
Friday, August 23, 2013

Security Management Weekly - August 23, 2013

Corporate Security
  1. "Long Beach Police Warn Businesses About Copper Wire Theft"
  2. "Liquor Theft Soars in Washington After Privatization, But Remains Low in Oregon"
  3. "Top 10 Global Risks Underscore Business Concerns"
  4. "How to Manage Background Checks Requirements for a Global Workforce"
  5. "What Keeps CEOs Up at Night?"

Homeland Security
  1. "Transportation Chief Pistole Outlines Terrorism Strategy"
  2. "NSA Gathered Thousands of Americans’ E-Mails Before Court Ordered It to Revise Its Tactics"
  3. "New Details Show Broader NSA Surveillance Reach"
  4. "Snowden Reporter: Won’t Be Silenced By Detention"
  5. "Al Qaeda Planning Attacks on High-Speed Trains in Europe: Newspaper"

Cyber Security
  1. "Cybercrooks Use DDoS Attacks to Mask Theft of Banks' Millions"
  2. "Microsoft Patch Problems Underline Tradeoffs for Securing Systems"
  3. "Mobile Malware Threat Growth Hits Record in Q2"
  4. "Two Updated Guides Provide Latest NIST Recommendations for System Patches, Malware Avoidance"
  5. "U.S. Power Plants, Utilities Face Growing Cyber Vulnerability"

Long Beach Police Warn Businesses About Copper Wire Theft
Los Angeles Times (CA) (08/18/13) Kelly, Devin

At least 74 thefts of copper wire have been reported in Long Beach, Calif., since January, prompting the city's police department to issue a warning to local businesses that offered recommendations for preventing copper wire theft. The recommendations included installing security alarms and surveillance cameras, regularly monitoring vacant property, and securing electrical or utility boxes. City parks, commercial and private businesses, and schools are among thieves' targets, as are vacant buildings. Though damage estimates vary depending on where or what the copper was removed from, replacement and repair costs often run into the thousands of dollars. The main difficulty, said Long Beach police Sgt. Robert Woods, is how hard it is to catch suspects and the fact that it is nearly impossible to determine where copper wire has come from once it arrives at a recycling yard. Woods added that this was the first time copper theft has been an issue in Long Beach, though it has been a nationwide problem for years. Metal theft nationally increased 36 percent between 2010 and 2012, with nearly 96 percent of theft claims being copper-related.


Liquor Theft Soars in Washington After Privatization, But Remains Low in Oregon
OregonLive.com (08/17/13) Esteve, Harry

Since Washington state moved from state-controlled liquor stores to privatization, with liquor offered for sale in supermarkets, there has been a dramatic increase in the number of thefts. Brian Smith of the Washington State Liquor Control Board noted that because stores are not required to report liquor theft, there is no hard evidence on the amount of theft that has occurred. However, he noted that anecdotes and news reports suggest that the amount of theft in a single week in Washington could be higher than the yearly average in Oregon, which still has state-controlled liquor stores. Experts say it makes sense that liquor theft is more common in states where liquor is sold by private retailers, because state-controlled liquor stores are more difficult to steal from: their smaller size makes customers easier to track, and liquor is mostly kept behind the counter. Supermarkets, on the other hand, tend to place liquor right in the middle of aisles. Some say that the higher rates of liquor theft in Washington state could serve as a cautionary tale for Oregon, which is considering moving away from state-controlled liquor stores. However, Oregon Liquor Control Commission spokeswoman Christie Scott noted that the state began experimenting with the sale of liquor at grocery stores two years ago but has not seen an increase in thefts, because the liquor is sold from a "store within a store," similar to bank branches and other businesses located within supermarkets.


Top 10 Global Risks Underscore Business Concerns
National Law Review (08/11/13)

Two separate studies from Accenture and Aon Risk Solutions have found that organizational risk managers worldwide are closely aligned on the risks they are most concerned about. According to the preliminary results of Accenture's Global Risk Management Research study, which asked executives from 446 organizations across eight industries what they see as the biggest external risks over the next two years, 62 percent cited legal risks, followed by business risks (52 percent) and regulatory requirements (49 percent). Meanwhile, Aon's Global Risk Management Survey of 1,415 respondents from 70 nations and a wide range of industry sectors found economic slowdown and slow recovery to be the top concern. Regulatory/legislative changes ranked second, followed by increasing competition.


How to Manage Background Checks Requirements for a Global Workforce
Security Magazine (08/13) Greenblatt, William

Background checks are a standard part of the hiring process for many companies in the United States, particularly in industries like financial services and education where due diligence is government-mandated. U.S. companies are increasingly conducting pre-employment screenings for non-U.S. citizens. The U.S. Bureau of Labor Statistics estimates that more than 16 percent of the U.S. labor force is foreign-born. Furthermore, roughly 11.7 million overseas workers are employed by the majority-owned affiliates of U.S. companies. The United States permits employers to examine multiple records concerning a candidate, such as criminal history, credit reports, past employment, and educational background. In developing parts of the world, it is estimated that 30 percent of candidates embellish parts of their resumes and over-inflate their credentials. However, companies can be held liable if they violate the laws governing a candidate's country of citizenship. Polish law, for instance, forbids potential employers from obtaining an individual's criminal history, while Australia prohibits personal credit checks. Outsourcing a check to a third party does not reduce a company's risk if the information is illegally obtained. Many background check companies do not have a physical presence in the countries they research and may not be aware of each country's particular set of laws. Ideally, service providers should have a presence in the candidate's country of citizenship and ensure they have thorough knowledge of its law. It is also important to note that research in certain emerging and frontier markets may take much longer than in the United States. Moreover, things like bribery and drug use might not appear in personal records.


What Keeps CEOs Up at Night?
Security Magazine (08/13)

The Lloyd’s Risk Index provides a good view of global risk from the perspective of corporate leaders. This year’s worldwide survey comprised 588 C-Suite and board level executives from companies of various sizes. The survey asked about 50 risks across five categories: business and strategic risk; economic, regulatory, and market risk; political, crime, and security risk; environmental and health risk; and natural hazard risks. Specifically, the survey asked respondents, "How prepared are you to manage these risks?" and then instructed them to prioritize the risks. When asked the question "Are you better prepared to manage business risks than two years ago?," just 45 percent of respondents said their organization is more prepared now than in 2011, whereas 70 percent of respondents in 2011 indicated they were more prepared than in 2009. The survey also identified "a clear divide" of risk management between larger and smaller enterprises, as well as enterprises that operate in established versus emerging economies. Additionally, larger companies in faster growing markets are identifying the increased need to prioritize business risks and their relative lack of preparedness to deal with them. Larger companies are investing in more comprehensive risk transfer (insurance) and risk management (mitigation) measures. Notably, cyber crime is an increasingly serious concern, as are regulatory matters.




Transportation Chief Pistole Outlines Terrorism Strategy
Tampa Tribune (08/23/13) Jackovics, Ted

Transportation Security Administration (TSA) chief John Pistole recently discussed his agency's counterterrorism plans leading up to the 12th anniversary of the Sept. 11 attacks. Speaking before a group of TSA security officers at Tampa International Airport on Aug. 22, Pistole said his agency plans to go forward with the expansion of its PreCheck expedited security screening program. Pistole maintains the PreCheck expansion is in line with TSA's larger strategy for risk-based assessment of airline passengers. Other initiatives implemented as part of this strategy include the use of specially trained officers looking for suspicious behavior and the use of modified security screenings for passengers 12 and under or 75 and older. Pistole also discussed some of the other security measures put in place to improve airport and airplane security since the Sept. 11 attacks, including the reinforcement of cockpit doors to prevent unauthorized entry, the use of air marshals on an undisclosed number of planes, and encouraging passengers to report any suspicious behavior they might observe. According to Pistole, the biggest concern in screening is the move to nonmetallic threats that make traditional metal detectors useless, such as the use of liquid or plastic explosives. TSA staff is briefed on these evolving threats by 15 different agencies to ensure better information sharing of real-time data.


NSA Gathered Thousands of Americans’ E-Mails Before Court Ordered It to Revise Its Tactics
Washington Post (08/22/13) Nakashima, Ellen

A previously-classified opinion written by a judge on the secret court that oversees the National Security Agency's surveillance programs indicates that the agency illegally collected tens of thousands of e-mails and other electronic communications between Americans for a period of several years. The opinion written by Foreign Intelligence Surveillance Court Chief Judge John D. Bates in October 2011 discusses the so-called "upstream" collection of Internet communications that NSA was authorized by Congress to begin in 2008. During upstream collection, NSA collects Internet communications as they move across Internet hubs, filtering out communications between Americans in the process so that it can focus on foreign communications. Collecting e-mails between two Americans or two people inside the U.S. is a violation of the Foreign Intelligence Surveillance Act. But technological difficulties made it impossible for NSA to filter out communications between Americans, meaning that the agency may have been collecting as many as 56,000 so-called "wholly domestic" communications each year between 2008 and 2011, the opinion noted. Bates ordered the collection of these communications to stop and instructed NSA to come up with a way to reduce the collection of Americans' communications, which the agency subsequently did. Some officials have defended NSA by saying that it was forthcoming with information about its collection of Americans' communications by bringing the matter to the court's attention.


New Details Show Broader NSA Surveillance Reach
Wall Street Journal (08/21/13) Gorman, Siobhan; Valentino-Devries, Jennifer

Both current and former government officials say that the National Security Agency (NSA) has created a surveillance network that sweeps up more of Americans' Internet communications than officials have publicly disclosed. The current surveillance system filters through about 75 percent of all U.S. Internet traffic, including communications between Americans and foreigners. This includes phone calls made using the Internet as well as the contents of e-mails between Americans and those abroad. The NSA claims that the majority of the data collected from domestic communications is immediately discarded, but critics say the agency needs to have better privacy protections in place. Some of those critics, including Sen. Ron Wyden (D-Ore.), have sought to prevent the NSA from searching for information on U.S. citizens without a warrant. Under the present rules, telecom companies filter data before it even reaches the NSA, then the agency filters the data again, keeping only communications related to particular e-mail addresses or organizations it might be tracking. Officials say there are sometimes disagreements over the scope of the data that telecom companies are asked to hand over, particularly if it relates to communications between U.S. citizens. Once data reaches the NSA, says former telecom executive Paul Kouroupas, the system relies primarily on self-policing to protect privacy. "There's technically and physically nothing preventing a much broader surveillance," he explains.


Snowden Reporter: Won’t Be Silenced By Detention
Associated Press (08/20/13) Kirkka, Danica; Brooks, Bradley

Guardian reporter Glenn Greenwald, who has written a number of stories based on documents leaked by former National Security Agency (NSA) contractor Edward Snowden, said Monday that the detention of his partner at Heathrow Airport on Aug. 18 would only motivate him to write more aggressively about government surveillance. Greenwald said that he has documents about surveillance programs used in England, and that he would write new stories on those programs in retribution for the detention of his partner, David Miranda. Greenwald added that British authorities will "regret what they've done." Miranda was detained under British anti-terrorism legislation and was released after being questioned so that he could continue on to Rio de Janeiro, where he lives with Greenwald. Miranda was returning from a trip to Germany where he met with a filmmaker who had worked with Greenwald on stories about the NSA's surveillance programs. Greenwald said that Miranda was bringing him documents related to the NSA that were in the filmmaker's possession, though he did not say exactly what Miranda was transporting. Miranda says several personal items were taken from him, including a computer, cell phone, and thumb drives.


Al Qaeda Planning Attacks on High-Speed Trains in Europe: Newspaper
Reuters (08/19/13) Martin, Michelle; Schraff, Kerstin; Hudson, Alexandra

The German newspaper Bild has reported that authorities in Germany have stepped up security on the country's rail system after learning that al-Qaida is planning to attack high-speed trains in Europe. Bild's report cited unnamed security experts as saying that the attacks could include acts of sabotage on rail infrastructure or bombings on board trains, and claimed that security had been tightened on high-speed Intercity-Express (ICE) routes and at train stations. The newspaper said the information about the potential threat came from the National Security Agency (NSA), which had intercepted a call between senior al-Qaida members. But German Interior Ministry spokesman Jens Teschke said that because Germany "already [has] a high level of protective measures" in place, authorities do not plan to step up security. A spokeswoman for the German rail operator Deutsche Bahn made no comment on the news report, but emphasized that the company is in regular contact with German security authorities regarding possible threats. A German federal police spokesman noted that the standard efforts made by the force are already at a level commensurate with the "highly dangerous situation both at home and abroad," but that its officers had been informed of the report.




Cybercrooks Use DDoS Attacks to Mask Theft of Banks' Millions
CNet (08/21/13) Musil, Steven

It appears that cybercriminals are now using low-powered distributed denial-of-service (DDoS) attacks to cover up their attempts to steal millions of dollars from banks while security personnel are distracted. According to Avivah Litan, an expert on financial fraud and banking security, at least three banks have been targeted in these types of attacks in the past several months. While Litan did not name the banks involved, she warned banks that they stand to lose far larger sums if they let these attacks continue. In her description of these incidents, Litan said the hackers were able to take over payment switches once the DDoS attack began. This allowed attackers to use privileged user accounts to access multiple customer accounts at once, Litan said. To minimize the damage hackers can do under these circumstances, Litan advised banks "to slow down the money transfer system while under a DDoS attack." She additionally called on them to institute "a layered fraud prevention and security approach." Litan is not alone in her concerns. Dell SecureWorks' Counter Threat Unit issued a report in April warning of a DDoS toolkit that had been used to steal up to $2.1 million through fraudulent wire transfers from bank accounts.
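As an added defender-side illustration (not code from the CNet story or from Litan), here is a toy fraud-control check that encodes the two mitigations above: a lower auto-approval cap on outbound transfers while a DDoS alert is active, and a hold when a privileged operator debits many distinct customer accounts in a short window. All thresholds, timestamps, operators and transfers are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Transfer:
    ts: int            # event time in seconds (constructed values below)
    operator: str      # user that initiated the transfer
    privileged: bool   # True if the operator holds a payment-switch admin role
    account: str       # customer account being debited
    amount: float      # USD


# Constructed DDoS alert windows (start, end), e.g. from a scrubbing service.
DDOS_WINDOWS = [(1000, 1600)]


def under_ddos(ts, windows=DDOS_WINDOWS):
    """True if a DDoS alert is active at time ts."""
    return any(start <= ts <= end for start, end in windows)


def review_transfers(transfers, normal_cap=50_000.0, ddos_cap=5_000.0,
                     fanout_window=300, fanout_limit=3):
    """Return [(transfer, reasons)] for transfers to hold for manual review.

    Rule 1 ("slow down the money transfer system while under a DDoS"):
      while a DDoS alert is active, the auto-approval cap drops from
      normal_cap to ddos_cap; larger transfers are held.
    Rule 2 (privileged accounts reaching many customer accounts at once):
      a privileged operator debiting more than fanout_limit distinct
      customer accounts within fanout_window seconds is held regardless
      of amount.
    """
    held = []
    recent = defaultdict(list)  # operator -> [(ts, account)] inside window
    for t in sorted(transfers, key=lambda x: x.ts):
        reasons = []
        ddos = under_ddos(t.ts)
        cap = ddos_cap if ddos else normal_cap
        if t.amount > cap:
            reasons.append(f"amount {t.amount:.0f} exceeds cap {cap:.0f}"
                           + (" while DDoS active" if ddos else ""))
        if t.privileged:
            hist = recent[t.operator]
            hist.append((t.ts, t.account))
            # drop entries older than the fan-out window
            hist[:] = [(s, a) for s, a in hist if t.ts - s <= fanout_window]
            distinct = len({a for _, a in hist})
            if distinct > fanout_limit:
                reasons.append(f"privileged operator {t.operator} debited "
                               f"{distinct} accounts in {fanout_window}s")
        if reasons:
            held.append((t, reasons))
    return held


# Constructed sample ledger: a normal transfer before the DDoS, a large one
# during it, and a privileged operator fanning out across accounts.
SAMPLE_TRANSFERS = [
    Transfer(900, "teller1", False, "C1", 20_000),
    Transfer(1100, "teller1", False, "C2", 20_000),
    Transfer(1200, "sw-admin", True, "C3", 1_000),
    Transfer(1210, "sw-admin", True, "C4", 1_000),
    Transfer(1220, "sw-admin", True, "C5", 1_000),
    Transfer(1230, "sw-admin", True, "C6", 1_000),
    Transfer(2000, "sw-admin", True, "C7", 1_000),
]

if __name__ == "__main__":
    for t, why in review_transfers(SAMPLE_TRANSFERS):
        print(t.ts, t.operator, "; ".join(why))
```

In production the DDoS state would come from the network team's alerting rather than a constant, and the held transfers would go to a fraud queue rather than stdout.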


Microsoft Patch Problems Underline Tradeoffs for Securing Systems
Dark Reading (08/21/13) Lemos, Robert

Some security experts worry that recent issues with Microsoft's latest Patch Tuesday software updates may lead organizations to hesitate to follow the best practice of applying updates immediately upon their release. Microsoft recently acknowledged that patches for Exchange Server, the Windows kernel, and Active Directory had caused several problems for some customers, including losing the ability to search email, Windows crashing randomly, and the inability to use Active Directory Federation Services. "Each time this happens, it is really bad for the cause, because we always tell people to patch as quickly as possible, and these things are real setbacks," says Qualys' Wolfgang Kandek. Microsoft has since fixed the issues with the Exchange patch, but the issues affecting the kernel and Active Directory updates remain. Imperva's Amichai Shulman says such patching failures are an inevitable result of the increasing complexity of software, and that "the continued investment in code security is not paying off." Shulman says it may be time to reassess patching policies and to start relying more heavily on virtual patching strategies. Meanwhile, NCC Group's Ollie Whitehouse says the best practice is still to apply patches immediately, but he also advises staggering the patching process across the network so that serious issues can be caught before they cripple a whole organization.


Mobile Malware Threat Growth Hits Record in Q2
eWeek (08/21/13) Eddy, Nathan

The number of Android-based malware threats increased by a record 35 percent in the second quarter, which was a growth rate last seen in early 2012, according to a new McAfee Labs report. The study noted that cybercriminals are infecting Android devices with a variety of malware, including fraudulent dating and entertainment apps, the use of which increased substantially during the second quarter. Such apps trick users into signing up and paying for services that do not exist and also steal any personal information stored on an infected device. Other types of malicious apps being used by cybercriminals include banking malware that steals text messages, weaponized legitimate apps, and malicious apps that seem to be useful tools. In addition to mobile malware, the report also discussed the prevalence of other types of threats, including ransomware used to infect computers. More than 320,000 new samples of ransomware were discovered during the second quarter, which was more than twice the number observed during the previous quarter. The increase in ransomware samples means the number of such samples that have been seen so far this year is higher than the total found in all previous periods combined.


Two Updated Guides Provide Latest NIST Recommendations for System Patches, Malware Avoidance
NIST Tech Beat (08/20/13) Brown, Evelyn

The U.S. National Institute of Standards and Technology has updated two of its security guides dealing with patching and malware defense. Creating a Patch and Vulnerability Management Program, which was written when patching was primarily a manual process, has been updated with a revised version, Guide to Enterprise Patch Management Technologies. The revision provides guidance for agencies taking advantage of automated patch management systems, in particular those based on NIST's Security Content Automation Protocol, and explains the basics of automated patch management and outlines metrics for assessing system effectiveness. NIST also updated its Guide to Malware Incident Prevention and Handling for Desktops and Laptops, the last version of which was published in 2005. The new guide provides guidance for modernizing malware incident prevention measures and enhancing existing capabilities to better handle modern malware, with a focus on the growing use of social engineering and other targeted attacks that make use of data harvested from social networks.


U.S. Power Plants, Utilities Face Growing Cyber Vulnerability
Homeland Security News Wire (08/19/13)

Although U.S. power plants have yet to report a major cyberattack, the stream of minor attacks against them shows the need for utilities to improve cybersecurity measures. According to a 2011 report from McAfee and the Center for Strategic and International Studies (CSIS), 85 percent of executives in the power, oil and gas, and water sectors were victims of network infiltration, while 25 percent reported network-related extortion. Security professionals looking to prevent these incidents in the future will not be able to rely on pre-packaged solutions. Instead, they must tailor their solutions to the needs of the specific utility, both protecting established platforms and leaving room to adapt to new technologies. To do so, security professionals need to consider threats from external sources as well as from employees who may, either consciously or inadvertently, expose the company's network to malware. Considerations for identifying specific threats include the avenues that might allow attackers to enter the organization's network, the prevalence of certain risks within the industry, attacks targeting other companies in the sector, risky employee behaviors, and policies to prevent such behaviors. Only after considering these factors should the utility implement its cybersecurity strategy, which should take into account both the utility's risk profile and its overall approach to IT. The strategy must also analyze risks unique to different departments to ensure all cybersecurity measures work together, while leaving room for additional solutions and governance changes.


Abstracts Copyright © 2013 Information, Inc. Bethesda, MD
