
Friday, December 12, 2014

Security Management Weekly - December 12, 2014


December 12, 2014
 
 
Corporate Security
  1. "At the Frontline: 2015 ASIS International President Dave Tyson"
  2. "Arson Eyed in Massive Los Angeles Apartment Blaze"
  3. "Cyberattack on Sony Is Called Sophisticated"
  4. "Addressing Corporate Espionage in the 21st Century"
  5. "Standardizing Security Personnel for Better Quality of Care"

Homeland Security
  1. "CIA Torture Report May Bolster Islamic State’s Propaganda Efforts"
  2. "Senate Report on CIA Program Details Brutality, Dishonesty"
  3. "Ex-CIA Directors: Interrogations Saved Lives"
  4. "U.S. Beefs Up Security Abroad in Advance of Releasing CIA Report"
  5. "American Hostage Luke Somers Killed in Rescue Attempt"

Cyber Security
  1. "Federal Data Security Bill Heads to Obama's Desk"
  2. "Less Well-Known Enterprise App Flaws Pose Big Threat, Says Report"
  3. "CISOs Say Hackers Have Advantage: Report"
  4. "Report: Most Companies Fail at Keeping Track of Patches, Sensitive Data"
  5. "The POODLE Flaw Returns, This Time Hitting TLS Security Protocol"


At the Frontline: 2015 ASIS International President Dave Tyson
Security InfoWatch (12/11/14) Griffin, Joel

ASIS International has announced that Dave Tyson, the senior director of information security and CISO for S.C. Johnson, will serve as its president in 2015. Over a nearly 30-year career, Tyson has worked a variety of jobs in the security industry, from being a security guard to chief security officer for his hometown of Vancouver, Canada. Tyson says his plans for ASIS in 2015 include building the organization's international member base and focusing on creating value for members. "Continuing to advance our organization in several markets where there are potentially large opportunities for us, such as India, China, Brazil and other places are a big focus for me," said Tyson. Asked what he sees as the biggest physical security challenge facing enterprises today, Tyson points to the Internet of Things and the way that physical security systems are now connected to and vulnerable through the Internet. Tyson also discussed taking security to the board level, noting that CSOs need to find ways to tie security directly to the business. "We really need to align our security programs, our spending and risk-investment tradeoffs, against what truly matters for the business," Tyson said.


Arson Eyed in Massive Los Angeles Apartment Blaze
Associated Press (12/09/14) Weber, Christopher

Investigators in Los Angeles say an arsonist may be to blame for the fire earlier this week at the massive Da Vinci apartment complex that was under construction in the city. Capt. Jaime Moore of the Los Angeles Fire Department says arson is suspected because the entire building was engulfed in flames all at once--something he said is "very rare" to see. However, investigators are still planning to interview witnesses, examine video footage of the fire, and use dogs to determine whether any accelerants fueled the blaze. The investigation will be carried out with the help of the Bureau of Alcohol, Tobacco, Firearms and Explosives. Most of the complex was destroyed in the fire, which caused an estimated $10 million in damage.


Cyberattack on Sony Is Called Sophisticated
Wall Street Journal (12/07/14) Yadron, Danny

The sophisticated and damaging cyberattack against Sony Pictures Entertainment has been linked to North Korea by cyberwar experts and U.S. officials. They say the breach reflects the efforts of an organized group and is very similar to prior hacks that U.S. and South Korean officials have linked to the North. The digital intruders at Sony broke into the system, posted on the Web tens of thousands of personal records of Sony employees and contractors and erased corporate hard drives. Deploying all of those tactics in an assault on a U.S. company is brazen, people familiar with the Sony investigation said. "The attack is unprecedented in nature," said Kevin Mandia, chief operating officer of FireEye Inc., a security company investigating the breach. "This was an unparalleled and well-planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared." Mandia’s team has reportedly concluded North Korea is likely linked to the breach. The North Korean government denied hacking the studio but called the intrusion a "righteous deed" that may have been done by North Korea’s supporters. This year, Pyongyang called "The Interview," a forthcoming Sony comedy that depicts a U.S. plot to assassinate North Korean leader Kim Jong Un, an act of war.


Addressing Corporate Espionage in the 21st Century
Security Magazine (12/14)

New technology has made corporate espionage easier, to the point that U.S. losses to corporate espionage are estimated at $300 billion annually. Some of the most likely threats to businesses include insiders with access to key information, global criminal organizations, competitors, foreign intelligence agencies, and inadvertent disclosure by employees. Corporate espionage may be conducted through foreign surveillance, recruitment of insiders, computer hacking, targeting individuals at trade conferences, mergers, or hiring competitors' employees. The prevention of corporate espionage requires a comprehensive risk management program that addresses personnel security, such as pre-employment screening and termination procedures; legal protections for intellectual property; employee education; physical security, including access control; good market and security intelligence; strong government and industry relations; information security; and communication among all of an organization's departments.


Standardizing Security Personnel for Better Quality of Care
Security Magazine (12/14) Ritchey, Diane

The standardization of security officer services has benefits for the growing number of hospitals joining health systems or implementing the Affordable Care Act. The need for increased safety and security is positioning standardization of security services as a solution for health systems. The University of Colorado Health (UCHealth)--which has partnered with Memorial Health System, Poudre Valley Health System, and University of Colorado Hospital--is standardizing security services through its partnership with AlliedBarton. The standardization of security services has led to UCHealth saving money and streamlining operations. AlliedBarton security officers help create a safe and protected healthcare environment so medical staff can concentrate solely on patient care. For example, the security officers are trained to watch suicidal or mental health patients and guarantee their safety so medical staff can provide other types of care when necessary. AlliedBarton security officers were also helpful in dealing with the fallout from the Aurora, Colo., movie theater shooting. Officers assisted local police in moving patients from police cars, helped the victims' families, and assisted hospital staff in dealing with the media attention.




CIA Torture Report May Bolster Islamic State’s Propaganda Efforts
Homeland Security Today (12/11/14) Vicinanzo, Amanda

Terrorist organizations such as the Islamic State could use the controversial Senate report on the CIA's "enhanced" interrogation tactics to encourage attacks against the United States, warns House Intelligence Committee Chairman Mike Rogers (R-Mich.). Rogers said that before the report's release, foreign powers and the U.S. intelligence community had warned that terrorist organizations could use it to incite attacks. The U.S. military and U.S. embassies are on guard against a potential attack due to backlash from terrorist organizations. The FBI and the Department of Homeland Security have issued a joint bulletin saying that there have been no signs of an impending threat, but that the report could encourage future terrorist efforts.


Senate Report on CIA Program Details Brutality, Dishonesty
Washington Post (12/10/14) Miller, Greg; Goldman, Adam; Tate, Julie

The more than 500-page report by the Senate Intelligence Committee on the CIA's clandestine interrogation program documents numerous cases of unwarranted brutality and attempts by agency officials to deceive superiors and peers about the program's efficacy. The report finds that more than a fifth of the 119 prisoners were held under the program as the result of mistaken identity or bad intelligence and concludes that the use of enhanced interrogation techniques did not work. Much of the report is given over to picking apart claims made by the CIA over the years that enhanced interrogation yielded "unique" and otherwise unobtainable intelligence, including intelligence that led to the capture of Osama bin Laden. It concludes that in all cases these claims were overstated or simply untrue. Often, information that was said to have been obtained through interrogation was actually offered up freely by prisoners before interrogation or had already been obtained through some other source, such as signals intelligence. The report also suggests that the controversial technique of waterboarding was used on more prisoners than the CIA admits, and in some cases taken to extreme lengths that amounted to near drownings. The CIA responded to the report by admitting that there were problems with the interrogation program but maintaining that it did produce intelligence that was used to foil terrorist attacks and capture suspected terrorists.


Ex-CIA Directors: Interrogations Saved Lives
Wall Street Journal (12/10/14) Tenet, George J.; Goss, Porter T.; Hayden, Michael V.; et al.

In a piece in the Wall Street Journal, former CIA Directors George Tenet, Porter Goss, and Michael Hayden and former Deputy Directors John McLaughlin, Albert Calland, and Stephen Kappes dispute the conclusions of the Senate Intelligence Committee's recently released report on the agency's clandestine interrogation program. They criticize the report as a political and inaccurate attack on the agency, noting that the report was composed by the committee's Democratic staff, which did not question them during their investigation. They say the report's conclusion that the interrogation program failed to produce useful intelligence is incorrect and maintain that the intelligence gained led to the capture of Osama bin Laden and the disruption of terror plots and added to the agency's knowledge of al-Qaida. The former directors also disagree with the report's assertion that the agency routinely misled the public and the rest of the government about the effectiveness of the program, and that any of the techniques used went beyond those authorized by law. They also say the report should have taken into account the "context" in which the program was conceived in the aftermath of the September 11, 2001 terror attacks, saying that period "felt like the classic 'ticking time bomb' scenario — every single day."


U.S. Beefs Up Security Abroad in Advance of Releasing CIA Report
Washington Post (12/09/14) Mufson, Steven; Lamothe, Dan

The U.S. has put several military units on high alert in advance of a Senate report on interrogation techniques employed by the CIA in the wake of the Sept. 11, 2001 terror attacks. White House spokesman Josh Earnest said Monday "there are some indications that... the release of the report could lead to a greater risk that is posed to U.S. facilities and individuals around the world." A declassified summary of the report that will be released to the public today is expected to be critical of the CIA's methods and concludes that harsh interrogation techniques are largely ineffective. In response to requests from the Pentagon that commanders review their security plans, the commanders of U.S. Central Command and U.S. Africa Command have ordered troops to be placed on higher alert status. Officials are most concerned about potential backlash in Africa and the Middle East, as well as Afghanistan and Pakistan. Most of the troops being put on high alert are Marines and include members of crisis response units in Spain, Italy, Iraq, and Kuwait and fleet anti-terrorism security teams. Those teams are usually used to increase security at U.S. embassies.


American Hostage Luke Somers Killed in Rescue Attempt
Wall Street Journal (12/06/14) Barnes, Julian E.; Abi-Habib, Maria

Two hostages, one American and one South African, were killed by their al-Qaida captors during an attempted rescue operation in Yemen on Saturday. American photojournalist Luke Somers and South African teacher Pierre Korkie were shot by members of al-Qaida in the Arabian Peninsula (AQAP) during the early morning raid and died after being evacuated by American forces, according to U.S. Defense Secretary Chuck Hagel. Hagel spoke about the failed rescue on Saturday and explained that the rescue operation was attempted because "there were compelling reasons to believe Mr. Somers' life was in imminent danger." This was the second attempt to rescue Somers and was initiated after AQAP threatened to kill him by the end of the week if their unspecified demands were not met. Those demands may have involved paying a ransom for Somers, but the U.S. has a long-standing policy of not paying ransoms to terrorist groups. Somers, who began his career photographing protests in Yemen during the Arab Spring, was kidnapped in September 2013 in Yemen's capital. Korkie was kidnapped earlier in 2013 along with his wife Yolande, who was released in January.




Federal Data Security Bill Heads to Obama's Desk
The Hill (12/10/14) Bennett, Cory

The House on Wednesday night approved FISMA, sending the bill to President Obama's desk. Rep. Darrell Issa (R-Calif.) did not oppose the measure as anticipated, and some provisions from Rep. Michael McCaul's (R-Texas) bill defining DHS' cybersecurity role were included.


Less Well-Known Enterprise App Flaws Pose Big Threat, Says Report
eWeek (12/09/14) Lemos, Robert

Security flaws in IBM, Oracle, and VMware products occur more frequently than the Adobe Flash and Java vulnerabilities targeted by commodity attack tools, according to a Secunia analysis. The analysis notes Microsoft and Adobe both recently released patches for critical vulnerabilities, but other companies need to patch a greater number of flaws each quarter. Secunia identified at least 1,814 software security flaws, with IBM having to deal with the most vulnerabilities, largely due to its suite of enterprise software products. Secunia's data, which features top-20 lists for August, September, and October, also found Google's Chrome browser was the single application with the most flaws, but other top vulnerable applications each month included EMC's Archer compliance software, Oracle's Solaris, the Avant browser, and VMware's vCenter Server. Although patching such broadly used software is essential, companies also need to be concerned about software critical to their specific environment, notes Secunia's Kasper Lindgaard. He says attackers use "vulnerabilities in the applications that your company runs in your environment." Companies also have to focus on software from vendors that use open source libraries as part of their software offerings. Many vulnerabilities are not widely known because the software's developer does not publicly disclose the issues, Lindgaard notes.


CISOs Say Hackers Have Advantage: Report
CIO Journal (12/09/14) King, Rachael

IBM's third annual Chief Information Security Officer study found more than 80 percent of IT security leaders believe the danger from external threats is on the rise, with 60 percent reporting their organizations are not yet ready to cope with these threats. The study is based on in-depth interviews with 138 senior IT security leaders, 40 percent of whom named sophisticated external threats as their top security challenge. Regulations came in second at under 15 percent. More than 70 percent reported they have mature traditional security layouts, including network intrusion prevention and advanced malware detection software. Nearly half said deploying new security technology is a top priority, identifying data leakage, cloud security, and mobile device security as top areas in need of attention. Meanwhile, 90 percent of respondents said their organization has adopted or is currently planning to adopt cloud initiatives, and of this group 75 percent said their cloud security budgets are set to increase or increase dramatically over the next three to five years. More than 70 percent said real-time security intelligence is increasingly a priority, although areas such as data classification and discovery are still not particularly well developed. Only 45 percent reported they have an effective mobile device management strategy, with mobile device management and security ranking at the bottom of the program maturity list.


Report: Most Companies Fail at Keeping Track of Patches, Sensitive Data
CSO Online (12/09/14) Korolov, Maria

IT professionals at many organizations are failing to perform several tasks that are seen as vital parts of the effort to protect information systems and networks from cyberattacks, according to Trustwave's 2014 State of Risk survey. The survey found 19 percent of organizations in the U.S. and several other countries were not controlling or tracking sensitive data in any way, while 63 percent of the survey's approximately 500 respondents admitted their processes for managing sensitive data were immature. Trustwave's Phil Smith says the findings are alarming because organizations cannot expect to protect sensitive data if they do not even know where it resides. The survey also found 58 percent of organizations were using a patch management process that was not fully developed, meaning patching of vulnerable systems was performed inconsistently or only in special cases. Another 12 percent of organizations had no patch management process in place at all. Smith says the lack of adequate patch management processes is worrisome because malicious hackers have been able to break into systems by exploiting known vulnerabilities that could have easily been patched. Finally, Trustwave found 18 percent of organizations fail to perform penetration tests, while another 21 percent fail to test their incident response plans.


The POODLE Flaw Returns, This Time Hitting TLS Security Protocol
IDG News Service (12/08/14) Constantin, Lucian

Security researchers have discovered that a bug affecting the Secure Sockets Layer (SSL) protocol also affects certain implementations of the newer Transport Layer Security (TLS) protocol. The bug in question is known as Padding Oracle on Downgraded Legacy Encryption (POODLE) and enables attackers who can intercept the traffic between an HTTPS website and a user's browser to decrypt the content of that traffic, including sensitive data. It was initially thought POODLE affected only SSL 3.0, but researchers found that certain TLS implementations are also vulnerable. Google's Adam Langley, who built a scanner to identify vulnerable products, found that in the case of some of the major sites that were vulnerable, the issue stemmed from two unpatched load balancers used to handle TLS connections. Both have since been patched. Meanwhile, Qualys estimates 10 percent of the HTTPS servers hosting the top 1 million most-visited websites, according to statistics firm Alexa, are vulnerable. Qualys' Ivan Ristic says vulnerable websites should immediately apply the patch provided by their vendor.
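The TLS implementations the article refers to are ones that carried the SSL 3.0 padding check into TLS: SSL 3.0 only looks at the padding-length byte, whereas TLS requires every padding byte to equal that length byte (RFC 5246, section 6.2.3.2). The block below is an added example, not code from the article or from any vendor it names. It builds a constructed TLS-style CBC record (the plaintext as it looks after decryption), checks it with an SSL 3.0-style lax check and with the strict TLS check, and shows that only the strict check rejects a record whose padding bytes have been altered. All function names and the sample payload are assumptions made for the example.

```python
"""Receiving-side padding validation for a TLS CBC record (added example).

The record bytes are the *decrypted* plaintext: payload || pad-length byte
preceded by pad-length copies of that same byte. Encryption and the MAC
are left out because the point is only the padding check.
"""
import hmac

BLOCK_SIZE = 16  # AES block size, assumed for the example


def pad_tls(payload: bytes) -> bytes:
    """Append TLS-style padding: pad_len bytes of value pad_len, then pad_len."""
    pad_len = (BLOCK_SIZE - (len(payload) + 1) % BLOCK_SIZE) % BLOCK_SIZE
    return payload + bytes([pad_len]) * (pad_len + 1)


def check_padding_ssl3_style(plaintext: bytes) -> bool:
    """Lax check (SSL 3.0 behaviour): only the final length byte is examined."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    # SSL 3.0 required pad_len < block size and enough bytes to strip;
    # the padding bytes themselves are never compared.
    return pad_len < BLOCK_SIZE and pad_len + 1 <= len(plaintext)


def check_padding_tls_style(plaintext: bytes) -> bool:
    """Strict check (TLS requirement): every padding byte must equal pad_len."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    expected = bytes([pad_len]) * (pad_len + 1)
    # Constant-time comparison of the padding region; a production
    # implementation also has to avoid length-dependent timing (Lucky 13),
    # which is outside the scope of this example.
    return hmac.compare_digest(plaintext[-(pad_len + 1):], expected)


def strip_padding(plaintext: bytes, strict: bool):
    """Return the payload if the chosen check passes, otherwise None."""
    checker = check_padding_tls_style if strict else check_padding_ssl3_style
    if not checker(plaintext):
        return None
    return plaintext[:-(plaintext[-1] + 1)]


def demonstrate() -> dict:
    """Run both checks on an intact and on a corrupted constructed record."""
    payload = b"user=alice"  # constructed 10-byte payload -> 5 padding bytes
    record = pad_tls(payload)

    # Corrupt one padding byte that is NOT the length byte.
    corrupted = bytearray(record)
    corrupted[-3] ^= 0xFF
    corrupted = bytes(corrupted)

    return {
        "intact_lax": strip_padding(record, strict=False),
        "intact_strict": strip_padding(record, strict=True),
        # The lax check still accepts the corrupted record: this is the
        # behaviour a padding oracle depends on.
        "corrupted_lax": strip_padding(corrupted, strict=False),
        # The strict check rejects it.
        "corrupted_strict": strip_padding(corrupted, strict=True),
    }


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(f"{name:17s} -> {result!r}")
```

The lax checker accepts any record whose last byte happens to be a small number, regardless of what the other padding bytes contain; that is exactly the property the article's "certain implementations" exposed, and why the fix is to validate the whole padding region rather than the length byte alone.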


Abstracts Copyright © 2014 Information, Inc. Bethesda, MD

