Thursday, July 31, 2008

Travelling by Plane – Are You Being Spied On?

A prototype surveillance system being tested by the European Union would place cameras inside the back of every passenger seat to track the facial expressions of travellers and catch would-be terrorists and unruly flyers on the brink of "air rage." Read on at:

http://blog.wired.com/27bstroke6/2008/05/spy-cams-in-pla.html

The surveillance system is part of Project SAFEE, an EU project whose baseline is past experience, which has demonstrated that hostile persons may pass through the different airport controls and security measures, access an aircraft, and even initiate hostile actions. There is therefore a need to secure the aircraft itself as the last barrier to attacks. The project is focused on the implementation of onboard threat detection systems and the provision of reliable threat information to the flight crew.

How to Catch Those Committing Fraud.....

The ARC Training weblinks page http://www.arc-tc.com/pages/resources_publications.asp#F contains links to some useful resources on Fraud. ARC Training will be conducting a new Fraud Investigation Course, 1–3 December, led by former senior police investigators in fraud. With fraud one of the biggest drains on precious company finances, and with most of those who commit fraud – especially employees – going undetected, this course will help you identify where fraud might be taking place in your organisation, typical perpetrators, and how to investigate. For details, contact Janet.

Extra Security at Train Stations amid Terror Attack Fears

Source: Telegraph.co.uk

Teams of police with sniffer dogs and bomb detecting equipment are now patrolling the rail network amid fears over a transport system terror plot. The move will see passengers facing tighter checks at a number of stations around the country. Police will also use their powers under the Terrorism Act to stop and search anyone who arouses suspicion. The latest development will see dogs capable of sniffing out explosives wandering among passengers at some of the country's busiest stations.

Tuesday, July 29, 2008

Ways Used by the “Enemy” to Get at Your Company’s Most Sensitive Data

Source: ASIS International

The greatest threat to a business' network security is its staff. Employees frequently click on email attachments, which hackers use to infiltrate the corporate network. In addition, USB thumb drives handed out to employees at trade conferences are often embedded with keylogger software and additional viruses. The December 2007 Microsoft Security Intelligence Report stated that the number of trojan downloaders and droppers rose by 300 percent during 2007's second half. The report discovered that malicious software is the favorite tool among criminals for targeting computers.

For more resources on Information Security click on the link below:

Bribing the Police - Business Principles

Surveys consistently indicate that as many as 90% of locals have been forced to pay bribes to police and other government officials in various countries around the globe. The situation is most acute with traffic police.

It is standard policy in multinational businesses to expressly forbid the payment of bribes. This is not just on ethical grounds, but may also be against the law of the home country. But this should be balanced with a company’s statutory duty of care to protect employees from potential sources of harm. What if the police threaten violence? Recently, for example, a bus driver in Nigeria was beaten to death by traffic police at a checkpoint for refusing to pay a bribe.

If employees are required as part of their business to travel by road in countries where bribe paying to police is common practice, the risks of refusal to pay should be a consideration in the journey management security risk assessment. For business travellers, often an "official" letter from an influential host in the local language may solve the problem.

Transparency International, in collaboration with a number of leading companies, such as BP, Shell, HSBC, Tata, PwC and others, has produced a useful corporate guide entitled Business Principles for Countering Bribery.

The guide can be accessed at the following link:

www.transparency.org/content/download/29197/443933/file/BusinessPrinciples_SME30Jan2008.pdf

Or from the Guest Resources section of the ARC Training Extranet. Access to the Guest Resources is free, and you can request a login account at http://www.arc-tc.com/extranet/login.asp

If You Want an Automatic Notification Each Time a New Story Is Posted….

Go to http://www.changedetection.com and sign up for their free service.

Loss of Containment Risks – Links to Resources

The risk of loss of containment is a major concern within the petrochemical sector. Loss of containment accidents are often the result of some sort of breakdown at the human/technical interface, but may also be caused by malicious acts such as sabotage, extortion, physical terrorist attack (including insider collusion) and SCADA (IT systems) attack.

The Seveso chemical plant accident in Italy in 1976 prompted the EU to adopt legislation aimed at the prevention and control of major accidents involving chemical plants. The Seveso II Directive applies to some thousands of industrial establishments where dangerous substances are present in quantities exceeding the thresholds in the directive, but excludes such areas as transportation, ports and pipelines.

For more on this, go to the ARC Resources weblinks page at http://www.arc-tc.com/pages/resources_publications.asp. Chemical Plant Security, which provides hyperlinks to sites explaining Seveso II, can be found under the letter C.

Can Your Laptop Be Taken for Inspection by Frontier Customs Officers?

The answer, in most cases, is yes.

US border officials have reasserted their right to search the laptops of persons entering the US – which can be conducted without a warrant or reasonable suspicion – in the interests of national security. Meanwhile, in the UK, a 12-year-old schoolboy whom teachers caught distributing Al-Qaeda beheading videos to classmates via mobile phone has been branded by police as a potential extremist recruit.

Security managers should remind all travelling staff that mere possession of such videos in some countries may constitute an offence under anti-terrorism legislation, and that attempting to take computer equipment containing such material into some countries may render the traveller liable to arrest.

Many companies operate a zero-tolerance policy and punish violators in the same manner as an employee caught storing or distributing pornography.

This and many other aspects of Business Travel Security are covered in the Business Travel Security Workshop, 20 October. On-line business travel security resources can be accessed at the following link:

http://www.arc-tc.com/pages/resources_publications.asp

Access Control Best Practice – New 33-Page Handout Available

Delegates who have previously attended Security Management Stage 1 can now obtain the latest Access Control Handout, with 33 pages packed full with access management best practice.

A PDF version of the handout is online on the ARC Extranet: http://www.arc-tc.com/extranet/login.asp. If you are a former Security Management Stage 1 delegate you can sign up for a free account, which will give you access to the handout and hundreds of other useful background documents.

The Access Control handout can be found in the subfolder “new or revised handouts”.

Wednesday, July 23, 2008

Beware of Angelina Jolie.......

Delegates attending this week’s Specifying Security Technology Course have been hearing about the many advantages of putting physical security technology, such as access control systems, CCTV and building intrusion detection systems, onto an IT backbone.

But IT expert Derick Burton has warned about the potential exposures that this brings with it. Citing a parallel and often precarious situation with SCADA systems (the IT systems that control critical operational processes), he advised that IT networks carrying security systems should be separated from those which provide general IT services, especially Internet connectivity.

One risk, highlighted by David Cresswell, is that of security guards who might be tempted to use the Internet to access webmail or other Internet services, and inadvertently introduce malware into the IT programs managing the physical security systems. Social engineering scams designed to trick users abound, such as the latest email scam (pictured above), which claims to come from MSN and attempts to dupe users into running a video, at which point their computer and its programs become infected with the Trojan Trojan.Agent.AGGZ.

Another risk is that of the "drive-by download" – by simply landing on certain web pages the computer becomes infected automatically. It is estimated that as many as 1 in 100 web pages may be infected. A third risk is that of opening MS Word email attachments, such as those asking users to fill in a form for a job search. Some of these activate malware which allows other Internet users to hack directly into the host’s hard drive and steal data. Thus, theoretically, compromise by social engineering of an IT system managing a CCTV network could allow your confidential CCTV images to be viewed from anywhere on the planet without your knowledge.

The solution to this is NEVER to allow Internet access or email on those systems which manage physical security technology unless you have a very IT-savvy and completely trustworthy security operator, who is kept fully up-to-date with the dangers of IT-based malware and social engineering.

For more details on the Specifying Security Technology Course click here. To register your interest for the next course, or to obtain a detailed product sheet, contact Janet.

Biological Attack a Real Possibility Warns US Government Medical Expert

Source: Homeland Security Today

The prospect of a biological weapon attack by terrorists has again hit the headlines in the US this week. Jeffrey Runge, assistant secretary of Homeland Security for Health Affairs, told the House Committee on Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, that Al Qaeda continues to plot terror attacks that would include biological agents, and the terror group has focused specifically on the use of anthrax as a weapon.

Runge warned: "Given the challenges we face in assessing current terrorist capabilities and identifying plots, it is unlikely that we will receive actionable or specific warning of an imminent biological attack. Furthermore, many of these deadly biological agents, including anthrax, are readily available in nature, relatively easy to procure, culture, and weaponize."

Runge added that if a virus or a biological attack such as airborne anthrax spread through a mid-sized city it may not be detected for several days. And then, many people would suddenly flood into doctors’ offices and hospital emergency rooms, overwhelming the health-care providers who’d be attempting to treat the ill and find out the cause. By then, the illness would have progressed and spread, become difficult to treat and its effect would be felt at every level of society.

Tuesday, July 22, 2008

Congratulations! You Have All Passed!

All thirteen delegates attending the recent Security Management Stage 2 Course successfully graduated this intensive two-week programme, achieving excellent results in both the course project and the end-of-course examination.

For most of the delegates, this was the second in a series of three graded security management courses, which lead towards an MSc in Work-Based Learning Studies (Corporate Security Management) with Middlesex University. The course addressed many of the more advanced concepts of corporate security management, especially within a multi-site context.

Depicted in the image are course delegates from the Russian Federation, the UK, West and South Africa, the Middle East and the Caribbean, representing sectors as diverse as oil and gas, shipping and logistics, finance, manufacturing, and retail and leisure.

Forthcoming University-Accredited Courses are as follows:

Security Management Stage 1

4 – 15 August 2008 (UK)
4 – 15 August 2008 (Nigeria In-House)
28 August – 5 September (India)
22 September – 3 October (India)
17 – 28 November (UK)
18 – 29 January 2009 (Bahrain)
9 – 20 March 2009 (South Africa)

Security Management Stage 2

13 – 24 October (UK)

Security Management Stage 3

22 September – 3 October (UK)

16 – 27 February 2009 (Malaysia)

A Synopsis of the Terrorist Threat Facing the O&G Industry

“The Oil & Gas industry forms part of the Critical National Infrastructure (CNI) of every developed nation in the world. Local terrorism and militant action regularly impinge on the safety of personnel and operational activities but more recently there is an increased risk of global terrorism from threats such as Al-Qaida. Upstream operations are particularly vulnerable since they are often located in regions where the host nation cannot provide effective security.”

Earn an MSc - Forthcoming University-Accredited Security Management Training in India

The ARC Training International Academy for Security Management will be conducting two university-accredited Security Management Stage 1 courses in India in the coming months. The first will take place 28 August – 5 September, and the second 22 September – 3 October. Both courses will take place in Gurgaon, near New Delhi.

Slightly modified for the oil and gas sector, the programmes are nevertheless suitable for delegates from a wide range of sectors and are designed to provide a thorough grounding in the essentials of corporate security management.

This is a unique opportunity to attend this world-renowned programme in India with the option of embarking upon a programme of study towards an MSc in Work-Based Learning Studies (Corporate Security Management) with Middlesex University, London.

For further details or to reserve a place, please contact Janet Ward.

Security Metrics - Are You Doing It?

“Across the industry, there are CSOs and security programme managers who still don't get it, who think security-related metrics are a waste of time or who don't have a clue where to look to build a metrics program. Every business manager to develop and deliver programs and services that demonstrate measurable results, whether good or bad, positive or negative - and that includes security”, writes George Campbell in Security Technology and Design.

“How many CEOs can you count who have been sacked for having bad performance metrics? If you are a security manager looking across the table at your information security counterpart, he or she can drown you in measures and metrics to assess the effectiveness of his or her safeguards. These are all metrics-rich functions led by managers who understand and depend on specific measures and associated metrics”.

For the full article, see

http://articles.directorym.net/Its_Time_to_Get_Security_Metrics_Savvy-a879674.html

The Most Popular Course in Security Management in the World

ARC Training’s two-week Security Management Stage 1 Course has become the most popular university-accredited security management course in the world, having been attended by hundreds of delegates from literally all over the world. The programme is highly interactive and covers the core essential subjects of security management in a corporate setting.

The next course takes place 4-15 August. Details of the syllabus can be found at

http://www.arc-tc.com/pages/university_acredited_sm.asp#sm1.

For further information please contact Janet.

Next year will see the Security Management Stage 1 Course being held in Bahrain in January and South Africa in March, in addition to the regular UK dates. Contact Janet for further information.

Well-Designed Access Control Badges Help Prevent Loss

Robert Pearson writing in Security Technology and Design says that the security badge indicates a great deal about the security department. It reflects the quality of the security program and the level of support the security department receives from upper management. If the badge is not well designed, it is apparent that it is more an instrument of necessity than a part of an orchestrated security program, and this may make the company a target for criminals. A poorly designed badge may also be easy to counterfeit.

Read on at:

http://www.allbusiness.com/management/risk-management/10573577-1.html

Laboratory Security

A recent request from a delegate asked for detailed information on Laboratory Security. With current concerns about theft of precursor chemicals (for IEDs and chemical attack devices) it makes sense to share the findings. Therefore, a new section on the ARC Training weblinks page has been added. Go to



and navigate down the page to Laboratory Security.

How to Specify Technical Security Systems

ARC’s new Specifying Security Technology Course began on Monday, with delegates from Switzerland, the UK, Singapore and the Yemen. On Day 1 David Cresswell spoke about trends in convergence and the benefits – and obstacles to be overcome – when putting physical security technology onto the IT network. Delegates related stories in which IP-based physical security systems had been procured only to be met with a refusal on the part of IT to attach them to the corporate IT backbone. As well as addressing some of the technical issues, the session looked at how to bring IT administrators into the project from the outset, and how to avoid being seduced by often exaggerated vendor claims of integrateability.

Following this, Derick Burton MSc CISSP, who contracts in IT security for one of the UK’s largest multinationals, briefed participants on the basics of IT network infrastructure and IT network security – an essential knowledge prerequisite when planning to put physical security systems onto an IT network.

Peter Horsburgh CPP PSP will lead Day 2 with an interactive session on systems specification and project management, drawing on his many years of experience in this field. For much of this year Peter has been on site, consulting in this field.
Phil Wood MBE CPP PSP will join the programme on Wednesday and Thursday to deliver sessions on automated access control systems, asset tracking technologies and intrusion detection systems, culminating in an all-day module on Friday on CCTV, delivered by acknowledged CCTV guru Jon Laws B.Sc. C.Eng. M.I.E.T. F.ConsE.

There are plans to repeat this course in Dubai in the near future. Contact Janet for further information.

Do You Trust Your Partner?

Source: Information Age

External threats from partner organisations pose the greatest risk to corporate data security, according to a report detailing 500 forensic data investigations by Verizon Business.
The Verizon report analysed hundreds of corporate data breaches, including three of the five largest ever reported, and found that while insider threats were the most devastating in terms of impact, the higher number of data breaches attributable to partners made them a greater risk factor. Read on at:

http://www.information-age.com/home/information-age-today/443066/business-partners-pose-the-greatest-security-threat-report.thtml