SUMMER 1998 EDITION
Computers in Law Enforcement

CONTENTS:
This Issue By Bernard H. Levin, Ed.D.
Computer Based Training By Debra Littlejohn Shinder, M.C.P.
The CyberSecurity Guard: By Thomas W. Shinder, M.D., M.C.P.

Bernard H. Levin, Ed.D. and Philip A. Broadfoot, M.P.A.

Computer networks have become nearly ubiquitous in law enforcement. We generally exercise a modicum of care regarding the technical aspects of the networks, but we don't pay much attention to the social implications. That failure to pay attention can have unfortunate consequences.

Computer systems themselves have become relatively user friendly, having buried much of the technical underpinnings in places where only cybergeeks need to go. Computer systems have evolved; they have become far more reliable, far less expensive, far more powerful, and far more important. In 1964, when Levin first used a computer, the computer was an add-on that would allow the user to do the same things, faster. In 1998, however, computers are crucial for organizational functioning. Computers not only do the tasks more quickly; without computers some tasks (such as geographical information systems) could not be done at all. Many organizations, including most police departments, would grind to a halt if their systems died.

Changing computers, and particularly changing operating systems and software, has always been a challenge for police agencies. Now, changing has become a very high-risk activity because it jeopardizes core operating functions such as dispatch and case-tracking and because the hidden costs (training and infrastructure such as wiring, office furniture, and space) have become significant.

Computer systems have a short lifespan. Most law enforcement agencies are using computers that long since would have been declared obsolete and surplus in manufacturing corporations and even in colleges. DOS is alive, if not well, in many PD's. In most police departments, the typical computer is several generations old. This is because of failure to acquire funding for hardware, software, infrastructure, and training, rather than a sense that the computers are still current and effective models. Computers tend to operate well past their useful lifespan.
And past its useful lifespan is where the average police computer is.

But the problem is not only funding. There is also a failure to plan. We buy systems to collect information, but often have only a fuzzy sense of what we might do with the information other than just store it. We turn sophisticated systems into expensive file cabinets. Few departments are very serious in terms of crime analysis and problem solving and use of data to develop and test crime prevention models.

In addition to failure to acquire funding and failure to plan, there also is a shortage of tested, cost-effective software and training to run the system. Record management systems that are ready for prime time and support for those systems are more often promised than delivered. Software is buggy and can cost $80-100k for even modest operations. Computer history is littered with the corpses of companies that promised software that worked and promised support that would meet customer needs, but then went belly-up, lost key personnel, sold their assets and disappeared, or just reneged.

Sooner or later (in law enforcement, probably later) every organization decides to upgrade software and/or hardware. The decision is made and the funds are identified by management, the purchases are made, and someone is hired to do the installations. Training is something that is bargained for. Unfortunately, the law enforcement folks are seldom experts in training and have done no formal assessment of what they need, and usually the companies that are effective in writing software are not very effective in training. As a result, the training is typically a poorly targeted unfocused day or several days around the time of system delivery, and then you're on your own. Departments want that concentrated training because it is cheaper and easier to schedule.
This is in the face of a huge literature that shows it is best to train people using smaller, spaced sessions that are directed at specific problems they are facing. Follow-up training is a pipe dream. The development of internal help-desk functions is seldom addressed at all.

But there is a more important problem with training. Most of the training delivered as part of system upgrades is inappropriate and/or unnecessary. By inappropriate we mean rote training that leaves the officer dependent on others, rather than training the officer to be an independent learner. If departments had been doing the professional development they should have, the need for training delivered by external providers regarding new systems would be minimal. In modern networked systems, a database is a database is a database. Each has its own pattern of drop-down menus, and each has its idiosyncrasies and limitations, but fundamentally, they are commodities, generic in nature. A technically competent officer, one who has learned to be an independent learner, can sit down with a new CAD system and be functional in a very short time, given only minimal handouts from the vendor. Training is often a symptom of departmental failure to hire and develop its personnel.

Problems with system upgrades are in part caused by the way the process is structured. Those who would use the system daily have not been trained and educated well enough that they would be helpful in the planning/decision making process. The decisions typically are made at the top, out of a realistic fear that the line officers who do the useful work have so narrow a scope that their decisions would be inappropriate. Those who do make the decisions (typically the chief or senior staff) are isolated from those who are affected. In effect, by centralizing the decision, the typical department trades off admittedly limited expertise for often unadmitted lack of breadth. That's not a good trade.
Those affected by the decisions are allowed only limited input and limited resources for problem solving. Technical assistance often is limited to a daylight-only remote telephone help desk. Because of these problems in funding, planning, and professional development, upgrades tend to be painful for all involved.

There is another way to do business. Thoughtful development of human resources can reduce training crises and also improve the quality of planning. In turn, improved planning increases the potential for enhanced funding both from internal and external sources.

At our department, we strive to hire people who have the potential to be chiefs two decades hence. Entry level competencies, while required, are insufficient. We are looking for, and usually find, people who show initiative, are willing to make investments in themselves, and who understand that in a changing world the person who stands still is an impediment to progress.

At Waynesboro, we assume that people will do what they are rewarded for doing. A second assumption is that it is best to move decisions as close as possible to the people who will be affected by them. A third assumption is that the best help is help that is close at hand.

We have developed a system for rewarding line officers and corporals who take the initiative to learn new things and to teach their peers. The officers selected as police specialists each year receive a pay increase as well as social recognition. Further, while there is no overt connection between police specialist status and promotion, those who have earned approval as police specialists do make viable candidates for promotion. Nominations for police specialist are by peers; nominees who decide to allow their names to be put forward must present a portfolio asserting their merit. Recommendations for police specialist are made by a committee of all department members from corporal to deputy chief, which also includes three ranking reserve officers.
The final decision is made by the Chief, who usually rubber-stamps the recommendations.

This process is very different from most career development programs in that it totally ignores seniority, jobs worked, and schools attended. Instead, it rewards people for helping their peers with technology-related issues. It provides a basis for generalized peer review of performance. It also saves the department significant amounts of resources it would otherwise have to spend to trouble-shoot various technological issues.

Approximately 35 officers are eligible for police specialist status. As of the end of the second full year of our police specialist program, the Chief has granted police specialist status to 9 of the 11 officers who were recommended. One rejection was based on personnel issues unknown to some of the individual's peers; the other was rejected because there was no formal documentation of technical leadership.

The police specialists serve as one-to-one trainers and problem-solvers. Not all of them are rewarded for computer-related activities, but it turns out that all have acquired more than a modicum of computer skills and a willingness to share their expertise.

As our PD at long last moves to a Windows95 environment, we will be leaning on the police specialists to help their peers upgrade. All of the police specialists have at least some Windows95 experience, and they will use their expertise to mentor their peers. Will we have to use some outside trainers in addition to the police specialists? Probably. But when those trainers have gone, we will have in-house expertise where we need it -- with peers. We also will be looking to the police specialists for computer policy guidance and development.

The utility of the police specialist is not limited to computer upgrades. Other things have changed as well.
Because of our improved criteria for new hires, and because of the implementation of programs such as the police specialist, the department functions very differently than it did even five years ago. Building the knowledge and skill base at the line level has moved power down to the line level. Officers take their new power, and use it to get the job done. In turn, this frees management to do the things that only management can do.

In our department, big changes have resulted. The chief no longer is involved in decisions such as calling out the SWAT team, extradition, car rentals, minor expenditures, and myriad other routine but necessary decisions. The shift commander, typically a sergeant but sometimes a corporal, runs the city. The shift commander and his officers make the decisions, solve the problems, work with peers to manage incidents, and address citizen complaints.

What we have tried to do is create an environment where change is seen as a friend, and where the development of our human resources is geared toward the future rather than toward the crises of the present or the scars of the past.

Levin is Reserve Major and Commander of the Policy and Planning Bureau at Waynesboro (VA) PD. He also is Professor of Psychology at Blue Ridge Community College. Broadfoot is Chief of Police, Waynesboro VA and a member of the Patrol and Tactical Operations Committee of the International Association of Chiefs of Police. He earned an MPA and is a graduate of the FBI National Academy. He has published law enforcement-oriented papers on a variety of topics in the Police Chief and Police Futurist, among others.

Computer Based Training
By Debra Littlejohn Shinder, M.C.P.

The newest trend in training circles is the CBT, or computer-based training. This is usually a diskette or, more likely in today's multimedia world, a CD-ROM which may use formats such as Powerpoint Presentation files, HTML, or executable programs to present educational material.

Private training companies love it. Cost of producing the CD courses is far less than that associated with traditional classroom training. Instructor salaries must only be paid once, during development of the course, and thousands of students can be reached whereas before the same number of instructional hours reached only 30-50 students. Additional disks can be copied or CDs recorded for a few dollars each, and then sold to students for $20, $50, even hundreds of dollars. The ongoing need for facilities is done away with, along with scheduling difficulties. No wonder community colleges and other traditional educational institutions are getting into the act.

And for the student, there are many advantages to computer-based training, too. Convenience is first and foremost; no rushing to get to class on time -- now you can sit through it when you feel like it. No money has to be spent on transportation costs, babysitters, etc. Time can be used more efficiently and effectively when you don't have to travel to and from the educational facilities.

In-service law enforcement training seems a prime candidate for this new format. Police officers work schedules that in many cases don't fit in well with class schedules. They are often on standby, which may result in being called to work and missing important class time. In many states, academies and/or educational institutions offering police training are located in centralized locations, and it may be difficult for cops in more remote areas to travel to those locations.
Law enforcement officers usually have little enough time to spend with their families, without the added obligation of attending school.

For all these reasons, many states have approved computer-based training programs for P.O.S.T. or other licensing authority credit. Experimental programs are popping up all over. Some are successful; others are less so.

What factors should be considered when deciding whether to take a traditional class or use the new technology, especially when it comes to mandatory continuing education which may be tested by the state? Following are a few questions to keep in mind when evaluating the alternatives:
TOPIC AREA: Why it matters

Some areas of instruction are better suited for computer-based training than others. It may go without saying that you wouldn't try to teach someone how to shoot a weapon via just a CD lesson, demonstration or even simulation. The same goes for such hands-on topics as defensive tactics and baton use. But the importance of live interaction and participation may not seem as obvious with classes like Cultural Diversity or crisis intervention training. But any class which attempts to change attitudes, and is dependent on the ability to discuss, disagree and resolve issues, is likely to do a poor job of accomplishing its objectives without in-person attendance.

LEARNING OBJECTIVES

What are the goals and objectives of the block of instruction? If it is simply to impart information, such as Penal Code and procedural law, a CD may be able to give the student as much knowledge as a live instructor could. In some cases, the computerized training will even have a superior outcome, due to the student's ability to repeat the "class" as often and as many times as desired. On the other hand, a course that involves complex concepts may require at least some personalized instruction. And one which aims to develop proficiency in a skill absolutely must be conducted in a practice-oriented, active environment, not by the more passive method of presenting text, graphics, video, etc.

WHO IS THE TRAINING PROVIDER?

Not all CBT instructors are created equal, and not all educational institutions have equal technological capabilities for producing quality training software. CBT is a whole new medium, and you can't just take a good classroom instructor, stick him/her in front of a video camera, turn his lecture notes into hypertext files, and have a good computerized course. Creating a computer based training course requires a team effort, and must be orchestrated and produced much like a theatre production.
Otherwise the advantages offered by the technology will be wasted and you'll get, at best, mediocre training.

In summary, there is a place for computer-based training in law enforcement -- but it's not for everyone, nor is it for every type of course. Police work is still a "hands-on," up close and personal job, and training someone to do it cannot always be accomplished in the solitary environment of the computer user.

Deb Shinder is president of CLEAF, publisher of the Survive-L Electronic Newsletter, a former police officer and current community college criminal justice instructor at Eastfield College in the Dallas County Community College District, and a Microsoft Certified Professional.

The CyberSecurity Guard:
By Thomas W. Shinder, M.D., M.C.P.

Data Security at one time was a relatively simple process. In a world which was made up of predominately unconnected computers, you set up a password on each computer, and you were done with it. If you required extra security, you could lock the most important computers up in a room where no one could access them.

However, with the widespread adoption of the Internet as a tool to connect computers, the simple process of installing local passwords is woefully inadequate. The complexities introduced in a networked environment require us to consider many more issues when we attempt to secure our data. You must always keep in mind that whatever computer you have connected to the Internet via the TCP/IP protocol is potentially accessible to over one hundred million persons worldwide. And while the overwhelming majority of these individuals have no interest in your information, all it takes is one person with a vested interest. That one person can either procure or destroy the data contained on your computers connected to the Internet.

What I will do here is raise consciousness regarding some of the aspects of security which are integral to maintaining a secure environment. I will discuss these ideas primarily in the context of the NT Server/client based environment.

PASSWORDS

How do you assign passwords? Are they simple passwords so that your users can remember them easily? Do you allow your users to assign their own passwords? How long are those passwords valid, and how often do you require changes to those passwords? Strong passwords are the sine qua non to the foundation of a good security model for your organization. Too often, the administrator, because of concern over increased workload that can occur if he has to spend a lot of time unlocking accounts for users who forget their passwords, will allow simple passwords to be used on the network. Or there will be no password policy in force at all.
The passwords you use should not be open to simple "brute force" or dictionary attacks, where the cracker is hoping that the administrator password is contained within a list of words against which it is checked. An adequate password policy would include passwords that are at least eight characters in length, and are composed of a required mix of alpha and numeric characters, with the alpha characters being of mixed case. To further strengthen the password, using a character symbol (such as #$%+) of your choice is an option.

Another important consideration is: for how long are the passwords valid? If you use a static list of passwords that never change, the intruder essentially has unlimited time to work on cracking your system. The level of security required at your site will determine how frequently you need to change them. If you use NT Server, the default for time allowed for current passwords is 42 days, or six weeks. You must weigh the inconvenience of changing passwords frequently against the possible inconvenience of having to rebuild your data center.

Lastly, control the repeat use of passwords. Users get to like certain passwords, and if they are allowed to, will use them repeatedly. This poses a serious security threat to your organization. When passwords are used to access different resources made available on your network, do NOT allow the use of the same password twice. Once the intruder has access to one password, he will attempt to use this password on other resources because most individuals fail to realize the importance of heterogeneous passwords. Once he's cracked your first resource, he will have access to everything else which uses the same password. Using the same password on multiple resources is one of the most common security errors made by otherwise thoughtful organizations. DON'T fall into this trap!
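The password policy described above, written out as a checker. This is an added example, not part of the original article: the word list is a constructed sample, and the history depth and the PBKDF2 storage of old passwords are assumptions chosen for illustration. It enforces the article's minimum length, character mix, 42-day lifetime, and ban on repeat use, and it also rejects a dictionary word that has merely had digits or symbols attached.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MIN_LENGTH = 8                   # "at least eight characters in length"
MAX_AGE = timedelta(days=42)     # NT Server default quoted in the article
HISTORY_DEPTH = 5                # assumption: number of old passwords remembered
PBKDF2_ROUNDS = 100_000          # assumption: work factor for stored history

# Constructed sample word list; a real deployment would load a large one.
DICTIONARY = {"password", "police", "dispatch", "waynesboro", "summer"}


def hash_password(password, salt=None):
    """Return (salt, digest) so history is kept without storing plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if the candidate matches any remembered (salt, digest) pair."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def dictionary_core(password):
    """Strip leading/trailing digits and symbols: 'Police99!' -> 'police'."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


def check_password(password, history=()):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("letters are not mixed case")
    if not re.search(r"[0-9]", password):
        problems.append("no numeric character")
    if dictionary_core(password) in DICTIONARY:
        problems.append("dictionary word with digits or symbols attached")
    if in_history(password, history):
        problems.append("reuses a previous password")
    return problems


def is_expired(last_changed, now):
    """True once the password is older than the maximum age."""
    return now - last_changed > MAX_AGE


if __name__ == "__main__":
    old = [hash_password("tR7#kq2Wm")]
    for candidate in ("dispatch", "Police99!", "tR7#kq2Wm", "gV4+zu9Lp"):
        print(candidate, check_password(candidate, old))
    print(is_expired(datetime(1998, 6, 1), datetime(1998, 7, 14)))
```

"Police99!" satisfies the length and character-mix rules yet is still rejected, which is the gap between a complexity rule and resistance to a dictionary attack.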
PHYSICAL SECURITY

What an individual can access via the network is not the same as what can be done if he can get to the actual computer himself. Many bulletproof network security schemes fall on their collective faces when the intruder is able to directly access the server or workstation. There are a variety of reasons for this. Depending on the file system used, it can be a relatively simple affair to use a simple disk editor, such as Norton DiskEdit, to access the contents of otherwise "locked away" files. There are also a number of techniques and hacks an intruder can use to gain access to a local machine which are not available via the network. If destruction of data is the main goal of the intruder, this becomes a simple feat with direct access to the machine in question.

Locking away the Server is an easy thing to do, but a remarkable number of small and moderate sized businesses fail to do this. Part of it may be an ego "trip", since typically the server is the most powerful and adept system on the network, and therefore they want to "show off" their baby. However, they put themselves at horrible risk by not physically securing their machines.

Physical security must also be extended to your data. In the event of tampering or hardware disaster, you will depend on your backups in order to restore order to your organization. The most common error in this regard is that the backup disks, tapes or CD-R media are kept in the same proximity as the server machine. This makes it easy for the intruder to procure them or for environmental disaster to destroy them together with the server. Given the degree of irreplaceability of your data, you must consider multiple backup copies. ALL backup copies should ideally be kept off site. If you require fast access to backup information in the case of data center intrusion or destruction, then consider keeping one copy in a locked area AWAY from the server computer itself.
Data has a way of turning up in the wrong hands, even when there appears to be no obvious evidence of intrusion. Accessibility and accountability of access to backed up material must be tracked. When using NT Server as your operating system, one way this can be accomplished is to enable file and object auditing (although this can be potentially resource intensive). The system log will track the time when the backup procedures are performed. A record of each person who has physical access to data might be implemented. This would include the name, date, time, and reason why a person would be in the same room as the backed up material. An incident log should be considered also, to document any irregularities.

"SOCIAL" SECURITY

The most difficult area to control is that of "social" security. You may have implemented the ideal (on paper) security scheme and yet be victimized by intrusion or destruction of your data. In today's world of downsizing, rightsizing, and dumbsizing, an increasing number of employees leave their work place with negative emotions. If those employees are in possession of passwords which are not changed after their departure, they are free to use those passwords themselves, or provide them to others in order to wreak havoc on your datacenter.

If an employee must be terminated, plan the termination intelligently. If you give advance notice and expect the employee to stay on for a period of time before final departure, then control the resources that employee can access, so as to protect all but relatively inconsequential information from potential mutilation. If this employee is part of management or IS Services, it would be wise to limit advance notice of termination, and politely allow them to leave AFTER access and passwords have been changed.
Another common breach occurs when individuals call a receptionist, a security person, or manager stating that they are with the IS department, or they are a consultant, or even an employee at that site, and they need passwords in order to do the job they were hired on to do. Most people are trusting sorts, and do not realize the importance of maintaining complete control over the password list. The best way of controlling this "good will" security lapse is to ensure that only those personnel that require the passwords have access to them. Optimally, only the system administrators have access to a password list, and every member of the organization knows only their own password. If you use NT Server based networks and allow users to set their own passwords, then even the administrator will not have access to the password list, making it impossible for them to log on as another user.

CONCLUSIONS

We have covered just a few of the important considerations in designing and implementing a security policy for your organization. There are many other things to take into account, such as whether you are using a web server to provide content for the world wide web, whether you provide access to files via FTP, and the nature of the network protocols you use internally in your organization. By implementing just the security measures outlined above, you will have improved the safety and security of your data by orders of magnitude. Stay safe, and keep your data safe too!

Thomas W. Shinder, M.D., M.C.P. is a physician turned network consultant, with a special interest in computer security issues. He teaches in the MCSE training and applications training programs at Eastfield College and is a founding member of CLEAF.

CALL FOR ARTICLES

We are always looking for good articles relating to law enforcement technology issues.