
Friday, August 19, 2005

Security Management Weekly - August 19, 2005

A weekly security news briefing from ASIS International


August 19, 2005
 
 
CORPORATE SECURITY
  1. "Bills Could Make Businesses Do More to Prevent ID Theft" Several Identity Theft Bills in Congress
  2. "For Munch, a Bunch of Security" Norway's Munch Museum Reopens With $6 Million in Security Enhancements
  3. "Is Sarbanes-Oxley Compromising Internal Audit?"
  4. "Repositioning the CISO" Enterprises Benefit by Combining Information Security With Physical Security Under One Senior Security Officer
  5. "Security in Motion" Insight on How Museums Secure Their Traveling Exhibitions
  6. "When Disaster Strikes, Treasury Can Strike Back" Businesses Must Include Cash Management Operations in Disaster Recovery Plans

HOMELAND SECURITY
  7. "Homeland Security Lowering Mass Transit Threat Alert" Threat Level for U.S. Mass Transit Systems Lowered From Code Orange to Code Yellow
  8. "TSA Proposal Questioned by Flight Attendants" Controversy Over TSA's New Security Suggestions
  9. "L.A. Holdups Linked to Islamic Group, Possible Terrorist Plot" Potential Terrorist Group Operating Out of California Prison System
  10. "Blasts Rock Bangladesh Cities; One Dead, 100 Hurt" More Than 200 Bombs Explode in Various Cities
  11. "Recommendations Gain Qualified Support" National Fire Protection Association Committee Addresses Federal Building Codes and Standards

CYBER SECURITY
  12. "Al-Qaida Recruiting Target: Skilled Hackers" Al Qaeda Attempting to Hire Hackers to Break Into Commercial and Federal Computer Networks
  13. "'War of the Worms' Spurs Latest Cyber-Attack" Cyber Attack Slows Systems at Media Outlets
  14. "'Spear Phishing' Tests Educate People About Online Scams"
  15. "Mission Impossible" Seven Infrastructure Revision Techniques to Protect Enterprises From Spyware


"Bills Could Make Businesses Do More to Prevent ID Theft"
Birmingham News (AL) (08/18/05) ; Williams, Roy

There are several bills before both houses of Congress that aim to protect U.S. consumers from identity theft. In the House, Reps. Artur Davis (D-Ala.), Melissa Bean (D-Ill.), and Barney Frank (D-Mass.) are co-sponsoring the Consumer Data Security and Notification Act of 2005. The bill provides stronger consumer safeguards and enforcement against credit card and identity theft by widening federal protections against the improper collection and sale of confidential consumer data. It also provides consumers with advance notice when their personal information has been compromised. In the Senate, the Commerce Committee unanimously approved the Identity Theft Protection Act last month, which would dictate how companies should handle consumers' personal information. The bill requires nonfinancial companies, such as data brokers that handle sensitive personal information, to ensure the security and confidentiality of such information with security measures outlined by the Federal Trade Commission. If the security measures are compromised and the company determines that the breach has created a "reasonable risk" of identity theft, the company would have to notify the affected customers or be fined up to $11,000 per customer.

"For Munch, a Bunch of Security"
USA Today (08/18/05) ; Puente, Maria

The Munch Museum in Oslo, Norway, which has been closed since the brazen armed theft of two famous Edvard Munch paintings on Aug. 22, 2004, reopened its doors this summer after spending 10 months and $6 million to improve its security measures. The museum claims that it is now the most secure museum in the world, with entryway metal detectors; paintings that have been bolted to walls and encased in bulletproof glass; a surveillance control room for monitoring the museum galleries; and automatic gates to lock the galleries. Edward Dolnick, author of a book on art heists, says that American museums may begin looking to the Munch Museum as a template for security. "They've got multimillion-dollar bills hanging on their walls and open doors," he says. "It's asking for trouble." One of the two thieves that robbed the Munch Museum last summer held a gun to the head of a security guard while the other thief ripped paintings off the museum's walls. Dolnick says that although guns are not often used in art thefts, a trend has emerged in which dangerous criminals are becoming involved in the global black market for stolen artwork. Although suspects have been arrested in the Munch robbery, authorities believe that the priceless paintings that were stolen--"The Scream" and "Madonna"--may have been destroyed.

"Is Sarbanes-Oxley Compromising Internal Audit?"
Business Finance (08/05) Vol. 11, No. 8, P. 19 ; Krell, Eric

Additional compliance responsibilities from the Sarbanes-Oxley Act (SOX) have burdened internal auditors, forcing companies to find new ways to balance these requirements with traditional priorities. Since the act's passage, internal audit functions have worked overtime to get companies compliant, but now some are seeking ways to hand off some of that work to business process owners and others. When the act was first implemented, up to 50 percent of internal auditing staff members were pulled away from their traditional duties to work on Section 404 compliance matters, which complicated matters for many firms and their external auditors. However, more relaxed regulations from the Public Company Accounting Oversight Board (PCAOB) and the Securities and Exchange Commission (SEC) have allowed external auditors to rely on internal documentation and remediation, so long as internal auditors did not participate in both the creation and the testing of those internal controls. Meanwhile, operational audits, systems audits, and other risk-based auditing projects have fallen by the wayside, with potentially dangerous consequences. Most companies expect that their internal auditors will return to their normal duties once the SOX requirements are met, and some firms report that risk-based assessments let them allocate internal audit resources more appropriately, so that internal controls were not the only project internal auditors worked on; some firms have gone on to create enterprise-wide risk management systems. Experts suggest that companies still in the throes of complying with SOX should consider hiring consultants and contractors to get up to speed rather than relying solely on internal auditing staff.

"Repositioning the CISO"
Security Technology & Design (07/05) Vol. 15, No. 7, P. 62 ; Wynn, Bob

Enterprises would benefit from combining information security with physical security under one senior security officer, the CISO. In fact, 34 percent of respondents to a 2004 CSO Security Sensor Survey have repositioned their CISOs from a position under the CIO to an independent position, because it puts more emphasis on long-term, enterprise-wide information security and allows better communication of security issues as they relate to business practices, according to former State of Georgia CISO Bob Wynn. However, 38 percent of respondents to the same survey are still having their CISO report to the CIO and are therefore limiting their information security objectives and communication. Senior business leadership does not receive security's message, and operational responsibilities override strategic planning. "The senior information security officer should be an 'enterprise' risk manager rather than a production resource devoted to IT operations," advises the Federal Financial Institutions Examination Council. Having the information security officer report directly to the board or senior management instead of via the IT department will guarantee independence. Enterprises would be wise to deploy ISO-17799, a security program template that defines information security best practices, such as order of security importance, ways to develop a comprehensive security program, and ways to judge the effectiveness of an enterprise's security program, writes Wynn.

"Security in Motion"
Security Management (08/05) Vol. 49, No. 8, P. 40 ; Turk, Andrew

New York City's American Museum of Natural History is loaning its Einstein Manuscripts--including formulas and ledgers that were hand-written by the famous scientist--to other museums around the world, and the museum is taking steps to ensure the security of the traveling exhibit. As part of this security process, the museum has created a tailored, high-security case for the collection of Einstein materials, replete with built-in alarms for theft and for environmental factors such as humidity, bright light, and liquid spills. When considering the security of a traveling exhibit, the first step is to conduct a threat assessment before the exhibit leaves its home museum; this process begins with obtaining a highly detailed facilities-security report from each museum that will receive the exhibit, to ensure that its security is up to grade. The home museum's security team should visit the host museums to inspect their security, and the team should work with the host museums to make any necessary security upgrades and to review the expected security procedures and responses. Before the exhibit leaves its home, the condition of each artifact should be recorded in detail, and a representative can be sent to travel with the exhibit to ensure it is maintained properly. Diamonds and other very valuable objects can be transported on the ground by armored vehicles and hand-carried onto planes by security guards in specially designed attaché cases. The American Museum of Natural History takes a layered approach to security sensors and alarms, both in-house and for its traveling exhibits--these include vibration sensors, contact alarm sensors, and volumetric sensors to detect movement.

"When Disaster Strikes, Treasury Can Strike Back"
Business Finance (08/05) Vol. 11, No. 8, P. 27 ; Kroll, Karen M.

Terrorist attacks, cyber crime, and other events are predominantly on corporate minds these days, much as fires, floods, hurricanes, and other natural disasters were in years past, but unlike natural events, the latest risks to operations are not as predictable or well understood. Disaster recovery plans are more essential than ever for businesses in order to protect operations from certain failure. Cash management operations, like other functions of a business, also have to be accounted for in business continuity and disaster recovery plans, especially since many of these treasury functions are more dependent than ever on technology. Financial controls have to be maintained in these treasury systems under various federal and state regulations, even in the event of a disaster, but in many cases businesses are unaware that disaster recovery processes are needed for these functions. Before such plans can be implemented, businesses must first assess the risks facing their firms and the likelihood that those risks will affect the business and its various functions. Important financial and other data should be backed up and replicated in several different locations and versions; critical systems should be protected with back-up generators and other means; employees should be able to communicate with one another through several methods; alternative workspaces need to be ready to go when disaster strikes; reporting requirements have to be met even in the event of disaster; and finally, the plan should be tested and approved by senior managers and executives. Meanwhile, treasurers should ensure networks are protected from insiders, viruses, hackers, and other cyber-crimes via anti-virus software and firewalls. Experts agree that laptops and other mobile devices, along with a list of accounts and important transactions and reports, are necessary for treasurers to keep cash management moving even in the event of a disaster.

"Homeland Security Lowering Mass Transit Threat Alert"
Newsday (08/12/05) ; Jordan, Lara Lakes

The Homeland Security Department on the night of Friday, Aug. 12, lowered the terrorism threat level for the nation's transit systems from Code Orange to Code Yellow. Homeland Security Secretary Michael Chertoff urged the public and local and state officials to remain vigilant, despite the lowering of the terror level. Several big cities have decided to keep their transit systems at Code Orange. In addition, the state of New Jersey said it would stay at Code Orange at least through the end of this week due to the state's high number of terrorist targets. Mass transit systems spent at least $900,000 per day on the extra security costs associated with Code Orange, according to Greg Hull, security director of the American Public Transportation Association.

"TSA Proposal Questioned by Flight Attendants"
Washington Post (08/17/05) P. A5 ; Goo, Sara Kehaulani

An internal Transportation Security Administration (TSA) document circulated last week suggests rolling back some aviation security measures that were instated after the Sept. 11 terrorist attacks, prompting criticism from the largest U.S. flight attendants union. One of the suggestions made in the document is that airline crews, top government officials, and other categories of passengers be allowed to bypass security screening; the document also suggests that the ban on carry-on items like knives, razor blades, and ice picks could be lifted. The TSA document is part of a review by the agency to ensure that airport security procedures address current terrorist threats, and the document specifically aims to ensure that the agency is doing enough to prevent suicide bombers from blowing themselves up aboard planes. The TSA claims that its suggested changes would not undermine security, but the Association of Flight Attendants disagrees. The association's international president, Patricia Friend, expressed her displeasure in a letter to TSA chief Edmund Hawley, stating that knives and the other banned items have no place in aircraft cabins. The banned items "may not assist in breaking through a flightdeck door, but they could definitely lead to the deaths of flight attendants and passengers," Friend said. The Air Line Pilots Association, meanwhile, commended the TSA for conducting the security review and said that it agreed with many of the new security proposals. TSA spokeswoman Yolanda Clark says that the aim of the security review is to improve security and ensure that the agency is making the most of its limited resources.

"L.A. Holdups Linked to Islamic Group, Possible Terrorist Plot"
Washington Post (08/17/05) P. A5 ; Argetsinger, Amy; Eggen, Dan

Authorities have uncovered a potential terrorist plot involving a militant Islamic group operating out of the California prison system. The group, Jamiyyat Ul Islam Is Saheeh, appears to be a "truly homegrown" group with members capable of carrying out attacks on their own within the United States, said one U.S. official. "From the evidence so far, there is reason to believe that they were planning attacks," the official said, with targets apparently including National Guard centers, Los Angeles-area synagogues, the Israeli consulate, and other sites. So far, authorities have arrested three suspects--a Pakistani national and two California men--in connection with the potential plot, and more arrests could be forthcoming. The investigation began as an inquiry into several armed robberies of California gas stations, but it eventually expanded into a terrorism investigation. One of the two local men arrested as suspects in the holdups owned what officials described as "jihadist" literature, bulletproof vests, and a list of addresses of synagogues and other apparent targets. One of the suspects is believed to have converted to Islam while in prison.

"Blasts Rock Bangladesh Cities; One Dead, 100 Hurt"
Reuters (08/17/05) ; Ahmed, Nizam

More than 200 bombs exploded in several cities across Bangladesh during a half-hour period Wednesday morning, killing one person, injuring at least 100 others, and sparking panic in city streets. The bombs appeared targeted at government buildings, and leaflets found at most of the blast sites carried a message by outlawed Islamic group Jamaat-ul-Mujahideen urging the creation of Islamic rule in the country and warning the United States and United Kingdom to "vacate Muslim countries." No foreigners were hurt in the attacks, but the Bangladesh government has issued security alerts for 40 foreign ships in the country's ports, as well as various key installations such as power plants, fertilizer factories, and refineries. Various Bangladesh officials said that the attacks appeared to be planned in advance and well-organized, and the bombs appeared to have been made locally and detonated remotely.

"Recommendations Gain Qualified Support"
ENR (07/25/05) Vol. 255, No. 4, P. 10 ; Post, Nadine M.

The National Fire Protection Association's (NFPA) High-Rise Building Safety Advisory Committee is preparing to submit its comments on the National Institute of Standards and Technology's (NIST) recent recommendations for changes to federal building codes and standards. After studying the recommendations, the 10-person committee appears to have agreed with many of the NIST's suggested changes while raising concerns about a lack of precision in the draft report and indications that the proposed changes are based on a small niche of building types. For example, the committee agrees with NIST's recommendation that "progressive collapse should be prevented in buildings," but the NFPA is calling for more specific considerations, such as the possibility of more than one column collapsing and the impact of mitigation solutions on other design objectives. The committee also calls for more clarification of concepts such as structural framing and performance-based design, both of which it supports. One area on which the committee did not reach a consensus was the subject of exits, specifically their remoteness and functionality. Finally, the group did agree to recommend that the NFPA Standards Council consider architect Steven M. Nilles' proposal of a voluntary rating system called Leadership in Life-Safety Design.

"Al-Qaida Recruiting Target: Skilled Hackers"
Investor's Business Daily (08/19/05) P. A4 ; Tsuruoka, Doug

Solutionary chief security counsel Mark Rasch, former head of the Justice Department's computer crime unit, reports that foreign governments and terrorist organizations such as al-Qaida are attempting to hire Internet hackers to break into commercial and federal computer networks, with an eye toward sabotage or information theft. He says a massive assault against our cyberinfrastructure would disrupt services but not inspire terror; much more effective would be a combination cyberattack and physical attack, which would spread fear as well as hinder response strategies. Rasch says al-Qaida has formulated plans to attack U.S. networks controlling the supervisory control and data acquisition (SCADA) systems underlying the country's utility infrastructure. Terrorists can contact hackers in a variety of ways, including through Internet relay chat channels, anonymous outsourcing, and anonymous remailers that hide the original source of messages. Rasch suggests a number of precautions to defend against cyberterror attacks, such as the installation of disaster recovery and business continuation technology and redundant systems. So that people can understand and identify attack precursors, he recommends an exchange of information. Rasch also suggests improving information sharing networks following an attack.

"'War of the Worms' Spurs Latest Cyber-Attack"
ABC News (08/17/05) ; James, Michael S.

The attack earlier this week that slowed systems at The New York Times, The Associated Press, and other media outlets may have been an example of battling worms competing for control of major computer networks. The culprit was identified as different strains of the Zotob worm, which targets computers running Windows 2000, though unprotected Windows 2003 and XP machines are also vulnerable. In the latest attacks, the hackers were attempting to seize control of the computers to create botnets, and posted death threats aimed at antivirus companies. The pursuit of unlawful computer armies has led to a virtual turf war, in which rival hackers delete each other's worms to clear the way for their own in an effort to build the largest botnet. The recent trend in hacking has been toward personal greed, as simply defacing a Web site or launching a denial of service attack no longer motivates hackers: "Destroying the Internet is not really useful if the Internet is the means to your financial goals," noted Art Manion of the U.S. CERT center at Carnegie Mellon. Botnet operators use the expropriated computers to send out torrents of spam or access personal information, and there is also an underground economy that pays to rent botnets for various purposes, most commonly to send out spam. The use of multiple third-party computers makes it difficult to track the originator of botnet spam. Cybertrust's David Kennedy believes poor laptop security may have facilitated the recent attacks; he cautions businesses to keep security patches updated and to use a dedicated router to manage the connection between a notebook and the network it plugs into, and adds that users should power their notebooks down completely before connecting to the network.

"'Spear Phishing' Tests Educate People About Online Scams"
Wall Street Journal (08/17/05) P. B1 ; Bank, David

To raise user awareness of online scams designed to trick them into revealing sensitive information to data thieves and other miscreants, organizations such as the U.S. Military Academy are conducting exercises in which people are sent phony emails disguised as official requests to link to Web pages and enter confidential data, and then upbraided if they do so. Through this strategy, defenders hope to teach users to be more cognizant of "spear phishing" scams in which attackers craft email messages that would seem to originate from the recipient's company or organization. Last June, over 500 West Point cadets were sent mock emails from a fictitious colonel instructing them to click on a link to confirm that their grades were correct, and more than 80 percent of recipients complied; the cadets were gently reprimanded via email and advised to be more cautious in the future. In recent months, almost 10,000 employees of New York state were sent emails that were supposedly official notices asking them to access sites and enter their passwords and other personal details, and those who did were sent a note explaining the purpose of the exercise. "The bottom line lesson was: Even if the request comes from legitimate individuals, never give out personal information," said New York CIO William Pelgrin. However, such methods could potentially erode employees' trust for their organizations' information-security personnel. Still, SANS Institute research director Alan Paller called such exercises "a key defense against large-scale theft of confidential information."

"Mission Impossible"
Information Security (07/05) Vol. 8, No. 7, P. 36 ; Skoudis, Ed

Spyware, a growing concern among security professionals due to its ability to compromise sensitive data and consume IT resources, is the top concern of 87.5 percent of respondents to a recent Information Security survey. Seven infrastructure revision techniques will help enterprises protect themselves from spyware, according to security consultancy Intelguardians cofounder Ed Skoudis. The first technique is to use existing DNS servers to answer the lookup when a user is tricked into visiting a known spyware site. The same DNS servers can also stop spyware that does get through from communicating with its home network, rendering it ineffective. The second technique is to severely limit user privileges, because most users are easily tricked into downloading or running malicious programs. Enterprises should also make sure users can get immediate help from administrators through Windows Remote Desktop, deploy patch management and update control tools, link computers to all printers with the help desk able to access systems remotely, and install for users any add-ons they need. The third technique is to use Group Policy Objects to prevent spyware from exploiting system vulnerabilities. The fourth technique is to use an alternative browser that is not as vulnerable to attack, and the fifth technique is to use antispyware programs to detect spyware. The sixth technique is to establish a proxy for outbound Web traffic, creating a centralized control point where employee Internet access can be logged and controlled. The final technique is to deploy a client script that constantly scans for common spyware files and registry keys, so that the script becomes a highly customized antispyware program that can find and automatically delete spyware.
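The DNS sinkhole and outbound-proxy controls from the list above, as an added Python example that is not from the article or from Intelguardians: it emits BIND stanzas that make the existing DNS server answer lookups for blocked domains with a sinkhole address, and scans Squid-style proxy log lines for machines that still try to call home. The domain names, addresses and log lines are constructed placeholders.

```python
"""Constructed example: DNS sinkholing of known spyware domains plus review of
outbound proxy logs for call-home attempts that slipped past client controls."""
import re
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Constructed blocklist of "known spyware sites" (placeholder names, not real hosts).
SPYWARE_DOMAINS = {"spyware-example.invalid", "adware-tracker.example"}
SINKHOLE_IP = "127.0.0.1"  # address handed back to the client instead of the real host


def is_blocked(qname: str, blocked: Iterable[str] = SPYWARE_DOMAINS) -> bool:
    """True if the queried name is a blocked domain or any subdomain of one.
    Normalises the trailing dot and mixed case seen in real DNS queries."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in blocked)


def bind_sinkhole_config(blocked: Iterable[str], zone_file: str = "/etc/bind/db.sinkhole") -> str:
    """named.conf stanzas making this server authoritative for each blocked domain,
    so every lookup, including the spyware's own call-home lookup, gets the sinkhole."""
    return "\n".join(
        f'zone "{d}" {{ type master; file "{zone_file}"; }};' for d in sorted(blocked)
    )


def bind_sinkhole_zone(sinkhole_ip: str = SINKHOLE_IP) -> str:
    """One shared zone file: the apex and a wildcard both resolve to the sinkhole."""
    return (
        "$TTL 300\n"
        "@   IN SOA ns.sinkhole.local. hostmaster.sinkhole.local. (1 3600 900 604800 300)\n"
        "@   IN NS  ns.sinkhole.local.\n"
        f"@   IN A   {sinkhole_ip}\n"
        f"*   IN A   {sinkhole_ip}\n"
    )


# Squid native access.log: ts elapsed client action/code size method url user hier/from type
SQUID_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def _host_of(url: str) -> str:
    """Hostname from a full URL, or from the host:port form used by CONNECT entries."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.split(":", 1)[0]


def callbacks_in_proxy_log(lines: Iterable[str],
                           blocked: Iterable[str] = SPYWARE_DOMAINS) -> List[Tuple[str, str]]:
    """Return (client_ip, host) pairs for requests to blocked domains: each pair is a
    machine where spyware got past the client-side controls and is calling home."""
    hits = []
    for line in lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue  # skip malformed or non-access lines
        host = _host_of(m["url"])
        if host and is_blocked(host, blocked):
            hits.append((m["client"], host))
    return hits


# Constructed log lines (not a real capture).
SAMPLE_LOG = """\
1124400000.123    45 10.0.0.17 TCP_MISS/200 512 GET http://www.example.org/ - DIRECT/192.0.2.1 text/html
1124400001.456    30 10.0.0.17 TCP_MISS/200 310 GET http://update.spyware-example.invalid/cfg.php - DIRECT/192.0.2.10 text/html
1124400002.789    12 10.0.0.42 TCP_MISS/200 0 CONNECT stats.adware-tracker.example:443 - DIRECT/192.0.2.11 -
1124400003.000    20 10.0.0.42 TCP_MISS/200 200 GET http://notspyware-example.invalid/ - DIRECT/192.0.2.12 text/html
""".splitlines()

if __name__ == "__main__":
    print(bind_sinkhole_config(SPYWARE_DOMAINS))
    print(bind_sinkhole_zone())
    for client, host in callbacks_in_proxy_log(SAMPLE_LOG):
        print(f"call-home attempt: {client} -> {host}")
```

Note that `is_blocked` deliberately requires a label boundary, so a look-alike such as `notspyware-example.invalid` is not matched by the `spyware-example.invalid` entry.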

Abstracts Copyright © 2005 Information, Inc. Bethesda, MD

