We need to distribute data of every kind across the widest possible law enforcement network in a collaborative manner

The Eiffel tower illuminated with colours of the French national flag on November 16

Let’s say it up front: The physical security sector has limited solutions to address events like those in Paris on the 13th November. The series of coordinated terrorist attacks consisted of mass shootings, suicide bombings, and hostage-taking in which 129 people died. Among the dead were 89 people at the Bataclan theatre where American band Eagles of Death Metal was playing at the time to an audience of around 1,500.

But we can take our cue from President Obama, who has just announced that the United States will not only share more information with its allies but will do so more quickly and across more channels.

If anything can be learned from Friday 13th it’s that we need to distribute data of every kind (video footage from both public and private sectors, access control reports, and biometrics) across the widest possible law enforcement network in a collaborative manner. We already have physical security information management (PSIM), and we are making strides towards smart cities, the Internet of Things and Big Data that is easily retrieved and analysed. Public perception may be that we are already more cohesive than we actually are.

Vigilant guarding and biometric scrutiny

Three of the terrorists detonated suicide vests either on the perimeter or very close to the 80,000-capacity Stade de France in the north of the city. (A stadium wall is currently pockmarked with the imprint of ball bearings.)

Whatever our technological advances, it should be remembered that one of the terrorists seeking entry to the game was detected by a vigilant steward conducting a body frisk. Manned guarding of the highest order is perhaps still our greatest safeguard and should never be underestimated by legislators or eclipsed by technology companies with large marketing budgets. A terrorist scare at the German team’s hotel on the same morning occurred in error but was the result of staff showing diligence and alertness.

The possible consequences of reports that a forged Syrian passport was found at the sports stadium are enormous. Still more incendiary is the probability that the jihadist entered Europe from Syria and used the forged ID to buy ferry tickets while posing as a refugee. But all this is for the politicians. In the security community, our responsibility is to ensure that biometric scrutiny of passports at a small island off the Greek coast is as rigorous and sophisticated as checking at airports such as Ben Gurion and John F. Kennedy International.

Expectations of technology

We should not only avoid apportioning blame but are duty-bound to ensure that the public has realistic expectations of our technology. Anne Hidalgo, the mayor of Paris, could install as many 16-megapixel cameras in the Place de la Concorde as there are figures around the famous fountains; the city would still not be protected even against known suspects since automated facial recognition remains the stuff of science fiction.

That said, the attacks can only result in the installation of more cameras and greater public acceptance of them. To date, cameras in Paris have been used more for enforcement of traffic regulations than surveillance of pedestrians, with sensitivity about civil liberties being acute and entrenched. (The French have also tended to be sceptical about the effectiveness of video analytics.)

Protecting vulnerable venues and events

French security administrators should focus on known future challenges and not impute failings to specific policing or civil service sectors either in France or neighbouring countries. The most immediate challenge is next year’s European football championships (UEFA Euro 2016) which will be held in 10 French cities with the final (inevitably) slated for the Stade de France. Security in stadiums (as was shown earlier this month) generally works well, and the risk is more to street gatherings and celebrations where there are no fixed entrance points. Of course Euro 2016 will see large informal gatherings of fans in public squares prior to games.

Crowds lit candles outside the Bataclan theatre in tribute to the victims

Concert halls such as the Bataclan (where there is ticketing but no turnstiles) are likely to prove vulnerable, and it was here that the terrorists proved most lethal, killing over 89 people with automatic rifles and explosives. An arts venue can’t be a fortress, but we are surely close to a situation where attending any event in a large venue will involve producing photographic ID. And would it be such an enormous infringement of my human rights that the credit card with which I bought a ticket for a concert this morning should be linked to my passport number?

Need for communication and shared data

There is surely scope for security authorities to work with Twitter in order to create officially sanctioned hashtags in emergency situations. With the Paris transport system frozen, much was achieved with an unofficial #PorteOuverte hashtag as inner-city residents simply opened their doors to strangers and in many cases almost literally pulled people out of harm’s way into their homes. 

None of this came out of a clear blue sky. François Heisbourg, a French security expert from the International Institute for Strategic Studies, gave an immediate interview saying: “We were expecting something big but not like this and not this sophisticated. The background noise [‘chatter’] was getting very disturbing.” But chatter rarely gives specifics, and the threat could have been to any part of mainland Europe. As I write, the focus has turned to Belgium and an impoverished suburb of Brussels which may now be the hideout of the one gunman to survive the shootings. The search for Salah Abdeslam is probably the biggest manhunt in European history and is certainly involving the most intensive use of technology.

Just as the threat is evolving, with jihadists showing an increasing level of preparation and determination to inflict mass casualties in coordinated actions, the physical security sector needs to communicate with police and legislators to illustrate the sophistication of cameras, access control and perimeter protection (which can now be deployed effectively on a temporary basis for one-off events). But the greatest mistake (and irresponsible conduct) in the face of continuing threats would be for security vendors to oversell their offerings.

Author profile

Jeremy Malies European Correspondent, SourceSecurity.com

Jeremy Malies is a veteran marketeer and writer specialising in the physical security sector which he has covered for 20 years. He has specific interests in video analytics, video management, perimeter intrusion and access control.
