Tuesday, November 6, 2007

Information Security Management - Social Engineering

Social engineering (SE) is the practice of obtaining confidential information by manipulating the legitimate holders of sensitive information. Often the attacker will try to convince the victim that they are in a formal position of authority, and they will trick the person into revealing sensitive information or carrying out an act which is contrary to the organisation’s policies.

Approaches can be made:

- By telephone
- Face to face
- Email (exploratory or spoofed – e.g. appearing to come from a colleague)
- By searching through waste
- Web searches
- Statutory company returns
- Online open information, such as CVs
- Advertising

The UK’s CPNI, formerly the National Infrastructure Security Co-ordination Centre, has some excellent background on SE, with explanations of the above categories of attack, and provides advice on how to reduce the risk of it happening to you. Click here to download a copy of their publication.

Physical Security Professional (ASIS PSP) Training

Following Peter Horsburgh’s recent Physical Security Professional Course to prepare candidates for the ASIS PSP examination, there have been so many accolades flooding in that the director of training’s email account is almost at capacity.

Peter was the first UK security management professional to become dual certified as PSP and CPP and has been successfully conducting PSP review programmes since the introduction of the qualification to the UK in 2003.

"The week was of huge benefit."

"I thoroughly enjoyed the time we spent together."

"The course was great, I learned so much in such a short space of time."

"Thanks for an excellent course and your company."

How can a group of people be so happy when it is still four weeks until publication of the results??

Contact Janet for details of how to join the 2008 study programme.

2007 CPP Examination in UK Attracts Record Number of Candidates

The record number of candidates who sat the CPP examination in the UK on 3 November has necessitated a restructuring of the CPP Review Programme. From 2008, there will be two examinations, one in May and the other in November.

The 2008 examinations will be on May 3, 2008 and November 1, 2008. Each examination will be preceded directly by a one-week condensed “crammer”-type course, for which a distance learning preparation programme will be available four months earlier.

Precise dates are as follows:

Examination 1/2008

Distance study begins: End January
Preparation programme: 28 April – 2 May
Examination: 3 May

Examination 2/2008

Distance study begins: End July
Preparation programme: 27 – 31 October
Examination: 1 November

For details on how to register, contact David or Janet. Upon registration and receipt of payment you will be sent a copy of the CPP Study Guide.

Please note that there is no change to the PSP certification schedule:

Distance study begins: End July
Preparation programme: 27 – 31 October
Examination: 1 November

The Mutation of the Illicit Trade Market

The connection between organized crime and the illicit trade market has undergone a mutation of sorts, to the extent that organized-crime entities have morphed from the traditional fixed hierarchies with controlling leaders or families to more decentralized, loosely linked, multiple networks that come together and cooperate only on an opportunistic basis and then separate.

Read on at:

Is the Person Who Says That He Is You Who He Says He Is?

We all know that Identity Fraud is a serious risk to anyone who uses electronic systems – or even has a credit card. Increasing vigilance and care in our dealings are essential to ensure integrity of personal information – as recently highlighted in the UK’s National ID Fraud Prevention Week, which sought to raise awareness of this multi-million dollar global criminal problem.

A handy guide has been produced to support the awareness campaign at the following link.
http://www.webitpr.com/writeitfiles/ProtectingYourIdentityAPracticalGuide.pdf

The document provides many examples of threats and prevention measures applicable to individuals and organisations in a simple, easy to understand format.

Aviation Security Management - Millimetre Wave Virtual Strip Searching

Whole-body millimetre wave scanners, being introduced at airports across the world, have the ability to virtually strip search passengers. For business class passengers travelling through Moscow’s Domodedovo airport there is no choice – you are ordered into the machine by two strict looking females who then proceed to probe your most intimate areas by computer, using clothes-penetrating rays. Expect this system at an airport near you soon!

For more details on millimetre-wave technology and airports, click on:

http://weblog.infoworld.com/zeroday/archives/2007/04/newest_airport.html

http://www.asmag.com/asm/common/article_detail.aspx?module=4&c=1&id=1713

http://www.cnn.com/2007/TRAVEL/10/11/airport.screening/

The American Civil Liberties Union has branded the scanner an "assault on the essential dignity of passengers that citizens in a free nation should not have to tolerate," claiming that the technology can pick up graphic body images and even medical details like whether a passenger has a colostomy bag.

Note: It is blog policy not to show naked pictures. If you want to see what the ladies operating the millimetre-wave machine at Domodedovo Airport can see, enter millimetre wave into Google images!

Preventing Terrorist Suicide Attacks

In his handbook for police officers entitled Preventing Terrorist Suicide Attacks, Michael Aman offers the following advice to law enforcement officers when approaching a suspected attacker:

- Form two engagement teams with two officers in each
- Attempt to corner the suicide bomber
- Do not be concerned with property damage, except flying glass
- Continuously shout verbal commands at the suicide bomber
- Do not make eye contact with the suicide bomber
- Remain behind cover when available and always maintain a distance of at least 15m
- Attempt to reinforce the suicide bomber’s hesitation by pointing out that his leaders will survive and escape, whereas he will die
- Order the suicide bomber to remove any clothing that might conceal an explosive device
- Order the suicide bomber to lie face down with his arms away from his body and hands palms up; wait for a bomb squad to disarm the bomber
- Never attempt to tackle a suicide bomber who is still armed with his explosive device

Of course, all this presumes that you have a weapon with which to "convey" your authority. Nevertheless, there are some potentially interesting points for security guards here, but a parallel concern for security guards should also be on immediately attempting to disperse the target, usually an assembly of people.

If you are a hotel security manager, in charge of security for restaurants, night clubs, sporting events, conferences, rock concerts etc, you should be discussing immediate response options and expectations with your security officers. By the time the attacker has joined the queue to go through security it will be too late!

Preventing Suicide Attacks is one of the subjects addressed in the Protection against Explosive Devices session on Security Management Stage 1 (19 – 30 November 2007). The session, which takes place on Monday 26th November, is also available as a one-day workshop. Contact Janet for details.