Search This Blog

Friday, August 29, 2014

Security Management Weekly - August 29, 2014

header

  Learn more! ->   sm professional  

August 29, 2014
 
 
Corporate Security
Sponsored By:
  1. "7 Benefits to Standardizing Healthcare Security"
  2. "JPMorgan and Other Banks Struck by Cyberattack"
  3. "New Industry Group Tackles ATM Fraud"
  4. "Security Becoming Less of a Luxury"
  5. "Tips and Strategies for Securing Datacenters"

Homeland Security
Sponsored By:
  1. "American Fighting for ISIS is Killed in Syria"
  2. "For Sale: Systems That Can Secretly Track Where Cellphone Users Go Around the Globe"
  3. "House Homeland Security Chair Says ISIS 'Operations' Underway to Hit West"
  4. "James Foley’s Killers Linked to British Kidnapping Network"
  5. "New Safety Measures Greet Students"

Cyber Security
  1. "Android Flaw Might Also Affect iOS, Windows"
  2. "Antivirus Works Too Well, Gripe Cybercops"
  3. "DHS Cybersecurity Program Finds Few Takers"
  4. "NIST Releases Draft Guidelines for SSH Access Control"
  5. "This Android Shield Could Encrypt Apps So Invisibly You Forget It's There"

   

 
 
 

 


7 Benefits to Standardizing Healthcare Security
Security Magazine (08/14) Bukowski, Ken

A growing number of U.S. healthcare facilities are opting to standardize their security protocols and procedures and to streamline and centralize their security officer services. Doing so has a number of advantages, including the improved ability to prevent workplace violence. Workplace violence is a major security issue within the healthcare industry, with the causes of violence and types of crimes varying widely. Hospitals and other healthcare facilities that use consistent staff training, reporting procedures, and security measures can create safe working environments. A standardized approach to security also allows healthcare systems to share the lessons learned during emergency planning and drills across all component facilities while also improving collaboration with local law enforcement.


JPMorgan and Other Banks Struck by Cyberattack
New York Times (08/28/14) P. B1 Perlroth, Nicole

JPMorgan Chase and at least four other U.S. banks were the targets of what security experts say was a sophisticated cyberattack. In a series of coordinated attacks this month, hackers infiltrated the banks' networks and siphoned off gigabytes of data that included checking and savings account information. The FBI and several security firms are involved in the investigation, although the motivation and origin of the attacks remain unclear. Earlier this year, Dallas-based security firm iSight Partners warned that companies should be prepared for cyberattacks from Russia in retaliation for Western economic sanctions, but Adam Meyers, head of threat intelligence at security firm CrowdStrike, said it was too soon to suggest that sanctions were the motive behind the attacks. Hackers may have been after account information, or information about a possible merger or acquisition.


New Industry Group Tackles ATM Fraud
BankInfoSecurity.com (08/20/14) Kitten, Tracy

ATM manufacturers Diebold and Wincor Nixdorf are laying the groundwork for the formation of a new global industry group focused on thwarting ATM crime. The aim of this group is to establish industrywide technical standards for secure ATM terminals and ATM components and provide a platform for information sharing about attack scenarios and emerging threats, said Joerg Engelhardt, vice president of global product management for Diebold.


Security Becoming Less of a Luxury
Security Management (08/14) Gips, Michael

Security spending has seen significant growth since 2011, with healthy growth projected in both operational and IT security through 2017. An upcoming survey and report prepared by ASIS International and the Institute of Finance and Management, called “The United States Security Industry: Size and Scope, Insights, Trends, and Data, 2014-2017,” updates the original 2012 ASIS/IOFM survey. Private-sector spending jumped from $282 million in 2012 to $319 billion in 2013 to a projected $341 billion in 2014. Data drawn from surveys of 479 security end users, manufacturers, and service providers, predicts $377 billion in private-sector security spending in 2015, another 10 percent year-over-year increase. Most spending growth is driven by smaller firms with revenues of $1 million to $10 million. Operational security budgets for such businesses are expected to increase 17 percent from 2013 to 2015, with IT security expected to grow by 15 percent in the same period. Spending will include video surveillance, access control, alarm monitoring, IT security software, consulting services, employee screening, training, perimeter protection, and systems maintenance.


Tips and Strategies for Securing Datacenters
Security Today (08/26/14) Hill, Ginger

The first step in establishing data center security should focus on the physical security of the perimeter, which can add another layer of security between the data and potential hackers. Facilities should develop a physical security policy that every employee is aware of and follows. This may involve biometric access or security guards, as well as closed-circuit TV cameras facing each of the outside walls. Some cameras also should focus on the ceiling, which intruders may try to use to gain entry. Data centers should also separate loading and storage areas to prevent interference with the equipment. Servers should be protected even if they do not contain any data, as they are still susceptible to an attack if a malicious individual can gain physical access to install or implant hacking technology into servers. Facilities also should keep their power and network cabling neat, which can employees avoid mistakes that could compromise data integrity.




American Fighting for ISIS is Killed in Syria
New York Times (08/27/14) Cooper, Helene; Landler, Mark

The Obama administration issued a statement Tuesday confirming that a 33-year-old American man died while fighting in Syria with the Islamic State. Douglas M. McCain reportedly died Aug. 24 in a battle with the rival Syrian rebel group the Free Syrian Army, making him the first American to die while fighting for the Islamic State. Federal authorities reportedly had no idea that McCain was planning to travel to Syria to fight for the Islamic State, and did not learn that he had gone to the war-ravaged country until after he arrived there. However, authorities placed McCain's name on a terrorist watch list after they learned he had gone to Syria, meaning that he would have been the subject of additional scrutiny had he tried to fly back to the U.S. Officials say it is difficult to identify those who are planning to travel to Syria to fight with militant groups like the Islamic State because these individuals come from all different age groups and regions of the country, and many do not have any connection to Syria that would be an indication that they would be drawn to participating in that country's civil war. But Americans like McCain who fight in the Syrian conflict alongside rebel groups may not pose a direct threat to the U.S. as some fear, one security expert says. The expert noted that the fact that McCain died on the battlefield is an indication that Americans are traveling to Syria to fight with the Islamic State there rather than to train for attacks against the U.S. homeland.


For Sale: Systems That Can Secretly Track Where Cellphone Users Go Around the Globe
Washington Post (08/25/14) Timberg, Craig

Privately-owned surveillance companies are peddling systems that are capable of tracking the location of any cell phone user to governments around the globe. Marketing materials from companies like New York-based Verint describe surveillance systems that exploit the lax-to-nonexistent security of the decades-old SS7 telecommunications network used by telecom firms around the world to route calls, text messages, and data. German security researcher Tobias Engel first demonstrated methods of gathering location data from the SS7 network in 2008 and more sophisticated techniques have been developed since then. A more secure replacement for SS7 is in the works, but it will likely be a decade or more before it is fully deployed. The systems, which are capable of collecting location data without the knowledge of wireless carriers, are marketed to governments and often paired with other tools like IMSI catchers, portable devices that act as cellular transmitters and are capable of locating devices, intercepting calls, data, and texts, and installing spyware on phones. While such systems are outlawed within some countries' boundaries, they are often marketed to governments for the explicit purpose of tracking individuals across borders. The lack of international law concerning this technology makes regulating its use extremely difficult.


House Homeland Security Chair Says ISIS 'Operations' Underway to Hit West
myCentralOregon.com (08/24/2014)

The Islamic State is preparing to strike the West now that it has taken control of part of Iraq and is establishing a caliphate, House Homeland Security Chair Michael McCaul (R-Texas) said Sunday. McCaul hinted that attacks against the West could involve Westerners who have traveled to Syria to fight in that country's civil war. "We have tens of thousands of foreign fighters from all over the world pouring into this safe haven that's now been established, including hundreds of Americans with Western passports and legal travel documents, which would enable them not only to travel to Western Europe, but to the United States," McCaul added. Meanwhile, Retired Gen. John Allen pointed out that destroying the Islamic State requires "a comprehensive approach" and more resources. Allen noted that an effort to eliminate ISIS might mean working toward the same goals as Iran and Syria, even if there is no coordination between the U.S. and those countries.


James Foley’s Killers Linked to British Kidnapping Network
Homeland Security News Wire (08/27/14)

There may be a connection between the death of American journalist James Foley and a terrorist kidnapping ring operating in the United Kingdom that was involved in the disappearance of two other Western journalists. Foley’s execution has prompted intelligence officials and other experts to reexamine the role of groups associated with the Islamic State. Security forces generally do not have enough reliable information to make a connection. The U.K. government is also finding it difficult to deal with some of its own citizens waging jihad in Syria and working with the Islamic State. “We’ve been playing catch-up along with the worst foreign-fighter flows that we’ve seen in the modern terrorist era,” said former U.S. counterterrorism official Juan Zarate. “The British government has been sounding the alarm for a long time about the threat of foreign fighters and trying to do their best, but they have had trouble tracking that flow in an environment that is incredibly open.”


New Safety Measures Greet Students
Wall Street Journal (08/25/14) Porter, Caroline

U.S. public schools are continuing to increase their security efforts in response to the Sandy Hook Elementary School massacre in December 2012. Officials at Hillsborough County Public Schools in Tampa, Fla., are working on a four-phase approach that includes 20 new armed officers in elementary schools, security training for employees, hiring a safety consultant, and stricter access control. Schools in the Coeur d'Alene, Idaho, public school district now have security fencing and single entry points at each school for visitors. Montpelier Exempted Village Schools in Ohio have installed bulletproof glass and panic buttons and held assemblies for security training, and will allow four employees to carry firearms on school property. Research company IHS Technology estimates that schools will spend $4.9 billion on security systems by 2017.




Android Flaw Might Also Affect iOS, Windows
InformationWeek (08/23/14) Claburn, Thomas

Security researchers from the University of California, Riverside and the University of Michigan have discovered a vulnerability in the Android mobile operating system that could enable malicious apps to carry out man-in-the-middle (MITM) and other attacks on apps running on the same device. The attack exploits the fact that despite app sandboxing efforts, most apps still rely on a window manager, a graphic interface framework that operates in shared memory space, to render their graphical interface elements. During the recent USENIX security conference, the researchers demonstrated how a malicious app running in the background could monitor a window manager and correctly infer from activity there what a given app was doing, allowing the malicious app to execute MITM attacks such as launching a dummy login screen to capture credentials when a banking app is launched. Another possible scenario is a camera- peeking attack in which the malicious app watches for a banking app to use the camera to take a photo of a check for automatic deposit, and take its own photo immediately afterward without the user's knowledge. Because the attack works at such a fundamental level, the researchers suspect it also affects Windows and iOS devices. Possible mitigation strategies include limiting access to proc files, tightening interface animation systems, and limiting the functions available to background applications.


Antivirus Works Too Well, Gripe Cybercops
The Wall Street Journal (08/20/14) Yadron, Danny

Internal documents leaked by activists earlier this month show police clients from several nations complaining to German company FinFisher GmbH, which sells spyware to government clients, that their products were being thwarted by antivirus programs. A Pakistani client complains in the documents that antivirus software was able to block his agency's efforts to spy with FinFisher's products, a complaint echoed by a Qatari agency in another document. The documents also show FinFisher representatives advised an Estonian agency that a product enabling users to steal usernames, passwords, and documents using a USB flashdrive might not be able to bypass certain antivirus software. The world of cyberspying by police and other government agencies is a shadowy one and the companies that sell products for this purpose are often very secretive. One such company is Italy-based Hacking Team, which, although none of its products are known to be used by U.S. agencies, is a fixture at U.S. police trade shows and boasts a U.S. headquartered in Annapolis, MD. "A lot of people rely on antivirus for protection against cybercriminals," says Morgan Marquis-Boire, a senior researcher at the University of Toronto's Citizen Lab. "You have the people we pay to protect us from very real crime trying to prevent this from working properly. That is somewhat concerning."


DHS Cybersecurity Program Finds Few Takers
Government Technology (08/22/14) Heaton, Brian

Last year the U.S. Department of Homeland Security was directed by President Obama to launch a program to share classified and unclassified cybersecurity data to 16 critical infrastructure sectors. Although the initiative was intended to include state and local governments, officials appear to be unaware of it. A recent federal report on the program showed just three of the 16 industries were taking part in the program—energy, communications services, and the defense industrial base. Only CenturyLink and AT&T among Internet service providers have been authorized to receive and load the indicators. DHS' Richard Harsche says enrollment in the program has been slow because of limited outreach and resources. He also notes cyberthreat data sharing is based on manual reviews and analysis by the National Protection Programs Directorate, resulting in inconsistent indicator quality. SANS Institute research director Alan Paller believes state and local governments have been unable to use the program due to lack of specialized equipment that is needed on-site to read and process the classified data distributed by DHS through the program. He says regular computers are not powerful enough, and the majority of states, cities, and counties cannot afford the technology and lack the appropriate technical staff. "It’s hard to use the classified parts, and the unclassified parts are too close to what they can get from other people," Paller says.


NIST Releases Draft Guidelines for SSH Access Control
Security Week (08/21/14) Kovacs, Eduard

The National Institute of Standards and Technology has released draft guidelines for government agencies and private-sector organizations addressing the various security risks of the Secure Shell cryptographic protocol used by many agencies and business to secure a variety of network services. The functions SSH is used to secure are often highly privileged and include file transfers and backups, patch management, disaster recovery and provisioning, and database updates. However, security risks are often ignored, prompting NIST and SSH inventor Tatu Ylonen to write the new publication. The draft copy addresses issues including access management with SSH and a description of SSH version 2.0, including descriptions of its vulnerabilities and means of mitigating them. Other topics covered in the draft include best practices, risk mitigation for access tokens, and solution planning and deployment. The authors, which include Ylonen, believe the biggest SSH risks faced by agencies and businesses are improper implementations, and a host of issues that can be created by unaudited, incorrectly stored and used, stolen, leaked, and unterminated user keys.


This Android Shield Could Encrypt Apps So Invisibly You Forget It's There
Wired News (08/19/14) Greenburg, Andy

Georgia Institute of Technology researchers have developed Mimesis Aegis (M-Aegis), an encryption app they say can enable encrypted communication using cloud-based apps. Mimesis Aegis, Latin for "mimicry shield," is an overlay that mimics the user interface of other apps almost perfectly and enables users to enter messages normally, but immediately encrypts the messages before sending them to the app in question, where they are sent as a normal message and then decrypted at the other end by another M-Aegis user. Lead researcher Wenke Lee says the goal of the project is to make end-to-end decryption "easy as air" for the average user. The researchers plan to present M-Aegis at this week's USENIX security conference and to release the tool as an Android app this fall, although that version will be limited to only a handful of specific apps. Wenke says the team intends to continue developing M-Aegis to enable it to work with a wide range of photo and audio apps. They also want to automate the process by which it mimics other apps' front-ends, which currently has to be done manually. In addition, M-Aegis currently can only be used for communications between M-Aegis users, it only works on Android devices, and it may be subject to undiscovered security bugs.


Abstracts Copyright © 2014 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Security Management Online | ASIS Online

No comments: