 Think Tech Hawaii, civil engagement lives here. Hey, Aloha everybody, and welcome to the Think Tech Studios. This is another episode of Security Matters, Hawaii. I'm your host, Andrew Lanning, the security guy. And I've got Mike Gonzalez in the house today. And we're going to be talking about defense in depth. This is a security principle that all of you should be familiar with if you're involved in security for your facilities. And Mike, I want to start with one question first of all. Thanks for coming in, brother. Good to see you in the studio. We're trying to get you in here for years. What keeps you up at night, man? Keeps me up at night. I think it would be the Internet of Things. That keeps me up at night. There's a lot of people connecting all kinds of things to the Internet, and they all have questionable security on them for the most part, especially when they first come out. So, you know, translate that into our realm in the security world, right? We have all these IP-based devices that are out on the edge of these facilities, fences on the side of walls, outside of a building, something like that. All of that stuff can be leveraged to break into a company's network and do all kinds of badness, right? Which is ironic, because the whole point of it is to stop that kind of thing. But that's the stuff that people are going for. It's like we're fighting to secure it, and they're fighting to open it up. I don't understand. Wow. So you've been in security a long time, man. A long time practitioner with a lot of skills. Give ours a sense of your background, as much as you want to tell anyway. You don't have to give away the farm. Well, I joined the Army when I was 17. Thank you for your service. Thank you. Oddly enough, my military service had absolutely nothing to do with what I do these days. But it did create a very good baseline of skills that were useful later, right? So I was in the infantry. Veteran Operation Iraqi Freedom. I got out of the military in 2006 and went to work in security as I was going to college. And one thing led to another, and all of a sudden, now I have a security career. I decided to do that rather than what I was actually going to school for. Isn't that interesting how people, so many people in our industry, and we talk about this a lot, industry-wide, like no one grew up going, I'm going to be in the security industry. No one knows about our industry until they fall in it. But once you fall in it, like protecting lives and property is kind of not a responsibility, but it's a good job. It makes you feel good at the end of the day about what you do. So we don't leave. It becomes a career. It kind of gets stuck in it. It kind of plays into the same reasons I joined the Army, right? If I'm going to spend my time doing something, I want to spend my time doing something that's useful because it's helpful and I can see the usefulness immediately. You know what I mean? Like I can see the results of what I'm doing. Yeah, it's great work. So when we start off with security and people say, I got a problem and we show up, where's the first thing we look around the perimeter? So defense in depth, we're going to dig into that. We're going to start at the perimeter. And I really like to teach my team, and I'm also a military background. That's what the military does. You know, we have fence lines and we have guards on the fence lines and gates. The military can really afford to extend its security on out to that perimeter, where a lot of commercial security doesn't get that. And we'll get into that a little bit. I like my team from the commercial space to actually even cruise around the neighborhood, you know, the adjoining streets. You know, how far away is the police station? How far away is the fire station? What other type of businesses are operating in that area? Are they open 24-7 or are they closed? Are there any adjacent buildings? Are there any abandoned buildings? Are there any nest of problems? Once you get a feel for the sort of environment that places in, now you're at the fence line. And what's your experience with fence lines? I mean, some don't exist by the way. I don't even know if the people want to put up a fence. They just invite you right on the property. Come on in. Fence lines in my experience are kind of like a speed bump in a parking lot. You want to get over it or through it, you're going to get through it. videos of my properties at my workplace people getting over an 8-foot fence with triple-strand barb row on the top in less than 10 seconds sure yeah I mean no problem throw the carpet over yeah I've seen the seal teams yeah I think they take about two seconds those guys depending on what you're trying to do you know the fence lines aren't in offenses and barbed wire and things of that nature an important part of defense in depth but they're not the end-all be all when it comes to security right I mean it's just it's something that you should do but it's not where you stop yeah I like the speed bump idea too because at least we're starting to buy some time you know and at the perimeter you know we're really trying to set up our our first level of detection which starts our clock count for our response so we have seen some folks laying you know we've had leaky coax we've had an induction type systems fiber in the ground so we can get outside of that a little bit seen some of that with some video folks trying to work you know on the outside videos been a sort of a problematic issue for our industry over the years we've gotten better what are kind of things do you see a kind of just outside the fence line have you have you had experience with maybe radar or some of these other newer technologies that have you know become you know a little more palatable to the commercial space absolutely when you're looking at perimeter defenses you want to look at something that's going to do what you need to do consistently and it's going to work on the day you needed to work right and also taking into account like the total cost of ownership of that particular system right you building a building out a system where you fully understand how much it's going to cost to keep it alive and you're committed to that and it's part of your your overall strategy right maintenance or maintenance people that's a big one so there are all kinds of things you can do out in the perimeter you can have a whether you have a fence or not you can do these things you can have buried buried sensors that are in the ground their wireless I've seen that that can detect footsteps that can detect gunfire vehicle traffic you can integrate those with camera systems where when it detects that traffic a camera in the nearby vicinity can take a look and appear automatically in an operation center for example okay there's things like ground tracking radars that and they're becoming very inexpensive these days I know access just came out with one there is quite a few on the market right now that are in like the you know 50 to 100 meter range and what that's going to do a short throw yeah location sure so yeah so it's short throw radars actually once we pick it up it gives the exact GPS coordinates to the camera so the camera bam is right on the target and it's pretty smart because you can program that devices exact GPS coordinate while also integrating camera systems programming their GPS coordinates and they have handoff ability and there's a when there's a detection that cameras need to see it will determine which camera is closest in which camera can see it based on any program that you're done and it appears so it's kind of looks like magic to the to the non-tech people you know me that's like I see a sensor boom all and then your operator all he gets is the image because he needs to decide quickly what's the response guys with guns you don't want to send guys without guns that's a good point oh and so yeah so it or is it a goat or you know why we don't have too many mammals right so it's not we don't have that I guess we have some deer on some of the outer islands but here it's pig usually a pig or a dog and glad to be part of this gunfire detection is also very important when we're talking about perimeter defenses right depending on what your venue is you know what kind of facility it is and what you're concerned about I mean gunfire detection might be something you want to do those things you can do there's audio analytics that can listen for gunfire there's also there's also a form of video analytic that can pick up the muzzle flashes out in the distance there's even sensors that can detect the pressure change of the of the round coming out of the barrel within a certain distance and catch that there's also indoor gunfire detection systems that I've seen that are really great there's this there's this product from Ambox that I saw recently that that is a indoor gunfire detection system for you know other with layers of your of your perimeter within you know your building sure so you can quickly locate where a shooter may be if you got big wings or like a mall and it's tied directly with the police department so when that goes off it's already rolling a police response because the false alarm rate is zero so we can be assured that when it goes off it's for it's actually a gun yeah not a cap not a car backfiring not a in the audio analytics or what you mentioned are really interesting because I know we've deployed out of like an intercom so you have a device there that's already listening and they've taken some of those and built in analytics that can detect like gunfire so and gunshot you can hear from far away so not even when they're not maybe on your property if there's a gun fight nearby perhaps there could be damage to your facility from stray bullets maybe it's Pete gangsters shooting each other while they might damage your equipment is a good point you need to know that that's going on getting back to your point about going around the neighborhoods and looking at where abandoned buildings where the closest police department fire stations are that's also that's very important when you're doing like an assessment of a facility before you go out and build out any defense in depth or anything like that is deciding is understanding what you're working with right and if those issues are a problem in the neighborhood you're working in if there's if there's gang activity or gunfire happens you know even if it's just hunting or something like that and it's something you want to be aware of or just vandalism those are all things that you can identify in an assessment process and getting back to your point about sending the right person for the job that's why gunfire detection is very important because you don't want to send a technician or a guy with a hard hat out to solve a problem that should when you need the police or swat or whatever it may be getting that context is crucial because you know you're saving lives by doing this yeah it's an interesting a lot of people don't think that detectors you know they they give us a they let us know something's happening and we then we try to use the camera to maybe get some remote visibility so we can figure out how to respond and you know if you if you don't have full awareness for example if you zoom in very rapidly on one guy you can see wow he's not armed but if you don't have the larger picture the other three guys at the fence line are arms yeah they threw their buddy over you know whatever the context yeah that context is super critical for the response so we've took a little bit outside the perimeter once they hit the fence what kind of effective things have you seen to work like on so you can kind of tell you know wow I tripped a signal while now boom I got a fence signal someone's on my fence that's a that's a little different animal yeah it is and there's quite a few solutions out there that can do something like that there's a there's fiber that you can put in the fence that there's there's controllers that go around the fence line that shoots that light through the fiber and it can detect even the slightest change of how quickly it takes that light to get from one side to the other based on the deflection of somebody touching the fence when they jump on it exactly that's boom it bends the fiber just slightly and then there's an alarm you can do cut climb or any kind of tamper all those are integratable with camera systems too and why I keep getting back to that is that when we talk about perimeter security and and things love that nature it's important to also have some sort of video surveillance in there especially if you're doing a remote security operation oh yeah because you're going to have false alarms things that things happen like for example all of these different intrusion detection technologies out at the perimeter they all have their own inherent weaknesses right there are things that can set them off as a false alarm for example some of the some of the fence detectors that you see out there they have algorithms in there that say don't go off the first time something touches the fence wait till the third time because uh that's going to cut down significantly on false alarms but i don't know how many times a day i've seen at some of the facilities that i work with where birds land on the wire in quick succession and then boom that that algorithm is useless yeah because it's a song yeah it's a yeah so so that sort of thing is important to have video technology in place also so we can immediately see and understand that context and disregard that alarm and not get into the habit of just shutting it off because that's what we think it always is you know that never goes well for for people who have that sort of alarm fatigue right or in any control center that that taking care of false alarms is crucial if you want to make sure that your people are on it the day that you need them to be on it yeah that's it that's a real important especially for perimeter because perimeter in its nature is large so you know it's it's uh which we that's what you a lot of people will sort of surrender the perimeter and uh we're going to take a break in a little bit but we'll and so we'll get inside the perimeter after this but that that issue of perimeter extension you know and remember it's super valuable because as further out i can push detection the more time i have to respond absolutely and so that is depending on the asset and you brought up a really great point about getting your assessment done properly understanding what the risks are if you can't respond by the time they reach the more important assets on the inside or whatever it may be that is a critical component to even developing and deciding what type of perimeter security you might need to deploy what kind of false alarm rate could you live with which is actually should be about zero but you know you definitely want the capacity to you know have another type of technology confirmed for you what it is your sensor has detected right i've definitely seen good size pigs that could be the size of a small guy crawling and things like that so it's it the camera helps you really take a look and verify that so you're sort of responding to a verified alarm i tell you what we're going to do let's take a short break we're going to go pay some bills because you know this is such a well funded organization and we will be back in a minute and we'll get inside the perimeter okay hey baby that's you i want to know will you watch my show i hope you do it's on tuesdays at one o'clock and it's out of the comfort zone and i'll be your host r.e. kelly see you there hi my name is bill sharp host of asian review coming to you from hana lulu hawaii right here in the center of the pacific ocean asian review is the oldest of the 35 or so shows broadcast by think tech hawaii we've been in production since 2009 our goal is to provide you the viewer with information breaking information about events in asia asia being anything from hawaii west of pakistan from the russian far east south to australia and new zealand we hope to see you every monday afternoon at five p.m. hey welcome back to the think tech studio i'm andre the security guy this is security matters we're talking with mike and zealous and we're talking about defense in depth now we've been talking a little bit about perimeter the final thing i think we wanted to mention was a little bit of sort of dual factor detection out there on the perimeter so what have you seen in that this is a little newer to the industry but what have you what have you played with there well there's things on the fence that you that can set off false alarms in addition to wildlife right the building in the sway of the fence before you in the wind put any sensors on you want to make sure that it's not swaying and if it is you want to make sure that your your your sensor is adjustable to where you can build that in i've seen because that's an obvious problem especially with people who have hundreds and hundreds of facilities that these these systems are all out at i've seen new systems being developed that have a traditional intrusion detection system like i mentioned but it also has a built-in passive infrared sensor on every single one of those sensors along the fence and what it's doing is it's not only feeling for cut climb and tamper it's looking directly on the other side of the fence line for about three or four feet looking for motion so if it doesn't detect motion on the outside of the fence directly across from where that the sensor that's going off it's not going to set off so it's like a dual technology exactly and it's also if it's ir looking for heat as well right so exactly could could be to some bird's land while an animal standing there but by and large you're still going to get a lot less falsing which is exactly an industry it's a really one of those things that the you know the residential alarm industry struggle with perimeter has always been especially if you can think about large facilities or you know center around maybe critical infrastructure like a think about a refinery some refineries are just square miles yes and so you know if you get 20 miles of fence on military bases are the same way very difficult to cover all of that I spent even a guard force is sort of in cable they're left to just responding I think we're all praying for the day we can dispatch a drone real quick to take a look you know on those big facilities and someday I think the the FAA might allow that that's in the works or a little ways out in the works so once you get let's talk a little bit about getting people through the perimeter so we have you know service workers we have onsite staff we have a lot of people that actually need to get in the facility to do something typically we're going to see some sort of access control out there maybe single-factor maybe multi-factor what do you what do you like to know about your people when they're going you like them scheduled unscheduled talk about that a little bit you know about those arrivals at your gate it really just depends on how through the course of that threatened vulnerability assessment that we talked about earlier is deciding what that facility does how important it is to you and what's your business continuity plan for example if that facility is localized or something like that right so those are all important things to understand before you develop any kind of access control scheme right is to understand how your facility works on a normal basis and try to design something around that you know so it doesn't disrupt your entire business so you can do things like try to avoid i like to try to avoid anyway key control problems you know every time somebody leaves the company or leaves the organization or loses a key for example especially if that key has a key ring with the address of the building on it for example ouch you know what i mean that happens a lot so card readers are an important function you know for access control there is quite a few different kinds of card readers there's very simple ones that are just key fobs that don't do anything really most people will be familiar with them for their condos to get out of the parking lot something like that the exact same technology can be applied to to an actual id card and it's important for any organization to have id cards for their personnel on their property because that's the quickest way for a security personnel to understand who belongs and who doesn't belong and that applies to visitors as well you know badging visitors and they're walking in with the visitors badge making it clear that they've passed their security before they ended up wherever you see them in your in your facility right so card readers cards can be lost too right cards id cards can be lost access lot cards can be lost and somebody could pick it up and it has your company's name on it probably right so if that's a concern and and that's a concern you can't live with then you can go to dual factor authentication for for card reader technology and what that does there's quite a few different kinds right there's a you can scan your card and type in a pin for example and that keeps anybody something you know right so it's known only to you yep only to you or what i like about those also is that if you're under duress for those dual factor ones you can swipe your card and maybe type in your pin backwards or add a nine at the end or something like that and it can alert the security center and pull up the cameras and yeah everybody knows that you're being forced through this door and for our audience who may not understand what duress is perhaps someone's coerced you has a perhaps a gun to your head or is kidnapped someone someone in your family and all these things have occurred and is forcing you to access the facility so what you can do in the instance that Mike's talking about is present your card and then when you go to put in your code let's just say for example i hope it never is your codes one two three four you could put in four three two one or you could put in one two three five and what that does is it's going to allow you in everything looks normal to the guy who's watching you who has you under duress but it's going to alert the center that there's a problem so that's that's what duress alarm that's quite a bit different from the other types of alarms we talk about right thanks for that so then there's uh there's also things like biometrics right there's a thumb prints or fingerprint readers that that have cards with cards why there's also facial recognition which i use pretty extensively and awesome i like that a lot i they walk up and they scan their badge and by the time they scan their badge the reader has already seen their face and compared it against their enrollment picture and they're all good they walk right in and it's updating it updates the then it takes the newest picture also right i guess it takes that and updates it so as you're changing you know my uh sometimes i have a goatee sometimes a beard you know sometimes i have hair no i don't we have people like a lot of people at my company they have fun trying to fool it and oh yeah it's fun to watch how do they do it's unlikely you know awesome um they try to wear a mask it's like no that's not gonna work yeah it's they wear a mask like you know that's not like sorry the way the technology works is taking hundreds and hundreds of measurements are out of your face right like how far your eyes are apart how wide your mouth is where your ears are located all that stuff and that's all stuff that's pretty much impossible to fake right so yeah i love i love the biometric you know we have facilities that use all three of that you've mentioned so far you know something you have which is your credential something you know which is your pen and something that you are which is your biometric and oftentimes we see facilities you know that slows people down so it's a little inconvenient to do them all all the time but perhaps during the work day we're only asking for one maybe as you get closer to an asset like the data center we may ask for two but after hours you know after from four from four p.m. until eight a.m. the next morning you're going to use all three if you're here so that kind of an idea that kind of programming scheme is important right because you have various people within your company or within your organization that do different jobs right some of them have 24-hour jobs some of them don't some of them are contractors maybe temp workers that sort of thing and you want to give them varying levels of access depending on what they what their job is one of the mistakes that i see a lot of people make when they put access control systems in place is they don't want to deal with the management of it yes so they just give everybody access to everything on the system and whether it's whether it's dual factor or not right and that gets into the realm of insider threat right when we talk about perimeter defense we're thinking keep the bad guys out of her facilities well what about the wolf and sheep clothing kind of guy right so that's the kind of situation where you want to segment your your access control system to where it's based on on roles what your role is in the organization and that's something that is done at a very high level you know between the security department and the leadership of the organization is to decide what are all these roles in the company what do these roles require access to and how can we create a scheme that whenever there's a change of personnel status do change roles or whatever we can immediately match that in the security system and that does a lot of things it keeps people from wandering into the data center for example throwing it throwing in a usb stick into a server and now all of a sudden you're you know you're you're got a lock on all you got encryption on all your stuff you know what I mean you got a ransomware for example sure that's a bad one or let's say for example just the like just regular theft right like theft of of pieces of equipment or information or information or whatever right so these are all things to be aware of obviously we trust the people that we work with we need to you know we're all on the same team but it's really not about that it's about it's about being proactive and prudent and and taking an all hazards approach right like uh to security sure we're looking on the outside but we're also looking on the inside because if you have a strategy that stops at your perimeter and you assume everybody from your perimeter inward is trust and welcome it's going to be a problem it's risky yeah I like the I like the least sort of the the least amount of authority that is needed for them to do their job you know you may have employees who perhaps because of the way that they work or their criticality they'll require 24-hour access but boy I hope that's very few people in an organization and then obviously subcontractors you may have some trusted subcontractors you know we're cleared contractors for DOD for example so some places we're allowed to go without escorts still there are other places where we we're always going to be escorted I'm I'm thinking there's I don't go to these places but I'm sure there's nuclear facilities on the mainland that there's two or three people escorting every person just to make sure nobody goes crazy you gotta do a background check every 500 feet so there's there's that piece and then the you know but the the layering out of your staff right because the ability to detect just that someone trying to go somewhere where they're not authorized to go now maybe that's negligent maybe they oh forgot or oh they knew it ended at 4 and it's 4 10 and they weren't paying attention but those are the kind of things that we all need to know as managers of our facility and pushing that that incident out to the perimeter helps us gain some time to talk to that person see what's going on so I'm glad you mentioned great points there's uh to that to that point there is that identifying risky behavior is important as he said for security managers but it's also critically important for security managers to talk to their IT people or their IT security people and understand who's uh having those risky behaviors on the cyber side as well going to questionable websites opening up questionable attachments because those those kind of behaviors all lead to the same sort of problems right and to identify those kind of people and and take them aside and give them a little bit training training trying to try to understand they get them to understand why this is problematic right but the uh getting back to segmentation of the access control system it also gets back to uh things like active shooter prevention right so uh having having nobody except maybe the security people and the president of the company for example those are the only people that can move freely throughout the facility and scan everywhere and everybody else is segmented that could drastically reduce your risk for that sort of thing sure uh combined with physical barriers and ways to reinforce doors and things like that so those are all things to think about when when you're building this out yeah that um so kind of the other point you brought that I thought we really didn't mention was of the wearing of the badge so what what happens is we gain some perimeter assurance if if I'm just outside in the parking lot and I see that you know someone's out there and they have the badge on and I know it gives me some comfort that they belong there you know humans are sort of detectors for visual things and so the wearing of a badge because a lot of people for some reason they don't like it or they'd be either white I think it's a great thing to push awareness outside the building for people who are walking around it gives away for me to understand that they belong there now maybe they took it off the ground or whatever it should be reported but at least I've got some way of knowing that these people have been are authorized on the facility and they may be inside my fence line maybe the parking lots outside the fence line this is amazing we got through perimeter and we've run out of time so what I'm gonna have to do is get you back in here and I know you're a busy guy it may be a while but I promise we'll get Mike back in for some more defense in depth really appreciate you sharing your knowledge with us today in your experience we're going to be at the Pacific club next Tuesday for symposium for a safer Hawaii join us there if you want another dose of security and we'll be back here next Friday on security matters so thanks for joining us on the think tech studios think tech Hawaii studio we'll see you soon be safe because security matters