Search This Blog

Friday, May 29, 2015

Security Management Weekly - May 29, 2015

header

  Learn more! ->   sm professional  

May 29, 2015
 
 
Corporate Security
Sponsored By:
  1. "Cybersecurity on the Agenda for 80 Percent of Corporate Boards"
  2. "Breach at IRS Exposes Tax Returns"
  3. "FAA Group to Review Mental-Health Screenings for Pilots"
  4. "Average Cost of Computer Breach is $3.79 Million"
  5. "Financial Firms Grapple With Cyber Risk in the Supply Chain"

Homeland Security
  1. "U.S. Caution in Strikes Gives ISIS an Edge, Many Iraqis Say"
  2. "U.N. Resolves to Combat Plundering of Antiquities by ISIS"
  3. "U.S. Surveillance on Island Reveals Chinese Arms"
  4. "Rain Spreads Destruction in Houston, Killing Four"
  5. "Congressional Inaction Threatens NSA Spy Program"

Cyber Security
  1. "Islamic, Chinese Hackers Target Media"
  2. "ACLU: Feds Should Offer Rewards for Finding Cybersecurity Flaws"
  3. "Security Questions Are the Opposite of Secure"
  4. "UN Report: Encryption Crucial for Human Rights"
  5. "Cyber Firms Launch Effort to Secure 'Smart' Cities"

   

 
 
 

 


Cybersecurity on the Agenda for 80 Percent of Corporate Boards
CSO Online (05/28/15) Korolov, Maria

A recent survey conducted by NYSE Governance Services and security vendor Veracode revealed that more than 80 percent of board members say that cybersecurity is discussed at most or all board meetings. The results bode well for corporate security, especially since only one percent of respondents said that cybersecurity is never discussed at all. That being said, 66 percent believe their companies are not equipped to defend themselves against cyberattacks despite the attention being paid to the issue. Security also ranked second to last in priority when it comes to developing new products and services. Board members said that the CEO should be held primarily responsible for cybersecurity. One example of this is when Target's CEO resigned following a massive data breach. Still, there is a disconnect between what the risks are and what's being done to fix them. Further surveys will come out in the future, and new tactics will be put in place to increase security everywhere.


Breach at IRS Exposes Tax Returns
Wall Street Journal (05/27/15) McKinnon, John D.; Saunders, Laura

The Internal Revenue Service announced Tuesday that its online "Get Transcript" application had been compromised, and identity thieves used it to steal prior-year tax return information for about 100,000 U.S. households. The criminals used stolen data such as Social Security numbers to gain unauthorized access to IRS accounts from February through mid-May. IRS Commissioner John Koskinen said that the agency believes that fewer than 15,000 refunds and less than $50 million were paid as a result of the frauds. It is still possible that some of the stolen tax transcripts are being saved to use for the 2015 tax season. The incident demonstrates the increasing risks of cybersecurity breaches to both individuals and the government and shows how cybercriminals can aggregate large amounts of personal data from multiple sources for sophisticated schemes. The IRS said that the hackers had to get to the data by clearing a multistep authentication process that required personal data about the taxpayer, such as date of birth and tax-filing status, and answers to personal identity-verification questions. Social media may have been used by the criminals to obtain the answers to such questions.


FAA Group to Review Mental-Health Screenings for Pilots
Wall Street Journal (05/28/15) Pasztor, Andy

The Federal Aviation Administration (FAA) has created an advisory group to consider possible changes in mental-health screening of U.S. commercial pilots. The European Aviation Safety Agency formed a similar study group and the United Nations said it would re-evaluate international mental-health standards. Privacy laws in Germany allowed the Germanwings co-pilot Andreas Lubitz to keep his mental problems hidden from the management of the airline. Olumuyiwa Bernard Aliu, president of the top policy-making council of the U.N.’s International Civil Aviation Organization, said the public must realize "this is a complex medical challenge." In the United States, airline pilots undergo routine medical screening by FAA-approved examiners once or twice a year, but the checks usually make pilots self-report problems such as depression or drug or alcohol abuse. Still, international groups representing pilots and carriers have warned against overreacting to the Germanwings tragedy. Don Wykoff, former president of the International Federation of Air Line Pilots’ Association, said "we need to advocate together for things that work, not knee-jerk, ineffective quick fixes that only make some feel better in the short term.”


Average Cost of Computer Breach is $3.79 Million
USA Today (05/27/15) Weise, Elizabeth

A Ponemon Institute and IBM survey revealed that the average cost of a computer breach at large companies globally was $3.79 million. However, for U.S.-based companies, the average cost was $6.5 million. Globally, the cost of a data breach has risen 23 percent since 2013. In the United States, it has increased 12 percent. The average cost per lost or stolen record in the United States was $217, while globally the cost was $154. Ponemon said the costs included reputation loss, diminished goodwill, and paying for credit reports and aid to customers whose information was breached. Caleb Barlow, vice president of IBM Security, said "out on the dark side of the Internet, a credit card's worth about $1 if you're lucky." He added that a health care record is worth much more and can easily be worth $50 because if it includes a Social Security number it can be used by criminals for a long time. Additionally, the survey found that 47 percent of breaches are caused by criminal attacks, 32 percent involved system glitches, and 19 percent were the result of human error.


Financial Firms Grapple With Cyber Risk in the Supply Chain
Wall Street Journal (05/25/15) King, Rachael

Last year saw a record high of 783 data breaches, the Identity Theft Resource Center reports, and access to systems through compromised third parties or subcontractors was the second most common cause of IT breaches in 2013 and 2014. With the addition of cloud service providers, a single company may have hundreds or thousands of business network connections that could be compromised. Federal and state regulators are closely examining the issue with large financial firms, requiring them to better understand and test security they obtain from third parties. In an April report, the New York State Department of Financial Services said it was considering cybersecurity requirements for financial institutions regarding their relationships with third-party service providers, such as payment processors and data-processing companies. Besides asking for information about patch and vulnerability management programs, banks may now request screenshots of the last time servers were patched, or even require drug testing of those third-party employees with access to servers. John Haller, a security expert at the CERT Division of the Software Engineering Institute at Carnegie Mellon University, suggests that companies first identify and prioritize the most critical vendors and external entities that support important business services.




U.S. Caution in Strikes Gives ISIS an Edge, Many Iraqis Say
New York Times (05/27/15) P. A4 Schmitt, Eric

Despite the technology and weaponry available to U.S. and allied warplanes, they have not struck the most obvious or important Islamic State (ISIS) targets due to fears of civilian casualties. Such deaths could give ISIS a significant propaganda target and alienate local Sunni tribesmen and Arab countries who are important for fighting the militant group. Some Iraqi commanders and U.S. officers say, however, that this caution is why ISIS has been able to seize so much territory in Iraq and Syria. U.S. intelligence analysts say there are seven buildings in downtown Raqqa in Syria that serve as the main ISIS headquarters, but the buildings have been untouched during the air campaign. “We lost large territories in Anbar because of the inefficiency of the U.S.-led coalition airstrikes,” said Maj. Muhammed al-Dulaimi, an Iraqi officer in Anbar Province. The U.S. military's Central Command on Thursday announced that an inquiry into the November deaths of two children in Syria were probably the result of an American airstrike, and other attacks are under investigation. Human rights advocates say that the restrictions on airstrikes have saved civilian lives, although exact numbers are certain.


U.N. Resolves to Combat Plundering of Antiquities by ISIS
New York Times (05/29/15) P. A4 Gladstone, Rick

United Nations members unanimously agreed to a resolution on Thursday to stop the pillaging and trafficking of Middle Eastern artifacts by Islamic State (ISIS). Under the nonbinding resolution, countries would take new steps to prevent and prosecute antiquities smuggling and ensure the return of plundered ancient treasures. The resolution lacks the enforcement power of a Security Council resolution, but officials say it is an important step toward fighting what diplomats have described as “cultural cleansing.” ISIS members have videotaped themselves using bulldozers and explosives on some of the world's most valuable archaeological sites. So far, the damaged sites have been in or near the northern Iraqi city of Mosul, which ISIS seized last year, but the recent invasion of the Syrian city of Palmyra has caused further concerns. Iraqi officials say that ISIS militants are trying to sell what they do not destroy. Iraq's United Nations ambassador, Mohamed Ali Alhakim, has said that ISIS earns as much as $100 million annually from antiquities trading.


U.S. Surveillance on Island Reveals Chinese Arms
Wall Street Journal (05/29/15) Barnes, Julian E.

U.S. officials say that surveillance imagery has shown China positioning weaponry on one of the artificial islands it has recently created in the South China Sea. The images show a pair of motorized artillery pieces that, while they would pose no threat to U.S. planes or ships in the area, could reach nearby islands claimed by other nations, in particular an island claimed by Vietnam that the Vietnamese have stocked with weaponry for some time. U.S. officials say they have known about the artillery pieces for about a month and that the guns were recently either removed from the island or have been obscured from sight. The officials add that the presence of such weapons on the Chinese artificial islands contradict Chinese claims that the new islands are meant primarily for civilian use. A Chinese Embassy spokesman would not comment specifically on the weaponry, but reiterated that China views its land reclamation activities in the South China Sea as being within its sovereign rights and that the new artificial islands will primarily serve civilian purposes. The ongoing activities by China and other nations in the South China Sea are likely to be a major point of contention at the Shangri-La Dialogue security conference being held in Singapore this weekend. javascript:openAWindow('updateKeywordsForm.cfm?AbstractProductionID=2222463&ContractID=414&ServiceDescription=Security%20Management%20Weekly&ServiceID=521&dtPublish=05%2F29%2F15%2002%3A00%20PM','keywordWindow',600,550,1)


Rain Spreads Destruction in Houston, Killing Four
New York Times (05/27/15) P. A11 Fernandez, Manny; Pérez-Peña, Richard

Severe weather in Texas has flooded the city of Houston after five years of drought, killing at least four people and leaving at least two missing. Families in one neighborhood survived by climbing onto roofs or attics, and the Toyota Center, the downtown basketball arena, became a makeshift emergency shelter where fans stayed after a game during the storm. The death toll from recent storms in Texas and Oklahoma has reached 14, and recovery teams on Tuesday were still searching for 11 people who remained unaccounted for. As some parts of Houston were paralyzed from the weather, with closed schools and courthouses, other parts were relatively unaffected, and Mayor Annise D. Parker told reporters at Houston's emergency operations center that the city was slowly getting back to normal by Tuesday afternoon. Houston's Metro mass transit system temporarily suspended all rail and bus service for a time, and an estimated 4,000 homes had significant damage. Officials remain cautiously optimistic that the worst weather had passed. “If we can avoid any significant precipitation over the next 24 to 48 hours, the bayous will be completely back in their banks and able to handle what's coming next,” Parker said.


Congressional Inaction Threatens NSA Spy Program
Wall Street Journal (05/26/15) Hughes, Siobhan; Paletta, Damian

With Congressional lawmakers failing to come to a consensus before leaving Washington for a Memorial Day recess last weekend, it seems likely that the provision of the USA Patriot Act authorizing a controversial National Security Agency program involving the bulk collection of phone records could be allowed to lapse. The House has overwhelming passed a bill that would modify Section 215 of the Patriot Act so that the NSA can request phone records on a case-by-case basis but not collect them in bulk, but no course of action has been able to gather enough support in the Senate ahead of the June 1 expiration of Section 215. Senate Majority Leader Mitch McConnell (R-Ky) has reportedly ordered Senators to return to debate the matter this coming Sunday, but it is unclear if that will leave enough time to pass any legislation, even the simple extension sought by McConnell. The NSA leadership has already ordered the bulk phone-records program to begin winding down. A senior administration official says that the White House is considering seeking court approval to extend some of the legal powers that are set to expire, but a recent appeals court ruling that found the NSA program unconstitutional is likely to limit the president's ability to preserve the program through legal means.




Islamic, Chinese Hackers Target Media
The Hill (05/26/15) Viebeck, Elise

Last week saw a cybersecurity attack at the Washington Post that redirected users to a site controlled by the Syrian Electronic Army (SEA), which supports President Bashar al-Assad. The hacking affected parts of the Post's mobile website, but did not compromise its internal networks. Nearly every major news outlet has experienced some kind of cybersecurity breach in the last five years, monitoring their coverage or altering their websites. The Post hackers had found a way in through a software vendor to post the messages, “US govt is training the terrorists to kill more Syrians” and “The media is always lying.” Experts say that hackers continue to seek out security weaknesses in major websites for their own purposes. The New York Times, Bloomberg News, and The Wall Street Journal had all said in 2013 that they were victims of cyberattacks originating in China. Last November, the SEA targeted CNBC, the Chicago Tribune, and Forbes. While most attacks are rudimentary and meant to be publicity stunts, experts say that media outlets should remain cautious.


ACLU: Feds Should Offer Rewards for Finding Cybersecurity Flaws
The Hill (05/27/15) McCabe, David

The American Civil Liberties Union (ACLU) has offered suggestions for how federal officials can make it easier for people to report security flaws in government computer systems. In a letter sent Wednesday to the Department of Commerce Internet Policy Task Force, ACLU said there should be financial incentives for security researchers who notify the government of security flaws. These types of rewards are already common at large tech firms. The civil liberties group pointed out that the U.S. government often pays researchers for vulnerabilities that federal law enforcement can exploit, but not for notifying developers about flaws in their products. Historically, researchers who find security vulnerabilities must decide whether to do the right thing and tell the company responsible for the software, or sell the vulnerability to those who would exploit it for their own profit, ACLU wrote. The group also called for the task force to recommend that government agencies publish the contact information for their security teams and implement policies that would protect researchers from legal troubles if they report a vulnerability.


Security Questions Are the Opposite of Secure
TheHill.com (05/22/15) Bennett, Cory

Google has released a study that confirms a truth that many people have believed for a long time—security questions simply aren't very secure. Security questions have become more varied and slightly more complex over the years, but after analyzing hundreds of millions of them Google determined that they are neither secure nor reliable. Google noted that the fatal flaw affecting security questions is that their answers are either slightly secure or simple to remember, but rarely are they both. If a user picks a question like "what is your favorite food," it is statistically likely that a hacker will guess it within five tries. The study also revealed that 40 percent of Google's English-speaking users don't even remember the answer to their security question. The solution could be combining these questions with another method of authentication, like a code sent via text message.


UN Report: Encryption Crucial for Human Rights
The Hill (05/28/15) Bennett, Cory

Strong encryption is vital for basic human rights, according to a Thursday report from the United Nations' Office of the High Commissioner for Human Rights. Such security provides anonymity and allows individuals to exercise freedom of opinion and expression, the report says. The new report is released as world governments debate methods that would give law enforcement agencies greater access to encrypted data. The report's author, David Kaye, opposes intentional access points built into encryption, known as "backdoors." Governments, the report says, should avoid deliberately weakening any online security. Methods may include not only backdoors, but weak encryption standards or key escrows, which is when a third party maintains an encryption key that decrypts data. The report also asked Congress to consider the proposed Secure Data Act, which would ban the government from forcing companies to include backdoors in their encryption. Federal officials, however, argue that companies should have ways of decrypting data for criminal or national security investigations.


Cyber Firms Launch Effort to Secure 'Smart' Cities
The Hill (05/26/15) Bennett, Cory

Several security experts launched an initiative to secure increasingly Internet-dependent cities. Securing Smart Cities backers fear that countries are putting a lot of money into creating "smart," Internet-connected cities, but not building in basic security measures. Backers are planning to bring together researchers, private companies, and public officials to create cybersecurity standards for all infrastructure being brought online. The initiative's website said if the city is left vulnerable, it could expose critical infrastructure networks that control the electrical grid, water system, and more. It is believed that several foreign governments, including Russia and Iran, have already infiltrated critical systems.


Abstracts Copyright © 2015 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Security Management Online | ASIS Online

No comments: