Friday, September 20, 2013

Security Management Weekly - September 20, 2013

Corporate Security
  1. "Starbucks Seeks to Keep Guns Out of its Coffee Shops"
  2. "Thieves Nab 4,000 lbs. of Copper From N.Y. Power Station"
  3. "Robbery Video Sent to Cops Within Minutes"
  4. "Security Awareness: Is There a Magic Formula?"
  5. "Where's My Security ROI?"

Homeland Security
  1. "Officials Probing Whether Workplace Dispute Drove Navy Yard Shooting"
  2. "Same Firm Vetted Snowden, Navy Shooting Suspect"
  3. "Military’s Background Check System Failed to Block Gunman With a History of Arrests"
  4. "D.C. Navy Yard Gun Attack Kills 12, Wounds 14; Alleged Shooter Dead, ID’d as Aaron Alexis"
  5. "New Report Highlights Unfulfilled Recommendation by 9/11 Commission"

Cyber Security
  1. "Symantec Fingers Most Advanced Chinese Hacker Group"
  2. "U.S. Official Warns on Threat to Banks From Cyberattacks"
  3. "Swisscom Data Stolen"
  4. "7 Ways to Build Your Cybersecurity Team"
  5. "What Kind of Target Are You?"

Corporate Security

Starbucks Seeks to Keep Guns Out of its Coffee Shops
New York Times (09/19/13) Strom, Stephanie

Starbucks has announced a policy change asking customers not to carry guns in its stores or outdoor seating areas. Company officials announced the shift in the wake of the Sept. 16 shooting at the Washington Navy Yard, although Starbucks said the change was not a response to that incident. Starbucks had previously been embraced, against its wishes, by "open carry" activists because it followed local laws permitting openly carried firearms where other companies had banned them, and some gun-control activists responded by boycotting the company or holding protests outside its stores. While Starbucks CEO Howard Schultz acknowledged strong feelings on both sides of the debate, he justified his decision by saying, "Customers in many stores have been jarred and fairly uncomfortable to see guns in our stores, not understanding the issue and feeling that guns should not be part of the Starbucks experience, especially when small kids are around." Schultz did say that baristas would not ask people with guns to leave, nor would there be any signage stating that guns are banned. The company will first evaluate compliance with the policy without these measures and may consider signs at a later date.


Thieves Nab 4,000 lbs. of Copper From N.Y. Power Station
Security Director News (09/18/13)

Since the beginning of June, thefts at the Wind Farm Power Station in Orangeville, N.Y., have resulted in the loss of 4,000 pounds of copper. Those thefts have cost O'Connell Electric, which operates the station, $20,000 in material alone. In the most recent theft, at the end of last month, thieves cut through the metal fence surrounding O'Connell Electric's plant. According to investigator Aaron Anderson, some of the stolen copper was insulated and some was bare, but all of it was three-quarter-inch-thick, one-inch-diameter braided copper cut out in sections, leading him to believe that the thief is "someone with knowledge" of power stations. Dave Copestick, the general foreman at the plant, said that station workers are concerned about what might happen if people try to steal more copper; he noted that any thief is "risking life and limb trying to pick up a few hundred dollars" because of the high voltage at the plant. The Wyoming County Sheriff's Office has asked local metal yards to be on the lookout for large quantities of copper, and O'Connell Electric has offered a $1,000 reward for information leading to an arrest.


Robbery Video Sent to Cops Within Minutes
Security Director News (09/16/13) Canfield, Amy

Fulton Financial Corp. has implemented a new enterprise DVR management system, Verint's Actionable Intelligence Solution, in all of its 270 offices. According to Dianne Kolb, Fulton vice president and corporate security director, and Susan Follmer, Fulton's corporate physical security manager, the best attribute of the new system, which is centrally managed with Verint's Nextiva Op-Center, is the time it saves in getting surveillance video to local police in the event of a robbery or other criminal incident at one of the offices. The video is sent to police from a desktop within minutes of the incident, potentially giving them the chance to catch the perpetrator before he or she leaves the area. This also lets the company shift its focus to the well-being of its employees more quickly. Follmer and Kolb also receive automatic assurance from the system that everything is running: the system sends a report if a DVR is not communicating with the network, so Fulton no longer has to conduct monthly physical checks of its cameras.
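The "report if a DVR is not communicating" check described above is the kind of heartbeat reconciliation a security team would script against any fleet of recorders. The following is an added example, not Fulton's or Verint's code; the site identifiers, timestamps and the 15-minute silence threshold are constructed for illustration. It compares an inventory of expected units against the last heartbeat each one sent and flags units that are stale, have never reported, or are reporting but are not in the inventory (which could be inventory drift or an unexpected device).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real sites): the DVRs the security team
# expects to exist, and the last heartbeat the central manager saw from each.
DVR_INVENTORY = {"site-001", "site-002", "site-003", "site-004"}

LAST_HEARTBEAT = {
    "site-001": datetime(2013, 9, 16, 8, 59, tzinfo=timezone.utc),
    "site-002": datetime(2013, 9, 16, 5, 10, tzinfo=timezone.utc),  # hours silent
    "site-003": datetime(2013, 9, 16, 9, 0, tzinfo=timezone.utc),
    # site-004 is in the inventory but has never checked in
    "site-099": datetime(2013, 9, 16, 9, 0, tzinfo=timezone.utc),  # not in inventory
}


def dvr_health_report(inventory, heartbeats, now, max_silence=timedelta(minutes=15)):
    """Classify every recorder as healthy, stale, missing or unknown.

    healthy: in inventory, heartbeat within max_silence of `now`
    stale:   in inventory, last heartbeat older than max_silence
    missing: in inventory, no heartbeat ever recorded
    unknown: sent a heartbeat but is not in the inventory
    """
    report = {"healthy": [], "stale": [], "missing": [], "unknown": []}
    for site in sorted(inventory):
        seen = heartbeats.get(site)
        if seen is None:
            report["missing"].append(site)
        elif now - seen > max_silence:
            report["stale"].append(site)
        else:
            report["healthy"].append(site)
    # Anything reporting that the inventory does not know about deserves a look
    # too: either the inventory is out of date or a device was added unannounced.
    report["unknown"] = sorted(set(heartbeats) - set(inventory))
    return report


def needs_alert(report):
    """True if any bucket other than 'healthy' is non-empty."""
    return bool(report["stale"] or report["missing"] or report["unknown"])


def sample_report():
    """Run the check against the constructed data at a fixed 'now'."""
    now = datetime(2013, 9, 16, 9, 5, tzinfo=timezone.utc)
    return dvr_health_report(DVR_INVENTORY, LAST_HEARTBEAT, now)


if __name__ == "__main__":
    r = sample_report()
    for status, sites in r.items():
        print(f"{status:8s} {', '.join(sites) or '-'}")
    print("ALERT" if needs_alert(r) else "all clear")
```

Run on a schedule (or on each heartbeat batch), the report replaces the monthly walk-round: a recorder that is powered off, unplugged from the network, or quietly swapped out shows up within one threshold interval rather than weeks later.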


Security Awareness: Is There a Magic Formula?
CSO Online (09/05/13) Brock, Larry

Most security experts agree that an effective education and awareness program is one of the cheapest ways to improve security at a business, and because threats change constantly, implementing such training has become even more important. A good program can turn employees into skilled detectors of potential attacks before they succeed. Employees who understand company policy will also help ensure that sensitive information is protected from risky activities, so those policies should spell out how sensitive information is to be handled. A good awareness program should also teach workers that the financial health of the company can depend on proper handling of confidential data. Compulsory computer-based training should be part of orientation. The most critical feature, however, should be a data protection program that monitors users for potentially risky activity in real time; such programs can be highly effective at mitigating risks before a breach or lapse in security occurs. Building a culture of security education within a company can be a key step in avoiding disaster.


Where's My Security ROI?
CSO Online (09/03/13) Contos, Brian

Return on investment (ROI) and return on security investment (ROSI) can both be tools for aligning security budgets with business priorities. An enhanced ability to prevent malicious activity, a shorter window between incident detection and remediation, and better decision making based on more precise security data are a few important components of ROSI, but measuring them may not be an option for businesses with little security expertise. As a result, many businesses are asking their security teams to adopt ROI measures that sync with existing business processes. One strategy involves using security suites and APIs; another is for security officials to take the systems already in place and make them more effective. Both methods can save money without sacrificing security.

Homeland Security

Officials Probing Whether Workplace Dispute Drove Navy Yard Shooting
Washington Post (09/20/13) Halsey III, Ashley ; Williams, Clarence; Horwitz, Sari

Law enforcement officials speaking on condition of anonymity say that they are looking into the possibility that Washington Navy Yard gunman Aaron Alexis was upset with his co-workers when he carried out his shooting rampage on Monday. Officials say that the shootings, which claimed the lives of 12 people, began on the fourth floor of Building 197, where Alexis worked as an IT contractor. One law enforcement official says that the investigation into the shootings so far indicates that Alexis first shot co-workers that he had some type of dispute with. The investigation into Alexis' work life has revealed that at least some of his colleagues believed that he was not doing a very good job and that they were concerned about his poor job performance. Those concerns may have escalated in the week before the shootings, officials say. However, officials also point out that the severity of the dispute remains unknown. After shooting several of his co-workers, Alexis then moved around the building and shot others, looking for what one official said were "targets of opportunity." Alexis was ultimately shot and killed after engaging in several gun battles with police. The Experts, the company that employed Alexis, has not said whether or not there was a dispute between Alexis and his co-workers.


Same Firm Vetted Snowden, Navy Shooting Suspect
Wall Street Journal (09/19/13) Nissenbaum, Dion; Barrett, Devlin

US Investigations Services (USIS) LLC confirmed on Sept. 19 that it conducted the background check on the Washington Navy Yard shooting suspect. The same company previously missed signs that former National Security Agency (NSA) contractor Edward Snowden might pose a data theft risk: the U.S. Office of Personnel Management (OPM), which oversees security clearance reviews, has already concluded that USIS neglected to interview key people in Snowden's life and failed to question some of his overseas travel. According to USIS representatives, the company carried out a background check on Aaron Alexis in 2007, when he joined the Navy Reserve. No details of that investigation were released. USIS already faces a grand jury investigation into whether its reviews are sufficiently thorough, a case that the Navy Yard shooting could fuel. OPM said that, unlike in the Snowden case, USIS appeared to have followed procedures in the Alexis review and did not miss Alexis' 2004 arrest in Seattle for shooting out the tires of a coworker's car. However, that incident apparently was not enough to deny him a "secret" security clearance, which he retained even after he left the Reserve.


Military’s Background Check System Failed to Block Gunman With a History of Arrests
Washington Post (09/18/13) Leonnig, Carol D.; Gold, Matea; Hamburger, Tom; et al.

President Obama has ordered his budget office to launch a government-wide review of security standards for federal contractors and employees, amid questions about how Navy Yard gunman Aaron Alexis was able to obtain a secret-level clearance despite a history of arrests. Alexis was first granted a secret-level clearance, which gave him complete access to six military installations, when he was a full-time Navy reservist in 2008, and he still held that clearance when he was re-hired by a Hewlett-Packard subcontractor in June to work on a computer project at Navy and Marine Corps facilities. This was despite his having been arrested a number of times over the last several years, including for firing a gun into the ceiling of his apartment in 2010. However, the background check conducted when he was re-hired by the HP subcontractor turned up only one minor traffic violation. The subcontractor that employed Alexis, a company known as The Experts, blamed the Pentagon for not informing it of Alexis' history and said it would not have hired him had it known about his past. The Defense Department has defended its handling of the case, saying those who are granted secret clearances are allowed to keep them as long as there is no "unadjudicated derogatory information" against them.


D.C. Navy Yard Gun Attack Kills 12, Wounds 14; Alleged Shooter Dead, ID’d as Aaron Alexis
Washington Post (09/17/13) Halsey III, Ashley; Hermann, Peter; Williams, Clarence

A former U.S. Navy reservist armed with a gun went on a shooting rampage at the highly secure Washington, D.C., Navy Yard on Monday, killing 12 people and injuring 5 others in an incident that resulted in the worst loss of life in the region since the Sept. 11 attacks. Authorities say the shooting spree began at about 8:15 a.m. when the alleged gunman, Aaron Alexis, shot a security guard at the Navy Yard's Building 197. Alexis is believed to have then taken the security guard's gun before methodically moving through the interior of the building in search of additional victims. Meanwhile, federal and local authorities converged on the Navy Yard several minutes after the first shots were fired. As authorities arrived, some employees at Building 197 evacuated the building after the fire alarm sounded, while other workers heeded advice to stay put and hid to stay out of the gunman's sight. Authorities eventually engaged in a series of shootouts with Alexis before he was fatally wounded. There were initially concerns that two other gunmen may have been involved, but that turned out not to be the case. D.C. Mayor Vincent Gray says that the shooting rampage was not a terrorist attack. Other officials said they are looking into the possibility that Alexis' discharge from the Navy Reserve may have played a role in the shootings.


New Report Highlights Unfulfilled Recommendation by 9/11 Commission
Homeland Security News Wire (09/15/13)

A new report by the Annenberg Retreat at Sunnylands and the Aspen Institute's Justice and Society Program says that Congress continues to put Americans at risk by failing to consolidate oversight of the Department of Homeland Security (DHS), as recommended by the 9/11 Commission. According to the report's authors, "Fragmented jurisdiction impedes DHS’ ability to deal with three major vulnerabilities: the threats posed by small aircraft and boats; cyberattacks; and biological weapons." 9/11 Commission Co-Chairman Thomas H. Kean said that this is both one of the most important recommendations of the Commission and one of the hardest to implement, as Congress tends not to focus on reforming its own practices. The report--which was written by a task force made up of both current and former members of Congress, executive branch and DHS officials, and other homeland security experts--specifically calls for Congress to create a unified oversight structure for DHS like those in place for the departments of Defense and Justice. It also recommends that committees overseeing DHS have overlapping membership and that an authorization bill is put in place that gives the department a clear mission from Congress.

Cyber Security

Symantec Fingers Most Advanced Chinese Hacker Group
Wall Street Journal (09/18/13) Yadron, Danny

Symantec's new 28-page report has identified the most advanced Chinese hacker group, which it refers to internally as "Hidden Lynx," as a group of 50 to 100 professional cybercriminals. The group has previously breached Adobe, Bit9, Google, Lockheed Martin, and RSA, and is likely a "hackers for hire" service that has been active since at least 2009, the report found. Since November 2011, 52.8 percent of the group's targets have been U.S. companies and 15.5 percent have been in Taiwan, while 9 percent of its targets have been in China. Symantec did not mention any involvement of, or link to, the Chinese government, saying only that "much of the attack infrastructure and tools used during these campaigns originate from network infrastructure in China." However, other security researchers have said that the group is likely working on behalf of the Chinese government, given its sophistication, the targets it has chosen, and the methods it has used in carrying out attacks.


U.S. Official Warns on Threat to Banks From Cyberattacks
Wall Street Journal (09/18/13) Crittenden, Michael R.

Comptroller of the Currency Thomas Curry on Wednesday said that information sharing among regulators, the financial services industry, and federal agencies must improve to protect financial systems from the growing threat of cyberattack. "The financial-services industry is one of the more attractive targets for cyberattacks, and, unfortunately, the threat is growing," said Curry, pointing to increasingly advanced cyberthreats posed by criminal organizations, hackers, and foreign governments. Denial-of-service and other attacks have knocked out bank websites, and banks have spent millions trying to defend against the threat. However, smaller firms lack the ability to implement the level of security employed at their larger counterparts, and experts warn that cybercriminals could breach a smaller bank to access the wider financial system, due to banks' growing interconnectedness. The government has regularly held classified briefings for banks on potential threats, and bank executives must assume responsibility for guarding against potential threats, Curry says.


Swisscom Data Stolen
Wall Street Journal (09/18/13) Revill, John

The Swiss telecommunications firm Swisscom AG said Sept. 18 that backup tapes had been stolen from two of its sites, potentially putting customers' personal information at risk. The company became aware of the thefts after four tapes were given to the Neue Zuercher Zeitung (NZZ), a nationwide Swiss newspaper, which published a report on them. The paper noted that the tapes contained 600,000 phone numbers, medical appointments and invitations to social events, as well as 14,500 e-mails from Swisscom employees, including details of contracts with the company's business and private customers. The company is investigating the theft and has informed the Swiss Federal Data Protection and Information Commissioner. A Swisscom spokesman said the theft is believed to have happened in 2012 while the tapes were being transported for destruction, adding that the company is not aware of any motive for stealing the tapes, and that no one has tried to blackmail the company with them. In its statement, Swisscom said that the tapes contained backup files of internal data from 2008 to 2010, and that it has filed charges against persons unknown with the public prosecutors. Three of the tapes were returned to Swisscom by NZZ, while the fourth tape was returned by NZZ to the person or persons who provided it to the paper.


7 Ways to Build Your Cybersecurity Team
Federal Computer Week (09/16/13) Corrin, Amber

The Security for Business Innovation Council recently released the first of three reports, which outlines seven recommendations for building a sophisticated security team. The report says that because information security is a cross-organizational undertaking, with security processes deeply embedded in business functions, more people at various levels must be involved in an organization's security. This extended team must include the business, procurement, and legal sides, among others. There should also be a core team with focused, specific competencies, an idea that tops the list of recommendations. These core-team proficiencies should focus on cyberrisk intelligence and security data analytics, security data management, risk consultancy, and controls design and assurance. At the same time, it is also important to rely on internal units or external providers for everyday security processes and routines, and organizations need to be open to "borrowing or renting" experts with certain specialties when the need arises, the report says. Other recommendations address relationships, both inside the organization (partnerships that foster ownership of security risks and a coordinated approach to security) and outside it (strategic partnerships that can be leveraged when needed).


What Kind of Target Are You?
CSO Magazine (09/13) Vol. 12, No. 7, P. 28 Violino, Bob

Security experts and executives say that while any company can become the victim of a cyberattack, some are more likely than others to be targeted. The majority of those that suffer attacks have been nothing more than targets of opportunity, because they inadvertently exposed a weakness that someone knew how to exploit, says the "2013 Data Breach Investigations Report" from Verizon Enterprise Solutions. Wade Baker, the managing principal of the Verizon Risk Team and the principal author of the report, notes that companies often become targets because a service or vulnerability they expose is one that cybercriminals look for and then exploit. The report shows that three-quarters of breaches result from simple opportunistic attacks, and, though the percentage is difficult to determine, Baker believes that the share of attacks that begin with vulnerability scans could be more than 90 percent. Attackers look for certain things in their targets, such as a known vulnerability or something enticing like intellectual property, product information, or liquid financial assets. Some attackers may even consider the size of their target, though it is likely that small and midsize businesses often become targets simply because they lack the resources and knowledge base to properly protect themselves and fix vulnerabilities. Ultimately, it is vital for companies to be diligent about implementing proper security measures and taking steps to reduce exposure and risk.


Abstracts Copyright © 2013 Information, Inc. Bethesda, MD

