Enterprise Risk Management
SM Online February 2017 (Strategic Security, 2017-02-01)
https://sm.asisonline.org/Pages/SM-Online-February-2017.aspx

<h4>BOTNETS</h4>
<p>The Mirai botnet has been used to launch Distributed Denial of Service (DDoS) attacks with widespread ramifications. Made up of at least 500,000 Internet of Things devices, including Internet-enabled digital video recorders, surveillance cameras, and other embedded devices, the botnet serves as the basis of an ongoing DDoS-for-hire service, which allows attackers to pay a fee to use the botnet to attack the target of their choice. Higher concentrations of Mirai nodes were observed in China, Hong Kong, Macau, Vietnam, Taiwan, South Korea, Thailand, Indonesia, Brazil, and Spain, according to a <a href="https://www.arbornetworks.com/blog/asert/mirai-iot-botnet-description-ddos-attack-mitigation/" target="_blank">threat intelligence report by Arbor Networks</a>.</p>
<h4>DRIVERLESS CARS</h4>
<p>In hopes of jumpstarting the development of driverless cars—known as highly automated vehicles (HAVs) in industry parlance—U.S. officials have released <a href="https://www.transportation.gov/AV/federal-automated-vehicles-policy-september-2016" target="_blank">new guidelines</a> for operating the vehicles safely and securely.</p>
<h4>FACIAL RECOGNITION</h4>
<p>The <a href="http://www.gao.gov/products/GAO-16-267" target="_blank">U.S. Government Accountability Office</a> reports on the privacy and accuracy of two FBI programs that use facial recognition technology to search a database of 64 million Americans’ images and fingerprints.</p>
<h4>CYBERSECURITY</h4>
<p>China passed a <a href="https://www.hrw.org/news/2016/11/06/china-abusive-cybersecurity-law-set-be-passed" target="_blank">controversial cybersecurity bill</a> that effectively makes it illegal for users to go online anonymously, among other provisions. The law requires companies to verify users’ identities by collecting users’ real names and personal information.</p>
<h4>INAUGURATION</h4>
<p>Listen to a special <em>Security Management</em> podcast about the U.S. Presidential Inauguration.</p>
<h4>RADIOACTIVE MATERIALS</h4>
<p>Researchers from the U.S. Government Accountability Office (GAO) <a href="http://www.gao.gov/assets/680/678170.pdf" target="_blank">went undercover</a> and were able to buy radioactive material through a fake company, revealing weaknesses in nuclear material regulations. A <a href="http://gao.gov/products/GAO-12-473T" target="_blank">2012 GAO report</a> found weaknesses in the way medical facilities handled radioactive material; these findings led to changes in the way this material is handled.</p>
<h4>SURVEILLANCE</h4>
<p>The United Kingdom enacted legislation dubbed the <a href="http://www.publications.parliament.uk/pa/bills/lbill/2016-2017/0066/17066.pdf" target="_blank">“Snooper’s Charter”</a> that gives the government widespread powers to spy on citizens and limit the use of encryption.</p>
<h4>MONITORING</h4>
<p><a href="http://law.justia.com/cases/federal/appellate-courts/ca7/15-3756/15-3756-2016-10-31.html" target="_blank">A U.S. appellate court decided</a> that a rule requiring electronic logging devices to monitor truck driver compliance doesn’t violate the Fourth Amendment.</p>
Articles in this category:

2017-02-01  SM Online February 2017  https://sm.asisonline.org/Pages/SM-Online-February-2017.aspx
2017-02-01  Trade Secrets 2.0  https://sm.asisonline.org/Pages/Trade-Secrets-2.0.aspx
2017-01-01  Book Review: Secrets  https://sm.asisonline.org/Pages/Book-Review---Secrets.aspx
2016-12-01  December 2016 Industry White Papers  https://sm.asisonline.org/Pages/December-2016-Industry-White-Papers.aspx
2016-12-01  Book Review: Security Matters  https://sm.asisonline.org/Pages/Book-Review---Security-Matters.aspx
2016-12-01  Metrics and the Maturity Mindset  https://sm.asisonline.org/Pages/Metrics-and-the-Maturity-Mindset.aspx
2016-11-01  What If It’s Real?  https://sm.asisonline.org/Pages/What-If-It’s-Real.aspx
2016-11-01  Book Review: COSO ERM  https://sm.asisonline.org/Pages/Book-Review---COSO-ERM.aspx
2016-10-01  Bringing Clarity to Chaos  https://sm.asisonline.org/Pages/Bringing-Clarity-to-Chaos.aspx
2016-09-13  CSO Center’s Petri Ponders a Matter of Trust  https://sm.asisonline.org/Pages/CSO-Center’s-Petri-Ponders-a-Matter-of-Trust.aspx
2016-09-01  Compliance Trends  https://sm.asisonline.org/Pages/Compliance-Trends.aspx
2016-08-01  Insights on Asia  https://sm.asisonline.org/Pages/Insights-on-Asia.aspx
2016-08-01  A Strategic Response  https://sm.asisonline.org/Pages/A-Strategic-Response.aspx
2016-07-29  Book Review: Risk Analysis and Security Countermeasure Selection  https://sm.asisonline.org/Pages/Book-Review---Risk-Analysis-and-Security-Countermeasure-Selection.aspx
2016-07-29  Book Review: Biological Laboratory Applied Biosecurity and Biorisk Management Guide  https://sm.asisonline.org/Pages/Book-Review---Biological-Laboratory-Applied-Biosecurity-and-Biorisk-Management-Guide.aspx
2016-07-29  Book Review: Kidnap: Face to Face with Death  https://sm.asisonline.org/Pages/Book-Review---Kidnap-Face-to-Face-with-Death.aspx
2016-07-29  Seminar Sneak Peek: Threat Assessment Goes to the Dogs  https://sm.asisonline.org/Pages/Threat-Assessment-Goes-to-the-Dogs.aspx
2016-06-01  SM Online June 2016  https://sm.asisonline.org/Pages/SM-Online-June-2016.aspx
2016-06-01  Book Review: Anti-Fraud Program Design  https://sm.asisonline.org/Pages/Book-Review---Anti-Fraud-Program-Design.aspx
2016-05-23  Six Questions Security Experts Should Ask in a Crisis  https://sm.asisonline.org/Pages/Six-Questions-Security-Experts-Should-Ask-in-a-Crisis.aspx
You May Also Like...
Jack Lichtenstein Leaves ASIS, Offers Insights on Trump (Strategic Security)
https://sm.asisonline.org/Pages/ASIS-News-February-2017.aspx

<p>At this, the end of my 22 years as staff executive for ASIS International’s legislative and public policy work, I have been asked to provide some insights into the political near-future of security.</p>
<p>These are unnerving times. Rarely has there been such uncertainty about America’s direction at home and abroad as there is at the end of 2016. All this is in the face of mounting threats to our security and to that of our friends.</p>
<p>Eventually, Americans will sort it out; they always have. But there are dangers. The sorting may be long and uncertain. And uncertainty is not the friend of security. Security requires planning, analysis, and agility, none of which can be done well in an environment filled with unknowns. Security is the antithesis of politics, which tends to be careless and messy in democracies.</p>
<p>The new American administration will be led by a man without credentials in government, who has pledged to change how Washington works. He was elected not as much to keep America secure but because so many Americans feel alienated from their own political and governmental institutions. They see their standard of living in decline; they sense that they have been overlooked, even disdained. More than anything, that explains the election of Donald Trump.</p>
<p>Trump seems to espouse two overarching themes, both recurring repeatedly in his pronouncements and appointments. One is to restore the U.S. economy to a position of world leadership. The other is to keep America and Americans secure.</p>
<p>The president has tools to invigorate the economy. His early aims will include accelerating job creation via infrastructure programs and tax and regulatory relief. Nearly all avenues will be aimed at job creation in the United States, despite many economic factors that are out of his control.</p>
<p>Security is more manageable by the White House, a result not only of presidential control of the bureaucracy but of strong (some would say excessive) executive actions in the form of Presidential Directives issued by the George W. Bush and Barack Obama administrations.</p>
<p>It is too early to tell which of Trump’s positions—many of which have been incomplete, infeasible, or conflicting—will find their way into practice. But I offer the following recommendations based on what is possible and likely:</p>
<ul>
<li>Pay attention to what he does, not what he says. Trump is known for impromptu statements, which get attention but are not always useful to understanding.</li>
<li>Expect emphasis to be on U.S. domestic issues during the first two years. Trump will enjoy a Republican majority in Congress for that long, which he will need to get his domestic agenda passed. He is most comfortable with economic and infrastructure issues, including job creation. He knows he was elected by Americans who want first to restore their country’s economic vitality.</li>
<li>“The Wall” is a metaphor, but border security will be real. U.S. Department of Homeland Security selectee and retired U.S. Marine Corps General John F. Kelly commanded the U.S. Southern Command. He understands border issues and security and will be charged with assessing vulnerabilities and determining the right combinations of physical, technological, and personnel means for dramatically reducing illegal immigration.</li>
<li>In other matters of security, America will continue to be a reliable ally if for no other reason than that conflict disrupts growth. Trump will expect U.S. allies to invest heavily in their own security. This means that there will be more spending on prevention and response programs, but also avoidance of political positions, for example immigration policies, that lay bare their vulnerabilities.</li>
<li>Finally, in any dealings between the United States and other countries, America must emerge a winner. That does not mean the only winner; there can be many. But the United States will not be a loser. As those familiar with Trump’s pronouncements know so well, he abhors the very thought of being a loser.</li>
</ul>
<p>As I move on to new professional challenges, I believe more than ever that government relations is an essential role for security professionals. Its aim must be creation and maintenance of effective public-private partnerships in security. This should be part of the mission not only of ASIS but of every ASIS chapter in every country.</p>
<p>The people of democracies expect those overseeing government and corporate security to coordinate in the public interest. Failure to do so is unacceptable. It not only weakens security, it leaves private practitioners exposed to needless government oversight and overreaction when politicians respond, as they will, to security failures that are sometimes unforeseeable.</p>
<p>I thank the membership of ASIS International for the privileges of being their counsel and representing their interests these many years. Few pursuits are more vital, and few professions more important.</p>
<p>--</p>
<p><em>Jack Lichtenstein, former vice president, ASIS Government Affairs and Public Policy</em></p>
Six Questions Security Experts Should Ask in a Crisis (Physical Security)
https://sm.asisonline.org/Pages/Six-Questions-Security-Experts-Should-Ask-in-a-Crisis.aspx

<p>I was on my way to work in December of 2012 when my cell phone started ringing. On the other end a voice asked: “Chief, where are you?”</p>
<p>I told the supervisory deputy calling me that I was in my car, on the expressway. The deputy then cut in, saying “I think there was an escape from the Metropolitan Correctional Center. The deputies are over there and are saying the place is on lockdown because the count is off.”</p>
<p>The count is off means a prisoner or prisoners are missing. I was only minutes away and assumed that by the time I got to my office, I would receive word that it was a mistake—all would be well with the world.</p>
<p>I was wrong. Two inmates, held on bank robbery charges and awaiting sentencing, had escaped out of a window on the 17th floor. They’d scaled down the building on bed sheets and a homemade harness crafted from a medical stretcher. It was the first time an inmate had escaped from the center in downtown Chicago since 1983.</p>
<p>During my career as an assistant chief deputy and chief deputy U.S. Marshal in the Northern District of Illinois-Chicago, these types of incidents were not uncommon. I’d often be notified about a crisis that was brewing with a phone call from a familiar voice asking “Where are you?”</p>
<p>I’d answer with my location, the voice on the other end would give me a brief description of the crisis, and my mind would start spinning. I’d go into risk mitigation mode and begin to ask myself questions:</p>
<ol>
<li>How can I minimize the damage?</li>
<li>How fast can I start to prioritize the massive list of things that need to be done? And who can I mobilize to help with the efforts?</li>
<li>Is there going to be media interest? And how do I manage to feed the media beast?</li>
<li>Is this going to be a negative story? How far out in front can I get?</li>
<li>Who has the most factual information, and how can I obtain it quickly?</li>
<li>What proactive steps can I take immediately to help minimize the risk to people?</li>
</ol>
<p>Immediately after learning of the two inmates’ escape in 2012, I used that thought process to begin:</p>
<ul>
<li>Getting the command post up and running.</li>
<li>Notifying the U.S. Marshals Service Communication Center at the national headquarters in Washington, D.C.</li>
<li>Separating fact from rumor.</li>
<li>Getting the media under control.</li>
<li>Determining how much the situation had already spun out of control.</li>
<li>Identifying the danger to the community.</li>
<li>Controlling the situation as soon as possible.</li>
</ul>
<p>Locating the inmates took coordination and cooperation between numerous agencies, including the Federal Bureau of Prisons, the FBI, the Chicago Police Department, and the U.S. Marshals Service Regional Fugitive Task Force.</p>
<p>All of the agencies played a major role in locating and arresting both fugitives in less than two weeks. One was captured within days with the help of an FBI informant. But finding the other fugitive was not as easy. After regrouping and discussing strategy, the agencies developed a plan.</p>
<p>FBI agents, U.S. deputy marshals, and state and local task force officers descended on a possible location and interviewed dozens of people. From these interviews, the fugitive was located and local law enforcement officers were able to make an arrest within a few minutes after a call to 911.</p>
<p>During this scenario, it was imperative to remain as calm as possible so I could collect my thoughts and be proactive. As part of this process, I used the following takeaways to deal with the crisis at hand:</p>
<ul>
<li>Gather factual information from sources close to the situation.</li>
<li>If you are unable to do it yourself, deploy personnel to gather information from a trusted source and have them report back to you with high-level highlights of the incident.</li>
<li>Avoid rumors and verify as much as possible before disseminating information to your chain of command.</li>
<li>Avoid micromanaging those you have delegated to a specific mission. Trust them to do their jobs while concentrating on the big picture.</li>
<li>Gather briefing points as the crisis is ongoing so you can summarize events and actions to report to your chain of command.</li>
<li>Schedule regular briefings if possible so the information flow is accurate and everyone who needs to know is informed at the same time.</li>
<li>Be prepared to put people back into their swimming lanes when they begin to interfere with responsibilities delegated to others.</li>
<li>Don’t be afraid to give bad news when it is the truth.</li>
<li>Don’t minimize the totality of the situation.</li>
<li>Use every source available to you to mitigate the risk and maximize your capability in managing the situation.</li>
<li>Catapult your star players into leadership roles and encourage them to step up to the plate to handle key pieces of the crisis so you can focus on the decision making process.</li>
<li>Have a spokesperson handle media inquiries at first—if possible. Once you speak, they will want to hear from you each time.</li>
<li>Try to control sound bites. If you don’t provide them, the media will get them from someone else.</li>
</ul>
<p><em>John O’Malley retired after 25 years of service with the U.S. Marshals Service. He spent his entire career in Chicago and now works in corporate security. During his career, he was involved in more than 1,000 fugitive investigations and participated in more than 600 felony arrests of wanted offenders. He is a member of ASIS International’s Executive Protection Council.</em></p>