
Friday, February 06, 2015

Security Management Weekly - February 6, 2015

Corporate Security
  1. "Amy Pascal Steps Down as Head of Sony’s Film Business"
  2. "Experts Suspect Lax Security Left Anthem Vulnerable to Hackers"
  3. "Japanese Firms Face Wake-Up Call on Threats of Violence: Security Expert"
  4. "U.S. Tech Companies Press Case Against Restrictive Chinese Rules"
  5. "New Framework Helps Companies Quantify Risk"

Homeland Security
  1. "Jordanians Step Up Bombing Raids on ISIS"
  2. "Another Giant Security Gap at Airports: Lack of Criminal Background Checks"
  3. "U.S. Diplomatic Spending to Focus on Islamic State, Embassy Security"
  4. "Japan's Prime Minister Defends Terrorism Policy"
  5. "ISIS Tactics Questioned as Hostages Dwindle"

Cyber Security
  1. "Anthem Hacked in ‘Sophisticated’ Attack on Customer Data"
  2. "The Vast Majority of the Government Lacks Clear Cybersecurity Plans"
  3. "Browsers Are the Window to Enterprise Infection"
  4. "Rosengren Says Fed Has Big Role to Play in Cybersecurity"
  5. "Cybersecurity: Defending 'Unpreventable' Cyber Attacks"


Amy Pascal Steps Down as Head of Sony’s Film Business
Wall Street Journal (02/06/15) Fritz, Ben

In the wake of the cyberattack that plunged Sony Pictures into chaos late last year, Amy Pascal, who has run Sony Corp.'s movie business for more than a decade and worked at the studio for nearly 20 years, will step down in May as Sony Pictures co-chairman. She will become a producer based at the company. As recently as November, Pascal was negotiating with Sony to extend her contract, which expires in March, according to emails stolen by the hackers and released online. However, she was damaged more than other executives by leaked emails, which revealed she was struggling to find a new direction for the studio's "Spider-Man" franchise, second-guessing many of her own decisions, and facetiously speculating about whether President Obama prefers movies starring black actors. The stress of the cyberattack was the final straw for Pascal, said a person familiar with her thinking, following recent cost-cutting ordered by Sony Corp. and the attacks on her leadership by activist investor Daniel Loeb, who in 2013 took aim at the studio Pascal oversaw, criticizing management for overspending and urging Sony to spin it off. November's cyberattack, which the Federal Bureau of Investigation blamed on hackers backed by the North Korean government, crippled the company's computer network, revealed personal information including Social Security numbers for more than 47,000 current and former employees, and put the company in the international spotlight as it went back and forth on whether to release "The Interview," the movie that supposedly prompted the cyberattack.


Experts Suspect Lax Security Left Anthem Vulnerable to Hackers
New York Times (02/06/15) Abelson, Reed; Goldstein, Matthew

The cyberattack on Anthem, one of the country's largest health insurers, highlights the vulnerability of health care companies. Anthem's data was vulnerable because the company did not take steps, such as using encryption, to protect data inside the database in the same way it protected medical information that was sent or shared outside of the database. Anthem officials say they do not know who is behind the attack, but several security consultants have noted that in the past Chinese hackers have shown an interest in going after health care companies. The hackers are thought to have infiltrated Anthem's networks by using a sophisticated malicious software program that gave them access to the login credential of an Anthem employee. The insurer, along with federal investigators and security experts from FireEye's Mandiant division, is now trying to determine whether there were other requests that it did not detect, a process that could take several more weeks. Security professionals say the company's decision to make the breach public quickly means that it is early in the investigation into exactly what happened and what information may have been compromised. "You can spend months doing the forensics," said Fred Cate, a law professor and cybersecurity expert at Indiana University. While he praised Anthem for taking the "unusual and quite laudable step in coming forward quite quickly," he cautioned that company officials might not know the scope of the attack at this point. Still, Cate said the breach was not likely to result in the public unveiling of sensitive medical information, unlike smaller attacks aimed at finding something embarrassing or derogatory about an executive or celebrity. "As a general matter, huge breaches often result in less harm than targeted breaches," he said. "The notion that someone's poring over this data is highly unlikely."
The decision by Anthem to bring in the Federal Bureau of Investigation and go public with the breach is the kind of move that law enforcement officials have been encouraging for the last several months. FBI officials have appeared at a number of industry conferences urging corporate executives to promptly report breaches and, when possible, share information about the breach with competitors.


Japanese Firms Face Wake-Up Call on Threats of Violence: Security Expert
Today Online (02/06/15)

Since two Japanese hostages were killed by Islamic State (ISIS) militants, Japanese companies with overseas operations have become more interested in gathering advice and guarding against security threats. Bruce McIndoe, president of Annapolis-based iJET, a risk management advisory company, says that talks with clients show that Japanese companies are taking a greater interest in security for their overseas personnel. Most Japanese companies would purchase insurance, "and then they tick the box and think they are done," McIndoe says, but now companies are taking further steps and hiring risk-management specialists. Companies that include Inpex Corp, Japan's biggest energy explorer, and JX Holdings, Japan's biggest crude importer, have said that they have increased overseas security and issued alerts to staff. Japan has long had close economic ties to the Middle East, but it has rarely been targeted by extremists in the region. Prime Minister Shinzo Abe is pushing for a tougher stance overseas, however, since ISIS militants pledged to target Japan after Abe announced $200 million in non-military aid for countries fighting the terror group.


U.S. Tech Companies Press Case Against Restrictive Chinese Rules
Wall Street Journal (02/06/15) Clark, Don; Yadron, Danny

On Wednesday, 17 trade groups wrote to U.S. officials urging them to request that their counterparts in China reverse new cybersecurity regulations they say would hurt market opportunities abroad. Addressed to Secretary of State John Kerry, Treasury Secretary Jacob J. Lew, Commerce Secretary Penny Pritzker, and others, the letter argues that the new policies would cause long-term damage to U.S. businesses trying to sell technology to China, a market estimated to be worth about $465 billion. The groups also wrote to officials in China last week to express their opposition to the restrictions. The proposed restrictions are the latest sign of the continuing repercussions from information about U.S. government intelligence-gathering tactics leaked by Edward Snowden, a former contractor for the National Security Agency. Among other things, Snowden alleged U.S. authorities hacked millions of Chinese phone messages. China has issued restrictions that so far affect the country's banking sector, but officials there have said they are under review and may be extended to telecommunication and other sectors, according to the letter. To qualify as what China calls "secure and controllable" technology and software, foreign products and services must undergo "intrusive" security testing, contain indigenous Chinese intellectual property, implement local encryption technology, and comply with China-specific security standards, the letter states. The restrictions also require that vendors disclose software source code and other sensitive and proprietary information to the Chinese government and engineer their products to restrict the flow of data outside the country, the letter adds.


New Framework Helps Companies Quantify Risk
CSO Online (01/23/15) Korolov, Maria

The World Economic Forum has released a new framework that helps organizations calculate the risk of cyberattacks. The risk calculation is based on an assessment of an organization's vulnerabilities and defenses, the potential cost of data breaches, and a profile of the attacker. "The framework's orientation towards probabilistic models of possible losses from attacks will keep businesses focused on minimizing total possible losses rather than building hard brittle shells around their networks," says Ntrepid's Lance Cottrell. The framework also builds on President Obama's cybersecurity agenda, particularly when it comes to raising awareness and information sharing. "You never know what new kind of attack might come around and how to protect a network from such an attack," says Malwarebytes' Adam Kujawa. He also notes the framework helps organizations get into the minds of attackers. However, the framework lacks the historical data necessary to estimate the likelihood of attacks from particular types of attackers for particular industry segments. To help address this gap, the World Economic Forum called for global information sharing about cyberthreats.




Jordanians Step Up Bombing Raids on ISIS
New York Times (02/06/15) P. A6 Cooper, Helene; Barnard, Anne

Jordan has increased airstrikes against the Islamic State in Syria (ISIS) in response to the killing of captured Jordanian pilot First Lt. Moaz al-Kasasbeh. Whereas in the past it launched two to four missions at a time against militant targets, Jordan sent out dozens of warplanes to carry out 15-24 strikes against militant targets in Syria, hitting ammunition depots and training camps. Although Jordan has participated in the U.S.-led coalition against ISIS for months, its role in the air campaign had been relatively quiet until now, out of concern about angering Islamist extremists there. After ISIS released a video of its fighters burning al-Kasasbeh to death, however, national sentiment changed to encourage further participation against the terror group. The U.S. government has sent additional Black Hawk helicopters to Erbil, Iraq, to increase the number of resources available to rescue downed pilots. The Pentagon said it was taking further steps to reduce the time to reach downed pilots, after the United Arab Emirates demanded that the United States establish a better search-and-rescue system closer to the battleground in northern Iraq. After the capture of al-Kasasbeh when his F-16 went down in northern Syria, the Emirates suspended combat missions in late December out of fear for the safety of its own pilots.


Another Giant Security Gap at Airports: Lack of Criminal Background Checks
CNN (02/04/15) Devin, Curt; Griffin, Drew; Zamost, Scott

Gary Perdue, the FBI's deputy assistant director of counterterrorism, recently admitted that once airport employees complete an initial background check, no one reviews criminal backgrounds after they are hired. These security loopholes were critiqued at a hearing before the House Subcommittee on Transportation Security, where lawmakers questioned current airport security regulations. A CNN investigation discovered that only two of the nation's major airports, Miami International Airport and Orlando International Airport, require all employees with secure access to pass through metal detectors. The Miami airport also organizes random criminal background checks after hiring employees. Miguel Southwell, the general manager of Hartsfield-Jackson Atlanta International Airport where breaches have occurred, expressed support for implementing full screening of employees with access to secure areas. But he did not specify if and when the screening will begin. Mark Hatfield, the acting deputy administrator of the Transportation Security Administration, said his agency is working to determine what investments and policy changes may be necessary.


U.S. Diplomatic Spending to Focus on Islamic State, Embassy Security
Wall Street Journal (02/03/15) Schwartz, Felicia

In the 2016 budget, President Barack Obama has requested more money for diplomatic efforts in the Middle East, after a year of unrest that saw the rise of Islamic State (ISIS). This is an increase of about 6 percent from the final figure for fiscal 2015. The proposed budget includes a request of $50.3 billion to fund the State Department and the U.S. Agency for International Development, including $3.5 billion that would go to support regional partners in the international coalition against ISIS, provide humanitarian assistance, and strengthen Syria’s moderate opposition. Obama also has requested $1.1 billion to support diplomacy with Iraq. Another $1 billion would go to address migration from Central America, including unaccompanied children. Obama has also proposed increased protections for U.S. diplomats across the globe in the wake of the 2012 attacks in Benghazi and a report that the State Department’s security provisions were “grossly inadequate.” Another $117 million is requested for the State Department budget to counter “aggressive acts” by Russia in Ukraine.


Japan's Prime Minister Defends Terrorism Policy
USA Today (02/02/15) Onyanga-Omara, Jane

Japanese Prime Minister Shinzo Abe on Feb. 2 defended his policy on terrorism, as Japan mourned two of its nationals who were purportedly killed by the Islamic State group. The flag at Abe's official residence flew at half-staff Monday in a mark of mourning for freelance journalist Kenji Goto and Haruna Yukawa, the founder of a private security firm. Jordan renewed its offer Sunday to exchange an al-Qaeda prisoner for Jordanian fighter pilot Lt. Muath al-Kaseasbeh, who is being held hostage by the extremists. There has been no word on the fate of al-Kaseasbeh. During a long day of parliamentary debate Monday, Abe warded off numerous questions about his handling of the hostage crisis. The militant group released a video that purports to show the beheading of Goto late Saturday. Abe said his announcement of $200 million in non-military aid for the fight against the Islamic State group, made during a visit to the Middle East days before the militants demanded a $200 million ransom for Goto and Yukawa, was meant to convey Japan's strong commitment to fighting terrorism and fostering peace and stability in the region. Some have questioned that decision, saying Abe should have been more cautious and not mentioned the Islamic State, also known as ISIS and ISIL, by name. Abe said he did not see an increased terrorist risk following threats in a purported ISIL video that vowed to make the knife Goto's killer was wielding Japan's "nightmare." "The terrorists are criminals," Abe said. "We are determined to pursue them and hold them accountable."


ISIS Tactics Questioned as Hostages Dwindle
New York Times (02/02/15) P. A16 Nordland, Rod

The Islamic State (ISIS) garnered worldwide attention from its negotiations over Japanese and Jordanian hostages, but terrorism experts say that ISIS did not accomplish anything of importance. In killing its two Japanese hostages, ISIS did not achieve its goals of receiving $200 million in ransom, or the release of a female Iraqi suicide bomber on death row in Jordan, where ISIS has hopes for expansion. Threats to kill a captive Jordanian air force pilot may have backfired: rather than undermining support for Jordan’s role in the international coalition that is bombing ISIS targets, it encouraged Jordanians to rally together in denouncing extremists. ISIS is running out of foreign hostages, as fewer aid workers and journalists are venturing into Syrian territory. ISIS held at least 23 Western hostages last August, but now is believed to have four internationally prominent hostages, and an unknown number of Syrians. Because it lacked a coherent strategy in handling the Japanese and Jordanian hostages, ISIS may have been seeking public relations, at which it failed, said Ora Szekely, a political scientist at Clark University in Massachusetts who studies extremist groups. “You just have to give them time and space and their extremity will alienate their own base,” said Clark McCauley, a psychology professor at Bryn Mawr College who studies political radicalization.




Anthem Hacked in ‘Sophisticated’ Attack on Customer Data
Bloomberg (02/05/15) Harrison, Crayston

Anthem Inc., the second-largest U.S. health insurer in terms of market value, said hackers obtained data on tens of millions of current and former customers and employees in a sophisticated attack that has led to an FBI probe. The information included everything from names, birth dates, and Social Security numbers to street and e-mail addresses and employee data, including income. The company has pledged to notify all customers who were affected and provide credit and identity-theft monitoring services for free. An Anthem statement read: "As soon as we learned about the attack, we immediately made every effort to close the security vulnerability, contacted the FBI, and began fully cooperating with their investigation." The Anthem breach is believed to be the largest in the health-care industry since Chinese hackers swiped Social Security numbers, names, and addresses from 4.5 million patients of Community Health Systems Inc., the second-biggest for-profit hospital chain, in 2014.


The Vast Majority of the Government Lacks Clear Cybersecurity Plans
Brookings Institution (02/03/15) Desouza, Kevin C.; Fedorschak, Kena

There is a decided lack of focus on issues of cybersecurity, even as the cyberthreats facing federal agencies become clearer than ever, according to a new Brookings Institution study of federal agency strategic plans. Under the Government Performance and Results Modernization Act of 2010, all federal agencies are required to have a strategic plan setting forth goals, objectives, and other performance priorities. Brookings researchers read through more than 1,000 pages of agency strategic plans and found that only slightly more than one third of strategic plan objectives contained some information technology elements and only 12 percent of objectives dealt almost entirely with IT. Only half of agencies' strategic plans made mention of cybersecurity and less than a quarter of strategic plan objectives related to IT make any mention of efforts to secure IT. Cybersecurity is rarely discussed in detail in agencies' strategic plans, with the U.S. Department of Defense (DoD) standing as a notable exception. The DoD's strategic plan discusses IT and IT security in depth, including discussions of efforts to build robust and redundant security and authentication systems, continuous monitoring, and secure IT infrastructure. "Agencies need to develop capabilities to take proactive stances when it comes to understanding future threats," Brookings says. "This will require them to develop innovative cybersecurity strategies."


Browsers Are the Window to Enterprise Infection
Dark Reading (02/02/15) Chickowski, Ericka

Browser insecurity is the main reason for enterprise malware problems, according to a new report from the Ponemon Institute. On average, a user's insecure Web browser caused 55 percent of malware infections in the past year, the study found. Sixty-nine percent of IT and security professionals believe browser-borne malware is a more significant threat than a year ago, which is problematic because many security solutions designed to address the issue are still permitting malware through. Web-borne malware was able to bypass layered firewall defenses, according to half of organizations, and 38 percent also said sandboxing and content analysis engines did not prevent infection. "The findings of this research reveal that current solutions are not stopping the growth of Web-borne malware," says Ponemon Institute chairman Larry Ponemon. Many organizations face an uphill battle in isolating risks at the browser level, acknowledging the issue of inertia at the fundamental level. And to some degree, they are dependent on the product improvements of the major browser security vendors.


Rosengren Says Fed Has Big Role to Play in Cybersecurity
Wall Street Journal (01/30/15) Derby, Michael

Federal Reserve Bank of Boston President Eric Rosengren says the central bank has an important role to play in ensuring the nation’s financial system is resilient against cyberattack. "I view cybersecurity as one of the most serious financial stability concerns facing central banks," says Rosengren, adding that it is a matter in which central banks need to become "more directly involved." "A safe and available payment system" is essential to a functioning economy, and because of this, helping financial-sector participants ward off and be resilient against computer-based attacks is a key mission for the Fed, he says. Rosengren says his bank, in an effort to help smaller financial institutions in the Boston Fed district, has been building a cyberthreat information-sharing program. A pilot effort has been "very successful," and the program will be expanded this year, Rosengren says.


Cybersecurity: Defending 'Unpreventable' Cyber Attacks
BBC News (02/02/15) Rubens, Paul

Businesses should stop worrying about keeping intruders out of their computer networks, and focus on ways to minimize the damage when they do, according to James Lewis, a cybersecurity expert at the Washington, D.C.-based Center for Strategic and International Studies. Government-backed attackers have more resources at their disposal than criminal gangs, and they may be able to breach security through such other means as human agents or communications intercepts. Such hackers will persist until they succeed, which means that companies should rethink the way they calculate and mitigate security risk. Forrester Research security and risk management analyst Rick Holland suggests that businesses work harder to segment their networks, separating one part from another so that if hackers access the network, they can only reach the data in that one segment. Some industries practice "air gapping," in which important computer infrastructure is physically disconnected from corporate networks so that hackers are unable to reach them from the rest of the network. Companies can also reduce their "embarrassment footprint" by promptly deleting unnecessary data so that hackers have less to steal, Holland says.


Abstracts Copyright © 2015 Information, Inc. Bethesda, MD

