Search This Blog

Wednesday, November 23, 2011

Security Management Weekly - November 23, 2011

header

  Learn more! ->   sm professional  

November 23, 2011
 
 
Corporate Security
  1. "Man Assaults Hospital Security Guard" Port Huron, Mich.
  2. "How to Have Real Risk Management"
  3. "Back to Basics: Functional Requirements" Electronic Security Systems
  4. "A Risk Mitigation Strategy in Preventing Workplace Violence"
  5. "The Role of Standards in Workplace Violence Prevention and Response"

Homeland Security
Sponsored By:
  1. "Al-Qaeda Targets Dwindle as Group Shrinks"
  2. "Egypt Protesters, Military Continue Standoff"
  3. "Police, FBI Split on Terror Suspect"
  4. "New York Man Arrested in Alleged Bomb Plot"
  5. "Iran May Have Sent Libya Shells for Chemical Weapons"

Cyber Security
  1. "DHS Denies Report of Water Utility Hack" Springfield, Ill.
  2. "Xbox Live Users Hit by Phishing Attacks"
  3. "EFF Proposes New Method to Strengthen Public Key Infrastructure" Electronic Frontier Foundation
  4. "Fake Bank Site Spreads Malware"
  5. "The Network Is the Security" Cyber Attack Detection Methods

   

 
 
 

 


Man Assaults Hospital Security Guard
Times-Herald (11/21/11)

A 29-year old man was arrested and jailed by police after allegedly attacking a security guard in the emergency room of Michigan's Port Huron Hospital. The suspect had entered the hospital demanding to immediately see a specific doctor. The man than allegedly began attacking the security guard. Witnesses stopped the suspect and restrained him until police arrived. The man posted bail that night. Police will review the incident to secure a warrant in the next few weeks.


How to Have Real Risk Management
Computerworld (11/01/11) Hulme, George V.

Andy Ellis, chief security officer at Akamai Technologies, says the important thing for organizations in regard to risk management is to actually understand the risks that apply to them, and make informed decisions based on that profile. "These are the organizations that are actually out front, leading the way, defining new risk models for themselves and selecting technologies and solutions that are appropriate for their business," Ellis said in a recent discussion with this publication. "It's about paving the way, not following somebody else's cookie cutter." Not everything is in an organization's control, he said, so one of the critical things is to focus on how the organization will carry out its incident response plan following an event. Ellis said this is "the most important thing" to ensure an organization has in place. As long as an organization already has an incident response plan in place, it can weather any event, he said, adding that "businesses ought to focus on [incident response] -- but many don't consider that business continuity or disaster planning."


Back to Basics: Functional Requirements
SecurityInfoWatch.com (10/12/11) Pearson, Robert

Large companies are frequently expanding, creating a conglomerate of various companies that have been merged together. In these situations, it is highly unusual for the philosophy of the electronic security system to be standardized. As such, these organizations would be best served by developing functional requirements, which have been used for years to provide organization and structure to a security system. The obvious goal is providing more consistent, uniform security across the enterprise. Electronic security philosophy standards within a corporation are designed to develop a common employee identification/access card; establish consistent procedures and alarm responses; provide cost savings in the security budget; ensure compliance with local/national codes and customer requirements; facilitate a consistent employee and visitor experience and expectation; and enhance information gathering. In order to determine which security functions should be standardized, electronic security must be evaluated by desired functionality vs. the current evolved system. A list of enterprise-wide functional requirements should be developed that will facilitate developing electronic and administrative security solutions. Implementation of security solutions should incorporate procedures, modifications to facilities and electronic security modifications. Functional security areas include badges, video surveillance, intrusion and fire alarms, control center operations, and many others. After the functional requirements are developed for the corporation, the next step is to understand what electronic security functionality exists at each facility. A Security Survey should be sent to each facility or group of facilities that are under the oversight of a given Security manager in an effort to uncover additional functional requirements that need to be added to the list. After the process of standardization begins, it is important to know and control any planned expenditure for electronic security equipment that could impact the enterprise functional requirements at a given facility to minimize additional cost. There is no single way to accomplish a given functional requirement, and the challenge for the security professional is finding the technology most suitable for said functional requirements. There are many other electronic security components that might also be addressed in the standardization process, and decisions will be made to determine if these components are an issue or not during the development of the functional requirements.


A Risk Mitigation Strategy in Preventing Workplace Violence
Security Magazine (10/11) P. 22 Nater, Felix

The importance of workplace violence prevention is often overlooked because of the mistaken beliefs that such situations are not preventable or that they "would not happen here." It is vital to eliminate avoidance tactics by building an integrated and collaborative prevention system that includes the entire organization. Developing a comprehensive understand of staffing, workplace culture and the impact of new or altered policies is critical to discovering factors which could create a negative or potentially violent situation. Rather than regulating prevention to Human Resources alone, let HR act as program manager, and department heads handle daily activities, while security handles investigation, correction and external coordination. The driving forces behind a successful Workplace Violence Prevention program are leadership involvement, universal commitment and proactive engagement, and the implementation of best practice methodologies, including frequent vulnerabilities assessments and a prevention and response plan.


The Role of Standards in Workplace Violence Prevention and Response
Security Magazine (10/11) P. 23 Ahrens, Sean A.

ASIS International and the Society of Human Resource Management (SHRM) are working to develop a Workplace Violence Prevention Standard that will provide guidance through generalized policies and protocols on which companies can base prevention and intervention strategies. The standard will provide a practical definition and a continuum for classifying behavior and events, as well as strategies and procedures for finding, investigating, managing and responding to potentially dangerous behavior. Planning ahead for a workplace violence crisis is as important as planning for environmental crises and natural disasters; demanding a well-articulated response plan and the ability to usefully integrate assistance from internal and external resources and emergency services. ASIS and SHRM's standard will unite security and human resource expertise to give better options for workplace violence prevention and mitigation.




Al-Qaeda Targets Dwindle as Group Shrinks
Washington Post (11/23/11) Miller, Greg

The ranks of al-Qaida's leadership have been dwindling over the past six months. In addition to the death of Osama bin Laden in May, Atiyah abd al-Rahman--who communicated with bin Laden on a regular basis and briefly served as al-Qaida's day-to-day operational chief--was killed in a CIA drone strike in August. U.S. officials say that there are now just two high-ranking members of al-Qaida that are being targeted by CIA drones: Ayman al-Zawahiri, who took over the leadership of al-Qaida following the death of bin Laden, and his lieutenant Abu Yahya al-Libi. A number of lower-level fighters and members of other insurgent groups are being targeted by drone strikes as well. With al-Qaida's leadership down to just two members, the terrorist organization is now operationally ineffective, according to a U.S. counterterrorism official. U.S. officials believe that al-Zawahiri will find it difficult to rebuild al-Qaida, given the fact that he is seen as being abrasive and lacking in the charisma that bin Laden had. But Libi is seen as being a more dynamic figure in al-Qaida. As a result, he is likely al-Qaida's best hope for a resurgence, experts say.


Egypt Protesters, Military Continue Standoff
Wall Street Journal (11/23/11) Levinson, Charles; Bradley, Matt

Violence broke out in Cairo for a fifth day on Wednesday as protesters once again streamed into Tahrir Square to protest the military rulers that have controlled the country since President Hosni Mubarak stepped down earlier this year. Police and demonstrators clashed in an area near Egypt's Interior Ministry, a heavily-guarded building that is associated with the widely-reviled police force and Mubarak's regime. Police and Egyptian soldiers were forced to use tear gas and rubber bullets to prevent protesters from storming the Interior Ministry building--something that the demonstrators said they had no intention of doing anyway. Instead, demonstrators said that they wanted to prevent security personnel from forcing them out of Tahrir Square. The protests took place in spite of promises by military officials that they would make a number of concessions, including transferring power to an elected president sooner than originally planned. As many as 38 people have been killed in violence in Egypt since Nov. 19.


Police, FBI Split on Terror Suspect
Wall Street Journal (11/22/11) Barrett, Devlin; Gardiner, Sean

The FBI did not take part in the investigation into 27-year-old Jose Pimentel, the New York City man who has been arrested and charged with allegedly planning a terrorist plot. Although the bureau was aware of the case, in which Pimentel is accused of trying to build pipe bombs to attack police officers, returning military personnel, and post offices, it was concerned about the use of a confidential informant. The informant used by the New York Police Department recorded several hours of conversations with Pimentel, though the FBI felt that he would have been a mediocre witness at Pimentel's trial. In addition, the FBI declined to join the case about Pimentel because it had doubts as to whether he would have been capable of carrying out the suspected terrorist plot by himself. Pimentel is suspected of having mental problems, and FBI officials believe that he did not pose a serious threat. However, New York City Police Commissioner Ray Kelly has said that Pimentel was thought to be an imminent threat. Law enforcement officials grew particularly concerned about Pimentel after they determined that the components for the bomb he was believed to be building could pose a threat to the people who were living in his apartment building.


New York Man Arrested in Alleged Bomb Plot
Wall Street Journal (11/21/11) Hollander, Sophia

Authorities in New York City have arrested and charged a suspected lone-wolf terrorist, following a two-and-a-half year investigation into the man's activities. Jose Pimentel, a 27-year-old Dominican-born U.S. citizen who had been living in New York City and is thought to have been inspired by an al-Qaida magazine, is suspected of trying to build crude pipe bombs in order to attack returning military personnel, post offices, and police stations. The materials that Pimentel allegedly planned to use for the bombs were purchased from Home Depot and other retailers in small enough quantities that they did not arouse suspicion. Among the materials that Pimentel allegedly purchased to include in his bombs were nails, which he is believed to have used in order to increase the amount of shrapnel generated when the devices exploded. However, Pimentel was arrested before he could leave his apartment with a completed explosive device. In addition to allegedly trying to build pipe bombs to use in terrorist attacks, Pimentel is also suspected of creating a Web site to promote radical Islamist beliefs and to build support for attacks against the U.S. Pimentel is believed to have tried to contact the now-deceased radical Muslim cleric Anwar al-Awlaki, though he never received a response.


Iran May Have Sent Libya Shells for Chemical Weapons
Washington Post (11/21/11) Smith, R. Jeffrey; Warrick, Joby; Lynch, Colum

Libyan rebels have recently found that former leader Moammar Gaddafi's regime had been stockpiling artillery shells filled with mustard agent. The shells were discovered at two sites in central Libya, neither of which the outside world knew about until recently, a U.S. official said. Gaddafi had told the U.S., the U.K., and the United Nations in 2004 that he would reveal the existence and begin destruction of all of his country's chemical weapons--a promise that now appears to have been broken. The official also noted that the artillery shells were not secured before they were discovered by Libyan rebels. However, both sites are currently under heavy guard and 24-hour surveillance by drones. Following the discovery of the weapons sites, U.S. officials have launched an investigation into how Libya obtained the artillery shells. A senior U.S. official speaking on condition of anonymity has said that Iran is believed to have produced and designed the shells for Libya. The sale of the shells may have taken place following the Iran-Iraq War, during which Iran produced 2,500 tons of mustard agent. However, Iran has denied giving the artillery shells to Libya. Nevertheless, the discovery of the shells raises questions about the ability of the U.S. and other nations to enforce promises by the leaders of secretive nations to destroy weapons of mass destruction.




DHS Denies Report of Water Utility Hack
CNet (11/22/11) Mills, Elinor

The Department of Homeland Security and the FBI are contradicting the findings of the Illinois Statewide Terrorism and Intelligence Center about recent problems at a water utility in Springfield, Ill. In its report on the incident, the Illinois Statewide Terrorism and Intelligence Center said that an attacker was able to steal customer usernames and passwords from a vendor for a supervisory control and data acquisition (SCADA) system and used that information to hack into the SCADA at the Curran-Gardner Public Water District. Once inside the system, the attacker caused a pump at the utility to burn out by repeatedly turning the SCADA system on and off. However, a DHS spokesman said that a detailed analysis of the incident has not uncovered any evidence of a hack at the water utility. The spokesman added that the Illinois Statewide Terrorism and Intelligence Center's report was based on "raw, unconfirmed data." The spokesman also noted that there is no evidence that the attack on the utility's SCADA involved malicious traffic from Russia or any other foreign nation. An investigation into the incident is ongoing, the spokesman said.


Xbox Live Users Hit by Phishing Attacks
Guardian (United Kingdom) (11/22/11) Boxer, Steve

Xbox Live users are facing an onslaught on cyber attacks on their accounts hosted by Microsoft's proprietary online gaming service. Microsoft issued an official statement in light of the recent issues, but insisted it was not a breach on their end. Instead, it appears the problem stems from phishing, which is a method hackers use to trick people into sending out personal information that is then used to access bank accounts. The most common instance of that occurring is with sites set up to give away free Microsoft Points in exchange for personal information. Microsoft has warned customers against these phishing scams and says they "consistently take measures to protect Xbox Live against ever-changing threats."


EFF Proposes New Method to Strengthen Public Key Infrastructure
IDG News Service (11/22/11) Constantin, Lucian

The Electronic Frontier Foundation (EFF) has proposed an extension to the current Secure Sockets Layer (SSL) chain of trust that aims to improve the security of HTTPS and other secure communication protocols. One of the major problems with the current Public Key Infrastructure (PKI) model is the lack of control over certificate authorities (CAs) and their subsidiaries. The EFF's Sovereign Keys (SK) specification was designed to solve this problem by allowing domain owners to sign CA-issued certificates with their own private keys for additional authenticity. The SK model shrinks the number of attack points from hundreds of CAs to 30 or fewer servers where any compromise can be detected automatically. The SK specification also is compatible with Domain Name System (DNS)-Based Authentication of Named Entities (DANE), a protocol used to associate certificates with domain names via DNSSEC, and can be used to cross-sign DANE keys to prevent DNS-based attacks. "My feeling is that this migration would be unlikely to happen, as it requires the use of client technologies that Web browsers are disinclined to integrate, as well as commitments and mechanics that the operators of SSL Web sites are disinclined to make," says security researcher Moxie Marlinspike.


Fake Bank Site Spreads Malware
BankInfoSecurity.com (11/18/11) Kitten, Tracy

The Office of the Comptroller of the Currency (OCC) last Thursday issued a warning about HelpWithMyBank.com, an illegitimate website feigning to offer consumer information about bank accounts and loans. Once visited, the HelpWithMyBank.com URL directs users to a legitimate consumer information site, HelpWithMyBank.gov, attempting to convince users they are connecting to a legitimate site, according to the OCC. But connecting to the fake site before the redirect is believed to expose consumers to malware.


The Network Is the Security
Network World (11/09/11) Oltsik, Jon

The methods some large organizations are using to detect cyberattacks as they are underway may not be sufficient, according to findings from a ESG Research report. Large organizations often collect data from sources such as log files and NetFlow and then organize and analyze the data using log management, SIEM, and other tools. ESG Research's report notes that more than two-thirds of organizations use network management tools to detect a cyberattack, and more than half use log-file analysis, the next most popular method of attack detection. The report also notes that 52 percent of the organizations that have created or altered security processes in response to advanced persistent threats have improved network traffic monitoring for attack patterns and other types of unusual behavior. Some say that collecting data from various sources and organizing and analyzing it using log management and SIEM misses important details about the network, including network behavior, payload analysis, and packet analysis, from several layers of the OSI stack. As a result, organizations often do not know what is going on in their networks, which means that they are vulnerable to attacks. Some say that instead of focusing only on network monitoring, CISOs need better data and analytics so that they can automatically take actions to enforce granular policies.


Abstracts Copyright © 2011 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments: