Gangs, Kidnappers, and Other Threats
In February, armed robbers kidnapped the manager of a security depot in England along with his wife and son. The robbers threatened to kill them if the manager didn’t cooperate. They forced him to give them access to the high-security building where they tied up staffers and made off with more than $90 million.
The incident makes it clear that personal protection plans are not only needed for top executives. Clark Cummings, CPP, senior vice president of First Bank, and P. Kevin Smith, CPP, senior vice president of Chevy Chase Bank, will discuss this and similar cases, and then lay out a blueprint for setting up and selling a comprehensive personal protection strategy in a session at the ASIS International 52nd Annual Seminar and Exhibits in San Diego, California.
That session is just one of 150 educational opportunities that can be found at the seminar on subjects ranging from counterterrorism skills for security managers to gang culture to the new breed of cyberpredators. Following is a preview of several of the upcoming sessions.
Smith says that, traditionally, protection plans have been aimed at top executives of financial services organizations, but the more likely targets are mid-level employees. “What we really need in the financial services industry is a commitment from the top level to support personal protection plans for employees who are below the executive level,” he says. “Specifically branch managers and branch employees who, quite frankly, are the perceived value targets for kidnappers.”
Creating personal protection plans begins with identifying those most at risk, which security directors already know how to do, Smith says. “We’re going to focus on selling the concept in the organization,” he says. “Then we’ll do step-by-step implementation strategies, gathering sample information from the perceived target,” and then look at training techniques.
Clark says that the session is not theoretical but is meant to provide practical information for attendees. “It’s my hope that when participants walk away from this session, that they’ll have a few concrete items that they can go back and implement,” he says. “We’re going to talk about implementation throughout the organization, and they can go back with key self-assessment tools and checklists they can actually use with the key targets within their organizations.”
While financial services companies may be the most likely and obvious candidates for this kind of attack, Clark notes that the threat is more widespread. “I think we can reasonably apply this to various portions of the critical infrastructure, anyone who’s perceived as having access to some kind of high-value information or system,” he says. For instance, it could be the operations person at a dam or someone in the nuclear or chemical industry, he says.
Smith points out that this kind of attack on lower-level employees and their families happens more often than “the true, classical executive hostage situation.” He adds that protection plans also provide a perk for employees and demonstrate how valuable they are to the organization. “If you end up providing some alarm-monitoring service and safeguards for the entire family through your program, that’s a heck of a perk that frankly is a noncost item,” he says. “I think it’s a good morale piece for any organization.”
Undercover investigations may sound glamorous, but the reality is that they require a great deal of preparation, says Steven Foster, CPP, PCI, of Business Controls, Inc., who will describe a number of his firm’s cases in his sessions.
He says that undercover investigations in the workplace have a very different focus than similar investigations by law enforcement. “From an investigative standpoint inside corporate America, what you’re looking for is to understand what processes are broken, what issues relative to business are allowing this type of situation to occur,” he says. Foster speaks from long experience on both sides: before joining Business Controls seven years ago, he spent 15 years in law enforcement, conducting undercover investigations with a Drug Enforcement Administration task force.
Foster’s session, “Undercover Investigations in the Workplace,” will help security professionals to understand whether an undercover investigation is needed, and if so, how that investigation should be structured. An undercover investigation is not always the first or best option, he says. “In a lot of cases, people call me and say, ‘We need an undercover,’” he says. But, he continues, “I get done talking to them, and they realize that an undercover is far from what they need.”
When an undercover investigation is deemed necessary, Foster explains what a real, well-conceived, and well-executed operation looks like; he will discuss these details in his seminar session as well. “What I want to impart is, how do you set up and construct an undercover investigation,” Foster says. “There are elements to a successful investigation that I’m going to teach.”
First among these elements are involvement by the security team and a healthy dose of management buy-in. “The security director has to have a seat at the table, has to understand the business needs of the organization, has to have commitment from management above them,” he says.
Next, it’s important that everyone involved understands precisely what they hope to achieve with the investigation. “They have to have meaningful objectives,” he says, “not just words. These objectives are real and they have to be stated and agreed upon up front.”
The next requirement is a strong strategy of how to proceed. Foster says that companies may need to do months of legwork to gather information before a decision can be made about whether an undercover investigation is necessary.
Foster, who chairs a committee for the ASIS Business Practices Council and is a faculty member for the CPP review course, says that companies need to be well prepared because it’s critical that investigations be done lawfully. “If they’re not, that’s going to get you killed,” he says. Security managers who need to know how undercover investigations work and how they should be carried out will find out everything they need to know at Foster’s session.
Has your company unwittingly hired a gang member, or is one a student in your school? How would you know? Some gang-culture identifiers that are relied on to recognize gang members—such as certain kinds of clothing, like baggy pants—have become a part of the mainstream culture. “What you have to do as a security director,” says George Patak, operations manager of the Detroit office of Wackenhut, “is separate culture from criminal activity.”
Patak will help security managers do this in his session “Gang Culture from the School Yard to the Workplace.” It’s critical to recognize gang members, he says, because they don’t leave their gang affiliations outside of work or school.
“There are some huge manufacturing facilities where gang problems are so endemic, if you have allegiance to either a Blood or a Crip sect, there are certain locker rooms you can’t use,” Patak says, referring to the two major gangs in the United States. “One is going to be Blood territory, and if you use it [and you’re aligned with the Crips], you’re going to get beat up or hassled or get your tires flattened.”
A former police officer who’s worked with gang members, Patak says that there are eight criteria commonly used to look for gang membership. These include official records such as police reports (which can be found during preemployment screening), correspondence that is cryptic or looks like graffiti, and photos inside lockers or books that show them with other gang members, often in menacing poses.
Gang paraphernalia such as bandannas, or clothing worn in a certain way, can also be indicators. But clothing, or ‘colors,’ Patak says, can be tricky. “A lot of gangs adopt logos of sports teams as their colors,” he says. “There’s a Crip gang in Chicago called Maniacs and Gangsters in Chicago, or MAGIC, and they’ve adopted the Orlando Magic’s sportswear.”
Patak, who is vice chairman of the Detroit chapter of ASIS International, will talk about some gang countermeasures as well. For example, he says that gang graffiti is an early sign of gang activity, and so he advocates using principles of crime prevention through environmental design (CPTED).
“You need to harden targets of graffiti,” he says. “It’s the billboard of the streets and it’s used to publicize power and status.” He will show photographs of some locations of gang graffiti and discuss ways to prevent it from appearing.
CPTED and preemployment checks are not enough, Patak says. As a police officer, he championed peer-resistance programs because he knew it was critical to take away the negative role model given by gangs and substitute it with a positive role model. “You need school enrichment programs that can provide recognition, affection, belonging, a sense of identification, in a positive way. Companies can do the same thing with employee enrichment programs and employee wellness programs,” he says. All of these will be topics in his presentation.
Words like “tradecraft” and “counterintelligence” bring to mind three-letter government agencies or Tom Cruise blockbusters. But in fact these practices are relevant to any business that needs to protect itself from theft of intellectual property, crime, and even an attack.
The session “Counterterrorism: How to Watch Who’s Watching You,” by three members of the California University of Protection and Intelligence, will teach attendees the basics of tradecraft. “What we talk about is, how do you train employees to recognize when they’re being elicited for information? How do you train employees to be aware of their environment?” says Tom Mann, instructor and special advisor at the university.
Mann explains that human-intelligence collectors take advantage of people’s trusting natures and willingness to be helpful. “We’re customer-service trained people in America. People ask us questions and we answer them, so as trained human-intelligence collectors, we prey on that,” he says.
In some cases, open-source intelligence is simply out there for the taking. Mann gives as an example an annual festival in Portland, Oregon, not far from where he lives. Navy ships are brought in for the event, and Mann says they represent “a great terrorist target.” He says that the local newspaper explains where all the ships are docked, what rows they’re in, and other information that would make planning an attack easier.
Elicitation is the opposite of passive information collection. Mann calls it “the art of getting people to talk to you and answer questions without you actually having to ask direct questions.” He gives the example of someone calling the receptionist of a large company pretending to be a builder or architect who’s looking for the company’s construction schematics. “Those are interesting questions that wouldn’t necessarily be the normal questions you would get when someone calls,” he says. He says this makes it clear that “your front-line defense against any kind of outside threat is not your security people; it’s your employees.”
The session will give attendees ideas of how to get buy-in for a security program from the right employees; that process entails finding what Mann calls the “leaders within the organization,” who are often without executive titles. “When you get those people to buy in, 90 percent of the organization buys in,” he says.
Dr. Michael Corcoran, president of the university and a copresenter at the session, says the presentation will include hands-on exercises that will help attendees find solutions to their real-life difficulties. Mann says another exercise will challenge attendees to do some spywork against their own organizations.
“You’d be amazed at how much information is out there about corporate leaders and their private lives, and the company, and the schematics. We’re going to tell them how you go about finding some of this stuff, because as a security manager, in order to figure out what you’re protecting, you have to figure out how much stuff is already available.”
For the average computer user, the Internet is a convenience, offering a wealth of information, myriad ways of keeping in touch with friends, and the ability to get work done from almost anywhere.
Computer security professionals, however, see it differently. Scott Lupfer, principal security architect with Internet Security Systems, Inc., calls the Internet “a borderless abyss of organized crime fueled by financial gain.” He plans to back up this grim assessment in his session, “Analysis of the Threat Landscape: Interactions Between Cyber Criminals.”
“It’s not only borderless in terms of countries but borderless in terms of legal responsibility,” Lupfer says. “It’s borderless in terms of the fact that it provides near anonymity for criminals and attackers.”
Combine borderlessness with anonymity and what you get are virtual gangs in which members only know each other by their online “handle” and where they can communicate without fear that law enforcement is listening in. Lupfer says these gangs can comprise tens, hundreds, or even thousands of crooks who have realized that there is more to gain by working together than by working alone.
“It’s like any other business,” Lupfer says. “You pool resources to achieve the most gain, and that’s what they’re doing.” He says that one example is the use of spam to deliver spyware along with junk e-mail; once the spyware is installed, it delivers a “bot” (a small piece of software that can take orders from a remote master) that allows it to participate in a widespread network of compromised computers called a botnet.
Lupfer calls last year’s Zotob virus a perfect example of disparate criminal elements working together. “What it was was almost a perfect storm from an Internet worm perspective, in that it slowly discovered vulnerable systems, it launched attacks against those vulnerable systems,” and then compromised these computers as well. Bots can be commanded to perform almost any action, such as sending spam or searching for—and mailing out—confidential information.
Fortunately, in most cases Zotob merely left victims’ computers constantly rebooting rather than attacking more systems. Nevertheless, Lupfer says, “That gives us an example of what could be coming down the pike in terms of identifying a vulnerable system, compromising that system, and then have it sitting there waiting to participate in some sort of illegal activity” later on. This kind of attack and a look at future threats will be covered in the session.
Lupfer says his session is designed to raise awareness of the problems among average computer users. It won’t address high-tech details with jargon; rather, Lupfer will help attendees see these problems in terms of their own home computers, and he hopes that awareness will transfer to safer practices when they are using corporate networks.
“When you’re in a corporate environment, you think about things from a corporate perspective,” he says, so you may be less security conscious and more likely to rely on the IT department to keep things safe. “When you think as an individual, what you’re seeing is the participation or the responsibility you can have in protecting yourself, and that does carry back over into the corporate environment.”
Peter Piazza is an associate editor at Security Management magazine.