Search This Blog

Friday, June 26, 2015

Security Management Weekly - June 26, 2015


  Learn more! ->   sm professional  

June 26, 2015
Corporate Security
Sponsored By:
  1. "Breached Network's Security Is Criticized"
  2. "Lapses at Prison May Have Aided Killers' Escape"
  3. "Study: Cyber Risks Overshadow Corporate Board Security Confidence"
  4. "McDonald's Evolving Into Risk-Based Security Organization"
  5. "Insider Threat Control: Using Predictive and Real-Time Analytics"

Homeland Security
Sponsored By:
  1. "Attacker Storms Factory Near Lyon, France, Beheading One"
  2. "Gunmen Kill at Least 28 in Attack on Tunisian Coastal Resort Hotels"
  3. "Charleston Shooting Adds to Security Fears in Places of Worship"
  4. "Homegrown Extremists Tied to Deadlier Toll Than Jihadists in U.S. Since 9/11"
  5. "France Summons U.S. Ambassador Following Spying Allegations"

Cyber Security
  1. "Automakers Tackle the Massive Security Challenges of Connected Vehicles"
  2. "U.S. Officials Warn Chinese Cyber Espionage Imperils Ties"
  3. "Biometrics to Take Lead in Banking Authentication"
  4. "OPM Data Breach Undetected For a Year"
  5. "A Disaster Foretold--and Ignored"




Breached Network's Security Is Criticized
Wall Street Journal (06/24/15) Paletta, Damian

The security system at the federal Office of Personnel Management (OPM) is fraught with delays and cannot stop most sophisticated attacks, officials say. The system, known as Einstein, depends largely on “signatures” from past computer breaches, and then looks for similar digital fingerprints, making it unable to prevent unknown malware. Some private-sector firms sell technology that sometimes detects previously unknown threats, while others quickly respond to newly found codes with protective security patch. While OPM had been working with outside firms to protect against these “zero-day threats,” the coverage did not protect the whole network, and investigators believe that recent hackers entered through an unprotected part of the system. Einstein, used by most government agencies, also does little to stop people from using stolen login credentials, which are often sold online. U.S. agencies are supposed to use a “continuous diagnostics and mitigation” program, which hunts for spyware after a network breach, but few agencies have fully adopted it. U.S. officials are working to reinforce computer security protocols, forcing network administrators to use “multifactor” login credentials and looking at expanding encryption of data.

Lapses at Prison May Have Aided Killers' Escape
New York Times (06/22/15) Winerip, Michael; Schwirtz, Michael; Yee, Vivian

Current and former workers at the Clinton Correctional Facility in Dannemora, N.Y., say that a number of lapses in security at the prison likely contributed to the ease with which convicted murderers David Sweat and Richard W. Matt were able to escape the prison earlier this month. Prison regulations require guards to carefully check that inmates are present in their beds during nightly patrols, but apparently guards at Clinton have allowed inmates to cover themselves completely and no longer shine their lights directly on inmates' faces. A catwalk behind the inmates' cell, which they were able to reach after cutting through their metal cell walls, was once used to by guards to listen-in on inmate's conversations, but is rarely visited by them these days. Sweat and Matt may have found power tools left by contractors on the catwalk that they used in the other stages of their escape. Similar to the catwalk, the tunnels the two inmates escaped through used to be patrolled regularly, but current workers say these patrols have become very infrequent. Finally, the two guard towers overlooking the manhole cover through which Matt and Sweat escaped have not been staffed overnight for years. Current and former corrections officers say a sense of complacency had taken root at Clinton, which had not seen an escape in decades.

Study: Cyber Risks Overshadow Corporate Board Security Confidence
Network World (06/23/15) Greene, Tim

Directors of U.S. businesses are confident they can understand corporate security risks, but corporate security pros and unsure if their boards really get it. According to a survey of both board members and C-level security executives, 70 percent of board members say they understand the risks, but only 43 percent of hired corporate security professionals agree. There were other gaps founds as well. For example, 59 percent of board members say they believe their governance of cybersecurity practices is effective, but only 18 percent of IT pros agree. The study added that while boards, on average, give themselves an 8.1. on a scale of 10 in ranking that effectiveness, IT pros give them a 6.2. The report recommends that IT pros should brief their boards regularly on attacks and breaches the company has suffered. There is a breach between what cyber events directors and security pros consider most worrisome. Forty three percent of board members say their biggest worry are breaches that result in theft of intellectual property. For the security execs, 33 percent say they are worried about attacks that significantly disrupt business or IT operations. The Ponemon Institute study polled 245 board members and 409 IT security pros.

McDonald's Evolving Into Risk-Based Security Organization
Wall Street Journal (06/25/15) Norton, Steven

Moving to a business-centric mindset is one of the biggest changes for corporate security chiefs, says Marc Varner, McDonald's Corp. corporate vice president and global CISO. Risk management is a challenge that should involve achieving a balance between risk and reward, he said Thursday during a panel discussion at the SINET Innovation Summit. Since joining the company over five years ago, Varner has worked to focus the security function on risk management, even renaming the company's security office to Global Technology Risk Management. This is defined as “the team which is ultimately responsible for the securing of McDonald's information assets at a global level.” A risk-management group in the security office focuses on that function with discipline, while a dedicated data governance group and a team that covers day-to-day security operations work as firewall management. McKinsey & Co. partner James Kaplan says that security includes three organizational responsibilities: risk management, operations, and influence that combines enforcing rules and helping business partners understand what they need to do.

Insider Threat Control: Using Predictive and Real-Time Analytics
FierceBigData (06/22/15) Baker, Pam

Less than half of organizations have appropriate controls to prevent insider attacks, according to a Crowd Researchers Partners report. The study is based on cooperative analysis by and responses from the more than 260,000 members of the Information Security Community on LinkedIn and leading security vendors. The survey found privileged users pose the greatest insider threat to organizations, followed by contractors and consultants, and then regular employees. Although 62 percent of security professionals say insider threats have become more frequent in the last 12 months, only 34 percent expect additional budget to address the problem. In addition, fewer than 50 percent of organizations have appropriate controls to prevent insider attacks, 62 percent of respondents say insider attacks are far more difficult to detect and prevent than external attacks, and 38 percent estimate remediation costs to reach $500,000 per insider attack. Organizations should map threats into slices in order to organize and concentrate security monitoring to maximum effectiveness. Real-time analytics with machine learning also can detect small changes in insider behavior in regards to access, using, copying, and transferring data.

Attacker Storms Factory Near Lyon, France, Beheading One
New York Times (06/26/15) Rubin, Alissa J. ; Breeden, Aurelien

French authorities said a terrorist attack took place at an American-owned industrial plant near Lyon, France today. An attacker decapitated one person and tried unsuccessfully to blow up the factory. President François Hollande said the attacker had been arrested and identified. The interior minister, Bernard Cazeneuve, identified the suspect who was apprehended after the attack as Yassine Salhi. He had been identified by security sources as having connections to radical Salafists, but surveillance of him was dropped in 2008. Hollande said the attacker entered the plant in a vehicle and tried to use gas canisters to set off a bigger explosion. He added that the vehicle may have been driven by an accomplice. Other news reports said the attacker had waved flags bearing Arabic writing during the assault. The assault was carried out at a plant in St.-Quentin-Fallavier, operated by Air Products. Prime Minister Manuel Valls ordered tightened security.

Gunmen Kill at Least 28 in Attack on Tunisian Coastal Resort Hotels
USA Today (06/26/15) Stanglin, Doug

Gunmen armed with Kalashnikovs killed at least 28 people today, mostly tourists, in an attack on coastal resort hotels in Tunisia. According to Tunisia's state-run TAP news agency, at least one gunman was killed in an exchange of gunfire with police at the Impérial Marhaba hotel in the coastal town of Sousse. Sousse is a popular vacation spot for European tourists. The news agency said the battle between police and the terrorists was still going. A British tourist told Sky News that he was by the swimming pool when he heard "quite a large explosion" and guests began running back toward the hotel from the beach. It was not immediately clear which hotels in the resort were hit.

Charleston Shooting Adds to Security Fears in Places of Worship
New York Times (06/25/15) Goodstein, Laurie

The massacre last week at a Bible study in Charleston, S.C., has caused many to question the security at churches. Black churches in particular have been forced to grapple with their vulnerability to violent intruders. Ministers have reported that they are fielding more questions about security, but are in no rush to follow the same path as airports and schools, which have added metal detects and armed security guards. The Department of Homeland Security offers grants to congregations of all faiths in urban areas to bolster security measures under a program created by Congress in 2005, primarily at the urging of Jewish organizations concerned about anti-Semitic threats after the Sept. 11, 2001 attacks. Rafael Lemaitre, a spokesman at the Federal Emergency Management Agency, said little of the money from the grants has gone to churches, a vast majority of the money has gone to synagogues and other Jewish institutions. The grants can only be used for physical security improvements like cameras or bollards, not for salaries for guards, Lemaitre said. Many religious leaders said they are just beginning to think about whether they need to increase security at their churches and fear additional security would make their churches feel less inviting.

Homegrown Extremists Tied to Deadlier Toll Than Jihadists in U.S. Since 9/11
New York Times (06/25/15) P. A1 Shane, Scott

Since Sept. 11, 2001, nearly twice as many people have been killed by non-Muslim extremists, such as white supremacists, than by radical Muslims. New America, a Washington research center, reports that 48 people have been killed by extremists who are not Muslim, including the recent shooting in Charleston, S.C., while 26 have been killed by self-proclaimed jihadists. Non-Muslim extremists have carried out 19 attacks since Sept. 11, compared to seven lethal attacks by Islamic militants. These assaults have killed police officers, members of racial or religious minorities, and random civilians. Such findings bring up questions, however, about what should be counted as terrorism, usually defined as ideological violence. For example, New America did not include in its count the man in Chapel Hill, N.C., who was charged with fatally shooting three Muslim neighbors. While the man had posted angry critiques of religion online, he also had a history of outbursts over issues such as parking.

France Summons U.S. Ambassador Following Spying Allegations
Wall Street Journal (06/24/15) Horobin, William; Landauro, Inti

France summoned the U.S. ambassador after allegations that the U.S. National Security Agency spied on President François Hollande. Six documents published by WikiLeaks and two French publications late on June 23 described purported U.S. surveillance of internal deliberations and conversations of Hollande, as well as former French presidents Nicolas Sarkozy and Jacques Chirac. After a meeting of top ministers and defense advisers, Hollande’s office said “France will not tolerate any acts that compromise its security and the safeguarding of its interests.” After the documents were published, the White House said that it was not now spying on Hollande and that it would not undertake such surveillance of him in the future. The statement did not deny that spying had taken place in the past.

Automakers Tackle the Massive Security Challenges of Connected Vehicles
Wall Street Journal (06/26/15) King, Rachael

The National Highway Traffic Safety Administration hopes to make vehicle-to-vehicle communications mandatory to reduce traffic deaths, but the idea also raises questions about data security and privacy. “Connected cars,” which could reach the market by the early 2020s, would emit a stream of data that broadcasts the location of millions of cars. Eight automakers for years have been working to develop a system, a form of so-called public key infrastructure (PKI), that uses encryption and authentication to let two vehicles with no existing relationship securely exchange data. Many company systems use PKI technology, but it is not fool-proof, and the data stream from vehicles could attract a variety of hackers who could manipulate the safety messages sent from one vehicle to the next. Connected vehicles would broadcast messages about their position and speed, along with security credentials known as certificates, which would be validated by a third party known as a certificate authority. Certificates will be changed frequently to prevent tracking by outsiders, and the messages will be signed to verify that they were not changed between the time they were sent and received. It may be difficult to manage a system of this size, however. Automakers that include Ford Motor Co., General Motors Co., Nissan Motor Co., Mazda Motor Corp., Honda Motor Co., Volkswagen, Audi, Daimler AG's Mercedes-Benz, Hyundai Motor Co., and Kia Motors Corp. plan to finish a proof-of-concept for a security credential management system by August 2016.

U.S. Officials Warn Chinese Cyber Espionage Imperils Ties
Wall Street Journal (06/24/15) Schwartz, Felicia; Talley, Ian

U.S. officials on Tuesday sternly warned China that its online behavior could threaten the economic relationship between the United States and China. The warning came as high-level officials from both nations met for what is known as the U.S.-China Strategic and Economic Dialogue. Before the talks, U.S. officials had said that they would raise cybersecurity concerns. U.S. Treasury Secretary Jacob Lew said that Washington is “deeply concerned about government-sponsored cyber theft from companies and commercial sectors” and that Beijing has a duty “to abide by certain standards of behavior within cyberspace.” Although U.S. investigators believe that a major breach of federal personnel records originated in China, it is unknown whether it was considered a government-sanctioned hack. China's State Councilor Yang Jiechi supported the idea of China working with other countries, including the United States, to develop a mutual code of conduct for online data-sharing.

Biometrics to Take Lead in Banking Authentication
Credit Union Times (06/23/15) Urrico, Roy

Around 450 million bank customers across the globe will be using biometrics by the end of 2015, and biometrics will be the principal banking authentication method by 2020, according to London-based consultants Goode Intelligence. According to the report, "Biometrics for Banking: Market and Technology Analysis, Adoption Strategies and Forecasts 2015-2020," biometrics is being adopted across all major bank channels, authenticating customers when they withdraw cash from ATMs, contact their bank via telephone, or log into their mobile banking app, among other things. Electronic devices with built-in biometric support, biometric-friendly authentication standards, the rise of banking fraud and identity theft, the growth of mobile banking, and the emergence of wearable banking are some of the factors that will boost growth of biometrics in the banking industry. Alan Goode, author of the report and founder of Goode Intelligence, notes that "at least eight separate biometric technologies [finger, vein, hand geometry, facial, voice, iris, signature, and keystroke recognition] will be used by hundreds of millions of bank customers around the globe."

OPM Data Breach Undetected For a Year (06/22/15)

A recent Washington Post report revealed that Chinese hackers had access to U.S. security clearance data for a full year before the Office of Personnel Management discovered the breach. The hack is feared to have leaked industrial secrets and weapons plans and may have compromised data related to almost four million federal employees. It is still unclear which specific employees were targeted. Another breach affected OPM in April, as well as health insurer Anthem. That particular breach harvested the information of around 80 million individuals. The biggest problem with the breaches is how long it took to discover them. According to Stewart Baker, a former policy official in the Department of Homeland Security, the Chinese hackers not only had time to conduct the breach, but also to take as much information as they pleased. OPM Director Katherine Archuleta criticized security, claiming that there is a “lack of investment in federal IT systems and a lack of efforts in both the public and private sectors to secure our Internet infrastructure.”

A Disaster Foretold--and Ignored
The Washington Post (06/22/15) Timberg, Craig

A group of hackers called L0pht warned a U.S. Senate panel in 1998 that computer security was dangerously lax and companies had neither the incentive nor government the skill or will to remedy the situation. Their warning went unheeded, and 17 years later the Internet suffers from endemic insecurity that criminals regularly exploit, inflicting financial and other forms of damage around the world. Many serious online breaches can be traced to flaws in software developed at the Internet's birth, and growing awareness of the threat in ensuing years has not eliminated or mitigated the root problems, says former L0pht hacker Cris Thomas. The same programs that have enhanced the Internet experience have enabled remote manipulation of systems to which the software is connected, while tech companies fostered a culture that favored profits over security, leaving the burden of system failures on customers. Compounding Web insecurity was the growing competition among tech giants, which emphasized innovation and growth and embedded Internet-related features into their products, creating more opportunities for exploitation. Despite a revitalized push for security from tech firms and the government, cybercriminals remain consistently ahead of both business and federal efforts to protect the Internet and its users. Former L0pht members fear a historic cyber disaster may be the only effective agent for serious change.

Abstracts Copyright © 2015 Information, Inc. Bethesda, MD

  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Security Management Online | ASIS Online

No comments: