Monday, April 5th, 2010

Security News, Information and Items of Interest

by Kelly Klatt

This week we have posted several security articles from prominent and respected sources in the industry for Security Consultants and those with the responsibility of providing a safe and secure workplace:

  • Covert Investigations: Cameras
  • Top execs need to be involved in cybersecurity, study says
  • Experts stress need to combat social engineering attacks
  • Guide puts a price tag on security breaches
  • FBI, DOJ Falling Short on Identity Theft: Report
  • How to Reduce Malware-Induced Security Breaches
  • Vulnerable Transit Systems Step Up Security
  • White House considers proposals to improve information sharing
  • In About-Face, Marines Lift Ban on Social Networking
  • Organizations Rarely Report Breaches to Law Enforcement

Covert Investigations: Cameras (CSO online, 4/1/10)

The elusive suspect had countered the manufacturing site security’s reactive measures for the last 3 months. Dogging the well placed but ineffective overt closed circuit television (CCTV) cameras, the unknown suspect gained access to the administration’s offices and finger-painted anti-corporation slogans along the walls with red paint for the fourth time. Even after increasing physical security patrols to that area, the stealthy suspect made his mark on the walls expressing his discontent for the company’s stock price.

An often simple, but miscalculated solution to this type of investigation and others like it is the use of covert video cameras. Catching your criminal red-handed, much like an undercover sting operation on COPS, can do wonders for solving your investigation. However, there are many technical considerations you need to know before you join the CIA’s black ops team. Read the rest of this article here.

Top execs need to be involved in cybersecurity, study says (Computerworld, 3/31/10)

Organizations with top executives who aren’t involved in cybersecurity decisions face a serious problem — a major hit to their bottom lines, according to a report released Wednesday. “Many organizations see cybersecurity as solely an IT problem,” said Karen Hughes, director of homeland security standards programs at the American National Standards Institute (ANSI), one of the major sponsors of the new report. “We are directing a wake-up call to executives nationwide. The message is, this is a very serious issue, and it’s costing you a lot of money.”

The report, called “The Financial Management of Cyber Risk,” recommends how C-level executives can implement cybersecurity risk management programs at their companies. Part of the goal is to get executives such as chief financial officers directly involved in cybersecurity efforts, said Larry Clinton, president of the Internet Security Alliance (ISA), the other major sponsor of the report. Read the rest of this article here.

Experts stress need to combat social engineering attacks (V3.co.uk, 3/31/10)

Administrators and security vendors must step up efforts to prevent social engineering attacks in the enterprise, according to security vendor Blue Coat Systems. The company said in its annual security report that, in addition to swifter analysis and protection, end users need to be aware of the practices commonly used to trick them into installing malware and releasing sensitive data. Blue Coat cited increasingly popular trends such as search engine optimisation and more sophisticated and targeted attacks, and said that companies need to make employees more aware rather than depend on new security tools and appliances.

“The increasing use of link farms to manipulate search engine results and prey on the trust users have in their internet experience drove many of the malware exploits we saw in 2009 and are continuing to see in 2010,” said Blue Coat senior malware researcher Chris Larsen. “To provide comprehensive protection in the face of these threats, enterprises need not only a layered defence but better user education.” Read the rest of this article here.

Guide puts a price tag on security breaches (Nextgov, 3/31/10)

Public and private sector chief financial officers should develop a budget that calculates the gross financial risk a security breach could pose to their organization, according to a new report from a U.S. standards body and a security trade association.

The 76-page guide comes in response to a 60-day White House review last year of the nation’s cybersecurity infrastructure that found quantifying the value of protection motivates organizations to address vulnerabilities. The document — written by the American National Standards Institute and the Internet Security Alliance, a nonprofit electronic industry group that is affiliated with Carnegie Mellon University — assigns dollar figures to information losses and advises CFOs on the financial management of cyber risk. Read the rest of this article here.

FBI, DOJ Falling Short on Identity Theft: Report (esecurityplanet, 3/31/10)

An audit by the Justice Department’s Office of the Inspector General reveals that while the FBI and Justice Department have made “various efforts” to fight identity theft crimes in recent years, these initiatives have “faded as priorities” mainly because the agencies have failed to develop a coordinated plan to deal with what’s become an epidemic of cybercrimes. The audit (PDF format) is the most recent and comprehensive review of federal law enforcement’s efforts to uphold The Identity Theft and Assumption Deterrence Act of 1998, a statute passed during President George W. Bush’s second term that made identity theft a federal crime.

And while there have been a handful of high-profile identity theft arrests and convictions, the OIG report found that the number of defendants both charged and convicted of identity theft actually decreased between 2008 and 2009, despite the fact that several independent surveys and reports show a dramatic increase in both the number of people and dollars lost to online identity theft scams. Read the rest of this article here.

How to Reduce Malware-Induced Security Breaches (eWeek, 3/31/10)

Malware has caused the industry to rethink its security best practices, introducing tools such as transaction verification to guard against real-time, man-in-the-middle attacks. Out-of-band authentication mechanisms are growing rapidly in popularity. While it is certain that malware will continue to evolve, Knowledge Center contributor Steve Dispensa offers four simple steps you can take to significantly reduce your malware-induced security breach exposure.

In a recent survey of IT professionals, over 32 percent felt that malware installed on PCs will pose the greatest external threat to IT security over the next 12 months. Over 16 percent indicated that malware on mobile devices presented the greatest threat. In total, malware running on PCs and mobile devices was ranked the top threat for 2010 by nearly 50 percent of respondents. Here is a closer look at the types of malware threats you should be prepared to face this year, as well as four concrete strategies your company can implement to protect against them. Read the rest of this article here.

Vulnerable Transit Systems Step Up Security (WSJ, 3/30/10)

The bombing in Moscow’s heavily traveled and often densely packed metro Monday offers a tragic reminder that subways, buses, and trains are particularly vulnerable to terrorists, with millions of people pouring in and out of them every day. Commuters and travelers use mass transit systems daily without going through metal detectors, baggage inspections, or any of the security measures commonplace at airports.

Since the Sept. 11, 2001, terrorist attacks and subway and rail bombings in London and Madrid, transit agencies have increased surveillance, adding cameras, more police and bomb-sniffing dogs. On Monday, many U.S. transit systems beefed up their security as a precautionary measure in the wake of the Moscow attacks. Read the rest of this article here.

White House considers proposals to improve information sharing (Nextgov, 3/30/10)

The White House is seriously considering proposals by a bipartisan task force to prevent lapses in information sharing among agencies that have allowed some terrorist plots to go undetected, according to members of the nonprofit panel. A task force assembled by the Markle Foundation, a New York-based think tank that studies health information technology and security issues, recommended on March 24 that the government expand the deployment of technologies that make it easy to probe existing information in agency databases to preempt attacks such as the attempted bombing of a Detroit-bound airplane on Christmas Day.

The proposals, which are based on past reports by the Task Force on National Security in the Information Age, were submitted to the House Judiciary Committee on March 24. The panel held a hearing that day to discuss improving information-sharing to prevent attacks such as the Christmas Day incident and the mass shooting at Fort Hood, Texas, in 2009, which killed 13 people. The bipartisan task force, which was established in 2002, includes information technology executives, policymakers, public interest advocates and specialists in privacy, intelligence and national security. It advises all levels of government on the use of terrorism-related information. Read the rest of this article here.

In About-Face, Marines Lift Ban on Social Networking (Wired.com, 3/30/10)

Last summer, the U.S. Marine Corps took a draconian approach to Web 2.0, issuing a sweeping ban on Twitter, Facebook, MySpace and other social media sites from its networks. In an order issued yesterday, the service changed course, issuing guidelines to encourage “responsible and effective use” of social networking technology. “The Marine Corps embraces and strives to leverage the advances of internet-based capabilities,” the directive states. “Effective immediately, internet-based capabilities will be made available to all MCEN [Marine Corps Enterprise Network] users.”

In addition to opening up YouTube and Google tools, it encourages Marine organizations to create a better online presence. Marine recruiters already use Facebook; Marine Corps public affairs uses Twitter. This new guidance gives the green light for other units to use the same tools. Read the rest of this article here.

Organizations Rarely Report Breaches to Law Enforcement (Dark Reading, 3/30/10)

Most organizations hit by breaches that don’t require public disclosure don’t call in law enforcement — they consider it an exposure risk, with little chance of their gaining any intelligence from investigators about the attack, anyway.

FBI director Robert Mueller has acknowledged this dilemma facing organizations that get hacked, noting in a speech at the RSA Conference last month that disclosing breaches to the FBI is the exception and not the rule today. But the FBI will protect victim organizations’ privacy and data, and will share what information it can from its investigation, he said, rather than continue with the mostly one-way sharing that organizations traditionally have experienced when dealing with the FBI.

Gary Terrell, president of the Bay Area CSO Council and CISO at Adobe, says different companies have their own rules about reporting to law enforcement. He says the feds have their own communications “protocol” for sharing classified information, but they don’t have a standard and confidential way to work with the private sector on breach investigations. And until the feds can work with NDAs, there won’t be much back-and-forth between companies and these agencies about breaches, he predicts. Read the rest of this article here.

Keep coming back for the latest security news and information.