4.23.2008

National Industrial Security Systems: Protecting US government assets held by government contractors

Courtesy of the Underwriters Laboratories Fire & Security Authority
Issue 1 - 2008
by Pete Tallman


Sensitive US government material held by government contractors is subject to a wide variety of potential threats and housed in a range of settings across the US, from major metropolitan areas to isolated locations with limited communication and support resources. In the early 1990s government officials and UL recognized the need for an alarm system verification program flexible enough to be applied in multiple settings, yet consistent enough to allow confidence in the delivery of alarm services. Developing a specialized category of service, a new standard and an Alarm System Certificate became the key for coordinating the variety of features that might be used in a particular setting and the relationship of each service provider. The result of this collaboration between UL and US government officials was the creation of the National Industrial Security System Category (CRZH), which has been designed with enough flexibility to allow protection to be rational, appropriate for the identified threat and cost effective.

Two standards are maintained by UL for this category:

• UL 2050, the Standard for Safety of National Industrial Security Systems, establishes a variety of ways in which installation, monitoring, investigation and repair service can be provided.

• UL 681, the Standard for Safety of Installation and Classification of Burglar Alarm and Holdup Alarm Systems, further defines requirements for installation of equipment and devices comprising an alarm installation in a protected area.

An alarm system certificate ties them together through the Alarm System Certification process; certificates are issued by UL at the request of UL Listed alarm service companies. The use of certification for compliance with the National Industrial Security System Category has increased steadily since its establishment in 1992. Currently, the following US government manuals contain the requirement:

• The National Industrial Security Program Operating Manual, DoD 5220.22-M
• The Physical Security Standards for Sensitive Compartmented Information Facilities, DCID 6/9
• The Manual for Physical Security of Sensitive Conventional Arms, Ammunition, and Explosives, DoD 5100.76-M
• The Physical Security Standards for Special Access Program Facilities, JAFAN 6/9

The applicable manual indicates specifications and techniques that may be required in a given situation. The US government cognizant security office or agency (CSO/CSA) assesses threats (see graphic) and determines system features, but UL 2050 and UL 681 specify the details of system delivery.

For example, if a CSO/CSA stipulates that an investigator must be a private guard and respond to an alarm within 20 minutes, UL 2050 details how to assign an investigator, how to conduct an investigation, and how to record activity and follow-up actions. Category CRZH allows an alarm service company to assign the delivery of monitoring and investigation services to other service providers, but the alarm service company keeps full responsibility for ensuring that the delivery of all services complies with the requirements in the standards.

Collaboration allows UL to keep pace with technological changes
Alarm system technology has changed dramatically since the National Industrial Security Systems Category was created. UL staff maintains close, collaborative contact with government organizations, government contractors and alarm service companies to stay abreast of the latest technological advances. These relationships give UL staff a strong view of evolving security issues, actual performance data and the practical impact of new technology. The movement to send signals from alarm systems in the form of packets of data across public and private networks raised concerns about the security of the communication paths. The regular collaboration between all parties allowed UL to publish requirements for the use of this technology by drawing on existing Federal Information Publication Standards and an encryption algorithm certification program from the National Institute of Standards and Testing, resulting in the availability of alarm equipment that provides encrypted line security.

Centralization of the monitoring stations operated by government contractors created another new challenge. Data networks enable signals to be sent across widely distributed networks, meaning that a monitoring station can be located hundreds, even thousands, of miles from an alarmed area. CSO/CSAs and UL quickly recognized the difficulties presented by this challenge, creating the National Industrial Security Monitoring Station Service Category (CRZM). This category allows the UL Listed alarm service company to assign area monitoring to a facility that has been evaluated by UL staff and found to be in compliance with UL 2050; the facility must have an active UL Listing. This relieves the UL Listed alarm service company of the responsibility for maintaining a monitoring facility while retaining the responsibility to ensure that alarm signal processing and monitoring system staff training are in compliance with category requirements.

The National Industrial Security System and the associated National Industrial Security Monitoring Station Categories are tributes to the value of collaboration between parties with a common interest. A constant focus on the concepts of flexibility and threat-appropriate requirements, coupled with a service delivery verification process, has benefited government contractors, alarm service companies and officials responsible for protecting assets of the US government.


For more technical information about UL 2050, please contact Pete Tallman in Melville, NY at +1.631.546.2415 or at Peter.H.Tallman@us.ul.com.

Fear and Learning On Campus

Published: April 16, 2008

Los Angeles

LAST week, as I was editing my student film, my eyes wandered to the monitor of a nearby student. She had a gun in her movie, I noticed. I was impressed by her ambition. She had obviously done a lot of work — paperwork.

Since the shootings at Virginia Tech a year ago, our school has made it as difficult as possible for students to put guns in their films. Joe Wallenstein, who oversees film production by students, explained that using fake weapons could be misperceived by passers-by, and misunderstanding could lead to calamity. Just days ago, the faculty banned all guns in first-semester student films and mandated that higher-level students attend a police firearms training session before using fake guns, and under many circumstances pay a police officer $450 to oversee their productions.

One of my classmates avoided the permitting process by replacing a gun in his script with a banana, turning his Western-themed cowboy film into a slapstick comedy. In his in-class critique session, the professor told him that the banana “does not work.”

Many other universities around the country are also trying to balance freedom and safety. At Harvard, a dormitory that had prided itself on not having a security officer now has one. Dorm residents protested, but the college stood firm, insisting that the freedom of movement they had lost was secondary to their safety.

Stanford, for its part, still has no professional dormitory guards, but it is developing an ID-card-based access system that is meant to eventually include all campus buildings.

Emergency text message systems are becoming increasingly common, and many colleges now require students to submit their cellphone numbers. A friend at Florida State University complained to me that he recently received the same emergency message several times, warning about a “suspicious package” in the parking garage. The message did not specify which garage, so students avoided all of them. The package turned out to be a briefcase left on the car of a high school student whose nickname, A-Bomb, was inscribed on the exterior. Whoops.

I have lately heard classmates apologize in advance for potentially disturbing content in their movies, or crack jokes to avert suspicion that they may be emotionally troubled. Our teachers encourage us to be “edgy” (it sells) but we are also aware that, since Virginia Tech, stepping over that edge into the realm of “disturbing” could land you in the dean’s office.

I admit I was startled when, looking over that young woman’s shoulder, I saw that the gun in her film was being aimed at a student behind a desk begging for her life. Can it be a good idea to present school shootings as entertainment?

The filmmaker explained that the story was about a student who resisted peer pressure to skip class on what turned out to be the day of a school shooting. Her intent was to reveal how good intentions (not skipping class) can end up being a mistake because of forces beyond your control. My worry is that because of forces beyond her control, her movie could end up like “Oldboy,” a violent South Korean film that won the Grand Prix at Cannes in 2004, and then helped inspire Seung-Hui Cho to carry out the Virginia Tech massacre.

Freedom and safety are becoming increasingly difficult to balance, it’s plain to see. But when I consider that more than 29,000 students have bravely returned to classes at Virginia Tech this year, I’m heartened.

Alice Mathias is a graduate student at the University of Southern California film school.

4.18.2008

DVR Security Cameras - Understanding The Basics

From ehelpforu.com

In today's life, security is the main concern as crime is
increasing day by day. DVR security cameras are useful in
providing safety to you, your family and your business. DVR
stands for Digital Video Recorder. It is also known as a Personal
Video Recorder (PVR). A DVR is a device that records video in
a digital format on a drive. Mostly the drive on which the DVR
records the video is a disk drive. When you use a DVR device for
security purposes, it is called a DVR security system. A security
DVR consists of a stand-alone set-top box and software. The
software supplied with the DVR system is used on the computer and
allows capturing video and playing it back. The video
captured through the DVR system can be played directly from the
drive.

Nowadays, many companies have started selling televisions with a
built-in DVR system (both software and hardware). A DVR security
camera provides longer recording time in comparison to
traditional VCR systems. This is the reason that many CCTV
companies use DVR security cameras to record daily activities.

DVR security cameras are the latest in the field of CCTV
surveillance. The picture quality provided by a DVR security
camera is amazing. DVR security cameras have the following features:

• Applications – DVR security cameras can be used for indoor as
well as outdoor applications.

• Ease of use - A DVR security camera is very easy to use.

• Video quality - Most of the Security DVRs are able to record
audio as well as video. And the quality of video is fantastic.

• Remote Access – This feature allows you to access the DVR
security cameras from a remote location via internet. This
becomes very helpful to keep a watch at a place where you have
installed the camera even when you are not present there.

• Instant playback – DVR Security camera allows you to play the
recorded video instantly without rewinding or forwarding and
hence saves your time.

• Customization – DVR security camera allows customization as
per your needs (personal or business related).

• Affordability – DVR security cameras are cost-effective.

• Selective navigation – You can search the video recorded by a
DVR security camera on the basis of event, time, or date.

• Identification of criminal becomes easier with DVR security
cameras as they produce sharp images.

DVR cameras come with many advanced features such as motion
detectors, pre-alarm function, email and FTP server
notification, video compression, virus-care system and many
more. Nowadays mobile DVR security cameras are also available
in the market. These mobile cameras are specifically meant for
the transportation industry. Mobile DVR cameras can be used in
school buses, cars, taxis, trains, trucks, ships, aircraft,
airport shuttles, emergency vehicles, fire vehicles, police
vehicles, vans, delivery service vehicles, bank cash
transportation vehicles, prisoner buses etc. Mobile cameras are
very reliable and sturdy and at the same time reasonably priced.

DVR surveillance camera systems can give safety and comfort to you
and your family, as you can watch who is entering your house.
So what are you waiting for? Provide security to those whom you
love the most.

Visit Hackett Security to learn more about video surveillance.

4.11.2008

Real ID: Coming to a State Near You?

Growing up in the Midwest, I'd never met an adult that didn't have a driver's license. As a teenager, a driver's license was a rite of passage that opened access to a whole new world. It seemed almost un-American to my adolescent mind not to get one as soon after your sixteenth birthday as humanly possible. A few years later as a college student I discovered a downside--that slip of paper (yes, it really was printed on a slip of paper) contained information, my birthdate. And every bar near campus wanted to see it.

What we forget is that a driver's license is a recent phenomenon. Missouri and Massachusetts were the first when they passed laws in 1903 requiring all drivers to have a license. In Missouri the cost was 25 cents, and a test wasn't required until 1952.

In the United States, a driver's license has become a de facto identification card. We use it to cash checks at the grocery store and board airplanes. When I moved to Montana a few years ago the only person ahead of me in line at the Division of Motor Vehicles was an elderly gentleman. He was seeking to get a driver's license after a lapse of many years. Not to drive, which he had stopped doing years before, but because he got tired of the hassle involved in not having one for identification.

What's Real ID?

Following 9/11 there was a push to change procedures for issuing identification documents, particularly when they were used to board airplanes. While the original motivating factor behind Real ID was terrorism, the objectives have grown to include addressing problems associated with identity theft and illegal immigration.

Congress, however, has ducked the politically contentious issue of creating a national identity card and instead decided to require states to comply with federal standards for driver's licenses, effectively transforming them into a de facto national identity card.

The Real ID Act of 2005 basically states that beginning May 11 of this year state driver's licenses and identification cards will not be accepted for federal purposes unless Department of Homeland Security (DHS) determines that a state is compliant with the Real ID regulations or the state has been approved for an extension. In practical terms we're talking about getting on an airplane or entering a federal building such as a courthouse. The deadline for a state requesting an extension was March 31 of this year.

What's Required?
This January DHS released the regulations establishing minimum standards for state-issued drivers' licenses and identification cards. Basically states will be required to have proof of an individual's identity and U.S. citizenship or legal status through documents such as a birth certificate or green card before issuing a drivers' license or identity card. The states must also build security features into the card itself to make them harder to forge and implement a mechanism to share data with other states and the federal government through a common architectural framework.

The final DHS requirements are much less stringent than earlier proposals. For example, requirements for biometric identification and Radio Frequency Identification (RFID) technologies on each card as well as a centralized database were in early versions of the DHS regulations.

State Resistance
The main reason for the dilution of the regulations was state resistance. Twenty-one states have passed some kind of legislation opposed to Real ID--some such as Montana and Maine going as far as opting out entirely. The reasons for opposition were both practical and philosophical.

Practical Concerns
Cost: The DHS estimates that the cost to states to comply with the Real ID Act will not exceed $3.9 billion. A joint study by the National Governors Association and the American Association of Motor Vehicle Administrators estimates the costs at more than $11 billion over the next five years and points to impacts on services to the public. So far Congress has appropriated $90 million to assist states. The DHS counters that the final regulations reduce the cost to states by 73 percent from earlier proposals and would only increase the cost of an individual license by $8.

Time and Difficulty of Implementation: State motor vehicle administrators report that reissuing 242 million licenses and identification cards, which requires verifying each individual's Social Security number, vital records (birth certificates, etc.), and legal resident status, could take eight years. Verifying identity is notoriously difficult. Exceptions, such as not having a birth certificate, having changed names, or a history of using a nickname on documents, render a simple set of procedures useless. A survey by the American Association of Motor Vehicle Administrators found that 76 percent of the responding jurisdictions anticipated that verifying the validity of source documents would have significant impact on their operation.

Security: While the current regulations no longer include a centralized database of information, concerns remain that a distributed database (one for each state) with a centralized access hub would be an attractive target for hackers. The DHS argues that the regulations provide an adequate level of security. Critics cite the recent discovery that private contractors had accessed the passport data of the current presidential candidates as evidence that federated security procedures need some work.

Scope of Information: Real ID advocates argue that the amount of information that can be remotely accessed is limited. The counter argument is that what seems to be innocuous to one person, say an address, is critical to someone else, say the victim of a stalker.

Non-official Uses: The Real ID Act does not give the DHS authority to restrict who may or may not use Real ID cards. In other words, the local convenience store will be using the Real ID card to control the sale of cigarettes to minors. Remember that Social Security numbers were never meant to be an identifier, but for decades that's what they were.

Third Party Skimming: Real ID cards will include unencrypted personal information in machine-readable format. The decision to not encrypt was driven by state and local law enforcement groups concerned about key management and accessing the information on the card quickly. Non-official users may well find it irresistible to collect the information on a Real ID card. There have been reports that some businesses are already collecting personal data from driver's licenses using commonly available readers without patrons' consent. While some States, such as California, Nebraska, New Hampshire, and Texas have passed laws that prohibit the collection of information on a driver's license or identification card, most have not.

Adequacy: Although they draw different conclusions, both those supporting and those opposing the Real ID Act are concerned about the adequacy of the regulations. Critics point out that ID documents don't reveal anything about evil intent and that determined terrorists will be able to obtain forged documents. That being the case, they argue that Real ID isn't worth the attendant loss of civil liberties.

Philosophical Concern
The philosophical objection to the Real ID Act is that it puts the country on a slippery slope to creating a national identity card and a "surveillance society." Thus we find some politically conservative "red" states such as South Carolina aligning with liberal "blue" states such as Maine in opposition to Real ID. This philosophical concern has led to strange bedfellows, including the John Birch Society and the American Civil Liberties Union.

What Does This Mean for Higher Education?
While analysis of the impact of Real ID lies with a campus' legal staff, it is inevitable that the IT unit will become involved because of the work we do with information security. We need to be prepared to help:

Determine the impact of Real ID on faculty, staff, and students. For example, an opinion by Michigan's attorney led the state to stop issuing new licenses to undocumented and temporary residents. That group included people on student visas and would have seriously impacted foreign graduate students who lived off campus. A change in state law was required.

Analyze the data security requirements needed to protect information stored on state databases. While higher education is not in a position to set state policies, it should be prepared to outline how those policies impact research and instruction. This means that IT and security staff must become familiar with the technology being used and being proposed. For example, regardless of whether the data is stored centrally as originally proposed or in 50 state databases with a common portal, a fundamental question is who can access the data. Higher education is familiar with that problem and can provide valuable recommendations to the state agencies charged with implementing Real ID.

Where Are We Now?
One key element of the final regulations issued by DHS was the extension clause, which allowed states to request an extension. Otherwise states were required to be in compliance by May 11, 2008--an almost impossible task. The DHS agreed to grant an extension if a state was making substantial progress toward compliance with the regulations and requested an extension by March 31 of this year.

Earlier this month the DHS decided to avoid a showdown over extensions with recalcitrant states. For example, my home state of Montana sent DHS a letter outlining the security features in Montana's drivers' licenses (quite good in fact) and stating that the state could not by statute implement the Real ID Act or request an extension. DHS responded that they were granting the state an extension until 2010 anyway. As of this writing, all 50 states have been granted an extension until 2010.

But the issues and concerns haven't gone away. This is an important and highly complex initiative with intelligent and well meaning people on all sides. The April 4, 2008 Christian Science Monitor summed things up nicely: "In any case, the federal government is deluding itself if it thinks that the extensions have solved this issue. It's far from settled."


Doug Gale is president of Information Technology Associates, LLC (www.it associates.org) an IT consultancy specializing in higher education. He has more than 30 years of experience in higher education as a faculty member, CIO, and research administrator.

4.10.2008

Computer Security Tip: Response to a Virus-Infected Computer

From Security Products Online

... courtesy of the Internet Education Foundation.

"If you feel that your computer has been hacked or infected by a virus, immediately disconnect it from the Internet (unplug the phone or cable line) [ and turn it off ed ]. Use a non-infected computer to download up-to-date virus software. Then [ turn on the infected computer, install the anti-virus program, and ed ] run the anti-virus program to clean up the problem. Remember to always keep your anti-virus and firewall software up to date and running in the background to prevent problems."

[ It is advisable, once you've run the AV software the first time, to update the virus definitions and then run it again. ed ]

4.09.2008

10 Qualities Your Systems Integrator Should Have

Reprinted from SecurityMagazine.com April 2008 cover story Goodbye Handshake; Hello Contract
by Bill Zalud
April 1, 2008

According to Noelle Britton of Siemens Building Technologies, Inc., you should expect that your integrator will guide you toward a custom solution tailored to meet your needs.
  1. Desire to develop long-term partnerships. The strength of an integrator is measured by the ability to develop long-term strategic partnerships with you.

  2. Segment-specific knowledge. It is imperative that your integrator knows your business as well as you do.

  3. Certification. Your integrator should promote a culture of continuing education that focuses on bringing value back to you, the customer. Certification assures you that the integrator’s staff has a deep knowledge of the industry and products/platforms.

  4. IT/IP knowledge. With the convergence of physical security and IT, and the abundance of IP products on the market, your integrator must know how to converge these two silos.

  5. Exceptional customer service. It is not enough for your integrator to simply design and install your security system.

  6. Broad organizational capabilities. Your integrator should have the capabilities to deliver a solution on a global, national level and a local level. Integrators with such breadth can share best demonstrated practices between staff and across regions and markets.

  7. Best-in-breed portfolio. Security integrators need to have a robust portfolio of best-in-breed products that can accommodate different customers.

  8. ESP. While no one can predict the future, your integrator should keep a watchful eye on how your business grows and evolves so that your security solution adapts with it.

  9. Financial stability. You are increasingly making purchasing decisions based on a longer-term perspective. To that end, you should take into account the stability of an integrator.

  10. Industry knowledge. It seems obvious, but you’d be surprised at the number of integrators who don’t have an extensive knowledge of the industry.