Security Management

The Unseen Threat

<p>Traditionally, factory security assessments have been directed at the inside of the factory or plant rather than the more exposed perimeter, including the perimeter wall of the factory structure and the fence line. Similarly, assessors often look at the factory’s cyber network and examine the configuration of servers, switches, and human-machine interfaces, but may pay less attention to the outside of the facility walls and the physical grounds, because those tend to fall outside the classic cyber and physical security boundaries. </p><p>However, with increased awareness of the security weaknesses that industrial control systems face, security and consulting companies are seeing a growth in requests for combined cyber and physical security assessments of factories and critical infrastructure. The North American Electric Reliability Corporation (NERC) publishes Critical Infrastructure Protection (CIP) standards that strengthen the cybersecurity of North American electric grid operations, and recent updates emphasize the importance of strengthening both physical and electronic security perimeters. </p><p>A shift in the industry toward enterprise security risk management (ESRM)—which focuses on using risk assessments to inform an organization’s security approach—moves beyond assessing physical security alone. 
However, this can be a difficult shift for facilities that do not have a clear risk profile.</p><p>This gap in the security assessment process offers an opportunity for plant managers to take an ESRM-inspired approach and better understand the vulnerabilities of their security and infrastructure to both physical and cyber threats.</p><h4>DRAWING THE LINES</h4><p>Two security concepts raised in the NERC CIP standards are the electronic security perimeter (ESP) and the physical security perimeter (PSP). The ESP is a logical perimeter drawn around a set of critical cyber assets, usually defined by the location of its electronic access points, such as firewalls and dial-up modems. The PSP is typically defined as a six-sided border that surrounds the critical assets. In the NERC model, the PSP is intended to completely enclose the ESP. </p><p>Although the ESP is a logical rather than a physical boundary, tracing it gives a sense of the electronic traffic flowing into and out of a critical set of digital assets and of the physical plant. This part of the assessment is normally performed by evaluating network topology diagrams, walking down network systems looking for telephone and wireless infrastructure, and interviewing plant operational technology staff. If done thoroughly, the assessors also look for wireless traffic, such as cellular, wireless LAN, or Wi-Fi connectivity, flowing across the ESP.</p><p>A PSP is more readily determined and more tangible. Here, security staff literally walk the perimeter of the room or building that encloses the ESP, looking for any means of physical penetration, such as doors, ventilation louvers, or an opening under the wall or fence. 
A PSP determination is the more natural exercise and can be readily performed by a skilled physical security professional.</p><h4>ELECTRONIC PERIMETERS</h4><p>A structured but less common way to approach a facility assessment is to start with the ESP and PSP concepts in mind and apply them to the footprint of the facility being examined. </p><p>Begin with an overhead view of the facility and, if possible, the corresponding fence line. One technique is to obtain the satellite view of the facility from an online mapping tool such as Google Earth. Alternatively, a plan-view drawing of the facility and surrounding grounds, obtained from the facility service manager, may be used.</p><p>Using this overhead view, draw a border around the facility perimeter, with an optional second border at the fence line. Once the analysis boundary has been identified, pinpoint both tangible and invisible services and activities that cross it, whether by underground, surface, or airborne vectors, and place each one on the map where it enters the facility.</p><p>Infrastructure to consider includes electric power feeds from the substation or emergency generators; natural gas or propane; water; sewer; enterprise and public fiber connections; telephone and cable television lines; and other commercial services. Inbound flows such as product feeds from other facilities and deliveries such as mail or packages, as well as outbound shipments, should also be taken into consideration.</p><p>Electronic signals that cross in and out of the facility include Wi-Fi, cellular, radio, and satellite communications, and these belong on the risk map too. For example, during a wireless security inspection that formed part of a client facility assessment, the assessors detected a Wi-Fi service that the enterprise neither owned nor provided. 
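As an added example (not code from the article or its author), here is how the wireless part of such a sweep can be triaged once the survey is back in the office. The survey records and the access-point inventory below are constructed sample data; the SSIDs, BSSIDs and the -75 dBm "usable from inside the fence" threshold are assumptions. The logic flags every network seen inside the boundary that the enterprise does not own, ranking open or WEP networks and unknown access points that broadcast an enterprise SSID highest.

```python
"""Triage a Wi-Fi survey taken inside a plant against the enterprise's own
access-point inventory, flagging networks that cross the electronic boundary
but are not under the enterprise's control. Example code, not the article's."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ssid: str
    bssid: str          # access-point MAC as reported by the survey tool, lower-case
    security: str       # "open", "wep", "wpa2" or "wpa3"
    rssi_dbm: int       # signal strength as seen from inside the fence


# Constructed sample survey (hypothetical values, not measurements from the article).
SURVEY = [
    Observation("PLANT-OT",        "00:11:22:aa:bb:01", "wpa2", -48),
    Observation("PLANT-CORP",      "00:11:22:aa:bb:02", "wpa2", -55),
    Observation("NETGEAR_2GEXT",   "a4:2b:8c:10:20:30", "open", -61),  # nearby house
    Observation("Contractor-WiFi", "3c:84:6a:77:88:99", "wep",  -58),  # trailer outside fence
    Observation("xfinitywifi",     "d8:97:ba:12:34:56", "open", -84),  # too weak to be usable
    Observation("PLANT-OT",        "de:ad:be:ef:00:01", "wpa2", -70),  # our SSID, unknown AP
]

# Enterprise AP inventory keyed by BSSID (assumed to be maintained by IT).
MANAGED_APS = {
    "00:11:22:aa:bb:01": "PLANT-OT",
    "00:11:22:aa:bb:02": "PLANT-CORP",
}

WEAK = {"open", "wep"}
USABLE_RSSI = -75   # assumption: anything stronger than this is comfortably joinable


def triage(survey, managed, usable_rssi=USABLE_RSSI):
    """Return findings as (severity, bssid, ssid, reason), highest severity first."""
    findings = []
    for obs in survey:
        if obs.bssid in managed:
            # Enterprise-owned AP: only worth noting if it advertises a name we do not expect.
            if managed[obs.bssid] != obs.ssid:
                findings.append(("high", obs.bssid, obs.ssid,
                                 "managed AP broadcasting unexpected SSID"))
            continue
        reachable = obs.rssi_dbm >= usable_rssi
        if obs.ssid in managed.values():
            # Evil-twin pattern: one of our SSID names on hardware we do not own.
            findings.append(("high", obs.bssid, obs.ssid,
                             "unknown AP impersonating enterprise SSID"))
        elif obs.security in WEAK and reachable:
            findings.append(("high", obs.bssid, obs.ssid,
                             f"{obs.security} network reachable inside fence ({obs.rssi_dbm} dBm)"))
        elif reachable:
            findings.append(("medium", obs.bssid, obs.ssid,
                             f"foreign network reachable inside fence ({obs.rssi_dbm} dBm)"))
        else:
            findings.append(("low", obs.bssid, obs.ssid,
                             f"foreign network, marginal signal ({obs.rssi_dbm} dBm)"))
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f[0]], f[2]))
    return findings


if __name__ == "__main__":
    for severity, bssid, ssid, reason in triage(SURVEY, MANAGED_APS):
        print(f"{severity:6} {bssid}  {ssid:16} {reason}")
```

The two cases the article describes (a neighbour's open network and a contractor's trailer) both come out as high-severity findings because they are weakly secured and strong enough to join from inside the fence; a foreign network that is only marginally audible is recorded but ranked low, so the walk-down can concentrate on what an employee's laptop would actually associate with.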
The investigation revealed that the signal came from a nearby house and was not secured, so employees and visitors at the factory could connect to this rogue Wi-Fi. A device that joins such a network leaves the enterprise’s controls behind: a laptop or mobile phone, or any other Wi-Fi–equipped device, could pick up a worm, virus, or ransomware from the unknown and uncontrolled network and carry it back inside the facility.</p><p>A similar vulnerability was discovered at a power plant: a contractor’s trailer adjacent to the plant fence line had set up an unsecured Wi-Fi network whose signal was available inside the plant.</p><p>Depending on the age and type of property, identifying these services may be a challenge. Older facilities may not have the drawings, infrastructure diagrams, or employee knowledge needed to identify where the underground lines for some of these services run. Older facilities also suffer from abandoned equipment and systems that tend to be ignored because they are no longer in service. If the client has recently purchased the property, it may not know where these services enter or exit the plant.</p><p>An additional complication is that some services have dual feeds from separate locations. For instance, a data center will normally have redundant power and communications entering at different points on the perimeter. These should be reflected on the analysis map.</p><p>Once these activities and services have been identified and listed, begin looking at the vulnerabilities each poses to the plant and to the availability of facility operations. </p><p>The perimeter assessment should be more holistic than simply walking down a fence line or the perimeter of a building. For example, while performing this analysis for a client, a problem was identified with the underground water feed into the plant. The plant had only one line entering the site, and it supplied potable water, service water, and fire protection/sprinkler water. 
The line ran under the fence, across a large field between the fence and the factory itself, and then into the building, with some feeders going to the fire pumps located outside the factory in a field. The line could be damaged by a backhoe or other digging because it was not effectively marked, but the larger problem lay outside the fence.</p><p>Beyond the fence line was the water service building, a small, unmarked wooden structure that contained the tap into the local city water supply, as well as several isolation valves and a flow meter for billing and volume calculations. The inspector found the building open and unoccupied; the door padlock was hanging open on the hasp. An attacker could have shut the water supply valves and then used the unlocked padlock either to lock the valves or to close and lock the building door, delaying emergency responders trying to reopen them. Such an attack would have had serious consequences for the factory, because closing these valves would have cut off all water to the facility, including its fire protection water.</p><p>The inspector also needs to look at telltale signs and artifacts—many of them prominently placed—that could tell an attacker where a softer, more vulnerable service feeding the plant is located. For example, site and facility architects use underground vault covers that explicitly label the service. That practice is helpful for maintenance and emergency response, but it also hands criminals an easy target. </p><p>Similarly, the way these vault covers are secured can be a problem. The covers should be locked, and an added layer of security is to use tamper-resistant fasteners or proprietary screw heads and bolts.</p><p>Conducting an integrated, ESRM-based analysis brings awareness of what crosses facility boundaries, whether in electronic or physical form. 
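As an added illustration of the boundary-crossing inventory this article describes (not part of the original), the following Python takes a constructed inventory modelled on the examples above, a single water feed controlled from an unlocked valve house outside the fence alongside dual-fed power and fiber, and reports which feeds have no redundancy, which control points sit outside the physical security perimeter, and which plant functions are lost if a given feed is cut. All service names, entry points and the scoring weights are hypothetical.

```python
"""Analyse an inventory of services that cross the facility boundary: which
feeds are single points of failure, whose control point lies outside the PSP,
and what the plant loses if each one is cut. Example code, not the article's."""
from dataclasses import dataclass, field


@dataclass
class Crossing:
    service: str               # service type, e.g. "water", "power", "fiber"
    entry: str                 # where the feed crosses the analysis boundary
    control_point: str         # valve house, breaker, carrier demarc, etc.
    control_inside_psp: bool   # True if the control point is inside the fence/PSP
    secured: bool              # locked, tamper-resistant, monitored
    feeds: set = field(default_factory=set)  # plant functions that depend on this feed


# Constructed inventory modelled on the article's examples (hypothetical values).
INVENTORY = [
    Crossing("water", "north fence, underground", "city tap valve house", False, False,
             {"potable water", "process water", "fire protection"}),
    Crossing("power", "east substation feed", "substation breaker", True, True,
             {"production line", "lighting", "HMI/SCADA"}),
    Crossing("power", "diesel generator", "generator ATS", True, True,
             {"HMI/SCADA", "lighting"}),
    Crossing("fiber", "south vault, carrier A", "carrier demarc A", True, True,
             {"enterprise WAN", "remote monitoring"}),
    Crossing("fiber", "west vault, carrier B", "carrier demarc B", False, True,
             {"enterprise WAN", "remote monitoring"}),
]


def feed_count(inventory):
    """Number of independent feeds per service type (1 means no redundancy at all)."""
    counts = {}
    for c in inventory:
        counts[c.service] = counts.get(c.service, 0) + 1
    return counts


def single_points_of_failure(inventory):
    """Map each control point to the functions lost if that one feed is cut and no
    other feed of the same service type still supplies them."""
    spof = {}
    for c in inventory:
        covered_elsewhere = set()
        for other in inventory:
            if other is not c and other.service == c.service:
                covered_elsewhere |= other.feeds
        lost = c.feeds - covered_elsewhere
        if lost:
            spof[c.control_point] = lost
    return spof


def findings(inventory):
    """Rank crossings: a single feed whose control point is outside the PSP and
    unsecured (the article's open valve house) scores highest."""
    spof = single_points_of_failure(inventory)
    out = []
    for c in inventory:
        lost = spof.get(c.control_point, set())
        score = 0
        if lost:
            score += 3           # cutting this feed takes something down
        if not c.control_inside_psp:
            score += 2           # attacker never has to cross the fence
        if not c.secured:
            score += 2           # no lock, no tamper resistance
        if "fire protection" in lost:
            score += 1           # life-safety impact on top of availability
        if score:
            out.append((score, c.service, c.control_point, sorted(lost)))
    out.sort(reverse=True)
    return out


if __name__ == "__main__":
    for score, service, control_point, lost in findings(INVENTORY):
        print(f"{score}  {service:6} {control_point:22} loses: {', '.join(lost) or '-'}")
```

The generator feed and both fiber feeds drop out of the single-point-of-failure list because another crossing of the same type still supplies everything they carry, which is exactly the dual-feed situation the article says should appear on the map; carrier B still surfaces as a low-score finding because its demarc is outside the fence.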
It encourages plant managers to document underground infrastructure and fill gaps in their knowledge, and it supports better planning against both physical and wireless attacks, across vectors ranging from surface and underground service entries to airborne signals. By mapping out both the physical and electronic perimeters, a facility’s security approach can be based on what can and cannot be seen. </p><p><em>Ernie Hayden, PSP, Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), SANS Global Industrial Cyber Security Professional (GICSP), is the ICS cybersecurity lead at BBA, a Canadian engineering company. He is a member of ASIS.</em></p>

2017 SM Online

<h4>Telework Safeguards</h4><p>Employees who telework may be using their own PCs, laptops, tablets, and smartphones for work purposes, so a telework program may require another layer of security to protect sensitive data. Security managers facing this issue may want to consult the <em><a href="" target="_blank">Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security</a></em> (NIST Special Publication 800-46 Revision 2), issued by the U.S. Department of Commerce’s National Institute of Standards and Technology. The free guide covers security considerations for remote access solutions, makes recommendations for securing a variety of telework, remote access, and BYOD technologies, and gives advice on creating related security policies.</p><h4>Elections</h4><p>The Russian hacking of the U.S. 2016 presidential election was an “assault” on election infrastructure, and there may be similar efforts affecting future elections. 
<em><a href="" target="_blank">Securing Elections from Foreign Interference</a></em>, issued by the Brennan Center for Justice at the New York University School of Law, outlines steps that can be taken now to protect the most critical elements of U.S. election infrastructure.</p><h4>Secure Access</h4><p>A study conducted among IT professionals explores the security threats organizations face today. Among its findings, <em><a href="" target="_blank">The Secure Access Threat Report 2017</a></em> from Bomgar reveals that while 90 percent of security professionals trust employees with privileged access most of the time, only 41 percent have “complete trust” in those users.</p><h4>Disclosure</h4><p>In <em><a href="" target="_blank">Government’s Role in Vulnerability Disclosure: Creating a Permanent and Accountable Vulnerability Equities Process</a></em>, experts recommend that the United States formalize the process it uses to decide whether to disclose the cyber vulnerabilities it discovers.</p><h4>Fake News Technology</h4><p>In <a href="" target="_blank">a Vanity Fair article</a>, Nick Bilton writes about new technologies that can alter audio and video the way photos can already be altered. He fears that “governments can weaponize fake news.” The article includes videos that show these technologies in action.</p><h4>Military Supplies</h4><p>Investigators <a href="" target="_blank">posing as a fictitious federal agency</a> were able to acquire excess military equipment, and the U.S. Defense Department <a href="" target="_blank">needs to do more</a> to track the equipment it provides to Iraq.</p><h4>Seeing=Believing</h4><p>Humans are predisposed to believe fake news. <a href="" target="_blank">A Yale University study</a> found that even one exposure to a false news story predisposed the reader to believe that the story was true. The more times the reader was exposed, the more he or she believed it. 
<a href="" target="_blank">Another study</a> uncovered a tendency to believe clearly untrue information even if the reader previously knew that the information was false.</p><h4>Data breaches​</h4><p>The heightened risk of future identity theft is sufficient to show standing to sue at the pleading state in a lawsuit, <a href="" target="_blank">a U.S. court of appeals ruled</a>.</p><h4>Driver testing</h4><p>The Federal Motor Carrier Safety Administration and Federal Railroad Administration <a href="" target="_blank">withdrew a proposed rule​</a> to require truck drivers and train operators be tested for obstructive sleep apnea.​</p><h4>Data protection</h4><p>The United Kingdom will<a href="" target="_blank"> introduce new legislation </a>that will align U.K. law more closely with the EU General Data Protection Regulation.</p> Future is FlexibleGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Mention teleworking, and some managers immediately feel at sea. How can I supervise employees I can’t see? Will staffers be sending check-in emails while watching Netflix? Can professionalism be maintained in pajamas?</p><p>Yet behind these fears lay opportunities. Teleworking, if planned and managed successfully, can be thought of as an opportunity for an organization to build trust and productivity among employees. It can also be employed as a strategic talent management initiative that improves employee attraction, engagement, and retention while reducing costs for both the firm and the workers. </p><p>In the security field, there are some jobs that are not conducive to telework, such as physical security positions that require an on-site presence. 
But others are more location-flexible, and some positions have elements of both: they require on-site availability on some days, but they also include duties that can be done from home, such as report writing, security officer scheduling, or customer service interactions that take place over email and phone. Security managers who dismiss telecommuting because not every position in their department is telework-friendly may be losing out on the broader organizational benefits of telework. </p><p>The aim of this article is twofold. It offers some best-practice guidance, drawn from expert opinion and recent research, for managing teleworkers. It also explores how a manager can use a telework program so that it plays a key role in the organization’s talent management strategy.</p><h4>Growing Trend</h4><p>About 43 percent of U.S. workers work remotely in some capacity, even if that means telecommuting only once a week or less, according to the 2017 edition of Gallup’s annual report, The State of the American Workplace. That percentage is up from 39 percent in 2012, a moderate but steady increase in teleworking.</p><p>As telecommuting becomes more popular, the average amount of time each teleworker spends at home or in another remote location increases. The percentage of U.S. teleworking employees who spend 80 percent or more of their time (four days per week or more) working remotely increased from 24 percent in 2012 to 31 percent in 2016. The number of employees who work remotely 40 to 80 percent of the time has also increased slightly, while the number working remotely less than 20 percent of the time has decreased.</p><p>In addition, in more than half of the largest U.S. metro areas, telecommuting beats public transportation as the preferred commuting option, according to another report, 2017 State of Telecommuting in the U.S. Employee Workforce. 
Telecommuting has grown far faster than any other commuting mode, according to the study, which was issued by FlexJobs and Global Workplace Analytics. </p><p>One of the drivers of the growth of telework has been the U.S. federal government. In 2010, the U.S. Telework Enhancement Act became law, requiring the head of each executive agency to establish and implement a policy under which employees could be authorized to telework. The U.S. General Services Administration (GSA) serves as the lead agency for the government’s initiative; in its latest annual report to Congress, GSA said that federal teleworking continues to increase, with participation growing from 39 percent to 46 percent of eligible employees between 2013 and 2015. </p><p>Another telework driver is increasing pressure from younger workers for more work options. “The millennial generation, which values flexible work, has risen to prominence in the workforce. They are influencing and encouraging remote work policies,” says Robert Arnold, a principal with management consultancy Frost & Sullivan’s Digital Transformation-Connected Work Industry practice. With developments like advanced cloud services, technology continues to evolve and offer more reliable support for remote work, Arnold adds. </p><p>Nonetheless, barriers remain. “Federal agencies have made considerable progress (in teleworking), but they also continue to report challenges such as management resistance, outdated cultural norms, and technology limitations,” the GSA said in its latest annual report to Congress. </p><p>Often, this management resistance simply boils down to lack of trust, says Kate Lister, president of Global Workplace Analytics. “Some managers have this attitude–if they’re not looking at [workers] in the office, they’re at home on the sofa eating bonbons,” she says. 
Ironically, she adds, being in sight does not always mean being productive; workplace studies show that the majority of both cat videos and pornography are viewed in the office during working hours.</p><h4>Concentrative v. Collaborative</h4><p>One of the first tasks for those who plan to manage teleworkers is deciding who on staff may be eligible for telework. Overall, Gallup has found that a little over half of U.S. jobs, about 55 percent, could allow for telecommuting, at least on a part-time basis. </p><p>Security jobs that require a daily on-site presence are generally not eligible for telework. And some employees, regardless of position requirements, simply do not want to telecommute. “Many people already know this about themselves—given the choice, they will opt to go into an office every day for the companionship, sense of purpose, or because they don’t trust themselves to be productive at home,” say consultants from Frost & Sullivan in their report, Best Practices for Managing Teleworkers: Changing Attitudes, Changing Ways.</p><p>However, those holding jobs with part-time on-site requirements may be eligible. Lister cites the example of a group of park rangers she worked with. Although they spent much of their time patrolling the park, they also had administrative responsibilities such as report writing, which allowed many of them to telecommute part time.</p><p>For guidance, some organizations use the model of concentrative versus collaborative work, Lister explains. Concentrative work, which is best done alone and without interruptions, can be done well remotely; collaborative work, such as meetings and group projects, is often best tackled in the firm’s office, with other team members present.</p><h4>Best Practices</h4><p>Once it is decided who might be working remotely, managers of teleworkers should keep in mind the following best practices, which come from various experts, including those quoted above, and from program guidance offered by GSA. 
</p><p><strong>Co-create.</strong> A teleworking policy should be developed by the entire team. To set the tone and foster confidence before a new teleworking program begins, managers should engage in dialogue with their teams and address any questions about teleworking. Asking team members to discuss and reach consensus on solutions to these questions can help the team become more invested in making a teleworking initiative a success.</p><p>While the specific answers will differ for each organization, managers should be prepared for questions such as: </p><p>• How will we connect with each other?</p><p>• How will teleworking affect my performance evaluations and the way my work is assessed?</p><p>• What are the procedures for coordinating team projects?</p><p>• Will teleworking affect my career path?</p><p>• How can we manage customer expectations while teleworking?</p><p>• How can we use technology to help us telework better?</p><p>• Can we create a sense of workplace and community when we are working away from the office?</p><p><strong>Teamwork.</strong> If more than one employee is telecommuting, treat telework as a team activity rather than an individual one whenever possible. Develop a team schedule rather than independent schedules, and a teleworking system that is consistent with the needs of the department and organization. This may mean that if an important team meeting needs to be held in person, employees may have to come into the office on a day they would normally telework.</p><p><strong>Virtual presence.</strong> Team members can use instant messaging to check in each morning and to change their status when they will be away from the computer for more than a few minutes. On a rotating basis, one team member can also lead a virtual water-cooler chat with a question or comment for team members to respond to once or twice a day. 
Transparent communication tools like shared calendars can also be useful.</p><p>In addition, advanced collaboration tools like video conferencing may also be considered. “They help to bridge the gap by building trust and intimacy that is conveyed by eye contact, body language, and other nonverbal communication cues,” Arnold says. </p><p><strong>Customer service.</strong> If your team members interact with customers, make sure service-level requirements for communicating with customers are clearly defined. All team members need to agree to meet the same service levels to ensure transparency to the customer. Commit to each other on an acceptable response time for email inquiries and phone calls.</p><p><strong>IT support.</strong> A common reason for teleworking dissatisfaction is IT failure. Teleworkers depend on fast, reliable, consistent connections. Work with your IT group to ensure the technology is effective and efficient, operates consistently, and is backed by excellent customer service. IT department involvement and support is critical to your success.</p><p><strong>Trust.</strong> In talking with teleworkers on the phone, managers should avoid comments like, “Hey, I hear a washing machine. Are you doing your laundry, or working?” Instead, managers should use telework as an opportunity to foster trust between employees and management. Established daily check-ins can be useful, but rigid micro-monitoring of daily activities hinders productivity and creates an environment of distrust.</p><p><strong>Get together.</strong> The value of in-person community office time increases when working in a mobile environment. Collectively decide what types of events and activities will build a sense of cohesion and community. A regular social event might be included. </p><p><strong>Office space options.</strong> In some organizations, teleworkers give up a dedicated desk: their space is made available to others while they telework, and they use shared space when they come into the office. 
This requires coordination with other employees, and sometimes the development of shared-space protocols. Hoteling software, which helps administrators keep track of space booking and scheduling, can also assist in this process. </p><p><strong>Manage by results.</strong> For managers used to passing offices where employees are working away, telework can be disconcerting. But apparent worker activity should not be confused with the results those activities produce. Establish a clear definition of objectives and performance indicators, and keep track of those indicators. </p><p><strong>Monitor performance measures.</strong> One measure might be team sick days and absenteeism: have they decreased as your teleworking program progresses? Customer satisfaction might be another: has the needle moved in any direction since some team members started teleworking? </p><p><strong>Keep evolving.</strong> Managers should think of a telework program as a continual work in progress. Teams are unlikely to get all arrangements right the first time. Evolving work groups and projects may also force changes in the original arrangements, regardless of how successful they have been. Remain flexible, evaluate frequently, and adjust the arrangements as needed.</p><h4>Telework as Strategic Initiative</h4><p>The potential value of a well-managed teleworking program becomes even clearer when it is viewed in the broader context of the current workplace. As Gallup’s The State of the American Workplace finds, “the modern workforce knows what’s important to them and isn’t going to settle.” More than half of U.S. employees (51 percent) are searching for new jobs or watching for openings, and 47 percent say now is a good time to find a quality job.</p><p>In this environment, teleworking options can boost an organization’s employee retention efforts. 
“Gallup consistently has found that flexible scheduling and work-from-home opportunities play a major role in an employee’s decision to take or leave a job,” the report says. </p><p>GSA has found that teleworking can have a positive impact on the worker in various ways. In research comparing teleworkers with nonteleworkers, GSA found that teleworkers report more job satisfaction and higher engagement levels. They are also less likely than nonteleworkers to want to leave their current organization. </p><p>Private sector experts have found similar effects. “We do find that job satisfaction and loyalty continue to be positively impacted by remote work. Work-life balance is a big emphasis by employers in many sectors that wish to recruit and retain top talent and employees with increasingly scarce skill sets,” Arnold says.</p><p>Indeed, when it comes to employee engagement, the Gallup report showed that the most engaged workers were those who spent 60 to 80 percent of their week, roughly three to four days, working from home. While four days out of the office may be a bit extreme for some organizations, Lister says that many employers are finding two to three days a week to be the telecommuting “sweet spot,” with workers benefiting from both in-office camaraderie and out-of-office concentrative sessions. And Gallup has found that workers who say they have privacy when they need it are 1.7 times more likely to be engaged than workers who do not have that luxury.</p><p>Organizations are also finding other benefits in telework. Some have combined an increase in telework with a transition to smaller office space, reducing overhead costs. </p><p>And the 2017 State of Telecommuting in the U.S. Employee Workforce report found that employers save, on average, roughly $11,000 per half-time telecommuter per year. In addition, firms often get more out of their telecommuters. 
A half-time teleworker gains back an average of 11 days a year in commuting time and will devote about 60 percent of that gained time to work, Lister says. </p><p>Finally, as the benefits of teleworking become apparent to more employees and more organizations, they are also forcing change, Gallup finds. Organizations are being forced to reconsider how best to manage and optimize performance. Even the basic idea of when and where people work is evolving. </p><p>“The workplace is changing,” Gallup says, “at unprecedented speed.”</p>

Threats

<p>What region is most afraid of ISIS? <img src="/ASIS%20SM%20Callout%20Images/November%202017%20Last%20Page%20-%20Snapshot.jpg" alt="" style="margin:5px;width:884px;height:1165px;" /></p>

Surveillance

<p>For small business profitability, it’s the little things that make a difference, and keeping tabs on employees can help prevent shrinkage. According to Subway franchise owner Kim Jordan, protecting her assets means that every bag of chips and loaf of bread must be accounted for. “The only way we can make money as a franchise is by keeping our labor expenses down…and by keeping our food costs down,” says Jordan, who owns six of the sandwich franchise’s stores in Alabama. </p><p>Because employees often work solo shifts in the store, Jordan has experienced food theft, which drives up business costs. </p><p>“The greatest loss to my business is employee theft, whether it may be someone walking out the door with a case full of steak, stealing products, or giving away products,” she explains. 
</p><p>While Jordan knew that video surveillance would help, the infrastructure for individual security systems at each store would have been burdensome from a financial and management perspective, she says. So she turned to Hokes Bluff, Alabama-based security integrator Lee Investment Consultants, LLC, to determine the best solution for preventing the theft and robbery plaguing the restaurants. <img src="/ASIS%20SM%20Callout%20Images/1117%20Case%20Study%20Stats%20Box.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:430px;height:244px;" /></p><p>After evaluating a number of manufacturers, the decision was made to choose two camera models and a video management system from Hanwha Techwin America. With this system, the end user can view live video remotely or from individual store locations, and easily review recorded footage. </p><p>The install at the first store location was completed in May 2015, and over the next year and a half the other stores were outfitted. The last installation, at the store located inside a Walmart, was completed in November 2016. </p><p>To keep infrastructure costs down, the integrator provides long-term video storage at its hosting facility. It keeps footage for the Subway stores for 30 days before overwriting it. </p><p>Because the Subway restaurants have limited bandwidth, used mainly for their point of sale (POS) systems, local SD recording has been a major benefit of the system. For redundancy, recording is performed right on the camera using an SD card, and the video is uploaded overnight to the storage servers. </p><p>Most store locations have two cameras: one pointed at the sandwich line and register, and another pointed at the back portion of the store where the coolers are. One of the larger stores has three cameras, and the Walmart location has only one camera, at the entrance. </p><p>“We’ve had problems where employees are voiding out transactions at the register,” Jordan says. 
“Once employees get clever with the computer system, they might void out an order they just transacted…and stuff that money in their pocket.” </p><p>Now the problem with employee theft at the register has gone down, Jordan says, because managers can review footage from the cameras pointed at the POS terminals. “We can go back and view the video at the time that void was made, so we can see if the transaction is legitimate or not.”</p><p>Many of her individual store managers have access to the camera feeds, and Jordan entrusts them with reporting any cases of theft or unwanted employee behavior.</p><p>For example, one of her managers performed an inventory check and realized several bags of sandwich sauce were missing. Suspecting one employee in particular as the culprit, that manager decided to watch a live video feed the next time that employee was working. </p><p>“She just sat there...and actually watched the employee sneaking out the front door with the sauces,” Jordan says. The employee was immediately fired. “If someone’s going to steal a bag of sweet onion teriyaki sauce, they’re not trustworthy.” </p><p>The cameras have also led to the arrest of employees in more serious incidents. “A few months ago a customer had come in and had left her wallet behind, so my manager put it in a filing cabinet and told an employee that was coming in it was there,” she explains. “And when the lady came to pick up her wallet, she had a credit card and cash that was missing.” </p><p>Video revealed that the employee who knew where the wallet was had stolen a credit card and used it to buy a bag of chips in the store. The security integrator helped Jordan copy the footage onto a thumb drive to take to the police. “We got a warrant, and they arrested her for using that credit card,” Jordan tells Security Management. 
“We could not have proved it if it weren’t for the cameras.” </p><p>Even more recently, Jordan noticed about $5,000 was missing from the franchise’s bank deposits, which a manager was supposed to be taking to the bank. “Our cameras provided the evidence that she did get the deposits out of the safe and walked out of the store with them,” Jordan says. The manager was arrested and charged with felony embezzlement.</p><p>“I never give someone a second chance to steal,” Jordan says. “To me if they steal a bag of chips or give a sandwich to a friend, then they’ll take home five sandwiches for themselves when they get the chance.” </p><p>The return on investment from a business perspective has also been huge, Jordan notes. “At one location, our food cost for months had been above 40 percent,” she notes. “After we got those cameras, within a week our food cost came down within the margin we needed.” </p><p>The cameras have also led to a greater sense of security among her workers. “I have had employees say they feel safer because of the cameras,” she notes. “Especially with some younger employees, 16 or 17 years old, it’s been a comfort to their parents having the cameras when their child is closing alone.”</p><p><em>For more information: Tom Cook,,, 201.325.2623</em></p> Zero Day Problem <p>In August 2017, FireEye released new threat research assessing with “moderate confidence” that the Russian hacking group APT28, also known as Fancy Bear, was using an exploit to install malware on hotel networks and then spread laterally to target travelers. </p><p>“Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks,” FireEye said in a blog post. 
“No guest credentials were observed being stolen at the compromised hotels; however, in a separate incident that occurred in fall 2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network.”</p><p>After APT28 accessed corporate and guest machines connected to the hotel Wi-Fi networks, it deployed malware that sent the victims’ usernames and hashed passwords to APT28-controlled machines.</p><p>“APT28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network,” FireEye explained. </p><p>This method is worrisome for security experts because the exploit APT28 used to spread through the hotel networks was EternalBlue, the same exploit used to spread ransomware such as WannaCry and NotPetya. EternalBlue was also allegedly stolen from the U.S. National Security Agency (NSA).</p><p>A group of hackers, dubbed the Shadow Brokers, posted the EternalBlue exploit online in April 2017 after claiming to have stolen it from the NSA. The leak was just one of many the group has made over the past year exposing NSA tools that exploited vulnerabilities in Cisco Systems and Microsoft products, among others. </p><p>The leaks prompted renewed debate on whether the NSA should change its vulnerabilities equities process (VEP) to disclose vulnerabilities to the private sector more frequently, so that vendors can patch them before they are used in attacks.</p><p>Some of the harshest criticism came from Microsoft itself. In a blog post, President and Chief Legal Officer Brad Smith wrote that the WannaCry attack provided an example of why “stockpiling of vulnerabilities by governments” is a problem.</p><p>“An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” Smith explained. 
“And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world—nation-state action and organized criminal action.”</p><p>The VEP began to take form under the George W. Bush administration, when then-President Bush issued a directive instructing the director of national intelligence, the attorney general, and the secretaries of state, defense, and homeland security to create a “joint plan for the coordination and application of offensive capabilities to defend U.S. information systems.”</p><p>Based on this directive, the respective agencies recommended that the government create a VEP to coordinate the government’s “offensive and defensive mission interests,” according to a memo by the Congressional Research Service (CRS) in February 2017. </p><p>The Obama administration then created the current VEP, which became publicly known in 2014 in response to the Heartbleed vulnerability, a bug in the OpenSSL cryptographic library that let remote attackers read server memory and so exposed protected information such as private keys and session data. </p><p>The VEP, as it is known to exist today, provides the process by which the U.S. government chooses whether to disclose vulnerabilities to the vendor community or retain them for its own use.</p><p>“Vulnerabilities for this purpose may include software vulnerabilities (such as a flaw in the software which allows unauthorized code to run on a machine) or hardware vulnerabilities (such as a flaw in the design of a circuit board which allows an unauthorized party to determine the process running on the machine),” according to the CRS memo sent to U.S. Representative Ted Lieu (D-CA).</p><p>To be eligible for the VEP, however, a vulnerability must be new or not known to others. 
Vulnerabilities are checked against the Common Vulnerabilities and Exposures (CVE) list to determine whether they are new or unknown.</p><p>When deciding whether to disclose a vulnerability, there are no clear rules, but the U.S. government considers several factors, according to a blog post by former White House Cybersecurity Coordinator Michael Daniel that was written in response to allegations that the NSA knew about the Heartbleed vulnerability prior to its public disclosure.</p><p>For instance, the government considers the extent of the vulnerable system’s use in the Internet’s infrastructure, the risk and harm that could be done if the vulnerability is not patched, whether the administration would know if another organization were exploiting the vulnerability, and whether the vulnerability is needed for the collection of intelligence.</p><p>The government also considers how likely it is that the vulnerability will be discovered by others, whether the government can make use of the vulnerability before disclosing it, and whether the vulnerability is, in fact, patchable, according to Daniel.</p><p>In the post, Daniel wrote that the government should not “completely forgo” its practice of collecting zero-day vulnerabilities because it provides a way to “better protect our country in the long run.”</p><p>And while the process allows the government to retain vulnerabilities for its own use, it has tended to disclose them instead. NSA Director Admiral Michael Rogers, for instance, testified to the U.S. Senate Armed Services Committee in September 2016 that the NSA has a VEP disclosure rate of 93 percent, according to the CRS memo, which noted a discrepancy in the reported rate.</p><p>“The NSA offers that 91 percent of the vulnerabilities it discovers are reported to vendors for vulnerabilities in products made or used in the United States,” the memo said. 
“The remaining 9 percent are not disclosed because either the vendor patches it before the review process can be completed or the government chose to retain the vulnerability to exploit for national security purposes.”</p><p>Jonathan Couch, senior vice president of strategy at ThreatQuotient, says that the U.S. government should not be expected to disclose all of the vulnerabilities it leverages in its offensive cyber espionage operations.</p><p>“Our government, just like other governments out there, is reaching out and touching people when needed; they leverage tools and capabilities to do that,” says Couch, who prior to working in the private sector served in the U.S. Air Force at the NSA. “You don’t want to invest a ton of money into developing capabilities, just to end up publishing a patch and patching against it.”</p><p>However, Couch adds that more could be done by agencies, such as the U.S. Department of Homeland Security (DHS), that work with the private sector to push out critical patches when needed.</p><p>“Right now, I think they are too noisy; DHS will pass along anything that it finds—it doesn’t help you prioritize at all,” Couch says. “If DHS could get a pattern of ‘Here’s what we need to patch against, based on what we know and are allowed to share,’ then push that out and allow organizations to act on that.”</p><p>Other critics have recommended that the government be more transparent about the VEP by creating clear guidelines for disclosing vulnerabilities and by choosing to “default toward disclosure with retention being the rare exception,” the CRS memo explained.</p><p>One of those recommendations was published by the Harvard Kennedy School’s Belfer Center for Science and International Affairs in <em>Government’s Role in Vulnerability Disclosure: Creating a Permanent and Accountable Vulnerability Equities Process</em>. 
</p><p>The paper, written by Ari Schwartz, managing director of cybersecurity services for Venable LLP and former member of the White House National Security Council, and Rob Knake, Whitney Shepardson senior fellow at the Council on Foreign Relations and former director for cybersecurity policy at the National Security Council, recommended that the VEP be strengthened through formalization. </p><p>“By affirming existing policy in higher-level, unclassified governing principles, the government would add clarity to the process and help set a model for the world,” the authors explained. “If all the countries with capabilities to collect vulnerabilities had a policy of leaning toward disclosure, it would be valuable to the protection of critical infrastructure and consumers alike, as well as U.S. corporate interests.”</p><p>However, the authors cautioned that affirming this process does not mean that the government should publicize its individual disclosure decisions or deliberations.</p><p>“In many cases, it likely would not serve the interests of national security to make such information public,” according to Schwartz and Knake. “However, the principles guiding these decisions, as well as a high-level map of the process that will be used to make such decisions, can and should be public.”</p><p>Some U.S. lawmakers also agree that the VEP should be overhauled to boost transparency. In May, U.S. Senators Brian Schatz (D-HI), Ron Johnson (R-WI), and Cory Gardner (R-CO), and U.S. Representatives Ted Lieu (D-CA) and Blake Farenthold (R-TX) introduced legislation that would establish a Vulnerabilities Equities Review Board with permanent members. These members would include the secretary of homeland security, the FBI director, the director of national intelligence, the CIA director, the NSA director, and the secretary of commerce. 
</p><p>Schatz said that the bill, called the Protecting Our Ability to Counter Hacking (PATCH) Act, strikes the correct balance between national security and cybersecurity.</p><p>“Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security,” he explained in a statement.</p><p>Additionally, the secretaries of state, treasury, and energy would serve as ad hoc members of the board. The board could also request the participation of any member of the National Security Council, subject to the president’s approval, according to the legislation.</p><p>The bill has not moved forward in Congress since its introduction, which suggests that many do not see a need to overhaul the current disclosure system. </p><p>“It’s just not realistic for NSA, CIA, or the military or other international governments to start disclosing these tools they’ve developed for cyber espionage,” Couch says.</p>