Social Engineering Review: Social Media Risk and Governance
2016-11-01T04:00:00Z
<p>Kogan Page; 232 pages; $37.95.</p>
<p>Phil Mennie is an international expert on social media, risk management, and information technology governance. His latest publication, <em>Social Media Risk and Governance</em>, is a must-read for the intermediate to advanced risk management security practitioner. It is a captivating book depicting the importance of identifying social media and information technology risks in an organization, outlining ways to address each of these risks immediately and to the benefit of an organization.</p>
<p>Governing the safety of social media inside and outside of the workplace is a challenging task. Mennie articulates a clear and concise social media strategy that can be adopted by risk management professionals both domestically and internationally, with specific protocols and tools. He uses examples from real-world companies—like MasterCard—to support his points. Diagrams, matrixes, case studies, images, graphs, flowcharts, procedure assessment methods, and other forms of multimedia further support the text.</p>
<p>One shortcoming in the book is its lack of information on cloud computing. Many organizations are migrating to cloud-based storage options, such as OneDrive, Dropbox, and Google Drive. Research indicates that organizations should be very cautious about storing sensitive data in the cloud. The author reflects on the importance of data privacy, but does not expand on specific steps for properly uploading and transferring data to the cloud safely.</p>
<p>Also in the text, the author notes that certain legislation is being considered by several states and jurisdictions.
However, the description is vague and does not contain specific pieces of legislation for reference.</p>
<p>The book urges technology professionals, compliance regulators, and risk management leaders to ask difficult questions: Is our organization embracing the power of social media? Are we keeping both internal and external stakeholders safe? What governance protocols do we have in place? How are we measuring the success of our protocols?</p>
<p>In sum, this book will benefit security professionals, social media experts, search engine optimization professionals, and risk managers. It is a true asset to the security management and information technology sector.</p>
<p>--</p>
<p><em>Reviewer: Thomas Rzemyk, Ed.D., is a professor of criminal justice at Columbia Southern University and director of technology and cybersecurity instructor at Mount Michael Benedictine School. He is a criminology discipline reviewer in the Fulbright Scholar Program, and he is a member of ASIS.</em></p>


Review: Cybervetting
<p>CRC Press. 322 pages. $79.95.</p>
<p>In today’s world where Big Data has become much more than a buzzword, security leaders may need a guide to navigate the information available to them. In the second edition of his book, <em>Cybervetting: Internet Searches for Vetting, Investigations, and Open-Source Intelligence</em>, Edward J. Appel provides that guidance.</p>
<p>Appel brings an impressive pedigree to his work. Since retiring from the FBI where he specialized in counterintelligence and terrorism, he has held executive roles in corporate security and operated his own investigation firm. In this book, he provides a thoughtful tour of the Internet and explains how it can benefit today’s professional investigator. The tour culminates with a guide to the groundwork that a reader needs to build a Web-based intelligence program, including resources, pitfalls, and search methods.</p>
<p>If there is any criticism, it is that readers may find descriptions of concepts such as the Internet, blogs, and Google too basic. Although the work includes basic information for the neophyte, it also offers solid resources, original research, and recent case law, so even seasoned investigators will gain useful nuggets of knowledge. Heavy annotation and comprehensive indexing make this book highly searchable, providing not just a good initial read but also a go-to reference.</p>
<p>--</p>
<p>Reviewer: Drew Neckar, CPP, CHPA, is a member of the ASIS Healthcare Security Council, and has extensive experience in threat assessment and investigations.</p>
New Recruits
<p><span style="line-height:1.5em;">“Leave our children alone!” That’s the message a Bolingbrook, Illinois, mother wants Islamic State (ISIS) leaders and recruiters to hear.
In January, Zarine Khan’s oldest son, 19-year-old Mohammed Khan, tried to travel with his 17-year-old sister and 16-year-old brother to Istanbul to join ISIS. The three were stopped at Chicago O’Hare International Airport, and Mohammed Khan, an American citizen, is now being charged with attempting to provide material support to ISIS militants.</span></p><p>Zarine Khan told news outlets she believes her children were recruited over social media and secretly saved money to purchase passports and airline tickets. “We condemn this violence in the strongest possible terms,” she said after her son’s courthouse appearance. “We condemn the brutal tactics of ISIS and groups like it. And we condemn the brainwashing and the recruiting of children through the use of social media and Internet.”</p><p>If Mohammed Khan is found guilty of providing material support to a terrorist organization—a provision of the U.S. Patriot Act—he will face up to 15 years in prison. </p><p>Unfortunately, this is not an isolated incident. A new report by the International Centre for the Study of Radicalization and Political Violence (ICSR) found that some 20,000 foreign fighters from 50 countries have traveled to Iraq and Syria to join terrorist organizations since 2012, and more than 4,000 of those are from Western nations.</p><p>Disturbing reports seem to surface every month of Westerners—many of whom are teenagers or young adults—attempting to travel to join ISIS as fighters or brides, often after being recruited over the Internet. </p><p>Another increasingly prevalent issue is the return of radicalized Westerners to their home countries. 
Governments are struggling to address the issue in the absence of proof that the returning citizen actually committed a crime.</p><p>“The propaganda of the Islamic State, the ability to communicate in message, is better than any I have seen to date since we had the development of Al Qaeda in the early ’90s,” says Charlie Allen, who has served with the CIA and the U.S. Department of Homeland Security (DHS). “It is a very interesting thing—we’re going to have people self-radicalized, and it’s hard to stop traffic and travel to and from Europe.”</p><p>The exodus of American and European citizens to the Middle East—mainly Syria or Iraq—began in 2012 during the height of the Syrian civil war after ISIS urged Muslims to fulfill their religious duty to wage a holy war against the enemies of Islam. Although some foreigners took up arms with other terrorist organizations, such as Al Qaeda and Jabhat al-Nusra, most are flocking to aid ISIS, which is considered to be the dominant force of Syrian opposition and currently controls about a third of Syria. </p><p>More than 100 Americans have traveled to the region to fight, but experts are more concerned about jihadists from European countries, where thousands of citizens—mainly from Belgium, France, Germany, and the United Kingdom—have crossed through Turkey’s porous border into Syria and Iraq.</p><p>Veryan Khan, editorial director for the Terrorism Research and Analysis Consortium (TRAC), a political violence database, says that in terms of modern global jihad movements, the current exodus is the third and the most popular call to jihad. 
ICSR, which has kept track of the global jihad to Iraq and Syria since 2012, notes that the current numbers surpass those of the Afghanistan conflict in the 1980s and the 2006 flight from Somalia, making the conflict in Syria and Iraq the largest mobilization of foreign fighters in Muslim-majority countries since 1945.</p><p>Veryan Khan says a large percentage of foreign fighters are young men and women—some not even out of their teens. The Bipartisan Policy Center’s 2014: Jihadist Terrorism and Other Unconventional Threats points out that many young adults who attempt to join ISIS “are far from threatening.” At least eight 18- to 20-year-old Americans have been apprehended attempting to join ISIS over the past two years, one of them admitting in court that “concerning my fighting skills, to be honest, I do not have any.” </p><p>Other cases are more serious. One high-profile Western jihadist is 22-year-old Maxime Hauchard, a Frenchman identified as one of the executioners in an ISIS video depicting the decapitated body of American aid worker Peter Kassig. Hauchard converted to Islam when he was 17 and was recruited online to ISIS, according to media outlets. </p><p>Veryan Khan explains that young jihadists may be looking to belong because they do not feel at home in Western culture. “There are many other reasons for radicalization: the need for redemption, the perceived obligation to one’s motherland, the guilt of living a good life in the West while others suffer, a personal retribution for the death of a family member or friend, the list goes on and on,” he explains.</p><p>Europe has taken a step to curb the relentless—and effective—online propaganda by ISIS. Last summer, nine European nations endorsed an initiative to work with Internet providers to take down the hundreds of ISIS recruitment websites and messages. 
But the biggest online draw may come from radicalized Westerners themselves.</p><p>Foreign fighters who have made the journey to Iraq or Syria have told their stories via Twitter, Facebook, and other blogging websites, encouraging their peers to join them. The posters speak of the friendships they have made with their brothers and sisters of the Islamic State, or the pride they feel in answering the call to jihad.</p><p>“Allahu Akbar, there’s no way to describe the feeling of sitting with the Akhawat [sisters] waiting on news of whose Husband has attained Shahadah [martyrdom],” tweeted one British woman who traveled to Syria and married a fighter. </p><p>The call to join ISIS in the Middle East is not the only trend that concerns experts. Many foreign fighters are returning to their home countries after fighting alongside ISIS in the Middle East, and Allen points out that having trained, radicalized fighters traveling back to their homes in the West is a potentially dangerous situation.</p><p>“We have the worst possible storms that are now erupting in the Middle East, and the foreign fighters, those from North America and Europe, are likely to return,” Allen explains. “Some have been martyred, including Americans, but some will continue their extremist ways and proselytize to get other Americans to join them.”</p><p>Individual governments are left trying to figure out what to do with returning fighters. Turkey, considered the main passageway from Europe to Syria and Iraq, announced at the end of January that it is beefing up security along its borders to stem the flow of potential jihadists to the battlefield. The country is also constantly updating a database of more than 10,000 individuals suspected of traveling through to aid ISIS.</p><p>The problem that Turkey and many other countries face is that they cannot indict individuals for aiding a terrorist organization without proof. 
Traveling to and from the region alone does not hold enough weight for law enforcement to intercept an individual.</p><p>Some countries have passed laws that make it easier to detain potential jihadists. In Austria, Belgium, Britain, France, and Germany, authorities hastily passed legislation allowing governments to detain individuals suspected of involvement in a terrorist organization abroad. </p><p>Other countries, such as Denmark, are taking a soft-handed approach in handling returning fighters by offering free counseling services, as well as assistance in finding jobs or enrolling in school.</p><p>U.S. lawmakers are worried that foreign fighters coming to America may be able to slip through the cracks—under the Visa Waiver Program, residents of 38 European countries can travel to the United States without a visa. Former Senate Intelligence Committee Chairwoman Dianne Feinstein has announced plans for legislation that would tighten the program. </p><p>Allen says that most foreign fighters aren’t secretive about their involvement in Syria and can be easily tracked, so the threat of a jihadist slipping into the United States unseen is small.</p><p>“I believe we have good legislation, good tools, and a good understanding of who may be in Syria, and we’re very careful to ensure when they return that we know who they are and what they’re doing,” Allen explains. “The Customs and Border Patrol does an excellent job of sorting through these people as they return. It’s hard to charge them if you don’t know whether they’ve committed crimes, but I think the collaboration between DHS and the FBI is improving.”</p><p>TRAC’s Khan speculates on the bigger picture—why are these young fighters coming back home? He says the list of grievances from foreign fighters is critical to combatting radicalization efforts. </p><p>“They get to their perceived holy war only to find out that they are just killing other Muslims, which is haram (forbidden),” Veryan Khan explains. 
“There’s this perceived hypocrisy within the movement, as well as the realization that they are not merely fighting against the Assad regime to create a heavenly Caliphate but more than likely fighting other opposition groups.”</p>
<p>There are a number of firsthand accounts explaining the grievances, Veryan Khan explains, but they’re not as prevalent as the propaganda-filled tweets and blogs convincing young people to join ISIS in the first place.</p>
<p>“Using those firsthand accounts to our advantage is the best tool to curb the momentum,” Veryan Khan says.</p>
<p><em>To read in Spanish, <a href="/Pages/Los-Nuevos-Reclutados.aspx">click here.</a></em></p>
 for Everyone
<p>It’s ubiquitous. From targeted ads on Facebook to customer loyalty cards to Gmail cookies, companies are hungry for information about you. Business intelligence—the gathering and analyzing of information for purposes of commerce—is rapidly advancing, on several fronts, not least in security. The amount of information available to organizations and employees is ever increasing. Big Data keeps getting bigger, analytical methods grow more and more sophisticated, and the number of tools available to extract meaning from that information multiplies.</p>
<p>The most prevalent trend in business intelligence, some experts say, is the democratization of data crunching. The use of sophisticated analytical tools is no longer the exclusive province of one or two specialized analysts in the organization. Instead, these tools are being made available to employees on the front lines, whether they be members of a sales team or security officers working at a remote location.
Mobile applications and cloud computing are making access to these tools easier.</p><p>Here, Security Management takes a look at a few examples of cutting-edge business intelligence practices and how they apply to security, such as a solution derived from creative analysis of social media data and the mobile use of integrated analytics for crisis management situations. We then look at the big picture and survey some broader trends in business intelligence and their relationship to security, and take a peek at a few challenges the future may hold. </p><p>Social Media </p><p>Social media monitoring is becoming a popular practice in the business community. Whether it be for a reputation management program or for obtaining feedback on a particular service or product, more organizations are monitoring channels like Twitter and Facebook. </p><p>For example, international security expert Hart Brown has developed a business intelligence tool that goes beyond monitoring. Brown, who sits on the ASIS International Crisis Management and Business Continuity Council, is an intelligence veteran who has worked at both the U.S. Department of Defense and the U.S. State Department. A few years ago, Brown was international security manager for a company that was highly active in various regions of Mexico. Given its engagement, the firm needed timely news coverage of all the regional markets in Mexico that it was involved in. </p><p>But this proved hard to come by. In regions outside of major cities, there was often sparse coverage; CNN-type breaking news reports did not exist. And sometimes, when sufficient media were present, news agencies were pressured by criminal cartels not to report certain developments. “In that country, news is very complicated, and in many cases censored,” Brown says. “We just could not get reliable information about what was going on.” Twitter, however, had the reach that traditional media did not. 
</p><div><p>As Brown describes it, he was in need of a system that would accomplish two main objectives. First, he needed an early warning or alert system that the stability of a particular town or region was being threatened. Be it a fire, earthquake, gunfight, kidnapping, or some other event, he wanted to know as soon as the incident started happening.</p><p>Second, he wanted to be able to gauge the event’s severity—specifically, how disruptive it would be, and whether its impact was increasing or diminishing over time. This included an ability to assess how much stability had returned the day after an event, which would help the company decide if it had to alter its operations on the ground. A straightforward social media monitoring system would not be sufficient to achieve these two objectives, according to Hart: “It certainly wasn’t enough for me. We had to put some analytics to it,” he says. </p><p>So Brown built a solution through the use of Netvibes, a program popular in the advertising and marketing fields for social media and news tracking. First, he had to ensure that he knew the language spoken by the local community. Whatever the event, he learned the various phrasings used to describe it, including colloquialisms that locals might use on Twitter. He did this by combing through volumes of reports of traditional media and identifying keywords to use in the algorithm. </p><p>He then established baselines for the keywords, which represented how many times they would occur in normal everyday Twitter discourse. Brown could then measure the rate of change when an event occurred and usage of the keyword shot up. For example, on a normal day without incident, the Spanish word for gunfight may occur 10 times—in innocent contexts, such as in a movie description. 
When a real gunfight occurs, the usage number may spike to 100, or a rate of change of 10 times the baseline.</p><p>Brown arranged for the system to send out an e-mail alert when the spike reached a certain level, signifying a noteworthy event was under way. Typically, such an alert would go out less than an hour after the actual start of the event—a testament to the real-time power of Twitter.</p><p>Once the tool saw frequent use, it became evident that the steepness in the keyword usage spike correlated to the severity of the incident in question. For example, in April, the city of Tampico “turned into a war zone” due to violence from drug cartels and gangs. “We were able to see the war was starting within an hour,” Brown says. The spike was roughly 40 times above the normality baseline, and from that steep spike Brown could tell that the local reaction was serious enough to drive many residents and businesses into lockdown mode. “As far as the initial shock—there’s absolutely a correlation,” Brown says. </p><p>The correlation is so solid that it helps Brown make real-life operations decisions. For example, after one violent event, Brown was unsure whether the company’s equipment trucks could drive through the area. Brown gauged the level of chatter, and made the assessment: “There’s a lot of checkpoints and it’s going to be slow, but there’s not violence.” The trucks were sent forward; the assessment held true. <br><br></p><p>Crisis Intelligence </p><p>Brown’s intelligence tool, in essence, uses social media data to analyze the extent of an event’s destabilizing force. Some businesses, however, use intelligence tools that deploy analytics on the fly, and in equally challenging situations.</p><p>Imagine, for example, that you are a chief of security for a large company that has a strong presence in Colombia. There is an earthquake in Bogota, where your company has several offices and many employees. 
The city is engulfed in chaos, and your employees have no idea who might be affected, or if anyone is in distress and needs assistance.</p><p>Such a situation demands a rapid analysis of all available information, so that some sort of response can be taken. However, “you can’t act if you don’t have good information, and you don’t know where your people are,” says Dan Richards, CEO of Global Rescue, an emergency evacuation and field rescue firm. </p><p>During these challenging situations, some firms use a type of business intelligence tool that consolidates different platforms within crisis management and response environments into a mobile application, Richards says. These types of systems combine and correlate different data sets, such as the firm’s enterprise footprint and the parameters of the event, to give each user a quick and clear picture of where employees and assets are and what areas of the city have been affected. </p><p>These tools also integrate with a communication component that allows for messages to be sent to selected employees or to everyone. The system tracks who received and replied to messages and who did not, analyzes this information, and then continually updates each employee’s status.</p><p>“When you look at any major crisis when there’s a lot of people involved, a lot of time is wasted in trying to confirm that people who may be in distress are actually hurt,” Richards says. The system also keeps track of all operational responses that the company has taken in real time and automatically informs employees who need to know such updates. </p><p>In addition, these systems can be set up to periodically ping a staffer’s smartphone, so that the return ping “leaves a breadcrumb trail” as to the employee’s location, Richards says. 
In this way, if an event like an earthquake or flood disables a staffer’s device, the last location before the device stopped working can be ascertained.</p><div><p>In Richards’ view, the use of such business intelligence systems for crisis management is growing, in part because “there’s relatively lean staffing in security.” A company of 10,000 employees, for example, may have only six crisis management executives. “That’s not an advantageous ratio,” Richards says. “You need to have a set of tools that will be extraordinarily effective.” <br><br></p><p>Data Analysis</p><p>A tool such as the one Richards describes, which tracks the whereabouts and status of employees in the field, may also be used in noncrisis situations by a company with a highly mobile work force. “With more people working at home, and off site, keeping track of this decentralized work force has become an increasing challenge,” Richards says.</p><p>But whether it is used in chaotic or calm times, it can be used by any employee who needs to know the status of workers in the field. And that’s reflective of a current trend discussed in a report, The Top Ten Business Intelligence Trends for 2014, recently issued by Tableau Software.</p><p>The report finds that the practice of data science is moving from the high-level specialist to the employee in the business community. Data analysis is becoming part of the skill set of ordinary business users, not just a few experts. “We’re starting to see a mass adoption of data tools,” says Ellie Fields, a vice president at Tableau, which specializes in business intelligence. </p><p>Part of this trend is what Fields calls “embedded analytics.” More firms are making analytical tools available to employees on the front lines, such as members of a traveling sales force or security guards patrolling a site. 
By way of explanation, Fields offers a hypothetical scenario: “Wouldn’t it be great if security guards knew that between 1 and 3 is the time when most threats happen, and that they usually happen on this side of the perimeter?”  </p><p>And that security officer who uses a mobile application for a crime data analysis may also be representative of another business intelligence trend—the increased use of predictive analytics. “We’re collecting data on things we didn’t used to have,” Fields says, and that means there is more raw material to analyze and construct sophisticated performance prediction models. “Now people are saying, ‘Let’s see if we can predict when we will have machine failure, based on past results,’” she says.  </p><p>The increased use of business analytical tools has intersected with the rise of cloud computing, and this combination has spawned another recent trend: cloud analytics. So far, this has not occurred on a wide scale, as some organizations still have security concerns about moving sensitive data to the cloud. “I don’t think the three-letter agencies are adopting the cloud anytime soon,” Fields says. </p><p>But other organizations have become comfortable with cloud security and have embraced the concept. Cloud storage can make data access from mobile devices easier; the same advantages apply to analytical programs in the cloud, which can be accessed from mobile devices, like an iPad, and make for more agile, self-serve intelligence, Fields explains. <br><br></p><p>Big Data</p><p>Overload is not the only challenge when it comes to the advance of business intelligence and the growing reliance on Big Data. The increased use of intelligence tools will likely also increase privacy concerns. Take, for example, the crisis intelligence tool that pings smartphones to track the recipient’s whereabouts. Such knowledge could be abused. “Some humans don’t want to be found,” Richards says. 
“As a society, we will have to grapple with those issues.” </p><p>Data collection itself, even for business purposes, can also be viewed as intrusive. To take just one example, Amazon is now offering brick-and-mortar stores a payment-processing device, called Local Register, which will allow the online giant to track a consumer’s offline purchases. Such technologies will spur more discussion about letting people opt out of some data collection processes. </p><p>Moreover, while business intelligence tools are indeed becoming much more common, the skills needed to use those tools to best advantage are less widespread, Brown says. </p><p>This is particularly true for analytic tools that require queries to obtain information. “Everyone wants a piece of the Big Data scene, but what you find is that it becomes very, very complicated and the queries that you are using become very sensitive,” Brown says. “We have a lot of people using analytics that may not really understand what it is they are querying. Every minor change in the query can have a significant impact on findings,” Brown said. </p><p>Overall, the proper use of intelligence tools is an “art meets science” proposition, and collectively the business community “still has a ways to go” before analytical data skills become commonplace among company staff, Brown says. “I don’t think we’ve reached the point now where we can fully migrate from analysts.” <br></p></div></div>
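<p>The keyword-baseline alerting that Brown describes in the Social Media section above, sketched in Python as an added example (not code from the article, from Brown, or from Netvibes): it derives a baseline from quiet-period counts, expresses each new count as a multiple of that baseline, raises a single alert at onset, and reports whether chatter is rising or falling. The thresholds, function names, and sample counts are assumptions constructed for illustration.</p>

```python
"""Keyword-spike early warning: baseline, rate of change, alert, trend."""
from statistics import median

ALERT_RATIO = 5.0     # assumed: alert when usage reaches 5x baseline
RECOVER_RATIO = 2.0   # assumed: treat chatter below 2x baseline as recovered
MIN_BASELINE = 1.0    # floor so a rarely used keyword cannot divide by zero


def baseline(quiet_counts):
    """Typical per-window count in normal discourse.

    The median is used so that an old incident left in the history
    does not inflate the baseline and mask the next spike.
    """
    return max(median(quiet_counts), MIN_BASELINE)


def monitor(counts, base):
    """Walk per-window keyword counts and return one reading per window.

    Each reading is (ratio, trend, event). event is "ALERT" only on the
    window that first reaches ALERT_RATIO, "RECOVERED" only on the window
    that first falls below RECOVER_RATIO afterwards, and None otherwise,
    so one incident produces one alert rather than one per window.
    """
    readings, active, prev = [], False, None
    for count in counts:
        ratio = count / base
        if prev is None or ratio == prev:
            trend = "steady"
        else:
            trend = "rising" if ratio > prev else "falling"
        event = None
        if not active and ratio >= ALERT_RATIO:
            active, event = True, "ALERT"
        elif active and ratio < RECOVER_RATIO:
            active, event = False, "RECOVERED"
        readings.append((round(ratio, 1), trend, event))
        prev = ratio
    return readings


def peak_severity(readings):
    """Steepest multiple of baseline seen; the article ties this to severity."""
    return max(r[0] for r in readings)


# Constructed sample data (not from the article): counts of one keyword
# per monitoring window. The history contains one old spike (95).
QUIET_WINDOWS = [9, 11, 10, 12, 8, 10, 95, 10]
INCIDENT = [10, 100, 400, 180, 40, 15]

if __name__ == "__main__":
    base = baseline(QUIET_WINDOWS)
    results = monitor(INCIDENT, base)
    for i, (ratio, trend, event) in enumerate(results):
        print(f"window {i}: {ratio:>5}x baseline  {trend:<7} {event or ''}")
    print(f"peak: {peak_severity(results)}x baseline")
```

<p>The gap between the alert and recovery thresholds keeps a count hovering near the alert level from generating repeated alerts.</p>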