Cybersecurity Angst: Cyber and Travel
2019-02-01T05:00:00Z, Michael Gips
<p>Now in its 33rd year, OSAC brought together thousands of security professionals from U.S. organizations to explore global security issues and challenges, hear from corporate and government thought leaders, and receive regional briefings from OSAC analysts in November 2018. Topics ranged from social media disinformation in India and emerging autonomous threats to creating a contemporary operations center and building a 21st century security program. But two topics stood out: cyberwarfare and travel risk management.</p><p><strong>Cyberwar.</strong> In the waning days of the Second World War, U.S. President Franklin D. Roosevelt, U.K. Prime Minister Winston Churchill, and Soviet Premier Joseph Stalin met in Yalta to demand Nazi Germany’s unconditional surrender. Stalin emerged from that conference with control over Eastern Europe. The Soviet Union’s collapse half a century later eviscerated Russia’s sphere of influence, but the country is dramatically reasserting its claim as a world power player largely through its vast cyberwarfare activities. Russia’s return to prominence, the diversification of nation-state hacking among new actors, and the cyberthreat to both governments and businesses emerged repeatedly as areas of grave concern at the OSAC 33rd Annual Briefing, held in Washington, D.C.</p><p>Russia is effectively out to create a “Yalta 2,” said Heather Conley, a senior vice president at the Center for Strategic and International Studies, during a session on new-generation warfare. 
Russian President Vladimir Putin’s objective is to “retain his power structure, restore Russia as the United States’ equal, and stave off long-term Russian decline,” Conley said.</p><p>Cyber activities are key to Russia’s reassertion of dominance in Eastern Europe and beyond, where it is deploying a combination of cyber activities, including economic investment, politicized nongovernmental organizations, proxy groups, and political patronage. For their cyber activities, “Ukraine is the lab,” Conley said. Putin is looking to not only identify which techniques are effective, but also to gauge the West’s reaction, she said. A main objective: “Get U.S. citizens to lose confidence in elections” and other democratic institutions.</p><p>Of course, Russia is far from the only combatant on this virtual battlefield. China and Iran are also prevalent sources of advanced persistent threats, with instances of unauthorized and stealthy access to a network for an extended period of time. Kevin Mandia, CEO of FireEye and the author of the groundbreaking 2013 report documenting the Chinese military’s cyberattacks on 141 Western organizations, noted in a separate OSAC session that Iran has been vastly improving and increasing its cyber aggression. Even Vietnam has joined the fray, he said.</p><p>“Eighty percent of breaches we respond to are corporations hacked by nation-states,” Mandia said. And almost every breach reflects geopolitical conditions or developments.</p><p>Given the vast resources of Russia, China, Iran, and countless other nation-state cyberwarriors, how can corporations mount their relatively meager resources in defense? Emily Heath, the CISO of United Airlines, who presented on Mandia’s panel, noted that the airline emphasizes sharing intelligence between its physical and cybersecurity departments. “Almost every incident has a cyber component today,” she said. 
Boeing Senior Director Scott Regalado added that security executives should be closely following the news and proactively reaching out to the C-suite, especially if a development might somehow involve their company or industry.</p><p>Panelists stressed that tabletop exercises are critical, as is creating an enterprisewide information security committee. “Consider preparedness for media response as well as internal response,” advised Heath. Preplanning is essential because breach-disclosure regulations put victimized organizations on the clock.</p><p>Defense starts with good cyber hygiene, security consultant Stevan Bernard told Security Management following the panel. He is in a good position to know: Bernard previously served as executive vice president for Sony Pictures Entertainment, which was the victim of a high-profile breach believed to have been committed by the North Korean government. The key is to change behavior, which is best accomplished through personalizing the message, he said.</p><p>For example, companies can encourage cyber vigilance by explaining how employees are personally at risk and how they have assets worth protecting. Good home habits transfer to the workplace. In addition, companies might consider providing employees with dedicated computers—that aren’t connected to the corporate network—for personal Internet browsing. Corporate cybersecurity basics should include 12-character passwords that must be changed every 90 days, two-factor authentication, regular encryption and purging of data, and phishing-education campaigns. Yet despite increasingly sophisticated attacks and the growing involvement of state actors, Bernard said, “the biggest vector is still email.”</p><p><strong>Travel.</strong> In early 2018, due to work commitments, a U.S.-based corporate executive was unable to join his wife and two teenaged daughters at a resort on the Riviera Maya in Mexico. 
He felt comfortable sending them, despite general travel warnings issued by the U.S. State Department and highly publicized media accounts about tourists caught in gang crossfires, because the incidents were remote and isolated, and he was familiar with the airport, the transportation, the travel route, and the resort. </p><p>Additionally, transportation to and from the resort had been set up in advance, his family followed good travel security practices, and the executive had assets on the ground to assist if necessary.</p><p>Happily, the family had a great time and returned safely. But during their stay an American tourist was killed only a few miles from their resort. In the aftermath, the CEO questioned the executive’s judgment, citing the murder, media reports, his recall of travel advisories for Mexico, and third-hand horror stories of trips gone awry. What the CEO lacked was an objective assessment of the risk.</p><p>Many organizations turn to travel risk management firms to drill down into specific locations, routes, times of year, and other factors to protect their traveling staff, students, and volunteers. But OSAC has recently introduced a free matrix tool available to its constituents that enables a nuanced view of travel risk for specific locations.</p><p>With the OSAC framework, a user selects a country and completes six modules related to risk—crime, terrorism, civil unrest, environment, health, and operational/information security. For each of these modules, companies answer a series of questions, typically with checkboxes or prepopulated answers contained in a pull-down menu. 
OSAC provides the links to objective data, such as the types of natural disasters that have occurred in the last 24 months, while companies answer many of the questions based on their interests in the country and their own risk tolerance.</p><p>For example, under the “civil unrest” module, a travel security manager might identify recent civil demonstrations and gauge the prospect for future incidents, as well as discern the underlying cause, average size, and participant makeup of demonstrations. The manager can also determine their frequency, location, and the frequency and nature of any attendant violence. In one possible example, the framework can help a travel manager conclude that demonstrations reflect opposition to host-country politics or practices, average between 500 and 1,000 participants, occur in areas where the company has significant operations, and spill over into looting and rioting that local security forces cannot control. That information would help inform the company’s security practices, for example choosing alternate travel routes or rescheduling visits.</p><p>At the end of the framework is a section on countermeasures and guidance. It includes space for travel security managers to enter risk summaries, travel requirements, traveler guidance, and transportation countermeasures.</p><p>Questions for the matrix were chosen based on their ability to provide clarity on the overall security picture, says OSAC Regional Analyst Morgan Dibble. For instance, to gauge crime, organizations frequently consult homicide rates, which most nations report. But homicide rates—which can be underreported, unavailable, or manipulated—do not truly reflect overall crime rates. 
Therefore the “crime” module also includes common crimes such as smash-and-grab theft and drink spiking, popular scams, discernible targeting patterns, and police response.</p><p>OSAC constituents can access the tool via the secure <a href="" target="_blank">OSAC website.</a></p>

Five Challenges for Managing Cybersecurity Risk
<p>Cybersecurity threats continue to grow and evolve. Trusted identities combat these threats as part of holistic, end-to-end solutions that combine multifactor authentication, credential management, and physical identity and access management (PIAM) and are supported by real-time risk profiling technology plus digital certificates, all bringing trust to the Internet of Things (IoT). Following are five of the top cybersecurity risks where trusted identities provide critical protection:</p><p><strong>1. Fighting fraud. </strong>Today’s risk management solutions use trusted identities and analytics to protect transaction systems and sensitive applications. Employing a combination of evidence-based capabilities, behavioral biometrics, and machine learning, these solutions help organizations detect phishing, malware, and fraudulent transactions. They can also prevent account takeovers and session stealing. </p><p><strong>2. User experience and business decisions.</strong> Besides detecting threats, adding an analytics engine behind an organization’s archiving solutions, digital certificates, and user location information enables organizations to realize other valuable benefits. Predictive analytics help pinpoint threats and facilitate countermeasures by defining a user’s attributes and behavior so that risk can be assigned to people and areas. It also provides insights around personnel movement in a building so organizations can optimize workflows and the usage of facilities, common areas, and individual rooms.</p><p><strong>3. Securing the IoT.</strong> Digital certificates add trust in the IoT and are becoming a core component for combating cybersecurity risks. Trusted cloud services are used to issue unique digital IDs to devices ranging from mobile phones, tablets, video cameras, and building automation systems to connected cars and medical equipment. 
One example is cloud-based secure issuance, in which the use of digital certificates creates a trusted relationship between the cloud and all issuance consoles, printers, and encoders. Industrial IoT is another area that is seeing huge adoption in critical industries like utilities, oil and gas, chemicals, pharmaceuticals, transportation, and more, where it makes it possible to collect and correlate physical, IT, and operational events from IoT devices. This multidimensional information can provide indicators of compromise that are otherwise hard to detect with traditional means.</p><p><strong>4. Plugging gaps in security defenses.</strong> The move to unified identity management reduces risk by extending multifactor authentication across an entire identity and access management lifecycle. A cloud-based model is used to provision IDs and perform authentication for physical and logical access control. The next step is to migrate to convergence solutions that pull everything related to identity management into a unified system capable of granting and managing access rights. PIAM software is a key element, unifying identity lifecycle management by connecting the enterprise’s multiple and disparate physical and IT security systems to other parts of the IT ecosystem, such as user directories and HR systems, as well as cloud-based card issuance systems, wireless locks, and location-based services.</p><p><strong>5. Minimizing risks associated with GDPR compliance. </strong>PIAM software also simplifies General Data Protection Regulation (GDPR) compliance for physical security departments, automating previously manual processes of ensuring and documenting that all requirements are being met and data breach notification guidelines are being correctly implemented. It centralizes and applies policy- and rules-based automation for all compliance processes, from identity enrollment through auditing. 
It also ensures no individual names or other details are transmitted to access control systems, simplifies user consent procedures related to personal information, applies deep system integration to identify threat patterns, and provides robust compliance reporting.</p><p><em>Pan Kamal is vice president, product and segment marketing at IAM Solutions with HID Global.</em></p>
Manual of Private Investigation Techniques
<div class="body"> <p> <em> <strong> <span style="color:red;">*****</span> A Manual of Private Investigation Techniques. Edited by William F. Blake. Charles C. Thomas Publishers, Ltd.; 326 pages; $39.95; also available as e-book. </strong> </em> </p> <p>The editor of this volume was able to amass an amazing number of beneficial articles for both aspiring and experienced investigators. Although clearly developed for private investigators, its breadth of topics pertaining to various types of investigations gives it significance for investigators working in the public sector as well.</p> <p>The book presents the reader with an array of interesting essays on useful topics such as premises liability, undercover operations, integrity investigations, protecting assets, mortgage fraud, arson investigations, and homicide investigations. Many other investigative topics are explored in this tome as well.</p> <p>The authors of these articles often incorporate information on how the various types of investigations should be conducted. There is worthwhile information in these articles that will enable private investigators to educate their respective clients on potential issues in their businesses that could create vulnerabilities for criminal exploitation. 
Collectively, the contributing authors adequately spell out the applicable best investigative practices as they survey the various types of investigations.</p> <p>In short, this work is a valuable contribution to the field of investigation, especially in the private sector. The editor did a superb job of collecting meaningful articles pertaining to the study of investigation as well as the investigative process.</p> <hr /> <span style="color:#800000;"> <strong>Reviewer: </strong> </span>Hugh J. Martin is a retired police chief from Wisconsin. He is a graduate of the FBI National Academy and a member of ASIS. </div>
Trends
<p><span style="line-height:1.5em;">The security industry changes daily. And it’s fair to say that cybersecurity is changing even more rapidly as new threats, new attack methods, and new technologies continuously emerge. This means that cybersecurity professionals need to stay up to date as the threat landscape rapidly evolves to ensure that they are ready to meet the challenges of modern-day data security. Here, we look at some of the major issues that these professionals will be tasked with over the course of the remaining year and heading into 2017.</span></p><p><strong>Brexit.</strong> In a historic decision in June, the United Kingdom voted to leave the European Union (EU)—a decision commonly known as Brexit. 
Approximately 52 percent of the population voted to leave the EU, while 48 percent voted to remain—including all of Scotland and a large portion of the population in Northern Ireland.</p><p>While immediate concerns were focused on the economic upheaval, Brexit will also have an impact on data sharing and data privacy agreements that the United Kingdom was previously part of as a member of the EU and its digital single market.</p><p>One major area of regulation that will need to be ironed out is around the EU General Data Protection Regulation (GDPR), which is scheduled to go into effect in 2018. It creates new privacy rights for EU citizens and requirements for businesses that handle EU citizens’ data (for more on this, read “Cybersecurity” from our August issue).</p><p>When the United Kingdom exits the EU, Britain may no longer be subject to the GDPR and may have to adopt its own framework. </p><p>Furthermore, the EU and the United States had negotiated for months to create the Privacy Shield program, which was designed to replace the Safe Harbor agreement that was previously ruled invalid by the EU. The United Kingdom’s exit from the EU, however, means that it may not be covered by Privacy Shield—which went into effect earlier this year.</p><p>Brexit could also be the catalyst to create a different framework altogether, says Yorgen Edholm, CEO of Accellion, a private cloud solutions company based in the United States.</p><p>“The one EU effort we have looked at very carefully is the new Safe Harbor agreement—Privacy Shield,” Edholm says. “I think the United Kingdom can say, ‘We have two options; we’re going to piggyback off of what the EU is doing, or we’re going to do something else with the United States.’”</p><p><strong>Talent shortage</strong>. Another major concern related to Brexit is whether the United Kingdom will be able to recruit talented cybersecurity workers. 
A recent study highlighted the lack of “digital skills” among people in Britain, which has looked to the EU to recruit employees to fill the void, according to a report by the Science and Technology Committee that was presented to the House of Commons earlier this year.</p><p>“Removing a flow of talent and expertise from Europe could deprive U.K. tech companies of an essential ingredient for sustained growth,” the International Business Times reported before the Brexit referendum. “Additionally, given that Britain’s tech scene—especially in London—is quite multicultural, start-up founders worry that leaving the European Union will make it much harder to hire the best employees.”</p><p>And this is not just a U.K. problem. Globally, 94 percent of executives reported that they are having trouble finding skilled candidates for cybersecurity jobs, according to a recent survey by the Information Systems Audit and Control Association (ISACA). </p><p>This problem, which is not a new one, is unlikely to go away anytime soon. The 2015 (ISC)² Global Information Security Workforce Study projected that by 2020, there will be 1.5 million unfilled information security positions. </p><p>“Signs of strain within security operations due to workforce shortage are materializing,” the report explained. “Configuration mistakes and oversights, for example, were identified by the survey respondents as a material concern. 
Also, remediation time following system or data compromises is steadily getting longer.”</p><p>This, in turn, results in IT security professionals increasingly cornered into a reactionary role of identifying compromises and addressing security concerns as they arise, instead of proactively mitigating the contributing factors, according to the report.</p><p>To combat this, many information security departments are increasing expenditures on security tools and technologies, and for managed and professional security service providers to augment existing staff.</p><p>However, more needs to be done to attract qualified workers to the cybersecurity industry. One new effort to do this was announced by Cisco earlier this year. The company will invest $10 million in a Global Security Scholarship and make enhancements to its security certification portfolio to help close the industry skills gap. </p><p>“Many CEOs across the globe tell us their ability to innovate is hampered by their security concerns in the digital world,” said Jeanne Beliveau-Dunn, vice president and general manager of Cisco Services in a statement. “This creates a big future demand for skill sets that don’t exist at scale today. We developed this scholarship program to help jump-start the development of new talent.”</p><p>The scholarship is a two-year program that is designed in partnership with Cisco Authorized Learning Partners to address the critical skills deficit and provide on-the-job readiness needed to meet current and future challenges of network security, according to a press release. As part of the scholarship program, Cisco also plans to offer training, mentoring, and certifications that align with the job of an analyst in a security operations center.</p><p>Scholarship awards became available on August 1 and are available to applicants who meet certain qualifications until the end of July 2017. 
To be considered for a scholarship, applicants must be at least 18, proficient in English, and have basic competency in one area, such as three years of combined experience in approved U.S. military job roles or Windows expertise.</p><p>Part of Cisco’s efforts will also concentrate on diversifying the IT security workforce so it includes veterans, women, and those just at the start of their careers. Reaching this audience is critically important, says David Shearer, CEO of (ISC)².</p><p>“New young people are not coming into the workforce,” Shearer explains. “That’s not a one- or two-year fix. Only 6 percent of the industry is below the age of 30. That’s a train wreck.”</p><p>Instead, the median age for information security professionals is 42, and workers are 90 percent male. These individuals are working longer hours, which can create problems with burnout and may cause many to move into a different career path “because the grind of the pace of the work is too much.”</p><p><strong>Accountability. </strong>The talent shortage, paired with the rise of cyber incidents, is also placing additional pressure on IT and security executives to communicate actionable data to their boards of directors—or risk termination, a new report says.</p><p>Research of U.S. corporations by Bay Dynamics, a cyber risk analytics company, found that “59 percent of board members say that one or more IT security executives will lose their job as a result of failing to provide useful, actionable information.”</p><p>This may be because boards are placing an ever-higher value on cybersecurity, with 89 percent of board members reporting that they are very involved in making cyber risk decisions for their organizations. 
</p><p>Twenty-six percent of board members also reported that cyber risks were their highest priority, while other risks, like financial, legal, regulatory, and competitive risks were termed “highest priority” by only 16 to 22 percent of surveyed members.</p><p>Coupled with that, the report found that 34 percent of board members indicated that they would provide warnings that improvements in reporting would need to be made before firing <span style="line-height:1.5em;">an executive.</span></p><p>But the report also highlighted “significant contradictions, such as while the majority (70 percent) of board members say they understand everything they’re being told by IT and security executives in their presentations, more than half believe the data presented is too technical.”</p><p>Overall, however, the report shows that boards are engaged and holding IT and security executives accountable for reducing risk, said Ryan Stolte, chief technology officer at Bay Dynamics, in a statement.</p><p>“Companies are headed in the right direction when it comes to managing their cyber risk,” Stolte explained. “However, more work needs to be done. Part of the problem is that board members are being educated about cyber risk by the same people (IT and security executives) who are tasked to measure and reduce it. Companies need an objective, industry standard model for measuring cyber risk so that everyone is following the same playbooks and making decisions based on the same set of requirements.”</p><p><strong>Encryption. </strong>By the end of this year, 65 to 70 percent of Internet traffic will be encrypted in most markets, according to a report by Sandvine, an intelligent broadband networks company. 
This year, 2016, was a major milestone in the life of encryption as companies from Apple to Facebook to Twitter to cloud service providers to WhatsApp embraced encryption across the board.</p><p>However, this move has ramifications for corporate security, which can’t always see what’s happening in its network due to encrypted traffic, and for law enforcement as it loses its ability to gather certain kinds of digital evidence—an issue the FBI terms “Going Dark.”</p><p>“The issue for us is the inability to get access to digital evidence,” says Sasha Cohen O’Connell, the FBI chief policy advisor for science and technology. “This is not a situation where the U.S. Department of Justice is looking for new authorities; it is about exercising the authority we already have…and our inability to access content data, even with due process.”</p><p>To combat this, the FBI has gone to court against private companies to demand access to encrypted data, such as when it filed suit against Apple to gain access to an iPhone 5c used by one of the San Bernardino, California, shooters.</p><p>It has also been encouraging companies to use a form of encryption it terms provider access—where, for example, the data is encrypted on a smartphone but the smartphone’s manufacturer has the key to decrypt that data if it’s served with a court order to do so.</p><p>This approach, however, has been met with criticism by technical experts who say that introducing that access point into encrypted data is making it vulnerable. </p><p>“Academically, they are correct,” O’Connell says. “Any entry point, no matter how managed, does introduce vulnerability. Of course it does. 
But over in the real world, where we use real products every day that for convenience, for advertising, for spam tracking, for a thousand reasons that make sense to us, we’re still within a reasonable risk or what the market has accepted as a risk.”</p><p>For more on the FBI’s stance on encryption and Going Dark, visit Security Management’s website for an exclusive interview with O’Connell.</p>