Doug Bedell — February 14, 2020, 1:05 pm

Locked Out of the Internet: It Really Happened


Bruce Schneier provides a report on how engineers flown into two U.S. locations from around the world to do a security check on the Internet – the whole global information system – couldn’t hold the ceremony because one of the two safes at the heart of the exercise couldn’t be opened.

That was on a Tuesday night. “One of the locking mechanisms wouldn’t retract and so the safe stayed stubbornly shut… Thanks to the complexity of the problem – a jammed safe with critical and sensitive equipment inside – they were told it wasn’t going to be possible to hold the ceremony on the back-up date of Thursday, either.”

Wow, wouldn’t that make some kind of a movie – titled something like, “Locked Out of the World’s Brain”? Here’s the agenda for the ceremony that went wrong. Any screenwriters available?

Doug Bedell — February 12, 2020, 7:58 am

U.S. Disease Context for the Corona Virus


In Homeland Security provides context for the world’s current disease concern, “We Should Panic about the Flu, Not the Coronavirus.”

“As with most viruses that originate outside America, the public’s interest is only piqued when the virus spreads to America. That is what’s happening now,” Glynn Casker, Managing Editor of In Homeland Security, writes.

“Currently,” however, “there are only five confirmed cases of the coronavirus in the United States…Yet drugstores are selling out of face masks.”

Influenza is the illness that should be concerning Americans. “More than 80,000 people died from the flu in the 2017-18 U.S. flu season alone; the current flu season has killed 8,200 people in the United States so far. Yet you’ll find those precautionary statistics on the 10th page of your Google search for ‘deadly virus affecting Americans.’ The first page is all about the 2019-nCoV coronavirus.

“‘The flu is just not as new and headline-grabbing because we see it every year,’ said University of Michigan epidemiologist Emily Martin.”

Doug Bedell — February 10, 2020, 4:45 pm

School Security Gets a Boost from Cooperating Federal Agencies


A coalition of federal agencies has created SchoolSafety.gov, a website to help keep school communities safe. The U.S. Department of Homeland Security is joined in the initiative by the U.S. Department of Justice and the U.S. Department of Health and Human Services.

Earlier, in March, 2018, the Federal Commission on School Safety was established to help keep schools safe. Its final report, released in December 2018, “recommended that the federal government create a clearinghouse to provide school safety strategies and serve as a central location for federal resources.” That’s what’s being done now.

The SchoolSafety.gov website has a host of suggestions and resources in nine categories to help keep schools safe. It’s a great web-based initiative. Parents and schools can create a personalized action plan around it for their own settings.

Doug Bedell — February 7, 2020, 12:07 pm

Corporate Boards Increasingly Doing Cyber Diligence; Get Aboard


A year ago, notes the Security blog, Yahoo’s board agreed to pay $29 million to its shareholders after cyberattacks that compromised three billion Yahoo user accounts. “It was the first time shareholders had successfully held a company responsible for data breaches. And it is a loud warning to corporate boards that they must start paying attention to cyber risks.”

The lesson? Corporate directors need to get involved in fighting cybercrime; it’s a real, and growing, security risk.

When the danger originates with corporate staff and officials, it’s called an insider risk. Such threats are growing and costing companies “an average of $8 million per incident.” And “the vast majority of insider threats (64 percent) are the result of negligence and lax employee behavior, while 13 percent come from user credentials being compromised.”

We’ve reported on such corporate cyber hazards before. It’s time to pay them heed, before they get even worse.

Doug Bedell — February 5, 2020, 12:39 pm

Who’s Got the Skills, and Aren’t They Worth Them?


Who’s got the smarts in cybersecurity? The question is bandied about when the underlying assumptions need to be questioned, writes Carla Wasko on the Dark Reading blog.

Ms. Wasko thinks there is plenty of cybersecurity talent available, but potential employees need to be better appreciated. They’re not simply “hackers” or whatever. Potential employers have some soul-searching to do. According to a recent Forrester report, there’s a “deeper failure of bias, expectation, compensation, and commitment to effective recruiting and retention” in play.

“Oftentimes, recruiters and hiring managers are looking for superheroes but pay them entry-level salaries. Forrester’s Chase Cunningham notes, ‘Job postings will require a bachelor’s degree with five to seven years of experience with all kinds of technology, and a master’s degree preferred, but by the way, we only want to pay you $85,000 a year.’”

The problem may well be that talented cybersecurity pros get confused with hackers and other digital intruders and aren’t sufficiently appreciated for their guardian skills. Recruitment becomes both a winnowing process and one of payroll fairness.

Doug Bedell — January 29, 2020, 12:45 pm

Helpful Tips for ‘Keeping Security Secure’


From Tim Howard, CSSM, on the Security blog, here are “a few simple measures” for keeping security secure:

Practice need-to-know. Only share security-related information with those who need to know.

Practice compartmentalization. For larger security entities, do not permit everyone to know everything about the operation.

Employ the use of Non-disclosure Statements. People will realize you are serious about your security information if they have to sign a legally binding agreement.

Be sure those in your audience are in the security profession. If you are going to speak at a security event about detailed information regarding security vulnerabilities and mitigation, be sure those in the audience are security professionals.

Know the difference between general security information the public should know and information that is specific to your technology and your processes.

Ensure there are effective security policies in place to protect important security information.

Doug Bedell — January 27, 2020, 1:06 pm

U.S. Homeland Security Closing in on ‘Real IDs’ for Flying

The U.S. Department of Homeland Security is closing in on a deadline of October 1, 2020 for Americans to have the REAL ID-compliant drivers’ licenses that will be required then for domestic airline travel. Over 95 million Americans already have them, the U.S. Department of Homeland Security notes.

“While it is the states that are responsible for issuing cards, DHS has worked extensively with every state to provide time, technical assistance, and make grants available to support compliance with the REAL ID Act security requirements. DHS urges the states, District of Columbia, and U.S. territory officials to act to ensure that all their eligible residents obtain driver’s licenses or identification cards that meet these enhanced security standards.

“Beginning October 1, 2020, every commercial air traveler must present a REAL ID-compliant driver’s license, state-issued enhanced driver’s license, or other acceptable forms of identification, such as a valid passport or U.S. military ID, to fly within the United States. Individuals who are unable to verify their identity will not be permitted to enter the Transportation Security Administration (TSA) checkpoint and will not be allowed to fly.”

Doug Bedell — January 24, 2020, 11:07 am

Church Security Needs to Be Taken Seriously, Not Casually


Church security gets little formal attention, but it should, advises Tony Kooser on the Security website.

“First,” Kooser, President of Full Armor Strategic Solutions, writes, “where does a church find their security applicants? Most church security teams are comprised predominantly of volunteers. While it is possible to attract members with some form of experience, the truth is that volunteer security teams are the norm but are not taken seriously, nor should they be when it comes to the protection of a congregation.

“Second, we should ask, how do churches vet their applicants? A church may arm a member and allow them to carry a weapon and give them permission to murder, which is a very tall order. But does the church ask for weapons certification or evidence of shooting skill or proficiency? In most cases, they do not. Instead, they simply take a person at their word. While sometimes well-intentioned, the reality is that this is extremely foolish and reckless.

“Complete training, not just shooting, but also safety, CPR, first aid, security awareness, escalation and de-escalation of force, verbal judo, tactics trauma and more must be part of a complete training program. The truth is most churches do not have a robust training program, and instead, what they have is a ‘come as you are and best of luck to you should something go wrong’ approach. I say best of luck because most churches are not going to carry the burden of liability for an all-volunteer team with no vetting, no validation and no continuing education. Knowing this fact, churches often look for someone who is or was military or a first responder; yet again, they take the individual at their word with zero evidence of skill or formal training.”

The point is, effective security is a serious subject and needs to be taken seriously wherever it’s considered, not simply given a once-over. It’s rather like business security, actually.

Doug Bedell — January 22, 2020, 12:24 pm

PRO Barrier Introduces a Multi-Purpose Portable Barrier


PRO Barrier has a new portable barrier, the PB-12, for use anywhere. You can see it here. The PB-12 can be readily deployed to control traffic at parades, construction sites, VIP appearances, military bases, farmers markets and street fairs.

The new barrier is manually operated; it doesn’t require electric power or conventional hydraulic systems. When it’s not needed it can be folded up and stored, ready for transport to the next event. Several units can be deployed from a single flatbed truck.

For more information on the PB-12, call PRO Barrier at (717) 944-6056.

Doug Bedell — January 20, 2020, 11:08 am

Getting Ready: FBI Gears Up for the 2020 Presidential Election


The Federal Bureau of Investigation (FBI) is getting ready for another presidential election season, with security concerns foremost in mind. Danny Bradbury on the Naked Security blog reports that “This year is shaping up to be the most challenging yet when it comes to election security. In 2020, cyberattacks against the US election will be more sophisticated than they were in the run-up to the 2016 vote.

“It’s probably a good idea, then, for the FBI to warn local and state election officials of hacking attempts, and last week, it announced just that.”

The “fragmented nature of the U.S. election system” makes that a tough challenge, but the FBI is on to it. It advises that “The FBI’s interactions regarding election security matters must respect both state and local authorities. Thus, the FBI’s new policy mandates the notification of a chief state election official and local election officials of cyber threats to local election infrastructure.”