Friday, November 15, 2013

Security Management Weekly - November 15, 2013

Corporate Security
  1. "Personal Devices Pose Biggest Threat to Corporate Security"
  2. "Ridge Warns Utility Officials on Threat of Attack"
  3. "Employee Theft on the Rise, Survey Reveals"
  4. "New Credit Card Security Standards Issued"
  5. "Carnegie Mellon Study Suggests Repetition of Rare Events Could Reduce Screening Mistakes by Security Officers"

Homeland Security
  1. "Whitey Bulger, Boston Gangster Protected as Informant by FBI, Gets 2 Life Sentences Plus 5 Years"
  2. "Judge Could Torpedo NSA Surveillance Programs Monday"
  3. "Report Cites Quality-Control Problems With Security Clearance Process"
  4. "Snowden Persuaded Other NSA Workers to Give Up Passwords"
  5. "House Chairman Sounds Alarm Over Homeland Security Vacancies"

Cyber Security
  1. "Banking Malware Infections Rise to Highest Level Since 2002"
  2. "Tech Insight: Viral Arms Race Brings New, Better Evasion"
  3. "Hacker Attack on Adobe Sends Ripples Across Web"
  4. "To Thwart Spies, IETF Wants to 'Strengthen the Internet'"
  5. "Malware Incidents Go Unreported, Particularly in Large Businesses"

Corporate Security

Personal Devices Pose Biggest Threat to Corporate Security
Financial Times (11/15/13) Bolshaw, Liz

Security software provider Check Point has found that 93 percent of US and UK companies use mobile devices to connect to corporate networks, while 67 percent allow employees to connect personal devices. The same Check Point survey showed that 52 percent of large companies said they lost more than $500,000 in security-related incidents in 2012, and that those losses were caused by careless employees more often than by criminals. According to Steve Ackx, a director at professional services firm PwC, employee-related security problems will occur whether or not the company has a bring-your-own-device (BYOD) policy. "BYOD is unavoidable," he says, explaining that employees will often read company emails or download documents on their personal and mobile devices whether they are officially permitted to do so or not. That said, Check Point found that different mobile operating systems carry different risks, with 49 percent of respondents naming Google's Android platform as the most dangerous, compared to Apple, Windows Phone, and BlackBerry. To mitigate these risks, companies install encryption, require strong passwords, and use mobile device management (MDM), which allows the contents of a mobile device to be wiped if it is lost. Mr. Ackx warns that many employees may actually delay reporting a lost device because of MDM; they "don't want to lose their holiday photographs," he says. To provide better mobile security, Mr. Ackx advises organizations to instead "take appropriate measures to secure [company] data," adding that "There is no silver bullet solution."


Ridge Warns Utility Officials on Threat of Attack
Philadelphia Inquirer (PA) (11/13/13) Maykuth, Andrew

During the "Grid 20/20: Focus on Resilience" conference in Philadelphia on Tuesday, former Homeland Security Secretary Tom Ridge warned regional utility officials that they need to explore more ways to protect the nation's electric grid from attack. He noted that with threats becoming more frequent, those managing the nation's electrical transmission system need to be operating in a permanent state of alert. Grid operators face numerous threats, from natural disasters to cyberthreats from computer hackers and physical threats from terrorists. Cheryl LaFleur of the Federal Energy Regulatory Commission commented recently that the nation's electric grid is vulnerable to physical attacks because it is publicly accessible. Two such attacks took place against an electrical substation and AT&T fiber optic cables in California in April. Experts said the attacks were likely done in preparation for an assault on the electric grid. Ridge noted that while physical attacks against the nation's electric infrastructure are an area of concern, "the consequences of a physical attack are marginal at best compared to a cyber attack." He added that the public needs to be better informed by policymakers that improved security will come at a price, but that the risk of not improving security for the national grid and experiencing a disaster is far more costly.


Employee Theft on the Rise, Survey Reveals
Digital Journal (11/11/13) Cyprus, Jenna

Jack L. Hayes International's Annual Retail Theft Survey shows that retail theft increased 5.5 percent in 2012, which was the second increase in as many years. This finding is based on reports from 23 major retailers, leading corporate security experts to speculate that it may be representative of an ongoing problem among retailers. "The seriousness of retail theft is a much greater problem than many people realize," says Mark R. Doyle, the president of Jack L. Hayes. In order to better protect against retail theft, retailers should try to avoid cutting staffing levels or leaving an employee in the store alone, which can increase both external and internal theft. Another major problem that leads to internal theft is a failure to check employee references, either by managers or via professional background checks. The Jack L. Hayes Report found that improperly screening job applicants is the number one reason for employee theft. While background checks are important, inventory management also adds an important layer to loss prevention. Retailers should keep track of all products that enter and leave the store floor, the stock room, and the warehouse in order to quickly identify and record any shrinkage caused by theft. There are a number of electronic inventory management systems that allow for proper inventory tracking. Finally, retailers may want to consider hiring security staff or, at least, installing security cameras throughout public-facing and employee areas.


New Credit Card Security Standards Issued
Wall Street Journal (11/07/13) Dipietro, Ben

The Payment Card Industry (PCI) Security Standards Council on Nov. 7 issued version 3.0 of the PCI Data Security Standard and the Payment Application Data Security Standard, which will take effect on Jan. 1. These data security standards govern the use of credit cards by merchants and the processing of credit card payments. Businesses will be given until the end of next year to comply with the standards. Changes in the new version include an increased focus on clarifying the intent and spirit of the requirements, highlighting the shared responsibility of all parties involved in the processing of credit card data, and spelling out that shared responsibility more clearly in the legal agreements between service providers and merchants. The standards also call for increased validation testing. According to Rodolphe Simonetti, the managing director of Verizon's payment card industry services unit, those using simple PCI systems will not find the increased testing too challenging, but those with more complex systems will face extra costs and extra work in putting the enhanced protocols in place. He added that more merchants and vendors will likely turn over management of the transition protocol to third-party companies as the PCI standard becomes more mature.


Carnegie Mellon Study Suggests Repetition of Rare Events Could Reduce Screening Mistakes by Security Officers
Carnegie Mellon News (PA) (11/04/13) Spice, Byron

Carnegie Mellon University (CMU) researchers suggest security guards could improve their detection rates through repetition. In experiments that simulated multiple-camera video surveillance, the researchers found that study participants failed to correctly detect threats about 45 percent of the time when exposed to two threat events over the course of two hours. However, the error rate declined to 25 percent when encountering 25 events in the same period of time. "If people know what they're looking for and haven't seen it for some time, or their attention is focused elsewhere, they won't necessarily see what they're looking for, even when it is in full view," says CMU's Judith Gelernter. The experiment's results indicate that one way to make threat detection more effective is to have security screeners routinely encounter and respond to simulated threats. In the CMU experiments, 108 participants underwent 30-minute training sessions to learn how to detect low- and high-level threats. Then, during the two-hour experiment, 10 interior building views alternated to cover four quadrants of a computer monitor, with each view lasting a minute, which is similar to actual surveillance video.

Homeland Security

Whitey Bulger, Boston Gangster Protected as Informant by FBI, Gets 2 Life Sentences Plus 5 Years
Boston Globe (11/14/13) Valencia, Milton J.; Murphy, Shelley; Finucane, Martin

On Nov. 14, James "Whitey" Bulger, a Boston gangster who spent time on the FBI's 10 Most Wanted List, was sentenced to two life sentences in prison plus five years by U.S. District Court Judge Denise J. Casper. During her comments at the sentencing, Casper said that she "struggled with what would ever be just punishment for the unfathomable harm" that Bulger had caused during his time in Boston's underworld, when he was able to operate with impunity as a prized FBI informant under the protection of corrupt FBI agents. Bulger was ordered to pay $19.5 million in restitution to the families of his victims and to forfeit $25.2 million to the government, though both awards appear to be symbolic, as law enforcement has not uncovered anywhere near that amount of money hidden by Bulger. In August, Bulger was convicted of drug trafficking, extortion, money laundering, participation in 11 murders, racketeering, and other crimes. Defense attorneys plan to appeal, and attorney Hank Brennen said that Bulger should have been allowed to present his claim that a now-deceased federal prosecutor had granted him immunity for his crimes. Following sentencing, Bulger was returned to the Plymouth County House of Correction, where he has been held, and he is expected to remain there until he is transferred to a federal prison.


Judge Could Torpedo NSA Surveillance Programs Monday
U.S. News & World Report (11/13/13) Nelson, Steven

U.S. District Court Judge Richard Leon on Nov. 18 will hear oral arguments for and against a broad preliminary injunction that would block some National Security Agency (NSA) surveillance programs. The hearing in Leon's Washington, D.C., courtroom will pit Justice Department lawyers against Larry Klayman, the leader of the advocacy group Freedom Watch. Klayman has filed two class-action lawsuits arguing that the NSA is exceeding its authority under the law with its surveillance programs. The Nov. 18 hearing will address both lawsuits, though the two cases have not been joined. The preliminary injunction has been sought pending the final resolution of the cases. Leon has given some signs that he would favor the preliminary injunction, though there have also been signs that he would not grant it. The American Civil Liberties Union, meanwhile, has filed suit in New York to end the NSA's collection of phone records from Verizon. Oral arguments on the ACLU's injunction request have been scheduled for Nov. 22. Further, the U.S. Supreme Court on Friday will consider a request for direct intervention in a lawsuit filed by the Electronic Privacy Center that seeks judicial review of the Foreign Intelligence Surveillance Court's approval of government requests to collect phone records.


Report Cites Quality-Control Problems With Security Clearance Process
Washington Post (DC) (11/13/13) Davidson, Joe

Government Accountability Office (GAO) Director Brenda S. Farrell presented a report to a House subcommittee on Wednesday that emphasized the need for better quality control in the security clearance process. The report notes that quality is not consistently assessed by executive branch agencies during the process, and that measures to ensure quality have not been "fully developed or implemented." A process that emphasizes high quality is "essential" to reducing the risk that classified information will be disclosed without authorization, the report said. Though Farrell's testimony did not focus on the quantity of secrets kept by the United States, Sen. Tom Coburn (R-Okla.) recently told a Senate hearing that the government should look at why there is so much classified information and examine whether some of it can be declassified. Coburn said that excessively classifying information has led to an overabundance of people with security clearances, which he said is another problem that needs to be addressed. Rep. Bennie Thompson (D-Miss.), the ranking member on the House Homeland Security Committee, has said that quality-control deficiencies in the security clearance process, including the "lack of clear criteria and commonly accepted standards," are linked to the explosive growth in the number of positions that require clearances.


Snowden Persuaded Other NSA Workers to Give Up Passwords
Reuters (11/11/13)

Sources who are familiar with the investigation into the leaks of classified material by Edward Snowden say that the former National Security Agency (NSA) contractor was able to obtain some information he was not authorized to access by persuading his colleagues to give him their usernames and passwords. While Snowden was working as a computer systems administrator at the NSA regional operations center in Hawaii last spring, he reportedly told between 20 and 25 of his coworkers that he needed their login information so that he could carry out his duties. Obtaining the login information of these employees helped Snowden access and download some of the tens of thousands of secret NSA documents he is accused of leaking. Sources say that officials at NSA eventually found out that Snowden convinced some of his co-workers to give him their login information. After the employees who gave Snowden their usernames and passwords were identified, sources say, they were questioned by NSA officials and removed from their assignments. However, it is not clear whether these employees were assigned other duties or if they were terminated. NSA officials and the Office of the Director of National Intelligence have refused to comment on these latest allegations in the Snowden case since a criminal investigation into the matter is ongoing.


House Chairman Sounds Alarm Over Homeland Security Vacancies
Government Executive (11/11/13) Clark, Charles S.

House Homeland Security Committee Chairman Mike McCaul (R-Texas) warned in an op-ed published in the Wall Street Journal that the 40 percent vacancy rate in top positions at the Department of Homeland Security (DHS) is "a problem that has impaired [the agency's] operations." In the article, "Nobody's Home at Homeland Security," McCaul wrote that President Obama has "shown a complete disregard" for the 1998 Federal Vacancy Reform Act. Many of the positions, he said, remain vacant because the president has taken several "months or years to nominate someone." He suggested that the vacancies say a lot about the Obama administration's dedication to maintaining homeland security, and called the lack of any long-term management of DHS's cyber and national security protections a "dire leadership vacancy." Filling these empty slots, McCaul wrote, should be the top priority of Homeland Security Secretary nominee Jeh Johnson.

Cyber Security

Banking Malware Infections Rise to Highest Level Since 2002
IDG News Service (11/12/13) Kirk, Jeremy

Malicious software aimed at stealing online banking credentials spiked in the third quarter of this year to a level not seen since 2002, according to a new Trend Micro report. The report counted more than 200,000 new infections from July through September, versus 146,000 infections in the previous quarter. The infections were less concentrated in Europe and the Americas and more widely distributed throughout the world, indicating that cybercriminals are diversifying the banking customers they go after. The United States was the most affected country with 23 percent of new infections, followed by Brazil at 16 percent and Japan at 12 percent. Other top countries affected include India, Australia, France, Germany, Vietnam, Taiwan, and Mexico, according to Trend Micro. The most common culprit was the Zeus malware, which dates back to 2006 and is also known as Zbot. Cybercriminals plant Zeus on websites, which then attack visitors and download the malware if the visitor's computer has an unpatched software flaw. Trend Micro said it also saw an uptick in KINS, a malicious software program modeled after Zeus, along with Citadel, a banking credential stealer seen frequently in Japan and elsewhere.


Tech Insight: Viral Arms Race Brings New, Better Evasion
Dark Reading (11/11/13) Sawyer, John H.

The hype and fear surrounding advanced persistent threats can obscure the ongoing threat posed by more run-of-the-mill malware such as viruses, botnets, and worms. Ransomware such as Cryptolocker locks away crucial data behind encryption and demands payment in exchange for the key. Popular malware families such as Zeus, Andromeda, Vertexnet, and Cidox are continually adding new capabilities meant to thwart security analysts and sandboxing. McAfee recently identified several pieces of malware incorporating polymorphic capabilities that enable them to evade signature-based detection, while a recent FireEye report shows an increasing number of malware samples that not only go dormant when they detect that they are being run in a virtual environment, but actively seek to confirm that a human user is working the system before they execute their malicious code. The tools to combat such malware already exist in the form of layered defenses, network segmentation, and the principle of least privilege. The SANS Institute's 20 critical security controls also offer sound guidance for securing networks against most malware. Such efforts should be augmented by concerted efforts to educate users about phishing and other social engineering attacks.


Hacker Attack on Adobe Sends Ripples Across Web
Wall Street Journal (11/11/13) Yadron, Danny

The continuing fallout of a data breach that exposed the login information of about 38 million Adobe customers last month is demonstrating how a breach of one Internet service can indirectly affect the security of another. After some of the stolen credentials were leaked online and it was shown that the stolen passwords could be easily decrypted, many Internet companies began comparing the leaked credentials to those of their own users, knowing that users often reuse the same login credentials at multiple websites. Facebook and Diapers.com have already sent emails to customers and users they believe may have done just that, warning them that the Adobe breach may have compromised their Facebook and Diapers.com accounts as well. The email sent to Facebook users believed to have been affected by the Adobe leak notes, "Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places." FIDO Alliance president Michael Barrett says "the attack against Adobe's customer database illustrates the extreme risk and vulnerability we accept as we continue to depend on passwords to secure our personal information and keep us safe online."


To Thwart Spies, IETF Wants to 'Strengthen the Internet'
Network World (11/08/13) Neagle, Colin

The Internet Engineering Task Force (IETF) has discussed what it can do to protect the Internet from government spying. IETF chair Jari Arkko recently spoke about the need for the engineers behind the Internet to push for new standards that would make it more difficult for government intelligence agencies to spy on Internet users en masse. Arkko suggested extending SSL-like encryption to all pages of the Internet and improving encryption algorithms. He also said businesses and website operators could be encouraged to adopt these methods by making them part of the HTTP 2.0 protocol. Another strategy could be promoting more secure alternatives to the Web tools that leave users vulnerable to monitoring. "As that work matures, we might be able to expect to improve both efficiency (being able to use multiple paths) and security/privacy (in order to tie those paths together) at once, which could be a compelling prospect," Arkko said. Using the Internet for government surveillance is an attack the IETF needs to defend against, according to the meeting's attendees.


Malware Incidents Go Unreported, Particularly in Large Businesses
eSecurity Planet (11/07/13) Eddy, Nathan

U.S. companies are facing growing cybersecurity challenges, with nearly 60 percent of malware analysts reporting they have investigated or addressed a data breach that was never announced by their company, according to a ThreatTrack Security survey of 200 security professionals dealing with malware analysis within U.S. enterprises. The survey found that the largest corporations are even more likely to have had an unreported breach, with 66 percent of malware analysts with enterprises of that size reporting undisclosed data breaches. The survey's results suggest that the data breach epidemic—621 confirmed data breaches in 2012, according to Verizon—may be drastically under-reported, leaving enterprises' customers and data-sharing partners unaware of a host of potential security risks. When asked to cite the most challenging aspects of defending their companies' networks from advanced malware, 67 percent said the complexity of malware is a key factor, while 67 percent also pointed to the volume of malware attacks, and 58 percent cited the ineffectiveness of anti-malware solutions.


Abstracts Copyright © 2013 Information, Inc. Bethesda, MD

