Cybersecurity
Book Review: CISSP Exam Guide
https://adminsm.asisonline.org/Pages/Book-Review-CISSP-Exam-Guide.aspx
Category: Cybersecurity. Published: 2019-04-01
Shon Harris and Fernando Maymi; Reviewed by Ben Rothke, CISSP
<p>McGraw-Hill Education; <a href="https://www.mheducation.com/" target="_blank">mheducation.com</a>; 1,408 pages; $70.</p>
<p>The Certified Information Systems Security Professional (CISSP) is the most popular information security certification today. Those in the security field often find that the CISSP certification is a prerequisite for hiring. Human resources departments often use it as a filter to identify qualified candidates, and information assurance personnel in the U.S. military are required to be certified. Because the certification is so important, a wide array of authors and publishers have written study guides.</p>
<p>The framework of the certification is the (ISC)2 Common Body of Knowledge, which underwent a major update a few years ago. The biggest change was that it went from 10 domains to eight. The eighth edition of <em><a href="https://www.mheducation.com/highered/product/cissp-all-one-exam-guide-eighth-edition-harris-maymi/1260142655.html" target="_blank">CISSP All-in-One Exam Guide</a></em> goes into significant detail for all preparatory areas and more. It is a solid, albeit potentially overwhelming, study guide for the serious CISSP candidate.</p>
<p>Previous editions of the book included a CD-ROM with additional study material and test questions. For this edition, the study material and questions have moved online.</p>
<p>The CISSP test has been called an inch deep and a mile wide. That may be an exaggeration, but it is clear that the test requires knowledge of a lot of information. This reviewer believes that the recent update of the <em>CISSP All-in-One Exam Guide</em> will help candidates prepare for and pass the CISSP certification exam.</p>
<p><em>Reviewer: Ben Rothke, CISSP (Certified Information Systems Security Professional), PCI QSA (Qualified Security Assessor), is a senior security consultant with the Nettitude Group.</em></p>
Guidance on Threat Assessment Teams
https://adminsm.asisonline.org/Pages/Guidance-on-Threat-Assessment-Teams.aspx
Category: Security by Industry
<p>Recent guidance from the U.S. Secret Service, <em><a href="https://www.dhs.gov/publication/enhancing-school-safety-using-threat-assessment-model">Enhancing School Safety Using a Threat Assessment Model: An Operational Guide for Preventing Targeted School Violence</a></em>, offers baseline information for developing a threat assessment team (TAT) to mitigate potentially violent or devastating events at K-12 schools in the United States.</p>
<p>The Secret Service advocates a five-step process to establish a TAT with a multidisciplinary approach to information sharing. For each step, the author provides guidance that extends beyond the scope of the Secret Service report with additional threat prevention measures.</p>
<p><strong>1. Establish a multidisciplinary team.</strong> The TAT is designed to direct, manage, and document threat assessment processes. Assemble a team from a variety of disciplines, which may include teachers, school guidance counselors, coaches, school resource officers, mental health professionals, and school administrators. Have a designated leader with the authority to act immediately in cases where time is of the essence. Meet on a regular basis, and as needed when there is an emergent concern. These meetings should include dealing with potential threat indicators, training and role-playing focused on building confidence and capability, and building rapport and confidence in other team members.</p>
<p><strong>Additional guidance:</strong> Threat assessment is an intelligence-led activity and requires a particular skill set to synthesize information. Schools could partner with an agency or consider hiring an employee with an intelligence background. The Multi-State Information Sharing and Analysis Center (MS-ISAC) also offers valuable trend information on physical and cyber threats that could be useful to the TAT.</p>
<p><strong>2. Define prohibited and concerning behavior.</strong> Concerning behavior progresses through a continuum, and policies must consider warning signs, which include “a marked decline in performance; increased absenteeism; withdrawal or isolation; sudden or dramatic changes in behavior or appearance; drug or alcohol use; and erratic, depressive, and other emotional or mental health symptoms,” according to the report. Policies and procedures should be in place to monitor these signs and to direct the collection of additional information to determine whether they are indeed a concern.</p>
<p><strong>Additional guidance:</strong> The Secret Service does allude to a continuum, but there is no specific guidance on how to categorize threats. A more in-depth understanding of transient and substantive threats is needed. It may be advisable to develop a tailored process map for each TAT that describes each step and assigns responsibility in each phase, so that nothing falls through the cracks.</p>
<p><strong>3. Create a central reporting system.</strong> Establishing a central reporting system is crucial to all other threat assessment activities. Schools should establish multiple streams of information, which could include online reporting, email, phone, and face-to-face communication. No reporting should be dissuaded, but educating the school community on what to report will increase the validity of the information received. Document thoroughly when responding to each report, categorizing threats, and determining whether to act. Anonymous reporting should be an option for those who are uncomfortable coming forward in a formal or public way. It is important to handle each case with professionalism, considering privacy and confidentiality concerns.</p>
<p><strong>Additional guidance:</strong> Consider partnering with an Information Sharing and Analysis Center (ISAC), a nonprofit organization that provides an avenue for two-way sharing between the public and private sectors. Though ISACs have traditionally dealt with cyber and physical security, the model could be used to develop information sharing practices related to threat assessment.</p>
<p><strong>4. Determine the threshold for law enforcement intervention.</strong> Law enforcement intervention may be needed in some cases, though law enforcement need not be involved in all threat assessment efforts. Create policies and procedures that indicate when law enforcement should be involved—for example, in cases that involve weapons, threats of violence, or physical violence. Law enforcement should be involved when the elements of a crime are present.</p>
<p><strong>Additional guidance:</strong> Certain privacy laws set limitations on law enforcement activity when it comes to minors. School administrators and the TAT should familiarize themselves with state law before developing policies and procedures around law enforcement response.</p>
<p><strong>5. Establish assessment procedures.</strong> Establishing threat assessment procedures will help paint an accurate picture of the student’s thinking and behavior, formalize a reporting structure, and identify appropriate interventions. Documentation is once again stressed, with the creation of forms and templates to capture the necessary information. The report recommends a community-wide approach and encourages a brainstorming exercise on sources of potentially helpful information. This exercise can be repeated once an individual of concern is identified, to gather information specific to that person. Additionally, social media should be examined to gain information, interviews should be conducted, and the student’s locker should be searched.</p>
<p><strong>Additional guidance:</strong> The Secret Service guidance seems to consider only internal threats—mainly students—but narrowing the focus is a risk in and of itself. A threat could come from anyone: a teacher, contractor, administrator, or someone not associated with the school.</p>
<p>Threat assessment is a necessary part of threat prevention at every K-12 school. Threat assessment programs and teams will be more successful if they are a function of an overarching enterprise risk management process, fueled by both internal and external sources of information.</p>
<p><em>Cody Mulla, CPP, has 20 years of experience in security and crisis management. He has worked supporting both the private and public sectors and is a member of the ASIS International School Safety and Security Council and the Utilities Security Council.</em></p>
On Duty and Vulnerable
https://adminsm.asisonline.org/Pages/On-Duty-and-Vulnerable.aspx
Category: National Security
<p>Awareness of police misconduct and calls for reform in the United States have increased over the last decade. In some cases, officers were investigated and prosecuted at the state level for their actions. Other incidents investigated by the U.S. Department of Justice resulted in criminal prosecution of a police officer for violating a person’s constitutionally protected rights.</p>
<p>For example, from 2009 to 2012 the U.S. Department of Justice charged 254 police officers throughout the United States with violating the individual rights of Americans.</p>
<p>The private security industry has historically remained insulated from claims of civil rights-related violations and the resulting criminal sanctions that can be imposed against security personnel. The private security industry in the United States is much larger than the public sector police force; the industry outnumbers public police by a ratio of at least three to one. This growing number of security personnel could lead to increased civil rights violations.</p>
<p>The security industry is also less regulated, meaning that security personnel receive varying amounts of training, while their public sector police counterparts have mandated training programs. This discrepancy in training can also become a problem because many private security personnel have direct contact with the public, often performing quasi-judicial, police-related activities.</p>
<h4>Criminal Sanctions</h4>
<p>One federal statute that has been used to prosecute police officers for civil rights violations is Title 18 of the United States Code, Section 242. It makes it a crime for anyone acting “under color of any law, statute, ordinance, regulation or custom” to willfully deprive a person of a right or privilege protected by the U.S. Constitution or state and local laws.</p>
<p>The statute also applies to public officials violating a person’s civil rights, including elected officials, public facilities’ care providers, correctional officers, court staff, and security officers.</p>
<p>For example, if a police officer assaults a citizen, the officer can be prosecuted for assault and battery and be charged at the federal level for violating the citizen’s Fourth Amendment rights under Section 242.</p>
<p>A conviction under the statute requires three elements. First, the act must violate a protected right guaranteed by the U.S. Constitution. If defendants reasonably understand that their actions are constitutionally impermissible, they can be held accountable for their actions.</p>
<p>Second, the accused must be acting under “color of law,” meaning an officer authorized under state or federal law and acting in his or her official capacity.</p>
<p>Lastly, there must be intent to “deprive a person of a right which has been made specific either by the express terms of the Constitution or laws of the United States or by decisions interpreting them,” according to <em>Screws v. United States</em> (U.S. Supreme Court, 1945).</p>
<p>This case clarified that a defendant violated Section 242 when engaged in activities to deprive an individual of his or her rights and was also “aware that what he does is precisely that which the statute forbids,” according to the Court’s opinion.</p>
<h4>Prosecutions</h4>
<p>Few federal Section 242 prosecutions have involved security personnel. In those cases, however, private security personnel were prosecuted when they had been conferred with police powers, were working off duty or moonlighting, or were employed as security guards under government contracts.</p>
<p><strong>Police powers.</strong> Some security personnel were prosecuted under Section 242 when they were granted state-related powers and considered “state actors.” In the events leading to <em>Williams v. United States</em> (U.S. Supreme Court, 1951), Williams was a private detective with a special police officer’s card issued by the City of Miami. He had also taken an oath. Lindsey Lumber Company hired Williams to investigate a series of thefts, and during the investigation Williams used “brutal methods,” displayed his badge, and included the presence of a policeman to “lend authority” to the interrogations of four suspects who were “unmercifully punished for several hours,” according to court documents.</p>
<p>A jury convicted Williams of violating Section 242. He appealed the ruling, ultimately appearing before the U.S. Supreme Court to answer the question of whether private persons could be prosecuted under the statute.</p>
<p>In its opinion, the Court reasoned that Williams was acting under color of law and was not a private person. The Court concluded Williams’ actions were an “investigation conducted under the aegis of the state” because a regular police officer attended the interrogation and Williams was “asserting the authority granted him and not acting in the role of a private person.”</p>
<p>The Court upheld his conviction and noted that Williams was “no mere interloper but had the semblance of a policeman’s power from Florida” and that his conduct violated the due process right to be free “from the use of force and violence to obtain a confession.”</p>
<p>Another case in which private security personnel were convicted under Section 242 was <em>United States v. Hoffman</em> (U.S. Seventh Circuit Court of Appeals, 1974). In that case, two members of the Penn Central Transportation Company’s police force were convicted of physically assaulting trespassers on or near company property.</p>
<p>The officers admitted that they attacked the trespassers but argued that they were not acting under Illinois law. Instead, they said they were acting in a purely private capacity and as private persons at the time they committed the crimes.</p>
<p>Ultimately, the appellate court determined the officers were acting under color of law because Illinois state statute had given the railroad company’s police force “police powers as those conferred upon the police of cities,” according to court documents.</p>
<p><strong>Moonlighting.</strong> Off-duty police officers granted government powers in a private security capacity have also been prosecuted and convicted of civil rights violations, such as in 2003, when a federal court ruled that a security guard in a strip club was acting under color of law when he assaulted a dancer.</p>
<p>The off-duty police officer, moonlighting as a private guard, was wearing his badge and gun during the assault, identified himself as a police officer, and prevented the victim from calling the police. He also filed an arrest report against the victim for allegedly assaulting him.</p>
<p>The officer was found guilty under Section 242 and received a 27-month sentence as well as three years of supervised release. The officer appealed the decision, and the federal circuit court upheld the original ruling (<em>United States v. White</em>, U.S. Court of Appeals for the Sixth Circuit, 2003). A federal judge found that “displaying signs of state authority” by wearing his gun and badge, declaring himself to be a police officer while off duty, and filing a police report “underscores his imposition of state authority,” according to court documents.</p>
<p><strong>Government contract.</strong> The third identified theme is that security personnel can be prosecuted under Section 242 when operating under a contractual relationship with the state. In cases where security personnel employed as contractors for the state were prosecuted under Section 242, the private security personnel held positions within a state agency, making them liable for their actions under the statute. Private security personnel working in correctional settings have also been prosecuted under similar circumstances.</p>
<p>Some of these cases are based on violations of a person’s Eighth Amendment right to be free from cruel and unusual punishment. In <em>United States v. Mendez</em> (U.S. District Court for the Eastern District of Texas, 2009), the defendant, an employee of a privately owned prison transport company, received six months’ imprisonment and one year of supervised release for assaulting an inmate in her care and custody.</p>
<p>Another case, <em>United States v. Fuller</em> (U.S. District Court for the District of New Mexico, 2009), involved four defendants who worked for the Wackenhut Corporation, a contractor for a New Mexico county correctional facility.</p>
<p>Employed as correctional officers, two of the defendants physically assaulted an inmate, kicking him in the head multiple times. Prosecutors charged another defendant with failing to prevent the attack and indicted the fourth defendant on a conspiracy charge for fabricating evidence and for lying to and providing false statements to police investigators. A jury convicted three of the defendants—the two directly involved in the assault and the employee who lied to investigators—of violating Section 242.</p>
<p>Fifth Amendment violations involving contract security also exist. In <em>United States v. Loya</em> (U.S. District Court for the Southern District of Texas, 2009), Loya was employed as a contract guard at an Immigration and Customs Enforcement (ICE) detention facility.</p>
<p>While working in the facility’s infirmary, Loya sexually assaulted female inmates—a violation of the detainees’ Fifth Amendment right to “life and liberty, including the right to bodily integrity.” Loya pleaded guilty to Section 242 violations and served a 36-month sentence.</p>
<h4>Lessons</h4>
<p>These cases show that private security personnel can be prosecuted under Section 242, but they also raise the question of why so few cases have been brought. This may be due to victims failing to report violations, prosecutorial discretion, or the use of other federal statutes to prosecute security personnel for civil rights-related violations.</p>
<p>For example, federal prosecutors can recommend a case for diversion instead of prosecuting suspects under Section 242 when the accused agree to probation and dismissal of the charges upon completion of probation.</p>
<p>Additionally, proving all the requirements to secure a Section 242 conviction can be a barrier. The “color of law” and “willfulness” standards can be difficult to establish, which in turn insulates security officers from prosecution.</p>
<p>Despite these factors that may limit prosecutions of private security personnel, the security industry should be aware of these liabilities, which could become greater as public-private partnerships expand to fight crime. Security managers should train their officers to protect the constitutional rights of the people they serve.</p>
<p><em>Brian Johnson, Ph.D., is a professor in the School of Criminal Justice at Grand Valley State University. He is the author of four books, including Principles of Security Management. He specializes in private security, criminology, and law enforcement. Naoki Kanaboshi, S.J.D., is an associate professor in the School of Criminal Justice at Grand Valley State University. He writes on constitutional law, civil rights, and legal issues for criminal justice practitioners.</em></p>
Top Five Challenges for Managing Cybersecurity Risk
https://adminsm.asisonline.org/Pages/Top-Five-Challenges-for-Managing-Cybersecurity-Risk.aspx
Category: Security Technology. Published: 2018-12-01
<p>Cybersecurity threats continue to grow and evolve. Trusted identities combat these threats as part of holistic, end-to-end solutions that combine multifactor authentication, credential management, and physical identity and access management (PIAM), supported by real-time risk profiling technology and digital certificates, all bringing trust to the Internet of Things (IoT). Following are five of the top cybersecurity risks where trusted identities provide critical protection:</p>
<p><strong>1. Fighting fraud.</strong> Today’s risk management solutions use trusted identities and analytics to protect transaction systems and sensitive applications. Employing a combination of evidence-based capabilities, behavioral biometrics, and machine learning, these solutions help organizations detect phishing, malware, and fraudulent transactions. They can also prevent account takeovers and session stealing.</p>
<p><strong>2. User experience and business decisions.</strong> Besides detecting threats, adding an analytics engine behind an organization’s archiving solutions, digital certificates, and user location information lets organizations realize other valuable benefits. Predictive analytics help pinpoint threats and facilitate countermeasures by defining a user’s attributes and behavior so that risk can be assigned to people and areas. They also provide insights into personnel movement in a building so organizations can optimize workflows and the usage of facilities, common areas, and individual rooms.</p>
<p><strong>3. Securing the IoT.</strong> Digital certificates add trust in the IoT and are becoming a core component for combating cybersecurity risks. Trusted cloud services are used to issue unique digital IDs to devices ranging from mobile phones, tablets, video cameras, and building automation systems to connected cars and medical equipment. One example is cloud-based secure issuance, in which digital certificates create a trusted relationship between the cloud and all issuance consoles, printers, and encoders. Industrial IoT is another area seeing wide adoption in critical industries such as utilities, oil and gas, chemicals, pharmaceuticals, and transportation; collecting and correlating physical, IT, and operational events from IoT devices yields multidimensional information that can provide indicators of compromise that are otherwise hard to detect by traditional means.</p>
<p><strong>4. Plugging gaps in security defenses.</strong> The move to unified identity management reduces risk by extending multifactor authentication across the entire identity and access management lifecycle. A cloud-based model is used to provision IDs and perform authentication for physical and logical access control. The next step is to migrate to convergence solutions that pull everything related to identity management into a unified system capable of granting and managing access rights. PIAM software is a key element, unifying identity lifecycle management by connecting the enterprise’s multiple and disparate physical and IT security systems to other parts of the IT ecosystem, such as user directories and HR systems, as well as cloud-based card issuance systems, wireless locks, and location-based services.</p>
<p><strong>5. Minimizing risks associated with GDPR compliance.</strong> PIAM software also simplifies General Data Protection Regulation (GDPR) compliance for physical security departments, automating previously manual processes for ensuring and documenting that all requirements are being met and that data breach notification guidelines are being correctly implemented. It centralizes and applies policy- and rules-based automation to all compliance processes, from identity enrollment through auditing. It also ensures that no individual names or other details are transmitted to access control systems, simplifies user consent procedures related to personal information, applies deep system integration to identify threat patterns, and provides robust compliance reporting.</p>
<p><em>Pan Kamal is vice president, product and segment marketing at IAM Solutions with HID Global.</em></p>