Important Security Precepts

Physical Security Vulnerability

The concept of total security is fraught with problems. Perfect or absolute security is always the goal of security practitioners responsible for the protection of a facility or activity, but such a state of absolute security can never be fully obtained. The permutations to consider are in constant flux, and calibrations and recalibrations are necessary. There is no asset so well protected that it can never be stolen, damaged, destroyed, or undermined by unauthorized individuals. For that reason, a balanced, multilayered security program, informed and designed after a thorough security vulnerability assessment, provides protection against a defined set of threats by informing the user of attempted intrusions and providing resistance to the would-be intruder’s attack paths. This resistance must be consistent around the entire perimeter of the protected asset.

There are four main security elements that should be properly integrated in order to achieve a proper balance of physical security. They are:

  • Detection: This is the process of detecting and locating intruders as far from the protected areas as feasible. Early detection gives the user more time for effective alarm assessment and execution of the pre-planned response.
  • Assessment: Determining the cause of the alarm or recognizing the activity. This must be done as soon as possible after detection to prevent the intruder’s position from being lost.
  • Delay: Intruders must be delayed long enough to prevent them from achieving their objectives before the response force can interdict them.
  • Response: A response force must be available, equipped, and trained to prevent the intruders from achieving their objective. The response time must be less than the delay time if the response force is to intercept the intruders before they achieve their objective.
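
The relationship between the four elements can be checked numerically for each approach path. The following is an added example, not part of the original post: a simplified timely-detection calculation in which the layer names, detection probabilities, delay times and response times are all constructed sample values, and layers are assumed to detect independently.

```python
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class Layer:
    name: str
    p_detect: float  # chance the layer detects the intruder and the alarm is assessed as real
    delay_s: float   # seconds the layer holds the intruder up

def critical_detection_point(path, response_s):
    """Index of the innermost layer at which detection still leaves more
    delay than the response force needs; -1 when no layer qualifies."""
    remaining = 0.0
    for i in range(len(path) - 1, -1, -1):   # walk from the asset outward
        remaining += path[i].delay_s
        if remaining > response_s:
            return i
    return -1

def p_interruption(path, response_s):
    """Probability of at least one assessed detection at or before the
    critical detection point (layers treated as independent)."""
    cdp = critical_detection_point(path, response_s)
    if cdp < 0:
        return 0.0
    return 1.0 - prod(1.0 - layer.p_detect for layer in path[:cdp + 1])

def weakest_path(paths, response_s):
    """Name of the approach path with the lowest interruption probability."""
    return min(paths, key=lambda name: p_interruption(paths[name], response_s))

# Constructed sample site: two approach paths to the same asset.
PATHS = {
    "front gate": [
        Layer("perimeter fence", 0.50, 10),
        Layer("yard cameras",    0.20, 20),
        Layer("building door",   0.80, 60),
        Layer("asset room",      0.90, 120),
    ],
    "loading dock": [
        Layer("perimeter fence", 0.50, 10),
        Layer("dock shutter",    0.10, 30),
        Layer("asset room",      0.90, 120),
    ],
}

if __name__ == "__main__":
    for name, path in PATHS.items():
        for response_s in (150, 300):
            print(f"{name:12s} response={response_s:3d}s "
                  f"P(interruption)={p_interruption(path, response_s):.2f}")
```

With a 150-second response, the asset room's strong sensor contributes nothing on either path because it sits past the critical detection point, and the loading dock is the unbalanced side of the perimeter. With a 300-second response, total delay is shorter than response time on both paths, so no amount of detection helps.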

Security in the news — Aftermath of Flight MH17

Downing of flight MH17


The downing of Malaysia flight MH17 is an unprecedented attack on commercial aviation. I posted a news report on Twitter as soon as the news broke, but waited to write about it until there was at the very least some intelligent assessment of exactly what happened. The threat of a surface-to-air missile used by terrorists to target a commercial jetliner is not an unthinkable scenario that has not been considered by risk analysts before. In fact, over the last 50 years there have been many other similar incidents which have occurred over conflict zones around the world. I can also recall at least one scenario which worried intelligence authorities, related to terrorist groups intent on acquiring missile technology for such a gruesome plan during the aftermath of the 9-11 terrorist attacks on US soil. But in recent times the thought that a sophisticated weapons system, under the control of a State, should be put in the hands of irregular actors would appear improbable and outside of all rules of engagement. That the same antiaircraft system should be trained on a passenger jetliner would be inconceivable; not any more. One thing appears clear: whether this was the result of a terrible accident or intentional action, the parties responsible should be severely punished so as to discourage the indiscriminate use of such weapons in any armed conflict.

Shot Down Plane in history

Some news media have attempted to lay fault on the airlines for flying over a popular air route which for months has been an increasingly escalating conflict zone. In fact, some airlines had made the risk calculus and opted to fly around Eastern Ukraine. It’s understood that after Ukrainian separatist rebels shot down a Ukrainian military transport and a fighter jet using Russian-made weapons just days before, some degree of caution should have been practiced by all airlines, even in the absence of a no-fly zone or with only a limited one. Perhaps this was a foreseeable black swan event, but the reality we were supposed to believe was that a commercial airline would be safe from such risk once a plane reaches cruising altitude above thirty-two thousand feet, hence the ban on flights below that range for the Eastern part of the country. Furthermore, even the current duty-of-care standards for commercial aviation fall short of accounting for such events. It’s difficult to fault an airline following the conventional wisdom, in the absence of guidelines, when you consider all these permutations.

No doubt this event is a game changer, and all commercial aviation stakeholders are rewriting their ops manuals to involve geopolitical risk assessments from their security and risk management departments before a final decision is made on the air route to follow. We should also prepare for the potential for travel disruptions to come in the immediate future as conflicts flare up in a G-0 world struggling to define a new order. We’ve seen evidence of this just yesterday, with many airlines suspending all flights to Tel Aviv’s Ben Gurion airport after reported rockets may have been aimed at the runway following the renewed Israeli-Palestinian conflict on the Gaza Strip.

As we mourn for the victims of flight MH17, we’re also left with a sense of despair. Significant damage has already been done to the confidence of air travelers when this terrible tragedy follows on the heels of another as yet unexplained commercial aviation accident involving Malaysia Airlines flight MH370. For a person skeptical of coincidences, it is hard to come to terms with the fact that such terrible fate should revisit one single airline in a short period. Restoring confidence should be high on the list of all the stakeholders regardless of their powerful motivation to the contrary.


Getting out in time requires precision

Companies and organizations have several options for getting employees and others out of dangerous countries such as Iraq. For instance, they can rely on their respective country governments to get their people out of areas that are experiencing a crisis. However, private evacuations are often more efficient and faster than those handled by governments. Such private evacuations can be handled by insurance companies or evacuation companies like Anvil Group. Such security firms are hired to evacuate company staff or students abroad when crisis conditions reach a crescendo. Recent crisis events include the wave of violence stemming from political instability (the so-called Arab Spring) that swept the Middle East (Egypt, Tunisia, Libya, Syria, among others); the earthquake in Japan; the Ukrainian conflict; and, most recently, the conflicts in Iraq.


Many organizations tapped Anvil Group after their insurance providers were unable to handle the evacuation. Some evacuations have only been partially handled due to failure to properly plan for specific scenarios, considering any and all modes of transportation, access to ports, border crossings, safe havens or other critical considerations. Such situations run the risk of placing people in harm’s way, which could be mitigated if evacuees had been advised to shelter in place until conditions were ripe for safe transfer to their country of origin or other safe locations. Companies like Anvil Group are paid to consider all probable scenarios and develop robust, reliable plans that can be implemented, often with very short notice. Because of the unpredictable nature of crisis events, organizations are advised to develop internal plans in coordination with the crisis mitigation firm, and to develop drills and table-top exercises based on credible scenarios. Companies are also encouraged to dispense with template documents that collect dust on shelves and instead develop practical, living documents, easily scalable, with logical steps that can facilitate activation during the crisis.


Country Risks Influence Security Levels

Aon Interactive Country Risk Map_2014


Being exposed to different countries with varying risk levels, I’ve developed a keen sense of the proper security layers that should be implemented. The question most often asked by company executives is as follows: Why are more resources invested in essentially identical business operations in different geographical locations?

The short answer is this: a country’s risk level is a fundamental external catalyst which, added to the risk analysis, enables decision making on the proper security layers to implement in the protection of people, assets and the well-being of all stakeholders. A number of different strategies are intertwined, forming an effective protective fabric. For instance, depending on your business activities (considering the difference between transporting valuables and commodities, which require different mitigation strategies) and in terms of duty of care for a broader geographical spectrum, few resources are allocated to staff protection in Alberta, Canada, where the country risk level for violent criminal activities is relatively low, as opposed to Cairo, Egypt, where political instability may trigger violent criminal acts (also considering the absence of or overreaction by state authorities), thus requiring more resources to assure the integrity of staff for on-going business operations. Even more resources would need to be invested if the risk levels reach a climax, forcing business operations to be either temporarily or permanently interrupted.

Think of it as the layers and various fabrics that should be worn to protect yourself against the climatic elements. For instance, you’d be ill-advised to don a heavy wool sweater or goose down jacket in the hot desert climate of Cairo for a business trip, just as you would not be fitted in a fashionable light linen shirt for a similar trip to Alberta at the height of the winter season. If traveling back and forth between these regions, care would be taken to wear the right clothing based on the prevailing climate. Equal permutations should be considered when tailoring the proper security strategies for these regions respectively and, as mentioned before, based on your particular business operation.


Security in the news


Meet Bob

While monitoring information channels, I came across a thought-provoking article related to the application of a robot, appropriately named Bob (as of now in the research stage), to the task of building security. The immediate reactions are to associate this adaptation of advanced robotics and AI, setting aside the inherent weaknesses in this technology platform, with two very sensitive areas of our current economic model, that of replacing human labor with technology at a time when there remain soft pockets of labor markets in the global economy. There is also a more acidic view, that of another creepy intrusion of advanced technology into personal privacy, as such “droids” may lend themselves to abuse either willingly by their operators or unwillingly by malicious intrusion from hackers exploiting flaws in their software architecture.

But there is another reading to this. For years we in the security profession have been witnesses to the convergence of physical and logical security, where in many cases these two separate ops centers functioned seamlessly. In other words the same command and control centers that handle cybersecurity and other InfoSec countermeasures also integrate surveillance, access control and the human (security officer) interactions forming a concentric mesh of enterprise protection. I see the development of new nodes, such as robotic technology powered by the latest in artificial intelligence technology as an inevitable evolution in the converged ecosystem. The challenge will be to leverage the new technology to plug gaps in existing security programs with augmented nodes of information. For instance this would take the surveillance technology which is for the most part fixed on particular locations and make it mobile and interactive with people occupying the space where deployed. Furthermore, promising technology such as facial or pattern recognition which has yielded limited results in protection schemes could have more effective applications when loaded onto a roaming droid.

These are just quick reflections on this development. In time we can come up with more sophisticated approaches to the application of robotic technology to protection programs and more importantly in a way that’s not detrimental to our privacy and to the millions of men and women that depend on the security profession as a livelihood.

Read article:

Meet Bob, Britain’s First Robotic Security Guard

Daily Mail (United Kingdom) (06/16/14) Zolfagharifard, Ellie



Reloading: a road-map to re-engage with readers

After a long hiatus, I feel the need to return to providing valuable security information through this blog. If you care to know, I have been immersed in a very exciting project with an MNC providing a full range of security services in a challenging environment. Although I’m forbidden from disclosing confidential information regarding any of the past, present and future companies I’m engaged to provide these services to, I see value in sharing with you all the methods by which a protection program is articulated. It’s my firm belief that this grain of sand not only contributes to the discussions of more resilient people, communities and enterprises.

It’s my sincere commitment to continue to provide more valuable information through frequent posts and interactive discussions on comments and Q&A sections.

Security Beyond Borders 8

Anarchism in the Age of Cyber

An important announcement from my LEO channel. I thought it important to share with everyone for monitoring:

For situational awareness, the following message (in italics) was posted online by the hacking group Anonymous:

Anonymous announces a nationwide “Day Of Vengence” to take place in dozens of cities across the USA on Saturday – September 24, 2011 at High Noon.

In coordination with these protests across the USA on September 24th, Anonymous and other cyber liberation groups will launch a series of cyber attacks against various targets including Wall Street, Corrupt Banking Institutions – and the NYC Police Department. We encourage the media to follow the Twitter feed @PLF2012 for ongoing reports throughout the day.

Additional public source information has identified possible targets of these attacks, to include entities in New York (state and city), public and private entities associated with the recent execution of Troy Davis in the state of Georgia, and law enforcement in general.

No further information is available at this time in regard to the specific nature, means, or potential targets of Anonymous’ plans for September 24th; however, in the past, Anonymous has engaged in distributed denial of service (DDoS) attacks, utilized SQL injection to gain unauthorized access to computer systems, conducted social engineering to gather personal identifying information, and released both personal information (i.e. “doxing”) and the contents of compromised systems (e.g. e-mail message content, passwords, etc.).

InfraGard members are encouraged to engage in information security best practices, such as using strong passwords, not reusing passwords, updating software to protect against known vulnerabilities, and ensuring that web-based applications are not at risk to attacks, such as SQL injection.