
Security Management

<h3>Hide. Hide. Hide.</h3>
<p>When Michael D’Angelo, CPP, was tasked with creating an active shooter response plan for six Miami-area hospitals, he turned to the U.S. Department of Homeland Security’s (DHS) “Run. Hide. Fight.” training. At the time, D’Angelo was the manager of emergency preparedness and security for Baptist Health South Florida, which has hospital facilities in three counties. But when D’Angelo and a team of stakeholders looked at the verbiage of the DHS active shooter response program, they realized it didn’t suit the hospital environment.</p>
<p>The “Run. Hide. Fight.” training instructs people who find themselves in an active shooter scenario to flee the threat if possible. If not, they should take cover. As a last resort, they should be prepared to fight the gunman. “Most of the hospitals around the country are writing their active shooter policies based on the DHS guidelines, which have been out for three or four years now, but the problem is those are very cookie cutter,” explains D’Angelo, who is now the director of security at one of Baptist Health’s hospitals. “They give it to school systems, healthcare systems, everybody. It’s kind of that one-size-fits-all response plan to an active shooter.”</p>
<p>The recommendation to flee the shooter isn’t logical in Baptist Health’s multistory hospitals, D’Angelo notes. Complicated layouts combined with areas designed to provide clear line-of-sight create a dangerous environment for those attempting to flee a shooter.</p>
<p>Likewise, D’Angelo and his team agreed that telling hospital staff to fight an active shooter was too much of a risk. “Even though it’s prescribed as a last resort, we had that feeling that by talking about it, you almost plant this subconscious belief in the staff that they have some kind of obligation to end the incident, which is a difficult thing when it comes to clinical caregivers, because they’re taught to put the patient first for everything. So now you’re going to empower them with this belief that they are going to have to stop the shooter to protect the patient. And this is the one scenario where they have to put their own life before the life of their patient.”</p>
<p>In fact, D’Angelo says convincing staff to put themselves first in an active shooter scenario has been one of the most challenging aspects of creating a response plan. Staff can’t help patients if they themselves are injured, and taking the time to hide slow-moving patients imperils everyone.</p>
<p>Ultimately, D’Angelo and his team agreed that the only applicable aspect of DHS’s recommendation was to instruct the staff to lock the doors, turn off lights and any unnecessary machines, and shelter in place until police arrive. They call it the “Cease to Exist” approach, and it has received buy-in from local law enforcement.</p>
<p>Baptist Health’s six hospitals sit in five different police jurisdictions, so D’Angelo and his team had to meet with each police department to make sure the plan fit in with each department’s active shooter response strategy.</p>
<p>“From law enforcement’s perspective, our plan seems to fit because their point of view is, we need you and your staff to be out of the way, not in the hallway, not running and distracting us, so we have as empty and clear a path to getting to the shooters as fast as we possibly can,” D’Angelo explains. “If anything, our response program speeds up their plan and effectiveness of ending the incident as quickly as possible.”</p>
<p>D’Angelo notes that local law enforcement has changed its active shooter response to provide more immediate assistance to shooting victims. In the past, fire rescue and paramedics would not enter the area until police had cleared the entire building, but the wasted time turned casualties into fatalities. Now, emergency response is coordinated so that fire rescue and paramedics follow behind police as they move from room to room, so that the police can focus on finding the shooter while rescue teams can safely attend to casualties.</p>
<p>“We’re doing our best to get that point across to our staff that fire rescue is going to come onto the scene with law enforcement as soon as possible,” D’Angelo explains.</p>
<p>The discussion about having a proactive versus passive response to an active shooter goes hand-in-hand with the debate over whether hospital staff or security officers should be armed, D’Angelo notes. Baptist Health does not arm its security staff based on data: 50 percent of emergency room shootings in the U.S. involved a police or security officer’s firearm, which was either stolen to shoot victims or used by security to fire at an assailant, according to a Johns Hopkins report. “If I can guarantee a 50 percent less chance of a shooting taking place in my ER by not arming my security staff, then why would I do it? Based on raw data, I can’t see how having armed security forces is going to be the answer,” D’Angelo says.</p>
<p>Within the hospitals, there has been mixed response to the “Cease to Exist” approach. Some departments want to see more in the way of training and education, because they feel the staff should take a more proactive approach to a potential active shooter. D’Angelo reiterates that staff should help protect patients only if they can simultaneously protect themselves. “I guess nobody wants to address that real gray area of saying we leave the patients on their own, because some of them can’t help themselves, but you do the best you can to protect both of you if it’s realistic to do so,” he says.</p>
<p>But for nurses with three or four patients, running from room to room and concealing each of them may be counterproductive.</p>
<p>There has been significant dialogue between Baptist Health leaders and staff about the “Cease to Exist” response, but D’Angelo says that Baptist Health prohibits active shooter drills. He describes one “disastrous” active shooter exercise a few years ago where, instead of causing chaos throughout the hospital, the code elicited almost zero response from the staff.</p>
<p>“We quickly learned that the staff is alarm fatigued,” D’Angelo says. Infant abduction drills, fire drills, and [other mandated exercises] mean that every code is a drill until proven otherwise. “With something as significant as an active shooter, we absolutely couldn’t have that attitude. There’s only one way to guarantee that when staff hear that code, they will know that someone is actually shooting—and that is to prohibit exercising the code.”</p>
<p>D’Angelo acknowledges that Baptist Health is taking an unusual approach by not following DHS’s “Run. Hide. Fight.” program, but he notes that even DHS says it’s not a one-size-fits-all policy. “We took the time to look at it,” he explains. “If you automatically adopt the DHS policy and turn that into your in-house policy, you may be prescribing something to your staff that may be doing more harm than good.”</p>

<h3>ASIS News July 2016</h3>
<h4>Active Shooter White Paper Released</h4>
<p>The ASIS International School Safety and Security Council has released a highly-anticipated white paper, Active Shooter.
The 60-page document consists of 13 chapters written by members of the council who hold security and safety positions at colleges, universities, and elementary and secondary schools, or are consultants to these institutions.</p>
<p>Each author addresses a different proactive approach to preventing and responding to active shooter situations. After an introduction to active shooter programs, the following topics are among those covered in subsequent chapters: the six phases of an attack; pre-attack indicators; on-site training programs; behavioral threat assessment teams; hardening the target; primary and secondary schools as soft targets; and lessons learned.</p>
<p>The last chapter, “To Arm or Not to Arm…Teachers,” examines both sides of this heated debate and offers advice on teacher training and the consequences of each strategy. The author concludes, however, “that both sides have the same goal, which is to keep our schools, students, and teachers safe.”</p>
<p>Active Shooter ends with five appendices, which include articles from Security Management, “A Guide to Safe Schools” from the U.S. Department of Education, and conclusions from the ASIS Workplace Violence Prevention and Response Guidelines.</p>
<p>The white paper is available to download for ASIS members at <a href=""></a>.</p>

<h4>Executive Protection Council Launched</h4>
<p>The ASIS International Executive Protection Council, the newest addition to the ASIS International roster of 34 councils, has been approved by the ASIS Board of Directors.</p>
<p>Members of the council work in executive protection (EP) full time, oversee EP departments, or advise clients on EP concerns, according to the council’s chair, Robert Oatman, CPP. Senior managers from Fortune 500 companies as well as from privately-held companies that provide EP services to the private and government sectors serve on the council.</p>
<p>Impetus to form the council began in 2013, when ASIS offered a Certificate in Executive Protection. While Oatman had been teaching a two-day program for ASIS on executive protection since 1998, growing interest in the course and the certificate led to the formation of an ad hoc council in 2014.</p>
<p>With its formal status now secured, council members will focus in earnest on their mission and goals, which include providing education and resources on professional executive protection and establishing EP as a business enabler to keep protectees safe and productive. In the short term, the council will foster its active leadership, add new members, enhance content to the council’s website, and present a webinar. Longer term, the council hopes to develop an executive protection standard, and has formed a subcommittee to look into that possibility.</p>
<p>International interest in EP is evident by the diverse backgrounds of the students that attend the ASIS EP programs. Many are currently working in the field, but all want to learn more about the art of executive protection. In addition, says Oatman, corporations have realized the value of EP services. As a result, EP has become a viable career path for individuals transitioning from law enforcement or government positions.</p>
<p>To learn more about the council and its programs, visit the council’s website, <a href=""></a>.</p>

<h4>ASIS 2015 Earns Spot on Top Trade Show List</h4>
<p>The ASIS International 61st Annual Seminar and Exhibits (ASIS 2015), which took place September 28 to October 1, 2015 at the Anaheim Convention Center in Anaheim, California, has placed 100th on the 2015 Trade Show News Network’s Top 250 U.S. Trade Shows list. The Trade Show News Network (TSNN) is the world’s leading online resource for the trade show, exhibition, and event industry since 1996. TSNN began its list of top U.S. trade shows in 2010 based on net square footage.</p>
<p>“Our Annual Seminar and Exhibits is the premier education and networking event for those charged with the protection of life, property, and information in our world today,” says ASIS President David C. Davis, CPP. “It is a critical time for our industry, which is reflected in the size and scope of our conference and exhibition. We are honored to be recognized by Trade Show News Network.”</p>
<p>ASIS’s Annual Seminars and Exhibits draw approximately 20,000 security professionals from around the globe each year. The event presents more than 250 educational sessions and typically features more than 225,000 net square feet of the latest security technology and innovations in traditional and logical security, providing a showcase for more than 500 companies demonstrating cutting-edge solutions.</p>
<p>The 62nd Annual Seminar and Exhibits will take place September 12 to 15 at the Orange County Convention Center in Orlando, Florida. For the sixth consecutive year, (ISC)2, the largest not-for-profit membership body of certified information security professionals worldwide, will colocate its Annual Security Congress with the ASIS Annual Seminar and Exhibits. Registrants of either event may gain access to each event’s education sessions and the exhibit hall. Both organizations also will offer review courses for their respective certifications, as well as separate, members-only activities.</p>
<p>For complete event, registration, and housing information, visit</p>

<h3>Failure to Communicate</h3>
<p>“More than 10 years after the bipartisan 9/11 Commission reported that improvements to interoperable communications at all levels of the government need to be addressed, the National Capital Region continues to face challenges in achieving emergency communications interoperability within and among federal, state, and local agencies, despite substantial investment by the federal government to improve interoperability,” the U.S. Government Accountability Office (GAO) found in a recent report, Emergency Communications: Actions Needed to Better Coordinate Federal Efforts in the National Capital Region.</p>
<p>Crisis response experts say it is critical for first responders and officials to have emergency communications interoperability, or the ability to communicate across agencies and jurisdictions. The lack of interoperability can hamper mission operations and put first responders and the public at risk during a response.</p>
<p>The 9/11 Commission, in its report issued in 2004, examined the communications failures first responders experienced after the 9/11 attacks. The commission recommended allocating radio spectrum to public safety to create an interoperable public safety communications network.</p>
<p>However, the effort to create such a network did not begin in earnest until 2012, when Congress created the First Responder Network Authority (FirstNet) to provide the first nationwide public safety broadband network for public safety entities.</p>
<p>Earlier this year, FirstNet issued a Request for Proposals (RFP) for the deployment of this public safety broadband network. In April, FirstNet officials indicated that interest was high, and so it extended the deadline for proposals through May.</p>
<p>“Our decision to extend the deadline for final proposals was driven by both the volume and nature of the capability statements, as well as requests for extensions we’ve received from interested parties,” FirstNet CEO Mike Poth said in a statement. “We remain on track to award by November 1.”</p>
<p>In addition, the FirstNet Board of Directors has updated its strategic roadmap, which sets out a timetable for the establishment of the new network. The updated roadmap sets an August 2018 goal for the network to have its initial markets installed, and to be ready for live testing and activation of power sourcing equipment devices on the network.</p>
<p>And for some, August 2018 can’t come soon enough. Several major crisis situations that have occurred since 9/11 have demonstrated the pressing need for such a network, especially in light of the communications problems experienced by responders.</p>
<p>For example, the response to Hurricane Katrina in 2005 was hampered by “a complete breakdown in communications that paralyzed command and control and made situational awareness murky at best,” according to A Failure of Initiative, a bipartisan report on the disaster issued by the U.S. House of Representatives. During that response, agencies could not communicate with each other due to equipment failures and a lack of system interoperability, the report found.</p>
<p>Given the failings of the Katrina response, Congress went on to establish the Office of Emergency Communications (OEC) in the Post Katrina Emergency Management Reform Act. The OEC is designed to coordinate federal interoperable communication programs and conduct outreach to and support for emergency response providers.
In 2008, the OEC issued the first National Emergency Communications Plan, which included goals for improving communications capabilities at the state and local levels.</p>
<p>Then, in September 2013, communication problems hindered the response to the Navy Yard shooting, which resulted in 13 fatalities. In an after-action report on the shooting issued in July 2014, the Washington, D.C., Metropolitan Police Department identified interoperability communication problems among first responders.</p>
<p>The report found that some federal responders experienced communication problems that hindered interoperability during the response. It also found that interoperability would have been enhanced if all responders had access to the same designated radio channel.</p>
<p>Moreover, another report on the Navy Yard response, issued by the U.S. Department of the Navy, found that the Navy responders did not have interoperable communication with other agencies because of a lack of understanding of equipment capabilities and incorrectly programmed radios. The reports attracted critical feedback from Congress.</p>
<p>“Interoperable communications continues to be a challenge during disaster response, as evidenced during the response to Hurricane Sandy and the Navy Yard shooting,” U.S. Rep. Susan W. Brooks (R-IN) said at a recent Capitol Hill hearing. “We must continue to work to ensure first responders have the tools they need to communicate.”</p>
<p>Besides unsuccessful interoperability, inadequate interagency coordination is another issue that has hindered federal emergency communication, the GAO’s Emergency Communications report found.</p>
<p>In the Homeland Security Act of 2002, Congress created the Office of National Capital Region Coordination (ONCRC) to coordinate homeland security activities in the National Capital Region. But ONCRC does not currently have a formal mechanism in place to coordinate such activities, according to the GAO. Previously, the Joint Federal Committee (JFC) was the means ONCRC used to coordinate with federal agencies. But the JFC has not convened since 2014, and the ONCRC plans to restructure it.</p>
<p>“Officials explained that the JFC was not efficient and effective as a coordinating body and that they plan to strengthen its coordination capabilities. However, written plans were not available,” the GAO wrote.</p>
<p>As a result, GAO recommended that when ONCRC restructures the JFC, it clearly specifies in a written agreement how agencies will work together, and what their roles and responsibilities will be.</p>
<p>“ONCRC concurred with the recommendation,” the GAO wrote. “No timeline for the restructuring was offered, however.”</p>

<h3>Patient Zero</h3>
<p>It was like going back in time. Instead of using an electronic records system to access patient data and update charts, MedStar Health staff did medical rounds using good, old-fashioned paper and pencil.</p>
<p>The reason? Ransomware had compromised the $5 billion health-care provider that operates 10 hospitals and more than 250 outpatient facilities in the Washington, D.C., region, serving thousands of patients and employing more than 30,000.</p>
<p>While exact details were not released before Security Management’s press time, attackers hit MedStar on the morning of March 28, launching an attack that prevented certain users from logging in to its systems.</p>
<p>“MedStar acted quickly with a decision to take down all system interfaces to prevent the virus from spreading throughout the organization,” MedStar spokesperson Ann Nickels said in a statement. “We are working with our IT and cybersecurity partners to fully assess and address the situation.
Currently, all of our clinical facilities remain open and functioning.”</p>
<p>MedStar also reassured stakeholders that it believed no patient data had been compromised, and that it was working with its cybersecurity partner—Symantec—and the FBI to find out exactly how attackers gained access to its systems.</p>
<p>Through this effort, MedStar was able to keep its doors open and bring its systems back up “in what can only be viewed as a very rapid recovery led by dedicated MedStar and external IT expert partners,” it said in a statement.</p>
<p>The ransomware attack on MedStar is just one of a string of recent attacks on the healthcare industry. In March, attackers took the computers of Hollywood Presbyterian Medical Center in Los Angeles hostage for more than a week until officials paid the ransom, approximately $17,000 in Bitcoin.</p>
<p>“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” said Hollywood Presbyterian President Allen Stefanek in a statement. “In the best interest of restoring normal operations, we did this.”</p>
<p>Ransomware is a form of malware that attackers use to infect a computer or network, encrypt its data, and then demand payment—the ransom—from victims to decrypt the data. If victims don’t pay up, the data will remain encrypted or may be deleted.</p>
<p>Attackers have been using it to compromise healthcare systems in the United States, Germany, Canada, and France, according to research by Security Management. This raises the question: Why are hospitals such lucrative targets for ransomware?</p>
<p>James Carder, CISO of LogRhythm and former director of security information for the Mayo Clinic, says he thinks it’s because healthcare is “so far behind the times” when it comes to cybersecurity.</p>
<p>“If you just think about the core business of what a hospital does, they are there to treat sick people—treat patients,” he explains. “They think of security from a physical security perspective…the cybersecurity world is nothing that they’ve actually planned for. If you look at their IT infrastructure, they’re all built around supporting patient care and they have never made that connection with cybersecurity being directly connected to patient care.”</p>
<p>Instead, an emphasis is placed on making patient data available at all times and on remaining compliant with the Health Insurance Portability and Accountability Act (HIPAA). “The focus is on patient care and having access and availability of records, more so than securing the records,” Carder adds.</p>
<p>Couple this attitude towards cybersecurity with the large amounts of data that healthcare institutions use on a daily basis and the large resources most hospitals have, and you have a prime target for a ransomware attack, says Dan Holden, director of Arbor’s Security Engineering and Response Team (ASERT).</p>
<p>For attackers, “the great part about these commercial entities is they can get so much more,” Holden explains. “Rather than carrying on a campaign for $25, if you go through the investment to find serious targets in hospitals…the likelihood that you’re going to get paid is likely to be higher.”</p>
<p>This incentivizes hackers to go after hospitals because they are “the soft underbelly in terms of market,” Holden explains, giving them a high return on investment (ROI) for their efforts. And it doesn’t matter if the hospital is in the United States or in Europe, because all of them depend on having access to their data to serve their patients.</p>
<p>“The financial state of the country doesn’t necessarily matter,” Holden says. “You know they are going to have to depend on that data. From an ROI standpoint, it’s a good investment.”</p>
<p>Ransomware itself is also becoming more sophisticated, allowing it to infect a victim’s network more easily than in the past, according to Craig Williams, senior technical leader and security outreach manager for Talos, a threat intelligence organization owned by Cisco.</p>
<p>“Earlier ransomware required a human to spread,” he explains. “They had to have someone go to the website, see a malicious ad, or get an e-mail and click on it and run the e-mail attachment; they all required user interaction.”</p>
<p>SamSam, a new type of ransomware, however, does not. Instead, it combines network-based vulnerabilities with a ransomware payload. This means that the ransomware can target and penetrate a network when no one’s there.</p>
<p>SamSam works by exploiting well-known vulnerabilities—some up to nine years old—on unpatched systems. During the initial compromise, attackers conduct manual reconnaissance to locate systems they’d like to target with ransomware. They program what they would like the malware to perform, and it works without requiring an active command and control.</p>
<p>In plain English, “the way you can think of ransomware operating previously is they needed someone to unlock the door,” Williams says. “SamSam is the first piece of ransomware that can open the door for itself.”</p>
<p>SamSam first came on the scene in December 2015 when it was used in a gaming industry campaign. Williams says he thinks this was a trial run to make sure it was an effective form of ransomware.</p>
<p>However, it wasn’t until mid-February 2016 that Talos began seeing significant growth of the use of SamSam, with an “explosive growth period” in April. And Talos is continuing to see those high numbers, Williams adds.</p>
<p>“Talos did a small scan of the Internet, and, based on our preliminary findings, it appears that there are around 2.1 million vulnerable servers on the Internet right now,” he explains. “That’s a bad number.”</p>
<p>The FBI has also acknowledged the rise of SamSam, sending out a confidential “Flash” advisory on March 25, obtained by Reuters, requesting help from businesses and software security experts in investigating the new form of ransomware.</p>
<p>“Friday’s FBI alert was focused on ransomware known as [SamSam] that the agency said seeks to encrypt data on entire networks, an alarming change because typically, ransomware has sought to encrypt data one computer at a time,” Reuters reports.</p>
<p>Security Management reached out to the FBI to discuss the advisory, but the Bureau declined to be interviewed for this article.</p>
<p>And while the healthcare industry is on high alert and beefing up its cybersecurity due to the string of recent ransomware attacks, Williams says he’s concerned that the attacks aren’t going away anytime soon. This is because attackers have built SamSam to make use of several different vulnerabilities that require companies to complete a variety of patches on their systems.</p>
<p>“The reality is, once people do start applying these patches the attackers will simply rotate in a new vulnerability to exploit,” Williams says.</p>
<p>Also aiding the attackers is that they are implementing best practices in customer service to make sure their victims pay the ransom, instead of just using a back-up or losing their data.</p>
<p>With SamSam, attackers are offering bulk discounts to decrypt data. In a case documented on Talos’s blog, a ransomware victim bought one key to decrypt his data and then came back and bought a second key for a lower price. The victim did this because the ransomware encrypted multiple machines, requiring separate decryption keys for each machine to decrypt the data.</p>
<p>“What’s really interesting about this is that the attackers apologized for delaying posting the key, which goes back to the problem these ransomware authors have of gaining victims’ trust,” Williams explains.</p>
<p>Also unique to the recent rise of SamSam is that attackers appear to be continuously upping the amount that they are charging victims to get their data back.</p>
<p>“We don’t see that normally,” Williams says. “What that tells me is they don’t fully understand the value of their data, and they’re trying to experiment to see exactly how much people will pay them.”</p>
<p>This presents a problem for customers because the more people who pay the ransom, the higher the ransom will go until the attackers reach a period of diminishing returns, he adds.</p>
<p>Additionally, Williams says he’s concerned when he hears reports of businesses paying the ransom—as Hollywood Presbyterian did—because there’s no way to know if their data’s integrity is intact.</p>
<p>“There’s no reason an attacker couldn’t have tampered with medical records or engineering design documents, or other things that could have a very significant impact to the world when they release the files to you,” he explains. “Without the ability to verify your data’s integrity, users need to be very cautious when trusting that data.”</p>
<p>Despite the bleak outlook for the healthcare industry, the best ways to prevent a ransomware attack continue to be patching systems regularly to keep them up to date, creating cybersecurity awareness training for employees, and having reliable back-ups that are tested, says Lysa Myers, security researcher at ESET.</p>
<p>“You test it and make sure that it’s actually functioning,” she explains.
“If you have a back-up and it’s not functional, that’s not a good back-up…this trend of ransomware could disappear in a short period of time if more businesses started doing back-ups.”</p><p>And having a good back-up system is something hospitals tend to do well, Carder says, because of their crisis management planning. </p><p>“Hospitals do things around: what if a core infrastructure goes down, how would you actually respond?” he says. For MedStar, it responded by using paper and pencil instead of its electronic systems to provide service. </p><p>“It kind of takes it back a number of years, but the good news is—at least for MedStar—that they had some type of plan that they could go to if the IT infrastructure went down,” Carder explains. “They could revert back to that, if needed, to treat patients.”  ​  ​</p> Cyber Incident Survival GuideGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">The worst has happened. Someone hacked your company's network, stealing thousands of documents and compromising customer and employee data in the process. And you're not sure what else the hackers had access to, if they are still in your network, or who is responsible.</span></p><p>If your company hasn't prepared for a major cyber incident of this scope, this scenario can quickly become overwhelming as you attempt to work with law enforcement, deal with the media, and restore business operations.</p><p>With more than 2,100 confirmed data breaches in 2015 and almost 80,000 incidents, according to Verizon's 2015 Data Breach Investigations Report, developing an incident response plan for a cyber incident should be a top priority.</p><p>"Protecting your organization from a data breach could save your business tens of millions of dollars, and help maintain customer loyalty and shareholder confidence," the report explains. 
"Data security isn't something that should be left to the IT department. It's so important that it should matter to leaders, and indeed employees, from all functions."

To help security leaders plan for the worst and know what to expect in the aftermath, Security Management spoke with experts about their best practices for cyber incident response.

Before the Breach

Just as a company has an incident response plan in case the building catches on fire and burns to the ground, it needs to have an incident response plan to handle a cyber incident before one actually occurs.

Craft a plan. Gary Bahadur, senior director of FTI Consulting's Risk Management Practice, helps companies craft these plans on a regular basis. He suggests that organizations first think about how they are most likely to be attacked and who is most likely to be behind the attack.

For instance, banks that allow customers to conduct transactions online—say through an online banking portal—may be vulnerable to a breach through their Web applications. Or high-tech firms may be most concerned about an insider threat compromising their intellectual property.

"The first step is determining how we're going to be attacked and then figuring out what are the best controls and roadblocks to block the most likely scenarios," Bahadur explains.

From that point, companies can use the U.S.
Department of Justice's (DOJ) Cybersecurity Unit's Best Practices for Victim Response and Reporting of Cyber Incidents guidance to craft an actionable incident response plan.

It suggests, at a minimum, identifying who has the lead responsibility for different elements of the company's cyber incident response, from decisions on public communications to information technology to implementation of security measures to resolving legal questions.

Companies should also determine how to contact critical personnel at any time, how to proceed if critical personnel are unreachable, and what mission-critical data, networks, or services should be prioritized for the greatest protection.

"All personnel who have computer security responsibilities should have access to and familiarity with the plan, particularly anyone who will play a role in making technical, operational, or managerial decisions during an incident," the guidance says.

Completing this process is becoming especially important because a new legal standard is emerging as organizations develop a track record of reasonableness for assessment, planning, incident response, and recovery, says Ed McAndrew, partner in Ballard Spahr LLP's Privacy and Data Security Group and a former federal prosecutor.

"There's a new legal standard that is emerging where organizations need to employ reasonable data security standards to mitigate foreseeable risk," explains McAndrew, who is also a former DOJ national security cyber specialist. "Companies need to have appreciated the risk, attempted to manage the risk, and then have a plan for attempting to respond to these incidents."

After companies identify their low-hanging fruit and craft an incident response plan, Bahadur suggests creating a roadmap to analyze the likelihood of that particular attack and how to prevent it.
Companies should also consider how they will create a long-term strategy that continues to adapt to new security challenges as new business functions are developed.

"You have to be able to grow your security organization and its functionality," he adds.

Consider law enforcement. While companies are developing their incident response plans, they need to consider their relationship with local and national law enforcement.

McAndrew says there's a "real appetite in law enforcement" to develop relationships with the private sector when it comes to cybersecurity. This is because law enforcement understands that "effective investigation of cyber requires a level of trust and personal relationships between investigators and their counterparts inside organizations," he explains.

For this reason, the government has created a variety of outreach programs that target the private sector, including InfraGard, Information Sharing and Analysis Centers and Information Sharing and Analysis Organizations, and the U.S. Department of Homeland Security's new cybersecurity information sharing program.

"Joining these organizations and attending those outreach programs is a great and easy way to begin to build relationships" with law enforcement, something companies should do before a cyber incident occurs, McAndrew says.

Companies can also reach out to their local FBI office, because agents there are often willing to help companies conduct cybersecurity risk assessments, incident planning, and data security planning.

These relationships can also help companies know what to expect from their law enforcement partners, should a breach occur, says Mick Stawasz, deputy chief for computer crime and head of the DOJ Cybersecurity Unit.
"Before there's an event, we, the FBI, and other investigative agencies are trying to lay the groundwork so that there are relationships in place and an understanding of what may happen when we arrive," Stawasz explains. "We're out there doing events to try and tell people, when we show up, this is the type of information to have before an event."

For instance, he says that companies should think about what data they can share with law enforcement and what kind of access they will be willing to provide should an incident occur. This can help streamline the process of an incident investigation because companies won't be doing original legal research "while the clock is ticking," Stawasz says. "We really encourage people to think ahead of time because there are certain things we're going to want."

However, McAndrew says that while it's great to engage with law enforcement, companies should do so carefully. "You need to understand the levels of engagement, and the logistics where law enforcement can be helpful, but also where engaging them may result in an investigation," he adds.

To help companies navigate this area, McAndrew recommends relying on outside counsel with experience in cybersecurity.

Practice makes perfect. After companies outline their cyber incident response plans, they need to practice them to identify problem areas and ensure that they are effective.

Bahadur recommends conducting a tabletop exercise with all the key stakeholders in the room, including representatives from the C-suite, IT, public relations, legal, marketing, and even sales staff.

"People say that a cyber breach is an IT problem," he explains. "It's not...when a breach occurs we need our PR people. We need legal to discuss what the repercussions are for the industry we are in.
And we need executive support, marketing, and sales because this could impact relationships with clients."

Leonard Bailey, special counsel for national security in the DOJ Computer Crime and Intellectual Property Section, agrees that practicing the incident response plan is important because it reinforces what people's roles are when an incident occurs, and allows companies to designate an alternate to fill those roles should the designated person not be available.

During the Breach

Despite careful preparation and cyberattack prevention tactics, even "the best laid plans of mice and men often go awry," as Robert Burns wrote. But by remembering the following tips, companies can prevent a cyber incident from becoming a cyber crisis.

Make an assessment. When companies identify a cyber incident, they should immediately make an assessment about the nature and scope of the incident, according to the DOJ guidance.

"In particular, it is important at the outset to determine whether the incident is a malicious act or a technological glitch," the guidance explains.
"The nature of the incident will determine the type of assistance an organization will need to address the incident and the damage and remedial efforts that may be required."

To identify the nature of an incident, companies can have systems administrators attempt to identify the affected computer systems, the origin of the incident, any malware used in connection with the incident, remote servers to which data was sent, and the identity of any other victim organizations.

The initial assessment should also document what users are currently logged on, what the current connections to the computer system are, what processes are running, and all open ports and their associated services and applications.

"Any communications (in particular, threats or extortionate demands) received by the organization that might be related to the incident should also be preserved," the guidance explains. "Suspicious calls, e-mails, or other requests for information should be treated as part of the incident."

Maintain evidence. Often, the first reaction when a company learns about a cyberattack is to do whatever it takes to stop the bleeding.

"The first thing companies do is unplug the device that's been hacked to stop the bleeding, potentially," Bahadur says. "But if you want to do forensic analysis—track the attack or report it—if you change the environment and erase a server that's been hacked, you're losing really valuable evidence."

To prevent evidence from being compromised, Bahadur says companies should follow good forensic practices—something most organizations struggle with. "Most companies don't handle chain of custody well," he adds.
"They will literally screw up the whole process and tamper with the evidence so badly."

Instead, companies should create a chain of custody for evidence and should have IT staff work with the legal department to ensure that technology is in place to maintain and preserve that evidence, says Patrick Dennis, CEO of Guidance Software.

"If you want to have an infrastructure in place that includes people, technology, and policies that can work with law enforcement and produce evidence, there has to be a program put in place beforehand to do that," he explains. "Otherwise, generally they will end up compromising some or all of that evidence."

Notify law enforcement. Once an initial assessment has been made and evidence has been gathered, managers and other personnel within the organization should be notified following the protocols outlined in the cyber incident response plan.

Then, if the company suspects that criminal activity has taken place, it can consider notifying law enforcement. The FBI and the U.S. Secret Service conduct cyber investigations, and contacting law enforcement may prove beneficial for victim organizations, because law enforcement can use tools and methods typically not available to private companies.

"These tools and relationships can greatly increase the odds of successfully apprehending an intruder or attacker and securing lost data," the DOJ guidance explains. "In addition, a cyber criminal who is successfully prosecuted will be prevented from causing further damage to the company or to others, and other would-be cyber criminals may be deterred by such a conviction."

When it comes to reaching out to the FBI, McAndrew recommends that companies use their knowledge about the bureau because some agents are "true superstars" when it comes to cybersecurity. "Not all agents are created equal, just like not all lawyers are created equal," he jokes.
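The initial-assessment items listed above (logged-on users, current connections, running processes, open ports) and the chain-of-custody concern that follows them, as an added example that is not from the article or any of the organizations it quotes: a small Python collector that captures each item to a file and records who ran which command, when, with what result, and the SHA-256 of every file in a manifest that later handlers can re-verify. The command names, the manifest layout and the CASE-PLACEHOLDER case id are assumptions.

```python
"""Volatile-data snapshot with a hashed chain-of-custody manifest.

Added example, not from the article or its sources. Assumes a Linux or Unix
host where `who`, `ps` and `ss` (or the older `netstat`) are on PATH; a missing
or hung command is recorded in the manifest rather than raised.
"""
import hashlib
import json
import os
import socket
import subprocess
from datetime import datetime, timezone

# The volatile facts the DOJ guidance says the initial assessment should record.
# Each artifact lists candidate commands; the first one that runs is used.
DEFAULT_COLLECTORS = {
    "logged_on_users": [["who", "-a"], ["w"]],
    "network_connections": [["ss", "-tunap"], ["netstat", "-tunap"]],
    "listening_ports": [["ss", "-tulnp"], ["netstat", "-tulnp"]],
    "running_processes": [["ps", "auxww"], ["ps", "-ef"]],
}


def _utc_now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def run_first_available(candidates, timeout=30):
    """Try each candidate argv in turn; return (command, return_code, output)."""
    last_error = "no candidate command given"
    for argv in candidates:
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            return " ".join(argv), proc.returncode, proc.stdout + proc.stderr
        except FileNotFoundError:
            last_error = f"not found: {argv[0]}"
        except subprocess.TimeoutExpired:
            last_error = f"timed out after {timeout}s: {' '.join(argv)}"
    # Nothing ran: keep the failure itself as the artifact so the gap is visible.
    return None, -1, f"collector failed: {last_error}\n".encode()


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_volatile_data(out_dir, collectors=None, case_id="CASE-PLACEHOLDER",
                          collector="unknown"):
    """Write one file per artifact plus manifest.json recording who collected
    what, when, with which command, and each file's SHA-256."""
    collectors = DEFAULT_COLLECTORS if collectors is None else collectors
    os.makedirs(out_dir, exist_ok=True)
    manifest = {"case_id": case_id, "collector": collector, "host": socket.gethostname(),
                "started_utc": _utc_now(), "items": []}
    for name, candidates in collectors.items():
        command, rc, output = run_first_available(candidates)
        path = os.path.join(out_dir, f"{name}.txt")
        with open(path, "wb") as fh:
            fh.write(output)
        manifest["items"].append({
            "artifact": name, "file": os.path.basename(path), "command": command,
            "return_code": rc, "bytes": len(output), "sha256": sha256_of(path),
            "collected_utc": _utc_now()})
    manifest["finished_utc"] = _utc_now()
    with open(os.path.join(out_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_manifest(out_dir):
    """Recompute each artifact's hash; return the names whose contents changed."""
    with open(os.path.join(out_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    return [item["artifact"] for item in manifest["items"]
            if sha256_of(os.path.join(out_dir, item["file"])) != item["sha256"]]
```

On the affected host, `collect_volatile_data("evidence-<case>", collector="<responder>")` takes the snapshot, and `verify_manifest("evidence-<case>")` should return an empty list each time the evidence changes hands.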
And in some cases, it may be better to have someone on the corporate legal team reach out to a U.S. Attorney's Office to use a lawyer-to-lawyer relationship.

"Speaking lawyer to lawyer can sometimes be more helpful," McAndrew says. "I know that if I get them interested in the matter, I won't have to cold call an FBI office I've never dealt with."

And everyone should be on the same page about what's happening to prevent information from falling through the cracks, or being inadvertently shared.

"Is the IT department the one that has the relationship with the FBI and is legal out of the picture?" McAndrew asks. "Is IT sharing information without legal's knowledge? Is senior management briefed and knowledgeable about what happens next when you begin interacting with law enforcement, and are they willing to do those things?"

Asking these questions—often ahead of time—will help companies simplify decision making if an incident occurs, he adds.

Avoid pitfalls. While there are many actions companies should take following a cyber incident, the DOJ guidance explicitly urges companies not to use compromised systems to communicate.

"If the victim organization must use the compromised system to communicate, it should encrypt its communications," the guidance says. "To avoid becoming the victim of a social engineering attack, employees of the victim organization should not disclose incident-specific information to unknown communities inquiring about an incident without first verifying their identity."

The DOJ guidance also says companies should not hack into or damage another network following a cyber incident.

"Regardless of motive, doing so is likely illegal, under U.S. and some foreign laws, and could result in civil and/or criminal liability," it explains. "Furthermore, many intrusions and attacks are launched from compromised systems.
Consequently, 'hacking back' can damage or impair another innocent victim's system rather than the intruder's."

After the Breach

Once companies have managed to stop the bleeding of a cyberattack, they may find themselves in court if the perpetrators of a breach are prosecuted. Because of this, Bailey and Stawasz explain that companies need to keep a potential court appearance in mind.

Victim status. When a cyber incident happens, it's important for companies to remember that they are a victim of a crime, and that prosecutors should treat them as such, Stawasz says.

"We really are trying to help. We will work with them in the process of an investigation, and with luck a prosecution—of somebody—for what was done," he explains.

Stawasz also says that the DOJ is trying to do a better job of keeping companies informed of how the investigation and prosecution are proceeding. Companies have a right to be informed at various stages, such as before a case is resolved, when charges are brought, if a plea deal is made, and to appear to make a sentencing statement if an individual is convicted.

"We encourage them to make a statement to highlight for the public and the court the impact a cybercrime has on a victim," Stawasz explains.

Remain vigilant. After a cyber incident has been resolved and appears to be under control, it's important for companies to remain vigilant in case of future attempts to breach their systems.

"It is possible that, despite best efforts, a company that has addressed known security vulnerabilities and taken all reasonable steps to eject an intruder has nevertheless not eliminated all of the means by which an intruder illicitly accessed the network," the DOJ guidance explains.
"Continue to monitor your system for anomalous activity."

Eyes on Minneapolis

The annual Saint Patrick’s Day Parade in downtown Minneapolis, Minnesota, draws large crowds every year, consistently numbering in the tens of thousands. So when a disruptive group of teenagers caused problems at last year’s event, the police department was glad to have critical video evidence to help apprehend the suspects.

“We were able to reach out to a number of businesses and get information that led us to help identify some of the individuals that were causing problems in the downtown area,” says Commander Scott Gerlicher of the Minneapolis Police Department.

What started as rabble-rousing, intentionally blocking traffic, and getting into fights eventually turned into an all-out brawl. Two people were injured and six arrests were made.

With the help of Securonet’s Virtual Safety Network, a cloud-based tool that allows law enforcement to communicate with the business community, police were able to identify which cameras would likely show footage of the brawl and contact the owners of those devices. They ultimately leveraged resources from 32 cameras.

“Securonet has allowed us to enhance some of that collaboration with the business community that was already going on,” Gerlicher says. “We have many security cameras and police public safety cameras in downtown Minneapolis and throughout other areas of our city, but what we haven’t been able to do is tap into all those privately held cameras.”

While the relationship between the business community and law enforcement in Minneapolis is long-established, the initiative for a public safety camera network began with the Major League Baseball All-Star Game in 2014, hosted at Target Field.
Securonet’s founder, Justin Williams, had a working relationship with both the police department and the Minneapolis Downtown Improvement District (MDID) and approached both entities about the Virtual Safety Network when security plans for the game were underway.

“We looked at models, and looked at what other cities were doing” as far as camera programs, says Shane Zahn, director of safety initiatives with MDID. “There weren’t a lot of other cities doing this, so that’s when we partnered with Securonet to see if they could custom build us something here that we were looking for.”

Leading up to the game, MDID created a website that allowed business users to register their cameras on Securonet. In addition to the police’s monitoring station, MDID has a fusion center located within the city’s First Precinct where a team of police and private security monitor the cameras.

After the All-Star Game, the law enforcement community wanted to expand the camera initiative throughout the rest of the city. In early 2015, the city began opening up the registration to businesses located outside the downtown area.

Securonet is hosted on a Web-based portal where businesses can register cameras that may capture incidents of interest to law enforcement. These cameras usually face public areas, or are mounted on building exteriors.

Authorized police officers can log in to the portal and view these cameras on a map to see which devices may be related to what they’re investigating.

“We have a team of intelligence analysts at a central location, and there’s about 15 of us up here that have access to the Securonet portal,” notes Gerlicher, referring to the Minneapolis Police Department’s Strategic Information Center. There are additional analysts at the MDID fusion center. If they so choose, businesses can also publish the live feed of certain cameras on the portal so law enforcement has a real-time view.
The cameras are geo-located on a live map view of existing cameras. A security official or law enforcement officer then simply types in an address, and all the cameras on the site surrounding the area of interest appear.

Law enforcement can then send a message over the portal that lets the camera owner know exactly when the incident occurred and what it’s looking for. As of mid-2015, there were approximately 400 cameras registered to the system.

Police or operators can also send out a mass message to several affected camera owners at once.

“We can query the people who have signed up through Securonet,” Gerlicher explains, “and send out a mass notification saying, ‘We had this incident take place…and the suspect was seen wearing a red top and black jeans, at this date and time. Let us know if you have anything on video.’”

The business can reply affirming that a suspect does, in fact, appear on the video, or that the suspect does not. In the past, law enforcement would have someone go knock on the door of that company to inquire about the footage, a time-consuming process that kept police tied up.

Investigators then go to the business and pick up a digital copy of the footage. “Once businesses turn it over to us, they understand it will be part of the case file,” he says.

Businesses appreciate the fact that it’s an e-mail-based tool, notes Zahn, and that the communication with law enforcement is in a familiar, unobtrusive format. “What the businesses are saying is, one, it’s easy to register; and two, they are getting more specific communications than just a general e-mail blast.”

He adds that the city tries to limit its communication with business owners on issues unrelated to investigations to about once a week, so that they aren’t oversaturated with e-mails. The city also strives to keep communications to a simple format that is consistent throughout each message.
“You get familiar with the requesters and vice versa,” Zahn says. “You build a relationship—this virtual relationship—through the tool.”

Evidence obtained via Securonet often helps the First Precinct solve property crimes, Gerlicher adds, and the technology also helps rule out any frivolous or erroneous leads in an investigation. “If we don’t see the suspect in that footage, we can determine, ‘well he must not have gone that way.’”

And the business community has kept up its end of the bargain. Gerlicher says law enforcement has experienced a 100 percent response rate of camera owners replying when there is an inquiry.

Securonet is developing another application called Helplink (911), which will allow businesses to turn on access to cameras both outside and inside a building during an emergency. Minneapolis is currently testing the technology, and Gerlicher says the city hopes to roll it out soon.

“That would give incredible situational awareness to those officers responding or a SWAT team so they can see exactly what’s happening and they are not going into that building blind,” notes Gerlicher.

For more information: Greg Boosalis, greg@securo, 612/930-4632