Dr. Rick Rigsby, a renowned communicator, author and viral video star, will share his motivational message titled ‘Making an Impact’ during the ESX Keynote Luncheon on June 4 in Indianapolis. A video of Rigsby’s inspiring commencement speech to the California State University Maritime Academy went viral in 2017, racking up more than 200 million views worldwide. His book, Lessons from a Third Grade Dropout, is a USA Today, Wall Street Journal and Amazon bestseller. Rigsby’...
Keysight, the test and measurement vendor, has released the results of a survey sponsored by Ixia, on ‘The State of Cloud Monitoring’. The report highlights the security and monitoring challenges faced by enterprise IT staff responsible for managing public and private cloud deployments.

Cloud Environment

The survey, conducted by Dimensional Research and polling 338 IT professionals at organizations from a range of sizes and industries globally, revealed that companies have low visi...
As the Internet of Things (IoT) and other trends drive the convergence of physical and information security, integrators and end users attending ISC West may be struggling to keep pace with new areas of responsibility and expanding roles in the larger security ecosystem. Help is here. The Connected Security Expo, co-locating with ISC West, focuses on building a holistic security strategy for the connected enterprise. Exhibitors will focus on how physical and information security can be used tog...
The Security Industry Association (SIA) has selected Mark McCourt as the recipient of the 2018 Sandy Jones Volunteer of the Year award, which recognizes SIA volunteers who have made tireless efforts to expand SIA’s programs and services. SIA will present McCourt with the award at The Advance, SIA’s annual membership meeting, during ISC West.

SIA Autonomous Robotics Working Group

Mark McCourt, head of commercialization at Cobalt Robotics, has made valuable contributions to SIA, incl...
Wrike, the collaborative work management (CWM) platform for high-performance teams, continues to remove the security barriers preventing enterprise companies from adopting a cloud-based CWM platform. The company announced today that it has earned the ISO/IEC 27001:2013 certification from the British Standards Institution. This recognition demonstrates Wrike’s relentless commitment to protecting customer data and supporting the most rigorous security standards. Wrike also announced the...
UNION has launched CodeGUARD 5, the first access control device available to meet the new BS 8607 grade 5 standards.

High-Security Push Button Locks

The recently introduced grade 5 standards provide the most stringent level of security and access control for mechanical push button locks to date. Providing an extremely strong level of attack resistance, grade 5 was introduced because of the need for a high-security push button lock, and UNION is the first manufacturer to answer this need. Grad...
Aqua Security, global security platform provider for securing container-based and cloud native applications, has announced the availability of version 4.0 of the Aqua cloud native security platform, introducing new security and compliance controls for serverless functions and Linux hosts.

As enterprise development and deployment of cloud native microservices-based applications continue to accelerate, Aqua enables security teams to manage and enforce security policies across a blend of VM-based containers, Containers-as-a-Service (CaaS) and Function-as-a-Service (FaaS) spanning both multi-cloud and on-premises environments.

Gartner Distinguished VP Analyst, Neil MacDonald, notes that “securing serverless will force information security and risk professionals to focus on the areas we retain control over. Specifically, the integrity and assurance of the code, identities of the code and developers, permissioning, and serverless configuration, including network connectivity.”

Serverless Security Solutions

Aqua’s comprehensive serverless security solution now includes a full chain of controls to discover functions across multiple cloud accounts, scan them for vulnerabilities, detect excessive permissions and configuration issues, and provide function assurance – preventing the execution of untrusted or high-risk functions based on defined policies. The key controls for serverless environments include:

Functions discovery: Creating an inventory of functions stored across cloud accounts.

Vulnerability scanning: Deep scanning of a function’s packages and dependencies for known vulnerabilities (CVEs), based on multiple sources and supporting multiple programming languages.
CI/CD Integration: “Shifting left” beyond scanning existing functions, Aqua provides development teams with plug-ins for Continuous Integration environments to detect security issues as functions are being built.

Permissions Assessment: Identifying use of excessive or over-provisioned permissions specific to the serverless cloud environment, and monitoring for unused permissions – reducing the potential attack surface of a function.

Sensitive Data Assessment: Detecting secrets and hard-coded keys within the functions themselves, or within environment variables, specific to the cloud environment – for instance AWS credentials or Azure Authentication keys.

Function assurance: Security teams can set policies to determine the risk threshold to allow or disallow function execution, based on a variety of factors including CVE severity, CVSS score, sensitive data, and permissions.

Function anomaly detection: Monitoring of function usage patterns and alerting on sudden spikes in the frequency or duration of function execution.

Enhanced Security Controls

Another significant addition to the Aqua platform is tighter controls to secure the Linux hosts that run containers. This addresses potential risks from vulnerabilities such as the one discovered earlier this year when a severe new vulnerability (CVE-2019-5736) was disclosed in runc, a component used in most container runtimes which is part of Linux OS distributions, highlighting the need for securing the container stack at both the workload and host levels.
“The new technologies supporting cloud native applications require a holistic approach to security and compliance, across the application lifecycle as well as up and down the stack, and this has become more evident in recent months with significant vulnerabilities discovered in Kubernetes and runc for example,” notes Amir Jerbi, CTO and co-founder at Aqua Security. “With this new release from Aqua, our customers can protect their applications against those, as well as yet undiscovered vulnerabilities by implementing tight compliance and whitelisting-based zero-trust security.”

Aqua 4.0 Security Platform

Aqua 4.0 builds on previous Aqua host protections that already included testing hosts according to CIS (Center for Internet Security) benchmarks, scanning hosts for known vulnerabilities, and monitoring user logins, to provide:

Malware Scanning: Detecting malware in the host OS, or any of its components.

Vulnerability scanning: Scanning for CVEs found in the host OS, or any of its components.

Whitelisted and Blacklisted Users and OS Packages: Security teams can specify which types of users and OS packages are either allowed or forbidden from being used on a host.

User Activity Monitoring: Aqua now logs all user commands on the host OS for security and compliance tracking (in addition to the previously available user logins and login attempts tracking).

CIS Benchmarks Testing: Having achieved CIS certification for its Kubernetes benchmark, Aqua now provides detailed information on each benchmark test success/failure to provide teams with remediation information.

Custom Benchmark Scripts: Enabling the upload of scripts that customize benchmarks to account for configurations that aren’t supported in the standard CIS benchmarks, including Kubernetes clusters on Red Hat OpenShift.
Host Assurance: Allowing security teams to set policies that determine a threshold for host compliance and security risk based on the results of the above scans and checks, and that generate alerts and audit events upon policy violations.

Aqua CSP v4.0 will be generally available in mid-March for existing customers and new deployments.
As the U.S. government reforms its security clearance process, it must address the use of publicly available electronic information (PAEI)—specifically social media and commercially available databases—for personnel security determinations and insider threat purposes, according to a new white paper issued by the Intelligence and National Security Alliance (INSA).

The Use of Publicly Available Electronic Information for Insider Threat Monitoring, developed by the INSA Insider Threat Subcommittee, recommends the Director of National Intelligence, as the government’s Security Executive Agent, work with the Defense Department, which will assume government-wide investigation and adjudication responsibilities, to take several key steps, including:

Determine what sources of publicly available information are relevant to security determinations;

Develop a single legal interpretation of what PAEI, including social media data, may be collected and analyzed for personnel security purposes; and

Establish policies for how PAEI, including social media data, may be used for security-related personnel determinations.

Balancing Security Needs With Privacy

To do so, the government must determine what PAEI constructively informs a risk assessment, what types are appropriate to use, and how to use such data to make both initial and ongoing assessments.

“Organizations would be irresponsible to ignore publicly available data when assessing personnel security risks, but it’s neither productive nor desirable to collect every piece of information that might exist,” said Chuck Alsup, INSA president. “The DNI should lead a government effort to determine what data is relevant, how to interpret it, and how to balance security needs with employees’ reasonable expectations of privacy.
Private companies can then build on policies and standards set by the government to develop their own practices.”

Determining Potential Threats

Defined as information that is available to the public on an electronic platform such as a website, social media, or database (whether for a fee or not), PAEI can provide insights into an individual’s perceptions, plans, intentions, associations, and actions. This data can help employers determine whether an employee poses a potential threat to themselves or the organization.

Criteria for evaluating social media may be particularly difficult to establish, both because social media postings may not clearly indicate potential security risks and because social media monitoring by an employer may be seen as overly intrusive.

“Companies are struggling to develop strategies to leverage the significant value that public data provides to insider risk mitigation, particularly as the ‘borderless work environment’ expands,” says Val LeTellier, principal author of the report and member, INSA Insider Threat Subcommittee. “The report provides a framework of the most important factors to consider when developing culturally viable and operationally effective policies. To use PAEI effectively, government agencies and private firms need a single set of parameters for what data to use and how to evaluate it.”
MedixSafe, a pioneer in the access control cabinet market, is pleased to introduce its new GS1 Gun Safe. Initially custom-built to accommodate a request from a police department looking to secure firearms, the GS1 electronically controlled cabinet is an access control solution that law enforcement, airport security staff and private gun owners alike can count on to restrict access to their firearms.

Easy to manage from any computer, the MedixSafe GS1 is equipped with a stand-alone networkable TCP/IP based controller. It’s designed to require both an individual PIN and/or Proximity Card to gain access. All PIN/Card activity is recorded in the PIN/Card reader memory, providing a reliable log of who has accessed the gun safe. The GS1 can store up to 30,000 users and a 50,000 event activity log.

Embedded Help Screen

It features a USB-host port for offline data management/access; audio-visual indicators via an internal speaker; bi-color LED operation indicator; two separate compartments; a large LCD screen; and, MedixSafe Audit software. The software comes with an interactive embedded help screen, intuitive icons; descriptive, easy-to-understand information, and a well-organized menu and programming for quick setup. The only hardware users need is their existing PC or laptop.

"MedixSafe is dedicated to providing the very best in access and key control," says Jim Turner, President, MedixSafe. "Our new GS1 Gun Safe allows law enforcement, airport security staff and private gun owners alike to properly secure their firearms with a trusted access control solution."

Made of heavy-duty 10 gauge steel, it features two mechanical locking mechanisms and a key override. The GS1 is available in a black, powder coated finish. Dimensions: 63” High x 36” Wide x 30” Deep. Voltage: 12 Volt DC current draw 80mA idle 500mA active.
The American National Standards Institute (ANSI) has appointed Susan Carioti, the vice president of certification, standards and guidelines at ASIS International, to a three-year term as a director-at-large on the ANSI board of directors.

Standards And Conformance-Based Solutions

As a director-at-large, Carioti will work with members of the board to determine and approve the policies and direction of ANSI’s strategic vision, and in close collaboration with stakeholders from industry and government, to identify and develop standards and conformance-based solutions to national, international and global priorities.

“The role at ANSI is quite an honor and recognizes ASIS’s commitment and grit as both an accredited standards development organization and certification body,” said Carioti. “I look forward to continuing this important work and raising the bar with ASIS members and the security community.”

ASIS National Standards Development Program

Carioti joined ASIS more than a decade ago, and as an ANSI-accredited standards developer, established ASIS’s credible national standards development program. In addition to overseeing the ASIS standards program internationally by way of ISO security, risk and resilience activities, she provides strategic direction and management in advancing ASIS certification programs in conformance with ISO 17024 Personnel Certification accreditation requirements.

An active participant in numerous ANSI groups for more than twenty years, Carioti currently serves on the ANSI appeals board and served many years on the ANSI executive standards council.

“Sue’s experience and expertise are a valuable addition to the ANSI Board,” said Fran Schrotter, Sr. VP & COO, ANSI. “She has demonstrated tremendous commitment and drive for excellence in ANSI standards and conformity assessment activities. We more than welcome her ideas and contributions.”
Aqua Security announced that its Aqua Container Security Platform (CSP) has been certified by CIS Benchmarks to compare the configuration status of Kubernetes clusters against the consensus-based best practice standards contained in the CIS Kubernetes Benchmark. Organizations that leverage Aqua CSP can now ensure that the configurations of their critical assets align with the CIS Benchmarks consensus-based practice standards.

“We are thrilled to have our platform certified by the CIS for the Kubernetes Benchmark,” said Amir Jerbi, CTO and co-founder at Aqua. “This certification is a testament to the rigorous security testing performed by our platform, and our commitment to providing enterprise customers with solutions that enable them to meet CIS best practice standards and maximize the security posture of their Kubernetes clusters.”

Aqua Container Security Platform (CSP)

Aqua’s platform is used by more than 100 of Global 1000 companies, securing their container-based and cloud native applications, on-prem and in the cloud, supporting both Linux and Windows runtime environments, across Kubernetes as well as other orchestrators. The Aqua platform drives DevSecOps automation and provides visibility and runtime protection for cloud native workloads, including both host-level and network-level controls.

This certification is issued by CIS (Center for Internet Security, Inc.) and reflects proven guidelines that are continuously refined and verified by a volunteer, global community of experienced IT professionals.

“Cybersecurity challenges are mounting daily, which makes the need for standard configurations imperative.
By certifying its product with CIS, Aqua Security has demonstrated its commitment to actively solve the foundational problem of ensuring standard configurations are used throughout a given enterprise,” said Curtis Dukes, CIS Executive Vice President of Security Best Practices & Automation Group.

CIS Certified Security Software Products

In order for a product to receive the CIS Benchmarks Certification, a vendor must adapt its product to accurately report to the security recommendations in the associated CIS Benchmarks profile. CIS Certified Security Software Products demonstrate a strong commitment by the vendors to provide their customers with the ability to ensure their assets are secured according to consensus-based best practice standards.

The CIS Benchmarks program is a trusted, independent authority that facilitates the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. CIS Benchmarks are recommended as industry-accepted system hardening standards and are used by organizations in meeting compliance requirements for Federal Information Security Management Act, PCI, Health Insurance Portability and Accountability Act and other security requirements.
Security-Net, Inc., a global provider of security system services, is celebrating its 25th Anniversary this year, a testament to the strength of the organization that today brings together the best independent security systems integrators to collaborate on enterprise-level projects, technology acumen and business practices.

Security Systems Integrators Group

Since its founding in 1993, Security-Net has been recognized as the top group of security systems integrators within the industry. Its members are regularly included in the SDM 100 Top Systems Integrators list, an annual listing of the top security systems integrators in North America, and the Security Systems News 20 Under 40, an annual award that recognizes the top up and coming security systems integrators.

“The idea for Security-Net originated during a manufacturer’s award trip when several security systems integrators expressed a desire to discuss common problems and business best practices with industry peers,” said Bill Savage, President of Security Control Systems of Houston and one of the four original founders of Security-Net. “A year later we had an organization formed.”

Security-Net Project Management Platform

Over the past 25 years, Security-Net has evolved into an organization that now collaborates on national projects, helps its members stay up to date on the latest technology issues and trends, and provides sales and project management training to its members. The group has also launched its own project management platform.

“We’re proud of how Security-Net has grown dynamically over the years,” said J. Matthew Ladd, a member of the Security-Net Board of Directors.
“Within the past 10 years we’ve added numerous sub-committees, including Tech-Net, Ops-Net and Sales-Net, and provided member companies with access to programs to strengthen their sales and project management skills.”

Global Security Services

Today, Security-Net members regularly collaborate with other member companies on projects that expand beyond their geographic areas of business, providing customers with global security services through its network of security systems integrators. Security-Net’s membership base currently includes 21 members with a combined 50 offices in North America, Brazil, the Dominican Republic, the United Kingdom and Europe.
The oil and gas market is driven by a number of technology trends, political issues, waves of supply and demand, and regulations. At times, it seems like the market is in a constant state of ebb and flow, with business affected by traditional drivers, such as government mandates and operational efficiencies, and other non-traditional markers, like challenging weather conditions (consider the 2017 hurricane season as an example). Additionally, the global economy continues to grow, propelling increased energy demand.

But like nearly every other market today, the oil and gas market is on the brink of a sea change. According to Deloitte’s 2018 outlook on oil and gas, “the digital revolution is here.” The sheer volume of information and data generated by digital devices, such as those associated with the Internet of Things, will allow producers to leverage rich data and combine it to deliver smart, efficient solutions. The rise of digital technologies is unleashing new ideas across the oil and gas industry and even though we are in the beginning stage of being able to harness the power of these types of technologies, innovative ideas are emerging — all designed to support the core business, reduce internal investments, deliver products faster, boost efficiencies, and enhance safety.

Maximized Operations And Increased ROI

This is welcome news because there are a number of challenges facing the oil and gas industry, from improving reserve replacement and ensuring workplace safety to reducing operating costs and limiting downtime. All of these objectives must be achieved while maximizing operations and increasing overall return on investment. Never has it been more crucial for critical infrastructure organizations to demonstrate a focus on safety, security, and collaboration. Here's why:

Growth and demand

According to the U.S. Energy Information Administration, world energy consumption will grow by 56 percent between 2010 and 2040. This ongoing growth propels energy producers to embark on extensive exploration and production activities to meet increased demand. As energy-centric organizations look to emerging markets or remote regions to source production, safety becomes even more mission-critical to their success.

Compliance

Continuous demand is only one challenge; compliance with industry and government regulations is another significant hurdle that must be maintained or there is risk of production shutdowns. For example, the Department of Homeland Security’s Chemical Facility Anti-Terrorism Standards (CFATS) impose comprehensive federal regulations for high-risk chemical facilities, requiring organizations to conduct vulnerability assessments. This is just one of many regulatory procedures sites must follow to conform to environmental protections, safety precautions, and safe handling of hazardous materials.

Threat Protection, Mitigation, And Collaboration

In addition to meeting the requirements of regulatory procedures, mitigating risk in this industry propels leaders to develop stringent strategies to ensure robust protection of people, property, and assets, effective and efficient response to incidents when they occur, and procedures and protocols to ensure business continuity in emergency situations. Energy providers require comprehensive safety planning and technology systems that can augment the capabilities of on-site and remote personnel.
In recent years, video solutions have become the standard for monitoring facilities, assets, and employees, and now these organizations require enterprise-class solutions that can help gather intelligent data that allows for enhanced security and safety efforts but also focus on processes that enhance operational efficiencies.

IT security is also a concern. Cyber-attacks are becoming increasingly more complex and sophisticated in the oil and gas market. An IT breach can cause operational havoc, risk to the public, and damage to an organization’s brand. Adopting a continuous improvement approach to a security strategy safeguards and helps protect valuable company information and reduces the likelihood of an incident. Also, collaboration between IT and physical security leaders and the correlation of both departments' data makes it much easier to identify a potential breach before havoc ensues.

The Digital Age

With the rise of the digital revolution and the demand for data to improve insight, oil and gas producers and businesses need to find new ways to capture data, correlate it as needed, and then leverage it to make the most informed decisions. Software platforms are being used in a wide variety of applications to provide a single pane-of-glass view that allows operators to gain critical insight into operations.

By collecting intelligence from digital sensors, such as video surveillance cameras, open-source Web intelligence, building systems, crowdsourcing, weather sensors, mobile devices, and more, operators can detect potential risks and manage and respond to situations more efficiently. Furthermore, information can be shared easily with multiple agencies, employees, citizens, and first responders — especially valuable in the event of a safety incident where rapid response is paramount.
By creating a single enterprise-wide view across disparate systems and technologies, organizations experience improved response times, lowered operational costs, and increased employee safety.

Traditional Command Centers

Intelligent solutions, such as those derived from the idea of artificial intelligence, help organizations make sense of vast amounts of data. These integrated applications, such as advanced video analytics and facial recognition, can automatically pinpoint potential breaches and significant events, and send alerts to the appropriate personnel, departments, and agencies. These solutions can be powerful in unifying disparate command center technologies within the oil and gas industry, fusing critical data input from emergency calls and responder activity to enhance situational awareness.

With traditional command centers relying mostly on call and radio updates, visibility can be limited, but new digital platforms enable operators to oversee a situation and engage with and direct the response force. Overall, these types of automated functions deliver a simplified and modernized operating environment.

The Future Is The Intelligent SOC

All of these digital solutions are designed to take center stage within the Intelligent Security Operations Center (ISOC). To combat advanced, multi-stage threats, oil and gas facilities are transforming the traditional SOC into the next-generation unified ISOC with an integrated platform for detection, investigation, communication, and response.
Cyber, traditional security, digital devices, and situational awareness technologies combine to deliver an integrated, automated, and adaptive architecture to efficiently mitigate advanced threats in real time or forensically. Energy providers operate in challenging, fast-moving environments in which opportunities, requirements, and regulations can vary widely, change quickly, and evolve significantly over time. As the idea of the digital age continues to transform this market, new technologies will be more widely used to improve business operations from exploration and extraction to transportation and distribution. With the right technology, strategic partnerships, and enhanced situational awareness, oil and gas facilities can implement a proactive approach to safety and better mitigate threats and protect assets, while continuing to focus on achieving business goals that will sustain supply and demand for years to come.
According to the reports of not-for-profit organization Gun Violence Archive, the year 2018 has seen 323 mass shooting incidents as of November 28 in the United States. This number is 346 for the year 2017 and 382 for 2016 (more statistics are available here), with “mass shooting” defined as cases where four or more people are shot or killed in the same time period and location.

While definitions of mass shooting vary with organizations in the US, the count of over 300 incidents per year, or about once per day on average, is simply alarming. It raises public safety concerns, ignites debates and protests, which in turn lead to public unrest and potentially more violence, and increases costs for governments from the regional to federal level. Most importantly, the loss of lives demands not only improvement in post-incident handling and investigation, but also new prevention technologies.

Gunshot Detection Solutions

There are several gunshot detection solutions in the security market, commonly used by law enforcement agencies to detect and locate gunfire. These systems function based on acoustic recordings and analyses and often in combination with signals detected by sensors of the optical flash and shockwave when a gun is fired. However, gunshot detection by nature dictates that law enforcement can only react to a shooting incident that has occurred. With fast action, law enforcement can prevent the incident from escalating, but lives that are lost cannot be recovered.

With the development of artificial intelligence in object recognition, AI weapon detection offers a more efficient alternative to prevent active shooting: AI can visually detect guns based on their shapes before they are fired.
The AI is trained to recognize firearms in different shapes, sizes, colors, and at different angles in videos, so that the AI weapon detector can be deployed with existing camera systems, analyze the video feeds, and instantly notify security staff when a gun is spotted.

Comparison of the advantages for law enforcement and public security agencies

| Legacy gunshot detection using sensors | AI weapon detection |
| --- | --- |
| Reactive measure: detect after guns have been fired | Proactive measure: detect before guns are fired |
| Time to action: within 1 second | Time to action: within 1 second |
| Unable to provide visual data about shooter(s) | Can provide data about shooter(s) based on the camera recording: clothing, luggage (backpack, handbag, etc.), facial features, vehicle |
| Unable to track the location of the shooter(s) before and after shooting because of the lack of sound | Can track the shooter(s) using AI Person & Vehicle Tracking, AI Face Recognition, and AI License Plate Recognition |
| False detection caused by similar sound such as fireworks and cars backfiring | Minimal to no false detection, as AI can distinguish different types of handguns and rifles from normal objects (umbrella, cellphone, etc.) |
| Require physical deployment of gunshot detection sensors | Can be used with existing camera systems, do not require special hardware |
| Complicated to deploy, require highly trained professional | Easy to deploy as an add-on to existing video surveillance system |
| - | Can integrate with gun-shot detection to create a “double knock” audio and video active shooter alert system |

Gun-Shot Detection Advantages

In addition to advantages for law enforcement and public security agencies, this type of visual-based pre-incident detector has three-fold advantages for the public:

Save lives by spotting the shooter before the shooting event.
Minimize the chaos entailing an incident: panic and chaos caused by a shooting incident often adds to injury, as people run, fall, trample on others… With an AI weapon detector, when a gun is spotted, the system sends an alert to security staff, who can quickly control the situation in an organized manner and apprehend the intending shooter. Can be added as a SaaS (Security as a Service) component to small business and home surveillance systems, e.g., intrusion detection alerts (home invasion incidents with firearms number over 2500 per year nationwide). For a complete active shooter detection system, video-based AI detector can operate in conjunction with gunshot detectors for enhanced security. Traditional X-ray based weapon detection or metal detection entrance systems are complicated and expensive; with AI video technology, active shooter detection system can be cost-effective, and after all, what price tag can one put on a life? Written by Paul Sun and Mai Truong, IronYun
With the coming of a New Year, we know these things to be certain: death, taxes, and… security breaches. No doubt, some of you are making personal resolutions to improve your physical and financial health. But what about your organization’s web and mobile application security? Any set of New Year’s resolutions is incomplete without plans for protecting some of the most important customer touch points you have — web and mobile apps.

Every year, data breaches grow in scope and impact. Security professionals have largely accepted the inevitability of a breach and are shifting their defense-in-depth strategy by including a goal to reduce their time-to-detect and time-to-respond to an attack. Despite these efforts, we haven’t seen the end of headline-grabbing data breaches like recent ones affecting brands such as Marriott, Air Canada, British Airways and Ticketmaster.

App-Level Threats

The truth of the matter is that the complexity of an organization’s IT environment is dynamic and growing. As new technologies and products go from production into the real world, there will invariably be some areas that are less protected than others. The apps that control or drive these new innovations have become today’s endpoint — they are the first customer touch point for many organizations.

Bad actors have realized that apps contain a treasure trove of information, and because they are often left unprotected, offer attackers easier access to data directly from the app or via attacks directed at back office systems. That’s why it’s imperative that security organizations protect their apps and ensure they are capable of detecting and responding to app-level threats as quickly as they arise.
In-Progress Attack Detection

Unfortunately, the capability to detect in-progress attacks at the app level is an area that IT and security teams have yet to address. This became painfully obvious in light of the recent Magecart attacks leveraged against British Airways and Ticketmaster, among others. Thanks to research by RiskIQ and Volexity, we know that the Magecart attacks target the web app client-side.

Attackers gained write access to app code, either by compromising or using stolen credentials, and then inserted a digital card skimmer into the web app. When customers visited the infected web sites and completed a payment form, the digital card skimmer was activated, intercepting payment card data and transmitting it to the attacker(s).

Data Exfiltration Detection

During a Magecart attack, the transaction processes are otherwise undisturbed. The target companies receive payment, and customers receive the services or goods they purchased. As a result, no one is wise to a breach — until some 380,000 customers are impacted, as in the case of the attack against British Airways.

The target companies’ web application firewalls and data loss prevention systems didn’t detect the data exfiltration because those controls don’t monitor or protect front-end code. Instead, they watch traffic going to and from servers. In the case of the Magecart attacks, the organization was compromised and data was stolen before it even got to the network or servers.
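The Magecart intrusions described above changed front-end code that server-side controls never inspect. One way to watch that code, as an added example that is not from the original article: a Python script that hashes the scripts being served against a release manifest and inventories external script tags on a page. The file names, hosts and sample contents are constructed for illustration, and the use of Subresource Integrity (SRI) style hashes is an assumption of this example rather than something the article prescribes.

```python
"""Baseline-and-compare integrity audit for front-end scripts (added example)."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri_hash(content: bytes) -> str:
    """Return a Subresource Integrity value (sha384, base64) for a script body."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def build_manifest(files: dict) -> dict:
    """Map each script path to its SRI hash at release time."""
    return {path: sri_hash(body) for path, body in files.items()}


def audit_scripts(manifest: dict, deployed: dict) -> list:
    """Compare what is being served against the release manifest."""
    findings = []
    for path, body in sorted(deployed.items()):
        if path not in manifest:
            findings.append(("unexpected", path))   # file nobody released
        elif sri_hash(body) != manifest[path]:
            findings.append(("modified", path))     # bytes changed after release
    for path in sorted(set(manifest) - set(deployed)):
        findings.append(("missing", path))
    return findings


class ScriptTagCollector(HTMLParser):
    """Collect (src, integrity) for every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attr = dict(attrs)
            self.scripts.append((attr.get("src"), attr.get("integrity")))


def audit_page(html: str, allowed_hosts: set) -> list:
    """Flag external scripts from unknown hosts or lacking an integrity attribute."""
    collector = ScriptTagCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        if not src:
            continue  # inline script: covered by hashing the page template itself
        host = urlparse(src).netloc
        if not host:
            continue  # same-origin path: covered by audit_scripts
        if host not in allowed_hosts:
            findings.append(("unknown-host", src))
        elif not integrity:
            findings.append(("no-integrity", src))
    return findings


# Constructed sample data (not taken from any real site).
RELEASE = {
    "js/checkout.js": b"function submitPayment(form) { return post('/pay', form); }\n",
    "js/site.js": b"function initMenu() {}\n",
}
SERVED = {
    # Same file with bytes appended after release.
    "js/checkout.js": RELEASE["js/checkout.js"] + b"/* constructed: added after release */\n",
    "js/site.js": RELEASE["js/site.js"],
    # A file that was never part of the release.
    "js/stats.js": b"/* constructed: never released */\n",
}
PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/lib.js" integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script src="https://cdn.example.com/widget.js"></script>
<script src="https://metrics.example.net/t.js"></script>
</head></html>"""
ALLOWED_HOSTS = {"cdn.example.com"}

if __name__ == "__main__":
    manifest = build_manifest(RELEASE)
    for kind, item in audit_scripts(manifest, SERVED) + audit_page(PAGE, ALLOWED_HOSTS):
        print(f"{kind:13} {item}")
```

Run on a schedule against what the web server actually returns, a check of this kind looks at the layer the article says firewalls and data loss prevention tools do not.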
Best Practice Resolutions

The Magecart attacks highlight the need to apply the same vigilance and best practices to web and mobile application source code that organizations apply to their networks, which brings us to this year’s New Year’s resolutions for protecting your app source code in 2019:

Alert

First, organizations must obtain real-time visibility into their application threat landscape given they are operating in a zero-trust environment. Similar to how your organization monitors the network and the systems connected to it, you must be able to monitor your apps. This will allow you to see what users are doing with your code so that you can customize protection to counter attacks your app faces. Throughout the app’s lifecycle, you can respond to malicious behavior early, quarantine suspicious accounts, and make continuous code modifications to stay a step ahead of new attacks.

Protect

Next, informed by threat analytics, adapt your application source code protection. Deter attackers from analyzing or reverse engineering application code through obfuscation. Today’s proven obfuscation techniques can help prevent application reverse engineering, deter tampering, and protect personal identifiable information and API communications.

If an attacker tries to understand app operation through the use of a debugger or in the unlikely event an attacker manages to get past obfuscation, threat analytics will alert you to the malicious activity while your app begins to self-repair attacked source code or disable portions of the affected web app. The key to success is quickly understanding when and how an app is being attacked and taking rapid action to limit the risk of data theft and exfiltration.
Encrypt

Finally, access to local digital content and data, as well as communications with back office systems, should be protected by encryption as a second line of defense, after implementing app protection to guard against piracy and theft. However, the single point of failure remains the instance at which the decryption key is used. This point is easily identifiable through signature patterns and cryptographic routines. Once found, an attacker can easily navigate to where the keys are constructed in memory and exploit them.

Effective encryption requires a sophisticated implementation of White-Box Cryptography, one that combines a mathematical algorithm with data and code obfuscation techniques, transforming cryptographic keys and related operations into indecipherable text strings. Protecting encryption keys is often overlooked but should be considered a best practice as you forge into the new year with a renewed commitment to app security to ensure your organization’s health and well-being in 2019.

Protecting Applications Against Data Breach

According to the most recent Cost of a Data Breach Study by the Ponemon Institute, a single breach costs an average of $3.86 million, not to mention the disruption to productivity across the organization. In 2019, we can count on seeing more breaches and ever-escalating costs.

It seems that setting, and fulfilling, New Year’s resolutions to protect your applications has the potential to impact more than just your risk of a data breach. It can protect your company’s financial and corporate health as well. So, what are you waiting for?
School shootings continue, as does a search for answers. What solutions are there to prevent school shootings and/or to improve the response (and thus minimize the death toll)? In the physical security industry, we like to think we have solutions that can help, if not “solve”, the problem, but realistically speaking, how effective are they at the end of the day?

The sad answer – even after dozens of school shootings and even in the wrenching aftermath of the latest one – is that we don’t know. There is a gaping lack of knowledge and research when it comes to measuring the effectiveness of preventative measures as they relate to school shootings.

Scarce Resources For Preventative Measures

The dearth of knowledge on the subject leaves schools at risk of spending scarce resources on measures that don’t have any real impact, or worse, that have a negative effect on education environments. The natural impulse following a school shooting is to do something – anything – to prevent the tragedy from happening again at any school, but especially at my school. But how is money best spent?

Congress has passed the Stop School Violence Act of 2018 to provide $50 million per year to develop programs to train students, teachers and law enforcement to prevent violence, and to create anonymous reporting systems, such as hot lines, for school violence threats. The bill authorizes another $25 million for improvements to schools’ physical security infrastructures. Congress also provides $1.1 billion in Title IV block grants, which districts can use to pay for diverse needs such as security systems.
Several states are providing additional funding for physical safety measures and campus police, and local districts are also stretching their budgets to address security concerns.

But is that money being targeted to measures that will help the situation? What is the role of technology in preventing school violence, and are we as an industry at risk of over-selling our preventative capabilities and diverting money from other measures that might have more impact? Successful businesses are a good thing, but not at the expense of misspending education resources on solutions that don’t solve anything.

Studies On School Safety And Protection

Researchers, advocates and educators gathered this fall at American University to consider the need for better research to inform decision-making on safety, reported Education Week.

A 2016 study by the Rand Corp. points to the problem: Lack of data and research on what works and what doesn’t. “Despite growth in the school safety-technology sector, rigorous research about the effectiveness of these technologies is virtually non-existent,” according to Rand. “The field is in desperate need of more evidence on what works, and schools want this information presented to them in vetted, digestible ways to help them with procurement.”

Jeremy Finn, a professor of education at the University of Buffalo, has pointed out the difficulty of assessing the effectiveness of measures designed to deter events that likely won’t occur anyway. “How do you know when you have deterred a school shooting?” he asks. “It didn’t happen.”

The Effects On Our Students

Might technologies aimed at making schools more secure have an adverse effect on the learning environment?
More metal detectors, armed guards and police officers could cause anxiety in some students and even interfere with the learning process.

Do security measures aimed at preventing active shooting incidents absorb resources that might better be used to address a more general and/or likely security threat such as vandalism or student discipline? Theoretically, security measures in general should help to reduce the probability of an active shooter at the same time they are addressing a wider range of concerns and threats. But do they?

At the very least, we in the physical security market should be aware, and should freely acknowledge, that the technologies we offer are only part of the solution to school violence. Schools should take the broadest possible approach to the range of security challenges, and technology should be one tool among many. Furthermore, better data to measure what works is sorely needed to illuminate the best path forward.
I have been thinking a lot about the U.S. government’s ban on video surveillance technologies by Hikvision and Dahua. In general, I question the wisdom and logic of the ban and am frankly puzzled as to how it came to be. Allow me to elaborate.

Chinese Camera Manufacturers

Reality check: The government ban is based on concerns about the potential misuse of cameras, not actual misuse. Before the government ban, you occasionally heard about some government entities deciding not to use cameras manufactured by Chinese companies, although the reasons were mostly “in an abundance of caution.”

Even so, I find the targeting of two Chinese companies – three if you count Hytera Communications, a mobile radio manufacturer – in a huge government military spending bill to be a little puzzling. I can’t quite picture how these specific companies got on Congress’s radar.

What level of lobbying or backroom dealing was involved in getting the ban introduced (by a Missouri congresswoman) into the House version of the bill? And after the ban was left out of the Senate version, was there a new wave of discussions to ensure it was included in the joint House-Senate version (with some minor changes, and who negotiated those?). It all seems a little random.

Concerns For The U.S.

Furthermore, the U.S. ban solves neither of the two main concerns that are generally used as its justification:

Concern: Cybersecurity. The U.S. ban “solves” the issue of cybersecurity only if both of the following statements are true.

- No security system that uses a Hikvision or Dahua camera or other component is cybersecure.
- Any system that does not use a Hikvision or Dahua camera or other component is cybersecure.
The ban ignores the breadth and complexity of cybersecurity and instead offers up two companies as scapegoats. Our industry has sought to address cybersecurity, and the one principle that has guided that effort is that cybersecurity is an issue that must be addressed by manufacturers, consultants, integrators and end users – in effect, everyone in the industry. Cybersecurity does not begin and end with the manufacturer and banning any manufacturers from the market does not ensure better cybersecurity.

Concern: “Untrustworthy” Chinese companies. Hikvision and Dahua are only two Chinese companies. Any response to concerns about whether Chinese companies are trustworthy would need to cover many more companies that manufacture their products in China. Australian TV recently claimed that “All Chinese companies pose a risk. Because of Chinese laws, there is a requirement for companies to be engaged in espionage on behalf of the state.”

Even if one embraces that extreme view, the logic fails when only two companies are targeted. One source told me that 60 to 65 percent of the global supply of commercial video cameras are manufactured in China, so it’s a much bigger issue than two companies.

And is U.S. security at risk unless or until it is cut off from more than half of the world’s supply of video cameras? Even Western camera companies manufacture some of their cameras and/or components in China. Why name only two (or three) companies, only one of which has ties to the Chinese government?

If the goal of the U.S. ban was to address the possibility of cybersecurity and/or espionage by the Chinese government, shouldn’t there be other companies and product categories included? Clearly, video surveillance is not the only category that has the potential for abuse.
The Chinese government has much more effective ways of conducting espionage than exploiting security cameras.

Global Response To U.S. Ban

And now that the U.S. ban has been passed, how is the ban being misused to justify a new level of alarm about Chinese companies? Australian television effortlessly made the leap from “software backdoors” to a concerted and organized effort by the Chinese government to use cameras to be the “number one country for espionage.” And it’s not just about government facilities: “Even on the street, [cameras] have the potential to inadvertently contribute toward Chinese espionage activity by providing real-time information about the situation on the ground,” says the Australian TV report.

If all Chinese companies pose a risk, why is the U.S. government targeting specific companies rather than all Chinese companies, or at least those with electronics or computer products that could be used for espionage? What about the espionage potential of the 70% of mobile phones that are made in China? What about other consumer electronics such as PCs or smart TVs? How many government facilities that are eliminating Dahua and Hikvision cameras have employees who use iPhones or use other electronic equipment from China?

Artificial Intelligence & IP-Over-Coax

Also, consider the impact of the ban on business. Hikvision and Dahua have had many successes in the video surveillance market, including in the U.S. market. They have added value to many integrators and end user customers. They have been on the forefront of important trends such as artificial intelligence and IP-over-coax.
And, yes, they have made technologies available at lower prices.

Cybersecurity issues have plagued several companies in the industry, not just these two, and both Hikvision and Dahua have worked to fix past problems, and to raise awareness of cybersecurity concerns in general.

Is a U.S. ban on two companies an appropriate response to a series of geo-political concerns that are much bigger than those two companies (and bigger than our entire market)? Should two companies take the brunt of the anti-Chinese backlash?

Video Surveillance Cameras

Is the video surveillance market as a whole better or worse for the presence of Hikvision and Dahua? Is it up to the U.S. government to make that call?

In some ways, thoughts of Chinese espionage are a sign of these uncertain political times. Fear of video surveillance is perfectly congruent with long-standing anxieties about “Big Brother;” suspicion about China taking over our video cameras just rings true at a time when Russia is (supposedly) controlling our elections. But should two companies be targeted while broader concerns are shrugged off?
Repercussions are rippling through the physical security industry since President Trump signed into law the ban on government uses of surveillance equipment by Chinese manufacturers Hikvision and Dahua. In addition to the direct and indirect consequences of the new law, there have also been other developments likely to impact the future of Chinese companies in the video surveillance market.

The ban has raised awareness of Chinese companies’ role in video surveillance, and other developments are related to tariffs and possible sanctions, all playing out amid the backdrop of an escalating trade war.

One Chinese manufacturer previously dismissed security concerns about its role in video surveillance as “Cold War rhetoric.” There has been an almost nostalgic tone recently to the escalating concerns about video cameras being used for spying. Hikvision and Dahua have both stated emphatically that they have not conducted any espionage-related activities. Even so, the U.S. government ban has emboldened the concerns.

However, to be clear: No one has alleged that technologies from either of the companies have been used for espionage. Rather, the concerns are about the potential for misuse, not actual misuse. Also aggravating the situation are Chinese companies’ previous, actual problems with cybersecurity, which the companies say they have addressed.

Here are some recent developments related to the U.S. government ban and Chinese manufacturers in general:

Tariffs And Trade Concerns

Additional rounds of U.S. tariffs have targeted an expanding array of Chinese goods, including data storage and processing components such as printed circuit boards, as well as video camera lenses. The escalating trade war has kept generalized concerns about China and its trade practices in the public eye and fomented a level of uncertainty in many markets, including physical security.

Involvement Of Surveillance In Chinese Human Rights Violations

Concerns have surfaced in a Congressional hearing recently about the Chinese government’s surveillance activities targeting the Uyghurs and other Muslim ethnic minorities in the Xinjiang Uyghur Autonomous Region (XUAR). Specific attention is being directed at the region’s surveillance system including “thousands of surveillance cameras, including in mosques,” and Hikvision and Dahua were mentioned in the Congressional hearing as profiting from security spending in the area.

Increased Global Media Attention

The ban has not been widely publicized in the U.S. mainstream media, but the topic has attracted global attention. For example, the Australian Broadcasting Corporation broadcast a 10-minute expose on the use of Chinese-made cameras in Australian government facilities, including “sensitive military facilities.” The report, which mentioned the U.S. ban, noted that “Both [Hikvision and Dahua] have had security flaws be exposed leading to fears that some of the flaws were placed there to help the Chinese government spy.” The report continues: “China is trying to set itself up as the number-one country for cyber-espionage, and this is part of that platform.”

Broader Interpretation Of The Bill Beyond The Federal Government

The language in the bill leaves a level of ambiguity in terms of the scope of its application, and the security marketplace as a whole has been struggling to understand its full impact. Does the ban only restrict an integrator’s use of Chinese technology on a specific government job, or does it eliminate an integrator who installs the technology (even in non-government projects) from consideration for government jobs?

How broadly should one interpret the inclusion of “critical infrastructure” mentioned in the bill, for example, non-governmental facilities? Will other governments and private entities assume they should ban Hikvision and Dahua in order to be compliant? For example, Suffolk, VA, has announced it will not use Dahua or Hikvision cameras because the federal ban applies to “U.S. government-funded contracts and for critical infrastructure and national security usage.”

The result of these developments is a kind of snowball effect, simultaneously drawing attention to the issues and adding new elements to an overall narrative. Taken together, these developments suggest the U.S. ban has set off a level of concern about Chinese companies that will have an industry-transforming impact in the months to come.
Manufacturer ROCKWOOL International A.S. has chosen Nedap’s Global Client Programme to secure its offices and factories worldwide. AEOS, the physical security platform by Nedap, installed during the program, enables ROCKWOOL to establish a truly global security policy and unified work processes.

An advanced project rollout, the Global Client Programme is developed for large multinationals and offers several benefits, including standardization across sites, shorter implementation times and cost efficiencies.

Standardizing Company’s Security Measures

ROCKWOOL has 28 factories across the world. The Global Client Programme connects all of these factories and ROCKWOOL’s office premises, and standardizes the company’s security measures throughout the world.

Fokko van der Zee, managing director at Nedap Security Management, says: “The implementation of a standardized security solution across the world is a complex process. It involves a large project spanning many years and involving many stakeholders, and demands a high level of project management. In the absence of a structured program with defined guidelines, a global security rollout is likely to be a stressful execution. That’s why we set up our carefully designed Global Client Programme.”

ROCKWOOL Digital Service Lead, Matthew Thorne, agrees: “We’ve worked with Nedap over the past few years and recently became a member of their Global Client Programme. Now we’re equipped with the people and tools we needed to standardize our physical security solution. The Global Client Programme also minimizes risk and guarantees compliance. It really meets our needs in every possible way.”

Central Security Platform Saves Money

The Global Client Programme is designed to ensure monitoring and control during every step of the rollout process. Timon Padberg, responsible for business development at Nedap Security Management, explains: “The repetitive nature of local site deployments allows us to work with models and templates, such as standard proposal and calculation documents. We can therefore produce a scalable process that ensures uniformity and a consistently high quality of implementation across each site.”

By using the Global Client Programme, ROCKWOOL is aiming for uniformity and alignment across all sites. The program also helps achieve cost savings by avoiding initial setup costs per site and having one central security platform instead of several. Moreover, there are significant savings on operational and maintenance costs due to shared services and economies of scale.
Premier League football club Everton FC has deployed SureCloud’s GDPR suite to manage and monitor its data and GDPR compliance, enabling the club to work towards GDPR compliance, optimize internal processes and position it strategically for the future. The solution replaced Everton FC’s manual data mapping and processing methods.

Manual Data Mapping And Processing

Everton FC’s databases are extensive, containing details on over 32,000 season ticket holders and over 600,000 registered fans, with details on around 360 employees, players, agents, suppliers, and individuals associated with the club’s community charity and partner school. Much of this information is sensitive.

This data and all of the processes associated with it were being manually managed and tracked in a series of Excel spreadsheets. With multiple requests and queries to respond to every day, the club’s Data Protection Officer was struggling to record and manage smaller ad hoc queries, incidents, and tasks.

With GDPR due to place much tighter restrictions on how the club processed, managed and shared its data – as well as on the reporting of any incidents that did occur – the club needed a more comprehensive and reliable tool in place before 25th May 2018.

SureCloud Platform

The club approached its long-standing IT support provider NCC to find a solution. NCC recommended the SureCloud GDPR Suite, delivered on the SureCloud platform. After SureCloud had successfully demonstrated the ability to provide full visibility for management and automation of GDPR processes across the organization, Everton FC selected its cloud-based suite of solutions.

Two dashboards were created according to Everton FC’s specific needs: one to show all data mapping and transfers, including where data is being held and who it is being shared with; and one showing incidents and requests, including a subject request register and incident tracker path.
This gives an immediate overview of which requests are still outstanding, such as a request for an individual’s personal information to be erased from the database.

SureCloud GDPR Suite

The five applications Everton FC chose to deploy from the SureCloud GDPR Suite were:

- GDPR Program Tracker - to enable the club to map all its disparate data and workflows using intelligent risk-based questions
- GDPR Management - to provide all mandatory GDPR business-as-usual processes
- Information Asset Management - to record and maintain the club’s entire data inventory
- Compliance Management for GDPR - to help Everton FC speed up their process of attaining compliance and on-going real-time risk remediation
- Incident Management for GDPR - to meet the GDPR requirement to log, track and notify the ICO of any data breaches, should an incident arise

Ian Garratt, Data Protection Officer at Everton FC said: “The penalties for not achieving GDPR compliance are severe – up to 4% of our revenues, or €20 million. It was imperative that we got a solution in place that could not only help us achieve GDPR compliance but would also make it quick and easy for us to demonstrate that compliance at any point, on request. SureCloud’s GDPR Suite fit the bill.”

Centralized Data Management

“We are now tracking and recording every single data request in a centralized way. With NCC’s support, SureCloud’s solution has brought a comprehensive clarity to our data processing that was impossible to achieve with manual spreadsheets. The system is so intuitive; it has helped us streamline multiple processes and undertake impact assessments that we couldn’t handle before.”

Now, all of Everton FC’s disparate data are mapped, risk-assessed and tracked in a single centralized system.
All changes and requests are automatically tracked so that activity records and data audits can be produced at the click of a button.

Should an incident like a suspected data breach occur, it is identified and reported immediately and automatically. The club’s data protection team can select which asset has been affected and immediately determine the severity of the incident and whether it needs to be reported to the ICO. Should it need to be escalated, the report is available instantly.

Data Processing, Documentation And Risk Management

Ian Garratt added: “The SureCloud GDPR Suite isn’t just a compliance tool; it’s a comprehensive management tool. We now have a continuous, real-time status of where we are and what we need to be doing in terms of data processing, documentation and risk management. It would have simply been impossible to achieve this manually. SureCloud has not only helped us to work towards GDPR compliance, they have optimized our internal processes and positioned us strategically for the future.”

In addition to deploying five applications within the GDPR suite, SureCloud is currently adapting its Incident Assessment tool to meet Everton FC’s specific requirements.
To succeed in business, one must be brilliant at one thing. In many cases it’s a skill, such as art, coding, engineering or design. Or that one brilliant attribute can also be a personality trait or a business process. No business will be successful unless it is at least adequate, and preferably superb, in product development, sales, and customer engagement - not to mention finance, planning, marketing and recruiting. Too many VMS producers are trying to do all these things themselves when they should be doubling up on what they are best at and leveraging the rest. It is a new mindset. Instead of obsessing about which ‘me-too’ product to supply, software producers could make their first priority finding complementary and compatible partners.
Developing A Partnership Ecosystem
One partner might see the opportunity to sell a solution. Another partner might know a better way to distribute a product. A third partner might provide the vertical expertise to get the customer a perfectly tailored solution. By leveraging partners and developing a partner ecosystem, a company will tend to have more unique offerings and the ability to execute faster in an ever-changing world. All this additional partner horsepower is still no guarantee a company will succeed but partnerships will also give a company a feedback channel. Many stand-alone companies plod along, never quite failing, but never getting better either. Partners are less likely to tolerate business limbo. They will be quick to utilize great products, and less wedded to the concept if it doesn’t prove out. Because the partners are in close contact with the market, they are the first responders to changing or developing needs. This is why a company should listen very closely to their partners: They are the feet on the street and the ears to the beat!
Open Platform Matters
All of this is not possible, however, if a company produces closed platform software. This is software whose functions can only be changed by the original developers. Producing software takes time, and producing great software takes even longer. This means low agility. The partners might identify great opportunities, but before the closed platform software producer can react, the opportunities might be gone - or worse, be grabbed by competitors. The slow reaction capabilities of closed platform providers will frustrate partners and may lead to the worst of all complications in a partnership: distrust.
Add-On Modules and Intrinsic Scripting
When the products are based on an open platform, however, they are adaptable. Then the partners have the ability to change the solution through the open software architecture. Not by changing the basic code (that would be open source) but by add-on modules and intrinsic scripting abilities.
Total Integrated Solution
Open platform means that the partner can easily extend and enhance the software into a total integrated solution to fulfill the customer’s needs with the minimum of effort. This gives agility, and agility means fast go-to-market abilities. Just what is needed in this fast-moving world. There are some important things to note here. The ways to extend and enhance the software have to be easy and well documented. The partners must have access to training and knowledge sharing. (It does not help to have a system for extending the capabilities of the software if the partners have to guess at the process and the documentation is rudimentary.)
Open Access Is Key
It is important that the business philosophy is based on openness, giving the partners full access to all relevant information.
And openness is a two-way street: By being open for your partners, you also have to be open about their business. A partner might be able to develop a highly sophisticated solution but be unable to market the solution. By building a catalog of partner solutions easily accessible to customers, openness extends to ensure open access to the partners. Openness is not something a business can just tack on to their approach. It has to be in the DNA of the business from the start. In a Harvard Business Review article entitled ‘Predators and Prey: A new ecology of competition,’ JF Moore says: “A business ecosystem, like its biological counterpart, gradually moves from a random collection of elements to a more structured community.”
Structured Business Ecosystem
Milestone has seen this progression within the company's ecosystem. They introduced training and certification requirements as part of the partnership success structure, ensuring knowledge is shared and also used in a way that is most mutually beneficial for all involved. Moore also writes: “Every business ecosystem develops in four distinct stages: birth, expansion, leadership and self-renewal.” At present, Milestone and its partners are entering into the ‘leadership’ stage, where video enabling is creating opportunities beyond those offered by a traditional video surveillance system, and into areas that provide additional business benefits to our customers.
Video Enabling
“A leader must emerge in the ecosystem,” Moore says, “to initiate a process of rapid, ongoing improvement that draws the entire community toward a grander future.” This is the role Milestone has played in leading the industry towards the video enabling phase and redefining the industry’s expectations of what a surveillance system is capable of.
In the article, Moore underlines that “executives whose horizons are bounded by the traditional industry perspectives will find themselves missing the real challenges and opportunities that face their companies.”
Getting Connected
In his book The Tipping Point, Malcolm Gladwell describes what he calls ‘The Law of the Few,’ which says: "The success of any kind of social epidemic is heavily dependent on the involvement of people with a particular and rare set of social gifts." This is based on the 80/20 principle, "which is the idea that in any situation roughly 80 percent of the 'work' will be done by 20 percent of the participants." He goes on to identify three types of people with these gifts: Salesmen, who are skilled in persuasion and negotiation; Mavens, who collect and disseminate useful information; and Connectors. Connectors are those people with a wide range of contacts across different social circles who can make introductions and create links between otherwise disparate individuals.
Milestone, Key Connector In Physical Security Industry
In the wider scheme of things, Milestone effectively acts as a ‘Connector’ in the business ecosystem and in the overall physical security industry. Milestone brings together companies who are brilliant in their respective fields and makes it easy for them to work together to create a valuable solution for the customer. The company provides the environment for that to occur and works closely with them to ensure that the end result is useful and effective. At Milestone, partners realized that significant investments in education and training were required to create the demand for the company's products and solutions that the conservative physical security industry required. The value of partnership was learnt and the ‘open’ approach adopted, which was a central part of the thinking behind our software.
Adopting The Scandinavian Management Model
Milestone extended this approach to the entire business model, creating the ecosystem that has been the driving force for success. And while the company embraced the best of the Scandinavian management model, its inclusiveness and encouragement of creativity, they still needed to have the courage to make changes to the business, changes which would ensure the best possible position to take on whatever challenges the future might hold.
Milestone Partner Ecosystem
Milestone has always worked in a partner-driven business mode. The company from the start was designed to be open and partner oriented. The Milestone partner ecosystem is a fundamental part of its mindset and daily operations. It is one of the major reasons for getting the company to the position where it is today. To be in a company without the partner component would be like cutting the internet and phone cables while reverting to telex and written paper letters! The company would be developing products in the dark, not knowing the demand.
Open Business World
Today, Milestone's partners are delivering optimal solutions to mutual customers, building a better and open business world with video as a business enhancer. All thanks to the company's open platform and community approach. To have a flourishing partner ecosystem, one must think not as a corporation but in human terms. Because companies don’t think, humans do. In all senses of the word, there is one thing that will contribute more to the success of a partnership than anything else: 'Give before hoping to receive'.
The Security Industry Association (SIA) has expressed strong support for MI HB 5828 and HB 5830, two bills designed to improve school security across the state of Michigan.
Michigan Legislation
In a letter to Michigan House of Representatives Committee on Appropriations Chairwoman Laura Cox and Vice-Chair Rob VerHeulen, SIA CEO Don Erickson praised the bills’ creation of a comprehensive school plan and fund to enable local districts to procure security solutions to protect students from malicious perpetrators and update building code requirements to include security measures. “Sadly, our nation’s schools have increasingly become a soft target for mass violence – at Sandy Hook Elementary, recently at Stoneman Douglas High School and in many other attacks,” said Erickson. “We support holistic approaches to improving school safety and security in response to these tragedies – recognizing there is no single action that can be taken that will, by itself, make our schools safe.”
Improving School Security
SIA represents about 900 security and life safety solutions providers – companies that develop, manufacture and integrate technologies that help keep people and property safe from hazards. These industry leaders strive to introduce robust security solutions integrated into our nation’s K–12 public schools, private academic institutions, colleges and universities. In addition to serving member organizations working to improve security in schools and other environments, SIA is a co-founder of the Partner Alliance for Safer Schools (PASS), a consortium of school security experts that developed threat- and income-based guidelines for schools housing grades K–12 to implement appropriate, layered security measures. These guidelines are available to help guide school investments.
Additionally, PASS provides integrators with risk assessments and white papers that can be used when working with schools to evaluate and establish the best security protections for their buildings. SIA believes state assistance like that in the Michigan legislation is a start to addressing key security gaps in schools and is especially critical to high-risk school districts or those with limited budgets.
Keeping the food supply safe was not an issue for Furman Foods back in 1921, when John W. Furman canned 360 glass jars of tomatoes with his wife, Emma, and their six children. Just as food processing practices have evolved over time, so too has the nation’s approach to securing food processing facilities. Today, Furman Foods uses ID cards as the first step of a greater plan to enhance its plant security. Furman Foods is a family-owned business. By 1969, the company had sold a million cases of tomatoes and was complementing its tomato crop with beans, peppers and other vegetables sold under the Furmano’s name. The company’s roots are planted firmly in the soil of the Susquehanna River Valley of Pennsylvania. Despite this remote location, Frank Furman, Vice President of Quality, is ready to take the facility to the next level of security and quality. “The need is here,” he said. “Everything is coming together at once. Not only does security make good business sense, but it also is something we need to do for our customers.”
Food Safety And Security
While the company has focused on food safety for many years, the U.S. Food and Drug Administration’s (FDA’s) Bioterrorism Act of 2002 made security a top concern for food producers such as Furman’s. Title III of the act specifically addresses protecting the safety and security of food and drug supplies. In addition, because Furman Foods provides food for U.S. Department of Agriculture (USDA) food programs, it is subject to USDA security measures. Security isn’t new to the company. It began incorporating additional security measures shortly after September 2001. The well heads for the water supply are locked and checked daily, for example, and a third-party security service is on duty during off-hours.
Delivery truck doors now must be sealed, the company’s computer systems have new access controls in them, and locks now adorn all bulk storage areas, such as those for corn sweeteners and vinegar, some of the most vulnerable areas in the company.
Time And Attendance Tracking
An important part of the security system at Furman’s is a new ID card program. “We needed to replace our time clocks,” said Mark Slear, Systems Administrator, “so we took advantage of the opportunity to introduce employee ID cards to track time and attendance.” “I wanted some kind of control so that people who don’t work here don’t get in,” Furman said. “Despite the fact that we are located in a rural area, we still were seeing people here who shouldn’t be here. We had to figure out some way to limit access.” In the past, the company had pre-printed, pre-numbered, bar coded cards for hourly employee access. Employees were assigned a number, but that was it.
HID Fargo Printer/Encoder
Slear and Furman selected the Fargo DTC550 Direct-to-Card Printer/Encoder with lamination capabilities from ID Wholesaler (www.idwholesaler.com), a Fargo Value-Added Retailer and the largest online reseller of photo ID products. “I looked around quite a bit,” said Slear, “and all of my research kept coming back to Fargo.” “We determined that Furman Foods needed a higher level of security than a basic photo ID card could offer,” said Shane Stark, Account Manager, ID Wholesaler. “The FDA keeps tight regulations on who has access to food processing areas. Along with using bar codes and magnetic encoding for security measures, Furman’s warehouse employees require a stronger card to withstand the everyday wear and tear associated with their active jobs.
This led us to lamination and a Mylar card, which offers greater durability.” Slear was also interested in the printer’s speed. “When we ramp up during the summer, we produce a year’s worth of product in three months,” he said. “We have to print a lot of ID cards quickly to accommodate our seasonal workers.”
Security Access Cards
Furman’s bought the Fargo printer in October, took employee pictures in November and began issuing new ID cards in January. The ID cards contain a full photo, and the program includes all employees, even the extra 300 that are hired during the July-to-October busy season. While tracking time and attendance with the ID cards was the company’s first concern, Slear and Furman were thinking ahead when they chose an ID card printer, knowing that security needs would be enhanced down the road. “We added a magnetic stripe and photo in preparation for future security,” said Slear. “We haven’t defined yet what else we might do, but much of it will be driven by FDA and USDA directives.” “We liked the fact that the DTC550 printer can print on proximity cards if we decide to upgrade our ID cards someday,” said Slear. Furman agreed. “Eventually, we will go to smart cards, especially for the room where our ingredients are mixed,” he said. “We need to limit this area to those who are designated to be there. They will have to swipe an ID card for access. We chose a printer that will allow us to upgrade the cards, knowing that sooner or later we’ll have to go further with security.”
Comprehensive Identification Solutions
“Everything has been going well,” Slear said. “The person printing the cards picked up on it quickly.” Slear gives high marks to ID Wholesaler for their customer service. “Every time I talk to Shane, I get the answers I need,” he said.
“He also checks in from time to time, just to see how things are going.” “Our product and industry knowledge enable us to assess our customers’ needs and present options that meet their requirements and their budgets,” said Jennifer Clancy, Marketing Manager, ID Wholesaler. Currently there are three variations to the Furman’s ID cards: yellow background for employees, green background for visitors and blue background for vendors. “Certain vendors are allowed on site without an escort,” said Furman. “For instance, because we are a kosher facility, once a month a rabbi comes in to check our operations. He has his own vendor ID card and is pre-approved, so he can move throughout our facility unescorted.”
Facility Security
Furman Foods prides itself on its strong values, its quality products, its sustainability and its food security. Yet Furman isn’t satisfied. “We are still not where we should be,” he said. “We have come a long way, but we have a long way to go. If I could wave a magic wand, we would have one entrance, where everybody has to enter and exit. This entrance would be secured by a card reader, so individuals would have to swipe an ID card to get in. One of our big concerns is having someone follow a carded employee into the plant. Restricted areas should require special access cards, and I’d like a fence around the entire facility, with a guard shack where everyone checks in and out,” he further added. Right now, there are multiple entrances for traffic. The facility is very spread out, and the road in front is a public road.
Photo ID Access Card
Yet, all agree that the ID cards are an important step on Furman Foods’ journey toward enhanced security. “A safe workplace is fundamental,” said Clancy. “Photo ID cards provide at-a-glance validation that the card wearer is authorized to be on the premises.
This is especially important for food manufacturers.” “I tell our employees security is only going to get tighter,” Furman said. “More safeguards will be put in place. We are in the food business. If we don’t have safe foods, we don’t have jobs.”
Following several high-profile incidents alleging abuse of special needs students (including some non-communicative students), and the activism of a number of parent groups in the state of Texas, Governor Greg Abbott signed Texas Senate Bill 507, requiring districts to install audio and video surveillance equipment into select special education classrooms when requested. The law requires the installation of cameras and recorders in classrooms meeting certain criteria—if and when a parent, school board member, or school staff requests them from the 2016-2017 school year forward. Surveillance must cover all areas in a classroom, with the exception of bathrooms and changing areas, and recorded footage must be retained for a minimum of six months. Many Texas school districts have begun the work of bringing relevant educational spaces into compliance with the law, including the Edna Independent School District.
Super Fisheye-Powered Surveillance
Carefully considering Edna ISD’s requirements for a highest-quality surveillance solution, capable of audio recording and coverage in compliance with the law, along with their need for a fiscally responsible solution that minimized total cost of ownership, while maximizing value, PSX recommended the IDIS Total Solution’s DirectIP line. The IDIS Total Solution has a selection of affordable, highest-quality options for school districts, easily scaled to meet any classroom size, configuration, or budget. The IDIS solution crafted by PSX meets Edna ISD’s SB 507 compliance requirements with a custom configuration of IDIS cameras and recorders for multiple classrooms and sites.
At the heart of the solution is the IDIS DirectIP Super Fisheye Camera, which features breakthrough IDIS technology recognized by the industry for solving common concerns found with many other fisheye models.
Smart UX Controls
The IDIS Super Fisheye offers unparalleled client, camera, and mobile dewarping for a clearer picture and strongest possible assessment and documentation of incidents. It also features the company’s award-winning IDIS Smart UX Controls (named a 2016 ‘New Product of the Year’ by Security Products magazine), which allow for agile real-time pointing and zooming in a simplified and smooth manner previously unheard of in the industry. Other IDIS benefits, including two-way communication and the powerful recording and storage technology the company is known for, make the solution an ideal one for Edna ISD’s needs. Significantly, SB 507 was not accompanied by additional funding for implementation. It required school districts to cover the cost of surveillance purchases and installation from existing funds, donations, or other alternate funding strategies.
This expands the requirement for school districts such as Edna ISD, beyond the simple purchase and installation of new surveillance solutions, to include the identification of surveillance solutions able to provide maximum quality with a low total cost of ownership and to be as responsive as possible to the law, student needs, and existing budgetary requirements.
Cost-Effective Deployment
Offerings that feature combinations of technical and cost-effective benefits have proven a strong fit for school districts, including Edna ISD, looking to meet SB 507 requirements without sacrificing quality for cost, something that is important to institutions such as public schools, charged with both optimal execution of their core educational mission and careful stewardship of public funds. The IDIS Total Solution, differentiated by its ease of installation and use as well as its lack of licensing and maintenance fees, has proven a strong fit for school districts, including Edna ISD. Alan Morris, Vice President of Sales for PSX, Inc., stated, “While SB 507 compliance has proven a challenge for some school districts, Edna ISD has shown an uncompromising commitment to its special needs students through the selection of technology that provides easy real-time review of classroom behavior and provides the best, clearest evidence possible should an incident occur.”
Secure Learning Environment
"In Edna ISD, the safety of our students, teachers, and staff is a key part of our educational mission. When those in our schools, and the families that love them, know their environment is safe and secure, the educational mission can thrive.
We have embraced the SB 507 requirements as yet another tool in ensuring an ideal learning environment for all, providing additional support and protection for our special needs population.” “We were committed to doing this with only the best technology the industry had to offer, while also remaining responsible to our taxpayers throughout the process. The IDIS combination of a fully scalable solution of next-generation technology with a lower total cost of ownership than typically seen in the industry made it the right choice for our needs."
Round table discussion
The concept of how security systems can contribute to the broader business goals of a company is not new. It seems we have been talking about benefits of security systems beyond “just” security for more than a decade. Given the expanding role of technologies in the market, including video and access control, at what point is the term “security” too restrictive to accurately describe what our industry does? We asked the Expert Panel Roundtable for their responses to this premise: Is the description “security technology” too narrow given the broader application possibilities of today’s systems? Why?
Knowledge shared among peers is often afforded more credibility than information from manufacturers. An approximation of that principle is at work in the use of case studies as marketing tools in the physical security industry. Case studies are aimed at telling real-world success stories – from actual customers – about how various technologies are used to accomplish security goals and make the world a safer place. But how useful are they? We asked this week’s Expert Panel Roundtable: What are the benefits of case studies as a marketing tool in the security industry?
More cameras today are providing more video than ever, but how much of the video is available when and how it is needed? The question often comes up when law enforcement entities are seeking to access video from private systems to help solve a crime. There are many more private video systems than public systems, but is the video available when needed? And what about privacy: In what situations is it acceptable to share private video for the public good? We took these questions to this week’s Expert Panel Roundtable. Specifically, we asked: When does it make sense to share video from private video surveillance systems with citywide systems? What are the technical and/or privacy hurdles to sharing video more widely?