A Security Perspective on the Connecticut Shootings

Given the horrible tragedy that took place yesterday in our nation, I have been giving a lot of thought to how to mitigate these shooting incidents. Given the fact that my career has been centered around protecting company resources and putting plans, processes, and procedures in place to respond to security incidents, I thought I would provide a similar approach for dealing with school shootings.

It’s important to note that when I’m referencing “assets” I’m referring to the victims involved in the given incident. Please do not take this as an insensitive term to those victims; it’s just easier as a point of reference. I would also point out that I have two boys (12 & 8) that could have just as easily been victimized as those from yesterday’s incident. When I use the term “threat vector” I’m speaking mainly of the perpetrators involved in the shootings.

To keep things simple for those not acquainted with Information Security concepts, I’m going to break my recommendations into two main headings: Access Control and Incident Response.

Access Control

1. Authentication – This is the means by which we identify who a given asset is, in order to control what that asset has permission to do and what resources that asset has permission to access. The fundamental question that needs to be answered here is, “Who are you?”.

Recommendation: Our school systems need to put security controls in place that enforce authentication checks for all staff and students within our school systems. This would take the form of a badge swipe system implemented on every entry point within the physical boundaries of the school system. Minimally this should be placed on all entry points into the building and on each classroom door.

2. Authorization – This is the means by which, once the authentication question (“Who are you?”) has been answered, we determine what the given asset has access to. The fundamental question that is asked with authorization is, “What are you permitted to access?”.

Recommendation: Our school systems need to implement authorization controls to control who has access to what areas of the school buildings to minimize the threat vectors that can be exploited. For example, I think it would be entirely plausible for teachers to have authorized access to all of the classrooms, but not every student should have access to every classroom.

Incident Response

In the six steps that are to follow I will at times be making reference to the Access Control section. This is because in a number of areas the success of your response to a school shooting incident depends on your Access Control system.

1. Preparation – The fundamental success of any incident response plan lies in preparing for known risks that could turn into incidents. Given the number of incidents that this nation has been affected by, I think this is the area that is lacking the most. Without access controls, how are you going to prepare for the next shooting incident?

Recommendation: Our school systems need to create preparation plans for responding to a shooting incident. This will be radically enhanced if adequate access controls are in place.

2. Identification – The next step in the incident handling process is identifying the source of the incident. Without being able to identify the threat as it happens you will not be able to respond.

Recommendation: Our school systems need to be able to identify the threat vectors as they are occurring to minimize the number of casualties.

3. Containment – Containment has to do with isolating the threat vector that is responsible for the incident. The goal is to minimize the damage that is occurring as much as possible.

Recommendation: Our school systems need to be able to contain the threat vectors as they are occurring. Yes, getting the kids and staff out as soon as possible is probably the best method for the current system, but with fully implemented access controls containment processes will most likely need to be modified.

4. Eradication – No surprise here, the threat needs to be removed from the environment one way or the other.

Recommendation: I think our law enforcement agencies get a good grade on this one. The only change I would like to see is to have at least one security officer dedicated to each school to start the eradication process prior to law enforcement’s arrival.

5. Recovery – This has to do with getting things back to normal within the environment.

Recommendation: Our school systems should have a variety of services available to console the victims that were affected by the incident and to get the school back in working order.

6. Lessons Learned – The entire sequence of events relating to the incident needs to be reviewed and graded based on how things were handled.

Recommendation: Our school systems need to review every shooting incident that occurred to determine the effectiveness of the response and how to improve it.

I do recognize that, with what I have proposed, a significant amount of money will need to be invested by the state into our school systems to provide these controls. Given the current budget crisis of nearly every state in our union, the only alternative I can see is for each state to get federal funding to charter a national campaign to protect our school systems from the next incident.