Friday, January 30, 2015

Security Management Weekly - January 30, 2015

 
 
Corporate Security
  1. "Closing an Airport Security Gap: Employee Screening"
  2. "In Emergencies, Companies Are Turning to Employee-Tracking Services"
  3. "Twitter Threats to Planes Require Delicate Decisions"
  4. "U.S. Business Groups Ask China to Postpone New Cybersecurity Review"
  5. "Malware Containment Continues to Weigh Heavily on Organizations"

Homeland Security
  1. "Underground Terror Network Said to Benefit Would-Be Jihadists in Europe"
  2. "NYPD Plans Initiatives to Fight Terrorism and Improve Community Relations"
  3. "Libya Hit Shows Militants' Ambition"
  4. "U.S. Spies on Millions of Cars"
  5. "Beyond the Active Shooter"

Cyber Security
  1. "Java Is the Biggest Vulnerability for U.S. Computers"
  2. "Cybersecurity in 2025: What Gaps in Virtual Protection Must Be Addressed?"
  3. "Malaysia Air Site Hacked, Some Customer Data Appears Online"
  4. "Akamai Predicts More Cheap Hacking Toolkits, Political Attacks Next Year"
  5. "Cyber Security Is Growing in Importance for Medical Devices Too"

   

 
 
 

 


Closing an Airport Security Gap: Employee Screening
Wall Street Journal (01/28/15) Carey, Susan

Most U.S. airports do not conduct regular screening for many workers, such as baggage handlers and mechanics, due to concerns about heavy costs and logistics. Nearly 1 million employees of airlines, airports, vendors, and regulators have access to secure areas after passing criminal-background and threat-assessment checks, but after being hired, they are not screened by metal detectors as passengers are. Recent incidents, however, are causing the airports to rethink their approach, and research suggests that employee screening could be manageable for most facilities. In December, prosecutors charged a former Delta Air Lines Inc. employee and a then-current Delta baggage handler in an alleged scheme that involved sneaking firearms into Atlanta’s airport and onto flights to New York. This week, the FBI lodged a criminal complaint in U.S. District Court in Atlanta, alleging that a Delta gate agent illegally boarded a flight to Paris after avoiding passenger screening with his employee badge. Jeh Johnson, secretary of the Department of Homeland Security, has requested a comprehensive review of airport security from an aviation-security advisory committee. Miami International Airport and Orlando International Airport both say they have instituted 100 percent employee screening, for relatively modest annual expenses that the airlines and airport concessionaires indirectly pay in higher rents and landing fees.


In Emergencies, Companies Are Turning to Employee-Tracking Services
New York Times (01/27/15) P. B4 Levere, Jane L.

Demand for employee-tracking services is on the rise, driven largely by "duty of care" laws that require employers to know their workers’ whereabouts and help ensure their safety. Different businesses are purchasing services that use technologies such as GPS and geotracking to track their employees. International SOS is one of the oldest and most established suppliers of these services, but there is also iJET and the Anvil Group, as well as a number of new firms coming onto the scene. Travel-management company BCD Travel has created a tool that combines itinerary information, an interactive map, and text messaging to help clients track their travelers. In an emergency, employers can send out alerts, or employees can use apps to request help. International SOS, iJET, and other companies also offer evacuation planning and execution for employees who are based in or travel to dangerous locations. Geofencing uses GPS to monitor the whereabouts of travelers within a tightly defined location, which is particularly useful for companies whose employees are deployed to combat zones and other remote places.


Twitter Threats to Planes Require Delicate Decisions
USA Today (01/28/15) Jansen, Bart; Copeland, Larry

At least sixteen times in the past four days, a bomb threat on Twitter disrupted travel and frustrated airlines. On Jan. 27, American Airlines Flight 1192 from Los Angeles landed safely in Chicago O'Hare after a tweet purportedly from the Islamic State threatened that there was a bomb on the 737-800. On the same day, a now-suspended Twitter account called @RansomTheThug claimed there was a bomb on board United Airlines flight 223, which was scheduled to travel from Newark, N.J., to Miami Tuesday afternoon. The flight was cancelled two days ago in preparation for the blizzard-like conditions which hit the Northeast Monday night and Tuesday, United Airlines spokeswoman Mary Ryan said. In previous incidents, searches turned up nothing, but the incidents made plain the power of one person on social media to make big trouble. Airlines won't comment on how often it happens, and the FBI, which is investigating, won't say who may be tweeting. Observers say Twitter has given pranksters and terrorists an easy way to cause chaos. "We're seeing these new threats. In terms of the quantity of (online) threats we're seeing now, you just haven't seen it," said Glen Winn, former head of security at Northwest Airlines and United Airlines and an instructor at the University of Southern California School of Aviation Safety and Security. "In the history of aviation sabotage, I don't believe there's ever been a threat called in where there's actually been a bomb," said Douglas Laird, a consultant who is a former security director at Northwest Airlines. Still, airlines refer all threats to their security divisions, which evaluate their credibility based on confidential criteria, Laird said. Depending on the merit of the threat, a flight could be diverted to the nearest airport, so it could be searched with bomb-sniffing dogs, he said.


U.S. Business Groups Ask China to Postpone New Cybersecurity Review
Wall Street Journal (01/29/15) Tejada, Carlos

U.S. business groups on Jan. 28 sent a letter to Chinese cybersecurity officials stating that stricter cybersecurity standards could limit the range of U.S. products available to Chinese businesses. The letter comes in response to China asking U.S. technology companies to turn over sensitive material and submit to intrusive inspections. The letter said the rules were recently proposed for the Chinese banking sector, but the groups worry they could be expanded to other sectors. "An overly broad, opaque, discriminatory approach to cybersecurity policy" would isolate Chinese companies and worsen cybersecurity issues, it said. It called for China to further discuss potential new rules. The letter was signed by the U.S. Chamber of Commerce, the American Chamber of Commerce in China, the Information Technology Industry Council, and the Telecommunications Industry Association, among others.


Malware Containment Continues to Weigh Heavily on Organizations
eWeek (01/16/15) Kerner, Sean Michael

According to a new Ponemon Institute study, enterprises receive an average of 16,937 malware alerts per week and spend around 395 hours per week investigating erroneous malware alerts. The survey of 630 IT and IT security professionals in the U.S. indicates that only 19 percent of malware alerts are considered reliable, and just 4 percent are actually investigated. Additionally, respondents considered two-thirds of the time spent investigating malware alerts to be time wasted, as alerts often are revealed to be false positives. Thirty-three percent of respondents said their organizations take an informal, unstructured approach to malware containment, and just 41 percent have automated tools for handling malware. Organizations spend an average of 587 hours per week containing advanced malware, with 199 hours of that time spent investigating malware and 230 hours spent cleaning and fixing malware. "We applied the average wage of an IT professional and multiplied that by the number of hours wasted by malware, and that results in cost savings of $1.3 million by not having people chasing things they shouldn't chase," says Larry Ponemon, head of the Ponemon Institute.




Underground Terror Network Said to Benefit Would-Be Jihadists in Europe
Wall Street Journal (01/30/15) Bisserbe, Noemie; Faucon, Benoit; Meichtry, Stacy

Friends and family of jihadists may receive safe harbor from Islamic State, even if they are not true members of the terror group. For example, Hayat Boumeddiene, who is wanted for questioning by French authorities about the attacks staged in Paris by her husband, Amedy Coulibaly, was allowed to pass an Islamic State border checkpoint in northern Syria earlier this month and given special treatment. There is no evidence that Coulibaly took orders from Islamic State, though a video released after his death showed him pledging his allegiance to the group. He did, however, use a grassroots terror network that has begun to center around Islamic State. Years before Coulibaly killed four hostages at a kosher grocery and a policewoman, terrorists were using a network to recruit and send French nationals to fight U.S. troops in Afghanistan. French authorities thought they had broken up the network, but interrogations and other documents show that a homegrown network has spread its influence across continents.


NYPD Plans Initiatives to Fight Terrorism and Improve Community Relations
New York Times (01/30/15) Goodman, J. David

New York Police Department (NYPD) Commissioner William J. Bratton envisions a future that includes patrol officers with more time to visit with community members and listen to their concerns. In addition, it will include more high-powered weapons for a new unit of specially trained officers focused on patrolling terrorist targets and protests. These two initiatives, announced by Bratton during his annual State of the NYPD address to the nonprofit Police Foundation on Thursday, highlighted the tensions in New York City between the desire of city officials to put a friendlier face on officers' day-to-day interactions with citizens they are sworn to serve and protect and a rising fear of terrorism by lone extremists. Bratton used his speech to outline his vision of a police force better equipped to respond to big events, and one that has greater insight into the issues affecting high-crime areas where distrust of the police is greatest. He also touched on everything from putting stun guns into the hands of more cops to replacing aging bulletproof vests to eventually outfitting the city's entire patrol force with body cameras. Improving frayed police-community relations has been one of Bratton's priorities since returning to head the department last year. Small efforts are already underway, including officers this week giving out movie tickets to young people for a screening of "Selma."


Libya Hit Shows Militants' Ambition
Wall Street Journal (01/28/15) Faucon, Benoit; Bradley, Matt; Schwartz, Felicia

An attack on a luxury hotel in Libya’s capital killed nine people, including an American, and stoked fears that the Islamic State militant group is expanding beyond the Middle East toward North Africa and Europe. A group calling itself Islamic State-Tripoli Province claimed responsibility over Twitter for the attack Tuesday morning on Tripoli’s Corinthia Hotel, a seaside complex popular with foreign businessmen, diplomats and journalists. The apparent international nature of its authors and target makes Tuesday’s attack stand out from the usual violence afflicting the North African nation, which has seen almost continuous factional fighting since longtime leader Moammar Gadhafi was killed in a popular uprising in 2011. A posting Tuesday on a Twitter account thought to be connected to the central Islamic State organization in Syria and Iraq described two of the attackers as their own. That claim is difficult to authenticate, but if further evidence surfaces that the self-proclaimed caliphate played a role, the attack could point to a growing footprint for a group whose rapid advance has unsettled much of the Middle East and drawn U.S. forces back into Iraq. Among those killed Tuesday was an American security contractor, David Berry, employed by the Virginia-based security firm Team Crucible LLC.


U.S. Spies on Millions of Cars
Wall Street Journal (01/27/15) Barrett, Devlin

The Justice Department has been secretly building a national database to track in real time the movement of vehicles nationwide, according to current and former agency officials and government documents obtained by the Wall Street Journal. Run by the Drug Enforcement Administration, this domestic intelligence-gathering program has been scanning and storing hundreds of millions of records about motorists. At the outset, the main goal was apparently to seize cars, cash, and other assets in an ongoing campaign to combat drug trafficking. However, Journal sources say the database's use has expanded to hunt for vehicles associated with a variety of other potential crimes, from kidnappings to killings to rape suspects. Justice Department officials have publicly acknowledged that they track vehicles near the Mexican border to help fight drug cartels. What has not been previously disclosed is that the DEA has spent years working to expand the database "throughout the United States," one e-mail reviewed by the Journal shows. This has enabled many state and local law-enforcement agencies to access the database for a wide array of investigations.


Beyond the Active Shooter
Security Management (01/15) Stowell, Holly Gilbert

Weld County School District RE-3J in rural Colorado encompasses 480 square miles along the I-76 corridor, but the area has only one local police department. In 2009, the district decided to standardize its response protocols across all schools, and implemented standards from the I Love U Guys Foundation, a national nonprofit school safety initiative founded by John-Michael Keyes. The concept is to use simple, effective procedures that can be activated at any time by an announcement over the public address system instructing students what to do. The protocols include response procedures for lockout, lockdown, evacuate, and shelter-in-place, and are used by more than 5,000 schools nationwide. Weld County also conducts quarterly safety committee meetings that are attended by administrators from all six schools in addition to local law enforcement representatives. The county's high school also has implemented the BluePoint Alert System, which features small blue boxes mounted throughout the school in addition to a mobile component in the form of a pendant worn by some teachers. In the event that law enforcement response is required, the pendant can be activated or the boxes' clear casing can be lifted and a lever pulled to set off an alert at BluePoint's central monitoring station. BluePoint has five such stations across the country, all of which operate around the clock and also incorporate redundant systems, such as power supply, computer networks, and communications systems.




Java Is the Biggest Vulnerability for U.S. Computers
CSO Online (01/26/15) Korolov, Maria

The penetration rate, vulnerabilities, and patch status of Oracle's Java make it the top security risk for U.S. desktops, according to Secunia ApS. Forty-eight percent of users polled by Secunia are not running the latest, patched versions, according to the report. The past year saw 119 new vulnerabilities identified in Java, which is installed on 65 percent of computers. Because the Secunia report used data from millions of users of Secunia's patch management software, it may underestimate the vulnerabilities. Apple QuickTime 7.x was the second-highest security risk, with 14 new vulnerabilities, 57 percent penetration on desktops, and 44 percent of users unpatched. Internet Explorer was found to have the most vulnerabilities, an increase to 248 from last year, but this may be because Microsoft is paying more attention to browser security. Secunia found 47 percent of vulnerabilities last year were due to Microsoft programs, 47 percent were due to third-party software, and 6 percent were due to the operating system. The report only covered private computers, but the data could apply to business environments, says Secunia's Kasper Lingaard.


Cybersecurity in 2025: What Gaps in Virtual Protection Must Be Addressed?
Government Technology (01/15/15) Lohrmann, Dan

The latest NASCIO survey suggests security is now back at the top of state CIOs' priorities, and former Michigan CISO Dan Lohrmann predicts this will continue to be the case moving forward. Lohrmann chooses to eschew the traditional year-ahead view of cybersecurity issues and looks at what issues are likely to matter to government CIOs in the next decade. The Internet of Things (IoT) is high on the list of items that are going to dominate security in the next year, but Lohrmann sees it becoming even more important over the longer term. Internet-connected technology is likely to become truly ubiquitous over the next 10 years, with everything from cars and household appliances to medical devices and passive sensors embedded in the built environment sporting some kind of Internet connection. The IoT will create not just new concerns about security, but about privacy, especially in a society that has been primed by the Edward Snowden leaks to be concerned about government surveillance in the high-tech age. Surveys show the average person also is becoming more aware and more concerned about cybersecurity issues, meaning governments will have to address those concerns, which range from cyber bullies to identity fraud and simple theft.


Malaysia Air Site Hacked, Some Customer Data Appears Online
Security InfoWatch (01/26/15) Chan, Kelvin

On Jan. 26, hackers defaced the Malaysia Airlines website and warned they would dump stolen information online after posting a glimpse of customer data obtained in the attack. The airline's site was down for at least seven hours, replaced by a message from the Lizard Squad hacker group, before the company brought it back online by mid-afternoon in Malaysia. The hackers changed the site to reveal a message saying "404-Plane Not Found" and that it was "Hacked by Cyber Caliphate" with a photo of one of the airline's Airbus A380 superjumbo jets. The browser tab for the website said "ISIS will prevail." The Lizard Squad has claimed responsibility for a variety of hacks over the past year, most aimed at media companies. The airline said it was a "temporary glitch" and said user data "remained secured"; however, Lizard Squad posted a link on its Twitter account to a screenshot of what seemed to be a passenger flight booking from the airline's internal email system. Malaysia Airlines said its domain name was "compromised" and users were redirected to the hacker group's website.


Akamai Predicts More Cheap Hacking Toolkits, Political Attacks Next Year
CSO Online (01/09/15) Korolov, Maria

Severe vulnerabilities such as Shellshock and Heartbleed will continue to emerge in 2015, according to a new Akamai Technologies report. Shellshock and Heartbleed prompted researchers to examine older technologies for potential security flaws, says Akamai's Bill Brenner. "With all the focus on SSL [Secure Sockets Layer] security holes and the transition to TLS [Transport Layer Security], expect researchers to start going over TLS with a microscope looking for flaws," he predicts. Brenner also says 2014's third quarter experienced an increase in the use of attack tools such as the Blackshades RAT and the Spike DDoS toolkit, in addition to DDoS attacks targeting vulnerabilities in Linux systems. Port 445 has traditionally been the port most targeted by hackers, such as by the Conficker worm, but in the last few quarters Port 445 has fallen from first place as an increasing number of old systems with the Port 445 vulnerability are taken offline, says Akamai's David Belson. As a result, hackers are now targeting Port 23, which is typically used for Telnet traffic. Hackers are using brute-force attacks to identify any remaining vulnerable Telnet ports. The report also found a higher number of DDoS attacks against enterprises, the media, and the entertainment sector and fewer attacks against commerce, the public sector, and high tech.


Cyber Security Is Growing in Importance for Medical Devices Too
Forbes (01/19/15) Poremba, Sue

As the issue of cybersecurity draws more attention, experts are pointing out that many medical devices are at risk for potential hacks. Although designers of medical equipment have never made cybersecurity a priority, new Food and Drug Administration (FDA) guidelines will change that. Manufacturers must now build new medical devices with cybersecurity functionality, although these functions will differ based on the devices' intended use, overall vulnerability concerns, and risks to the patient. The security functions to be included may be layered authentication levels, or timed usage sessions to ensure that the device is not connected to the network longer than necessary. These standards will not make the medical devices 100-percent effective against potential hackers, and they do not address the security risks of older devices already in use, which may not have the proper software for patches and fixes. "Many of these medical devices are implanted in their owners," says Don Weber, Senior Security Analyst with InGuardians. "However, if security vulnerabilities of a device or solution have been identified and disclosed, the owner and their physician can make educated decisions about these risks and determine how best to move forward with future care."


Abstracts Copyright © 2015 Information, Inc. Bethesda, MD

