Put to the Test
Sobering Security Flaws
- By Michael S. Dorn
- 06/01/13
Photos courtesy of Safe Havens International
He drove 14 hours from his home in Pennsylvania to Georgia, determined that his son would die. He was intent on killing the boy. A .40-caliber semi-automatic pistol was tucked in his waistband. Having attacked three women and stabbed a man in a bar, the U.S. military veteran was intelligent, clean cut, convincing and experienced in acts of violence. He had gone to great lengths to figure out which school in what city he could find and kill the boy. Every ounce of his being was committed to killing the child, the ultimate act of revenge. He cared not that the murder would be carried out in a nice school in a good part of town and that other children might witness the horrific killing. Luckily, he was not able to carry out his terrible plan. Instead, he was taken into custody by the Bibb County School District Police Department before he could murder the child. This outcome was the result of the alertness of a school secretary, good access control policies and a school principal who made them a reality.
Success Stories
From 1989 to 1999, the Bibb County Public School System also successfully stopped numerous other violent incidents. The school system stopped another non-custodial parent armed with two handguns from removing a child from this same school. It also stopped a stalker from entering Danforth Primary School with a loaded .32-caliber semi-automatic pistol to kill a teacher he had met at a bar. It successfully prevented another man from entering Alexander II Magnet Elementary School to kill his wife with a .38 Special revolver. The school system also stopped a mentally ill grandmother with a .38 Special revolver in her purse from abducting two of her grandchildren from L.H. Williams Elementary School.
While the Bibb County School Police made the arrests in each of these cases, it was the alertness of school custodians, secretaries and school administrators that prevented each of these attempts from ending in tragedy. How did this poorly funded school district stop five out of five attempted acts of violence? How can these success stories help make schools even safer now that we have far more robust access control technology solutions than were available to schools when these and other less serious attempts to breach school security were stopped? How can school officials identify the common and simple gaps in access control that can quickly allow a determined violator to enter a school and leave a school with someone else’s child? How can we combine the awesome power of today’s incredible access control technologies with the even more powerful ability of the properly trained school employee’s brain to detect and react to danger through subtle cues in human behavior?
Penetration Testing
Borrowing a concept from the U.S. Navy, our analysts have developed a highly structured approach to testing school security and access control. The United States Navy began conducting what they call “Red Team Assessments” decades ago to test the security of their ships, installations, nuclear power plants and other high-value targets. In the late 1990s, Dr. Sonayia Shepherd began conducting what we now call “Penetration Tests at Schools,” when she was part of the School Safety Project in the Georgia Emergency Management Agency — Office of the Governor. Dr. Shepherd would attempt to bypass the access control system of a school and see if she could simulate the theft of computers, master keys, sensitive information and school children. Performed at the request of school officials, the tests were not designed to embarrass, but instead, to educate school officials. Dr. Shepherd quickly learned that she could typically find an unattended child and persuade them to go with her within five to 10 minutes of arriving at a school. Our analysts have since conducted penetration tests at hundreds of schools and have been able to “steal” laptop computers, LCD projectors, master keys, staff directories, tractors, maintenance trucks and students without being stopped at most of the schools we assess — unless certain practices are in place.
Simulated, Non-threatening Abductions
While removing 25 laptop computers from an elementary school usually makes the point that access control is inadequate, nothing gets the attention of educators more convincingly than one of our analysts being able to persuade a five-year-old child to go with us. All of our analysts concur that this is still one of the most unsettling aspects of the wide array of work that we do. Walking down a school hallway with someone else’s child, while considering how easily a sexual predator could do the same thing, is a rather upsetting experience, no matter how many times we are able to accomplish this. As with other aspects of our assessments, there are many details that must be adhered to so we do not cause alarm or frighten students. For example, we never touch or threaten a child; we only use persuasion.
Don’t Try This at Home
As it is against the law in many states to fail to follow a school’s access control policies, penetration testing should only be conducted at the request of school officials. While we normally advocate that it can be a very effective approach for school and local public safety officials to learn how to conduct their own safety, security, climate, culture and emergency preparedness assessments, we do not recommend that local officials attempt to conduct penetration testing. While we have trained thousands of practitioners to conduct their own school security assessments, we do not train them to conduct penetration testing, as there are so many subtle things that have to be done in very specific ways to avoid problems. Penetration testing is also not something we typically recommend for our clients when we conduct assessments. This concept is best suited for two situations: (1) when school staff are extremely lax or (2) when the school is at the high end of effective access control, visitor management and, in some cases, weapons screening.
Lessons Learned From Penetration Testing
While penetration testing may not be appropriate for all school organizations, any school can learn from the patterns we have consistently seen over the past 15 years. The following are some of the more important and consistent observations from our analysts.
- Schools with 100-percent adult identification badge usage are by far the hardest to penetrate. If even 10 to 15 percent of staff are not wearing an identification badge with a photo and/or any visitors are allowed to walk the halls without a time-sensitive visitor badge, our analysts have had a 90-percent success rate in taking a child.
- Even the best technologies are easily defeated if staff are not taught how to support the technology and why they need to do so.
- Buzzer access control systems are only as effective as the operator. For years, I have been buzzed into most of the schools I tried to enter with the following phrase: “My name is Ted Bundy and I have an axe to grind with the principal.” The majority of school staff has simply buzzed me in out of habit without listening to what I had said.
- Our analysts are most often detected by students rather than school staff.
- The school custodian is the school employee who most often takes action after detecting us as a threat.
- None of our analysts has ever been caught by anyone monitoring a security camera system. Even though a number of our clients have personnel assigned to watch the cameras, we have never been detected by any of these staff during a simulation.
- We have been able to defeat every metal detection checkpoint we have attempted to bypass. Simple adjustments based on our findings will correct the simple gaps we identify.
It should be noted here that these observations should not in any way be taken as meaning that the security technologies mentioned above are not effective. Rather, our observations have consistently been that security technologies are only as reliable as the properly informed staff who learn to support them. Teaching staff not to prop doors with rocks, to check photo identification when signing in visitors and to question the presence of any adult who is not wearing an appropriate badge is extremely important. Most importantly, penetration testing has taught us that good security technologies supported by good policies, and an alert and empowered staff and student body, are much harder for even a determined and intelligent violator to beat.
Michael Dorn serves as the executive director of Safe Havens International, a nonprofit school safety center. He welcomes reader feedback and input at www.safehavensinternational.org.
This article originally appeared in the School Planning & Management June 2013 issue of Spaces4Learning.