Friday, March 27, 2015

Security Management Weekly - March 27, 2015

header

  Learn more! ->   sm professional  

March 27, 2015
 
 
Corporate Security
Sponsored By:
  1. "Pilot Screening Process Comes Under Scrutiny After Germanwings Plane Crash"
  2. "National Breach Notification Bill Advances"
  3. "Tech Firms and Privacy Groups Press for Curbs on NSA Surveillance Powers"
  4. "ISIS Hacks, FREAK Attacks Test Vulnerability Awareness"
  5. "The Backward/Forward Card Security Solution"

Homeland Security
Sponsored By:
  1. "Investigators Pursue Motive in Germanwings Crash"
  2. "Germanwings Plane Crash Throws Spotlight on Cockpit Security"
  3. "Yemeni President Flees as Rebels Take Base Vacated by U.S. Special Forces"
  4. "Israel Spied on Iran Nuclear Talks With U.S."
  5. "Saudi Arabia Launches Airstrikes on Houthi Rebels in Yemen"

Cyber Security
  1. "House Advances Cybersecurity Bill Despite Surveillance Fears"
  2. "Lessons From Hurricane Sandy Aid Cyber War Games"
  3. "New York to Investigate Insurers’ Cybersecurity Work After Hacks"
  4. "90 Percent of IT Pros Worry About Public Cloud Security"
  5. "Cyberthreat Bills Take Shape on Hill, With Key Votes Looming"

   

 
 
 

 


Pilot Screening Process Comes Under Scrutiny After Germanwings Plane Crash
Wall Street Journal (03/26/15) Pasztor, Andy; Carey, Susan

The apparently deliberate crash of Germanwings Flight 9525 into the French Alps this week is likely to prompt a reassessment of pilot screening protocols by regulators and industry leaders. Authorities say the co-pilot of Flight 9525 deliberately flew the plane and its 149 other occupants into a mountain. Carsten Spohr, CEO of Germanwings' parent company Deutsche Lufthansa AG, on Thursday said that he planned to discuss possible changes to the company's pilot training program with regulators and labor groups, though he expressed "full confidence" in its selection and training practices. Lufthansa is in fact seen as an industry leader when it comes to pilot screening, carrying out in-depth interviews as well as extensive aptitude and psychological testing to clear candidates before they enter its two-year training program. Fewer than 7 percent of applicants make it through the initial screening process. However, the push for more rigorous screening will likely extend beyond Lufthansa, as such standards vary from carrier to carrier across the world. While the United Nation's International Civil Aviation Organization does offer some guidance on psychological screening for pilots, none of it is considered binding on national regulators. The tragedy is also likely to focus attention on the rigorous training regimen that the Flight 9525 co-pilot underwent, which allows new pilots to begin flying with far fewer flight hours than under traditional licensing standards.


National Breach Notification Bill Advances
BankInfoSecurity.com (03/25/15) Chabrow, Eric

The Data Security and Breach Notification Act of 2015 moved a step closer to a U.S. House vote with its March 25 approval by the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade. If enacted, the bill would preempt breach notification statutes in 51 different jurisdictions in favor of a national ordinance. It also would usurp provisions in some state laws that frame specific security measures companies must take to protect consumers' personally identifiable information. The bill stipulates that organizations notify consumers of breaches no more than 30 days after they have taken "necessary measures" to ascertain the scope of the intrusion and restored the reasonable integrity, security, and confidentiality of the data systems. Under the bill, only businesses and other organizations would be required to deploy and maintain "reasonable security measures and practices" to shield personal information. One rejected amendment would have permitted states to define security measures. U.S. Rep. Frank Pallone (D-N.J.) warns the federal standard is opaque, and it "surely will be litigated and left to judicial interpretation."


Tech Firms and Privacy Groups Press for Curbs on NSA Surveillance Powers
Washington Post (03/25/15) Nakashima, Ellen

Leading U.S. technology firms and a coalition of privacy groups on Wednesday will send a letter urging Congress to place restraints on government surveillance as the deadline approaches to renew a set of key Patriot Act surveillance authorities. The coalition has promised to oppose any legislation that does not ban the "bulk collection" of Americans' phone records and other data. A set of key Patriot Act surveillance authorities expire June 1, but the effective date is May 21 — the last day before Congress breaks for a Memorial Day recess. "The status quo is untenable and ... it is urgent that Congress move forward with reform," said the letter, whose signatories include the Reform Government Surveillance industry coalition. Members of the group include Apple, Google, Microsoft and Twitter. The tech firms and privacy groups’ demands are a baseline, they say. Besides ending bulk collection, they want companies to have the right to be more transparent in reporting on national security requests and greater declassification of opinions by the Foreign Intelligence Surveillance Court.


ISIS Hacks, FREAK Attacks Test Vulnerability Awareness
Credit Union Times (03/22/15) Urrico, Roy

The $101 million-asset Southwest Montana Community Federal Credit Union in Anaconda, Mont., was one of several North American websites targeted by hackers that placed an ISIS flag on their home pages. While it remains uncertain whether the hackers were really connected to ISIS, the hacks had two common elements -- the use of the WordPress content management platform and the exploitation of a known vulnerability in a plug-in with an available patch. The credit union's CEO, Tom Dedman, admitted that it missed "updates to the software that drives the website." He noted that the hackers exploited a zero-day vulnerability -- a software gap unknown to the vendor -- and that the credit union "hadn't been getting the notifications on websites on zero-day vulnerabilities." San Diego cybersecurity expert Jim Stickley, CEO of Stickley on Security, says financial institutions must require third-party vendors to provide a list of all products incorporated during development, such as open source plug-ins. "The smaller financial institutions are not very good in patching and properly testing patches after installation," says Ondrej Krehel, founder/principal of the digital forensics and cybersecurity intelligence firm LIFARS.


The Backward/Forward Card Security Solution
Pymnts.com (03/24/15)

Since the beginning of 2015, there have been more than 20 major data breaches in the United States. Hacks are becoming more common than ever, but one company is taking a new approach to combating the ever-growing threat. FiTeq CEO Joan Ziegler's approach to the problem involves a sort of tokenization. FiTeq takes credit card data and makes it valuable only to the card's true owner. Instead of authorizing a purchase via account number, consumers are issued a one-time "data token" that changes with every e-commerce transaction. This makes cards otherwise useless to potential fraudsters. In addition, the three-digit code on the back of credit and debit cards is rendered useless because a new one is generated with each purchase. Consumer habits are trending toward mobile purchasing, so reinventing the way plastic cards record data could be considered unnecessary. However, Ziegler maintains that FiTeq's strategy is tailored toward current consumer practices, and when mobile purchasing becomes the norm, the company will be quick to adapt to changes.




Investigators Pursue Motive in Germanwings Crash
New York Times (03/27/15) Bilefsky, Dan; Clark, Nicola

Investigators are continuing to search for clues to help figure out why Andreas Lubitz, a German co-pilot, apparently slammed Germanwings Flight 9525 into a mountainside in the French Alps on purpose, killing all on board. On March 26, the French prosecutor leading the investigation said the evidence from the cockpit voice recorder suggested that Lubitz had locked the pilot out of the cockpit and set the plane on its descent. Investigators began researching Lubitz's background and among the issues that are likely to come under scrutiny are his family background, whether he had financial troubles, and his personal relationships. Investigators looked through evidence removed from Lubitz's apartment late Thursday. Markus Niesczery, a police spokesman, did confirm that a second name appeared on the doorbell of the apartment in addition to Lubitz's, but refused to give further information. Carsten Spohr, the chief executive of Lufthansa, said Lubitz passed the company's health checks, but six years ago Lubitz took a break from his training for several months, and stated that if the reason was medical, German rules on privacy prevented the sharing of such information. Investigators are still working to understand why the pilot left the cockpit. Additionally, members of a flight crew could use an override door to open the door if someone in the cockpit could not or would not let them in, but the co-pilot could have activated a switch that prevents the door from opening for five minutes, or found some other way to block the door, Spohr said. Some international airlines, including Air Canada and easyJet, have already introduced new rules requiring that two crew members always be present in the cockpit.


Germanwings Plane Crash Throws Spotlight on Cockpit Security
Wall Street Journal (03/27/15) Ostrower, Jon; Pasztor, Andy

Airlines and aviation regulators outside the United States are reexamining their existing safety practices after the initial findings on the Tuesday crash of Germanwings Flight 9295. French prosecutors suspect that the co-pilot deliberately downed the plane after locking the pilot out of the cockpit, prompting a discussion of tougher rules that include requiring two other people to be in a cockpit each time a pilot steps out. Europe currently does not require two crew members to be present at all times, but the U.K. air-safety regulator on Thursday called on airlines to review practices and make sure a pilot is never left alone. Deutsche Lufthansa AG, parent company of Germanwings, said that current policy allows one pilot to leave the cockpit temporarily during certain parts of a flight. Other carriers that include Air Berlin PLC, Norwegian Air Shuttle ASA, and Emirates Airline said they would implement a two-crew policy. Most Airbus A320 jets, much like the one involved in the recent crash, are fitted with a crew-controlled locking mechanism to keep unauthorized persons out of the flight deck.


Yemeni President Flees as Rebels Take Base Vacated by U.S. Special Forces
Time (03/25/15)

Yemeni President Abed Rabbo Mansour Hadi fled his home for an undisclosed location on Wednesday as the Shiite rebels known as Houthis advanced, officials reported. Hadi's flight came only hours after the Houthis' television station said they seized the al-Annad air base, where U.S. troops and Europeans had advised Yemen in its fight against al-Qaida militants. The advisers had fled the air base days ago, after militants briefly seized a nearby city. The air base is only 35 miles from the port city of Aden, where Hadi had established a temporary capital. The advance of the Houthis could bring Yemen into a civil war, as militias and military units loyal to Hadi fragment and speed the rebel advance. Hadi already has asked the United Nations to authorize a foreign military intervention there. The al-Annad air base, Yemen's largest, was vital to the U.S. drone campaign against al-Qaida in the Arabian Peninsula, but U.S. operations have been scaled back significantly due to the chaos in Yemen.


Israel Spied on Iran Nuclear Talks With U.S.
Wall Street Journal (03/24/15) Entous, Adam

Senior White House officials have learned that Israel was spying on closed-door talks last year among the United States and other world powers regarding Iran’s nuclear program. The Israeli operation was part of a broader campaign by Prime Minister Benjamin Netanyahu to help build a case against the deal's terms. Israel shared inside information with U.S. lawmakers and others to try to undermine support for the talks, which were meant to limit Iran’s nuclear program, current and former officials said. U.S. intelligence agencies discovered the operation while spying on Israel, although Israeli officials denied spying directly on U.S. negotiators. According to Israeli officials, Netanyahu and Israeli Ambassador Ron Dermer saw that they were about to lose the chance to increase pressure on President Obama. Netanyahu and Dermer calculated that a lobbying campaign in Congress could improve the chances of killing or reshaping a nuclear deal, but could damage relations with the White House. Netanyahu was concerned that Obama intended to reach a deal with Iran whether or not it was in Israel’s best interests.


Saudi Arabia Launches Airstrikes on Houthi Rebels in Yemen
Wall Street Journal (03/26/15) Schwartz, Felicia; Almasmari, Hakim

Several Gulf states, including Saudi Arabia, have launched airstrikes against rebel forces in San’a and elsewhere in Yemen. The attacks were launched Thursday morning, hours after Yemeni President Abed Rabbo Mansour Hadi fled by boat from the port city of Aden, where Iranian-backed Houthi militants approached. Adel Al-Jubeir, Saudi Arabia’s ambassador to Washington, said that the United States was consulted on the raid, and that six Gulf countries and at least four other nations participated in the military operation, though he did not name them. Jubeir said that the allies used force "with great reluctance" but that Saudi Arabia would “do what it takes” to protect Hadi and his government in Yemen. The White House said late Wednesday that the United States would provide logistical and intelligence support this military campaign, but would not participate directly. The decision to stage airstrikes heightens the rivalry between Sunni monarchies and predominantly Shiite Iran, and could also worsen sectarian tensions that jihadist groups such as al-Qaida may exploit.




House Advances Cybersecurity Bill Despite Surveillance Fears
National Journal (03/26/15) Volz, Dustin

The House Intelligence Committee on Thursday unanimously approved its Protecting Cyber Networks Act, despite privacy advocates' government surveillance concerns. The House and Senate are now both ready to act quickly on info-sharing legislation in April after lawmakers return from the spring recess.


Lessons From Hurricane Sandy Aid Cyber War Games
Financial Times (03/25/15) Chon, Gina

Speaking at the International Financial Services Forum in London for City Week 2015, U.S. Treasury Deputy Secretary Sarah Bloom Raskin discussed U.S. mock cyber attacks on financial firms. Lessons from natural disasters such as Hurricane Sandy will help financial regulators and financial firms address risks in upcoming cyber war games aimed at helping firms adapt and adopt procedures for an orderly shutdown and reboot in the event of a catastrophic cyber breach. In 2015, the United States and the United Kingdom will hold their first joint cyber war games, which will start with a simulation focused on the financial sector as a way to improve information-sharing between the two nations. Third-party vendors are of particular concern with regard to cyber threats because they are used by a number of banks for a range of services. Raskin said banks should know all of their third-party vendors that have access to their networks and data, confirm they have appropriate safeguards, and ensure they are adhering to those policies. Moreover, financial firms should include cyber security policies in contracts with vendors so that the rules can be enforced.


New York to Investigate Insurers’ Cybersecurity Work After Hacks
Bloomberg (03/26/15) Bloomfield, Doni

Insurers doing business in New York State must tell a regulator there about efforts to prevent computer hacking, detailing the precautions taken and the personnel devoted to the task. Benjamin Lawsky, superintendent of the state Department of Financial Services, said in a letter to insurers Thursday that they must provide the information by April 27 and submit to examinations by the agency. About 160 life, health and property & casualty insurers are affected. “The department intends to schedule IT/cybersecurity examinations after conducting a comprehensive risk assessment of each institution,” Lawsky wrote.


90 Percent of IT Pros Worry About Public Cloud Security
eSecurity Planet (03/20/15) Goldman, Jeff

The Bitglass 2015 Cloud Security Report shows that many IT security practitioners are concerned over public cloud security. More than 1,000 IT and IT security practitioners were surveyed and one third of respondents have experienced more security breaches with the public cloud than with on-premise applications. Only five percent said they were not concerned about security in the cloud. Respondents' top cloud security concerns are unauthorized access, hijacking of accounts, malicious insiders, insecure interfaces/APIs, and denial of service attacks. Still, 38 percent of enterprises store intellectual property in the cloud, 31 percent store customer data, 19 percent store sensitive financial data, and 8 percent store employee healthcare data in the cloud. The report discovered that nearly 80 percent of managers are concerned about personal cloud storage services operated by employees and the risk they pose regarding data privacy and leakage. Bitglass CEO Nat Kausik said the report confirms that cloud is growing, "with some 72 percent of organizations saying they are either planning to implement or are actively implementing cloud environments."


Cyberthreat Bills Take Shape on Hill, With Key Votes Looming
Wall Street Journal (03/24/15) Paletta, Damian

Top lawmakers on the House Permanent Select Committee on Intelligence introduced legislation Tuesday that would prod companies to share information about cyberthreats with each other and the federal government, the latest move by policy makers to craft a response to the growing number of data breaches. The panel’s chairman, Rep. Devin Nunes (R-Calif.), and its ranking Democrat, Adam Schiff of California, said the bill tries to balance privacy concerns with the need for more cooperation to prevent large-scale cyberattacks that have recently hit major American companies. The bill is one of at least three that have begun to march through Congress, and their differences will have to eventually be reconciled if any measure on the issue is to become law. The House Committee on Homeland Security is working on similar legislation, though there are key differences. The intelligence panel’s bill would require the White House to designate a single “portal” for companies to share cyberthreat information within a federal agency, so long as that agency isn't the Defense Department or the National Security Agency. The homeland security committee’s draft legislation, meanwhile, would mandate that the portal be housed within the Department of Homeland Security, an approach mirrored a few weeks ago by lawmakers on the Senate Select Committee on Intelligence.


Abstracts Copyright © 2015 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Security Management Online | ASIS Online

No comments:

Post a Comment