Friday, August 01, 2014

Security Management Weekly - August 1, 2014

August 1, 2014
 
 
Corporate Security
  1. "Security Becoming Less of a Luxury"
  2. "Police: Gunman and Victim in Loop Shooting 'Had Been Friends for Years'" Chicago
  3. "Active Shooters, School Security a Focus of ASIS 2014 Show"
  4. "Rising Cargo Thefts Prompt New Security Solutions"
  5. "After Deadly Shooting, Hospital Security Comes Into Focus" Delaware County, Pa.

Homeland Security
  1. "Suicide Bomber From U.S. Came Home Before Attack"
  2. "100% Scanning of U.S.-Bound Cargo Containers Delayed Until 2016"
  3. "Norway Defends Tightening Security Last Week Over Possible Terror Risk"
  4. "Terror Threats at Chemical Plants Underestimated"
  5. "Paying Ransoms, Europe Bankrolls Qaeda Terror"

Cyber Security
  1. "Inquiry by C.I.A. Affirms it Spied on Senate Panel"
  2. "Checking In From Home Leaves Entry for Hackers"
  3. "Android Security Threat Revealed"
  4. "70 Percent of IoT Devices Vulnerable to Cyberattacks" Internet of Things
  5. "Retail Groups Ask for Tokenization in Payment Security"

   

 
 
 

 


Security Becoming Less of a Luxury
Security Management (08/14) Gips, Michael

Spending on security has increased since 2011 and is expected to continue growing through 2017, according to an upcoming survey and report from ASIS International and the Institute of Finance and Management (IOFM). The report found that security spending in the private sector will be $377 billion in 2015, a 10 percent year-on-year increase. Much of this spending will be coming from smaller companies with revenues between $1 million and $10 million. Operational security budgets for these organizations will increase 17 percent from 2013 to 2015, while IT security budgets will increase by 15 percent during the same period. This spending may be used on items such as video surveillance, access control, IT security software, consulting services, employee screening, training, and systems maintenance. All that said, the numbers for operational security and IT may actually be underrepresented because of the potential for overlap between those two departments. The report does, however, break down operational security staff by function and compares proprietary staff to outsourced personnel, finding that 65 percent of operational security workers are contract staff, 57 percent are security officers, 17 percent are functional staff, 11 percent are executives, 9 percent perform administrative tasks, and 5 percent are functional managers.


Police: Gunman and Victim in Loop Shooting 'Had Been Friends for Years'
Chicago Tribune (07/31/14) Eltagouri, Marwa; Chachkevitch, Alexandra; Rodriguez, Meredith

Witnesses say the two men involved in a workplace shooting at Chicago's Bank of America building that left the attacker dead and the victim in critical condition on Thursday were close friends and had been colleagues for years. Witnesses say that Tony DeFrances, the chief technology officer of the supply technology firm ArrowStream, was upset about news that he was being demoted as part of a company-wide restructuring when he walked into CEO Steven LaVoie's office Thursday morning. DeFrances had been told about the demotion last Friday. LaVoie and DeFrances reportedly struggled over the gun — presumed to have been DeFrances', though he did not have a state gun license — with LaVoie sustaining gunshot wounds to the head and stomach. DeFrances then turned the gun on himself. Other workers in the building were told to stay at their desks after the shooting, but were not ordered to evacuate. Chicago Police Superintendent Garry McCarthy characterized the shooting as a "personal" dispute.


Active Shooters, School Security a Focus of ASIS 2014 Show
Security Director News (07/30/14) Canfield, Amy

The ASIS International 60th Annual Seminar and Exhibits (ASIS 2014) will focus on the topics of active shooters, school security, and women in the security profession. The 250 education sessions reflect current security concerns, said Allan Wick, an ASIS council vice president. Sessions focusing on active shooters include “Active Shooter Prevented: Evaluating a Close Call,” presented by Drew Neckar, a regional director for the Mayo Clinic Health System, and “The Evolution of Active Shooter Procedures for Schools,” presented by Paul Timm, the president of school security consulting firm RETA Security. Other sessions will focus on physical security components in recent shooting incidents and best practices. Wick says there is growing interest among security professionals in active shooter incidents, adding that those who work in corporate environments need training to learn about how to deal with workplace shootings. Several events at ASIS 2014 will address the growing number of women in the industry, including a round-table discussion about the challenges they face. The conference will be held Sept. 29 through Oct. 2 in Atlanta.


Rising Cargo Thefts Prompt New Security Solutions
Homeland Security Today (07/28/14) Vicinanzo, Amanda

All-time record levels of cargo thefts in 2012 and 2013, and the rising value of the average theft in 2014, are putting increasing pressure on transportation firms that remain reluctant to adopt new security measures. Both 2012 and 2013 saw 951 cargo thefts, and while the number of thefts was down by 11 percent in the second quarter of 2014 compared to the same time in 2013, the average value per incident rose by 90 percent to $242,010. Jim Giermanski, the chairman of the container security firm Powers International, Inc., says that the value of thefts is growing because thieves are seeking to maximize their returns by increasingly focusing on high-value cargo. Giermanski adds that theft is not the only reason transportation firms should be seeking out greater security. Conveyances that are insecure enough for cargo theft to be relatively easy are also vulnerable to exploitation for smuggling contraband, possibly including weapons of mass destruction. Giermanski says carriers especially need to take a broader interest in securing the whole conveyance, not just their tractors. Companies like US Security Associates have stepped up with products and services to secure cargo against theft, including route-planning, cargo escorts, and advanced monitoring.


After Deadly Shooting, Hospital Security Comes Into Focus
Delaware County Daily Times (PA) (07/27/14) Sullivan, Vince

More attention is being paid to security at some medical facilities in Delaware County, Pa., following the deadly July 24 shooting at Mercy Fitzgerald Hospital in Yeadon. A gunman shot and killed a mental-health caseworker and wounded a psychiatrist before the doctor fired his own gun, striking the shooter three times. While the facility does not have metal detectors, such devices are used at Crozer-Chester Medical Center in Upland, which is operated by Crozer-Keystone Health System, according to spokesman Grant Gegwich. At all five Crozer-Keystone hospitals, security officers carry pepper spray and security supervisors carry stun guns. Nighttime security guards can control access to nursing units and escort employees to and from their vehicles after hours. Crozer-Keystone Health System also has trained employees how to respond to potentially violent situations. The entire system also upgraded its security camera systems to improve video clarity and recording capabilities.




Suicide Bomber From U.S. Came Home Before Attack
New York Times (07/31/14) Schmidt, Michael S.; Mazzetti, Mark

U.S. authorities say that Moner Mohammad Abusalha, the American man who carried out a suicide bombing in Syria in May, returned to the U.S. for several months after receiving training from the Syrian militant group the Nusra Front. After spending some time in the U.S., authorities say, Abusalha went back to Syria and carried out his attack. Those findings seem to lend credence to concerns among counterterrorism officials in the U.S. and Europe that Westerners are indeed traveling to Syria, receiving training from militant groups, and returning home. But while there have been concerns that such individuals would return to their home countries to carry out attacks, Abusalha's case shows that not all Western militants who have trained in Syria have such aspirations. Indeed, the Nusra Front's primary goal is to topple Syrian President Bashar al-Assad rather than to attack the West. Meanwhile, an FBI official said that Abusalha's case underscores the difficulties the bureau faces in identifying Americans who travel to Syria to participate in jihad. While both the FBI and the Department of Homeland Security were aware that Abusalha had gone to Syria, they had no knowledge he had received training from the Nusra Front or that he was planning to participate in an attack.


100% Scanning of U.S.-Bound Cargo Containers Delayed Until 2016
Homeland Security News Wire (07/31/14)

The Department of Homeland Security (DHS) has delayed the implementation of the SAFE Port Act's shipping container scanning requirement until 2016. The act requires that 100 percent of ocean containers bound for the United States be scanned at foreign ports of origin. U.S. importers have called on Congress to remove the scanning requirement completely rather than simply delaying it again. Critics say one of the problems with the mandate is that the law does not clarify how DHS defines “scanned.” Importers are not sure if DHS wants merely an image of a container before it ships, or if authorities must analyze the image to determine if further inspection is necessary. Customs and Border Protection currently pre-screens containers at their points of origin and identifies high-risk shipments at 58 ports around the globe before conducting physical scans or inspections.


Norway Defends Tightening Security Last Week Over Possible Terror Risk
Wall Street Journal (07/31/14) Hovland, Kjetil Malkenes

Norwegian Minister of Justice and Public Security Anders Anundsen on Thursday defended the surge in security that followed a July 24 warning by the Police Security Service of a possible imminent terror attack. "I think warning the population was right, given that the Police Security Service had information about a real threat to Norway," said Anundsen. National police stepped up security last week following the announcement of the terror threat, with armed guards patrolling train stations, airports, and border crossings. Security was relaxed again on Tuesday after news that the threat had lessened. Benedicte Bjornland, the head of the Police Security Service, on Thursday said the threat of imminent attack was "reduced" and that the public warning may have helped to discourage the potential attack, said to be plotted by Syrian fighters. Still, the warning and surge in security was criticized by some, including ruling party politician Jan Arild-Ellingsen, who compared it to "crying wolf." Anundsen countered that failing to increase security in light of the threat would have been irresponsible. Terrorism remains a serious concern for Norwegian security officials three years after a right-wing terrorist murdered 77 people in bombings and shootings in Oslo and nearby Utoya island.


Terror Threats at Chemical Plants Underestimated
Associated Press (07/30/14) Yen, Hope

A report from the Senate Homeland Security Committee's Republican staffers has concluded that the Chemical Facility Anti-Terrorism Standards (CFATS) program is a failure and that it is not helping to protect the U.S. from a chemical terrorist attack. One of the failures of CFATS that was cited in the report, which is the result of a year-long investigation, is the lack of inspections at 3,972 of the 4,011 chemical facilities that are thought to be at an especially high risk of terrorist attacks. Many of these facilities are chemical manufacturers, though some are farm supply retailers or fertilizer distribution warehouses. The report also found that the Department of Homeland Security (DHS) is in the midst of a potentially years-long backlog of chemical facility security plans that need to be approved. Security plans at about 3,111 of the high-risk facilities have not been approved, the report found. In addition, the report found that chemical facilities in the nation's larger metro areas like New York, Los Angeles, and Chicago might be at a greater risk of a terrorist attack involving the deliberate release of toxic and flammable chemicals, and that the government is underestimating the risk of such attacks in large cities. The report concluded by calling on Congress to make several changes to CFATS before it is reauthorized, including allowing lower-risk facilities to self-certify that their security plans meet government standards. DHS responded to the report by saying that it has improved its efforts to monitor chemical facilities, and that it has approved security plans at 750 such facilities over the last two years.


Paying Ransoms, Europe Bankrolls Qaeda Terror
New York Times (07/30/14) P. A1 Callimachi, Rukmini

According to an investigation by the New York Times, European nations are inadvertently financing the activities of al-Qaida by paying under-the-table ransoms when the group kidnaps their citizens, in violation of international agreements. Many argue that paying such ransoms only encourages further kidnappings. The Times estimates that al-Qaida has brought in $125 million in ransoms since 2008, including $66 million in 2013 alone. The leader of al-Qaida's affiliate in Yemen has estimated that ransom money accounts for as much as half of the group's operating budget. Following the 2003 abduction and ransom of several European tourists in Algeria by the group that would become al-Qaida in the Islamic Maghreb, al-Qaida has honed the practice of kidnap for ransom to the point that it hires out the kidnappings to criminal groups. Al-Qaida has also learned which countries will most reliably pay out — namely France, Spain, and Switzerland — and increasingly targets their nationals almost exclusively, often ignoring citizens of nations like the U.S. and Britain, two countries which refuse to pay ransoms. The average price for a single hostage has soared, with France paying an estimated $10 million each to free four hostages last year. The ransoms are often written off as aid payments and handed off using intermediaries like foreign governments or state-controlled businesses. However, European governments deny paying ransoms to terrorist groups.




Inquiry by C.I.A. Affirms it Spied on Senate Panel
New York Times (08/01/14) P. A1 Mazzetti, Mark; Hulse, Carl

The CIA's inspector general has found that the agency did indeed spy on the Senate Intelligence Committee while staffers were working on a report about the controversial terrorist interrogation and detention practices used during the Bush administration. The inspector general's office says that three CIA information technology officers and two agency lawyers "improperly accessed or caused access" to a computer network being used by committee staffers working on the report, which was critical of the interrogation and detention practices used by the CIA. Those individuals are believed to have accessed a large number of documents the committee staffers were using to compile their report. The inspector general also says that CIA officers read e-mails sent to and from Senate investigators and also used a fake identity to log in to computers used by Intelligence Committee staffers. The hacking is believed to have taken place after CIA officials began to suspect that Intelligence Committee staffers were able to obtain an internal CIA report on the detention program without authorization. CIA Director John Brennan, who previously denied allegations that CIA officers hacked into computers used by the committee and its staffers, responded to the inspector general's findings by saying that the agency plans to set up an internal accountability board to examine the issue of CIA hacking and implement steps to address "systemic issues."


Checking In From Home Leaves Entry for Hackers
New York Times (07/31/14) Perlroth, Nicole

The Department of Homeland Security (DHS) issued a report on July 31 that said hackers are using remote access software to attack corporate networks. The DHS report says the software is usually used to enable outside contractors and employees to access such networks. Hackers are able to break in by using programs that guess login credentials, according to the report, which was created with the help of the Secret Service, the National Cybersecurity and Communications Integration Center, Trustwave SpiderLabs, and other industry partners. “As we start to make more secure software and systems, the weakest link in the information chain is the human that sits on the end—the weak password they type in, the click on the email from the contact they trust,” says FlowTraq's Vincent Berq.


Android Security Threat Revealed
Financial Times (07/30/14) P. 14 Kuchler, Hannah

Bluebox Security researchers say they have discovered a serious vulnerability in the Android mobile operating system that could enable malicious apps to masquerade as legitimate, existing apps by creating a fake identification code. Bluebox says it discovered the vulnerability in April but waited to disclose it to give Google time to patch the vulnerability, which Google confirmed, saying a patch was distributed to Android partners and an open source patch has been made available. Bluebox's Jeff Forristal says the company does not believe the vulnerability has been exploited in the wild, and Google says a scan of apps in the Google Play Store did not turn up any malicious apps using the exploit, which would have given the malicious app potentially unlimited access to infected devices. Forristal will be giving a presentation on the vulnerability and how it could have been exploited at the upcoming Black Hat security conference in Las Vegas.


70 Percent of IoT Devices Vulnerable to Cyberattacks
Security Week (07/29/14) Kovacs, Eduard

Seventy percent of the most popular Internet of Things (IoT) devices currently on the market contain serious vulnerabilities, according to a new Hewlett-Packard study. HP tested 10 of the most popular IoT devices, including smart TVs, power outlets, Webcams, smart hubs, home thermostats, sprinkler controllers, home alarms, scales, garage door openers, and door locks. The researchers found 250 security holes, an average of 25 per device. The holes included privacy issues, poor authorization practices, a lack of transport encryption and software protection, and insecure Web interfaces. HP found 70 percent failed to encrypt local and Internet communications, and half of the devices' apps lacked transport encryption. Sixty percent did not download updates in a secure manner and 60 percent were plagued by Web interfaces vulnerable to cross-site scripting, weak default credentials, and poor session management. HP also found that 70 percent of devices' cloud and mobile apps' password reset features could easily be subverted to enable attackers to acquire user passwords. Many devices also enabled users to use weak or no passwords at all. HP advises device manufacturers to conduct a security review of their devices and take steps to embed security into all phases of the product lifecycle.


Retail Groups Ask for Tokenization in Payment Security
Chain Store Age (07/28/14) Berthiaume, Dan

Retail groups including the National Retail Federation, the Retail Industry Leaders Association, the National Association of Convenience Stores, and the National Restaurant Association are urging the U.S. payment industry to adopt an open and universal tokenization standard. "An open, interoperable platform will...ensure merchants can support the technology across multiple providers and make back-end security processes seamless for the customer experience," the groups say. They also say tokenization will help merchants with age verification identity checks, and storage and transmission of electronic health records and pharmacy prescriptions. The groups' joint statement lists guiding principles that tokenization solutions should align with, including an open standards approach via an accredited standards-setting body, the creation of a technology-neutral platform enabling broad participation in the standard from technology stakeholders, and allowing participants to develop proprietary frameworks that operate in compliance with the standard. In addition, the groups call for guarantees the standard works for multiple payment environments, including e-commerce and m-commerce; the governance of intellectual property by the industry standard; and support for the standard by all networks, brands, and payment types.


Abstracts Copyright © 2014 Information, Inc. Bethesda, MD

