Friday, April 23, 2010

Security Management Weekly - April 23, 2010

header

  Learn more! ->   sm professional  

April 23, 2010
 
 
Corporate Security

Sponsored By:
  1. "Medical Marijuana at Work?" Colorado
  2. "Gunmen Burst Into Holiday Inn, Abduct Guests" Mexico
  3. "Suspected Pirates Headed for Trial in the U.S."
  4. "PCI Council to Update Its 3 Standards" Payment Card Industry
  5. "Be Sure You Learn the Right Lessons from Crisis Events"
Homeland Security

  1. "White House Focus on Nuclear Terrorism Gets Scrutiny"
  2. "Chemical Plant Security Re-Engaged"
  3. "Senators Seek Documents on Fort Hood Suspect"
  4. "Senators Call for Scrapping 'Virtual Fence'"
  5. "Allies Kill Another al Qaeda Leader in Iraq"
Cyber Security

  1. "McAfee Anti-Virus Goes Berserk, Reboots PCs"
  2. "Federal Cybersecurity Monitoring Goes Real-Time and Digital"
  3. "Web Hit by Hi-Tech Crime Wave"
  4. "Cyberattack on Google Said to Hit Password System"
  5. "Politically Motivated Attacks Could Force Enterprises to Reshape Defenses"

   

 
 
 

 


Medical Marijuana at Work?
Glenwood Springs Post Independent (CO) (04/23/10) Urquhart, Janet

Colorado employers with questions about the state's medical marijuana laws will be able to get some answers at an upcoming seminar being given by the Aspen Chamber Resort Association and the workers compensation insurer Pinnacol Assurance. The seminar, entitled "One Toke Over the Line: Medical Marijuana in the Workplace," will be given by attorney Daniel Wennogle and will help employers develop a framework for addressing the issue of employees who may be medical marijuana users. Wennogle, an attorney with the Glenwood Springs firm of Balcomb & Green, noted that the laws regarding medical marijuana are clear-cut in some respects. For instance, employers are not required to accommodate the use of medical marijuana in the workplace, Wennogle said. He added that the use of medical marijuana is also prohibited in situations that could endanger someone. But a number of issues remain unclear, including what companies must do in the event a person who is legally allowed to use medical marijuana tests positive for the drug, Wennogle said. Although Wennogle said he will try to clear up some questions regarding the law at the April 29 seminar, he added that he will not provide any attendees with specific legal advice.


Gunmen Burst Into Holiday Inn, Abduct Guests
Associated Press (04/22/10) Rodriguez, Olga R.

At least six people were kidnapped when a group of 20 to 30 gunmen believed to be associated with drug gangs stormed two hotels in Monterrey, Mexico, on Wednesday. The incident began when the gunmen went into the Holiday Inn in Monterrey and went from room to room looking for specific individuals. After kidnapping four guests and a receptionist from the Holiday Inn, the gunmen went across the street to the Hotel Mision and abducted the receptionist there. It remains unclear what the motive for the attack was. The identities of the victims are also not known, though authorities say that the guests that were abducted from the Holiday Inn include three men from Mexico City and a woman from the Mexican border city of Reynosa. None of the victims were Americans, despite media reports to the contrary, the U.S. Consulate in Monterrey said. The U.S. Consulate also said that the incident underscores the need for American citizens to be wary of violence in Nuevo Leon, the Mexican state where Monterrey is located.


Suspected Pirates Headed for Trial in the U.S.
Associated Press (04/22/10) Jelinek, Pauline

U.S. officials have announced that 11 suspected pirates captured off the coast of Somalia are being brought to Norfolk, Va., to stand trial. The suspects were moved from the U.S.S. Nassau amphibious assault ship and flown to the states in the custody of the Justice Department. Five of those being flown into Virginia were captured March 31, after the frigate U.S.S. Nicholas exchanged fire with a suspected pirate vessel, sinking a skiff and confiscating its mother ship. The other six suspects were captured after they began shooting at the amphibious dock landing ship U.S.S. Ashland. The navy has held the suspected pirates since their capture until officials could determine where and how they could be prosecuted and to prepare legal charges against them. An additional 10 pirates remain in Navy custody. They were captured when the U.S.S. McFaul responded to a distress call from a merchant vessel. It is unclear whether they will be released or handed over to another country for prosecution. Thus far, many countries have been reluctant to try Somali pirates due to difficulties transporting them and fears that they may claim asylum or raise difficult jurisdiction issues. Kenya has been encouraged by the international community to try many of the pirates captured in the region, but the country now says pirates are putting too much strain on its court system. The Navy has also handed over evidence related to the pirate attack on the U.S.S. Nicholas, including the pirates' weapons and photographic evidence of small arms fire that hit the ship. The Justice Department has not said what charges will be brought against the pirates.


PCI Council to Update Its 3 Standards
PaymentsSource (04/20/10)

PCI Security Standards Council general manager Bob Russo says that all three of the council's standards will be updated this year. The first standard, the PIN Transaction Security standard for devices that feature PIN pads, will be updated in April. The remaining two standards—the Payment Application Data Security Standard, which addresses software used in point of sale systems; and the PCI Data Security Standard, which addresses the security of all payment systems—will be updated in October. Russo says that all three updates will provide the payments industry with more information about how to use the standards as well as a better understanding of how the standards will change in the future. He says the council also is considering updating PCI DSS every three years, instead of the current update frequency of two years.


Be Sure You Learn the Right Lessons from Crisis Events
Security Director's Report (04/10) Vol. 2010, No. 4,

Studies reveal that organizations usually have a better response to a disaster the second time around. Put another way, one of the best ways to become crisis-ready is, unfortunately, to experience a crisis. But the extent to which a company prepares for a reoccurrence depends on whether it asked the right questions and learned the right lessons the first time. "Business Continuity Management" author Michael Blythe says companies should ask the following questions during a post-disaster audit: Did pre-crisis assessments identify risks and prioritize them appropriately? Did our mitigation efforts offset the damage? Were managers well-equipped, and did they implement contingency plans? Are the risks the same post-incident? How should immediate, interim, and long-term strategies be modified? And, What tactics, training, or policies need to be revised? As companies examine what post-crisis lessons can be culled, they must be aware of their organizational bias toward either a centralized or decentralized crisis management style. In a centralized response, authority is consolidated among higher-level manager during an event, while in a decentralized response individual business units, departments, and people are empowered to manage and respond to a crisis.




White House Focus on Nuclear Terrorism Gets Scrutiny
Wall Street Journal (04/23/10) P. A2; Johnson, Keith

The Obama administration has been taking a number of steps to prevent a terrorist group from using a nuclear weapon to launch an attack on the U.S. For instance, the White House recently invited the leaders of 47 countries to Washington, D.C., to participate in a nuclear-security summit that aimed to prevent al-Qaida and other extremist groups from acquiring fuel for a nuclear bomb. John Brennan, President Obama's counterterrorism adviser, said the summit was necessary because the possibility that a terrorist group could use a nuclear weapon is "one of the greatest threats to our national security." But some experts say that while a terrorist attack involving nuclear weapons would be devastating, the likelihood that such an attack would take place is low, given the difficulty involved in acquiring fissile material, assembling it, and detonating a bomb. A bigger threat, these experts say, is the danger posed by a biological or chemical attack. Experts say that although such attacks are far more likely to be used by terrorist groups, the Obama administration has not done enough to protect the nation from these threats. For example, the White House has not named an ambassador to the Chemical Weapons Convention in The Hague, which was created to monitor military-grade chemical weapons and chemicals that have civilian uses but could also be weaponized. In response to the threat posed by biological weapons, both the House and Senate are considering bills that would increase preparedness for a bioterror attack. However, some experts say that they do not see any signs that al-Qaida's ambitions are getting smaller, and that the group is still likely to attack the U.S. with a nuclear weapon.


Chemical Plant Security Re-Engaged
Politico (04/22/10) Morris, Jim

The Senate is reportedly preparing to introduce a new bill that would give the Department of Homeland Security (DHS) greater oversight to require major manufacturers and users of deadly chemicals such as chlorine to either switch to a safer alternative or step up security measures. Former Environmental Protection Agency (EPA) Homeland Security Advisor Bob Bostock says that tighter regulation is necessary to prevent terrorists from killing thousands by breaching a chlorine storage tank or through the use of other deadly chemicals. The House already passed such a bill in fall 2009, and Sen. Frank Lautenberg (D-N.J.) says he will submit a similar bill in the near future. These bills would give DHS the power to enforce significant improvements to security measures at the nation's highest risk chemical facilities. However, the chemical industry is pushing back against new bills that would allow DHS to make now-voluntary measures mandatory, saying that it has a good track record and has already taken steps to prevent accidental or terrorist-induced releases of dangerous compounds. The American Chemistry Council claims that its 145 member companies have spent more than $8 billion in security enhancements since September 11, 2001, including guards, perimeter fencing, and video surveillance. They also point out that the current law allows DHS to fine or shut down facilities that do not take proper measures, although DHS has yet to take either action. The department has, however, acquired basic information on 38,000 chemical sites, approximately 5,800 of which are considered high risk. While these facilities are required to submit security plans and are subject to DHS inspection, experts say the law is still deficient because it bars DHS from actually requiring any specific security changes and exempts the nation's 2,400 drinking water and wastewater treatment facilities, some of which store large amounts of chlorine.


Senators Seek Documents on Fort Hood Suspect
Wall Street Journal (04/20/10) Johnson, Keith

Sen. Joseph Lieberman (I-Conn.), the chairman of the Senate Committee on Homeland Security and Governmental Affairs, and Sen. Susan Collins (R-Maine), the panel's ranking member, issued subpoenas on April 19 ordering the Obama Administration to turn over information related to Army Maj. Nidal Hasan, the suspect in last November's shootings at Fort Hood, Texas. Among the information the senators want the administration to turn over is Maj. Hasan's personnel file at the Department of Defense and his performance evaluations. Sens. Lieberman and Collins are also asking for the Pentagon to release a confidential supplement to a January report on the Fort Hood shootings, as well as information held by the Department of Defense and the Department of Justice on the communications Maj. Hasan had with "known or suspected terrorists" like radical Muslim cleric Anwar al-Awlaki. The administration has until April 27 to turn over the requested information. If it fails to do that, the full Homeland Security Committee will vote on seeking a court order for the release of the information. According to Leslie Phillips, the communications director for the committee, Sens. Lieberman and Collins are asking for the information to be released because they want to know what information the government had about Maj. Hasan before the shooting and the steps that were taken or not taken to prevent the attack. For its part, the administration has repeatedly refused to provide the information requested by the committee, saying that doing so would compromise the investigation into the shootings. Phillips dismissed those concerns, saying that congressional inquiries do not prevent terrorist suspects from being prosecuted.


Senators Call for Scrapping 'Virtual Fence'
Associated Press (04/20/10)

During a hearing on border security that was held by the Senate Homeland Security and Governmental Affairs Committee on Tuesday, Sens. Joseph Lieberman (I-Conn.), the panel's chairman, and Roland Burris (D-Ill.) said that it may be time to consider canceling Boeing's contract to build a virtual fence along the U.S.-Mexico border. Lieberman and Burris said that the government may want to think about ending the contract for the fence, which is made up of a network of cameras, ground sensors, and radars that detect when people cross the border, because it is not capable of stopping illegal immigration. Lieberman added that it may be better for the government to build a real fence that is "double- and triple tiered, and layered." But when asked whether the contract could be canceled, Border Protection Commissioner Alan Bersin, who testified before the committee, said he could not give his opinion on the issue. He also acknowledged that there have been problems with the virtual fence, including difficulties in integrating the system to allow the border to be monitored from a central location. However, he added that Homeland Security Secretary Janet Napolitano believes that wholesale integration of the system is not a practical goal or one that would produce the desired results.


Allies Kill Another al Qaeda Leader in Iraq
Associated Press (04/20/10)

Officials say that Iraqi and U.S. troops killed a third regional al-Qaida leader in Iraq on Tuesday. According to Iraqi Maj. Gen. Qassim al-Moussawi, the leader, Abu Suhaib, was in charge of the terrorist organization's operations in Kirkuk, Salahuddin, and Ninevah provinces. In addition to Suhaib, Iraqi and U.S. forces killed al-Qaida leaders Abu Omar al-Baghdadi and Abu Ayyub al-Masri in a joint operation on Sunday that involved Iraqi ground troops and U.S. air support. Iraqi troops surrounded the safehouse where the two men were hiding and engaged them in a firefight. They then called in U.S. helicopters for air support due to concerns that Masri was wearing a suicide vest. After the shooting inside the safehouse stopped, four dead men were discovered inside the house: Masri, his assistant, Baghdadi, and Baghdadi's son. A suicide vest was found on Masri's body. Two women were also found alive inside the house. The identities of both men were reportedly confirmed via DNA testing and fingerprinting. The intelligence that allowed U.S. and Iraqi troops to track down all three men came from a senior al-Qaida operative captured in March. A U.S. tip generated more information from Iraqi informants that led to the safehouse outside Tikrit, where Masri and Baghdadi were found.




McAfee Anti-Virus Goes Berserk, Reboots PCs
Associated Press (04/22/10)

Thousands of computers hospitals, schools, and companies worldwide started continuously rebooting themselves on April 21 after downloading updates for McAfee's anti-virus software. The problem started when the update, which was released that morning, identified a normal Windows file as a virus. Companies and organizations across the globe were affected, including the National Science Foundation (NSF), the Kentucky state police, and Illinois State University. The university's IT department moved to correct the problem by preventing computers from downloading the update. It then worked on machines individually to get them running again since the computers could not download new software updates while they were constantly rebooting. NSF headquarters temporarily lost computer access due to the problem, while Kentucky police officers were told to shut down the computers in their cars while the problem was being fixed. McAfee has since posted a new update to replace the faulty version that was sent out on Wednesday.


Federal Cybersecurity Monitoring Goes Real-Time and Digital
NextGov.com (04/21/10) Sternstein, Aliya

The White House Office of Management and Budget (OMB) recently released a memo that outlines new continuous reporting requirements for federal agencies. Under the requirements, federal agencies will be required to submit a variety of information, including holistic views of their security programs and information about the specific security measures used by their major department divisions, through a Web-based gateway called CyberScope by Nov. 15. In addition, agencies must submit information about their security programs on a monthly basis beginning next year. The memo also says that CyberScope will ask agencies questions about the status of their security measures. If any vulnerabilities are reported, federal security specialists will be sent to interview agency officials. The goal of the requirements is to improve the execution of the Federal Information Security Management Act, which has been criticized for including burdensome reporting requirements. The requirements will also help federal agencies know the status of their security across all their bureaus and agency components, says the SANS Institute's Alan Paller.


Web Hit by Hi-Tech Crime Wave
BBC News (04/20/10)

Cyber-savvy criminals are carrying out more than 100 attacks a second on the world's computers, suggests a new Symantec survey. Although the majority of these attacks are benign, the report says that a PC is hit by an attack once every 4.5 seconds. The barrage of attacks was spurred by a precipitous increase in the circulation of malicious software, the annual report states. The volume of malware samples that Symantec tallied in 2009 was 71 percent higher than in the previous year. From this data Symantec determined that 51 percent of all the viruses, Trojans, and other malicious programs it has ever come across were logged during 2009. Overall, Symantec identified nearly 3 million pieces of malicious code during that 12-month time span. The steep increase in malware was fueled primarily by the proliferation of easy-to-use toolkits that amateur cybercrooks are using to generate their own malware, says Symantec's Tony Osborn.


Cyberattack on Google Said to Hit Password System
New York Times (04/19/10) Markoff, John

The cyberattack against Google's computer networks, first disclosed in January, also reportedly breached the company's password system, called Gaia, which controls user access to almost all of its Web services. Although the hackers do not appear to have stolen the passwords of Gmail users, the Gaia breach leaves open the possibility that hackers may find other unknown security weaknesses. The intruders were able to gain control of a software depository used by the Google development team by luring an employee to a poisoned Web site through a link in an instant message. "If you can get to the software repository where the bugs are housed before they are patched, that's the pot of gold at the end of the rainbow," says McAfee's George Kurtz. An attacker looking for weaknesses in the system could benefit from understanding the algorithms on which the software is based, says Neustar's Rodney Joffe. Google still uses the Gaia system, although now it is called Google Sign-On. Soon after the intrusion, Google activated a new layer of encryption for its Gmail service. The company also tightened the security of its data centers and further secured the communications links between its services and the computers of its users.


Politically Motivated Attacks Could Force Enterprises to Reshape Defenses
Dark Reading (04/19/10) Wilson, Tim

Companies are being increasingly targeted by politically-motivated cyberattacks, according to a new Damballa report. Damballa's Gunter Ollmann says the attacks are being launched for a number of reasons, including anger over a company's political positions, environmental record, and its treatment of employees. He notes that these attacks can take many forms, such as distributed denial-of-service attacks, Web site defacement, or malware. The attacks can be difficult to defend against because the security measures many companies have put in place are designed to protect them from criminals trying to steal money or data, not protesters trying to make a political statement. In addition, laws are not clear about the differences between a civil protest such as an email campaign and a politically motivated cyberattack, Oilmann says. However, he observes that there several steps that companies can take to protect themselves from angry cybercriminals, including having policies in place for responding to politically motivated attacks. Ollmann says that companies also should try to stay ahead of potential threats by monitoring what is being said about them on the Web and social networking sites.


Abstracts Copyright © 2010 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments:

Post a Comment