Friday, June 15, 2007

Beware of the Nerds!

A recent study by the U.S. Secret Service, who must be considered eminently qualified to recognize the symptoms, and Carnegie Mellon University’s Software Engineering Institute CERT Program analysed insider cyber crimes across critical infrastructure sectors.

The study showed that insider sabotage was in virtually 100% of cases carried out by people who were disgruntled or paranoid, showed up late, argued with colleagues, and generally performed poorly.

Nothing new there, you might say, but when the study also shows that eighty-six percent of them held technical positions and ninety percent had system administrator or privileged system access, then you have to start asking questions. After all, we’re talking about a social group who relate best with machines!

For a copy of the report click on:

http://www.cert.org/archive/pdf/merit.pdf

New British Standard on Manned Guarding

British Standards intends to publish its much-awaited new standard on manned guarding (BS 7499) later this month. For a preview contact David.

Does Your Company Put Personal Employee Data on Laptops?

The Eden Project in Cornwall has confirmed that a laptop containing the names, addresses, bank details, national insurance numbers and pay rates of 500 of its employees has been stolen from the car of an employee of Moorepay Ltd - the company which handles the Eden Project's payroll.

The Eden Project has joined the growing ranks of organisations that have lost employee and/or customer data on a laptop. In November, 2006, the Nationwide Building Society revealed a laptop containing customer data had been stolen three months earlier. Early last month, Marks & Spencer announced a laptop containing the personal details of 26,000 employees had been stolen.

ARC is about to reissue its completely revised Security Management Stage 1 handout on IT Security, which includes 25 recommendations for better laptop security. The handout is available as a PDF to all past delegates of SM1 and SMAP. For your copy contact David.

Foaming at the Mouth!

It's pretty obvious which is the counterfeit Colgate in this picture. But what if the product were almost identical in every respect? How could the consumer differentiate? Is the consumer really concerned if he/she can get the counterfeit product for a knock-down price? What are the risks associated with counterfeit products?

Colgate-Palmolive has announced that counterfeit tubes of its Colgate toothpaste containing a poisonous substance have been discovered at stores in Maryland, New Jersey, Pennsylvania, and New York. At present, there are no reports of anyone becoming sick after using the counterfeit products, which appear to have come from China. The poisonous compound diethylene glycol (DEG), which is used in antifreeze, has been discovered in the counterfeit toothpaste. This chemical, if ingested, can lead to kidney failure.

There was very little to differentiate the counterfeit product from the real thing. The suspicions of observant consumers were raised, however, when they noticed misspellings on the packaging such as "isclinically," "SOUTH AFRLCA" and "South Arican Dental Assoxiation".

Colgate-Palmolive has said it does not import toothpaste from South Africa.

IPR and Counterfeiting is one of the many subjects covered on Security Management Stage 3, 24 September – 5 October 2007. For further details and a full syllabus, contact Janet.



Suicide Tanker Terror Threat

According to media reports in the UK emerging last week, counter terror police are stopping and checking petrol tankers travelling into London amid fears they may be used in a terrorist attack.

Officers are searching vehicles and questioning drivers in a bid to disrupt any plans to use hijacked lorries as travelling “bombs”.

Scotland Yard said the tactic has been used for several months as part of a range of measures to counter the terrorist threat to the capital. It is part of a wider operation by traffic police who are targeting unsafe and overloaded heavy goods vehicles.

£200,000 of Property Stolen in Five Years – From London’s Police Stations!

Embarrassed faces at the Metropolitan Police have admitted that more than £200,000 of property has been stolen from London’s police stations during the past five years. The stolen property includes police uniforms, bicycles, books, computers, firearms and even a dog.

Also, in a raid on the company responsible for the force's pay and pensions services, burglars stole the bank account details of more than 15,000 Scotland Yard officers following a huge security blunder, it emerged in December. Sensitive financial information about high-ranking officers, thought to include Metropolitan Police Commissioner Sir Ian Blair, and anti-terrorist detectives was stored on the three laptops that were stolen.

Cyber Sabotage – An Emerging Threat

Legitimate businesses are turning to cyber criminals to help them cripple rival websites, say security experts. The rise in industrial sabotage comes as some suggest cyber criminals are turning away from using web-based attack tools in extortion rackets.

Instead the tools, usually hijacked home computers, are being used to pump out junk e-mail. Often these hijacked PCs, known as bots, are used for "Distributed Denial of Service" (DDoS) attacks that attempt to knock a site or server offline by bombarding it with huge amounts of data.

For the full story go to:

http://news.bbc.co.uk/1/hi/technology/6623673.stm

DDoS attacks are just one of many IT vulnerabilities addressed in the IT Security session during Security Management Stage 1, 30 July – 10 August 2007.

Delegate Profile: Nandan Bisht CPP

Congratulations to Capt Nandan Bisht of the Reserve Bank of India on his success in passing the CPP certification, joining an elite cadre of fewer than ten CPPs in India. Nandan’s first encounter with corporate security management training was in 2002, when he attended the Security Management and Asset Protection Course (now Security Management Stage 1) at ARC, during which he displayed a particular aptitude for further, high-level professional development.

Commenting on the CPP, Nandan remarked, “Most of the CPPs here are in the private sector (MNCs) and are doing well. Some of them are drawing salaries here in India which are equivalent to their US counterparts. Such is the value of this designation.”

The story of Nandan's CPP journey can be found on his blog:


http://www.nandanbisht.blogspot.com/

If you would like to know more about CPP certification and don’t have an active ASIS International chapter in your country please contact David who, as Chairman of the ASIS UK Chapter Professional Development Committee, will be happy to assist.

Illicit Cigarettes Funding Terrorism – Report in Police Journal Claims

Because of the immense profits in the illicit cigarette trade, as well as the potentially low penalties for getting caught, illicit cigarette trafficking now rivals drug trafficking as the method of choice to fill the bank accounts of terrorists and terrorist groups. Investigators have discovered that traffickers in the United States and the United Kingdom are providing material support to both domestic and international terrorist groups.

The full contents of the report can be found at:

http://policechiefmagazine.org/magazine/index.cfm?fuseaction=display_arch&article_id=226&issue_id=22004

One area where concerted action is being taken to tackle IPR violations head on is the CIS, comprising countries of the former Soviet Union. At the vanguard of this action is the Coalition for Intellectual Property Rights. Visit the CIPR site for more information:

http://www.cipr.org/news/index.php

IPR and Counterfeiting is one of the many subjects covered on Security Management Stage 3, 24 September – 5 October 2007.

Saturday, June 9, 2007

Personnel Security - Managing the Risk

‘Insiders’ is the term used to refer to staff or contractors who try to use their access to your organisation’s assets for unauthorised purposes. This includes many forms of criminal activity, from minor theft through to terrorism.

Personnel security is the term used to describe the policies and procedures put in place to try to minimise the risk. Robust personnel security helps your organisation to employ reliable people, minimise the chances of staff becoming unreliable once they have been employed, detect suspicious behaviour, and resolve security concerns once they emerge.


For information on how to improve your personnel security measures contact David or download the guideline: "Personnel Security - Managing the Risk" from:


Access Control Feature - Electronic Programmable Door Keys

One of the most vulnerable parts of any building security system is its users. Their keys and tokens can be lost, compromised or copied, putting all their colleagues at risk.

ASSA ABLOY Architectural Solutions has launched its answer to this problem: CLIQ. Lock systems with built-in intelligence. The new CLIQ technology combines the best of design and electronics in the smartest possible manner. This intelligent lock system is built into the new generation of ASSA dp™ lock cylinders. CLIQ makes intelligent, flexible and high security lock systems possible.

The system's mechanical design creates the basic foundation, which is made up of different security zones or levels. The electronic programming of the keys gives authorisation to individuals or to groups of individuals, allowing you to manage and control your security electronically.

For further details contact David.

A Window into Security Management Stage 1, Which Takes Place in the UK, 30 July - 10 August

Premises security is one of the many key areas addressed during the forthcoming Security Management Stage 1 (Core Skills) Course, which runs 30 July to 10 August 2007.

Working on the principle that any security system should comprise deterrence, delay, detection and response, a key building vulnerability is window security. Before resorting to electronic (intrusion detection) protection of windows, there is a range of delay options to be considered. These include window bars, grilles, polycarbonate panels, window film, shutters, window mesh, security blinds and basic window locks.

For more information on the options available contact David. To reserve a place on Security Management Stage 1 contact Janet.

Still Time to Register for Security Management Stage 2 - Just!

The forthcoming Security Management Stage 2 Course, 2-13 July 2007, looks set to be an exciting exchange of best practice. Already booked on the programme are delegates from the government sector, international logistics, oil and gas, alternative energy, manufacturing and banking.

Peter Horsburgh CPP, PSP will be the course leader, and will guide delegates through subjects such as Developing Security Risk Management, Business-Integrated Security Operations Management, Security Technology, Crime Prevention and Fraud Management, IT and Information Security Management, Anti-Terrorism, Investigations Management, Transportation Security, Business Travel Security etc.

For those pursuing the ARC/Middlesex University MSc, the course constitutes 30 postgraduate credits, or one sixth, of the overall programme.

The course is still open to registration for a further week. For details on this, and other ARC Training courses, contact Janet.

Thursday, June 7, 2007

Building Security - An Architect's Guide

A little old, but it still contains some very useful advice, for example:

"Waiting until the last stages of the design process to begin thinking about security system requirements can spell trouble for budgets and construction schedules, and is a sure way to guarantee that the system installed will be less than optimal.

Without attempting to make a complete list of the security-related issues architects should be aware of at the outset of a design, let us mention several of the most important. First, effective security is always an interplay of three elements: natural and architectural barriers, including anything from landscaping strategies that discourage access, to the number, location, size, and type of doors and windows; human security, including the protection provided by guards and other personnel; and electronic security, provided by any one of the array of systems now available.......... "
Read on at:



"Protect - Detect - React"

When next preparing security policies it may be worth paying a visit to the New Zealand “Security in the Government Sector” website for some basic hints on what to include.

Primarily focused on government sector security, the site nevertheless has some useful pointers to essential security considerations, especially, but not exclusively, those to do with information and personnel security.

The site can be found at:

http://www.security.govt.nz/sigs/html/index.html

ARC Training is pleased to announce that it has established a Security Consultancy Services division to assist you in writing policies and procedures, carrying out security surveys, security risk analyses, security vulnerability assessments etc. Contact David for details.

40% of Companies Don't Monitor Their Databases, Survey Reveals

Despite all the data losses that are filling the headlines and leaving hundreds of thousands of people exposed to identity theft, 40% of companies don't monitor their databases for suspicious activity, according to a study released this week.

And it's not that IT managers don't realize how sensitive the information in these databases really is. Seventy-eight percent of those polled said their databases are either critical or important to their business, with customer data most commonly contained within them.

In an increasingly precarious balancing act, IT professionals said their companies are caught between trying to protect data from misuse by external and internal threats, while at the same time giving greater access to the same data in order to drive business initiatives.


The full article can be accessed at:


And Staying on the Subject of the Police.......

A Northern Ireland police station which was targeted by burglars had been left with its windows open and its alarm switched off, it has emerged. The station in Ballynahinch, County Down, was broken into last month. Assistant Chief Constable Duncan McCausland told the Policing Board officers went on patrol and forgot to lock up properly.

Northern Ireland Assembly member Alex Maskey wondered if perhaps "the 20 unopened bottles of milk" on the doorstep had tipped off the burglars!

It's a Funny Old World!

Extra police officers are to patrol the streets of Brighton on nights when there is a full moon. It follows research by the Sussex police force which concluded there was a rise in violent incidents when the moon was full - and also on paydays.

Inspector Parr of Sussex Police told the BBC: "From my experience, over 19 years of being a police officer, undoubtedly on full moons, we do seem to get people with, sort of, stranger behaviour - more fractious, argumentative."
The legend that people can become violent, or even turn into werewolves, can be traced back to ancient times.

Follow this link to the full story:



Friday, June 1, 2007

Physical Security Alone Isn't Sufficient to Protect You against Sabotage, Warns MI5

SCADA (Supervisory Control and Data Acquisition) is the term given to IT systems which control essential processes such as electric power generation, transmission and distribution, water management systems, mass transit systems, manufacturing systems, oil and gas sector manufacturing and pipeline processes, supply chain management and logistics network management etc.

SCADA systems are vulnerable to hacking, misoperation and sabotage (eg loss of containment) by both criminals and terrorists. Alarmingly, many delegates attending security management courses at ARC Training are not aware of the term SCADA, let alone the inherent vulnerabilities of SCADA systems. This is indicative of a lack of liaison between those responsible for IT security on the one hand and physical/operational security on the other.

According to MI5’s Centre for the Protection of National Infrastructure, threats to such IT-based systems continue to escalate and the fact that many systems are remotely supported by vendors increases their exposure to hacking and virus attacks. MI5 concludes that there may be insufficient security measures to keep such systems safe.

For further information navigate to:

http://www.cpni.gov.uk/ProtectingYourAssets/ElectronicSecurity/scada.aspx

For additional information on how to protect SCADA systems contact David.

Many Corporate Wi-Fi Networks Still at Risk from Hacking - ARC Publishes New Handout on IT Security

One year ago almost 40% of wi-fi networks in London’s business districts were operating without encryption, according to Kaspersky Lab - a developer of secure content management solutions - in its latest wireless security report. Since then the situation has been gradually improving. This year the survey has indicated:

- 31% of wireless networks in London as a whole are failing to encrypt traffic.

- 35% of wireless networks in Canary Wharf are failing to encrypt traffic.

The report drew particular attention to the unsatisfactory situation in Canary Wharf, which is home to many companies high on hackers’ targeting lists.

The full report can be found on:

http://www.viruslist.com/en/analysis?pubid=204791945

The vulnerabilities of wi-fi networks are just one of the topics covered in ARC Training’s Information and IT Security Workshop, which is held three times a year or on-site, by request.

For delegates who have attended Security Management Stage 1, or SMAP, a new IT Security Handout is now available on request.