Active Shooter: Real world stories about lockdowns in schools saving lives.

By David Strickland, Vice President of Kenton Brothers

On November 14th, 2017 at 7:30 am, shots ring out near Rancho Tehama Elementary in Northern California. It’s an all too familiar but tragic scenario these days. One moment children are playing on a full playground, the next, panic, confusion and the succession of two more shots. This time however, the outcome is different than some of the other school shootings you may have heard about.

The staff members of the elementary school went into lockdown mode and followed the procedures they’d practiced and drilled multiple times. The staff knew what to do, and they did it in the face of true and present danger.

The secretary immediately sent out the signal for LOCKDOWN. 

Students were rushed into the building by staff members. Family members still present in the school yard were corralled by school support personnel. Teachers and staff members locked their internal doors and barricaded external doors. They huddled in their rooms away from the windows and out of the line of sight of the shooter. Hugging each other and the most solid wall in their classroom for safety.

Within seconds, two-thirds of the school was in lockdown. And then the shooter drove his pickup truck through the school fence and barreled toward the front entrance. The school custodian was busy getting parents into the school. He paused to look and see how far away the shooter was and, “looked the shooter in the eye as the shooter shot at him.” After the shot rang out, “The shooter was struggling with his weapon at this time. The gun appeared to be jammed, and he was having trouble loading ammunition.”

The gun jamming bought the staff, kids and parents precious seconds to finish their lockdown procedure. Everyone made it inside and all access to the school rooms and offices was now secure. The shooter, now fully loaded, entered the middle quad of the school 8 seconds later.

“The school secretary recognizing the threat made all the difference between 100 kids being around today and dozens being shot or killed. Those eight seconds were critical!”

The shooter was angry and frustrated and began to shoot into the classrooms and offices. In between shooting, the gunman tried to get into classrooms and the main office, but was unable to gain entry. He checked the bathroom, which was open but empty.

One 6 year old child was injured but survived and no one was killed. Six minutes after the shooting started, the gunman drove away. Hundreds of lives were changed forever, but everyone survived.

The Rancho Tehama Elementary School staff had practiced drills and executed lockdowns before, so even though they’ve never had an active shooter on campus, they knew what to do. It had become second nature.

The superintendent said, “The lockdown procedure was implemented flawlessly. The reason that we have a situation where I have one student injured on campus and nothing worse happening on campus is because of the heroic actions of all members of my school staff.”

Oxford High School in 2021

The same techniques and lockdown training were used in Michigan at Oxford High School on November 30, 2021. Just after lunch, shots rang out inside the school in the main hallway. A 15-year-old student opened fire on his classmates. School staff, students and parents in the school that day followed the LOCKDOWN call and began to follow their training. “They had drilled this exact scenario so much that everyone knew exactly what to do next.”

In the hours after the shooting outside Detroit on Tuesday, Oakland County Sheriff Michael Bouchard said that without the measures taken by students, the tragedy would have been worse. “It is also evident from the scene that the lockdown protocols, training and equipment Oxford schools had in place saved lives.”

David Riedman, lead researcher on the K-12 School Shooting Database, said that the lockdown procedures that were deployed in Oxford, in which students sheltered and stayed out of sight, “absolutely saved lives.” The training that appeared to be on display in Michigan is similar to what students all over the country are taught, he said.

LOCKDOWNS took on new meaning during the heights of the COVID-19 Pandemic. 

In the physical security world, lockdowns mean locking down a building so that no one can enter or leave for a period of time. The location stays locked down until an all-clear signal is given. This seems like a pretty straightforward premise. It is – IF you plan correctly and have the right systems and procedures in place to make a LOCKDOWN effective.

Kenton Brothers uses several access control platforms to make it easy and quick to lock down a school. When a panic button is pressed, all the school doors lock. And alarms and mass communications go out audibly through speakers and electronically through mobile devices and computers throughout the school.

One of our manufacturers, Gallagher, allows you to not only lock down the school, but also send out emergency messaging to any staff members or parents who are not at the school. This would allow them to stay away or help support police in their efforts to bring the situation under control. Gallagher also has the ability to remotely muster or check off each person from a pre-determined list to be sure 100% of the people on-site are accounted for. This is a powerful benefit in the aftermath of these incidents.

Police can also remotely operate IP surveillance cameras in the building to gain situational intelligence on the location of the shooter and the direction they’re headed. This is just one example of how these security systems can help support the training, processes and procedures during a Lockdown situation.

Kenton Brothers Systems for Security helps guide schools and other entities through the process of identifying risks around active shooters and the techniques in protecting your people, property and possessions. Kenton Brothers’ qualified consultants will perform a no cost physical security assessment with recommendations for security system components, processes and procedures that will help prepare your staff. Just give us a call.

Additional Resources

CISA K-12 School Security Guide, 3rd Edition

Verkada – A New Standard for Enterprise Security?

By Kevin Whaley, CPP, Sr. Security Consultant at Kenton Brothers

Verkada is one of the newest and fastest growing security system platform providers on the market. Their mission: to modernize enterprise physical security. Verkada prides itself on being a complete solutions provider, offering a suite of connected security devices that provide the user with a complete picture of the safety, security and even health of their environments. From access control, video surveillance, intrusion detection and environmental sensors, Verkada offers complete situational awareness for its users through a single, very user-friendly platform.

But wait… ANOTHER company that claims to offer a “complete” enterprise solution?

We’ve all heard that before. I typically don’t “rave” about a specific product but rather, I always try to find the solution that I believe will meet my client’s needs. By offering various options and products, I make sure that the customer has all the info they need to make an informed decision.

Then why, you may ask, am I talking about Verkada? What makes them so different? Well, let me learn ya a thing or two.

I have to admit, when I first heard about Verkada, I was VERY skeptical and thought there was no way they could live up to what they were promising and I put them out of my mind. Then I started at Kenton Brothers and really got the opportunity to see Verkada systems in action in the field. I’ve been able to play around in the system myself. I’m pretty tough to impress, but after some time and experience, I’m a big fan!

Now, are they a good fit for everyone? Absolutely not. Are they a good fit for many? Absolutely! It’s an investment, but that is offset by the quality of their products, operating platform and ease of use.

Verkada Command

Verkada Command combines video, access control and sensor insights across your organization into a cloud-based solution. Cloud-based… meaning no more expensive servers to maintain or replace! That’s a plus. It is infinitely scalable so you can add as many devices as you need. Maintenance? Forget about it! Automatic updates are continuously delivered to make sure you’re equipped with the latest and greatest features and enhancements.

Verkada can provide a range of cameras from domes, bullets, minis and fisheyes. The cameras also come equipped with built in storage that can store anywhere from 30-365 days of video history. That means, even if your network or internet goes down, cameras are still recording.

Access Control

The access control system is great too! Each door controller is built with its own onboard processing and storage so teams can quickly configure and manage all doors. It’s easy to set up, allows you to manage access remotely, and lets you connect your organization’s Active Directory solution to seamlessly manage credentials being added and removed. (Another plus, their door controller multi-format card readers support low and high frequency card formats.) As of now, Verkada only offers 4-door controllers, which means that if you have 16 doors, you’ll need to get 4 controllers. However, larger controllers are in development.

Intrusion Detection

Need intrusion detection? They’ve got that covered, plus a lot more. No more need to purchase and install multiple sensors that only do one thing. Get one sensor for motion, noise, and even environmental data like temperature, humidity, air quality, vape detection, PM2.5 and TVOCs. (If you don’t know these terms, we should probably talk…)

All of this is instantly integrated, allowing all the sensors, cameras and doors to communicate with each other, making your ability to maintain situational awareness much more efficient. I’ve personally experienced the frustration and time consuming effort it takes when you’re trying to find records or reviewing hours of video to find a specific 2-3 second clip. Verkada takes all that frustration away with all of its capabilities.

They even offer 30-day trials for some of their products. Want to give Verkada a try or see it in action? Give us a call!

Red Team Testing: It’s the 1992 “Sneakers” movie in real life in 2022.

By David Strickland, Vice President of Kenton Brothers

The 1992 movie Sneakers, starring Robert Redford and Dan Aykroyd, was about a Red Team that was hired to break into companies all over San Francisco.  They were hired by the same companies they were trying to break into. This was done to test their security measures (both Physical and Cyber) – What we like to call “convergence” these days.

Robert Redford’s Red Team was made up of both physical security experts (a thief and a federal agent) and cyber security experts (a hacker and electronic technology expert). Their mission was to test and penetrate the defenses of the target company to point out any weaknesses. If vulnerabilities were found, the company could shore up their defenses and make their company more secure.

Fast forward 30 years to 2022. The Red Team Testing technique is still in full swing.

Red Team Testing is still the pinnacle of testing your security systems so that you can determine your risk of exposure. The Red team will look at every aspect of your convergent security systems and create a detailed report on your weaknesses.

Red Teams ask the question – What would happen if your company was faced with some of the following scenarios?

  • Active Shooter
  • Cyber Attacks (Internal and External)
  • Industrial Espionage
  • Theft (Physical, Digital, Intellectual Property)
  • Sabotage
  • Power outage
  • Mass Casualty event (Weather, explosives, Chemical)
  • Pandemic
  • Work Place Violence

Here are a few of the techniques Red Teams will use to test your company’s exposure level:

Physical Security Penetration Testing:

Red Teams will test physical penetrations with your company’s physical assets (buildings, vehicles, networks, people) and measure the company’s response and how long it took to detect and act on those tests. They will measure the effectiveness of your policies and procedures and how they affect your deterrence and detection systems.

The Red Team will pose as employees or service providers to gain access to your company’s inner workings. They may also attempt to break in to see what is possible and if they get caught. They’re looking for assets they can compromise and gain access to while on the inside.

Did your coworker leave proprietary information on a white board for all to see? Did everyone sign out of their workstations? Are your access control doors propped open for easy access? If someone unplugged one of your surveillance cameras and plugged it in to their laptop, could they gain access to your network? Can they connect a thumb drive to your server? Could they sneak a weapon in? Have all of your Internet of Things (IOT) devices had their default usernames changed? The list is long.

Cyber Security Penetration Testing

Where physical penetration testing might seem like a hammer, think of cybersecurity testing as a scalpel. Red Teams utilize web application attacks, such as cross-site scripting, SQL injection, piggybacking and backdoors, to uncover a target’s vulnerabilities. Testers then try to exploit these vulnerabilities. These types of risk include stealing data, intercepting private/confidential traffic, asset discovery, exploitation and complete shutdown. As we all have become aware, Ransomware is a true and present threat to every size of business.

In the complex cybersecurity landscape, penetration testing has become a must for most industries. In many, in fact, it’s required by law.

For instance:

  • Health organizations ensure healthcare data security under HIPAA
  • Financial institutions test for FDIC compliance
  • Businesses accepting or processing payment cards must comply with Payment Card Industry standards
  • Critical infrastructure entities must follow guidelines outlined by NERC

Even businesses that might think they don’t have any valuable information to protect could be at risk of someone trying to take over the network, install malware, disrupt services, and more.

The End Game

What does all this sneaking around mean and why should you care? Red Team Testing allows you to identify and exploit your security weaknesses without the impact of debilitating consequences. From a Red Team’s report, you can adjust your response to the threats that you see as your biggest exposure. You’ll have the ability to identify specific weaknesses and the best approach for shoring them up.

Breaches Happen Every Day – Here’s an example.

One story about a Red Team that comes to mind was about a team that created malware laced thumb drives. And they labeled them with the contracted company’s logo to make them look official. The Red Team followed several employees to a local convenience store and would drop these thumb drives by their car door when the employee would enter the store. When the employee would come back, they would see the logo and thumb drive and assume they had dropped it. They would dutifully pick it up and bring it back to work with them. Curious about what was on the thumb drive, they would insert it in the USB port on their workstation and physically introduce malware to their cyber network. Game over.

This is a great representation of the techniques a red team employs to gain access. They used social engineering to “hack the employees” and defy the policy of no outside USB connections on the network. It seems innocent enough to the employee, however the vulnerability was able to exploit the banking information of a large regional bank. Fortunately, this was a test. Only a test.

Security Systems and Processes have the best chance for success when they’re working in unison. You may have the best security system in the world, but if you forget to arm it, it’s useless. Red Team testing allows you to test both systems and processes.

Interested in how this testing could help your organization? We can help! Please reach out today and we will discuss exactly how Red Team testing can increase the protection of your business.

Is anyone really monitoring your security activities? You’ve invested so much…

By Kevin Whaley, CPP, Sr. Security Consultant at Kenton Brothers

Prior to the September 11 terrorist attacks on the World Trade Center and the Pentagon, the most significant threat to the United States was the former Soviet Union. At that time, governments believed that only foreign state actors or representatives posed a significant threat to national security. Security measures were based around this belief that a great security threat only existed in the form of state actors, putting the responsibility for security into the hands of the government.

Today the threat of attacks and their intended targets has expanded to not only government entities, but private organizations as well. These attacks have evolved from identifiable state actors, to adversaries with no state affiliation. The conflicts of today are no longer fought on open battlefields – but instead fought daily against adversaries who are not easily identified. Similarly, much like our adversaries have evolved, so have their tactics. When new protection measures are implemented, adversaries adapt their tactics, and so the cat and mouse game continues.

Goals of a Security Program

The importance of an Annual Security Audit

The goal of any security program is to deter, detect, delay, and respond as efficiently and effectively as possible. To ensure this, organizations must regularly re-evaluate their security programs to ensure that they are staying up to date with current technologies, best practices, and the modus operandi used by adversaries. Failure to do so will only increase the vulnerabilities and risks to the organization. It is current best practice, and recommended by security professionals, that a security assessment be conducted annually to assist in ensuring your organization is mitigating risks or minimizing the consequences.

Unfortunately, there is no “one-size-fits-all” approach to conducting a security assessment. Depending on your industry, there may be minimum standards that must be met, which can assist you in development and evaluation of your security program. However, each assessment must be tailored to each organization’s unique operating environment.

The basics of any security assessment should consider items including but not limited to:

  • Policies
  • Processes/Procedures
  • Crime Analysis
  • Historical Incidents
  • Critical assets
  • Threats
  • Vulnerabilities to those threats
  • Risks associated with threats
  • Security systems operational capabilities
    • Access Control
    • Video Surveillance
    • Intrusion Detection

Annual Security Evaluation

Conducting an annual evaluation of at least the aforementioned can help your organization ensure that your security program is operating as intended, identify areas for improvement, and stay up to date with industry best practices. These assessments can typically be completed by in-house security personnel or by third-party consultants.

In-house assessments are beneficial since in-house personnel typically already have the institutional knowledge and may know what the issues and/or possible solutions are. However, the old adage of “if it’s not broken, don’t fix it” usually comes into play. In-house assessors may be “complacent” during the assessment. I don’t mean that they get lazy or lack attention to detail but rather, have a higher probability of overlooking potential issues simply because they are used to it or “That’s how it’s always been,” or “Well, that type of incident will never happen here.”

An example to consider…

My favorite example of this exact scenario playing out comes from when, while working for a former employer, we were attempting to sell a consulting project to a client. During one of our meetings, one of the executives stated, “I don’t know why we need to do this assessment. Nothing has happened here and really what are the chances of [incident] happening?” Less than two months later, that exact incident occurred. The next week, I received a call from the same company, asking us to please do the assessment. The security leadership already knew a lot of what we explained in our report, but recognized quite a few issues that they had been overlooking for years.

Additionally, in-house assessments may typically have a harder time getting buy-in from management or the executive team. An outside consultant can assist in providing an outside perspective. They are able to look at the program with a fresh set of eyes and identify issues that may have gone previously unnoticed. Additionally, a consultant can offer substantiation to the findings and recommendations. Not only should a thorough assessment contain “findings” and “recommendations” but should also explain the why and how behind them and how they can be harmful or beneficial. Consultants can also offer insights into similar environments and experience from other industries.

Vetting Security Consultants

It is just as important to thoroughly vet any potential consultants as it is to conduct a proper security assessment. Professional security consulting services should be completely technology and product agnostic. Look for consultants with professional designations (i.e. CPP, PSP, CSC). These show that the professional stays up-to-date with the latest best-practices through continuing education and can provide unbiased, objectively based information to the end user. Make sure to identify other assessments they’ve done, ask for references, and even a sampling of their work so that you can gauge the quality of the assessment and report.

The assessment report identifies the findings and recommendations of the assessment. This is the meat and potatoes of the report and in my opinion, the most important. The content and level of detail of the report will be based on the scope of work. This report tells the story of the security posture. This is meant to be a medium to communicate to the management/executive team or decision makers. The report should be answering who, what, where, why, and how. I did not include “when” because the occurrence of a future incident can’t be determined. If we could predict a security incident, we security professionals would be out of a job! Each “finding” should be clearly defined in the report and details of what the finding is, why it’s bad, how an adversary may take advantage, and potential risks. Similarly, each finding should be followed by a recommendation(s) to mitigate. Again, this should also include what, why it’s beneficial, and how it may improve security and mitigate the finding. I emphasize “may” because unfortunately, nothing is 100% preventable. A truly determined and dedicated adversary will find a way. In other words, show me a 10’ fence and I’ll show you an 11’ ladder.

These detailed narratives again are used to tell a story and should help to obtain buy-in needed. The report may truly be the “make or break” factor in making decisions regarding security program changes.

While conducting an assessment, part of my responsibilities included reviewing previous assessments that were completed for an organization. What really struck me was the overwhelming lack of detail and reasoning in the report. For example, a “finding” in the report stated, “The parking lot is not sufficiently illuminated.” And the recommendation was, “Recommend install more lighting in parking lot.” Wow!

Types of Security Recommendations

Not only are the details of the report important, but just as important are the types of recommendations. There are numerous people who claim to be a “security expert” or “consultant” when in reality they may have little to no experience in this field. Or they may be trying to sell you their own products and their recommendations are based around what products/services they offer as a company. This can lead to unnecessary recommendations, which can mislead the client and may cause them to spend lots of money on something that may not truly be needed.

Sometimes, the best solution may be a simple one. Not everything needs to be solved with technology or a person. Sometimes, the best solution is possibly an administrative change. Maybe something can be mitigated with a new policy or procedure, training, or just a simple discussion. Again, sharing an example from my experience, during my time with a previous organization and during my initial assessment, I noticed that there was security technology installed in places that were completely unnecessary or used inappropriately. A fifth-floor balcony, with no other means of access besides the doors leading to the balcony itself, had card readers leading into the building. When I reviewed the previous report, it literally stated that someone could grapple up to the balcony and gain entrance. Possible? Yes. Probability? Very low if not non-existent. So the organization had spent thousands of dollars on something that could have been solved with a mechanical lock like a deadbolt on the inside of the door. Additionally, they had fisheye cameras installed in areas that these cameras weren’t designed for. They were on exterior walls, monitoring doors, hallways, etc. The cameras weren’t being used to their full potential, and ended up costing thousands more than installing a different camera that would have worked better for the desired field of view. Those fisheyes I mentioned? Half of the field of view was a brick wall.

Product/Service Agnostic

Finally, if you do use a third-party consultant, it’s important that they are completely product/service agnostic. Their reports should not recommend specific products. Instead, they should keep recommendations generic. For example, instead of recommending a brand of video surveillance, the recommendation should be “a video surveillance system”. However, they should include what types of functions it should be able to accomplish and other general specifications. They may also provide examples of brands. In my reports, I would state, “recommend video surveillance system that can… (i.e. Brand, Brand 2, other).” This way, it’s left to the client to decide which products will meet their needs.

In conclusion, conducting an annual security assessment can help ensure your security program stays up to date and is operating as intended, and can identify areas for improvement. Whether it’s done by in-house personnel or third-party consultants should be carefully considered. However, it’s highly recommended that a third-party consultant be used in an alternating manner with in-house assessments. For example, maybe an assessment is completed in-house, but every other year or third year a consultant is utilized to help keep the assessments unbiased and to allow for a fresh viewpoint on the security program.

At Kenton Brothers, we have a team of certified security professionals that have years of experience conducting assessments in industries across the board from education, critical infrastructure, local/state/federal organizations, healthcare, correctional facilities, etc. Our consultants remain dedicated to ensuring that we are able to help you protect your people, property, and possessions. We are here to assist you in making the decisions that work best for you and your organization.

For more information regarding security assessments, please give us a call.

Start Strong, Finish Strong – 1 Customer, 9 Schools, 5 Different General Contractors

By Ryan Kaullen, Field Services Manager at Kenton Brothers

Early May of 2021, Kenton Brothers was notified that we had won a commercial security project for a local school district that included 9 different school remodels with access control additions to each of the remodels. Included in the project were IP based intercoms, door release functions, web relay interfaces, and ADA integrations.

Kip Phillips was assigned as the Project Manager and I knew right away he had to Start Strong and Finish Strong because of several unique scenarios within the project.

Some of these potential challenges included:

  • Kenton Brothers was contracted directly with the school district and not the General Contractors
  • There were 9 different timelines that may or may not align depending on other trades
  • There were parts logistics issues due to supply chain problems
  • Coordination with the General Contractors to ensure we installed our equipment at the right time

Kip knew that being properly prepared would allow him to maintain control of the project and be able to ensure its timely completion.

Relationship is Crucial in Complicated Projects

Kenton Brothers’ prior relationship with the school district allowed us to not only win the job but also design exactly what the customer was needing. Coordination began from there to align the timeline put out by the General Contractors to match what we were installing. Due to COVID, getting the parts we were contracted for took longer than normal. But there were also wait times on the parts that were needed from other trades to complete the projects.

Kip was in constant communication with everyone involved. Checking to see when parts were going to be delivered, getting them in our techs’ hands, and making sure the doors were in and ready for us to install the parts.

Timelines were a huge coordination component of this project. As doors and frames arrived, we had to get wiring in place so we wouldn’t get sealed out of physical places we needed to be. Sometimes, the notice that a door and frame had arrived was communicated to us the same day it was going to be installed. (Labor nightmare.) Kip had to shuffle a tech (or techs) off of one job and race over to the school district to make sure wiring was put into place quickly and correctly.

A lot of what Kenton Brothers had to do was contingent on other trades getting their work in place before we could do our work. This reality put us in a major time crunch to complete everything by the start of the school year.

Doing the Work

Kip was able to manage hundreds and hundreds of man hours spanning just a few weeks. He was able to keep everything in perspective by scheduling and organizing the techs efficiently. They knew what their tasks were each day, and they received the parts they needed.

Kip regularly attended weekly construction meetings to stay on top of everything and he provided feedback to the General Contractors, always being mindful of our deadlines. Being in constant communication with the techs, the school district, and the GCs allowed him to know where the projects stood at all times.

It helped that Kenton Brothers also had senior techs on the project… this allowed for good feedback back to Kip and our customer. The communication, the coordination, the anticipation of needs, and the strong project management allowed this project to finish successfully and on time. Our customer is happy!

This project properly aligned with the #KBWay of protecting people, property, and possessions. And we love the satisfaction of completing a project that will help the school district protect the kids and staff that work and learn in their buildings every day.
