Friday, June 06, 2014

Security Management Weekly - June 6, 2014

June 6, 2014
Corporate Security
  1. "ASIS Introduces New Auditing Management System Standard"
  2. "ONVIF and SIA Announce Memorandum of Understanding on Access Control Standards"
  3. "Cargo Theft: 2013 in Review"
  4. "The Business of Travel Safety"
  5. "License to Steal"

Homeland Security
  1. "Limits on Freed Detainees Outlined"
  2. "Senate Panel Split on Surveillance Reform"
  3. "Keystone XL Pipeline Opponent Cites Terrorism Concerns"
  4. "Jihadist Groups' Threat to U.S. Grows, Report Says"
  5. "Holder to Renew Focus on Growing Domestic Terror Threat"

Cyber Security
  1. "New Apple Operating Systems Bring Security Mysteries"
  2. "New Proactive Approach Unveiled to Detect Malicious Software in Networked Computers and Data"
  3. "What are the Top Security Concerns of Senior IT Executives?"
  4. "Critical New Bug in Crypto Library Leaves Linux, Apps Open to Drive-By Attacks"
  5. "SSL: Security's Best Friend or Worst Enemy?"


ASIS Introduces New Auditing Management System Standard
Security InfoWatch (06/05/14)

ASIS International has released the "Auditing Management Systems: Risk, Resilience, Security, and Continuity—Guidance for Application American National Standard (SPC 2)," which is the latest in a five-part series of resilience standards that aims to provide a more holistic, business-friendly approach to managing resilience and risk. The SPC 2 standard provides a step-by-step process for establishing an audit program and conducting individual audits that are consistent with the ISO 19011 and ISO/IEC 17021 standards. In addition, the standard is designed to help security practitioners evaluate risk and resilience-based management systems and identify competence criteria for auditors. ASIS said that the standard, which is applicable to organizations in the private and public sectors, provides generic concepts for auditing a risk and resilience-based management system and can be adapted to fit the specific needs of any organization.


ONVIF and SIA Announce Memorandum of Understanding on Access Control Standards
Security Today (06/03/14)

A Memorandum of Understanding has been signed by ONVIF and the Security Industry Association (SIA), under which the two will work cooperatively toward the development of Internet Protocol-based interoperability standards in access control. The agreement calls for SIA to educate its members and industry stakeholders about ONVIF's Profile C, which governs interoperability between network-based security management systems and physical access control system (PACS) panels. ONVIF, meanwhile, will support SIA's Open Supervised Device Protocol (OSDP) IP extension initiative. The initiative will expand the OSDP standard, which is based on the RS-485 standard for point-to-point serial connections and deals with interoperability between peripheral security devices, to a networked version that runs over IP. ONVIF and SIA had been working independently to develop standardized interfaces for PACS but decided to work together after realizing that their efforts to date were complementary.


Cargo Theft: 2013 in Review
Security Today (06/02/14) DeMao, Jack

The Supply Chain Information Sharing and Analysis Center (ISAC) has released its 2013 Cargo Theft report, which shows a drop in the total number of reported cargo thefts for the first time since 2005. The report noted that the number of known cargo thefts fell from 927 in 2012 to 811 last year. That said, cargo theft remains underreported and misreported, meaning that the number of cargo thefts that actually took place last year may be higher. The report also found that September continues to be the biggest month for cargo theft, while the biggest problem states are California, Texas, Florida, and Georgia. The most frequently targeted item is food because it tends to be easier to fence, the report found. ISAC also found higher rates of theft for consumer electronics, metals, and beverages in 2013 compared to previous years, while clothing and accessory thefts dropped. Finally, the ISAC reported that loss rates dropped by an average of $95,000 last year compared to 2012, when they were nearly twice as high.


The Business of Travel Safety
Security Management (06/14) Blankchtein, Tzviel

Businesses must take steps to protect employees when they travel abroad, writes Tzviel Blankchtein, the operator of Masada Tactical Protective Services. Kidnappings and hostage situations remain a serious threat for traveling executives, he maintains, and companies should be prepared for worst-case scenarios. Blankchtein says any employee sent to a high-risk area should be protected through planning, training, tracking, and prepared emergency procedures. In the planning stage, a thorough risk assessment should be performed to identify the modes of travel and the safest routes to use, as well as the risks posed by lodging options and the social climate. If possible, a security team should be sent in advance of the trip to better assess these risks. This information should be used to prepare executives during a pre-travel training session. Such training will also help teach executives to blend in by adapting to local customs so they do not appear to be high-value targets. Training may additionally help executives learn simple self-defense techniques and familiarize them with their company's emergency protocols. Even with this preparation, it is important for companies to be able to track executives, which can help identify a kidnapping situation and speed recovery operations. Finally, should a kidnapping occur, the company must have emergency procedures in place to increase the executive's chances of a safe return.


License to Steal
Security Management (06/14) Gates, Megan

A recent report from the Center for Responsible Enterprise and Trade (CREATe) detailed the challenges that businesses face in attempting to manage the growing threat posed by trade secret theft. These challenges include the increased reliance on computerized systems, the need to send trade secrets offshore to overseas manufacturing plants, and the formation of joint ventures with foreign companies. The increasing number of trade secret thefts is forcing businesses to understand how important their trade secrets are, and is pushing them to take steps to protect those secrets. Raymond James Corporate Security Manager and ASIS International Investigations Council member Tom Stutler recommends that companies take a proactive approach to securing their trade secrets. As part of such an approach, Stutler said that businesses need to first identify these assets on a yearly basis and then identify countermeasures to protect them. A robust awareness program can also help employees take steps to protect these assets, as can teaching employees about their vulnerability when they travel overseas and ensuring that their devices contain no company data, Stutler said. R. Mark Halligan, a trial lawyer focused on intellectual property litigation, commented that the U.S. is a common law jurisdiction with strong legal protections that enforce trade secret laws, whereas some other countries are not; companies should therefore write common law protections into all their contracts so that their trade secrets can be protected through those contractual rights.




Limits on Freed Detainees Outlined
Washington Post (06/06/14) Gearan, Anne

U.S. officials and others with knowledge of the agreement that won the release of Army Sgt. Bowe Bergdahl say there are controls in place to mitigate any potential threat from the five senior Taliban commanders who were freed in exchange for Bergdahl. For example, the agreement included strict bans on militant incitement or fundraising by the commanders that could pose a threat to the U.S. The commanders will also be prevented from leaving Qatar, the Middle Eastern country they were sent to, for one year--a provision that U.S. officials say reduces the chances that the commanders will take up arms against American troops, as they will not be able to leave Qatar until all U.S. combat forces are withdrawn from Afghanistan. However, critics of the Obama administration say that the commanders--who had been described as potentially the most dangerous detainees when they were held at Guantanamo Bay--will still have freedom of movement within Qatar. In addition, some point out that the Qatari government will likely not monitor the commanders closely enough to prevent them from having some type of role in the Taliban insurgency in Afghanistan. Sen. Susan Collins (R-Maine) is among those who say that the commanders are dangerous and are likely to take up arms against the U.S. when they are free to leave Qatar a year from now. But people who are familiar with the agreement say that it is unlikely that the commanders will take top battlefield roles after leaving Qatar, given their seniority within the Taliban.


Senate Panel Split on Surveillance Reform
Politico (06/05/14) Byers, Alex

A Senate panel on June 5 appeared split on the USA Freedom Act, which would end the bulk collection of phone records and require the government to obtain telephone metadata from phone companies. Some lawmakers say the bill does not do enough to change surveillance practices, while others worry that it could be a problem to allow telecom companies to have so much control of information that could be important to national security. "I believe the House-passed bill … is not the true reform I have demanded and many other Americans have for years," said Sen. Mark Udall (D-Colo.). On the other side of the aisle, Sen. Saxby Chambliss (R-Ga.) maintains "that swapping the current program out for an untested system may be a pretty bad deal from a national security perspective and for the American people." Senate Intelligence Chairwoman Dianne Feinstein (D-Calif.) said the bill could still be altered to include stronger prohibitions against bulk data collection. Intelligence officials agreed that the language could be worked on, but they want to avoid scrapping the existing measure.


Keystone XL Pipeline Opponent Cites Terrorism Concerns
Los Angeles Times (CA) (06/04/14) Banerjee, Neela

A study of the proposed Keystone XL pipeline's vulnerability to terrorism that was commissioned by environmental activist Tom Steyer and conducted by former Navy SEAL David Cooper has found that the pipeline could be a particularly attractive target as it has a high political visibility and travels through part of an aquifer that supplies drinking water to millions in the Plains states. Cooper says that he completed the study using publicly available information that would be easily accessible to anyone planning an attack, and found that "a handful of terrorists could use just four pounds of explosives at each of three pump facilities" along the pipeline to trigger a spill of more than 7 million gallons of oil. Such an oil spill would be "catastrophic," the report said. Cooper stated that he does not believe that the pipeline should be constructed until the vulnerabilities he identified have been dealt with. Keystone XL's owner, TransCanada, has called the report a propaganda stunt and panned the fact that only the Keystone XL's vulnerability to terrorist attacks was studied, despite it being only 1,100 miles long in comparison to the more than 2.5 million miles of pipelines that already crisscross the U.S. An unredacted version of the report was delivered on June 2 to the State Department, which is considering the security of the proposed pipeline and other issues associated with the project.


Jihadist Groups' Threat to U.S. Grows, Report Says
Wall Street Journal (06/04/14) Gorman, Siobhan

A new report by the Rand Corp. think tank that is scheduled to be released on June 5 says that the threat that jihadist groups pose to the U.S. has increased over the last three years. The report estimates that the total number of jihadists ranged from between 12,945 and 47,810 in 2010, and that this range increased to between 45,510 and 105,510 in 2013. Similarly, the number of jihadist groups increased from 31 to 49 in that time period. The report suggests that the biggest cause of the increase in jihadist activity has been the Syrian civil war, as the largest increase in the number of jihadist groups and militants has taken place in that country. The report also says that a full withdrawal of American troops from Afghanistan "could seriously jeopardize U.S. security interests" because terrorists will continue to maintain a presence in that country as well as in neighboring Pakistan. The report found that al-Qaida and affiliate groups are primarily focused on attacking local enemies in the Middle East and North Africa rather than Western targets, though militants in Syria are showing increasing interest in launching attacks outside of the country.


Holder to Renew Focus on Growing Domestic Terror Threat
USA Today (06/02/14) Johnson, Kevin

The growing threat from self-radicalized domestic terrorists has prompted Attorney General Eric Holder to announce the reformation of a special Justice Department unit aimed at preventing attacks carried out by these individuals. This unit, which was first established following the Oklahoma City bombing but has been inactive since the Sept. 11 attacks, will bring the FBI, federal prosecutors and other agencies together to work to prevent potential homegrown threats. Holder commented that the evolution of the terrorist threat and the growing possibility of individual radicalization over the Internet makes it critical for the U.S. to place increased focus on potential domestic threats.




New Apple Operating Systems Bring Security Mysteries
CSO Online (06/04/14) Gonsalves, Antone

Some security experts are concerned that some of the recently announced features in the latest versions of Apple's iOS and Mac OS operating systems could pose a threat to enterprise security. On June 2 Apple announced Handoff, a feature that will enable users to carry out tasks across multiple devices. Apple apps such as Mail, Safari, Pages, Numbers, Keynote, Maps, Calendar, and Contacts will make use of the feature, and other developers will likely incorporate Handoff into their own apps. Fortinet's Richard Henderson says this creates a data leak threat for enterprise devices. Another new feature, Family Share, also creates a leakage risk: it would give family members shared access to some apps and information, such as device locations. Henderson says Apple should give enterprises the ability to turn off these features in the new OSes, and if that does not happen, enterprise security staff should consider not letting iOS devices on their network. On the other hand, one potentially useful new feature is developer access to the TouchID fingerprint authentication application. Ping Identity's Paul Madsen says TouchID would be very useful to the enterprise if it could be integrated into mobile device management software.


New Proactive Approach Unveiled to Detect Malicious Software in Networked Computers and Data
Virginia Tech News (06/04/14) Nystrom, Lynn A.

Virginia Tech researchers say they have found a way to establish the causal relations among computer network events, a breakthrough that effectively isolates infected computer hosts and detects malicious software in advance. The researchers used causal relations to determine whether or not network activities have justifiable and legitimate causes to occur. "This type of semantic reasoning is new and very powerful," says Virginia Tech professor Danfeng Yao, who led the research effort, which also included Virginia Tech professor Naren Ramakrishnan and graduate student Hao Zhang. "The true significance of this security approach is its potential proactive defense capability," Yao says. "Conventional security systems scan for known attack patterns, which is reactive. Our anomaly detection based on enforcing benign properties in network traffic is a clear departure from that." The research was funded by a $530,000 U.S. National Science Foundation CAREER Award to develop software that differentiates human-computer interaction from malware. Yao also received a three-year, $450,000 U.S. Office of Naval Research grant to quantitatively detect anomalies in Department of Defense computers, mobile devices, command-and-control servers, and embedded systems deployed on U.S. Navy ships. Yao will present the research this month at the ACM Symposium on Information, Computer and Communications Security in Kyoto, Japan.


What are the Top Security Concerns of Senior IT Executives?
Help Net Security (06/04/14)

Two polls of the senior IT security executives who attended Courion's recent annual user conference found that cyberattacks carried out by insiders are common at some organizations, and executives are finding it difficult to reduce the threat of such attacks. One of the polls found 55 percent of the executives have caught an employee or other insider stealing information from their organizations' computer systems, and 65 percent knew their organizations had experienced a computer data theft of some sort. A second poll conducted at the event found information security and identity access management (IAM) departments face challenges in working together to reduce the risks that can lead to insider attacks. That poll found 47 percent of executives believed problems such as organizational issues between information security and IAM departments, limited budgets, and technology integration problems made it difficult to achieve greater integration of IAM controls within security. The Enterprise Strategy Group's Jon Oltsik, who conducted the second poll, said it is important to achieve better integration between IAM analytics and security because doing so enables organizations to better detect and respond to potential security breaches, improve the efficiency of their IAM processes, and improve their oversight capabilities.


Critical New Bug in Crypto Library Leaves Linux, Apps Open to Drive-By Attacks
Ars Technica (06/03/14) Goodin, Dan

The developers of the GnuTLS open source cryptographic code library used in Linux and several other pieces of open source software recently identified and patched a vulnerability that could expose servers and apps to drive-by Web attacks. The vulnerability, known as CVE-2014-3466, could enable attackers to crash client applications, corrupt memory contents, or cause the execution of malicious code by sending excessively long session ID values when establishing an encrypted HTTPS connection. There have been no reports of such attacks being carried out in the wild, but it is likely that, as with the Heartbleed bug earlier this year, such attacks will increase now that the bug's existence is publicly known. The bug was patched on May 30 in the latest releases of GnuTLS (3.1.25, 3.2.15, and 3.3.4), but many apps and operating systems will remain vulnerable until they are themselves updated to make use of the new GnuTLS versions. It is not clear how long the vulnerability has existed or which previous versions of GnuTLS are affected.
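The defect class in the abstract above, shown as an added illustration that is not GnuTLS's own code: a minimal TLS 1.2 ServerHello parser in C that enforces the 32-byte session ID limit from RFC 5246 before copying into a fixed-size field, plus a constructed message builder used to exercise the check. All names and constants here are my own, and the builder's output is a test vector, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 5246: SessionID is opaque<0..32>, so 32 is the protocol's hard upper bound. */
#define TLS_MAX_SESSION_ID_SIZE 32
#define TLS_RANDOM_SIZE 32

enum { HELLO_OK = 0, HELLO_TRUNCATED = -1, HELLO_BAD_SESSION_ID_LEN = -2 };

struct server_hello {
    uint16_t version;
    uint8_t  random[TLS_RANDOM_SIZE];
    uint8_t  session_id_len;
    uint8_t  session_id[TLS_MAX_SESSION_ID_SIZE]; /* fixed size: the copy into it must be bounded */
    uint16_t cipher_suite;
    uint8_t  compression;
};

/* Parse a TLS 1.2 ServerHello body (extensions ignored). Each wire length is checked
 * against the remaining input and the fixed-size destination before any copy. */
int parse_server_hello(const uint8_t *buf, size_t len, struct server_hello *out)
{
    if (len < 2 + TLS_RANDOM_SIZE + 1) return HELLO_TRUNCATED;
    out->version = (uint16_t)((buf[0] << 8) | buf[1]);
    memcpy(out->random, buf + 2, TLS_RANDOM_SIZE);
    size_t pos = 2 + TLS_RANDOM_SIZE;
    uint8_t sid_len = buf[pos++];
    /* The bound the vulnerable releases lacked: a peer-chosen length must never
     * drive a copy into the 32-byte session_id field. Reject it as a protocol error. */
    if (sid_len > TLS_MAX_SESSION_ID_SIZE) return HELLO_BAD_SESSION_ID_LEN;
    if (len - pos < (size_t)sid_len + 3) return HELLO_TRUNCATED;
    memcpy(out->session_id, buf + pos, sid_len);
    out->session_id_len = sid_len;
    pos += sid_len;
    out->cipher_suite = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
    out->compression = buf[pos + 2];
    return HELLO_OK;
}

/* Constructed test vector (not real traffic): a ServerHello body whose session_id
 * length byte is sid_len. Returns bytes written, or 0 if cap is too small. */
size_t build_server_hello(uint8_t *buf, size_t cap, uint8_t sid_len)
{
    size_t pos = 0;
    if (cap < (size_t)2 + TLS_RANDOM_SIZE + 1 + sid_len + 3) return 0;
    buf[pos++] = 0x03; buf[pos++] = 0x03;        /* TLS 1.2 */
    memset(buf + pos, 0xAB, TLS_RANDOM_SIZE); pos += TLS_RANDOM_SIZE;
    buf[pos++] = sid_len;
    memset(buf + pos, 0x11, sid_len); pos += sid_len;
    buf[pos++] = 0xC0; buf[pos++] = 0x2F;        /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
    buf[pos++] = 0x00;                           /* null compression */
    return pos;
}

/* Build a hello with the given session_id length and return the parser's verdict. */
int check_session_id_len(uint8_t sid_len)
{
    uint8_t msg[320];
    struct server_hello sh;
    size_t n = build_server_hello(msg, sizeof msg, sid_len);
    return parse_server_hello(msg, n, &sh);
}
```

The same pattern applies to every other length-prefixed field in a handshake: validate against both the remaining input and the destination size before the copy, and treat a violation as a fatal protocol error rather than clamping it.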


SSL: Security's Best Friend or Worst Enemy?
Dark Reading (06/02/14) Chickowski, Ericka

Enterprises underestimate the number of SSL-using applications they rely on and do not fully understand the security risks this can pose, according to a new Palo Alto Networks study. Palo Alto Networks' 11th annual Application Usage and Threat Report studied 5,500 real-world environments and found that just 34 percent of applications running in those environments were SSL capable. Palo Alto's Ryan Olson says one reason this poses a problem is that as SSL-encrypted traffic passing over enterprise networks becomes more common and taken for granted, enterprises are more liable to overlook malicious traffic and activity that uses SSL to hide itself. Zeus and other banking Trojans are known to use SSL to hide communications with command-and-control servers, data exfiltration, and other malicious network activity. Olson says organizations need to make a point of selectively decrypting SSL traffic to catch and deter such activity. Another major issue is the legacy of Heartbleed: while large websites and servers have patched themselves to neutralize the bug, huge swathes of SSL-enabled enterprise apps likely remain unpatched and will continue to be vulnerable going forward. Olson warns that enterprises need to work to identify such applications and patch or replace them.


Abstracts Copyright © 2014 Information, Inc. Bethesda, MD

