Search This Blog

Friday, August 07, 2015

Security Management Weekly - August 7, 2015


  Learn more! ->   sm professional  

August 7, 2015
Corporate Security
Sponsored By:
  1. "Kaspersky Finds Employees Are Not Careful Enough With Work Data"
  2. "Counterterrorism Expert Says It's Time to Give Companies Offensive Cybercapabilities"
  3. "Retail CIOs Must Balance Security Innovation"
  4. "The Wild, Wild West of IoT Security"
  5. "White House: Government Cybersecurity Improving, More Work to Do"

Homeland Security
Sponsored By:
  1. "FBI to Seek Counseling, Not Handcuffs, for Some Islamic State Suspects"
  2. "Police Kill Suspect in Theater Attack in Nashville"
  3. "Coming Soon? Movie Theaters Mull Metal Detectors, More Security After Violence"
  4. "ISIS or Al-Qaida? American Officials Split Over Biggest Threat"
  5. "FBI Looking Into Hillary Clinton's Email Server Security, Lawyer Says"

Cyber Security
Sponsored By:
  1. "China to Embed Internet Police in Tech Firms"
  2. "From Car-Jacking To Car-Hacking: How Vehicles Became Targets For Cybercriminals"
  3. "U.S. Decides to Retaliate Against China's Hacking"
  4. "Apple Mac Attacks 'Trivial,' Claims Security Researcher"
  5. "New York Village Paid Ransom to Keep its Computers Running, Comptroller Says"




Kaspersky Finds Employees Are Not Careful Enough With Work Data
FierceMobileIT (08/04/15) Bartley, Robert

Employees who use personal devices at work do not take proper security measures, either with the data they handle or the devices themselves, according to a survey conducted by Kaspersky Lab in conjunction with B2B International. The survey found that 73 percent of all Internet users aged 16 years and older use a personal device for work, of which 63 percent use a tablet and 58 percent use a smartphone. Only 10 percent of workers are "seriously concerned about keeping work information safe should cybercriminals gain access to their device," Kaspersky reported. The survey, which included 12,355 people in 26 countries, also found that 36 percent of employees keep work files on personal devices, and 18 percent store passwords for work email accounts. This could have serious consequences for an organization if someone were to gain malicious access to a device. Kaspersky recommends set contingencies for wiping a device if it is lost or stolen or an employee leaves the company. The security firm also provided a list of tenets for companies to follow to stay secure when practicing “bring your own device,” such as implementing a broad solution that sees to the security of all devices, and keeping mobile-security specialists on staff.

Counterterrorism Expert Says It's Time to Give Companies Offensive Cybercapabilities
IT World (08/03/15) Gross, Grant

At a forum on economic and cyber espionage held by the Hudson Institute this week, former deputy national security advisor for counterterrorism Juan Zarate said the U.S. government should allow companies to pursue offensive cyber activities as a means of defending their networks. Zarate suggested that the U.S. government could issue a private company "cyberwarrants" that would give them license to, "to protect its system, to go and destroy data that’s been stolen or maybe even something more aggressive." Zarate was joined in his call by Steven Chabinsky, chief risk officer at security firm CrowdStrike, who called the current focus by most businesses on vulnerability mitigation a "fool's errand." Chabinsky says that cyber defense has become extremely expensive, while it is still relatively cheap and easy for attackers. However, other speakers at the event discouraged businesses from taking action against cyberattackers. Former congressman and FBI agent Mike Rogers warned that many attacks originate in other countries and that companies taking action against such attackers could quickly find themselves in over their heads, calling such a strategy a "loser." "When you decide you’re going to breach territorial jurisdiction and go after someone, you have opened up a can of worms which is well beyond the scope of your threat."

Retail CIOs Must Balance Security Innovation
CIO (08/05/15) Goldman, Sharon

The major breaches of Home Depot and Target's payment systems in 2014 were a major wake-up call for the retail sector, and experts agree that retail CIOs are taking data security seriously. Boston Retail Partner's 2015 POS/Customer Engagement Benchmarking Survey found that payment security was among retail CIOs' top three priorities for 2016, with major focus on encryption and tokenization. Perry Kramer, vice president and practice lead a Boston Retail Partners, says that retail businesses are in a unique position, with a large amount of potentially vulnerable data -- ranging from customer's payment and personal information to proprietary merchandise/product data and financial plans -- and hundreds of thousands of access points, often manned by employees with little or no training in how to securely handle technology. Kramer says that this means retail business should "make every effort possible to lock down peripherals and every risk point." The situation is only getting worse and more and more aspects of the retail business involve technology. Marketing, for example, has largely become a technology-driven effort that could potentially open businesses to attack. That is why retail CIOs have to be involved with all line-of-business efforts to adopt technology and make sure these efforts include taking the necessary steps to secure this new technology.

The Wild, Wild West of IoT Security
Computerworld (08/03/15) Evans, Nicholas D.

Security in the Internet of Things (IoT) is an unorganized, untamed “wild West” situation that could create a number of risk situations, writes Nicholas D. Evans, who leads the Strategic Innovation Program for Unisys. These things include drones with attached firearms, connected cars that could be remotely sabotaged, and hacked hospital systems that could threaten the safety of patients. One main problem with IoT security is that it is frequently an afterthought that is added to solutions only when issues are found, rather than having them be built in. There are signs of improvement, such as reference architecture recently published by the Industrial Internet Consortium, which examines key characteristics of IoT and key concerns. This is meant to provide developers, engineers, systems integrators, and organizations with a common vocabulary and approach to building and implementing secure and interoperable IoT systems. Organizations that are designing and implementing IoT solutions should first have a clear sense of the possible threat scenarios, have a framework to understand devices and their networks, and take a holistic approach to cybersecurity.

White House: Government Cybersecurity Improving, More Work to Do
New York Times (07/31/15) Mason, Jeff

U.S. federal agencies have increased cybersecurity measures, but more work is necessary to help prevent further attacks, the results of a 30-day effort to raise standards showed. Last month, the White House's Office of Management and Budget kicked off a "cybersecurity sprint" after the hacks that put the personal data of millions of Americans at risk, directing agencies to strengthen their networks and report back. The White House's Chief Information Officer Tony Scott said in a blog post that federal civilian agencies had increased use of "strong authentication for privileged and unprivileged users" from 42 percent to 72 percent. However, many were still not up to the highest standards set by OMB. A team of more than 100 government and private industry experts are reviewing the government's cybersecurity policies and will issue an assessment in the coming months, he said.

FBI to Seek Counseling, Not Handcuffs, for Some Islamic State Suspects
Wall Street Journal (08/06/15) Barrett, Devlin

Finding itself overwhelmed by the logistical challenge of tracking the thousands of Americans that are believed to be interested in joining or carrying out attacks on behalf of the Islamic State (IS), the FBI is trying a new approach to handling some of these suspects. The so-called "intervention model" involves directing suspects, especially younger suspects, who are expressing interest in IS towards counseling in hopes of changing their minds before they become too radicalized. The approach has been used for several years in Europe and is similar to the methods U.S. law enforcement have long used to steer youngsters away from street gangs. However, it is very new to the FBI and many veteran counterterrorism agents remain unconvinced of its utility. The model has been used successfully in Dearborn, Mich., where nearly a third of the population claims at least some Arab ancestry. Dearborn Police Chief Ronald Haddad says that those actually planning attacks or other crimes will be arrested and that those who are subject to intervention will still be tracked and monitored by law enforcement. The approach is increasingly favored by the Obama administration and FBI officials who say the task of tracking and prosecuting the thousands of current suspects is simply too large.

Police Kill Suspect in Theater Attack in Nashville
New York Times (08/06/15)

A man armed with a hatchet and a pellet gun on Wednesday shot pepper spray at an audience at a movie theater in Nashville, but was then fired at by a police officer and fatally shot by a SWAT team as he tried to flee. Police say that the man, identified as 29-year-old Vincente David Montano, was carrying two backpacks and wore a surgical mask. There were eight people in the theater, including the assailant, and the three hit with the pepper spray have been treated, said Don Aaron, Metro Nashville Police spokesman. Montano tried to escape the theater through a back door, but met with a SWAT team and was shot dead. Aaron said that one of Montano's backpacks was found to contain a fake bomb. His motive remains unclear, although he has been committed four times for psychiatric or psychological issues and previously arrested for assault.

Coming Soon? Movie Theaters Mull Metal Detectors, More Security After Violence
NBC News (08/06/15) Carrero, Jacquellena; Ortiz, Erik

In the wake of numerous violent incidents at movie theaters, some are calling on theaters to install metal detectors and other security measures. A 29-year-old man wielding a pellet gun, pepper spray, and an ax was killed by police on Wednesday after he attacked patrons at a screening of "Mad Max: Fury Road" in Nashville, Tenn. That attack came two weeks after a man killed two people and injured 9 others before turning his weapon on himself during a showing of the movie "Trainwreck" in Lafayette, La. Jacob Broussard, a witness to the Lafayette rampage, this week told NBC News that movie theaters should install metal detectors to help prevent such shootings. However, security expert Michael Dorn believes that metal detectors would be prohibitively expensive for movie theaters and would likely create just as many problems as they would solve. Dorn estimates that installing and maintaining metal detectors and hiring security guards could cost individual theaters as much as $1 million a year, and that the long lines they would likely create would be just as vulnerable a target as moviegoers in a theater. Dorn instead advocates for theaters hiring security guards to protect the lobby and parking lots at theaters.

ISIS or Al-Qaida? American Officials Split Over Biggest Threat
New York Times (08/04/15) Schmitt, Eric

U.S. intelligence, counterterrorism and law-enforcement are divided over whether Islamic State (ISIS) or al-Qaida are the greatest threat. The decision will affect the allocation of counterterrorism funds and the assignments of federal agents, intelligence analysts, and military troops to combat a rapidly changing threat. The indecision demonstrates how ISIS appears a more immediate danger because of its scope and sophisticated use of social media to inspire followers. According to analysts, ISIS replaces its combatants as fast as they are killed, and the group still maintains as many as 31,000 fighters and earns close to $1 billion a year in oil revenues and taxes. At the same time, however, al-Qaida operatives in Yemen and Syria are using those countries' turmoil to plot larger “mass-casualty” attacks. The White House has launched a review of its counterterrorism policy toward ISIS, and the National Counterterrorism Center also has diverted analysts to focus on that militant group. The FBI, Justice Department, and Homeland Security Department are more concerned with the rising risk from ISIS, while the Pentagon, intelligence agencies, and the National Counterterrorism Center are more concerned about al-Qaida operatives overseas.

FBI Looking Into Hillary Clinton's Email Server Security, Lawyer Says
CNN (08/05/15) Merica, Dan

Hillary Clinton's representatives on Tuesday confirmed that the Federal Bureau of Investigation is looking into the security that was used to protect the private email system that Clinton used during her time as secretary of state. A report from the inspectors general of the U.S. intelligence community and the State Department last month disclosed that some of Clinton's emails contained classified information that had not been identified correctly, though it was unclear whether Clinton knew at the time that she was potentially compromising classified information. Initial reports about the report incorrectly suggested that Clinton was the focus of a federal criminal investigation over the potentially compromised information. Clinton has repeatedly denied sending or receiving classified information. Her traveling press secretary Nick Merrill most recently reiterated that position on Tuesday saying that "she did not send nor receive any emails that were marked classified at the time. We want to ensure that appropriate procedures are followed as these emails are reviewed while not unduly delaying the release of her emails. We want that to happen as quickly and as transparently as possible."

China to Embed Internet Police in Tech Firms
Wall Street Journal (08/05/15) Dou, Eva

China’s government will set up cybersecurity police units at major Internet companies to help them prevent crimes such as fraud and “spreading of rumors,” China’s official Xinhua news service said. China’s Ministry of Public Security did not specify which companies will have the new police units. China’s Internet sector is dominated by three companies: e-commerce giant Alibaba Group Holding Ltd., gaming and messaging company Tencent Holdings Ltd., and search-engine provider Baidu Inc. It was not clear clear whether the cyberpolice units would apply to international, as well as domestic, tech firms operating in China. The measure comes as part of Beijing's broader effort to exert greater control over China's Internet and amid heightened tensions with the United States over cybersecurity.

From Car-Jacking To Car-Hacking: How Vehicles Became Targets For Cybercriminals
Bloomberg (08/04/15) Solon, Olivia

Automotive cybercrime is becoming increasingly prominent, with police seeing a rise in tech-savvy criminals using key-cloning systems to gain entry to high-value vehicles. Approximately 6,000 vehicles were stolen using keyless entry hacks in London alone last year, making up 42 percent of all vehicle thefts according to London's Metropolitan Police. The roll out of progressively hi-tech cars, equipped with Internet connectivity and obstacle detection, has made car owners more vulnerable to theft, and has made the cars more at risk of cyber attack. As such, cybersecurity has become a top priority for carmakers, particularly after a recent cyberattack on a Jeep Cherokee that saw hackers take control of a car's steering and braking while it was on the highway. Stuart Hyde, former chief constable of Cumbria Police in England, notes that "anything connected to the Internet can be hacked, including cars. What hackers can do depends on how much the Internet connection interacts with different aspects of the vehicle." Car manufacturers are therefore advised to focus on plausible threats, and consider how to balance good safety with insightful protections.

U.S. Decides to Retaliate Against China's Hacking
New York Times (08/01/15) P. A6 Sanger, David E.

The Obama administration has decided to retaliate against China for the hacking and theft of the databases of the Office of Personnel Management (OPM), which compromised the personal information of more than 20 million Americans. The decision was based on a conclusion that the attack was so large that the usual practices for dealing with traditional espionage do not apply. Some of the possible U.S. responses include largely symbolic moves, such as diplomatic protests or ousting known Chinese agents in the United States. One possible action discussed is to find a way to breach the “great firewall,” China's complex network of censorship and control that it uses to suppress dissent. There are concerns, however, that more significant actions could trigger an escalating cyberconflict between the two nations. A response may not happen soon, or be obvious when it does occur. The Justice Department is looking into the possibility of legal action against Chinese individuals and organizations that may have been responsible for the OPM theft, but criminal charges are unlikely. According to intelligence officials, any legal case could lead to the exposure of U.S. intelligence operations inside China.

Apple Mac Attacks 'Trivial,' Claims Security Researcher
BBC News (08/06/15) Lee, David

Security firm Synack's Patrick Wardle demonstrated several new types of malicious software that bypassed Apple's security measures. Wardle said Apple knows about the threats, but the company has not commented on the research. Wardle was speaking at Black Hat 2015, an annual gathering of hackers and security professionals. He added that Apple's increased popularity means it is attracting attention from cybercriminals who would commonly focus on attacking computers running Microsoft's Windows. While Windows is an attackers' platform of choice, antivirus firm Kaspersky Labs recorded a surge in Apple malware in the past couple of years. Wardle's research focused on one piece of apple software, Gatekeeper, which warns the user when they are opening a file that is not from a "trusted" source. Still, Wardle was able to use "dynamic libraries" to inject malicious code into trusted programs. Wardle said he has shared his research with Apple and "they have patched of fixed some of the bugs." He added that in some cases, the patches are insufficient, and he can bypass the patch.

New York Village Paid Ransom to Keep its Computers Running, Comptroller Says
Associated Press (07/31/15)

State auditors said a village in central New York made ransom payments of $300 and $500 last year to keep its computers running after two official looking emails released malware throughout its system. The comptroller's office said Ilion's experience should warn others of the threat, which can infiltrate computers and make them inaccessible. Mayor Terry Leonard said the issue for the village of 8,000 was that the village accounting system was locked up. Additionally, other agencies across the country have dealt with malicious software known as ransomware. In Maine this year, Lincoln County sheriff's office computers were infected and held hostage. In suburban Chicago, the Midlothian village police paid a $500 ransom in bitcoin, a digital currency that’s virtually untraceable, to get its files unencrypted. Ilion officials have developed new security steps and trained staff to look out for suspicious emails.

Abstracts Copyright © 2015 Information, Inc. Bethesda, MD

  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Security Management Online | ASIS Online

No comments: