An Interview with Felicia King
Interview by Gila Hayes
In our November edition, we enjoyed a comprehensive interview with Felicia King from Quality Plus Consulting and QPC Security who shared a number of ways to safeguard our communications so criminals can’t jam cell or Wi Fi signals and make it impossible to phone 9-1-1 to report a home invasion or other attacks against you and your family. In talking with Felicia, it became apparent that not only is her experience very well-suited to coaching and guiding people who often feel that using technology for security is too complex and, as a result of that mistaken conclusion, fail to take advantage of many options that can, indeed, improve our prevention of and defenses against physical attack, as well as defending against cyber risks, as well. If you missed the first installment of our talk with Felicia, please browse first to https://armedcitizensnetwork.org/november-2024-front-page.
In the month between publication of the first installment of Felicia’s interview, most of the feedback has been about radios. Several wanted us to be aware of licensing differences for amateur radio bands, which the Baofeng radios discussed in the November installment use. In response, Felicia recommended a very informative online article at https://www.wearecb.com/cb-radio-frequencies-channels.html that explains use of CB radios, appropriate use of various CB frequencies, the nomenclature, customs and a whole lot more. After all, details matter enormously – for example, knowing which channels are commonly in use in your community in case you need to reach out for help so your message goes out on a commonly used frequency. If, in pursuit of a non-technical discussion last month, we glossed over important details, this will fill in needed information. Readers interested in adding radio to your emergency planning, will want to read the linked article.
Following is the second half of our interview with Felicia King, outlining ways to use technology for remote control gates to keep out intruders, as well as valuable encouragement she offered about how to manage cyber security risks. We switch now to our Q & A format to learn from Felicia in her own words. For those preferring video, browse to https://youtu.be/VtbIKOmvLdM for a more casual version.
Tech to Control Access
eJournal: We put up fences to keep thieves away, usually, but what if someone shows up and says, “We’ve got a package you have to sign for,” maybe you want to see what it is but maybe, too, you’re worried because you haven’t ordered anything. Could you talk to us about building that kind of control?
King: I think sometimes shipping and delivery companies like FedEx or UPS become unwilling to deliver to a residential location where they have “friction for delivery.” That’s anything that causes them to fall more behind schedule.
Let’s say you have a long driveway. In the first 30 feet, you could give them room to pull off the road so they’re safe. Then you have a concrete pad on which you put a steel lock box you leave unlocked until a package is put in and the door auto locks closed. Put up a little sign: “Please leave packages here and shut the lid” and simple as that, your package is left inside of a rainproof, secure box. That doesn’t require any codes or access delays. The driver just comes in the first 30 feet, parks, turns around, does what they need to do, and gets out. You’re not creating any friction for delivery.
eJournal: What about tech to implement barriers against physical access? I’ve seen remote gates, and some were layered with a fenced buffer zone that ends at a second gate, so I’m very interested in your ideas for putting in remote control gates and intercoms.
King: If you’re really smart about this, you start with a good plan. You could do it yourself or hire someone like me to do the engineering design and bid specs, then train you to manage the contractors. Have a concrete pad poured with a hole for wiring or if you have a pad already, get a core drill or hire someone to drill through the concrete pad and then hire a directional boring company to put an underground pipe from the pad to your house. Some might think that they’re going to save money by trenching their own pipe. I used to be that person. I have since concluded it’s better to find directional boring contractors.
If you watch for phone company or broadband cable work being done in your neighborhood, you can find a directional boring contractor to do a small project at your place. Have a conversation with the owner or crew head, show them a good plan, including location of other underground lines, offer them cash and they can make some money and save you some, too, by coming by when they don’t have jobs that take a full day in your area. I’ve done this repeatedly, so I know this approach works really well. The key word in this plan is “cash.”
You will never get as good of an outcome by digging a trench and putting in pipe as you will with directional boring. They get it far deeper and don’t disturb the ground. I’ve had them go underneath septic lines and they don’t break them if you hire a quality company. After the work’s done, you have to get all the dirt back in. The directional boring company has compactors and can get it compacted down and in general, don’t destroy your flower beds.
Let me also share one of “Felicia’s Hacks:” have a professional surveyor make a survey map of your properties. I have the big drawings, of course, and I also have the map in PDF, of which I have multiple versions. One of the versions has little lines for the natural gas line and the electrical lines and other things I’ve put in, because the digger’s hotline doesn’t know anything you’ve done yourself on your property.Showing that kind of professionalism, organization, and discipline, goes a long way towards conveying competency and risk management to your directional boring contractor.
The boring contractors hired by the phone or broadband companies are typically quite experienced. Your advance work should include the hole in your foundation, so they bring that directional boring pipe up through the hole manually, or if you don’t have it yet, just have them leave a stub like two feet up. They’ll tape it up and make it waterproof because you do not want water in your pipe to make a mess.
Be very thoughtful about how the wire comes into your house. When you bring an internet connection into your house, please do so underground. Protect it; don’t make it easy for bad guy to come to the outside of your facility and just cut that wire. Use a little subterfuge while you’re at it. I love to install multiple LB fittings. If there are several, the criminal doesn’t know which one to destroy to cut the internet connection. Bad guys may not even be that bright, but if you just have a coaxial line coming out the side of your house or an AT&T box on the outside of your house, they darned well know what that is. Please don’t make it easy for them.
If your engineering is really smart, at the gate at the end of your drive you can have one pipe wiring a little pedestal with a pad and call button which comes through to your video management system and to your own phone system, too, if you want. I prefer a combination push call button with full duplex audio with video; those are around $900. That’s called an IP video door station. They’re on Axis Communication’s website (https://www.axis.com).
You could have one device giving you video, audio, and a call button down at the end of your driveway. You can partner it with a vertical rectangular keypad/card swiper to open the gate. I like individual pin codes for residences. Pins are not unusual; they’re on phones and debit cards. If you give everybody individual pins, it drives accountability and it reduces risk.
Pin codes let you create a schedule. Let’s say I knew you were visiting on Saturday between eight and five and I wanted you to be able to come in. I can program a code and tell you your special PIN code. That pin code is unique to you, which I prefer because if I give somebody a card, they can lose it and then I have to deactivate the card. What if they don’t tell me that they lost the card?
You could have specific pin codes that only work for your lawn care service on Tuesdays from eight to two. You could also do time-based access on any schedule you want or generate a specific alarm based upon a pin code that was entered. That way you know when Bob the plumber arrives. Maybe Bob’s coming for a month to do a project for you. You can schedule that, and have an alarm so you know he is coming in.
I like an alarm code with a code word. That’s no different than if I wanted to broadcast a message to my entire family. I like to keep things simple, so I ever broadcast a code word, everybody knows to respond accordingly. That is the power of scenario planning.
Getting Started
eJournal: Improving security is a challenging mix of threat assessment and prevention planning mixed with buying and installing equipment, with even a little construction thrown in! Last month and now this month, we have talked about so many aspects of tech for security that it would be all too easy to feel inept and fail to do anything.
King: A lot of times people are frustrated by fear they will make a mistake. People are so afraid to make a mistake that they’re paralyzed. The attitude that I’ve always taken is that I am learning, no matter how much I bork up the process.
When my husband and I moved into our house, the shower head was too low, so I rebuilt it. After finishing eight hours of plumbing, I had my faucet in, but when I mocked up where the bathtub would be, it was way off center. I knew I couldn’t possibly stand to be in that shower every day for the rest of my life, realizing that I didn’t do my best. I ripped it out and redid it, but I don’t look at that as if I blew about $800 worth of time and supplies. You know what? That’s an $800 lesson, isn’t it? I shall learn from that pain and not make that mistake again. That works for me.
Realizing that I’m different from most people, for a lot of our clients, I function as a safety blanket. We’ll sit down and talk about their objectives. I then help them put together a plan and ask, “What part of the plan do you want to do? Do you want to try drafting this? OK, let me review your draft. Let’s make sure everything is hunky dory fine.” I will train them to interface with contractors and to ensure that the quality of their communications with their contractors are enough to hold the contractor accountable for the outcome.
Sometimes people are not the greatest communicators or maybe they’re not the best listeners. A lot of times, the contractor is not bad, but they are used to contractor language; it’s very much more specific. A lot of times, contractors are specialists. A plumber is not necessarily an electrician or a carpenter or a concrete contractor.
Write out a structured plan and communicate it to your contractor. Then you can ask, “Is this deliverable?” Everybody’s clear and it becomes very easy for you to hold your contractor accountable. I can be a safety blanket if questions come up in the middle of the project when a five-minute conversation can make the difference between success or failure. You may not want the $800 lesson like I had.
eJournal: It’s a great story about perseverance. I worry more about online mistakes might expose one’s home address or bank account. Recovery from that might be harder.
King: Remember I said I can be a safety blanket for some of our clients? There’s also a digital aspect to the safety blanket. Someone gets an email from the Social Security Administration that says they have to use ID.me. Gee, what do they do with that? Or people get invoices from scam artists. A lot of our technology consulting clients run everything through us so if the invoice didn’t come from us, it can go in the trash can. For them, it is part of the safety blanket.
One of the things that we’ve been doing in the last six months is working with a lot of our retired clients who have not been engaging in good basic security hygiene. I deployed a wonderful training system for them that they do at home on their computer for five minutes once a week. It’s not a big impact to their time, but it keeps digital security top of mind. I do scam and phishing testing and they get scores. They can see their own score get better or worse. We do an enterprise password management tool for them, too. I’m very security focused.
I’ve been in the IT security industry since 1993 and focus on access control and ensuring that only the authorized people can do what they need to do. This is counterparty risk management that I think everybody has to learn. I like to use the analogy, who exactly are you going to give the keys to your house, even on a temporary basis?
For example, when you go to the internet, looking for a password manager, you find LastPass. You might think it’s inexpensive, but if you talk to me, I’d tell you that that company’s been compromised four times. The tool’s price tag doesn’t matter if the tool is not to be trusted. That’s some of the things we do for clients. Maybe they want to do a credit lock freeze sort of thing. So, let’s just talk about that briefly.
I did counterparty and security risk assessments on LifeLock years ago. I would never recommend them. I don’t think they’re effective and I don’t think it’s a good use of your money. On the other hand, there is a service called Delete Me that started as Abine and has been around for at least a decade. It’s a pretty inexpensive annual service and it actually works. There’s a family plan with a good way to interface with them to achieve the balance between your private information security only giving enough information so they can act on your behalf. They scan and troll the internet for sites where your information is publicly available. It can’t be expunged everywhere, but they go hunt it down and they whack it where they can. There is absolutely no conceivable way you could do it yourself for that cost. I think they’re probably at over 30 information data brokers now, and they add more all the time.
eJournal: You also told me that there’s a discount of 20% off for Delete Me through your referral link https://joindeleteme.com/refer?coupon=RFR-2878-7RCPHF . Your endorsement is great because many times we don’t know who to trust. We need people that we turn to and ask, is this safe? I really like the way you suggest a safer alternative.
King: It is important to not engage in confirmation bias when you’re looking for experts. Throughout my entire tenure in the information technology industry, I hear how someone talked to their brother-in-law. Maybe he professionally manages databases, but he is not a PC technician, or a network engineer, or a server engineer, or a cloud engineer. Don’t discount what a trusted family member or friend says, but also don’t think they somehow know everything.
Contextuality is exceedingly relevant. Imagine you’re a manager whose wife works at some other company where they’re doing ABC. Don’t start thinking, “Well, we should be doing ABC here, too.” That’s the wrong thought process! The other company’s choices aren’t contextually appropriate to what your company is doing.
There’s value in the data, but are you talking to the person who can articulate the contextual appropriateness of a particular strategy? Talk to people, but don’t be a lemming that runs off the cliff. You must know the context, and how to correlate it to your own context. Do scenario thinking and planning. Do good risk assessment and risk management. The only way to make the right decisions is to be an informed risk decision maker.
eJournal: Another place contextuality matters is choosing internet service. In research with you prior to this interview, you showed me the security problems with just taking what the ISP packages. Could you share that with our readers?
King: Okay, most of the time when you procure a residential internet connection, you don’t have control access and security. I worked on this for a client who bought a package that could only be managed by the ISP’s own little phone app. I couldn’t even access the thing via a webpage to do any management. ISP said the app is all they do for residential connections. I asked, “What would a business connection typically cost?” A business connection can be secured and often costs just $30 to $40 a month more.
I provision internet connections for clients anywhere in the entire country, so you don’t have to deal with their frustrating salespeople who want to sell you the phone package and the TV package and the blah, blah. We can avoid all that and get you a small business connection. If it’s requested correctly, the ISP will put in equipment that enables you to have a handoff to your own equipment.
You could use their small business router, and actually control it because it’s not a residential connection. Just by having a business connection, you’re enabling yourself and empowering yourself to have more control over security, which is very important. You can say, “I really want to lock it down for full visibility and know for darn sure what the configuration is and make darn sure that no traffic is happening that I didn’t want it to happen.”
Traffic on your internet connection is like the front door on your house with people going in and going out, okay? It’s the same thing. It’s just called network packets instead of people. If you wanted more control over it, you could have your own network layer security appliance and have more possibilities on what you can do and how you can do it.
You might say, “Whoa! I’m never going to learn that” and I could argue that’s probably true, so you can have companies like mine manage it for you. That’s OK, but you could still also be enabled to have full visibility of what comes in and goes out and get weekly reports so that you know what’s going on.
At a minimum, get a business connection, because too often I see news where some ISP-managed and controlled equipment is compromised. Recently there was a DNS poisoning attack against all the customers of a particular ISP. What is DNS? It’s the internet phone book. That’s all it is, it’s the internet phone book. Imagine your computer was trying to call up Microsoft for some updates, and somebody put a different destination in the “address” for Microsoft. Now, your computer talks to something from which it hopes to download Microsoft updates, but it’s talking to the bad guys instead. That’s how your computer gets compromised.
Do you trust your ISP? If you do, if they have a track record of really good security, then that’s okay. Too much of the time, I see ISPs that don’t have a good track record. It’s a very personal decisions to make because it’s all about security and risk management versus the cost. You’re better off probably with a business connection than a residential one.
eJournal: That is very useful, because few individuals think of getting enterprise level internet. Maybe I give up ordering lattes at the coffee shop on the way to work so I can afford greater security. Maybe it means I brew my coffee at home.
King: It’s probably healthier for you to make your own coffee anyway.
eJournal: It probably is. I learned so much from you. What takeaway would you like Network members to remember from our time together and this great security series?
King: I want them to gain an attitude of investing in themselves on a daily or weekly basis. That investment might be reading some of my articles, or maybe reviewing this a few times, because it was pretty information dense. Get out there on the internet and start to do some research, invest in your own knowledge base, and start drafting a plan of what you want to accomplish, what the risks you want to mitigate are, and just scenario plan it out. Write it out: make a Word document or grab a sheet of paper and write it out.
Don’t get stuck, just start. Start and look at it as an investment in your own education. At the end of the day, I really want clients to make informed risk management decisions. How you manage your risk is your decision to make. In order to make informed decisions, you have to be educated and be willing to put that information in your brain. So that’s what it is. It’s just investing in yourself on a daily basis.
eJournal: This series has been packed, just packed full of information. We’ve included lots of links to start that research and knowledge acquisition. I can’t thank you enough for how generous you are with your own knowledge, experience and coaching us to implement security protections that we never thought were within our abilities. Thank you, Felicia.
__________
To learn more about Felicia’s work see qpcsecurity.com and study her articles at https://www.qpcsecurity.com/category/blog/ to enjoy her articles for continuing learning about this important subject.