Friday, February 28, 2014

Security Management Weekly - February 28, 2014

Corporate Security
  1. "Attorney General Seeks National Standard to Protect Against Identity Theft"
  2. "Small Towns Not Immune, Need to Prepare for Active Shooter Events"
  3. "How to Survive Your Next Security Tech Project"
  4. "At Maryland Live Casino, Relentless Surveillance Operation Targets Cheats, Thieves"
  5. "No Vacancy: The Daunting Challenge of Hotel Security"

Homeland Security
  1. "Armed Men Seize Two Airports in Ukraine's Crimea, Yanukovich Reappears"
  2. "Yahoo Webcam Images From Millions of Users Intercepted by GCHQ"
  3. "Obama Officials Seek to Hold NSA Phone Records Longer"
  4. "White House Weighs Four Options for Revamping NSA Phone Surveillance"
  5. "Syria a 'Top' Concern for Homeland Security Chief"

Cyber Security
  1. "Indiana University Says Student Data Left Unsecured For Nearly a Year"
  2. "'Contagious' Wi-Fi Virus Created by Liverpool Researchers"
  3. "NSA Too Focused On Perimeter Defense, Clarke Says"
  4. "Windows 7, XP Vulnerabilities Rose in 2013, Security Firm Finds"
  5. "University of Maryland CIO Says Data 'Relics' Left it Vulnerable"

Attorney General Seeks National Standard to Protect Against Identity Theft
Reuters (02/24/14) Cooney, Peter; Selyukh, Alina

Attorney General Eric Holder on Monday called for Congress to enact a law that would specify how retailers handle data breaches. Holder said such a law, which would supersede the retailer data breach notification statutes that have been enacted in a number of states, would ensure that companies that suffer data breaches are held accountable for failing to protect consumer data. The attorney general also said that a national data breach notification standard would help law enforcement agencies better investigate data breaches and would give consumers the means to protect themselves from identity theft. Holder's call for action comes as more and more lawmakers are also saying that Congress needs to enact a national data breach notification law that addresses retail data breaches, particularly in light of the consumer data thefts at Target and Neiman Marcus. Federal law currently governs how banks, hospitals, and other industries besides retailers handle data breaches. In the absence of a federal statute, 46 states and the District of Columbia have enacted laws dealing with how retailers handle retail data breaches. But a national standard for retail data breaches could face opposition from attorneys general in those states, who may be concerned that their authority to pursue violators of state data breach laws would be weakened.


Small Towns Not Immune, Need to Prepare for Active Shooter Events
Security Director News (02/24/14) Canfield, Amy

The Retail Association of Maine has planned a new training session designed specifically to help small businesses and other employers in smaller cities and towns determine how to deal with an active shooter situation. The association's executive director, Curtis Picard, says that the March 28 session is important because many cash-strapped local governments are not prepared for these incidents, even though they are still at risk. The training will be presented by Jeremiah Hart of the Los Angeles-based Force Training Institute and will provide a "tactical primer" on active shooter incidents. The session, entitled “Workplace Safety: Active Shooter & Emergency Response Training,” specializes in low cost or no-cost solutions to improve workplace security. Hart will review participants' operation plans and will teach businesses how to detect potential threats and safely deny access to such individuals. Picard is hopeful that the training, which he previously attended, will help businesses keep their employees safer.


How to Survive Your Next Security Tech Project
Security InfoWatch (02/24/14) Bernard, Ray

Ray Bernard, principal consultant at Ray Bernard Consulting Services, says that companies can survive their next security technology deployment by using his Security Tech Project Survival Test. The test is based on best practices collected over two decades of project experience and includes ideas that many teams have not considered incorporating into such projects. The first lesson Bernard draws is that the initial project schedule is only preliminary, since many things can cause slippage; the schedule should be updated as each phase completes so that the project stays well defined, each phase can be verified as fully complete, and management is accurately informed of the project's status. The second is that project status must be proven through inspection or demonstration against the requirements, and that progress payments should be tied to provable, 100 percent complete milestones. The third is to make active project risk management a key customer role in order to get ahead of potential problems. Because most contractors and project team members do not see themselves as sources of risk, Bernard says, the customer should take full responsibility for risk management, being best placed to identify the areas of project risk and actively manage them. These success factors are captured in the Survival Test, which includes a checklist for rating current or upcoming projects so that corrective action can be taken to reduce the risk of projects running over budget and behind schedule.


At Maryland Live Casino, Relentless Surveillance Operation Targets Cheats, Thieves
Washington Post (02/22/14) Du Lac, J. Freedom

Maryland Live Casino in Hanover, Md., uses a sophisticated surveillance system to prevent people from cheating at table games and to prevent the theft of cash by employees. Members of the surveillance team work from a secret bunker where they monitor the more than 1,200 cameras installed in and around the casino to determine whether customers' behaviors are indicative of cheating. The surveillance system also has cameras watching in the count room, the dice-and-card destruction room, employee corridors, the liquor room, and in the warehouse. In addition to the state-of-the-art surveillance system, the casino employs a security force of 200 officers, headed by Karen Shinham, formerly of the Howard County Police Department. Shinham's weekend security force is greater than the police force on patrol in some Maryland counties. Rob Norton, the casino's president and general manager, said that all employees who are part of the surveillance team are "trained to identify things that don't make sense," including "unnatural behavior and things that just look suspicious." The system became particularly important after the casino added live-action tables in April 2013, as cheats came to try to take advantage. All those who have been caught by the team are entered into the casino's "black book," which includes the names and faces of banned individuals, though Norton would not say whether the casino uses facial recognition software.


No Vacancy: The Daunting Challenge of Hotel Security
Homeland Security Today (01/01/14) Vol. 10, No. 10, P. 28 Coleman, Timothy W.

The hotel industry faces a number of challenges in protecting guests from a variety of different threats, including terrorist attacks and more run-of-the-mill crimes such as robberies and kidnappings. One such challenge stems from the need to provide adequate security for guests but without hurting customer service and comfort. Compounding the problem is the failure of some hotels to adequately fund and execute their security programs, said Roman & Associates President Anthony Roman, whose firm provides investigation, risk management, and security consulting services to companies around the world. However, some hotel companies say they are working hard to ensure their guests stay safe. Carlson Rezidor Hotel Group Americas, for example, says it uses monitoring technology to stay on top of threats to its properties. Information about threats or potential threats is then quickly passed on to the relevant hotel so that best practices can be implemented to mitigate the risk to the property, the company says. Carlson Rezidor also says it has partnered with the Department of Homeland Security to provide its employees with training that helps them to identify suspicious behaviors that could be indicative of a potential security threat. Security experts agree that such public-private partnerships are an important part of hotel security.




Armed Men Seize Two Airports in Ukraine's Crimea, Yanukovich Reappears
Reuters (02/28/14) De Carbonnel, Alissa; Prentice, Alessandra

Armed men who are believed to have ties to Russia took over two airports in Ukraine's Crimea region on Friday, one day after gunmen took control of the autonomous region's Parliament building. One of the airports taken over was the international airport in Simferopol, where men armed with assault rifles and machine guns and dressed in full battle gear were seen patrolling the airport's grounds. Gunmen were also seen moving in and out of the airport's control tower. A group called the People's Militia of Crimea is reportedly helping the gunmen. Meanwhile, Ukrainian Interior Minister Arsen Avakov said Russian naval forces have taken over a military airport near Sevastopol. Roads to the airport are reportedly being blocked by armed men in camouflage uniforms. It remains unclear whether gunmen are still holed up inside the Crimean Parliament, one day after they took control of the building and raised the Russian flag over it. The gunmen made no demands, and the Parliament continued to meet as normal.


Yahoo Webcam Images From Millions of Users Intercepted by GCHQ
Guardian (United Kingdom) (02/27/14) Ackerman, Spencer; Ball, James

Edward Snowden has released a new set of documents that indicate that Britain's Government Communications Headquarters (GCHQ) received help from the National Security Agency (NSA) for a surveillance program that involved collecting webcam images from millions of Yahoo users. The program, which began in 2008 under the codename Optic Nerve, relied on a tool developed with the help of NSA research that was able to identify Yahoo webcam traffic in the Internet cables tapped by GCHQ. Once this traffic was identified, the documents note, one still image from a webcam chat was saved every five minutes, stored in GCHQ databases, and fed into NSA's XKeyscore search tool. GCHQ analysts did a variety of things with the images that were collected, including monitoring existing targets or discovering new ones. The agency was particularly interested in finding terror suspects or criminals who used a number of different anonymous user IDs. The documents indicate that the images were collected from individuals who were not intelligence targets. It is unclear how much access NSA had to the webcam images that were collected. The agency refused to comment about its access to Optic Nerve. GCHQ, meanwhile, said Optic Nerve and all its other activities were necessary and carried out in compliance with British law. Yahoo has denied providing GCHQ or NSA with assistance in carrying out the program.


Obama Officials Seek to Hold NSA Phone Records Longer
Wall Street Journal (02/27/14) Barrett, Devlin

The Justice Department has submitted a request to the Foreign Intelligence Surveillance Court (FISC) to retain Americans' phone records for longer than five years, in response to lawsuits challenging the National Security Agency program in which those records are collected. Should the court approve the request, the NSA's database of telephone metadata would be expanded, since phone records that are more than five years old would not be deleted as they are now. However, NSA analysts would not be allowed to search records older than five years, even if they are searching the records of terrorist suspects. The Justice Department says it needs to retain the older phone records in order to preserve evidence for the lawsuits challenging the program. One of the plaintiffs in those cases, the Electronic Frontier Foundation, agreed that the older phone records needed to be held in order to show the scope of the telephone metadata collection program. But the American Civil Liberties Union, which is also challenging the program, said the request was simply a "distraction" and that it has no objection to the deletion of any of the phone records.


White House Weighs Four Options for Revamping NSA Phone Surveillance
Wall Street Journal (02/26/14) Barrett, Devlin; Gorman, Siobhan

White House officials say that the president has been given four choices for overhauling the National Security Agency's (NSA) telecommunications metadata collection program. One option is to abolish telephone data collection entirely, which intelligence agencies are loath to do. The second option would allow telephone companies to store the data and allow the NSA to only access call records of people with suspected terrorism connections. While this choice has some legislative support, it is opposed by telephone companies and House Intelligence Committee Chairman Rep. Mike Rogers (R-Mich.). Another option would be to allow the FBI or another federal agency to retain the data, or turn over control of it directly to the Foreign Intelligence Surveillance Court, which already provides oversight for the program. Judges on the court have not been supportive of that possibility. The final choice is to have an entity other than phone companies or a government agency hold the records, although privacy advocates have denounced that plan by saying the entity would be likely to become an extension of the NSA.


Syria a 'Top' Concern for Homeland Security Chief
CNN (02/26/14) Crawford, Jamie

Homeland Security Secretary Jeh Johnson said at a House Homeland Security Committee hearing on Wednesday that in the eyes of all those involved in the United States' homeland and national security, the chaos and instability in Syria continues to be "at the top of the list or near the top of the list" of concerns for protecting the country. Together with his European counterparts, Johnson said that he is monitoring border enforcement and is on the watch for would-be terrorists traveling to and from Syria. Panel Chairman Rep. Michael McCaul commented that there are "more and more jihadists pouring into Syria," which is "becoming one of the largest training grounds now in the world." Johnson also emphasized the need for constant monitoring of aspiring terrorists already in the U.S. and called for increased information sharing between the intelligence community and homeland security officials.




Indiana University Says Student Data Left Unsecured For Nearly a Year
Herald-Times (IND) (02/27/14) Blau, Jon

Indiana University (IU) recently informed the state attorney general's office that the personal data of 146,000 students and recent graduates may have been exposed after the data was left unsecured on one of its Web sites for almost a year. University officials noted that they do not believe that any of the data was accessed by an outside individual. The data includes the names, addresses and Social Security numbers of individuals who were students at all of the university's campuses from 2011 through 2014. Jim Kennedy, the associate vice president for financial aid and university student services and systems, said that the data was put at risk because an authentication point used to protect the information was not working properly, noting that the issue dates to a March 2013 security upgrade to the Office of Student Services site. Kennedy said that it is unlikely that anyone would have been able to decipher the data if it had been accessed by someone outside the university, but that IU wanted to inform its students of the "low probability" that their information may have been accessed by an outside individual. IU has had the "cached" information removed from Web searches and has transferred the data to a secure location. An investigation will be conducted to determine what disabled the security point.
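The IU report says only that an "authentication point" protecting a student-records page stopped working after an upgrade, and that cached copies later had to be pulled from search engines. The following is an added example, not code from the Herald-Times report or from Indiana University, that models that class of defect: a handler whose authentication step swallows a backend failure and so serves the page anyway (an assumed bug, chosen to illustrate the failure mode), beside a fail-closed version that also marks the response uncacheable and unindexable, plus the regression probe a site owner would run after every upgrade. Session tokens, paths and record contents are constructed.

```python
"""Added example (not IU's code): fail-open vs fail-closed protection of a
records page, and a probe that lists protected paths reachable anonymously."""

# Constructed sample data.
VALID_SESSIONS = {"sess-42": "jdoe"}                                 # token -> user
PROTECTED = {"/student-services/records": "names, addresses, SSNs"}  # constructed
PUBLIC = {"/": "landing page"}
NO_CACHE = {"Cache-Control": "no-store, private",
            "X-Robots-Tag": "noindex, noarchive"}


def _session_user(headers, session_table):
    """Map the session cookie to a user, or None when absent or unknown.
    Raises when the session store is unusable (simulated by passing None)."""
    token = None
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            token = value
    return session_table.get(token)  # AttributeError if the store is None


def handle_fragile(path, headers, session_table=VALID_SESSIONS):
    """Fail-open handler (assumed bug): a crash inside the auth step is
    swallowed and the request proceeds as if it had been authenticated."""
    if path in PUBLIC:
        return 200, PUBLIC[path], {}
    if path not in PROTECTED:
        return 404, "", {}
    denied = False
    try:
        if _session_user(headers, session_table) is None:
            denied = True
    except Exception:
        pass  # bug: a broken auth backend leaves denied == False
    if denied:
        return 403, "", {}
    return 200, PROTECTED[path], {}


def handle_hardened(path, headers, session_table=VALID_SESSIONS):
    """Fail-closed handler: deny by default, refuse outright when the auth
    backend errors, and tell caches and crawlers not to keep the page."""
    if path in PUBLIC:
        return 200, PUBLIC[path], {}
    if path not in PROTECTED:
        return 404, "", {}
    try:
        user = _session_user(headers, session_table)
    except Exception:
        return 503, "", {}  # auth backend broken: never serve the data
    if user is None:
        return 401, "", {}
    return 200, PROTECTED[path], dict(NO_CACHE)


def probe_unauthenticated(handler, paths, session_table=VALID_SESSIONS):
    """Regression check: which protected paths answer 200 with no credentials?
    Run it after every site upgrade; the result should always be empty."""
    return [p for p in paths if handler(p, {}, session_table)[0] == 200]


if __name__ == "__main__":
    for name, h in (("fragile", handle_fragile), ("hardened", handle_hardened)):
        print(name, "with auth store down ->", probe_unauthenticated(h, PROTECTED, None))
```

With the session store healthy both handlers refuse anonymous requests, which is why a one-off check at deployment time would have passed; the probe only exposes the difference when the auth backend is broken, so it belongs in the post-upgrade checklist rather than in a single acceptance test.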


'Contagious' Wi-Fi Virus Created by Liverpool Researchers
BBC News (02/26/14) Lee, Dave

University of Liverpool researchers have created Chameleon, a proof-of-concept computer virus that targets Wi-Fi access points that have not had their admin password changed from the default setting. The researchers say once Chameleon is installed on an access point in a densely populated area, it can go from network to network finding weaknesses, without being controlled by a human. Chameleon can automatically seek out other vulnerable access points, taking them over when they are found. The researchers note the virus would be more of a concern for homes and small establishments than for large organizations, which have enhanced security in place. The team now is developing software that would prevent such an attack. "Rather than rely on people to use strong passwords, you want to integrate intrusion detection systems to the access points," says Liverpool professor and lead researcher Alan Marshall.


NSA Too Focused On Perimeter Defense, Clarke Says
InformationWeek (02/26/14) Jackson, William

Former White House cybersecurity adviser Richard Clarke accused the National Security Agency (NSA) and other government institutions of being too focused on keeping intruders out of their networks while largely ignoring the threat posed by insiders. Clarke told attendees at the RSA security conference that the massive data breach perpetrated by former NSA contractor Edward Snowden illustrates the agency's problem, explaining that the incident occurred "because the NSA had terrible internal security." The lack of internal network monitoring and defense is not unique to the NSA, Clarke added, nor is it unique to the public sector, as illustrated by the massive data theft at Target over the holiday shopping season. "The money goes to firewalls. The money goes to antivirus. The money goes to intrusion detection and prevention systems, and we know these systems fail all the time," Clarke points out. He believes the solution to the problem may need to be regulation, because "market forces have failed" to force government agencies and private companies to improve cybersecurity.


Windows 7, XP Vulnerabilities Rose in 2013, Security Firm Finds
IDG News Service (02/26/14) Kirk, Jeremy

The number of reported vulnerabilities affecting Windows 7 and XP doubled in 2013 according to a new report from Secunia. The study found 102 Windows 7 and 99 Windows XP vulnerabilities discovered in 2013, up from 50 and 49 respectively in 2012. Windows 8, however, led both previous OSes with 156 vulnerabilities reported in 2013, although Secunia says this is mostly due to the integration of Flash Player into the latest version of Internet Explorer, which accounted for 55 of the reported Windows 8 vulnerabilities. Windows products including XML Core Services, Windows Media Player, and Internet Explorer had the most vulnerabilities, but third-party programs accounted for 76 percent of the total vulnerabilities, an improvement from 86 percent in 2012. Secunia found that patches were available for 86 percent of vulnerabilities the same day their existence was reported, and that the average time between a vulnerability being reported and a patch being issued has continuously improved. Secunia also found only 10 zero-day vulnerabilities—those actively being exploited while still unpatched—affecting the top 50 products in 2013.


University of Maryland CIO Says Data 'Relics' Left it Vulnerable
Wall Street Journal (02/24/14) Schectman, Joel

University of Maryland at College Park CIO Brian Voss says hackers were able to access more than 309,000 personal records for students and staff due in part to institutional inertia and the changing threat environment. Hackers gained access to the personal data of faculty, staff, and students who received school IDs as long ago as 1998, including their Social Security numbers and birth dates. Voss says the Social Security numbers in the university's ID card system were data "relics," as the numbers were used as unique identifiers despite the fact that less sensitive identifiers could have been used in this way. Voss notes it is difficult in large organizations to push back against the tendency to arbitrarily collect data, because the inclination is to hold onto data longer than necessary. He says the ID system that was hacked was created in 1998, and the creators of the system could not have envisioned the types of security threats to personal data that are seen today.
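Voss's two points, that the SSN was doing a job a less sensitive identifier could have done and that records are kept longer than necessary, translate into two concrete design changes. The following is an added example, not code from the Wall Street Journal report or from the University of Maryland: an ID-card registry keyed on a random card number rather than the SSN, which never stores the SSN itself (only a keyed hash, so a re-issue to the same person can be detected), and a retention purge so that entries from 1998 do not accumulate. Names, dates, the retention window and the HMAC key are all constructed.

```python
"""Added example (not UMD's code): surrogate card ids instead of SSNs, and
a retention purge, in a small in-memory registry."""
import hashlib
import hmac
import secrets
from datetime import date

RETENTION_YEARS = 7  # assumed policy window for this example, not a figure from the article


class CardRegistry:
    def __init__(self, pepper: bytes):
        self._pepper = pepper      # secret key for the SSN fingerprint; held outside the records store
        self._records = {}         # card_id -> {"name", "role", "issued"}  (no SSN anywhere)
        self._fingerprints = {}    # HMAC(SSN) -> card_id, used only to detect re-issues

    def _fingerprint(self, ssn: str) -> str:
        digits = ssn.replace("-", "")
        return hmac.new(self._pepper, digits.encode(), hashlib.sha256).hexdigest()

    def issue(self, name: str, ssn: str, issued: date, role: str) -> str:
        """Issue a card and return its opaque id.  Issuing again to the same
        person returns the existing id instead of creating a duplicate record."""
        fp = self._fingerprint(ssn)
        if fp in self._fingerprints:
            return self._fingerprints[fp]
        card_id = secrets.token_hex(8)  # surrogate key with no meaning outside this system
        self._records[card_id] = {"name": name, "role": role, "issued": issued}
        self._fingerprints[fp] = card_id
        return card_id

    def lookup(self, card_id: str):
        return self._records.get(card_id)

    def holds_ssn(self, ssn: str) -> bool:
        """Answer 'is this person on file?' without the file containing the SSN."""
        return self._fingerprint(ssn) in self._fingerprints

    def stores_plaintext(self, ssn: str) -> bool:
        """Audit helper: does the SSN, with or without dashes, appear anywhere in the store?"""
        blob = repr(self._records) + repr(self._fingerprints)
        return ssn in blob or ssn.replace("-", "") in blob

    def purge_expired(self, today: date, years: int = RETENTION_YEARS) -> int:
        """Delete records issued more than `years` before `today`; returns the count.
        The day is clamped to 28 so the cutoff is valid in every month."""
        cutoff = date(today.year - years, today.month, min(today.day, 28))
        expired = {cid for cid, r in self._records.items() if r["issued"] < cutoff}
        for cid in expired:
            del self._records[cid]
        self._fingerprints = {fp: cid for fp, cid in self._fingerprints.items()
                              if cid not in expired}
        return len(expired)


if __name__ == "__main__":
    reg = CardRegistry(b"constructed-pepper-not-a-real-key")
    old = reg.issue("Student A", "123-45-6789", date(1998, 9, 1), "student")   # constructed
    new = reg.issue("Staff B", "987-65-4321", date(2013, 1, 15), "staff")      # constructed
    print("plaintext SSN in store:", reg.stores_plaintext("123-45-6789"))
    print("purged:", reg.purge_expired(date(2014, 2, 24)), "remaining:", len(reg._records))
```

A breach of this store yields names, roles and random card numbers; the keyed fingerprints are useless without the pepper, which is why it is kept with the application secrets rather than beside the records. The purge is what turns a retention policy into an enforced limit instead of a statement of intent.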


Abstracts Copyright © 2014 Information, Inc. Bethesda, MD