Homegrown Terrorist Threat Highlighted

The convictions this week of ‘home-grown’ terrorists in the UK brings into focus the insider threat to society. The details of the group’s training and other activities revealed after the convictions showed that terrorists are now conducting training and team-building activities on home soil without the previously common requirement to travel overseas to training camps. Telephone conversations, also released to the media, indicated that terrorist groups have a wish to cause large-scale civilian casualties.

Developing trends in terrorism such as this (and risk mitigation) are of concern to us all and are covered in detail during our Security Management Courses. If you want to know more contact Janet.

Malicious Programs Hit New High

Source: BBC

The number of malicious programs found online has reached an unprecedented high, say security firms. Reports vary but some estimates suggest there were five times as many variants of malicious programs in circulation in 2007 compared to 2006.

Security company Panda Software said it was getting more than 3,000 novel samples of so called malware every day. Criminals pump out variants to fool anti-virus programs that work, in part, by spotting common characteristics.

Security software testing organisation AV Test reported that it saw 5.49 million unique samples of malicious software in 2007 - five times more than the 972,606 it saw in 2006.

Read on here.

Keeping Cool in Kuala Lumpur - Crisis Management

As the two-week Security Management Stage 2 draws to a close in Kuala Lumpur, the 13 delegates have been put through their paces in a simulated crisis management exercise. The exercise is based around a multi-site hi-tech manufacturing and retail enterprise, which suffers – in a single day – a series of potentially debilitating events, including a bomb evacuation of the production plant, an armed hold up at a retail outlet, a product recall, and a relocation of the corporate HQ following a gas leak, with all that this entails in terms of maintaining business continuity and the integrity of IT systems.

The 10-hour exercise allowed delegates, within the context of syndicates, to peer-evaluate their decision making skills in a pressurised environment, producing throughout the day some excellent responses to fluid and often simultaneous crisis events.

The course will culminate tomorrow with syndicates producing three-year security plans to secure a notional multi-site enterprise as it embarks on an ambitious expansion plan. The solutions are delivered as “Board-standard” presentations, and, in many cases, represent at least 20 hours of self-directed group private study.

Fingering Insiders

New technology has been developed in the USA to analyze employees’ emails in order to identify nefarious intent or activity. The Air Force Institute of Technology at Wright Patterson Air Force Base is carrying out research based on the assumption that individuals who have shown unusual interest in a sensitive topic are often the most likely to be an insider threat. The research was backed up by analysis of the emails transmitted during the ‘Enron’ affair.

Although there may be issues in some organizations with employee privacy – the technology may have future applications in detecting potential malicious activity.

http://www.continuitycentral.com/news03767.htm has more.

Security Coordination and Management Tests the Professionals

A multinational group of security professionals is currently undergoing a testing and demanding Security Coordination and Management (SCM) programme at our training centre in the UK. Phil Wood is leading and pushing delegates representing oil, gas, academic, digital technology, finance and even a security consultant through a wide ranging series of sessions and a challenging in-course exercise, which will culminate in a ‘board-level’ presentation of risk-based solutions to a security scenario.

Phil reports that the course is progressing extremely well, with the delegates responding with alacrity to the challenge and expects ‘great things’ from the presentation!

If you want to know more about this course, please see the website or brochure; or contact Nicky (pictured saluting!) direct.

A Message from Beyond the Wire

Click on image for a better view.

Is Encryption All It’s Cracked up to Be? Researchers Find Way to Steal Encrypted Data

A group led by a US computer security researcher has developed a simple method to steal encrypted information stored on computer hard disks.

The technique, which could undermine security software protecting critical data on computers, is as easy as chilling a computer memory chip with a blast of frigid air from a can of dust remover.
The move, which cannot be carried out remotely, exploits a little-known vulnerability of the dynamic random access, or DRAM, chip.

Those chips temporarily hold data, including the keys to modern data-scrambling algorithms. When the computer’s electrical power is shut off, the data, including the keys, is supposed to disappear.

In a paper that was published last week on the Web site of Princeton’s Center for Information Technology Policy, the group demonstrated that standard memory chips actually retain their data for seconds or even minutes after power is cut off.

CCTV Cameras That Get Under Your Skin. Could This Spell the End for Inflatable Car Companions?

A new CCTV camera that counts car occupants by detecting blood and water content on skin is being tested. How does it work?

Read on here.

Automatic Data Destruction if Laptop is Stolen

Hardly a week goes by without a new corporate data loss expose. Now a British company has developed an intelligent security technology that can wipe data if a laptop is moved from its designated space.

Backstopp, from technology company Virtuity, works by using wireless network, such as WiFi, to monitor a laptop's location. If the laptop is moved from its allowed zone, the software steps in to remove sensitive data.

Virtuity claims the software, designed to be used in conjunction with encryption software, provides another layer of protection from data theft. The system can provide details of which laptops contain what data, and their level of security.

Read on here.

2008 Control Risks RiskMap

This year’s Control Risks RiskMap has been written against a backdrop of growing economic uncertainty and a resurgence of political risk – the unifying theme of this year’s publication. With the global boom apparently drawing to a close, a tougher business environment typified by falling margins will force investors to pay more careful attention to risk.

For a copy of the risk map and accompanying report click here.

Will the FAA Ban Laptop Batteries? New Rules for Laptop Batteries in Checked-in and Carry-On Luggage in the USA.

Laptops are the best thing that ever happened to airline travel. They enable you to catch up on your work, play games or watch a movie while you are traveling. Better still, many airlines are now installing costly equipment that enables you to access the Internet during flights. Most of these systems use your laptop's built-in Wi-Fi to connect.

Unfortunately, this laptops-in-the-sky nirvana probably won't last. The problem: Laptop batteries can explode catastrophically. It's happened before, and it will happen again. It's only a matter of time before it happens in-flight.

New rules came into effect Jan. 1 that ban spare laptop batteries in checked luggage. Batteries actually installed inside devices are allowed, and most spare batteries in your carry-on are fine, too. But carry-on batteries are now governed by a complicated new set of rules.

You can carry batteries with 8 grams of lithium or less in your carry-on luggage, but they must be carried in plastic bags. Cell phone, PDA and other gadget batteries, plus most laptop batteries, contain less than 8 grams of lithium.

You're now limited to a maximum of two batteries with between 8 and 25 grams of lithium in them. The most common batteries in this category are "extended life" laptop batteries, but also batteries used in larger devices like projectors. If you carry on three such batteries, security will take one of them away.

Read more about this here.

Digital Video Storage Solutions - The RAID Explained....

Installing a new CCTV system and can’t decide between a RAID-1 storage system and a RAID-5? Jeff Whitney of IP data storage firm Intransa has some advice:

RAID 1 is also referred to as a 'storage mirror' or a 'mirroring solution'. All data is recorded on not just one but two identical drives, so that two copies exist at all times. If one drive fails, the exact copy on the other continues to function and no data is ever lost. While many DVRs have no RAID protection at all, some do feature RAID 1 support.

Simply put, RAID 5 delivers the best overall balance of data protection and performance and makes the most efficient use of drive capacity of all RAID techniques. As a result, RAID 5 is the most widely used technique in IT and is also found in the best DVR and IP storage systems.

Still confused? Study this advice in more detail at:

http://www.securityinfowatch.com/article/article.jsp?siteSection=430&id=13093&pageNum=1

The new Specifying Security Systems Course, 21-25 July 2008, will look at CCTV specification, as well as the specification of other technological security systems, in detail. Contact Janet for more information.

Let Sleeping Dogs Lie!

New research indicates that it may be a good thing to allow your guards to sleep on shift – but not for more than 6 minutes!

http://news.bbc.co.uk/1/hi/health/7254555.stm

The Corporate Manslaughter Act

The Corporate Manslaughter (Homicide) Act becomes law in the UK on 6 April 2008 The Act is one of the most significant legislative changes to corporate responsibilities since the principles of the modern company were crystallised in a case in 1373. The new law will apply not just to the UK’s 2.3 million companies but to partnerships, other employers like trade unions, and to some non-commercial organisations.

In summary, an organisation is guilty of the offence if the way in which its activities are managed or organised causes a death and amounts to a gross breach of a relevant duty of care to the deceased. A substantial part of the breach must have been in the way activities were managed by senior management.

The offence is concerned with the corporate liability of the organisation itself and does not apply to individual directors, senior managers or other individuals. Nor is it possible to convict an individual of assisting or encouraging the offence. However, individuals can already be prosecuted for gross negligence manslaughter/culpable homicide and for health and safety offences.

Read more about it here:
Download the Act here:
Download guides to the Act here and here.

Foreign Travel Advice - Keep up to Date

Travelling to a destination and want to know the prevalent risks? The first place you should look is the UK FCO Country Advice website:

http://www.fco.gov.uk/servlet/Front?pagename=OpenMarket/Xcelerate/ShowPage&c=Page&cid=1007029390590

And you don’t need to take just HMG’s word. Clicking on the following link opens up a portal to the travel advice sites of other governments, such as France, Germany, the US, Canada and Australia.

http://www.fco.gov.uk/servlet/Front?pagename=OpenMarket/Xcelerate/ShowPage&c=Page&cid=1041594829400

By clicking here you can even have the FCO deliver the latest business travel alerts direct to you inbox.

Remember that if you are a UK company, you have an extraterritorial duty of care to staff travelling overseas, so, in the absence of an outsourced travel advice provider, you should post these links on your intranet.

An Israeli Air Strike against Iran Drawing Closer?

Arabian Gulf security is again in the spotlight with Iran's nuclear programme is being discussed by senior diplomats from the US, the UK, Russia, China, Germany and France meeting in Washington this week.

The US has said there is a "very strong case" for a third round of sanctions after the UN's nuclear watchdog said on Friday it could offer no "credible assurances" that Iran was not building a nuclear bomb.

In 2005 the UK newspaper Times Online reported that Israel had drawn up secret plans for a combined air and ground attack on targets in Iran if diplomacy fails to halt the Iranian nuclear programme. Such an event would be sure to split public opinion in the Arab world and prompt a swift response from Hizbullah.

Security Management Training Focus - Continuing Business in Asia

Delegates attending the Security Management Stage 2 Course in Kuala Lumpur have been studying how security managers can make a more effective contribution to their organisations’ business continuity planning, an essential element of good corporate governance.

Almost all of the 13 delegates are involved, to a greater or lesser extent, in BC planning in their respective organisations and the BCM workshop on Monday presented latest best practice in business continuity as well as some practical examples of how to make business continuity planning more successful.

The workshop also shed light on the subtle differences, and interactions, between risk management, crisis management, business continuity management and disaster recovery.

The course, which reflects the international flavour of ARC's UK programmes, includes participants from the UK, South Africa, Nigeria, China, Bangladesh, Pakistan, India, Korea, Malaysia and the United Arab Emirates.

CPP – Take the Plunge!

With the 1st March deadline for the 3rd May CPP examination in the UK fast approaching, now is the time to start thinking about registering for the 1 November examination.

There are eight study domains to this certification, widely acknowledged as the only true international professional security certification for senior security professionals:

Domain 01 Security Principles & Practices
Domain 02 Business Principles & Practices
Domain 03 Personnel Security
Domain 04 Physical Security
Domain 05 Information Security
Domain 06 Emergency Practices
Domain 07 Investigations
Domain 08 Legal Aspects

For details on how to prepare for the CPP, contact Janet.

International Maritime Bureau’s 2007 Annual Report Available for Download - Sharp Rise in Nigeria Coast Piracy

Sea piracy has recently received renewed attention with the release in January 2008 of the International Maritime Bureau’s (IMB) 2007 annual report, reports security consultants red24.

Based on statistics compiled by the IMB’s piracy-reporting centre in Malaysia, the paper revealed a ten percent increase in reported incidents of piracy worldwide in 2007 (263 incidents) compared to 2006 (239 incidents).

The report also identified the Gulf of Guinea, located off the coast of West Africa and extending from the western coast of Cote d’Ivoire, past Nigeria, to the Gabon estuary, as one of the world’s most dangerous maritime regions with regards to piracy. In particular, the report highlighted a sharp escalation in piracy-related activity off the coast of Nigeria, and the region now challenges both the Malacca Straits and the Somali coastline as one of the world’s most piracy prone maritime environments.

During 2007, some 42 incidents of piracy were reported in these waters, compared to 12 in 2006. The majority of these attacks occurred around Lagos, Nigeria’s main port and commercial centre, and in the oil rich Niger Delta region.

In the Delta, the problem of piracy has been compounded by a growing insurgency, where militants are fighting for an increased share of the region's oil wealth and have attacked shipping interests in pursuit of this cause. Given the number of piracy incidents over the past 18 months and the level of continuing instability in the Delta region, it appears likely that Nigeria’s maritime security environment will remain precarious for the foreseeable future.

For a copy of the IMB report click here or contact David.

Terrorism in SE Asia. What Does It Mean for Business? - New Report from LLoyds

Businesses that operate in Southeast Asia need to better understand that the Asian terrorism threat is unique, complex and specific to the region, according to Lloyd’s, the world’s leading specialist insurance market.

A new report from Lloyd’s and the International Institute for Strategic Studies (IISS), ‘Terrorism in Asia: What does it mean for business?’, launched at Lloyd’s 360 Risk Debate in Singapore, warns that traditional forms of terrorism in Asia are being superseded by area specific threats, such as criminal gangs with political agendas, and businesses need to respond to these.

The report can be downloaded free by clicking here.

David Cresswell will be delivering a one-day workshop on the Corporate Response to Terrorism this week to the 13 delegates attending the Security Management Stage 2 Course, currently underway in the Malaysian capital Kuala Lumpur.

The next Security Management Stage 2 Course takes place 30 June – 11 July 2008 in the UK. Contact Janet for details.

ARC's Phil Wood Speaking at TAPA EMEA Conference

Phil Wood will be addressing the Transported Asset Protection Association (TAPA) EMEA Conference in Warwick, UK on 20th March. The Conference theme will be "Mature Markets - New challenges" and Phil will cover the need for business continuity planning and management following security incidents. This follows his very successful crisis and business continuity management workshop recently held in Dubai. TAPA is the leading association for transport and logistics security and the conference will be attended by managers and logistics professionals who will be exposed to best practice and developing risk information relevant to their business activities. More information on the conference can be found here.

If you would like to know more about business continuity or crisis management, our courses can provide the information that you need – or we can provide bespoke training for your organisation. Contact Phil for more information.

"This Course Has Helped so Much. 5 Months into My New Role as an Investigator I have Been Promoted to Senior Loss Prevention Investigator"

In November 2007 ARC launched its new 4-day Investigating and Interviewing Course, delivered by partners Linx International.

The first course was a huge success for the eleven participants and feedback was exceptionally good. The presenters place great emphasis on examining the various legislative criteria (see slide above) that needs to be taken into account by security managers and investigators in order to bring a successful action, disciplinary or criminal, against perpetrators of crimes.

By the end of the programme delegates should have the confidence, skills and ability to carry out an investigation in a corporate setting, ensuring that all investigative activities are carried out in accordance with best practice. The key objective is that participants are then able to lead investigations that are rigorous, thorough and result in desired outcomes.

To book a place contact Janet.

Media Puts Data Losers in the Spotlight (While the UK Information Commissioner Puts Companies on Notice)

The media onslaught continues relentlessly against organisations whose employees, or contractors, lose laptops containing sensitive data, especially those of a personal nature. It seems almost every day one company or other is being named and shamed and accused of taking insufficient measures to protect laptop computers in particular.

- Reuters reported on 20 January that Brazilian company Petrobras has confirmed that four laptops have been stolen from a transport container owned by the U.S. oil-field service company Halliburton. Press speculation is that this was a targeted theft by data thieves, eager to get their hands on sensitive data about a major natural gas deposit struck by the company in January.

- The Wall Street Journal is reporting today that German prosecutors say they are investigating the internal theft of confidential client data from Liechtenstein bank Liechtensteinische Landesbank AG, or LLB. Investigators allege the bank, which is the alpine principality's second largest, paid blackmailers millions of euros to try to keep the affair secret.
- And yesterday the Irish Parliament, the Dail, was briefed about the mugging of an employee of the New York Blood Service in New York on 7 February and the subsequent theft of CDs containing details of 170,000 Irish blood donors. The loss has been described as “sloppy”.

- The San Francisco Chronicle reported on January 17th that a back-up tape belonging to GE Money containing personal credit card information on about 650,000 customers of J.C. Penney and up to 100 other retailers went missing while in the care of data storage specialists Iron Mountain.

- In January a healthcare media subsidiary of CBS News reported that a medical doctor at a US fertility clinic had lost a flash drive containing sensitive personal details of over 3,000 patients.

- On the 29 January the Georgetown University newspaper reported that a hard drive containing the Social Security numbers of nearly 40,000 Georgetown students, alumni, faculty and staff was reported stolen from the office of Student Affairs on Jan. 3, potentially exposing thousands of students to identity theft.

Companies that fail to address this fast-growing problem, and fail to apportion responsibilities for data security, risk being named and shamed on the website http://attrition.org/dataloss/. And the website will prove to be a useful investigative tool for those whishing to litigate against, or prosecute, organisations for data loss.

Is this an IT staff issue, or should responsibility rest with line management? And what are security managers doing about protecting their companies against this insidious reputation exposure from what is, after all, common theft?

For an easy-to-follow feature on the pros and cons of data encryption, click here.

Help Wanted!

Message From Angus D.I. Darroch-Warren

Dear All

I am currently studying for my MSc in Security Management at Loughborough University and I am undertaking research into the impact of the UK Privacy Laws on the private investigation process. As part of my research I have compiled an online questionnaire/survey pertinent to those that conduct investigations in the commercial sector.

As with all research, the larger the sample size, the more valid the results will be and I hope you will be amenable to disseminating the questionnaire to other contacts who might be interested in participating. Completion of the questionnaire should only take +/- 10 minutes.

The following link will take respondents to the questionnaire:
http://www.surveymonkey.com/s.aspx?sm=ur4QFL7UkfGLoyZLm2_2bL9g_3d_3d
(Alternatively, the link can be copied and pasted into a web browser)

The survey will be open for responses until March 21 2008.

Upon completion of the project I would be happy to share with you my results, which I hope will contain significant outcomes that will be of benefit to the security industry as a whole.
If you have any questions, please do not hesitate to make contact with me.

Is It Unethical to Use Your Business Travel Airmiles for Personal and Family Use?

UK Speaker of the House of Commons is coming under sustained criticism for using airmiles, accumulated on official travel, for personal family travel.

http://www.timesonline.co.uk/tol/news/politics/article3386821.ece

The use of business-accumulated airmiles for personal use was discussed by delegates during the Fraud Risk Management session of Security Management Stage 2, currently taking place in Kuala Lumpur. There was a general consensus that the use of airmiles for personal use was acceptable provided:

1. It was clearly stated in terms and conditions or company ethical standards to whom the airmiles were “transferable”, eg close family members?

2. There was a centralised system for booking air flights which could not be influenced by business travellers to gain an airmiles advantage.

The group was less receptive to the idea of employees accepting for personal use loyalty points from business suppliers.

Rise of the Cyberdoormen!

Cyberdoorman is a technologically advanced security system that will revolutionize the way we look at security for apartment buildings and complexes in the 21st century. Not only is Cyberdoorman a cost-effective way to fully protect your building from the threats of intruders and fire, it is also a way to provide security while eliminating human error.

Read about this new concept at the following link:

http://news.bbc.co.uk/1/hi/programmes/click_online/7244445.stm

Specifying CCTV Storage Systems

In recent years, the physical security industry has seen more changes than just about any other time in modern memory. Digital or IP (Internet Protocol) cameras, based on CCD technology, have replaced more familiar analog surveillance cameras in most new installations. And to support them, DVRs (Digital Video Recorders) have virtually eliminated the use of tape and VCRs.

Combined, these two IP technologies have opened the way for the physical security industry to dramatically improve video surveillance and other common applications while greatly reducing costs and increasing service levels.

The benefits of scalable, open IP architecture for CCTV systems far outweigh the problems. Most IP storage problems in DVRs (the weakest component) can be either fully eliminated or the risk mitigated with the application of basic techniques and strategies that are common in the IT industry.

One way to avoid data losses is to use RAID technology, either built into the DVR system or added on as an external IP storage array. But what is the difference and what are the relative benefits and drawbacks of RAID 1, 2, 3, 4, 5 & 6? According to IP CCTV specialist Jeff Whitney you should only be specifying Raid 5 for CCTV systems. Read why here.

The ARC Specifying Security Technology Course, 21-25 July 2008, addresses the specification of CCTV, and other physical security systems, and the application of latest security technologies. For more details, contact David.

More than 1% of Google Search Results Contain Malware, Threatening the Integrity of Your System's Data. 180,000 – the Number of "Attacker" Sites

Web browsing and searching are becoming increasingly risky activities, according to a report recently published by Google. "In the past few months, more than 1% of all search results contained at least one result that we believe to point to malicious content and the trend seems to be increasing," said Niels Provos, a security engineer at Google.

Provos said that in the year and a half since Google began tracking malicious Web pages, the company has found more than 3 million unique URLs on more than 180,000 web sites that attempt to install malware on visitors' computers.

A white paper co-authored by a Google technician and two Johns Hopkins University computer scientists describes the increasing impact of "drive-by downloads," the exploitation of web browser vulnerabilities to download and run malware automatically on the computers of web site visitors.

For more in this click here.

BCI Publishes New Guidelines on Business Continuity Management Best Practice

Picture: Delegates attending ARC’s Business Continuity and Crisis Management Workshop at the landmark Burj Al-Arab Hotel, Dubai.

Business Continuity Management is an holistic management process that identifies potentialimpacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.

.

BCM aims to improve an organisation’s resilience. By identifying, in advance, the potentialimpacts of a wide variety of sudden disruptions to the organisation’s ability to succeed it is able to prioritise the efforts of various other specialists aiming to achieve resilience in their areas of expertise such as security, facilities and IT.

BCM must be owned and fully integrated into the organisation as an embedded management process. Source: BCI

.

These and other key principles of BCM have been discussed by delegates attending Day 3 of the Business Continuity and Crisis Management Workshop in Dubai, delivered by Phil Wood MBE. The Business Continuity Institute has recently published its 2008-updated BCM Good Practice Guidelines, which can be accessed by clicking here.

ARC Creates a Crisis in Dubai!

The second day of the three-day Business Continuity and Crisis Management open course being held at the world-famous Burj Al-Arab Hotel in Dubai has seen participants role play in a simulated fast-paced crisis management exercise. The scenario is based on a multinational company with global operations, which faces a compound crisis situation. Delegates working in syndicates representing crisis management teams are pressured to make instant decisions to a range of inputs, and their responses are analysed in a subsequent debriefing session. The course concludes tomorrow with a day-long workshop on Business Continuity Management.

Delegates from a wide range of companies and organisations, including government agencies, are attending the course, which is being led by Phil Wood MBE.

Great Security Minds Gather in Kuala Lumpur

Delegates from the UK, Malaysia, Korea, Bangladesh, China, Hong Kong, Nigeria, South Africa, The United Arab Emirates, Pakistan and India have assembled in the Malaysian capital, Kuala Lumpur for ARC Training’s first ever open course in SE Asia - the postgraduate-level, university-accredited Security Management Stage 2 Course.

Day 1 of the course, delivered by David Cresswell, has included a detailed study of the latest trends in security risk management. The two-week course continues tomorrow with an interactive day-long workshop on how to better integrate security management into day-to-day business activities.

All of the delegates are highly experienced and capable security managers, whose interaction and contributions add great value to the learning experience.

Further Security Management Stages 1 and 3 courses are planned for the region. Contact David for details.

ARC Training’s Security Management Consultancy Services

Taking the same international security management best practice taught on our courses, ARC is currently conducting consultancy projects for a number of clients. Some examples of what we can offer you directly:

- Full site security surveys
- Security risk assessments
- Security audits of your security management system
- Writing your procedures or assignment instructions
- Writing your security manual
- Writing plans for specific contingencies
- Security consultancy for special events
- Security workshops with your top management team
- Crisis management exercises
- Business continuity audits
- Systems installation project management
- On-site security management and team coaching
- Penetration testing
- Bomb countermeasures audits
- Confidential investigations
- Evacuation contingency planning
- Maritime security consultancy, surveying and audits
- Security awareness programmes

For all of the above we will always offer you a CPP-certified security consultant, experienced in security work with many sectors of business and industry both within the UK and internationally, and you will be pleasantly surprised by our consultancy charges!

Some examples of what we can also offer you via our specialist partners:

- Tender document preparation for security services
- Security systems installation design (access control, CCTV etc)
- Information breach investigations
- Forensic IT investigations
- Fraud investigations

For further information contact Phillip Wood MBE

Don’t Open Attached MS Word Documents Unless You are ABSOLTELY Confident about the Authenticity of the Sender

Addressing the recent ASIS Asia Pacific Security Conference in Singapore, IT Fraud expert Jon MacDowall gave a live demonstration of how opening an MS Word file from an unknown source can compromise an entire hard drive:

“If you bear with me for just a moment I want show you what a fraudster can do with some access. What you’re going to see here is basically two personas. The first is an employee of any of our businesses shall we say, and the second will be a fraudster. In this particular case our employee receives an email with a word document, and she’s asked to review the document and get back to the sender. Happens quite a bit in our environment, wouldn’t you agree? We all get word documents on a regular basis. In this particular case she’s an excellent corporate citizen, she’s actually going to right click on the document and run a virus scan before she opens it – we all do that, right? Nobody does that right? Nobody actually runs virus scans before they open them. But what I want to show you according to the antivirus provider here there are twenty seven sub files found within the word document, zero detections, zero cleans, zero quarantines, zero deletions. In other words according to the antivirus provider this is a clean document. It seems OK for her to open it………

Now, acknowledging that nobody really takes the time to run a virus scan before we open documents, she’s done her job. She’s been asked to review the document and that’s exactly what she does. What she doesn’t realise is that right then, when she opens that word document, malicious code has been deposited on her computer. You don’t see the anti-virus program reacting and that’s typical, what we have, what we’re seeing on a regular basis is that 83/86% of these malicious codes are escaping detection by antivirus programs. The majority of them are not being detected.

So now you see with a free program, one of dozens of programs available on the internet for would be hackers, fraudsters. I want to show you what now this fraudster does as far as capabilities. He’s going to enable his remote screen capture capability. He can see the document that our employee is working on in real time. He’s going to enable his keystroke logger, we’re going to talk a little bit more about that in just a moment. Please watch this area closely because it happens very quickly. You saw him click and what he clicked on was an icon that said ‘dip drives’. And then he clicked another button to confirm it and then you saw his file store there in that list. What you actually saw happen was from the victim’s machine the hacker copied all of the files off of her C drive onto his computer. Now he has those files and they’re accessible to him at a later time if he wants to come back and go through those."

Under no circumstances should MS Word files from unknown sources be opened. Recently, there have been circular emails purporting to come from well-know oil companies recruiting for staff. These emails have attached MS Word files. The possibility that opening the attachments may deposit spyware on your PC and compromise the contents of you hard drive cannot be discounted. If you have opened such an attachment you disconnect your computer from the internet and seek immediate expert. Do not reconnect until you are satisfied that your computer has not been compromised by spyware.

The Threat from Home-Grown Terrorism

Speaking at the ASIS Asia Pacific Security Conference in Singapore last week, Dr Rohan Gunaratna warned of the threat from home grown groups in SE Asia who seek inspiration and know-how from the internet, rather than gaining front-line combat experience.

In the UK the picture is somewhat more complicated, if reports in the UK newspapers The Metro and The Sun can be relied upon. Quoting an unnamed RAF source, the newspapers claim that British regional accents have been detected in communications emanating from Taliban positions in Afghanistan’s Helmand Province. For further details on the story click below:

http://www.metro.co.uk/news/world/article.html?in_article_id=98358&in_page_id=64

And it appears much of the insurgency know-how being obtained on the battlefields of Afghanistan is being transferred back to the UK. A February 2007 report in the Daily Telegraph alleged that UK security forces are foiling terror plots in the UK at the rate of one every six weeks:

http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/02/04/nterr04.xml

Imminent Threat of Deadly Nuclear Material Falling into Terrorists' Hands Warns UN

The Los Angeles Times reports that the United Nations nuclear watchdog is now painting a singularly bleak vision of a world ‘in disarray’, warning that the most imminent threat is not a new nation joining the nuclear club, but deadly material falling into the hands of extremists.

The International Atomic Energy Agency chief Mohamed El Baradei warned of the danger of nuclear material falling into the hands of extremist groups, nurtured on ‘anger, humiliation and desperation’ in the Middle East or elsewhere.

He said the IAEA each year is handling 150 cases of illicit trafficking of nuclear material. Some material that is reported stolen is never recovered, he said, and conversely, “a lot of the material recovered has never been reported stolen.

Meanwhile, two employees of Pakistan's atomic energy agency have been abducted in the country's restive north-western region abutting the Afghan border, according to Pakistani police sources.

Terrorism and Chemical Security

The US DHS has identified three security issues related to chemicals:

Release—Toxic, flammable, or explosive chemicals or materials that, if released from a facility, have the potential for significant adverse consequences for human life or health.
Theft or Diversion—Chemicals or materials that, if stolen or diverted, have the potential to be misused as weapons or easily converted into weapons using simple chemistry, equipment or techniques, in order to create significant adverse consequences for human life or health.
Sabotage or Contamination —Chemicals or materials that, if mixed with readily available materials, have the potential to create significant adverse consequences for human life or health.

Guidance on chemical security and threshold limits can be found on the following link:

http://www.dhs.gov/xprevprot/programs/gc_1185909570187.shtm

Recently, the Associated Press obtained a NYPD video detailing how investigators set up a fake company that bought 300 pounds of chlorine and had it delivered to Brooklyn with little hassle or human interaction. Investigators say the operation proves there are few barriers to buying liquid chlorine and using it as a deadly gas by exposing it to air. New York City hasn't experienced a specific terror threat involving chemicals, but police recently put more emphasis on screening shipments of chlorine after learning it's now favoured in homemade bombs in Iraq.

ARC Takes Business Continuity Management Training to Africa, Middle East and South East Asia

Disaster recovery and business continuity planning are processes that help organizations prepare for disruptive events - whether an event might be a hurricane or simply a power outage caused by an accident. The security manager's involvement in this process can range from overseeing the plan, to providing input and support, to putting the plan into action during an emergency.

ARC is this year seeing much greater interest in training in business continuity planning. In January, David Cresswell delivered a one-day BCP workshop to oil and gas delegates in Lagos, Nigeria. In an environment where power cuts are a normal feature of life, alongside other regular disruptions, business continuity needs to be imaginative.

On Sunday 17th February Phil Wood MBE will begin a three-day Crisis and Business Continuity programme in Dubai for delegates from a wide range of Arabian Gulf countries.

And on Monday 25th February David will lead a one day BCP workshop in Kuala Lumpur for delegates representing a range of business sectors.

If you have an in-house business continuity management or crisis management training requirement, contact Phil Wood MBE.

Mounting IT Threats Resulting in Mounting Losses – 2007 Computer Crime and Security Survey Reports Significant Upswing in Cybercrime

The 2007 Computer Security Institute (in association with the FBI) Computer Crime and Security Survey is available from the following site:

http://www.gocsi.com/

If you would rather not submit your contact details, contact David for a copy.

The survey begins with an ominous warning:

For the past five years, this survey - perhaps the most widely quoted set of statistics in the industry - has shown a drop in average estimated losses due to cybercrime. This year, however, the tide has turned and respondents have reported a significant upswing.

Though it’s wrong to project a trend from a single year’s results, and particularly from an informal survey such as this one, there is nevertheless a strong suggestion in this year’s results that mounting threats are beginning to materialize as mounting losses.

CCTV Cameras and Access Card Readers Take Power from Ethernet

Power over Ethernet (PoE) is a technology for wired Ethernet LANs (local area networks) that allows devices such as low power CCTV cameras, access control mechanisms etc. to take their electric current directly from a CAT 5e Ethernet cable.

An increasing number of PoE compliant devices are being offered by security vendors. A number of “legacy” devices may sometime also be connected in to a PoE network, by means of a component called a picker or tap, which must be installed to remove the current from the cable. This "picked-off" current is routed to the power jack of the device.

Although the IEEE has a PoE standard called IEEE 802.3af - stipulating 48 Volts DC - in practice different equipment vendors use different PoE voltages and CAT5 pin configurations to provide the DC power. Therefore, great care must be taken in specifying.

The following weblinks provide more information:

http://www.hyperlinktech.com/web/what_is_poe.php
www.poweroverethernet.com/
http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci846792,00.html
http://en.wikipedia.org/wiki/Power_over_Ethernet

PoE is addressed during the Integrating and Specifying Security Technology session in Security Management Stage 2. A more detailed examination of this new protocol takes place during Specifying Security Technology, 21-25 July 2008. Contact Janet for details.

This Qualification Would Make Me Stand out from the Crowd

“(Throughout the study programme) I held onto the fact that this qualification would make me stand out from the crowd and be the only one in my field in my organisation with a specialist qualification.”

Successful PSP Candidate from Major UK Bank, 2007

The PSP (Physical Security Professional) qualification is an ASIS certification designed to enhance your ability and demonstrate your competence in specifying physical security systems, and overseeing the installation project. The programme is ideal for those whose job requires them to procure physical security systems for their organisation.

The syllabus is very detailed and is broken down into three domains:

Domain I: Physical Security Assessment

- Identify assets to determine their value loss impact and criticality.
- Assess the nature of the threats so that the scope of the problem can be determined.
- Conduct a physical security survey in order to identify the vulnerabilities of the organization.

Domain II: Application, Design and Integration of Physical Security Systems

- Establishing security system requirements and performance specifications
- Apply Physical Security Measures and Select Appropriate System Components.
- System Design and Integration and Recommendations

Domain III: Implementation of Physical Security Measures

- Outline criteria for pre-bid meeting to ensure comprehensiveness and appropriateness of implementation.
- Procure system and implement recommended solutions to solve problems identified.
- Conduct final acceptance testing and implement/provide procedures for ongoing monitoring and evaluation of the measures.

The next UK examination takes place on 3 November. For details on how to prepare for this very worthwhile internationally-recognised qualification contact David.

How Criminals Steal Your Information

"Half of all identity fraud is committed by friends, family members, relatives, employees, and live-in caregivers with access to privileged information. Information such as personnel records, payroll information, insurance files, account numbers, or sales records can be great help to crooks. "

This, and other sources of ID theft, can be found by clicking on the following link:

http://www.identitytheftassistance.org/How_Criminals_Steal.html

Sample Template for a Business Emergency Plan

A sample 7-page template for a business emergency plan. Not adequate to meet the needs of a major multinational company but an ideal "business continuity capability assurance" adjunct for a contract with any critical supplier.

This and other useful templates, posters, advice etc can be downloaded from http://www.ready.gov/, a US site dedicated to emergency preparedness.

Right click here to download the plan directly.

World-Famous Authority on Al-Qaeda Dr Rohan Gunaratna Briefs Security Managers on Latest Thinking in Combating International Terrorism

Dr Rohan Gunaratna, world-famous authority on Al-Qaeda, was one of the keynote speakers at the recent ASIS International Asia Pacific Conference. Addressing 300 security managers from almost 40 different countries, Dr Gunaratna used this opportunity to deliver the following key messages:

1. The threat of terrorism against Europe and the US has increased “very significantly” since the shifting of the international terrorism “epicentre” from Afghanistan to Iraq.

2. The desire to inflict mass-fatality attacks. “Today the groups are discussing and talking about conducting catastrophic terrorist attacks.”

3. Today terrorists are interested in using chemical, biological, radiological devices - and poisons. This, and other changes such as greater networking with “local” groups, are likely to change the landscape of terrorism in the next five years.

4. The propaganda war is heating up. Al Sahab, the propaganda arm of Al Qaeda, last year released 97 videos, up from 42 in 2006 and just 1 in 2001. According to Ayman al-Zawahri himself, the principle architect of the global AQ movement, 90% of the “war” is being fought in the media.

Dr Gunaratna offered the following strategy for defeating international terrorism:

- Anti-terrorism – the protection of infrastructure and people.

- Operational counter-terrorism - Catch, kill, and disrupt terrorist operations.

- Profiling – identifying out-of-the-ordinary purchases, which could be an indication of explosives-making components, and out-of-the-ordinary behaviour.

- Root cause treatment - Rehabilitation of detainees, community engagement, and focus on delivering the true, peaceful, messages of the Holy Quran.

For a more detailed written account of the presentation contact David.

ASIS Asia Pacific Conference in Singapore - Thank-You

David and Janet would like to thank the many visitors to the ARC Training stand at the recent ASIS International Asia-Pacific Security Conference in Singapore. It was a great pleasure to meet so many new faces and to reacquaint ourselves with some of the older ones as well!

The conference attracted over 300 visitors from 38 different countries and was a great success. The topics delivered were truly international in character and their appeal and relevance extended far beyond security practice in the AP region.

The next ASIS International Asia-Pacific Security Conference will take place in Hong Kong, February 3-5, 2009. We look forward to seeing you there!

Forthcoming Security Management Training

Security risk management, security design and implementation, introduction to security surveying, physical and electronic security, access control, intrusion detection systems, CCTV, lighting, manpower selection and leadership, procedures and emergencies, information security, IT security, investigations, protection against explosive devices, protection of at-risk personnel.

These are the core security management subjects addressed in the forthcoming fast-paced Security Coordination and Management Course, 25-29 February 2008, conducted by ARC Training in the UK and delivered by Phil Wood MBE.

The course is designed for multi-tasked managers and security managers unable to attend the university-accredited Security Management Stage 1 Course. The Security Coordination and Management Course is accredited by Skills for Security, the Skills and Standards setting body for the security business sector.

For registration details email Nicky.

Crisis Management and Business Continuity Training in Dubai

The world-famous Burj Al-Arab is the venue for the three-day Crisis and Business Continuity Workshop, 17-19 February 2008, delivered by ARC Training’s Phil Wood MBE in association with Precept.

This programme, details of which can be found by clicking here, is now at full capacity, but there are plans to conduct similar training in the future; for more information contact Precept.

UK Companies Failing to Protect Staff Abroad Face Litigation, Warns ArmorGroup

UK employees are in danger from inadequate risk management procedures, warns security company ArmorGroup International, in a feature published on the Strategic Risk website. Click here for the full story.

Almost one in ten (9%) UK-based companies fail to insure their employees and other critical company assets when they are deployed abroad, according to new research by Armorgroup. The security provider also reveals that the majority of these companies do not provide insurance cover abroad, with only a fraction (3%) doing so in high risk regions such as Iraq and Afghanistan.

ArmorGroup warns senior company executives that this lack of adequate insurance cover is a glaring example of companies’ failure to properly address the critical issue of duty of care to their employees and could leave them open to litigation as a result. ArmorGroup believes that this failure is due in part to the fact that around one in five (19%) companies has absolutely no risk management programme in place.

The sectors least likely to insure staff or assets abroad are transport/storage and construction firms, with just a third doing so compared to manufacturing firms who tend to make adequate arrangements.

Recommended Security Measures for Construction Sites as Equipment Thefts Rise

In the UK about £1 million worth of construction equipment goes missing from construction sites every week, according to Norwich Union. Businesses also face continuity problems because of the long lead times involved in replacing stolen specialist machinery.

With less than 5% of stolen items ever recovered and low levels of prosecutions by the police, plant theft is regarded as a low risk opportunity for the criminals involved.

Norwich Union recommends marking all equipment and machinery under the CESAR, (Construction Equipment Security and Registration) scheme. The scheme includes various levels of markings for the equipment, from highly visible six-character triangular registration plates, down to multiple covert markings and hidden transponders.

Physical security measures include immobilisers for any driven item and mechanical devices such as boom locks, arm locks or leg locks on machinery can also be a good deterrent. Tracking devices can also be used and although they do not prevent the item being stolen, it will certainly increase the chance of recovery.

Whilst walls or fences surrounding the site are a must, employing security guards or having monitored CCTV with the back up of a police response is also recommended. Where possible, valuable items should be stored within a building or a purpose built storage facility, and this should also have security measures in place.

For more information on the CESAR scheme click here.

For an informative paper on construction site security measures click here.

For an example of a construction site GPS tracking system click here.

Are You Doing Enough to Protect Your Company’s Bottom Line against Fallout from ID Theft? Laptops with P2P a Key Exposure

Data security breaches will grow in importance as a business issue, reports 2008 ITAC Report on ID theft.

Fall out from the TJX Companies, Inc. data breach, in which 45.6 million credit and debit card numbers were stolen from one of the company’s systems, continued throughout 2007, according to the Washington-based non-profit Identity Theft Assistance Center. This is a stark reminder of how information security can impact a company’s bottom line.

According to Ernst & Young's 10th annual Global Information Security Survey, 64 percent of the senior executives they surveyed said legal compliance was the top driver for security, followed by 58 percent who identified privacy and data protection as security’s number driver.

In September last year over 5,000 social security numbers and other personal information on customers of a bank were exposed over a P2P file sharing network. A former business analyst joined a file sharing network where people trade music and video. Work-related information that she had downloaded onto her personal computer was inadvertently shared.In June over 17,000 social security numbers of current and former employees of a company were exposed by a laptop owned and used by an employee. The employee's spouse used a P2P file sharing program and inadvertently shared documents containing the personal information.

For more on the ITAC story click below:

http://www.strategicrisk.co.uk/story.asp?storycode=368850
http://www.identitytheftassistance.org/

More Warnings over Bluetooth Insecurity

Bluetooth wireless phone headsets can be intercepted by simple off-the-shelf radio scanners unless they are encrypted. For a few dollars would-be buggists can purchase a commercial scanner capable of monitoring frequencies in the 900 MHz and 1.2 GHz ranges, which is where many of the popular hands-free headsets operate.

Not only are the phone conversations susceptible to intercept, but sometimes, when the other party has hung up, the wireless connection remains open and you can hear what (the party at the intercepted end) is saying afterwards. Off the shelf scanners can have a range of up to 200m. More sophisticated scanners can intercept at ranges of up to 2km. And with software programs like Bluescanner a complete user profile can be completed.

At present, most off-the-shelf headsets do not incorporate encryption, and the simple pairing code does not provide any defence against intercept.

Smarter companies are likely to have adopted encryption, reports United Press International, giving as an example the large pharmaceutical companies, which use encryption even for internal presentations employing wireless microphones. But according to the UPI report most companies seem unaware of the risks or are ignoring them, on the assumption that the communications are not being intercepted.

Click here for more.

IT Threats – 2008 Is about to Get a Whole Lot Worse Warns Vice Chairman of the ASIS Economic Crime Forum

For too many years companies have relied too heavily on their IT departments to protect them from harm, and have been lulled into a false sense of security. From 2008 things are about to get a whole lot worse.

Delegates attending this week's ASIS International Asia Pacific Security Conference in Singapore listened to IT security expert and Vice Chairman of the ASIS Economic Crime Forum, Jon McDowall, explain how, with just a simple click onto a MS Word file attached to an email from an unknown source, the contents of an entire C drive, or worse still a network drive, can be remotely copied by an internet user thousands of miles away.

Not only will this intrusion not be stopped by a firewall, anti-virus software or anti-spyware software, but the data transfer activity will most likely not flag up as abnormal activity, and you will never know that your most secret or personal data is in the hands of an adversary, competitor, fraudster or ID thief.

How do your adversaries get hold of this spying software? It’s freely available on the internet, and no special skills are required in order to use it.

A cause for concern? An understatement, suggests McDowall!

The solution? 2008 must see companies intensify their education of all IT users against social-engineering threats such as these. If you are holding another company’s sensitive data and one of your employees is tricked into opening a “malware-seeded” MS word file from an unknown source – and the sensitive data is compromised – you should prepare to be sued, and possibly named and shamed.

By attending programmes such as ARC’s Information and IT Security Seminars, you will be made aware of threats such as these, and many others. Ignorance is no defence if the worst happens!

Seminar dates for 2008 are:

7 April, 11 August, 24 November

Seminars are also available in-house, on request.

Exclusive: Children as Young as 4 Being Trained in Europe to Combat Al-Qaeda

According to official US and Iraqi sources, videotapes seized during US raids on suspected al Qaeda in Iraq hide-outs this month show the group training young boys to kidnap and assassinate civilians.

Paradoxically, the ARC blog has learnt that since 2003 children as young as 4 in Western Europe have been undergoing training in the fundamentals of security. Playmobil, world-famous manufacturer of toys designed to stimulate young brains, has produced an airport security checkpoint. Demand for the toy (possibly from bored security guards on long night shits) has outstripped supply and it is now on the “Collectobil” list!

The following is a genuine customer review, which can be found on the Amazon web site.

I was a little disappointed when I first bought this item, because the functionality is limited. My 5-year old son pointed out that the passenger's shoes cannot be removed. Then, we placed a deadly fingernail file underneath the passenger's scarf, and neither the detector doorway nor the security wand picked it up. My son said "that's the worst security ever!". But it turned out to be okay, because when the passenger got on the Playmobil B757 and tried to hijack it, she was mobbed by a couple of other heroic passengers, who only sustained minor injuries in the scuffle, which were treated at the Playmobil Hospital. The best thing about this product is that it teaches kids about the realities of living in a high-surveillance society. My son said he wants the Playmobil Neighbourhood Surveillance System set for Christmas.

Edinburgh ASIS Breakfast Briefing

Phil Wood continued his globetrotting "evangelism campaign" in February at the ASIS Chapter 208 Breakfast Briefing in Edinburgh.

The briefing was held at Royal Bank of Scotland’s superb headquarters complex and was attended by some 25 security and management professionals from across the region. Phil discussed ‘The Power of Certification’, stressing the value of the CPP™ and PSP™ to security professionals in the corporate environment. Further such briefings and meetings are planned in the future and information will be available on the ASIS UK Chapter website, accessible through this link.

Meanwhile, David Cresswell (who obviously gets to choose who goes where) was delivering a similar message about the power of certification in Singapore! More to follow.

ARC and Skills for Security Advancing Security Operations

ARC and Skills for Security have teamed up to produce a new training programme for security supervisors. The level 3 course, Advanced Security Operations, is designed to provide comprehensive training in core security management skills, health and safety and legal and liaison issues.

Advanced Security Operations’ syllabus will be linked closely to the forthcoming issue of National Occupational Standards in Security Management and will be available to organizations and individuals in various formats. Launch will be in May 2008 – watch this space for details about issue dates and availability.

IT Risks Mythunderstandings

One of the problems with managing IT security is that many organisations believe that they are protected when that may not be the case. Many still misunderstand the basics of protecting systems and to illustrate this Symantec have produced a report on the Four Myths of IT Risk Management. These fundamental myths are:

- The myth that IT risk management is focused only on IT security;

- The myth that IT risk management is project driven;

- The myth that technology alone can manage IT risk;

- The myth that IT risk management has already become a formal discipline.

Symantec’s report analyses and exposes the security gaps that belief in the myths can cause and underlines the importance of understanding IT vulnerabilities and convergence (which is covered in depth in a range of ARC’s 2008 courses). If you want to know more this link takes you to the report:

http://www.symantec.com/business/theme.jsp?themeid=itrisk_report

The Symantec site also has a three-part podcast concerning the report available to download.

Hints When Specifying Access Control Systems

Layered security – contactless smart cards – the perils of using CSN readers – Wiegand, RS485, F/2F and TCP/IP protocols – conduit-protected wiring – avoiding swap-out readers – use of security screws for readers – anti-pass back – tamper detection – real-time integrity monitoring – geographic monitoring – use of keypads – use of proprietary card formats – card holograms.....

These are all issues discussed in an excellent article written by HID's Michael L Davis, which can be found in December’s issue of the India Safe security magazine. To read this article, click here.

The basics of access control are covered in Security Management Stage 1, 31 March – 11 April 2008. Electronic access control systems are discussed in more technical detail during the Specifying Security Technology Course, 21-25 July 2008.

For details contact Janet.

Oil Rig Security in the Media Spotlight

Following a highly unusual bomb alert last week on an oil workers' accommodation platform used by a joint venture in the North Sea - and the subsequent evacuation costing $2 million - the media discusses oil rig security. For more, click here.

For more on the incident which has promted the debate, click here and here.

Travelling to the US from the UK?

Following a Monday meeting between the US Homeland Security Secretary and the UK Home Secretary, both governments are confident that the visa waiver programme for Britons entering the US can be mainlined, subject to closer advance scrutiny of air passengers.

For the full story click here.

Pipeline Security and Community Partnering

In a measure to increase pipeline security and avoid disasters such as the explosion which killed 60 people in Victoria Island State, The Nigerian Government announced in December it would henceforth award contracts for the protection of petroleum pipelines across the country to communities hosting the pipelines, in effect making them an extension of the owners of the pipelines.

Community partnering has been a long-established pillar of pipeline management. If you are in the oil and gas industry – and known to ARC – please contact us for a useful guideline on pipeline security containing advice on community partnering.

US Efforts to Avert Homeland Nuclear Terrorism

US federal scientists play a large role in protecting the United States from a nuclear attack, routinely being placed in the field in an effort to find and disarm nuclear weapons, reports Security Management daily citing the Los Angeles Times.

About every three days, unknown to most Americans, an elite team of federal scientists hits the streets in the fight against nuclear terrorism. And scientists fly in helicopters containing radiation detectors that search for signs of nuclear weapons and walk around major sporting events with instruments that can identify enriched uranium or plutonium. Although they have not uncovered any terrorist plots, experts say that they could be the last line of defense against a nuclear attack. Since 2001, the Energy Department's National Nuclear Security Administration has created 26 rapid-response teams designed to locate and defuse armed nuclear explosives.

In the meantime, the United States is retrieving and locking down nuclear fuels abroad, has created a line of radiation detectors at foreign and domestic ports, and has increased intelligence efforts.

For more on this story, click here.

RFID Could Be Used By Terrorists to Remotely Detonate IEDs, Experiment Finds

Security Management daily reports that technology designed to track shipping containers could make ports more vulnerable to a terrorist attack, according to a study conducted by private security firm Powers International.

Radio frequency identification (RFID) technology is used in a variety of ways, including in retail anti-theft systems and to collect highway tolls. However, it has also been described as a way to make ports safer by giving officials the ability to track the contents of shipping containers from suppliers to delivery.

The Powers International study illustrated a flaw in the system that could allow terrorists to easily set off explosives hidden in a container. The RFID system includes an electronic tag, which is activated using a radio signal. In November 2007, a detonator used an RFID reader signal to detonate a small explosive placed in an empty container.

For more, click here.

Predicting the Main Internet Threats for 2008 - How Safe Is It to Click on the Keyboard?

Internet security company BitDefender has identified mobile malware, botnets, phishing and identify theft as the main IT threats for 2008. Defending against this virtual onslaught requires a joined-up approach between security managers, IT staff and users, especially those who use PDAs, laptops or who dial in from home PCs.

In summary the key threats are:

- Targeted expoits of malware and money driven actions (because of a significant rise in organised criminal activity on the internet).

- Attempts to target private databases, financial information and internet banking details. The use of SSL authentication by phishing websites to get the 'lock icon' look in the victim's browser is expected to increase.

- An increase in filter-circumventing spam.

- Mobile devices, largely because connectivity via channels like Wi-Fi, GPRS and Bluetooth will continue to allow opportunities for malware applications to steal sensitive data.

- Botnets, which remotely take control of computers. Would you know if your home PC was already a victim?

- Worms, Trojans and viruses. The new and improved backdoor Zlob Trojan is predicted to become one of the major threats over the next year.

The company warns that while traditional antivirus and other security providers are focused on protecting computer applications, today's biggest threats and most prominent emerging threats are targeted at the online lifestyle, employing subterfuge and social engineering to deceive users into becoming victims. For more click here.

IT Security is addressed in detail on Security Management Stages 1, 2 and 3. Forthcoming courses are as follows:

18-29 February 2008 – Security Management Stage 2 – Kuala Lumpur
31 March – 11 April – Security Management Stage 1 – UK
12 – 23 May - Security Management Stage 3 – UK

Last year ARC produced a comprehensive 40-page handout to enable security managers to better understand IT security. If you have previously attended any of Security Management Stages 1, 2 or 3, and wish to obtain a copy of this handout, contact David.

Security Guard Pulls of Crime off the Century in Prague

In a vivid example of what can happen if you don’t vet your security staff, especially after amalgamating with another company, a security guard at a cash counting depot in the Czech Republic Prague pulled off the crime of the century when he got away with 560 million Kč ($31.2 million) in used Czech Kroner notes.

The incident sent shockwaves through the professional security community in Prague.

For the full story, click here.

http://www.praguepost.com/articles/2007/12/05/record-heist-nets-half-a-billion-kc.php