Archives


https://sm.asisonline.org/Pages/The-Unseen-Threat.aspx
The Unseen Threat
2017-11-01T04:00:00Z
<p>Traditionally, factory security assessments have been directed towards the inside of the factory or plant and not to the more exposed perimeter, including the perimeter wall of the factory structure and the fence line. Similarly, assessors often look at the factory’s cyber network and examine the configuration of servers, switches, and human-machine interfaces, but may pay less attention to the outside of the facility walls and physical grounds because they tend to fall outside the classic cyber and physical security boundaries. </p><p>However, with the increased awareness of the security weaknesses that industrial control systems face, there has been a growth in requests to security and consulting companies for combined cyber and physical security assessments of factories and critical infrastructure. The North American Electric Reliability Corporation (NERC) puts out Critical Infrastructure Protection (CIP) standards that strengthen the cybersecurity of North American electric grid operations, and recent updates emphasize the importance of strengthening both physical and electronic security perimeters. </p><p>A shift in the industry toward enterprise security risk management (ESRM)—which focuses on using risk assessments to inform an organization’s security approach—moves beyond assessing physical security. However, this can be a difficult shift for facilities that do not have a clear risk profile.</p><p>This gap in the security assessment process offers an opportunity for plant managers to take an ESRM-inspired approach and better understand their security and infrastructure vulnerabilities to both physical and cyber threats.</p><h4>DRAWING THE LINES</h4><p>Two security concepts raised in the NERC CIP are related to electronic security perimeters (ESPs) and physical security perimeters (PSPs). 
The ESP is an imaginary perimeter drawn around a set of critical cyber assets and is usually defined by the location of perimeter access points such as firewalls and modems. The PSP is typically defined as a six-sided border that surrounds critical assets. In the NERC model, the border is intended to totally enclose the ESP. </p><p>Although the ESP is a logical, imaginary depiction, it gives a sense of the electronic traffic flowing into and out of a critical set of digital assets as well as the physical plant. This assessment is normally performed by evaluating network topology diagrams, walking down network systems looking for telephone and wireless infrastructure, and conducting interviews with plant operations technology staff. If done thoroughly, the assessors are also looking at wireless traffic such as cellular, LAN network, or Wi-Fi connectivity flowing across the ESP.</p><p>A PSP is more readily determined and tangible. Here, security is literally walking along the perimeter of a room or building that is enclosing the ESP. Security is normally looking for any means of physical penetration such as doors, ventilation louvers, or an opening under the wall or fence. A PSP determination is more natural and can be readily performed by a skilled physical security professional.​</p><h4>ELECTRONIC PERIMETERS</h4><p>A structured but more unusual way to approach a facility assessment is to start with the ESP and PSP concepts in mind and to apply them to the footprint of the facility being examined.  </p><p>Begin with an overhead view of the facility and the corresponding fence line if possible. One technique is to obtain the satellite view of the facility from an online mapping tool such as Google Earth. Alternatively, a plan view drawing of the facility and surrounding grounds obtained from the facility service manager may be used.</p><p>Using this overhead view, draw a border around the facility perimeter with an optional border at the fence line. 
Once the analysis boundary has been identified, pinpoint both tangible and invisible services and activities, including underground, airborne, or surface vectors. Consider services that cross this boundary and place them on the map where they enter the facility.</p><p>Infrastructure to consider includes electric power feeds from substation or emergency generators, natural gas or propane, water, sewer, enterprise and public fiber connections, telephone and cable television lines, and other commercial services. Inbound services such as product feeds from other facilities and deliveries like mail or packages, as well as outbound shipments, should also be taken into consideration.</p><p>Electronic signals that cross in and out of the facility include Wi-Fi, cellular, radio, and satellite communications, and these should be included on the risk map. For example, while performing an assessment of a client’s facility, including a wireless security inspection, Wi-Fi service was detected but was not owned or provided by the enterprise. The investigation revealed that the signal was from a nearby house and was not secured, allowing employees and visitors at the factory to connect to the rogue Wi-Fi. Such a connection could contaminate the individual’s laptop or mobile phone, as well as other Wi-Fi–equipped devices, with a worm, virus, or ransomware from the unknown and uncontrolled Wi-Fi.</p><p>A similar vulnerability was discovered at another power plant: a contractor’s trailer adjacent to the plant fence line had an insecure Wi-Fi set up, which was available inside the power plant.</p><p>Depending on the age and type of property, identifying these services may be a challenge. Older facilities may not have the necessary drawings, infrastructure diagrams, or employee knowledge to identify where the underground lines are for some of these services. Older facilities also suffer from abandoned equipment and systems that tend to be ignored because they are no longer in service. 
If the client has recently purchased the property, it may not know where these services enter or exit the plant.</p><p>An additional complication is that some services have dual feeds from separate locations. For instance, a data center will normally have redundant power and communications at different perimeter locations. These should be reflected on the analysis mapping.</p><p>Once these various activities and services have been identified and listed, begin looking at the vulnerabilities each poses to the plant and to the availability of the facility operations. </p><p>The perimeter assessment should be more holistic than simply walking down a fence line or the perimeter of a building. For example, while performing this analysis for a client, a problem was identified with the underground water feed into the plant. The plant had only one line entering the plant supplying potable water, service water, and fire protection/sprinkler water. The line ran under the fence, across a large field between the fence and the factory itself, and then into the building with some feeders going to the fire pumps located outside the factory in a field. The line could be subject to backhoe or digging damage because it was not effectively marked, but the larger problem was outside of the fence.</p><p>Beyond the fence line was the water service building—a small, unmarked wooden structure that contained the tap into the local city water supply, as well as several isolation valves and a flow meter for billing and volume calculations. The inspector discovered the building open and unoccupied—the door padlock was hanging open on the hasp. This would have allowed an attacker to shut the water supply valves and take advantage of the unlocked padlock to either lock the valves or close and lock the building door, thus delaying emergency responders to reopen the valves. 
Such an attack would have posed serious consequences for the factory because closing these valves would have shut off all water to the facility.</p><p>The inspector needs to look at all telltale signs and artifacts—many of which are prominently placed—that could tell an attacker where a softer and more vulnerable service feeding the plant is located. For example, site and facility architects use underground vault covers that explicitly label the service. That practice can be helpful for maintenance and emergency response but it also provides an easy target for criminals. </p><p>Similarly, the way these vault covers are secured could be problematic. The covers should be locked, but an added layer of security includes using tamper-resistant fasteners or proprietary screw heads and bolts.</p><p>Conducting an integrated, ESRM-based analysis helps bring awareness of what crosses facility boundaries, whether it be in electronic or physical form. It encourages plant managers to document underground infrastructure and fill gaps in knowledge, and provides enhanced planning for both physical and wireless attacks from modes ranging from surface injections to airborne threats. By mapping out both the physical and electronic perimeters, a facility’s security approach can be based on what can and cannot be seen.  </p><p><em>Ernie Hayden, PSP, Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), SANS Global Industrial Cyber Security Professional (GICSP), is the ICS cybersecurity lead at BBA, a Canadian engineering company. He is a member of ASIS. ​</em></p>

 

 

https://sm.asisonline.org/Pages/November-2017-SM-Online.aspx
November 2017 SM Online
Strategic Security
<h4>Telework Safeguards</h4><p>Employees who telework may be using their own PCs, laptops, tablets, and smartphones for work purposes, so a telework program may require another layer of security to protect sensitive data. Security managers facing this issue may want to consult the <em><a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf" target="_blank">Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security</a></em>, issued by the U.S. Department of Commerce’s National Institute of Standards and Technology. The free guide provides information on security considerations for remote access solutions, and it makes recommendations for securing a variety of telework, remote access, and BYOD technologies. It also gives advice on creating related security policies.</p><h4>Elections</h4><p>The Russian hacking of the U.S. 2016 presidential election was an “assault” on election infrastructure, and there may be similar efforts affecting future elections. <em><a href="https://www.brennancenter.org/sites/default/files/publications/Securing_Elections_From_Foreign_Interference.pdf" target="_blank">Securing Elections from Foreign Interference</a></em>, issued by the Brennan Center for Justice at the New York University School of Law, outlines steps that can be taken now to protect the most critical elements of the U.S. election infrastructure.</p><h4>Secure Access</h4><p>A study conducted among IT professionals explores the security threats faced by organizations today. 
Among its findings, <a href="https://www.bomgar.com/assets/documents/Bomgar_Secure_Access_Report.pdf" target="_blank"><em>The Secure Access Threat Report 2017</em></a> from Bomgar reveals that while 90 percent of security professionals trust employees with privileged access most of the time, only 41 percent have “complete trust” in those users.</p><h4>Disclosure</h4><p>In <em><a href="https://www.belfercenter.org/sites/default/files/legacy/files/vulnerability-disclosure-web-final3.pdf" target="_blank">Government’s Role in Vulnerability Disclosure: Creating a Permanent and Accountable Vulnerability Equities Process</a></em>, experts recommend that the United States formalize the process it uses to disclose cyber vulnerabilities.</p><h4>Fake News Technology</h4><p><a href="https://www.vanityfair.com/news/2017/01/fake-news-technology" target="_blank">In a Vanity Fair article, </a>Nick Bilton writes about new technologies that can change audio and video in the same way that photos can be altered. He fears that “governments can weaponize fake news.” The article includes videos that show these technologies in action.</p><h4>Military Supplies</h4><p>Investigators <a href="http://www.gao.gov/assets/690/685916.pdf" target="_blank">posing as a fictitious federal agency</a> were able to acquire excess military equipment, and the U.S. Defense Department <a href="http://www.gao.gov/assets/690/684935.pdf" target="_blank">needs to do more</a> to track equipment it provides to Iraq.</p><h4>Seeing=Believing</h4><p>Humans are predisposed to believe fake news. 
<a href="https://poseidon01.ssrn.com/delivery.php?ID=764097064115114087102023107085076029057062017031026026005090098067007091028083023031101007022041026027017101026070086017001071041034005023078068013105096092102069064065078040075030090065005127003080070094090119089088002115080084075073107080116110124067&EXT=pdf" target="_blank">A Yale University study</a> found that even one exposure to a false news story predisposed the reader to believe that the story was true. The more times the reader was exposed, the more he or she believed it. <a href="https://www.apa.org/pubs/journals/features/xge-0000098.pdf" target="_blank">Another study</a> uncovered a tendency to believe clearly untrue information even if the reader previously knew that the information was false.</p><h4>Data breaches</h4><p>The heightened risk of future identity theft is sufficient to show standing to sue at the pleading stage in a lawsuit, <a href="http://law.justia.com/cases/federal/appellate-courts/cadc/16-7108/16-7108-2017-08-01.html" target="_blank">a U.S. court of appeals ruled</a>.</p><h4>Driver testing</h4><p>The Federal Motor Carrier Safety Administration and Federal Railroad Administration <a href="http://cdn.ca9.uscourts.gov/datastore/opinions/2017/07/17/16-16067.pdf" target="_blank">withdrew a proposed rule</a> to require truck drivers and train operators be tested for obstructive sleep apnea.</p><h4>Data protection</h4><p>The United Kingdom will <a href="https://www.gov.uk/government/news/government-to-strengthen-uk-data-protection-law" target="_blank">introduce new legislation</a> that will align U.K. law more closely with the EU General Data Protection Regulation.</p>
https://sm.asisonline.org/Pages/Subway-Surveillance.aspx
Subway Surveillance
Physical Security
<p>For small business profitability, it’s the little things that make a difference, and keeping tabs on employees can help prevent shrinkage. According to Subway franchise owner Kim Jordan, protecting her assets means that every bag of chips and loaf of bread must be accounted for. “The only way we can make money as a franchise is by keeping our labor expenses down…and by keeping our food costs down,” says Jordan, who owns six of the sandwich franchise stores in Alabama. </p><p>Because employees often work solo shifts in the store, Jordan has experienced food theft, which drives up business costs.  </p><p>“The greatest loss to my business is employee theft, whether it may be someone walking out the door with a case full of steak, stealing products, or giving away products,” she explains. </p><p>While Jordan knew that video surveillance would help, the infrastructure for individual security systems at each store would have been burdensome from a financial and management perspective, she says. That’s when she turned to Hokes Bluff, Alabama-based security integrator Lee Investment Consultants, LLC, to determine the best solution for preventing the theft and robbery plaguing the restaurant.</p><p>After evaluating a number of manufacturers, the decision was made to choose two camera models and a video management system from Hanwha Techwin America. With this system, the end user can view live video remotely or from individual store locations, and easily review recorded footage. 
</p><p>The install at the first store location was completed in May 2015, and over the next year and a half the other stores were outfitted. The last installation, at the store located inside a Walmart, was completed in November 2016. </p><p>To keep infrastructure costs down, the integrator provides long-term video storage at its hosting facility. It keeps footage for 30 days for the Subway stores before overwriting it. </p><p>Given the limited bandwidth Subway restaurants use mainly for their point of sale (POS) systems, local SD recording has been a major benefit of the system. For redundancy purposes, recording is performed right on the device using an SD card, and the video is uploaded overnight to the storage servers. </p><p>Most store locations have two cameras–one pointed at the sandwich line and register, and another pointed at the back portion of the store where the coolers are. One of the larger stores has three cameras, and the Walmart location only has one camera at the entrance. </p><p>“We’ve had problems where employees are voiding out transactions at the register,” Jordan says. “Once employees get clever with the computer system, they might void out an order they just transacted…and stuff that money in their pocket.” </p><p>Now the problem with employee theft at the register has gone down, Jordan says, because they can view the cameras which are pointed at the POS terminals. “We can go back and view the video at the time that void was made, so we can see if the transaction is legitimate or not.”</p><p>Many of her individual store managers have access to the camera feeds, and Jordan entrusts them with reporting any cases of theft or unwanted employee behavior.</p><p>For example, one of her managers performed an inventory check and realized several bags of sandwich sauce were missing. Suspecting one employee in particular as the culprit, that manager decided to watch a live video feed the next time that employee was working. 
</p><p>“She just sat there...and actually watched the employee sneaking out the front door with the sauces,” Jordan says. The employee was immediately fired. “If someone’s going to steal a bag of sweet onion teriyaki sauce, they’re not trustworthy.” </p><p>The cameras have also led to the arrest of employees in more serious incidents. “A few months ago a customer had come in and had left her wallet behind, so my manager put it in a filing cabinet and told an employee that was coming in it was there,” she explains. “And when the lady came to pick up her wallet, she had a credit card and cash that was missing.” </p><p>Video revealed that the employee who knew where the wallet was had stolen a credit card, and used it to buy a bag of chips in the store. The security integrator helped Jordan upload the footage onto a thumb drive to take to the police. “We got a warrant, and they arrested her for using that credit card,” Jordan tells Security Management. “We could not have proved it if it weren’t for the cameras.” </p><p>Even more recently, Jordan noticed about $5,000 was missing from the franchises’ bank deposits that a manager was supposed to be putting in the bank. “Our cameras provided the evidence that she did get the deposits out of the safe and walked out of the store with them,” Jordan says. The manager was arrested and charged with felony embezzlement.</p><p>“I never give someone a second chance to steal,” Jordan says. “To me if they steal a bag of chips or give a sandwich to a friend, then they’ll take home five sandwiches for themselves when they get the chance.” </p><p>The return on investment from a business perspective has also been huge, Jordan notes. “At one location, our food cost for months had been above 40 percent,” she notes. “After we got those cameras, within a week our food cost came down within the margin we needed.” </p><p>The cameras have also led to a greater sense of security among her workers. 
“I have had employees say they feel safer because of the cameras,” she notes. “Especially with some younger employees, 16 or 17 years old, it’s been a comfort to their parents having the cameras when their child is closing alone.”</p><p><em>For more information: Tom Cook, tom.cook@hanwha.com, www.hanwhasecurity.com, 201.325.2623 ​</em></p>
https://sm.asisonline.org/Pages/Global-Threats.aspx
Global Threats
National Security
<p>What region is most afraid of ISIS?</p>
https://sm.asisonline.org/Pages/The-Zero-Day-Problem.aspx
The Zero Day Problem
Cybersecurity
<p>In August 2017, FireEye released new threat research confirming with “moderate confidence” that the Russian hacking group APT28, also known as FancyBear, was using an exploit to install malware on hotel networks that then spread laterally to target travelers. </p><p>“Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks,” FireEye said in a blog post. “No guest credentials were observed being stolen at the compromised hotels; however, in a separate incident that occurred in fall 2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network.”</p><p>After APT28 accessed corporate and guest machines connected to the hotel Wi-Fi networks, it deployed malware that then sent the victims’ usernames and hashed passwords to APT28-controlled machines.</p><p>“APT28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network,” FireEye explained. </p><p>This new method is worrisome for security experts because the exploit APT28 was using to infiltrate hotel networks in the first place was EternalBlue, the same exploit used to spread ransomware such as WannaCry and NotPetya. It was also allegedly stolen from the U.S. National Security Agency (NSA).</p><p>A group of hackers, dubbed the Shadow Brokers, posted the EternalBlue exploit online in April 2017 after claiming to have stolen it from the NSA. The leak was just one of many the group has made over the past year detailing NSA vulnerabilities that exploited Cisco Systems, Microsoft products, and others. 
</p><p>The leaks prompted renewed debate on whether the NSA should change its vulnerabilities equities process (VEP) to disclose cyber vulnerabilities to the private sector more frequently to prevent future cyberattacks.</p><p>Some of the harshest criticism came from Microsoft itself. In a blog post, President and Chief Legal Officer Brad Smith wrote that the WannaCry attack provided an example of why “stockpiling of vulnerabilities by governments” is a problem.</p><p>“An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” Smith explained. “And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world—nation-state action and organized criminal action.”</p><p>The VEP began to take form under the George W. Bush administration when then President Bush issued a directive instructing the director of national intelligence, the attorney general, and the secretaries of state, defense, and homeland security to create a “joint plan for the coordination and application of offensive capabilities to defend U.S. information systems.”</p><p>Based on this directive, the respective agencies recommended that the government create a VEP to coordinate the government’s “offensive and defensive mission interests,” according to a memo by the Congressional Research Service (CRS) in February 2017. </p><p>The Obama administration then created the current VEP, which became publicly known in 2014 in response to the Heartbleed vulnerability—a bug in the OpenSSL cryptographic software that allowed protected information to be compromised. </p><p>The VEP, as it is known to exist today, provides the process for how the U.S. 
government chooses whether to disclose vulnerabilities to the vendor community or retain those vulnerabilities for its own use.</p><p>“Vulnerabilities for this purpose may include software vulnerabilities (such as a flaw in the software which allows unauthorized code to run on a machine) or hardware vulnerabilities (such as a flaw in the design of a circuit board which allows an unauthorized party to determine the process running on the machine),” according to the CRS memo sent to U.S. Representative Ted Lieu (D-CA).</p><p>To be eligible for the VEP, however, a vulnerability must be new or not known to others. Vulnerabilities are referenced against the Common Vulnerabilities and Exposures Database to determine if they are new or unknown.</p><p>When choosing to disclose a vulnerability, there are no clear rules but the U.S. government considers several factors, according to a blog post by former White House Cybersecurity Coordinator Michael Daniel that was written in response to allegations that the NSA knew about the Heartbleed vulnerability prior to its disclosure online.</p><p>For instance, the government considers the extent of the vulnerable system’s use in the Internet’s infrastructure, the risks and harm that could be done if the vulnerability is not patched, whether the administration would know if another organization is exploiting the vulnerability, and whether the vulnerability is needed for the collection of intelligence.</p><p>The government also considers how likely it is that the vulnerability will be discovered by others, if the government can use the vulnerability before disclosing it, and if the vulnerability is, in fact, patchable, according to Daniel.</p><p>In the post, Daniel wrote that the government should not “completely forgo” its practice of collecting zero-day vulnerabilities because it provides a way to “better protect our country in the long run.”</p><p>And while the process allows the government to retain vulnerabilities for its own 
use, it has tended to disclose them instead. NSA Director Admiral Michael Rogers, for instance, testified to the U.S. Senate Armed Services Committee in September 2016 that the NSA has a VEP disclosure rate of 93 percent, according to the memo which found a discrepancy in the rate.</p><p>“The NSA offers that 91 percent of the vulnerabilities it discovers are reported to vendors for vulnerabilities in products made or used in the United States,” the memo said. “The remaining 9 percent are not disclosed because either the vendor patches it before the review process can be completed or the government chose to retain the vulnerability to exploit for national security purposes.”</p><p>Jonathan Couch, senior vice president of strategy at ThreatQuotient, says that the U.S. government should not be expected to disclose all of the vulnerabilities it leverages in its offensive cyber espionage operations.</p><p>“Our government, just like other governments out there, is reaching out and touching people when needed; they leverage tools and capabilities to do that,” says Couch, who prior to working in the private sector served in the U.S. Air Force at the NSA. “You don’t want to invest a ton of money into developing capabilities, just to end up publishing a patch and patching against it.”</p><p>However, Couch adds that more could be done by agencies—such as the U.S. Department of Homeland Security (DHS)—that work with the private sector to push out critical patches on vulnerabilities when needed.</p><p>“Right now, I think they are too noisy; DHS will pass along anything that it finds—it doesn’t help you prioritize at all,” Couch says. 
“If DHS could get a pattern of ‘Here’s what we need to patch against, based on what we know and are allowed to share,’ then push that out and allow organizations to act on that.”</p><p>Other critics have also recommended that the government be more transparent about the VEP by creating clear guidelines for disclosing vulnerabilities and to “default toward disclosure with retention being the rare exception,” the CRS explained.</p><p>One of those recommendations was published by the Harvard Kennedy School’s Belfer Center for Science and International Affairs in Government’s Role in Vulnerability Disclosure: Creating a Permanent and Accountable Vulnerability Equities Process. </p><p>The paper, written by Ari Schwartz, managing director of cybersecurity services for Venable LLP and former member of the White House National Security Council, and Rob Knake, Whitney Shepardson senior fellow at the Council on Foreign Relations and former director for cybersecurity policy at the National Security Council, recommended the VEP be strengthened through formalization. </p><p>“By affirming existing policy in higher-level, unclassified governing principles, the government would add clarity to the process and help set a model for the world,” the authors explained. “If all the countries with capabilities to collect vulnerabilities had a policy of leaning toward disclosure, it would be valuable to the protection of critical infrastructure and consumers alike, as well as U.S. corporate interests.”</p><p>However, the authors cautioned that affirming this process does not mean that the government should publicize its disclosure decisions or deliberations.</p><p>“In many cases, it likely would not serve the interests of national security to make such information public,” according to Schwartz and Knake. “However, the principles guiding these decisions, as well as a high-level map of the process that will be used to make such decisions, can and should be public.”</p><p>U.S. 
lawmakers also agree that the VEP should be overhauled to boost transparency. In May, U.S. Senators Brian Schatz (D-HI), Ron Johnson (R-WI), and Cory Gardner (R-CO), and U.S. Representatives Ted Lieu (D-CA) and Blake Farenthold (R-TX) introduced legislation that would require a Vulnerabilities Equities Review Board comprising permanent members. These members would include the secretary of homeland security, the FBI director, the director of national intelligence, the CIA director, the NSA director, and the secretary of commerce. </p><p>Schatz said that the bill, called the Protecting Our Ability to Counter Hacking (PATCH) Act, strikes the correct balance between national security and cybersecurity.</p><p>“Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security,” he explained in a statement.</p><p>Additionally, the secretaries of state, treasury, and energy would be considered ad hoc members of the board. Any member of the National Security Council could also be requested by the board to participate, if they are approved by the president, according to the legislation.</p><p>The bill has not moved forward in Congress since its introduction, which suggests that many do not see a need for an overhaul of the current disclosure system. </p><p>“It’s just not realistic for NSA, CIA, or the military or other international governments to start disclosing these tools they’ve developed for cyber espionage,” Couch says.</p>
https://sm.asisonline.org/Pages/Fake-News-Real-Threats.aspx
Fake News. Real Threats
<p>In November 2016, a man armed himself with an assault rifle and drove six hours from North Carolina to Washington, D.C. His goal was to storm Comet Ping Pong, a D.C. pizza restaurant, and rescue children being held captive and abused by Hillary Clinton. Once inside, the man fired on the restaurant, but no one was hurt. </p><p>The Comet Ping Pong story was one of many deliberately false news stories circulating in 2016. After the story was exposed as a hoax, “a post on Twitter by Representative Steven Smith of the 15th District of Georgia—not a real lawmaker and not a real district—warned that what was fake was the information being peddled by the mainstream media. It was retweeted dozens of times,” according to The New York Times.</p><p>The concept of fake news entered the popular vocabulary during the U.S. presidential election in 2016. While intentionally spreading false news reports for financial, political, or psychological reasons is not a new phenomenon, the practice has expanded significantly in the last year. During the particularly divisive U.S. election, numerous hyper-partisan blogs and websites posted a wide range of rumors, conspiracy theories, and fabrications, which have collectively been labeled fake news. Far from its original meaning—articles that are blatantly untrue—the term fake news has been embraced by all sides of the political divide to denigrate reporting that they feel is biased or incomplete.</p><p>While primarily political in nature, fake news has been used against various organizations and poses a real and increasing threat to private sector organizations of all sizes. 
It is important for security professionals to explore the relationship between fake news and corporate security, and determine how they can begin to address the threats posed by the release of false news and information.</p><h4>Transmission<br></h4><p>There has been an explosion in the creation and distribution of fake news through various online channels, including blogs, websites, discussion forums, and especially social media platforms. According to a 2017 survey, A Real Plague: Fake News, conducted by Weber Shandwick, Powell Tate, and KRC Research, approximately 7 in 10 American adults reported having read a fake news story in 2016. Research conducted by Hunt Allcott and Matthew Gentzkow and published in the spring 2017 edition of The Journal of Economic Perspectives also found that a database of 38 million shares of fake news stories on social media translated to about 760 million instances of clicking on, and reading, fake news stories. </p><p>The subject matter of these stories has run the gamut from political conspiracies to alleged criminal conduct by high-profile individuals to allegations of corporate political bias. A unique aspect of the current situation is that these stories are shared more widely, and more quickly, than ever before due to the ubiquity of social media. According to Allcott and Gentzkow, the list of fake news websites compiled by Stanford University received 159 million visits during the month of the election, while some 41.8 percent of individuals reported that they were exposed to fake news via social media.</p><p>Another important aspect of the current situation is that many of these fake news stories have gained a level of credibility among segments of the population that is surprising considering the sometimes bizarre nature of the claims made. In a study by Ipsos Public Affairs for BuzzFeed, 75 percent of respondents who reported remembering a fake news headline believed it to be accurate. 
In the study by KRC Research, 74 percent of individuals surveyed reported that it is difficult to determine what news is real and what is not.</p><p>The increased acceptance of baseless rumors and extreme conspiracy theories is due in no small part to a widespread decline in trust in media, government, academia, and most other forms of traditional authority. The falling levels of trust in media have been well documented by Gallup, Pew Research, and the Edelman Trust Barometer. This collapse of trust has led to the increased importance of the “people like me” category as a trusted source of news and information, according to Edelman’s 2017 global report. Because of these developments, sources such as Reddit, personal blogs, Facebook accounts, and quasi-official websites have gained credibility, while trust in traditional news media and government sources has declined. The fact that these fake news stories are rebroadcast many times, through cross-links and reposts on social media, further adds to the illusion of credibility. </p><p>If fake news were limited to stories about Area 51 or the JFK assassination, it would represent an interesting sociological case, but with limited relevance to corporate security. However, both the subject matter and the intensity of emotion elicited make fake news a real threat to corporations in terms of potential financial losses, reputational damage, and the physical security of facilities and personnel. This enhanced threat environment will require adaptation by corporate security professionals and the incorporation of new defensive and offensive capabilities to existing corporate security plans.</p><p>The increasingly widespread use of false or misleading information to cause confusion or harm to an individual or organization is not likely to disappear in the near term. The efficiency of this technique has been clearly demonstrated and the tools facilitating it are becoming ever more powerful, accessible, and easy to use. 
It is also difficult to imagine a significant increase in trust in traditional authority figures in the near future. </p><p>For corporations, some of the most serious fake news risks relate to stock manipulation, reputational damage, and the related loss of business—through boycotts for example—and direct threats to staff and property.</p><h4>Stock Manipulation</h4><p>At the macro level, fake news has been used to move entire stock exchanges. This was the case in April 2013 when a tweet that appeared to come from the Associated Press (AP) Twitter account reported that there had been an explosion at the White House and that U.S. President Barack Obama was injured. The Dow Jones Index lost 145 points in two minutes, while the S&P lost $136.5 billion. The news was quickly disproved and the market corrected within minutes, but the potential for large-scale disruption was demonstrated. In this instance, the fake news attack was claimed by the Syrian Electronic Army, according to The Washington Post.</p><p>In October 2009, the Stock Exchange of Thailand (SET) fell 7.2 percent because of an online rumor related to the health of the Thai king. The market made up about half of the loss within the next trading day, and the Thai police made several arrests related to the case later that month, as reported by Reuters.</p><p>Fake news has been used to manipulate the shares of individual companies as well. In May 2015, a fake offer to purchase Avon Products led to a surge in trading and a significant increase in the share price, according to The New York Times. Then in November 2016, a fake offer to acquire Fitbit shares led to a spike in activity, and a temporary halt to the trade in Fitbit stocks as reported by The Financial Times. In 2013, a fake press release was posted claiming the Swedish company Fingerprint Cards AB would be acquired by Samsung. Company shares surged until trading was halted. 
</p><p>In the United States, the Securities and Exchange Commission (SEC) has taken an increasingly aggressive stance in combating this threat to market integrity. It has filed enforcement actions against 27 companies and individuals involved in “alleged stock promotion schemes that left investors with the impression they were reading independent, unbiased analyses on investing websites while writers were being secretly compensated for touting company stocks,” according to an SEC statement.</p><h4>Reputation</h4><p>False stories, rumors, or statements taken out of context have led both to reputational harm and to threats to corporate personnel and property. In this type of threat, a corporate statement or action that would be innocuous under normal circumstances has taken on an increased risk due to hyper-sensitive stakeholders.</p><p>A case in point was New Balance, when Matthew LeBretton, vice president for public affairs, said, “The Obama administration turned a deaf ear to us and frankly, with President-elect Trump, we feel things are going to move in the right direction,” during an interview with The Wall Street Journal. The statement related specifically to President Trump’s plan to withdraw from the Trans-Pacific Partnership (TPP), but was widely misinterpreted. This caused a twofold issue for New Balance. First, anti-Trump individuals saw the statement as an endorsement of the candidate and everything he was purported to believe. This in turn led to calls for a boycott, and many social media posts depicting the destruction of New Balance products as reported by CNBC. 
A few days later the same statement led Andrew Anglin, a blogger associated with the white supremacist movement, to write on his popular Daily Stormer blog that New Balance shoes were the “Official Shoes of White People.” New Balance was blindsided by the intensity of reactions to a single statement related to a proposed international trade agreement and was forced into reactive positions throughout the crisis.</p><p>Another executive statement that was taken out of context and twisted to fit a partisan narrative was made by Indra Nooyi, CEO of PepsiCo, in her interview with Andrew Sorkin of The New York Times on November 9, 2016. Her statement included congratulations to President-elect Trump on his victory, while also indicating that some of her employees expressed concerns about their safety as a result of the election. Numerous fake media outlets exaggerated the statement by claiming that she and her employees were “terrified” of Donald Trump and his supporters. This led to a firestorm of social media protests against Pepsi, including calls for a boycott and threats against the company.</p><h4>Direct Threats</h4><p>As noted above, one of the most serious cases of threats to an organization based on fake news was the reports of child abuse allegedly masterminded by Hillary Clinton and carried out at a D.C. pizza parlor. While the story was repeatedly debunked, it nevertheless continued to circulate and was supported by Michael Flynn, Jr., son of then National Security Director General Michael Flynn, according to The Washington Post. The shooter was arrested immediately after leaving the pizzeria, where he found no evidence of any abuse. He later pled guilty to the interstate transportation of ammunition and a firearm, a federal charge, in addition to a D.C. 
charge of assault with a dangerous weapon, according to The Hill.</p><p>This case indicates that even the most ridiculous story, if repeated often enough, will find an audience that believes it, and possibly someone who is willing to take action based on its claims. It is possible that a less extreme story focusing on a corporate executive or brand would lead to similar examples of direct action.</p><h4>Countermeasures</h4><p>Countering fake news is difficult when the target audience finds it easy to discount facts and the usual sources of information are distrusted. However, there are a number of actions that corporate security teams can take to mitigate the risks posed by this new threat.</p><p><strong>Risk assessment. </strong>As with any threat to corporate security, the place to start is with a detailed risk assessment. The corporate security team needs to look at both internal and external factors to determine both the level of risk and the most likely points of attack. Internal factors include employee demographics, employee morale, and computer use policies. The external factors include the competitive environment, the current perception of the organization and its management, the level of openness and transparency, and the nature of current conversations about the organization. With this information, corporate security will be in a much stronger position to establish policies and procedures to mitigate the risks from fake news attacks.</p><p>A white paper by Accenture focusing on social media compliance and risk in the international financial industry highlights the importance of identifying areas where an institution has vulnerabilities and incorporating the findings into its risk mitigation plans. 
A survey of executives cited in the white paper, A Comprehensive Approach to Managing Social Media Risk and Compliance, found that 59 percent of respondents reported having no social media risk assessments in place, while only 36 percent reported being offered any training on social media risk mitigation.</p><p><strong>Monitoring. </strong>To have any hope of effectively countering fake news, the corporate security team needs to have as close to real-time visibility of its appearance as possible. This points to the requirement for a comprehensive monitoring program that builds on any existing media or social media monitoring capability the organization already possesses.</p><p>It is important that this monitoring program specifically focus on channels that are outside the organization’s norm. These channels may be antithetical to the values of the organization, targeted to a demographic that is generally not associated with the company, or linked to apparently phony information sources. It is also important to look specifically for negative references to the organization.</p><p>After experiencing a number of negative stories driven by news and social media, Dell Computer adopted an “everyone is listening” approach to social media monitoring. A Framework for Social Analytics by Susan Etlinger of the Altimeter Group discusses Dell’s hybrid model for media monitoring, which gives a large number of its 100,000 plus workforce some responsibility for monitoring social media channels related to their lines of business. The company also has a Social Media Listening Command Center, which employs sophisticated social media monitoring software to complement its traditional media monitoring program.  </p><p>A company’s monitoring system should also include an analysis component that helps vet the material, determining how it should be classified and its importance from a risk management perspective. 
This component would then ensure that any important material is routed to the key decision makers for immediate action.</p><p>Finance, investment, and hedge fund companies have been taking a lead in the area of monitoring and identifying fake news stories. The growth of organizations that can deploy multiple content generators focusing on specific companies poses a significant risk to stock market investors. According to reporting in Forbes, companies are also seeking to develop algorithms that can sort through large quantities of content and identify malicious fake news campaigns. One such company that has been widely cited in this regard is Houston-based Indexer LLC.​</p><h4>Response Plans</h4><p>Based on the results of the risk audit, the most likely fake news scenarios should be identified and used to create detailed response protocols that can be activated in the event of an actual fake news situation. At a minimum, these plans should include contact information for all crisis team members, checklists for key actions, prepared statement templates to be used with internal and external stakeholders, and escalation metrics in the event that the fake news situation is not immediately contained.</p><p>The importance of incorporating the social media environment into a robust crisis response system is shown in the Nuclear Energy Institute’s Implementing and Operating a Joint Information System planning document. The plan covers the importance of preassignment of roles and responsibilities, training and readiness exercises, and media monitoring and engagement. The last item includes specific information on the importance of ensuring that information on social media regarding nuclear facilities and incidents is accurate, and that rumors and falsehoods are flagged and corrected.​</p><h4>Training</h4><p>The weaponization of news represents an evolving threat for many organizations and is not often included in corporate crisis management plans or training programs. 
As examples of fake news incidents increase, corporate security professionals should build this new threat into security training that is offered in conjunction with the corporate communications and human resources functions. Members of the senior leadership team should also be involved in any fake news response training.</p><p>Countering fake news requires fast decision making and decisive action on the part of the organization. To be able to execute effectively, the relevant personnel should be exposed to these scenarios in a simulated environment.</p><p>The communications function at DePaul University in Chicago recognized the importance of building a mix of true and false information on social media into its crisis response training program. The result was a multi-party simulation exercise involving real-time interactions with traditional media, Twitter, and Facebook, as well as direct stakeholder communications. One of the key challenges in this type of training is sorting through incoming information quickly while still ensuring that key facts are not overlooked.</p><h4>Cross-Functional Teams</h4><p>By its nature, the threat posed by fake news needs to be met by a comprehensive organizational response. This implies a cross-functional approach to fake news management. While corporate security may take point, the expertise and resources available to the corporate communications, human resources, and legal teams will prove critical.</p><p>An executive from an international bank reported to Accenture that it was important for all key functions to participate in risk management planning, especially when it concerns social media. 
“However, it is always important to have a representative from risk sitting at the table—someone from compliance, someone from legal, and so forth, to provide guidance to the business and make sure what the company is doing is sound,” notes the Accenture white paper.</p><p>Because fake news is still a type of news, the communication and media relations skills of the corporate communication function will be needed to analyze the content and develop and distribute counter messages to all fake news reports. This function may also be the appropriate host for the monitoring program because it is a logical extension to standard corporate media monitoring activities.</p><p>Employees are a critical audience for fake news and an important distribution channel for counter messaging. This being the case, the human resources department needs to be involved in the creation and execution of corporate security strategy with regard to fake news.</p><p>To ensure that the organization’s rights are fully protected, and that it does not itself cross the line in terms of libel, the corporate legal team should be involved in the fake news strategy, and have a role in vetting counter messages.</p><h4>Communications</h4><p>Because of the potentially serious morale and operational ramifications fake news can have on an organization, it is vital that employees are provided with clear and accurate facts and counter messages as quickly as possible.</p><p>Beyond reacting to a fake news incident, the organization should seek to inoculate its staff against its effects by undertaking a comprehensive internal communications and employee engagement program. This can be incorporated into the concept of encouraging employees to be brand ambassadors.</p><p>Organizations that are most vulnerable to fake news are those about which little is known. 
Without a base of preexisting knowledge, stakeholders who are exposed to fake news cannot immediately discount it, which is where the seeds of doubt take root. It is thus important that the organization be as transparent as possible, which includes regular proactive external communications. Corporate actions and policies should be communicated, explained, and contextualized to establish the reality of the situation before a fake news story can present a false narrative.  </p><p>It is especially important to get in front of any bad news stories and ensure that the organization is seen as working to resolve the issue, rather than hiding it. The idea of a first mover advantage with releasing properly contextualized negative information is a central tenet of contemporary public relations practice, and it can help thwart attempts to create a scandal by fake news outlets. ​</p><h4>Trust</h4><p>While a full discussion of trust-based relationships is beyond the scope of this article, it should be noted that the establishment of trust with key stakeholders is one of the best defenses against fake news attacks. Creating trust goes beyond simply telling the truth. It involves a range of factors including organizational reliability, competence, and benevolence, along with honesty and transparency. Because trust building involves all aspects of organizational behavior, it must be seen as a strategic initiative and be driven by senior management. Trust’s relationship to fake news defense is likely to be a collateral benefit rather than a primary driver of the initiative.  </p><p>The use of intentionally false or misleading information distributed through online and social media channels to disrupt or harm organizations is likely to increase dramatically in the years ahead. 
These actions are increasingly easy and cheap to execute, and take advantage of current weaknesses in organizational capabilities and the fact that societal trust in most traditional authority figures is at a historically low level. It is thus imperative that responsible corporate security professionals develop the internal capabilities and protocols to deal with this new threat environment before they are faced with a fake news attack. The good news is that most of the necessary resources already exist to some degree within the organizational structure and only need to be oriented around the fake news threat. This will include proactive measures such as audits, monitoring, training, and proactive communications, as well as moving quickly to react to the emergence of damaging fake news to contain it and neutralize its ability to damage the organization.  </p><p>In today’s hyperconnected global information environment no organization is safe from a fake news attack. We have had ample warnings that the threat is real and is likely to get worse.  There is no time to waste in hardening the organization against this new type of assault.  </p><p><em>Jeremy E. Plotnick, Ph.D., is founder of CriCom LLC. He has worked in international communications consulting, public affairs, and public relations for more than 20 years. ​ ​ ​</em><br></p>
https://sm.asisonline.org/Pages/Highway-to-Hurt.aspx
Highway to Hurt
<p>Smuggling is a serious crime, but when the cargo being smuggled is human, the crime can go beyond serious, into the realm of the tragic.</p><p>A particularly horrid example of this came about last July, when authorities found the gruesome results of a criminal smuggling enterprise: 39 undocumented immigrants, nine dead (a tenth died later) and the rest needing hospitalization, lying in a tractor-trailer parked at a Walmart in San Antonio, Texas. The trailer had contained an estimated 70 to 200 illegal aliens total during its journey, according to court records.</p><p>A few weeks later, U.S. Immigration and Customs Enforcement (ICE) officials reported that the San Antonio incident was only one of four that had occurred in nearby areas, all within a few weeks’ time. Although the other three did not involve loss of life, they were still disquieting; in one of the incidents in July, border agents in Laredo, Texas, found 72 people from Mexico, Ecuador, Guatemala, and El Salvador locked inside a trailer. Border security leaders pledged to fight the problem. </p><p>“This horrific crime…ranks as a stark reminder of why human smuggling networks must be pursued, caught and punished,” ICE Acting Director Thomas Homan said after the San Antonio incident. “[ICE] works year-round to identify, dismantle, and disrupt the transnational criminal networks that smuggle people into and throughout the United States. These networks have repeatedly shown a reckless disregard for those they smuggle.” </p><p>How do these human smuggling operations work? 
Often, the process begins a few months before the smuggling, in a country such as Mexico, Guatemala, or Honduras, where sizable numbers of people are looking to emigrate, according to an investigation and review of court documents by the Associated Press. Those seeking to cross the border get to the Mexican–U.S. border region, and then cross by foot or river raft. They are then picked up by a tractor trailer somewhere past the border. The stressful traveling conditions make them vulnerable—dehydration, hyperthermia, and asphyxiation have been among the causes of death in truck cases.</p><p>One analyst, the U.K.-based global risk firm Verisk Maplecroft, warns companies that an increase in human smuggling activity could have ramifications for supply chain security. “Under the Trump administration, businesses with supply chains that rely on low-skilled, temporary migrant labour will face increasing risks of modern slavery in their workforce,” the firm says in one of its risk reports for 2017.</p><p>Verisk Maplecroft outlines the risk involved as follows. The construction of a U.S.–Mexico border wall, or stricter enforcement of deportation rules, will not reduce the appeal of migration for thousands of Latin Americans. But it could increase trafficking costs and deepen migrant worker debt, making migrants more vulnerable to exploitation. Suppliers in agriculture, construction, manufacturing, hospitality, and transport would be most exposed to supply chain risk. </p><p>Emigration-related schemes are not the only form of human smuggling that ICE and its allies are fighting. Human trafficking for the purposes of coerced sex trade operations also continues—a practice that groups like Truckers Against Trafficking (TAT) are trying to help eradicate. </p><p>The group, a 501(c)(3) nonprofit, takes an all-hands-on-deck approach and partners with members of the trucking and truck stop industries, law enforcement officers, and trafficking survivors to fight human trafficking. 
The group’s educational efforts include a 36-minute video that offers an overview of the trafficking issue, as well as four-hour training sessions for law enforcement officers such as the state highway patrol, according to Kylla Lanier, deputy director and cofounder of TAT.</p><p>Included in this training are case studies from officers who stopped a truck for a violation, and then upon closer inspection detected a trafficking incident. In the case studies, officers give a breakdown of the indications that tipped them off, and offer advice and best practice guidance for other officers. </p><p>For example, the passengers in the truck may exhibit some telling signs and behaviors, Lanier explains. “If the passengers are young, are they afraid to look at you? Are they acting like normal kids, or are they looking really scared?” she says. Sometimes, the passengers may have branding tattoos or bruises from physical abuse, and may be carrying many hotel key cards. Officers who speak with the driver and passenger separately sometimes find out that their respective stories do not match, or even make much sense. </p><p>Traffickers exploit locations as well as victims, she adds. They will look for rest stops and other areas that are not well lit, without visible security, and which have a captive audience of drivers rolling through. “That’s where they will bring their victims to,” she explains. TAT works with truck stop industry partners to help make their facilities more safe and secure. </p><p>TAT also works closely with sex trafficking survivors; the group has two on staff. Survivors are key in the antitrafficking movement, because they can change perceptions about the sex trade. </p><p>Prostitution is “a vicious evil system” that has been whitewashed as a victimless crime, Lanier says, in part through unrealistic portrayals like the movie Pretty Woman. 
In reality, the vast majority of those in the trade are being prostituted against their will, in hotels, motels, and rest areas, and are “cruelly raped and beaten within an inch of their lives,” she explains.</p><p>“It’s not the oldest profession,” Lanier says, “it’s the oldest oppression.” One study found that the rate of post-traumatic stress disorder among prostitutes is equal to that of war veterans, she adds. </p><p>Given this, having the survivor’s voice in the issue is vitally important, because they can discuss the victim’s experience and point of view and “what’s going on behind the scenes,” Lanier explains. So, when people assume the survivor turned to prostitution to support a drug habit, the survivor can tell them it was just the opposite—being forced into the sex trade made the victim turn to drugs and alcohol. </p><p>Such compelling stories from survivors have helped the antitrafficking cause spread awareness, and the cause has made inroads. And on the legislative front, other advocacy groups such as Polaris pressured the U.S. House of Representatives into reauthorizing, in July 2017, the Trafficking Victims Protection Act, which was created in 2000. </p><p>But in the end, demand for prostitution needs to be reduced so that further inroads can be made, and that will take “a societal paradigm shift,” Lanier says.</p>

 

 

- The Unique Threat of Insiders (2017-10-01T04:00:00Z): https://sm.asisonline.org/Pages/The-Unique-Threat-of-Insiders.aspx
- Driving a Security Transition (2017-10-01T04:00:00Z): https://sm.asisonline.org/Pages/Driving-a-Security-Transition.aspx
- Schoolhouse Guardians (2017-10-01T04:00:00Z): https://sm.asisonline.org/Pages/Schoolhouse-Guardians.aspx
- Stress Test (2017-10-01T04:00:00Z): https://sm.asisonline.org/Pages/Stress-Test.aspx
- Mobile Mayhem (2017-10-01T04:00:00Z): https://sm.asisonline.org/Pages/Mobile-Mayhem.aspx
- October 2017 Industry News: Supporting the Troops (2017-10-01T04:00:00Z): https://sm.asisonline.org/Pages/October-2017-Industry-News---Supporting-the-Troops.aspx
- Employee Theft (2017-10-01T04:00:00Z): https://sm.asisonline.org/Pages/Employee-Theft.aspx
- Driving the Business (2017-10-01T04:00:00Z): https://sm.asisonline.org/Pages/Driving-the-Business.aspx
- October 2017 SM Online (2017-10-01T04:00:00Z): https://sm.asisonline.org/Pages/October-2017-SM-Online.aspx
- Embassy Evacuations (2017-10-01T04:00:00Z): https://sm.asisonline.org/Pages/Embassy-Evacuations.aspx
- Book Review: Hijacking: Violence in the Skies (2017-10-01T04:00:00Z): https://sm.asisonline.org/Pages/Book-Review---Hijacking.aspx
- Empowered International Teams (2017-10-01T04:00:00Z): https://sm.asisonline.org/Pages/Empowered-International-Teams.aspx

 

 

- Book Review: Soft Targets (2017-09-01T04:00:00Z): https://sm.asisonline.org/Pages/Book-Review---Soft-Targets.aspx
- Q&A: House Rules (2017-09-01T04:00:00Z): https://sm.asisonline.org/Pages/House-Rules.aspx
- Uniform Color Theory (2017-09-01T04:00:00Z): https://sm.asisonline.org/Pages/Uniform-Color-Theory.aspx
- Physical Security (2017-09-01T04:00:00Z): https://sm.asisonline.org/Pages/Book-Review---Physical-Security.aspx
- Peer 2 Peer Protection (2017-09-01T04:00:00Z): https://sm.asisonline.org/Pages/Peer-2-Peer-Protection.aspx
- September 2017 Legal Report Resources (2017-09-01T04:00:00Z): https://sm.asisonline.org/Pages/September-2017-Legal-Report-Resources.aspx
