Search This Blog

Friday, December 23, 2011

Security Management Weekly - December 23, 2011

header

  Learn more! ->   sm professional  

December 23, 2011
 
 
Corporate Security
  1. "Retailers Asked to Tackle Gift Card Fraud"
  2. "Southern California Edison Raises Security After Deadly Workplace Shooting"
  3. "Brave New World of Intrusion Security"
  4. "The Nine Practices of the Successful Security Leader"
  5. "Protecting Multi-Tenant Data Centers"

Homeland Security
  1. "NYPD's Spying Programs Produced Mixed Results"
  2. "U.S. Erred in Deadly Attack" Attack on Pakistani Border Outpost
  3. "Senior Republican Slams DHS For Misleading Congress on Chemical Security Office" Sen. Susan Collins
  4. "Pyongyang's Neighbors Worry Over Nuclear Arms"
  5. "US Army Traces Alleged Leaker's Digital Footprints"

Cyber Security
  1. "Lawmakers Urge Action on Hacking" U.S. Chamber of Commerce Security Breach
  2. "China Hackers Hit U.S. Chamber"
  3. "South Korean Military Raises Cyber Alert"
  4. "Hackers Threaten Voting Systems, Electoral Process" Iowa Caucuses
  5. "Smartphones Blamed for Increasing Risk of Health Data Breaches"

   

 
 
 

 


Retailers Asked to Tackle Gift Card Fraud
Security Director News (12/21/11) Richardson, Whit

Sen. Charles Schumer (D-N.Y.) is calling for retailers and card makers to take steps to prevent gift card fraud. In a recent letter to the National Retail Federation and Retail Gift Card Association, Schumer noted that criminals have been stealing gift card numbers and the PINs that are sometimes printed on the back of gift cards. Criminals are then using the Internet to monitor when those cards have been bought and activated, Schumer said, so that they can spend the money before the card's owner even knows. Schumer said that retailers should take steps to prevent gift card numbers from being stolen, while card makers should use systems and package gift cards in such a way that it is less likely that account numbers and PINs will be stolen before the cards are purchased. In response to Schumer's letter, Joe LaRocca, the senior adviser for asset protection at NRF, said that retailers have already taken steps to combat gift card fraud, including using security codes on cards, monitoring where balance inquiries come from and how many queries have been made, and training loss prevention executives who work with law enforcement to fight organized retail crime, which can include the type of gift card fraud described by Schumer.


Southern California Edison Raises Security After Deadly Workplace Shooting
Associated Press (12/19/11)

Security has been increased at Southern California Edison following a shooting at one of the company's offices on Friday. That shooting, which took place in the Los Angeles suburb of Irwindale, took the lives of four people and the gunman, who killed himself. A spokesman for Southern California Edison refused to say what new security measures were being put in place in the wake of those shootings or whether the security measures were being implemented throughout the company. Meanwhile, the investigation into the shootings is ongoing. All of the victims of the shooting were supervisors at Southern California Edison, thought it is not clear if any of them directly supervised the shooter.


Brave New World of Intrusion Security
SecurityInfoWatch.com (12/08/11) Colombo, Allan B.

On the technical side, one of the most notable changes in intrusion detection is how security platforms integrate with consumer-oriented mobile devices, such as smartphones. "Today everything is market driven in the end and our industry and the technology which is now offered is all blending together. We are indeed in the iPhone/Internet age. The bottom line is consumers are savvy about products, services and pricing," said Richard Cantor, CEO of Amerigard Alarm & Security Corp. A good example of this is the ability for the homeowner to control their residential alarm system from a remote spot using a laptop or cell phone from any part of the world. The same connection allows them to view multiple cameras, as well as change the temperature, lighting, and other controls in the home. Business owners and managers also have come to use these same technological features. This has effectively extended their reach into the actual workplace, which permits them to more closely monitor for acts of shoplifting and internal theft. This necessitates a relatively high level of integration. The challenge for some traditional alarm companies, however, is that security professionals frequently lack the requisite skill sets to deal with digital technology in the network realm. When such is true, it is not uncommon for them to contract with systems integrators to help them with the Internet Protocol (IP) side of the job. For instance, an increasing number of alarm dealers are being asked by their clients -- both residential and commercial -- to provide outside access to camera systems. Consumers simply want to take advantage of all the benefits that today's digital IP technology offers.


The Nine Practices of the Successful Security Leader
Security Executive Council (12/01/2011)

The Security Executive Council carried out a series of in-depth interviews with security leaders in 2009 and came up with these nine practices that the most successful security professionals have in common. A formal marketing and communications strategy builds internal awareness of the security department and increases the understanding of what security does and the value it brings to the organization. The security leaders interviewed who sensed that C-suite leaders required greater understanding of security's role took the critical step of speaking directly to business unit leaders to understand what risk issues keep them awake at night and what security services they find valuable. The most successful security leaders interviewed by the Security Executive Council regularly talk to senior business leaders about their goals and worries to determine how security can help. Even if the mission, goals, and strategies of the security department are perfectly in tandem with the organization's, if they are not communicated in the proper terms, they may be rejected by senior management. Discussing business issues in business terms helps enhance management's understanding of security and bolsters the chances of management support. While many security leaders believe it is their job to change the corporate culture into something that is more security-oriented, the research found that successful leaders believe it is their job to learn the existing corporate culture and find the best way to incorporate security into it. Respect is won over time, so security leaders who tap into the fears of businesses may initially gain support but could lose influence and trust in the long run. Many interviewed said that the goals of the security function trickled down from the CEO. If brand protection was a key corporate concern, for example, it became security's priority. Those interviewed who started from day-one in the organization with a high level of management support performed best. They reported that management puts a premium on the security department, that they are given one-on-one access to the presidents and chairman, and that their advice, if not always followed, is never disregarded. Many of the leaders surveyed took it upon themselves to become central contact points on risk for other business units. One interviewee remarked on his function's close relationship with no fewer than seven operational functions.


Protecting Multi-Tenant Data Centers
Security Technology Executive (12/11) Vol. 21,

Multi-tenant data centers provide organizations with a more unified and cost-effective approach to securing information. However, data centers and the security professionals who run them face competitive concerns, terrorist threats, federal regulations, and natural disasters as they work to bolster both physical and logistical security operations to seamlessly protect sensitive customer information. According to a Forrester Research questionnaire conducted in 2010, 42 percent of enterprises and 37 percent of small and medium-sized businesses planned to up security spending by 5 percent or more a year. Many multi-user data centers are adopting anti-passback security processes that require a specific sequence in which access cards must be used in order for customers, contractors, and visitors to swipe in and out of customer suites. In addition, in the unlikely event of an emergency requiring evacuation of the building, an anti-passback process gives the security team and first responders accurate information on whether or not a total evacuation has taken place. For additional internal security, data center providers are looking to in-house security teams, as opposed to contract or off-duty patrol officers, to oversee facilities 24/7. Identification and security checkpoints employed throughout large data center campuses bring greater attention to visitor protocol. For example, Quality Technology Services (QTS), the third-largest data center provider in the country, employs two to three officers per shift who carry out physical security tours each shift. Officers look over access logs, check access control systems at each man trap entryway, and observe the physical appearance of areas in and around customer suites. Data centers must comply with a checklist of requirements from the Department of Homeland Security, and participate in follow-up reviews. Physical security aspects of the review include, but are not limited to: fences, parking, security lighting, and vehicle access. Personnel security, background checks, and critical infrastructure amenities such as electric, water, waste water, and telecommunications also are considered when crafting a terrorism protection strategy.




NYPD's Spying Programs Produced Mixed Results
Associated Press (12/23/11)

The spying programs that the New York Police Department implemented in the wake of the Sept. 11 attacks had a mixed record in terms of their effectiveness in uncovering terrorist plots. Under those programs, the NYPD spied on mosques in the city and infiltrated dozens of them. Officers closely monitored imams, including some who did not advocate violence and had close relationships with police. In addition to watching mosques, the NYPD monitored Muslim student groups, businesses, and entire neighborhoods. While some of those programs achieved success, such as the foiling of a plot in 2004 to bomb a subway station in Manhattan, there were also failures as well. For instance, the program was not able to identify Najibullah Zazi and Adis Medunjanin, who plotted to attack the New York subway system in 2008. That plot was uncovered after U.S. intelligence agencies intercepted an e-mail that said that Zazi was trying to build a bomb. Other programs, such as a the monitoring of city residents who legally changed their names after converting to Islam or moving to the U.S. from a Muslim country, produced little in the way of meaningful results. Although police still receive a list of people who have legally changed their names, the program has been placed on hold while officials try to determine whether or not it has been effective. One official who does not need to be convinced about the effectiveness of the NYPD's spying programs is the department's intelligence chief, David Cohen, who said in a 2005 deposition that the fact that the city had not been successfully attacked was proof that the programs were working.


U.S. Erred in Deadly Attack
Wall Street Journal (12/22/11) Barnes, Julian E.; Entous, Adam

The U.S. military has concluded an investigation into the deadly NATO attack on a Pakistani border outpost on Nov. 26, and has determined that the U.S. bears a significant amount of responsibility for the incident. According to the report on the investigation, NATO forces did not inform the Pakistanis about a joint U.S.-Afghan operation that took place in a region near the Afghanistan-Pakistan border before the attack on the border outpost took place. The Pakistanis, meanwhile, did not provide coalition forces with information about the location of its border outposts. The report noted that after the joint U.S.-Afghan force came under attack from positions along a nearby ridge, NATO informed the force that there were no Pakistani troops in the area. As a result, U.S. officials temporarily stopped asking Pakistani military officials whether there were troops nearby. The report also found that a serviceman who was in communications with a border-control center staffed by Pakistani, Afghan, and NATO officials gave the Pakistanis incorrect information that led them to believe that the battle involving the coalition forces was nine miles from where it was actually occurring. In addition, the incorrect information made it impossible for the Pakistani representative at the border-control center to tell that U.S. helicopters were attacking Pakistani troops. But despite the mistakes made by U.S. forces, American military officials say that the presence of fighter jets and gunships should have alerted the Pakistanis to the fact that they were not firing on insurgents.


Senior Republican Slams DHS For Misleading Congress on Chemical Security Office
Fox News (12/22/11) Levine, Mike

Sen. Susan Collins (R-Maine) says that a recently-released internal Department of Homeland Security (DHS) investigation of the Chemical Facility Anti-Terrorism Standards (CFATS) contradicts what DHS officials have told Congress about the program. The report described CFATS as "at measurable risk," due to concerns over spending and unqualified employees who lack "professionalism." The report also found that the program, which is charged with inspecting facilities that manufacture dangerous chemicals, has yet to conduct any such compliance inspections. However, DHS National Protection and Programs Directorate, Rand Beers, rejected Collins' accusation that DHS officials did not warn lawmakers about their concerns, saying Congress was informed about "a number" of problems through both public hearings and private briefings. Collins, on the other hand, quoted Beers from a March 2010 Senate hearing, where he called the program "a tremendous success to date." At the same hearing, Beers repeatedly acknowledged "challenges and even some setbacks," though he did not go into as much detail as the DHS report. Beers says that he was not surprised by the report's conclusions, but said that until now he has been unaware of the details of CFATS' shortcomings. There has been some indication that DHS officials may have been misled about the program by their own subordinates. Regardless of whether or not that is the case, Collins says DHS will be held accountable for the program's problems and for ensuring CFATS gets back on track.


Pyongyang's Neighbors Worry Over Nuclear Arms
Wall Street Journal (12/20/11) Johnson, Keith

The status of North Korea's nuclear weapons in the aftermath of the death of the country's leader, Kim Jong Il, is a concern among some of the reclusive country's neighbors. One question that has been raised by the death of Kim Jong Il is who has control over North Korea's nuclear weapons. North Korea's National Defense Commission, whose leader is Kim Jong Il's brother-in-law, is technically in control of the country's nuclear devices and missiles. However, experts say that safeguards are not in place in North Korea to prevent the weapons from being accidentally deployed or deliberately deployed by unauthorized individuals. In addition, other North Korean officials could have informal control of the country's one to two dozen nuclear devices, which may or may not be in the form of operational warheads. The supreme leader may also have direct control over the devices. In addition to questions about who has control over North Korea's nuclear devices, there are also questions about where the devices are located. Some experts believe that North Korea keeps its nuclear weapons and missiles separate, though they say that the bombs are located near bases that store medium-range missiles.


US Army Traces Alleged Leaker's Digital Footprints
Associated Press (12/19/11) Dishneau, David; Jelinek, Pauline

U.S. Army officials held another hearing on Sunday to determine whether or not Pvt. Bradley Manning, the intelligence analyst who is accused of giving thousands of sensitive documents to the file sharing Web site WikiLeaks, will face a court martial. Manning faces 22 charges, including aiding the enemy, for allegedly downloading 10,000 U.S. diplomatic cables and other sensitive government information such as assessments of terrorist detainees at Guantanamo Bay and a video of a 2007 helicopter attack. Testifying at Sunday's hearing was digital-crimes investigator David Shaver, who said that an analysis of two work computers used by Manning showed that someone had used one of the machines to make the process of downloading the cables more efficient so that they could be sent to a third party. Shaver said the analysis also showed that all of the sensitive material that was downloaded was tied to Manning's user name or user profile. Evidence was also found on one of Manning's work computers that someone had performed more than 100 Web searches for information about WikiLeaks and its founder, Julian Assange. Manning's attorney's, for their part, are basing their defense on the notion that the Army private's supervisors should have known that Manning posed a potential threat and that they should have taken steps to prevent him from leaking sensitive information. The hearings into whether Manning will be court-martialed could last several more days.




Lawmakers Urge Action on Hacking
Wall Street Journal (12/22/11) Gorman, Siobhan

House Intelligence Committee Chairman Mike Rogers (R-Mich.) and other lawmakers say that the hack that took place at the U.S. Chamber of Commerce underscores the need for legislation that would improve cybersecurity in both the private and public sectors. In that breach, which has been blamed on Chinese hackers with ties to that country's government, the e-mails of four Chamber of Commerce employees who worked on Asia policy issues were stolen. It is unclear whether other documents or information was stolen by the hackers before the security breach was discovered. Rogers noted that one reason why private sector organizations like the Chamber of Commerce are experiencing cyber attacks is the fact that they need clearer authority to detect threats and share information, and because they need better access to the federal government's knowledge about cybersecurity threats. The chairman added that legislation that he is sponsoring would address these problems by allowing the private sector to access classified data about cybersecurity threats and to share information about security breaches with the government while being protected from any liability that arose from their decision to share such information.


China Hackers Hit U.S. Chamber
Wall Street Journal (12/21/11) Gorman, Siobhan

Officials at the U.S. Chamber of Commerce revealed that Chinese hackers broke into the organization's systems and had access to the network at least from November 2009 to May 2010, when the hack was discovered and eventually shut down. After the breach was uncovered, a team that had been hired by the Chamber to find out what the hackers were doing noticed that the intruders had constructed at least six back doors in the organization's systems to ensure that they had access whenever they wanted. In addition, the hackers had constructed mechanisms that would allow computers in China to communicate with the breached systems at the Chamber of Commerce once every couple of weeks. The hackers also were able to use search tools to find documents on the Chamber's network that contained certain information. It is not clear how much data the hackers were able to view while they were in the system, although it appears that the hackers stole emails that had been sent and received by Chamber employees working on Asia policy over a period of six weeks. The emails included information such as trade-policy documents, the names of companies and people who were in contact with the Chamber, and meeting notes. The breach eventually was shut down after the Chamber unplugged and destroyed some of its computers. Better intrusion detection equipment also was installed, and Chamber employees were prevented from taking portable devices to China. China has denied having any role in the hack.


South Korean Military Raises Cyber Alert
Bloomberg (12/20/11) Han, Marie-France; Yang, Jun

Both the South Korean military and the country's civilian government are on a heightened state of alert for cyber attacks from North Korea. South Korea's military has raised its cyber alert level to "infocon 4," which is one level above the standard cyber alert level and is an indication that there is a general threat of a cyber attack. The Korean Communications Commission, meanwhile, has raised its alert level to "caution." That is also one level above the standard alert level. The increased cyber vigilance in South Korea comes in response to the recent death of North Korean leader Kim Jong Il. Some say that North Korea could launch a cyber attack on its neighbor to the south in order to cause confusion and chaos and to strengthen new leader Kim Jong Un. However, others say that any cyber attacks that Pyongyang launches will likely be mild because the country is still in mourning. North Korea has launched cyber attacks on South Korean targets in past, including distributed denial-of-service attacks on as many as 40 South Korean Web sites in March.


Hackers Threaten Voting Systems, Electoral Process
eWeek (12/20/11) Rashid, Fahmida Y.

Iowa's Republican Party is increasing the security of the computer systems it will use Jan. 3 for the first caucus in the 2012 presidential campaign, after a recent threat to hack into the voting systems, according to the Associated Press. The threat came in the form of a YouTube video calling on Anonymous supporters to "peacefully shut down the Iowa caucuses," in protest of what the group considers a corrupt political system that favors corporations. Anonymous is a loose collective of like-minded hackers without an official structure, making it easy for a few individuals to claim an attack without most of the group's participation or knowledge. The Republican Party recently authorized added security measures designed to prevent attackers from delaying publication of the caucus results. Vote tampering could involve an attacker intercepting the final ballot before it is recorded on touchscreen voting systems. In September, Argonne National Laboratory researchers demonstrated such an attack using a credit card-sized device that cost about $10. "In light of the rapidly approaching 2012 U.S. presidential election, it seems there may be a need to give serious attention to securing our election technology," says ESET's Cameron Camp.


Smartphones Blamed for Increasing Risk of Health Data Breaches
American Medical News (12/19/11) Dolan, Pamela Lewis

Manhattan Research has found that there has been a rise in data breaches coinciding with the rise in physicians' use of smartphones and other mobile devices, though the reports did not indicate how many breaches were caused by these devices. These devices have two potential security risks, the first being that data can remain on a device and the second that the device can be used to access the electronic medical records of healthcare organizations. These risks are made more significant because the small size of devices makes them easier to lose, increasing the chances that this information will be accessed by a non-authorized individual. To help prevent data breaches through smartphones it is important for physicians to participate in ensuring the security of the mobile devices they use to access data. Encryption software is available for mobile devices and prevents data from being read without an encryption key. Updated anti-virus software and the use of password protection for device and data access are two protection methods that can also be implemented by a physician. Various medical societies offer resources that aide in developing the best practices for mobile device security, and some providers are finding that quarterly training meetings can help raise physician awareness of the problem and the ways to prevent data breaches.


Abstracts Copyright © 2011 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments: