Search This Blog

Friday, May 18, 2007

Security Management Weekly - May 18, 2007

header

  Learn more! ->   sm professional  

May 18, 2007
 
 
CORPORATE SECURITY  
  1. " Bank Beefs Up Security System" Wisconsin Bank Installs Secure-Entrance System, Could Set Trend
  2. " Achieving Good Records Management" Protecting Records to Prevent Security Breaches
  3. " Analog to Digital" Advice to Security Practitioners for Switching Analog Video Systems to Digital
  4. " Ask the Auditor: Guarding Against Employee Fraud and Theft in Health Care Organizations"
  5. " Having the Right Kind of Recovery Site" How to Set Up Off-Site Facilities in Event of Business Disruption
  6. " The Dangers of Identity Theft" Advice for Preventing Identity Theft

HOMELAND SECURITY  
  7. " U.S. Air Marshals Flood German, British Flights" Intelligence Reports Suggest Another Al Qaeda Airliner Plot
  8. " FEMA Chief Pledges Agency's Storm Preparedness"
  9. " Deal on Immigration Reached" Senate Measure Would Enhance Border Security
  10. " Report: Schools Fall Short in Preparing for Emergencies"
  11. " FBI's Mueller: Bin Laden Wants to Strike U.S. Cities With Nuclear Weapons"
  12. " Al Qaeda Suspects Confess Saudi Strikes" Suspects Claim Bin Laden Was Plotting Oil-Facility Attacks on Scale of Sept. 11

CYBER SECURITY  
  13. " Beware P2P Networks With a Tunnel to Confidential Data, Study Warns"
  14. " Essential Security: Firewalls"
  15. " Security Appliances: Are They Good Enough?" Security Appliance Sales Growing Faster Than Security Software Sales


   








 

"Bank Beefs Up Security System"
Milwaukee Journal Sentinel (05/16/07) ; Gores, Paul

After experiencing three armed robberies within a span of less than six months, the Associated Bank branch in Menomonee Falls, Wis., decided to install a stout new security entrance that has proven effective at deterring bank robberies. The secure-entrance system, which took about two weeks to install, consists of a two-door, bullet-resistant, metal-and-glass entry chamber enabled with a metal detector. The first door permits only single-file entry, and the second door, which is resistant to bullets, will not open if the metal detector's alarm goes off. The alarm will go off when larger metal objects like guns are detected, but it is programmed not to respond to the presence of small metal objects like keys. If the alarm does sound, customers can place the offending metal object on a ledge inside the entrance system, where the object can be remotely inspected from inside the bank via a video camera. The Wauwatosa Credit Union's Menomonee Falls branch has the same security system in place, and a mask-wearing robber who unsuccessfully tried to enter the credit union became so discouraged that he turned and fled. The Wisconsin Bankers Association says that banks in the state could adopt similar security systems if the system used by Associated Bank proves effective. FBI statistics show that bank robberies have increased by 31 percent in Wisconsin and 3.5 percent nationwide since 2005.
(go to web site)

"Achieving Good Records Management"
Commercial Risk (05/01/2007) Vol. 75, No. 44, P. 13 ; Mountain, John

Insurance companies and others need to create and meet high standards for storing and protecting records to prevent security breaches and regulatory litigation. Records management is distinct from document management, as records comprise data crucial for the organization's operability and health. Companies should begin by defining which records should be archived, how, and for how long. Then, archivists must develop an indexing standard, or metadata, that will accompany the archive. Since the index guarantees the records will be accessible in the future, metadata must be clear, categorized, and complete. In terms of security, organizations should limit and supervise access to the indexing information database. To counteract the possibility of internal blackmail or sabotage, archivists should ensure that hard copies are safe from fire and water damage. Companies need to create and store electronic copies of the records in various locations. Finally, to protect online data, organizations should use a secure Web site, employ user names and passwords, and make sure that all Web site traffic is encrypted. Highly sensitive data may necessitate the combined use of passwords and user IDs with the use of synchronized hard authentication, note experts.
(go to web site)

"Analog to Digital"
Security Technology & Design (04/07) Vol. 17, No. 4, P. 36 ; Ladd, Matt

Security practitioners can switch their analog video systems to digital, at a modest price, by following the advice of some top systems operators. For example, one operator recommends that security practitioners switch the head-end equipment but keep as much of the remaining infrastructure as possible. "As a rule, the cost of replacing the infrastructure is fairly significant, so we start by replacing the VCRs or DVRs and the matrix switches, and put the video on a network to be recorded by an NVR," he says. Security practitioners should try to switch from analog to digital as fast as they can and in as few steps as they can--if they have the budget to do so. In situations where new analog cameras are being installed, security practitioners may want to avoid using coax cabling and instead use Cat 5 or Cat 6 cabling and video baluns, assuming the run is less than 300 feet. Cameras can also be powered via the same Cat 5 cable, thereby reducing costs and eliminating the need to run separate power cables. Practitioners should also consider replacing a non-working DVR with a hybrid DVR capable of supporting a few IP cameras--this provides an easy and inexpensive way to test out IP cameras. At present, only about one in 10 security cameras that are sold are IP cameras, but industry observers predict that within about three to seven years 90 percent of cameras sold will be IP.
(go to web site)

"Ask the Auditor: Guarding Against Employee Fraud and Theft in Health Care Organizations"
Employee Benefit News (05/07) Vol. 21, No. 6, P. 12 ; Denyer, Charles

Vendor fraud perpetrated by employees can be a major risk for many healthcare organizations, due to the overwhelming number of miscellaneous supplies they must order. Employees can commit vendor fraud by creating a small shell company, forging a bill for supplies to their employer, and then paying the bill in the employer's name, thus transferring the funds to the shell company. This scheme is so simple for employees to carry out, which is why healthcare organizations need to take steps to identify the signs quickly. A complete list of vendors should be available so that any suspicious bills can be cross-checked against the list. Signs of a suspicious vendor include a post-office box address in a nearby ZIP code, an e-mail address from a free provider, and missing information in any electronic vendor-data records. Legitimate vendors are more likely to have reliable contact information.
(go to web site)

"Having the Right Kind of Recovery Site"
Commercial Insurance (Quarter 2, 2007) Vol. 75, No. 44, P. 24 ; Landin, Jared

In the event of a major disruption, business operations can be resumed in a timely manner through the use of offsite facilities, though companies must select the type of site that best fits their needs and budget. All offsite facilities should be geographically separated from the primary site, ideally in a different telecommunication exchange and power grids, though staff accessibility and cost must be considered as well. Organizations with a Recovery Time Objective (RTO) of 10 minutes or less should consider using a fully mirrored site, which contains an exact replica of the primary site's data and systems. In addition, some global companies use revolving sites spanning several continents in which the sites alternate between their roles as the primary and the mirrored sites. For companies with a RTOs of under 12 hours, hot sites are fully equipped facilities enabling operations to continue for at least three months, and are less expensive than mirrored sites. Partially or minimally equipped sites--known as warm and cold sites respectively--are appropriate for the recovery of non-critical operations or for companies with long RTOs, though they have become less effective in an age of mobile technology. Companies should audit the recovery site's governance to assess the vendor's industry and technical expertise, financial situation, and controls and operations. An internal audit should also verify that the vendor contract documents all important control aspects. All fees and costs should be highlighted and approved and dispute resolution policies must be in place to alleviate financial and litigation risks.
(go to web site)

"The Dangers of Identity Theft"
Inc (05/07) Vol. 29, No. 5, P. 39 ; Akst, Daniel

Frank Abagnale, a fraud expert, has written a book on identity theft that may be especially helpful for at-risk entrepreneurs. Since data security is at the heart of identity theft, entrepreneurs "have more to protect" than most individuals. Identity theft also takes time to remedy, which is a significant cost for entrepreneurs. Abagnale's book recommends taking steps such as examining monthly statements and using strong passwords on computers. Technology can help; Windows XP Pro offers built-in data encryption, and some companies provide software that can locate lost laptops. An important step for entrepreneurs to take against fraud is freezing credit cards, which can be done by writing to Equifax, Experian, and TransUnion. In addition, Abagnale suggests using credit cards instead of checks, as checks reveal signatures, addresses, and account numbers. Credit cards also provide limited liability.
(go to web site)

"U.S. Air Marshals Flood German, British Flights"
ABC11TV.com (Raleigh, N.C.) (05/14/07)

ABCNews.com has learned that U.S. air marshals are being assigned to U.S.-bound planes in Europe to prevent what is believed to be another coordinated Al Qaeda plot to hijack airliners and either blow them up or crash them into targets. Up to half a dozen U.S. air marshals are being placed aboard all U.S.-bound commercial airliners departing from airports in London; Frankfurt; and Manchester, England, sources say. In recent weeks, U.S. and German officials have suggested that a new terrorist plot is well underway, according to ABC News, and roughly two months ago, security aboard all airliners leaving Germany was stepped up. "The intelligence was that there are plans to take a plane and crash it in a high-density, high-profile place," said one official. Another top law enforcement official said, "We're afraid someone in the back is going to mix something or light something up, so air marshals are being placed strategically through the plane." An official with the air marshal program has acknowledged that more air marshals are being placed aboard European flights, "but not at the expense of protecting U.S. domestic flights."
(go to web site)

"FEMA Chief Pledges Agency's Storm Preparedness"
Gainesville Sun (FL) (05/17/07)

Speaking at the Florida Governor's Hurricane Conference, Federal Emergency Management Agency (FEMA) Director R. David Paulison vowed on Wednesday that there will never be a repeat of the Hurricane Katrina disaster in the United States. Claiming that FEMA has become a different agency under his watch, Paulison said, "Don't believe the stories that you've heard that FEMA and the federal government are not ready" for the June 1 start of the 2007 hurricane season. Paulison said that within hours of any disaster, FEMA will be ready to deploy numerous assets, including generators, helicopters, road-clearing teams, and disaster medical personnel. This time, FEMA will be ready to respond to hurricanes even before disaster declarations are issued, he said, pointing to the agency's immediate response to the tornado that devastated a Kansas town two weeks ago. Meanwhile, the state of Florida has prepared for hurricane season by forging strong ties with emergency responders in each of the state's 67 counties, Gov. Charlie Crist said. In addition, a new law on the books that will require 254 gas stations along evacuation routes to have generators will be vigorously enforced, Crist warned. "We found out a couple of days ago that only about half of those gas stations are prepared," Crist said, noting that the stations have been warned by letter that they have until June 1 to comply with the law.
(go to web site)

"Deal on Immigration Reached"
Washington Post (05/18/07) P. A1 ; Weisman, Jonathan; Abramowitz, Michael

A comprehensive immigration reform measure was agreed on by a bipartisan coalition of senators and the White House on Thursday, and its provisions include a legalization program for the approximately 12 million illegal immigrants in the United States, a crackdown on employers who hire undocumented workers, and a toughening of border security. The Senate bill would grant temporary legal status to practically all illegal aliens in the nation and let them apply for residency and eventual citizenship; establish a temporary-worker program that could admit up to 400,000 migrants into the country annually, although their visas would expire after two years; base the current visa allocation process on a point system that would stress education and job skills over family ties; and require that certain security measures be implemented before most of these provisions go into effect. Labor unions are critical of the temporary work program, because the immigrants would be forced to leave when their visas expire and have no opportunity to appeal for permanent residency, which would drive down wages and give rise to an underclass. The adoption of the point system is also a sore point, with Rep. Luis V. Gutierrez (D-Ill.) arguing that "a system that values and honors the work of all" should be deployed. Another concession Democrats do not like is the requirement that a border crackdown must take place before illegal immigrants are granted access to long-term visas and the guest-worker program is implemented. Republicans, meanwhile, criticized the bill's intention to grant undocumented workers who entered the country before January a permit to stay, and let them apply for a four-year "Z visa" that can be renewed indefinitely, provided they pay a $5,000 penalty and a $1,500 processing fee, maintain a clean work record, and pass a background check. Presidential candidate Rep. Tom Tancredo (R-Colo.) stated that the legislation's authors "seem to think that they can dupe the American public into accepting a blanket amnesty if they just call it 'comprehensive' or 'earned legalization' or 'regularization.'"
(go to web site)

"Report: Schools Fall Short in Preparing for Emergencies"
CNN.com (05/17/07)

The Government Accountability Office (GAO) has analyzed the state of emergency preparedness at U.S. schools and concluded that schools' emergency plans are insufficient. The GAO finds, for example, that roughly 50 percent of all school districts lack a plan for educating students in the event that schools are closed for a long time. Districts are also failing to include first responders when implementing their emergency plans, and 28 percent of districts with emergency plans do not have plans for evacuating disabled students. Also, about 66 percent of districts are hampered by a lack of preparedness knowledge and equipment, including communications equipment and good locks for their buildings.
(go to web site)

"FBI's Mueller: Bin Laden Wants to Strike U.S. Cities With Nuclear Weapons"
NewsMax Wires (05/15/07) ; Kessler, Ronald

Osama bin Laden remains active, but isolated, and the Al Qaeda chief is likely still communicating with Al Qaeda cells, according to FBI Director Robert S. Mueller. Mueller did not provide supporting details of these assertions, but he did say that there are still Al Qaeda cells in the United States and that bin Laden is desperate to procure nuclear weapons and detonate them in U.S. cities, with New York City and Washington, D.C., the most likely targets. Intelligence sources other than Mueller say that the intensity of the U.S. effort to find bin Laden has left bin Laden with no choice but to return to the "horse-and-buggy days" of communications in an effort to avoid detection--thus, bin Laden is using loyal couriers instead of electronic communications. Mueller says that he kept President Bush fully informed during the FBI's 16-month surveillance of the group suspected of plotting attacks on Fort Dix. "Before Sept. 11, we would have been probably inclined to disrupt them earlier than we did," Mueller says of the Fort Dix plotters. But the FBI instead decided to let the Fort Dix plot mature a little in order "to determine what ties they may have had to other individuals in the U.S. or overseas," he explains. Mueller is concerned that, nearly six years removed from the Sept. 11 attacks, the United States has become complacent about terrorism. Mueller predicts that terrorists will strike the United States again at some point, explaining that "it's just a question of when and to what extent."
(go to web site)

"Al Qaeda Suspects Confess Saudi Strikes"
CNN.com (05/15/07)

Four alleged members of Al Qaeda have confessed that they were planning to participate in terrorist attacks on oil facilities in the Middle East that would have been equal in scale to the Sept. 11 attacks in the United States. The four suspects, arrested in April 2006, confessed that they were ready to attack major oil facilities in areas like Ras Tanura and Jubail in Saudi Arabia but were told by Al Qaeda's leadership to wait for a direct signal from Osama bin Laden so that they could coordinate their attacks with a larger plot to attack multiple oil facilities in Kuwait and the United Arab Emirates. "We started planning [our attacks] but were told to wait for direct instructions from sheikh Osama bin Laden," said one of the suspects. "I asked how would we receive a signal from him, I thought he was in some mountains." The suspect said that he was told by Al Qaeda's leadership that it would take from six to seven months to get bin Laden's approval, as Al Qaeda was planning multiple strikes on oil facilities in the Middle East. "They said it will be a huge operation, equal to the September strike...and its impact will be on a global level," affecting oil prices, the suspect said. The four suspects were among about 170 suspects arrested by Saudi authorities after a failed suicide bombing attack on the Abqaiq oil facility in February 2006.
(go to web site)

"Beware P2P Networks With a Tunnel to Confidential Data, Study Warns"
InformationWeek (05/15/07) ; Greenemeier, Larry

Peer-to-peer networks are being used by cyberthieves to tunnel into networks and access confidential information, according to a new study of corporate data leaks released by researchers at Dartmouth business school. Eric Johnson, a professor of operations management at Dartmouth's Tuck School of Business and a co-author of the study, noted that most users were not sufficiently protecting their files and data from peer-to-peer networks. He added that the majority of peer-to-peer software applications have interface designs that are confusing and even deceptive in a way that gets users to unwittingly share the contents of their entire hard drive. This can open up consumers to identity theft, and can also give criminals access to confidential information stored on corporate networks, such as job performance reviews and the results of security audits. There are a number of ways that companies can see whether their data has been leaked onto peer-to-peer networks. For instance, security professionals can set up their own accounts on the most popular peer-to-peer networks and search to see if any information being offered is similar to their proprietary data or intellectual property. Security professionals can also keep track of all searchable keywords that would lead a Web surfer to their company, including firm names, abbreviations, and ticker symbols, and use those keywords to search peer-to-peer networks.
(go to web site)

"Essential Security: Firewalls"
PC Magazine (05/08/07) Vol. 26, No. 10, P. 91 ; Morgan, Russell

Every time a technological advancement is made that creates new business capabilities, those looking to cause harm or steal information find a way to exploit it. Such ongoing and constantly developing threats make it essential for every business to have a bulletproof, centralized firewall. A firewall acts on a network much like an alarm system protects a house, ensuring that one unlocked door does not negate all of the other security measures. A firewall controls network traffic, allowing or blocking activities and access based on company security policies. Network firewalls are unable to protect the network from laptops taken home or on a trip, which is why IT security professionals focus on "layers of security." These layers basically mean protecting a network via firewalls and protecting each individual device with software-based personal firewalls and antivirus utilities. Having firewalls at the office and personal device-based security does not mean that you can relax about security, however, as hackers and virus writers are always finding new ways to circumvent security measures. It is critical to install "patches" issued by firewall and security software vendors. It is also wise to use an IT consultant to set up your firewall, as it is relatively easy to misconfigure the firewall.
(go to web site)

"Security Appliances: Are They Good Enough?"
Computerworld (05/07/07) ; Robb, Drew

Companies looking for a low-hassle network security strategy are increasingly deploying virtual private network/security appliances instead of best-of-breed security software. Infonetics Research analyst Jeff Wilson says sales of security appliances are growing faster than sales of security software. Figures from Infonetics show that while overall security appliance and software sales rose 15 percent to $4.6 billion last year, SSL VPN gateway appliance sales soared 40 percent after posting a 61 percent increase in 2005. Synergy Research Group analyst Aaron Vance says the growth of distributed networks is driving the adoption of multifunction appliances as companies try to safeguard connections such as those among branch offices. Multifunction appliances are also popular among midsize organizations with a limited number of IT security staffers. For example, the city of Encinitas, Calif., installed a security appliance to block spam and malware at its six locations. But although many organizations are turning to these hardware/software combinations because they are easy to install and manage, they do not offer the highest levels of security. As a result, some recommend that security appliances be used as part of a layered security approach at the gateways or to offload certain functions from the servers while simultaneously running antivirus and intrusion-protection software on servers and workstations.
(go to web site)

Abstracts Copyright © 2007 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments: