Wednesday, January 3, 2007

SEC Exposes Online Fraudster


DECEMBER 26, 2006 | An online fraudster who manipulated the stocks of at least 21 companies and stole more than $350,000 from investors is now on the lam, according to law enforcement officials.

The Securities and Exchange Commission Friday issued a complaint against Grand Logistic, S.A., and its sole owner and operator, Evgeny Gashichev. The SEC accused Gashichev of committing a series of online crimes between Aug. 28 and Oct. 13, 2006, to influence stock prices and take over the accounts of online investors.

The SEC has closed down Grand Logistic, but Gashichev's whereabouts are unknown, according to the complaint. "Although Gashichev's trading through the Grand Logistic account has been stopped, it is highly likely that the fraud continues," the agency warns.

In a traditional "pump and dump" scheme, a fraudster buys many shares of a low-priced stock and then attempts to influence other investors to invest in the stock through false or misleading information. When the stock price goes up, the fraudster quickly sells his shares, reaping a profit and disappearing while the other investors helplessly watch the stock's price plummet.

Gashichev added an online twist to this classic scam. He stole the identities of some 25 individual investors, according to the complaint, and he then used all the money in their accounts to buy up as many shares of a targeted stock as possible. These online thefts and purchases helped to raise the price of a stock owned by Gashichev, which he then sold, pocketing the profit and leaving the account holder with hundreds -- sometimes thousands -- of shares of near-worthless stock.

With an initial investment of $30,000 placed into the Grand Logistic account, Gashichev made approximately $353,000 in about six weeks, according to the complaint.

Forensic experts have thus far been able to track down Gashichev, who used several different IP addresses -- or sometimes, the IP addresses of his account holder victims -- to mask his identity and location for the online transactions.

The SEC is working with law enforcement authorities to find Gashichev, who is believed to be hiding somewhere in the St. Petersburg area. The agency warns investors not to provide sensitive information via email or to accept offers of free software or games, which may lead to the theft of account information


Innovators & Influencers: Prediction: Hackers Will Crack The Corporate Firewall

Security pro Jeremiah Grossman warns corporate guardians to start hardening their Web sites now.

Jeremiah Grossman has no qualms about being labeled a false prophet. That would mean companies are writing secure Web applications, and he'd have done his job as a security researcher by spotlighting yet another dangerous Web app flaw.

Grossman, a former Yahoo security officer, started WhiteHat Security, a software and services firm, in 2001. He's also the co-founder of the Web Application Security Consortium, where he does re- search for its database of Web hacking incidents.

At the Black Hat conference last July, Grossman warned that the corporate world was only 18 months away from cybercrooks hijacking employees' Web browsers and using them to attack systems inside the firewall. There are 100 million Web sites, he says, and many of them have flaws that let outsiders insert malicious code that can infect browsers with malware. Those infected browsers let the attackers steal important information, such as logon names and passwords, as users navigate through intranet-based HR apps or send print jobs over the network.

Security pros have knocked themselves out building perimeter security, says Grossman, but that will mean little if they don't stop outsiders attacking from the inside.


IBM Scrutinized In Moscow

An armed special forces team from Russia's Interior Ministry swept through IBM's offices in central Moscow last week, seizing documents and gathering other evidence. No arrests were made, and IBM says its operations in the city "are continuing uninterrupted."

The ministry is investigating what it says is a $4 million computer equipment kickback scheme involving IBM employees, employees at Russia's national pension fund, and staffers at IBM local partners R-Style and Lanit.

Russia is increasingly important to IBM as both a tech market and a source of programming talent, so lasting damage to its reputation there could prove costly.


Boeing Employee Fired After Laptop With Employee Info Is Stolen

The employee violated company policy by downloading the information onto the laptop and not encrypting it, according to a Boeing spokesman.

Boeing has fired an employee whose stolen laptop contained identifying information on 382,000 current and former employees.

The employee, who hasn't been identified, was fired because he violated company policy by downloading the information onto the laptop and not encrypting it, says Tim Neale, a spokesman for Boeing. The laptop, which had been taken out of the office, was stolen the first week of December, he added.

This was the third laptop theft in two years that resulted in lost employee data at Boeing. This latest missing laptop contained the names, Social Security numbers, and in some instances the home addresses of both current and former (mostly retired) employees.

The theft is under investigation.

"This was somebody who was authorized to be working with the data," says Neale. "The company policy discourages people from saving those types of files with personnel info to their laptop. We encourage people to work off the server, which would keep the information behind the firewall. If you do download the information onto a laptop, it's supposed to be temporary and the information is supposed to be encrypted."

Neale adds that the employee "had fair warning" because after the other laptop theft incidents, Boeing managers had made sure that everyone working with employee data was educated about the rules.

"If there's any good piece of news in all of this, it's the fact that [the laptop] was not turned on," said Neale. "Whoever may have that computer would have to know or figure out the user's password to get into the files."

On Thursday, Boeing's president and CEO Jim McNerney sent an e-mail about the data loss to the company's 156,000 employees. The memo was printed in The Seattle Times. Neale confirmed the memo's legitimacy.

"I've received many e-mails over the past 24 hours from employees expressing disappointment, frustration, and downright anger about yesterday's announcement of personal information belonging to thousands of employees and retirees being on a stolen computer. I'm just as disappointed as you are about it," McNerney wrote. "I know that many of us feel that this data loss amounts to a betrayal of the trust we place in the company to safeguard our personal information. I certainly do."

McNerney also told employees he believes it was a petty theft and not an attempt at identity theft.

The company is providing credit monitoring services to affected employees for the next three years.


U.K. Scales Back National Identity Plan

Still, efforts toward a national ID system have not been scrapped completely, and the British government also is still considering requiring foreign nationals to register biometric data.

The United Kingdom has canceled plans for a national identification database and plans to collect biometric data on all citizens and visitors.

Still, efforts toward a national ID system have not been scrapped completely. They remain in a strategic action plan released this week.

The British government also is still considering requiring foreign nationals to register biometric data, and instead of building one massive database for the identification system, the government plans to use three existing databases.

Privacy International campaigned against the national identity cards using research from the London School of Economics & Political Science. In a 2005 report, researchers, using existing studies and information, concluded that the system could benefit society but the U.K. proposals were not safe or "appropriate."

"There was an overwhelming view expressed by stakeholders involved in this report that the proposals are too complex, technically unsafe, overly prescriptive, and lack a foundation of public trust and confidence," the report stated.

The report suggested that the British government could achieve its objectives of preventing identity theft and terrorism by giving people greater control over the disclosure of their own personal information and increased border patrols and resources for conventional police intelligence. It warned against new and unforeseen problems -- related to technical, security, and oversight issues -- with implementing a program on such a massive scale.


Chinese Hackers Launch New Office Attack

Popular Christmas PowerPoint slide show circulating by e-mail contains a security threat developed by paid-for-hire hackers.

A Microsoft PowerPoint presentation circulating via e-mail is the latest example of a 2006 trend in which paid-for-hire Chinese hackers target Western businesses with malicious Office documents, a security researcher said Wednesday.

The newest threat, said Ken Dunham, director of VeriSign iDefense's rapid response team, hides within an apparently innocent PowerPoint slide show, "Christmas+Blessing-4.ppt," which is attached to an e-mail message. The PowerPoint file, which circulated sans exploits last year around Christmas, has been making the rounds since Sunday.

"The reality is that this is a very popular file," said Dunham, "and poorly detected by most antivirus scanners." However, some security companies, including F-Secure, have created signatures to sniff out the threat.

More important is that Christmas+Blessing-4 shares characteristics with the Office document-based attacks that began seven months ago. "This is very similar to other Office attacks from May and June," Dunham said. "It's a targeted attack, this time [against a company] in the public utility sector."

Other Office document exploits--which included ones leveraging zero-day vulnerabilities in Word, Excel, and PowerPoint--also were limited in scope. But that doesn't make them less dangerous, said Dunham. "This kind of attack will be one of the most concerning during 2007. It will be the one that keeps CEOs up at night."

Unlike those earlier attacks, Christmas+Blessing-4 is not a zero-day exploit taking advantage of a vulnerability that hasn't been fixed. "It doesn't work on fully patched computers," Dunham said. After a user opens the PowerPoint file, a variant of the "Hupigon" backdoor Trojan horse is installed on the PC. The Trojan then silently adds two additional files, "msupdate.dll" and "sdfsc.dll," to the system.

IDefense said that the crew responsible for the newest Office attack was Chinese, another similarity with the summer's Word and Excel exploits. Calling the writers "hackers for hire," Dunham said that the rapid shift in China from politically motivated attacks to for-profit hacks is "a cause for concern."

"They're getting paid a whole lot of money," Dunham said. "The capitalist attitude is infiltrating Chinese hackers."

Dunham recommends that users patch their systems--Microsoft Office applications as well as Windows--and refuse to open unsolicited PowerPoint files, especially any attached to e-mails with the subject of "Merry Christmas to our hero sons and daughters!"

Warned Dunham, "If you're not patching promptly, you can expect attacks in 2007."


How To Spot Insider-Attack Risks In The IT Department

They're one of the biggest security risks because of their knowledge and access. IT managers need to learn to identify and stop insider malcontents before they do some serious damage.

By Larry Greenemeier,  InformationWeek
Dec. 11, 2006

Roger Duronio faces up to eight years in a federal prison when he steps before a judge this week to be sentenced for sabotaging UBS PaineWebber's IT systems in 2002. If you think there are no potential Duronios in your organization, consider this a brief history lesson on tech employees gone bad, and a refresher course on how to identify and stop insider malcontents before they do some serious damage.

As a system administrator, Duronio, convicted this summer, placed a "logic bomb" to knock out much of UBS's network, then made financial bets that would pay off if the company's stock tanked as a result. A former VP of IT at SourceMedia, Stevan Hoffacker, was arrested in mid-November on charges he hacked into his former company's E-mail system so he could warn people still working there that they were going to be laid off. Prudential Insurance IT staffer Donald McNeese in 2002 stole records from a Prudential database containing information on about 60,000 employees and was caught trying to sell identities for credit card fraud.

Nearly two-thirds of the 616 security pros surveyed this year by the Computer Security Institute say insiders account for some portion of the financial losses their organizations experience because of breaches. Some 39% of respondents attribute more than 20% of their organizations' financial losses to insider attacks, while 7% estimate that insiders account for a whopping 80% of financial losses.

Insiders aren't the most common security problem, but they can be among the most costly and the most damaging to a company's reputation. Insider attacks against IT infrastructure are among the security breaches most feared by both government and corporate security pros, says Eric Shaw, a psychologist and former CIA intelligence officer who has studied insider threats the past decade.

What to do? The risks can be lessened first by doing background checks on potential IT employees--something far more companies are doing this year, according to Carnegie Mellon University's CERT (see story, The Case For Background Checks). If an employee is terminated, it's crucial that all system access be revoked immediately. It sounds obvious, but that doesn't mean it's always done. About half of all insider attacks take place between the time an IT employee is dismissed and his or her user privileges are taken away, says Dawn Cappelli, a senior member at the CERT Coordination Center, part of Carnegie Mellon's Software Engineering Institute.

When it comes to current employees, IT managers must do something they might not have a taste for: Keep an eye out for insubordination, anger over perceived mistreatment, or resistance to sharing responsibility or training colleagues--all warning signs someone may be capable of system sabotage or data theft. "The biggest misconception about preventing insider attacks is that IT needs to worry only about technology issues and HR has to worry only about personnel issues," Cappelli says.

Defending against insiders isn't easy, but knowing what to look for and understanding who you're up against certainly helps, says Shaw, who co-authored a report last year titled, "Ten Tales Of Betrayal: The Threat To Corporate Infrastructures By Information Technology Insiders."

IT managers must be watchful any time someone with access to sensitive systems has a falling out with his or her bosses. That's what happened with Duronio, who was upset his bonus fell about $15,000 short of his expectations. It's also the story of Claude Carpenter, who worked for government contractor Network Resources doing part-time systems administration on three Internal Revenue Service servers. In May 2000, suspecting he'd be fired after a dispute with a co-worker, Carpenter inserted several lines of code that would command the three servers under his care to wipe out data if network traffic reached a certain level. He tried to conceal his activities by turning off system logs and removing history files, but he aroused colleagues' suspicion by calling several times during the next two weeks to ask "if the machines were running OK" and "if anything was wrong with the servers," says a July 2001 Justice Department description of the case. Carpenter was sentenced to 15 months in prison and ordered to pay $108,800 in restitution.

Managers must not only monitor system access, but also let employees know their system changes can be tracked. Employers should be wary of people unwilling to share their knowledge about systems or uncomfortable with the fact that their activities accessing systems or data can be tracked.

One related element: Make sure each IT worker has just enough system access to get his or her job done. "Usually, a person who does damage was given more access than they needed," says Bill Moylan, senior director of Aon Consulting's IT risk consulting group, who spent 25 years with Long Island's Nassau County Police Department. One financial services CIO makes that point by not giving himself data center access, since he doesn't need to be in there to do his job. Access can be something of a status symbol, so don't wait for IT staffers to complain they have too much, Moylan says.

This is the CIO's problem to solve. Though technology is everywhere in companies, system attacks are nearly all driven by scoundrels working in IT who have the knowledge and access to pull them off. A recent survey by the Secret Service and CERT Coordination Center/SEI indicates that 86% of internal computer sabotage incidents are perpetrated by tech workers.

The rise of identify theft and the heightened sensitivity around customer and employee data have raised the stakes. One of the first insider cases to drive this point home was that of former Prudential database administrator McNeese, who was charged with identity theft, credit card fraud, and money laundering for stealing records from a Prudential database. He even sent E-mails to victims, trying to incriminate his former boss. McNeese received three years' probation, was ordered to pay $3,000 in restitution, and was required to get psychiatric treatment.

Employees most likely to commit insider theft or sabotage share a number of characteristics, which can include mental health disorders, personalities that clash with authority, and a history of behavioral violations in the workplace, often documented by HR, says Shaw, who has worked as a consultant to the Defense Department profiling characteristics of insiders who commit computer crimes.

Other clues are less academic but no less important. Simply getting to know employees will create loyalty and may even tip off potential problems. "If a guy on your staff needs an extra $20,000 to pay for his kid's college tuition, he might try to sell credit card numbers," says David Giambruno, VP of global service delivery for cosmetics company Revlon and formerly the director of engineering, security, and deployment at Pitney Bowes.

Technology also plays a key role in thwarting insider attacks. Giambruno believes in encrypting data that "could remotely be seen as sensitive." Revlon encrypts sensitive data in applications and databases using Ingrian Networks' DataSecure network appliance, with its built-in encryption software and middleware for connecting to servers. Giambruno advocates creating an audit trail, where employees who want access to encrypted data have to state their reasons and get executive sign-off on the decryption key. By encrypting data, he says, "you take away the low-hanging fruit for insiders."

Risk management software and services can help, too. IBM last week announced plans to buy Consul Risk Management and add Consul's products to the Tivoli line of IT management software. Consul and rival risk management offerings from Elemental Security and others are designed to alert IT managers when data or systems are improperly accessed, whether from the outside or by staffers.

Technology plays a vital role when an IT worker is fired. Immediately cutting network, system, and data access privileges is only the start. If there's a reason for concern, managers should, ideally before termination, audit projects the employee worked on to understand his or her access privileges and look for backdoor access programs they may have created in anticipation of being fired. "Termination doesn't end the risk," Shaw says. "It probably just escalates it."

If you doubt such steps will be enough to deter angry IT employees, Shaw suggests laying it on the table that you'll be keeping tabs on them. "Hold something over the former employee's head, such as their severance package or continued benefits," he says. "Let them know that if you see any problems with your IT systems, you'll have the police pay them a visit."

Sound like the kind of stuff you'd prefer to let HR handle, so you can get back to working with your talented, trusted employees? When it comes to insider threats, IT departments must accept that they're the first line of defense, with HR as their closest partner, CERT's Cappelli says. "They need to have an understanding of both the psychology and the technology behind these attacks to prevent them from happening," she says.

Great, like IT managers need another hat to wear--now they're psychologists. But it's true that all IT pros are in this together against the rotten few, whether the rogue who's "just" peeking at documents he shouldn't access or the saboteur who's knocking out a company on which tens of thousands depend for their livelihoods. Thwarting them--and keeping the respect and trust an entire profession has earned--is what's at stake.

--With Sharon Gaudin


»  E-Mail
»  Print
»  Discuss
»  Write To Editor
»  Digg
»  Slashdot

From Yap To Growl, Israeli Device Dogs Intruders

Harnessing technology that interprets barking -- to see if an animal is responding to a threat instead of just routinely woofing -- a new security system aims to replace expensive electronic surveillance systems.

BEERSHEBA, Israel, Jan 3 - An Israeli firm has designed a security system to ensure jailbreakers or intruders find a guard dog's bark can indeed be worse than its bite.

Harnessing technology that interprets barking -- to see if an animal is responding to a threat instead of just routinely woofing -- the company aims to replace or supplement expensive electronic surveillance systems.

"There is currently very little utilisation of the watchdog's early warning capabilities," says privately owned manufacturer Bio-Sense Technologies, based in the Israeli town of Petah Tikva, on its Web site.

The company -- which says dogs have better night vision than humans and a vastly superior sense of smell and hearing -- used computers to analyse 350 barks and found dogs of all breeds and sizes barked the same alarm when they sensed a threat.

If the dogs sense an intruder or attempted security breach, dozens of sensors around the facility pick up their "alarm bark" and alert the human operators in the control room.

Dubbed "Doguard", the Dog Bio Security system is in place in high-security Eshel Prison as well as Israeli military bases, water installations, farms, ranches, garages and in Jewish settlements in the occupied West Bank.

Eshel Prison installed the system last year to supplement its existing network of electric fences and human guards, prison officer Bazov Moris told Reuters.

Now Rex, a brown American Staffordshire Terrier, Emmy, a white Caanan, and 27 other dogs guarding the prison are tracked by sensors to alert guards to any attempted breakout at the jail, which houses about 3,000 prisoners including Israelis and Palestinians.

There have been no escape attempts since the system was installed, but Moris is convinced it works. He said prisoners at other facilities had been able to escape "because dogs barked but no alert was sent to the guards".

During a demonstration an alarm wailed as Rex and Emmy raced, growling and snarling, alongside one of the facility's metal fences, which a man in a brown uniform was trying to scale from the other side.

Officers in a small basement office nearby watched on a surveillance video and spoke into their walkie-talkies as a wall of computer screens flashed in red: "Dog alarm in Sector 12".

Seconds later, several prison guards, wielding clubs, raced to the scene and tackled the man to the ground.


The dog bark-reader is just one of a batch of innovative security systems to emerge from Israel, which business magazine Forbes said in December had emerged as "the go-to country for anti-terrorism technologies".

By monitoring not just the dogs' barks, but also their physiological responses -- like heart rates -- it joins a trend for computer systems building on animal knowledge that humans also share.

Another Israeli example, from Suspect Detection Systems, offers border checkpoints a computer quiz that alerts guards if travellers show a marked physiological response to particularly tough questions.

However, Doguard is not foolproof. When first set up at Eshel Prison and at a water installation and farm in central Israel, the dogs triggered several false alarms, officials said.

"The dogs need two to three weeks to adapt -- they must get to know their territory," said Daniel Low, chief executive officer of Meniv Rishon, the municipal water system of the Israeli town of Rishon Lezion.

Low said he had installed the system in several places to replace guards.

Galia Alon, an official at Modi'in Ezrahi, a large Israeli security company that supplies private guards and equipment, cautioned against relying on dogs as a first line of defence.

"Dogs are excellent at spotting intruders -- they are well trained and have a more sharpened sense of smell than humans," she said. "But people can identify people by looking at them and talking to them, and they are more inclined to catch them."

Yossi Brami, manager of a dairy at Kibbutz Gezer, a communal farm, had the system installed two months ago. He said he was told dogs work better in pairs because one signals to the other if an intruder appears, so two were placed to guard his calves.

The dogs used in the alarm system were rescued from shelters, Bio-Sense chief executive officer Eyal Zehavi said, adding some clients asked for them to be trained professionally first.

Eshel Prison's dogs live in individual kennels. Several times a day, they are let out to patrol buildings, where they are unleashed in a fenced-in compound.

At Kibbutz Gezer, dogs Chief and Lola are kept on a long chain and are released to run around the farm several times a day. The dogs guarding Meniv Rishon are also chained.

Israeli animal rights societies said they knew little about the system but it was preferable for dogs to live indoors and unleashed.


Outsource Security Carefully, And Carry A Big Audit Plan
By Alice LaPlante
Dec 15, 2006 at 03:51 PM ET

»  Weblog Main
»  View Entries By Topic
»  View Entries By Date

Are IT managers desperate if they outsource security?

That’s the provocative question Larry Greenemeier asks in today’s issue of InformationWeek. His conclusion? A resolute no. In fact, hiring an independent service provider might just be your best bet for staying safe in the midst of rising threats against malware, hackers, and internal saboteurs.

It’s a good question, though. After all, handing over the job of keeping your all-important networks, systems, and data safe can seem like an act of last resort, acknowledging—as Greenemeier points out—that the job is simply too much for you. Yet isn’t it better to make such an acknowledgement and seek appropriate help rather than denying evidence that you may be putting your organization at risk?

Still, outsourcing shouldn’t be done casually and without stepping exceedingly carefully through the vendor selection process. Greenemeier outlines the minimal actions you must take with this regard.

One thing he doesn’t mention, however, which should be at the top of any IT professional’s list: active risk management of vendors using independent third-party auditors. And a just-released study by Ernst & Young indicates that IT managers are woefully unprepared when it comes to protecting themselves against incompetent, unskilled, or generally ineffectual third-party security service providers. Only 14 percent of the 1,200 global IT professionals surveyed have formal security risk management procedures in place that are properly validated by auditors. And let’s face it: independent auditing of vendor effectiveness is the single—perhaps the only—way to sleep at night when outsourcing something as important as security.

Indeed, although 60 percent of the survey participants who had outsourced information security activities already--or who were planning to do so--said they were doing it to focus valuable IT resources on other key areas, most were “overwhelmingly emphatic” about their determination not to outsource security functions because of the risks involved.

What do you think? Have you outsourced all or part of your security activities? Why or why not? Let me know what you think by responding below.


A Matter of Trust

Nov 1, 2006 12:00 PM

The $11 billion Somers, N.Y.-based Pepsi Bottling Group (PBG) is the world's largest manufacturer, seller and distributor of Pepsi-Cola beverages.

Yet the company's security staff consists of about a half dozen people. Terry McKinney, senior director of security, maintains a staff of two administrators at the company's headquarters. Three regional security managers cover the Mid-Atlantic, Southeast and West Coast operations. A fourth will soon come on board to monitor Canadian facilities.

Six or seven people seem too few for a company that operates 45 U.S. plants (98 worldwide), manages 260 U.S. distribution centers (527 worldwide), and employs nearly 35,000 people in the United States (66,000 worldwide).

McKinney keeps his department lean by outsourcing the company's security technology requirements. McKinney and his assistants manage the work of outsourced providers.

PBG buys the security technology and pays a fee for services but does not have to hire, train and update or pay a staff to monitor and administer the systems. Instead, the company purchases services from a menu offered by an outsourcing company — the Security Support Center (SSC), a division of Aegis Protection Group, Louisville, Ky.

As security technology grows more complex and expensive to own and use, a handful of companies have begun to market outsourced security technology services.

Is security outsourcing a good idea? Providers say security directors can afford to buy or lease (see related story, page 13) top-of-the-line security technology from an outsourcing provider because the labor costs for operating, maintaining, monitoring and administering an outsourced system decline dramatically as the provider spreads costs among a number of clients.

Others suggest that outsourcing conflicts with one of the most important goals of modern security practice: making security an integral part of a company's business. Take the contribution that security technology might make to the process of complying with certain federal regulations. Sarbanes-Oxley, for example, requires CEOs to sign statements saying they have reviewed and certified the delivered by financial reports. Part of what the CEO is certifying is that no unauthorized person had access to systems that would allow fiddling with the numbers.

Access control systems can help comply with these rules. The systems can restrict access to computers and rooms containing financial data, and they can provide an audit trail of the identities of those who did have access to the data.

Doesn't outsourcing conflict with this emerging role for corporate security? Just the opposite, says Brandon Reich, vice president of corporate development with SSC. “Security is becoming more and more integral to corporate strategy,” he says. “Outsourcing gives the security executive the tools necessary to execute that strategy in a more efficient and cost-effective manner.”

Lauris Freidenfelds, vice president of Sako & Associates Inc., a Chicago-based security consultant with expertise in technology, agrees, calling outsourcing a preference issue. “It is a concept that has been around for 25 or 30 years but is not always embraced by traditionalists,” he says. “Outsourcing today is a way of thinking outside of the box.”

Outsourcing is still the exception rather than the rule, although it has captured pockets of the security market.

For instance, Kastle Systems LLC of Arlington, Va., has been providing outsourced security technology services for 34 years. In the company's home market, the Washington, D.C., metropolitan region, outsourcing has become an accepted mode of operation, according to Jim Mustard, senior vice president. “Because Washington, D.C., is our corporate headquarters, we have done a tremendous job of changing the way building security is operated here,” he says.

Several factors appear to be broadening interest in outsourcing:

·         the effect of 9/11 on some corporate markets;

·         the need to bring in security expertise immediately;

·         security needs of businesses that operate from many small branch offices;

·         the arrival of open access control; and

·         video technology that can be deployed across all sites within large corporate organizations; and lower costs.

The 9/11 effect

The terrorist attacks of 9/11 led a number of property owners and businesses based in high-profile cities like Washington, D.C., New York, Chicago, Los Angeles and others to explore outsourcing security technology and services to experts.

For example, after 9/11, a major office real estate owner with a large Washington, D.C., property portfolio asked Kastle to recommend electronic security systems for 40 of its Washington-based buildings. Of primary concern were buildings located near the White House and other landmarks.

Kastle audited existing security technology and operations in each building, identified patterns and defined platform requirements for centralized system management. The system, now up and operating, offers capabilities similar to any well-designed security technology system. It provides management with an emergency lock-down ability on the premises. It streamlines visitor processing with an Internet-based system managed by Kastle. It includes a Web-based database management and photo-ID card administration system that tracks and responds to new hires, terminations, and permanent or temporary changes in privileges. Finally, it provides single-card access to multiple buildings, a particularly valuable service for the building owner's employees.

Early this year, an investment group acquired Carr-America's nearly 300 U.S. office properties. As part of that transaction, New York City-based Tishman Speyer acquired a portion of the Washington-based buildings. Despite the changes in building ownership, the outsourced security relationships continue.

Outsourcing provides immediate expertise

Tenants in multi-tenant urban office buildings also turn occasionally to outsourcing. Dickstein Shapiro Morin & Oshinshky LLP, a 500-plus-attorney law firm with offices in Washington, DC, and New York City, has outsourced security to Kastle since 1986.

The reason? “We're experts at practicing law; we're not experts in security,” says Sharon O'Meara, the firm's chief administrative officer.

Kastle designed and installed an access control system that it continues to maintain and operate. The system provides a single access card that works in the firm's two offices. The system also tracks the movement of guests and employees and provides an audit trail for investigating thefts.

Kastle monitors the system 24 hours a day, tracking alarms for fire, mechanical and electronic systems, and controlled access doors. When an alarm triggers, Kastle responds appropriately and notifies the firm. Kastle regularly updates the systems and adds features. At Dickstein Shapiro, a single employee administers the card distribution system and runs reports for both offices. The rest of the work is done in the Kastle operations center.

Multiple branch offices

Companies with numerous offices or locations may find outsourcing particularly economical. Diebold Inc., Canton, Ohio, for example, looks after access control technology and operations for a large financial services firm that Diebold executives prefer not to name. “This customer has 1,000 branch offices,” says Vince Lupe, director of product management with Diebold. “Bank branches have a lot of turnover among tellers and branch sales people.

“We took over the function of adding and deleting people. We also set up the door controls for area access. At night, you might want the cleaning people to have access to a specific area but nowhere else. An administrator runs the system and sets up the access permissions.”

In the end, the customer asked Diebold to perform the function of adding and deleting people to the rolls as they turned over. Diebold also developed an operating manual that specifically addressed the bank's alarm system.

Network security technology arrives

Back in the days when security technology used proprietary systems that could not be networked across existing company lines, outsourcing came with costs so high that many could not afford it. “Today, you don't have to buy new hardware for every corporate location, along with multiple copies of the software,” says SSC's Reich. “A single server in a data center somewhere will handle all of the corporation's facilities across the country. The same is true for an outsource provider.”

As access control systems move onto corporate networks, continues Reich, they have become bigger and more technologically complex. They differ from older proprietary systems that were relatively easy to figure out. Today, many corporate security departments do not have the IT skills necessary to run these systems internally.

The security officer or outsourcing employee that monitors a system works with an application and graphical user interface designed for an end-user. “Making the end-users' system simple enough requires people on the back end that can program and configure it,” Reich says. “That's part of what we do. We also manage and administer user accounts, and badging systems.”

Higher value management and lower cost administration

“Without outsourcing, I would spend all my time making sure that doors open and close properly, that the badging stations were operating, and that the equipment was receiving proper maintenance,” says PBG's McKinney. “With outsourcing, I have professionals from the electronic side of the business that handle problems — that no corporate security head really has time to handle properly.”

McKinney can spend his time developing strategy and managing security instead of fussing with details.

Overall, it costs less. A company that outsources security technology services does not have to hire, train, pay and maintain a staff to monitor the technology. Nor does it have to hire a staff to handle time-consuming administrative jobs like monitoring when individual employees come on board and depart.

“Photo ID badging is probably the single greatest opportunity for a company to cut costs,” he says.

According to Reich, setting up a badging system with a badge printer, camera, software, card stock and other supplies costs approximately $6,000. Annual recurring costs for maintenance and supplies total about $5,500. If a company has 100 facilities, each with a badging center, the corporate tab comes to $550,000 per year.

“I can't give you an exact cost for what we would charge, but I can say it will be as much as 80 percent less,” Reich says. “I think that when a company gets up to three badging stations, it becomes economical to outsource that service.”

And badging is just one available outsourcing service. There are others:

  • electronic security administration and hosting;
  • security service management;
  • project and change management;
  • compliance audits;
  • employee orientation and training; and
  • security incident reporting.

“If your security department can cut costs by outsourcing, while maintaining the same or even a higher level of security, then your company can justify future capital expenditures in other areas,” Reich says. “Sometimes the money you save by outsourcing will flow directly to the bottom line.”

Buying Or Leasing Equipment When Outsourcing

WHEN YOU OUTSOURCE ACCESS CONTROL SERVICES, you should also think about what kind of equipment deal to make. You can buy the equipment or you can pay a little more and lease it.

Why not take the least expensive alternative and buy? “If your company is stable or not changing very much, owning the equipment will be cheaper than leasing in the long run,” says Lauris Freidenfelds, a vice president with Sako & Associates, Inc., a Chicago-based security consultancy. “But if you know that you will have to upgrade and downgrade and change your equipment mix on a regular basis, leasing is the better decision.”

Just be sure, continues Freidenfelds, that you strike a deal that permits you to make changes, to add and delete equipment and locations.


Mobile security, RFID to have largest impact on IT security

Jan 2, 2007 3:54 PM

IT security managers may want to take heed: emerging technologies like mobile security and RFID should be making a significant blip on your radar screens.

According to David Strom's article in InformationWeek, mobile security and RFID are two of the top five technologies projected to have a major impact on IT managers in 2007 and beyond.

Of most significance to security departments is mobile security. "The traditional security perimeter is gone -- and the enterprise needs to protect itself from potentially infected remote users. Of course, there are numerous endpoint security solutions available.

Today's IT managers have to worry about infected laptops that can bring down their networks, Strom says. The trick is delivering a consolidated mobile and endpoint security solution across the enterprise that will cover multiple desktop operating systems, non-desktop network devices such as Web cameras and print servers, and various switch and router vendors and operating system versions. That's a tall order, especially as most IT shops already have some collection of perimeter security devices that will need to work with whatever end-point solution is concocted.

As for RFID, it may have been around for years, but several factors have come together to make it a bigger deal in 2007, Strom says.

First, there are new developments in the integration of supply chain infrastructure, which has made it easier to manipulate RFID data directly into inventory, supply chain and manufacturing systems. These changes have stimulated other entrepreneurial efforts and created more of a market for RFID-related products. Second, the standards are solidifying, making it easier to develop applications and interoperate various pieces.

Anyone trying to master RFID will need to examine its three key components: scanners, radios and warehouses, Strom says. The reason for putting scanning expertise first is because the transition from bar codes to radio tags is a relatively easy transition. Any successful RFID deployment also needs to take into account potential radio issues and how wireless networks are deployed across the enterprise. Finally, warehousing and inventory experience are needed to collect the scanned information and integrate into any existing supply chain applications.

The other three top-5 technologies focus more on IT-related issues. They include Web services, server virtualization and graphics processing.


Security concerns influence school design

Jan 2, 2007 3:52 PM

A 2005 school security and land price study has prompted school officials in Collier County, Fla., to change the way they build new schools.

Officials sought a new design for schools to keep students in a more enclosed space, according to a report in the Bonita Daily News. Veterans Memorial Elementary School, scheduled to open in the fall, will be the last one-story, open-air school built in Collier County, says Alvah Hardy, executive director of facilities management for the district.

Beginning with an elementary school scheduled to open in August, Collier County schools will become two-story buildings, with one main access point, Hardy tells the newspaper. Three like-schools are scheduled to open in 2008, he adds.

"There are 70 ways to get onto our campus through 70 doors," says John Kasten, current principal of the open-air Oakridge Middle School. "In a self-contained school, there is one main entrance, so we know who's coming onto campus, and we can get a good picture of them on security cameras when they come in."

"The wide-open campus is wonderful, but we have to be very careful today," adds Jan Messer, current principal at Golden Terrace Elementary. "I prefer (a two-story building), because it's easier to secure and monitor."


Will the rapid rise of cyber-crime continue in 2007?

Left to itself, it just gets worse...

Will the rapid rise of cyber-crime continue in 2007?

Jan 2, 2007 3:48 PM

Computer security experts say 2006 saw an unprecedented spike in junk e-mail and sophisticated online attacks from increasingly organized cyber crooks. Few of them believe 2007 will be any brighter for the millions of fraud-weary consumers already struggling to stay abreast of new computer security threats and avoiding clever scams when banking, shopping or just surfing online, according to a Washington Post report.

One of the best measures of the rise in cyber-crime this year is spam. More than 90 percent of all e-mail sent online in October was unsolicited junk mail messages, according to Postini, a San Carlos, Calif.-based e-mail security firm. The volume of spam shot up 60 percent in the past two months alone as spammers began embedding their messages in images to evade junk e-mail filters that search for particular words and phrases.

As a result, network administrators are not only having to deal with considerably more junk mail, but the image-laden messages also require roughly three times more storage space and Internet bandwidth for companies to process than text-based e-mail, Daniel Druker, Postini's vice president of marketing, tells the newspaper.

Spam volumes are often viewed as a barometer for the relative security of the Internet community at large, in part because most spam is relayed via "bots," a term used to describe home computers that online criminals have compromised surreptitiously with a computer virus or worm. The more compromised computers that the bad guys control and link together in networks, or "botnets," the greater volume of spam they can blast onto the Internet.

"Botnets have become the moving force behind organized crime online, with a low-risk, high-profit calculation," Gadi Evron, a botnet expert who managed Internet security for the Israeli government before joining Beyond Security, an Israeli firm that consults with companies on security, tells the Washington Post. He estimates that organized criminals would earn about $2 billion this year through phishing scams.

Another interesting measure of the growth of online crime is data showing that criminal groups have shifted their activities from nights and weekends to weekday attacks, suggesting that online crime is evolving into a full-time profession for many.

Cuptertino, Calif.-based Internet security provider Symantec Corp. found that the incidence of phishing scams dropped significantly on Sundays and Mondays in the United States. "The bulk of the fraud attacks we're seeing now are coming in Monday through Friday, in the 9-5 U.S.-workday timeframe," Vincent Weafer, director of security response at Symantec, tells the newspaper. "We now have groups of attackers who are motivated by profit and willing to spend the time and effort to learn how to conduct these attacks on a regular basis. For a great many online criminals these days, this is their day job: They're working full time now."

2006 brought a steep increase in the number of software security vulnerabilities discovered by researchers and actively exploited by criminals. The world's largest software maker, Microsoft Corp., this year issued software updates to fix 97 security holes that the company assigned its most dire "critical" label, meaning hackers could use them to break into vulnerable machines without any action on the part of the user. In contrast, Microsoft shipped just 37 critical updates in 2005.



Made4biz Security Translating real-world security knowhow into state of the art security systems.
Made4biz Security

Turn on Sound for Demos:
Bill Gates Demo (Location-based)
Elvis Demo (Location/Context-based)
Clint Eastwood Demo (Temporal-based)

Powered by Blogger

Subscribe to
Posts [Atom]

Technorati Profile

RSS Syndication

Made4Biz Security Inc