Friday, February 27, 2009

Install and Use a Firewall Program


This section describes a firewall, its importance to your home computer strategy, and a way to think about the job you need to do. We’re going to depart from our “computer-is-like-a-house-and-the-things-in-it” analogy to use another that you are probably also familiar with: an office building.

Have you ever visited a business where you first stopped at the reception desk to interact with a security guard? That guard’s job is to assess everybody who wishes to enter or leave the building to decide if they should continue on or be stopped. The guard keeps the unwanted out and permits only appropriate people and objects to enter and leave the business’s premises.

Let’s dig deeper into this analogy. When someone enters a building, the security guard usually greets them. If they have an appropriate identification badge, they show it to the guard or swipe it through a reader. If all is OK, they pass through the guard’s checkpoint. However, if something’s wrong or if they are a visitor, they must first stop at the guard desk.

The guard asks whom they wish to see. The guard may also ask for identification such as a driver’s license or their company ID. The guard reviews the list of expected guests to see if this person is approved to visit the party in question. If the guard decides everything is all right, the visitor may pass. The visitor usually signs a logbook with their name, the company they represent, whom they are seeing, and the time of day.

On a computer, the firewall acts much like a guard when it looks at network traffic destined for or received from another computer. The firewall determines if that traffic should continue on to its destination or be stopped. The firewall “guard” is important because it keeps the unwanted out and permits only appropriate traffic to enter and leave the computer.

To do this job, the firewall has to look at every piece of information – every packet – that tries to enter or leave a computer. Each packet is labeled with where it came from and where it wants to go. Some packets are allowed to go anywhere (the employee with the ID badge) while others can only go to specific places (visitors for a specific person). If the firewall allows the packet to proceed (being acceptable according to the rules), it moves the packet on its way to the destination. In most cases, the firewall records where the packet came from, where it’s going, and when it was seen. For people entering a building, this is similar to the ID card system keeping track of who enters or the visitor signing the visitor’s log.

The building’s guard may do a few more tasks before deciding that the person can pass. If the person is a visitor and is not on the visitors list, the guard calls the employee being visited to announce the visitor’s arrival and to ask if they may pass. If the employee accepts the visitor, they may proceed. The guard may also give the visitor a badge that identifies them as a visitor. That badge may limit where in the building they can go and indicate if they need to be escorted. Finally, no matter whether the person is a visitor or an employee, the guard may inspect their briefcase or computer case before they pass.

The firewall can also check whether a given packet should pass, allowing the computer’s user to respond to unanticipated network traffic (just as the guard does with the unexpected visitor). Individual packets can be allowed to pass, or the firewall can be changed to allow all future packets of the same type to pass. Some firewalls have advanced capabilities that make it possible to direct packets to a different destination and perhaps even have their contents concealed inside other packets (similar to the visitor being escorted). Finally, firewalls can filter packets based not only on their point of origin or destination, but also on their content (inspecting the briefcase or computer case before being allowed to pass).

Back to the office building, when employees leave the building, they may also have to swipe their ID card to show that they’ve left. A visitor signs out and returns their temporary badge. Both may be subject to having their possessions inspected before being allowed to leave.

Firewalls can also recognize and record when a computer-to-computer connection ends. If the connection was temporary (like a visitor), the firewall rules can change to deny future similar connections until the system’s user authorizes them (just as visitors must re-identify themselves and be re-approved by an employee). Finally, outgoing connections can also be filtered according to content (again, similar to inspecting possessions at the exit).

What does this all mean? It means that with a firewall, you can control which packets are allowed to enter your home computer and which are allowed to leave. That’s the easy part.

The hard part is deciding the details about the packets that are allowed to enter and exit your home computer. If your firewall supports content filtering, you also need to learn which content to allow and which not to allow. To help you get a handle on this harder task, let’s return to our security guard analogy.

Imagine that you are that security guard and it’s your first day on the job. You have to decide who’s allowed in, who’s allowed out, and what people can bring into and take out of the building. How do you do this?

One strategy is to be very conservative: let no one in or out and let no possessions in or out. This is very simple, very easy to achieve, but not particularly helpful to the business if none of its employees or visitors can get in or out. Nor is it helpful if they can’t bring anything with them. With this type of strategy, your tenure as a security guard may be short-lived.

If you try this, you quickly learn that you need to change your strategy to allow people in and out only if they have acceptable identification and possessions using some agreed-to criteria. Add the requirement that if you don’t meet the precise criteria for admittance, you don’t get in.

With most firewalls, you can do the same thing. You can program your firewall to let nothing in and nothing out. Period. This is a deny-all firewall strategy and it does work, though it effectively disconnects you from the Internet. It is impractical for most home computers.

You can do what the security guard did: review each packet (employee or visitor) to see where it’s coming from and where it’s going. Some firewall products let you easily review each packet so that you can decide what to do with it. When you are shopping for a firewall, look for this review feature because it can be quite helpful. Practically speaking, it isn’t easy to decide which traffic is all right and which is not all right. Any feature that makes this job easier helps you achieve your goal of securing your home computer.

Just like the security guard who learns that anybody with a company photo ID is allowed to pass, you too can create firewall rules that allow traffic to pass without reviewing each packet each time. For example, you may choose to allow your Internet browsers to visit any web site. This rule would define the source of that traffic to be your browsers (Netscape Navigator and Microsoft Internet Explorer, for example) and the destination location to be any web server. This means that anybody using your home computer could visit any Internet web site, as long as that web server used the well-known standard locations.

Now that you have an idea of what your firewall security guard is trying to do, you need a method for gathering information and programming your firewall. Here is a set of steps to use to do just that:

  1. The Program test: What’s the program that wants to make a connection to the Internet? Although many programs may need to make the same type of connection to the same Internet destination, you need to know the name of each. Avoid general rules that allow all programs to make a connection. This often results in unwanted and unchecked behavior.
  2. The Location test: What’s the Internet location of the computer system to which your computer wants to connect? Locations consist of an address and a port number. Sometimes a program is allowed to connect to any Internet location, such as a web browser connecting to any web server. Again, you want to limit programs so that they only connect to specific locations where possible.
  3. The Allowed test: Is this connection allowed or denied? Your firewall rules will contain some of each.
  4. The Temporary test: Is this connection temporary or permanent? For example, if you’re going to connect to this specific location more than five times each time you use the computer, you probably want to make the connection permanent. This means that you ought to add a rule to your firewall rules. If you aren’t going to make this connection often, you should define it as temporary.

With each connection, apply the PLAT tests to get the information you need to build a firewall rule. The answer to the PLAT tests tells you if you need to include a new firewall rule for this new connection. For most firewall programs, you can temporarily allow a connection but avoid making it permanent by not including it in your rules. Where possible, allow only temporary connections.

As you run each program on your home computer, you’ll learn how it uses the Internet. Slowly you’ll begin to build the set of rules that define what traffic is allowed into and out of your computer. By only letting in and out what you approve and denying all else, you will strike a practical balance between allowing everything and allowing nothing in or out.

Along the way, you may come across exceptions to your rules. For example, you might decide that anybody who uses your home computer can visit any web site except a chosen few web sites. This is analogous to the security guard letting every employee pass except a few who need more attention first.

To do this with firewall rules, the exception rules must be listed before the general rules. For example, this means that the web sites whose connections are not allowed must be listed before the rules that allow all connections to any web site.

Why? Most firewall programs search their rules starting from the first through the last. When the firewall finds a rule that matches the packet being examined, the firewall honors it, does what the rule says, and looks no further. For example, if the firewall finds the general rule allowing any web site connections first, it honors this rule and doesn’t look further for rules that might deny such a connection. So, the order of firewall rules is important.

Many firewalls can be programmed to require a password before changing the rules. This extra level of protection safeguards against unwanted changes no matter their source, that is, you, an intruder, or another user. Follow the guidance in Task 6 - Use Strong Passwords when assigning a password to your firewall.

Finally, make a backup of your firewall rules. You’ve probably taken a lot of time to build and tune them to match how your home computer is used. These rules are important to your computer’s security, so back them up using the guidance in Task 5 - Make Backups of Important Files and Folders.

Firewalls come in two general types: hardware and software (programs). The software versions also come in two types: free versions and commercial versions (ones that you purchase). At a minimum, you should use one of the free versions on your home computer. This is especially important if you have a laptop that you connect to your home network as well as a network at a hotel, a conference, or your office.

If you can afford a hardware firewall, you should install one of these too. We’ve recommended this as something to do later. (Firewall programs are Task 4 on our list of recommended actions, and hardware firewalls are Task 8.) The same issues apply to the hardware versions that apply to the software versions. Many can also be password protected against unwanted changes. Search the Internet with your browser to see what’s available and what they cost. The price of hardware firewalls is coming down as the demand grows.

A firewall is your security guard that stands between your home computer and the Internet. It lets you control which traffic your computer accepts. It also controls which of your programs can connect to the Internet. With a firewall, you define which connections between your computer and other computers on the Internet are allowed and which are denied. There are free firewall products that provide the capabilities you need to secure your home computer. Commercial versions have even more features that can further protect your computer.

Use Care When Reading Email with Attachments


We’ve all heard stories about people receiving an item in the mail that in some way caused them harm. We’ve heard of letter bombs and exploding packages, and in 2001, we learned about Anthrax-laden letters. Although their frequency is low, they do make news.

These unsolicited items are sent to unsuspecting recipients. They may contain a return address, a provocative envelope, or something else that encourages its receiver to open it. This technique is called social engineering. Because we are trusting and curious, social engineering is often effective.

In the case of the Anthrax letters addressed to United States senators, the envelopes contained a school’s return address as an inducement to open them. What government official wouldn’t want to serve their constituency by reading and responding to a letter supposedly sent by a class at a school, especially an elementary school? By opening the letter and subsequently spreading its lethal contents, the recipient complied with the wishes of the sender, a key foundation of social engineering. In the pre-Anthrax letter days, a mail handler might have given little thought to the contents of the letter or the validity of the return address. Those days are behind us.

You probably receive lots of mail each day, much of it unsolicited and containing unfamiliar but plausible return addresses. Some of this mail uses social engineering to tell you of a contest that you may have won or the details of a product that you might like. The sender is trying to encourage you to open the letter, read its contents, and interact with them in some way that is financially beneficial – to them. Even today, many of us open letters to learn what we’ve won or what fantastic deal awaits us. Since there are few consequences, there’s no harm in opening them.

Email-borne viruses and worms operate much the same way, except there are consequences, sometimes significant ones. Malicious email often contains a return address of someone we know and often has a provocative Subject line. This is social engineering at its finest – something we want to read from someone we know.

Email viruses and worms are fairly common. If you’ve not received one, chances are you will. Here are steps you can use to help you decide what to do with every email message with an attachment that you receive. You should only read a message that passes all of these tests.

  1. The Know test: Is the email from someone that you know?
  2. The Received test: Have you received email from this sender before?
  3. The Expect test: Were you expecting email with an attachment from this sender?
  4. The Sense test: Does email from the sender with the contents as described in the Subject line and the name of the attachment(s) make sense? For example, would you expect the sender – let’s say your Mother – to send you an email message with the Subject line “Here you have, ;o)” that contains a message with attachment – let’s say AnnaKournikova.jpg.vbs? A message like that probably doesn’t make sense. In fact, it happens to be an instance of the Anna Kournikova worm, and reading it can damage your system.
  5. The Virus test: Does this email contain a virus? To determine this, you need to install and use an anti-virus program. That task is described in Task 1 - Install and Use Anti-Virus Programs.

You should apply these five tests – KRESV – to every piece of email with an attachment that you receive. If any test fails, toss that email. If they all pass, then you still need to exercise care and watch for unexpected results as you read it.

Now, given the KRESV tests, imagine that you want to send email with an attachment to someone with whom you’ve never corresponded – what should you do? Here’s a set of steps to follow to begin an email dialogue with someone.

  1. Since the recipient doesn’t already Know you, you need to send them an introductory email. It must not contain an attachment. Basically, you’re introducing yourself and asking their permission to send email with an attachment that they may otherwise be suspicious of. Tell them who you are, what you’d like to do, and ask for permission to continue.
  2. This introductory email qualifies as the mail Received from you.
  3. Hopefully, they’ll respond; and if they do, honor their wishes. If they choose not to receive email with an attachment from you, don’t send one. If you never hear from them, try your introductory email one more time.
  4. If they accept your offer to receive email with an attachment, send it off. They will Know you and will have Received email from you before. They will also Expect this email with an attachment, so you’ve satisfied the first three requirements of the KRESV tests.
  5. Whatever you send should make Sense to them. Don’t use a provocative Subject line or any other social engineering practice to encourage them to read your email.
  6. Check the attachments for Viruses. This is again based on having virus-checking programs, and we’ll discuss that later.

The KRESV tests help you focus on the most important issues when sending and receiving email with attachments. Use it every time you send email, but be aware that there is no foolproof scheme for working with email, or security in general. You still need to exercise care. While an anti-virus program alerts you to many viruses that may find their way to your home computer, there will always be a lag between when a virus is discovered and when anti-virus program vendors provide the new virus signature. This means that you shouldn’t rely entirely on your anti-virus programs. You must continue to exercise care when reading email.

Keep Your System Patched


If one of your appliances broke, you’d probably try to have it repaired. You’d call a repairperson whom you hope could do the job. You’d get an estimate and then you’d either get it fixed or replace it. Your goal is to somehow restore the functions that the appliance provides.

What do you do when a software “appliance” – a program – or the operating system itself breaks? How do you restore the functions that they provide? Do you know whom to call or even where to look to determine what to do next?

Most vendors provide patches that are supposed to fix bugs in their products. Frequently these patches do what they’re supposed to do. However, sometimes a patch fixes one problem but causes another. For example, did you ever have a repairperson fix an appliance but in the process, they scratched the floor or damaged a countertop during their visit? For a computer, the repair cycle might have to be repeated until a patch completely fixes a problem.

Vendors often provide free patches on their web sites. When you purchase programs, it’s a good idea to see if and how the vendor supplies patches, and if and how they provide a way to ask questions about their products. Just as appliance vendors often sell extended warranties for their products, some software vendors may also sell support for theirs.

Have you ever received a recall notice for your car or another product you’ve purchased? Vendors send these notices to product owners when a safety-related problem has been discovered. Registering your purchase through the warranty card gives the vendor the information they need to contact you if there is a recall.

Program vendors also provide a recall-like service. You can receive patch notices through email by subscribing to mailing lists operated by the programs’ vendors. Through this type of service, you can learn about problems with your computer even before you discover them and, hopefully, before intruders have the chance to exploit them. Consult the vendor’s web site to see how to get email notices about patches as soon as they’re available.

Some vendors have gone beyond mailing lists. They provide programs bundled with their systems that automatically contact their web sites looking for patches specifically for your home computer. These automatic updates tell you when patches are available, download them, and even install them. You can tailor the update features to do only want you want, such as just telling you something new is waiting but doing nothing more.

While the patching process is getting easier, even to the point where it can be completely automated, it is not yet foolproof. In some cases, installing a patch can cause another seemingly unrelated program to break. The challenge is to do as much homework as you can to learn what a patch is supposed to do and what problems it might cause once you’ve installed it.

This is a hard job. Often, the vendors don’t tell you about problems their patches can cause. Why? Because it is simply impossible to test all possible programs with all possible patches to discover unexpected side effects. Imagine doing that job and then continuing to do that for each new program and patch that comes along. Vendors rely on their customers to tell them when something unexpected happens once a patch is installed. So, if this happens to you, let them know.

Imagine then that you’ve either found a patch on the vendor’s site or you’ve received notice that a patch is available. What do you do next? Follow the steps below to evaluate a patch before you install it:

  1. The Affected test: Does this patch affect one of the programs on your computer? If it doesn’t affect your computer, you’re done. Whew!
  2. The Break test: Can you tell from the vendor’s web site or the patch’s description if installing it breaks something else that you care about? If installation does break something, then you have to decide how to proceed. Try notifying the vendor of the program that might break to learn what their strategy is for addressing this problem. Also, use your web browser to learn if anyone else has experienced this problem and what he or she did about it.
  3. The Undo test: Can you undo the patch? That is, can you restore your computer to the way it was before you installed the patch? Currently, vendors are building most patches with an uninstall feature that enables you to remove a patch that has unwanted consequences. In addition, some computers also come with features that help you restore them to a previously known and working state should there be a problem. You need to know what your computer provides so that you can undo a patch if necessary.

Recall from the Introduction that intruders exploit vulnerabilities to gain access to home computers. How do intruders find out about these vulnerabilities? In many cases, they read the same vendor mailing lists and use the same automatic notification schemes that you use. This means that you need to evaluate and install patches on your home computer as soon as they’re available. The longer a vulnerability is known, the greater the chances are that an intruder will find it on your home computer and exploit it. With the ABU tests, you can quickly evaluate and install patches to keep intruders off your home computer.

One last thing: patches are usually distributed as programs. This means that you need to use the DCAL steps described in Task 7 - Use Care When Downloading and Installing Programs before loading and installing a patch. Intruders often take advantage of vulnerabilities wherever they may be. In many cases, the vulnerabilities they exploit may have patches, but those patches were not installed. For your home computer, make time to keep your programs patched wherever possible. If you can’t patch a program, shop around for an equivalent program and use it until the original program is fixed or you’ve abandoned it in favor of something more reliable.

You can spend money on maintenance where you get patches for programs, but that’s usually not necessary. Since most vendors provide free patches, mailing lists, and automatic updates, keeping your computer patched usually only costs you time.

Install and Use Anti-Virus Programs

If someone rang your doorbell and wanted to come into your living space to sell you something or to use your telephone, you’d need to make a decision whether or not to let them in. If they were a neighbor or someone you knew, you’d probably let them in. If you didn’t know them but believed their story and found them to be otherwise acceptable, say they were neat and clean and not threatening, you’d probably also let them in, but you’d watch them closely while they were in your space.

What are you doing here? You are profiling this person and then deciding what to do based on that profile. It’s your responsibility to be concerned about who enters your living space. Further, if you have children, you’ve probably also taught them how to deal with strangers who come to your door.

Anti-virus programs work much the same way. These programs look at the contents of each file, searching for specific patterns that match a profile – called a virus signature – of something known to be harmful. For each file that matches a signature, the anti-virus program typically provides several options on how to respond, such as removing the offending patterns or destroying the file.

To understand how anti-virus programs work, think about scam artists – people who visit your home to try to get you to buy a phony product or service, or to let them in. Once inside, they may try to steal your valuables or try to harm you in some way.

There are a variety of ways you might find out about a specific scam artist lurking in your neighborhood. Perhaps you see a television report or read a newspaper article about them. They might include pictures and excerpts of the story the scam artist uses to scam their victims. The news report gives you a profile of someone you need to be on the lookout for. You watch for that person until either the story fades away or you hear that they’ve been caught.

Anti-virus programs work much the same way. When the anti-virus program vendors learn about a new virus, they provide an updated set of virus signatures that include that new one. Through features provided by the updated anti-virus program, your home computer also automatically learns of this new virus and begins checking each file for it, along with checking for all the older viruses. However, unlike scam artists, viruses never completely fade away. Their signatures remain part of the master version of all virus signatures.

Suppose a scam artist was at your front door. What would you do? Perhaps you’d not encourage them to come in nor buy their product but, at the same time, you’d try not to upset them. You’d politely listen to their story and then send them on their way. After you closed the door, you may call the police or the telephone number given in the report that initially brought them to your attention.

With viruses, you often have the chance to react to them when they’ve been discovered on your home computer. Depending upon the specific characteristics of the virus, you might be able to clean the infected file. Or you might be forced to destroy the file and load a new copy from your backups or original distribution media. Your options depend upon your choice of anti-virus program and the virus that’s been detected.

In your living space, you look at those who come to your door and you look at what you receive in the mail. These are two of the ways that items can get into your living space, so you examine them, sometimes closely, sometimes not.

Viruses can reach your computer in many ways, through floppy disks, CD-ROMs, email, web sites, and downloaded files. All need to be checked for viruses each time you use them. In other words, when you insert a floppy disk into the drive, check it for viruses. When you receive email, check it for viruses (remember to use the KRESV tests described in Task 3 - Use Care When Reading Email with Attachments). When you download a file from the Internet, check it for viruses before using it. Your anti-virus program may let you specify all of these as places to check for viruses each time you operate on them. Your anti-virus program may also do this automatically. All you need to do is to open or run the file to cause it to be checked.

Just as you walk around your living space to see if everything is OK, you also need to “walk” around your home computer to see if there are any viruses lurking about. Most anti-virus programs let you schedule periodic exams of all files on your home computer on a regular basis, daily for example. If you leave your computer turned on over night, think about scheduling a full-system review during that time.

Some anti-virus programs have more advanced features that extend their recognition capabilities beyond virus signatures. Sometimes a file won’t match any of the known signatures, but it may have some of the characteristics of a virus. This is comparable to getting that “there’s something not quite right here, so I’m not going to let them in” feeling as you greet someone at your door. These heuristic tests, as they’re called, help you to keep up with new viruses that aren’t yet defined in your list of virus signatures.

An anti-virus program is frequently an add-on to your home computer, though your newly purchased computer might include a trial version. At some point, say after 60 days, you must purchase it to continue using it. To decide whether to make that purchase or to look elsewhere, use these steps for evaluating anti-virus programs:

  1. The Demand test: Can you check a file on demand, for example, when you want to send an attachment as part of the KRESV tests?
  2. The Update test: Can you update the virus signatures automatically? Daily is best.
  3. The Respond test: What are all the ways that you can respond to an infected file? Can the virus checker clean a file?
  4. The Check test: Can you check every file that gets to your home computer, no matter how it gets there, and can those checks be automated?
  5. The Heuristics test: Does the virus checker do heuristics tests? How are these defined?

These tests – the DURCH tests – help you compare anti-virus programs. Once you’ve made your selection, install it and use all of its capabilities all of the time.

Intruders are the most successful in attacking all computers – not just home computers – when they use viruses and worms. Installing an anti-virus program and keeping it up to date is among the best defenses for your home computer. If your financial resources are limited, they are better spent purchasing a commercial anti-virus program than anything else.

Assigning Inmates to Prison

Assigning Inmates to Prison

Prison classification is a method of assessing inmate risks that balance security requirements with program needs. Newly admitted inmates are transported from county jails to one of 11 prison receiving centers where the risk assessment process begins. There are two reception centers for females, two for male youth, and seven for adult males. Upon admission, processing and evaluation of offenders begins. They are put through a series of evaluations, including medical and mental health screenings. Prison classification specialists develop an individual profile of each inmate that includes the offender’s crime, social background, education, job skills and work history, health, and criminal record, including prior prison sentences. Based on this information, the offender is assigned to the most appropriate custody classification and prison.

From this initial classification, inmate behavior and continuing risk assessments by prison staff will determine the inmate’s progression through the various custody levels to minimum custody and eventual release. Prison managers assign inmates to work, rehabilitative self improvement programs, and treatment. As inmates serve their sentences, the inmates who comply with prison rules, do assigned work, and participate in corrective programs, may progress toward minimum custody. Inmates who violate prison rules are punished and may be classified for a more restrictive custody classification and a more secure prison. Inmates are then required to demonstrate responsible and improved behavior over time to progress from this status to less restrictive custody classifications and prisons.

Inmate Custody Levels
Inmates may be classified and assigned to the following custodial levels; close, medium, minimum I, minimum II and minimum III. The classification levels are in descending order of perceived public safety risks presented by the inmate. Inmates in close custody present the highest risk while inmates in minimum III generally present the least risk. Within this mix of custodial assignments, inmates also may be subject to various control statuses. The control statuses include maximum, death row, intensive, safekeeper, disciplinary, administrative and protective. Each of these control statuses further restricts inmate freedoms and privileges. Assignment and removal of inmates from these statuses is generally at the discretion of higher level classification authorities in the Division of Prisons. The imposition of these additional custody control measures are generally for the purpose of maintaining order in the prison, protecting staff safety or providing for inmate safety.

Prison Security Levels
Prisons are classified and designated by security level. The security levels used by the Division of Prisons are close, medium, and minimum. Specific cell areas within close security institutions may be designated by the Director of Prisons as maximum security. Security levels are determined by the design and unique features of the prison, the level of staffing, and the operating procedures. Maximum security is the most restrictive level of confinement and minimum security is the least restrictive. The prison security level is an indicator of the extent to which an offender who is assigned to that facility is separated from the civilian community.

Maximum security units are comprised of cells with sliding cell doors that are remotely operated from a secure control station. Maximum security units are designated by the Director of Prisons at selected close security prisons. These units are utilized to confine the most dangerous inmates who are a severe threat to public safety, correctional staff, and other inmates. Inmates confined in a maximum security unit typically are in their cell 23 hours a day. During the other hour they may be allowed to shower and exercise in the cellblock or an exterior cage. All inmate movement is strictly controlled with the use of physical restraints and correctional officer escort.

Polk Youth Institution
Polk Youth Institution
Butner, NC
Close security

Close security prisons typically are comprised of single cells and divided into cellblocks, which may be in one building or multiple buildings. Cell doors generally are remotely controlled from a secure control station. Each cell is equipped with its own combination plumbing fixture, which includes a sink and toilet. The perimeter barrier is designed with a double fence with armed watch towers or armed roving patrols. Inmate movement is restricted and supervised by correctional staff. Inmates are allowed out of their cells to work or attend corrective programs inside the facility.
Medium security prisons typically are comprised of secure dormitories that provide housing for up to 50 inmates each. Each dormitory contains a group toilet and shower area as well as sinks. Inmates sleep in a military style double bunk and have an adjacent metal locker for storage of uniforms, undergarments, shoes, etc. Each dormitory is locked at night with a correctional officer providing direct supervision of the inmates and sleeping area. The prison usually has a double fence perimeter with armed watch towers or armed roving patrols. There is less supervision and control over the internal movement of inmates than in a close security prison.

Wayne Correctional Center
Wayne Correctional Center
Goldsboro, NC
Medium security

Some medium security prisons may be designed with dry cells as the method of inmate housing. Dry cells contain no toilet fixture. Most inmate work and self improvement programs are within the prison, although selected medium custody inmates are worked outside of the prison under armed supervision of trained correctional officers. These inmate work assignments support prison farm operations or highway maintenance for the Department of Transportation. Each medium security prison typically has a single cell unit for the punishment of inmates who violate prison rules.

Durham Correction Center
Durham Correctional Center
Durham NC
Minimum security

Minimum security prisons are comprised of non-secure dormitories which are routinely patrolled by correctional officers. Like the medium security dorm, it has it’s own group toilet and shower area adjacent to the sleeping quarters that contain double bunks and lockers. The prison generally has a single perimeter fence which is inspected on a regular basis, but has no armed watch towers or roving patrol. There is less supervision and control over inmates in the dormitories and less supervision of inmate movement within the prison than at a medium facility. Inmates assigned to minimum security prisons generally pose the least risk to public safety.
Minimum custody inmates at minimum security prisons usually participate in community based work assignments such as the Governor’s Community Work Program, road maintenance with Department of Transportation employee supervision, or work release with civilian employers. Also, inmates may participate in prerelease transition programs with Community Volunteers and family sponsors. The proper security designation of facilities combined with appropriate offender classification and assignment provide the foundation for safe and secure prison management and operational efficiency.