Showing posts with label Security. Show all posts
Showing posts with label Security. Show all posts

Saturday, 2 November 2013

Senators question security clearance process

Aaron Alexis moves through the hallways of Building #197 carrying a Remington 870 shotgun in this undated handout photo released by the FBI. REUTERS/FBI/Handout via Reuters

Aaron Alexis moves through the hallways of Building #197 carrying a Remington 870 shotgun in this undated handout photo released by the FBI.

Credit: Reuters/FBI/Handout via Reuters

By Deborah Charles

WASHINGTON | Thu Oct 31, 2013 4:41pm EDT

WASHINGTON (Reuters) - Senators on Thursday questioned the government's security clearance process, calling it "shocking" that investigators doing a security check on accused Navy Yard shooter Aaron Alexis did not consult police records before giving him clearance.

In a hearing of the Senate Homeland Security Committee, senators peppered administration officials to explain how "secret-level" clearances could be given without having to check police records even if the applicant for clearance had an arrest history.

They asked Elaine Kaplan, acting director of the Office of Personnel Management for an explanation regarding Alexis, who went on a shooting rampage and killed 12 people plus himself at Washington's Navy Yard last month.

Alexis was a contract employee for the Defense Department and received a "secret" clearance in 2008 despite violent incidents in the past, including a 2004 arrest in Seattle for shooting out a car's tires.

A "secret" clearance is a mid-level security classification that allows the holder access to information considered secret and that could be damaging to national security if released. It falls below the "top-secret" clearance, which requires more frequent background examinations.

Kaplan said when the background check of Alexis was done in 2007, investigators discovered that Alexis had been arrested. But they did not check directly with Seattle police to obtain the arrest warrant, looking only into a Washington state database of court records to discover that the charges for "malicious mischief" had been dropped.

As a result, investigators did not learn that Alexis had shot out a car's tires in anger.

"I find it actually incredibly shocking that we wouldn't pursue a police report in any of these arrest situations, because the nature of the charge, looking at the underlying police report, having been a prosecutor, can tell us very different information," said Republican Senator Kelly Ayotte.

Kaplan said the OPM had followed all required protocols and had met investigative standards.

"Now, what we're looking at right now in the context of the review .. is, well, are the standards up to snuff? Should we be required to get police reports, for example?" Kaplan asked. "Should we be required to get mental health information even from someone who has a secret as opposed to a top-secret clearance? All these things need to be looked at."

Committee Chairman Tom Carper said while the committee had long urged the administration to cut its backlog of security clearance applications, investigators must not sacrifice quality for speed.

"Many national security experts have long argued the security clearance process is antiquated and in need of modernization," Carper said. "And given recent events, I think we have to ask whether the system is fundamentally flawed."

(Reporting by Deborah Charles; Editing by Peter Cooney)


View the original article here

Tuesday, 9 July 2013

Security Think Tank: Prism unlikely to change much

So the spies actually spy. Shock, horror. 

The media was full of the alleged actions of the US government and the existence of a programme called Prism.

Networks and the monitoring of them have been fair game since they came into existence and to believe otherwise is rather naive. One can only hope that any monitoring is appropriate, controlled and legal.

Given that such alleged monitoring activities are likely to be conducted by many nations and, given that those nations will have a pretty good idea what others do, I personally doubt that these revelations will significantly raise the risk level for the US government.

Yes, there will be a blip of increased malicious activity from some quarters against US systems, but upticks of such activity can be generated by many events.  

The public, left to their own devices, will quickly forget.

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.


Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy$("a#eproductLogin").attr('href', function(i) { return $(this).attr('href') + '?fromURL=' + regFromUrl; });

View the original article here

Tougher EU penalties for cyber crime not enough, say security experts

The European Parliament has adopted a draft directive, toughening up the EU’s penalties for cyber crime, but security experts say this is not enough on its own.

The directive also extends EU rules that have been in force since 2005 to cover the use of botnets, the theft of online credentials, and the use of tools that enable cyber crime.

Anyone caught running a botnet of hijacked computers will face a minimum of three years in prison, and anyone attacking critical infrastructure could spend up to five years behind bars.

The directive recommends that criminals involved in some crimes should serve minimum sentences and aims to clamp down on corporate espionage by making companies liable for any online offences committed in their name.

The new rules say companies could be shut down if they hire hackers to attack rivals or steal corporate secrets, according to the BBC.

EU member states have two years to adopt the directive as law, but an existing, unofficial agreement suggests that some countries will not wait that long, according to US reports.

The changes mean the perpetrators of cyber attacks and the producers of malicious software can now be prosecuted, and will face heavier criminal sanctions, according to Cecilia Malmstrom, European commissioner for home affairs.

But security experts point out that tougher sanctions are meaningless if law enforcement authorities are not able to identify and apprehend those behind international cyber crimes.

They say the element of the draft directive that seeks to improve co-operation between EU states to investigate cyber crime is at least as important as tougher sanctions.

To apprehend the criminal masterminds, law enforcement agencies will need to have co-operation with local agencies all around the world

Etay Maor, Trusteer

One of the biggest challenges in bringing cyber criminals to justice is the fact that in most cases they do not reside in the country where the crime takes place.

“Unfortunately, in most cases the people who get caught are the money mules who may not even be aware they are committing a crime, not the bot masters or ring leaders,” said Etay Maor, fraud prevention manager at security firm Trusteer.

To apprehend the masterminds, law enforcement agencies will need to have co-operation with local agencies all around the world, he said.

“This is not an easy task. Cyber criminals know this, and this is why they usually reside in a country where they will stay safe from most western governments,” said Maor.

He believes that cyber criminals will be brought to justice only once tight co-operation between law enforcement agencies around the world is achieved.

“In the meantime, we have to make sure that users' devices stay malware-free and that organisations worldwide have a clear picture of what is targeting them and how they can mitigate the threat quickly and effectively,” said Maor.

Other cyber security experts have suggested that the tactic used by Microsoft, Adobe and others of disrupting the cyber criminal business model is also likely to be more effective than tougher sanctions.

“As long as the cost of data extraction is lower than the value of the data itself, criminal elements will continue to take advantage, irrelevant of the consequences,” said Gavin Millard, technical director for Europe at Tripwire.

“The suggested laws will do little to break these gangs, prevention being far more effective than restriction,” he said.

In January, Brad Arkin, chief security officer at Adobe, told the Security Development Conference 2013 in San Francisco that attackers are economically rational.

“They will always seek to minimise the cost and effort of developing an exploit to take advantage of software vulnerabilities,” he said.

Arkin believes that finding and fixing bugs is a waste of time because it is hugely expensive and there will always be vulnerabilities in code – attackers just have to find one to make it worthwhile.

Mitigation such as sandboxing, he said, is more effective because it changes the cost equation for the attacker.

Similarly, Microsoft’s digital crimes unit (DCU) has recognised the importance of shutting down botnets because they form the backbone of cyber criminal operations.

So far, the DCU, in collaboration with cross-industry partners, has taken down seven major botnets, effectively disabling key cyber criminal infrastructure.


Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy$("a#eproductLogin").attr('href', function(i) { return $(this).attr('href') + '?fromURL=' + regFromUrl; });

View the original article here

Saturday, 6 July 2013

Study Suggests US Health Security Research Not Balanced Enough To Meet Goals

Main Category: Aid / Disasters
Also Included In: Public Health;  Bio-terrorism / Terrorism
Article Date: 05 Dec 2012 - 1:00 PST Current ratings for:
Study Suggests US Health Security Research Not Balanced Enough To Meet Goals
not yet ratednot yet rated
Federal support for health security research is heavily weighted toward preparing for bioterrorism and other biological threats, providing significantly less funding for challenges such as monster storms or attacks with conventional bombs, according to a new RAND Corporation study.

The findings, published in the December issue of the journal Health Affairs, come from the first-ever inventory of national health security-related research funded by civilian agencies of the federal government.

Researchers say recent events such as Superstorm Sandy, tornadoes in the Midwest and major earthquakes around the world highlight the need to prepare the nation's health care system for a broad array of natural and manmade disasters.

"Although disaster preparedness requires active involvement of the private and public sectors, the federal government is the primary sponsor of the basic and applied health research needed to develop new technology and strategies to prepare for and respond to large-scale disasters," said the study's senior author, Dr. Art Kellermann, who holds the Paul O'Neill Alcoa Chair in Policy Analysis at RAND. "Our study suggests the current mix of federally-funded national health security research projects may not be ideally configured for achieving the broad preparedness goals that face our nation."

RAND researchers were asked by federal health officials to conduct a first-ever inventory of non-classified, civilian national health security research funded by the federal government. Military research and internal research conducted by the agencies themselves was not included.

Beginning in 2010, researchers canvassed seven non-defense agencies whose research addresses topics relevant to the objectives of the National Health Security Strategy, a plan completed in 2009 to guide efforts by the government and others to defend the nation from a large-scale public health threats, both natural and manmade.

The agencies surveyed by RAND researchers were the Agency for Healthcare Research and Quality, the Centers for Disease Control and Prevention, the National Institutes of Health, the Department of Homeland Security's Science and Technology Directorate, the Department of Energy, the National Science Foundation and the Veterans Health Administration.

The studies identified spanned a 13-year period, with most awarded between 2003 and 2010 when there was robust federal funding for health security research. The final list totaled 1,593 unique research projects, most of which were funded before the creation of the National Health Security Strategy.

More than 1,000 of the studies (66 percent) were directed toward biological threats, including bioterrorism, emerging infectious diseases, foodborne illness and pandemic influenza.

Fewer than 10 percent of the total pool of projects addressed natural disasters such as earthquakes, hurricanes, tornadoes or floods. The remaining projects addressed threats that were chemical (8 percent), radiological (5 percent), nuclear (4 percent) or explosive (4 percent).

The existing research heavily emphasized basic laboratory research, a likely reflection of the large role of the research sponsored by the National Institutes of Health. Far fewer studies were oriented toward translating basic research into actionable practice, or evaluating promising strategies and techniques to confirm their effectiveness.

RAND researchers say the rationale for the current mix of research projects is not clear. In the course of the project, they observed that each of the agencies studied determines its research priorities with little or no effort to coordinate their decisions with those of other agencies.

"The officials we spoke with were not only willing, but eager, to engage in cross-department information sharing to help the nation develop a more-coordinated and efficient approach to health security research," said Shoshana R. Shelton, the study's lead author and a project associate at RAND.

In order to get more bang for health security research spending, RAND researchers recommend agencies employ a risk-based approach to priority setting that takes into consideration the probability of a threat occurring, the magnitude of damage it could inflict and the availability of countermeasures to limit or reduce its consequences.

In addition, researchers recommend a voluntary process of information-sharing between agencies to improve coordination, and a shared approach to track the progress and results of research projects. This would dramatically improve future efforts to inventory health security research projects and ensure that findings quickly reach the field.

Article adapted by Medical News Today from original press release. Click 'references' tab above for source.
Visit our aid / disasters section for the latest news on this subject. Support for the study was provided by the U.S. Department of Health and Human Services through the Office of Assistant Secretary for Preparedness and Response. Other authors of the study are Kathryn Connor, Lori Uscher-Pines, Francesca Pillemer and James Mullikin.
RAND Corporation Please use one of the following formats to cite this article in your essay, paper or report:

MLA

Corporation, RAND. "Study Suggests US Health Security Research Not Balanced Enough To Meet Goals." Medical News Today. MediLexicon, Intl., 5 Dec. 2012. Web.
5 Jul. 2013. APA

Please note: If no author information is provided, the source is cited instead.


'Study Suggests US Health Security Research Not Balanced Enough To Meet Goals'

Please note that we publish your name, but we do not publish your email address. It is only used to let you know when your message is published. We do not use it for any other purpose. Please see our privacy policy for more information.

If you write about specific medications or operations, please do not name health care professionals by name.

All opinions are moderated before being included (to stop spam)

Contact Our News Editors

For any corrections of factual information, or to contact the editors please use our feedback form.

Please send any medical news or health news press releases to:

Note: Any medical information published on this website is not intended as a substitute for informed medical advice and you should not take any action before consulting with a health care professional. For more information, please read our terms and conditions.



View the original article here