February / March 2020
New Zealand Security Magazine
Expert view: AI and the detection of insurance claim fraud
Cara Carpenter of ISACORP provides insights into the double-edged implications of emerging technologies for insurance fraud.
Seven key trends for the security industry in 2020
From multi-dimensional perception to cybersecurity, Hikvision shares its thinking on key trends that will affect the security industry in 2020 and beyond.
www.defsec.net.nz
SECURITY TECHNOLOGY RELIABILITY
your electromagnetic locking specialist!
Underpinned by 30 year's experience and service with integrity. Standard features include: • Field-selectable 12 & 24 VDC options • 550kg holding force • Slimline styling • Instant release • Stainless steel fitting hardware • Through hardened, polished stainless sex nut • Full protection against transients.
Options include: • Door Position Switch • End-to-end Magnetic Bond Sensor • Header extension angle bracket • Custom full width housings • Z/L brackets for inward opening doors • Frameless glass door brackets • Powder coated or anodised colours • Stainless indoor, outdoor and gate locks
GUARANTEE
Loktronic Limited Unit 7 19 Edwin Street Mt Eden Auckland P O Box 8329 Symonds Street Auckland 1150 New Zealand Ph 64 9 623 3919 Fax 64 9 623 3881 0800 FOR LOK mail@loktronic.co.nz www.loktronic.co.nz
GUARANTEE
*Standard terms & conditions of sale apply.
21066/1/18
For expert advice and assistance with your security locking needs, trust in Loktronic, call us on 0800 367 565
security security
The Complete Security Solution The Complete Security Solution Expand your offerings to cover intrusion from DSC, video from exacq and access from Expand yourcontrol offerings to kantech cover in one singlefrom solution. intrusion DSC, video from exacq and access control from kantech in one single solution.
INTRUSION VIDEO INTRUSION VIDEO
ACCESS ACCESS
For a total solution from a single trusted source Visit: tycosecurityproducts.com Call:solution +61 0499688921 +61 499 688 921 For a total from a single trusted source Email: bts-emea-tycosales@jci.com bill.sakellariou@jci.com Visit: tycosecurityproducts.com Call: + 64 (0) 27 272 1798 Email: chris.whiting@jci.com
Š 2019 Johnson Controls. All rights reserved.
Š 2019 Johnson Controls. All rights reserved.
The all-in-one integrated solution provides the best of video surveillance, intrusion detection and access control all from one single, trusted partner. You can deliver a full solution to yourall-in-one customersintegrated with ease solution and business owners and security The provides the best of video personnel canintrusion managedetection all aspects of access on-premises surveillance, and controlphysical all from security from a single interface kantech one single, trusted partner. You -can deliveroraexacq. full solution to your customers with ease and business owners and security personnel can manage all aspects of on-premises physical security from a single interface - kantech or exacq.
CONTENTS ISSN Print 1175-2149 ISSN Online 2537-8937
13
16
26
34
Contact Energy: Security that ensures everyone gets home safely..........................................................................................................................8 Data Breaches: An Australasian perspective...................................................................................................................................................................10 New Zealand restricts travel from China amid outbreak............................................................................................................................................13 Seven key trends for the security industry in 2020.......................................................................................................................................................14 New Zealand’s Arms Act Reform: The Buy-Back is not an end in itself..................................................................................................................16 Dahua Safe City Solution safeguards Brienon-sur-Armançon..................................................................................................................................18 NZSA CEO’s January Report..................................................................................................................................................................................................20 Security Training and Professional Development SIG..................................................................................................................................................23 The interview: Ngaire Kelaher, ASIS NZ Chapter Chair.................................................................................................................................................24 Smart home consumer privacy survey reveals unease................................................................................................................................................26 Seeking SMS Authentication Alternatives........................................................................................................................................................................28 How to use the attacker mentality for good...................................................................................................................................................................30 Gun buyback over, prohibited weapons remain...........................................................................................................................................................33 Expert view: AI and the detection of insurance claim fraud......................................................................................................................................34 Tsunami monitoring and detection system to be established.................................................................................................................................37
year 10 guarantee ENJOY a
*
20851
on Loktronic Indoor Electromagnetic Locks!
4
*Standard terms & conditions of sale apply.
Events...........................................................................................................................................................................................................................................38
Industry Associations
www.security.org.nz
www. asis.org.nz
www.masterlocksmiths.com.au
www.nzipi.org.nz
www.security-institute.org.nz
0800 367 565 www.loktronic.co.nz
www.skills.org.nz
February / March 2020
February / March 2020
NZSM
5
FROM THE EDITOR With ANZIIF’s 4th Insuretech Conference set to take place in February in Sydney, NZSM sits down with Cara Carpenter, National Case Manager at ISACORP Corporate & Insurance Risk Solutions, to gain insights into the double-edged implications of emerging technologies for insurance fraud. While tech is driving an increasingly automated customer experience in insurance, will automation lead to greater fraud? David Withers APP, Security Consultant and ASIS Shadow Committee member, looks at recent data breaches across government and banking, the challenges posed by security complacency and threats to two-factor authentication. In another article, we gain insight into the search for SMS multifactor authentication alternatives triggered by an FBI report. ASIS International’s New Zealand Chapter held its AGM last December, with incumbent Chair Andrew Thorburn making way for new Chair Ngaire Kelaher CPP PSP. Inside, I speak with Ngaire about her plans for the professional body for the next 12 months, the benefits of ASIS membership, and the value of ASIS Board Certifications. Emerging technologies and applications – such as multi-dimensional perception, UHD, low light imaging, artificial intelligence, and cloud technology – are opening new possibilities in the video surveillance space, and in its analysis of what to expect in 2020 and beyond Hikvision lists its top seven trends. With the government’s gun buyback scheme’s amnesty period now passed, Dr John Battersby of Massey University’s Centre for Defence and Security Studies makes a sober assessment of the efficacy of the gun buy-back scheme, arguing that a starting point should have included identifying gun owners posing a risk to society. With the uneasy relationship between security and privacy becoming increasingly, well, more uneasy, ADT in the US recently published findings of its survey of 1,230 consumers, which reveals significant concerns over smart home privacy. According to ADT, 92 percent of respondents feel smart home security companies need to take measures to protect customers’ personal data and information. We take a detailed look at the results. We also catch up on all the latest from the NZSA. In his latest update, CEO Gary Morrison talks NZSA member benefits, support for LSV Programme, Security Services Good Guidance document, Virtual Reality for CoA training, Review of Vocational Education, and more. And there’s plenty more in this first issue of NZSM for 2020! Get in touch to find out about how your business can benefit by being part of New Zealand’s premier security and risk management industry publication. And, if you’ve got something to write about, we’d like to hear from you! Nick Dynon Auckland
facebook.com/defsecmedia twitter.com/DefsecNZ linkedin.com/company/ defsec-media-limited Upcoming Issue April/May Government, Transport, Tourism, Access management, IT security threats
6
NZSM
Disclaimer: The information contained in this publication is given in good faith and has been derived from sources believed to be reliable and accurate. However, neither the publishers nor any person involved in the preparation of this publication accept any form of liability whatsoever for its contents including advertisements, editorials, opinions, advice or information or for any consequences from its use. Copyright: No article or part thereof may be reproduced without prior consent of the publisher.
NZSM New Zealand Security Magazine
Nick Dynon Chief Editor Nick has written for NZSM since 2013. He writes on all things security, but is particularly fascinated with the fault lines between security and privacy, and between individual, enterprise and national security. Prior to NZSM he clocked up over 20 years experience in various border security and military roles.
Contact Details: Nick Dynon, Chief Editor Phone: + 64 (0) 22 366 3691 Email: nick@defsec.net.nz Craig Flint, Publisher Phone: + 64 7 868 2703 Email: craig@defsec.net.nz Postal and delivery address: 27 West Crescent, Te Puru 3575, Thames, RD5, New Zealand
February / March 2020
R
HIKVISION 2nd GENERATION INDOOR STATION 8.6 mm
Ultra-slim design Friendly UI Design
Aerospace-grade aluminum
POE 7-inch IPS touch screen
Mobile App
Wi-Fi
POE
Distributed by
R
Hikvision New Zealand Ltd www.atlasgentech.co.nz orders@atlasgentech.co.nz
www.nfs.co.nz sales@nfs.co.nz
Unit 1B, 93-95 Ascot Avenue, Greenlane, Auckland 09 217 3127 salesnz@hikvision.com
https://www.hikvision.com.au
CASE STUDY
Contact Energy: Security that ensures everyone gets home safely According to Contact Energy, Gallagher Access Control Systems helps provide their staff with a safe and secure environment, making it quick and easy to account for each person on site and to respond to evacuations without delay.
With over 20 years of history, Contact Energy has built a flexible and largely renewable portfolio of electricity generation assets. Contact owns and operates 11 power stations, produces 80-85 percent of their electricity from renewable hydro and geothermal stations, and has natural gas and diesel fired power stations to help keep the lights on when renewable energy like hydro and wind plant can’t operate. Safety is a top priority at Contact. They strive for zero harm and place the wellbeing of their employees, contractors, customers, the public, and the communities in which they operate, front of mind in everything they do, so everyone gets home safely. Contact Energy has used Gallagher Access Control Systems for over 18 years. Originally, two of their generation sites had the system installed, and now all nine power stations, two corporate offices, and two call centres have the latest version, with further updates coming later in the year. It’s part of their commitment to provide all members of staff with a safe and secure work environment. Lee Paterson, Contact Energy’s Technical Lead says “the Gallagher system offers a huge range of safety features. The most critical one for us is how quickly it allows us to respond to an evacuation. Having a quick and easy process makes all the difference.”
8
NZSM
“It could take 20 minutes or more to locate everyone using a physical tag board, but with the system’s visitor management capability, we can account for every person on site within a few minutes and make sure everyone gets out of the site safely. We can’t afford to take the risk of not knowing where people are.” “We use this at a number of our sites. It’s easy to pre-register visitors and keep track of who’s on site. Our plan is to connect all our sites to the system.” “Another useful feature,” says Lee, “is being able to link access to competencies or qualifications. This adds an extra layer of safety as it ensures that only employees qualified to enter specific areas are granted access.” Contact is also using camera integration, which came in handy recently when someone jumped a fence at one of
their sites. The camera was able to show exactly where the breach was occurring. As a matter of course, cameras pan to the gate when someone badges their access card. This comes up on a screen at the Command Centre so security personnel can see who’s entering. Lee says that Contact appreciates how Gallagher updates the system regularly. “We’re looking forward to the next update so we can start using electronic tag boards, broadcast notifications, mobile access, and site plans. All of which will improve safety at our sites.” “We’re really happy with the service and support we receive from Gallagher. It’s exceptional. They’re committed to delivering best in class solutions, and keeping their customers up-to-date. It’s a great relationship where we’re working together to minimise risk and getting our people home safely.”
February / March 2020
INFOSEC
Data Breaches: An Australasian perspective In the first in series of articles, David Withers APP considers the current state of data breaches from an Australasian perspective. Subsequent articles will cover the international perspective, how to handle a breach, and how to avoid them.
The recently published Jefferies Identity Theft Resource Centre End of Year Report 2018 looked at worldwide trends between 2017 and 2018. They noted that whilst there was a reduction of breaches by 23 percent, the number of records exposed rose 126 percent from approximately 197 million to 446 million. Hacking is still the most common event causing data loss.
David Withers is a Security Consultant with experience in large CCTV installations. He has also worked for over 20 years in Quality Assurance. As a Shadow Committee member of the ASIS NZ Chapter, David establishes and supports Auckland-based ASIS certification study groups.
10
Whilst data breaches are well reported, other types of breach are equally as important. An incident could also result in violation of laws, people’s trust, or privacy. Ultimately, the fines and eroded trust often impact the organisation long after the event itself. This article will cover some recent examples. Challenges One of the big challenges for all security professionals in Australasia is getting buy-in for security investment.
With the phenomenon of security convergence becoming more widely recognised, the silos that have traditionally separated the Information, Physical, and Personnel security domains are fading away. Within the security multi-domain there are convergent risks and threats for which we require Governance, Compliance, Policies and Procedures, and security solutions. Organisations are now having to move to enterprise level wholistic security plans to avoid gaps in responses to these. Ironically, the relative safety of New Zealand and Australia doesn’t help. The 2019 Global Finance Magazine Safety Index has New Zealand as 10th safest in the world, with Australia close behind at 18th. The safety index considers the risk of natural disaster, crime, terrorism and war. A downside of this lower risk environment is that people settle on a laissez-faire attitude to security. An indifference to the risks and threats thus ultimately pervades all levels: Government, enterprise, SME, residential and personal security.
February / March 2020
NZ Government incidents 2019 has been a bad year for New Zealand Government departments and suppliers in terms of breaches. Simple security mistakes have led to serious data loss events. Many of these could have been avoided with better oversight, governance, and policies and procedures. Privacy breach on gun buy-back site Reported in early December 2019, this breach occurred after vendor SAP added a new security profile and incorrectly provisioned it to a group of 66 dealer users as a result of human error. This had not been authorised by police and gave dealers a higher level of access than approved, including access to information on all 70,000 fire-arm handin applications, including details of gun and owner bank account details. The problem was only discovered when one dealer reported the new level of access to police. The site was shut down immediately, and a manual process invoked. The number of records compromised is not known. NZ Budget leak on Treasury Website The national opposition were able to access a copy of the yet-to-be released Budget by simply searching the treasury website. It had been published on the site earlier than it should have been. Whilst technically not a breach, it was highly embarrassing for all involved. Tuia 250 The external web site of Tuia Encounters 250 national commemoration held data insecurely. On 25 August 2019 the Ministry for culture and heritage reported a breach involving the personal details of people who applied to the Tuia 250 Voyage Trainee programme, which included images of passports, driver’s licences, birth certificates and other forms of identification stored on the website. Information from investigators indicated that at least 370 documents had been compromised. “Our advice from our security investigators,” stated the Ministry, “is that this wasn’t a targeted attack on the website, but rather an opportunistic finding of information that wasn’t as secure as it should have been.” In the wake of the breach, Prime Minister Jacinda Ardern announced that the government would introduce mandatory requirements for certain agencies to procure all products and
February / March 2020
2019 a bad year for New Zealand Government departments and suppliers in terms of breaches
services from the list of approved providers on the ‘all-of-government ICT common capabilities list’ with immediate effect. Tu Ora Compass Health With their external web site hacked, Tu Ora Compass Health revealed in October 2019 a data breach resulting in the potential exposure of sensitive medical information belonging to one million individuals. “On 5 August, our website was attacked as part of a global cyber incident,” reported the organisation. “As soon as we became aware, our server was taken offline, we strengthened our I.T. security and started an in-depth investigation. The investigation has found previous cyber attacks dating from 2016 to early March 2019. We don’t know the motive behind the attacks. We have laid a formal complaint with Police and they are investigating. “We cannot say for certain whether or not the cyber attacks resulted in any patient information being accessed. Experts say it is likely we will never know. However, we have to assume the worst and that is why we are informing people.” Banking incidents Just because banks have resources and scale, does not mean they are immune to breach. They are major targets of attackers, and this is reflected in the number of incidents reported. In addition to the expected data breaches, some banks failed to take
governance and compliance seriously. This resulted in some of them breaching anti money laundering rules, leading to significant fines and endangering their banking licences. Commonwealth Bank has had a bad few years on this front. Australian banks are required to report large transactions of $10,000 or more within 10 business days. This allows the federal financial intelligence agency AUSTRAC to monitor funds going to criminal or terrorist networks. In June 2018 CBA agreed to pay AUSTRAC AUD 700 million plus legal costs. The bank admitted to the late filing of 53,506 anti-money laundering reports. The bank also failed to properly monitor transactions on 778,370 accounts to check for money-laundering red flags over a three-year period. In June 2019 using a court enforceable undertaking, the Office of the Australian Information Commissioner (OAIC) asked CBA to substantially improve its privacy practices after an investigation of two incidents in which the bank mishandled data: • In 2016, the bank lost two magnetic storage tapes containing 20 million customers’ historical statements. • In August 2018, CBA reported inadequate internal access controls to customer data to the OAIC Westpac Bank also has been in the news. In November 2019, AUSTRAC reported legal action against Westpac relating to 23 million breaches (totalling
NZSM
11
AUD 11 billion) of the anti-money laundering laws, with potential links to child exploitation. With each of the 23 million breaches carrying a potential penalty of up to AUD 63,000, the potential total fine runs as high as AUD 1 trillion. It expected that the bank will negotiate for significant financial penalty in excess of AUD 1 Billion. This has initiated further investigations likely to directly impact the bank’s directors and senior executives. The scandal led to the resignation of CEO Brian Hartzer. “As CEO I accept that I am ultimately accountable for everything that happens at the bank,” Hartzer said. “And it is clear that we have fallen well short of what the community expects of us, and we expect of ourselves.” Chairman Lindsay Maxsted also stood down. The brand itself has been damaged, and it is expected to make it more difficult for the bank to raise capital from investors with large penalties looming. Two-Factor Authentication Many organisations have decided to implement Two Factor Authentication to reduce and mitigate risks of a breach of customer records. Many industries, including banks, use it to send an authentication code to a customer’s mobile number via text to verify the person for logins and transactions. Attackers have responded by finding vulnerabilities and identifying new avenues of attack, such as porting fraud and SIM swapping processes. This is a
12
major problem worldwide with mobile telecom providers having to review the process of shifting a mobile number between providers. The number porting process in NZ and Australia has lacked safeguards to ensure the person porting the number is the current user. When attackers look to compromise an account’s login details, for example, they could request to port the mobile number associated with that account. Once the number is on a SIM they control they can use it to reset passwords and to access sensitive data or do financial transactions. The consequences of this type of attack on an individual can be significant. They can, for example, jack a twitter account and post offensive material to damage the reputation of the account holder. Twitter CEO Jack Dorsey had his mobile number ported by an attacker in August 2019. The attacker sent out offensive tweets to 4.2 million of his followers via a text to tweet feature of the service. On the more serious side, an attacker could gain access to sensitive data from an organisation or individual. Attackers have financially ruined people by locking them out of their bank accounts and draining available funds. The process to recover from this type of event is normally slow and stressful for the victim. Conclusion Whilst we live in a safe part of the world, the examples in this article demonstrate that we are not immune from the risks, threats and vulnerabilities faced by the rest of the world.
We should also recognise that a breach is not just a cyber event. Poor access control policies can have severe impacts and cause a breach by having authorised users with too-high level access creating a leak. Poor publishing policies on a website could release important documents when embargoed. Poor handling of storage media devices also presents a risk. Poor governance, as I’ve noted, can result in the breaking of laws, such as anti-money laundering legislation. These carry significant penalties and can result in loss of senior leadership, serious brand damage, and serous fines, hindering investor confidence. One common outcome of a breach event can be more rigorous oversight by regulators. When this happens, they often find other infringements. This can result in much tighter regulation and rules that can impact on the profitability of the business. Two factor Authentication is only as good as the processes related to number porting. The consequences of the SIM swap can be significant to the organisation or person affected, and it can take a very long time to recover from this type of event. Moving from the traditional siloed approach to security to enterprise-level wholistic security plans is an important step for organisations looking to avoid gaps in their responses to risks and treats. The next article in this series will focus on the international perspective, covering major recent breach incidents.
February / March 2020
TRAVEL BAN
New Zealand restricts travel from China amid outbreak New Zealand closes its borders to people travelling from China in a move to protect New Zealand and the Pacific Islands from the spread of coronavirus.
The Government announced on 02 February that it would be placing temporary entry restrictions on all foreign nationals travelling from, or transiting through mainland China to assist with the containment of the novel coronavirus. The restrictions will be in place for up to 14 days and reviewed every 48 hours. Any foreign travellers who leave or transit through mainland China after 02 February 2020 would be refused entry to New Zealand. New Zealand citizens and permanent residents returning to New Zealand would still be able to enter, as will their immediate family members, but will be required to self-isolate for 14 days on arrival back in the country.
February / March 2020
The Ministry of Foreign Affairs and Trade also raised its travel advice to New Zealanders for all of mainland China to “Do not travel”, the highest level. “Cabinet convened last night to discuss the most up to date public health advice and recent developments in the spread of the virus. We have been advised by health officials that while there are still a range of unknowns in the way the virus is being transmitted, we should take a precautionary approach and temporarily stop travel into New Zealand from mainland China, and of people who have recently been in China,” Prime Minister Jacinda Ardern said. “It is critically important that we both protect New Zealanders from the virus and play our part in the global effort to contain it.
“I am particularly mindful that we are a gateway to the Pacific, and must factor that into our decision making. “We have been in close contact with our partners in the past 24 hours, and I have spoken on multiple occasions with Prime Minister Morrison to ensure we are each aware of any changes to our systems, and the wider impacts given the frequent travel between our two nations. “The decision of the US to put in place similar restrictions to those decided by Cabinet has had a knock on effect in terms of travel, leading Air New Zealand and other airlines to stop their flights from China. “The Cabinet is acutely aware of the economic impact of the virus, including on tourism, the primary sector and education. I have asked Ministers to make contact with industry leaders to mitigate some of these impacts as much as possible,” Jacinda Ardern said. Deputy Prime Minister and Foreign Affairs Minister Winston Peters stressed this was not a decision taken lightly. “Ultimately, this is a public health decision. The outbreak has been well managed by China, and these temporary measures are to reinforce work being done to try and reduce human to human transmission. “New Zealand has not had a confirmed case of the virus and the risk of outbreak is low and we want to keep it that way. The health and safety of New Zealanders is our main priority. “I have been in close contact with my Chinese counterpart on New Zealand’s decision and have conveyed New Zealand’s willingness to assist with China’s efforts to control and defeat the virus,” Mr Peters said.
NZSM
13
INDUSTRY
Seven key trends for the security industry in 2020 From multi-dimensional perception to cybersecurity, Hikvision shares its thinking on key trends that will affect the security industry in 2020 and beyond. Significant changes have shaped the security industry during the last decade, and more exciting innovations should be expected in the 2020s. Emerging technologies and applications – such as multidimensional perception, UHD, low light imaging, artificial intelligence, and cloud technology – open new possibilities for the industry.
At the same time, millions of cameras and other security devices are being connected into networks, making the security industry a very important part of the future IoT world. 1. Multi-dimensional perception For security cameras, image capturing simulates our sense of sight, extending the power of the human eye. But what if security cameras could use other kinds of ‘senses’, like hearing, smelling, or even detections that are beyond visual range, to identify and respond to incidents? For example, video cameras integrated with centimetre and millimetre wave radars are becoming popular in object detection. With deep integration of radar and video, a multidimensional camera extends perception beyond visual range to improve the detection of objects and movement tracking – up to a distance of 100 meters and in any weather. Another approach is the integrated automobile horn-detection camera. Equipped with sonar arrays, this camera can precisely detect and locate the source of a vehicle’s horn, while identifying the vehicle and generating photos and videos of the event as evidence.
14
More ‘senses’, like smoke detection, heat detection, or even pressure detection, can be embedded in cameras to precisely monitor and report events or incidents. 2. Multi-intelligence cameras Artificial intelligence applications have been slowly emerging in the security industry for many years. But most AIpowered security cameras can only run a single algorithm because of the limitation of computing power, which means they can incorporate only one intelligent function at a time, such as counting people or cars. The computing power of security cameras is being enhanced greatly with the increased performance of AI chips. Multi-intelligence technology will be the trend for the next generation of AIempowered cameras as several intelligent tasks will be accomplished by one camera. In many cities you can see ten or more cameras installed at intersections, for example, to detect traffic flow, to identify violations, to detect vehicle types and license plate numbers, protect sidewalks, and so on. But now, with multi-intelligence cameras, two or three cameras will be enough. Since fewer cameras will be equipped for one application scenario, the cost of equipment, installation, and maintenance and management will all be reduced. 3. Proactive and comprehensive security systems Merely reactive CCTV systems will no longer meet the demands of security operations teams as they are often looking for new opportunities to enhance their operational efficiency. Many
customers are now asking for proactive and comprehensive security systems that combine CCTV monitoring, alarm systems, access control, and even fire protection. With the development of AI technology, CCTV systems are becoming more automated by analysing live and recorded video to detect, classify, and track predefined objects. These processes can be especially effective in proactively identifying events as they happen and extracting information instantly from recorded video. Meanwhile, proactive and intelligent video analysis enables the deployment of comprehensive security systems involving the integration of CCTV and nonCCTV systems. When a camera detects an incident, a link can trigger the alarm system automatically, notifying security personnel to check the surveillance camera live feed. Conversely, when alarm, access control or fire protection systems report an incident, the CCTV system will be activated to verify what actually happened. 4. Ultra-High Definition People want to see more and see with more clarity. Pursuing ever higher image resolution has thus been a key driving force in the development of security industry technology. After the HD era, the Ultra High Definition (UHD) era will be the natural next step. UHD used to mean ‘expensive’, but now UHD is benefiting from improvements in transmission and encoding technologies. It is becoming increasingly cost-effective for large-scale use in the security industry, from entry level to top shelf.
February / March 2020
With greater bandwidth and lower latency transmission technology, the smooth transmission of UHD images is becoming possible, and widespread adoption of 4K and 8K resolution cameras will meet real opportunities. Furthermore, continuously optimised encoding technology – which is vastly decreasing the bitrate of video – is another stimulus for UHD applications in the security industry. As the bitrate of recorded footage is greatly reduced, bandwidth and storage costs are reduced as well. 5. Visibility, anytime and any condition Most security incidents occur at night, but images and footage from conventional security cameras may easily lose colour and critical details in ultra-low light environments. Low light imaging technologies have become increasingly popular in the security industry, enhancing the visibility of objects at any time and in any condition.
Hikvision’s DS-2DE5432IW-AE PTZ 32x Zoom 4MP IR
February / March 2020
Another important innovation is thermal imaging, which can detect the heat information of any object with a temperature above absolute zero. Taking advantage of heat zone imaging, thermal imaging technology allows cameras to ‘see’ in low-visibility conditions, such as fog, smog, rain, and snow – even at night. And thermal cameras have huge potential in various applications, like perimeter defence, fire detection and temperature measurement. 6. Moving to the cloud More security devices, including cameras, are being connected over the Internet, making them parts of the IoT world, and thus ‘moving to the cloud’ has become a focus for the security industry – especially for video surveillance. Why are people enthusiastic about the cloud? It’s because cloud services can bring vast benefits in efficiency, flexibility, costeffectiveness, and security. Video surveillance as a Service (VSaaS) has been trending in the security industry as an ideal choice for SMEs looking to move their videobased security systems to the cloud. For enterprises running chain stores, for example, moving video surveillance services to the cloud means they can quickly and economically centralise their security operations and remotely check the status of their stores. Since no on-site server installation and system configuration is needed, it can be more convenient than traditional video surveillance solutions. Users can distribute costs over a contract term and pay for exactly and only the services that are used. Security system integrators are also getting to grips with VSaaS as it presents
opportunities to strengthen their business models. With VSaaS, integrators are able to provide services for their clients using the cloud – such as system checks and remote maintenance. 7. Higher expectations on cybersecurity With millions of security devices becoming part of IoT, security systems are evolving from being single and isolated to open and connected. People are getting more and more concerned about the security of their data and privacy, and accordingly have set higher expectations on the security industry in relation to cybersecurity. To help minimise the risk of security breaches, a multi-layered approach – including network, application, and device layering – that addresses a full range of cybersecurity threats concurrently will be demanded by security organisations and IT departments. Security manufacturers will need to demonstrate the security of their products throughout the whole lifecycle. Final words Just as 2020 is the beginning of a new decade, we expect to see a new decade of innovation in technologies and applications. Along with the security industry trends mentioned above, other trends such as 5G, big data, smart enterprise operations, and stricter data protection regulations like the EU’s GDPR, might also greatly affect the industry in the 2020s. To find out more, or to discover Hikvision solutions that are delivering the future of security and surveillance today, please visit www.hikvision.com.
NZSM
15
GUN BUY-BACK
New Zealand’s Arms Act Reform: The Buy-Back is not an end in itself Dr John Battersby of Massey University’s Centre for Defence and Security Studies makes a sober assessment of the efficacy of the gun buy-back scheme, arguing that a starting point should have included identifying gun owners posing a risk to society. Just before Christmas New Zealand’s gun buy-back and amnesty period formally ended with considerable media coverage. Assessing the success or failure of it amid the media scrum, appeared to be a matter of perspective. The government claimed it had achieved its goal, critics alleged otherwise – both have vested interests and a more detached view is required. Dr John Battersby is the New Zealand Police National Intelligence Centre Teaching Fellow at the Centre for Defence and Security Studies, Massey University. He previously served in the NZ Police Wellington and Central Districts and at the School of Leadership, Management and Command at the Royal New Zealand Police College.
16
The ultimate question is - has the gun buy-back made New Zealand safer than it was before, and has it mitigated the risks that were starkly revealed in New Zealand on 15 March 2019? Has the buyback solved problems, or has it generated more? The government drove the changes to the Arms Act and has claimed success. It it has after all, only spent $100 million dollars compensating firearms owners and removed over 56,000 firearms in six months. The buy-
back has received considerable publicity – Deputy Commissioner Mike Clement hit the nail on the head when he said if gun owners did not know what was expected of them “they would have had to have been living under a rock.” Some of those giving up their weapons were unhappy, resigned to a course of action they didn’t choose, but some seemed relieved and all who attended the collection points cooperated. The law is clear, the communications have been clear and the warnings have been clear. If anyone wasn’t sure if their firearm was legal or not, they had only to take them to a collection point and ask. Waiting times varied, but giving up a few hours – to ensure compliance over a six month period – seems both reasonable and achievable. There have been calls for the amnesty to be extended. But why? What is another six months going to achieve that the previous six months hasn’t, other than more cost, more demands on police resources, and signal perhaps that the government isn’t that serious?
February / March 2020
The Minister of Police made it clear as the amnesty ended, that the New Zealand Government was absolutely serious. If some people had endured six months underneath a rock, another six was easily manageable and wilfulness, not ignorance, would be at the heart of it. On the other hand, the figure of 56,000 firearms is meaningless because New Zealanders do not know how many firearms are in circulation in their country. They do not know how many semi-automatic firearms are owned, and they have never known how many illegal firearms there are nor how many unlicensed individuals are in possession of them. Import data and sales information has been suggestive – and the Council of Licensed Firearms Owners claim another 100,000 banned weapons are still in the community. They argue that an extension of the amnesty is necessary, and indeed, they could have a point. If the objective is to get these weapons out of circulation – is another six months really too much to ask? Does it matter if more money and resources are spent? Does it matter if the government signals a preparedness to compromise to get the ultimate end result it is looking for? If police resources were strained getting 50,000 firearms from cooperative people, how are they going to bear the
February / March 2020
burden of finding and seizing 100,000 more guns from those who aren’t? While we balance the pros and cons of either side of this debate, we have to remind ourselves that the gun buy-back is not an end itself. On 15 March 2019 massive vulnerabilities in the administration and regulation of firearms in New Zealand were exposed. Fifty-one people paid with their lives for those vulnerabilities. An overhaul of the Arms Act 1983 became inevitable that day - things simply could not remain as they were. Regardless of what the Council of Licensed Firearms Owners say – it cannot reverse this incontrovertible reality. But change must mitigate those vulnerabilities – change must make us safer. It is unclear if taking 50,000 firearms off people who are clearly responsible enough to comply with the law, has progressed that in way, shape or form. The immediate banning of the sale and purchase of semi-automatics was a sound and decisive move, but pursuing all those who owned them for years prior to 15 March, stored and used them properly, and posed no risk to society may not have been the best first move. A thorough assessment of where the risks were, what steps would address them best and, critically, how to identify those who should not have them, would
have provided a clear foundation about how to proceed. Illegally held firearms have been, and remain, a key firearms risk for New Zealand – not yet with any obvious solution. If recent media coverage is anything to go by, it seems ‘the gun lobby’ and the government/police have divided themselves into opposing camps. This makes good media, but bad policy. Experience in the UK with its PREVENT strategy should sound a clear warning for the New Zealand government not to start targeting large communities of people for vague similarities with a tiny proportion of extremists, and for all concerned not gravitate into camps of ‘them’ versus ‘us,’ each arguing passed the other. If the media are encouraging these ‘camps’ they need to step back, shoulder some responsibility and explore if there is not some common ground between all concerned. The ultimate goal for New Zealand is a safer community where the privilege of reasonable and legitimate use of appropriate firearms by responsible people can be facilitated, but at the same time there is an accountable system in place that militates against those who wish greater harm to society exploiting an Arms regime that previously placed too much trust in the enduring New Zealand adage that “She’ll be right”.
NZSM
17
CASE STUDY
Dahua Safe City Solution safeguards Brienon-sur-Armançon Dahua’s safe city solution delivers public safety and security benefits to small town France, using wireless solutions to give the gendarmerie additional eyes on the ground and a head start against criminals. Brienon-sur-Armançon is a small town in the rural BurgundyFranche-Comté region of northcentral France. With a population of about 3,300, the postcard perfect hamlet is located at the intersection of the Créanton and ‘Armançon rivers, and despite its idyllic setting it’s as susceptible to crime as anywhere else. Challenges The two main issues facing a potential public safety solution in the town were that (a) the local police force consisted of just one police officer, and (b) there was no cabling infrastructure in place that might accommodate a modern surveillance system.
18
Solution To make up for the shortage of constabulary and network cables, Dahua Technology delivered a customised solution covering the entire town with
a range of video surveillance devices. These are linked by wireless device combining PTZ camera and antenna to transmit all the collected data to the highest point in the city centre. The data is then transmitted to the control centre, making it easy for the police to achieve round-the-clock monitoring. To monitor major sections of the town, devices including Starlight IR PTZ AI Network Cameras, Multi-Sensor Panoramic Cameras, Eyeball Cameras, Thermal Cameras, ANPR Cameras, and Wireless transmission devices are used. From the control centre located in the police station, the police are able to view situations in real-time and decide whether to take action, and/or obtain video recordings for evidentiary purposes. In addition, the combined strength of the Dahua general camera and PTZ
February / March 2020
camera create a smart capture mechanism for the police. General cameras are installed to monitor fixed scenes, and once humans or vehicles trigger ‘tripwire’ detection rules set by the operator, the PTZ camera automatically zooms-in and starts tracking. For low-light applications, the PTZ camera’s Dahua Starlight Technology offers outstanding light sensitivity, capturing colour details even under ultralow light conditions. In addition, ANPR Cameras are deployed for road safety enforcement
February / March 2020
on the town’s main roads. Embedded with License Plate Recognition (LPR) algorithms, the cameras have the ability to quickly detect and recognise moving vehicles’ plate numbers. Thermal Cameras take care of the task of monitoring barbeque sites in Brienon-sur-Armançon’s public park with their built-in fire detection functionality able to detect fires even at long range. Wireless transmission devices made it possible for cameras in all locations to connect to the control centre without the cost and trouble of wiring. A NKB
5000 HD Network Control Keyboard is installed in the control centre to help police achieve split screen operation of both general and PTZ cameras. Seagate hard disks are also used to store recorded video for future use. Benefits The Brienon-sur-Armançon police officer can now sit remotely in the control room and operate in an entirely more efficient way with the help of Dahua Safe City Solution, which allows him to effectively monitor key areas within the township and respond in time when an incident takes place. Recorded video now serves evidentiary purposes and help the police to crack cases with much less effort. In just the first week of the test run of the smart system, the police were able to solve a cemetery theft case with evidence recorded by the Dahua PTZ camera. “The origin of our cooperation with Dahua dates back to the visit to China a year ago,” said Mr Jean-Claude M.Carra, Mayor of Brienon-sur-Armançon. This visit to the Dahua headquarters in Hangzhou concluded with a reciprocal commitment – to equip the city of Brienon with video surveillance. We welcomed this agreement, which allowed the installation of the system and improved the daily life of our residents.”
NZSM
19
INDUSTRY
NZSA CEO’s January Report In this update, NZSA CEO Gary Morrison talks NZSA member benefits, support for LSV Programme, Security Services Good Guidance document, Virtual Reality for CoA training, Review of Vocational Education, and more.
From the NZSA’s perspective we are looking forward to the coming year with considerable excitement as we introduce three new member benefit programmes (refer below), continue to expand our MSD Skills for Industry programme, launch the Security Services Good Guidance document and are involved in developing a ground-breaking training initiative which will be profiled in our next newsletter.
Gary Morrison is CEO of the New Zealand Security Association (NZSA). A qualified accountant, Gary originally joined Armourguard Security as a junior accountant and held several roles over two decades prior to appointment as GM for New Zealand and Fiji, after which he established Icon Security Group.
20
NZSA HR Advisory Service member benefit From 01 February, NZSA members will be able to access free HR advice and obtain template Employment Agreements, Position Descriptions and other key Policy documents via the NZSA HR Advisory Service. Members will be able to access the service either by calling 0800 HRLIVE (0800 475483) or emailing: nzsa@ livewirehr.co.nz. Our contracted provider will provide an immediate response to enquiries received during normal business hours and will be able to provide best practice guidance on HR issues and individual situations. Where the level of advice moves beyond first level and requires specific action, our provider will advise the member accordingly and, if required, can provide those services at preferential rates exclusive to NZSA members. As part of the service we will also issue members regular updates and guidance on HR matters.
This is a fantastic offer for our members and in particular those smaller companies who do not have access to in-house or contracted HR expertise, so please ensure that your staff who may have a need for HR guidance are aware of the service. More detailed information will be provided to members shortly. NZSA Integrity Line member benefit The NZSA has partnered with CrimeStoppers in launching this service effective from 01 April. The NZSA Integrity Line will provide all employees of participating members with access to a totally confidential service where they can report issues such as bullying, sexual harassment, poor employment conditions, illegal practices such as theft or drug dealing and other matters of concern occurring in the workplace. The service is particularly valuable where employees are reluctant to report matters due to fears that it may affect their employment or that by doing so they may be further victimised. Reports received through the Integrity Line service will be independently screened prior to being forwarded to nominated senior management within member companies for investigation and reporting back. It is important to note also that the recently revised Government Procurement Rules include a requirement for the providers of designated contracts (which includes all Government security contracts) to “provide a voice for staff” in relation to employment practices and conditions. Details on the Integrity Line service, including 0800 number and email contact, will be promoted over the next few months.
February / March 2020
NZSA support for LSV Programme As part of our Skills for Industry partnership with MSD, we regularly attend and host employer expos where we can introduce candidates to the various career opportunities within the security industry. In conjunction with the work expos, we have recently attended several of the LSV (Limited Service Volunteer) employer days and have been so impressed with the attitudes and commitment of the trainees that we have introduced an NZSA Award to be presented to the trainee demonstrating outstanding qualities for the security industry - initiative, empathy and going the extra mile. The LSV programme is a free six-week motivational training course provided by MSD but facilitated by the New Zealand Defence Force. It is targeted at 18 to 25-year olds and aims to increase the number of young people entering employment or training by improving their self-discipline, selfconfidence, motivation and initiative.
Trainee Ropati Tusani, award recipient at the Trentham LSV graduation
February / March 2020
Our first award recipient was Trainee Ropati Tusani from Porirua at the Trentham graduation in early December. “Ropati was blown away by the award,” the course leader commented. “Coincidentally I was sitting beside his parents during the graduation and after I presented the award his dad shook my hand in appreciation and a wee tear in his eye. Proud parents indeed.” Tactical Solutions member benefit Tactical Solutions is New Zealand’s leading provider of high-quality security equipment and uniforms. NZSA members will receive a 10% discount on all items purchased through Tactical Solutions. Security Services Good Guidance document This document has been a long time in the making but is in the final stages of review by WorkSafe and is expected to be available for official launch within the next few months. The history of it goes back to the tragic death of Security Officer Charanpreet Singh Dhaliwal on 18 November 2011 when assigned to his first night on duty. The Coroner’s Report into the death made three key recommendations, including tasking WorkSafe (ACC at the time) with preparing an industry-wide code of practice or guideline. Whilst WorkSafe acknowledged their responsibility to produce this document back in 2017, they also confirmed it was at the lower end of their priorities and realistically it would be at least five years before it could be considered. The NZSA has subsequently taken ownership for developing the guideline and with input and assistance from
stakeholders, including E tu and NZCTU, has progressed the document to the stage where it has been through rigorous consultation and is ready for release. The Security Services Good Guidance document provides detailed operational instruction for all security providers, employees and customers that will ensure services are provided safely and in accordance with good practice. Once released, it will be available in soft copy on the respective websites of the PSPLA, NZSA, E tu, NZCTU and WorkSafe. In the interests of making the document available, the initial release version excludes service specifications on some specialised services such as Event Security and Hospital Security. We are in the process of forming special interest working groups to assist in developing the content for these sections - if you have expertise in these areas and wish to be involved, please let me know (email gary@security.org.nz). Virtual Reality Training for delivering CoA Unit Standards The NZSA is currently working with MSD and software developer JBA ( Joy Business Academy) to develop a VR (virtual reality) training platform for the delivery of the three CoA or Mandatory Training unit standards. We are very confident that this will offer the industry a number of benefits such as improved access to training, consistency of delivery and enhanced learning outcomes as well as addressing current literacy issues and providing significant cost and time savings. Obviously we still have a lot of work required on this but in our next newsletter we will provide more detail around how the training will
NZSM
21
be introduced and expected timelines plus information on the successful introduction of VR training across other industry sectors. Domestic Smoke Alarm Installation Compliance It has become apparent to the NZSA that there is some confusion within the security industry regarding the requirements for the connection of domestic smoke alarms into security systems. The NZSA has compiled a guidance document to clarify current legislative requirements. We are currently waiting for licensing approval from Standards NZ to include references from the Standards in the guidance document and as soon as this is received the document will be distributed to all members and interested parties. We strongly recommend that all service providers ensure they are compliant with these requirements and also implement a programme to retrospectively rectify non-compliant connection of domestic smoke alarms into security systems. Increase in Minimum Wage - 01 April 2020 Members are reminded that the Minimum Wage increases to $18.90 per hour effective 01 April 2020. Use of Surveillance Equipment for Recording Sound We regularly receive enquiries from our members and industry customers about the legality of using cameras and other surveillance equipment to record sound. The Privacy and CCTV Guide issued by the Privacy Commissioner for businesses, agencies and organisations
22
(privacy.org) does not specifically cover audio recordings but does emphasise the principle that recordings should not reasonably intrude on people’s privacy and the accepted interpretation is that audio would be deemed an unreasonable intrusion in most circumstances. The legislation is a little clearer in the UK where the Information Commissioners Office issued a warning that states “CCTV must not be used to record conversations between members of the public as this is highly intrusive and unlikely to be justified”. The statement also noted “customers should choose a system without audio recording if possible or if the system comes equipped with a sound recording facility then it should be turned off or disabled in some other way”. Our advice is that audio recording capability should always be turned off and if customers specifically request the recording facility, the provider should inform them of the privacy issues and actively seek to dissuade them from using the system for recording. ROVE - Review of Vocational Education The next phase of the view process is now underway with the announcement of the six industry-led Workforce Development Councils (WDCs). The WDC’s will take over many of the key functions of the ITOs and are intended to provide industry with greater leadership across vocational education and training. The six WDCs cover: • Construction and Infrastructure • Primary Industries • Service Industries • Health, Community and Social Services • Manufacturing, Engineering,
Logistics and Technology • Creative, Cultural and Recreation The security industry has been listed under the Service Industry WDC which includes coverage of wholesale trade, retail trade, accommodation and food services, tourism, cleaning, rental, hiring/leasing and real estate services, contact centres, business services and financial services. Whilst this seems a logical fit for traditional ‘manpower’ services such as guards, patrols, cash-in-transit, document destruction and monitoring/ communication centres, there is a strong argument that ‘electronic services’ such as alarms, cameras, access control and cyber would be better placed under either Construction and Infrastructure (which includes electrical services) or Manufacturing, Engineering, Logistics and Technology (which includes fire protection services). I would welcome member feedback on this as it is critical that we have strong representation within the WDC structure if we are to achieve the best education and training outcomes for our members. CareWise One in eight workers have caring commitments for a loved one who is elderly, ill or has a disability or chronic condition. National NGO Carers NZ has partnered with MSD and business networks to offer a free programme to help employers to be carer friendly. Simple steps can keep carers working, boost retention and productivity, and demonstrate commitment to workplace values. Carers NZ invites NZSA members to become CareWise. Learn more at CareWise.org or phone 0800 777 797.
February / March 2020
INDUSTRY TRAINING
Security Training and Professional Development SIG Andy Gollings, Chairperson of the NZSA’s Security Training and Professional Development Special Interest Group, provides updates on the National Certificate in Security Level 4, NZ Certificate in Electronic Security and mandatory training. The Special Interest Group for Security Training and Professional Development convened one last time in 2019 with the main focus of this meeting being on the structure and content of the new National Certificate in Security Level 4. We see this certificate and its ability to develop front line security leadership as a key building block to raising industry standards which is a primary objective of this group. Andy Gollings is Chair of the NZSA’s Security Training and Professional Development Special Interest Group. Since 2002, he has been CEO of Red Badge Group, having previously worked in a range of roles, including as a RNZAF Aircraft Maintenance Technician.
February / March 2020
As part of this last meeting of 2019 we were also presented updates on the NZ Certificate in Electronic Security, the ROVE review and its impact on Skills Organisation and the review of the COA mandatory units, which are outlined below. National Certificate in Security Level 4 A working group has been supporting Skills Organisation over the course of 2019 in the development of a new National Certificate in Security Level 4. This qualification is aimed at Senior Security Officers in a sole charge role or Security Team Leaders / Supervisors. Graduates of this qualification will be able to: • Implement and maintain operational systems and risk management processes in a security work context. • Lead staff and support their development in a security workplace.
• Implement and maintain the health and safety requirements for self and others, including defensive techniques, while carrying out security work. • Lead the response to incidents in a security work context. NZ Certificate in Electronic Security We were advised that the number completing the NZ Certificate in Electronic Security Level 3 is double the number from the previous year, with 45 currently enrolled. The Level 4 programme has been developed and approved by NZQA, and MIT will be supporting the delivery of the programme with a rollout expected in the second quarter of this year. COA training update The materials available for the COA mandatory training are currently under review to eliminate some of the unnecessary complexities of this training. We hope to see these updated materials being available by the end of the first quarter of this year. In review 2019, was an interesting year for industry training with several NZSA initiatives being well received, this Special Interest Group among them. With the objective of raising industry standards your feedback and input is essential. Please direct any questions or concerns that you have to the NZSA so that we can work together to ensure our customers and our staff are provided the quality support that they deserve.
NZSM
23
INTERVIEW
The interview: Ngaire Kelaher, ASIS NZ Chapter Chair The new ASIS NZ Chapter Chair talks with Chief Editor Nicholas Dynon about what the chapter will be getting up to in 2020 and why it’s worth looking a little closer at the benefits of ASIS International Board Certifications.
ND: What’s the focus for ASIS NZ in 2020?
Ngaire Kelaher is Chairperson of the ASIS International NZ Chapter (previously Chapter Deputy Chair and Secretary), and she is a Security Risk and Training Consultant at RISQ New Zealand. Involved in security since 1995, Ngaire is a former deputy director of Training at the NZSA. She holds the PSP and CPP ASIS International Board Certifications.
24
NK: Definitely to grow membership, and apart from memberships, it’s about getting people excited about the ASIS Board Certifications. That started last year. Which led to successes that included David Withers getting his APP and Devin [Louw], Rehan [du Toit] and Johan [ Janse van Resnburg] getting their CPPs, which is major! So, we’re looking to tailgate this with momentum to get everyone else on board as well. But the main thing for me personally is reminding people what the benefits of membership are. I think along the way people have forgotten what the benefits are of being an ASIS International member as well as being a Chapter member as well as the certifications. I want to find out why members that didn’t renew their membership last year or the year before didn’t and ask them personally, because maybe whatever the issue was back then doesn’t exist anymore. I’d like to get them back into the fold. It’s not just about getting new people, but about finding out why we’ve lost people too. ND: What’s the level of membership like at the moment? NK: Last year’s membership list totalled 51 chapter members out of about 100 ASIS International members who reside here in New Zealand. A lot of membership subscription renewals have come in recently but of course we won’t get a full picture for another month after people settle in for the new year. But it’s promising. People are renewing, which is
great, because we didn’t have this much uptake this time last year. Maybe it’s because we sent out the reminders earlier? Maybe it’s because we made the registration process a little bit simpler – you just have to click on a link and it comes up in a pre-populated email. You just fill out your bits and pieces, send it through, and we send you back an invoice and you can pay however you like. When we get confirmation that the invoice is paid, we send you an electronic welcome pack reminding you of all the benefits so you can see what your money’s going towards, and your login details to the member’s only part of the website. You can then click to receive your pdf chapter membership certificate. ND: What currently are the benefits of membership? NK: It’s not just the networking. A lot of people think that this only benefits people in Auckland and Wellington, but networking doesn’t need to be in person, it can be virtual as well. Last year we would look to get a speaker for a traditional chapter meeting, hopefully get sponsorship that would allow that same speaker to go down to Wellington and replicate the same session, but that hasn’t always worked, and it heavily relies on sponsorship. So why not make the most of technology? If we can get sponsorship, great, but we don’t want sponsorship to hold up having meetings or networking opportunities. If we can’t get sponsorship we’d be asking members to pay just a $25 breakfast fee. Alternatively, if we can do it for free because there’s no breakfast
February / March 2020
It’s hard doing it by yourself, but study groups really help. Membership also gives you access to webinars, many of which are free, and they entitle you to points towards your re-certification – one hour equals one point. There is just so much material and so many resources on the ASIS International website, scholarships available through the ASIS Foundation, whitepapers, and of course our Chapter website membersonly area. I’ve been a member of ASIS International for 15 years and the resources, networking opportunities and support have just been awesome. ND: Who would be a likely member of ASIS NZ Chapter? What profile of professional?
David Withers is handed his APP certificate by David Horsburgh CPP PSP PCI.
in it, such as a lunchtime meeting, then great… bring your lunch and it’s free. We’re looking at ways to remove barriers to meeting up. One of the big things to remind members of is that the benefits of membership are New Zealand-wide and so there are benefits if you’re a member in Huntly, for example, and you can’t make it up to Auckland… just video call in and we’ll make it work. ND: What about certifications? NK: Before last year, no one had achieved certification for three years, so there was a big gap. At the moment we have study groups happening in both Auckland and Wellington – for PSP and APP. All the study groups focus on the online review program that Michael Pepper developed for the APP, CPP, PSP and PCI, which has handouts, presentation slides and quizzes that complement the standard ASIS study materials. Having that online review program and also being accountable to each other in a study group is really important. You can join a study group at any time and you don’t necessarily need to be an ASIS International member to sit a certification but there is a cost benefit if you are.
February / March 2020
NK: Definitely someone involved in the security industry in some way or another, not necessarily with a security provider but they could be in-house or in a security-related role and looking at making connections, engaging in professional development and seeing what else is available in the industry. If they’ve been there done that ,then maybe it’s more about seeing how they can share that knowledge in a mentoring role. Remember, it’s an individual-based membership, not a company-based one, and that’s what makes ASIS unique. ND: Why is it that certification in the physical security space isn’t more of a thing? NK: APP and CPP are quite broad and don’t exclude anyone who is, say, in a niche part of the industry. That’s part of the attraction of these certifications. It’s great underpinning knowledge that provides a broad perspective on everything, but you can apply the principles anywhere because they’re at that level. I was recently on a cruise ship, the Seaborne Encore, and we had to host a table and on my table was a professor of criminology from a college in the US. We were having this great discussion and it turns out he’s got a CPP and been an ASIS member for decades over in the states, and I said hey, I’m part of ASIS International and we talked about what I did – he’d just assumed I was an artist! What are the chances that on this particular ship – and the Seaborne Encore is by no means a large ship – that on my particular table I was able to make this connection. It’s a great reminder that ASIS certifications are international.
I understand that there are plenty of people who say that they’ve got all the experience so they don’t need certification, but I say why not get recognition for all the experience you’ve got. Why not have the best of both! ND: What events are we likely to see ASIS host or be involved in this year? NK: We’ll be continuing our regular meetings – chapter meetings with a guest presenter – in Auckland and Wellington and virtually. I’d love to have a meeting in Christchurch or Dunedin or anywhere. This year I’d like the odd evening meeting in addition to the usual breakfast ones, for people who can’t make mornings. Also, there’s something that used to happen but hasn’t for a couple of years, and that’s the CPP dinner that was a special dinner hosted by ASIS before the annual NZ security conference/awards. I want to start this up again – whether it’s before the awards or around the time of the awards – and make it a certification (rather than CPP) dinner so that people who have gained their APP, CPP, etc or re-certified recently can be acknowledged in this way while everyone’s in town for the awards. ‘Women in security’ has been something we’ve been doing for the past couple of years. Dean [Kidd] (2017-18 ASIS NZ Chapter Chair) started it at the Aotea Centre the year before last and that was really popular – and our first key Women in Security event. Last year Andrew [Thorburn] (2019 ASIS NZ Chapter Chair) did an amazing job with a fantastic Women in Security event in Wellington. This year we’re going to bring it back to Auckland, otherwise if there are people interested in hosting it in Christchurch or anywhere else, we’ll take it there! We’ll certainly put a call out for sponsorship or support in some way shape or form but we’re not going to let that dictate whether or not it goes ahead. It’s really important that people understand that this event is not just for women in the industry, it’s for everyone. It’s not just for women; it’s about celebrating women and it’s tied to International Women’s Day. The more support we have – and guys turning up – the better. To this day I still get asked, “so are there women in security too?” I was getting asked the same question back in 1995… it blows my mind!
NZSM
25
REPORT
Smart home consumer privacy survey reveals unease In a report released in the US last month by ADT, 1,230 US consumers responded emphatically to a consumer privacy survey that reveals significant concerns over smart home privacy. With many data privacy and security issues in the news, says ADT, it’s no surprise that 92 percent of respondents feel smart home security companies need to take measures to protect customers’ personal data and information. However, while concerns around privacy are high, more than 40 percent of those surveyed admitted they don’t feel knowledgeable on the topic.
In early 2019, ADT rolled out the Consumer Privacy Initiative, “… an industry-level initiative to unite the smart home security industry and produce clear guiding principles… for how security
26
providers manage consumer data and protect their privacy.” Major focus areas outlined in the initiative’s manifesto include accountability, data correction and deletion, guidance and use, and transparency. Several leading smart-security brands have united with ADT to expand on the practices laid out in the initiative. The doors are open for other companies to come aboard, and this is certainly a case of “the more the merrier” because, let’s face it, those terms-and-conditions pages could do with some enriching. “ADT released the first Internetconnected smart home security platform in 2010, and we’ve consistently taken great care to protect and connect our customers in the most secure ways possible, using leading industry standards
and best practices to guard their data, privacy and personal information,” said Jim DeVries, President and CEO of ADT. “Where there is consumer confusion about privacy, we as an industry must work to reduce that confusion so consumers can be confident that the products and services we provide to help keep them safe can be trusted. With that trust in place, there can be greater peace of mind.” Key Consumer Privacy Opinion Survey Findings The explosion of the smart home device category ushered in scores of new manufacturers and brands that may have put convenience before user privacy. However, the consumer privacy opinion survey revealed consumers are now aware of and concerned about privacy as it relates to smart home devices with the top concerns reported to be hacking (75 percent) followed by government spying on in-home smart cameras (53 percent) and smart speakers (52 percent). The survey also uncovered that when it comes to how personal information is shared, consumers tend to be more concerned about how governments (89 percent) and companies (93 percent) share their personal information than they are about how they share their own personal information on social media (86 percent). And, despite acknowledging the importance of privacy protocols, most consumers don’t use privacy measures available to them. Fewer than 40 percent of survey respondents reported having
February / March 2020
any data privacy measures in place at all. “These consumer privacy opinion survey findings validate the work we’ve been doing as an industry over the past year to create a set of guiding principles, designed to help protect customer privacy and trust in the security industry and member companies, and to unify ourselves around them,” said Frank Cona, Chief Privacy Officer at ADT. A Consumer Privacy Initiative for the Security Industry The Consumer Privacy Initiative was launched as an industry-level initiative to unite the US smart home security industry and produce clear guiding principles and best practices for how security providers manage consumer data and protect their privacy. Participants, including producers of security products and security related software, implementers and other service providers, and industry associations joined together during the past year to develop a baseline of industry-wide guiding principles for consumer privacy, with input from consumer advocates. Guiding principles for the group are being developed with the understanding that providers of smart home security products and services must continually earn the trust of their customers by prioritising their privacy as well as their safety.
February / March 2020
The principles are intended to evolve with the changing smart home and security landscape – addressing top-ofmind issues such as facial recognition and analytics. Current areas of focus include: • Privacy by Design – Consumer privacy should be embedded in all areas of the security industry, and that begins with the design of the products used to help protect and connect customers. • Transparency – Providers of security products and services must spell out in clear and understandable terms how they collect, use, share, and retain sensitive data. • Handling of Audio and Video – Security providers will only share audio or video with first responders with their customers’ prior consent, or as required by law, and will not otherwise access a customer’s audio or video without the customer’s knowledge. • Data Correction and Deletion – Security providers will create an easily accessible process for customers to request that personal information collected by that provider be deleted. Customers can also request that data errors be corrected. • Guidance and Use – Providers of security products and services will
equip customers with information that empowers them to use their security products and services in a manner that better enhances everyone’s privacy. This could involve adjusting data collection settings, setup of cameras, or establishing video and audio data retention timeframes that work best for them. • Accountability – Providers of security products and services will commit to additional accountability measures, such as independent privacy assessments. To date, the following organisations have collaborated in developing the guiding principles, ADT, Alarm.com, Electronic Security Association, Security Industry Association (SIA), Sercomm, TrustArc/Nymity, and Vector Security. “The Security Industry Association is pleased to support this important broadbased effort led by ADT to ensure the privacy of consumers,” SIA CEO Don Erickson said at the time. “SIA has taken a leading role on privacy issues through its Data Privacy Advisory Board, and we look forward to working with our partners on this project to demonstrate that members of the industry are as committed to protecting data privacy as they are to securing people and property.”
NZSM
27
INDUSTRY
Seeking SMS Authentication Alternatives It’s a security measure that grates most of us each time we log into our online bank accounts, but SMS-based two-factor authentication, writes Senior Editor of Security Management Megan Gates, is increasingly vulnerable. It’s becoming commonplace for many login processes. Users need a password and an additional authenticator to complete the login. That often comes in the form of a code sent via Short Message Service (SMS), commonly known as a text message, to a cell phone. The user then enters that code into the Web account he or she is trying to access and is logged in. Megan Gates is Senior Editor at ASIS International’s Security Management magazine. She joined the Security Management team in 2013 after graduating from Missouri State University with a Bachelor of Science in Journalism.
28
People started using this authentication method to prevent phishing attacks from being successful. In addition to a password, an attacker would need the code sent via SMS to gain access to the account that he or she was attempting to infiltrate. This preventative measure has been successful in many cases. In May 2019, Google released new research on how adding a recovery phone number to accounts can prevent malicious actors from gaining access to those accounts. “We found that an SMS code sent to a recovery phone number helped block 100 percent of automated bots, 96 percent of bulk phishing attacks, and 76 percent of targeted attacks,” wrote researchers Kurt Thomas and Angelika Moscicki on the Google Security Blog. “On-device prompts, a more secure replacement for SMS, helped prevent 100 percent of automated bots, 99 percent of bulk phishing attacks, and 90 percent of targeted attacks”. But on 17 September 2019, the FBI issued a Private Industry Notification (PIN) warning cybersecurity professionals that the Bureau had seen
cyber actors circumventing multifactor authentication through social engineering and technical attacks. The Bureau said that these actors used popular multifactor authentication techniques to obtain one-time passcodes and access protected accounts. The alert stems from an incident that the Bureau became aware of in 2016 when a malicious actor targeted customers of a U.S. banking institution; the attacker ported their phone numbers to a phone he owned and operated— called SIM swapping. “The attacker called the phone companies’ customer service representatives, finding some who were more willing to provide him information to complete the SIM swap,” according to the FBI. “Once the attacker had control over the customers’ phone numbers, he called the bank to request a wire transfer from the victims’ accounts to another account he owned.” Because the bank perceived that the attacker was calling from a phone number that belonged to a customer, it did not ask full security questions but instead asked for a one-time code it texted to the phone number the attacker called from. The attacker “requested to change PINs and passwords and was able to attach victims’ credit card numbers to a mobile payment application,” the Bureau said. During the next two years, the FBI saw an increase in complaints about SIM swapping to circumvent two-factor authentication. “Victims of these attacks have had their phone numbers stolen, their bank accounts drained, and their passwords and PINs changed,” the Bureau
February / March 2020
explained. “Many of these attacks rely on social engineering customer service representatives for major phone companies, who give information to the attackers.” In addition to the Bureau’s warning, cybersecurity firm Crowdstrike also highlighted the growing threat of interceptions of SMS used for two-factor authentication (2FA). In its inaugural 2019 Mobile Threat Report, the firm explained that this type of interception is the most prevalent. “Online services have now begun to adopt other 2FA mechanisms due to insecurities in SMS, such is the ease with which inbound challenge messages can be spoofed and message interception attacks against the Signaling System 7 (SS7) telecommunications standard,” the report said. A press agent for the FBI said the Bureau would not comment on the notification, but the PIN did include some mitigation strategies to prevent circumnavigation of multifactor authentication. The Bureau recommended educating users and administrators to identify social engineering “trickery—how to recognise fake websites, not click on rogue links in e-mail, or block those links entirely.”
It also suggested using additional or more complex forms of multifactor authentication for users and administrators, including biometrics or behavioural authentication methods. The attack method the Bureau highlighted—SIM swapping—is one of the reasons that the National Institute of Standards and Technology (NIST) sought to downgrade SMS as a two-factor authentication method. It later changed its stance and said SMS is acceptable for lower-level accounts but should not be relied upon by users to authenticate themselves to access high-level accounts, such as corporate finances. “Any use of SMS messaging is insecure—it’s not encrypted,” says Clay Miller, chief technology officer at mobile workspace solution provider SyncDog. “Devices are susceptible to theft. SIM cards can be spoofed. You can set up cloud servers that can send and receive bogus numbers.” Because of these loopholes, security experts have been recommending that users implement other forms of multifactor authentication to log into accounts. For instance, they suggest using biometrics or security keys—like the ones sold by RSA or Google—that are not susceptible to SIM swapping or SMS attacks.
Miller says that he can see a trend towards requiring executives and others to use these kinds of multifactor authentication to access corporate accounts, “especially when we’re talking about regulated financial institutions and healthcare providers.” He adds that there might be more of a push for this in the future due to increasing regulator scrutiny under the European Union’s General Data Protection Regulation (GDPR). “We might in some cases have a more organizational push where people who use sensitive information must have policies in place on how they can access their account,” Miller adds. This may be especially critical as criminals become more capable of compromising multifactor authentication through new attack methods. For instance, in May 2019, the Muraena Team, made up of security consultants Antisnatchor (Michele Orrù) and Giuseppe Trotta, released Muraena and NecroBrowser—tools that automate credential phishing. “This is achieved by Muraena acting as a transparent reverse proxy solution which captures credentials and session cookies,” according to a blog post by Digital Shadows’ Photon Research Team. When users attempt to close these authentic sessions, Muraena is able to keep them open—without the users’ knowledge—and use the information it gathered to impersonate them, allow the extraction of additional data, and perform other actions on the attacker’s behalf. Despite the existence of these exploits, experts say users should continue to adopt multifactor authentication—including SMS —to prevent malicious actors from gaining access to their accounts. Doing this is better than doing nothing, says Tonia Dudley, CISSP, security solutions advisor for cybersecurity firm Cofense and board member of the National Cybersecurity Alliance—especially for email, bank, and social media accounts. “There’s a website called twofactorauth.org, and it lists websites and instructions to enable two-factor authentication,” she says. “Every website or app might have a different one— some will let you use a text or a Verisign account; sometimes they give you only one option. Enabling it is just a good idea.”
© 2019 ASIS International, 1625 Prince Street, Alexandria, VA 22314. Reprinted with permission from the January 2020 issue of Security Management.
February / March 2020
NZSM
29
INDUSTRY
How to use the attacker mentality for good According to Val LeTellier, chair of ASIS International’s Insider Threat Working Group, adopting the mentality of the attacker can prevent an insider and in doing so save up-time, reputation, jobs and embarrassment.
Society would be far less enjoyable if we all adopted an attacker mentality. Everyone’s first thought upon meeting someone new would be how to manipulate them for personal gain. Each encounter would be based upon the assumption that there are no rules of engagement, political correctness, manners, morality, or conscience at play.
Val LeTellier has three decades of risk management experience in the US public and private sector. He is chair of Insider Threat Working Group of the ASIS Defense & Intelligence Council and a member of the INSA Insider Threat Subcommittee.
30
Attackers are comfortable doing things that most people aren’t. They look for exploitable motivations and vulnerabilities to create self-serving situations. They are comfortable masquerading as someone else, building false relationships, and hiding the truth. For instance, attackers have no qualms about following your CFO home to collect personal information, booking a room on your CEO’s hotel floor and “getting to know” him or her at the hotel bar to collect details about the company, sending your IT staff cool gifts laced with malware, or even using Facebook to send your kids a malicious link hidden within a game. These guys are different. They take it up a notch or five. But what, exactly, sets them apart? Singular mission focus. Professional attackers are not distracted by what is happening on the side lines; they focus exclusively on mission achievement. They are not constrained by administration, bureaucracy, or budget, and they do not make decisions by committee. They know what they want, and they go for it.
If you ever wanted to know the comprehensive list of valuables you have access to, just ask an attacker. They will know because they are always sizing up people and opportunities for personal gain. You may be surprised by what attackers consider valuable and why. It may sometimes be as obvious as money or intellectual property, or it could also be other items. In today’s world, opportunities for financial gain are much broader than before. Attackers may seek different items, depending on whether they are thieves, conspirators, leakers, discontents, or opportunists. One’s reputation, relations, personnel, speed of business, and mental wellness can be targets for specific attackers with specific agendas. Using data as an example, the cybersecurity “CIA Triad” of confidentiality, integrity, and availability tells you that theft is not the only threat—an attacker could also harm your organisation by clandestinely disrupting your data integrity or denying you or your customers access to your data. Patience Ever found yourself in the right place at the right time? Whether we attribute it to luck or serendipity, most of us also seek to create those situations for ourselves in our daily personal and professional lives, but our results are usually hit or miss. We simply can’t be in all the right places just waiting for the right time to come around. But that is exactly what an attacker does. In the cybersecurity world, digital “honey pot” websites allow attackers
February / March 2020
to lie in wait for unsuspecting victims to come to them. In the physical world, attackers tailgate by loitering near a door to a facility and following someone with legitimate access into the building. Their greatest advantage is your greatest challenge: the attacker only needs to be right once, but defenders must be right all the time. Nonlinear thinking While most people see a direct line between points A and B, attackers often look at how points D and F can get them to point B. They see patterns and then figure out when those patterns stop applying. They find the edge between “yes” and “no” and test how sharp that edge really is. They ask open-ended questions, begin with more than one premise, make deductions, and then infer ways forward. If that path is blocked, they repeat the process from the beginning. Attackers seeking weaknesses in software exploits often follow this process; the program is viewed holistically, leading to specific premises, deductions, and inferences that point to security gaps. This linear thinking is applied within each phase of their attack: performing reconnaissance, scanning and enumerating, gaining access, escalating privilege, creating redundant access, and covering their tracks.
February / March 2020
Attackers look at problems without blinders. They see the complete picture and never rule out an implausible option if it could help them achieve their goal. Defenders face the immense challenge of shutting down paths they can’t conceive of in the first place. Backward reasoning Attackers visualize their goal and work backward, which allows them to identify all possible accesses and paths, especially ones unidentified and unprotected by defenders. Known by various terms (backward chaining, reverse engineering, purposeful task analysis, retrograde analysis, or backward induction), backward reasoning is a well-recognized methodology. Before Amazon designers and developers start a new project, they write a hypothetical press release from the future, celebrating the success of a product. From there, they determine what needs to be done to get to that point of success. And it is the second of Stephen Covey’s Seven Habits of Highly Effective People, “Begin with the end in mind.” In 2006, retail giant TJX Companies Inc. (TJX), experienced two notable examples of attackers working backward from the company’s lucrative customer record data. Attackers used in-store job application computer kiosks to deploy malware through mouse/
printer USB ports, turning the devices into remote terminals with access to the main network. The firewalls on TJX’s main network weren’t set to defend against malicious traffic coming from the kiosks. Months later, attackers accessed an improperly secured Wi-Fi network from the parking lot of a Marshall’s store in St. Paul, Minnesota, and exploited the deficiencies of the aging Wired Equivalent Privacy (WEP) wireless security protocol. More than 45 million records of customer payment data and untold revenue were lost. By any means necessary Although attackers maintain a singlemindedness in their focus, this does not mean they limit themselves to a single vector or approach. They use whatever works, whether it is within the virtual, human, or physical domains. What the average defender defines as “all possible attack vectors” is almost laughable to someone who has no rules. The Attacker Mentality at Work The attacker mindset and approach were showcased in an attack against a major oil company in 2014. Unable to breach the company’s computer network, attackers instead injected malware into the online menu of a Chinese restaurant popular with employees.
NZSM
31
A great example of social engineering is a 2007 attack on Antwerp’s ABN Amro Bank. No one knows his real name, but the staff knew him as Carlos Hector Flomenbaum. He billed himself as a successful businessman, and he had frequented the bank for at least a year. The bank’s employees loved Flomenbaum. He brought them chocolates, talked to them about non-diamond-related matters, and ultimately won their trust to the extent that he was given VIP access to the vault. One night in March 2007, he let himself in, broke into safety deposit boxes, and walked out the front door with $28 million in diamonds. The bank had a $2 million security system. Flomenbaum has yet to be caught.
When workers browsed the menu, some were socially engineered into unknowingly downloading code that provided the attackers a narrow foothold in the company’s network. From there, the attackers found an opening to create a company identification badge that allowed them to pose as an IT vendor and get physical access to the firm’s servers. This operation demonstrated attackers’ ability to exploit vulnerabilities across their operating environment, specifically within the digital, physical, and human domains. Understanding the interconnectivity and interdependency of these domains and the aggregated risk they pose is a critical first step in the development of an organisation’s risk mitigation strategy. The virtual attack surface The escalating amount of attention that the virtual domain receives is merited. Risk within the digital domain is already extremely broad and exponentially growing, ranging from a lack of operational security to bad policies to bad code to executives’ insecure home networks. In the rush to launch competitive products and the prioritisation of user convenience over security, manufacturers have often neglected necessary security safeguards. And thanks to our reliance on the Internet, attackers can now compromise almost anything—surveillance cameras, access control systems, microphones and cameras on smartphones and laptops,
thermostats, vehicles, and industrial control systems. The danger of combining an attacker mindset and widespread connectivity was exemplified in an attack against a North American casino in 2017. Using an Internet-enabled fish tank, attackers exploited sensors connected to a facility PC that regulated the tank’s temperature, food, and cleanliness. As a result, 10 GB of private data was sent out to a device in Finland. The security industry is most focused on the virtual attack surface, often developing automated digital countermeasures to identify a “silver bullet” solution. This approach addresses only part of the risk equation, and the effectiveness of each solution is reliant upon the diligence of those operating or engaging with the system. In the end, human behaviour can either reinforce or degrade security measures. The human attack surface Employees, trusted vendors, and partners represent potential weak links. Using social engineering, attackers exploit human nature to access facilities, networks, and valued items. They can create wellresearched and believable ploys to get what they need, incorporating techniques like pretexting, baiting, and quid pro quo. Social engineering is a serious discipline with serious consequences. At DefCon’s annual Social Engineering Capture the Flag event, the security practices and countermeasures of many top firms have been compromised by a talented attacker armed with just a phone.
The physical attack surface If an attacker can gain access to the premises, he or she can quickly access sensitive information—both through the network and in hard copy. Inadequate physical security controls can render most technical controls useless. Interestingly, while firms traditionally expended most of their resources for physical security, it is now far subordinate to digital defence. And this change would be more dramatic if it weren’t for the increasing attention paid to workplace violence. To penetrate physical defences, attackers collect data via open sources and create sophisticated approaches that manipulate access control though social engineering, badge cloning, and close network access. A well-used attack plan is the select placement of USB sticks labelled “payroll,” “sensitive,” or “personal” with embedded malware ostensibly dropped in public areas around a company. Well-meaning or curious employees will launch the attack themselves by connecting the USB to a work computer. Across all attack surfaces, the attacker mentality is characterized by function over form, exploitation of simple vulnerabilities, being noisy or quiet depending on operational need, aggregating bits of seemingly meaningless data, utilising unwitting or complicit surrogates, employing patience and gradual privilege escalation, creating backup access channels, and utilising burnable channels to erase one’s tracks. Part Two of this article will appear in the April issue of NZSM.
© 2019 ASIS International, 1625 Prince Street, Alexandria, VA 22314. Reprinted with permission from the September 2019 issue of Security Management.
32
February / March 2020
GUN BUY-BACK
Gun buyback over, prohibited weapons remain Police Minister thanks the 33,000 firearms owners who participated in the gun buyback following the expiry of the amnesty on 20 December, and reinforces need for proposed gun register. “The six-month firearms buyback and amnesty drew to a close last night and Police were processing some latecomers well into the evening,” Stuart Nash said.
“We are now moving to the next phase, to ensure firearms cannot fall into the wrong hands. This is the objective of the proposed gun register and tighter licensing system. We are not done with efforts to remove unlawful firearms from circulation. Around 60,907 prohibited firearms have been removed from circulation or are pending collection, including 56,250 handed in during the buyback or amnesty; 2,717 modified by approved gunsmiths, at government expense, to make them lawful; 1,577 prohibited firearms awaiting validation and collection from gun dealers; and 363 unique prohibited firearms are going through an independent valuation panel to determine compensation
February / March 2020
A further 2,874 applications for prohibited firearms to be modified by approved gunsmiths are still being processed. More than 194,245 prohibited parts have been handed in. This includes items like high-capacity magazines and pistol grips which can be assembled into working firearms. A further 3,499 unique prohibited parts are going through an independent valuation panel process for compensation. Approximately $102.2 million has been paid in compensation. Police also confirm they can account for 15,037 E-category firearms or military style semi-automatics held by 5,060 people, slightly higher than original estimates of 14,300 MSSAs. 9,532 of these have been handed in, and 4,277 have been retained by approximately 1,049 people such as professional pest controllers, bona fide collectors, gun dealers, museums, or others who notified their intention to hand in.
1,228 firearms are held by 851 people who Police have contacted or attempted to contact for follow up. This group has technical issues which need to be reconciled. Some firearms serial numbers are showing as already handed in but possibly by a different owner. Some owners are reported as deceased. Other people now report their firearms were lost or stolen and these are being reviewed or investigated. Every current licence holder registered with an MSSA has been contacted by Police. Gun dealers have gone through a separate process to members of the public. Dealers notify Police of their holdings which are then reviewed to ensure details are valid before compensation is approved. “The number of firearms handed in or still being processed is within the range estimated by KPMG, who provided independent advice to Police. “However Police have consistently warned the problem is we just don’t know exactly how many guns are out in the community. This is why we need a register, to enable Police to better track firearms. “Police are now preparing to follow up firearms licence holders who are known to still hold prohibited guns. My strong advice to these people is to voluntarily surrender them or face risk of prosecution, loss of licence and firearms, and five years jail. “Police will also keep up their focus on gangs and other criminals who unlawfully hold firearms. Around 1,800 firearms have been seized from gangs and other offenders since March, during search warrants, vehicle stops, and callouts to family harm incidents.
NZSM
33
INTERVIEW
Expert view: AI and the detection of insurance claim fraud NZSM sits down with Cara Carpenter, National Case Manager at ISACORP Corporate & Insurance Risk Solutions, to gain insights into the double-edged implications of emerging technologies for insurance fraud. NZSM: Insurance companies are moving full steam towards automated customer experience, this means moving from paper to digitised processes, real-time claims processing and generally greater use of technology. What are the risks in terms of claim fraud?
Cara Carpenter is National Case Manager for ISACORP Limited. An intuitive professional with multisector experience in financial fraud, customs and coronial investigations, she holds a Bachelor of Criminology and Criminal Justice.
34
CC: It is already noted in the USA that there has been an increase in insurance fraud since 2014, which coincides with the surge in insurance tech popularity. With automated processing, claim fraud can begin at the inception of the policy, as the information given is driven by the customer. Risk comes into it when this is automated and contained within standard parameters but without the ability to question or determine other relevant factors for risk and premium profiles.
An example is vehicle purchasing from a car yard. Registration, ownership, financial and insurance needs are automated and initially determined by ‘honest Joe’ the car salesman. Either no or bogus information and (intentional or not) lax fact checking, followed by three months of payments for legitimacy, and then a claim for a stolen vehicle in South Auckland. The fraudster is laughing all the way to his bank app. Money laundered or drug debt paid by vehicle or goods are services offered by local narcotics providers. The insurer may have little avenue to explore or recoup losses when the legitimacy of the client is not initially screened by insurance professionals. Automated claim processes look for flags inside or outside set parameters or
February / March 2020
business rules. However, with the advent of image and document manipulation technologies and digital identity theft, fraudsters can circumvent these controls. Service providers to the Insurance industry, for example, have used the automated windscreen repair claim system to defraud insurers and ultimately consumers. Healthcare providers and organised criminal gangs worldwide have used insurance related automation for fraudulent gain. Complex and involved frauds are difficult to identify and prosecute under manual fraud detection systems, especially when perpetrated by trusted professions and professionals. The automation of the claims process and the rules/parameters set can be used against insurers to commit on-going fraud. NZSM: In general, what do you see as the emerging trends in insurance fraud? Is the nature and/or incidence of insurance fraud changing? CC: Fraud in this sector is both fluid and constant in nature. The builder will still lose his tools out of the back of his ute when tax time comes around, however tech advances now put the cost of replacement in the tens of thousands with added business interruption payouts.
February / March 2020
With liability also in the mix in commercial insurance products, negotiated collusion between parties to obtain payment is emerging and, where possible, cultural barriers are exploited. New technologies can be exploited as new and emerging avenues for fraud. Insurance products are becoming more tailored to the evolving personalised needs of co-sharing, ondemand and increasingly tech driven consumers’ lives. To keep up, fraud detection analysis needs to be dynamic and evolving in its capability. Internationally, the rise of financial regulatory requirements against money laundering practices has seen emerging problems in large insurance fraud schemes. Additionally, shell insurance operations, senior care fraud, identity theft, cyber ransoming and catastrophic events are flagged as emerging problems. The detection of fraud is generally reactive to known threats, however the evolving and fluid nature of insurance fraud schemes today requires prevention strategies and industry-wide cooperation for real gains. NZSM: Automation will also see greater adoption of Artificial Intelligence technologies in claims processing. Can AI play a part in identifying possible fraud?
CC: Stephanie Taylor, Insurance AI Lead for Microsoft, explains that automation is allowing machines to perform repetitive monotonous tasks – e.g. a person doing exactly what they are told to do. AI, however, is mimicking the way persons think, say and do, but seeks patterns and insights from the data. She states that AI is a superintelligent worker. Automation is the documents, scanning, form filling and chatbots, but AI is for intelligent tasks where the ability to learn and adapt is needed, such as policy decisions and fraud identification. AI algorithms are currently being used to analyse large datasets to spot anomalies in claims and to extrapolate large scale fraud indicators. Visual analytics can be used to determine vehicle damage to repair cost accuracy. The use of cognitive and behavioural analysis of previous fraud schemes is used to detect deceptiveness in claims. However, as with all things tech, the identification is only as good as the data input, the depth and breadth of the data set and the data analyst who reads it. Internationally, AI has already demonstrated its usefulness as a tool for fraud detection using Insurtech partnerships. The AI Forum in New Zealand suggests this is a growth area in
NZSM
35
the sector, with 17 Insurtech companies established since 2017. Additionally, traditional insurers are establishing AI strategies throughout their businesses. There are challenges and barriers to this for the New Zealand sector, with large costs, expected failures, lack of inter-agency pathways and cooperation, and the need to upskill employees. Problems to be surmounted in this area are in the limited or internal datasets available, which can be skewed by systemic or unconscious bias and gender stereotyping. Additionally, the testing and learning stage required for this is a long process and can be fraught with false positives and, worse, failures leading to customer dissatisfaction. NZSM: How will such technologies, such as automated fraud detection, work in practice? CC: It uses rule-based learning to detect claims that indicate deceptiveness or the heightened risk of fraud. AI systems can learn rules that have been identified in previous insurance-related fraud schemes, and by using text and statistical analytics can examine assessor reports for anomalies. Efficient cross-referencing of internal and external datasets with traditional and standardised fraud rules identifies the probability of fraudulent claims by detecting unusual patterns that fall outside or inside the parameters of these rules. Then this data is input to make algorithms smarter. With the large amount of data we now produce, AI ‘supervised learning’ can analyse large data sets from banking data, etc. to provide more accurate personalised cover. This learning will also advance fraud detection.
36
Ben Fletcher of the UK Insurance Fraud Bureau states that frauds have common traits, and these can be determined by data-sharing and analytics. “The move from reactively looking at data and intelligence at a practitioner level to using analytical tools to proactively look for trends and patterns at an industry level,” he says, “has been the single biggest step forward from the IFB’s point of view”. NZSM: What anti-fraud technologies are emerging in the insurance sector? CC: IDC Financial Insights states that insurance is becoming more personalised, predictive and real-time. Emerging technologies will be using deep learning techniques to assess and predict fraud patterns. Natural language processing (NLP) uses phraseology and behaviour rules to detect the probability of fraud. In commercial and complex policies and claims, the use of NLP to harvest industry terms and meanings is emerging. Computer vision, which is next level image recognition, can learn the difference between a concrete or wood post pixel. Understandably, this tool will be invaluable for MV accident claims when real time assistance and assessment can be just an image sent to an app and dealt with by a chatbot. Early identification of fraud is the key to success. Emerging advances in facial recognition, fitness and health, geographic imaging and IoT data technology will all be used to detect fraud. Stephanie Taylor of Microsoft , for example, shares a strategy she developed in the claim resolution area where her client had a 20 percent grey area on car
claims where no one seemingly was at fault. By combining verbal explanations from customers and known data to a machine learning algorithm, they were more accurately able to determine the outcome of the grey area and reduced these claims to 3.9 percent. James Breeze, Digital AI Lead at AXA XL, states that photoshopped images can now be automatically detected. When a claimant sends a photo of their car damage, the app quickly assesses the damage and highlights any similar images from stock photos on Google or elsewhere, thereby detecting potentially fraudulent activity. He emphasises that AI acts as a very necessary tool between the customer and automated and efficient app-based claim processes. NZSM: Does fraud detection ultimately rely on the human touch? CC: While AI can flag a claim, an analyst is required to consider whether a false positive has occurred, and an assessor and investigator is required to compile any evidence of the fraud. Additionally, when large, commercial or complex losses occur, the customer is more likely to want to pick up the phone and speak to someone. New Zealand has a conservative insurance consumer base and customer trust in these new technologies will be a hurdle. Data protection and privacy concerns are strongly felt issues in New Zealand. As an investigator in this space, I can see no replacement for some of the instincts applied by claims handlers on bare or seemingly benign information. While AI is the future, it remains to be seen if these instincts can be keenly mimicked.
February / March 2020
CIVIL DEFENCE
Tsunami monitoring and detection system to be established Foreign Affairs Minister Winston Peters and Civil Defence Minister Peeni Henare announced in December the deployment of a network of Deep-ocean Assessment and Reporting of Tsunami (DART) buoys. “New Zealand and the Pacific region are particularly vulnerable to natural disasters. It is vital we have adequate warning systems in place,” said Mr Peters.
“DART buoys are the only tried and repeatedly tested technology that confirms the generation of tsunami waves before they reach the coast. This is particularly critical for unfelt earthquakes originating from the Kermadec trench.” “Until now, New Zealand has been reliant on a single, aging DART buoy. This is a shocking inadequacy that we have addressed with urgency,” said Mr Peters. New Zealand faces significant lifethreatening tsunami risk. New Zealand’s geographical and geological place in the Pacific, puts us at risk from many different tsunami sources, some may be generated and arrive at our nearest coasts in less than an hour. “We are establishing a network of fifteen DART buoys to provide early detection and support warnings for tsunami generated from the Kermadec and Hikurangi trenches right on our doorstep,” said Mr Henare. Deep-ocean Assessment and Reporting of Tsunami, or DART, buoys are deep-ocean instruments that monitor changes in sea level. They are currently the only accurate way to rapidly confirm a tsunami has been generated before it reaches the coast, which is particularly critical for unfelt earthquakes originating from the Kermadec trench. DART buoys detect tsunami threats by measuring associated changes in water
February / March 2020
pressure via sea floor sensors. They are capable of measuring sea-level changes of less than a millimetre in the deep ocean. Two-way communication between a DART buoy and a 24/7 monitoring centre allows rapid assessment of the potential threats. Early detection of a tsunami using DART buoys allows authorities to accurately provide early warnings to the public using a range of communication channels including Emergency Mobile Alerts. “This system will provide rapid confirmation if a tsunami has been generated, and will enable more accurate warnings of tsunami that can be communicated via public alerting systems like Emergency Mobile Alert,” said Mr Henare. “This is about saving lives – people are at the heart of what we do,” continued Mr Henare. GNS Science’s National Geohazards Monitoring Centre will support the
24/7 monitoring to receive, process and analyse the data from the buoys, and the National Emergency Management Agency will issue tsunami warnings and advisories to the New Zealand public. The DART buoy network will also provide tsunami monitoring and detection information for Pacific countries, including Tokelau, Niue, the Cook Islands, Tonga and Samoa. The establishment of the New Zealand DART Buoy Network is part of the Emergency Management System Reform, a range of initiatives aimed at improving the emergency management system. These include the establishment of a new National Emergency Management Agency and the establishment of the Emergency Management Assistance Team. Improvements to the consistency of warnings was prioritised in the Government’s ‘Ministerial Review: Better Responses to Natural Disasters and Other Emergencies in New Zealand’.
NZSM
37
EVENTS
SUBSCRIBE Readers of NZ Security include those working directly and indirectly in the domestic and commercial security industry. From business owners and managers right through to suppliers, installers and front line staff. Among our readers are IT security experts, surveillance professionals and loss prevention staff.
NZ Information Security Forum Meeting When: 7.30am, 13 February 2020 Where: University of Auckland Details: www.security.org.nz
NZSA Regional Visits When: 10-12 June 2020 Where: New Plymouth, Whanganui, Palmerston North Details: gary@security.org.nz
NZSA Regional Visits When: 13-15 February 2020 Where: Whangarei and Northland Details: gary@security.org.nz
NZSA Regional Visits When: 09-10 July 2020 Where: Christchurch Details: gary@security.org.nz
NZSA Regional Visits When: 09-10 March 2020 Where: Hamilton and Tauranga Details: gary@security.org.nz
Security Exhibition & Conference When: 22-24 July 2020 Where: Melbourne Convention and Exhibition Centre Details: www.ecurityexpo.com.au
World Border Security Congress When: 31 March 31 – 02 April 2020 Where: Athens, Greece Details: www.world-border-congress.com NZSA Regional Visits When: 06-07 April 2020 Where: Rotorua and Taupo Details: gary@security.org.nz National Security Conference When: 15-16 April 2020 Where: Massey University, Auckland Details: www.massey.ac.nz Asia Pacific Security & Innovation Summit When: 15-17 April 2020 Where: Copthorne Hotel, Queenstown Details: www.apsisummit.com/page/apsisummit-2020/ NZSA Regional Visits When: 13-14 May 2020 Where: Hawkes Bay Details: gary@security.org.nz
New Zealand Security Industry Awards When: 21 August 2020 Where: Christchurch Town Hall Details: www.security.org.nz CIVSEC 2020 When: 1-3 September 2020 Where: Brisbane Convention Centre Details: www.civsec.com.au NZSA Regional Visits When: 09-10 September 2020 Where: Wellington Details: gary@security.org.nz NZSA Regional Visits When: 08-09 October 2020 Where: Nelson and Blenheim Details: gary@security.org.nz NZSA Regional Visits When: 11-13 November 2020 Where: Dunedin, Invercargill, Queenstown Details: gary@security.org.nz
Our readers take their job seriously and make an active choice to be kept informed and up to date with the industry. For only $75.00 plus GST you can ensure that you receive a 1 year subscription (6 issues) by filling out the form below and posting to: New Zealand Security Magazine 27 West Cresent, Te Puru, 3575 RD5, Thames, New Zealand or email your contact and postal details to: craig@defsec.net.nz Mr Mrs Ms________________________ Surname_________________________ Title_____________________________ Company________________________ Postal Address____________________ ________________________________ ________________________________ Telephone________________________ Email____________________________ Date_____________________________ Signed___________________________
NZSM New Zealand Security Magazine
38
NZSM
February / March 2020
Power supply cabinets • Mounts for our 5 most popular models of power supplies; 6 key-hole anchor points for easier mounting • Lift off hinged doors for added convenience
total reed switch
• Louvre ventilation on doors • Roller ball reed switch provides anti-tamper to front and rear of cabinet
solutions from Flair
• 6 x 25mm knockouts, 2 each sides and bottom • Medium cabinet holds 5 x 7 A/h batteries
Choose from Closed Circuit or SPDT. Listed options will suit Standard doors, Steel doors, Roller doors
• Large cabinet holds 14 x 7 A/h batteries • Cam lock for security • Front lip to retain batteries and for additional strength
• Lip return on door for greater rigidity • Durable powder coated white finish in N Z •
Lo
ic Prod ron uc •D
,T
es
uc
ed
e s i gned
and Pr od ted
Designed, tested and produced in New Zealand.
kt
ts
• Heavy gauge 1.2mm steel
for power supplies
Specials available to order.
With 30 models in stock, make Loktronic your go-to supplier. Fully monitored Powerbox brand security PSUs in 12 VDC from 3.5 A to 20 A and 24 VDC units from 5 A to 12 A. We have Meanwell DIN rail PSUs in 12 & 24 VDC from 20 - 100 watts, with optional battery charging. Inline, Plug packs and DC/DC converters round out this great range.
Flair reeds from Loktronic: an unbeatable combination.
Power supplies from Loktronic – a Powerful Deal.
• Surface mount • Press fit • Self adhesive tape or screw mounting • Flying leads or screw terminals • Standard and wide gap • Stubbies • Mini flange • Sub miniatures • Pull aparts • Clamp ons • Overhead doors with offsets
• Removable shelf and removable back plate to facilitate easy bench mounting of equipment
Loktronic
R
R
ISO 9001:2015
ISO 9001:2015
REGISTERED COMPANY
REGISTERED COMPANY
Certificate No. NZ1043
Certificate No. NZ1043
20238_PSC
Loktronic Limited Unit 7 19 Edwin Street Mt Eden Auckland P O Box 8329 Symonds Street Auckland 1150 New Zealand Ph 64 9 623 3919 Fax 64 9 623 3881 0800 FOR LOK www.loktronic.co.nz
Unit 7 19 Edwin Street Mt Eden Auckland P O Box 8329 Symonds Street Auckland 1150 New Zealand Ph 64 9 623 3919 Fax 64 9 623 3881 0800 FOR LOK www.loktronic.co.nz 20237.FL.2018
Loktronic
Unit 7 19 Edwin Street Mt Eden Auckland P O Box 8329 Symonds Street Auckland 1150 New Zealand Ph 64 9 623 3919 Fax 64 9 623 3881 0800 FOR LOK www.loktronic.co.nz 20757_BP.2018
Loktronic
Power
Power
distribution module
distribution module
key switches Two functions are available Momentary or maintained contact (specify when ordering) This 6, 8 rated or 10 way Distribution Module Switch at 6APower @ 28 VDC will drop power to akeyed group of doors when signaled Supplied random byRe-key a fire alarm and key has at individual fused power or master any locksmith supply lock. LED lights when fuse fails. Front to or each rear fixing Red and black terminals distribute from PSU orApplications battery to load. Access control, air-conditioning, lifts, lighting etc Comprises • DPDT 12 or 24 VDC Fire Drop Relay New options with this versatile product • 6, 8 or 10 fused terminals with LED supplied loose • 2Key Redswitch Terminals bracket • 2Mounting Black Terminals Escutcheonon DIN Rail • Assembled Mounted on PDL plate with alloy cover • All Terminals Labelled
Loktronic
for gate locks
For the widest range range of applications, see our IP67 rated Loktronic and Loktrenz electromagnetic locks with optional brackets to make fitting a breeze.
ic Prod ron uc •D
in N Z •
kt
Comprises • DPDT 12 or 24 VDC Fire Drop Relay • 6, 8 or 10 fused terminals with LED • 2 Red Terminals • 2 Black Terminals • Assembled on DIN Rail • All Terminals Labelled
ts ,T
es
uc
ed
e s i gned
Outdoor and Gate Locks from Loktronic - a smart choice.
Lo
We have strikes by FSH and eff-eff, Rim locks by CISA, plus specialty roller door locks.
This 6, 8 or 10 way Power Distribution Module will drop power to a group of doors when signaled by a fire alarm and has individual fused power supply to each lock. LED lights when fuse fails. Red and black terminals distribute from PSU or battery to load.
Designed,tested testedand and Designed, producedininNew NewZealand. Zealand. produced
Designed, tested and produced in New Zealand.
and Pr od ted
R
ISO 9001:2015
REGISTERED COMPANY Certificate No. NZ1043
Unit 7 19 Edwin Street Mt Eden Auckland P O Box 8329 Symonds Street Auckland 1150 New Zealand Ph 64 9 623 3919 Fax 64 9 623 3881 0800 FOR LOK www.loktronic.co.nz 20756_BP.2018
R
R
ISO 9001:2015 ISO 9001:2015 REGISTERED COMPANY
REGISTERED COMPANY Certificate No. NZ1043 Certificate No. NZ1043
Unit Edwin StreetMtMt EdenAuckland Auckland Unit 7 71919 Edwin Street Eden PO Box 8329Symonds Symonds StreetAuckland Auckland1150 1150New New Zealand PO Box 8329 Street Zealand 9 623 3919Fax Fax 9 623 38810800 0800 FOR LOK PhPh 6464 9 623 3919 6464 9 623 3881 FOR LOK www.loktronic.co.nz 21636.KS.2018 www.loktronic.co.nz 20239.2018
R
ISO 9001:2015
REGISTERED COMPANY Certificate No. NZ1043
Unit 7 19 Edwin Street Mt Eden Auckland P O Box 8329 Symonds Street Auckland 1150 New Zealand Ph 64 9 623 3919 Fax 64 9 623 3881 0800 FOR LOK www.loktronic.co.nz 20239.2018
From
, a cleverly designed,
Motorised Hook Lock to simplify electric locking of sliding doors. Available now from Loktronic. HL1260 • Up to 650 kg holding strength for the toughest jobs • Motor driven hook captures roller on strike plate • Recessed or surface mounting for easy fitting to most door types • Fail Safe/Fail Secure field changeable for simplicity • Accepts 12-30 VDC • Door Position Switch • Hook Position Switch • Tested to 400,000 cycles for durability • 5 year warranty for peace of mind
Also from FSH, the expertly designed
VE Lock
sets
new standards of reliability. VE1260 • 1,000 kg holding strength… ideal where high security is needed • Release with up to 35 kg pre-load makes for easy unlocking • Field changeable between Fail Safe and Fail Secure • Accepts 12-30 VDC • Door and Lock status monitoring for total status reporting • Radiused and square edged models suit new installs and upgrades • Can be installed horizontally, vertically and into surface mounted housings • Pre-taped housings make for simple installation onto frameless glass • Special wide V strike plate allows for up 12 mm door offset
Loktronic Limited Unit 7 19 Edwin Street Mt Eden Auckland P O Box 8329 Symonds Street Auckland 1150 New Zealand Ph 64 9 623 3919 Fax 64 9 623 3881 0800 FOR LOK mail@loktronic.co.nz www.loktronic.co.nz
16078. REV 11.17
These fine products from world leaders in electric locking design, FSH, are proudly stocked and supported by NZ’s leading authorized distributor,