Search This Blog

Friday, July 29, 2005

Security Management Weekly - July 29, 2005

header
A weekly security news briefing from ASIS International

  Learn more! ->   sm professional  

July 29, 2005
 
 
CORPORATE SECURITY  
  1. " Nebraska Introduces Online Consumer Vulnerability Survey" Identity Theft Survey Provides Tips for Avoiding Fraud
  2. " Bank Hides Tellers, Money to Avoid Robberies"
  3. " Lawyers' Delight: Old Web Material Doesn't Disappear" Web Archives Allow Businesses to See if Web Sites Illegally Made Use of Their Protected Material
  4. " Coping With Catastrophe: The First 24 Hours" Companies Should Prepare for Emergencies in Advance by Creating Response Plan
  5. " Criminal Databases & Pre-Employment Screening" Despite Risks, Security Directors Using Multi-State Criminal Records Databases to Evaluate Potential Employees
  6. " The Enterprise Risk Management Imperative" Sarbanes-Oxley Act Could Increase Popularity of Enterprise Risk Management
  7. " With IT, You Get Escrow" Technology Escrow Helps Businesses Protect Mission-Critical Software and Technologies

HOMELAND SECURITY   sponsored by  
  8. " Airport Seeks Immunity From Security Suits" If TSA Grants Blanket Immunity From Security Screener Lawsuits, Many Airports Could Switch to Private Screeners
  9. " Stun Guns to Arrest Bombers a Huge Risk--UK Police" Stun Guns Could Set Off Suicide Bombs
  10. " I.R.A. Renounces Use of Violence; Vows to Disarm"
  11. " Terror Watch on Tappan Zee Bridge" Security of U.S. Bridges Being Overlooked, Experts Say
  12. " Firetrucks Go High Tech" Sept. 11 Attacks Cause Rising Demand for Sophisticated Fire Trucks

CYBER SECURITY  
  13. " Security Experts Warn of Chinese Cyberattacks for Industrial Secrets" U.S. Companies Could Be Targeted
  14. " Lost a BlackBerry? Data Could Open a Security Breach" Misplaced or Stolen BlackBerry Devices Pose Security Risk
  15. " May I Have Your Identification, Please?" Several Email Authentication Technologies Could Become Industry Standard


   








 

"Nebraska Introduces Online Consumer Vulnerability Survey"
Business Wire (07/21/05)

A vulnerability survey recently released by Nebraska attorney general Jon Bruning will help Nebraska residents determine if they are at low, moderate, or high risk for becoming victims of identity theft or other fraud. The survey consists of 10 yes or no questions, and once completed, residents are provided with access to educational brochures. Bruning recommends several tips to help residents avoid fraud, such as determining how personal information will be used before releasing it; avoiding the disclosure of credit card numbers or bank account information over the phone with unknown callers; always using a secure browser for online purchases; photocopying all personal cards to ensure immediate access to necessary information in case of wallet loss or theft; analyzing each credit card statement and bank statement for unauthorized charges; avoiding sweepstakes, chain letters, and other scams; becoming educated about a company's product return and customer satisfaction policies; shredding documents that may contain valuable information; and regularly checking credit reports for mistakes.
(go to web site)

"Bank Hides Tellers, Money to Avoid Robberies"
Beacon Journal (07/24/05)

The Unizan Bank branch in downtown Canton, Ohio, was robbed five times between 1996 and 2001, but there has not been a single robbery attempt since the branch decided to remove all money from the bank and replace the bank's tellers with remote tellers who are viewed via a closed-circuit television screen. In comparison, the nearby National City Bank was robbed once from 1996 to 2001 and has been robbed twice more since 2001. The Unizan branch uses remote-teller devices instead of bank teller windows, with the devices allowing customers to communicate and interact with tellers who are located remotely--in this case, a basement, back office, or second-floor part of the building located up to 500 feet from the remote terminal. Potential bank robbers have no idea where the tellers actually are, and a system of pneumatic tubes allow for transactions involving cash, receipts, and checks. Nationwide, roughly 300 banks have purchased the remote tellers, which cost between $10,000 and $18,000 and are capable of conducting double the number of transactions as a bank counter. FBI Special Agent Robert Hawk explains that bank robberies run in cycles, with peaks every eight to 10 years. In 2004, there were 131 bank robberies in Ohio's northern counties, compared with just 42 so far this year. The number of robberies has declined this year because the arrest and conviction rate of robbers has been close to 72 percent, Hawk says.
(go to web site)

"Lawyers' Delight: Old Web Material Doesn't Disappear"
Wall Street Journal (07/27/05) P. A1 ; Kesmodel, David

Evidence in cases involving Web pages that improperly use trademarked or otherwise protected material owned by businesses is bolstered by the existence of Web archives such as the Wayback Machine and the Google Cache feature. The archives record the content of Web pages at regular intervals, so that even pages that have been deleted can be accessed, allowing businesses to see if the site has been used in an illegal manner at any point, not only at the current time. As a result, cases--including domain-name disputes--that were previously inconclusive because the site owner lied about the uses to which the Web page was being put, then deleted or altered the page to cover the evidence, are now easily resolved, with the archive providing the evidence of the page's former content. Although not exhaustive, the archives can nevertheless capture information on millions of Web pages, and will only delete content by request of an individual with verifiable authority over the site.
(go to web site)

"Coping With Catastrophe: The First 24 Hours"
Risk Management (07/05) Vol. 52, No. 7, P. 44 ; Davis, Brian A.; Walters, T. Danielle

Every company should prepare for a potential workplace emergency, as small problems can easily turn into a crisis if they are not prepared for or effectively dealt with from the beginning. Having a plan that spells out what the company will do in the event of an emergency and who will do it can help to limit the damage and speed up the recovery process. Companies should decide in advance who will be their primary liaison with emergency officials in the event of an emergency. These officials should be prepared to speak up if they feel that emergency responders are handling the situation unsafely, as a company can often be sued if emergency responders are hurt or killed if the cause of the incident is attributed to company negligence. A company should also work to control its legal exposure following a serious emergency, starting with immediately notifying insurers and legal counsel of the event. Damage from the event can also be minimized, by ensuring that the injured receive care, securing relevant evidence, retaining experienced defense counsel, and arranging to have the location where the emergency took place, along with the surrounding area, photographed. What a company does before a crisis happens can be important as well. Getting to know local authorities, creating a reputation for safety, and being a good corporate citizen can all go a long way to increase a company's chances of successfully making it through the first 24 hours after a crisis--or avoiding it altogether.
(go to web site)

"Criminal Databases & Pre-Employment Screening"
Security Technology & Design (07/05) Vol. 15, No. 7, P. 26 ; Rosen, Lester S.

Although multi-state criminal records databases can be a useful tool for security directors to use to evaluate a potential employee, there are limitations and legal risks involved in using them. Despite the risks, some security directors are turning to these databases because they cover a much wider geographical area than a traditional search conducted at county courthouses that are relevant to an applicant's history. However, multi-state databases are often inaccurate for a number of reasons. For instance, not all states provide criminal records to these types of databases, and those that do may not provide all the records that they have. A subject could also have a criminal record in the database under another name or a variation of his name. Multi-state criminal records databases also present certain legal pitfalls to companies that chose to use them. Some of these databases offer a grading system on a subject, such as a stoplight which may show green meaning cleared to hire and red meaning do not hire, which could be a violation of the federal Equal Employment Opportunity Law. Given their inaccuracies and the legal dilemmas that they present, multi-state criminal databases should not replace traditional searches, but should be used in conjunction with them.
(go to web site)

"The Enterprise Risk Management Imperative"
Business Finance (07/05) Vol. 11, No. 7, P. 54

Enterprise Risk Management (ERM) could be catapulted to the forefront of risk management strategies and decisions at a majority of companies seeking to employ the Sarbanes-Oxley Act and the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) ERM framework. Risk management professionals agree that there are numerous pressures forcing companies to take a second look at ERM, including Sarbanes-Oxley, further New York Stock Exchange requirements, ratings agencies, board audit committees, pending or possible litigation from stakeholders, and industry-specific regulations. The latest Business Finance Roundtable on the subject unveiled several benefits of ERM, though most will be difficult to quantify, including improved management of shareholder value and capital, improved risk appetite due to a better understanding of risks facing the firm, and the change of operations to maximize the benefits of each strategic decision. However, experts agree that the nature of ERM makes it difficult to apply to corporations because it has to be done incrementally, keep senior managers interested enough to provide resources for the ERM initiatives, and change corporate cultures, without really having guidance from a key catalyst or technology tailored enough to meet all of ERM's needs. On the other hand, Sarbanes-Oxley has laid the groundwork for ERM to be built on, though many roundtable experts are concerned that without an internal leader or merger and acquisition activity to spur further cultural change, many companies are likely to balk at implementing COSO's framework or another ERM strategy. ERM is expected to provide greater transparency for stock analysts, investors, and others, but risk managers and others have to be prepared to educate these stakeholders about the risks retained by the company, why they are retained, and what the results of taking those risks are expected to be. Meanwhile, insurance programs will have to be tailored under these new strategies to address risks that need to be insured against, though some panelists believe that risk managers should not worry about whether risks are insurable or uninsurable when conducting ERM analyses. On a side note, panelists discussed the emerging title of chief risk officer and its role in ERM, and ABD Insurance and Financial Services Senior Vice President of Risk Management John W. Schaefer noted that the title "indicates a failure in traditional risk managers to take care of their career. It's redundant and foolish to have a risk manager and a chief risk officer. If risk managers do their jobs correctly, it shouldn't be necessary to appoint a separate CRO."
(go to web site)

"With IT, You Get Escrow"
Security Management (07/05) Vol. 49, No. 5, P. 66 ; Johnson, Jeffrey

Technology escrow, a little-known but important way to secure mission-critical software, functions as an insurance policy for software source code, licensed mission-critical software, and other types of intellectual property. Technology escrow is an important part of technology licensing agreements, allowing the company that is licensing the technology to place the technology in an escrow account. A technology escrow agent creates the contract for the escrow arrangement, which typically allows the escrowed technology to be released to the company that licensed it if the developer of the technology is no longer able to support the technology. Scenarios in which the technology is no longer supported include if the vendor stops supporting an older product or declares bankruptcy. Without a technology escrow agreement, a company may be forced to go through the court system to obtain the ability to continue supporting the technology, and that process can take years. Companies can also use verification services to ensure that source code technology in the escrow account can be recompiled and executed. Companies can create a cross-functional internal team to perform a risk assessment to decide what technologies should be escrowed. Factors that define mission-critical software include whether the software is custom-made or unique; how large an investment the company has made in the software; what aspects of the business the software affects; the viability of the developer of the software; and how dependent the company is on the software.
(go to web site)

"Airport Seeks Immunity From Security Suits"
USA Today (07/26/05) ; Frank, Thomas

San Francisco International Airport, which uses private airport screeners, is requesting that it be given blanket immunity from potential lawsuits related to security failures by the airport screeners. "All we're asking is that we have the same protection with a private firm as an airport that has federal employees," says airport government affairs chief Peter Nardoza. The Transportation Security Administration says it will rule on the airport's request within 30 days. If the airport is granted blanket immunity, it could cause many airports around the country to jettison their government screeners and replace them with screeners from private firms, says the policy director of the Airports Council International, Stephen Van Beek. Some 100 lawsuits are still pending against the operators of the three airports used by the Sept. 11 hijackers.
(go to web site)

"Stun Guns to Arrest Bombers a Huge Risk--UK Police"
Reuters (07/29/05) ; Majendie, Paul

London's chief of police says that authorities' use of a stun gun to subdue suspected London bomber Yasin Hassan Omar represented "an incredible risk" because if Omar had been wearing bombs, the electric currents of the stun gun could have caused the bombs to explode. Metropolitan Police Commissioner Ian Blair also indicated that there was a policy against using stun guns on suicide bombers. Blair then addressed the controversy over authorities' "shoot-to-kill" policy, which resulted in the shooting death of an innocent Brazilian man. In defense of the policy, Blair says that the only way to stop a suicide bomber is to kill them or persuade them to undress in an open space, as all other options allow the bomb to go off.
(go to web site)

"I.R.A. Renounces Use of Violence; Vows to Disarm"
New York Times (07/29/05) P. A1 ; Lavery, Brian; Cowell, Alan

The Irish Republican Army (IRA) has announced that it will abandon the use of violence and has ordered all IRA units to lay down their arms. The announcement ends 36 years of violence against British rule that claimed the lives of 3,500 people. British Prime Minister Tony Blair expressed hope that the announcement means that politics will replace terrorism in Ireland. The White House reacted to the statement by calling upon the IRA to make good on its promise by demonstrating its commitment to "the rule of law and to the renunciation of all paramilitary and criminal activities." The IRA announcement came in the form of a DVD, with member Seana Walsh, who spent 21 years in prison, proclaiming on the DVD that "all IRA units have been ordered to dump arms." However, the DVD did not indicate that the IRA would be disbanding and it did not formally address the topic of the group's involvement in organized crime, except to say that the group's members "must not engage in any other activities whatsoever" other than "the development of purely political and democratic programs."
(go to web site)

"Terror Watch on Tappan Zee Bridge"
Journal News (NY) (07/24/05) ; Golding, Bruce

Terrorism experts say that the security of the nation's bridges is an issue of great importance, one that is being overlooked. The volume of traffic on bridges makes them inherently insecure, and they are natural targets for Al Qaeda, as an attack on a bridge would have a big impact on the economy. David Schanzer, director of the Center on Terrorism and Homeland Security at Duke University and the University of North Carolina, says that bridges--along with shopping malls, office buildings, and any other place with large numbers of people--are potential terrorist targets, though he claims that chemical plants are terrorists' most-coveted target. The catastrophic nature of a bridge attack--especially one captured on video and played on television--has great allure among terrorists, the experts state. Structural engineers and bridge experts explain that the roadway is the most vulnerable part of bridges because the force of an explosion can cause it to collapse, but fixing the damage from a roadway attack could be accomplished quickly. To successfully collapse the structure of a bridge would take a large amount of explosives, and computer simulations have shown that boat-attacks are generally less effective than attacks on the roadway. However, bridges do have "fracture critical members" that could cause a bridge to collapse if they fail, and a Web page from the U.S. Army Corps of Engineers shows how fracture critical structural elements can be found on bridges, citing examples of bridges in Maryland and Delaware. Factors that influence the vulnerability of a bridge include its physical condition, the type of construction used, and the type of bridge.
(go to web site)

"Firetrucks Go High Tech"
Wall Street Journal (07/25/05) P. B1 ; Martin, Timothy W.

Demand for firetrucks that can do more than just put out blazes has risen since the terrorist attacks on Sept. 11, 2001, which raised awareness of the need for better emergency response and led the Department of Homeland Security to set aside $2.2 billion in grant money for fire departments. Today's fire engines are increasingly complex; they can be outfitted with a wide array of high-tech options, from state-of-the-art communications and GPS navigation systems to medical equipment and decontamination showers. As engines have become more sophisticated, they have also become more expensive, with single rigs often going for more than $500,000 and sometimes even exceeding $1 million. About 5,500 trucks are sold in the United States each year, most of them manufactured by three main companies: Pierce of Oshkosh, Wis.; E-One of Ocala, Fla.; and KME Fire Apparatus of Nesquehoning, Pa. The National Fire Protection Association reports that about half of the firetrucks currently being used by U.S. fire departments are at least 15 years old, meaning they should soon be upgraded. Most departments seeking to acquire a new rig spend months choosing from an array of options before having their trucks custom-built by one of the major manufacturers. In addition to equipment and technology that increase the number of tasks a fire crew can handle at once, many trucks are also now outfitted with advanced safety features to prevent accidents and protect fire fighters in the event of a rollover.
(go to web site)

"Security Experts Warn of Chinese Cyberattacks for Industrial Secrets"
Agence France Presse (07/24/05) ; Lever, Rob

Concerns are growing that U.S. companies and possibly government agencies could be the target of Chinese hacker espionage efforts, security researchers say. Evidence, although usually hard to collect following cyberattacks, is strong against the country, according to the SANS Internet Storm Center. Unlike Russian hackers, Chinese hackers are after corporate secrets rather than credit card numbers or other financial data. Lurhq security researcher Joe Stewart says he reverse-engineered the recent Myfip PC worm and found a Chinese connection. He says it's "highly likely" the worm was used for espionage purposes, since "all the emails we traced back with this particular attachment came from a single address in China." Meanwhile, SecurityFocus says recent cyberattacks in Britain and the United States were likely searching for documents from federal agencies, and Britain's National Infrastructure Security Coordination Centre said recent "Trojan-laded emails" originating in the Far East were "targeting UK government and companies."
(go to web site)

"Lost a BlackBerry? Data Could Open a Security Breach"
Washington Post (07/25/05) P. A1 ; Noguchi, Yuki

BlackBerry devices, cell phones, computer memory sticks, and other mobile devices mean increased convenience for the mobile workforce, but also mean significantly higher security risk due to the frequency of misplaced or stolen devices. Pointsec Mobile Technologies surveyed cab companies in Chicago earlier this year and found that 160,000 portable devices are left in taxicabs every year, although up to 60 percent of them get returned to their owners. Companies are increasingly mitigating the risk of losing a portable device by adding extra layers of password protection and similar security measures, and prohibiting such devices from downloading corporate information. Also, some wireless providers are offering a service that remotely wipes clean a lost or stolen device to avoid breach of data. NTT DoCoMo, a Japanese cell phone carrier, offers a fingerprint scanner to authenticate users just to prevent unauthorized use. Meanwhile, a Symantec survey determined that 37 percent of smart phone users store corporate information on the device, and only 40 percent of such users work at companies with wireless security policies.
(go to web site)

"May I Have Your Identification, Please?"
SiliconValley.com (07/25/05) ; Lee, Dan

Several email authentication technologies will go before the Internet Engineering Task Force as candidates for an industry standard. DomainKeys Identified Mail (DKIM) is a joint venture between Yahoo! and Cisco Systems that marries the former's DomainKeys and the latter's Internet Identified Mail into a technology that enables a sender's company or service provider's mail service to assign scrambled digital signatures to outgoing emails that verify the address; the recipient confirms the address by checking that the sender has been registered as genuine through the domain name system. Meanwhile, the Microsoft-backed Sender ID specification checks the numerical IP address of the server sending the email against a published list of servers authorized to send messages by the domain owner. DKIM has experienced difficulty in recognizing messages that are part of email lists employed in discussion groups that may modify a message, while Sender ID cannot always identify email forwarded from one address to another. Experts classify an effective email authentication standard as one that is adopted by a large portion of the world's email senders, and Gartner analyst Arabella Hallawell believes DKIM will emerge as the leading standard because it faces fewer technical problems than Sender ID. However, Yahoo!, Cisco, and Microsoft each expect both technologies to find use. EarthLink's Tripp Cox says the level of industry collaboration surrounding these technologies is "unprecedented." "If we're going to make an impact on spam, it's crucial that the vast majority of Internet senders and receivers implement the technology," he argues.
(go to web site)

Abstracts Copyright © 2005 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments: