorist tactics.
Protecting those who protect us…
The security of military installations varies from the security of other federally operated facilities. The nature of the work and the weapons of war found on such facilities merit different protocols to secure this environment. Department of Defense (DoD) Instruction 5200.08 – “Security of DoD Installations and Resources” gives instruction on how military facilities will manage physical security. In addition to the 5200.08 is the 5200.08-R – “Physical Security Program”. Perhaps most important is the Unified Facilities Criteria 4-010-01 – “DoD Minimum Antiterrorism Standards for Buildings”. The UFC deals with the “…planning, design, construction, sustainment, restoration, and modernization criteria…for all DOD projects” (DoD, 2013) with the intent of minimizing death or injury in DoD facilities in the event of a terrorist attack. While the emphasis remains on terrorist attacks, the construction standards could also prove useful against attack in a military conflict, if such a scenario ever played out on American soil or at overseas DoD installations. The UFC 4-010-01 is the military standard for any new construction and is also applicable to major renovations to facilities built prior to the UFC. The 4-010-01 addresses such construction requirements as standoff distances, resistance to blasts or small arms, and even cost considerations when seeking to deviate from these requirements (DoD, 2013). Some DoD facilities may be designed to NATO standards for protective measures and take into consideration the standards of the UFC to further harden structures.
Security of non-military federal facilities does not fall under the authority of the UFC 4-010-01; instead these facilities are under the direction of the Interagency Security Committee. The ISC also aims to safeguard facilities through many of the same measures and standards mentioned in the UFC. The differences in what is being secured and the intended nature of the work allow for different standards. The DoD secures war-making material and information; the rest of the federal government focuses more on securing information and providing safe places for federal employees to work or perform diplomatic functions. “The ISC Standard is more directed at physical and electronic security and operational countermeasures to address a series of identified threats in a risk-based fashion; [the] UFC 4-010-01 is focused on facility design to resist specific baseline threats” (Refroe et al, 2016). The ISC goes into more detail to produce countermeasures and operational environments to protect the civilian locations where most of these facilities are located. The UFC, however, does not address these operational and directed countermeasures in great detail because the DoD already has other guidance to address these areas and secure DoD installations.
Another difference is that the ISC uses Facility Security Levels (FSL) to decide what security level a facility needs to be designed to. A lower FSL building will be less secure, but designed to defeat threats in the area of operation – it is a cost saving measure that is meant to give adequate security at the right price for the threats present. The UFC does not encourage such a system and seeks to have all DoD buildings meet the minimum standards to resist terrorist attack. While the UFC does have exceptions, they usually result in more money being spent on building a stronger facility (windows, doors, and other construction materials) to resist attack. Both standards meet the intended goals of keeping facilities and people safe; the requirements vary to meet the working conditions that are present in the civilian sector compared to a military environment.
Sometimes when something is overdone it can cause more harm than good. Knowing what to do, and knowing when to say enough is enough, is the key to a safer environment. The right amount of security is good for the morale and the well-being of employees, but putting too much security in place creates unease for those who may feel like they are in a prison. A security system and the system’s design depend on the location, building type, and what needs to be secured. Recent trends are showing that buildings of all shapes and sizes are now candidates for security planning that runs hand-in-hand with the architectural process. Another factor to consider is what the security system is designed to protect, and to remember that security is not just about the people inside the organization but also about the building’s contents. I have viewed several external building structures and I will indicate their abilities to withstand various types of attack. I will discuss types of lighting, perimeter controls, security guards, CCTV and other monitoring devices, motion sensors, and pedestrian traffic and access control.
Every plan takes on a unique design approach. Interaction should be maintained between the architect and the security planning team and/or engineer. This is important because the builder will typically install all the windows, doors, locks, lights, perimeter security and most of the other security features of the organization (Carpency). Importance should be placed on optimizing space, time and cost, and on how to incorporate efficient ways to update the equipment when the time comes later to upgrade to a newer security feature, system or model.
Physical security is not only a matter of introducing ways to secure a site; it can also be achieved architecturally. The building could be designed with fewer entrances. Providing fewer ways to break in could cut down the chances of someone thinking of entering the building. In addition, reinforcing glass windows makes it harder for someone to break in, and positioning some employees in work areas will help oversee protection (Carpency).
Much of the time a good design or layout is the icing on the cake and will help protect what he or she is trying to protect. The main purpose of physical security is to make sure that the company is protected and everyone who works there is safe. When trying to determine what needs protection, a person needs to ask these questions: what assets need protection, what threats are there to those assets, what vulnerabilities do the assets have, and what are the priorities? Once those can be answered, there is a good chance of having a good physical security system in place.
Cradle to Grave…
A concrete security plan is necessary in order to uphold a successful place of business with a solid security design plan. Any mall or retail store needs to have a suitable form of security to operate properly and be able to make a profit. Security can have many different forms. These forms can vary from locked gates to armed guards and access points. Electronics can also play a key role in keeping a business secure and safe. Security systems like surveillance cameras, alarms, and security personnel watching the cameras can play an important role in the success of the business (Whittle, 2008). This is all done to keep merchandise from leaving the stores or premises without being paid for.
The core concept of physical security is to detect and prevent an intrusion (Whittle, 2008). Physical security involves the detection and prevention of any unauthorized intrusions. Although businesses will have vulnerabilities, physical security can be used to protect the areas of weakness and protect the business. The main concept of physical security is to create obstacles to protect the people, environment, and other assets of the business. Security is the backbone of a business when concerning protection. Physical security can improve a business in several ways. Different areas of a business that lack protection or enough physical contact to protect a business will be considered to create or change surveillance and notification systems. Change takes time and several changes could be ineffective.
Crime Prevention Through Environmental Design
Crime Prevention Through Environmental Design (CPTED) is a theory developed by an architect named Oscar Newman. His concept or theory is based on defensible space, wherein he identifies 3 key points to be successful in providing exterior security (McCrie, 2007). His 3 concepts are surveillance, image and environment. In order to be successful with proper surveillance, agencies and/or security must be able to view the exterior of the premises from within the physical facility. This could be done in a variety of ways; however, one of the most efficient and cost effective ways to accomplish this is through the use of video surveillance. I will touch on this below.
Image refers to how the outside public views the establishment. According to Newman, the area is important as it could dictate or have a higher propensity for significant crime. For example, in areas that are poverty stricken, the statistics for violent crimes are higher (McCrie, 2007). And finally, the environmental surroundings of a secured area could greatly impact the effectiveness of the security you are wishing to provide. Depending on the security level of the resource, this could vary. Many buildings requiring security I have seen limit the amount of high or concealable landscape…trees, bushes and high grass. Many places establish a “clear” zone, wherein the landscaping is cut very low and away from the outside of the perimeter fence. This provides a better surveillance method of detection.
Every plan takes on a unique design approach. Interaction should be maintained between the architect and the security planning team and/or engineer. This is important because the builder will typically install all the windows, doors, locks, lights, perimeter security and most of the other security features of the organization. Importance should be placed on optimizing space, time and cost, and on how to incorporate efficient ways to update the equipment when the time comes later to upgrade to a newer security feature, system or model. In my career field in the Air Force (Security Forces), we are directly responsible for defending the installation by ensuring a defense in depth approach and 24/7 security through entry control, police patrols, tactical automated security sensors, K-9, etc. Additionally, most installations have robust security surveillance and monitoring systems. As an Installation Security Manager, I had to work very closely as the subject matter expert for our “environment” as we closely coordinated with contractors as they installed our security measures.
Lighting is very important for any organization regarding security concerns and procedures, and lighting serves as an excellent psychological and physical deterrent (McCrie, 2007). Perimeter control is also very important for external building structures. Examples of perimeter control are fences, gates, walls, landscape, lighting and locks. Fences include gates, turnstiles, and mantraps. Fences provide crowd control and help to deter trespassers. The drawbacks to fencing include cost, appearance, and the inability to stop a determined intruder (Groom, 2007). A mantrap may be more effective because the entrance is routed through double doors and is monitored by a guard or CCTV. Locks can be used to secure the organization and the organization’s goods. Locks can be divided into two types: preset and programmable. Preset locks are the most common type. In order to change the lock, the lock must be removed and replaced by another one (Groom, 2007). Types of preset locks are mortise, rim locks, and key-in-knob. These types of locks all have variations of cylinders, dead bolts, and latches. Programmable locks can be either electronic or mechanical. These types of locks are often dial combination locks similar to those used in high school lockers; however, electronic locks require a digital number to be entered into a key pad in order for them to unlock. Examples of landscape control are hedge bushes, tall trees, or mountains that may surround the area, deterring people from entering because of a lack of vision or an unwillingness to attack (Groom, 2007).
Balanced Security/Defense in Depth
In the world of security, we are always looking to keep the advantage for what and when we protect. The bad guys will normally have the advantage of the element of surprise; however, our vigilance and response will or should shift the advantage to our side. This is done by establishing a balanced protection plan. Balanced protection is a plan that protects from any unwarranted attackers or intrusions. Detecting and preventing anything that can cause harm or damage to the business or organization is the focus of any security agency. Usually all businesses have weaknesses or vulnerabilities, but security plans are in place to protect them. The intent of balanced protection is to control access and prevent the interruption of operations (Carpency). These goals are accomplished using effective countermeasures ranging from fencing and lighting to electronic surveillance equipment and carefully defined policies and procedures.
The basic concept of physical security is to create barriers or obstacles that will protect people, their assets, and the environment. In our readings for the last few weeks, there has been a high emphasis on ensuring plans provide “detection, delay and response” as part of a well implemented security plan (Carpency). A balanced protection initiative can’t prevent everything, but creating protocols and ways to back up systems, or creating a way for these businesses to rebuild without completely losing their business, is a way to protect. To be prepared for anything is hard to do, but with research and good instincts a business could be and feel safe from manmade and natural disasters. Security can be used to fix any gaps or problems with security. This may bring in surveillance, fences, someone hired for the front desk, security badges for employees, or guards at entrances. Anything that could prevent unwanted visitors and that would be the proper type of security for the business will be considered. Additionally, a defense in depth approach will not only deter a threat or enemy, but will delay it and give us or a security team the advantage to respond, neutralize and physically control the threat. Physical control is important for controlling threats from the inside and the outside in order to minimize them.
Cyber Security…Key to Future
Cyber security is best understood if we first define the term cyber risk. Cyber risk is not one specific risk but a group of various risks that differ across the technological world; these risks include attack vectors, means and many others (Lacey, 2007). Cyber security is a measure taken to eliminate cyber risks; it is a branch of information technology, sometimes referred to as information security, that is applied to computers as well as to networks (Lacey, 2007). The digital platforms and networks must be secured; this will ensure the information technology of the future will be able to defend the vital infrastructure and also be able to respond to cyber attacks from enemies. The potential targets could range from cellular phones and networks to government networks to our economic infrastructure. Continuous advancements in the protection of this information technology are critical to our future.
Defense Secretary Robert Gates predicted that cyber-attacks are increasingly looming. They “could be as destructive as the terrorist attack of 9/11” and might amount to a “cyber Pearl Harbor” (Brown, 2006). Gates provided terrifying details of previous attacks that disrupted financial institutions in the United States and of a computer virus which penetrated the systems of the Saudi Arabian Oil Co (Brown, 2006). These attacks are just some illustrations which point to a very scary trend. According to the U.S. Cyber Command, computer system intrusions against infrastructure swelled 17-fold between 2009 and 2011, and cyber-based strikes have led to the theft of about $1 trillion in intellectual property (Brown, 2006).
Threats to Our Digital Information
On September 11, 2001, the United States federal government called attention to a security breach in a European airport that, until recently, has been overlooked. The federal government said that a large European airport hacked into the airline’s curbside check-in service and successfully provided clearance for the terrorist and 10 others to board flights to the United States under assumed names (TSA.gov). It was said the hackers had infiltrated the system’s network by plugging in a middle-man attack USB (Universal Serial Bus) device to monitor and change the flight rosters. Since then, cyber-attacks have doubled and even tripled. While the traditional response to a security breach is to find the breach and redact any damage caused by the attacker, it is now known how important it is to keep the equipment and areas secured from these attackers. Understanding the limitations of defenses for the attackers highlights the complexity of trying to defend against these threats for corporations and the United States federal government, and to do so we have to define what they are and what threats they pose.
The infrastructures that support the lives of Americans and those that support the U.S. Military are targeted from inside as well as outside of the United States. Terrorist attacks aimed at weaknesses within critical infrastructures will allow the terrorists to gain the attention they desire, and avoid the damaging conflict to their organizations. Understanding our infrastructures, their criticalities and the threats facing them is necessary to continue our way of life as we know it. As new technologies increase the speed of operations, the flow of information, or the timeliness of the common operating picture, opportunities to damage or destroy also increase. We must continually evaluate the new system as well as determine the capabilities of the threat to ensure every move forward does not expose a weak link to attack.
Here is the bottom line: our world’s cyber infrastructure is extremely vulnerable. In the United States, the Department of Defense is unable to fight the fight completely on its own. Enterprises that do not take the necessary steps to protect and secure their most sensitive assets are placing both critical resources and national security at direct risk. Yes, cyber security guidelines and foundations are an imperfect response to a different and dangerous new territory of warfare. Currently, however, they could be the only or primary measure standing between us and the cyber abyss. Cyber-attacks more often than not are considered the effort of global intelligence agencies, elite criminal groups and even low level lone hackers who can actually pose a very high threat. To that point, these threats can come from hackers or cyber guerrillas employed by countries hostile to United States interests. Moving forward, all we can do is defend and protect ourselves in the most efficient way possible and always be cognizant of and vigilant for any indicators of criminal cyber actions.
Physical security experts need to be well versed in any situation. Even in cases of fire, security professionals need to know each step that needs to be completed in order to protect the enterprise and the personnel within. Additionally, in cases of physical intrusion, security needs to ensure they know how to take action fast, before criminals commit any harm to the enterprise. It is vital for security professionals to be aware of the vulnerabilities and threats that face the organization because the organization depends on them heavily.
Fennelly, L. (2012). Effective Physical Security (4th Edition). St. Louis, MO, USA: Butterworth-Heinemann.
McCrie, R. (2013). Security Operations Management. Burlington, MA: Butterworth-Heinemann.
Groom, R. (2007). Protecting the Perimeter of Your Building. Retrieved December 12, 2017, from http://bizsecurity.about.com/od/buildingsecurity/a/protectperm.htm
Johnson, A. & Gross, A. (2017). White House Fence Jumper Jonathan Tran Freed Under Court-Ordered Monitoring. Retrieved from https://www.nbcnews.com/news/us-news/white-house-fence-jumper-jonathan-tran-freed-under-court-ordered-n733051
Metz, S. (2016). Can the U.S. Counter Terrorism’s Shift to Decentralized and Random Violence? Retrieved from https://www.worldpoliticsreview.com/articles/19505/can-the-u-s-counter-terrorism-s-shift-to-decentralized-and-random-violence
Williams, P. (2017). California Man Who Entered White House Grounds Pleads Guilty. Retrieved from https://www.nbcnews.com/news/us-news/california-man-who-entered-white-house-grounds-pleads-guilty-n782771
Carpency, Frank, M. (n.d.). Systems Design and Engineering [PowerPoint Slides]. Carpency and Associates, LLC 13425 Scottish Autumn Lane. Gaithersburg, MD.
Whittle, T. (Director) (2008, September 15). Security Systems Design: Part I. ASIS NATIONAL SEMINAR. Lecture conducted from , Charleston.
Groom, R. (2007). Protecting the Perimeter of Your Building. Retrieved 16 July, 2014, from http://bizsecurity.about.com/od/buildingsecurity/a/protectperm.htm
Clinton, W. (1995). Executive Order 12977—Interagency Security Committee. Retrieved from http://www.presidency.ucsb.edu/ws/?pid=50669
Homeland Security. (2017). Interagency Security Committee Policies, Standards, and Best Practices. Retrieved from https://www.dhs.gov/isc-policies-standards-best-practices
Stout, K. (2015). How the Murrah Building Bombing Changed Federal Facilities Security. Retrieved from http://knowledge-leader.colliers.com/kurt-stout/how-the-murrah-building-bombing-changed-federal-facilities-security/
Michael, G. (2014). Counterinsurgency and Lone Wolf Terrorism. Retrieved from http://www.tandfonline.com.ezproxy1.apus.edu/doi/full/10.1080/09546553.2014.849912?scroll=top&needAccess=true
Fennelly, L. (2012). Effective Physical Security (4th Edition). St. Louis, MO, USA: Butterworth-Heinemann.
Physical security expert Lawrence Fennelly dives deep into the strategies for creating a formidable physical security plan. In this portion, he describes how the mindset of people has to be altered so that everyone is in agreement on what is needed to protect the company assets. Next comes developing a good security contingency that meets what the company is looking for, and then the implementation of the whole security outfit that everyone agreed upon. When trying to have a security plan pass, everything has to be taken care of to have it pass through (Fennelly, 2012). Fennelly mentions that all physical security systems need to cover all the devices, such as technologies and specialist materials, for perimeter, external, and internal protection. Any good security plan needs a good policy that shows who needs to do what and how to go about doing it within the company by-laws and so on. One of the staples of my capstone project is bare bones physical security measures. Fennelly is world-renowned in this field. His concrete foundation in proven core fundamental principles is an extremely important part of my research and I hold his expertise in very high regard.
McCrie, R. (2010). Security Operations Management. Burlington, MA: Butterworth-Heinemann.
Robert McCrie is a Security Operations expert who describes the concept behind Crime Prevention Through Environmental Design (CPTED). CPTED is a theory developed by an architect named Oscar Newman. His concept or theory is based on defensible space, wherein he identifies 3 key points to be successful in providing exterior security (McCrie, 2010). His 3 concepts are surveillance, image and environment. According to McCrie, in order to be successful with proper surveillance, agencies and/or security must be able to view the exterior of the premises from within the physical facility. This could be done in a variety of ways; however, one of the most efficient and cost effective ways to accomplish this is through the use of video surveillance. Image refers to how the outside public views the establishment. According to Newman, the area is important as it could dictate or have a higher propensity for significant crime. Physical security is the stokehold of our degree plan and my capstone, therefore, McCrie’s expertise is one I will rely on to research and analyze for this capstone research.
Nash, K. (2012) How Integrating Physical and Information Security Mitigates Risks. Web. Retrieved from http://www.cio.com/article/2392576/security0/how-integrating-physical-and-information-security-mitigates-risks.html
Physical and IT professional Kevin Nash goes into depth on the many variables of cyber security. Nash, like many security experts, defines cyber-terrorists as attackers whose motivation is defined by an ideology, or who attack for the sake of their principles or beliefs (Nash, 2012). This view has not shifted from the present day definition. Cyber-terrorists are sometimes considered the attackers that should be feared the most, for it is almost impossible to predict when or where an attack may occur. Cyber-terrorists use the internet and in-house attackers that work for the corporation or federal government to gain access to unauthorized areas or equipment, penetrate security measures and steal or alter information. The search for the right long-term defense strategy has been complicated. Many of the defenses used today by corporations and the US federal government seem lackadaisical and almost non-existent when it comes to combating these threats. The research Nash has conducted and describes is a main point of my capstone in regard to the ever-emerging threat that is cyber warfare.
Lacey, D. (2012). IT and Physical Security Management-Should they be integrated? Retrieved from http://www.computerweekly.com/blogs/david_lacey/2012/05/it_and physical _security _manag_1.html
Lacey discusses how physical controls that were considered optimal in the past are not as effective now because of advances in technology. Attackers and terrorists are evolving and are becoming very sophisticated. Security managers and officials must monitor current controls to keep up with technology in order to balance, develop, and design up-to-date security controls (Lacey, 2012). Human safety is an important part of physical security. The security assessment process begins with identifying threats and vulnerabilities. It is up to all personnel to assist in identifying threats, risks, and vulnerabilities. Also, an effective security policy will ensure that all personnel understand the importance of reporting possible threats, risks, and vulnerabilities. After the potential threats or risks are identified, organizational security officials analyze the risks and determine the likelihood of occurrence and the potential impact of the identified risks or threats on the organization. Some of the factors that are reviewed based on the identified risks are the level of effort to mitigate the risks, the type of technology needed, how much time it will take to complete, and the overall feasibility. This is an important part of my capstone, as a huge portion of it is to ensure our infrastructure and assets remain a hard target.
Brown, R. (2011). Information security means better business. Retrieved from http://www.computerweekly.com/opinion/Information-security-means-better-business
Brown explores the importance of using technology to combat threats and of ensuring enterprises invest in getting the correct people to utilize this technology. New technology changes all the ground rules, and many employees may not understand them well (Brown, 2011). Previously, it was reasonable to rely, to a large extent, on employees’ good sense (for example, in not leaving filing cabinets unlocked). With IT-based systems, they may not even realize that they are taking unacceptable risks. On the other hand, at the opposite end of the skills spectrum, there are highly talented technicians who regard it as a challenge to invade and disrupt systems. They can conduct their attacks from other parts of a network without needing to go anywhere near the premises they are attacking. Combining IT and physical security should also provide more opportunities for lateral movement within the different aspects of security. Instead of just being stuck in physical security, a person may be able to learn more from IT and audits, and with that be able to grow and advance their technical knowledge. I have used this source for my capstone research in order to dive deep into the convergence of physical security and IT.
What are security management models?
The Security Management Model establishes a holistic effective management mechanism to assist the small island states in dealing with multidimensional and transnational threats and challenges to, and concerns about, their security in a coordinated and cooperative manner.
What are security models in information security?
A computer security model is a scheme for specifying and enforcing security policies. A security model may be founded upon a formal model of access rights, a model of computation, a model of distributed computing, or no particular theoretical grounding at all.
What are the 5 components of information security management?
It relies on five major elements: confidentiality, integrity, availability, authenticity, and non-repudiation.
Why are information security models important?
A security model precisely describes important aspects of security and their relationship to system behavior. The primary purpose of a security model is to provide the necessary level of understanding for a successful implementation of key security requirements.
What is an information security model and its classification?
Information security models are the procedures used to validate security policies as they are projected to deliver a precise set of directions that a computer can follow to implement the vital security processes, procedures, and concepts contained in a security program. These models can be intuitive or abstractive.
How many security models are there?
There are five security models used to define the rules and policies that govern integrity, confidentiality and protection of the data.
Which of the following are the security models?
- State Machine Model. The state machine model is based on a finite state machine, as shown in Figure 5.6. ...
- Information Flow Model. ...
- Noninterference Model. ...
- Confidentiality. ...
- Integrity. ...
- Other Models.
IT security management consists of processes to enable organizational structure and technology to protect an organization's IT operations and assets against internal and external threats, intentional or otherwise. These processes are developed to ensure confidentiality, integrity, and availability of IT systems.
What are the four main security management functions?
What Is Security Management? Corporate security managers identify and mitigate potential threats to a company. For example, they assess safety and security policies to ensure that an organization's employees, products, buildings and data are safeguarded.
What are the basic components of the security model?
The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability. Each component represents a fundamental objective of information security.
What are the 4 main elements of computer security?
In order to fulfil these requirements, we come to the three main elements which are confidentiality, integrity, and availability and the recently added authenticity and utility.
What are the 3 components of security?
Confidentiality, integrity and availability together are considered the three most important concepts within information security. Considering these three principles together within the framework of the "triad" can help guide the development of security policies for organizations.
How do you develop a security model?
The five main steps in building a security model are defining personas, defining base profiles, extending access with permission sets, defining the sharing model, and accounting for specific access types.
What are formal security models?
A formal security model is a formal specification of a system's security requirements. As depicted in Figure 3.1, the system model component that specifies how the system operates, interpreted in a specific formalism and a security component which specifies what security property is required.
When was the security model created?
The Bell-LaPadula model was the first mathematical model, and it was developed in the 1970s to prevent secret information from being accessed in an unauthorized manner. Three main rules are used and enforced in the Bell-LaPadula model: Simple security rule.
What are the 4 levels of information classification?
Typically, there are four classifications for data: public, internal-only, confidential, and restricted.
What are the 4 types of data classification?
Data types with similar levels of risk sensitivity are grouped together into data classifications. Four data classifications are used by the university: Controlled Unclassified Information, Restricted, Controlled and Public.
Who uses the Biba model?
In FreeBSD, the Biba model is implemented by the mac_biba MAC policy. In Linux, the Biba model is implemented in the General Dynamics Mission Systems PitBull product. In XTS-400, the Biba model is implemented in the BAE Systems's XTS-400 operating system.
What are security architecture models?
The Security Architecture of the OSI Reference Model (ISO 7498-2) considers five main classes of security services: authentication, access control, confidentiality, integrity and non-repudiation. These services are defined as follows: The authentication service verifies the supposed identity of a user or a system.
What is the Bell-LaPadula model?
The Bell–LaPadula model focuses on data confidentiality and controlled access to classified information, in contrast to the Biba Integrity Model which describes rules for the protection of data integrity. In this formal model, the entities in an information system are divided into subjects and objects.
How might an information security professional use a security model?
InfoSec professionals can use security models as an outline for a comprehensive design of an organization's entire planned security program or as the starting point for a more fully customized version of such a plan.
What is the difference between a security framework and a security blueprint?
A framework is the outline of the more thorough blueprint, which is the basis for the design, selection, and implementation of all subsequent security controls. To design a security blueprint, most organizations draw from established security models and practices.
What are the 7 layers of security?
- Information Security Policies. These policies are the foundation of the security and well-being of our resources. ...
- Physical Security. ...
- Secure Networks and Systems. ...
- Vulnerability Programs. ...
- Strong Access Control Measures. ...
- Protect and Backup Data. ...
- Monitor and Test Your Systems.
What is the Lipner model?
Lipner Model
- Combines the elements of BLP and Biba model to provide confidentiality and integrity
- Describes two ways of implementing integrity
- First method to separate objects into data and programs
- One uses BLP confidentiality model and the other uses both the BLP and Biba integrity model together
- In BLP ...
What is the Chinese Wall model in information security?
The Chinese Wall model is a security model that concentrates on confidentiality and finds itself application in the commercial world. The model bases itself on the principles defined in the Clark Wilson security model.
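The Bell-LaPadula and Biba answers above describe confidentiality and integrity rules over subjects and objects. The following is an added example, not code from this page or from any product it names: it checks read and write requests against the two mandatory Bell-LaPadula rules and their Biba duals, then enforces both together. The confidentiality levels are the four classifications listed on this page; the integrity levels, compartments and sample entities are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Conf(IntEnum):
    """Confidentiality levels: the four classifications listed on this page."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


class Integ(IntEnum):
    """Integrity levels: assumed for this example, not taken from the page."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass(frozen=True)
class Label:
    level: int
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level at least as high AND every compartment covered.
        return (self.level >= other.level
                and self.compartments >= other.compartments)


@dataclass(frozen=True)
class Entity:
    """A subject (user, process) or object (file, record) carrying both labels."""
    name: str
    conf: Label
    integ: Label


def blp_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":    # simple security rule
        return subject.conf.dominates(obj.conf)
    if op == "write":   # star property
        return obj.conf.dominates(subject.conf)
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Biba (integrity), the dual of the rules above: no read down, no write up."""
    if op == "read":    # simple integrity rule
        return obj.integ.dominates(subject.integ)
    if op == "write":   # star integrity rule
        return subject.integ.dominates(obj.integ)
    raise ValueError(f"unknown operation: {op}")


def decide(subject: Entity, obj: Entity, op: str):
    """Enforce both models together; return (allowed, names of violated rules)."""
    violated = []
    if not blp_allows(subject, obj, op):
        violated.append("BLP no read up" if op == "read" else "BLP no write down")
    if not biba_allows(subject, obj, op):
        violated.append("Biba no read down" if op == "read" else "Biba no write up")
    return (not violated, violated)


# Constructed sample entities (hypothetical names and labels).
FIN = frozenset({"finance"})
ANALYST = Entity("analyst", Label(Conf.CONFIDENTIAL, FIN), Label(Integ.MEDIUM))
PAYROLL = Entity("payroll.db", Label(Conf.CONFIDENTIAL, FIN), Label(Integ.HIGH))
NOTICE = Entity("notice.txt", Label(Conf.PUBLIC), Label(Integ.LOW))
PLAN = Entity("plan.doc", Label(Conf.RESTRICTED, FIN), Label(Integ.MEDIUM))
HR_FILE = Entity("hr.xlsx", Label(Conf.CONFIDENTIAL, frozenset({"hr"})),
                 Label(Integ.MEDIUM))

if __name__ == "__main__":
    for obj in (PAYROLL, NOTICE, PLAN, HR_FILE):
        for op in ("read", "write"):
            allowed, why = decide(ANALYST, obj, op)
            print(f"{ANALYST.name} {op:5} {obj.name:10} ->",
                  "ALLOW" if allowed else "DENY " + ", ".join(why))
```

The public notice shows why the two models are separate concerns: Bell-LaPadula lets the analyst read it, while Biba refuses because the notice has lower integrity than the reader.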
Which security framework is best?
ISO 27001/27002, also known as ISO 27K, is the internationally recognized standard for cybersecurity.
What are IT security standards?
IT security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization.
What is the purpose of a security framework?
A security framework defines policies and procedures for establishing and maintaining security controls. Frameworks clarify processes used to protect an organization from cybersecurity risks. They help IT security professionals keep their organization compliant and insulated from cyber threats.
What are the ISO standards for cyber security?
ISO 27032 is an internationally recognized standard that provides guidance on cybersecurity for organizations. The Standard is designed to help organizations protect themselves against cyber attacks and manage the risks associated with the use of technology.