Wednesday, October 21, 2009

A Recent Study Shows that College Drinking Remains High

Persistence of heavy drinking and ensuing consequences at heavy drinking colleges.

University of Minnesota, Minneapolis, 55454, USA. tfnelson@umn.edu

OBJECTIVE: The purpose of this study was to examine drinking levels, related harms, and secondhand effects of alcohol use at heavy drinking colleges between 1993 and 2005 at colleges with high levels of drinking in 1993. METHOD: Students attending 18 colleges with high levels of heavy episodic drinking (50% of students or more) from the 1993 Harvard School of Public Health College Alcohol Study were surveyed in 2005 (n = 4,518). Data collected through mailed and Web-based questionnaires were compared with responses from students at the same schools in 1993, 1997, 1999, and 2001 (N = 13,254) using time trend analyses.

RESULTS: Overall, levels of alcohol consumption, experience of problems, and levels of secondhand effects remained high among students attending heavy drinking colleges. More than four of five students at these schools drank alcohol (range: 85%-88%), and more than half engaged in heavy episodic drinking (range: 53%-58%). The stability of drinking behavior occurred among subgroups of students as well. The few statistically significant changes occurred mainly between 1993 and 1997. A decline in driving after any drinking between 1997 and 2005 was observed, but no similar decline was found in two other measures of drinking and driving.

CONCLUSIONS: Heavy drinking and associated problems continue unabated, with few exceptions, at colleges that are most in need of intervention: those with high levels of heavy episodic drinking. Addressing student alcohol use at heavy drinking colleges may require stronger, more consistent, and more comprehensive approaches, with increased emphasis on the alcohol environment.

Wednesday, September 30, 2009

25 Top Most Crime-Ridden Campuses


Good link to an accounting of the 25 Top Most Crime-Ridden Campuses in the USA. To be on this inauspicious list you have to have some bad luck, be in an inner-city neighborhood, or be doing a terrible job of security. Or all three!

Any way you look at it, these campuses have a huge problem. The reaction quotes from the campuses seem pretty thin and are centered around the "it's happening off campus and we are doing our best on-campus" defense. But I feel it is the school's responsibility to get the information out to the students, faculty and staff to understand and manage their risks. Everyone knows the inner-city is more dangerous, but not everyone knows how to deal with, and minimize, the risk to the school population.

In addition, there are rural, small, suburban, and urban schools, from South Carolina State to University of Maryland - Baltimore to the scenic California State University - Monterey Bay. They all have a reason...but the only real solution is dealing with the real problems.

This is a list that any college does not want to be on, and there are schools in terrible parts of the inner-city that are NOT on this list! Most notable is Johns Hopkins University in downtown Baltimore...congratulations, the campus deals with crime in one of the most dangerous cities in America. Their cross-town institutions at UM-Baltimore and the University of Baltimore are on the list...hmmmm...

Studies Show...


Studies show again and again that students are at risk on campus. The common thought outside of our community is that the college campus is a completely safe and secure environment where the occasional bad-guy roams the campus, but...not HERE!

We all know that the bad guys do roam pretty freely on campus and, in spite of the hard work of our campus police and local police forces, anything can, and does, happen.

But the immediate issue is the "good guys" turning bad due to alcohol and drug abuse...and guys and girls forgetting their upbringing and going wild on campus...this has to be discussed and properly managed with each entering class. And as the father of two teenage boys, I know it has to be constantly reminded!

The National Institute on Alcohol Abuse and Alcoholism reported the following:

  • 1,700 college students die each year from alcohol related injuries.
  • 97,000 college students are victims of alcohol related sexual assault or date rape each year.
  • 696,000 college students are assaulted by another student who has been drinking.
  • 599,000 college students are unintentionally injured under the influence of alcohol.
  • 400,000 college students have unprotected sex.
  • 100,000 college students report having been too intoxicated to know if they consented to having sex.

Monday, September 28, 2009

Bad Data Threatens Campus

An example of bad data or a "clerical error" may cause the mighty West Virginia University to receive penalties or have its federal funding pulled. The U.S. Department of Education says WVU mis-reported, mis-labeled and failed to report a number of incidents in the years 2001 and 2002.

The Federal 'Clery Act' requires universities to report crime to the community. I presume this act is to keep the schools' "clients" - the parents of the students and the students themselves - informed so they can make a reasonable and logical decision on the safety of the campus. This is a great idea, since openness is a cornerstone of security and of business. By getting the administration to step up and report crime, the school community can keep tabs on the effectiveness of the administration at keeping them safe.

I can only hope WVA gets its act together...and that all crimes including cyber-crime are reported to the community. This is the "quiet crime" on campus today. Identity theft, cyber-stalking, etc. are the next frontier for criminals as physical security improves on campus.

More reporting is a good thing.

Tuesday, September 15, 2009

Annie Le, Yale student. Her Death is a Tragedy

Our entire staff send our condolences to the family, friends and fiance of Annie Le, the Yale student who was murdered at Yale University in New Haven, Connecticut. Although these incidents are rare, they are even more tragic because of the loss of a young person poised to start her adventure of life. To all other students, please don't take risks, take control.

Some quick tips:
  • Survey the campus after dark to see that buildings, walkways, quadrangles and parking lots are adequately secured, lighted and patrolled.
  • Look well-ahead and around you for anything unusual.
  • Avoid walking alone if possible.
  • Walk with an air of confidence and stay alert.
  • Walk in lighted areas.
  • Keep your hands free, not overloaded.
  • Have your keys ready.
  • If you are being followed: cross the street, scream, run to an occupied residence or store, or flag down a car.
  • Please remember: More than half of college crimes occur between people who already knew each other. It is hard to tell the stalker or criminal mind from the casual acquaintance. Please be careful and vigilant.

Friday, August 21, 2009

Jonathan Kendall - College Speaker on Security & Violence on Campus

Jonathan Kendall is a highly praised and inventive risk management & security expert, keynote speaker, consultant, teacher, author, private investigator, special forces trainer, technologist & futurist...he's today's web-suave, big-picture-thinker ready to engage and compel you, his audience.

He's an internationally recognized expert in:
  • Preventing, Detecting & Responding to Crime
  • Identity Theft
  • Cyber & Technology-Based Crime
  • Social Networking Crimes
  • Campus Security
  • Crime Prevention
  • Sexual Assault Deterrence
  • Women's Safety
  • Risk Management
  • Violence Prevention
  • Travel & Spring-Break Assault Prevention
Jonathan is an authority on both today's threats and tomorrow's frightening "blended" cyber/physical attacks. He has the unique ability to translate complex information into easily understandable, thought-provoking presentations including experience, facts, humor, passion, motivation, and knowledge. His presentations and workshops are spiced with exciting and enlightening group exercises, wit, and inspirational discussion.

His enthusiasm for Security, Risk Management, Technology, and Personal Safety bring a unique and inspiring view of today’s safety & risk related issues and how to improve “everyday” living…be it your school, dorm, travels or anything in between.

Jonathan’s topics appeal to young and old...professional, administrator, faculty and student.

Institutional leaders and administrators in the community and their faculty and students face the daunting challenge of providing security in a unique built environment. Issues of privacy, civil rights, personal information, cyber-crime, social engineering, physical attacks and the terrifying “lone wolf” gunman are, or should be, at the top of the to-do list for every member of the education community. The criminal threat is converging - CYBER, ELECTRONIC and PHYSICAL. So too must security and risk management converge for your campus. Leveraging limited resources is a challenge that cannot be ignored…the cost is too high.

Jonathan is available for:
  • Lectures (anytime of the year)
  • Orientation, Welcome Week & Back-to-School Programs
  • Administration & Campus Leadership Conferences
  • Student Leadership Gatherings
  • Student Government Events
  • AFA, NACA, APCA, BPA, DEX Functions
  • Greek-sponsored Lectures
  • Panhellenic Events
  • Housing & Resident Life Events
  • Student Safety & Anti-Violence Training
  • Sex Related Education
  • Commencement & Graduation
  • Student Conferences
  • Summer Programs
  • Athletic & Club Events
  • Academic Life Education
  • Health, Safety and Welfare Training
  • Any other Event for an "Outside" Speaker
Jonathan's programs include:

Women's Safety & Security - The Fight Against Sexual Assault

Nearly two years ago, a man “tailgated” into a woman’s dorm in the Midwest, forced his way into a female student’s room and raped her. That incident jump-started a campus-wide conversation about security and sexual assault, prompting many of the security measures that students are familiar with today, including peepholes in doors, closed-circuit video monitoring in entryways and more. But these solutions are “brittle” and easy for most any criminal to work around. Colleges and universities are not always the safe havens they are thought to be; statistically college women are at higher risk for sexual assault than their non-college-bound peers.

Jonathan helps students empower themselves, dispel myths and understand the threat of sexual violence both from strangers and from those we know…and trust. Spotting the behavior of the attacker and understanding the process of an attack can help the potential victim see the early warning signs and get out fast. Promising practices in prevention, monitoring and response, victim support rights, and other relevant topics will be discussed. Also, he discusses the dangerous role that drugs and alcohol play in sexual assault violence.

This is an excellent program for women's groups, new student programs, sorority talks, and Safety Week presentations.

Campus Security - The True Story

Campus security has too often been a collection of technologies without strategically thinking risk and security all the way through. We will explore the steps to be taken on any campus to realistically implement a workable security solution for physical, electronic and cyber crime. Take away the 5 key issues that MUST be addressed on any campus.

Jonathan's international experience with learning institutions of all types, locations and sizes gives him a unique and unparalleled expertise to assist institutional leaders and administrators create a safe learning environment for their students, faculty and staff.

Cyber Crime - The Rise of the Machine - Identity Theft and Cyber Assault

Everyone knows logically the threat of identity theft and cyber crime, especially today’s tech-bred students. But still, students put too much information on their Twitter, MySpace and Facebook profiles, giving online predators an open door. In this program, Jonathan talks about the dangers, but also the tremendous benefits, of social networking along with the online collection and dissemination of our personal information. From identity theft to cyber-assaults to piracy, this program gets the message across that great care must be taken to protect our online identities.

Jonathan is an expert in risk management and security, especially online privacy. He has written extensively on the topic. This program is an outstanding choice for first-year experience and new student orientation programs.

Email for open dates...info@KendallDesignGroup.com

Tuesday, July 21, 2009

Sexual Assault & Violence on Campus - A Gov't Study

Sexual assault on the Nation’s college campuses has been receiving more attention lately. Schools are not the safe havens they once appeared to be; college women are at higher risk for sexual assault than their non-college-bound peers.

Sexual assault is widely considered to be the most under-reported violent crime in America. Most sexual assaults on campus are committed by an acquaintance of the victim, which explains, in part, why these crimes are under-reported.

Administrators want their campuses to be safe havens for students as they pursue their education and mature intellectually and socially. But institutions of higher education are by no means crime-free; women students face a high risk for sexual assault. Just under 3 percent of all college women become victims of rape (either completed or attempted) in a given 9-month academic year.

On first glance, the risk seems low, but the percentage translates into the disturbing figure of 35 such crimes for every 1,000 women students. For a campus with 10,000 women students, the number could reach 350. If the percentage is projected to a full calendar year, the proportion rises to nearly 5 percent of college women. When projected over a now typical 5 year college career, one in five young women experiences rape during college.

Counter to widespread stranger rape myths, in the vast majority of these crimes—between 80 and 90 percent—victim and assailant know each other. In fact, the more intimate the relationship, the more likely it is for a rape to be completed rather than attempted. Half of all student victims do not label the incident “rape.” This is particularly true when no weapon was used, no sign of physical injury is evident, and alcohol was involved—factors commonly associated with campus acquaintance rape.

Given the extent of non-stranger rape on campus, it is no surprise that the majority of victimized women do not define their experience as a rape. These reasons help explain why campus sexual assault is not well reported. Less than 5 percent of completed and attempted rapes of college students are brought to the attention of campus authorities and/or law enforcement. Failure to recognize and report the crime not only may result in underestimating the extent of the problem, but also may affect whether victims seek medical care and other professional help.

This must be improved through education and training of both men and women on-campus to remove the veil of shame and secrecy...and dispel the myths of sexual assault.

Tuesday, June 23, 2009

Jonathan Kendall Security Seminars

See our new seminar and speaking series.

Monday, May 4, 2009

Security 101: Who's in Charge? Part 3 of 3 is Available Now

The latest installment of "Security 101: Who's in Charge?", part 3 of 3, is available. To get a copy, just email me at jon@KendallDesignGroup.com, and I will send you a PDF of all the articles published to date.

The process of security and risk analysis planning was discussed in detail. We must look at the assets to protect, all of them including the students, faculty, staff, materials, technology, intellectual property, facilities, etc. We must explore and prioritize solutions, and put them in the perspective of the institution’s requirements and goals, examine the total costs in terms of money, resources, time, freedom, among other issues. And we are obliged to examine the positive and negative interaction of the solutions between the various assets, systems, technologies, and processes. Only then can we make a decision in the best interest of the institution. An acceptable level of risk can be attained only through careful planning.

Friday, May 1, 2009

High School "Incident" 2

After a very interesting discussion with the high school's principal, the vice principal, and the school systems' in-house security agent...the answer was a bit astonishing...

A teacher said my child got angry at an incident that revolved around my son wearing a hat inside the school. This teacher in question, and this is not the teacher who asked my son to remove his hat...but a DIFFERENT teacher uninvolved in the "hat" incident, made an off-handed remark about my son being so mad and "coming to school 'packing'". Packing what? Lunch? What is this, a bad movie script?

This blew open a chain of events that stunned even the principal and vice principal, as they found out about the police involvement by getting a call from a police investigator. The whole time, my son, of course, was sleeping at my house during the day...alone. And the police never spoke to him at all, never went to the house, never knocked on the door...nothing.

Keep in mind, the on-campus county police officer and the teacher in question "declined" to attend this meeting...and the officer would not help me in any way gain a copy of the police report.

There is enough of a "smoke screen" being put up now towards my efforts to glean the truth. It is making it very difficult to find out how something so severe can come from a teenage boy getting mad at an "authority" figure telling him to take off his hat.

He did not threaten anyone...nor threaten the school or the teacher or the institution. No secret plans...no long black coats...lots of good, solid friends at school. And this is a kid with a known history of "bucking the tide" at school, so his reaction was in no way out of character. He needs a chance to blow off steam as a teenage boy...join the crowd. And he has joined the US Army to help protect us all from enemies...this does not sound like a candidate for a school-shooter.

Lessons learned? The Standard Operating Procedures at this institution do not work. There needs to be a MUCH better hierarchy of escalation. This is the type of action that can result in very large lawsuits for the county and state. And would not solve nor deter any school-shooter incidents.

The lack of open communications with me as the father is another factor of misunderstanding that I am very concerned with in this incident. The only people willing to speak with me were the school administration, not the county or the police. Very bad form in an open society.

I will keep working my way through the stone-wall, and let you know the latest as it becomes available.

Friday, April 3, 2009

High School "Incident" 1

We will soon have an inside look at a real school incident with a typical SoP (standard operating procedure) in the real world.

My son recently threw a pretty normal (at least for him) "teenager tantrum" in high school the other day. The problem was he was wearing a hat in the lunch room, which is not allowed (I have come to find out), and a teacher was possibly a bit aggressive in her dislike for this hat and his wearing it. Pretty small stuff in the context of running a high school, which is a big and important job!

This "incident" sent a chain of events into motion that from my perspective as a father and a security consultant, focused on the education community, was fascinating. Imagine my surprise when I get a telephone call in a client meeting discussing corporate espionage while in Latin America. The call was from the local police in Maryland to discuss my son's flying off the handle and his likelihood of attacking the school. The irony was thick, and needless to say my first reaction was to be rather irritated at my son for causing this chain of events to transpire. BECAUSE OF A HAT! Then, after some thought, I realized that my son was being a hormonal teenager (even worse - A Senior) and he calmed down within minutes but the school's reaction was far from over. Why is that? He is very well known at the school, he fits no profiles, he has many friends, he has many people at the school office looking out for him...what changed?

But I believe in the long run, this will be an interesting example for all of us on real world security, and the procedures we use to keep our faculty, staff and students secure. My perspective will be from both the fatherly (I support my kids and my son has just joined the Army to help protect us all) and the professional. I will take you all on the journey through what "really" happened and what was the response. And more importantly, did this and will this response work to help or hinder security on our campuses.

Stay tuned, we will see where this goes. Open communication is the key to good security.

Monday, March 9, 2009

Cyber Crime: The Invisible Threat

We here at KDG have been singing the song of the threat of cyber crime for many years now, and the situation of this "invisible crime" has been getting worse and worse. But many educational institutions continue to bury their heads in the sand and ignore the problem. Or, they do not understand the real problem and react to the massive threat this activity is to the institution and the people it serves.

Cyber crime is a global problem, and education is not immune to the dilemma. The FBI has been investigating the universality of the crime. Not in the context of education directly, but to give you some focus on the international scale and direction of the issues. They have some interesting and alarming insight: the tidal wave is coming, and we will all be washed away without preparation and dedication to managing these crimes.

“Many traditional organized crime figures who in the past committed crimes such as narcotics smuggling or extortion are now setting up shop online, and these figures are less constrained by national borders or geographic location,” said Mark Filip, Justice’s deputy attorney general, speaking at the International Conference on Cyber Security (ICCS) 2009 recently held by the FBI and Fordham University in New York City.

“The sophistication has grown exponentially,” said Shawn Henry, an FBI assistant director who heads the bureau’s cyber division. “And it really is a case where the offense sometimes outpaces the defense — the ability of attackers to exploit known vulnerabilities or to develop new tools, techniques, tradecraft to exploit emerging vulnerabilities is significant.”

“There is no shortage of groups or countries that are interested in the intelligence that is contained on U.S. networks,” he said.

Other than a nuclear device or some other type of destructive weapon, Henry added, “the threat to our infrastructure, the threat to our intelligence, the threat to our computer networks is the most critical threat that we face.”

“It’s not a U.S. problem, it’s not a Mexican problem, it’s not a Dutch problem, it’s not a German problem — it’s a problem for our society, all of us,” Henry said. “The threats that we see are threats to all of us.” Closer to home, we can say it's not just Harvard's problem or University of California's problem, it is all of our education community. Every institution is at risk...public K-12 to community colleges to the Ivy League...every school has private information and resources that are exposed to crime, intimidation, stalking and theft.

Jonathan Kendall is the President and Founder of the Kendall Design Group/Security Solutions Worldwide, a professional services and consulting firm specializing in the convergence of technology, security and management located in the Washington, DC area and Las Vegas, Nevada. Kendall has 20 plus years of experience serving the educational community around the world on over 200 campuses from K-12 to the Ivy League. He has been an instructor for the US State Department and Special Forces, featured speaker at Dartmouth College, the AIA and SCUP national conventions, and has written numerous articles. He is a registered private investigator and certified security officer. Please contact Mr. Kendall at 410-798-9003, email jon@KendallDesignGroup.com, or visit www.KendallDesignGroup.com and SecureCampus.blogspot.com.

Wednesday, February 25, 2009

Guns On Campus - The Next Round

An interesting article on the legalization of properly licensed concealed carry handguns on the campuses of Texas public universities and colleges (click the title above). As usual, another knee-jerk reaction on both sides to the subject of personal security on campus.

A properly conceived and implemented risk management analysis and security plan across the campuses would be a much better start than simple one-size-fits-all solutions like this one.

I will repeat my earlier observation:
All too often and unfortunately, campus security is treated as a collection of segments, as in this discussion. Do this, don’t do that, buy that don’t buy that. Security does not work like this. Security is a system of people, processes and technologies integrated into the institutional infrastructure. Security is complex.

Making global statements about do’s and don’ts in the framework of security solutions such as speaker systems vs. text systems is silly and counter-productive. Each institution has physical, cultural, geographical, technological, human, fiscal, and administrative uniqueness that requires a distinctive solution, or better yet, a systemic solution of checks and balances. The system must include personnel, technology, and physical resources in the context of the institutional environment.

There is no single system or “level” of security for all campuses; it depends on what you are willing to give up, or trade off, to get the security you desire. There is no total, absolute security. Security is challenging, and there are no easy answers.
Take the time to analyze, craft a workable global security plan, and implement it rigorously.


Tuesday, February 24, 2009

A School Attack Avoided? I hope so!

The participants in a plot to attack a high school have seen their day in court. A potential school attack was allegedly avoided at the Penn High School near Mishawaka, Indiana. The adult, Lee Billi, 34, was communicating on MySpace about a Columbine-style attack at the high school. He pleaded guilty to a charge of inciting to violence, a felony that carries a possible prison sentence of one to five years. The alleged plot was detected by an astute deputy at the school who was paying careful attention to Internet postings and student behavior.

According to the Boston Globe (you can link to the full article by clicking the title above),

Authorities have said a deputy working at the school discovered the alleged plot in Internet postings in which the teenager allegedly discussed his support for the "Columbine shooters," a reference to the 1999 massacre at a Colorado high school in which two students killed 12 classmates and a teacher, and then committed suicide.

Billi's plea agreement also included 38 child pornography charges and one count of possessing criminal tools.
Both individuals stated that they had no intention of implementing the attack. It was just a "fantasy". The teenager was put in indefinite juvenile detention. And as a part of Billi's plea deal, charges of child porn and possession of "criminal tools" were included.

Hats off to the deputy for exploring, paying attention, and acting properly in this case. Some might think this is a violation of civil rights and the right of free speech to have their private communications monitored, but their communications in cyberspace are there for all to see. There is not even a hint of privacy when you post on public forums. If they were plotting to kill, then they must be held accountable for their actions.

School authorities need to be constantly vigilant. Proper training, technology, and risk management structure need to be in place to avoid attacks in the future.


Friday, February 20, 2009

The Failure of Risk Management

The current economic crisis is clearly based on the complete failure of the current cast of security and risk management "experts" employed by institutions. A report by the Risk and Insurance Management Society (RIMS) titled “The 2008 Financial Crisis – A Wake-up Call for Enterprise Risk Management” states the obvious. They affirm, truthfully so, that the current crisis is a total failure of risk management thinking and strategies. The report says “…we may have to tear up the manual of enterprise risk management and start over.” We do need to start again with fresh thinking and explore the past to predict the future of security and risk management. The "experts" have been creating and supporting silos of risk, technology, and management saying that organizations should focus on one specialty at a time. This is complete junk, junk thinking, junk consulting...the world is a big, churning, interactive place...these experts want to look at a small slice of risk out of the context of the greater whole...JUNK! Why do they do this? Because they cannot see beyond the end of their noses. They do not have the ability to integrate multiple variables into their planning and contingencies. This is infuriating for me.

The RIMS paper goes on and attributes the failure more precisely to these key factors:

1) Failure to embrace appropriate risk management behaviors
Risk management needs to be an essential component in all key business processes, and every person who participates in those processes needs to be aware of the impact of their actions on risk, and to provide timely information that improves the management of risk related to that business process.

2) Failure to create and reward risk management competencies
People were not, and still are not, prepared to make prudent decisions to provide the best level of risk for the institution. It goes without saying that effective risk management requires incentives that further that goal, rather than destroy it.

3) Failure to use risk management to inform management’s decision making (for both risk-taking and risk-avoiding decisions)
If your people are diligent about their risk management responsibilities, they still may not communicate accurate and timely information throughout your organization. Then, its value is negated.

This thinking is not just in the "financial" sector, it is everywhere..."Silo Thinking". Silo Thinking has led us here; it will lead us down a new path of disaster unless we change. This economic crisis will bring us to a new level of crime, theft, cheating, scamming...it already has. Crime is up. Identity theft is up. Cyber crime is WAY up. And yet we still think that none of this is connected to multiple events, actions, people and risk. IT IS CONNECTED.

We have the tools; we have the knowledge, experience and understanding to create a new interactive risk-intelligent organization to manage risk on all fronts. Crime, financial, corporate, intellectual property, client safety, IT, physical security...it is all related.

These problems are endemic to many institutions, including those that would claim that they have a working and successful risk management model, or worse yet those who believe that they are not susceptible to risk. They seem to think that as long as they have someone somewhere that is in charge of "security" and “risk management,” then everything will be fine and they can rest easy.

Junk thinking because it's Silo Thinking.

What do we do? We need to get out of the Silo Thinking and create a common risk management framework across the enterprise. This is for security, IT, financial, and the administration.

This has many elements, each of which is required to help avoid similar disasters in the future.

Risk - It's a team sport. We need to create an institutional team with outside leadership. Institutional politics must be managed and, in my 25-year experience, it cannot be done in-house.

This team must create a set of common processes, terminology, and practices for managing risks of all kinds. Everyone needs to be involved at all levels, not just the police, or security, or IT, or the accountants. The current way of doing business did not work, and it will not work into the future.

We need to understand WHAT it is we are trying to protect and from WHO, then HOW. The risk analysis and the risk tolerances must be fully understood, communicated, and monitored across the institution. People need to understand the risk, or improper (and risky) activities will result.

Our risk management practices should be incorporated into all processes and decisions. The team must communicate to every individual their risk-related responsibilities, and how they fit into the risk management model.

And the administration must make decisions openly, outside of the politics of the organization, communicate them freely, and adjust them accordingly. They must execute the risk management plan and deal with the risk and the results through the risk team.

Eliminate the Silo Thinking, open the institution to a safer and more liberated future. Understand that it's not Silos, it's a converged risk that needs to be addressed. The current team has failed, get a new team.

Jonathan Kendall is the President and Founder of the Kendall Design Group/Security Solutions Worldwide, a professional services and consulting firm specializing in the convergence of technology, security and management located in the Washington, DC area and Las Vegas, Nevada. Kendall has 20 plus years of experience serving the educational community around the world on over 200 campuses from K-12 to the Ivy League. He has been an instructor for the US State Department and Special Forces, featured speaker at Dartmouth College, the AIA and SCUP national conventions, and has written numerous articles. He is a registered private investigator and certified security officer. Please contact Mr. Kendall at 410-798-9003, email jon@KendallDesignGroup.com, or visit www.KendallDesignGroup.com and SecureCampus.blogspot.com.

Wednesday, January 28, 2009

Security 101: Who's in Charge? Part 2 of 3 is Available Now

Click the title above for the latest installment of "Security 101: Who's in Charge?" part 2 of 3. You can download a PDF if you are signed up with Scribd.com or email me at jon@KendallDesignGroup.com, and I will send you a PDF of both articles published to date.

The process of security and risk analysis planning was discussed in detail. We must look at the assets to protect, all of them including the students, faculty, staff, materials, technology, intellectual property, facilities, etc. We must explore and prioritize solutions, and put them in the perspective of the institution’s requirements and goals, examine the total costs in terms of money, resources, time, freedom, among other issues. And we are obliged to examine the positive and negative interaction of the solutions between the various assets, systems, technologies, and processes. Only then can we make a decision in the best interest of the institution. An acceptable level of risk can be attained only through careful planning.

Monday, January 26, 2009

Another great article from Dark Reading - Cracking Your Passwords!

Dark Reading is highly recommended for the geeks out there. But also for all security professionals that understand the future of security because this article can relate to an access control PIN pad at your front gate in addition to your PC.

Take a look below...

How Hackers Will Crack Your Password

Posted by Robert Graham, Jan 21, 2009 02:53 PM

I've been cracking passwords lately for pen tests, and I'm surprised at how corporate guidelines don't really help people choose passwords. As in many places in security, a disconnect exists between how people secure systems and how hackers break systems. So the following is a brief description of what hackers do (or, at least, what I do when pen-testing systems).

The first problem is an "online" vs. "offline" attack. An online attack is where hackers try to log on pretending to be you and guess your password. Unless you've chosen something extremely easy to guess (such as "Wasila High"), this isn't a big danger. Online systems automatically lock your account after too many bad guesses.

The real danger is "offline" cracking. Hackers break into a system to steal the encrypted password file or eavesdrop on an encrypted exchange across the Internet. They are then free to decrypt the passwords without anybody stopping them.

Doing this, hackers can guess passwords at the rate of 1 billion guesses a second. That's fast, but not when you consider how big the problem is. Consider passwords composed of letters, numbers, and symbols. That's roughly 100 combinations per character. A five-character password will have 10 billion combinations. This means a hacker can guess a five-character password in only 10 seconds. But things quickly get worse for the hacker. This problem grows exponentially:

5 characters = 10 seconds
6 characters = 1,000 seconds
7 characters = 1 day
8 characters = 115 days
9 characters = 31 years
10 characters = 3,000 years

This is why you need long passwords. Hackers can usually crack anything with seven characters or fewer, but they would be unlikely to guess passwords using this technique that are nine characters or more.

This is also why you need complex passwords containing uppercase and lowercase, numbers, and symbols. That's 100 possible combinations for each character. Lowercase passwords have only 26 combinations per character. A hacker can guess an all-lowercase password of 10 characters in about two days.

However, hackers have another trick up their collective sleeve: the mutated dictionary attack. Because of the above problem, you might choose a large password, like "Aardvark-Zebra9." This is longer than what a hacker will be able to discover by brute force. So hackers solve this with a "dictionary" attack. Instead of trying all combinations of characters, they instead try to match passwords with words in a dictionary. They then "mutate" the words, reflecting common things people do to passwords.

When users are told to make their passwords complex, they usually do something simple to them. Instead of choosing "robert" as a password, they will make it "robert!". Putting an exclamation mark at the end of a password is one of the most common mutations people choose. Hackers know this, so their dictionary cracks will do the same thing.

Here is a list of common mutations a hacker will try to dictionary words:

* capitalizing the first letter of a word;
* checking all combinations of upper/lowercase for words;
* inserting a number randomly in the word;
* putting numbers on the ends of words;
* putting numbers on the beginning of words;
* putting the same pattern at both ends, like *foobar*;
* replacing letters like "o" and "l" with numbers like "0" and "1";
* punctuating the end of words;
* duplicating the first letter, or all letters in the word;
* combining two words together; and
* putting punctuation or space between the words.

Hackers are also smart about which words they choose. They don't just choose English words, but also include most popular languages (i.e., Spanish, French, German). They also choose words from pop culture, like xbox360 or Britney Spears.

If they know who you are, they will find words particular to you. Let's say your name is "John Smith," you drive a "BMW," you work for "Microsoft," and you like to watch "The Office." A hacker will Google these terms and create wordlists from the resulting Web pages. Thus, "Carell325i" seems like a fine 10-character password to defeat hackers, but will get cracked in only a few minutes by a hacker who knows you. (I like to use the Associative Word List Generator Web site to generate password lists for me.)

So how do you choose something that hackers can't guess? Well, remember that hackers aren't all-powerful. The more complex the things they have to check, the less likely they will guess your password. Yes, they will check for numbers on the ends of passwords, but as long as you've chosen something like your birthdate instead of 1234, it's something more likely to be missed.

Including just one international character, like a vowel with an umlaut, will defeat most password crackers. They can be typed by holding down the Alt key and typing a three-digit number on the numpad. Typing long phrases instead of words will also help. In theory, it should be easy to guess "Twas as a dark and stormy night" as a passphrase, but in practice, hackers won't catch it.

On the flip side, the more complex you make your password, the harder it will be for you to type it in. Try to create something as long as you can comfortably type, while still keeping in mind the techniques above.

Robert Graham is CEO of Errata Security. Special to Dark Reading
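A defender can turn the article's two points into a password-policy check: how long exhaustive search takes at the quoted 1 billion guesses per second, and whether a candidate collapses to dictionary words once the listed mutations are undone. The Python below is an added example, not part of the Dark Reading article; the function names, the tiny word list, and the substitutions beyond "0" for "o" and "1" for "l" are assumptions made for illustration.

```python
import re
import string

GUESSES_PER_SECOND = 1_000_000_000  # offline guessing rate quoted in the article

# Constructed sample word list; a real policy check would load a large dictionary.
SAMPLE_WORDS = {"robert", "aardvark", "zebra", "foobar"}

# The article names o->0 and l->1; the remaining substitutions are assumptions.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                        "5": "s", "@": "a", "$": "s"})
EDGE_CHARS = string.digits + string.punctuation + " "


def brute_force_seconds(length, alphabet_size=100, rate=GUESSES_PER_SECOND):
    """Seconds needed to try every password of exactly `length` characters."""
    return alphabet_size ** length / rate


def _variants(token):
    """Undo the single-word mutations: inserted digits and duplicated letters."""
    forms = [token]
    no_digits = re.sub(r"\d", "", token)
    if no_digits != token:
        forms.append(no_digits)            # a number inserted in the word
    for t in list(forms):
        if len(t) > 1 and t[0] == t[1]:
            forms.append(t[1:])            # first letter duplicated
        if t and len(t) % 2 == 0 and t[0::2] == t[1::2]:
            forms.append(t[0::2])          # every letter duplicated
    return forms


def _match_token(token, words):
    """Return the dictionary word(s) a token reduces to, or None."""
    forms = _variants(token)
    for form in forms:
        if form in words:
            return [form]
    for form in forms:                     # two words joined with no separator
        for i in range(1, len(form)):
            if form[:i] in words and form[i:] in words:
                return [form[:i], form[i:]]
    return None


def dictionary_base(password, words=SAMPLE_WORDS):
    """List the dictionary words a password is built from, or [] if none found.

    Lower-casing undoes capitalization, stripping edge characters undoes
    numbers or punctuation added at either end, and splitting on separators
    undoes punctuation or spaces placed between words.
    """
    core = password.lower().strip(EDGE_CHARS)
    for form in (core, core.translate(UNLEET)):
        tokens = [t for t in re.split(r"[^a-z0-9]+", form) if t]
        matches = [_match_token(t, words) for t in tokens]
        if tokens and all(m is not None for m in matches):
            return [word for m in matches for word in m]
    return []


if __name__ == "__main__":
    for n in range(5, 11):
        print(f"{n} characters: {brute_force_seconds(n):,.0f} seconds")
    for candidate in ("robert!", "Aardvark-Zebra9", "R0bert1", "qz7#Lp2vXw"):
        print(candidate, "->", dictionary_base(candidate) or "no dictionary base")
```

A password that returns a non-empty list here should be rejected however long it is, since its real strength is the size of the word list times the number of mutations, not the keyspace figure.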

Friday, January 23, 2009

Sometimes I Hate Being Right...but Here We Are...

I have an article coming out that describes this hijacking of an emergency warning system to "fool" people. No one seems to believe that it is possible...until now...or that it would be used for malicious purposes...trust me it will be.

The story below describes how some "unauthorized official" (italics mine) sent a fake warning via the emergency alert system. This will become an important part of a school attacker's strategy. Read this excerpt from the Chronicle of Higher Education that seems to miss the point that this is a major breach of what some administrators feel is an important (and expensive) safety system, and a warning that it can be used for nefarious purposes. And unfortunately, that is easy to manipulate.

Mysterious Text-Message Alert at U. of Florida Scares and Angers Students

An unauthorized official sent a text message to more than 42,000 students, professors, and staff members using the University of Florida’s emergency-alert system on Tuesday night. The message contained cryptic words that left some people charging racism, and others afraid that the message hinted at some kind of danger.

Brendan Negron, a freshman at the university, was sitting with a friend on campus when both of them got the exact same text-message that said: “The monkey got out of the cage.” They asked around and soon realized that everyone they knew had received the same cryptic words from the same unknown telephone number.

“It was pretty scary at first,” said Mr. Negron. “My first reaction was that maybe it was some kind of threat.” Then his friend suggested that the message could be a reference to the swearing-in of America’s first African-American president, which took place just a few hours before the message arrived. Several other students thought the same thing and complained to university officials about what they perceived as a racial slur.

University of Florida officials now say that the message was sent by a former employee of Mobile Campus, the vendor that the university uses to operate the text-message alert service. The employee was trying to show off to a friend that he still had access to the university’s system when he accidentally sent the message, according to a statement from the university.

“It raises a concern for us that a former employee was able to still access the system,” said Stephen F. Orlando, a spokesman for the university, in an interview today. “Clearly that’s an issue that needs to be addressed and fixed.”

But Mr. Orlando stressed that no one had hacked into the system, and he said the university was working with Mobile Campus to keep any further unauthorized messages from going out.

Many colleges and universities have set up emergency-alert systems that can send messages to cell phones, but the University of Florida was one of the first to automatically add every student to the system. The majority of colleges have an opt-in policy, in which students and others must sign up to receive emergency alerts. As a result of the University of Florida’s policy, well over 80 percent of students are part of the system, which has 60,000 registered users.

While the mysterious “monkey” message was being sent, someone at Mobile Campus noticed it and shut down the system before everyone received it, said Mr. Orlando. Officials then disabled the system while they investigated the source of the message. Mr. Orlando said he did not know whether the alert system is back in operation yet.

Officials for Mobile Campus could not be reached for comment today.

The university’s police chief, Linda Stump, sent an e-mail message to all students yesterday explaining how the “monkey” message had been sent in error. “Please know that the university’s top priority in this matter remains safeguarding students’ and staff members’ private data, as well as the integrity of the text messaging system,” she said.

This is the first incident we’ve heard of in which a college’s emergency alert was used without authorization. —Jeffrey R. Young

Thursday, January 22, 2009

Just in Case You Think Schools are Immune from Credit Card Theft - No One Is!

Millions of Credit Card Numbers Nabbed in Payment System Breach

Who is doing your credit card processing?

A major credit card processor, Heartland Payment Systems Inc. of St. Louis, announced that hackers gained access to its servers used to process about 100 million credit card transactions every month - EVERY MONTH. Do the math! The company handles transactions for 175,000 businesses and bills itself as having "the highest standards" and "the most trusted transactions." The company's files have been hacked for who-knows-how-long, they say "longer than weeks." Hmmmm...two years is longer...10 years is longer as well. Why so closed-mouthed? Because it is a huge breach that will cost millions to pay for and correct.

This may be the largest personal data theft in history. And watch, we will never hear about who did it or where the money is. The criminals are now gone, having completed the crime and pocketed the cash. They can vanish and move on to the next victim. You?

Who is processing your credit card transactions? What are their precautions? What is your liability?

The cost of this mess will be massive. Make sure you are prepared.

Wednesday, January 21, 2009

Cyber Cops and Robbers (and the Burden of Litigation) on Campus

Here's an excerpt from a recent article by Symantec, an IT systems security product vendor (my comments are in the brackets):

It’s raining data

For IT departments large and small, the last few years have been brutal: Gartner estimates data volumes are rising at an estimated annual rate of 65%; at the same time, the pressure to retain and find information for business, legal, regulatory, and HR purposes has increased tremendously.

In the United States, recent changes to the Federal Rules of Civil Procedures, which dictate the processes and evidence requirements of parties in federal civil suits, have also had a significant impact on the kinds of information companies are expected to find and produce in litigation. (This is already happening in the education community, although many cases are settled out-of-court. Still the costs to education are tremendous.)

The upshot is that regulators and judges demand timely production of documents and do not consider information “inaccessible” simply because an organization lacks a system for prompt retrieval. Earlier this year, Qualcomm was hit with an $8.5 million penalty for mishandling the discovery process and failing to produce email relevant to a lawsuit with Broadcom. In the U.K., a large retailer was mandated by the Information Commissioner to install laptop encryption company-wide as a result of a data breach – a failure to protect confidential information.

Generally speaking, companies grappling with the rising tide of unstructured information (And think of all the unstructured data on your campus network. It is mind boggling...pirated software, music, video, email, pornography, intellectual property, viruses and malware...) face three key challenges:

* Security The volume and distributed nature of the information make it hard to protect – both in motion and at rest.
* Storage Greater volume means not just soaring storage and server purchases, but also soaring energy and cooling costs.
* Search More information makes it harder to find what is needed (i.e., the proverbial “needle in a haystack”).

For U.S. companies, there are also the rising costs of discovery to consider. Legal review must be conducted by skilled staff. To review 1 gigabyte of email costs more than $100,000, according to a Fulbright & Jaworski litigation survey, yet it costs 15 cents per month to store it on Amazon’s Web-based Simple Storage Service. Thus, review is 1,400 times more expensive than storage.

(A perfect example of the money and time spent on this is the RIAA (Recording Industry Association of America) recent "witch hunt" against music downloaders, and think how many copies of pirated songs are on your servers! The students love them. The RIAA is supposed to be winding down the threats and litigation, but it cost many schools quite a bit of money and resources to defend themselves...it's our litigious world.)

Thursday, January 1, 2009

Jonathan Kendall Security Seminars

Click to Jonathan Kendall dot com for more information

Wednesday, December 3, 2008

Jonathan Kendall leads Risk Management Consulting on a Turn for the Better

Jonathan Kendall and the experts at Kendall Design Group have teamed with Total Security Solutions in Rio de Janeiro Brazil to expand into the risk management arena. "We have a whole new range of services available for our clients in the US and Latin America," says Kendall, President of both organizations. "Our representatives have a broad range of international experience in international risk management, insurance consulting, claims management, construction project oversight. We have Americans, Europeans, and Brazilians at the ready to serve our clients. It is a convergence of expertise and cultural understanding that is unparalleled in the industry."

"We have clients in Brazil who want risk management and project oversight on a number of levels, managing claims for change orders and out-of-scope work. In this economic environment, it is critical to manage these risks for the betterment of all," says Hakan Olsson, managing director of Total Security Solutions. "Our American clients want to do business in the countries of the world that have not been devastated by the economic crisis and Brazil is holding its own with a solid infrastructure, energy, transportation, steel and manufacturing leading the way," stated Kendall.

The connection and converging of the American, European and Latin American cultures of business is a unique quality of this team. The group can choose the best-of-breed international technology and techniques to deliver real solutions to the client, bringing together the cultures, methods of business delivery, schedule, and quality. Pat McDonnell of Total Security Solutions says "We have direct, multi-year experience in Latin America, especially Brazil, Europe and the United States with a broad range of consulting expertise including insurance and risk assessment. I have 15 years of risk management experience in South America, David (Young) has 10, and Hakan (Olsson) has been a resident of Brazil and business security expert for 14 years here. We are unique in our field. The best of the whole world."

With offices in Ipanema, Rio de Janeiro, Brazil and the metro Washington, DC area in the USA, this is a business synergy like no other. Total Security Solutions stands ready with an in-place Brazilian corporate structure, an expert staff, and an understanding of your unique requirements.

Don't Take Risks, Take Control.

We have 20+ years experience in risk management, claims and project management, insurance review, training, converged technology and security to support the architectural, construction, education and healthcare communities.


Contact us at Total Security Solutions

In Brazil:
Hakan Olsson
(21) 2227-0154
Ipanema, RJ
hakan@ProtecaoTotal.com


In the USA:
Jonathan Kendall
(410) 798-9003
Annapolis, Maryland
jonathan@ProtecaoTotal.com

Wednesday, November 19, 2008

CAMPUS SECURITY

All too often and unfortunately, campus security is treated as a collection of segments, as in this discussion. Do this, don’t do that, buy that don’t buy that. Security does not work like this. Security is a system of people, processes and technologies integrated into the institutional infrastructure. Security is complex.

Making global statements about do’s and don’ts in the framework of security solutions such as speaker systems vs. text systems is silly and counter-productive. Each institution has physical, cultural, geographical, technological, human, fiscal, and administrative uniqueness that requires a distinctive solution, or better yet, a systemic solution of checks and balances. The system must include personnel, technology, and physical resources in the context of the institutional environment.

There is no single system or “level” of security for all campuses; it depends on what you are willing to give up, or trade off, to get the security you desire. There is no total, absolute security. Security is challenging, and there are no easy answers.

Tuesday, November 4, 2008

Some Good Advice from the UC on School Shooter Response

Here is some good, logical advice from the University of California Police. It seems pretty straightforward and simple but in the highly stressed environment of an active shooter, it can mean the difference between life and death. Click the article title above.

Tuesday, October 28, 2008

Get the Latest Article on School Security



Just published in the Fall edition of SEEN (South East Education Network) magazine. Click the title above for the first installment of "Security 101: Who's in Charge?" part 1 of 3. You can download a PDF if you are signed up with Scribd.com or email me at jon@KendallDesignGroup.com, and I will send you a PDF of both articles published to date.

Security 101: Who’s in Charge? By Jonathan Kendall (Part 1 of 3) Download document here

Thursday, August 21, 2008

Waiting for the Security Shoe to Drop

I have the feeling that many administrations are waiting and not implementing security solutions on campus...this is caused by an interesting and well-researched human condition studied in the field of Prospect Theory. Stay tuned for the specifics on why these administrations are not protecting their students, faculty, staff and resources.

An article in SEEN Magazine will come out this month...here's an excerpt:

"Security 101: Who’s in Charge?
Part one of a three part series

Consider education security in a rapidly changing world. We must see security as converged physical, electronic and cyber protection. Look from the Cleveland Elementary School to Columbine and Virginia Tech, to the 15-year old student in Pennsylvania who stole the sensitive personal information of 55,000 residents, students, parents, and teachers from the local school district. The creativity and resourcefulness of today’s criminal, regardless of their age, is expanding.

We see that these dreadful events were not new at the time of each attack. Why didn’t the educational institution have a formal plan? Why was the attacker not stopped quickly or better yet, why did the attacker even feel as though he could attempt the attack? And be successful?

Who was in charge of the security of the students, faculty, staff and information and physical resources at these schools? The physical security, the electronic security, the cyber security? Probably well meaning, professional administrators all with good intentions. No one wanted to see the horrific conclusions to these events, but more often than not, the officials in charge of the institutions and security are ill-equipped to examine and execute a successful security solution."

Friday, May 30, 2008

2008 CDW-G School Safety Index


I invite everyone to take a look at the 2008 CDW-G School Safety Index, just click here. But beware...things aren't always as they seem.

It is a very useful benchmark for PK-12 schools to gauge their relative status of security in the cyber and physical worlds. You should truly take these results with a grain of salt as they are from the schools themselves with no outside verification. In the past, we have had some clients that either through ignorance or forethought indicate that the condition of the security in their facilities is far better than it actually is. Sometimes other people want to give the impression of security to keep their job or because they do not understand the true threat they face.

Often the administration relies on the security personnel and network administrators to “get it right”. But these people too often do not have the training or the background to understand the relationship between assets, risks, solutions, and the unintended consequences of the interaction between privacy, access, costs, probability, risk, law, deterrence, response, and the lives and well being of your students, teachers and staff…parents, neighbors, police…and on and on.

Regularly, one can solve the wrong problem, and then believe they have a very secure system, when, in fact, they have opened themselves to a new world of risk and liability.

Do not underestimate the creativity of your students (I have two teenagers who are both very creative) and the capabilities of the “bad guys”…refer back to the article in the blog post below about the 15-year old hacking into the school network…I would be willing to bet that the school district would have said that they were VERY SECURE on the School Safety Index having just updated their cyber security because of an earlier attack...they solved the wrong problem.

An excerpt from that article:
Even worse, this is the second time since December (2007) that a student has broken into the Downingtown Area School District’s computers, even after school officials said they had improved security in the wake of the last breach. In the December hack, a 16-year-old student used a password-cracking tool to open an encrypted file he had surreptitiously downloaded. That student was charged with a felony, and the school district has since been in the process of revamping its access management processes and systems.
Again...THEY SOLVED THE WRONG PROBLEM! Don't you do that...

Be honest in the privacy of your office, how secure is your school…physical and cyber?

Wednesday, May 28, 2008

15-year old High School Student Hacks School's Network

I have had some clients not believe that they are at risk from criminals...cyber, physical, and blended. AND it is SO easy today that children are hacking into campus networks and stealing sensitive and valuable personal information for fun, like it's...child’s play!

Check the article by clicking on the title above.

Think what an average criminal would do with the names, addresses, and social security numbers of the whole school district. Think what Organized Crime would do with this sensitive information. A child molester…think of all the information on your students, faculty, staff, parents and donors that is stored on your network…think what would happen if you were hacked.

Cyber and physical crime is converging, make no mistake, the criminals see these stories too. And they are more creative than I.

You must take steps now to protect your educational community.

Jonathan

Friday, May 23, 2008

Another Case of Ignoring the Security Risks of Discarded Computers

Another case of simply throwing out a computer has brought the crime of information theft to the fore. Any information on an old computer can easily be resurrected if steps are not taken to properly wipe the drives. In this case a celebrity race driver opened himself and his friends to blackmail, identity theft, and cyber-hacking by the simple act of discarding a personal computer. As your institution, or you personally, get rid of your computer, get it properly cleansed to avoid this crime.

MAY 15, 2008 | A Formula One driver was apparently too fast in the disposal of his hard drive: A German man has been arrested for allegedly trying to sell to a magazine the disk loaded with personal information that belonged to Force India F1 driver Adrian Sutil.

Sutil reportedly was unaware that his personal information, Swiss bank account transactions, photographs, and correspondence between him and another racing friend were still on the hard disk, which his father had previously disposed of, according to a report in the U.K.-based Telegraph.

The suspect was nabbed near Munich by undercover detectives when he tried to sell the disk to a racing magazine for 10,000 Euros. He was arrested under suspicion of attempted blackmail and possession of stolen personal data, offenses that could send him to jail for up to five years.

"Somebody took the hard disc out of a computer my father sold on, recognised me and wanted to make some money out of it. But after four days they caught him," Sutil said in the article.

“Identity thieves have been known to hang around junkyards picking up old computers just minutes after they have been dropped off, and then using data recovery tools to see if financial records, passwords, and other information useful for stealing identities can be unearthed,” Cluley said. “And if you're a business or mega-rich celebrity such as a Formula One driver the losses can be even more acute."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Thursday, May 22, 2008

The "Blended Attack" on Campus

A US Government report was recently declassified. It looks at the possibility of the "blended" cyber and physical attack that we have been talking about for many years. This idea of combining the world of cyber crime and physical crime is the future for the intelligent and professional criminal. The current weapon for the pedophile is to use the internet and chat rooms to lure the child victim into a “relationship” and then coax them into a physical sexual assault. The more advanced criminals, especially those with the high quality computer skills that are being taught on campus today, will be able to easily use these computer skills in different and unique ways. These methods can be used to disrupt communications such as a computer text message alert system or a campus audio annunciation warning system while the “lone wolf” attacker combs the campus for victims. Or what if he hacks into the warning systems to create a series of false alarms, or “false positives”, to lower the campus community’s trust in the electronic systems? Then the attack can be carried out with a slower response by authorities as the community just thinks it’s another false alarm.

The real possibility is that a much larger, more dangerous terrorist group could be planning a larger scale attack on a campus similar to the Russian school attack in September of 2004 where terrorists took control of a school, ending in a siege in which approximately 300 people died, including 150 children. The event made international news, something the leading terrorists are anxious to do.

Make the “blended attack” a part of your security plan and train rigorously for it.

Jonathan


Summary: Terrorist cyber attacks on the U.S. homeland, though not evident so far, will grow increasingly possible over the next decade as terrorists see the benefits of such attacks, become more cyber-savvy, and discover vulnerabilities in cyber systems.

• Terrorists are most likely to use cyber weaponry in a blended fashion—combining offensive cyber elements to aggravate the damage and hamper recovery from a physical attack. The most probable targets for such attacks are critical infrastructure or assets, response and recovery assets, and security systems.

• Cyber only attacks are also increasingly possible. Their most likely targets are critical infrastructures such as power or telecommunications, SCADA (supervisory control and data acquisition) systems, and companies supporting U.S. policies that terrorists seek to challenge or draw attention to.

The risk of a terrorist cyber attack would be reduced by: ensuring that blended attack scenarios are included during contingency planning and vulnerability analyses, increasing surveillance and ongoing assessments of terrorist cyber abilities, and enhancing information sharing among corporate security services, intelligence entities, and emergency services.

This assessment is speculative, drawing on the expertise of 15 academic, industry, and U.S. Government cyber, threat, and operations experts; it does not reflect specific threat reporting.


Friday, May 16, 2008

Laws of the Cyber Seas

"How lessons from the U.S. government's response to pirates in the early 1800's can help the next president of the United States improve information security."

Using Thomas Jefferson's model to form our policy on information security in the digital age.

"Thomas Jefferson understood this threat and took decisive action to serve the world notice: The United States of America would defend its right to trade freely with any nation on earth."

So must the University keep trading knowledge in an increasingly hostile electronic environment. Take a look at the article; click the title link above.

Friday, May 2, 2008

Security Amateurs

Too often, the security of a campus is entrusted to non-professionals. I don't mean the campus security or the police; I mean the average student, faculty member, or staff member who is coaxed into becoming the first line of defense, which puts these folks well out of their realm.

The same often happens in cyberspace where a well-meaning but over-worked network administrator is "elevated" to the position of network security administrator. Many times, this promotion is in name only as they do not have the time, the skills, or the training to fulfill the new position. This exposes a critical resource, the entire IT infrastructure including personal student information, accounting and finance, intellectual property, and legal information to security breaches and a campus liability that could reach into the millions of dollars.

Don't be terribly surprised when you get poor results from amateur security...we can do better.

There’s an interesting essay on allowing security amateurs into the front line of defense…

by Bruce Schneier
We've opened up a new front on the war on terror. It's an attack on the unique, the unorthodox, the unexpected; it's a war on different. If you act different, you might find yourself investigated, questioned, and even arrested -- even if you did nothing wrong, and had no intention of doing anything wrong. The problem is a combination of citizen informants and a CYA attitude among police that results in a knee-jerk escalation of reported threats.

This isn't the way counterterrorism is supposed to work, but it's happening everywhere. It's a result of our relentless campaign to convince ordinary citizens that they're the front line of terrorism defense. "If you see something, say something" is how the ads read in the New York City subways. "If you suspect something, report it" urges another ad campaign in Manchester, UK. The Michigan State Police have a seven-minute video. Administration officials from then-attorney general John Ashcroft to DHS Secretary Michael Chertoff to President Bush have asked us all to report any suspicious activity.

The problem is that ordinary citizens don't know what a real terrorist threat looks like. They can't tell the difference between a bomb and a tape dispenser, electronic name badge, CD player, bat detector, or trash sculpture; or the difference between terrorist plotters and imams, musicians, or architects. All they know is that something makes them uneasy, usually based on fear, media hype, or just something being different.

Even worse: after someone reports a "terrorist threat," the whole system is biased towards escalation and CYA instead of a more realistic threat assessment.

Watch how it happens. Someone sees something, so he says something. The person he says it to -- a policeman, a security guard, a flight attendant -- now faces a choice: ignore or escalate. Even though he may believe that it's a false alarm, it's not in his best interests to dismiss the threat. If he's wrong, it'll cost him his career. But if he escalates, he'll be praised for "doing his job" and the cost will be borne by others. So he escalates. And the person he escalates to also escalates, in a series of CYA decisions. And before we're done, innocent people have been arrested, airports have been evacuated, and hundreds of police hours have been wasted.

This story has been repeated endlessly, both in the U.S. and in other countries. Someone -- these are all real -- notices a funny smell, or some white powder, or two people passing an envelope, or a dark-skinned man leaving boxes at the curb, or a cell phone in an airplane seat; the police cordon off the area, make arrests, and/or evacuate airplanes; and in the end the cause of the alarm is revealed as a pot of Thai chili sauce, or flour, or a utility bill, or an English professor recycling, or a cell phone in an airplane seat.

Of course, by then it's too late for the authorities to admit that they made a mistake and overreacted, that a sane voice of reason at some level should have prevailed. What follows is the parade of police and elected officials praising each other for doing a great job, and prosecuting the poor victim -- the person who was different in the first place -- for having the temerity to try to trick them.

For some reason, governments are encouraging this kind of behavior. It's not just the publicity campaigns asking people to come forward and snitch on their neighbors; they're asking certain professions to pay particular attention: truckers to watch the highways, students to watch campuses, and scuba instructors to watch their students. The U.S. wanted meter readers and telephone repairmen to snoop around houses. There's even a new law protecting people who turn in their travel mates based on some undefined "objectively reasonable suspicion," whatever that is.

If you ask amateurs to act as front-line security personnel, you shouldn't be surprised when you get amateur security.

We need to do two things. The first is to stop urging people to report their fears. People have always come forward to tell the police when they see something genuinely suspicious, and should continue to do so. But encouraging people to raise an alarm every time they're spooked only squanders our security resources and makes no one safer.

We don't want people to never report anything. A store clerk's tip led to the unraveling of a plot to attack Fort Dix last May, and in March an alert Southern California woman foiled a kidnapping by calling the police about a suspicious man carting around a person-sized crate. But these incidents only reinforce the need to realistically assess, not automatically escalate, citizen tips. In criminal matters, law enforcement is experienced in separating legitimate tips from unsubstantiated fears, and allocating resources accordingly; we should expect no less from them when it comes to terrorism.

Equally important, politicians need to stop praising and promoting the officers who get it wrong. And everyone needs to stop castigating, and prosecuting, the victims just because they embarrassed the police by their innocence.

Causing a city-wide panic over blinking signs, a guy with a pellet gun, or stray backpacks, is not evidence of doing a good job: it's evidence of squandering police resources. Even worse, it causes its own form of terror, and encourages people to be even more alarmist in the future. We need to spend our resources on things that actually make us safer, not on chasing down and trumpeting every paranoid threat anyone can come up with.

This essay originally appeared in Wired.com:
http://www.wired.com/politics/security/commentary/...

Monday, September 3, 2007

http://securecampus.blogspot.com/2009/01/jonathan-kendall-security-seminars.html