
Friday, February 26, 2010

Security Management Weekly - February 26, 2010


February 26, 2010
 
 
Corporate Security

  1. "The New Massachusetts Rules To Protect Consumers' Personal Information Go Into Effect on March 1; Companies Throughout U.S. Scrambling to Get Ready"
  2. "Feds Will Creatively Target Scammers" Justice Department Will Run More Undercover Operations
  3. "Can U.S. Get Tough on Intellectual Property Crime?"
  4. "Workers Behaving Badly" Employee Fraud
  5. "When Employees Vent" Social Networking Sites
Homeland Security

  1. "Texas Attack on Office Building Revives Debate Over Private Jets"
  2. "Airport Security Check to Include Swabbing Hands"
  3. "Information-Sharing Still a Roadblock"
  4. "U.S. Slow to Beef Up Homeland Security"
  5. "E-Verify Misses Half of Illegal Workers Checked"
Cyber Security

  1. "Cyber Attacks Cost Businesses Average of $2m Per Year, Says Symantec"
  2. "US 'Closes in on Google Hackers'"
  3. "Spike In Power Grid Attacks Likely In Next 12 Months"
  4. "Web 2.0 a Top Security Threat in 2010, Survey Finds"
  5. "The Web's Greatest Security Threats Revealed" Hackers Target Social Networking Sites



The New Massachusetts Rules To Protect Consumers' Personal Information Go Into Effect on March 1; Companies Throughout U.S. Scrambling to Get Ready
Boston Globe (02/26/10) Bray, Hiawatha

New regulations to protect personal information collected from consumers in Massachusetts are scheduled to take effect on March 1, and companies throughout the United States are scrambling to get ready. "We get requests almost daily from New Jersey, Texas, California, pretty much everywhere in the country," says John McDonald, security evangelist for RSA, a division of Hopkinton data storage giant EMC Corp. that makes products used by businesses and governments to protect sensitive data. The new rules are designed to prevent the loss or theft of confidential information about consumers, including Social Security numbers and credit card information. They were originally scheduled to take effect in January, but were delayed because many companies around the country were not prepared to comply. Under the rules, any institution that holds personal data about residents of Massachusetts must create a written policy for protecting the data, and must train employees to follow the rules. In addition, organizations must encrypt any personal information when it is transmitted over the Internet or a wireless data network. Data must also be encrypted when it's stored on portable devices like laptops or thumb drives, to protect against identity theft if the devices are lost or stolen. The cost and complexity of meeting the new standards may be offset by avoiding the high cost of a data breach. The Ponemon Institute surveyed 51 companies that had suffered security breaches and found the affected businesses lost $204 for every customer record that was compromised. Repairing the damage cost the least-affected company $750,000, while one firm's identity theft cost it $31 million.


Feds Will Creatively Target Scammers
Miami Herald (02/26/10) Weaver, Jay

In his keynote luncheon address at the American Bar Association's white-collar crime conference, Assistant Attorney General Lanny A. Breuer said that the Justice Department will be running more undercover operations targeting financial scams. "We are ... seeking fairly but firmly to go after criminal conduct where it exists. We also are striving to innovate in how we do business,'' Breuer said. "That could mean utilizing data and intelligence more strategically, or it could mean -- as we've seen in a couple of prominent cases recently -- going undercover." In his speech, Breuer cited the Galleon hedge fund case in New York, where federal prosecutors and FBI agents used court-authorized wiretaps and confidential sources to uncover a lucrative insider-trading scheme.


Can U.S. Get Tough on Intellectual Property Crime?
CIO (02/16/10) Cooney, Michael

Following several years of criticism, the Department of Justice announced that it has established a task force that will focus exclusively on fighting U.S. and international intellectual property (IP) crime. The task force will focus on strengthening efforts to fight intellectual property crimes by working closely with state and local law enforcement partners and international counterparts. The task force will also monitor and coordinate overall intellectual property enforcement efforts at the DOJ, with a greater focus on international IP enforcement, including the connections between IP crime and international organized crime. For years, critics have argued that the U.S. needs to do more to fight the over $200 billion counterfeit and pirated goods industry with better enforcement and increased penalties for violations. The Government Accountability Office notes that a variety of IP-protected products, ranging from luxury goods and brand name apparel to computer software and digital media to food and medicine, are counterfeited or pirated. Counterfeiting in industries where products have public health and safety components, like auto and airline parts, electrical devices, health and beauty products, batteries, pharmaceuticals, and food products, is a serious concern. Part of the problem in enforcing IP protection is the number of agencies involved. For example, personnel from the Departments of Commerce, Health and Human Services, Homeland Security, Justice, and State, and the Office of the U.S. Trade Representative and the U.S. Agency for International Development are all involved in IP efforts.


Workers Behaving Badly
The Conference Board Review (02/10) Liberman, Vadim

In the wake of market crashes and company frauds, many organizations have called for a zero-tolerance policy on unethical workplace behavior. There is always a line, however, somewhere between the unethical act of taking an office pencil and that of committing Enron-sized fraud. Some studies have shown that about one-third of company employees steal supplies occasionally, half of them do it regularly, and about one-fifth of them steal large amounts, meaning that nearly everyone does this at some point. Sociologists have suggested that companies may want to look the other way when workers commit small infractions, allowing them to let off some steam, rather than crack down on minor thefts that could fuel resentment and prompt a larger act of retribution. Other businesses have simply accepted the losses of stolen office supplies as a cost of doing business. Experts also acknowledge, however, that too much permission may lead to even greater infractions and losses in profit, while drawing the line between small problems and significant ones is usually difficult, if not impossible. To rein in smaller unethical actions, managers and executives may want to address specific problems that they have witnessed, such as suspicious expense accounts. This carries additional problems, says the article's author, Vadim Liberman, as a company may risk an even larger loss if its best workers are reprimanded, so "playing dumb to his self-appointed 'perks' might be not only your smartest move but also your most ethical if it means making enough money to keep other workers employed." At the same time, other employees may resent what they see as preferential treatment, so companies must engage in a cost-benefit analysis even when it comes to office ethics. Business-ethics consultant Lauren Bloom pointed out, "Unless you're talking about illegal things, ethics are always to some degree a bit of a judgment call." Ultimately, companies may not want to try drawing a line at all, but instead make sure their employees know what is generally expected, and are aware of the organization's overall values.


When Employees Vent
Security Management (02/10) Vol. 54, No. 2, P. 92; Anderson, Teresa

There are a number of lessons companies can learn from the case of Pietrylo v. Hillstone Restaurant, in which a New Jersey court and the U.S. District Court of Appeals for the District of New Jersey found that the company responded inappropriately to a private social networking group in which some employees complained about things that took place at work. Although the courts found that Hillstone Restaurant Group had a right to protect itself from harassment and humiliation, they also noted that it was inappropriate for a manager to pressure an employee to give him her log-on credentials for the group so he could read what was being said. Experts say that this case illustrates the importance of creating policies about social networking sites. Such policies should state that employees agree to cooperate in any investigation of improper use of a social networking site--particularly when such sites are being used to discuss safety issues at a company, trade secrets, or product-liability issues. Members of management, meanwhile, should be taught that employees have an expectation of privacy when it comes to things such as social networking sites. Companies may also want to consider monitoring social networking sites for any references made to them, though they should be sure not to break any laws or bypass a site's privacy settings. If a serious issue is discovered, companies may want to respond by taking legal action against the employee or employees involved. Less serious issues may be resolved by directly approaching the employee involved. Companies may even opt to fire an employee who says something negative about them on a social networking site, as they are well within their rights to fire at-will employees for any reason that is not discriminatory.




Texas Attack on Office Building Revives Debate Over Private Jets
USA Today (02/26/10) Frank, Thomas

The Transportation Security Administration (TSA) may propose new safety regulations for smaller, private aircraft later this year, with security rules taking effect in 2011. Most private planes are small, piston-engine aircraft used primarily for recreation and instruction, and are flown out of community airports. The government considers these planes too light and slow to cause major damage, but they have been receiving closer scrutiny after last week's crash in Texas, in which Joseph Stack deliberately flew his four-seat, piston-engine plane into an office building, killing himself and an office worker, and causing extensive damage to the building. The TSA will review the damage to help decide if it will consider new security measures, although Congress has been largely silent on the matter so far. Ed Bolen, CEO of the National Business Aviation Association, said private-aviation groups have begun their own security measures, and that new rules are unnecessary.


Airport Security Check to Include Swabbing Hands
Dayton Daily News (OH) (02/23/10) Gokavi, Mark

The U.S. Transportation Security Administration (TSA) has started random hand swabbing to test airline passengers for traces of explosives, as a response to the attempted bombing on Dec. 25. This process was tested in January at five airports in the Southeast, and will be expanded nationwide to airports such as Dayton International Airport. With hand swabbing, the TSA will use Explosive Trace Detection (ETD) machines, both fixed and portable. TSA spokesman Jon Allen said that the procedure did not delay passenger flow, and could take place at the security checkpoint, in line at the checkpoint, or at the gate area. If a passenger's swab tests positive, he or she would undergo additional screening to determine if there is an actual threat. Allen said that an estimated 7,000 ETD machines are already in use, having been employed for swabbing luggage and carry-on bags.


Information-Sharing Still a Roadblock
Baltimore Sun (02/22/10) West, Paul; Bykowicz, Julie

Several Obama administration officials met with the nation's governors on Feb. 21 to discuss a number of homeland security issues. Among the issues raised at the meeting of the new National Governors Association committee on homeland security and public safety was the sharing of information between federal, state, and local officials. According to John Brennan, President Obama's special assistant for homeland security, the sharing of information among officials at all levels of government has improved since the September 11, 2001 terrorist attacks, though he added that there is still room for improvement. Maryland Gov. Martin O'Malley, the committee's chairman, agreed, saying that the lack of information sharing among law enforcement and intelligence agencies has hurt the nation's ability to prevent and respond to terrorist attacks. O'Malley said the problem was particularly prevalent at federal agencies, where there is a "J. Edgar Hoover-based" fear that sharing information will hurt investigations. Also appearing at the meeting was Homeland Security Secretary Janet Napolitano, who said that a "paradigm shift" is needed in order to improve the sharing of information among local, state, and federal officials. Napolitano added that improving the sharing of information is an important issue in the fight against terrorism, and that it was one she has been working on for the past year.


U.S. Slow to Beef Up Homeland Security
Detroit News (02/23/10) Hurst, Nathan

Congress has failed to take action to implement many of the recommendations the 9/11 Commission made to improve the nation's homeland security nearly six years ago. For example, the 9/11 Commission called on the federal government to integrate terrorist travel intelligence, operations, and law enforcement into a single strategy aimed at preventing terrorists from traveling to training camps and to the United States. During the Bush administration, the growth of the intelligence community helped achieve the 9/11 Commission's goal of expanding the small terrorist travel collection and analysis program. However, linking that intelligence has been a difficult process. The difficulties in connecting various pieces of intelligence could be seen in the case of the attempted bombing of Northwest Airlines Flight 253. The father of bombing suspect Umar Farouk Abdulmutallab warned U.S. officials in November that his son was a potential threat, though his warning was not enough for other agencies to take steps to prevent the younger Abdulmutallab from flying to the U.S. Thomas Kean and Lee Hamilton, the co-chairs of the 9/11 Commission, say there are a number of reasons why action has not been taken on many of the recommendations, including politics and bureaucracy. They also noted that "turf wars" between intelligence and law enforcement officials in Washington have made it difficult to improve the nation's homeland security.


E-Verify Misses Half of Illegal Workers Checked
Associated Press (02/25/10)

A recent study commissioned by the Department of Homeland Security (DHS) found that the E-Verify system, which is intended to identify illegal immigrants who apply for jobs, only identifies 54 percent of illegal workers. This oversight is due to the fact that the system, which checks worker information against DHS and Social Security databases, is unable to identify those workers who use stolen or borrowed identities. However, the study also found that E-Verify--which is supported by Congress and the Obama administration--was able to correctly identify legal workers 93 percent of the time.




Cyber Attacks Cost Businesses Average of $2m Per Year, Says Symantec
Computer Business Review (02/22/10)

Seventy-five percent of organizations have been victims of a cyberattack in the past 12 months and lose about $2 million annually from such attacks, according to Symantec's latest survey. In the study, based on a January survey of 2,100 enterprise CIOs, CISOs, and IT managers from 27 nations, respondents said that enterprise security is becoming a bigger challenge due to shrinking budgets, new IT programs that multiply security risks, and IT compliance issues. The study found that more than four in 10 enterprises list cybersecurity as their number one concern, more than catastrophes, terrorism, and traditional crime combined. Although the overwhelming majority of respondents—94 percent—expect some changes in IT security this year, 48 percent anticipate major changes.


US 'Closes in on Google Hackers'
BBC News (02/22/10)

U.S. officials say they are close to identifying the source of the recent cyberattacks that affected Google and more than 30 other companies. According to a report in the Financial Times, the individual who is believed to have launched the attack is a Chinese "freelance security consultant" who published portions of the code he used in the attack on the Internet. In addition, the Financial Times noted that Chinese officials had "special access" to the code, which took advantage of a vulnerability in Internet Explorer that has since been corrected. News that U.S. officials are close to identifying the source of the attacks comes in the wake of revelations that China's Shanghai Jiaotong University and Lanxiang School may have been involved in the strikes. However, both schools have denied that they were involved.


Spike In Power Grid Attacks Likely In Next 12 Months
DarkReading (02/19/10) Jackson Higgins, Kelly

The Project Grey Goose Report on Critical Infrastructure, which analyzes threats to critical infrastructures, points to state and/or non-state sponsored hackers from the Russian Federation of Independent States, Turkey, and China as the greatest threats to energy providers and other networks. Such attacks are likely to rise in number and intensity in the next 12 months as smart grid research and pilot projects advance. The transition to IP-based and wireless networks from closed energy-generation and transmission networks has opened up a new window of opportunity for hackers. The new networks will eventually have better security because they will combine built-in security with stronger regulations, but they will be most vulnerable in the early stages. A minor-scale attack would be someone attempting to cut their energy bill, while a major attack could be an attacker who compromises the grid and then controls power distribution. Some worry that smart grid vendors and energy firms are putting too great a rush on releasing new technology and, as a result, not taking the time to properly secure them with the level of sophistication necessary.


Web 2.0 a Top Security Threat in 2010, Survey Finds
eWeek (02/22/10) Eddy, Nathan

Businesses concerned about overhead costs say social networking sites such as Facebook and Twitter pose a residual threat to their network security, finds Webroot's latest survey. IT administrators report that social networks, Web 2.0 applications, and other Web-based platforms enable the spread of malware, which they say will be the greatest information security risk in 2010. Webroot's data is culled from a survey of more than 800 IT experts in the U.S., U.K., and Australia. Of the respondents who said they believe their employers devote significant resources to fighting security threats, 60 percent reported attacks from spyware and viruses, 47 percent reported phishing attacks, and 35 percent reported hacking incidents.


The Web's Greatest Security Threats Revealed
InfoWorld (02/22/10) Barnett, Ryan

A recent analysis of the Web Hacking Incidents Database has found that hackers prefer to target social networking sites. According to the analysis, 19 percent of Web hacking incidents between January and June 2009 involved social networking sites such as Twitter and Facebook, making them the most targeted market. SQL injection attacks, in which hackers change the contents of a site's back-end database and inject malicious JavaScript, were the most commonly used attack method, accounting for 19 percent of all security breaches. Authentication abuse was the second most commonly used attack method, accounting for 11 percent of security breaches. In addition, the analysis finds that most cyberattacks were committed by criminals who were after money, though some were committed by individuals or groups who wanted to advance a political cause. All of the attacks tried to exploit the connectivity, complexity, and extensibility of the Internet to gain access to sensitive data. To protect themselves from these attacks, organizations need to develop effective Web security strategies that identify any abnormal actions and connect them with the user who performed them. This strategy also should make it possible for organizations to quickly respond to security breaches and correct any vulnerabilities.
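The abstract above names SQL injection as the most common attack method in the incidents analyzed and calls for strategies that spot abnormal actions and tie them to the user who caused them. The following added example (not code from the InfoWorld article or the Web Hacking Incidents Database) shows the defect beside its fix on a constructed in-memory SQLite table: a lookup built by string concatenation, the same lookup with a bound parameter, and a result-shape check of the kind a defender can log and alert on. The table contents, user names and the `anomalous_result` check are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a site's back-end user table.
SAMPLE_USERS = [
    ("alice", "hash-for-alice"),
    ("bob", "hash-for-bob"),
]


def make_db():
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Defective pattern: the submitted text is spliced into the SQL statement,
    so quote characters in the input change the statement's structure."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Hardened pattern: the SQL text is fixed and the value is bound separately,
    so the input is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def anomalous_result(rows):
    """Detection check (assumption for this example): a lookup keyed on a single
    username should return at most one row. More than one is a sign the query
    did not mean what the application intended and is worth logging with the
    submitted input and the requesting account."""
    return len(rows) > 1


def demo():
    """Run both lookups on a normal value and on a quote-bearing value and
    return the observed rows so the difference can be inspected."""
    conn = make_db()
    normal = "alice"
    # Constructed input containing a quote character, as a form validator or
    # web application firewall would see it in a request log.
    tampered = "x' OR '1'='1"
    results = {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_tampered": lookup_vulnerable(conn, tampered),
        "parameterized_normal": lookup_parameterized(conn, normal),
        "parameterized_tampered": lookup_parameterized(conn, tampered),
    }
    results["flagged"] = [k for k, v in results.items() if anomalous_result(v)]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated query returns every user for the quote-bearing input, and only that case trips `anomalous_result`; the parameterized query returns nothing for the same input because the whole string is compared as a literal username. Binding parameters is the fix; the row-count check is one concrete way to turn "abnormal actions" into a log event that carries the offending input and the account that sent it.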


Abstracts Copyright © 2010 Information, Inc. Bethesda, MD

