More Headlines

 

 

https://sm.asisonline.org/Pages/Vulnerability-Rediscovery-Occurs-At-More-Than-Twice-The-Previously-Reported-Rate.aspx
Vulnerability Rediscovery Occurs At More Than Twice The Previously Reported Rate
Cybersecurity
<p>Multiple researchers—working independently—uncover the same security flaws more consistently than previously believed, according to a new report from Harvard.</p><p><a href="http://www.belfercenter.org/sites/default/files/files/publication/Vulnerability%20Rediscovery.pdf" target="_blank"><em>Taking Stock: Estimating Vulnerability Rediscovery</em> </a>looked at a dataset of more than 4,300 vulnerabilities discovered between 2014 and 2016 for Android, and the Chrome and Firefox browsers. Vulnerabilities are flaws that allow cyber criminals, as well as intelligence and law enforcement agencies, to gain access to targeted systems.<br></p><p>Researchers Trey Herr, Ph.D., postdoctoral fellow with the Belfer Center’s Cyber Security Project at Harvard Kennedy School; Bruce Schneier, research fellow with the Belfer Center and adjunct lecturer in public policy at Harvard Kennedy School; and Christopher Morris, research assistant at the Harvard School of Engineering and Applied Sciences, found that rediscovery of vulnerabilities happens more than twice as often as previously reported. <br></p><p>Their findings conclude that “rediscovery happens more than twice as often as the 1 to 9 percent range previously reported,” according to the report. “For our dataset, 15 percent to 20 percent of vulnerabilities are discovered independently at least twice within a year.”<br></p><p>Based on their findings, the researchers suggested that the U.S.
government rethink its process for not disclosing software vulnerabilities to companies.<br></p><p>“Underlying the choices to pay for a software vulnerability, as well as government decisions to keep some a secret, are assumptions about how often those same software flaws could be discovered by someone else, a process called rediscovery,” the researchers explained.  <br></p><p>“When combined with an estimate of the total count of vulnerabilities in use by the NSA, these rates suggest that rediscovery of vulnerabilities kept secret by the U.S. government may be the source of up to one-third of all zero-day vulnerabilities detected in use each year,” the report said. “These results indicate that the information security community needs to map the impact of rediscovery on the efficacy of bug bounty programs and policymakers should more rigorously evaluate the costs of non-disclosure of software vulnerabilities.”<br></p><p>In a post for <a href="https://lawfareblog.com/rediscovering-vulnerabilities" target="_blank">LawFare</a>, Herr explained that modern government intelligence agencies must maintain some access to software vulnerabilities. </p><p>"However, the WannaCry ransomware and NotPetya attacks have called attention to the perennial flipside of this issue--the same vulnerabilities that the U.S. government uses to conduct this targeting can also be exploited by malicious actors if they go unpatched," he wrote.</p><p>The researchers also suggested that rediscovery rates are likely higher than what their research was able to conclude because they only looked at high to critical-severity vulnerabilities.<br></p><p>For instance, records from a bug bounty company mentioned in the study “indicate that low- and medium-severity vulnerabilities are rediscovered more frequently than high- and critical severity bugs, to which this study is constrained,” the researchers wrote. 
“As it is, the 15 percent to 20 percent estimate is substantially higher than previously seen.”<br></p><p>The researchers plan to present the paper and discuss its findings at <a href="https://www.blackhat.com/us-17/briefings/schedule/#bug-collisions-meet-government-vulnerability-disclosure-7587" target="_blank">BlackHat USA</a> in Las Vegas next week.</p>
https://sm.asisonline.org/Pages/Mentor-Y-Yo.aspx
Mentor and Me
Strategic Security
<p>As security practitioners, learning from our own mistakes can be costly. “All of us are one bad day away from being fired,” is how a colleague once summed up our situation. The observation was a realistic reminder that security managers cannot make mistake after mistake and still expect to remain successful in the profession.</p><p>With that in mind, stepping up to lead a security operation can be a frightening experience, especially for the young professional making a debut as a leader. I definitely felt my own anxiety when I took on the role of contract security manager at a large community college in 2008.</p><p>At the time, the media seemed to present a new story every week about a tragedy at a shopping mall, a workplace, a school, or some other public space where lives were lost or forever changed. Each time, I would follow the news, trying to understand exactly what had happened from a security standpoint. Would my own program have fared better, or would it have ended in tragedy and my dismissal? </p><p>Fortunately for me, I was not alone. I had a mentor who took the time to help me become a seasoned security professional. Through mentoring, a new security manager can experience professional situations and even make decisions that may turn out to be wrong, without suffering the consequences of making mistakes on the job.
An opportunity like that is invaluable, because having a safe space in which to fail is crucial for professional growth and skill development.</p><h4>EXPLORE COMPATIBILITY</h4><p>Mentoring is a symbiotic partnership between an expert and a novice in which knowledge and trust are shared equally. But finding a good mentor can be complicated, because it requires finding a “veteran” manager who has both a significant level of experience and a passion for sharing it.</p><p>Professional security organizations, such as ASIS International, are a great place to look for mentors within the industry. The organization that employs a security manager may even have a formal mentoring program. However, it should never be necessary to obtain formal permission, other than your own and that of the expert you want to learn from, to begin a relationship of this kind.</p><p>In my case, the expert was George, the director of security at the college where I was working as a contract security manager. The college hired George about a month before I was brought on; in fact, my start date was pushed back a bit so that he could settle in first and have a chance to interview me.</p><p>Before George’s arrival, one of the college’s vice presidents was in charge of overseeing the security program. But a security survey conducted by a contractor led the college to hire a new director of security to develop an independent security department. I was brought in as a full-time contract security manager.
The security company made me an informal offer shortly before George arrived; the offer was contingent on a successful interview with him, which would mean final approval.</p><p>As it turned out, George and I used our initial interview to have a broad and pleasant conversation about a bit of everything, from work ethic to security knowledge. This meeting was very important, because the success of a mentor-mentee relationship depends on the compatibility of the two individuals.</p><p>In general, a prospective mentor and mentee should always have a chance to meet and decide individually whether they will be able to work together, a concept that formal mentoring programs should consider before pairing their participants. Otherwise, the relationship may be doomed to fail before it even gets off the ground.</p><h4>DO YOUR RESEARCH</h4><p>When choosing the right mentor, the mentee may want to consider a number of variables, including the mentor’s level of expertise and willingness to share knowledge, as well as the general alignment of both parties’ interests. Online research can verify the mentor’s experience, credentials, and accomplishments; sometimes high-profile failures can be uncovered, too.</p><p>In George’s case, his online profile showed that he was a successful university police lieutenant who had transitioned to corporate security, first heading security for a multisite hospital system before becoming director of security at the community college. He was also a longtime member of ASIS and a <em>Certified Protection Professional</em>© (CPP); in short, a veteran security professional.</p><p>Of course, the process of assessing a mentor’s expertise does not have to end once the selection process is complete.
A mentee can evaluate the mentor’s judgments through independent research. This is a great tool for determining whether the mentor’s actions are consistent with national best practices.</p><p>In my case, as I became involved with ASIS and my own professional development progressed, I could see why George made certain decisions and took certain actions.</p><p>For example, I remember creating a revised incident report template for the security department that included a glossary of incident types with definitions. The idea was to make it easier for security officers to choose an incident type to report and to promote more uniform reporting across facilities and among individual officers. </p><p>I had used the categories from the FBI’s Uniform Crime Reporting Program as a basis for establishing the incident types. When George reviewed them, he made a number of edits that combined or renamed categories, adding offenses such as robbery, arson, and non-negligent manslaughter to the list.</p><p>George had reworked the list of incident types to follow the Clery Act categories, which made more sense because our workplace was an educational institution (the Jeanne Clery Act requires colleges and universities to report information about crimes that occur on or near their campuses). I was already familiar with the act at that point, but until I started researching I had not fully understood why we had changed the names; then I saw that the Clery Act did in fact specify what the incidents should be called.</p><p>This became a recurring pattern: the more I learned, the deeper I could research; and the more extensive my research, the more findings validated George’s expertise.
But the process of independently evaluating expertise has another benefit: sometimes it can reveal that the knowledge gap between mentor and mentee is too large to be bridged.</p><p>For example, if a mentee is barely able to use email, that person needs a mentor who uses it daily, not a software developer who wrote the code that makes email work. Too wide a knowledge gap can lead to a breakdown in communication between the two parties, in which the mentee cannot fully grasp concepts that the mentor considers common sense. It is almost as if they were speaking different languages.</p><p>This does not always have to be the case, of course; some highly accomplished professionals are also talented communicators and teachers who can bridge wide skill gaps. But sometimes the gaps generate so much frustration that both parties give up. In the worst case, this bad experience may keep both from trying again to establish a mentoring relationship with a more suitable partner in the future, and so they miss out on the mutual benefits of this kind of relationship.</p><p>If either party feels that the pairing is unsustainable, both should end the relationship cordially and try again with someone else. The industry needs experts and novices to seek each other out and work together, so neither should allow the partnership to deteriorate.</p><p>Independent research can be valuable in another way: as a great educational tool for mentors.
They can use it to develop exercises that let mentees analyze situations on their own and select appropriate actions based on the conditions they face.</p><p>Exercises like these illustrate that mentoring is not simply a matter of leading the mentee by the hand; mentees must be willing and able to act and think for themselves. Practicing these skills in the context of an exercise is an excellent way to learn.</p><p>Finally, the mentor-mentee relationship may not work if the two are considered competitors for the same job. The modern workplace can be territorial, and being mentored by someone who is worried that the mentee may eventually take their job (rather than succeed them if they eventually leave the company voluntarily or retire) will be problematic. Concerns about a job are likely to erode the trust of one or both parties, causing the relationship to fail.</p><p>That said, many of the best mentors are those who are nearing the end of their careers, are experts in the industry niche in which the mentee wants to excel, and are enthusiastic about passing their knowledge on to promising young professionals.</p><h4>MOVE FORWARD</h4><p>Once you have identified a mentor, you firmly believe that the mentor’s expertise is genuine, and there is mutual trust and a desire to work together, you must commit to the relationship completely.</p><p>When George and I began working together, there was no real separation between our jobs and the learning. We did not set aside one day of the week for mentoring activities, with the other four days taken up by operational tasks or disciplinary meetings. Instead, the opposite happened: traditional work and mentoring blended in perfect harmony.
Every activity became a potential lesson, and every interaction an opportunity to pass on information.</p><p>The two of us met about twice a week to discuss the general operations of the security officer force. In those meetings, I would frequently be assigned tasks, anything from drafting a policy on a particular topic to developing a coverage plan for a special event. I would return to my office to work on the project and then bring a working draft to the next meeting.</p><p>George would take out his red pen and, without remorse, let the ink run all over my drafts. He would explain the mistakes I had made and hand the documents back for me to correct and resubmit.</p><p>Perhaps the greatest gift I received from George was his patient and firm refusal to accept substandard or poorly researched work. Since then, I have realized how tempting it can be, when we are very busy, to gather up documents and reports submitted with errors and send them on to the next recipient, just to move along. But in the end, the only thing that guarantees is that you will keep seeing documents submitted with errors. Taking the time to explain what is wrong with a document and return it to the mentee to fix takes patience and a desire to teach.</p><p>Mentoring does not have to be one-dimensional or exclusive. From time to time, I would turn to others for advice when the situation called for it. The owners of the security company I worked for had extensive experience as security contractors, so they were my primary source when I needed specific expertise in that subfield.
There is no shortage of good mentors, so there is no reason to limit yourself to just one when you are looking for advice.</p><h4>TRANSITION</h4><p>As we continued working together, the complexity of the tasks assigned to me naturally grew. The more I learned, the more I was able to do, and the more projects I became involved in.</p><p>George and I coauthored articles and developed training programs for campus security officers and for people transitioning into security from other industries. I learned that there is no better way to reinforce knowledge of a subject than to teach it. This is even more true if your students are adults. Whenever you think you have become knowledgeable about a subject, try standing in front of a class of adults who believe they are too, and field their questions.</p><p>This is a moment of professional transition: the mentee is no longer a beginner but is definitely not yet an expert. Moving from basic concepts to more advanced ones can be exciting and rewarding, and a dangerous temptation can arise for the mentee: believing that the mentoring is over. Of course, that thought crossed my mind at times, especially during hard, heavy days at the office, when the last thing I wanted was George pointing out what I had done wrong.</p><p>However, I realized that the relationship was still too valuable to me to discontinue; but it did have to change. When mentoring reaches an advanced stage, the emphasis on acquiring job-specific knowledge must give way to a greater focus on strategic learning and career development.</p><p>Operational skills, such as scheduling, interviewing candidates, and developing standard policies and procedures, have already been learned.
Now, both mentor and mentee can focus on cultivating high-level skills, such as knowing how to predict where and when a new policy may be needed and analyzing current trends in crime prevention or campus security.</p><p>Much like traditional leadership, the mentoring style can be altered and adjusted over time as the relationship deepens.</p><p>In the later stages of my mentorship, George encouraged me to take advantage of more and more development opportunities, such as professional education, online courses from the U.S. Federal Emergency Management Agency (FEMA), conferences held by the state Department of Criminal Justice Services, and many other training classes and seminars, including the 2011 <em>ASIS International Seminar and Exhibits</em> in Orlando, Florida.</p><p>The ASIS seminar was an eye-opening experience that allowed a relatively new security manager like me to explore the profession in all its depth. In one week, I discovered that no matter how much I thought I had learned during my three years working with George, I had only scratched the surface.</p><p>Nevertheless, my first ASIS seminar served as the perfect catalyst for George to push me to pursue my CPP designation, which I eventually earned.</p><p>Two years after I became certified, an ASIS colleague forwarded me a notice about a job opportunity as security administrator for the city where I lived. It was too good an opportunity to pass up, and, surprisingly, the posting specifically sought a CPP with experience in multifacility security management.</p><p>I got the job and became the security administrator for the City of Newport News, Virginia.
George went on to mentor a physical security manager who was hired before I left.</p><h4>THE MENTEE BECOMES THE MENTOR</h4><p>George and I still keep in touch, catching up over an occasional lunch at which we compare strategies on similar issues. When I moved into my new position, I found new mentors with extensive public-sector experience who helped me navigate the minefields that exist in local government.</p><p>I encountered an even faster pace of operations at this level, and there is less patience for sharing basic-level knowledge because the expectations of me are already reflected in the added responsibilities of the new position. However, the mentoring dynamic remains the same: I work for an individual with an enormous level of knowledge of municipal administration, and his advice in that area of my work is invaluable.</p><p>I tried to share knowledge with the people around me in much the same way George did with me: patiently encouraging those around me to learn more about the industry and their roles within it. My approach, however, has been somewhat different from his. While George devoted a significant amount of time to mentoring a single person, I have tried to influence everyone I come into contact with.</p><p>Looking back, there was no exact movie moment where I could say “I was taught to achieve exactly this.” Mentoring does not work that way, in my experience. It is a gradual process that requires constant work and infinite patience from both parties.</p><p>It is also a partnership that helps both individuals develop and potentially instills in them an appreciation for learning and teaching that will last throughout their careers.
This interest leads us to keep advancing in our industry, to seek new mentors, and to take on the role of mentor for those who come after us, elevating the entire profession one mentee at a time.</p><p>--<br></p><p>Yan Byalik, CPP, is the security administrator for the City of Newport News, Virginia. He has more than 15 years of experience, including security in higher education, theme parks, and critical infrastructure. Byalik is the assistant vice president for Region 5A.</p>
https://sm.asisonline.org/Pages/Business-Theft-and-Fraud--Detection-and-Prevention.aspx
Book Review - Business Theft and Fraud: Detection and Prevention
Cybersecurity
<p><strong>Business Theft and Fraud: Detection and Prevention. CRC Press; crcpress.com; 338 pages; $79.95.</strong></p><p>More than two-thirds of employee theft cases occur in small business operations, and more than half of victimized businesses have fewer than 25 employees. These statistics, from <em>Business Theft and Fraud: Detection and Prevention</em>, help explain why even the smallest organizations need to know how to detect and prevent fraud and theft.<br><br>With experience in the military, law enforcement, and the private sector, and degrees in financial management and criminal justice, author James Youngblood, CPP, has the appropriate credentials to write a definitive book on the subject. He understands the differences between the operations of small and large businesses, and he offers techniques to thwart theft in all types of organizations.</p><p>For instance, background investigations for potential employees are important for all organizations. Small companies may be hindered from conducting adequate background investigations due to budgetary restrictions, time constraints, and reduced applicant pools. Large organizations have greater monetary resources for background checks, are able to distribute the workload until replacement help is acquired, and usually attract more applicants for various reasons.</p><p>In any case, the insider threat is a primary concern of the text. Other timely topics include the protection of brand integrity and brandjacking, the sale of bogus or counterfeit brand name merchandise, cybersecurity, technology-based fraud, data breaches, and ransomware.
Encompassing a breadth of information for those concerned with theft and fraud, this book explains such important concepts as how to identify sales underreporting, track sales by shifts, and educate employees to be aware of computer scams. Throughout the work the thread of internal theft and shrinkage is prevalent.</p><p>Some suggestions to enhance the utility and flow of the book include using a linear presentation of information for easier understanding. Chapters of few pages could be consolidated with other relevant chapters, and many sub-topics could be combined. For example, both chapters 4 and 5 deal with financial statements: consolidation of these might be more effective. While some sub-headings are presented as questions, others are statements, possibly creating some confusion. The explanatory endnotes might better be incorporated into the text, while a bibliography would help readers find further resources in some subject areas.</p><p>The overall visual presentation is professional with quality materials and clear typeset. Two appendixes list organized retail crime associations and examples of phishing emails, and there is an extensive index. This book is recommended for security and business management professionals as well as loss prevention practitioners desiring a roadmap for the detection and prevention of business theft and fraud. It could also be used as a primary or supplemental textbook in college courses focusing on internal and external theft and fraud, as well as cyber issues.</p><p><em>Reviewer: Paul D. Barnard, CPP, CISM (Certified Information Security Manager), SFPC (Security Fundamentals Professional Certification), is an adjunct professor in loss prevention and security management programs. He has been a member of ASIS International since 1975.</em></p>
https://sm.asisonline.org/Pages/Report--Most-InfoSec-Professionals-Think-Their-Companies’-Security-Solutions-Are-Outdated.aspx
Report: Most InfoSec Professionals Think Their Companies’ Security Solutions Are Outdated
Cybersecurity
<p>A majority of information security professionals said they believe some of their organizations’ existing security solutions are outdated and inadequate, according to a new report released this week.</p><p><em><a href="https://www.citrix.com/content/dam/citrix/en_us/documents/analyst-report/ponemon-security-study.pdf" target="_blank">The Need for a New IT Security Architecture: Global Study,</a> </em>sponsored by Citrix and conducted by the Ponemon Institute, is a three-part report that surveyed 4,268 IT and IT security practitioners in 14 countries to find out why security practices and policies need to evolve to deal with threats from disruptive technologies, cybercrime, and compliance.<br></p><p>In response, 69 percent of respondents said their organizations’ security solutions are outdated and inadequate, making them unable to manage emerging risks.<br></p><p>“What is needed, according to 74 percent of respondents, is a new IT security framework to improve their security posture and reduce risk,” the report found. “A new strategy is especially important in order to manage such potential risks from the Internet of Things (IoT).”<br></p><p>The report also found that 83 percent of respondents think their organization is at risk of a security breach because of the complexity of business and IT operations.
<br></p><p>“Business and IT complexity are leading to more employees circumventing security policies and sanctioned apps,” wrote Stan Black, CISSP, chief security officer and vice president of Citrix, in a <a href="https://www.citrix.com/blogs/2017/01/10/ninety-nine-problems-and-security-is-the-biggest-one/" target="_blank">blog post.</a> “Bottom line, if it’s too complex, employees will find a way around it in order to do their jobs effectively and according to their own preferences.”<br></p><p>Additional factors that respondents said are putting their organizations at risk include:<br></p><ul><li><p>The growth of data assets (78 percent)<br></p></li><li><p>Integration of third parties into internal networks and applications (76 percent)<br></p></li><li><p>Silos and the lack of collaboration between IT security and lines of business (76 percent)<br></p></li><li><p>Inability to secure access rights (74 percent)<br></p></li><li><p>Inability to integrate disparate technologies (67 percent)<br></p></li><li><p>Lack of funding to support cyber defense (67 percent)<br></p></li></ul><p>To address these concerns, the respondents said their organizations’ new IT security infrastructure should include technology for identity and access management (78 percent), machine learning (77 percent), and configuration and log management (76 percent), among other technologies. <br></p><p>Black agreed with this assessment and wrote that virtualization, containerization, and enterprise mobility management and visibility will be needed to get employees to follow security rules. <br></p><p>“Containerization affords employees anytime, anywhere access on their device of choice while still protecting any apps and data accessed,” he explained. “Virtualization allows for information to be delivered at the pixel level, ensuring it doesn’t leave the data center. 
Combined, using these can significantly reduce the available attack surface, since information is delivered only via the secure channel and can be revoked or removed at any time.”<br></p><p>Black also suggested companies adopt identity and access management protocols to create trust and grant access based on contextual awareness.<br></p><p>“Without it, your business will be stuck in the dark ages as more new technologies surface in the workplace,” he wrote.<br></p><p>To read all three <em>The Need for a New IT Security Architecture</em> reports, visit <a href="https://www.citrix.com/it-security/resources/ponemon-security-study.html">Citrix’s landing page.</a><br></p><p><br> </p>
https://sm.asisonline.org/Pages/¡PRESTA-ATENCIÓN!.aspx
PAY ATTENTION! | Physical Security
<p>How can human operators avoid burning out on the job, or stay alert after driving for long stretches of time? How can security guards make sure they do not miss a critical alert during a long shift?</p><p>The Human Factors and Applied Cognition (HFAC) program at George Mason University in Fairfax, Virginia, is testing subjects on vigilance fatigue to learn more about how and why mental power is depleted, and how it can be replenished. Subjects in the institution’s Arch Lab are assigned a variety of tasks to perform in a range of scenarios.</p><p>“We are constantly having people carry out several tasks at the same time,” says Dr. Carryl Baldwin, who directs the program. “In one of the scenarios, subjects must perform five simultaneous tasks, trying to switch their attention among three screens, from one to the other.”</p><p>Baldwin explains that vigilance fatigue occurs when our brains are overwhelmed by the task they are performing. “The main theory explaining why we experience this drop in attention is that our cognitive resources become depleted,” she says. “And we ask ourselves, ‘If that is the case, how do we restore those resources?’ So we started a series of experiments, many of which are still ongoing, looking at what we can do so that the person can get back up to speed, trying to mitigate that decline in performance.”</p>
<p>One hypothesis, Baldwin notes, is that letting the mind wander (also known as engaging the mind’s default network) helps restore blood flow in the part of the brain used in completing a task, the dorsal attention network. “This idea is called <i>the decoupling hypothesis</i>, because it deals with the cycle of alternating between two large attention networks,” she says. “You have to go through this cycle constantly in order to sustain your performance over any length of time.”</p><p>In a field like security, Baldwin notes that the lack of incidents during any shift can lead to increased fatigue, as with any activity that offers little or no stimulation for the brain. “How can you stay motivated to watch screens if, shift after shift, nothing happens?” she says. “You are likely to miss the signals, because it is hard to pay attention when you rarely get one.”</p><p>Researchers are working on restoring subjects’ effectiveness at performing tasks with a variety of techniques. “One of the things you can do in vigilance research is insert false alarms… to wake the subjects up,” Baldwin says. “Because if you are waiting for a signal that is not going to occur during the entire eight-hour shift, it is really hard to stay engaged.”</p><p>Offering rewards can also help people stay focused. “We are experimenting with rewarding subjects every now and then… mainly to increase dopamine levels, which we believe will, in turn, increase their ability to keep their attention on the task.”</p><p>Baldwin says that simply being in a good mood also seems to promote effectiveness and alertness. “We have tried playing music of a certain type, particularly with positive vibes, slow music that is popular and enjoyable, and people like it,” she says. “That tends to make subjects relax and have a positive attitude.”</p>
<h4>Cyber Fatigue</h4><p>Fatigue also affects those who make security-related decisions. Most computer users in the United States feel “overwhelmed,” “resigned,” and “hopeless” about the security and privacy of their online behavior. This leads them to make poor cybersecurity decisions, according to a study conducted by the National Institute of Standards and Technology (NIST) in October 2016, titled <em>Security Fatigue.</em></p><p>The report’s authors tell <em>Security Management</em> that they were not necessarily looking to draw conclusions about security fatigue in their research, but rather wanted to learn more about the online security behavior of the typical computer user. “We were really trying to understand people’s perceptions, beliefs, and behaviors regarding cybersecurity,” says Mary Theofanos, a computer scientist in NIST’s Office of Data and Informatics.</p><p>Theofanos, together with coauthor Brian Stanton of the institute’s Visualization and Usability Group, interviewed people ranging in age from 20 to 69 from rural, urban, and suburban areas of the United States. They asked questions such as: What do you do online? How often do you change your password? How do you feel about cybersecurity?</p><p>“When we started talking with them, there was this overwhelming sense of resignation, loss of control, defeatism, and decision avoidance,” Theofanos explains. “When we really started looking for them, we realized that these are the characteristics of security fatigue.”</p>
<p>The following are some signs of cybersecurity fatigue observed by the researchers:</p><p>• Avoiding taking unnecessary actions</p><p>• Choosing the easiest available option</p><p>• Making decisions driven by immediate motivations</p><p>• Behaving impulsively</p><p>• Feeling resigned and experiencing a loss of control</p><p>Stanton, a psychologist by profession, says users are tired of constantly being asked to change their passwords, update their systems, and take part in other basic good practices of cybersecurity and hygiene.</p><p>“Once you pass a certain threshold, you no longer have any capacity to deal with things, and that is what we are seeing in the security arena,” he explains. “These people no longer had the capacity to make any more decisions about security.”</p><p>Feeling overwhelmed leads users to make poor decisions, such as not changing their passwords or updating their devices, or failing to protect their personal information, opening the door to cyberattacks or data theft.</p><p>Positive reinforcement, one of the classic methods for counteracting vigilance fatigue, is not necessarily available in the virtual world. “It is hard to get a reward in cyberspace because there is no direct cause-and-effect relationship,” Theofanos says. For example, if users change their password every thirty days but their systems are breached anyway, they will feel that their security practices did not protect them and that, therefore, they are not worth doing.</p><p>“In cybersecurity you get no feedback if you do everything right,” Stanton adds.</p>
<p>Those interviewed also believed that hackers would never target their information in the first place, because they felt they had nothing of value. They said that someone else should protect their data, such as the bank that issues their credit cards or their employers.</p><p>To combat the problem of security fatigue, the research suggested that companies take some steps to ensure that users do not feel overwhelmed:</p><p>• Limit the number of security decisions users must make</p><p>• Make it simple for users to make the right security decision</p><p>• Design for consistent decision making whenever possible</p><p>Theofanos notes that users are aware of existing cyberthreats, and many had mentioned high-profile breaches that made the news. Even so, she says good cybersecurity has to become a habit, and awareness is not enough. “They cannot fall back on a set of habits, because they have not developed them yet. It is the classic concept of practice, practice,” she says. “It is a bigger step than just getting general education and awareness.”</p>
https://sm.asisonline.org/Pages/Changing-Course-for-Success.aspx
Changing Course for Corporate Success | Strategic Security
<p>Conventional wisdom suggests that businesses have a natural life cycle wherein new solutions, evolving markets, and misguided management play a significant role in the probable failure of the company. According to this model, every firm—from family businesses to the largest multinationals—falls into decline. Even those businesses that come back after one downturn may not prevail in the next one. These organizations are replaced by new companies that are born to meet evolving market needs, new technology voids, or changing business environments, and the cycle repeats. But some notable companies—IBM and Apple, for example—have overcome periods of decline and have emerged with a new focus, strong core values, and a powerful new leadership position. </p><p>There are many possible paths to this success, but for a large technology company, regaining its leadership position after a major decline requires several critical ingredients, including: </p><ol><li>A clear target-market focus with in-depth understanding of the customer</li><li>A strong, complete offering that cannot be easily duplicated</li><li>A clear market position and message</li><li>Strong organizational alignment with outstanding team commitment</li><li>A financial foundation that will support the necessary actions<br> </li></ol><p>While these elements may seem obvious to any start-up entrepreneur, they may be harder for an established, enterprise-level company to achieve. Here's a look at how these five key initiatives can be applied.</p><p><strong>1. Clear Target Market<br></strong>A statement of mission, vision, and values can help an organization create a roadmap of where it wants to go and how it will get there. 
A basic underlying tenet of the statement is that the organization, regardless of its nature (i.e., school, auto dealership, technology company, etc.) will provide a high-quality product or solution that the market needs. Organizations must also identify the right way to communicate to the defined market that their product or service has value and is the best choice. They must support that communication with a solid foundation in marketing, sales, and infrastructure. It's a broad "pull" rather than "push" approach that benefits not only the organization but the market as well. </p><p><strong>2. Strong, Complete Offering<br></strong>Businesses that have grown and prospered offer a strong, quality product line designed specifically for the defined market. Maintaining that portfolio is an ongoing process that requires both a commitment and a product roadmap that will position the organization not only as a product leader but also as a technology leader. </p><p>Crystal balls aside, listening and responding to a changing industry is necessary to ensure that the portfolio offers solutions as well as products. Offerings today must feature greater intelligence and performance capabilities that will make a difference to the industry. In the physical security market, for instance, some of these solutions include products with increased connectivity, cybersecurity features, and an understanding of the Internet of Things (IoT). The offerings should be positioned to work in combination with the expertise of select technology partners to deliver an integrated system that solves customer problems through meaningful innovation. </p><p><strong>3. Clear Market Message<br></strong>Successful companies have an aggressive integrated marketing program that combines the best of traditional marketing with new social media and digital techniques to get their message to the market. 
These companies have implemented and will continue to refine consistent and aggressive public relations, new print and digital advertising campaigns, and advanced inbound marketing. This is all in addition to updated websites that include significant support tools and search engine optimization.</p><p><strong>4. Organizational Alignment<br></strong>The successful business operation must fit the needs of the market as it exists today. Many companies start the restructuring with the sales organization to create a closer, more-direct line to the reseller and customer. This approach serves customers by ensuring more direct contact, feedback, and intervention. By listening carefully, understanding what the market needs, and giving value, the company, in return, will receive value.  </p><p>Along with a restructured sales organization, an updated marketing organization can better engage in highly strategic and integrated marketing efforts that are designed to reshape the company's image and drive new business opportunities. Populating the department with internal and external teams of experienced industry professionals who have proficiency in both traditional and digital marketing further helps in achieving company goals. </p><p>Finally, in any technology-based organization, the restructuring of the engineering organization is critical to meet the continual challenge of developing and delivering mainstream solutions with meaningful innovation. Ultimately, it is the close collaboration and alignment of these three primary functions—sales, marketing, and engineering—that will eventually drive the organization towards its new goals.</p><p><strong>5. Firm Financial Foundation<br></strong>Although a company may have been profitable throughout its history, change is costly. Strong financial backing allows an organization to move forward with its redevelopment in a manner that better ensures success. 
As an example, the capability of sustained restructure has been a key component in the success of Pelco's reinvention. </p><p>Even when these five critical elements are implemented, success is still not a sure thing. Economic uncertainty, fast-moving markets, and competition from nontraditional sources can take a toll. Companies with entrenched or outdated business models are particularly susceptible to business failure. As it becomes harder to hit performance targets, virtually all organizations need to consider some type of strategic restructuring if they want to avoid the end-of-life paradigm. </p><p>If this sounds radical, it's likely due to the negative connotations associated with restructuring. For many, restructuring conjures up images of court-supervised negotiations with different classes of creditors trying to reach consensus. But when viewed more broadly, restructuring represents an opportunity for companies to examine their operating models with the ultimate goal of optimizing their business for the long term. Companies that follow this process can remain a dominant force for many years to come.​</p><p><em>Sharad Shekhar is CEO of Pelco by Schneider Electric.</em>​​<br></p>
https://sm.asisonline.org/Pages/Survey-Of-InfoSec-Professionals-Paints-A-Dark-Picture-Of-Cyber-Defenses.aspx
Survey Of InfoSec Professionals Paints A Dark Picture Of Cyber Defenses | Cybersecurity
<p>A majority of information security professionals believe that U.S. critical infrastructure will be breached by a cyberattack sometime in the next two years, according to a new survey by Black Hat. </p><p>“Most also believe that their own enterprises will be breached in the next 12 months,” the survey said. “And most believe that the defenders of those infrastructures are not ready to respond.”<br></p><p>The survey,<em><a href="https://www.blackhat.com/docs/us-17/2017-Black-Hat-Attendee-Survey.pdf"> 2017 Black Hat Attendee Survey,</a></em> polled 580 top-level cybersecurity professionals that have attended the Black Hat USA conference during the last two years. <br></p><p>“The survey results offer a dark picture of tomorrow’s cyber defenses, which are being increasingly tested by sophisticated hacking and social engineering exploits, including ransomware worms such as WannaCry and nation state sponsored hacks such as those emanating from Russia and North Korea,” the survey said. <br></p><p>For instance, while 60 percent of respondents said they believe a successful cyberattack on U.S. critical infrastructure will occur before 2020, just 26 percent of respondents said they are confident the U.S. 
government and defense forces are equipped and trained to respond appropriately.<br></p><p>“In essence, the survey is a warning from the industry’s most experienced and responsible IT security professionals that successful cyberattacks on essential infrastructure and business could be imminent, but defenders do not have the resources and training they need to efficiently respond.”<br></p><p>Respondents also said they believe that state-sponsored hacking, such as from Russia and China, has made U.S. enterprise data less secure. And only 26 percent of survey participants said they thought the Trump administration would have a positive impact on cybersecurity policy, regulation, and law enforcement.<br></p><p>Survey respondents were also not optimistic about the state of corporate cybersecurity with almost two-thirds predicting that their own organizations will have to respond to a major security breach in the next year. <br></p><p>“Sixty-nine percent say they don’t have enough staff to meet the threat; 58 percent believe they don’t have adequate budgets,” according to the survey. <br></p><p>And while ransomware remains a major threat that information security professionals are concerned about, the top worry for most respondents two years from now is Internet of Things (IoT) security.<br></p><p>“Digital attacks on non-computer systems—the Internet of Things—currently ranks 10th among security professionals’ chief worries; but when asked what they believe they will be most concerned about two years from now, IoT security ranks first on the list at 34 percent,” the survey said. “These concerns appear to be well-founded, as security researchers continue to prove vulnerabilities in non-computer systems such as automobiles and medical devices.”<br></p><p><br></p>
https://sm.asisonline.org/Pages/It-Takes-a-Network.aspx
It Takes a Network | Cybersecurity
<p>After more than four years of investigation, a global investigations team of 57 agents commenced an operation to take an international criminal infrastructure platform known as Avalanche offline at the end of November 2016. </p><p>Launched in 2009, the Avalanche network was used to facilitate malware, phishing, and spam activities. Criminals used the network to send more than 1 million emails with damaging attachments or links each week to victims in 189 different countries, according to Europol.</p><p>“The Avalanche network was used as a delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns,” a Europol press release said. “It has caused an estimated €6 million in damages in concentrated cyberattacks on online banking systems in Germany alone.”</p><p>German authorities began investigating the Avalanche network in 2012 after ransomware spread by the network infected several computer systems, and millions of private and business computer systems were injected with malware that allowed criminals using the network to obtain bank and email passwords.</p><p>“With this information, the criminals were able to perform bank transfers from the victims’ accounts,” Europol said. “The proceeds were then redirected to the criminals through a similar double fast flux infrastructure (an evasion technique used by botnets), which was specifically created to secure the proceeds of the criminal activity.”</p><p>German authorities investigating the network found that Avalanche was using as many as 500,000 infected computers worldwide. 
After analyzing 130 terabytes of data, they were able to identify Avalanche’s server structure. Working with the U.S. Attorney’s Office for the Western District of Pennsylvania, the U.S. Department of Justice, the FBI, Europol, and Eurojust, the Verden Public Prosecutor’s Office and the Lüneburg Police arrested five individuals, conducted 37 searches, seized 39 servers, and took 221 additional servers offline via abuse notifications.</p><p>“Avalanche shows that we can only be successful in combating cybercrime when we work closely together, across sectors and across borders,” said Julian King, European Union commissioner for the Security Union, in a statement. “Cybersecurity and law enforcement authorities need to work hand-in-hand with the private sector to tackle continuously evolving criminal methods.”</p><p>International law enforcement cooperation on investigations has always been important, but it has become critical as more crimes are taking place in cyberspace—beyond national borders.</p><p>“Criminals have figured out that borders mean absolutely zero, yet for countries and law enforcement agencies, sovereignty is important—our authorities generally remain within our borders,” says Richard Downing, U.S. Department of Justice (DOJ) Criminal Division acting assistant attorney general.</p><p>And that leads to complications when victims of a crime are in one country, the offender is in another country, and evidence of the crime is in yet another country. </p><p>“Of course, nowadays, it’s more likely to be that you have victims in 20 countries, offenders in 20 countries, and the evidence in 20 other countries,” Downing adds. “Criminals understand this problem for us, and they exploit it.”</p><p>To find out how law enforcement is addressing this problem, Downing led a panel discussion with law enforcement officials at the 2017 RSA Conference in San Francisco to share how agencies are working together to combat cybercrime. 
</p><h4>Information Sharing</h4><p>Law enforcement agencies use various avenues to legally share information with other nations, including treaties, conventions, and investigative teams.</p><p>One type of agreement is called a Mutual Legal Assistance Treaty (MLAT), which allows law enforcement to exchange evidence and information in criminal cases and related matters. In the United States, MLATs are negotiated by the U.S. Department of State in cooperation with the DOJ to help facilitate cooperation during investigations. The United States has MLATs with the European Union, as well as with numerous other nations around the world.</p><p>These treaties are often referred to as an “18th century tool for a 21st century law enforcement,” says John Lynch, DOJ Criminal Division Computer Crime and Intellectual Property section chief. “But over the last 30 years, we’ve innovated in the sense that we’ve gone from this very slow court process to mutual legal assistance treaties.”</p><p>And building off those MLATs is the Convention on Cybercrime, which was completed in 2001 and went into effect in 2004. Sometimes referred to as the Budapest Convention on Cybercrime, it was the first international treaty that sought to address Internet and computer crime by harmonizing national laws, enhancing investigative techniques, and increasing international cooperation.</p><p>The Council of Europe drafted the original convention, but Canada, Japan, South Africa, and the United States also played a role in its creation. Since going into effect in 2004, 52 nations have ratified the convention. Russia, Brazil, and India are among the nations that have not joined.</p><p>The convention “provided innovation in that it recognized that cooperation had to occur quickly, and so it recognized an [evidence] preservation scheme,” Lynch adds. 
</p><p>This preservation scheme was implemented via the Group of Eight (G8)—France, Germany, Italy, the United Kingdom, Japan, the United States, Canada, and Russia—through the 24/7 Network made up of prosecutors and police officers who work to quickly preserve evidence for cybercrime investigations. </p><p>For instance, they often make requests to Internet service providers to freeze data so it can be obtained for an investigation. The government authorities then use existing MLATs to obtain the data and begin their investigation.</p><p>And as cybercrime has evolved and increased during the past decade, countries have started using joint investigative teams—what Lynch calls a hybrid of MLATs and police-to-police cooperation. </p><p>These teams “usually consist of some sort of agreement to essentially conduct an investigation together, and then establish rules of the road for how information is going to be exchanged and how it’s going to be treated by each of the departments,” he says. “Europe, in particular, has taken the lead because of the need for close cooperation among those countries.”</p><p>This type of process is key for cybercrime investigations, Lynch says, because the most efficient way to tackle the threat is by running a joint investigation where police-to-police cooperation, real-time sharing, and MLATs combine to authenticate evidence as it’s recovered.</p><p>An example of this is the takedown of the Avalanche network. Steve Wilson, head of business for the European Cybercrime Centre (EC3), was involved in the investigation into Avalanche and said it worked because it used the joint investigative team method.</p><p>“We brought together large groups of investigative officers from across the world, all under one roof so they could share evidence and problems, and get things done together,” Wilson says. 
The EC3 brought together 57 officers—40 on day shift and 17 on night shift—as well as industry partners to help locate Avalanche’s server structure and identify those involved. </p><p>“We were dealing with probably one of the most complex cybercrime gangs we had ever seen,” Wilson says, adding that Avalanche had infiltrated 880,000 devices and 200 servers around the globe—37 of which were eventually seized by law enforcement.</p><p>Coordinating the investigation into Avalanche was a “huge challenge for us,” Wilson says, and it required using the MLATs Europe had with the DOJ and other nations to conduct the investigation, share information, and ultimately decide on how to prosecute the individuals involved.</p><p>“We arrested five key individuals who were running this network; and if any of you have an idea that cybercrime is committed by…teenagers behind computers, when we searched the house of one of the main individuals involved in this, he began shooting at the police with an AK-47,” Wilson says. “Cybercrime is now every bit as bad as serious organized crime. 
And investigating these international networks actually takes a network, so that’s how we’re starting to tackle this.”​</p><h4>Prioritizing Cases</h4><p>Another issue facing law enforcement investigating cybercrime is coordination among different agencies on what crimes are being investigated—so agencies aren’t stepping on each other’s toes or potentially tipping criminals off.</p><p>One way the FBI is staying abreast and informed about other investigations is by communicating regularly with Europol, and within the Bureau itself, about what cases are being worked on, says Steven Kelly, FBI International Cyber Crime Coordination Cell (IC4) unit chief.</p><p>“The best way we can help is when we’re getting investigators together, we’re getting requests for information from them, and then we’re seeing what it is that folks are asking about, we’re reporting on that, and helping enrich that feedback,” he explains. “That helps us to know what people are working on and interested in.”</p><p>The IC4 has also tried to prioritize cases to ensure that it’s focusing on the top-level schemes and actors. “Because there’s so much crime, if we take an uncoordinated approach—a country and agency are working on this, and we’re working on that—and all these investigations are taking two, three, four, or five years, we’re never going to have an impact on the crime problem,” Kelly says. </p><p>To prioritize cases, IC4 works with Europol and Interpol to develop a project plan for cases and initiatives it wants to prioritize for the next year. It then reviews and refreshes that plan every six months, most recently in April 2017.</p><p>“That’s a very useful process for getting on the same page and deciding what’s the important thing you want to focus on so we can actually focus on it and drive progress,” Kelly adds. </p><p>The FBI also depends heavily on the private sector to help inform the Bureau about what it should be investigating. 
</p><p>One initiative that keeps this dialogue open is the National Cyber-Forensics and Training Alliance (NCFTA) in Pittsburgh, Pennsylvania. The NCFTA is a nonprofit founded in 2002 that focuses on identifying, mitigating, and neutralizing cybercrime threats around the globe. </p><p>“The NCFTA operates by conducting real time information sharing and analysis with subject matter experts in the public, private, and academic sectors,” according to its website. “Through these partnerships, the NCFTA proactively identifies cyber threats in order to help partners take preventative measures to mitigate those threats.”</p><p>To do this, the NCFTA provides forums for partners, staff who specialize in their respective initiatives, meetings and events for targeted cyber initiatives, intelligence feeds, monthly initiative calls on trends, and assessments and reports based on NCFTA intelligence.</p><p>The NCFTA is a “great platform for banks and tech firms to come together and share information, and help tip law enforcement off as to what’s important,” Kelly adds. “And if we have questions on our investigation, we can ask them.”</p><p>This model has been so effective, Kelly says, that the NCFTA is expanding its offices into two new locations: one in Newark, New Jersey, to focus on the financial sector; and one in Los Angeles, California, to focus on the technology and entertainment industries.</p><p>EC3 is also getting involved in the NCFTA after Wilson signed a memorandum of understanding with the center while at the RSA Conference in February. EC3 is making this move, Wilson says, because it mirrors similar efforts to partner with the private sector in Europe.</p><p>“We’ve got advisory groups from industry, Internet service providers, and the security industry and financial services,” he says. 
“We meet three times a year in relation to the problems they see…and very much in the last year we’ve recognized that law enforcement has been guilty of telling industry what they should be reporting and what they should do.”</p><p>In an effort to change that, EC3 has tried to be more open and encourage industry to bring its top two or three main problems to see how they overlap with law enforcement. “It’s really surprising how many common problems we have,” Wilson says.</p><p>Since adopting this approach, EC3 has introduced a European threat assessment that allows law enforcement to focus on the key priorities for the industry in each European country. It’s also helped foster better relationships with the private sector, which Wilson says Europol depends on for the assistance.</p><p>“We will never have staff at the top level that industry has,” Wilson explains. “We depend on that assistance, and what I’m seeing increasingly is the willingness of industry to work with us pro bono to do something—to put something good back into it.”</p><p>This dynamic is similar in the United States, according to Lynch, who says that the DOJ has found it can cooperate with the private sector to accomplish things neither law enforcement nor industry could do on its own, either due to lack of authority or expertise in an area of cyber.</p><p>“We have figured out ways so that we’re sitting together, we’re sharing information using established protocols, and can effectively take down a botnet or a criminal organization while respecting privacy and adhering to the national laws and the constitution of the United States,” Lynch says.​</p><h4>New Challenges</h4><p>While law enforcement and industry have been cooperating in some areas, a new challenge stemming from a court case involving Microsoft might prohibit future collaboration.</p><p>The case (Microsoft v. United States, U.S. Court of Appeals for the Second Circuit, No. 
14-2985, 2017) was brought when Microsoft challenged a search warrant issued by a court in New York City for information that was in Microsoft’s possession but stored in a data center in Ireland.</p><p>Microsoft acknowledged that it could access the information from inside the United States, but said that because the information was stored outside of the country, the U.S. Electronic Communications Privacy Act and the U.S. Stored Communications Act did not require it to provide the information to law enforcement.</p><p>Instead, Microsoft argued, the U.S. government should use its MLAT with the Irish government to request the information.</p><p>The DOJ sued Microsoft, and a U.S. district court sided with the government. Microsoft appealed the decision, however, and the U.S. appeals court agreed with Microsoft in a ruling issued in July 2016. </p><p>The U.S. Second Circuit Court of Appeals explained that the Stored Communications Act “does not authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer email content that is stored exclusively on foreign servers.”</p><p>Lynch says that the DOJ is still weighing its options about whether to appeal the Second Circuit’s ruling, but in the meantime the decision will have some effect on the U.S. government’s ability to get access to information for investigations.</p><p>“On the one hand, not everyone stores their data the same way Microsoft does,” Lynch explains. “For example, Google stores its information all over the world—it sometimes splits it up and puts it into databases so it doesn’t even assemble the data until there’s a request. And in those cases, Google has made the choice that the information is only available in the United States.”</p><p>Google’s approach has also caused problems for international law enforcement wanting access to information the company has in its servers. 
</p><p>“Because for information located outside the United States, there’s essentially no law that can reach the data—the United States can’t reach it because of the Microsoft decision,” Lynch adds. “Foreign law enforcement can’t reach it because there’s no one in that country who has authority to access the data.”</p><p>The DOJ has also challenged Google’s position, and a district court in Philadelphia sided with the government, requiring Google to turn over data to law enforcement, but the matter is far from settled.</p><p>“There’s going to be ongoing litigation in this area, and it continues to be a very difficult issue for law enforcement,” according to Lynch. “We’re trying to grapple with it, because it is a problem when we can’t get the data under any regime. It can stymie an investigation altogether.”</p><p>Another major challenge for law enforcement is the perception that there are no consequences to committing cybercrime—few people appear to be charged, arrested, and then convicted of cybercrimes. This is a problem because “we’re not going to develop and build a deterrence model for cybercrime if we can’t get our hands on these people,” Kelly says. </p><p>As of February 2017, there were 123 individuals who had been charged with U.S. cybercrimes but have not been arrested, Kelly says. </p><p>“It’s a lot of people who have not been brought to justice because they are all over the world,” he explains. “They are in places we can’t get them—maybe there’s not an extradition treaty, and that’s a problem. If we’re spending a couple of years to make a case, bring it to a grand jury, get it charged, and then we can’t get the guy or gal, then that’s a problem. We’re not going to deter cybercrime if people continue to act with impunity and in safe havens.”</p><p>A recent example of this was the DOJ’s charges against two Russian spies and two criminal hackers in connection with the 2014 Yahoo data breach. 
One of the hackers, Karim Akehmet Tokbergenov, 22, was a Canadian national and was arrested. The other three individuals—Dmitry Aleksandrovich Dokuchaev, Igor Anatolyevich Sushchin, and Alexsey Alexseyevich Belan—remain at large because Russia does not have an extradition agreement with the United States.</p><p>To address this problem, the FBI is looking at how it keeps track of cases where an individual has been charged with a cybercrime but has not been arrested. If it’s a priority apprehension, such as for a major crime, then the FBI will look at its options to possibly arrest the individuals while they are on vacation or traveling to a country that does have an extradition treaty with the United States.</p><p>And while Russia doesn’t have an extradition treaty with the United States and often refuses to extradite its own nationals, it has been known to cooperate with law enforcement for certain types of crimes, such as child exploitation charges.</p><p>“This is the one area where countries drop their individual stances,” Wilson says. “Police forces drop their egos and agree that the only thing to do is work together. I’ve seen some countries we’ve spoken about here who will not cooperate on extradition, but they will take immediate action against people who are passing out child pornography.”</p><p>Wilson says that law enforcement should use cases and moments of collaboration like this to open a dialogue about how they can work together to extradite individuals facing cybercrime charges.</p><p>“We need to keep these channels open to see if these countries will take on some of these investigations, because if we can’t have these people—if there’s no consequence to commit cybercrime—they’ll just continue to commit time and time again,” Wilson adds.</p><p>And for cases where dialogue isn’t effective, Wilson says that the European Union is looking at the possibility of using diplomatic responses and sanctions to pressure nations into cooperating. 
</p><p>The EU already has an agreement that if there is a terrorist attack on a member state, all of the members will stand together in response—whether it’s issuing a statement of condemnation or taking military action.</p><p>“There’s a process coming underway right now in the EU to look at the practicalities of this in relation to cyber—to actually put a consequence back to a country that either condones or actively decides to push people to commit this type of crime,” Wilson says. </p><p>The United States has taken a similar approach. Former President Barack Obama issued an executive order that allows the president to place sanctions on a nation and other actors in response to cyberattacks. </p><p>“At the end of last year, we actually implemented [the order] against a couple of actors who had been charged in the United States with ransomware schemes, botnets, and involvement in some major data breaches,” Lynch says. </p>
https://sm.asisonline.org/Pages/Surveillance-on-the-Fly.aspx | Surveillance on the Fly | Physical Security
<p>Long before Jack Hanagriff was tasked with creating a temporary camera deployment for Super Bowl LIVE, he called on Keith Drummond, senior director of sales for IDIS America, for help supplementing the city’s camera infrastructure. Drummond traveled to Houston for the NCAA Men’s Final Four tournament in April 2016 to better understand the city’s needs, and found that Houston was dealing with a common problem: it needed temporary coverage of the event area but didn’t have time to deploy a whole surveillance system.</p><p>“They have an existing video surveillance system with hundreds of cameras, but when they have these special events they don’t always have cameras where they need them,” Drummond explains. “And IP-based video surveillance is just inherently very difficult to employ and very time consuming.”</p><p>Although the Final Four was at a known location, Drummond said last-minute changes could leave officers scrambling: bad weather could force an outdoor event to relocate, or companies or celebrities might decide to throw their own side events at the last minute. “These celebrities will decide they want 10,000 people in an outdoor gathering for their party, and the city finds out last minute and now needs cameras where they don’t have them,” Drummond explains. </p><p>After visiting Houston and talking with Hanagriff about the city’s needs, IDIS and integrator Edge360 created a rapidly redeployable solution to be used during Houston’s 2016 Freedom Over Texas Fourth of July event. The solution they created could be deployed in under four hours by untrained personnel—setup only requires a place to hang the camera and a power source, Drummond notes. 
</p><p>John Rezzonico, CEO of Edge360, says that his military background taught him the importance of being able to adapt in the field, and he applied that logic to surveillance systems. “We came up with a solution that allows police officers to deploy cameras wherever they want, and if something changes they can quickly grab them, power them down, move them, stand them back up, and they come back up online,” Rezzonico explains. “The goal of the project is freedom of movement of the camera sensors, so that way they augment and support existing infrastructure of security that’s already in place.”</p><p>Rezzonico noted that the biggest challenge was overcoming bandwidth saturation to send the video feeds to command centers or mobile devices. “If everyone is using their cell phones at the same time, bandwidth goes away and everyone relying on it for public safety loses the video feed,” he explains. “Houston wanted a wireless solution that could augment their fixed security that was mobile and easy to deploy but could also utilize whatever bandwidth was available. Our solution didn’t just include cellular, it included WiFi and point-to-point transmission. It was all built in.”</p><p>The Freedom Over Texas event took place at Discovery Green, a 12-acre park, and 50,000 people were expected to attend. The park already had some broad camera coverage, but Drummond explains that there were a few areas where more specific views were needed. Four pan-tilt-zoom cameras were installed to focus on high-volume areas such as the stage. IDIS had to address the unique environment, taking the event itself into account. Because the fireworks show was going to be the centerpiece of the event—making the camera image go from nighttime to broad daylight with each explosion—cameras that could handle the fluctuation were required. 
</p><p>Video feeds were sent to the city’s main command center where they could be viewed side-by-side with the city’s existing camera feeds, but unlike the existing cameras the redeployable cameras could be viewed on mobile devices at satellite command centers and in the field. Since the main goal of the solution was to create a rapidly redeployable surveillance system, Drummond says IDIS and Edge360 tried to be as hands-off as possible during the deployment.</p><p>“We set ourselves up for failure—the concept is that they need to be deployed quickly by untrained personnel, in some cases the utility guy who had never seen them,” Drummond says. “We were obviously available if needed, but we didn’t give them any training and let them do things how they wanted.” The deployment went as expected, and there was no connectivity trouble.</p><p>During the Freedom Over Texas event, the cameras were able to use the cell network almost exclusively, but experienced occasional blips in the service. During those moments, video continued to be recorded on the camera’s SIM card, and that footage was transmitted back to the control center once the live feed was active again. </p><p>“Frankly, most of the time it’s the recorded video that’s most important, not the live video,” Drummond explains. “They are watching those cameras in real time, but most of the time there’s no action to be taken. But if an event does take place during an outage, you didn’t record it for evidence purposes. The smart failover technology changes that.”</p><p>“It’s key for cities to be able to share this system,” Rezzonico notes. “If a municipality buys it, they can send it to another one that needs it for easy deployment.” ​</p>
https://sm.asisonline.org/Pages/Houston’s-Game-Day-Solutions.aspx | Houston’s Game Day Solutions | Physical Security
<p>The city of Houston, Texas, was in a football frenzy during the days leading up to the 2017 Super Bowl showdown between the New England Patriots and Atlanta Falcons at Houston’s NRG Stadium. A nine-day fan festival, pop-up clubs hosting acts such as Bruno Mars and Taylor Swift, National Football League (NFL) and ESPN activities, and other events were scattered throughout the sprawling metropolis, home to 2.2 million people. </p><p>Just four months before a million visitors converged on Houston for the festivities, Jack Hanagriff, the infrastructure protection coordinator for Houston’s Office of Public Safety and Homeland Security, was tasked with expanding the city’s surveillance program and implementing a solution that would support emergency communications while overcoming the expected strain on the mobile network. </p><p>“Although our system is robust and can handle things normally, when you get a national event coming in, our cell service gets interfered with and then our cameras get hindered by blockages,” Hanagriff explains. Especially tricky was Super Bowl LIVE, the nine-day fan festival held in Discovery Green, a 12-acre urban park, and in five surrounding parking lots. The area is also home to the George R. Brown Convention Center and several hotels, high-rise condominiums, and businesses—all of which contribute to high usage of wireless and mobile networks, even when no events are taking place. </p><p>Hanagriff had to figure out how to deploy additional cameras to Discovery Green and other high-traffic areas such as team hotels, pop-up clubs, and the Galleria shopping center, while addressing the network strain that was sure to hinder communication and video feeds during the events. 
</p><p>“In public safety, we’re using other sources of technology beyond the actual emergency radio communications—such as cell phones and field reporting devices and cameras—and it works fine,” Hanagriff explains. “But when you start coming in with a mass of people and commercial carriers putting in their infrastructure and tents, the ecosystem of the venue changes so that our existing permanent solution is not adequate because it may get blocked.”</p><p>Hanagriff pulled together a robust team for the task, including vendors, wireless providers, and federal, state, and local players. Axis Communications donated 40 cameras to the cause, Vidsys provided information management middleware, and Siklu’s radios were used to transmit some of the video surveillance. Wireless carrier Verizon had already been working for months to beef up its network capacity in the city, and Hanagriff said it agreed to allow the city to connect its cameras to the fiber network it was laying.​</p><h4>The Buildout</h4><p>While NRG Stadium and the Galleria already had robust camera networks established, the city had to prepare Discovery Green and its surrounding parking lots for Super Bowl LIVE, where more than 150,000 people were expected to attend each day.</p><p>“We were confident we would get some coverage, but when I saw the footprint of the event…Discovery Green is one thing, but those five additional parking lots? That’s a lot of coverage,” Hanagriff says. “We knew we needed some really big players.”</p><p>In the weeks leading up to the kickoff of Super Bowl LIVE, workers spent 480 hours deploying the solution. Several cameras were installed on permanent structures surrounding Discovery Green, but most of the installation occurred in sync with the construction of the Super Bowl LIVE infrastructure. </p><p>“As they built the gates and kiosks and stages, we attached the cameras to those structures,” Hanagriff explains. 
“But even while they were building, they kept moving things, so we kept having to move the cameras. We had to put flyover cables where they didn’t exist—we were literally dropping 3,000-pound flagpoles to attach cables to and run them across the street.”</p><p>Fixed cameras were installed at all entry and exit areas, and pan-tilt-zoom cameras were used at every gate to observe the outer perimeter of the festival’s footprint. VIP and high-density areas were also a high priority—Discovery Green’s main stage was expected to draw at least 20,000 people for its major events, such as nightly light shows and a concert by Solange Knowles. Hanagriff said the city worked with intelligence officials to set up cameras in areas where potential threats could be carried out. Cameras were also outfitted with audio sensors that could detect and triangulate gunshots, as well as a sensor that detects an elevated anger response in human speech that often occurs before an argument.</p><p>The 40 Axis cameras, as well as 26 of the city’s existing cameras, were brought together under one dashboard through Vidsys middleware and were connected with fiber because of Verizon’s infrastructure buildout. Additionally, the 40 new cameras streamed to the Verizon cloud, allowing for mobile access and redundancy. “If we lost our main system, we could still run the temporary system off the cloud,” Hanagriff explains. “The cloud gave us versatility to bring in mobile applications and partners that did not have access to our existing system.”</p><p>Hanagriff wanted to deploy a camera on top of a hotel a block from the Super Bowl LIVE footprint for an all-encompassing view of the festival, but ran into connectivity problems. The fiber did not extend to the hotel, and radio frequencies completely saturated the area, making a wireless network solution impossible. 
The city ended up working with Siklu to install a millimeter wave radio that used narrow beam technology to transmit the video feed on an unoccupied spectrum. </p><p>“There was so much radio frequency you could walk on air,” Hanagriff says. “The Siklu radio beamed right through all of it.” </p><p>Security officials set up an emergency operations center in the convention center next to Discovery Green, where the camera feeds—including setups at NRG Stadium and the Galleria—were consolidated. Although many of the existing cameras were part of a closed network, the temporary cameras could be accessed via mobile devices from the cloud, which was crucial in integrating new partners into security operations. Hanagriff described the operations center as a huge room with dozens of partners: event coordinators, Houston officials and first responders, the Harris County Sheriff’s Department, the Texas Public Safety and Transportation Departments, the FBI, and other federal agency representatives. </p><p>Whether they were at the center itself or out in the city, officials could access the camera feeds via mobile devices. The Harris County Sheriff’s Department set up a mobile command post at the Galleria, where more activities and protests were taking place. It was able to use the mobile application to review the Galleria’s camera feeds and correspond with the main command post, Hanagriff says. And during the Super Bowl game itself, several groups were able to access the city’s cameras at NRG Stadium, including NFL security directors and another mobile command post closer to the event.  
​</p><h4>Emergency Operations</h4><p>While Hanagriff’s role was coordinating the technology infrastructure ahead of the festivities, Patrick Hagan, technical specialist and engineer operator for the Houston Fire Department, saw firsthand how the camera setup helped emergency operations in such an unpredictable environment.</p><p>During Super Bowl LIVE, members of Houston’s police and fire departments were dispatched via portable devices that operate on Band 14, a broadband spectrum reserved for first responders. The devices can run active GPS for an entire 16-hour shift, serve as trackers for the officers, and share information, location, and images from the field to command center or vice versa. </p><p>“Because of the nature of the footprint, Super Bowl LIVE was closed off with a hard barrier, so we had to have teams inside that didn’t have vehicle apparatus,” Hagan explains. “Because of that they were on foot or on bike, so we dispatched them via GPS, which was new to us.” </p><p>A few weeks before the Super Bowl events, first responders tested out the devices to communicate via Band 14 during the Houston Marathon. “We gave the GPS a run for its money—we tried to max out the system, wanted to see what it would do under a lot of traffic, and never got any failure points,” Hagan says. But that wasn’t the case for Super Bowl LIVE.</p><p>Due to the massive amount of radio frequency traffic in Discovery Green, which Hagan agreed was the most he had ever experienced, the officers’ GPS signals experienced reflectivity and weren’t totally precise.</p><p>“Our GPS wasn’t quite true,” Hagan says. “It was off in some cases by 150 yards, which when you’re in a sea of people, is a few thousand people. 
We had to work around that.”</p><p>Hagan and others in the emergency operations center were able to coordinate with officers in the field by using the video feeds and verbal commands to guide them to called-in emergencies.</p><p>“We’d leverage those video systems to give our bike teams a better location,” Hagan explains. “We could see the officer’s blue dot with the tracking system and I’d compare it to the map of where I knew the patient was by looking at a video feed. Then I could verbally walk them there via radio and cellular communication. I can’t just say that the patient is over by the food truck when there are 80 food trucks.”</p><p>Using GPS and video feeds for dispatching was a first for the Houston Fire Department. “We don’t show up when things work. We show up when things break,” Hagan notes. “It’s a very fine line that we walk between using cutting-edge technology versus tried and true methods that are much lower tech. We have to utilize the technology to our advantage when we can, but when it fails we need to have contingency for that, and still be practiced in that contingency.”</p><p>Hagan made sure that contingency plans were in place during the Super Bowl, explaining that officials were prepared to resort to voice and radio dispatching if the GPS or video feeds failed. The dual capability of the video feeds allowed even the giant command post to be completely mobile, he notes. </p><p>“Everything in the command post was done on a laptop and broadcast on these giant screens, so at a moment’s notice we could drop and run and take all that with us and still have all our capabilities,” Hagan says. “We could still share data…still communicate—that’s the point of the redundancy. 
We had the hard connection but we wanted to be able to see all of our video streams and everything on mobile if we had to.”​</p><h4>Technology Forward</h4><p>After nine days of fans, football, and a Patriots win in overtime, Hanagriff and Hagan agree that the technology-forward security approach was a success. And while the pop-up clubs have been deconstructed and Discovery Green has reverted back to an urban oasis, the technology used remains in the city. Verizon’s citywide enhancements will continue to benefit Houstonians, city businesses and public officials will continue to strengthen their partnerships, and ​the 40 cameras Axis provided will be part of what Hanagriff calls a technology playground.</p><p>The cameras will be redeployed in high-traffic areas such as Discovery Green and the Galleria, and businesses, first responders, and industry partners will test ways to further integrate security technology into Houston. Hanagriff plans on forming a partnership with everyone invested in the project to determine the direction and scope of the testing.</p><p>“We all get exposure to all these different technologies, and there are benefits for everybody, and it’s all done by in-kind services,” Hanagriff says. “Everybody gets a big bang with no buck.” </p><p>Public safety officials will be able to learn more about video analytics and other cutting-edge technology without disrupting their current camera system, industry partners who provide the equipment and software will be able to conduct research and development and receive direct feedback from subject matter experts, and private businesses that allow the city to put equipment on their buildings will have access to systems that are normally out of reach. </p><p>“Most business partners are usually on the inside looking out, and this system gives them the ability to be on the outside looking in on their property,” Hanagriff notes. 
</p><p>Hagan says that in the past the fire department has only had access to the city’s camera feeds and has been unable to manipulate them. Being able to take full advantage of the cameras’ capabilities during the Super Bowl events showed how helpful they could be during dispatch, and he hopes the fire department can continue to access the city’s camera infrastructure more fully. </p><p>“We have a lot of the same goals and a lot of people doing the same exact job,” Hagan notes. “If we as a city can get three or four people who can perform that function and share that information with each department in real time, that would make sense. If someone calls into this joint operation and says, ‘I need eyes here, do you see anything?’ those people can give immediate feedback to any department. That’s the plan.”   ​</p>
https://sm.asisonline.org/Pages/Flawed-Forensics.aspx | Flawed Forensics | Strategic Security
<p>Scientifically sound forensic evidence is one of the cornerstones of the U.S. legal system. But recent research by a presidential advisory committee has questioned the soundness of some evidential techniques. This is only the latest critique of the practices of forensic science, which has faced a call for reform from some quarters. </p><p>The most recent research has its roots in another report, which was issued in 2009 by the National Research Council on the state of the forensic sciences. That report, conducted at the behest of the U.S. Congress, was highly critical; among many other things, it found that strong protocols and standards for reporting on and analyzing evidence were lacking. </p><p>In response, various initiatives were undertaken by different U.S. government agencies, and the National Commission on Forensic Science, aimed at raising forensic standards, was formed. Additionally, in 2015, the Obama administration asked the President’s Council of Advisors on Science and Technology (PCAST) to investigate additional scientific steps that could help ensure the validity of forensic evidence used for legal matters. PCAST is a presidentially appointed advisory group of scientists and engineers.</p><p>As requested, PCAST produced a report, Forensic Science in Criminal Courts: Ensuring Scientific Validity of Feature-Comparison Methods, issued several months ago. </p><p>The report found two existing knowledge gaps. The first gap was the need for more clarity regarding the scientific standards upholding valid forensic methods. 
The second gap was the need for specific forensic methods to be evaluated, to better prove their validity.</p><p>To help close these gaps, the report examined seven forensic “feature-comparison” methods, which are used to determine whether an evidence sample is associated with a potential source sample, such as from a suspect. </p><p>The seven methods evaluated were for DNA analysis of single-source and simple-mixture samples, DNA analysis of complex-mixture samples, bite marks, latent fingerprints, firearms identifications, footwear analysis, and hair analysis. </p><p>Based on their analysis, PCAST recommended that judges should not admit into evidence four of the methods: bite marks, firearms identifications, footwear analysis, and hair analysis. </p><p>PCAST also suggested that judges be cautious when admitting DNA from complex-mixture samples, and it recommended that juries be advised that fingerprint examinations have a high error rate.</p><p>Several months after the release of the PCAST report, another significant development occurred: the U.S. Department of Justice announced that it was disbanding the National Commission on Forensic Science. Some experts now say that the absence of research and guidance from the commission could make the future task of challenging questionable scientific evidence in court even harder.</p><p>“Even if defense attorneys jump up and down and complain about [questionable evidence], they won’t have the power of a national commission to back them up,” Erin Murphy, a professor at New York University School of Law, told the Associated Press in April. “The status quo right now is to admit it all. The status quo is where things are likely to stay.”  ​ ​</p>
https://sm.asisonline.org/Pages/July-2017-Industry-News.aspx | July 2017 Industry News | Security by Industry
<h4>Video Update for the Council</h4><p>The Council of Europe is an international organization that was created to promote democracy and protect human rights and the rule of law in Europe. Located in Strasbourg, France, the organization focuses on issues such as child protection, online hate speech, minority rights, corruption, and judicial reform.</p><p>The headquarters campus has five distinctive buildings, including the Agora (pictured here). The video surveillance systems throughout the campus needed updating, and security managers called on Securitas and ENGIE Ineo to design and implement a new system. ENGIE Ineo partnered with Milestone Systems for video management software and Axis for network cameras. The team replaced the analog system with a full network video surveillance solution that delivers better performance, ease of access to video assets, and flexibility in tailoring how different locations are secured. The work was done with a minimum of disruption and completed early in 2017.</p><h4>PARTNERSHIPS AND DEALS</h4><p>Hyatt Guns of Charlotte, North Carolina, deployed 3xLOGIC thermal cameras to increase security for the store. Sonitrol Carolinas installed the cameras and now oversees the video monitoring.</p><p>AMAG Technology and CodeLynx integrated AMAG’s Symmetry Access Control software and CodeLynx’s ARIES Mixed Reality platform.</p><p>Amika Mobile announced that the Amika Mobility Server platform for critical communications is now integrated with the Guardian Indoor Active Shooter Detection System from Shooter Detection Systems.</p><p>Point Blank Enterprises will distribute ARMORVENT systems to the U.S. 
commercial and law enforcement markets.</p><p>ASSA ABLOY announced the integration of its Aperio wireless lock technology with ProdataKey’s pdk io cloud managed access control solution. </p><p>V5 Systems is partnering with Axis Communications to create a self-powered solution to protect people outdoors.</p><p>Bosch Security Systems and Sony Corporation are partnering in sales, marketing, and technical collaboration for video security solutions.</p><p>Brivo and Mercury Security integrated the Authentic Mercury open platform into Brivo’s flagship OnAir access control system.</p><p>CBC AMERICAS Corp. announced a strategic business alliance with CrucialTrak to introduce CrucialTrak’s range of products to Japan, Australia, North America, and Latin America.</p><p>Centerra Group, LLC, was selected as the protective services contractor at URENCO USA’s site in New Mexico. </p><p>Checkpoint Systems is implementing electronic article surveillance systems at approximately 2,800 Dollar General retail locations. 
</p><p>Delta Scientific provided temporary vehicle barriers to restrict vehicle access to Bourbon Street in New Orleans during Mardi Gras.</p><p>Flexera Software is working with the Financial Services Information Sharing and Analysis Center to offer verified software vulnerability intelligence alerts to critical sector entities worldwide.</p><p>Genetec integrated gunshot detection technology from ShotSpotter in its Security Center.</p><p>Huawei is collaborating with Honeywell to create smart building offerings and make them sustainable, secure, and energy efficient.</p><p>HySecurity commercial, industrial, and antiterrorist automated gate systems are now available to PSA Security Network integrators.</p><p>Ergos Group and IndigoVision worked together to improve surveillance at the stadium of the Santos Futebol Clube in Santos, Brazil.</p><p>Netsurion was named a Fortinet MSSP Platinum Partner.</p><p>Free2Move, a mobility app for car-sharing providers, including companies such as Car2Go, Flinkster, Multicity, Zipcar, and DriveNow, selected Jumio Netverify Trusted Identity as a service to verify customers’ driver’s licenses.</p><p>Kentec gas extinguishing fire safety panels are helping protect Specsavers’ new West Midland manufacturing and distribution center. The new fire safety system was designed and installed by Leader Systems LLP. 
</p><p>Lenel and Everbridge, Inc., announced an alliance to interface their leading solutions for comprehensive security management and critical communications.</p><p>March Networks announced a strategic partnership with Oncam for its banking, retail, and transportation solutions.</p><p>Mount Airey Group, Inc., is partnering with Acuant to launch a comprehensive authentication solution for border control and to minimize the acceptance of fraudulent passports.</p><p>Henry County Hospital in Ohio is using the Netwrix Auditor from Netwrix Corporation.</p><p>A collaboration between nuPSYS and Bosch Video Management System integrates the nuPSYS 3D-mapping solution to allow assets, sensors, alarms, and critical points to be plotted onto a 3D mapping surface.</p><p>Park Assist was awarded the Parking Guidance System contract for the University of Texas at Dallas in its new garage.</p><p>Deutsche Telekom entered a strategic partnership with Radiflow to collaborate in securing industrial networks. </p><p>Raytec LED lighting improved security at a multisite installation for the National Bank of Romania. </p><p>SALTO Systems hired Warren Associates to sell SALTO’s security products in northern California, northern Nevada, Utah, Colorado, Montana, New Mexico, Wyoming, and Idaho. Bassett Sales Corporation will represent SALTO in the Southwest United States and Hawaii.</p><p>Semafone is partnering with Australian compliance specialist SecureCo to protect customer payment data.</p><p>Sharp Robotics Business Development appointed U.S. 
Security Associates as an authorized guard services reseller of the Sharp INTELLOS Automated Unmanned Ground Vehicle.</p><p>Suprema announced that its SFU-S20 fingerprint modules are integrated in BioWolf LE rugged tablet PCs from BioRugged.</p><p>London development New Ludgate chose Tyco Security Products C·CURE 9000 Security and Event Management system to unite building management, access control, and video surveillance systems.</p><p>Vanderbilt integrated its award-winning Lite Blue and Bright Blue access control solutions with Allegion’s Schlage NDE series wireless locks with Engage technology.</p><p>An official partnership agreement was signed by SMR Links Consultants and VSTEP, making SMR Links the exclusive partner of the NAUTIS maritime simulators and RescueSim Incident Command Simulator in the United Arab Emirates region.​</p><h4>GOVERNMENT CONTRACTS</h4><p>American Public University was selected by the U.S. Transportation Security Administration Institute of Higher Education to provide academic programs to up to 20,000 TSA employees at 147 airports nationwide.</p><p>Fredericton Police Force in Canada is testing Axon body cameras.</p><p>The U.S. Department of Commerce and First Responder Network Authority selected AT&T to build the first nationwide wireless broadband network dedicated to America’s first responders. </p><p>BioTrackTHC partnered with the Hawaii Department of Health to deploy a live seed-to-sale cannabis traceability system in a FedRAMP authorized environment. 
</p><p>Bittium received a purchase order from the Finnish Defence Forces for Bittium Tactical Wireless IP Network system products.</p><p>Edesix is the body-worn camera provider of choice for Her Majesty’s Prison Service throughout the United Kingdom.</p><p>Central Lake Armor Express, Inc., was awarded a new contract with the San Francisco Police Department and San Francisco Sheriff’s Department to provide its Vortex ballistic vest.</p><p>Police in the Canton of Graubünden, Switzerland, where the World Economic Forum was held, employed a drone defense system from Dedrone to monitor critical airspace above the area.</p><p>Boise Airport updated its security infrastructure with Genetec Security Center to manage cameras, access control points, and video analytics software.</p><p>The City of Daegu, South Korea, is using Hikvision cameras in an integrated atmospheric information system.</p><p>J & S Franklin Ltd. delivered DefenCell MAC geotextile lined metal gabions to the Tunisian authorities for deployment on the Tunisian-Libyan border.</p><p>Milestone Systems open platform IP video management software was installed at JFK International Airport. </p><p>Mutualink and Rave Mobile Safety announced a technology deployment in Warwick, Rhode Island, public schools as an effort to help save lives through enhanced collaboration with the local police, fire departments, and hospitals. </p><p>Colquitt County Jail in Georgia worked with local systems integrator Ace Technologies to deploy a new video system from Pelco by Schneider Electric. </p><p>Safran Identity and Security supplied a facial recognition solution to the National Police of The Netherlands.</p><p>SRC was awarded a U.S. Army contract to deliver, integrate, and sustain 15 counter-UAS systems. 
</p><p>SuperCom announced that its M2M division was selected by the Czech Republic Ministry of Justice to deploy its PureSecurity Electronic Monitoring Suite.</p><p>Total Recall Corporation will work with the City of Chattanooga and the Chattanooga Police Department to provide a citywide safety solution that includes CrimeEye-RD-2 rapid deployment portable video systems.</p><p>Vialseg combined forces with Vivotek’s local distributor Selnet and LPR software partner Neural Labs to provide red light enforcement systems for Argentinian cities.</p><p>Zenitel is providing IP-based security systems for Oslo Schools.​</p><h4>AWARDS AND CERTIFICATIONS</h4><p>ByteGrid achieved the SOC2+ HITRUST designation, to go along with its EHNAC accreditation.</p><p>The office of the Ohio Secretary of State certified that Verity voting from Hart InterCivic meets all state requirements to ensure fair and accurate elections.</p><p>IBM announced that its scientists have been granted a patent around a machine learning system that can dynamically shift control of an autonomous vehicle between a human driver and a vehicle control processor in the event of a potential emergency.</p><p>Intelligent Protection International Limited was granted Conseil National des Activités Privées de Sécurité status and is licensed for Close Protection activities in France. </p><p>Frost & Sullivan recognized Karamba Security with the 2017 North American New Product Innovation Award for the Automotive Industry.</p><p>Milestone Systems was named one of the 100 Best Companies to Work for in Oregon by Oregon Business Magazine.</p><p>PinPoint Initiative from PinPoint won a Platinum Govie award from Security Today in the category of User Authentication/Identification/Credentialing and Management.</p><p>Secure I.T. Environments Ltd. achieved new quality management standards for design, construction, and management of data centers. 
The new accreditations are OHSAS 18001:2007 (ISO 45001), ISO 14001:2015, and BS EN ISO 9001:2015.</p><p>Sielox LLC recognized MCM Integrated Systems of Van Nuys, California, as its National Business Partner of the Year.</p><p>Snap Surveillance achieved the status of Milestone Certified Solution with its integration to XProtect Corporate IP video management software. </p><p>Sword & Shield Enterprise Security was named to the Cybersecurity 500, a global compilation of leading cybersecurity solutions and service companies.</p><p>Tosibox won the Industrial and Security Category Awards at the IOT/M2M Innovation World Cup.</p><p>Tyco Security Products announced that its Innometriks Cheetah high assurance physical access reader achieved UL 294 certification, and the complete Innometriks Infinitas FICAM solution is now listed on the U.S. General Services Administration Approved Product List.</p><p>Vinson Guard Service, Inc., and company president Christine Vinson were honored with the James J. Coleman, Sr., Corporate Partner Award at the Annual Crimestoppers of Greater New Orleans Awards Luncheon. </p><p>Virtual StrongBox, Inc., was named a finalist for a Blue Diamond Award, which recognizes the best technology in the greater Charlotte area.</p><h4>ANNOUNCEMENTS</h4><p>ASSA ABLOY completed an additional seven Environmental Product Declarations, third-party reports that document the ways in which a product affects the environment.</p><p>Blancco Technology Group opened a new office in Beijing, China. 
</p><p>The Community Security Service is launching a new app, the Jewish Security Application, allowing individuals to report suspicious activity and document anti-Semitic incidents quickly and accurately from their smartphones.</p><p>Constellis entered into a definitive agreement to acquire Centerra Group, LLC, and its subsidiaries.</p><p>DNA Labs International relocated to a larger laboratory near its current facility in Deerfield Beach, Florida.</p><p>A new shipping facility for eDist Security in Dallas offers more space.</p><p>Intelligent Protection International Limited opened an office in Paris on the Champs-Elysées.</p><p>MorphoTrak will donate access to MorphoCloud to West Virginia University. The donation will support research and education in biometrics and forensics.</p><p>The National Association of Police Equipment Distributors is welcoming online distributors and retailers within the law enforcement, public safety, and military markets to its general membership.</p><p>NEC Corporation and Infosec Corporation established Infosec America, Inc., as a security operations center in Santa Clara, California.</p><p>Pelco by Schneider Electric launched a new informational website for the security industry: securityinsights.pelco.com.</p><p>Red Hawk Fire & Security acquired  two companies: Alarm Tech Solutions of the Washington, D.C., metropolitan area and Integrated Systems of Florida.</p><p>RiskIQ revealed that its intelligence and external threat investigation system was used by the Citizen Lab in the discovery of commercial spyware that targeted the mobile phone data of United Arab Emirates human rights activists.</p><p>The Security Industry Association established the SIA International Relations Committee to engage with international trade officials, to facilitate education for SIA members on topics related to trade/export programs, and to collaborate with global security trade associations.</p><p>SecurityScorecard launched the Risk Ratings Alliance Program 
aimed at developing strategic partnerships to help the world’s companies become more secure through collaboration and trust. </p><p>Security Innovation’s security division, OnBoard Security, is placing all of its NTRUEncrypt patents in the public domain, so that they may be freely used under the Creative Commons CC0 1.0 Universal License.</p><p>The Smart Card Alliance is changing its name to the Secure Technology Alliance.</p><p>Tyco Security Products launched a new partner portal to enhance the third-party integration process with its brands.</p><p>Unisys Corporation plans to launch the Unisys Artificial Intelligence Center of Excellence, allowing users to gain free access to online tools to help them develop capabilities in advanced data analytics.</p><p>ViSTA Networking Solutions announced that its network video recorder configuration tool is now available for download. ​</p>
https://sm.asisonline.org/Pages/Extreme-Measures.aspx
Extreme Measures
National Security
<p>When it comes to preventing radicalization in at-risk communities, counterterrorism and countering violent extremism (CVE) programs often go hand-in-hand. While counterterrorism focuses on collecting evidence and making arrests before an event has occurred, CVE attempts to prevent radicalization from occurring in the first place through community engagement and counseling. Many countries have implemented CVE programs to various degrees, including the United States, which began its CVE efforts in 2011. Supported by the Obama administration and viewed as a way to create ties with marginalized communities, the U.S. CVE program strives to address causes of radicalization.</p><p>Over the past six years, the U.S. CVE program has faced its share of challenges, including confusion over strategy and implementation of its objectives, shifting threats, and criticisms that it stigmatizes American Muslims. In January 2016, a new CVE task force was formed to further coordinate government efforts, and U.S. Department of Homeland Security (DHS) and U.S. Department of Justice (DOJ) leaders once again emphasized the importance of CVE in preventing terror attacks. Former DHS Secretary Jeh Johnson told Security Management last year that building bridges with Muslim communities was imperative to deradicalization efforts.</p><p><img src="/ASIS%20SM%20Callout%20Images/0717%20NS%20Chart%202.png" class="ms-rtePosition-1" alt="" style="margin:5px;" />However, a new U.S. Government Accountability Office (GAO) report finds that the program’s leaders have no way to assess whether CVE measures are effective. “[GAO] was not able to determine if the United States is better off today than it was in 2011 as a result of these tasks,” the report notes. 
“This is because no cohesive strategy with measurable outcomes has been established to guide the multi-agency CVE effort.”</p><p>Paired with the uncertainty of the program’s effectiveness is the Trump administration’s approach to terrorism. U.S. President Donald Trump plans to shift the CVE program’s efforts to focus primarily on Islamist extremism, going so far as to switch the program’s name from “Countering Violent Extremism” to “Countering Islamic Extremism,” Reuters reports. </p><p>At least four of the community organizations former U.S. President Barack Obama awarded CVE grants to have turned down the awards because of the anticipated policy shift. One Michigan-based group declined a $500,000 grant it was offered “given the current political climate and cause for concern,” according to an email to Reuters from a representative of the organization.</p><p>The shift in policy contradicts GAO findings: of the 85 violent extremist incidents that have resulted in death since 9/11, 73 percent were carried out by right-wing violent extremist groups, while radical Islamist violent extremists were responsible for 27 percent. Diana Maurer, GAO’s director of homeland security and justice issues, tells Security Management that the statistics should frame conversations about the future of the program.</p><p>A recent Brennan Center report on CVE is more critical of the program due to its Muslim profiling and disproven methods, and states that these flaws will only be exacerbated by an administration that is “overtly hostile towards Muslims.”  </p><p>“Regardless of whether CVE is called ‘Countering Radical Islam’ or not, the programs initiated under this rubric by the Obama administration—while couched in neutral terms—have, in practice, focused almost exclusively on American Muslim communities,” the Brennan Center report states. “This is despite the fact that empirical data shows that violence from far-right movements results in at least as many fatalities in the U.S. 
as attacks inspired by al Qaeda or the Islamic State.”</p><p>Maurer says that while terrorism isn’t anything new, the threats are constantly evolving, requiring a robust counterterrorism program supplemented with an effort to combat violent extremism. “It’s important for agencies to take some actions to work with state and local officials to help prevent people from going down the path of terrorism in the first place,” she says.</p><p>At the start of the CVE program, 44 tasks to address radicalization on a domestic front were outlined, but efforts to implement them “were scattered across a number of components and lacked specific goals and tangible measures of success,” according to the GAO report, Countering Violent Extremism: Actions Needed to Define Strategy and Assess Progress of Federal Efforts, authored by Maurer. As of December 2016, almost half of the tasks were implemented. Yet to be implemented are a few of the most controversial goals, including FBI involvement in the program and prison outreach.</p><p>Throughout the program’s six years, the American Civil Liberties Union has lambasted CVE for focusing on monitoring at-risk individuals and communities instead of merely supporting them. Maurer acknowledges that this is still a problem with the program on a fundamental level.</p><p>“On the one hand, there’s a First Amendment in this country, which means people can express views on a wide variety of things, and those are constitutional rights that need to be protected and respected,” she explains. 
“At the same time, from a policy and political perspective, there’s a desire to try to figure out a better way to get advanced warning signs—that we should have known that someone was going to take action or commit a violent act because we should have been monitoring Facebook or Twitter.”</p><p>DHS has been meeting with the social media industry and officials to discuss how to address violent extremism online, but community outreach in the digital environment is a task that continues to need attention, according to the report. DHS is also having trouble developing countermessaging tactics. Although they have been working with the Los Angeles Police Department and YouTube to develop campaigns against violent extremism, officials want more access to former violent extremists to learn how to directly challenge radical narratives. Maurer notes that speaking with former terrorists is fraught with legal complications. </p><p>The report also points out that agencies have not yet taken action on implementing CVE in federal prisons, which Maurer says surprised her. “Even beyond CVE, we’re talking about gangs, and that is a well-known issue within the prison environment,” she notes. “There are all kinds of ways the federal prison system tries to mitigate or reduce the impact of gang activity and affiliations within the federal prison system, so why haven’t they done more on the issue of radicalization?”</p><p>One controversial aspect of CVE that has plagued it since its inception is that the outreach efforts are coming from the same agencies that investigate terrorist activity. Johnson and the Obama administration were vocal about using the program to build bridges, especially with Muslim communities that had been stigmatized by the government in the past. 
But Maurer explains that the role of some government agencies in CVE is a gray area.</p><p>“Obviously, the FBI knows quite a bit about pathways to terrorism and potential profiles and ways people become radicalized in all different forms,” she notes. “That could be an important part of having meaningful CVE activities. But at the same time, the FBI’s primary role is to investigate and arrest and get people ready for prosecution. That’s further downstream. Finding the right role specifically for the FBI is one of the main challenges to CVE.”</p><p>While financial support from the government may be critical to CVE efforts—DHS designated $50 million to addressing emergent threats in 2016 alone—other countries have developed similar programs with experts not directly affiliated with the government. </p><p>A task force of 100 counterterrorism experts is examining radicalization in prisons in England and Wales and will help train personnel on how to prevent extremism among prisoners. After a study showed that prisons in England are filled with more than 1,000 prisoners identified as extremist or vulnerable to extremism, the effort was accelerated. And organizations such as the Global Center on Cooperative Security encourage more holistic approaches to deradicalization, including using women to prevent violent extremism and rehabilitating juvenile violent extremist offenders.</p><p>“It’s a delicate dance,” Maurer acknowledges. “I know other countries have done more on this than we have in the United States, but they have very different systems.”</p><p>GAO was able to identify the challenges the U.S. CVE program faces based on the status of the 44 outlined tasks, but was unable to determine whether the efforts have made the United States safer, the report explains. </p><p>“We recognize it’s not like sticking a thermometer in someone’s mouth and taking their temperature,” says Maurer. 
“We know it’s challenging trying to develop these kinds of measures, but it’s something the White House tasked the agencies to do, and they didn’t do it.”</p><p> This isn’t the first time GAO has brought up CVE’s lack of evaluation measures. After a July 2015 report found that there was no cohesive strategy to implement program recommendations, a new CVE task force updated the program’s strategic implementation plan to coordinate federal efforts. </p><p>However, the lack of measurable outcomes makes the success of the program uncertain.</p><p>“Absent a cohesive strategy with defined measurable outcomes, CVE partner agencies have been left to develop and take their own individual actions without a clear understanding of whether and to what extent their actions will reduce violent extremism in the United States,” the report finds.</p><p>Maurer says the lack of measurable progress is disappointing and makes it difficult to understand the strengths and weaknesses of the current CVE program, as well as what its future will be. She says she hopes the Trump administration will take current research on the threat picture to inform decisions on how to proceed. 
“There are a variety of domestic terrorist threats facing this country, and the government should take into consideration those threats, the risk environment, and the current state of research, as well as the current capabilities of the various federal agencies and their state and local partners, to combat violent extremism.” </p><p>The Brennan Center report notes that “it is unlikely that either new or existing CVE programs will carry tangible security benefits” and while a shift by the new administration to target Muslim extremists would damage critical relationships, it may also provide an opportunity to rethink the government’s approach to CVE.</p><p>“Even if the federal government pulls back from its active sponsorship of CVE or renames it to make clear that the target is ‘radical Islam,’ the infrastructure for these programs has already been developed at the local level,” the Brennan Center report notes. “It is therefore critical that government agencies, particularly at the state and local levels…dismantle, or at the very least substantially reconfigure, their CVE programs.” ​</p>
https://sm.asisonline.org/Pages/Seeking-a-Cyber-Agenda.aspx
Seeking a Cyber Agenda
Cybersecurity
<p>After being elected as the next U.S. president, Donald Trump put out a statement saying that he would create a national cybersecurity plan within 90 days of taking office on January 20. </p><p>“We must defend and protect federal networks and data,” Trump said in a statement. “We operate these networks on behalf of the American people, and they are very important and very sacred.”</p><p><img src="/ASIS%20SM%20Callout%20Images/0717%20Cyber%20Chart%202.png" class="ms-rtePosition-1" alt="" style="margin:5px;" />While creating that plan, the U.S. Commission on Enhancing National Cybersecurity released a report that commission creator, then-U.S. President Barack Obama, requested to aid the next administration. </p><p>“We have the opportunity to change the balance further in our favor in cyberspace—but only if we take additional bold action to do so,” said Obama upon the report’s release in December 2016. “My administration has made considerable progress in this regard over the last eight years. Now it is time for the next administration to take up this charge.”</p><p>The commission’s study, Report on Securing and Growing the Digital Economy, recommended that the Trump administration focus on deepening public-private cooperation to protect critical infrastructure and respond to cyber incidents. 
It also recommended investing in research and development to improve products and technologies, expanding the use of strong authentication to improve identity management, and continuing to prioritize and coordinate cybersecurity efforts across the federal government.</p><p>At the same time, another cybersecurity initiative—the Center for Strategic and International Studies (CSIS) Cyber Policy Task Force—also released a report on a comprehensive cybersecurity strategy for the United States.</p><p>“The goals of our recommendations for the next administration’s cybersecurity efforts remain the same: to create a secure and stable digital environment that supports continued economic growth while protecting personal freedoms and national security,” the task force said in a statement. “The requirements to achieve these goals also remain the same: central direction and leadership from the White House to create and implement a comprehensive and coordinated approach, since cybersecurity cuts across the mission of many different agencies.”</p><p>Both commissions briefed the Trump administration on their recommendations, and in May—just past Trump’s self-imposed 90-day deadline—the president took action on them and signed an executive order laying out his cybersecurity agenda for the next four years.</p><p>The order takes the commissions’ and experts’ best ideas, combined with the Trump administration’s priorities, and puts them into action to “keep Americans safe, including in cyberspace,” said Tom Bossert, assistant to the president for homeland security and counterterrorism, in a White House press briefing.</p><p>The order is broken down into three sections: securing U.S. government networks, enhancing critical infrastructure cybersecurity, and cybersecurity for the nation. </p><p><strong>Networks.</strong> Trump’s first priority, Bossert said, is to protect federal networks. 
To do this, the president will hold agency and department heads accountable for managing cybersecurity risk to their enterprises.</p><p>“Agency heads will be held accountable by the president for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data,” according to the order.</p><p>Mike Schultz, president and CEO of Cybernance, a cyber risk governance technology solutions provider, says he supports any initiative that aims to hold agency heads accountable for data breaches and lax cybersecurity.</p><p> Schultz was one of the many victims of the U.S. Office of Personnel Management (OPM) data breach in 2015, and explains that he was disappointed with how the government responded to the breach and its failure to fire OPM Director Katherine Archuleta.</p><p>If the same kind of breach had happened in the private sector, Schultz says Archuleta would have been fired immediately. He believes the federal government needs to have that same level of accountability for agency heads and those responsible for cybersecurity.</p><p>Agency heads will also be held accountable for implementing the National Institute of Standards and Technology (NIST) cybersecurity framework and any subsequent documents NIST may release to manage their agency’s risk. </p><p>For too long, “we’ve practiced one thing and preached another,” Bossert said, adding that it’s time for the U.S. government to implement the NIST framework as it’s encouraged the private sector to do for several years. 
</p><p> As part of this effort, agency heads had to submit to the secretary of homeland security and the director of the Office of Management and Budget (OMB) a risk management report detailing the strategic, operational, and budgetary considerations for implementing the NIST framework; any accepted risk, including from unmitigated vulnerabilities; and an action plan to implement the framework.</p><p>The OMB director will then use these action plans to craft an overall plan to implement the NIST framework, along with creating a process for addressing future “recurring unmet budgetary needs necessary to manage risk to the executive branch enterprise,” according to the order.</p><p>However, Sameer Bhalotra, cofounder and CEO of cybersecurity startup StackRox and cochair of the CSIS task force, says he does not see the requirements for the NIST framework in the federal government as the beginning of an effort to require implementation by private companies. </p><p>Bhalotra formerly served as the senior director for cybersecurity on the National Security Council during the Obama administration. He says that one of the things that held the Obama administration back from pushing the framework was the private sector’s fear that the voluntary framework would become a mandatory regulation. </p><p> “Under the new administration, there’s a lot less concern that Congress in the near term is going to pass regulatory requirements,” Bhalotra adds. “With that concern behind us, I think the NIST framework is going to be awesome.”</p><p>Each agency implementing the NIST framework will also help unify the federal government’s cybersecurity posture, which Bossert explained will now be viewed as a centralized system with each agency doing its part to keep it secure. 
</p><p>The federal government’s network needs to be looked at as an enterprise, instead of viewing departments and agencies individually, to assess where the biggest risks are and increase or decrease resources accordingly, based on that risk posture, Bossert said. </p><p>This marks a dramatic cultural shift in the way the federal government views cybersecurity, Schultz says. </p><p>“Currently, all federal agencies have their own cybersecurity processes in place to protect their own systems,” he explains. “However, critical information is leaking on a constant basis. Trump’s order mandates that the security of federal agencies has to be controlled on an entire enterprise level—instead of building security protocols for specific systems, all people, processes, and policies within the agency must be analyzed and reported on.”</p><p>As part of this initiative, agency heads will be instructed to show preference in their procurement for shared IT services—to the extent permitted by law—for email, cloud, and cybersecurity services.</p><p>“I’m not here to promote that the president has created a cybersecure world and a fortress USA,” Bossert said. “But if we don’t move to secured services and shared services, we’re going to be behind the eight ball for a very long time.”</p><p> This move was one of the recommendations the CSIS task force made in its report and that Karen Evans, national director of U.S. 
Cyber Challenge and a cochair of the CSIS task force, says she hoped the administration would act on.</p><p>Using resources like cloud services might not result in cost savings for the federal government, but Evans says it would reduce the government’s risk of a breach.</p><p>“There is a lot pushing toward that direction and using those technologies for security purposes to reduce risk—not necessarily for cost efficiencies, but actually making use of the newer technologies to be able to reduce risk,” she explains.</p><p> This is because outsourcing basic security functions allows organizations to focus their attentions elsewhere, such as on critical or uncommon cyber risks that are the “most consequential to their organization,” the task force report said.</p><p><strong>Infrastructure. </strong>The second portion of the executive order mandates that the executive branch will use its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of U.S. critical infrastructure. 
</p><p>This includes identifying agencies that could support the cybersecurity efforts of critical infrastructure entities at greatest risk of attacks that could result in “catastrophic regional or national effects on public health or safety, economic security, or national security,” according to the order.</p><p>The order also calls for an assessment by the secretaries of energy and homeland security and the director of national intelligence of the United States’ ability to handle a prolonged power outage associated with a significant cyber incident.</p><p> Brian Harrell, CPP, director of security and risk management for Navigant Consulting and former director of critical infrastructure protection programs at the North American Electric Reliability Commission (NERC), says electric utilities are well positioned to provide input for this report.</p><p>“The NERC Grid Security Exercise is a notable example of how the industry has taken cyber threats seriously, and while many lessons have been derived from the national exercise, industry understands the magnitude of a wide-area disruption due to a security event,” Harrell says. “I would strongly recommend that the U.S. 
Department of Energy reach out to NERC, utilities, and trade associations to compile their findings as many lessons learned have already been documented and acted upon.”</p><p><strong>National security.</strong> The final section of the executive order focuses on cybersecurity for the nation and highlights the need for the United States to support the “growth and sustainment” of a skilled cybersecurity workforce to maintain an advantage over other nations.</p><p>To accomplish this, the order tasks the secretaries of commerce and homeland security, with others, to assess current efforts to educate and train the cybersecurity workforce of the future, report on those efforts, and craft recommendations to support these efforts.</p><p>The order also directs the director of national intelligence to review workforce development efforts of America’s cyber peers “to help identify foreign workforce development practices likely to affect long-term United States cybersecurity competitiveness.”</p><p>Including this initiative on workforce development was an encouraging sign, Harrell says, because massive data breaches and major cyberattacks will continue.</p><p>“As Americans become more dependent on modern technology, the demand to protect the nation’s digital infrastructure will continue to grow,” he explains. “Many organizations are desperate to find qualified security professionals and fill key staff positions. Therefore, promoting professional education, training, and STEM classes will start to bridge the cybersecurity workforce gap.”</p>
https://sm.asisonline.org/Pages/Healthy-and-Secure.aspx
Healthy and Secure | Physical Security
<p>With more than 8,000 locations across the United States and approximately 247,000 employees, drugstore chain Walgreens puts a priority on protecting its assets, employees, and customers. The company’s security team, located at Walgreens headquarters in Deerfield, Illinois, strives to respond to any incident that requires attention in a timely manner, whether it be a robbery or a door alarm.</p><p>“Responding to events and dispatching is extremely important, especially in critical situations where we want to provide the best services to our people,” says Hal Friend, director of physical security and fire prevention for Walgreens.</p><p>The corporate headquarters, known as the support office, is home to around 7,000 employees. The security department, referred to as Asset Protection Solutions, is made up of asset protection officers (APOs), a physical access control systems team, and security specialists, among others.</p><p>About five years ago, the company was looking to upgrade its access control solution at its corporate headquarters and distribution centers. “We realized that we had outgrown the old platform we were on, and it wasn’t going to be able to keep up with us,” Friend notes. <img src="/ASIS%20SM%20Callout%20Images/0717%20Case%20Study%20Stats.png" class="ms-rtePosition-2" alt="" style="margin:5px;width:289px;" /></p><p>Walgreens turned to the Genetec Security Center platform, which offered an integrated video and access control solution with various features to meet the corporation’s needs. The installation was rolled out over the last few years across the corporate campus’s more than 40 buildings and distribution centers, and the last phase of the installation was completed in February 2017. 
</p><p>Synergis, the access control platform from Genetec, is unified with Genetec’s Omnicast video management platform through Security Center, tying the support office’s 700 cameras into one system. </p><p>Synergis operates card readers and turnstiles located throughout Walgreens’ support office campus and allows Walgreens to easily issue temporary badges for employees who forget or misplace their credentials. If workers forget or misplace their cards, they must produce identification to one of the company’s APOs. “The APOs verify in Genetec that the person is a badged employee, and then we have a process in Synergis to issue them a temporary badge that will expire at the end of that business day,” Friend explains.  </p><p>Through Synergis, the company can also set an expiration date for temporary badges for vendors, consultants, and contractors who need access for only a certain amount of time. </p><p>Walgreens has a handful of high-security locations, such as data centers, which require two-factor authentication. The employees with access to these areas must present their card to the reader, and place their fingerprint on a biometric scanner. </p><p>The company has also deployed anti-passback measures, which means the worker must badge in and badge out of the high-security location to prevent the badge from being shared. “If you leave without badging out, it will prevent you from badging back in, because the system thinks you’re still in there,” Friend notes. “It helps enforce compliance in high-value areas, so that we have exact record keeping on who was where, when.”</p><p>Through Synergis, the security team can also generate ad hoc reports that show the company who has access to specific locations. 
“We send those reports to the managers of those high-value areas, such as the data centers, and they audit them routinely to ensure that people who have access still require access,” he says.</p><p>Security Center from Genetec integrates into the company’s own security operations center, a 24/7 monitoring location staffed with trained officers called security specialists. If an alarm goes off anywhere on campus, the officers can click the associated alarm notification to view the video. “It’s really easy to immediately get that footage to see what happened,” he notes. </p><p>Many of the cameras on campus are situated around the perimeter or pointed at access control points. This allows for easy review of video footage related to any alarms triggered by doors forced open or turnstiles that appear obstructed. If an alert goes off, “we can immediately dispatch an asset protection officer to respond to that alarm, realizing that most of the events are mistakes,” he says. “But we investigate them all in case we do have an intrusion.”</p><p>In addition to protecting the support office, these officers monitor Walgreens locations across the country and provide dispatch calls to local law enforcement in the event of an emergency, using a video management platform from a different vendor.  </p><p>When a burglar alarm goes off at any of the store locations, security specialists use high definition video to go back and view the video associated with the alarm. If they can confirm that an intruder set off the alert, they call the police. “We dispatch only on verified alarms to cut down on false alarm dispatching, which is appreciated by law enforcement,” Friend notes. </p><p>With the headquarters located in a suburban environment, near major roads and highways, Friend says that unwelcome visitors can wander onto campus, though it is a rare occurrence. 
“There was an instance where the Genetec platform helped us identify an individual who came to the campus, and was not supposed to be here,” Friend says. Using video, which they turned over to law enforcement, “we identified how he got in, and then assisted the police in the investigation to apprehend that individual and resolve the matter.” </p><p>Walgreens does retain video for a specified amount of time to remain in compliance with the various audits that the company participates in. </p><p>Friend says that Genetec Security Center gives the corporation the flexibility it needs to maintain business efficiencies while providing security. “We’re ensuring security, but at the same time we never want security to impede the needs of the workforce at the campus,” Friend says. “We really feel we have that experience today with what we have.”</p><p><em>For more information: Beverly Wilks, bwilks@genetec.com, www.genetec.com, 866.684.8006</em></p>
https://sm.asisonline.org/Pages/A-Psychological-Price.aspx
A Psychological Price | Strategic Security
<p>After 9/11, several studies aimed to capture the psychological footprint of the attacks that killed nearly 3,000 people. A landmark study conducted by the New York Academy of Medicine in 2004, Redefining Readiness: Terrorism Planning Through the Eyes of the Public, put the importance of anticipating behavioral response plainly: “Research shows that even if the nation gets all of the [logistics, equipment, and preparation] right, the plans that are being developed now are destined to fail because they are missing an important piece of the puzzle: how the American public would react to these kinds of emergency situations.” </p><p>Research shows elevated levels of post-traumatic stress disorder (PTSD) in those living in New York City and the surrounding area months after the 9/11 attacks; an article in the Journal of Nervous & Mental Disease revealed that Americans exposed to television coverage and images of the terrorist attack also suffered symptoms of PTSD. </p><p>More recent terror attacks have resulted in similar behavioral responses. Following the Pulse Nightclub shooting in Orlando, Florida, in June 2016 that left 49 people dead, several first responders reported suffering from symptoms of PTSD. Months after the attack, many responding law enforcement officers had yet to return to work because of the severity of their symptoms, The New York Times reported in October 2016. </p><p>When properly diagnosed, these victims can receive help from their organizations, communities, and medical professionals. 
Last year, for example, approximately 400 victims and first responders affected by the 2015 Paris terror attacks were given the opportunity to participate in a clinical trial aimed at curtailing their PTSD symptoms, The International Business Times reported in April 2016. </p><p>Understanding key human factors will create a solid foundation for organizational counterterrorism planning. These concepts can help security practitioners mature and validate their plans against the behavioral impact of terrorist attacks, enhancing plans, procedures, and exercises. ​</p><h4>Environmental Response</h4><p>There cannot be a one-size-fits-all approach to anticipating behavioral reactions to a crisis. The psychological response to fires, floods, and other natural disasters is radically different from that experienced after an active shooter incident or disease outbreak. </p><p>Anticipating the response to an anthrax scare in an organization’s mailroom based upon how employees react to an armed intruder alert will lead to a grossly ineffective security response. Security professionals must understand the different types of behavioral reactions associated with various types of emergencies to properly plan for and respond to these events. </p><p>PTSD is a possible psychological consequence of any traumatic event, but the likelihood of this condition varies. Active shooter and other purposefully violent events result in mental health diagnoses at a level almost three times higher than the diagnoses after natural disasters. That’s according to a study that appeared in the publication Psychiatry in which approximately 60,000 disaster victims were interviewed in 2002. </p><p>Mental health diagnoses in victims of purposefully violent attacks ranged from 10 percent to 36 percent; in natural disasters, those same types of diagnoses ranged from 11 percent to 15 percent, according to the study. </p><p>Tactics. 
Distinguishing conventional from unconventional terrorism will help emergency management experts plan for various types of events, because tactics and the types of violence employed in a terrorist attack affect victims differently. Conventional terrorism is the use of shooting, bombing, kidnapping, and hostage-taking. Recent vehicular attacks in Paris, Berlin, Stockholm, and London, while less common, also fall within this category. </p><p>Unconventional terrorism involves more exotic weapons, such as chemical, biological, radiological, and nuclear (CBRN) materials. There are critical differences in the behavioral response to conventional versus unconventional terrorism, as discussed throughout this article, and failure to appreciate these differences can lead to fatal flaws in plans, exercises, and response.      </p><p>The timeline of an attack, and the amount of time that has passed since the incident took place, also play a crucial role in shaping the response. Responders and security personnel can expect extreme stress reactions (ESRs) in the first minutes to hours after a terror attack. </p><p>The characteristics of ESRs include: frantic, unfocused behavior; difficulty following directions; deterioration of fine motor skills and problem-solving ability; freezing up; and autopilot behaviors, where the victim seems to be relying on primitive, perfunctory responses. </p><p>Panic. Panic is an inevitable response to terrorism, and is driven by two factors: perception of limited opportunity for escape and perception of limited critical supplies. </p><p>Consider the stampede of travelers running for their lives in active shooter scares at international airports, stadiums, or other crowded venues. </p><p>Attacks that disrupt the supply chain can cause people to fend for food, water, and other basic necessities. 
Unconventional terrorism can lead to higher levels of panic, because fear of illness drives people to compete for medications or to escape from potentially contaminated areas. </p><p>Bystanders. Planners and first responders rely on some level of bystander intervention in certain attack scenarios, such as active shooter incidents. This may include distracting, disrupting, or disarming the shooter, or rendering basic first aid to the wounded. </p><p>But ESRs may cause people to become part of the problem, rather than the solution. There may be a significant delay in psychological symptoms as victims and witnesses cycle through the stages of disbelief, denial, indecision, and action. Anticipating a slowness in bystander response will help inform emergency plans and procedures. </p><h4>Unconventional Terrorism</h4><p>Acts of conventional terrorism tend to have clear stages—those affected can observe and recall when the attack began and ended and if they were in or out of the threat environment during each phase. </p><p>Unconventional terrorism employs CBRN hazards, which often cannot be detected by the senses. These acts frequently produce a set of behavioral responses that do not resemble the traumatic stress reactions seen following acts of conventional terrorism.</p><p>The invisibility of the threat drives the powerful behavioral reaction to CBRN scenarios. The hazards may be odorless, colorless, tasteless, or silent. The effects of CBRN terrorism come from the action of the substance on the brain and body, and the psychological implications of the terrorist act. CBRN incidents are unique in their psychological power due to the public’s intense fear and limited knowledge of these hazards.</p><p>Acts of unconventional terrorism produce a unique cluster of psychosocial reactions that manifest as physical signs and symptoms. These effects can confound response and recovery efforts. 
</p><p>Concern about long-term or delayed health effects of exposure to CBRN materials can result in a chronic stress response, unlike responses to attacks that have clear bookends. Some segments of the exposed population will have additional health concerns; for example, pregnant women may fear damage to the fetus. There may be multiple casualties, limited availability of treatments, and uncertainty about effectiveness of treatments, all of which can complicate and confuse response and recovery efforts. </p><p>These symptoms cannot be explained through contemporary medical, anatomic, physiological, or scientific methods. The individual’s signs and symptoms may be consistent with those related to exposure or contamination, reinforcing people’s beliefs that they are, in fact, injured or ill and require medical attention.</p><p>Sociogenic illness. Sometimes referred to as epidemic hysteria, sociogenic illness is the social phenomenon of experiencing a cluster of symptoms for which there is no apparent medical cause. This is a type of social suggestion that can trigger psychosomatic reactions throughout a community or workforce, resulting in significant disruption and overwhelming the local healthcare system. </p><p>The advent of social media and the ubiquity of mobile communications are important factors in the potential for sociogenic illness. Social media can further the dissemination of misinformation and rumors. It is important for leaders and decision makers to realize the difficulty of calming people once frightening information begins to move through the population.</p><p>Misattribution of fear. The misattribution of fear is the misinterpretation of normal physiological arousal as serious illness. Individuals who are frightened by a threatening incident are likely to experience elevated heart rates, blood pressure, respiration, and other uncomfortable sensations related to the fight or flight response. 
</p><p>Unfortunately, some people having these physiological reactions are likely to misinterpret them and believe they are proof that they have been exposed or contaminated, further driving the surge in demand for emergency medical services.     </p><p>Distrust. Distrust is another atypical response to terrorism. The advent of “fake news” only further complicates this type of reaction. The public often believes that government or community leaders may downplay the seriousness of a health risk to prevent panic. Conspiracy theories only cause further confusion when the public is seeking clarity. </p><h4>Community Response </h4><p>Terrorism has a profound impact on the community in which it occurs, and three types of community response to emergencies should guide plans, procedures, and exercises related to disaster response. </p><p>Neighbor helps neighbor. This altruistic response to a threatening event is the most common, and the one that planners typically count on. While it is human nature to reach out to help others in distress, that response is not always feasible when fear enters the equation.</p><p>Having several employees trained in psychological first aid will help reduce fear and arousal in the immediate response to a violent or traumatic event. </p><p>For example, in active shooter plans and exercises, students and workers may be trained in lock-down or shelter-in-place tactics. It is essential that they know how to calm and soothe a seriously distressed coworker who is frantic to the point of giving away the group’s secure location to the attacker. </p><p>Neighbor fears neighbor. If a person is injured in a violent attack, coworkers or bystanders will likely rally around to try to find ways to help. But if that person or coworker may be infected with a highly contagious disease, or was exposed to a hazardous substance in an attack, most people would have an understandable hesitation in providing aid for fear of becoming exposed or infected. 
</p><p>This type of response is more likely in unconventional terrorism scenarios and can seriously erode community or workplace cohesion. It can also result in stigma that hinders resilience and recovery efforts.</p><p>Neighbor competes with neighbor. Acute fear can trigger panic and competition to flee a threat or grab up the last of essential supplies. Looting is a possibility in the wake of certain acts of mass violence; some of these incidents are crimes of opportunity, while others are acts of survival. It is important for leaders to understand this behavioral risk and work to keep group cohesion intact in emergencies and violent attacks.   </p><p>Understanding human factors in critical incidents can help explain why people behave in a certain way in disasters, emergencies, and violent incidents, and should inform every aspect of the planning, response, and recovery phases of the event.</p><p>Terror is fear, and fear is one of the most powerful forces affecting human behavior. An act of terror, or the belief that a terror attack is imminent, creates changes in the character of people and nations in a way that plays to the terrorist’s narrative. Understanding and counteracting fear is just as important as physical security measures when it comes to defeating the terrorists. </p><p>The question is not if a terror attack will occur, but when. Getting the behavioral piece of the response and recovery puzzle right is critical. Applying these human factor concepts can help security practitioners validate and mature their plans and procedures, and should inform exercise design, facilitation, and evaluation.  </p><p><em><strong>Steven Crimando</strong> is the principal of Behavioral Science Applications, a training and consulting firm focused on human factors in crisis prevention and response. He is a Board Certified Expert in Traumatic Stress (BCETS). 
He is a consultant and trainer for multinational corporations, government agencies, major city police departments, and military programs. ​</em></p>
https://sm.asisonline.org/Pages/The-Meaning-of-a-Merger.aspx
The Meaning of a Merger | Strategic Security
<p>For years, the idea of a merger between Universal Services of America and AlliedBarton Security Services made all the financial sense in the world. The numbers seemed clear: if the two firms joined forces, they would create the largest security company in North America, one that could offer tremendous resources and one-stop shopping for many in need of contract security services. And the two companies had complementary strengths—for example, Universal’s integrated security offerings and AlliedBarton’s security officers, when added together, further strengthened the appeal of a merger.  </p><p>Although the industrial logic was undeniable, making the merger a reality proved to be a daunting task. Start-and-stop discussions had been ongoing for several years, and at different times, each firm courted the other for a possible acquisition, but neither organization was ready to seal the deal. The reasons why were not always entirely clear. </p><p>In any circumstance, a number of factors may make a deal of this magnitude difficult to accomplish. Because a merger of this type usually starts right at the top and involves the leadership of both companies, there’s always a risk of a power struggle. This can present a hurdle to change management—both leadership teams in a merger fighting for supremacy when deciding key issues like the new company name, leadership titles, or where the company should be headquartered.</p><p>Furthermore, merging two separate corporate cultures can be quite thorny, especially when the two companies were former competitors for many years, and both are deeply invested in being the industry leader. </p><p>Universal and AlliedBarton had frequently talked about a union over the years, with no agreement coming to fruition. 
But then, a new window of opportunity appeared, changing the landscape and making a merger possible.</p><h4>A Window Opens</h4><p>In 2015, the Blackstone Group, the private equity firm that owned AlliedBarton, announced it was selling the company to the French investment firm Wendel SE. Universal Services of America had a good relationship with Wendel, so the idea of a merger of Universal with AlliedBarton under the auspices of Wendel seemed like one that would have strong private equity support. Indeed, Warburg Pincus and Partners Group, Universal’s equity partners, both indicated that they would back a merger.</p><p>And this new development took place in a broader business environment that continued to ripen for a possible merger. As profit margins in the industry remained tight, the economic efficiencies that could be gained from the horizontal integration of two companies with complementary strengths were becoming more and more compelling.  </p><p>Of course, there was still the “power struggle” issue to deal with between the two competing leadership teams. Sometimes, this struggle can be the most troublesome at the top; a merger between two large companies with tenured CEOs can turn into a clash of egos that cannot be tamed. </p><p>AlliedBarton and Universal avoided this conflict. In the case of our companies, the two CEOs (myself and Bill Whitmore of AlliedBarton) had a relationship that seemed to get stronger as time passed. I like to call it a “fierce and friendly” relationship—we were fierce competitors in the marketplace, but outside the arena, we always got along well. If any two leaders of rival companies had a chance to come together and make it work, we did. Moreover, Bill had made it clear that he was ready to move on from his CEO position to become Allied Universal’s board chairman, so we would not be competing for that role at the new company.  </p><p>Given these conditions, a merger began to make even more sense. 
After nearly two years of serious discussion, both parties decided to move forward. Universal Services of America and AlliedBarton Security Services announced the merger to the public on May 3, 2016. By August 1, the merger was finalized between the two, forming Allied Universal, which is now a $5.1 billion company with more than 150,000 employees.</p><p>There was no shortage of challenges in getting to that endpoint. I believe our merger could serve as a case study in change management, because we faced a host of integration issues from cultural fit to staffing to operational procedures and processes. What follows are some of the key takeaways from the integration exercise that generated both lessons learned and best practice guidance.​</p><h4>Competitors to Comrades    </h4><p>We started out with the help of trusted consultants. The Boston Consulting Group (BCG) handled the organizational process, and West Monroe Partners focused on the IT integration. Since BCG had worked with Universal during our acquisitions of Guardsmark and ABM Security, they knew us and our business and were able to quickly ramp up to help develop our integration plan.  </p><p>Our timetable was ambitious given the scope of the project. In March and April, we conducted a thorough evaluation of each functional area in both companies. That gave us a good idea of where each organization’s strengths and weaknesses were, in terms of reaching our business goals like creating value, customer service, and the use of technology within our service offerings.</p><p>Then came an even more intense period. After the merger announcement in May, a few hundred executives from both companies—who had formerly led rival leadership teams—met in Dallas for a weeklong process of hashing out key components of the new company. Issues ranged from its new name to its core values to its areas of emphasis, department by department and function by function. 
For instance, in one case, we had to choose to use one accounting procedure over another. And there were times when we selected a single vendor for a service that had been previously handled by two different outfits.</p><p>Once these parameters were established, we went through several days of one-on-one interviews to form the leadership teams of the new company. At the start, we knew that this would be a challenging time for many. Given what was at stake, we tried to make the process as open and transparent as possible. We discussed the particulars of the process, the timetable, and the severance arrangements for people who would not be transitioning to the new organization.</p><p>In May, June, and July, we took our show on the road to visit key locations. We replicated the process we had just completed in Dallas for nonexecutive-level employees—roughly 150,000—who populated about 250 branch offices, many of which were being consolidated. We visited all regional offices and, as we did in Dallas, shared with employees our aspirations for the new company in terms of desired culture, core values, and our plans for getting there. </p><p>This three-month project was one of the most challenging components of the merger. Since many positions required staffing around the country (including regional leaders, HR, and sales associates), a tremendous amount of front-end work was needed. </p><p>Making these difficult hiring decisions was the most intense aspect of the entire merger. The initial presentations of the future goals, values, culture, and objectives of the new company were well-received and highly motivating. But then, you need to have “the conversation” about the reality that not everyone would be transitioning to the new company. During these times, it became clear how significantly a merger could affect the lives of employees. 
</p><p>It was also abundantly clear how unnerving the process can be–in addition to fulfilling current job responsibilities, employees basically have to “reinterview” for their jobs, with no guarantee that they will have one by the time the merger is finished. Again, given what was at stake, it was imperative for us to be as upfront, honest, and transparent as possible.  ​</p><h4>The Integration Process</h4><p>Although the staffing consolidation may be the most intense facet of a merger, it is not the only challenging aspect. Merging the culture and processes of two companies was a complicated project that had its fair share of bumpy passages and difficulties. </p><p>Each company is unique. Companies may have similar values and corporate perspectives, as did AlliedBarton and Universal, but there will always be differences in processes and operations. This includes differences in management styles, resource allocations, engagement strategies, and procedural protocols.   </p><p>To complete this part of the merger, we literally outlined each function of the two companies’ operations, and compared the similarities and differences. From there, we determined the best way to design each function for the new company. In some cases, we chose one company’s process over the other’s; in other instances, we took attributes from both to create a new one. In a few situations, we decided that a newly created process would be best. For example, human resources designed new employee recognition and evaluation programs.</p><p>I don’t want to sugarcoat this part of the merger–these were some of the more difficult discussions we had. Given that leaders from both companies were hashing out these processes, it was natural for them to be wedded to, and advocate for, their own company’s methods for doing business. But allowing this to occur would have defeated the purpose of the exercise, because we wanted to design the new company functions on merit. 
</p><p>So, we challenged our executives to overcome their own biases and aspire to objectivity in coming up with the best methods for operations. This meant scores of candid, searching discussions, with multiple stakeholders present at every meeting to ensure all points of view were taken into account. </p><p>In the end, we decided to have two corporate headquarters: one in Conshohocken, Pennsylvania, where finance, payroll, and billing would be housed, and the other in Santa Ana, California, where human resources and sales/marketing would be centralized. Additionally, we carved out seven regional territories that would be serviced by Centers of Excellence to provide operational and field-level support. </p><h4>Business Continuity </h4><p>Six months after the May announcement, we were able to complete the integration of security services for our seven U.S. regions (Northeast, Mid-Atlantic, Southeast, Midwest, Central, Northwest, and Southwest) and Canada.</p><p>Given that these regions contained more than 200 branch offices, this meant working days that stretched from early morning to late at night, running at a rapid clip to keep the process moving forward, and covering all bases. I scheduled meetings and calls with each region to discuss areas that required more focus and opportunities that would showcase our new strengths. I worked with legal and HR teams to refine and enhance business operations and employee retention, and spent time in the field with clients and employees to share the vision and mission of the new brand. We traveled around the country rolling out our culture initiatives. These initiatives included challenging employees to focus on the positives of the merger, to anticipate changes that would benefit the business and our clients, and to embrace new policies and programs.</p><p>But a merger as large as this one comes with its own business continuity issues. 
We knew that sustaining normal operations and retaining talent would be a challenge during such a large-scale integration. We spent just as much time, preparation, and focus on business as usual during the transition as we did before the merger occurred. </p><p>Still, we recognized that clients might be nervous that the merger process could mean a downgrade in our customer service. Countering that line of thought was a priority for us. So, during the first week of our announcement, we reached out to all customers, and explained to them what would be happening. From a customer perspective, we wanted everything to be clear, so there would be no question marks in their minds about our ability to deliver our usual service. We were also direct in communicating the positives the merger would mean for them.</p><p>In essence, we guaranteed our clients that their service would not be interrupted. To ensure this, we held weekly management calls with our leadership team, and hashed out any client issues and concerns. We made sure that any internal problems did not hinder our external service. ​</p><h4>Acquisitions Ahead</h4><p>Internally, mergers can be a disquieting experience for some, even for workers who anticipate staying with the company. At times, employees would want to discuss what the merger process might mean for them, or even talk about a job opportunity they had elsewhere.</p><p>The latter situation sometimes led to a dilemma for us. Employees are vital to our success and retention is also critical, but we did not want to hold anyone back from promising career opportunities. We always made ourselves available and would walk through these issues with people, while being as honest as possible. 
</p><p>Overall, it is a simple economic reality that mergers and acquisitions are the norm in many business sectors, despite all their difficult passages, because they enable companies to grow exponentially, and expand in areas and markets that previously may have been out of reach. Perhaps the final lesson learned is that integrating organizations and aligning cultures always requires an all-in collaborative approach. Not only the leadership team, but employees, customers and constituents—all those who depend on the company—must be in it together to achieve success.</p><p><em>Steve Jones, former CEO of Universal Services of America, is the CEO of Allied Universal. Mark Tarallo is senior editor of </em>Security Management.</p>
https://sm.asisonline.org/Pages/Only-Two-Facilities-Participated-in-a-New-CFATS-Program.aspx
Only Two Facilities Participated in a New CFATS Program
Category: Physical Security
<p>The U.S. Department of Homeland Security’s (DHS) chemical facility management program is struggling to get facilities to create security frameworks under an updated program. The Chemical Facility Anti-Terrorism Standards (CFATS) Expedited Approval Program, which was fully implemented in June 2015, allows lower-risk chemical facilities to develop expedited security plans and gain CFATS compliance. The new program was seen as a way to encourage chemical facilities to more easily develop security plans that identify and assess the risk posed by the facilities, as well as a way for DHS to assess all chemical facility sites and security plans.</p><p>However, as of April, only two of the 2,496 eligible facilities opted to use the Expedited Approval Program, according to a new U.S. Government Accountability Office (GAO) report, <em><a href="http://www.gao.gov/assets/690/685520.pdf" target="_blank">DHS Has Fully Implemented Its Chemical Security Expedited Approval Program, and Participation to Date Has Been Limited. </a></em>The expedited program was in response to the longer, more complicated CFATS program that made facilities slow to gain approval.</p><p>GAO had intended to assess the effects on facility security, if any, as a result of using the Expedited Approval Program versus the standard program. However, with just two facilities participating in the program, it could not assess its impact on facility security or reducing DHS’s site approval backlog. </p><p>The report notes that several factors explain why more facilities did not participate in the expedited program. 
By the time DHS approved the new CFATS program in 2015, most facilities had already begun the standard security plan approval process. Also, by taking away some in-depth assessments to make the approval process quicker, the new program requires more strict and less flexible security procedures, so some facilities still preferred developing the standard security plan, even if it took longer. Similarly, some facilities preferred the more thorough security assessment and review provided by the standard program—“DHS conducts in-person authorization inspections to confirm that security plans address risks under the standard process, but does not conduct them under the expedited program,” the report notes. “DHS officials noted that some facilities may prefer having this inspection because it provides them useful information.”</p><p>The future of the expedited program is uncertain—in part due to lack of participation, but also because of recent changes to the CFATS program. In fact, one of the two facilities that were approved through the expedited process is no longer deemed high risk after DHS changed its methodology for determining the level of risk at chemical facilities. </p>
https://sm.asisonline.org/Pages/Ukraine-Among-Countries-Affected-by-Petya-Ransomware-Attack-.aspx
Ukraine Among Countries Affected by Petya Ransomware Attack
Category: Cybersecurity
<p><a href="http://www.npr.org/sections/thetwo-way/2017/05/15/528451534/wannacry-ransomware-what-we-know-monday" target="_blank">Ukraine was hit by a large ransomware attack on Tuesday</a>, along with at least five other countries, NPR News reports. The ransomware is being referred to as "Petya," and affected "key parts of Ukraine's infrastructure," including electric grids, government agencies, and businesses. Experts fear the threat of Petya is similar to the WannaCry ransomware attack in April, which affected computers in 150 countries.</p><p>In addition to Ukraine, the ransomware attack has hit "thousands of users" in Russia, Poland, Italy, the United Kingdom, Germany, France, and the United States. The U.S. Department of Homeland Security said it is "monitoring reports of cyberattacks affecting multiple global entities and is coordinating with our international and domestic cyber partners."</p><p>Users affected by the attack are shown a locked screen demanding a payment of $300 in bitcoins to receive their files, the same ploy used by WannaCry. But security researchers say Petya uses exploits WannaCry did not to spread in internal systems, meaning patched machines can also be affected. </p><p>Ukraine's official <a href="https://www.vox.com/world/2017/6/27/15879844/ukraine-gif-russia-cyber-security-attack-hacks-this-is-fine-meme-wannacry" target="_blank">Twitter account announced the attack</a> had hit the country with a message to assuage fears. The country tweeted a GIF of a dog drinking coffee in the middle of a room that is burning in flames. The post reads, "Some of our gov agencies, private firms were hit by a virus. 
No need to panic, we're putting utmost efforts to tackle the issue." </p><p>The adviser to Ukraine's interior minister, Anton Gerashchenko, says he believes the attack is the work of Russian agents to destabilize the country, and <a href="https://www.facebook.com/anton.gerashchenko.7/posts/1415938421826334" target="_blank">said on his Facebook page</a> the attack likely took weeks to set up before going into effect. </p>
https://sm.asisonline.org/Pages/Responding-to-Violence-in-Healthcare.aspx
Responding to Violence in Healthcare
Category: Security by Industry
<p>Violence in healthcare settings—especially in hospital emergency departments—is on the rise. A well-trained security team working in concert with the medical team can help manage this increasing violence.</p><p><strong>The problem.</strong> In February 2017, The Joint Commission, a healthcare accreditation organization, reported, "Anyone in a health care facility can become a victim of violence. Since January 2010, The Joint Commission has received 201 reports from its accredited organizations of violent criminal events. Excluding the 16 reports of shootings…the database includes 118 reports of rape, 32 reports of homicide, 28 reports of physical assault, and seven reports of sexual assault." More than half of the incidents were patient-on-patient violence; six of the physical assaults were patient-on-staff violence. </p><p>While healthcare workers make up less than 10 percent of the U.S. workforce, there are nearly as many violent injuries in the healthcare industry as in all other industries combined, Alexia Fernández Campbell reported in a December 2016 article in <em>The Atlantic.</em> She also cited a 2015 study, where 76 percent of nurses at a private hospital system in Virginia said they had experienced physical or verbal abuse from patients in the previous year. </p><p>According to The Joint Commission, "A recent Occupational Safety and Health Administration report on workplace violence in healthcare highlights the magnitude of the problem: while 21 percent of registered nurses and nursing students reported being physically assaulted, more than 50 percent were verbally abused…in a 12-month period. 
In addition, 12 percent of emergency nurses experienced physical violence, and 59 percent experienced verbal abuse during a seven-day period." </p><p>The California Division of Occupational Safety and Health adopted standards requiring hospitals to establish workplace violence prevention plans to protect healthcare workers and other facility personnel from aggressive and violent behavior. To identify risks, to report them, and to annually evaluate them are normal safety requirements in at least 16 U.S. states. </p><p>Joint Commission standard EM.02.02.05, EP 3 calls for hospitals to clearly explain how personnel are to respond to violence in their management plans. Specifically, "The Emergency Operations Plan describes how the hospital will coordinate security activities with community security agencies." Hospitals are to include preparation for emergencies such as an active shooter situation. </p><p><strong>Training.</strong> When the incident rate of aggression is high, the security team can be trained to use advanced confrontation techniques which enable them to manage the most aggressive patients. Of course, security officers work under the supervision of medical staff, and they should use only defensive techniques to control patients. </p><p>Training for de-escalation and other responses to aggressive behavior is provided by such companies as Crisis Prevention Institute, MOAB Training International, and AVADE. It is important for the trainer to address the healthcare facility's security management plan during the sessions. </p><p>Security officers can learn verbal judo and simple defensive techniques in as little as four hours; however, those working in high-incident areas will benefit from longer training sessions. Costs usually include a student workbook, the trainer's fee, and the student's wage. </p><p>At one facility where more than 20 patient watches occur each day, the staff is subject to potential violence. 
The immediate availability of highly trained security specialists helps to keep the area as safe as possible. The security team finds weapons, places aggressive patients into restraints (on medical authority), and occasionally assists police with responses to violence in the hospital. </p><p>The training of the security specialists at that facility focuses on use of the AVADE (Awareness Vigilance Avoidance Defense Escape/ Environment) defensive techniques. This training shows how a 120-pound person can quickly take down an attacker weighing more than 250 pounds. Size of the security officer is not as important as the quality of the training. </p><p>Proper training can not only improve the security response but also help prevent injuries to security, staff, and patients. When medical staff observe a demonstration of a physical response by a well-trained security officer, confidence in the whole security team is enhanced. </p><p>Securitas has five area trainers who provide de-escalation training and emergency department response team training at a large healthcare system. In class, the trainers address the safety issues of the environment, position of staff, responses to aggressive behavior, and restraints. After such training, the medical staff and the security staff work much more efficiently together. Additionally, the trainers provide security awareness training for all staff for normal security issues such as identity theft, safety in parking lots, and other personal safety issues. </p><p><strong>Response.</strong> Techniques for responses to aggression usually address early identification of violence or escalation of violence so that efforts to de-escalate could prevent a crisis, such as an assault. Security teams working in the emergency department are in position to identify the escalation of unacceptable behavior. When intervention is needed, the security team and medical personnel should work together as a response team. 
</p><p>Typical incidents to which security may respond are: a person with a severe behavioral health disorder who becomes combative; a dementia patient who walks away from healthcare, is lost, and does not communicate coherently; and a drug seeker who threatens medical staff when specific drugs are not prescribed. All of these examples may result in injury to the medical staff if physical intervention does not occur promptly. Security officers may attempt to de-escalate and control the patient so that the medical staff are safe to continue their work. </p><p>In one situation, police responded to de-escalate a behavioral health patient. When the situation appeared to be safe, the officer left the facility. As the officer was walking out of the building, the patient attacked him and removed his weapon. The security supervisor quickly took hold of the patient and removed the weapon from the patient. With the help of other security officers, the supervisor controlled that person until the police arrived, and arrested the assailant. This is just one of many examples in which the security staff, using physical skills authorized by post orders, successfully responded to an incident. </p><p>Fortunately, in most incidents where the security team responds to assist medical staff, the situations are resolved satisfactorily through verbal persuasion, and the aggressive person is escorted away. Security will conduct an investigation, record the details of the incident, and make notifications as required by policy. In those rare situations that demand a police response, the security team manages the situation and provides police information. </p><p>One key for success is that the security team understands the medical protocols and that the medical team understands the security protocols. In other words, they must work as a team to keep the environment safe. In a monthlong study at one hospital, there were 59 CODE Gray calls—requests for security response to an aggressive person. 
In 30 of those instances, physical restraints were applied on request of medical staff. </p><p>Early reporting of an escalating situation and early involvement of the security team is critical for reducing risks. The security team can manage the aggressive persons, de-escalate them if needed, and move them either back to medical care or away from the conflict area if the medical team has completed any treatment. The security response helps to reduce risks to medical staff, helps to keep them safe, and saves them time from working with potentially aggressive persons. And finally, the security team reports back to the medical team after situations are resolved. </p><p>Teamwork and proper training help a security team to manage critical incidents of aggressive behavior that occur almost daily in healthcare. </p><p><em>Lee Cloney, CPP, is region director of training and development for Securitas Security Services USA. He is a Certified Healthcare Protection Administrator (CHPA) and serves on the ASIS Foundation Board of Trustees.​</em></p>
https://sm.asisonline.org/Pages/NIST-Releases-Digital-Identity-Guidelines.aspx
NIST Releases Digital Identity Guidelines
Category: Cybersecurity
<p>The U.S. National Institute of Standards and Technology (NIST) released its final guidelines for digital identity verification after a year-long cross-industry effort to craft them.</p><p><em><a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf" target="_blank">Digital Identity Guidelines</a></em> was released Thursday and includes a score of documents that address digital identity from risk assessment to deployment of federated identity solutions. The guidelines are designed to “provide technical requirements for federal agencies implementing digital identity services” and cover “identity proofing and authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks.”<br></p><p>Identity proofing is the practice of proving a person is who they claim to be, a process that has become more complicated with the increased use of technology and rise of digital identities. <br></p><p>“Digital identity presents a technical challenge because this process often involves proofing individuals over an open network, and always involves the authentication of individual subjects over an open network to access digital government services,” the guidelines explained. 
“The processes and technologies to establish and use digital identities offer multiple opportunities for impersonation and other attacks.”<br></p><p>To prevent impersonation and mitigate risk, the guidelines provide new ways to strengthen the identity proofing process while also creating options for remote and in-person proofing, wrote Paul Grassi, senior standards and technology advisor at NIST, in a <a href="http://trustedidentities.blogs.govdelivery.com/2017/06/22/mic-drop-announcing-the-new-special-publication-800-63-suite/" target="_blank">blog post about the guidelines release.</a><br></p><p>“No longer will agencies be required to ask for ‘one government-issued ID and a financial account,’” he explained. “The proofing guidance moves away from a static list of acceptable documents and instead describes ‘characteristics’ for the evidence necessary to achieve each Identity Assurance Level (IAL). Agencies can now pick the evidence that works best for their stakeholders.”<br></p><p>Evidence for authenticating identity is based on three cornerstones: something a user knows (like a password); something a user has (like a badge); and something the user is (like biometric data). <br></p><p>“The strength of authentication systems is largely determined by the number of factors incorporated by the system—the more factors employed, the more robust the authentication system,” the guidelines said. “For the purpose of these guidelines, using two factors is adequate to meet the highest security requirements.”<br></p><p>These factors may be incorporated in two ways, according to the guidelines:<br></p><ol><li><p>The system may be implemented so that multiple factors are presented to the verifier; or</p></li><li><p>Some factors may be used to protect a secret that will be presented to the verifier.</p></li></ol><p>“For example, item 1 can be satisfied by pairing a memorized secret (what you know) with an out-of-band device (what you have),” the guidelines explained. 
“Both authenticator outputs are presented to the verifier to authenticate the claimant. For item 2, consider a piece of hardware (the authenticator) that contains a cryptographic key (the authenticator secret) where access is protected with a fingerprint. When used with the biometric, the cryptographic key produces an output that is used to authenticate the claimant.”<br></p><p>The guidelines also make changes to what can be used to authenticate an individual’s digital identity, including no longer allowing mother’s maiden name to be used to recover a lost, stolen, or forgotten credential; email to be used for one-time passwords; and text messages to be used to send one-time-passwords.<br></p><p>“The new guidelines also enable server-side biometric matching and include a comprehensive set of biometric performance and security requirements,” Grassi wrote. “Biometric sensors are common in the devices that so many of us carry with us every day, so we felt we needed to provide guidelines that can prevent unreliable or weak biometric approaches from sneaking their way into federal digital services, while allowing these powerful tools to play a large role in doing digital identity right.” <br></p><p>The guidelines were released this week, and NIST plans to release implementation guidance for government agencies to adopt them with the first set of guidance focused on identity proofing.<br></p><p>“Our ability to predict and respond to changes in the market and technology needs to match the speed of innovation, as well as threats,” Grassi wrote. “We look forward to working with agencies and the private sector to improve these guidelines based on real implementation of digital identity services. Over time, we want them to become even more outcome-based and reliant on proven performance metrics, as well as adaptive to innovations in the market so anyone, public or private, can better serve their users.”<br></p><p><br></p>
https://sm.asisonline.org/Pages/DHS-Official-Says-Russia-Tried-to-Hack-21-States-in-2016-Election.aspx
DHS Official Says Russia Tried to Hack 21 States in 2016 Election
Category: National Security
<p>The Russian government tried to <a href="https://www.washingtonpost.com/world/national-security/homeland-security-official-russian-government-actors-potentially-tried-to-hack-election-systems-in-21-states/2017/06/21/33bf31d4-5686-11e7-ba90-f5875b7d1876_story.html?utm_term=.be27b9e66441">hack election-related U.S. computer systems in 21 states during the 2016 election,</a> a U.S. Department of Homeland Security (DHS) official testified to a congressional panel Wednesday.</p><p>Samuel Liles, DHS's acting director of the Office of Intelligence and Analysis cyber division, said the hackers appeared to be scanning for vulnerabilities and successfully exploited some networks. He also maintained that vote counting mechanisms were not affected.</p><p>Liles was testifying before the Senate Intelligence Committee, which is investigating Russia's efforts to interfere in the 2016 presidential election. Bloomberg, citing anonymous sources, reported earlier this month that Russian hackers were able to hack systems in 39 states. </p><p>Officials declined to say which 21 states were targeted.</p><p>Also at the hearing, FBI Assistant Director of Counterintelligence Bill Priestap testified that the Russian government also pushed false news reports and propaganda online. He said Russia has tried to influence U.S. elections for years, but its efforts in 2016 were at a higher scale and level of aggressiveness.</p>
https://sm.asisonline.org/Pages/Average-Cost-of-Data-Breach-Declines-Globally-First-Time.aspx
Average Cost of Data Breach Declines Globally for First Time
Category: Cybersecurity
<p>The average cost of a data breach declined 10 percent in 2017 to $3.62 million globally, marking the first time there’s been an overall decrease in the cost, according to a report from IBM Security and the Ponemon Institute.</p><p>The breaches on average run at about $141 per lost or stolen record. But for healthcare organizations a lost record had an average cost of $380; in financial services, the average cost was $245.</p><p>For the survey, Ponemon Institute researchers surveyed IT, compliance, and information security professionals representing hundreds of organizations in 12 different countries. The United States and Canada had the most expensive per capita cost per data breach ($225 and $190, respectively). Germany saw the biggest decrease in average total cost, followed by France, Australia, and the United Kingdom. The Middle East, Japan, and the United States saw the highest increase in average total cost.</p><p>Data breach notifications are costliest in the United States ($690,000 on average), whereas India had the lowest ($20,000 on average). Data breach response costs include “the creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures, email bounce-backs and inbound communication setups,” according to the report. </p><p>Most of the breaches were caused by hackers and criminal insiders, according to the report, with 47 percent of all breaches caused by malicious or criminal attacks. 
The study also found that third-party involvement in a breach increased the cost of the hack by as much as $17 per customer record; organizations undergoing cloud migration at the time of the breach saw an increase of $14 per customer record. </p><p>Read the <a href="http://www-03.ibm.com/press/us/en/pressrelease/52643.wss" target="_blank">press release on the report here</a> or download the full <em><a href="https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130WWEN&" target="_blank">2017 Cost of Data Breach Study: Global Overview</a>. </em></p>
https://sm.asisonline.org/Pages/Protecting-Executives-at-Home.aspx
Protecting Executives at Home
Category: Security by Industry
<p dir="ltr" style="text-align:left;">Maybe it's temporary copycatting, or it could be a new trend, but more and more executives and other high-profile figures are experiencing protest attacks at home.</p><p dir="ltr" style="text-align:left;">In just the first five months of 2017, protesters have gathered outside the homes—not offices—of the following U.S. executives, political leaders, and other prominent persons:</p><ul dir="ltr" style="text-align:left;"><li>Wells Fargo CEO Tim Sloan</li><li>Facebook CEO Mark Zuckerberg </li><li>U.S. Bank CEO Richard Davis</li><li>Robert Mercer, co-CEO of hedge fund Renaissance Technologies</li><li>Ivanka Trump</li><li>U.S. Senator Mitch McConnell</li><li>U.S. Representative Maxine Waters</li><li>U.S. Federal Communications Commission Chairman Ajit Pai</li></ul><p dir="ltr" style="text-align:left;"><br></p><p dir="ltr" style="text-align:left;">Protests at executives' homes are wildly unpredictable in their timing and other characteristics. Throngs ranging from a dozen to hundreds of protesters may appear overnight after a news report or a social media posting. This can happen despite the real possibility that the account that led to the protest is inaccurate, exaggerated, or even completely false. </p><p dir="ltr" style="text-align:left;">Regardless, spontaneous mobs or paid protesters may show up at an executive's house to express their displeasure, disturb the neighbors, block access to the home, and frighten the home's occupants by bombarding them with chants, signs, and angry marchers. </p><p dir="ltr" style="text-align:left;">One client of ours was targeted at home by protesters opposed to his company's marketing, which appealed to children. 
The protesters' presence and aggressive tactics caused the executive's special-needs son to panic and attempt to escape the home from a second-story window. Protests at homes are not always innocent. They are sometimes belligerent and can lead to bad outcomes for the family or the protesters. </p><p dir="ltr" style="text-align:left;">What can a security department or its executive protection division do to minimize the potential harm to executives (a duty they owe to those important, exposed employees) and even to protesters (whose injury could lead to bad press for the company)? </p><p dir="ltr" style="text-align:left;">The answer is anticipation and preventive measures. As for anticipation, one of our clients, a large multinational corporation, takes special efforts to track mentions of the company and its executives—not only in news sources but also in social media. The company's intelligence team also joins the distribution lists of adversarial organizations and, when possible, uses geofencing to monitor social media activity that mentions executives' homes or originates near them. Staff members also conduct research on the specific individuals who make potentially threatening comments online to gauge their possible dangerousness. </p><p dir="ltr" style="text-align:left;">In addition, it makes sense to delist the executive's home phone number to minimize the risk of abusive calls and to make it harder to find the executive's address. Delisting is difficult and not reliably permanent, but it is worth a try. A dedicated adversary may still be able to find the phone number and address, but there is no reason to make the task easy, especially for less-organized, spur-of-the-moment, or unbalanced persons. </p><p dir="ltr" style="text-align:left;">This anticipatory work, along with planning, makes it possible to implement special measures quickly when risk spikes. 
The following are some of the measures security personnel can put in place when they detect a plausible risk of protests at an executive's home:</p><ul dir="ltr" style="text-align:left;"><li>Provide security driving services to the executives and possibly to members of their families. Protesters may swarm or attack personal vehicles, and a security-trained driver would be better equipped to avoid or otherwise handle such incidents.</li><li>Contract for a law enforcement presence outside the executive's home. If the protesters remain on public property and are not violating the law, police may not do anything to protect the executive. However, a police officer in a marked or unmarked patrol car parked in front of the house may help keep the situation from escalating. </li><li>Set up temporary exterior video cameras, viewing 360 degrees outward from the home, to monitor and document protester behavior, especially any trespassing or throwing of projectiles.</li><li>Make sure the home has bright floodlights shining outward at night so protesters cannot easily trespass undetected.</li><li>Remind the family to turn on its security alarm system.</li><li>Consider having the family live elsewhere for a few days.</li></ul><p dir="ltr" style="text-align:left;"><br></p><p dir="ltr" style="text-align:left;">Protests at executives' homes are disturbing and potentially dangerous. They cannot be prevented, but with careful research and planning, they can be managed.</p><p dir="ltr" style="text-align:left;"><em>Robert L. Oatman, CPP, is president of R. L. Oatman & Associates, Inc.</em></p>
https://sm.asisonline.org/Pages/Most-U.S.-Hospitals-Have-Not-Deployed-DMARC-To-Protect-Their-Email-Systems.aspx
Most U.S. Hospitals Have Not Deployed DMARC To Protect Their Email Systems
Category: Cybersecurity
<p>Only six of the 50 largest U.S. public hospitals are protecting their email domains from being seized by hackers attempting to trick patients into giving up their personal information, <a href="https://www.globalcyberalliance.org/global-cyber-alliance-finds-u-s-healthcare-providers-email-security-critical-condition.html" target="_blank">a new survey finds.</a></p><p>The survey from the <a href="https://www.globalcyberalliance.org/about.html" target="_blank">Global Cyber Alliance (GCA)</a>, a partnership started by law enforcement and research organizations, looked at 100 hospitals in the United States and surveyed them on their email security. It found that for-profit hospitals fared somewhat better as 22 of the top 48 have deployed the Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol in a limited capacity. <br></p><p>DMARC is an email-validation system designed to prevent email spoofing. The protocol is free to use, and prevents unauthorized users from creating fraudulent email accounts on an organization’s website domain.<br></p><p>“Only one of the hospitals using DMARC has it deployed at a level that prevents spam from being delivered to inboxes,” GCA said in a press release. “The remaining 27 hospitals using DMARC are still at the lowest level of deployment which monitors emails from their domain but does not prevent spam from being delivered to inboxes. Reasons for this can vary, including that these hospitals are early in the process of DMARC implementation. 
In the end, not one of the 100 hospitals scanned is experiencing the full benefits of DMARC implementation.”<br></p><p>This, together with the fact that healthcare providers hold terabytes of personal data from patients, means they are vulnerable to hackers, who often use email to gain access to organizations’ networks. <br></p><p>“Specifically, attackers are using phishing emails with malicious attachments to target valuable medical records stored on hospital networks,” GCA said. “These records include personally identifiable information such as home address and Social Security numbers.”<br></p><p>To help hospitals combat this threat, GCA released a new <a href="https://dmarc.globalcyberalliance.org/" target="_blank">DMARC Setup Guide</a> that walks security professionals through a step-by-step process to install DMARC. <br></p><p>“As cyber threats mount against healthcare providers, deploying DMARC is an essential solution to protecting their patients’ data privacy,” said Philip Reitinger, president and CEO of GCA. “The protocol has been proven effective, and deployment can reasonably be done by organizations of all sizes, making it an invaluable resource for hospitals who need to protect their patients’ digital health.”<br></p><p><em>For more on DMARC, read <a href="/Pages/Spoofing-the-CEO.aspx" target="_blank">“Spoofing the CEO” </a>from the October 2016 issue of</em> Security Management.<br></p>
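<p>Added example, not part of the GCA survey or the original article: a domain's DMARC policy is published as a DNS TXT record at _dmarc.&lt;domain&gt;, and its p= tag decides whether receivers only report on failing mail (p=none, the monitoring-only level the survey describes) or quarantine or reject it. The Python code below classifies records on that basis, following the RFC 7489 rules for missing, duplicate and malformed records; the hospital-*.example domains and their records are constructed sample data, and the level names are this example's own labels.</p>

```python
from collections import Counter
from dataclasses import dataclass, field

POLICIES = ("none", "quarantine", "reject")  # weakest to strongest


@dataclass
class Assessment:
    level: str                  # no-record | monitor-only | partial-enforcement | quarantine | reject
    policy: str = ""            # effective p= value
    subdomain_policy: str = ""  # effective sp= value (defaults to p)
    pct: int = 100              # share of failing mail the policy applies to
    notes: list = field(default_factory=list)


def is_dmarc(record):
    """A DMARC record must begin with the tag v=DMARC1."""
    name, _, value = record.split(";", 1)[0].partition("=")
    return name.strip().lower() == "v" and value.strip() == "DMARC1"


def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict keyed by lower-case tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags.setdefault(name.strip().lower(), value.strip())
    return tags


def assess(txt_records):
    """Classify the TXT strings published at _dmarc.<domain>."""
    candidates = [r for r in txt_records if is_dmarc(r)]
    if not candidates:
        return Assessment("no-record", notes=["no DMARC record published"])
    if len(candidates) > 1:
        # RFC 7489 6.6.3: more than one record means DMARC is not applied.
        return Assessment("no-record", notes=["multiple DMARC records; receivers apply none"])

    tags = parse_tags(candidates[0])
    notes = []
    has_rua = any(u.strip().lower().startswith("mailto:")
                  for u in tags.get("rua", "").split(","))
    policy = tags.get("p", "").lower()
    sp = tags.get("sp", policy).lower()
    if policy not in POLICIES or sp not in POLICIES:
        # RFC 7489 6.6.3: a bad p=/sp= with a usable rua is handled as p=none.
        if not has_rua:
            return Assessment("no-record", notes=["invalid p=/sp= and no rua"])
        policy = sp = "none"
        notes.append("invalid p=/sp=; handled as p=none because rua is present")

    pct = 100
    raw = tags.get("pct")
    if raw is not None:
        if raw.isascii() and raw.isdigit() and int(raw) <= 100:
            pct = int(raw)
        else:  # choice made in this example: fall back to the default
            notes.append("invalid pct ignored; default 100 applies")

    if policy == "none":
        level = "monitor-only"
        if not has_rua:
            notes.append("p=none without rua: no aggregate reports are collected")
    elif pct < 100:
        level = "partial-enforcement"
    else:
        level = policy
    if POLICIES.index(sp) < POLICIES.index(policy):
        notes.append("subdomains get a weaker policy (sp=%s)" % sp)
    return Assessment(level, policy, sp, pct, notes)


def survey(domains):
    """Tally enforcement levels across {domain: [TXT strings]}."""
    return dict(Counter(assess(records).level for records in domains.values()))


# Constructed sample data: TXT strings as they might appear at _dmarc.<domain>.
SAMPLE = {
    "hospital-a.example": ["v=spf1 -all"],
    "hospital-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@hospital-b.example"],
    "hospital-c.example": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@hospital-c.example"],
    "hospital-d.example": ["v=DMARC1; p=reject; sp=none"],
    "hospital-e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "hospital-f.example": ["v=DMARC1; p=rejct; rua=mailto:dmarc@hospital-f.example"],
    "hospital-g.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hospital-g.example"],
}

if __name__ == "__main__":
    for domain, records in SAMPLE.items():
        result = assess(records)
        print(domain, result.level, result.notes)
    print(survey(SAMPLE))
```

<p>In a real audit the TXT strings would come from a DNS lookup of _dmarc.&lt;domain&gt;; only the monitor-only, partial-enforcement and no-record results need follow-up.</p>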
https://sm.asisonline.org/Pages/Worse-Than-Hyperbole.aspx
Overpromising Security: Worse Than Hyperbole
Category: Security by Industry
<p><em>Total peace of mind.<br>Bulletproof protection.<br>The most qualified officers.</em></p>
<p>These phrases likely sound familiar—security firm websites are sprinkled with them. Security firms, like many businesses, spend ample time and resources building slick websites, buying prime ad space and building a social media audience, all to make the business stand out from its competitors. For the most part, that entails telling the world about your company's areas of expertise. There is nothing wrong with that. The trouble begins when seemingly benign marketing messages make claims that can never be substantiated or promises that cannot be kept.</p>
<p>Overpromising on a website is more than harmless rhetoric. To clients, you may look like you're making promises you cannot keep, and that can compromise your security firm. Simple statements that may seem at first glance merely boastful can establish expectations that are impossible to meet: Our guards offer the best possible protection. We guarantee your property is 100 percent safe in our care.</p>
<p>Security firms and officers may aspire to these zeniths, but they are as difficult to prove as they are to achieve. Some firms go so far as to make promises they have historically failed to keep, such as stating their officers are highly qualified and the best in the industry. If such a firm fails to subject new hires to routine background checks, the company may be put in a difficult position if a client accuses an officer of wrongdoing.</p>
<p><strong>Legal problems. </strong>Making difficult-to-prove promises creates problems when clients allege negligence or harm caused by officers. Such issues are unseen and often beyond the awareness of security firm leadership until a claim arises. That is understandable—Web copy does not constitute a contract. Yet it arguably creates expectations in customers and can put a security firm in an untenable situation when defending itself.</p>
<p>It is unlikely a firm will be taken to court simply for embellishing its successes in its Web copy. But consider this scenario: An officer was entrusted with protecting a mall where a patron was physically assaulted. That patron attempts to hold the security firm liable for the assault. His attorney can make a case that the website's promise of "total protection against harm" creates a service-level expectation that the firm or officer has failed to meet.</p>
<p>I have seen slogans and Web copy come into play in mediations. But if an attorney argues creatively enough to move a case past summary judgment, it may move to a jury trial. In many cases, jury trials result in higher settlements or unfavorable verdicts. Claims of being "the best" or "bulletproof" might sound irresponsible to a jury asked to determine whether a security officer was negligent.</p>
<p><strong>Underwriting concerns. </strong>Potential clients are not the only audience considering the promises that firms make on their websites. When receiving an application for insurance coverage, one of the first things insurance underwriters do is open a Web browser. They want to learn more about who the security firm says it can protect and how that matches up with reality: Does the website claim it protects any type of client? Does it claim specialization in high-risk areas like riot control?</p>
<p>Few security firms actually specialize in these areas, but some worry that they will miss out on potential clients by failing to name every possible specialty area. Still, if underwriters see a mention of a high-risk industry on a company's website, they may refuse coverage or offer it at a higher premium. It is better for firms to forgo descriptions of services they do not provide and have no intention of providing.</p>
<p><strong>Simple solutions. </strong>The solution to the problems of overpromising in digital marketing is simple and low-tech. I recommend a practice that we follow at my organization: get feedback. When developing a new campaign or website, the marketing team can involve all department heads and other internal experts. Those stakeholders can review written materials for factual accuracy and identify claims the company cannot substantiate. Review Web materials on a regular basis to ensure that they reflect any changes in service offerings.</p>
<p>Erring on the side of caution can go a long way. Refrain from embellishing qualifications or overpromising. The safest approach is to be realistic about what you are able to offer. A sprinkling of hyperbole may not hurt, but make sure any claims are grounded in reality. Consider how many companies claim to be the "largest" in their specialty area. Realistically, only one company can be the largest, but dozens claim to be. "One of the largest" is a more realistic assertion.</p>
<p>Claims involving Web copy and marketing may be covered under a commercial general liability insurance policy. But other coverages may or may not apply to specific problems caused by false claims in Web copy. For example, if a firm's website indicates that officers undergo thorough background screening, but they do not, the firm may be liable if an officer is involved in a theft. This may trigger crime coverage, if you carry it.</p>
<p>The ubiquity of business websites has made it easier to connect with potential clients, but it also makes it easier for the public to fact-check marketing messages. Every security firm has its strengths. By focusing on those unique fortes, firms can attract the right kind of clients without attracting difficult court cases and high settlements in the event of a lawsuit.</p>
<p><em>Tory Brownyard is the president of Brownyard Group, a program administrator that pioneered liability insurance for security guard firms more than 60 years ago. He can be reached at tbrownyard@brownyard.com or 1-800-645-5820.</em></p>
https://sm.asisonline.org/Pages/Book-Review-In-Pursuit-of-Foresight.aspx
Book Review: In Pursuit of Foresight
Category: Strategic Security
<p><strong>In Pursuit of Foresight: Disaster Incubation Theory Re-imagined. By Mike Lauder. Routledge; Routledge.com; 248 pages; $126.</strong></p>
<p>Disasters produce both winners and losers, but most of those affected lack the analytical skill to understand why. <em>In Pursuit of Foresight</em> explores the multiple fields of study that nibble at the edges of disaster and the individuals trapped in social structures that too often fail. It merits widespread attention.</p>
<p>Drawing on an earlier work by B.A. Turner, this book extends Turner's thinking and develops a tool that security professionals, disaster management professionals, and risk managers can use to anticipate possible future disasters. Building on disaster incubation theory, author Mike Lauder develops a three-dimensional framework useful in developing foresight. He offers varied examples of practical usage and illustrates how updated thinking can help to avoid mistakes of dysfunctional organizational momentum. Lauder also discusses the plowman effect, which is the unintended adverse consequences of plans in place, as well as practical drift, which is the efficacy of standards and precautions reduced over time as the environment changes. Its advanced concepts use many critical thinking and emerging innovation techniques that are found today in big data analysis and analytics.</p>
<p>Overall, the book provides real-life information, informative theories, and concepts. It offers advice on what to expect and how to prepare for an emergent situation. However, it is not a quick read. This book is an excellent text for disaster management professionals and anyone who is looking for a comprehensive all-hazards type text that discusses disaster mitigation. In addition, it provides a clear look at the policy process and how it works or, as is often the case, doesn't work.</p>
<p>This comprehensive book on disaster management includes case studies and useful updates on matters that readers will find useful in transmitting the core elements of disaster management. The critical thinking elements are relevant and helpful to those looking for an overview of disaster theory, and those who are seeking clarification of the concepts employed in the discipline. The book provides foundational information while actively engaging readers to gain a deeper understanding of the material, encouraging them to contemplate and learn more, rather than simply absorb what is given to them. The readings for each chapter create a climate for active learning, emphasizing the importance of what's being learned and how it can be applied.</p>
<p>In whole or in part, this book will help the public, public safety personnel, and policy makers understand why disaster policy too often is short-sighted and poorly implemented. This impressive work of scholarship makes an important contribution to disaster studies and would be an excellent text for graduate courses. Further, because the book is detailed, interdisciplinary, and reflects a broad perspective, it adds to the body of knowledge in disaster studies and theoretical research.</p>
<p><em>Reviewer: Dr. Mark H. Beaudry, CPP, is a frequent reviewer for Security Management and a member of ASIS.</em></p>
https://sm.asisonline.org/Pages/EU-Needs-Comprehensive-Strategy-To-Address-Cybersecurity-Risks,-Think-Tank-Finds.aspx
EU Needs Comprehensive Strategy To Address Cybersecurity Risks, Think Tank Finds
Category: Cybersecurity
<p>The European Union needs a strategy for addressing cybersecurity risks and empowering its digital security agency, according to a new report by a European think tank.</p>
<p>The report, <em><a href="http://www.epc.eu/documents/uploads/pub_7739_europeancybersecuritypolicy.pdf" target="_blank">European cybersecurity policy—Trends and prospects,</a></em> by Iva Tasheva, a junior policy analyst at the European Policy Centre, found that recent cyberattacks, such as the WannaCry ransomware attack, are exploiting EU critical infrastructures' computer systems.</p>
<p>WannaCry "enabled hackers to lock (encrypt) the victims' computer files until they paid a ransom," the report explained. "It spread within a few hours, affecting 200,000 computers, compromising the security and preventing the work of critical infrastructures, such as hospitals (National Health Service), public transport (Deutsche Bahn), banks (Deutsche Bank), service providers (Telefónica), delivery services (FedEx), and businesses across the globe."</p>
<p>To prevent future cyberattacks from having a similar impact, the report argues that the EU needs to create a risk management framework that assesses the risks of cyberattacks, analyzes the appetite for risk—and the acceptable level of risk—and supports the creation of mitigation tools for that risk.</p>
<p>The EU has the opportunity to do this, the report says, in September when it will update its Cybersecurity Strategy.</p>
<p>"Based on achievements so far, this will be an opportunity to reflect on cybersecurity threats' evolving nature and address persisting issues related to resilience, capacity, and cooperation," according to the report. "To achieve these goals, the EU should live up to its ambition and keep cybersecurity high on the policy agenda, while being realistic given legal and technical limitations."</p>
<p>The report also calls for the EU to take action on six areas:</p>
<ol><li><p>Work across silos</p></li><li><p>Reduce Single Market fragmentation</p></li><li><p>Manage cybersecurity risks</p></li><li><p>Raise awareness to develop skills</p></li><li><p>Strengthen the role of the European Union Agency for Network and Information Security (ENISA)</p></li><li><p>Strengthen the EU-NATO and international cooperation</p></li></ol>
<p>"The initiatives outlined in this paper, alongside other measures in the pipeline, would help the EU to improve its resilience, build capacity, and strengthen the internal and international cooperation on cybersecurity issues," the report explained. "These are needed to improve information and systems' security, tackle cybercrime, counter cyberespionage and attacks on critical infrastructure, and improve citizens' security online."</p>
https://sm.asisonline.org/Pages/Trade-Secret-Asset-Management-2016.aspx
Trade Secret Asset Management 2016
Category: Strategic Security
<p><strong>Trade Secret Asset Management 2016: A Guide to Information Asset Management Including the Defend Trade Secrets Act of 2016. By R. Mark Halligan and Richard F. Weyand. Weyand Associates, Inc.; available from amazon.com; 270 pages; $19.95.</strong></p>
<p>While this book is an excellent guide for the decision maker with responsibility for protecting intellectual property using trade secret provisions, that mission should not be considered a do-it-yourself endeavor. The services of security professionals in both traditional security and information assurance arenas are necessary to adequately translate the concepts and principles discussed in the book into actionable protection measures. Coordination with an attorney knowledgeable in trade secret law would also be prudent. The authors acknowledge they are not discussing "specific methods of information security," because "the recommendations would be obsolete before this book is even published."</p>
<p>Defining the two goals of trade secret security measures—prevention of information loss and a favorable result in the event of trade secret litigation—the authors contend that the latter goal is typically where organizations fail. They go on to discuss the establishment of the burden of confidentiality, valuation of intellectual assets or trade secrets, and lifecycle management.</p>
<p>Even if security around trade secrets is highly effective, managers must also be vigilant to ensure that they are not liable for the inappropriate actions of employees, which could result in high litigation costs. Special attention needs to be paid regarding the hiring of new employees, especially from direct competitors. Compartmentalization and documentation of specific projects or information accessed and shared with an individual employee could be critical in defending against unlawful appropriation of a competitor's information. Further, it is the employee's responsibility to bring questionable or inappropriate situations or assignments to the attention of the new employer.</p>
<p>Many organizations are careless with the information they publicly release, allowing it to be collected, analyzed, and possibly exploited by those practicing competitive intelligence techniques. However, competitive intelligence practitioners may correctly argue the difference between lawful analysis and criminal theft of trade secrets.</p>
<p>Overall, the book's visual presentation is professional with quality materials and clear typeset. There is a table of contents by topic, but the book lacks an index. There are no footnotes, references, or a bibliography. Four primary sections are further divided into 16 chapters, each beginning with an executive summary and ending with a summation. Five appendices provide applicable laws, important cases, a checklist of materials that could be potential trade secrets, and sample formats for a nondisclosure agreement and employee exit interview.</p>
<p>This book is recommended for business managers responsible for intellectual property protection, as well as security professionals desiring a roadmap for this critical area of asset protection. The book could also be used as a primary or supplemental textbook in college courses focusing on the prevention of loss of intellectual property and security management considerations.</p>
<p><em>Reviewer: Paul D. Barnard, CPP, CISM (Certified Information Security Manager), SFPC (Security Fundamentals Professional Certification), is an adjunct professor in loss prevention and security management programs. He has been a member of ASIS International since 1975. The opinion expressed is solely that of the reviewer, and does not imply a view of any organization.</em></p>
https://sm.asisonline.org/Pages/UN-MUSEO-DEL-MUNDO-Y-PARA-EL-MUNDO.aspx
A Museum of the World and for the World
Category: Physical Security
<p>On a rainy morning in early spring, a group of security professionals made their way along Great Russell Street in London's fashionable and lively Bloomsbury neighborhood. They passed bollards that keep vehicles apart, entered through the gate of a tall black iron fence, and crossed a vast courtyard to reach a neoclassical building dating from the Georgian era.</p>
<p>After a security screening, the visiting professionals crossed the Queen Elizabeth II Great Court with its soaring roof, formed of blue glass tiles. Previously the open-air courtyard outside the British Library's reading room, the area was remodeled in 2000 to become an epic space worthy of the treasure housed in the surrounding galleries.</p>
<p>“The British Museum is of the world and for the world,” David Bilson, CPP, head of security and visitor services, told the security professionals gathered for a special program in the BP Lecture Theatre of the Clore Education Centre. It was the day before the opening of the ASIS International 15th European Security Conference and Exhibition, of which Bilson was the host and first presenter. “People sometimes think the museum is about the history of Britain, but it is not,” he explains. “It is about the history of humanity.”</p>
<p>Just some of the priceless objects the British Museum cares for are: the Rosetta Stone, a rock stele with the same inscription in three languages, which helped decipher Egyptian hieroglyphs; the treasure from the remains of the Anglo-Saxon Sutton Hoo ship burial; the classical Greek Parthenon sculptures; enormous granite heads from the Ramesseum temple in Thebes, Egypt; the 12th-century Lewis Chessmen; a giant figure from Easter Island (Hoa Hakananai’a); and a pair of human-headed winged bulls from Khorsabad, Iraq, dating from around 710 BC (in February 2015, Islamic State extremists destroyed a similar pair in the ancient city of Nineveh).</p>
<p>At the museum, Bilson said, “we present objects dating from two million years ago to the present day, in a collection we continue to build.” The 18th-century physician and entrepreneur Dr. Hans Sloane laid the foundation for the collection. Upon his death in 1753, he bequeathed everything to King George II. A public lottery raised the funds for the construction of the original building. “We welcomed our first visitors here in 1759, so this is our 257th birthday,” Bilson added. Since then, the museum has grown to house more than eight million objects.</p>
<p>“We are one of the nation's treasure houses,” Bilson told his audience. “We currently receive 6.8 million visitors a year, which makes us the leading visitor attraction in the United Kingdom, and I do not say that lightly, because it brings us major security and public safety issues. We are one of London's ‘crowded places,’ so we have significant security risks.”</p>
<p>Art thieves are also a threat. For example, auction prices for Chinese art have soared, allowing thieves to easily sell stolen objects on the black market. In 2012, London's Metropolitan Police, New Scotland Yard, intercepted a gang that was targeting items in one of the site's public galleries. Working with law enforcement is a key aspect of security operations at the museum.</p>
<p>In addition, Bilson said the museum “is a place that transforms at night. If you stand in the museum's front hall at 5 or 6 p.m., you will see all my security colleagues escorting visitors out and thanking them for coming. At 6 p.m., all the contractors come in, and five minutes before 7, the whole place is transformed with tables for dinners or corporate events… which for us is another demand on the security services we provide.”</p>
<p>Later that same day, the visiting security professionals witnessed such a transformation when the Egyptian Sculpture Gallery hosted an ASIS reception. The various aspects of the museum's security program were present and operating throughout that time, but even to the invited security practitioners they were imperceptible.</p>
<p>Afterward, Bilson sat down with Security Management to discuss the museum's security program and its range of security concerns.</p>
<p><strong>Landscape.</strong> The security context has changed tremendously for all museums, Bilson says, citing as examples the attack on the Jewish Museum in Brussels in May 2014, the foiled raid on the Louvre in Paris, also in 2014, and the March 2015 attack on the Bardo National Museum in Tunis.</p>
<p>Over the past four years, the British Museum has invested in several aspects of its security infrastructure. One part of the investment was completed in April 2016 when security staff upgraded their communications: “we switched to a new digital radio system with much better coverage across our different locations,” Bilson says.</p>
<p>Vehicle defenses were also put in place. “I hope that when you came in through the front entrance this morning, you admired our vehicle standoff bollards, which are a significant improvement to our resilience,” he adds.</p>
<p>In 2013, the museum became a construction zone with the creation of the World Conservation and Exhibitions Centre in the northwest corner of the estate. It comprises scientific laboratories, office facilities, and a large exhibition hall, “which gives us a much larger and more flexible space than we have ever had, and in the basement we have a secure area for storing the collections,” he says.</p>
<p>Security was involved in the design of the new facilities, Bilson notes. “In fact, we have stepped up our security in large part because of the nature of that building. That has become our benchmark for security across the rest of the estate. It integrates all our modern camera, alarm, and access control technology, and now the new radio system.”</p>
<p><strong>Guard Force.</strong> Since the Great Court was built 16 years ago, the museum's annual visitor numbers have soared by almost 3 million people. “We are delighted to receive more visitors but, of course, this affects our operations; we want to make sure visitors have an enjoyable and safe experience,” Bilson says.</p>
<p>Guidance on event management in the United Kingdom has also changed. This led to a modernization (still under way) of the guard force, which consists of 300 full-time in-house officers. “We are looking to take the best of that guidance, as well as raise security standards for all our officers, to reach a high level of professionalism,” he adds. “They are all excellent people, and we want to keep bringing them toward new ways of working.”</p>
<p>“In the United Kingdom, there are two categories of security officers: they can be in-house if they are working in your organization and on your premises, but if you provide a security service to a third party… you must be licensed,” he explains. “For the moment we are also using licensed support staff while we carry out our improvements.”</p>
<p>The museum has a central security control room staffed 24 hours a day. “They do not only carry out security surveillance; they also watch over the building systems and the condition in which the site is left overnight, while fulfilling their primary function of protecting the collection,” he notes.</p>
<p><strong>Bag Screening.</strong> While terrorism is a key threat to the museum, “The biggest security challenge affecting us at the moment is visitor screening,” Bilson says. “It is not exactly something I relish. We are working hard to improve it, but it is a challenge when 20,000 visitors come in on a single day and can arrive at any time, so we have certain peaks of high demand. More than 50 percent of them carry some kind of bag or backpack.” Screening was stepped up at the museum, resulting in an increase in the discovery of weapons.</p>
<p>“Of course, most of our visitors are law-abiding and are here to enjoy the collection,” he says. “But I was surprised that a minority had brought inappropriate objects that could pose certain risks.”</p>
<p>To ensure that the museum can protect itself from weapons brought in baggage through the entrances, new screening facilities were recently installed outside the building. Executive management supports decisions like this. “We have great support here. The board that oversees the museum's operations is in favor of doing more on security, but keeping a balance,” Bilson explains. “We want visitors to know they are entering a safe space, but also that they are coming into a friendly experience.”</p>
<p><strong>Perimeter Security.</strong> Bilson says perimeter security changes depending on the state of the museum at different times of day.</p>
<p>For example, he explains that when the museum is completely closed at night, they have “a clear definition of boundaries from the layout of the walls and railings. These boundaries are protected by technology 24 hours a day. We use a wide range of technological measures, whether intrusion detection, surveillance, locks, or access control.”</p>
<p>When the site opens, the perimeter becomes open, but with limits for the public, he says. “There are different layers of defense within the site.” When visitors leave, the perimeter hardens again. “When explaining this to staff, I tell them we act the same way as an airport: airside, which is the secure side, and landside,” he explains. “So the status of areas within the museum changes, but in general terms the ‘backstage’ area remains secure 24 hours a day, 7 days a week.”</p>
<p>Advance planning and coordination between security staff and museum staff are “extremely important,” he says. “We work very hard with facilities management and with the organization of each event to think things through at different levels of detail.”</p>
<p><strong>Protecting the Collection.</strong> The museum's security staff protects its collection in much the same way a business protects its own assets. “Security technology helps, but we also need the intervention of people,” Bilson says.</p>
<p>As in all major museums, large temporary exhibitions are staged there, such as Life and Death: Pompeii and Herculaneum, which attracted 400,000 visitors over most of 2013; and the most recent, Sunken Cities: Egypt’s Lost Worlds, which closed in November and broke attendance records.</p>
<p>The arrival and departure of special exhibitions is constant, and security plays an important role. Before loans are made to the museum, “we have to give lenders a report on the quality of our environmental and security processes,” Bilson says.</p>
<p>The museum also lends artifacts and even large collections to other museums around the globe. “We apply all our own security standards at the site an exhibition goes to,” he explains. “Sometimes this is a learning experience for those receiving the loan, and we try to help them bring their level of security up to such a standard that in the long run they can have a more secure establishment for themselves and can receive loans from even more collections around the world.”</p>
<p><strong>Travel.</strong> “The museum is constantly changing, always feeding on new ideas and things to do,” Bilson says. “It is a busy organization that is continually studying, researching, and evolving.”</p>
<p>Bilson says the policies and procedures relating to staff working abroad were nowhere near as robust as they should have been. An incident involving museum employees in another country caused the museum to reconsider the matter. “We asked ourselves, ‘Where are our people today? Do we know which country they are in? Are they insured? Have we thought about their safety and the measures that have been taken?’” he explains.</p>
<p>Bilson discovered that there were services complementary to the museum's insurance and travel services that had not previously been used, including “risk reports, country briefings, access to services we thought we might someday need… We now make emergency plans in case we have to bring teams back from abroad,” he says. “We put in place a good personal emergency plan for everyone, good home-side support from London, and risk assessments, advising staff before they leave.”</p>
<p><strong>Partnerships.</strong> The museum actively partners with the police, “whether at the operational or counterterrorism level, intelligence services, or security design advisors,” Bilson says. “We have strong links with specialists in art and antiquities crime. We have the National Museum Security Group, and more recently we set up a European roundtable with security directors so that we can connect with colleagues. After the terrorist events in Paris and Brussels, we supported our allies through that group, exchanging advice and helping them with things to do in their museums.”</p>
<p>Security also works with the patrol teams that operate around the site. In addition, the museum engages with its neighbors, involving them in emergency plans and notifying them of special events that could affect them, such as when Night at the Museum was filmed on site or when films are screened on the outside lawn on summer evenings.</p>
<p>Bilson says that as a case study, security at the British Museum is special because it houses a world collection that must be protected along with a large number of visitors and staff, plus a 200-year-old historic building.</p>
<p>While the museum does not talk in detail about its security systems, Bilson stresses, visitors want to know that security is in place. “Peaceful, law-abiding visitors are looking for that kind of protection,” he says. “When we screen their bags, we are thanked for doing so, and we know it gives them relief.”</p>
https://sm.asisonline.org/Pages/Most-Companies-Take-More-Than-A-Month-To-Detect-Cyberattackers.aspx
Most Companies Take More Than A Month To Detect Cyberattackers
<p>It took companies an average of 38 days to detect attackers responsible for data breaches between 2014 and 2016, according to a new report published Friday by the Aberdeen Group. </p><p>“This means that in half of the successful data breaches, detection by the defenders took five to six weeks or less,” the report said. “In the other half, detection took as long as four years.”<br></p><p>The findings come from <a href="https://www.mcafee.com/resources/reports/rp-aberdeen-cybersecurity-2017.pdf" target="_blank">Cybersecurity: For Defenders, It’s About Time</a>, a report from the Aberdeen Group sponsored by McAfee that leveraged data from Verizon’s Data Breach Investigation Report to determine “dwell times,” or the total time attackers had in a defender’s network before being detected. <br></p><p>“Time has become a critical capability in being able to extract the business value enterprises want from their data and computing infrastructure, as well as to protect the business value that has already been created,” wrote report author Derek E. Brink, CISSP, vice president and research fellow at Information Security and IT GRC. “In multiple areas of cybersecurity, time is currently working in favor of the attackers—and time is the strategic advantage that the defenders need to regain.”<br></p><p>For instance, Aberdeen’s research found that the business impact of a data breach is greatest at the beginning of an exploit. 
<br></p><p>“Capabilities for faster detection and response reduce the business impact of a successful breach,” according to the report’s <a href="https://www.mcafee.com/us/resources/reports/rp-aberdeen-cybersecurity-2017-summary.pdf">executive summary</a>. “Indeed, by incorporating this assumption into Aberdeen’s…analysis, it turns out that responding twice as fast to data breaches can lower the business impact by about 30 percent.”<br></p><p>To help companies, the report focused on four examples of how recapturing a time advantage—reducing time to detection and response—impacts four areas of cybersecurity: data protection, incident response, cloud security, and endpoint security. <br></p><p>The report suggested that moving forward, companies should “prioritize investments in capabilities that are aligned with the current reality of threats and vulnerabilities.” <br></p><p>These include focusing on capabilities that reduce the likelihood and business impact of cyberattacks while decreasing time to detection and response, that maintain the productivity of users, and that increase the productivity of defenders.<br></p><p>For more on time to detection of cyber incidents, read <a href="/Pages/An-Integrated-Defense.aspx">“An Integrated Defense”</a> from the November 2016 issue of Security Management.<br></p>
https://sm.asisonline.org/Pages/Power-Play---Resilience-and-Infrastructure.aspx
Power Play: Resilience & Infrastructure
<p>Standardization is often seen as a positive in modern society, but there are risks in creating a monoculture—a homogenous culture lacking diversity—especially in cyberspace. </p><p>In a paper published in 2003 by the Computer & Communications Industry Association, a team of researchers outlined the risks of a Microsoft monopoly on global cybersecurity. A majority of the world’s computers at the time were running Microsoft’s operating system, so they were vulnerable to the same kinds of viruses and worms.</p><p>“Because Microsoft’s near-monopoly status itself magnifies security risk, it is essential that society become less dependent on a single operating system from a single vendor if our critical infrastructure is not to be disrupted in a single blow,” the authors of CyberInsecurity: The Cost of Monopoly said. “The goal must be to break the monoculture.”</p><p>The authors suggested that governments create policies and regulations that would require critical infrastructure operators to diversify the operating systems they were using, thereby preventing a single virus from wreaking global havoc.</p><p>In 2010, two of the authors wrote an essay explaining that their views on the monoculture threat had changed. One reason for their change in perspective was that, in 2003, they had assumed that the IT monoculture was relatively simple, but it’s not. 
</p><p>“Two computers might be running the same [operating system] or applications software, but they’ll be inside different networks with different firewalls and [intrusion detection systems] and router policies; they’ll have different antivirus programs and different patch levels and different configurations, and they’ll be in different parts of the Internet connected to different servers running different services,” wrote Bruce Schneier, now chief technology officer at IBM Resilient, for Information Security magazine. “That’s one of the reasons large-scale Internet worms don’t infect everyone—as well as the network’s ability to quickly develop and deploy patches, new antivirus signatures, new IPS signatures, and so on.” </p><p>The risks of a monoculture on critical infrastructure were brought to light outside of cyberspace in December 2015 when Ukraine’s electric grid was hit by a cyberattack, leaving approximately 225,000 people without power. Ukraine recovered, but was hit by another cyberattack in the fall of 2016, which again cut the power.</p><p>The electric grid in Ukraine, as in most of eastern Europe, was created when it was part of the Soviet Union. Ukraine’s system was standardized and designed to operate exactly the same way, across the board. Since Ukraine became an independent nation in 1991, it has built some diversification into its electric grid. </p><p>“But the culture, the thinking, the older system are all fairly standard across the country and look just like Russia—its adversary to the east—because it was all built on the old Soviet model,” says Marcus Sachs, CSO of the North American Electric Reliability Corporation (NERC). 
“That becomes a weakness when you repeat things and you don’t have diversity in thinking, and diversity in the way you run stuff.”</p><h4>The Ukraine Attack</h4><p>On December 23, 2015, three Ukrainian regional electrical distribution centers—called oblenergos—went down within 30 minutes of each other, cutting power to approximately 225,000 people. The cause of the outage: a coordinated cyberattack that was the first publicly acknowledged attack to result in a power outage.</p><p>The oblenergos were forced to use manual operations to restore power to the electric grid and restored power quickly after an initial outage of several hours. However, the impacted oblenergos continued to run their distribution systems in an “operationally constrained mode,” according to Analysis of the Cyber Attack on the Ukrainian Power Grid, issued by SANS Industrial Control Systems and the Electricity Information Sharing and Analysis Center (E-ISAC).</p><p>After restoring power, Ukraine worked with security vendors and government partners—including the U.S. Department of Homeland Security (DHS) and NERC—to investigate how the cyberattack was carried out.</p><p>They discovered that the attackers used spear phishing emails sent to administrative or IT network operators to gain access to the oblenergos’ business networks. The emails included an attachment—an Excel spreadsheet—that was embedded with BlackEnergy malware that, once opened, installed Secure Socket Shell backdoors on the oblenergos’ networks.</p><p>These backdoors allowed the attackers to gather information on the environment and enable access to other areas of the network more than six months before the December 23 attack. </p><p>“One of their first actions happened when the network was used to harvest credentials, escalate privileges, and move laterally through the environment,” the analysis says. 
“At this point, the adversary completed all actions to establish persistent access to the targets.”</p><p>The attackers used these stolen credentials to pivot into network segments where supervisory control and data acquisition (SCADA) dispatch workstations and network segments were located. Using these connections, the attackers learned how to interact with the oblenergos’ distribution management systems (DMSs) and developed malicious firmware to use later.</p><p>They gained access to the oblenergos’ industrial control systems (ICS) components, and installed malicious software—called KillDisk—across the environment. The attackers then combined their work to execute the attack, opening the oblenergos’ breakers and taking at least 27 substations offline. They also uploaded the malicious firmware they had created to prevent operators from using remote commands to bring the substations back online.</p><p>“During the same period, the attackers also leveraged a remote telephonic denial-of-service attack on the energy company’s call center with thousands of calls to ensure that impacted customers could not report outages,” the analysis says. “Initially, it seemed that this attack was to keep customers from informing the operators of how extensive the outages were; however, in review of the entirety of the evidence, it is more likely that the denial of service was executed to frustrate the customers since they could not contact customer support or gain clarity regarding the outage.”</p><p>The analysis authors also note that the power outage was not caused by BlackEnergy, the backdoors, KillDisk, or the malicious firmware. 
Instead, these components of the attack were used to access the oblenergos’ systems and then delay the restoration of power.</p><p>“However, the strongest capability of the attackers was not in their choice of tools or in their expertise, but in their capability to perform long-term reconnaissance operations required to learn the environment and execute a highly synchronized, multistage, multisite attack,” according to the analysis.</p><h4>Why Ukraine? </h4><p>No one has claimed responsibility for the attack on Ukraine’s electric grid. Ukraine’s Security Service has pointed a finger at Russia, but has not offered publicly available evidence to corroborate that claim.</p><p>However, there are many reasons that an attacker would see Ukraine as an attractive target for this kind of cyberattack, says Ernie Dennis, a cyber intelligence analyst at the Retail Cyber Information Sharing Center who was formerly with Arbor Networks.</p><p>Russia annexed part of Ukraine—Crimea—in 2014 and has stationed military troops along the border of eastern Ukraine since then. After the annexation occurred, there was not a great deal of pushback from the European Union or the United States, except in the form of sanctions. </p><p>If Russia had been developing the ability to conduct a cyberattack on an electric grid, and wanted to test the method and face few consequences for doing so, targeting Ukraine might be a good idea, Dennis says.</p><p>“Ukraine makes a great playground to test your neighbor’s resiliency to push more boundaries,” he explains. 
“If [the attackers] were to have done this in a legitimate European Union nation or a NATO ally, there’s a whole lot of other concerns that they have to worry about.”</p><p>Those concerns include being able to stay on the distributor’s network, facing a more robust defensive posture, and retaliation.</p><p>“But if you muck around in a country you’re already playing around in, and you haven’t had any issues, why not push it a little bit further and see what else you can get away with?” Dennis adds.</p><p>His thinking is in line with findings from Booz Allen Hamilton, which released the report When the Lights Went Out: A Comprehensive Review of the 2015 Attacks on Ukrainian Critical Infrastructure. The report says the December 2015 cyberattack was just the latest in a series of attacks.</p><p>“This long-running campaign likely reflects a significant, concerted effort by a single threat actor with a well-organized capability and interest in using cyberattacks to undermine Ukraine’s socio-political fabric,” the report says. </p><p>For instance, other cyberattacks were carried out against Ukraine’s electric sector, railway sector, television sector, mining sector, and regional government and public archives beginning in 2014. BlackEnergy—the malware used in the December 2015 cyberattack—was used in some of these previous attacks.</p><p>These attacks could have been undertaken to send a message because they were not designed to provide the attackers with a financial return, says the report.</p><p>“While politically motivated cyberattacks are not a novel foreign policy tool, the industries and organizations that serve as potential targets are expanding,” the report says. “Cyberattacks present a powerful political tool, particularly those against critical infrastructure providers. 
Industrial control systems operators are not above the fray in geopolitical rows, and may in fact be the new primary target.”</p><h4>What the Hack Means for Defenders</h4><p>While it’s not definite who was behind the December 2015 cyberattack, the culprit was well-resourced, well-organized, and able to identify the biggest points of failure in Ukraine’s electric grid system: the operator’s security posture that allowed remote access to the control environment without two-factor authentication.</p><p>The attack also marked an escalation from previous destructive attacks that targeted computers and servers—like the Saudi Aramco hack in 2012 and the Sony Pictures attack in 2014.</p><p>“Several lines were crossed in the conduct of these attacks, as the targets could be described as solely civilian infrastructure,” the SANS report found. “Historic attacks, such as Stuxnet [attack on Iran’s nuclear program]…could be argued as being surgically targeted against a military target.”</p><p>Some areas of the world also might be at greater risk of a similar type of cyberattack, Dennis says.</p><p>“If someone really wanted to affect Africa and take out the power, I believe that they would have similar success to what they did in Ukraine,” he explains. “The reason why the United States and the European Union are so headstrong about their power infrastructure is because they know for a fact that they’ve taken the time, money, and effort to make it robust and secure, in light of ongoing thoughts of doom and gloom that it could happen any day.”</p><p>A destructive cyberattack has not hit U.S. critical infrastructure, but in fiscal year 2015, members of the U.S. 
energy sector reported 46 cybersecurity incidents to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), according to the Booz Allen report.</p><p>“ICS-CERT does not publish a breakdown of the types of incidents by sector, but it revealed that 31 percent of total incidents reported across all sectors involved successful intrusion into operators’ assets, a third of which included accessing control systems,” the report says. </p><p>One of the few disclosed incidents was a BlackEnergy campaign that the U.S. government suspected was sponsored by the Russian government. However, the campaign did not attempt to “damage, modify, or otherwise disrupt” the electric grid.</p><p>This type of campaign is in line with the findings from a DHS Office of Intelligence and Analysis intelligence assessment that found that the “threat of a damaging or disrupting cyberattack against the U.S. energy sector is low.”</p><p>Nation-state cyber actors are targeting the U.S. energy sector enterprise networks, the report found, but mainly to conduct cyber espionage.</p><p>“The APT activity directed against sector industrial control system networks probably is focused on acquiring and maintaining persistent access to facilitate the introduction of malware, and likely is part of nation-state contingency planning that would only be implemented to conduct a damaging or disruptive attack in the event of hostilities with the United States,” the assessment says. </p><p>The DHS analysis was released in the spring of 2016, and DHS did not respond to requests for an updated threat analysis for this article. </p><p>However, other experts doubt that an attack—like the one against Ukraine—would be effective against the U.S. 
or Canadian electric grids because regulators have taken steps to address cyber risks to the grid.</p><p>In 2006, NERC started the effort to create reliability standards for cybersecurity for the North American bulk power system, which is a major target with more than 450,000 miles of high voltage transmission lines and more than 55,000 transmission substations, says Brian Harrell, CPP, director of security and risk management for Navigant Consulting and former director of critical infrastructure protection programs at NERC.</p><p>“NERC and the industry have gone through multiple iterations of mandatory Critical Infrastructure Protection Standards (CIPS) that focus on security protections,” Harrell says. Not complying with these standards can result in fines of up to $1 million per day, per violation. </p><p>And, Harrell adds, “it’s important to remember that these are minimum standards, and should be looked at as a baseline from which to improve. Utilities should constantly be assessing their systems, patching their software, and testing their recovery procedures.”</p><p>Also aiding the United States in preventing a similar attack from being effective is a robust information sharing system between NERC, the E-ISAC, the federal government, and the private sector. </p><p>“Over the past few years, DHS, the FBI, and the U.S. Department of Energy have made considerable strides in improving information sharing and giving classified access to intelligence products, such as bulletins, alerts, and secret-level briefings,” Harrell says. “These data points have been used to mitigate threats, reduce risk, and update internal security policies.”</p><p>This system exists in the United States and NERC is working with the Canadian government and Canadian power companies to create a similar information sharing network, Sachs says. 
</p><p>However, Sachs says it’s important that these information sharing centers remain a voluntary practice for private companies to participate in.</p><p>“There’s very little critical infrastructure that’s government owned, and that’s frustrating because you can’t really demand the private sector share with the government, because if you do that, they will only share the bare minimum required to meet the law,” Sachs explains. “You want to encourage voluntary sharing, that way they’ll share more.”</p><p>To help bolster the electric grid in the United States and Canada, NERC has sponsored four biennial exercises, called GridEx, to provide utility operators with the opportunity to demonstrate how they would respond to and recover from a simulated coordinated cyber and physical security threat. </p><p>The first exercise took place in November 2011, and NERC will hold its next exercise—GridEx IV—in November 2017. NERC will provide participants with a detailed scenario that grid operators can then adapt to their own training needs, Sachs says.</p><p>“We try to build an exercise that stresses the operator community, makes them think about how they would respond and not so much looking into how the electricity is turned off,” Sachs says. “This helps eliminate people reading into a scenario and saying, ‘Well, that physically can’t happen.’”</p><p>But the final factor that bolsters North America’s electric grid security is the fact that it is a mostly privately owned and operated system that is diverse, despite its regulatory framework.</p><p>“Even though we may agree on what the outcome needs to look like, we will allow an asset owner to have maximum flexibility in designing a system that can achieve that outcome,” Sachs says. 
“So then you have all these different approaches, and a bad actor who is trying to get in, if he finds success somewhere, that success isn’t necessarily going to work elsewhere because the approaches were different.”</p><p>The North American system wasn’t initially designed to be diverse, Sachs says, but was instead designed to be resilient and adapt to problems.</p><p>“What tends to work here is you adapt the design of the grid to the local conditions, and working on our behalf in North America is the culture in the U.S. and Canada of diversity—a culture that says, ‘It’s okay to do things differently. We don’t have to be uniform, by the book, precise,’” Sachs says. </p><p>And this diversity in the design and implementation of security makes the North American grid more secure, Sachs says, because an attacker couldn’t use the exact same approach to take down multiple aspects of the grid.</p><p>“But that also doesn’t mean we turn off our vigilance,” Sachs adds. “When we’re up against a thinking enemy—a human mind—the defenders have to be on the lookout for new methods on the attacker side and never let their guard down. They have to use the strengths they have, and diversity is one of those big strengths.” </p><br>
https://sm.asisonline.org/Pages/Mentor-and-Me.aspx
Mentor & Me
<p>As security practitioners, learning from our own mistakes can be costly. “We are all just one bad day away from termination,” is how a colleague once summarized our condition. The remark was an all-too-true reminder that security managers cannot make mistake after mistake and still hope to remain successful in the profession.</p><p>With that in mind, stepping up to lead a security operation can be a frightening experience, especially for a young professional making his or her debut as a leader. I certainly felt my share of anxiety when I assumed the role of contract security manager at a large community college in 2008.</p><p>At the time, the media seemed to feature a new story every week about a tragedy in a mall, workplace, school, or other public space where lives were lost or forever changed. Each time, I would follow the story and try to understand exactly what happened from a security point of view. Would my own program have fared any better—or would it have resulted in tragedy and my termination?</p><p>Fortunately for me, I was not alone. I had a mentor, who took the time to help me develop into a seasoned security professional. Through mentorship, a new security manager can experience professional situations and even make decisions that turn out to be wrong without suffering the consequences of on-the-job mistakes. Such an opportunity is invaluable, because having a safe space to fail is crucial for professional growth and skill development.</p><h4>Explore Compatibility</h4><p>Mentorship is a symbiotic partnership between an expert and a novice in which knowledge and trust are equally shared. 
But finding a good mentor can be tricky; it requires finding a veteran manager with both significant expertise and a passion for sharing it.</p><p>Professional security organizations, such as ASIS International, are a great place to turn when looking for mentors within the industry. In addition, a security manager’s employing organization may have a formal mentorship program. However, formal permission from anyone outside yourself and the expert you wish to learn from should never be necessary to begin a mentorship relationship.</p><p>In my case, the expert was George, the security director of the community college where I was working as a contract security manager. The college hired George about a month before I was hired; in fact, my start date was delayed a bit so he could settle in first, and have a chance to interview me.</p><p>Prior to George’s arrival, one of the college’s vice presidents was charged with overseeing the security program at the college. But a security assessment conducted by an outside contractor led the college to hire a new security director—George—to build up a standalone security department. I was brought in as a permanent contract security manager for the account. The security firm made me an informal offer shortly before George arrived; the offer was conditional on a successful interview with George, which would constitute final approval.</p><p>As it happened, George and I used our initial interview to have a far-ranging and comfortable conversation about everything from work ethic to security knowledge. This interview was important, because the success of a mentor and mentee relationship depends on the compatibility of both individuals.</p><p>In general, the potential mentor and mentee should always have the opportunity to meet and determine individually if they are going to be able to work together—a concept that formal mentorship programs need to consider before matching up participants. 
If not, the relationship may be doomed to fail before it gets off the ground.​</p><h4>Do Your Research</h4><p>In deciding on the right mentor, the mentee may want to consider a number of variables, including the mentor’s level of expertise, his or her willingness to share his or her knowledge, and the general alignment of the interests of both parties. Some expertise, credentials, and accomplishments can be ascertained through online research; records of high-profile failures can sometimes be discovered, too.</p><p>In George’s case, his online profile showed that he was a successful university police lieutenant who transitioned into the security industry by first heading up a multicampus hospital system, before coming to the security directorship at the community college. He was also a longtime member of ASIS and a Certified Protection Professional© (CPP); all in all, a veteran security professional.</p><p>Of course, the process of assessing a mentor’s expertise does not have to end once the selection process is complete. A mentee can continually assess the mentor’s expertise by conducting his or her own analysis through independent research. This is a great tool to see if the actions of the mentor are consistent with national best practices.</p><p>In my case, as I became more involved with ASIS and my own professional development progressed, I could see why George made the decisions and took the actions that he did.</p><p>For example, I remember creating a revised incident report template for the security department, which included a glossary of incident types with definitions. The idea was to make it easier for security officers to choose an incident type for a report and create more unified reporting between campuses and individual officers.</p><p>I used FBI Unified Crime Reporting categories as a basis for the incident types. 
When George reviewed the incident types, he made a number of edits that combined categories or renamed them, and crimes like burglary, arson, and nonnegligent homicide were added to the list.</p><p>George had revamped the list of incident types to follow U.S. Clery Act categories, which made more sense given that our workplace was a higher education facility. (The Clery Act requires colleges and universities to report information about crime on and near their campuses.) I was familiar with Clery at that point, but it didn’t hit home for me until I started researching why we changed the names and found that Clery actually specified what incidents should be named.</p><p>This became a recurrent pattern: The more I learned, the deeper I could research; the deeper my research, the more my own findings validated George’s expertise. But the process of assessing expertise independently has another benefit—it can sometimes reveal that the knowledge gap between mentor and mentee is too large, and cannot be bridged.</p><p>For example, if a mentee is barely able to use email, he or she will need a mentor who uses email daily, not a software developer who wrote the code that makes email work. An overly large knowledge gap can lead to a breakdown in communication between the mentor and mentee, in which the mentee cannot fully grasp concepts that the mentor believes are common sense. It’s almost as if they are speaking different languages.</p><p>That is not true in every case, of course; some highly accomplished professionals are also gifted communicators and teachers who can bridge a wide skills gap. But sometimes the gap leads to so much frustration that both parties give up. 
In a worst-case scenario, this bad experience can preclude both parties from trying again with a more suitable partner in the future, thus missing out on the mutual benefits of mentoring.</p><p>If either party feels that the match is untenable, they should amicably end the partnership and try again with another person. The industry needs experts and novices to seek each other out and work together, so neither party should allow a relationship to deteriorate.</p><p>Independent research can be valuable in another way—as a great educational tool for mentors. They may use it to develop exercises that allow mentees to analyze situations on their own and select appropriate actions based on the conditions faced.</p><p>Exercises like these illustrate that mentorship is not just hand-holding; the mentees must be willing and able to act and think for themselves. Practicing these skills in an exercise setting is an excellent way to learn.</p><p>Finally, a mentor-mentee relationship may not work if both are considered competitors for the same job. The modern workplace can be territorial, and being mentored by someone who is concerned that you will ultimately take his or her job (rather than succeed him or her when he or she voluntarily moves on or retires) will be problematic. 
It is likely that concerns about employment will erode the trust of one or both parties, causing the relationship to fail.</p><p>Given this, many of the best mentors are those who are nearing the end of their professional career, are experts in the niche of the security industry that the mentee wants to excel in, and are eager to pass on their knowledge to promising young professionals.</p><h4>Move Forward</h4><p>Once you have identified a mentor, and you firmly believe that the mentor’s expertise is genuine and there is mutual trust and a desire to work together, you should commit to the partnership in full.</p><p>When George and I began working together, there was no real separation between our jobs and learning. We didn’t set aside one day a week for mentorship activities, with the other four taken up by operational assignments or disciplinary meetings. Instead, the opposite occurred: traditional work and mentorship blended together seamlessly. Every activity became a potential lesson, and every interaction a potential opportunity for the transfer of information.</p><p>George and I met about twice a week to discuss the general operations of the security guard force. In those meetings, I would often be assigned tasks—anything from drafting a policy on a particular topic to developing a plan for special event coverage. I would return to my office to work on the project, and then bring a working draft to our next meeting.</p><p>George would bring out the red pen and, quite unapologetically, bleed it all over my drafts. He would explain the errors made on the drafts and then send me back to correct and resubmit them.</p><p>Perhaps the most important gift I received from George was his patient, steady refusal to accept substandard or poorly researched work. I have since realized how tempting it can be when we get busy to simply fix documents and reports that are submitted with errors and send them on, just to keep them moving. 
But ultimately, that guarantees that you will continue to review submitted documents with mistakes. It takes patience, and a desire to instruct, to take the time to explain what is wrong with a document and hand it back to the mentee to fix it.</p><p>Mentorship doesn’t have to be one-dimensional or exclusive. From time to time, I would draw on the advice of others when the situation warranted. The owners of the security firm I worked for had extensive expertise in contract security, so they were the go-to source for me when I needed expertise specific to that subfield. There is no shortage of good mentors, so there is no reason to limit yourself to only one when seeking counsel.</p><h4>Transition</h4><p>As we continued working together, the complexity of the tasks that I was assigned naturally grew. The more I learned, the more I was able to do, and the more projects I was involved in.</p><p>George and I coauthored articles and developed training programs for campus security officers and for people transitioning to security from other industries. I learned that there is no better way to reinforce knowledge of a subject than to teach it. This is doubly true if your students are adults. Whenever you think you have become knowledgeable about a subject, try standing in front of a class of adult learners who think they are, too, and take on their questions.</p><p>This stage is a time of professional transition: the mentee is no longer a novice, but certainly not yet an expert. Moving away from the basics to more advanced concepts can be exciting and rewarding, and there can be a dangerous temptation for the mentee to believe that the mentorship is over. It certainly crossed my mind on occasion, especially during difficult, busy days at the office, when the last thing I wanted was for George to point out what I had just done wrong.</p><p>However, I realized that my mentorship was still too valuable to discontinue. It did need to change, however. 
When the mentorship reaches an advanced stage, an emphasis on strategic learning and career development should gradually replace basic job-specific knowledge.</p><p>Operational skills, such as making schedules, interviewing candidates, and developing policies and SOPs, have all been learned. Now, both mentor and mentee can focus on cultivating higher-level skills, such as knowing how to predict where and when a new policy may be needed, and analyzing current trends in crime prevention or campus safety.</p><p>Much like traditional leadership, a mentorship style can also be altered and adjusted over time, as the relationship deepens.</p><p>In the later stages of my mentorship, George pushed me outward to take advantage of more and more development opportunities, such as professional education, online U.S. Federal Emergency Management Agency classes, conferences with the state’s Department of Criminal Justice Services, and many other training classes and seminars, including the 2011 ASIS International Seminar and Exhibits in Orlando, Florida.</p><p>The ASIS seminar was an eye-opening experience that allowed a relatively new security manager like myself to explore the full depth of the profession. In one week, I discovered that as much as I thought I had learned in my three years working with George, I had barely scratched the surface.</p><p>Nonetheless, my first ASIS seminar served as the perfect catalyst for George to push me into pursuing my CPP designation, which I eventually obtained.</p><p>Two years after I earned my CPP, a colleague in ASIS forwarded me a note about a job opportunity as the security administrator for the city in which I lived. It was too good an opportunity to pass up, and, amazingly enough, the job post specifically sought a CPP with multisite security management experience.</p><p>I got the job, and became security administrator for the City of Newport News, Virginia. 
George transitioned to mentoring a physical security manager who was hired before I left.​</p><h4>Mentee Becomes Mentor</h4><p>George and I still keep in touch, catching up for an occasional lunch to compare strategies on similar issues. As I moved into my new position, I found new mentors with extensive public sector expertise to help me navigate the landmines that exist in local government.</p><p>I have found that the pace of operations is even faster at this higher level, and there is less patience for sharing entry-level knowledge because expectations reflect the added responsibilities of the new job. However, the mentorship dynamic remains the same—I work for an individual with tremendous knowledge of municipal administration, and his counsel in that segment of my job is invaluable.</p><p>I have tried to share knowledge with the people around me in much the same way that George helped me, by patiently pushing the people around me to learn more about the industry and their functions within it. My approach, however, has been somewhat different from George’s. While George dedicated a significant length of time to mentoring one person, I have tried to influence everyone I come into contact with.</p><p>Looking back, there was no cue-the-swelling-music moment where I could say, “I was mentored to achieve exactly this.” Mentorship doesn’t work like that, in my experience. It is a gradual process that requires constant work and endless patience from both sides.</p><p>It is also a partnership that helps develop both individuals, and potentially instills in them a career-long appreciation for learning and teaching. This appreciation leads us to continue to move forward in our profession, seek out new mentors, and mentor those coming behind us, elevating the entire profession, one apprentice at a time.  
</p><p>--<br></p><p><em>William Cottringer, Ph.D., Certified Homeland Security (CHS) level III, is executive vice-president for employee relations for Puget Sound Security Patrol, Inc., in Bellevue, Washington, and adjunct professor of criminal justice at Northwest University.</em></p>
https://sm.asisonline.org/Pages/Pay-Attention.aspxPay Attention!GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465​How can human operators avoid becoming exhausted on the job, or stay alert while driving for long periods of time? How can security guards ensure that they don’t miss a critical alert during a long shift?<br>​<br><p>The Human Factors and Applied Cognition program at George Mason University in Fairfax, Virginia, is conducting vigilance fatigue testing with subjects to find out more about how and why mind power becomes depleted, and how to best replenish it. Subjects at the institution’s Arch Lab are given a variety of tasks to perform in a range of scenarios. </p><p>“We are constantly having people do many different tasks at the same time,” says Carryl Baldwin, director of the program. “In one of the scenarios, they are doing five different tasks at the same time, trying to alternate their attention back and forth between three different screens.” </p><p>Baldwin explains that vigilance fatigue occurs when our brains become overwhelmed by the task we are performing. “The leading theory of why you experience this vigilance decrement is because your cognitive resources become depleted,” she says. “And we asked, ‘If that’s the case, how do we restore those resources?’ So we started a series of experiments, many of which are ongoing, looking at what can we do to try to bring that person back up to speed, to try to alleviate that performance decrement.” </p><p>One hypothesis, Baldwin notes, is that letting one’s mind wander—which is also known as engaging the default mode network—helps restore blood flow to the part of the brain that engages in completing a task, the dorsal attentional network. “This theory is called the decoupling hypothesis, which is that we cycle back and forth between two major attention networks,” she says. 
“You have to cycle back and forth between those in order to sustain performance for any length of time.” </p><p>In a field such as security, Baldwin notes that the lack of incidents that occur during any one shift can lead to increased fatigue, just as with any task where there are little to no stimuli for the brain. “How do you stay motivated to watch screens if, shift after shift, nothing happens?” she says. “You’re likely to miss the signs, because it’s difficult to pay attention when you so rarely get signals.”</p><p>The researchers are working on replenishing subjects’ effectiveness at performing a task with a variety of techniques. “One of the things you can do in vigilance research is periodically insert false alarms...to revive the subjects,” Baldwin says. “Because if they’re waiting for a signal that doesn’t happen during a whole eight-hour shift, it’s really tough to stay engaged.” </p><p>Offering rewards can also help subjects stay on task. “We’re experimenting with giving people rewards once in a while…primarily to increase dopamine levels, which we think will, in turn, increase their ability to sustain attention on the task.” </p><p>Baldwin says simply being in a good mood also appears to promote the subjects’ effectiveness and alertness. “We’ve looked at playing music of a certain type, particularly positive-affect, slow music that’s popular and enjoyable—and people like it,” she says. “That tends to promote relaxing and having a positive attitude.” </p><h4>Cyber Fatigue</h4><p>Fatigue also affects those who make security-related decisions. Most computer users in the United States feel “overwhelmed,” “resigned,” and “hopeless” about the security and privacy of their online behavior, leading them to make poor cybersecurity decisions. 
That’s according to research by the National Institute of Standards and Technology (NIST) in an October 2016 study, Security Fatigue.</p><p>The authors of the report tell Security Management that they didn’t necessarily set out to draw conclusions about security fatigue in their research, but wanted to learn more about the typical computer user’s online security behavior. “We were really trying to understand people’s perceptions, beliefs, and behaviors with respect to cybersecurity,” says Mary Theofanos, computer scientist at the NIST Office of Data and Informatics. </p><p>Theofanos, along with coauthor Brian Stanton from the NIST Visualization and Usability Group, interviewed people ranging in age from 20 to 69 from rural, urban, and suburban areas of the United States. They asked questions such as: What do you do online? How often do you change your password? How do you feel about cybersecurity?</p><p>“As we started talking to them, there was just this overwhelming sense of resignation, loss of control, fatalism, and decision avoidance,” Theofanos says. “As we started really pursuing this, we realized these are the characteristics of security fatigue.” </p><p>The following were some of the signs of cybersecurity fatigue observed by the researchers: </p><p>• Avoiding unnecessary decisions</p><p>• Choosing the easiest available option</p><p>• Making decisions driven by immediate motivations</p><p>• Behaving impulsively</p><p>• Resignation and loss of control</p><p>Stanton, a psychologist, says that users are tired of constantly being asked to change their passwords, conduct system updates, and engage in other basic cybersecurity hygiene best practices. </p><p>“When you reach a certain threshold, you don’t have any more capacity to deal with things, and that’s what we were seeing in the security realm,” he explains. 
“People didn’t have the capacity to make any more decisions about security.” </p><p>Being overwhelmed leads users to make poorer decisions, such as not changing their passwords or updating their machines, or failing to safeguard personal information, opening them up to possible cyberattacks or data theft.</p><p>Positive reinforcement, one of the classic ways to fight vigilance fatigue, isn’t necessarily available in the cyber world. “It’s hard to get that reward in the cybersecurity space because there’s no direct cause-and-effect relationship,” Theofanos says. For example, if users change their passwords every 30 days, but they get hacked anyway, they will feel as if their security practices didn’t protect them and are, therefore, not worth doing. </p><p>“In cybersecurity you don’t get any feedback if you do it right,” Stanton adds.</p><p>Those interviewed also believed that hackers would never target their information in the first place, because they don’t believe they possess anything of value. They stated that someone else should protect their data, such as the bank issuing their credit cards or their employer. </p><p>To combat the issue of security fatigue, the research suggested companies take a few steps to ensure that users don’t feel overwhelmed: </p><p>• Limit the number of security decisions users need to make</p><p>• Make it simple for users to choose the right security action</p><p>• Design for consistent decision making whenever possible</p><p>Theofanos says that users are aware of the existing cyberthreats, and many mentioned high-profile hacks in the news. Still, she says that good cybersecurity has to become a habit, and awareness isn’t enough. “They can’t fall back on a set of habits, because they haven’t formed those habits. It’s the whole concept of practice, practice,” she says. “It’s a bigger step than just greater education and awareness.” ​</p>
https://sm.asisonline.org/Pages/Who’s-Who-in-Retail-Loss-Prevention.aspxWho’s Who in Retail Loss PreventionGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<h4>​Retail Loss Prevention Council, ASIS International</h4><p>One of 34 industry- or topic-specific councils of ASIS International. It develops and provides programming and resources for loss prevention practitioners, including session recordings, webinars, magazine articles, book excerpts, newsletters, reference guides, white papers, and case studies.</p><h4>Loss Prevention Foundation</h4><p>Its stated mission is to “advance the retail loss prevention and asset protection profession by providing relevant, convenient, and challenging educational resources.” It offers the LPQualified and LPCertified industry certifications, a career center, and a bimonthly magazine, among other benefits.</p><h4>Loss Prevention Research Council</h4><p>Affiliated with the University of Florida, its mission is to use an evidence-based approach to fighting retail crime. It tests loss prevention solutions in real world environments. Previously, LPRC operated at the store level, but its operations are now equally geared to corporate decision makers and corporate emergency operations centers. Shoplifting and employee theft are still high priorities, but the council now delves into fraud, supply chain protection, violent crime, point of sale crime, burglary, situational awareness, and other issues.</p><h4>National Retail Federation</h4><p>The world’s largest retail trade association, the NRF has a Loss Prevention Council and constituent committees that meet to discuss problems and share solutions. 
The NRF also hosts an annual loss prevention conference, advocates for the loss prevention industry, and provides news and resources.</p><h4>Loss Prevention Industry Professionals Association</h4><p>This organization holds an annual conference and vendor showcase, and offers networking and other benefits.</p><h4>Retail Industry Leaders Association</h4><p>Describing itself as the premier advocate for America’s most sophisticated retailers, RILA offers education, networking, and a forum for problem solving. It contains a council and committees that focus on various asset protection issues, such as auditing and technological innovation.</p><h4>National Anti-Organized Retail Crime Association</h4><p>Established in 2012, this organization fights organized retail crime through education on such techniques as skimming, cargo theft, and return fraud.</p><h4>Mystery Shopping Providers Association</h4><p>Characterizing itself as “the largest professional trade association dedicated to improving service quality using anonymous resources,” the group has more than 450 member companies worldwide. Its membership includes marketing research, private investigation firms, and mystery shopping fieldwork services.</p>
https://sm.asisonline.org/Pages/Accesos-Bajo-Control.aspxAccess Under ControlGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>Companies spend significant resources on access control equipment. The size of this global market is estimated at between US$6 billion and US$22 billion, and a recent survey by ASIS International indicates that 57 percent of businesses in the United States will increase access controls during 2016.<br> <br>The upfront costs are only the beginning. Security professionals take time to determine which doors need to be locked and when. They decide where to install readers and specify how visitors are to be processed. But despite the effort invested in setting up and maintaining the equipment, over time the access control database can end up poorly managed. Requests to modify reader categorization and access levels are continual. One group may want time restrictions for the janitorial staff; another group may need access to one door but want to restrict others. If these accommodations are made without regard for the overall system, a tangle of access levels eventually results. By the time anyone notices, security no longer controls access: access control determines and limits the organization’s security, resulting in disastrous chaos.<br> <br>Branch Banking and Trust Company (BB&T), a large financial services provider headquartered in Winston-Salem, North Carolina, has protocols in place that ensure accurate and appropriate administration of the access control systems at its corporate sites. 
The company, a member of the Fortune 500, has more than 1,800 financial centers in 12 U.S. states. In addition, approximately 120 corporate buildings (data centers, operations centers, and call centers, as well as corporate and regional headquarters) maintain access control systems.</p><p><strong>CHALLENGES</strong><br>Regulatory developments over the past decade make it necessary to maintain access control data carefully. In the United States, the Health Insurance Portability and Accountability Act (1996) and its counterpart, the Financial Services Modernization Act (1999), require healthcare and financial entities, respectively, to keep strict watch over sensitive or personal data. The Sarbanes-Oxley Act (2002), for its part, forced a tightening of internal controls within the country’s corporations. More recently, the Payment Card Industry Data Security Standard (2004) requires companies to maintain tight control over credit and debit card data.<br> <br>These regulations, along with others that affect specific industries, have brought greater scrutiny to the management of access control data. Most large organizations, especially those in regulated industries, have experienced an increase in audit activity around physical access controls. This means that, in many cases, regular reviews of access reports will be required. For this reason, it is crucial that the information contained in a company’s databases be clear and accurate.<br> <br>Numerous challenges can arise from failing to properly maintain an access control system. Lapses in maintenance can result in theft when, for example, terminated employees enter a facility. 
What good is an access control system if, through neglect of its upkeep, people can enter places they should not? If your access control database has been running for years and has become an intricate web of access authorizations, what steps can be taken to regain control of the data?<br> <br>Access control database administrators must have an ongoing process in place to maintain the accuracy of the data. A standards-based approach is essential to managing any effective program in this area. The standards cover defining the types of users in the system (employees, vendors, visitors, temporary card users, and so on) and establishing the credentials that must be managed and reviewed in each of those categories. Once the user categories are defined, zone designations and ongoing maintenance procedures should be established.<br> <br><strong>DATABASE MANAGEMENT </strong><br>BB&T categorizes its cardholders into three groups based on network user ID. There are employees and contractors with a corporate network ID; vendors, tenants, and others without a corporate network ID; and temporary users. The company uses user accounts for employees and contractors because the corporate network ID is also used for the IT security database. This allows security personnel to compare internal network access records with physical access data. Human resources data was considered for this comparison, but the bank determined that many vendors, temporary employees, and contractors who hold a network access account are not included in its human resources system. 
Matching the data against the network accounts instead covers the majority of the organization’s users. If the records do not match, the user’s access permission is terminated.</p><p> <br>For cards not covered by the matching process described above, the company identifies an employee who can serve as the representative for each vendor and tenant. The organization reviews those cards every four months; during each review, the company’s delegate establishes whether the individual still works for an authorized third party and still needs the access card.<br> <br>All temporary credentials in the system are assigned to the individuals who have the cards in their possession. These may be used by visitors, trainees, outside vendors, and employees who forgot their ID at home. Information about the cardholder is stored in the access control database. One person is responsible for reviewing the four-monthly reports on temporary cards to make sure their distribution is justified.<br> <br><b>SPACE</b><br>BB&T has established criteria and definitions for the physical space in its environment and divides it into three categories: critical, restricted, and general. Each category has its own access criteria.<br> <br>The critical category is reserved for high-risk areas and infrastructure that is indispensable to the organization’s operation, such as server rooms or ventilation rooms. Restricted space consists of the offices of departments that the company considers should have limited access. Both categories are assigned a “space owner” who is responsible for approving or denying people’s access to each area. 
General access areas are hallways and common-use doors.<br> <br>Within each space category, standards are established for managing access. For example, the standards for the data center may deny access to janitors or nonessential personnel unless they are escorted. They also dictate who can approve access to a given space and how often access reports must be reviewed: for example, reports for critical and restricted areas are reviewed monthly or every four months.<br> <br><strong>GROUPINGS</strong><br>Access devices are grouped based on the category of the space they are in and the users who access it. This streamlines the access request process and makes it easier for requesters to understand what kind of access they are asking for: grouping as many readers together as is feasible minimizes the number of possible device groups, which reduces the number of options presented to those requesting access. It also makes it easier to ensure that access reports are accurate, and it simplifies the approval and review processes. For example, if all readers for critical spaces are grouped together, only one authorization to access them would be needed, and only one report would then have to be reviewed.<br> <br>In some cases, however, minimizing the groups may not be possible. For example, a group of users may be admitted to the information technology area, but only a subset of that group may have access to the server room located there. In this case, the groups would be categorized by users rather than by readers.<br> <br>It is also important to make sure that access levels and device groupings do not overlap. 
Overlaps can complicate the access request process and report reviews, and can cause reports to reflect an incomplete list of the users who have access to a space. For example, in a building with three readers, category 1 might include the front and back doors, and category 2 might cover the communications room. If, in addition to these two groupings, there is a third group that includes all three readers (it might be called “first floor”), a problem could arise because the readers belong to two different groupings. In this scenario, a request to determine who has access to the communications room would require both a report on the room’s reader category and an additional report covering the grouping of all three readers. In many organizations this second step is skipped, which produces an inaccurate picture of who has access to a specific area. This can become a bigger problem if it is discovered during an audit.<br> <br>Another way to remedy this issue would be to run reader reports one door at a time: in this example, a report would be run only on the communications room reader. Most access control systems can produce this type of report. However, in companies with a large number of individual card readers, this would require too many reports. The same users often need access to multiple doors, so combining the doors into categories that do not overlap with others makes more sense than running individual reader reports.<br> <br>As a rule, BB&T does not allow a reader assigned to a critical or restricted zone to belong to more than one reader grouping. This ensures that access reports are accurate and complete. 
The measure requires that a user who needs access to an entire building, such as a cleaner or a security guard, request access to each area of the facility he or she intends to enter, rather than requesting a single permission for the whole site. This is beneficial not only for reporting; it also requires space owners to authorize every user who accesses their space, which makes them responsible for knowing who is entering their area. Some controls can be built into the report review process to make sure that a space owner does not remove a janitor’s or guard’s access. Some systems allow cards to be flagged and require a higher level of scrutiny before access is removed; nevertheless, this is a cleaner way to establish access levels and ensures that space owners check a report of all users who have access to their area, which is what most auditors look for.<br> <br><b>CLEANUP</b><br>If an access control system has become tangled over time, a database cleanup is recommended. A good place to start is to deactivate all cards that have not been used within a specific period, such as the last six months. That leaves fewer cards to review. The security department can then look for matches between the access control database and one that lists the company’s current employees. Data from the human resources or IT security department is the most useful for determining whether the active cardholders in the system still work for the organization. For the remaining cards, those for nonemployees, visitors, tenants, and contractors, it should be investigated whether the users can be associated with a manager or an employee of the company. 
Security managers can work with these internal partners to implement a regular review of the cards.<br> <br><strong>MAINTENANCE </strong><br>Routinely running a comparison against human resources or IT security data ensures that cards are deactivated for users whose information does not match the card’s. If a user is not captured in the comparison, that person must be assigned to a representative who will review, every four months, which credentials should be deactivated. The reports for all spaces that are not general access must be checked to confirm that users still need access to the designated areas. This check should take place at regular intervals of no more than four months. An important part of the access request process is making sure that all the information needed to support any new standards and to facilitate report reviews is captured. For example, if the permission is for a visitor, security personnel must capture, during the request process, the name of the person who will have the card in his or her possession.<br><strong> </strong><br><strong>AUTOMATION</strong><br>BB&T is working to upgrade the automation of its access control request and audit reporting system by the end of 2015. It is considering software that automates the entire access-related database management process, spanning both the access control system and the human resources system. This upgrade would include the use of an interface fully integrated with the IT security credentialing system. 
The ideal application would integrate fully with the access control system, with access authorization provisioned automatically and without human intervention.<br>Cost is a deciding factor in implementing a project like this one. Some companies choose to automate only parts of the process: several use a simple Web form that communicates by email with those who must approve access, or that provides a dashboard where the access control team can view requests; many others have integrated human resources and IT security data to update the access control system, which allows cards to be deactivated automatically for employees and contractors who have been let go. Some have found a way to automate report reviews. Few access control equipment manufacturers provide these tools with their software: some work alongside third-party solutions or refer customers to them; others are beginning to notice this growing need for automation and are incorporating and improving certain elements in their standard application package, such as more robust reporting capabilities.<br> <br>These efforts may seem overwhelming, but once the standards are established, the database is clean, maintenance is regular, and some level of automation is in place, the system will be managed effectively. It is imperative that security professionals look beyond the equipment and its installation, and that they not rely on these alone for protection. 
A solid maintenance program ensures that if access control processes are ever called into question, the security department can be confident that the program is under control.<br> <br><em><strong>Briggette Jimenez, CPP,</strong> is physical security manager at BB&T, where she directs the company’s security command center as well as its security operations and workplace violence prevention programs.</em></p>
https://sm.asisonline.org/Pages/Security-Incidents-Caused-By-IoT-Devices-Could-Be-‘Catastrophic,’-Survey-Finds.aspx
Security Incidents Caused By IoT Devices Could Be ‘Catastrophic,’ Survey Finds
Cybersecurity
<p>Almost every industry official surveyed said they believe a security incident related to internet-connected devices could be catastrophic, a new survey finds.</p><p>A majority of respondents (78 percent) said a data breach involving an unsecured IoT device is likely to occur within the next two years; most respondents (76 percent) also said a DDoS attack leveraging IoT devices is likely to occur in that same time frame. <br></p><p>“Ninety-four percent of respondents say it is likely that either incident would be catastrophic,” according to <em><a href="https://sharedassessments.org/summit/SA_2017_Ponemon_IoT_Third_Party_Risk_Report_WP.pdf">The Internet of Things (IoT): A New Era of Third-Party Risk</a></em> by the Ponemon Institute and sponsored by Shared Assessments. <br></p><p>The report surveyed 553 individuals who have a role in their organizations’ risk management process and are familiar with the use of IoT devices. 
It found that “companies are relying on technologies and governance practices that have not evolved to address emergent IoT threat vectors.” <br></p><p>“Such potential risks include the ability of criminals to harness IoT devices, such as botnets, to attack infrastructure and launch points for malware propagation, SPAM, DDoS attacks, and anonymizing malicious activities.”<br></p><p>The finding shows a concerning trend in corporate security that efforts to mitigate third-party risks to the IoT ecosystem are lagging, as only 30 percent of respondents said managing third-party IoT risks is a priority for their organization.<br></p><p>“More and more enterprises are turning to IoT to improve business outcomes and this growth is creating a breeding ground for cyberattacks,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, <a href="http://sharedassessments.org/internet-things-iot-new-era-third-party-risk/" target="_blank">in a press release.</a> “What’s shocking about these findings is the complete disconnect between understanding the severity of what a third-party security breach could mean for businesses, and the lack of preparedness and communication between departments.”<br></p><p><em>For more on IoT devices and botnets, read <a href="/Pages/Rise-of-the-IoT-Botnets.aspx" target="_blank">“Rise of the IoT Botnets”</a> from the February issue of </em>Security Management. ​<br></p>
https://sm.asisonline.org/Pages/Britain-To-Remain-at-‘Critical’-Threat-Level-Over-Weekend.aspx
Britain To Remain at ‘Critical’ Threat Level Over Weekend
National Security
<p>Britain will remain at its highest terror alert level—critical—throughout the holiday weekend, authorities said. This means that another attack "is expected imminently."</p><p>The threat level remains at critical because of concerns about copycat attacks and attacks by a possible network that may have aided Manchester Arena bomber Salman Abedi, the <a href="http://www.bbc.com/news/uk-40056102" target="_blank">BBC News reports.</a></p><p>Detectives confirmed that they had "got hold of a large part of the network" and made "immense" progress arresting people suspected of aiding Abedi, <a href="https://www.theguardian.com/uk-news/2017/may/26/manchester-attack-police-arrest-man-and-search-barber-shop-moss-side-st-helens" target="_blank"><em>The Guardian</em> reports.</a></p><p>"Clearly, we haven't covered all the territory we want to but we have covered a large part of it so our confidence has been increasing in recent days," said Britain's top counter-terrorism officer, Mark Rowley. "But there's still more to do."</p><p>As of Friday afternoon, authorities had arrested eight men in connection with the Manchester Arena bombing. Their names have not been released to the public. 
</p><p>Detectives are also focusing on how the bomb used in the attack was made.<br></p><p>"Investigators believe aspects of the way the bomb was built point towards the maker having made improvised explosive devices before," according to <em>The Guardian.</em> "It showed considerable power and the nuts and bolts had been packed to maximize their murderous effect."</p><p>Immediately after the bombing, authorities were attempting to determine if Abedi had made the device himself or if someone else made it for him. </p><p>New information, reported by media outlets including <em><a href="https://www.nytimes.com/2017/05/26/world/europe/manchester-attack-uk-bomber.html?rref=collection/sectioncollection/europe" target="_blank">The New York Times,</a></em> revealed that Abedi "opened a bank account about a year ago, drew money from it to buy nails and screws from two hardware stores, and rented an apartment where he built the explosive device" he eventually detonated at the arena.</p><p>U.S. Representative and Chair of the House Homeland Security Committee Michael McCaul (R-TX) also confirmed that Abedi's backpack—which he used to carry the bomb in—contained triacetone triperoxide, the same explosive used in the London 2005, Paris 2015, and Brussels 2016 attacks.</p><p>While the threat level remains at critical, Britain is preparing to hold 1,300 events across the country this weekend for a bank holiday. Police have reviewed security procedures and increased patrols in areas where more boots on the ground are needed, <em>The Guardian</em> reports.​</p><p>"Extra armed police will patrol the FA Cup final at Wembley, where armored vehicles will be deployed, and the rugby premiership final at Twickenham," <em>The Guardian</em> said. "Fifty percent more firearms officers have been deployed on the streets, including some who were seen patrolling on Scarborough beach on Friday."</p>
https://sm.asisonline.org/Pages/Soft-Targets---What-Security-Professionals-Can-Learn-From-the-Manchester-Attack.aspx
Soft Targets: What Security Professionals Can Learn From the Manchester Attack
National Security
<p><em>Michael J. Fagel is a crisis management expert with more than 30 years of experience in emergency planning and response. He has written several books and is co-author of </em>Soft Targets and Crisis Management: What Emergency Planners and Security Professionals Need to Know<em>. He is a member of the ASIS School Safety and Security Council. </em></p><p>Security Management <em>Associate Editor Holly Gilbert Stowell</em> <em>spoke to Fagel about the recent terror attack in Manchester, England, and what security professionals can do to prevent soft target attacks. Their conversation has been lightly edited for clarity.</em></p><p><strong>Stowell: From what we've seen over the last few months, attacks on soft targets—places of worship, study, and leisure—seem increasingly commonplace. What type of target is the Manchester Arena—a typical soft target, or some sort of hybrid with unique features? </strong></p><p><strong>Fagel: </strong>It is a typical soft target, given the fact that there are more and more security measures in place as people get closer to the venue. It's a pretty common occurrence in stadiums, to have nonsecure areas where people are approaching the building. Just think of an airport, think of a baggage claim, think of queuing up before you get in the airport. Everybody's milling about in these common spaces before they go through security. </p><p><strong>Stowell: The Manchester attacker detonated a suicide bomb on the perimeter of the event as people were filing out of the concert. Do you think the perimeter is actually a bigger concern for a soft target than inside the venue itself? 
</strong></p><p><strong>Fagel: </strong>I think they're equally as critical. The perimeter is of equal significance and of equal danger as inside, because nobody knows who's walking about the perimeter and the nonsecure area. A backpack looks innocuous, a lunchbox, a briefcase, a shopping bag—any one of those things would be very common in a place of commerce and wouldn't look out of the ordinary. So anybody could be wandering with that object, and you would never know that they were engaging in malicious activity. </p><p><strong>Stowell: Are U.S. arenas, and other facilities similar to the Manchester Arena in the United States, now vulnerable to attack? If so, in what ways? </strong></p><p><strong>Fagel: </strong>I don't want to be an alarmist, I want to be a realist. Nothing is invulnerable to this type of attack. I've worked in the Middle East and all over the world. Our society right now is not prepared for this type of event. I've been training police officers, firefighters, and rescue personnel for the last 20 years, and we are continually striving to be better than we are, but the bad guys learn from each incident. Every time something occurs, they will get better, and if you look at the terrorist propaganda, there are explicit instructions on how to carry out these sort of events. These elements are cookbooks for the bad guys. </p><p>Terrorists take advantage of our openness, of our fairness, and our way of life, which they don't like for whatever reason. They use that against us. Do we want to change that? No. We're built on freedoms, but we have to be cautious that the bad guys are learning minute by minute—and nothing is off limits now. </p><p><strong>Stowell: Speaking of limits, this was an attack on a venue containing children and teenagers. 
Do we have a moral boundary in our minds that causes us to treat security differently for events concerning younger people? </strong></p><p><strong>Fagel: </strong>Have the bad guys crossed a line? The answer is yes. Have they done something that is heinous? Yes. I worked the Oklahoma City bombing in 1995 and carried out rescue and recovery during the attacks. I thought that was the worst thing I had ever seen, and having been a medic, firefighter, and police officer for many years, and seeing infants killed—I thought that crossed a line. </p><p>But bad guys now targeting the concert with a younger crowd, people as young as eight years old, to me that crosses every moral boundary. After September 11, people were really vigilant about security for the first few months, but then they started to get more lax. You can never let your guard down. As soon as you start to relax and think the threat is over with, the bad guys are watching our behaviors and will seize ​on that opportunity. They're watching our security postures. They're watching how we react to things. </p><p><strong>Stowell: What lessons can security professionals take away from this attack to help increase security at soft target venues? </strong></p><p><strong>Fagel: </strong>Think of soft targets like a bullseye with rings around it. Picture an airport where security needs to start prior to the secure area. If the airport is the bullseye, security needs to start in the parking lot, baggage delivery, at ticket counters. It needs to start way before you approach the secure zone, so that security is the culture of the entire area. </p><p>You have layers of defense, layers that protect you as you move closer and closer to the soft target in the middle. Let's say in an office building there's a security server for the Internet. If that's the bullseye—I have to prevent people from ever getting there. And an office​ worker is the softest target with Internet access and passwords. 
It's the concept and culture of hardening people, and hardening your venues so that you're more aware, and preventing something before it even gets close to your bullseye. </p><p>There must be a personal awareness. It's not somebody else's job, it's our responsibility as alert citizens to be cognizant of our surroundings, see something say something. If it doesn't look right, it probably isn't right. </p><p>Finally, the solution is having an attitude and an awareness for things that may be out of place. I'm not talking about profiling people, I'm talking about profiling behaviors and actions. The Virginia Tech shooter, [Seung-Hui​] Cho, was at the gun range, shooting holes in paper targets face down. That's a behavior. Omar Mateen wanted to buy body armor in Florida before carrying out the Pulse Nightclub massacre. Is the person acquiring weaponry? Are they buying precursory devices and material? Are they buying powder for explosives? Are they buying ammunition? Are they taking shotgun shells apart? Are they asking weird questions at the gun range, the gun shop, or the fireworks store? </p><p>Use commonly available tools and information to develop your intelligence quotient and your ability to see what may be happening. It's all about awareness. ​</p>
https://sm.asisonline.org/Pages/Terror-Attack-Strikes-Manchester-Arena—What-We-Know.aspx
Terror Attack Strikes Manchester Arena: What We Know
National Security
<h4>What we know<br></h4><ul><li><p>A bomb exploded outside Manchester Arena on Monday as an Ariana Grande concert was ending, killing at least 22 people and wounding 59 others.</p></li><li><p>The bomber, who was killed in the explosion, was identified as Salman Abedi, 22, of Manchester.</p></li><li><p>ISIS claimed responsibility for the bombing, but officials have not verified that claim.</p></li><li><p><em>Security Management</em> created a master list of references and resources for security professionals on stadium and soft target security. Access them, for free, <a href="/Pages/Stadium-and-Soft-Target-Security-Resources.aspx">here.</a></p></li><li><p>The United Kingdom raised its terror threat level from severe to critical, meaning that a further attack may be imminent.</p></li></ul><h4>Ariana Grande puts 'Dangerous Woman' tour on hold</h4><p><strong>Update: 3:10 p.m., May 24, 2017</strong></p><p>Ariana Grande is putting her "Dangerous Woman" tour on hold following the Manchester Arena bombing, the pop star said in a statement.</p><p>"Due to the tragic events in Manchester the 'Dangerous Woman' tour with Ariana Grande has been suspended until we can further assess the situation and pay our proper respects to those lost," the singer's management team said in a <a href="http://money.cnn.com/2017/05/24/media/ariana-grande-cancels-shows-tour/index.html?sr=twcnni052417ariana-grande-cancels-shows-tour0701PMVODtopPhoto&linkId=37975750" target="_blank">statement obtained by CNN.</a></p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 53e3cc06-f932-44d7-88de-e618f8f3b3b2" id="div_53e3cc06-f932-44d7-88de-e618f8f3b3b2"></div><div 
id="vid_53e3cc06-f932-44d7-88de-e618f8f3b3b2" style="display:none;"></div></div><p>The postponement means Grande's performances scheduled for tomorrow and Friday in London will be canceled, along with a show in Switzerland on June 5.</p><p>"We ask at this time that we all continue to support the city of Manchester and all those families affected by this cowardice and senseless act of violence," the statement continued. "Our way of life has once again been threatened but we will overcome this together."</p><h4>Bomber's Brother, Father, arrested abroad</h4><p><strong>Update: 3:00 p.m., May 24, 2017</strong></p><p>Authorities have arrested two family members of the Manchester Arena bomber, Salman Abedi, as they continue to investigate whether he was working with a network to carry out the attack.</p><p>Libyan counterterrorism officials arrested Abedi's younger brother, Hashem Abedi, who <a href="https://www.washingtonpost.com/world/british-prime-minister-raises-nations-threat-level-saying-another-attackmay-be-imminent/2017/05/24/dd5367e8-3fec-11e7-b29f-f40ffced2ddb_story.html?utm_term=.8da72f106f0b&wpisrc=al_alert-COMBO-world%252Bnation&wpmk=1" target="_blank"><em>The Washington Post</em> reports</a> was suspected of planning an attack in Tripoli.</p><p>The Post spoke to Ahmed Dagdoug, a spokesman for Libya's counterterrorism Reda Force, who said Hashem was in "frequent contact with his brother Salman in Manchester and was aware of the plans to attack the concert."</p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read d901b6ac-a7e5-4479-922a-5d3e9a15760a" id="div_d901b6ac-a7e5-4479-922a-5d3e9a15760a"></div><div id="vid_d901b6ac-a7e5-4479-922a-5d3e9a15760a" style="display:none;"></div></div><p>Authorities also arrested Abedi's father, Ramadan, on Wednesday. 
Ramadan, known as Abu Ismail,<a href="https://www.nytimes.com/2017/05/24/world/europe/manchester-uk-bombing-live.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=b-lede-package-region&region=top-news&WT.nav=top-news" target="_blank"> spoke to <em>The New York Times</em></a><em> </em>earlier this week and said that he did not believe his son carried out the attack at the arena.</p><p>"His ideas and his ideology were not like that," Abu Ismail said. "He was born and raised in Britain. He's a British citizen and he does not hold such ideologies."</p><h4>What security professionals can learn from the Manchester attack</h4><p><strong>Update: 12:35 p.m., May 24, 2017</strong></p><p>Following the Manchester Arena bombing, <em>Security Management </em>reached out to several crisis management and soft target security experts to find out what security professionals can learn from the attack. </p><p>One of those experts was Michael J. Fagel, a crisis management expert with more than 30 years of experience in emergency planning and response. He sat down with Associate Editor Holly Gilbert Stowell to talk about the attack and what security professionals can do to prevent future similar attacks.</p><p><strong>Stowell: From what we've seen over the last few months, attacks on soft targets--places of worship, study, and leisure--seem increasingly commonplace. What type of target is the Manchester Arena--a typical soft target, or some sort of hybrid with unique features?</strong></p><p><strong>Fagel:</strong><strong> </strong>It is a typical soft target, given the fact that there are more and more security measures in place as people get closer to the venue. It's a pretty common occurrence in stadiums, to have nonsecure areas where people are approaching the building. Just think of an airport, think of a baggage claim, think of queuing up before you get in the airport. 
Everybody's milling about in these common spaces before they go through security.</p><p><em>Continue reading their conversation by clicking </em><a href="/Pages/Soft-Targets---What-Security-Professionals-Can-Learn-From-the-Manchester-Attack.aspx"><em>here.</em></a></p><h4>Manchester Attack Victims Named</h4><p><strong>Update: 11:00 a.m., May 24, 2017</strong></p><p>Twenty-two people were killed in the Manchester Arena bombing, and the Greater Manchester Police Department said it is "confident" it knows the identity of all of the individuals.</p><p><a href="https://www.theguardian.com/uk-news/2017/may/24/go-sing-with-the-angels-families-and-friends-pay-tribute-to-manchester-victims">Twelve victims </a>have been named by their families, <a href="https://www.theguardian.com/uk-news/live/2017/may/24/manchester-arena-bombing-terror-attack-victims-threat-critical-ariana-grande-concert-live-news?page=with:block-592582cfe4b0e2555d2b2b40#block-592582cfe4b0e2555d2b2b40"><em>The Guardian</em> reports:</a></p><ul><li><p>Jane Tweddle-Taylor, 51</p></li><li><p>Nell Jones, 14</p></li><li><p>Martyn Hett, 29</p></li><li><p>Angelika Klis, 40</p></li><li><p>Marcin Klis, 42</p></li><li><p>Georgina Callander, 18</p></li><li><p>Saffie Rose Roussos, 8</p></li><li><p>John Atkinson, 28</p></li><li><p>Kelly Brewster, 32</p></li><li><p>Olivia Campbell, 15</p></li><li><p>Alison Howe, 45</p></li><li><p>Lisa Lees, 47</p></li></ul><p>The National Casualty Bureau has an emergency number available for those concerned about anyone who may have been impacted by the Manchester Arena bombing. The number to call is: 0800 096 0095.</p><h4>Details begin to emerge about Arena bomber</h4><p><strong>Update: 10:45 a.m., May 24, 2017</strong></p><p>Two days after the Manchester Arena bombing, new details have emerged about Salman Abedi, the man who carried out the attack on Monday night. 
</p><p>Abedi was born in Manchester and was the son of Libyan immigrants, who moved back to Libya after spending decades in the United Kingdom, <a href="https://www.nytimes.com/2017/05/24/world/europe/manchester-bomber-salman-abedi.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=first-column-region&region=top-news&WT.nav=top-news&_r=0" target="_blank"><em>The New York Times</em> reports. </a></p><p>Abedi had visited Syria and also went to visit his parents in Libya, who raised concerns to him about his radicalization, according to an individual who spoke with The Times.</p><p>He was known to security services, <a href="https://www.theguardian.com/uk-news/2017/may/23/manchester-arena-attacker-named-salman-abedi-suicide-attack-ariana-grande" target="_blank"><em>The Guardian</em> reports</a>, but Abedi was "not part of any active investigation or regarded as a high risk." Instead, he was "viewed as a peripheral figure in much the same way as the Westminster attacker, Khalid Masood."</p><p>Authorities are still working to determine where the bomb Abedi used was created, and if he had help assembling the device. </p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 1fe616f0-5455-4efc-921e-05300bf59981" id="div_1fe616f0-5455-4efc-921e-05300bf59981"></div><div id="vid_1fe616f0-5455-4efc-921e-05300bf59981" style="display:none;"></div></div><p>"It seems likely--possible--that he wasn't doing this on his own," said Britain's Home Secretary Amber Rudd.</p><h4>SM is Signing off for the night</h4><p><strong>Update: 5:15 p.m., May 23, 2017</strong></p><p><em>Security Management</em> is signing off for the night and will not be providing updates to this post until tomorrow morning at approximately 10 a.m. 
EST.</p><p>For live updates, follow feeds from<a href="https://www.theguardian.com/uk-news/live/2017/may/22/manchester-arena-ariana-grande-concert-explosion-england"> <em>The Guardian</em></a> and the <a href="http://www.bbc.com/news/live/uk-england-manchester-40007967">BBC.</a></p><h4><span>UK Raises Terror Level from severe to critical</span></h4><p><strong>Update: 5 p.m., May 23, 2017</strong></p><p>The United Kingdom is increasing its terror threat level from severe to critical.</p><p>"It is a possibility that we cannot ignore that there is a wider group of individuals linked to this attack," said UK Prime Minister Theresa May. </p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 4714a6c9-3a8f-4f7e-a847-54612fdb1457" id="div_4714a6c9-3a8f-4f7e-a847-54612fdb1457"></div><div id="vid_4714a6c9-3a8f-4f7e-a847-54612fdb1457" style="display:none;"></div></div><p>The Joint Terrorism Analysis Center has been monitoring intelligence throughout the day, and based on its findings May said it is raising the threat level.</p><p>"This means not only that an attack remains highly likely but that a further attack may be imminent," May said.</p><p>With the raising of the threat level, Operation Temperer is now in force, <a href="https://www.theguardian.com/uk-news/live/2017/may/22/manchester-arena-ariana-grande-concert-explosion-england?page=with:block-59249e1de4b0533caf41a9f4#block-59249e1de4b0533caf41a9f4"><em>The Guardian</em> reports, </a>and armed police who normally protect the Houses of Parliament and other sites in the United Kingdom will be replaced with military personnel. </p><h4>DHS official: no plan to make security changes due to manchester arena bombing</h4><p><strong>Update: 3:20 p.m., May 23, 2017</strong><br><br>A U.S. 
Department of Homeland Security (DHS) official who spoke to ABC News said there are currently no plans in place to make <a href="http://abcnews.go.com/Politics/dhs-official-plans-change-security-measures-manchester-attack/story?id=47589691" target="_blank">"significant security changes"</a> in the United States in response to the Manchester Arena bombing.</p><p>"The DHS official said that the federal security posture in the U.S. is already at high levels and that there is not much more to be done in the aftermath of the attack," ABC News reports.</p><p><a href="https://www.dhs.gov/news/2017/05/22/dhs-statement-incident-manchester-arena" target="_blank">DHS issued a statement</a> hours after the attack on Monday, saying it was closely monitoring the situation and is working with its foreign counterparts to obtain additional information about the incident. </p><p>"At this time, we have no information to indicate a specific credible threat involving music venues in the United States," DHS said. "However, the public may experience increased security in and around public places and events as officials take additional precautions."</p><h4>Manchester Arena to remain closed</h4><p><strong>Update: 2:10 p.m., May 23, 2017</strong></p><p>Manchester Arena announced that it will postpone two concerts scheduled for later this week due to the bombing on Monday. </p><p>In a statement via Twitter, the arena said it will postpone two shows by Take That, an English pop group, on Thursday and Friday. </p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 55f58b8d-107b-497e-a18b-744a6670ce82" id="div_55f58b8d-107b-497e-a18b-744a6670ce82"></div><div id="vid_55f58b8d-107b-497e-a18b-744a6670ce82" style="display:none;"></div></div><p>"We are assisting the police in any way we can," Manchester Arena said on Twitter. 
"We cannot praise the emergency services enough for their response and have been inspired by the way the people of this great city of Manchester rallied round last night and have continued to respond today. It shows the very best of this city."</p><p>Take That  was scheduled to perform in Liverpool tonight, but announced that it would be <a href="https://twitter.com/takethat?ref_src=twsrc%5egoogle%7ctwcamp%5eserp%7ctwgr%5eauthor" target="_blank">postponing the show </a>as a sign of respect to those affected by the Manchester Arena bombing. <br><br>Ariana Grande has not cancelled any future dates for her Dangerous Woman Tour, but <a href="http://ew.com/music/2017/05/23/ariana-grande-tour-not-canceled/"><em>Entertainment Weekly</em> reported</a> that her team is assessing whether to continue. </p><p>"Right now, the focus is on the victims and grieving for them. We're not focused on the tour," a source told EW. <br><br>Grande's next performances are scheduled for London's O2 arena on Thursday and Friday. 
The venue released a statement earlier today saying that it is working with Grande's promoters and will provide an update on whether the concerts will go on as planned.<br></p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 559052de-3dbf-4053-8811-28b936306441" id="div_559052de-3dbf-4053-8811-28b936306441"></div><div id="vid_559052de-3dbf-4053-8811-28b936306441" style="display:none;"></div></div><p><strong></strong> </p><h4>Authorities Identify Manchester Arena Suspected Bomber</h4><p><strong>Update: 1:30 p.m., May 23, 2017</strong><br><br>UK authorities identified the suspected bomber who carried out the attack on Manchester Arena as Salman Abedi, 22, who was born in Manchester, the <a href="http://www.bbc.com/news/uk-40020168">BBC reports.</a></p><p>"Abedi, who had at least three siblings, and lived at several addresses in Manchester, including a property at Elsmore Road, Fallowfield, which was earlier raided by police," according to the BBC.</p><p>Police are still working to confirm if Abedi planned the bombing alone, or was working with others to carry out the attack. 
Greater Manchester Police Chief Constable Ian Hopkins declined to provide further details about Abedi to <a href="https://www.nytimes.com/2017/05/23/world/europe/manchester-arena-attack-ariana-grande.html" target="_blank"><em>The New York Times,</em></a> and also said that a coroner has not officially identified him.</p><p>"The priority remains to establish whether he was acting alone or as part of a network," Hopkins said.</p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 499524ec-fde7-4b66-8eff-6ee419f433cb" id="div_499524ec-fde7-4b66-8eff-6ee419f433cb"></div><div id="vid_499524ec-fde7-4b66-8eff-6ee419f433cb" style="display:none;"></div></div><h4>Experts say bombing points to vulnerabilities</h4><p><strong>Update: 12:15 p.m., May 23, 2017</strong><br><br>Stadiums and event spaces often have metal detectors, bomb detection technology, cameras, and security guards inside. But the attack at Manchester Arena shows the need for more vigilance in areas outside security zones, an expert told <a href="http://www.latimes.com/local/lanow/la-me-security-manchester-local-20170522-story.html" target="_blank"><em>The Los Angeles Times.</em></a></p><p>Michael Downing, executive vice president of security for Prevent Advisors, told the Times that extra attention needs to be paid to transportation centers, walkways, and parking lots at event spaces. 
</p><p>"Obviously, we are going to have to look at ingress and egress," he said, because terrorists tend to target areas where large crowds gather.</p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 81290113-5d11-4d25-8947-34b014d6add3" id="div_81290113-5d11-4d25-8947-34b014d6add3"></div><div id="vid_81290113-5d11-4d25-8947-34b014d6add3" style="display:none;"></div></div><p>Other security experts who spoke with Reuters said they expect countries around the world to tighten security ahead of major cultural and sporting events following the bombing. However, they do not anticipate that these measures will stop determined attackers.</p><p>"Whatever is done--and in this case it's British intelligence which is considered among the best in the world--it won't prevent such incidents happening," said Jean-Charles Brisard, president of the Centre for the Analysis of Terrorism.</p><p>"You can bring back the perimeter, add security gates, and as many controls as you want, but that will not change the fact that a determined individual will carry out his act if he is not caught before."<br> </p><h4>Bombing at Manchester Arena Kills at Least 22 People, Injures Scores More</h4><p><strong>Update: 11:15 a.m., May 23, 2017</strong></p><p>A man detonated a bomb at Manchester Arena Monday night, killing at least 22 people and injuring scores more in the deadliest terror attack in Britain since 2005.</p><p>The bomber—who has not been identified—was killed in the blast, and ISIS has claimed responsibility for the bombing; however, the terrorist organization's claim has not been verified.</p><p>ISIS claimed the attack as revenge against "Crusaders," <a href="http://www.reuters.com/article/us-britain-security-manchester-idUSKBN18I2OP">according to Reuters.</a> "But Western experts were skeptical, noting it had offered two accounts of the attack partly contradicting each other and the British police version."</p><p>The 21,000-seat Manchester Arena 
was full of teenagers and their families on Monday night for a concert by American pop star Ariana Grande.</p><p>As the concert was ending, around 10:30 p.m. local time, a blast tore through the entrance hall next to the Victoria Station, and concertgoers panicked as they tried to exit.</p><p>"There was this massive bang. And then everyone just went really quiet. And that's when the screaming started," Ryan Molloy, a concertgoer, <a href="https://www.apnews.com/e0112659f579401a93a769517d7d8d89/Islamic-State-group-claims-deadly-Manchester-concert-bombing">told the AP</a>. "As we came outside to Victoria Station, there were just people all over the floor covered in blood."</p><p>Authorities closed the station and shut down public transportation from the arena, so many Manchester residents offered to allow concertgoers to stay in their homes overnight.</p><p>Authorities are actively working to determine if the bomber acted alone, and if not, to identify and arrest his accomplices.</p><p>"The police said that they were canvassing leads and poring over surveillance footage to determine if the assailant—who died in the assault—had acted with any accomplices," <a href="https://www.nytimes.com/2017/05/23/world/europe/manchester-arena-attack-ariana-grande.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=a-lede-package-region&region=top-news&WT.nav=top-news">The New York Times reports.</a> "Shortly before noon on Tuesday, the police announced that they had arrested a 23-year-old man southwest of the city center 'with regards to last night's incident,' but they did not provide additional details."</p><p>Manchester Mayor Andy Burnham has also made plans to host a vigil on Tuesday night in Albert
Square. "Whilst the area around Manchester Arena is still cordoned off, we want to remind people that Manchester will not be defeated—the city is open for business," Greater Manchester Police said.</p><p>This is an ongoing story. <em>Security Management</em> will continue to update this post as more information is confirmed and becomes available.</p>
https://sm.asisonline.org/Pages/Stadium-and-Soft-Target-Security-Resources.aspx
Stadium and Soft Target Security Resources
National Security
<p>In the wake of the Manchester bombing, <em>Security Management</em> is committed to providing resources and expertise that address the protection of soft targets such as stadiums and public venues. Following are articles, reviews, and reports that can be used to understand the attack in a wider context as well as strengthen security measures. <a href="/Pages/Terror-Attack-Strikes-Manchester-Arena—What-We-Know.aspx" target="_blank">Click here</a> for <em>Security Management</em>'s coverage of the attack.</p><h4>Articles</h4><ul><li><p>Last night's attack took place exactly two months after <a href="/Pages/Four-Killed-In-U.K.-Parliament-Attack.aspx">a man drove into a crowd of people</a> then stabbed a police officer outside of the UK parliament, killing four.
</p></li><li><p>The incident was reminiscent of the November 2015 attacks in Paris, which occurred outside of a stadium as well as in a concert venue. <a href="/Pages/A-Defensive-Stance.aspx" target="_blank">This 2016 article discusses stadium security and the fan experience.</a></p></li><li><p><a href="/Pages/Vehicle-Access-at-Stadiums.aspx" target="_blank">Vehicle access to stadiums</a> is another vulnerability that could be taken advantage of by attackers.</p></li><li><p>There are a number of <a href="/Pages/Securing-the-Fan-Experience.aspx">government resources and checklists</a> for securing stadiums.</p></li></ul><h4>ASIS Toolkits and Reports</h4><ul><li><p>ASIS-curated resources for <a href="https://www.asisonline.org/Membership/Member-Center/Security-Spotlight/Pages/Protecting-Soft-Targets.aspx" target="_blank">protecting soft targets</a></p></li><li><p>Crisis management and <a href="https://www.asisonline.org/Membership/Member-Center/Security-Spotlight/Pages/Crisis-Management.aspx" target="_blank">emergency preparedness toolkit</a></p></li><li><p><a href="https://foundation.asisonline.org/FoundationResearch/CRISP-Reports/CRISP-Report-Library/sports-team-travel-security/Pages/default.aspx">CRISP Stadium Security report</a></p></li></ul><h4>Book Reviews</h4><ul><li><p><a href="/Pages/Book-Review---Disaster-Management.aspx">Introduction to International Disaster Management, 3rd edition</a></p></li><li><p><a href="/Pages/ASIS-News-April-2017.aspx" target="_blank">Managing Critical Incidents and Large-Scale Event Security</a></p></li><li><p><a href="/Pages/Book-Review---Counterterrorism.aspx" target="_blank">Counter-terrorism: Reassessing the Policy Response</a></p></li><li><p><a href="/Pages/Book-Review---Active-Shooter.aspx">Active Shooter: Preparing for and Responding to a Growing Threat</a></p></li><li><p><a href="/Pages/Book-Review---Emergency-Management-and-Social-Intelligence.aspx" target="_blank">Emergency Management and Social Intelligence: A Comprehensive All-Hazards Approach</a></p></li><li><p><a href="/Pages/Book-Review---Bomb-Threats.aspx">A Law Enforcement and Security Officers' Guide to Responding to Bomb Threats, 3rd Edition</a></p></li><li><p><a href="/Pages/custom-search-results.aspx?k=Soft%20Target%20Hardening" target="_blank">Soft Target Hardening</a></p></li></ul><h4>Podcasts</h4><ul><li><p><a href="https://soundcloud.com/security-management/bonus-soft-targets-continued" target="_blank">Securing Soft Targets</a></p></li><li><p><a href="https://soundcloud.com/security-management/bonus-fighting-isis-in-europe" target="_blank">Fighting ISIS in Europe</a></p></li><li><p><a href="https://soundcloud.com/security-management/special-edition-london-terror-attacks">London Terror Attacks</a></p></li></ul>
https://sm.asisonline.org/Pages/On-Site-and-Cloud-Access-Control-Systems.aspx
On-Site and Cloud Access Control Systems
Strategic Security
<p>Back in the 1970s, electronic access control systems were rudimentary by today’s standards. Those early systems consisted primarily of simple keypads for inputting PIN (personal identification number) codes, or ID cards and readers using magnetic stripe or Wiegand technology to grant or deny access while also maintaining a record of user access. There were few choices when it came to options, integration, and vendors.</p><p>Fast forward to today: now access control systems are frequently the main control platform in a physical security system. These evolved systems allow authorized staff to move freely while keeping a facility or an area secure—and they do much more. Network connectivity allows integration with security subsystems, as well as with business and operational systems such as retail and HR functions. Open architecture designs allow for compatibility with multiple technologies. Smartphones are becoming a mainstream tool in access control systems, and they can sometimes be used in place of an access card. </p><p>Even the most basic access control solution provides some level of tracking, auditing, and reporting. The combination of advanced functionality, flexible features, and integration with other systems allows current systems to provide in-depth information that far exceeds the capabilities of earlier systems.</p><p>Considering these many sophisticated features and functions can be a challenge for the end user, who must not only select an access control system but also determine how and where it will be managed and which solution best meets the organization’s financial and operational needs.
Because physical security is vital to the protection of people, premises, and assets, it’s a decision that requires understanding of the technology and the applications. Following are a few examples of the options available for managing an access control system and where they are best suited.</p><h4>Credential Type</h4><p>In addition to incorporating biometrics and other advanced access credentials, today’s solutions can support PIN pads, magnetic stripe and/or Wiegand cards, proximity readers, and other technologies that organizations already use. This provides customers with the flexibility to select the credential type that best suits their needs. </p><p>For example, magnetic stripe and Wiegand access cards offer the convenience of embedding user-specific information in addition to access privileges. Because they incorporate embedded wires as opposed to magnetic material and can be used with contactless sensors, Wiegand technologies are less susceptible to extreme temperatures and other hostile environments. Cards used in systems that require contact with readers suffer from wear and tear and therefore must be replaced on a regular basis.</p><p>Proximity readers offer tremendous ease of use and the ability to quickly deactivate lost cards and issue new credentials. Because no contact is required between card and reader, credentials don’t suffer from the wear and tear common with magnetic stripe and Wiegand systems. </p><p>PIN pads are often employed for single-door applications, and their lower cost makes them attractive to organizations with limited budgets. 
They are extremely easy to use but also less secure, because users can easily share their codes with others.</p><p>In addition to cost, security level, and system size, organizations must also consider each technology’s ability to work with a range of access control software, as well as the ability to deploy and manage the solution using any or all of the below models.</p><h4>User-Managed on Site</h4><p>In this scenario, the customer purchases or leases equipment from an authorized reseller/integrator, who installs the system and provides training. A service contract may be included in the sale or lease. The customer is responsible for all programming activity on the dedicated PC, including data entry and updating for names, scheduling, reports, backup, and software updates. Depending on the system, badging may also be included. Other than the installation and training and any service agreement, the reseller/integrator has no additional responsibility.</p><p>Systems managed by the user on site are ideal for small to medium-sized businesses, local government offices, sporting facilities, and the like, where one or two individuals are tasked with maintaining the database, software upgrades, and infrastructure maintenance.  </p><h4>User-Managed Cloud </h4><p>Like the on-site user-managed scenario, this version starts with equipment that is purchased or leased from an authorized reseller/integrator, who installs the hardware and provides training. The difference is that the software is in the cloud and is managed, along with the supporting infrastructure, by the integrator or service provider. All backup, software upgrades, system monitoring, programming, scheduled door locking and unlocking, and other vital access control actions are performed remotely by professional monitoring providers. 
The user may manage only the simple functions of entering, deleting, and modifying names, and possibly badging via a Web portal.</p><p>User-managed cloud systems work well for sites with few or no IT staff—such as franchise locations or property management sites. Each location can handle the day-to-day functions of database maintenance and scheduling via a Web portal, but reports, applying patches and updates, backup, and other group functions are handled in the cloud by the integrator. One useful advantage of this scenario is that the browser application can be accessed at any time and from any device by the user. </p><h4>Remotely Managed Cloud</h4><p>The user has little or no access to the head-end software in this scenario, and all activity is performed by the service provider. Sometimes known as ACaaS (Access Control as a Service), this service is popular with enterprise-level organizations. Hardware can be new or legacy, owned or leased. When modifications are required, the service provider makes the changes. Reports can be run and sent to the end user on a scheduled or as-requested basis. Credentialing is also handled by the service provider.</p><p>Access control systems for several organizations may be hosted in the cloud by the service provider, and the security of the data is ensured with AES encryption. Multilayered filtering and partitioning allow end users to access only their own information (cardholders, access groups, hardware, etc.), while the service provider has full access to all customers’ data.</p><p>By working with a knowledgeable technology partner, such as an integrator or vendor, users will find the help they need to identify which of these solutions best meets their needs. Expertise and experience can help the end user make better and more confident decisions about an access control installation.</p><p><em>Robert Laughlin is president at Galaxy Control Systems. </em></p>
https://sm.asisonline.org/Pages/Trump’s-Cybersecurity-Executive-Order-Well-Received-by-Experts.aspx
Trump’s Cybersecurity Executive Order Well Received by Experts
Cybersecurity
<p>After months of waiting and leaked drafts, U.S. President Donald Trump signed a <a href="https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal" target="_blank">cybersecurity executive order </a>yesterday that aims to strengthen U.S. government networks and critical infrastructure.</p><p>The executive order is broken into three parts—securing U.S. government networks, enhancing critical infrastructure cybersecurity, and cybersecurity for the nation—and is an effort to change the course of the U.S. government’s cyber posture, said Tom Bossert, White House homeland security advisor, in a <a href="https://www.whitehouse.gov/the-press-office/2017/05/11/press-briefing-principal-deputy-press-secretary-sarah-sanders-and">press briefing on the order.</a><br></p><p>A key element of the executive order is looking at the U.S. government’s cybersecurity as a whole—not as 190 separate agencies, Bossert explained.<br></p><p>“We need to look at the federal government as an enterprise, so that we no longer look at the Office of Personnel Management (OPM) and think, ‘Well, you can defend your OPM network with the money commensurate for the OPM responsibility,’” he said. “OPM, as you know, had the crown jewel, so to speak, of our information and all of our background and security clearances.<br></p><p>“What we’d like to do is look at that and say, ‘That is a very high risk, high cost for us to bear.
Maybe we should look at this as an enterprise and put collectively more information in protecting them than we would otherwise put into OPM looking at their relevant importance to the entire government.”​<br></p><h4>Government Networks</h4><p>“The first priority for the president and for our federal government is protecting our federal networks,” Bossert explained. “I think it’s important to start by explaining that we operate those federal networks on behalf of the American people, and they often contain the American people’s information and data, so not defending them is no longer an option. We’ve seen past hacks and past efforts that have succeeded, and we need to do everything we can to prevent that from happening in the future.”</p><p>As part of that effort, the executive order said the president will hold executive department and agency heads accountable for managing cybersecurity risk to their enterprises. Under the order, they will implement risk management measures “commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.”<br></p><p>Anthony J. Ferrante, senior managing director in the Global Risk & Investigations Practice at FTI Consulting and former director for cyber incident response at the National Security Council, says he’s glad to see this change in the federal government’s posture.<br></p><p>“In the years following the OPM attack, it is nice to see that the administration recognizes that it operates federal networks on behalf of the American people, and it is a strong move to say that the president is going to hold the heads of departments and agencies accountable for the cybersecurity of their networks,” Ferrante adds.<br></p><p>Additionally, agency and department heads are required to use the National Institute of Standards and Technology (NIST) Cybersecurity Framework to manage their respective organization’s risk. 
Each agency has been instructed to provide a risk management report to the secretary of the Department of ​​Homeland Security and the director of the Office of Management and Budget (OMB) within 90 days.<br></p><p>“We have practiced one thing and preached another,” Bossert said. “It’s time for us now…to implement the NIST framework. It’s a risk-reduction framework.”<br></p><p>Requiring government agencies to adopt the NIST framework—like the private sector has been encouraged to do—is a positive step, says Brian Harrell, CPP, director of security and risk management for Navigant Consulting and former director of critical infrastructure protection programs at the North American Electric Reliability Corporation (NERC).<br></p><p>“The acknowledgement of risk acceptance is significant,” Harrell explains. “Within all IT systems, we have the ability to accept, avoid, mitigate, or transfer risk.”<br></p><p>Also part of the executive order’s plan to modernize government IT and manage risk is a directive that agency heads show preference in their procurement for shared IT services, including e-mail, cloud, and cybersecurity services.<br></p><p>“We have 190 agencies that are all trying to develop their own defenses against advanced protection and collection efforts,” Bossert said. “I don’t think that that’s a wise approach.”<br></p><p>Utilizing shared IT services does come with risk, but it will put the federal government in a better position to manage those risks, Bossert added.<br></p><p>“I’m not here to promote for you that the president has signed an executive order and created a cybersecure world in a fortress USA,” he said. “That’s not the answer. But if we don’t move to secure services and shared services, we’re going to be behind the eight ball for a very long time.”<br></p><p>This is a positive step, says Will Ackerly, chief technology officer at Virtru and former lead security architect for the National Security Agency’s (NSA’s) first cross-domain cloud. 
<br></p><p>“It’s positive if managed well. The risk and threat change with on-premise to cloud,” Ackerly explains. “When you move to Google, you now all of a sudden have many security engineers online on a real-time basis available to essentially protect your data. The trade is, you don’t have the same kind of direct control or insight…into how your data is being accessed.”<br></p><p>Agencies and departments will also have to avoid creating a monoculture, or choosing the same platform across the board,​​ because if there is a problem with the technology or an attack on it, there could be a “massive issue,” Ackerly adds.<br></p><p>Overall, however, utilizing shared services is a step in the right direction as it will free agencies up to “focus on what they’re good at—their core mission—instead of having to figure out over and over the same IT programs,” he says.<br></p><p>The government’s ability to do this successfully, however, will depend on its ability to secure funding and change its purchasing constraints around technology—which may require Congressional action.<br></p><p>“The majority of [these agencies’] budget is spent on legacy systems,” says John Dickson, CISSP, principal at Denim Group and former U.S. Air Force officer who served in the Air Force Information Warfare Center. “If you are spending a lot of money, and 75 percent of that is to maintain what you have, you simply are not going to be able to put a dint in this problem.”<br></p><p>Another area that gives some experts pause, however, is that the agency risk management reports may be classified in full—or in part—and not available to the public. <br></p><p>“Particularly when you’re talking about trying to manage risk across many, many agencies, that requires good information sharing,” Ackerly adds. 
“I think it can be a lot harder when there isn’t transparency, at least at the core level.”<br></p><p>He also raised concerns about the number of reports and assessments the executive order has asked government officials to compile to analyze the federal government’s cybersecurity posture and path forward. <br></p><p>“A lot of these reports end up sitting on shelves; a lot of work is going to go into producing these things and updating them,” Ackerly says, adding that it might have been a better idea to create a position of a cybersecurity czar to manage this process so there’s “clear central authority that coordinates actions that the CISOs are accountable to…I worry that this might be another paper exercise.”​<br></p><h4>Critical Infrastructure</h4><p>The second portion of the executive order focuses on critical infrastructure cybersecurity and calls for reports to identify ways that agencies could support the cybersecurity efforts of critical infrastructure entities that are at “greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security,” according to the order.</p><p>In particular, the order asks for the secretaries of energy and homeland security, with the director of national intelligence and local authorities, to assess the potential scope and duration of a prolonged power outage associated with a significant cyber incident.<br></p><p>Harrell says electric utilities are well positioned to aid the government in this effort and provide a report to the president. <br></p><p>“The NERC Grid Security Exercise is a notable example of how the industry has taken cyber threats seriously, and while many lessons have been derived from the national exercise, industry understands the magnitude of a wide-area disruption due to a security event,” Harrell explains. 
“I would strongly recommend that the Department of Energy reach out to NERC, utilities, and industry trade associations to compile their findings as many lessons-learned have already been documented and acted upon.”<br></p><p>The executive order also calls for the secretaries of commerce and homeland security to identify and promote action by stakeholders to improve the resilience of the telecommunications industry to “dramatically” reduce the number of botnet attacks in the United States. <br></p><p>This will require cooperation from the private sector, particularly from Sprint, AT&T, Verizon, and other carriers, Dickson says. “All the people that are essentially providing Internet and phone connectivity, because there’s certain things they can do in real-time to make it harder for those types of attacks to propagate.”<br></p><p>Not to be ignored, however, are potential strides the government could make with device manufacturers, Ackerly says, who could be encouraged to create devices that are inherently more secure and less likely to be compromised and part of a botnet.​<br></p><p>One action Ackerly says he thinks would be a risky choice for the government would be to encourage active attacks to prevent botnet attacks.</p><p>“The military has authority to do active attacks,” he explains. “I don’t think we want to encourage companies to break the law and respond directly to take down systems that are not their own that are trying to interfere with their services.”</p><h4>National Security</h4><p>The final section of the executive order deals with ensuring that the Internet remains valuable for future generations by deterring cyberattacks and investing in the nation’s future workforce. </p><p>The order calls for the secretaries of state, treasury, defense, commerce, homeland security, and the attorney general, amongst others, to submit a report to the president on the nation’s strategic options for deterring adversaries and protecting Americans from cyber threats. 
It also requires the secretaries to document a strategy for international cooperation in cybersecurity.<br></p><p>“The Russians are not our only adversary on the Internet, and the Russians are not the only people that operate in a negative way on the Internet,” Bossert said. “The Russians, the Chinese, the Iranians, other nation states are motivated to use cyber capacity and cyber tools to attack our people and our governments and their data.<br></p><p>“That’s something we can no longer abide. We need to establish the rules of the road for proper behavior on the Internet, but we also then need to deter those who don’t want to abide by those rules,” he said.<br></p><p>The executive order also calls for an assessment of the scope of current efforts to educate and train the American cybersecurity workforce of the future to maintain the United States’ competitive advantage.<br></p><p>Harrell says he found this inclusion in the executive order encouraging. “In a world of constant cyberattacks and massive data breaches, cybersecurity is more important today than ever before,” he adds. “As Americans become more dependent on modern technology, the demand to protect the nation’s digital infrastructure will continue to grow. Many organizations are desperate to find qualified security professionals and fill key staff positions. Promoting professional education, training, and STEM classes will start to bridge the cybersecurity workforce gap.”</p>
https://sm.asisonline.org/Pages/The-Most-Resilient-Countries-in-the-World.aspx
The Most Resilient Countries in the World
Strategic Security
<p>Property loss prevention consultant FM Global released its <a href="http://www.fmglobal.com/research-and-resources/tools-and-resources/resilienceindex/explore-the-data/?&sn=1" target="_blank">fifth annual <em>Resilience Index</em></a><em>,</em> which ranks 130 countries on their enterprise resilience to disruptive events. The ranking is data-driven and assesses categories such as economic factors, risk quality, and supply chain. It allows executives to plan supply chain and expansion strategies based on insight regarding risks and opportunities, according to the FM Global website. </p><p>Giving a nod to new trends that affect supply chain resilience, FM Global introduced three new drivers of resilience to its assessment: supply chain visibility, urbanization rate, and inherent cyber risk. Supply chain visibility addresses the ease of tracking goods across a country’s supply chain. “The more visible and robust the supply chain and the faster it can begin functioning as normal following a major local event, the greater its resilience,” the report notes.</p><p>The urbanization rate is based on the percentage of the country’s population that lives in urban areas. While urbanization is typically associated with a country’s development, it can prove to be risky in an area with high natural hazards. And rapid and unplanned urbanization can create pressure on utilities and infrastructure, which can be a significant threat to the country’s resilience, according to the report.</p><p>2017 is also the first year that the threat of cyberattacks has been acknowledged in the report.
The inherent cyber risk driver is defined as “a blend of a country’s vulnerability to cyberattack, combined equally with the country’s ability to recover.” This is calculated by determining the percentage of citizens with access to the Internet, as well as how the government responds to cyberattacks. “Countries that recover well from major events are those with a thriving industry in malware or cybersecurity, and where governments are willing to step in and help citizens in the event of a nationwide hacking,” the report says.</p><p>At the top of the list for the fifth year is Switzerland, an “acknowledged area of stability for generations” with infrastructure and political stability that makes its supply chain reliable and resilient. However, natural disasters and cyberattacks remain a threat to the country. </p><p>Also notable is Luxembourg, which was ranked eighth in 2013 but placed second this year. A growth in the country’s services sector, combined with its reduced economic reliance on oil and its business-friendly regulations, makes Luxembourg a safe place to expand operations to, the report finds. And due to its location, Luxembourg may serve as a new home for companies following the United Kingdom’s departure from the European Union.</p><p>At the other end of the spectrum, Haiti is ranked last due to its lack of supply chain and standards and its high rate of poverty. Similarly, Venezuela fared poorly due to corruption, natural disasters, poor infrastructure, and ill-perceived quality of local suppliers.  ​</p>
https://sm.asisonline.org/Pages/IT-Security-Professionals-Admit-To-Hiding-Data-Breaches,-Survey-Finds--.aspx
IT Security Professionals Admit To Hiding Data Breaches in New Survey
Cybersecurity
<p>IT security professionals admit they've quietly paid hackers a ransom for their data without telling anyone, according to a survey by cybersecurity company Bromium. In ransomware attacks, cyber thieves obtain users' data and threaten to destroy or not return it if a certain amount of money isn't paid within a set timeframe. The <a href="http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/" target="_blank"><em>2017 Verizon Data Breach Investigations Report</em> found there was a 50 percent increase in ransomware attacks over the last year.</a></p><p>An average of ten percent of IT security professionals said they've silently met hackers' ransomware demands, or hidden a security breach without telling their team. In a blog post, Bromium says the research began as a survey at the RSA Conference in San Francisco in February, but it was so surprised by the findings, it expanded on the research by talking to more IT professionals in both the United States and the United Kingdom.</p><p>At RSA, five percent of IT security professionals said they had hidden a breach from their corporate security team; fifteen percent in the extended study admitted the same. In addition, 38 percent of those at RSA and 32 percent from around the United States and the U.K. admitted to going around, turning off, or bypassing corporate security settings to get their job done.
</p><p>"While we expect employees to find workarounds to corporate security…we don't expect it from the very people overseeing the operation," said Simon Crosby, cofounder and chief technology officer of Bromium, <a href="https://blogs.bromium.com/security-pros-pay-ransom-hide-breaches/" target="_blank">in the blog post. </a>"Security professionals go to great lengths to protect their companies, but to learn that their decisions don't protect the business is frankly rather shocking. To find that security pros have actually paid ransoms or hidden breaches speaks to the human factor in cybersecurity."</p>
https://sm.asisonline.org/Pages/Solar-Technology-Can-Help-Secure-Military-Grids,-New-Paper-Finds.aspx
Solar Technology Can Help Secure Military Grids, New Paper Finds
National Security
<p>Distributed microgrid systems, using solar technology, can help secure the electric grids at military bases to reduce the impact of cyberattacks, physical attacks from terrorists, and natural disasters, researchers say in a new paper.</p><p>Vulnerabilities in the power grid are one of the most prevalent national security threats. The technical community has called for building up the resiliency of the grid using distributed energy and microgrids for stabilization. This is because power production from multiple sources increases the difficulty of triggering cascading blackouts. In addition, following an attack or natural disaster, microgrids can provide localized energy security.<br></p><p>In a new paper published in the scholarly journal <em>Renewable and Sustainable Energy Reviews</em>, an interdisciplinary team of engineering and energy policy experts from Michigan Technological University says the first step is to outfit military infrastructure with solar photovoltaic (PV)-powered microgrid systems. <br></p><p>Currently, only 27 of the more than 400 domestic U.S. military sites have either fortified PV microgrids running now or have plans to do so. This means the majority are vulnerable to long-term power disruptions. Most military backup systems rely on generators, which are also vulnerable to fuel supply disruption.<br></p><p>The researchers found that the military would need 17 gigawatts of PV to fortify all its domestic bases. 
<br></p><p>An abstract of the new paper, and instructions for obtaining a complete copy, can be found here: <a href="http://www.sciencedirect.com/science/article/pii/S1364032117306081">http://www.sciencedirect.com/science/article/pii/S1364032117306081</a></p><p>For more on U.S. Department of Defense utilities, read <a href="/Pages/Ramping-Up-Resilience.aspx" target="_blank">"Ramping Up Resilience"</a> from the March 2017 issue of <em>Security Management. ​</em></p>
https://sm.asisonline.org/Pages/DHS-Warns-Congress-Of-Security-Threats-to-Government-Mobile-Devices.aspx
DHS Warns Congress Of Security Threats to Government Mobile Devices
Cybersecurity
<p>The U.S. Department of Homeland Security (DHS) sent Congress a study on Thursday warning it of security threats to members’ mobile devices and a need for increased device security. </p><p>“The study found that the threats to the federal government’s use of mobile devices—smartphones and tablet computers running mobile operating systems—exist across all elements of the mobile ecosystem,” according to a <a href="https://www.dhs.gov/science-and-technology/news/2017/05/04/news-release-dhs-delivers-study-government-mobile-device" target="_blank">DHS press release.</a> “These threats require a security approach that differs substantially from the protections developed for desktop workstations largely because mobile devices are exposed to a distinct set of threats, frequently operate outside of enterprise protections, and have evolved independently of desktop architectures.”<br></p><p>The report, <a href="https://www.dhs.gov/sites/default/files/publications/DHS%20Study%20on%20Mobile%20Device%20Security%20-%20April%202017-FINAL.pdf" target="_blank"><em>Study on Mobile Device Security</em></a>, was mandated by the Cybersecurity Act of 2015 and compiled by the DHS Science and Technology Directorate with the National Institute of Standards and Technology and the National Cybersecurity Center of Excellence. <br></p><p>The study reveals that the threat to the mobile device ecosystem—smartphones and tablets—is growing. These threats range from those perpetrated by nation states to organized criminal gangs to hackers to regular loss or theft of mobile devices. <br></p><p>U.S. 
government mobile device users are also susceptible to threats that target consumers, including social engineering, ransomware, and identity theft. “Further, federal government mobile device users may be targeted with additional threats simply because they are public-sector employees,” DHS said.<br></p><p>The study also warns that government employees’ mobile devices might be targeted to give attackers access to sensitive computer systems.<br></p><p>“Government mobile devices—despite being a minor share of the overall market—represent an avenue to attack back-end systems containing data on millions of Americans in addition to sensitive information relevant to government functions,” according to the report. “Systems managed by the Department of Defense, DHS, the Department of the Treasury, the Department of Veterans Affairs, Health and Human Services, the Office of Personnel Management, and others hold significant amounts of sensitive but unclassified information, whose compromise could adversely impact the organization’s operations, assets, or individuals.”<br></p><p>To address these threats, the report recommends that the federal government—and DHS in particular—take action to enhance mobile device security for government employees. <br></p><p>“DHS has a responsibility to not only secure the means of communication used by department and agencies, but to safeguard the nation against emerging threats in both the physical and cyber domains,” DHS said. 
“Mobile technology is essential to the United States not just for government use, but also for the security and integrity of communications for businesses and citizens.”<br></p><p>The study recommended the government take the following actions:<br></p><ul><li><p>Adopting a framework for mobile device security based on existing standards and best practices<br></p></li><li><p>Enhancing the Federal Information Security Modernization Act metrics to focus on securing mobile devices, applications, and network infrastructure<br></p></li><li><p>Including mobility within the Continuous Diagnostics and Mitigation program to address mobile device security <br></p></li><li><p>Continuing the DHS Science and Technology applied research program on Mobile Application Security <br></p></li><li><p>Establishing a new program on mobile threat information sharing <br></p></li><li><p>Coordinating the adoption and advancement of mobile security technologies into operational programs<br></p></li><li><p>Developing cooperative arrangements and capabilities with mobile network operators to detect, protect against, and respond to threats<br></p></li><li><p>Creating a defensive security research program to address mobile network infrastructure vulnerabilities<br></p></li><li><p>Increasing active participation in mobile-related standards bodies and industry associations<br></p></li><li><p>Developing policies and procedures on government use of mobile devices overseas based on threat intelligence and emerging threats.<br></p></li></ul>
https://sm.asisonline.org/Pages/How-Smugglers-and-High-Risk-Travelers-Enter-the-US.aspx
How Smugglers and High Risk Travelers Enter the United States
National Security
<p>It’s no secret that transnational crime organizations get creative when it comes to smuggling contraband from Mexico to the United States, but with increased security along the border comes increasingly extravagant efforts by criminals to avoid security measures, a new U.S. Government Accountability Office (GAO) report released earlier this week found. </p><p>Smugglers build cross-border tunnels, which range from rudimentary, shallow tunnels to interconnected tunnels with lighting, railways, and ventilation and connect to existing municipal infrastructure such as sewer systems. Single seat, ultralight aircraft weighing 250 pounds or less can carry large baskets of drugs across the border. And a variety of boats, pangas, and submarines can shuttle large quantities of contraband. </p><p>In its report, titled <em><a href="http://www.gao.gov/assets/690/684408.pdf">Border Security: Additional Actions Could Strengthen DHS Efforts to Address Subterranean, Aerial, and Maritime Smuggling</a></em>, GAO discovered 67 cross-border tunnels, 54 of which were sophisticated and interconnected. The U.S. Customs and Border Protection (CBP) and U.S. Immigration and Customs Enforcement (ICE) share responsibility for countering tunnel threats and found that the drug most confiscated in the tunnels was marijuana—from 2011 to 2016, more than 106,600 pounds of marijuana was seized, the report found. 
Smuggling rates via tunnels, air, and boats have generally decreased since 2011, although GAO found an increase in migrant smuggling via panga and recreational boats off the Florida coast.</p><p>The GAO report concluded that CBP and ICE should increase their use of technology, performance measuring, and agency collaboration to better address the smuggling threat. “By establishing performance measures and regularly monitoring performance against targets, managers could obtain valuable information on successful approaches and areas that could be improved to help ensure that both technology investments and operational responses to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective,” according to the report.</p><p>But what about identifying high-risk travelers that could pose a threat to the United States? DHS has a number of programs in place to identify and interdict high-risk travelers seeking to arrive in the United States via airplane, such as foreign fighters and potential terrorists, human traffickers, and drug smugglers. CBP identified and prohibited more than 22,000 travelers from flying to the United States in 2015 alone, but there is no way to evaluate the overall effectiveness of the high-risk traveler programs, GAO found in its report <em><a href="http://www.gao.gov/assets/690/684443.pdf">Progress and Challenges in DHS's Efforts to Address High-Risk Travelers and Strengthen Visa Security</a></em>, released yesterday.</p><p>The report also addressed the Visa Waiver Program (VWP), which allows nationals from 38 countries to apply for a temporary visa to travel to the United States. The VWP has been around since 1986, but was updated in 2015 to address the modern-day terrorist threat. ​As part of the agreement, countries participating in the U.S. 
VWP agreed to share information regarding lost or stolen passports, identity information about known or suspected terrorists, and criminal history information. </p><p>However, GAO found that a third of the countries are not sharing terrorist identity information, which the report noted “has enhanced U.S. traveler screening capabilities and improved U.S. agencies’ ability to prevent known and suspected terrorists from traveling to the United States.” DHS has agreed to continue to work with VWP companies to implement all program requirements.</p>
https://sm.asisonline.org/Pages/Insuring-Data-Loss.aspx
Insuring Data Loss
Cybersecurity
<p>Historically, one of the most catastrophic risks to cities was fire. Prior to the modern concept of fire departments, most businesses and residents relied on private departments that they funded to come put out the blaze, should the need arise.</p><p>In 1751, Benjamin Franklin created the first fire company in the U.S. colonies to sell fire insurance: the Philadelphia Contributionship. </p><p>Participants in Philadelphia paid fees that were then used to cover other participants’ fire-related losses, according to Allstate. The first year of the contributionship, 143 policies were purchased to cover a seven-year period. None of the insured properties caught fire during that time. </p><p>As time went on, society made greater strides in fire prevention, and insurance carriers gathered data on these measures to assess how they reduced or increased the risk of fire, adjusting premiums accordingly.</p><p>However, one of the newest forms of insurance on the market has forged a different path. Cyber insurers are still in the process of amassing data to price risks for a cyber incident that results in data theft—and no company has data to price risk for destructive attacks, according to Robert Knake, Whitney Shepardson senior fellow at the Council on Foreign Relations (CFR). </p><p><img src="/ASIS%20SM%20Product%20Images/0517%20Cybersecurity%20Facts.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;width:257px;" />“Moreover, insurers do not typically offer premium reductions in exchange for improving cybersecurity practices,” Knake wrote in a cyber brief for CFR’s Digital and Cyberspace Policy Program. 
“This market decision reflects a sad reality for the cybersecurity industry: there is no clear consensus on which cybersecurity practices work and which do not, though some insurers are developing closer relationships with cybersecurity providers in order to access information necessary to accurately price risk.”</p><p>Despite being unable to accurately price risks associated with cyberattacks, the cyber insurance market is projected to grow from approximately $2.75 billion to $7.5 billion by 2020, according to PricewaterhouseCoopers’ (PwC) Insurance 2020 & Beyond: Reaping the Dividends of Cyber Resilience. </p><p>“Businesses across all sectors are beginning to recognize the importance of cyber insurance in today’s increasingly complex and high risk digital landscape,” the report explained. But this awareness has been coupled with skepticism about the true value of cyber insurance.</p><p>“Given the high costs of coverage, the limits imposed, the tight terms and conditions, and the restrictions on whether policyholders can claim, many policyholders are questioning whether their policies are delivering real value,” said Paul Delbridge, an insurance partner at PwC, in a statement on the report. </p><p>Cyber insurance is a  relatively new concept in the insurance world that got its start in the 1990s. Businesses started to look to the insurance market to cover risks associated with e-commerce, but found that none of the existing insurance models were relevant, says Graeme Newman, chief innovation officer at CFC Underwriting.</p><p>“The worry wasn’t that the building would burn down, or that they wouldn’t be able to trade on their physical premises, it was that their systems would go down and they wouldn’t be able to trade,” he explains. “Their biggest asset was their data…. 
They wanted a product they could use to insure that data—and that’s where cyber insurance was born.”</p><p>Cyber liability policies were created to cover identity theft, business interruptions when hackers shut down a network, damage to a business’s reputation, and costs associated with damage to data records caused by a hacker. Policies can also cover the theft of digital assets, malicious attacks via computer code, human errors that disclose sensitive information, credit monitoring services, and lawsuits, according to the National Association of Insurance Commissioners.</p><p>In the late 2000s, society began to see a major shift in crime with physical crime morphing into cybercrime—phishing scams, business email compromise, ransomware, and more. This helped push cyber insurance as more of a mainstream line of insurance, Newman says, and health institutions are leading the way.</p><p>Hospitals generally have “lots of sensitive patient data on generally old, legacy IT systems with good risk management departments but little idea about IT security and really high penalties from regulators,” Newman adds, especially in the United States under the Health Insurance Portability and Accountability Act (HIPAA).</p><p>Retailers were the next major vertical to begin purchasing cyber insurance following the string of mega breaches at Target, Home Depot, and Neiman Marcus in 2013 and 2014 when hackers targeted retailers to acquire customer payment card information.</p><p>“That got the retailers to purchase cyber insurance, and we saw financial institutions buying cyber insurance,” Newman says.</p><p>This activity has created a cyber insurance market worth roughly $3 billion today, with 90 percent of all cyber insurance purchased in the United States. 
This is for a variety of reasons, including the aggressive class action lawsuit culture in the United States, state attorneys general who have taken a tough stance against businesses that compromise consumer data, and regulators who can levy fines under the law.</p><p>“When a business loses data, you’ve got a whole load of ambulance chasers trying to make a buck out of it,” Newman says. “They’ll bring lawsuits against businesses that lose data.” </p><p>Despite these motivators, however, only 25 percent of U.S. businesses and 2 percent of U.K. businesses have purchased cyber insurance policies. This could be because of the price of premiums due to the limited data on the scale and financial impact of attacks, according to the PwC report.</p><p>“Insurers and reinsurers are charging high prices for cyber insurance relative to other types of liability coverage to cushion some of the uncertainty,” the report explained. </p><p>PwC’s former U.S. Cybercrime and Breach Response Senior Managing Director Don Ulsch saw this in action just two years ago. One of his clients, a global manufacturing firm, attempted to buy cyber insurance and found that the carrier would only provide $1 of coverage for each $1 in premiums. The client ultimately purchased the policy because it felt it was necessary to meet U.S. Securities and Exchange Commission (SEC) guidelines, Ulsch says.</p><p>“As you start looking at what your requirements are as an SEC registrant, you will likely start looking at cyber insurance,” he explains. This is because in 2011, the SEC released guidance on cyber insurance and has since adopted a prebreach‑centric approach to managing cyber risks—meaning that boards have informed investors and shareholders how they will manage a cyber risk in the event of a cyber breach. </p><p>And for those carriers that do issue cyber insurance policies, PwC found that they are putting a ceiling on potential losses through restrictive limits, exclusions, and conditions. 
For instance, common conditions include state-of-the-art data encryption or 100 percent updated security patch clauses, which are difficult for businesses to maintain.</p><p>Another area that may be stalling actual growth is confusion over how to cover new risks associated with cybersecurity. One area that Ulsch says carriers are still assessing is how to cover a physical event that stems from a cyber incident.</p><p>For instance, Internet of Things devices at a restaurant could be compromised, allowing a hacker to leverage them in an attack that causes a gas line in the restaurant to malfunction, resulting in an explosion.</p><p>Since an incident like this would cause bodily injury and property damage, “should that be an extension of cyber insurance?” Ulsch asks. “Or should it be part of your commercial general liability insurance? How does it get covered?”</p><p>This is one of the big questions that insurers have today in response to new kinds of cyberattacks that are emerging on an almost daily basis. “This is something that is relatively new, but it’s growing in significance,” he adds.</p><p>One development that might help spur the adoption of cyber insurance policies, however, came in December 2016 when the U.S. Department of the Treasury issued guidance in the Federal Register that included these policies in the Terrorism Risk Insurance Program (TRIP).</p><p>TRIP was initially created in the aftermath of 9/11 as part of the Terrorism Risk Insurance Act (TRIA) as a federal stopgap to allow private companies to purchase terrorism insurance. Under the program, the U.S. treasury secretary and the attorney general can certify an event as an act of terrorism. If damages from the act exceed $200 million, TRIP is triggered to cover the remaining losses. </p><p>Before 2016, there was confusion as to whether TRIP would be triggered for cyber incidents. 
To clarify, Treasury issued the new guidance confirming that “stand-alone cyber insurance policies” reported as “Cyber Liability” are included in the “property and casualty insurance” under TRIP. </p><p>Security Management reached out to Treasury for further explanation about the guidance, but it did not return requests for comment.</p><p>Adding cyber insurance to TRIP is a step that Knake recommended in his cyber brief, published prior to Treasury’s guidance. He advocated for the creation of a federally sponsored cyber insurance program.</p><p>“The federal cyber insurance program should be developed under TRIP…given that much like terrorist attacks, catastrophic cyber incidents affecting the United States will be rare,” Knake wrote. “TRIP should be expanded to cover cyber events and renamed to allow for coverage of all catastrophic cyberattacks—whether they are carried out by terrorists, state actors, or criminals—including cases in which attribution cannot be determined.”</p><p>One way that TRIP falls short, Knake tells Security Management, is that it doesn’t place requirements on insurance policies and on companies themselves to improve their own security. Knake, who is the former U.S. National Security Council director for cybersecurity policy, says this was discussed at the time that TRIP was created but ultimately decided against.</p><p>When it comes to cybersecurity, where the threat and the fundamental responsibility is on companies to protect themselves, a “model that is like TRIA but creates a situation in which the insurance is being used to promote cyber hygiene, better practices, and information sharing makes a lot of sense,” he says.</p><p>For instance, Knake recommends that regulators set minimum requirements for cyber insurance for companies that want to take advantage of TRIP’s protections. One example of this is the approach that U.S. 
financial regulators have taken to cybersecurity to address the potential of systemic risk throughout the entire system should a major financial institution be hit with a cyberattack.</p><p>“Being able to quantify that risk and then say, ‘You need to have insurance up to that amount,’” Knake says. “It’s like car insurance. You need to have car insurance, as the minimum standard.”</p><p>Ultimately, a federally sponsored cyber insurance program should be used to limit financial liability and promote participation in “initiatives that benefit the security of the Internet as a whole and reduce systemic risk,” Knake wrote. </p><p>“Initially, the government’s goal should be to use the program to promote the sharing of data on incidents so that insurers can accurately price risk and set premiums. Doing so could provide the data necessary to judge the effectiveness of existing best practices and identify new practices that should be widely adopted.” </p><p>Whether that happens remains to be seen, but insurance carriers are already projecting that the international market for cyber insurance will grow by 400 percent. Most forms of insurance typically only see 1 to 2 percent growth year over year, Newman says.</p><p>“Cyber insurance is exciting,” Newman adds. “Cyber is the class of insurance that is growing in the world.” ​</p>
https://sm.asisonline.org/Pages/Cyber-Travel-Tips.aspx
Cyber Travel Tips
Cybersecurity
<p>Security managers must be aware of their physical surroundings when they travel, but electronic devices frequently place employees and their companies at risk. To help keep devices and corporate data secure while traveling, Security Management reached out to several security experts to learn about their own travel best practices.</p><h4>Do a Cleanse</h4><p>Before packing your laptop, Bruce McIndoe, CEO of integrated risk management company iJET, recommends doing some device cleansing. </p><p>“That’s the first level of defense when you are getting ready to leave on a trip—slim down and remove as much data as you can,” he says.</p><p>This means assessing whether you actually need to take a laptop with you and, if so, removing all the sensitive data from it that you can. “That way if the laptop is stolen or infiltrated or lost, you’re not going to have all that data exposed,” McIndoe says.</p><p>Take the same approach with your smartphone, and pare down your USB devices to the essentials. Then make sure that all your devices are encrypted in case they are lost or stolen.</p><h4>Talk to IT</h4><p>After you’ve assessed what you need to take with you, it’s a good rule of thumb to check with your IT department to see if they have travel devices for you to take with you, such as travel laptops, phones, and even routers.</p><p>IT can also review with you any policies or procedures in case your devices are lost, stolen, or breached while you’re away from the office.</p><h4>Take the Right Bag</h4><p>When traveling, sometimes your devices are out of your sight—whether they’re tucked in your checked bag or stowed in the hotel while you’re out at dinner. This is when a zippered bank bag comes in handy, says former U.S. Secret Service Agent John Toney. 
He and other agents used zippered bank bags, such as an A. Rifkin bag, to store guns, electronic equipment, and anything else they wanted to keep away from prying eyes.</p><p>“When agents go en masse overseas, everyone throws their bag into the same Pelican case for customs,” says Toney, who is now senior manager of forensic technology and discovery services at Ernst & Young LLP. “That way, customs agents can scan the outer carrier but don’t get inside the bags.”</p><h4>Avoid Free Wi-Fi</h4><p>While a wonderful invention, Wi-Fi does come with risks, which is why McIndoe says he doesn’t connect to airport Wi-Fi or public Wi-Fi. </p><p>“What I try to do is use Gogo and AT&T hotspots,” McIndoe explains. “I can use Gogo on flights and get onto Wi-Fi only from access points that I know about.”</p><p>He also says travelers should be cautious about connecting to hotel Wi-Fi. As a precaution, consider using a VPN to access systems at work and ensure that you have an HTTPS connection. If you do access a website without an HTTPS connection, McIndoe says you should not consider that information private.</p><h4>Talk to IT, Again</h4><p>After you’ve returned from your trip and before you connect any of your devices to your company’s network, go talk to IT. They can scan the devices to make sure you didn’t pick up any malware while you were abroad. Many companies require employees who have been in designated countries to have their laptops scanned before connecting them to the network.</p><p>“A lot of companies have more sophisticated malware detection on the company network than on your laptop and will detect a virus that your local virus scan did not detect,” McIndoe says.</p>