INTERNATIONAL FOUNDATION FOR CULTURAL PROPERTY PROTECTION
News
Reposted from TechRepublic
Nearly half of companies do not have an overall information security strategy, according to a new report from PwC. Here's how leaders can step up cybersecurity measures.
Despite the rise of ransomware and other malicious attacks, 44% of companies worldwide said they do not have an overall information security strategy, according to the 2018 Global State of Information Security Survey from PwC.
Further, 48% of the 9,500 executives surveyed across 120 countries said they do not have an employee security awareness training program, and 54% said they do not have an incident response process.
"Many organizations need to evaluate their digital risk and focus on building resilience for the inevitable," said Sean Joyce, PwC's US cybersecurity and privacy leader, in the report.
Cybersecurity preparedness varies widely between countries worldwide, PwC found. Nations most likely to employ an overall security strategy include Japan (72%) and Malaysia (74%). Both countries are in East Asia and the Pacific, where the World Economic Forum says cyberattacks are among the top five business risks.
Business leaders must take greater responsibility for building cyber resilience in their companies, the report stated. In the private sector, leaders responsible for driving business results must also be held accountable for the associated risks of doing business. Boards must also exercise oversight and proactive risk management, PwC noted.
However, only 44% of companies reported that their corporate boards actively participate in security strategies or investment plans.
"Many boards still see it as an IT problem," Matt Olsen, co-founder and president of business development and strategy for IronNet Cybersecurity, who formerly led the US National Counterterrorism Center, said in the report. Perhaps due to their lack of involvement, few board members said they feel confident that their companies are properly secured against cyberattacks, according to the National Association of Corporate Directors' 2016-2017 surveys of public and private company directors.
The role of the CISO continues to grow in importance, with more of these professionals reporting directly to the CEO now than in the past, the report found. Some 52% of respondents said their organizations employ a CISO, while 45% said they employ a chief security officer. Some 47% said they employ dedicated security personnel to support internal business operations.
"The CISO must help the board understand where the company stands in providing cybersecurity for the company networks," Keith Alexander, the founder and CEO of IronNet Cybersecurity, who formerly led US Cyber Command and the National Security Agency, said in the report. "The information provided should include any cyberattacks that have occurred, as well as shortfalls in training, equipment and tools in the cyber domain. The CISO must highlight shortfalls so the board can execute their responsibilities in understanding and addressing risks facing the company."
PwC offered the following five tips for business leaders who want to better protect their companies from attacks.
1. Engage the C-suite and the board
Senior leaders driving the business must take ownership of cybersecurity policies and practices, the report stated. Setting a top-down strategy to manage cyber and privacy risks across the enterprise is key, and a risk management strategy should be informed by understanding the threats facing the organization, and knowledge of which assets require the most protection.
2. Work to achieve resilience, not to simply avoid risk
Companies that achieve greater risk resilience will see stronger, long-term economic performance than those that take a more reactionary stance, the report noted. For example, the report said, the Japanese companies that built business-continuity management procedures into their enterprise risk management programs before the 2011 tsunami were able to resume operations faster than their competitors.
3. Purposefully collaborate, and leverage lessons learned
Industry and government leaders must work across organizational and national borders to identify, map, and test cyber-dependency and interconnectivity risks, the report said. Leaders must also work together to deal with problems such as accountability, liability, responsibility, and consequence management.
4. Stress-test interdependencies
All industries worldwide should conduct stress tests with simulated cyberattacks designed to inform risk management, the report said. These stress tests should be able to answer the question, "Can I withstand the failure of others on whom I depend?"
5. Focus more on risks to data manipulation and destruction
Integrity will soon take the place of confidentiality as the most important goal of cybersecurity in the private sector, according to computer security analyst and risk management specialist Dan Geer, cited in the report. Planning for integrity failures helps companies recover and restore trustworthy data after an attack that manipulates or destroys it. The growing use of blockchain will likely impact this as well, the report noted.
"The bottom line is that leaders can seize the opportunity now to take meaningful actions designed to bolster the resilience of their organizations, withstand disruptive cyber threats and build a secure digital society," according to the report.
Reposted from Security Management
Twenty-thousand strong marched in protest in Bogotá in 2011 at the Colombian government’s plans to cut university spending. The protestors retained a student-led atmosphere of goodwill and the only simmering of potential aggression was due to the presence of the Colombian Police’s Riot Control Unit (ESMAD) parked on strategic side streets.
I was in downtown Bogotá on the second floor café above the throngs with a tourist from Seattle, watching students from all over Colombia protesting the bill pushed through by President Juan Manuel Santos’ government to reform higher education by introducing a profit motive.
“I wish my daughter could be here to witness this,” the Seattle visitor told me. “It’s a healthy display of the young airing their grievances with a government decision. We don’t see this anymore in the United States.”
Protest participants were handing out carnations to members of the ESMAD, and placards were held aloft announcing the arrival of different student bodies. With several years of experience as a foreign correspondent in Colombia, I knew better than to drop my guard despite the festive mood, as if these students had somehow lost their way en route to a humanities class.
And my instincts were right, as the carnival atmosphere was threatened by an undercurrent of disobedience as masked agitators—armed with spray paint canisters—left shop windows and walls emblazoned with slogans: “Pensar diferente no es un crimen.” Translation: “Thinking differently isn’t a crime.”
From our present vantage point we were safe, unless the protest turned violent, as it has been proven time and again that an emotionally charged crowd of people can be swayed from grief or merriment to sadistic dementia in a second.
After all, if the ESMAD fired off tear gas, where would we go? The only exit from the café would be down a narrow flight of stairs and out onto the Carrera Séptima, the principal thoroughfare for all demonstrations in Bogotá as it leads directly to the Plaza de Bolívar and the Palacio Nariño seat of power—hardly an ideal route.
Strikes, marches, and demonstrations are a routine occurrence in Colombia, set against the backdrop of the Colombian armed conflict—currently the longest-running in the hemisphere. And in 2016, in the lead up to and after the signing of a final peace accord with the Revolutionary Armed Forces of Colombia (FARC rebels), these may increase as disgruntled sectors of the country’s society feel their needs and complaints are not being heard.
If President Santos makes good on his promise to bring the final accords to a referendum, so people can vote in favor or against it, there will be many opportunities for people to make their cases heard by pounding the streets.
As a Bogotá-based journalist, the possibility of being caught up in some kind of social unrest during the course of my work in 2016 is high. To help plan for the worst, I picked the brain of a trusted security expert—Ben Hockman, senior consultant at Control Risks, a global risk management consultancy specializing in helping clients operate in complex and hostile environments.
Planning
Even with experience witnessing challenging demonstrations across South America, from Bolivian miners threatening to hang themselves by the neck from a bridge, to facing off with police and throwing sticks of dynamite along each avenue leading up to La Paz’s Plaza Murillo, to politically charged May Day lawlessness, I know better than to stay too close to the action.
This experience with the issues of violence and potential lawlessness in demonstrations in Latin America has helped me in the past. But before hitting the streets, Hockman suggests I take the following into account when I’m planning to cover an event.
Gather intelligence. Know the immediate area, the wider area, and all evacuation options. Determine what the political and economic situations are.
Study the basics of the local political and economic situation. A well prepared traveler to Venezuela might avoid wearing red t-shirts in and around Caracas, for instance, in the current climate of social unrest.
Have a Go Bag. Collect identification documents, copies, snacks, cash for emergencies, water, basic first aid kit, and put them into a bag to take with you.
Print physical copies of maps from apps. Don’t rely on applications such as Waze or Google Street View, as Internet access may go down in the midst of unrest.
Know in advance where help points are located and how to get to them.
Have a back-up communication plan and prepare for network infrastructure failure. Have a replacement cell phone, a radio, or a walkie-talkie.
Be conscious of your wardrobe. Are you able to change your look quickly? What happens if you are in olive drab and resemble the military?
As Hockman advises, before even approaching a demonstration, I should know the lay of the land—or at least have in my possession a map of the area where I will be engaging with the event.
I also need to keep myself abreast of the type of demonstration that is taking place: is it political, is violence likely? I should check for security forces and know the general current of feeling in the city and country at that precise moment, in addition to having investigated the outcomes and reactions to past demonstrations.
Additionally, as a 6-foot-tall Caucasian male, I know I’m going to stand out in a melee of rioting Bolivian miners. The question is if that makes me more—or less—of a target.
And in extreme situations where a demonstration may lead to military deployment and a challenge of the political regime, it’s crucial to have my passport and tickets out of the country on hand.
Responding
As the tourist from Seattle and I watched the main cadre of students pass by during their protest, I was right to be concerned. Things were heating up, and paint bombs were being hurled at government buildings.
Our exit option was limited and there would be precious little space for movement on the street because of the numerous protestors. To get out of the café, the tourist and I would need to keep close, head to the edges of the protest, and move with the crowd as if negotiating a strong ocean current, before slipping away down a side street.
The aim would be to get out, avoid a possibly trigger-happy police front line spraying pepper spray or tear gas, and escape injury in the process.
To help think through our escape plan—if it became necessary—I ran through Hockman’s checklist on what to do if caught in the midst of a violent protest.
Remember your principal objective is to put as much distance as possible between you and the unrest. If you fail, plan b will be to seek appropriate cover—alleyways, buildings, or vehicles.
Control your emotions. Try to remain as calm as possible.
Keep anyone in your party close—maintain a distance within reach or physical contact, and agree on safe meeting points ahead of time in the event that you are separated.
Keep moving, but don’t run.
Move with the crowd and don’t draw attention to yourself. Look for exit options to side streets and your help points—alleys, safe zones, or alternative cover.
Make yourself compact while moving. Protect your head, neck, face, and vital organs. Do not get pushed against or blocked by solid objects.
Watch your footing and obstacles on the ground.
Move between “waves of crowd movements.”
Avoid major roads and sites.
If gas or pepper spray is released, cover your airways with clothing but try to keep your hands free.
Do not approach the front line of police.
Avoid interaction with demonstrators or security forces.
Avoid confrontation with any party.
If you find yourself on the ground, try to stand as quickly as possible. If you can’t stand up, curl yourself into a ball to protect vital organs and try to regain your footing as soon as possible.
If you’re in a vehicle, stay in the vehicle. If gun shots sound, determine their origin and the target before driving away or running away. Sudden movements can draw attention from both protestors and the security forces, particularly during exchanges of fire, so have a plan before you move.
Luckily, the worst of the violence was defacement of property and a couple of skirmishes during the student protest in 2011, and we were able to safely leave the café.
The Aftermath
Fast forward four years, however, and I was again in the midst of some social unrest in the form of the Colombian Farmers’ Protests of 2015. Thousands of farmers were protesting to demand that the government comply with reforms it agreed to in 2014, accusing it of failing to implement measures to reduce debt and control the price of fertilizer. It was clear that the Colombian people were largely in favor of the protests, and on key dates 45,000 people had taken to the streets to demonstrate.
This time the feeling was different and the carnival atmosphere of the student-led demonstration was replaced with a more sinister and aggressive sentiment. And, as was to be expected, pandemonium ensued.
At the height of the turmoil, there was a period of four hours when police used tear gas on rioters throwing petardos (flash-bombs) that injured the police and the public. None of the injuries appeared serious, however, in what was Bogotá’s worst street violence since protesters in March 2012 against the city’s municipal bus system were attacked by young vandals.
This was clearly a demonstration to avoid, and Hockman gave me the following tips to manage the immediate aftermath of violent social unrest.
Avoid public transportation.
Check for injuries and, if necessary, seek medical help. The immediate adrenaline rush experienced during violent unrest might mask injuries.
Report in to your office or family as frequently as you can.
Consider the possibility of mild post-traumatic stress disorder and seek medical attention where necessary.
Colombia will face a new wave of emotionally and politically fueled demonstrations in 2016 and beyond. As the government seeks to sign off on a peace accord with the FARC and entice the country’s second guerrilla group—the National Liberation Army—to the negotiating table, demonstrations will be the norm.
It pays to be prepared, and to fully consider the advice provided by experts in the field.
Description
Urban Emergency Management: Planning and Response for the 21st Century takes the concepts and practices of emergency management and places them in the context of the complex challenges faced by the contemporary city. Cities provide unique challenges to emergency managers. The concentrated population and often dense layering of infrastructure can be particularly susceptible to disasters—both natural and human-caused. The book provides guidance across all phases of emergency management, including prevention and all-hazards approaches.
Readership
Practitioners in urban emergency management; undergraduate and graduate students in emergency management programs, with a focus on urban practices
Copyright: © Butterworth-Heinemann 2018
Published: 27th September 2017
Imprint: Butterworth-Heinemann
About the Author
Thomas Henkey
Thomas Henkey served for six years as Senior Emergency Management Coordinator for the City of Chicago, where he was responsible for disaster planning and response, as well as special events, physical security, infrastructure, transportation, and antiterrorism analysis. Mr. Henkey also has nearly 15 years of experience in a range of private-sector and nonprofit safety and security management roles. He is currently the Director of Emergency Management for Titan Security Group. Mr. Henkey is a Certified Emergency Manager (CEM), a Certified Institutional Protection Manager (CIPM II), and a member of the International Association of Emergency Managers, the ASIS Cultural Properties Council, the International Foundation for Cultural Property Protection, the Illinois Security Professionals Association, and the Chicago Council on Global Affairs. He is the vice-chairman of the Chicago Cultural Properties Security Group, and the former chairman of the ASIS International Museum Committee. Mr. Henkey holds undergraduate degrees from St. Louis University, and a Master’s Degree in Emergency and Disaster Management from American Military University.
Affiliations and Expertise
Director of Emergency Management, Titan Security Group
OPTEX iSeries Wireless Photobeam Detectors, Powered by Inovonics Wireless Technology, Awarded the 2017 SSI Security Solutions Award in Intrusion Detection
OPTEX, a global leader in indoor and outdoor security sensors, and Inovonics, an industry leader in high-performance wireless sensor networks for life safety applications, proudly announce that the OPTEX iSeries Wireless Photobeam Detectors, powered by Inovonics wireless technology, have recently been awarded the 2017 SSI Security Solutions Award, in the Intrusion Detection category. The announcement was formally made at the 63rd ASIS International Annual Seminar and Exhibits taking place Sept. 23-27 in Dallas, Texas.
The SSI Security Solutions Awards program distinguishes and spotlights manufacturers and vendors whose electronic security solutions have been proven in the field to meet security, safety, or other organizational needs for end users.
The winning iSeries Wireless Photobeam Detectors offer a battery-powered, wireless, quad-beam, 350 ft point-to-point perimeter solution that eliminates the need for trenching or cables, and meets the copper-theft-proof and damage-resistant requirements of a large electric power company. An Inovonics EN1941 wireless transmitter is pre-installed and includes a battery expansion option for up to ten years of battery life. As an award recipient, OPTEX will be profiled in SSI’s annual December Technology Issue, and spotlighted online and through other electronic media.
Reposted from Business Matters
Establishing a safe working environment is not as easy as it seems. Creating a set of policies and getting them implemented is not always enough, mainly because of the complex challenges employers and employees now face.
At the same time, workplace safety is a serious and important issue to attend to and there are regulations put in place to make sure every workspace is as safe as it can be.
Aside from the general aspects of safety, such as installing a sprinkler system to limit fire damage, there are small details that can also greatly influence safety at the office. In this article we take a look at the workplace safety details you must never neglect.
An Orientation Program
The lack of a thorough safety orientation program is still noted as one of the most common causes of workplace accidents. An orientation program helps new employees get familiar with the company’s safety policies and objectives, which is why it is very important to have an orientation program in the first place.
Training sessions and refresher courses are also important. Proper training sessions can reduce work-related accidents by as much as 80% in many cases.
Documentation
Similar to improving other parts of the business, a company can improve its safety policies by learning from its mistakes. To be able to learn from your mistakes effectively, a logging or document system needs to be put in place.
Keep a register of all injuries and accidents in the workplace. Use the log to evaluate your safety policies and how they are implemented. You can even perform deeper analysis and compare data from one period to another. This way, keeping track of the company’s progress in providing employees with a safe working environment is easier to do.
Get Employees Involved
While company management makes the final decisions, employees are the ones actually facing challenges in the workplace. The best way to improve office safety is by letting employees get involved in the creation of the company’s safety policies.
It’s never too late to start hearing input from employees. The next time a safety audit or evaluation is due, get employees involved in the process. Don’t just listen to their input either. You need to act on the feedback you receive from employees, especially when the changes can help reduce workplace-related safety risks immediately.
Pay Attention to Electrical Safety
We rely on technology more and more these days. Computers are helping companies and their employees be more efficient in many ways. Intranet and the internet, along with good networking, are just as important, mainly because they allow faster and more effective communication.
The more electrical appliances a company uses, the more important electrical safety becomes. Malfunctioning electrical equipment doesn’t just pose risks to the company’s productivity level; it is also a risk to employee safety.
Networking cables, for example, must not be allowed to run across the floor unprotected. Exposed cables pose a serious trip hazard and can even cause fatalities. Good data cabling support keeps cables close to the ceiling, and desk cable management services help keep every employee’s workspace free of cluttered cables. If this is an issue you know is present in your office, get in touch with a support service such as ACCL, a London-based company that can install and maintain your system for you.
Information Security
Workplace safety in today’s modern world needs to cover more than just physical safety. The policies you put in place must also govern how to handle information security, especially since over 80% of today’s business operations are recorded and stored digitally.
Having a good backup procedure in place is a good start. You can save the company a world of trouble with the help of automated backups. Storing backups in remote locations – including in the cloud – also helps with restoring the company’s operations in the event of a catastrophic disaster.
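One way to make the backup advice above testable, as an added example that is not code from the Business Matters article: a Python routine that archives a directory, records a SHA-256 digest of the archive and of every file in it in a manifest, then restores the archive into a scratch directory and re-checks every digest, refusing any archive entry that would land outside the restore directory. The directory layout, file contents and archive name are constructed for the demonstration; the remote or cloud copy the article mentions is outside the scope of this snippet.

```python
"""Backup with an integrity manifest and a restore test.

Added example: not code from the Business Matters article. Directory
layout, file contents and archive name are constructed; the remote copy
the article recommends is outside this snippet.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def file_digests(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, dest_dir: Path, name: str):
    """Write name.tar.gz and name.manifest.json; return both paths."""
    archive = dest_dir / f"{name}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(source), arcname=".")
    manifest = {"archive_sha256": sha256_file(archive), "files": file_digests(source)}
    manifest_path = dest_dir / f"{name}.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def safe_members(tar: tarfile.TarFile, dest: str):
    """Yield only regular files and directories that stay inside dest."""
    dest_real = os.path.realpath(dest)
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest_real, member.name))
        if target != dest_real and not target.startswith(dest_real + os.sep):
            raise ValueError(f"refusing {member.name!r}: escapes restore directory")
        if not (member.isfile() or member.isdir()):
            raise ValueError(f"refusing {member.name!r}: not a regular file or directory")
        yield member


def verify_restore(archive: Path, manifest_path: Path) -> list:
    """Restore into a scratch directory; return a list of problems (empty = good)."""
    manifest = json.loads(manifest_path.read_text())
    problems = []
    if sha256_file(archive) != manifest["archive_sha256"]:
        problems.append("archive digest mismatch: stored archive is corrupted or altered")
        return problems
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, members=safe_members(tar, scratch))
        restored = file_digests(Path(scratch))
        expected = manifest["files"]
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"content mismatch after restore: {rel}")
        for rel in restored:
            if rel not in expected:
                problems.append(f"unexpected file in archive: {rel}")
    return problems


def demo() -> list:
    """Back up a constructed directory, verify it, corrupt it, verify again."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "records"
        (source / "sub").mkdir(parents=True)
        (source / "incidents.csv").write_text("date,location,severity\n2017-09-27,lobby,low\n")
        (source / "sub" / "policy.txt").write_text("visitors sign in at the front desk\n")
        archive, manifest = create_backup(source, work, "records-2017-09-27")
        clean = verify_restore(archive, manifest)
        # Flip the last byte of the stored archive to simulate silent corruption.
        with open(archive, "r+b") as f:
            f.seek(-1, os.SEEK_END)
            last = f.read(1)[0]
            f.seek(-1, os.SEEK_END)
            f.write(bytes([last ^ 0xFF]))
        corrupted = verify_restore(archive, manifest)
    return [clean, corrupted]


if __name__ == "__main__":
    for result in demo():
        print(result or "restore verified")
```

Run the restore check against the copy that actually lives at the remote location, not the local original, and run it on a schedule: a backup that has never been restored is an assumption, not a control.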
Work Well-being
As mentioned earlier, safety policies are only as good as the way they are implemented. To get these policies implemented properly, you need the support of your employees. This can only be achieved when employees are focused and aware of their surroundings. This is where work well-being comes in.
In recent years, companies are starting to invest more in the comfort of their employees. An ergonomic chair, a suitable desk, and even facilities such as an on-site gym or a comfortable break room are there to help employees stay comfortable throughout the day. By keeping employees comfortable, you are helping them focus on the tasks at hand, including maintaining maximum office safety.
Use Signs and Instructions
Last, but certainly not least, don’t hesitate to use signs and safety instructions when necessary. Many companies, especially newer ones, don’t really install safety signs and instructions at the office because they tend to look formal and daunting.
You actually have a lot of freedom with the design and placement of safety instructions, so take advantage of simpler, more modern signs to remind employees about safety in the office. This too will help improve workspace safety by a substantial margin.
Reposted from Campus Safety Magazine
With the common denominator of IP networks as their backbone, building automation, security and, in particular, access control systems are increasingly coming together. The myriad data these systems put forth, often through a shared protocol such as BACnet or SNMP, makes it possible to create not only a safe building, but a smarter and more energy-efficient one. The convergence cuts both ways, however: BACnet/IP as commonly deployed has no authentication, and SNMP v1 and v2c protect their data with nothing more than a plaintext community string, so a shared network needs segmentation and its own access controls if the security system is not to inherit the weaknesses of the building-management one.
The intersection of energy savings with smart building objectives can often ride on the information supplied by access control data. By knowing the occupancy of a particular building or sector within a structure, captured through entry and/or exit readers, it becomes possible to implement heating and cooling, lighting and fresh air ventilation controls based on the number and location of individuals.
With heating and cooling systems, the best savings come in seldom-used areas, where the HVAC system can operate in standby mode, rather than being subjected to a particular on-off schedule.
While such an operation isn’t recommended for a large-scale system — you wouldn’t want to heat up the entire building for just one person coming in on a weekend — it can be advantageous in areas where occupancy minimums are more easily reached.
Access control systems can be programmed to control lighting circuits based on occupancy. Once a card is presented to the reader, the system can then begin turning on the appropriate lights based on where that person’s office is located.
And unlike motion sensors, which can also be used to control lights, there are no minimum “on” times with a programmed system, so once a person badges out, the lights go off.
Ventilation is another component of the energy-saving capabilities tied to access control. While the amount of fresh air in a building is governed by building codes, the requirement is usually expressed as a volume of fresh air per minute per person.
So, if the number of people in an area can be measured via the access control system, then the amount of fresh air can be adjusted, saving the expense of conditioning that outside air.
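The occupancy logic the preceding paragraphs describe, as an added example that is not code from the Campus Safety article or from any access-control or building-automation product: it replays a constructed badge-event log, keeps a per-zone head count from entry and exit reads, derives the lighting, HVAC-mode and fresh-air decisions from that count, and flags the badge anomalies (a second “in” with no “out”, an “out” with no “in”) that tailgating and card pass-back produce. The zone names, card numbers and fresh-air rates are assumptions; a real deployment takes the per-person rate from the applicable code.

```python
"""Occupancy-driven lighting, HVAC mode and fresh-air setpoints derived
from access-control reader events.

Added example: not code from the Campus Safety article or from any
access-control or building-automation vendor. Zone names, card IDs and
the ventilation rates below are assumptions made for the demonstration.
"""
from dataclasses import dataclass, field

# Constructed badge events: (timestamp, zone, reader direction, card id).
SAMPLE_EVENTS = [
    ("08:00", "floor2", "in", "C100"),
    ("08:05", "floor2", "in", "C101"),
    ("08:06", "floor2", "in", "C101"),  # 'in' again with no 'out' in between
    ("09:00", "lab", "in", "C200"),
    ("12:00", "floor2", "out", "C100"),
    ("12:30", "floor2", "out", "C101"),
    ("17:00", "lab", "out", "C200"),
    ("17:05", "lab", "out", "C201"),   # 'out' from a card never seen entering
]

# Assumed ventilation policy (illustrative numbers, not from the article
# or from any building code): fresh air per occupant, a floor for any
# occupied zone, and nothing extra while the zone is empty.
CFM_PER_PERSON = 20.0
MIN_CFM_OCCUPIED = 30.0
CFM_UNOCCUPIED = 0.0


@dataclass
class ZoneState:
    present: set = field(default_factory=set)      # cards currently inside
    anomalies: list = field(default_factory=list)  # (ts, card, reason)

    @property
    def occupancy(self) -> int:
        return len(self.present)


def apply_event(zones: dict, ts: str, zone: str, direction: str, card: str) -> ZoneState:
    """Update the head count for one badge read, recording pass-back anomalies."""
    state = zones.setdefault(zone, ZoneState())
    if direction == "in":
        if card in state.present:
            # Card is already counted inside: someone left without badging
            # out (tailgated) or the card was handed back through the door.
            state.anomalies.append((ts, card, "re-entry without exit"))
        state.present.add(card)
    elif direction == "out":
        if card not in state.present:
            # Leaving without ever badging in: the entry was tailgated.
            state.anomalies.append((ts, card, "exit without entry"))
        state.present.discard(card)
    else:
        raise ValueError(f"unknown reader direction {direction!r}")
    return state


def lighting_state(occupancy: int) -> str:
    # Programmed control, as the article notes, has no minimum 'on' time.
    return "on" if occupancy > 0 else "off"


def hvac_mode(occupancy: int) -> str:
    return "occupied" if occupancy > 0 else "standby"


def fresh_air_setpoint(occupancy: int) -> float:
    """Outdoor-air demand scaled by head count rather than a fixed schedule."""
    if occupancy == 0:
        return CFM_UNOCCUPIED
    return max(MIN_CFM_OCCUPIED, CFM_PER_PERSON * occupancy)


def replay(events):
    """Replay badge events; return final zone states and a decision timeline."""
    zones = {}
    timeline = []
    for ts, zone, direction, card in events:
        state = apply_event(zones, ts, zone, direction, card)
        n = state.occupancy
        timeline.append((ts, zone, n, lighting_state(n), hvac_mode(n), fresh_air_setpoint(n)))
    return zones, timeline


if __name__ == "__main__":
    zones, timeline = replay(SAMPLE_EVENTS)
    for row in timeline:
        print(row)
    for zone, state in zones.items():
        for anomaly in state.anomalies:
            print("ANOMALY", zone, anomaly)
```

The anomaly list matters as much as the count: every tailgated entry is a person the lighting and ventilation logic does not know about, and every pass-back is a credential being shared, so the same events that drive the building should also feed the security operator’s queue.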
Deploying access control data can also serve as a planning tool for future building projects, either within the existing structure or when considering expansion or reuse of a property.
Having the details on occupancy — who is onsite, what hours is the building most used, are there areas underused or too crowded? — can become a tool for bottom-line decisions about property expenses.
Likewise, such information can be used in day-to-day planning, such as knowing how many people are likely to be at work so security details, parking attendants and cafeteria workers can be scheduled accordingly.
And at locations where shared workspace is becoming more prevalent, access data can also help when assigning desks or conference rooms to individuals and groups.
Because of the interactive nature of today’s access control systems, employees can receive necessary information through the same system that is logging their comings and goings.
Touchscreens have the ability to provide messages, whether they are alerts about an urgent matter, notices about training programs, changes in company policy or just updates on events, such as a campus-wide or department-wide meeting.
Readers can also become tools for booking rooms or, through the use of a built-in intercom, communicating with security personnel in an emergency.
Mobile apps tied to access control add yet another layer to building automation by allowing users to remotely unlock doors, receive mobile alerts and provide two-factor authentication for access to higher security areas.
Apps now and into the future will likely get cardholders even more involved with the buildings, allowing them to provide instant feedback and notifications.
Additionally, the integration of video enhances both smart building capabilities and security by making alarms visually verifiable, which increases the safety of occupants by better assessing their location and situation.
Video can help reduce false alarms and utilizing video analytics can provide further data on building usage trends.
Reposted from ASIS
It’s perhaps the most infamous incident of an insider threat in modern times. During the spring and summer of 2013, then-National Security Agency (NSA) contractor and SharePoint administrator Edward Snowden downloaded thousands of documents about the NSA’s telephone metadata mass surveillance program onto USB drives, booked a flight to Hong Kong, and leaked those documents to the media.
An international manhunt was launched, Snowden fled to Moscow, hearings were held in the U.S. Congress, and new policies were created to prevent another insider breach. The damage a trusted insider can do to an organization became painfully obvious.
“If you’d asked me in the spring of 2013…what’s the state of your defense of the business proposition as it validates the technology, people, and procedures? I would have said, ‘Good. Not perfect,’” said Chris Inglis, former deputy director and senior civilian leader of the NSA during the Snowden leaks, in a presentation at the 2017 RSA Conference in San Francisco.
“I would have said that ‘we believe, given our origins and foundations, and folks from information assurance, that that’s a necessary accommodation,’” he explained. “We make it such that this architecture—people, procedure, and technology—is defensible.”
Inglis also would have said that the NSA vetted insiders to ensure trustworthiness, gave them authority to conduct their jobs, and followed up with them if they exceeded that authority—intentionally or unintentionally—to remediate it.
“We made a critical mistake. We assumed that outsider external threats were different in kind than insider threats,” Inglis said. “My view today is they are exactly the same. All of those are the exercise of privilege.”
Inglis’ perspective mirrors similar findings from the recent SANS survey Defending Against the Wrong Enemy: 2017 SANS Insider Threat Survey by Eric Cole, SANS faculty fellow and former CTO of McAfee and chief scientist at Lockheed Martin.
The SANS survey of organizations with 100 to 100,000 employees found that it can be easy to conclude that external attacks should be the main focus for organizations.
“This conclusion would be wrong. The critical element is not the source of a threat, but its potential for damage,” Cole wrote. “Evaluating threats from that perspective, it becomes obvious that although most attacks might come from outside the organization, the most serious damage is done with help from the inside.”
Incidents like the Snowden leaks and the more recent case of Harold Thomas Martin III, an NSA contractor accused of taking top secret information home with him, along with other incidents of economic espionage have raised awareness of the impact insider threats can have. However, many organizations have not adjusted their security posture to mitigate those threats.
In its survey, SANS found that organizations recognize insider threat as the “most potentially damaging component of their individual threat environments.” “Interestingly, there is little indication that most organizations have realigned budgets and staff to coincide with that recognition,” the survey noted.
Of the organizations surveyed, 49 percent said they are in the process of creating an insider threat program, but 31 percent have no such plan in place and are not addressing insider threats in a structured way.
“Unfortunately, organizations that lack effective insider threat programs are also unable to detect attacks in a timely manner, which makes the connection difficult to quantify,” SANS found. “From experience, however, there is a direct correlation between entities that ignore the problem and those that have major incidents.”
Additionally, because many are not monitoring for insider threats, most organizations claim that they have never experienced an insider threat. “More than 60 percent of the respondents claim they have never experienced an insider threat attack,” Cole wrote. “This result is very misleading. It is important to note that 38 percent of the respondents said they do not have effective ways to detect insider attacks, meaning the real problem may be that organizations are not properly detecting insider threats, not that they are not happening.”
The survey also found that losses from insider threats are largely unknown because the attacks are not monitored or detected. Without detection, organizations cannot put those losses into financial terms, and without a dollar figure they are unlikely to devote resources to the problem, which in turn keeps the cost of insider attacks unmeasured.
For instance, an insider could steal intellectual property and product plans and sell them to a competitor without being detected.
“Subsequent failure of that product might be attributed to market conditions or other factors, rather than someone ‘stealing it,’” Cole wrote. “Many organizations, in my experience, are likely to blame external factors and only discover after detailed investigation that the true cause is linked back to an insider.”
And when organizations do discover that an insider attack has occurred, most have no formal internal incident response plan to address it.
“Despite recognition of insiders as a common and vulnerable point of attack, fewer than 20 percent of respondents reported having a formal incident response plan that deals with insider threat,” according to the SANS survey.
Instead, most incident response plans are focused on external threats, Cole wrote, which may explain why companies struggle to respond to insider threats.
Organizations are also struggling to deal with both malicious and accidental insider threats, the latter being a legitimate user whose credentials were stolen or who has been manipulated into giving an external attacker access to the organization. “Unintentional insider involvement can pose a greater risk, and considerably more damage, by allowing adversaries to sneak into a network undetected,” the survey found. “Lack of visibility and monitoring capability are possible explanations for the emphasis on malicious insiders.”
To begin to address these vulnerabilities, SANS recommends that organizations identify their most critical data, determine who has access to that data, and restrict access to only those who need it. Then, organizations should focus on increasing visibility into users’ behavior to be proactive about insider threats.
“We were surprised to see 60 percent of respondents say they had not experienced an insider attack,” said Cole in a press release. “While the confidence is great, the rest of our survey data illustrates organizations are still not quite effective at proactively detecting insider threats, and that increased focus on individuals’ behaviors will result in better early detection and remediation.”
When the NSA recruits and hires people, it vets them thoroughly to ensure their trustworthiness, according to Inglis.
“We ultimately want to bring somebody into the enterprise who we can trust, give them some authority to operate within an envelope that doesn’t monitor their tests item by item,” he explained. “Why? Because it’s within that envelope that they can exceed your expectations and the adversary’s expectations, your competitors’ expectations, and hopefully the customers’ expectations. You want them to be agile, creative, and innovative.”
To do this, the NSA would go to great lengths to find people with technical ability and possible trustworthiness. Then it or a third party would vet them, looking at their finances and their background, conducting interviews with people who knew them, and requiring polygraph examinations.
After the Snowden leaks, the U.S. federal government examined the work of its contract background screening firm—United States Investigations Services (USIS). USIS had cleared both Snowden and the Washington Navy Yard shooter Aaron Alexis. The government decided to reduce its contracted work with the company.
USIS later agreed to pay $30 million to settle U.S. federal fraud charges, forgoing payments that it was owed by the U.S. Office of Personnel Management for conducting background checks. The charges included carrying out a plot to “flush” or “dump” individual cases that it deemed to be low level to meet internal USIS goals, according to The Hill’s coverage of the case.
“Shortcuts taken by any company that we have entrusted to conduct background investigations of future and current federal employees are unacceptable,” said Benjamin Mizer, then head of the U.S. Department of Justice’s Civil Division, in a statement. “The Justice Department will ensure that those who do business with the government provide all of the services for which we bargained.”
This part of the process—vetting potential employees and conducting background checks—is where many private companies go wrong, according to Sandra Stibbards, owner and president of Camelot Investigations and chair of the ASIS International Investigations Council.
“What I’ve come across many times is companies are not doing thorough backgrounds, even if they think they are doing a background check—they are not doing it properly,” she says.
For instance, many companies will hire a background screening agency to do a check on a prospective employee. The agency, Stibbards says, will often say it’s doing a national criminal search when really it’s just running a name through a database that has access to U.S. state and county criminal and court records that are online.
“But the majority of counties and states don’t have their criminal records accessible online,” she adds. “To really be aware of the people that you’re getting and the problem with the human element, you need to have somebody who specializes and you need to…invest the money in doing proper background checks.”
To do this, a company should have prospective employees sign a waiver that informs them that it will be conducting a background check on them. This check, Stibbards says, should involve looking at criminal records in every county and state the individual has lived in, many of which will need to be visited in person.
She also recommends looking into any excessive federal court filings the prospective employee may have made.
“I’ll look for civil litigation, especially in the federal court because you get people that are listed as a plaintiff and they are filing suits against companies for civil rights discrimination, or something like that, so they can burn the company and get money out of it,” Stibbards adds.
Additionally, Stibbards suggests looking for judgments, tax liens, and bankruptcies, because that gives her perspective on whether a person is reliable and dependable.
“It’s not necessarily a case breaker, but you want to have the full perspective of if this person is capable of managing themselves, because if they are not capable of managing themselves, they may not make the greatest employee,” she says.
Companies should ensure that their background screenings also investigate the publicly available social media presence of potential employees. Companies can include information about this part of the process in the waiver that applicants sign agreeing to a background check to avoid legal complications later on.
“I’m going to be going online to see if I see chatter about them, or if they chat a lot, make comments on posts that maybe are inappropriate, if they maintain Facebook, LinkedIn, and Twitter,” Stibbards says.
Posting frequently to social media might be a red flag. “If you find somebody on Facebook that’s posting seven, eight, nine, or 10 times a day, this is a trigger point because social media is more important to them than anything else they are doing,” Stibbards adds.
And just because a prospective employee is hired doesn’t mean that the company should discontinue monitoring his or her social media. While ongoing review is typically a routine measure, it can lead to disciplinary action for an employee who made it through the initial vetting process. For instance, Stibbards was hired by a firm to investigate an employee after the company had some misgivings about certain behaviors.
“Not only did we find criminal records that weren’t reported, but we then found social media that indicated that the employee was basically a gang member—pictures of guns and the whole bit,” Stibbards says.
It’s also critical, once a new employee has been brought on board, to introduce him or her to the culture of the organization—an aspect that was missing in Snowden’s onboarding process, Inglis said. Snowden was a contractor, and regulations prohibited the U.S. government from training contractors the way it trains its own employees.
“You show up as a commodity on whatever day you show up, and you’re supposed to sit down, do your work—sit down, shut up, and color within the lines,” Inglis explained.
So on Snowden’s first day at the NSA, he was not taken to the NSA Museum like other employees and taught about the agency’s history, the meaning of the oath new employees take, and the contributions the NSA makes to the United States.
“Hopefully there are no dry eyes at that moment in time, having had a history lesson laying out the sense of the vitality and importance of this organization going forward,” Inglis explained. “We don’t do that with contractors. We just assume that they already got that lesson.”
If companies fail to introduce contractors and other employees to the mission of the organization and its culture, those employees will not feel that they are part of the organization.
Once trusted people are onboarded, companies need to evaluate their data—who has access to it, what controls are placed on it to prevent unwarranted access, and how that access is monitored across the network.
“The one thing I always recommend to any company is to have a monitoring system for all of their networks; that is one of the biggest ways to avoid having issues,” Stibbards says. “Whether it’s five people working for you or 100, if you let everybody know and they are aware when they are hired that all systems—whether they are laptops or whatever on the network—are all monitored by the company, then you have a much better chance of them not doing anything inappropriate or…taking information.”
These systems can be set up to flag when certain data is accessed or if an unusual file type is emailed out of the network to another address.
Simon Gibson, fellow security architect at Gigamon and former CISO at Bloomberg LP, had a system like this set up at Bloomberg, which alerted security staff to an email sent out with an Adobe PDF of an executive’s signature.
“He’s a guy who could write a check for a few billion dollars,” Gibson explains. “His signature was detected in an email being sent in an Adobe PDF, and it was just his signature…of course the only reason you would do that is to forge it, right?”
So, the security team alerted the business unit to the potential fraud. But after a quick discussion, the team found that the executive’s signature was being sent by a contractor to create welcome letters for new employees.
“From an insider perspective, we didn’t know if this was good or bad,” Gibson says. “We just knew that this guy’s signature probably ought not be flying in an email unless there’s a really good reason for it.”
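The kind of outbound-mail check described above, as an added example that is not part of the original article and not Bloomberg's or Gigamon's tooling: the business declares certain artifacts sensitive (here a constructed stand-in for the executive's signature PDF), the check fingerprints each attachment on messages leaving the company domain, and every alert carries the business owner the security team should call before deciding whether the transfer is fraud or routine work. The company domain, the watched file types, the registry contents and the sample messages are all constructed.

```python
"""Outbound-mail check for known-sensitive attachments (added example)."""
import hashlib

COMPANY_DOMAIN = "example.com"                  # constructed
WATCHED_EXTENSIONS = {".pfx", ".p12", ".kdbx"}  # hypothetical watch list


def fingerprint(data: bytes) -> str:
    """Content hash used to recognise a declared-sensitive artifact."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the executive's signature PDF.
SIGNATURE_PDF = b"%PDF-1.4 constructed stand-in for an executive signature image"

# Constructed registry: artifact hash -> (label, business owner to confirm with).
REGISTRY = {
    fingerprint(SIGNATURE_PDF): ("executive signature PDF", "finance-ops@example.com"),
}


def is_external(address: str) -> bool:
    """True when the recipient is outside the company domain."""
    return address.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN


def check_message(sender, recipients, attachments):
    """Return one alert dict per suspicious attachment on an outbound message.

    attachments is a list of (filename, bytes). Internal-only mail is ignored;
    a registered artifact is flagged by content, a watched type by extension.
    """
    external = [r for r in recipients if is_external(r)]
    if not external:
        return []
    alerts = []
    for name, data in attachments:
        digest = fingerprint(data)
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if digest in REGISTRY:
            label, owner = REGISTRY[digest]
            alerts.append({"sender": sender, "to": external, "file": name,
                           "reason": f"known sensitive artifact: {label}",
                           "confirm_with": owner})
        elif ext in WATCHED_EXTENSIONS:
            alerts.append({"sender": sender, "to": external, "file": name,
                           "reason": f"watched file type {ext}",
                           "confirm_with": None})
    return alerts


if __name__ == "__main__":
    # Constructed message: a contractor mails the signature to a print vendor.
    for alert in check_message("contractor@example.com",
                               ["print-vendor@example.net"],
                               [("welcome_letter_signature.pdf", SIGNATURE_PDF)]):
        print(alert)
```

An exact hash only catches the unmodified file; a re-saved or cropped copy would slip past it, which is why commercial DLP uses partial-document and pattern matching on top of fingerprints. The `confirm_with` field is the point of the example: the alert is a lead for the business unit, not a verdict, exactly as the signature email turned out to be.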
Thankfully, Bloomberg had a system designed to detect when that kind of activity was taking place in its network and was able to quickly determine whether it was malicious. Not all companies are in the same position, says Brian Vecci, technical evangelist at Varonis, an enterprise data security provider.
In his role as a security advocate, Vecci goes out to companies and conducts risk assessments to look at what kinds of sensitive data they have. Forty-seven percent of companies he’s looked at have had more than 1,000 sensitive data files that were open to everyone on their network. “I think 22 percent had more than 10,000 or 12,000 files that were open to everybody,” Vecci explains. “The controls are just broken because there’s so much data and it’s so complex.”
To begin to address the problem, companies need to identify what their most sensitive data is and do a risk assessment to understand what level of risk the organization is exposed to. “You can’t put a plan into place for reducing risk unless you know what you’ve got, where it is, and start to put some metrics or get your arms around what is the risk associated to this data,” Vecci says.
Then, companies need to evaluate who should have access to what kinds of data, and create controls to enforce that level of access.
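A minimal version of the "open to everyone" check and the follow-up control, as an added example that is not from the article or from Varonis: it walks a file share, lists every file whose POSIX mode grants read access to "other", marks the ones whose names match a constructed sensitive-name list, and then strips the world-access bits from the sensitive ones. The sample tree, the name patterns and the permission scheme are constructed; a Windows share would need the ACL equivalent.

```python
"""Find files readable by everyone on a share and restrict the sensitive ones."""
import os
import stat
import tempfile

# Hypothetical: name fragments the organisation treats as sensitive.
SENSITIVE_PATTERNS = ("salary", "payroll", "ssn", "confidential", "product_plan")


def is_world_readable(path: str) -> bool:
    """True if the mode grants read to 'other' (the POSIX 'everyone')."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def looks_sensitive(name: str) -> bool:
    lower = name.lower()
    return any(p in lower for p in SENSITIVE_PATTERNS)


def find_exposed_files(root: str):
    """Return sorted (relative path, sensitive?) for each world-readable regular file."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if is_world_readable(path):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                exposed.append((rel, looks_sensitive(name)))
    return sorted(exposed)


def restrict_world_access(paths) -> int:
    """Remove read/write/execute for 'other'. Returns the number of files changed."""
    changed = 0
    for path in paths:
        mode = os.stat(path).st_mode
        new_mode = mode & ~(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)
        if new_mode != mode:
            os.chmod(path, new_mode)
            changed += 1
    return changed


def restrict_sensitive(root: str) -> int:
    """Audit then fix: lock down only the exposed files that look sensitive."""
    targets = [os.path.join(root, rel) for rel, sensitive in find_exposed_files(root) if sensitive]
    return restrict_world_access(targets)


def build_sample_tree() -> str:
    """Constructed sample data: a tiny share with mixed permissions."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "hr"))
    os.makedirs(os.path.join(root, "public"))
    samples = {
        "hr/payroll_2017.xlsx": 0o644,         # exposed and sensitive
        "hr/confidential_plan.docx": 0o640,    # sensitive, but group-only
        "public/holiday_calendar.pdf": 0o644,  # exposed, not sensitive
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    share = build_sample_tree()
    for rel, sensitive in find_exposed_files(share):
        print(("SENSITIVE " if sensitive else "          ") + rel)
    print(f"restricted {restrict_sensitive(share)} sensitive file(s)")
```

Run the audit first and keep the list; the count of exposed sensitive files is the metric Vecci is asking for, and the same list is the input to the access review that decides who should keep access before anything is changed.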
Weak controls in this area allowed Snowden to gain access to the thousands of documents he was later able to leak. Snowden was a SharePoint administrator who populated a server so that thousands of analysts could use the information on it to chase threats. His job was to understand how the NSA collects, processes, stores, queries, and produces information.
“That’s a pretty rich, dangerous set of information, which we now know,” Inglis said. “And the controls were relatively low on that—not missing—but low because we wanted that crowd to run at that speed, to exceed their expectations.”
Following the leaks, the NSA realized that it needed to place more controls on data access because, while a major leak like Snowden’s had a low probability of happening, when it did happen the consequences were extremely high.
“Is performance less sufficient than it was before these maneuvers? Absolutely,” Inglis explained. “But is it a necessary alignment of those two great goods—trust and capability? Absolutely.”
Additionally, companies should have a system in place to monitor employees’ physical access at work and detect anomalies in behavior. For instance, if a system administrator who normally arrives at 8:00 a.m. and leaves at 5:00 p.m. every day suddenly comes into the office at 2:00 a.m., or shows up at a workplace with a data storage unit that’s not in his normal rotation, that activity should be a red flag.
“That ought to be a clue, but if you’re not connecting the dots, you’re going to miss that,” Inglis said.
To truly enable the technology in place to monitor network traffic, however, companies need to have processes to respond to anomalies. This is especially critical because often the security team is not completely aware of what business units in the company are doing, Gibson says.
While at Bloomberg, his team would occasionally get alerts that someone had sent content—such as a document marked confidential—to a private email address. “When the alert would fire, it would hit the security team’s office and my team would be the first people to open it and look at it and try to analyze it,” Gibson explains. “The problem is, the security team has no way of knowing what’s proprietary and valuable, and what isn’t.”
To gather this information, the security team needs to have a healthy relationship with the rest of the organization, so it can reach out to others in the company—when necessary—to quickly determine if an alert is a true threat or legitimate business, like the signature email.
Companies also need to have a process in place to determine when an employee uses his or her credentials to inappropriately access data on the network, or whether those credentials were compromised and used by a malicious actor.
Gibson says this is one of the main threats he examines at Gigamon from an insider threat perspective because most attacks are carried out using people’s credentials. “For the most part, on the network, everything looks like an insider threat,” he adds. “Take our IT administrator—someone used his username and password to login to a domain controller and steal some data…I’m not looking at the action taken on the network, which may or may not be a bad thing, I’m actually looking to decide, are these credentials being used properly?”
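The "connecting the dots" Inglis describes for physical access and the "are these credentials being used properly?" question Gibson raises can be approached with the same baseline-and-deviation logic. The following is an added example, not from the article and not from NSA, Gigamon or Bloomberg tooling: it learns each account's usual hours and usual sources (badge readers and hosts) from a history window, then flags later events that fall outside them, such as a 2 a.m. badge-in at an unfamiliar door or an administrator's credentials appearing on a domain controller they have never touched. The log format, user name, readers and host names are constructed.

```python
"""Per-account baseline of hours and sources, with deviation flagging (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed history, "timestamp,user,event,source". Badge events come from the
# physical-access system, logon events from the directory audit log.
HISTORY = """\
2017-10-02T08:02:00,jdoe,badge_in,lobby-east
2017-10-02T08:15:00,jdoe,logon,ws-0412
2017-10-02T17:05:00,jdoe,badge_out,lobby-east
2017-10-03T07:58:00,jdoe,badge_in,lobby-east
2017-10-03T08:10:00,jdoe,logon,ws-0412
2017-10-03T16:55:00,jdoe,badge_out,lobby-east
2017-10-04T08:05:00,jdoe,badge_in,lobby-east
2017-10-04T08:20:00,jdoe,logon,ws-0412
2017-10-04T17:10:00,jdoe,badge_out,lobby-east
"""

# Constructed new events: one normal day, then a 2 a.m. visit and a DC logon.
NEW_EVENTS = """\
2017-10-05T08:03:00,jdoe,badge_in,lobby-east
2017-10-05T08:12:00,jdoe,logon,ws-0412
2017-10-06T02:14:00,jdoe,badge_in,loading-dock
2017-10-06T02:20:00,jdoe,logon,dc-01
"""


def parse(lines: str):
    """Yield (datetime, user, event, source) for each non-empty CSV line."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, event, source = line.split(",")
        yield datetime.fromisoformat(ts), user, event, source


def build_baseline(history: str, slack_hours: int = 1):
    """Per user: the observed hour range widened by slack, and the sources seen."""
    hours = defaultdict(list)
    sources = defaultdict(set)
    for ts, user, _event, source in parse(history):
        hours[user].append(ts.hour)
        sources[user].add(source)
    baseline = {}
    for user, seen in hours.items():
        lo = max(min(seen) - slack_hours, 0)
        hi = min(max(seen) + slack_hours, 23)
        baseline[user] = {"hours": (lo, hi), "sources": sources[user]}
    return baseline


def find_anomalies(baseline, events: str):
    """Return (timestamp, user, event, source, reasons) for each deviating event."""
    findings = []
    for ts, user, event, source in parse(events):
        reasons = []
        profile = baseline.get(user)
        if profile is None:
            reasons.append("no baseline for account")
        else:
            lo, hi = profile["hours"]
            if not lo <= ts.hour <= hi:
                reasons.append(f"outside usual hours {lo:02d}-{hi:02d}")
            if source not in profile["sources"]:
                reasons.append(f"new source {source}")
        if reasons:
            findings.append((ts.isoformat(), user, event, source, reasons))
    return findings


if __name__ == "__main__":
    for ts, user, event, source, reasons in find_anomalies(build_baseline(HISTORY), NEW_EVENTS):
        print(f"{ts} {user} {event}@{source}: {'; '.join(reasons)}")
```

Two caveats a practitioner would add. First, correlating badge and logon data for one person requires that the physical-access system and the directory share an identity, which is the HR-IT-physical linkage Inglis calls for. Second, a flagged event is a lead, not a finding: on-call work also happens at 2 a.m., so the output belongs in the same business-unit confirmation loop as the signature email.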
The security team also needs to work with the human resources department to be aware of potential problem employees who might have exceptional access to corporate data, such as a system administrator like Snowden.
For instance, Inglis said that Snowden was involved in a workplace incident in 2012 that might have changed the way he felt about his work at the NSA. Because Snowden was a systems administrator with extensive access to the NSA’s systems, Inglis said, it would have made sense to put a closer watch on him after that incident, since the consequences if he attacked the NSA’s network were high.
“You cannot treat HR, information technology, and physical systems as three discrete domains that are not somehow connected,” Inglis said.
Taking all of these actions to ensure that companies are hiring trusted people, using network monitoring technology, and using procedures to respond to alerts, can help prevent insider threats. But, as Inglis knows, there is no guarantee.
“Hindsight is 20/20. You have to look and say, ‘Would I theoretically catch the nuances from this?’”
Reposted from The New York Times
A college freshman shot and killed a campus police officer at Texas Tech University in Lubbock on Monday night after the student was taken to the university police station for questioning in a drug-related case, the authorities said.
The on-campus shooting caused the authorities to put the university on lockdown as they searched for the student, who fled the station on foot and was identified by the university as Hollis A. Daniels, 19. The university’s Twitter account and online emergency-alert system urged those on campus to shelter in place starting at about 8:30 p.m. on Monday. Mr. Daniels was caught about an hour later, and the lockdown was lifted.
He was charged with evading arrest. Other charges were pending.
The episode began earlier Monday evening, when officers with the campus police department made a so-called student welfare check at Mr. Daniels’s room. The officers entered his room and found evidence of drugs and drug paraphernalia, according to a statement from a spokesman for the university, which is in West Texas. Officers took him to the police station for a “standard debriefing,” said the spokesman, Chris Cook. He then pulled out a gun and shot a campus officer in the head, killing the officer. The officer’s name was not immediately released.
Officials said a Texas Tech police officer later tackled Mr. Daniels as he fled near the Lubbock Municipal Coliseum and took him into custody, assisted by Lubbock officers. Mr. Daniels is from Seguin, a city nearly 40 miles east of San Antonio.
Classes were to resume as scheduled on Tuesday.
In a statement, Gov. Greg Abbott said he had spoken with Robert Duncan, the chancellor of the Texas Tech University System, and offered his condolences. “First and foremost, our hearts go out to the family of the police officer killed at Texas Tech University,” Mr. Abbott said in the statement.
Reposted from Total Security Daily Advisor
While mass shooting attacks in public places, offices, and at K–12 schools and college campuses are frequently in the news and more visible, a recent shooting at a city library offers a reminder of how vulnerable these public facilities are, because they can’t really pick their customers.
On August 28, 2017, a 16-year-old suspect walked into the Clovis-Carver, NM, public library and shot and killed two employees and wounded four others. He was arrested by police and gave them no motive for the attack. Like the June 2015 shootings at Emanuel African Methodist Episcopal Church in Charleston, SC, carried out by 21-year-old killer Dylann Roof, these incidents appear to be committed by depressed, disturbed young people with no connection to the organization or the people inside it at the time. These are “statement” murders, where the killer is attempting to show the world he is hurting, angry, or wanting to be recognized, even in a highly negative way.
Libraries, like other public places, can’t really pick who comes inside or control their behavior until it violates the code of conduct or breaks the law. Security officers are rare in most of the 99,000 libraries in the U.S., and police are usually present only when they are called. Library staffers know that they deal with the homeless, mentally ill patrons, gang members, thieves, and drug takers and sellers. They often don’t know who these people are until they act out, and by then they can create fear, cause damage, or drive other members of the public away because they no longer feel the library is a safe place. Like a church or other location that invites the public, library employees don’t know who may be armed with a gun or knife until that person displays a weapon.
Libraries with the best success for keeping patrons and staff safe follow these security guidelines:
Reposted from Security Magazine
The Battle of Thermopylae, also known as “The Hot Gates,” fought in 480 B.C., is often put in the context that 300 Spartans held off a huge Persian army. In reality, the 300 Spartans were not alone during the battle. Alongside them fought Athenians, Thebans, Thespians, and a variety of other united Greek forces. All told, until the last day or so, the Greeks had a force of between 7,000 and 10,000 soldiers at Thermopylae. The key difference is that the Spartan warriors were bred as warriors – they were professional soldiers. The Athenians, Thebans and Thespians were soldiers, but most of them had other, full-time jobs, and fought in the army when they were called upon.
Your users are not Spartan warriors. They are developers, engineers, designers, craftsmen, lawyers, nurses and so on. They are not professional security geeks. They don’t think like hackers. Elevated security measures do not come naturally to most of these people. They all have real jobs to do which are NOT focused on information and cybersecurity.
Security awareness is important, and we cannot give it lip service. We cannot throw a bunch of generic security stuff in a set of slides and say, “Our users are trained.” The real world does not work that way. We cannot make everyone Spartan warriors.
So what do we do? We figure out an awareness program that works in our environment.
One of the key elements to remember is that an awareness program really is not about “awareness.” An awareness program is about training and changing employee behavior enough that it increases your staff’s ability to consciously make more secure decisions. That is much more easily said than done.
Remember, you are not making security experts. That is why you have security geeks. You need employees to be good enough that they can help protect what is important to the organization. When you focus on their jobs, and what they do in their day to day activities, you are much better off – even more so if you can keep the security messages simple, and the security “geekiness” low.
1305 Krameria, Unit H-129, Denver, CO 80220 Local: 303.322.9667 Copyright © 1999 International Foundation for Cultural Property Protection. All Rights Reserved