The Alarm System – Part 2

I will start with Intruder Control and Detection because this is what many consider the “alarm system”. Please note this is under the category of Physical Security. Intrusion Detection Systems under the Network Security category refer to detecting intruders on your network and are something I will discuss in future postings.

Today modern Intruder Control and Detection systems have wireless infrared and contact points, radio backup to the telephone connection, video surveillance, remote management, and a range of other goodies. We are faced with deciding how much of this we need and whether what we deploy will help protect our people and other assets.

First let’s understand and accept that the alarm system is a deterrent measure not prevention. Our goal here is to deploy a layered system to monitor and control who has access and when and to detect unauthorized access and notify us when that occurs. Selecting the security company to provide this solution is the first step in the process.

Having some novice intruder simply cut the phone line will not prevent the alarm from sending notice of intrusion to the alarm monitoring facility. More effort is required, and some expertise and understanding of the systems, to circumvent the intrusion alarm system. Even then most reputable alarm monitoring providers notice when the alarm system goes missing if the signal is interrupted.

Finding a “reputable” alarm or security company is probably a good starting point.

  • Do they have verifiable references?
  • What do these references think of the service and most importantly the response time to an intrusion alarm?
  • Do they outsource their monitoring and if so, where?
  • Do they outsource their response guards?
  • What kind of technology do they offer (the fun stuff for me)?
  • How easy is it to manage the system and can I do it myself?

Some of these questions may seem obvious and others not so. I must plead guilty to having more focus on the technology than most; it just comes with being a “propeller head” I guess. After my bad experiences I found it more comforting to own my alarm system and pay for the monitoring services. Owning my own system also provided me with the capability of managing the system, e.g. adding or deleting accounts, changing pass codes, and remote monitoring. Of course today nearly every commercial and residential Intruder Control and Detection system will provide these services on a lease or service level. I will get into more detail on the technical components that comprise a good Intruder Control and Detection system in my next posting, The Alarm System - Part 3.

In most cases it is perhaps better to start at the top of my list and not have so much focus on the “cool” stuff. Having up-to-date technology is certainly important and more than just a selling point. Finding a reputable company must come first because of the “tree falling in the forest and does it make a sound if there is no one around to hear it” rule. When an intrusion is detected and the alarm sounds, does anyone hear it? Check the references provided and ask the next question, what about response time? Do you have any idea of how much equipment can be loaded into a van or SUV in 30 minutes? Having a very loud siren that cannot be easily deactivated may deter an amateur but a small group of professionals will ignore the noise and haul your stuff away.

This is a good place to interject the layered approach again. Locked office doors, servers in a designated secure room with more locked doors, even physically securing desktop systems with theft deterrent lock systems will make it more difficult even for the professional and will certainly take more time. The longer the clock ticks the better chance the intruder may become frustrated and leave or the security guard may arrive on the scene and change the game plan.

The geographic location of the alarm monitoring facility is probably not critical, unless of course there are issues with communication because of the location. Having the monitoring facility in a city prone to natural disaster might pose a problem if the disaster disrupts the service for several hours or even days. In that case, who is watching the store? Is there a backup facility?

I have personally found an alarm company with an outsourced guard response solution to be less reliable than a company that owns and maintains its own guard response teams. In Las Vegas, as it is in many cities, the police are not the first responder to an intrusion alarm for a private commercial business or a home. There are exceptions of course: 911 panic alarm, fire alarm, banks, etc. For the most part the first responder will be the guard from the alarm company. Do some research here and look into the “professionalism” of the guards. Is there a required training program in place? Or, after a cursory background check, is the new hire given a cool uniform and, heaven forbid, permitted to carry a firearm?

This last statement does require that I interject a personal experience to better express my concern. In many cases I am personally listed for some of my clients as a contact in the event of an intrusion alarm. Such was the case with one customer where I was contacted on a Sunday morning and notified that an IR (Infrared) motion detector had been activated in the kitchen hall. As I had a complete knowledge of the building in question, I knew this intrusion must have required a window breach and might be serious. I asked that the guard be dispatched and I headed out myself. I arrived on site, parking up the street a bit, and walked into the back parking lot. I immediately noticed the kitchen area window was open and the horizontal blind was blowing in and out because of the very strong wind. I stood for a moment and then heard “pssst” from behind me. I turned to look and there was a guard standing behind the corner of the block wall with his handgun drawn, pointing it at the open window. Of course I immediately put myself on the other side of that guard and his shaky gun. I inquired, “Have you called the police?” He had not, as he was waiting on instructions from the monitoring facility and for me to arrive and approve the call.

As it turned out, an employee had left the kitchen window open and the very high wind blew the blinds causing enough movement to trip the infrared motion detector in the corner of the room. I have more interesting tales regarding things that go bump in the night causing a false alarm in my discussion of the technology in Part 3.

In summary, ask for references and do check the references provided. Ask others who they use and check that reference. Make sure the alarm company can respond quickly and professionally to an intrusion alarm. The company should have technology that fits your business and, in my case, personal requirement. Don’t be oversold! Accept responsibility for securing your assets and employ a layered approach. It is important to understand that the intrusion and detection system is a deterrent and simply another layer in your physical security policy.

WiFi Internet at Home

I thought it might be useful to discuss and clarify comments made during the 60 Minutes piece regarding credit card transactions made online and the level of security provided.  The statement that shopping online is more secure should not be taken as a blanket approval for doing business online.  Let’s break things down a bit to gain a better understanding of the process so we don’t end up with a false sense of security.

We need to start with that infamous WiFi device that started this discussion.  The same security issues discussed by 60 Minutes also apply to our home WiFi system.  You can bet “War Driving” is not limited to the commercial industry alone.  The connection between the home computer and the WiFi router is where we start the process of making our shopping experience as secure as possible.

All WiFi routers that I have come in contact with in the past two or three years support WPA and WPA2 with PKA (Public Key Access) or AES (Asynchronous Encryption Service).  Today I find many have a very nice installation application to guide the user toward a more secure install.  How secure?  Let’s dig into that a bit and sort out some of the “acronym soup” in the process.

For a refresher on WEP (Wired Equivalent Privacy) visit http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy

For a refresher on WPA and WPA2 (WiFi Protected Access) http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access

We have obviously worn out the fact that WEP is not the way to go.  Unfortunately there are some older WiFi routers and adapters that only support WEP, typically older than three or four years.  It is time to replace the old router or access point with a new model.  The computer is another story and obviously it is not necessary to toss out the laptop or home PC in order to use newer WiFi security protocols.  If the computer has available USB ports I recommend disabling the built-in WiFi adapter and using an external USB WiFi adapter that does support WPA.  There are several good USB WiFi adapters on the market for less than $100.

Now that we have all the right parts let’s get back into acronyms for a while.  The commercial environment differs somewhat from the home environment because WiFi is typically deployed to support a large number of users and over a wider geographic area.  A competent professional deploying WiFi with WPA or WPA2 in the commercial environment would typically use an authentication service or server to distribute secure keys to authenticated users.  A less secure but effective method for the home user is the Pre-Shared Key (PSK).  This method employs a passphrase that is incorporated in the router configuration and then supplied to the user.  The passphrase is entered as part of the client side connection configuration on the computer.  That passphrase is used in the authentication process after the connection to the WiFi device has been established.

It is important to use a passphrase that is long enough and sufficiently complex, something a bit more than “mysecret”.   The passphrase can be between 8 and 64 characters long so don’t be shy. 

usingapassphrasethatis64characterslongmakesithardtocracksoitsgood

Obviously the passphrase above is a bit more difficult to break but not something one could easily remember.  Let’s try something that uses a long easy to remember phrase or statement that we encrypt using our own key.  For example let’s use “thisismysecretphrase”.  Now we create our own cryptographic key as follows:

  • Every third letter is UPPERCASE
  • S-s = $
  • A-a=@
  • I-i=1

Now using our key our passphrase becomes th1$1$my$ecRetPl@Ce.  Just create your key and keep that in a safe place.  Use a phrase that is easy to remember and encrypt it using your key.  One would need to know both sides of the puzzle in order to compromise the passphrase, e.g. the key and the passphrase.
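An added example (not code from the original post) that applies the substitution key above and then derives the 256-bit key that a WPA/WPA2-PSK router and client compute from the resulting passphrase and the network name. The function names and the network name HomeNet-example are assumptions; the printed result th1$1$my$ecRetPl@Ce is what these rules give for the phrase thisismysecretplace. The standard takes 8 to 63 printable ASCII characters as a passphrase and reads a 64-character hexadecimal entry as the key itself.

```python
import hashlib
import string

# The personal "key" from the post: letter -> symbol substitutions.
SUBSTITUTIONS = {"s": "$", "a": "@", "i": "1"}


def apply_personal_key(phrase: str) -> str:
    """Substitute s/a/i, and uppercase every third character that is
    still a letter (positions are counted from 1)."""
    out = []
    for pos, ch in enumerate(phrase.lower(), start=1):
        if ch in SUBSTITUTIONS:
            out.append(SUBSTITUTIONS[ch])
        elif pos % 3 == 0:
            out.append(ch.upper())
        else:
            out.append(ch)
    return "".join(out)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit key WPA/WPA2-PSK derives from a passphrase."""
    # A 64-character entry of hex digits is the raw key, not a passphrase.
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    # PBKDF2-HMAC-SHA1, network name as salt, 4096 rounds, 32-byte output.
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    ssid = "HomeNet-example"  # constructed network name
    secret = apply_personal_key("thisismysecretplace")
    print(secret)
    print(wpa_psk(secret, ssid).hex())
    # Same passphrase, different network name: a different key.
    print(wpa_psk(secret, "OtherNet-example").hex())
```

Because the network name is the salt, changing the router's default name changes the derived key even when the passphrase stays the same.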

Now that we have been over the WEP, WPA, WPA2, and PSK we will need to add one more acronym to our list, MAC or Media Access Control.  It is also possible to configure your WiFi router so that it will only accept a connection from your computer alone.  This is accomplished by letting the router know the MAC address of your WiFi network adapter.  We don’t want to go off the technical deep end here so simply put, the MAC address is a unique “serial number” for a network card and it is typically displayed in hexadecimal format as follows:

01:23:45:67:89:ab

The first section of the address identifies the manufacturer of the card, e.g. Intel, 3Com, etc.  In the example that would be 01:23:45.  A common MAC identifier for a 3Com card is 02:60:8C.  The second half of the number is the unique sequence of numbers, in this case 67:89:ab.  Both numbers are combined to comprise the MAC address.  So, like fingerprints, no two MAC addresses are supposed to be alike.  If we identify our computer to our router using our MAC address it will add another layer to our home security solution.  Now we have authentication security via WPA-PSK and using the MAC address we limit which computers our router will communicate with.
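An added example (not from the original post) of the address handling described above: it splits a MAC address into its manufacturer prefix and device-specific half, reads the two flag bits in the first octet, and compares an address against a router-style allow list regardless of how it was typed. The function names and the allow-list entry are assumptions; note that the post's sample prefix 01:23:45 has the group (multicast) bit set, which an adapter's own address never does.

```python
import re


def normalize_mac(text: str) -> str:
    """Return a MAC address as lowercase aa:bb:cc:dd:ee:ff.

    Accepts the common written forms (colons, hyphens, dotted groups).
    """
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def describe_mac(text: str) -> dict:
    """Split an address into manufacturer prefix and device part, and
    decode the two flag bits carried in the first octet."""
    mac = normalize_mac(text)
    first_octet = int(mac[:2], 16)
    return {
        "mac": mac,
        "oui": mac[:8],        # first three octets: manufacturer
        "device": mac[9:],     # last three octets: per-card sequence
        "multicast": bool(first_octet & 0x01),
        # Set when the address was assigned locally rather than drawn
        # from a manufacturer's globally unique block.
        "locally_administered": bool(first_octet & 0x02),
    }


def is_allowed(candidate: str, allow_list: list) -> bool:
    """Router-style filter: compare addresses in normalized form so
    01-23-45-67-89-AB and 0123.4567.89ab match the same entry."""
    allowed = {normalize_mac(entry) for entry in allow_list}
    return normalize_mac(candidate) in allowed


if __name__ == "__main__":
    allow_list = ["01:23:45:67:89:ab"]  # constructed entry, from the post's sample
    print(describe_mac("01:23:45:67:89:ab"))
    print(describe_mac("02-60-8C-00-00-01"))  # constructed device half
    print(is_allowed("0123.4567.89AB", allow_list))
```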

Now our online transaction is more secure from the War Driver or eavesdropping.  The next step must be to make certain our connection during any login or transaction on the website is secure.  Your browser should let you know if the connection has been secured via SSL (Secure Socket Layer) but you will need to pay attention.  Internet Explorer 7 indicates a secure connection by showing a little padlock at the top right after the URL.  Firefox has the same padlock icon and it also turns the URL space yellow to indicate a secure connection has been established.  You should also notice that the URL should start with HTTPS and not HTTP.  It is important that the secure HTTPS connection be in place starting with the login process.  Without the secure browser connection the user and password information are being transported “in the clear”.

You will find I continue to refer to a security solution as “layered”.  There is of course no such thing as an absolutely secure system.  The layered approach presents obstacles that must be overcome to gain access to a trusted system or service.  For the most part these obstacles are transparent to the authorized user once they are deployed.  Everything discussed here, the WPA-PSK and MAC identification, are incorporated into the computer and the router as part of the configuration process.  The unauthorized user will need to work a bit to obtain information necessary to gain access.  It is equally important to consider good security practice at home and in the workplace.

The Alarm System - Part 1

I wanted to start with Physical Security because I believe it is something we can all wrap ourselves around.  We all make an effort to keep ourselves and those close to us safe and secure.  As business owners, executives, and managers we understand our first responsibility is the safety and security of our people.

I have had the personal misfortune of being the victim of several burglaries over the years.  The only thing positive about the experience is that I take something away that has been beneficial in the development and deployment of physical security solutions for my clients.  Burglars range from the meek to the very bold and from amateur to very experienced.

In one instance I arrived at my place of business in the morning to find the front door lying on the sidewalk and the interior completely trashed.  My new IBM PS2 Model 80 had vanished along with other hardware and believe it or not, a case of bathroom tissue.  I’m talking the BIG Costco bale of bathroom tissue!  Perhaps they needed some packing for my Model 80?

Another time I arrived (same office) at the office and opened the door to find the alarm was not beeping and begging to be disarmed.  It quickly became apparent that the burglar had broken in through the back door and taken an ax to the bundle of cable running out of my alarm box.  This was before radio or cellular backup so the alarm company had no indication of a problem because the phone line had been cut.  But wait, there’s more!  As I was calling the local constabulary I reached over to switch on my desktop and found it was unable to find any server.  I looked across the room and I could see the server but it did seem strangely quiet.  After finishing up with the police on the phone I went over and things were certainly very quiet.  I opened up the server and NO MOTHERBOARD. 

Needless to say, in this case the best resolution to these frequent burglaries was to relocate, which I did.  It also helped me to start thinking a bit like a burglar, much to the dismay of my local alarm professional.  For the next alarm installation I had the lad install the control box on the wall above the suspended ceiling and asked him to place the siren at the other end of the room, also above the ceiling tiles.  It occurred to me that the creeps were coming in and they could obviously find everything by just following the beep or siren.  I also had the technician set the disarm delay to just 20 seconds.  Just my idea of a layered approach and gladly I was not presented with an opportunity to prove the deterrent effect. 

In the posting to follow I will drill down a bit into the pieces and parts that comprise a modern alarm system and hopefully provide some insight that may help with the selection and deployment process.

Welcome!

After watching a 60 Minutes episode on Sunday I decided to get up off it and get things started.  The piece was called High-Tech Heist and after watching I sat down and emailed the link to my clients and associates.  The focus of the piece was the use of WiFi technologies in today’s retail industry.  Many do not realize that a credit card transaction at a retail store travels over the airwaves and not through a wire to the host system.  Even more disconcerting is the fact that the routers and access points used to transmit and receive the transaction data are using WEP (Wired Equivalent Protocol) that can be easily cracked, some say in minutes.  According to MSNBC, the recent T.J. Maxx hack resulted in the theft of 45.7 million credit and debit cards.

WEP (Wired Equivalent Protocol) was part of the IEEE 802.11 standard ratified in 1999.  WEP was superseded by WiFi Protected Access (WPA) in 2003 and was followed by the 802.11i standard in 2004 (WPA2). - Wikipedia

In my view, irresponsible does not even come close.  We trust these retail outlets to maintain the confidentiality of our sensitive information and clearly many seem to have failed.  Because of the 60 Minutes piece more of the public may now understand the risk and we, the consumer, must accept responsibility because clearly the retail industry has fallen short.

Carry a credit card from a bank that offers protection against credit card fraud and identity theft.  Avoid using a debit card unless the bank offers some of the same fraud and identity theft protection.  At a minimum, set the debit card with a daily limit on withdrawal so it will not be possible for a thief to empty your bank account.  And for goodness sake, stay away from the RFID (Radio Frequency ID) cards or “quick pass”.  These little fellows transmit at 125 KHz, 134 KHz and 13.56 MHz and they can be activated and scanned by a reasonably clever thief with equipment readily available on the Internet.