
Friday, July 02, 2010

Security Management Weekly - July 2, 2010

July 2, 2010
Corporate Security

  1. "Ontario's Human Rights Tribunal Rules Home Depot Canada Discriminated Against Sikh Man"
  2. "39 Breaches Involving Financial Service Companies in 1st Half of 2010"
  3. "China Pushing the Envelope on Science, and Sometimes Ethics"
  4. "Marsh Report: Terrorism Risk Management Costs Decline as Federal Reinsurance Backstop Continues to Stabilize Terrorism Insurance Market"
  5. "Planning Ahead Can Minimize Data Breach Risks"
Homeland Security

  1. "U.S. Charges 11 in Russian Spy Case"
  2. "Amtrak Echoes Call for Vigilance" DHS Secretary Janet Napolitano Announces New Vigilance Campaign
  3. "Anti-Terrorism Drills Staged at Metro Stations" Washington, D.C.
  4. "Arizona, Texas Call for More Border Troops"
  5. "Pakistan and India to Fight Terrorism Together"
Cyber Security

  1. "White House Cybersecurity Czar Unveils National Strategy for Trusted Online Identity"
  2. "Come Together Over Cybercrime" Greg Schaffer of DHS Warns of Current Dangers of Cybercrime at CFO Core Concerns Conference
  3. "Security Managers Report Weak Threat Defenses" New Ponemon Institute Survey Finds Many Organizations Have Been Attacked Recently by Advanced Threat
  4. "20 Critical Security Controls Your Organization Should Focus On"
  5. "5 Steps to Cyber-Security Risk Assessment"

Ontario's Human Rights Tribunal Rules Home Depot Canada Discriminated Against Sikh Man
Toronto Star (Canada) (07/01/10) Kennedy, Brendan

Ontario's Human Rights Tribunal has ruled that Home Depot Canada and one of its senior employees discriminated against a Sikh security guard by “selectively enforcing” a hard hat rule and threatening to fire him for not removing his turban. Tribunal vice-chair Ena Chadha wrote in her decision that the company and assistant manager Brian Busch also subjected Deepinder Loomba to “discriminatory treatment in the form of rude and offensive comments and conduct” based on his Sikh religion. “I am satisfied that the complainant was treated differently because of his turban and that this was negative differential treatment,” Chadha wrote. On Dec. 6, 2005, Loomba, who worked for Reilly's Security Services, showed up for his morning shift at a Milton Home Depot. The store was six weeks from opening and some areas were still under construction. Loomba testified at the tribunal that Busch told him he had to put on a hard hat, despite the fact his role was to sit at a desk away from construction zones. He said people were moving around the site without hard hats. Loomba testified that when he did not comply, Busch was rude to him and later mocked him with a group of workers at the site. After he left the facility, he said Busch approached him and told him that individuals before him had been fired for not complying in a similar fashion. Busch denied making fun of Loomba and said he never threatened to fire him. The case was brought before the tribunal after Home Depot failed to respond to complaints. Chadha has not decided on a remedy for the case, but Loomba is seeking around $25,000 and changes to Home Depot's policies.


39 Breaches Involving Financial Service Companies in 1st Half of 2010
BankInfoSecurity.com (06/28/10) McGlasson, Linda

So far this year there have been 39 reported data breaches involving financial service companies, in which more than 8.3 million records have been stolen. This constitutes more than 50 percent of the total number of reported data breaches financial services firms suffered in all of 2009, and experts warn that more attacks are likely. Only 11.1 percent of the data breaches disclosed so far this year involve financial services, but the Identity Theft Resource Center's Linda Foley says the business sector tops the list for breaches in the first half of 2010 because of the growing number of credit card-related breaches at businesses, retailers, hotels, and restaurants. "We're seeing a lot of retail, hotel and restaurants being hacked into somewhere between the point of sale and the card-processing server," she notes. The Ponemon Research Institute's Larry Ponemon says data breaches at financial service companies are not easing. "My research suggests that financial institutions are particularly susceptible to automated agent attacks such as botnets, data-stealing malware, and other advanced threats," he says. As a result, data breach costs are likely to climb for retail banks, credit card firms, and other financial service companies, Ponemon warns.


China Pushing the Envelope on Science, and Sometimes Ethics
Washington Post (06/28/10) P. A1; Pomfret, John

China has rocketed back into the top ranks of scientific research by being free from the social and legal hindrances common in the West and due to its investment of billions of dollars. Nearly every Chinese ministry boasts a program to gain a technological lead of some sort, and in May a Chinese supercomputer was named the second fastest machine in the world at an international conference in Germany. China also is only second to the United States in the number of research articles published in scientific and technical journals worldwide. Many top Chinese scientific institutes appear to be insulating themselves from bureaucratic interference, which has raised ethical concerns about the research they are conducting. Among the challenges China faces is a weak innovation framework and unrealistic bureaucrat-driven mandates to produce discoveries. Another troubling fact is China's status as the leading source of "junk" patents, while plagiarism and doctored results abound. China's growing competitiveness is causing U.S. experts to question the practice of opening research institutions to Chinese students. U.S. Federal Bureau of Investigation officials also claim that China is running a large U.S.-based espionage operation to steal the country's industrial, military, technological, and scientific secrets.


Marsh Report: Terrorism Risk Management Costs Decline as Federal Reinsurance Backstop Continues to Stabilize Terrorism Insurance Market
MarketWatch (06/23/10)

According to "The Marsh Report: Terrorism Risk Insurance 2010" report, take-up rates for U.S. terrorism insurance continued to rise in 2009 among companies of all sizes and across all industries. The number of companies purchasing property terrorism insurance rose from 57 percent in 2008 to 61 percent last year, indicating a steady climb from the 23 percent purchasing similar coverage in 2003. Median premium rates fell to $25 per million in 2009 from $37 per million of total insured value (TIV) in 2008. Of the 15 industries examined, utility, real estate, healthcare, transportation, financial, and media firms paid the highest rates, though take-up rates exceeded 70 percent. Median premium rates for construction, hospitality, utility, and real estate firms were $50 per million of TIV. Marsh reported that take-up rates were highest in the Northeast and remained flat in the Midwest. Marsh Property Practice Senior Vice President Ben Tucker says, "Terrorism risk remains a critical concern for global companies. Recent attempted attacks in New York's Times Square and on a Detroit-bound flight on Christmas day 2009 remind companies of the importance of securing adequate financial protection against the possible catastrophic impact of terrorist events." Capacity in the standalone terrorism insurance market has increased to a theoretical maximum of $3.76 billion, but experts caution that the Terrorism Risk Insurance Act (TRIA) is still necessary to cover high-profile urban exposures because commercial insurers remain concerned about the high cost of reinsurance and residual risk associated with terror events in those areas. Tucker notes, "Terrorism remains a real and present risk, notably in major metropolitan areas. There is a real potential for an economic downturn should terrorism insurance not be readily available. The insurance industry should fully explore all possible options to maintain a viable market, regardless of the level of federal participation beyond 2014."


Planning Ahead Can Minimize Data Breach Risks
National Underwriter (Property & Casualty - Risk & Benefits Management Edition) (06/25/10) McDonald, Caroline

A panel presenting as part of an ACE webinar recommends that all companies that keep personal consumer information on record have detailed plans to prevent data theft and to communicate effectively with customers in the event of a breach. The panel argued that such a plan is not only good for data protection, but can also help prevent unnecessary damage to the company's reputation. In addition to contacting those consumers affected, the company should also consider getting in touch with the FBI or other authorities, depending on the nature of the loss. However, before determining how best to respond to a breach, the company should identify a team to be in charge of that response. Members of a response team, panelists said, should include senior level management from legal, compliance, information security, risk management, corporate communications and marketing departments. A team leader should also be identified to serve as the central contact for reporting status to senior management, and would oversee implementation of the plan. Additionally, the company should consider seeking outside expert advice for assistance in forensic, legal, and public relations concerns.




U.S. Charges 11 in Russian Spy Case
Wall Street Journal (06/29/10) Perez, Evan

The FBI has broken up a Russian spy ring in what U.S. officials say is one of the biggest disruptions of a foreign intelligence operation in the last several years. According to the FBI, the 11 people who were involved in the spy ring were sent to the U.S. by the Russian overseas intelligence service in the mid-1990s in order to infiltrate policy-making circles and send intelligence reports back to Moscow. In order to do that, the spies tried to blend into U.S. society by living what seemed to be typical lives in suburban Washington, D.C., and New York City, as well as a number of other locations across the country. Some of these individuals were able to make contacts with government officials, as well as a financier who funded both the Democratic and Republican parties. Other agents were used to travel to other countries to pick up cash for their colleagues. Still others, including Christopher Metsos, the suspected ringleader of the group who remains at large, allegedly helped facilitate the transfer of cash and flash memory cards that had been provided by a Russian official. However, none of the agents were able to access or reveal secret information.


Amtrak Echoes Call for Vigilance
Boston Globe (07/02/10)

Department of Homeland Security (DHS) Secretary Janet Napolitano has announced a new vigilance campaign as part of DHS's information-sharing drive with Amtrak, in Penn Station. The campaign is based on the Metropolitan Transportation Authority's slogan that tells New Yorkers, "If you see something, say something." Napolitano praised the slogan as highly effective in encouraging public participation in security. "All play a critical role in increasing awareness and improving preparedness," she said. The launch of the campaign follows DHS's recent threat assessment of mass transit in the United States, which found that, although there are no specific plots against mass transit at this time, these systems remain prime targets for terrorist activity.


Anti-Terrorism Drills Staged at Metro Stations
Washington Post (06/30/10) P. B04; Tyson, Ann Scott

Anti-terrorism drills were carried out in the subway systems of cities up and down the East Coast on Tuesday. In suburban Washington, D.C., for example, Metro Transit Police boarded trains and inspected stations along a large portion of the Metrorail system's Red Line. Similar drills were also conducted at the Greenbelt Station on the Green Line. Also participating in the drills were behavioral detection officers, who were looking for people behaving suspiciously. All told, about 150 law enforcement officers from a number of local, state, and federal agencies took part in Tuesday's drill in the Washington area. The drill was part of Metro's Blue TIDE (Terrorism Identification and Deterrence Effort), a program that was launched in February to show that the transit agency is taking steps to protect passengers from terrorists. Terrorism drills were also conducted in New York City. During those drills, roughly 100 New York City Police officers performed additional bag screenings and inspections of trains and subways during the morning rush hour. Both the New York and Washington drills were part of Rail Safe, a coordinated anti-terrorism effort along the Northeast Corridor.


Arizona, Texas Call for More Border Troops
Wall Street Journal (06/30/10) Stein, Perry

The governors of Arizona and Texas are criticizing President Obama's plan to deploy 1,200 National Guard troops along the U.S.-Mexico border, saying that the number of troops that their states are getting will not be enough to prevent illegal immigration. Under the Obama administration's plan, Arizona would receive 524 National Guard troops, while Texas would receive 250. But Katherine Cesinger, a spokeswoman for Texas Gov. Rick Perry, said that the number of guards her state is receiving is not enough to secure the border. She added that Texas would continue to try to persuade the federal government to provide it additional resources. Arizona Gov. Jan Brewer, meanwhile, also said that she had hoped that her state would receive more troops. In response to the criticism, White House Press Secretary Robert Gibbs said that the Obama administration has made extraordinary efforts to secure the U.S.-Mexico border. Meanwhile, Sen. John McCain (R-Ariz.) is sponsoring legislation that would deploy 6,000 National Guard troops to the border. Fred Barton, a vice president of the global intelligence firm Stratfor, said that number is more in line with what is needed for adequate border security. The bill has been approved by the Senate Armed Services Committee, though it remains unclear whether the full Senate will pass the measure.


Pakistan and India to Fight Terrorism Together
Agence France Presse (06/27/10) Shahzad, Khurram

Pakistan and India, as well as the other members of the South Asian Association for Regional Cooperation, agreed on Saturday to work together to fight terrorism in the region. Speaking after the SAARC's conference for interior ministers from the region, Indian Home Minister P. Chidambaram and Pakistani Home Minister Rehman Malik said their two countries will work together to create a common counterterrorism strategy. Malik noted that this strategy will involve Pakistan's Federal Investigation Agency and India's Central Bureau of Investigation working together to deal with terrorism issues. For instance, the two agencies will cooperate with one another in the investigation into the 2008 Mumbai terrorist attacks, Malik said.




White House Cybersecurity Czar Unveils National Strategy for Trusted Online Identity
DarkReading (06/28/10) Higgins, Kelly Jackson

The White House has released a draft plan designed to make online transactions safer. The plan outlines a national strategy for trusted digital identities that could ultimately phase out the username-and-password model and establish a platform for a national federated identity infrastructure. The plan calls for an identity ecosystem for users and organizations to carry out online transactions privately and securely. Cybersecurity coordinator Howard Schmidt says that "through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential from a variety of service providers—both public and private—to authenticate themselves online for different types of transactions." He stressed that the identity ecosystem or scheme would be user-oriented. The National Strategy for Trusted Identities in Cyberspace draft paper urges the designation of a federal agency to spearhead public-private sector efforts to deploy the blueprint, and for the federal government to lead the adoption of secure digital identities. Gartner analyst Avivah Litan says there is an abundance of technology for federated identity systems, but there has been little momentum for "high-assurance" authentication schemes, such as vouching for the identity of a banking customer performing an online transaction.


Come Together Over Cybercrime
CFO (06/10) Leone, Marie

Cybercrime was the topic of a panel at the CFO Core Concerns conference, where Greg Schaffer of the Department of Homeland Security warned that it is not a future problem but a current and existing one. Revenues from cybercrime have hit $1 trillion per year, he said, making it more profitable than drug trafficking. For this reason, the communications gap between corporate risk managers and IT staff needs to be eradicated, he said. The siloed approach will not work for a problem that permeates the entire company, and CFOs must break down the silos. Often it is even difficult for companies to realize they have been hacked, so a company needs systems and processes that can detect breaches as well as prevent them.


Security Managers Report Weak Threat Defenses
InformationWeek (06/29/10) Schwartz, Mathew J.

A new Ponemon Institute survey found that 83 percent of information security professionals say their organizations have been attacked recently by advanced threats, and 71 percent report that such attacks have increased in the last year. But even as these advanced attacks escalate, many companies do not always know when they are being targeted. Forty-one percent of those surveyed said that they were unable to gauge how frequently they were targeted by sophisticated threats. For the survey, advanced threats were described as being "a methodology employed to evade an organization's present technical and process countermeasures, which relies on a variety of attack techniques, as opposed to one specific type." Although zero-day attacks are the most frequent form of targeted attack, Ponemon says "there are increasingly many instances where known attacks are being re-engineered and repackaged to extend their usefulness."


20 Critical Security Controls Your Organization Should Focus On
Federal Computer Week (06/23/10) Moore, John

The 20 pivotal security controls listed in the Consensus Audit Guidelines represent the top priority defenses that organizations should focus on, based on the probability of real-world events. The categories, which are not listed in order of priority, are divided into those that can be automatically benchmarked, in part or in whole, and those that require manual validation. The critical controls that can be automatically collected, measured, and validated are inventory of authorized and unauthorized devices; inventory of authorized and unauthorized software; secure configurations for hardware and software on laptop computers, workstations, and servers; secure configurations for network devices including firewalls, routers, and switches; boundary defense; maintenance, monitoring, and analysis of security audit logs; application software security; controlled use of administrative privileges; controlled access on a need-to-know basis; ongoing vulnerability assessment and repair; account monitoring and control; malware defenses; limitation and control of network ports, protocols, and services; wireless device control; and data loss prevention. Additional critical controls that require manual validation include secure network engineering, penetration tests and emergency-team exercises, incident response efficiency, data recovery capability, and security skills assessment and appropriate training to cover gaps.


5 Steps to Cyber-Security Risk Assessment
Government Technology (06/24/10)

There are five steps that organizations can take to assess their cybersecurity risks. For starters, organizations should spend time categorizing the information that they handle and determining which of these categories needs the most protection. Organizations should then determine where they store the various types of data on their networks. Then organizations should classify their information assets by using a scale of 1 to 5. Using this system, the number 1 should denote public information, 2 should refer to internal but not secret information, 3 should designate sensitive internal information, and 4 and 5 should be used to label compartmentalized internal information and regulated information, respectively. Next, organizations should rate the security threats faced by information that has been given one of the top ratings. These threats should be laid out on the X axis of a spreadsheet for each information asset, while the list of locations where the organization stores that data should be written on the Y axis. Organizations should then use a scale of 1 to 10 to rate the probability of the threat and the effect that the successful use of a particular attack would have on the organization, multiply these two numbers together, and enter the product into each of the spreadsheet's cells. Finally, the number in each of the cells should be multiplied by the classification number given to that type of information asset. A higher number means that organizations should address threats to those types of information as soon as possible.
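The five steps carried through in code, added here as an illustrative example rather than code from the article: the function names, the data structures and the sample assets, threats, storage locations and ratings are all constructed assumptions, while the 1-5 classification scale and the probability x impact x classification scoring follow the article.

```python
"""Constructed example of the five-step risk assessment described above.
Assumption: each asset gets one spreadsheet with threats on the X axis and
storage locations on the Y axis; a cell holds probability * impact, which is
then weighted by the asset's classification number."""
from typing import Dict, List, Tuple

# Step 3: the 1-5 classification scale as given in the article.
CLASSIFICATION = {
    1: "public",
    2: "internal, not secret",
    3: "sensitive internal",
    4: "compartmentalized internal",
    5: "regulated",
}

Cell = Tuple[str, str]  # (threat on the X axis, storage location on the Y axis)


def _check(value: int, low: int, high: int, name: str) -> int:
    """Reject ratings outside the scale so a typo cannot silently inflate a score."""
    if not low <= value <= high:
        raise ValueError(f"{name} must be between {low} and {high}, got {value}")
    return value


def cell_score(probability: int, impact: int) -> int:
    """Step 5, first part: probability (1-10) times impact (1-10) for one cell."""
    return _check(probability, 1, 10, "probability") * _check(impact, 1, 10, "impact")


def asset_risk_matrix(classification: int,
                      ratings: Dict[Cell, Tuple[int, int]]) -> Dict[Cell, int]:
    """Steps 4 and 5: fill every (threat, location) cell for one asset and
    multiply each cell by the asset's 1-5 classification number."""
    level = _check(classification, 1, 5, "classification")
    return {cell: cell_score(p, i) * level for cell, (p, i) in ratings.items()}


def ranked_risks(assets: Dict[str, Tuple[int, Dict[Cell, Tuple[int, int]]]]
                 ) -> List[Tuple[int, str, str, str]]:
    """Flatten every asset's matrix into (score, asset, threat, location)
    rows, highest score first, so the top rows are what to address first."""
    rows = []
    for asset, (classification, ratings) in assets.items():
        for (threat, location), score in asset_risk_matrix(classification, ratings).items():
            rows.append((score, asset, threat, location))
    return sorted(rows, reverse=True)


# Constructed sample input: a regulated asset stored in two places and a
# public asset, each rated against two threats (probability, impact).
SAMPLE_ASSETS = {
    "customer payment records": (5, {
        ("phishing of staff", "CRM database"): (7, 9),
        ("phishing of staff", "exported spreadsheets on laptops"): (7, 6),
        ("lost or stolen laptop", "CRM database"): (2, 3),
        ("lost or stolen laptop", "exported spreadsheets on laptops"): (6, 8),
    }),
    "public marketing site": (1, {
        ("phishing of staff", "web server"): (5, 4),
        ("lost or stolen laptop", "web server"): (1, 1),
    }),
}

if __name__ == "__main__":
    for score, asset, threat, location in ranked_risks(SAMPLE_ASSETS):
        print(f"{score:4d}  {asset:26s}  {threat:22s}  {location}")
```

Note how the same threat (phishing) scores 315 against the database copy but only 20 against the public site: the classification weight, not the threat alone, drives the ordering.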


Abstracts Copyright © 2010 Information, Inc. Bethesda, MD

