Security News And Views


Equifax will be first of many victims of Apache Struts vulnerability, says cyber specialist

PATCHING PROBLEMS Equifax is probably just the first known victim of a software vulnerability that could take years to remedy, a top cyber expert has warned. Credit monitoring company Equifax recently revealed that hackers gained access to names, social security numbers, dates of birth, addresses and driver's license numbers of 143 million Americans between mid-May and July of this year. Credit card numbers for about 209,000 US consumers were also accessed.

Traced to a vulnerability in a web app framework called Apache Struts, CVE-2017-5638, the Equifax breach is the biggest-ever theft of social security numbers, eclipsing the 2015 hack at health insurer Anthem Inc that exposed the personal data of 80 million people. While it isn't the biggest data breach in history (Yahoo claims that mantle), it could be the most damaging, because the data stolen is routinely used to verify people's identity by banks and other institutions. A patch for Apache Struts, a commonly used open source component used by companies to absorb and process data, was apparently available at the time of the breach.

Unpatched systems

According to Flexera's Vulnerability Review 2017, patches were available at the time of disclosure for 81% of the vulnerabilities in 2016. The WannaCry attacks in May also exploited unpatched systems, which hackers can do faster than organisations can patch them up. "Equifax is probably just the first known victim," said Jeff Luszcz, vice president of product management at Flexera, which provides tracking for open source components, vulnerability intelligence and tools to simplify remediation. "Once a case like this hits the news, it ignites the fire in the cybercrime community and hackers start poking around for new opportunities. We should expect a long tail of incidents and breaches in the months and potentially years to come, as we still see attacks targeting Heartbleed, a vulnerability more than three years old."

Offering tips on how organisations can protect themselves, Kasper Lindgaard, senior director of Secunia Research at Flexera, said: "Patching this type of vulnerability is certainly not as simple as patching a desktop application. When it comes to vulnerabilities affecting the software supply chain, it's important to align software design and engineering, operational and security requirements. This isn't an easy task. However, the time frames of initial disclosure of the vulnerability and its patch on March 7, up to two months before the first reported unauthorised access at Equifax, and the further delay of the actual detection of the breach on July 29, currently indicate that the vulnerability was not handled with the priority that it should have. This is a common issue across industries that business leaders need to address rather sooner than later."


Watch: The consequences of badly specified and fitted fire doors plus 5 tips for getting it right

FIRE DOOR SAFETY WEEK The video below demonstrates how badly an incorrectly specified and installed fire door performs during a fire, however smart it might appear to the untrained eye. Produced by the BWF Certifire Fire Door Scheme, it shows footage of a live fire door test, pitting a fully compliant fire door against a badly fitted equivalent. The video, put together for Fire Door Safety Week, also details a simple five-step checklist to ensure your fire doors are specified and installed properly.

IFSEC Global is proud to support Fire Door Safety Week, which runs from 25 September to 1 October.

You can pledge your support for the campaign here, by tweeting under the hashtag #FireDoorSafetyWeek, and by sharing or using the wealth of resources found in the campaign's toolkit.


Shocking levels of neglect and complacency among responsible persons reported by fire installers

More than a third of installers report that up to 80% of sites they visit don't comply with fire safety regulations, research from Hochiki Europe has revealed. Based on feedback from installers across Europe, the survey also found that more than 60% of respondents attended sites at least once a month where the responsible person for fire safety was unknown. Almost a third (32%) regularly encountered buildings with poorly positioned or outdated life safety equipment.

Asked about systems maintenance, 70% of installers got the impression their customers generally saw the upkeep of life safety systems as merely a "tick-box exercise", with just 11% believing they recognised it as a potentially property- and life-saving process. Two in five (40%) installers say their customers are not even aware of their legal obligations regarding system maintenance. On average, 55% of fire detection logbooks and 64% of emergency lighting logbooks were not up to date, despite these being legal requirements.

Top 5 maintenance and emergency lighting issues

Asked what the most commonly encountered fire safety maintenance issues were, installers most frequently cited the following:

1. Change of building/room use without correctly altering the fire system (50%)
2. Inadequate logbook records (43%)
3. Original installer didn't install the best system for the environment (40%)
4. Detectors need cleaning (32%)
5. Detectors need replacing (26%)

The top five emergency lighting maintenance issues, meanwhile, were:

1. Broken/faulty lamps (44%)
2. Inadequate logbook records (42%)
3. Inadequate emergency lighting signage (39%)
4. Batteries not charged in emergency lighting units (35%)
5. Inadequate lux levels (25%)

"Having a correctly designed safety system installed by a qualified engineer in a building is vital when it comes to protecting lives," said Tracy Kirk, general manager of sales and marketing for Hochiki Europe. "This being said, a fire detection device or emergency lighting unit can only safeguard occupant safety if it is in working order. This year's installer study has resulted in some stark findings for the industry and sheds light on serious gaps in terms of our customers' attitudes towards life safety in Europe. It's clear that there needs to be an increased focus on educating duty holders throughout our built environment on how important it is to look after life safety systems. Those with the responsibility of system upkeep should also ensure they are up to speed with the latest legislation and regulations to keep building occupants safe."

Hochiki Europe offers training courses and technical information to support building owners and facilities managers in understanding their legal obligations and how to protect assets and building occupants.


Deliveries on your doormat even if you're out, thanks to a smart new service from ASSA ABLOY and PostNord

In Sweden, a new smart door lock from ASSA ABLOY is making the "While you were out" delivery card a thing of the past. PostNord customers can now choose to have parcels delivered inside their front door, if it is equipped with an ASSA ABLOY smart lock. "It should be simple and convenient to shop online," says Johan Hellman, Head of eCommerce at PostNord.

"We'll now be able to deliver items inside the front door in a secure way. The recipient doesn't need to be at home or be available at a particular time, which makes it both simple and convenient."

The new service works via a PIN code issued automatically to an authorised PostNord delivery driver. The code opens a recipient's front door just once, so PostNord can leave a parcel on the inside. Now, there's no need for customers to wait in all day, or make a special journey to a collection point. It's another real-world example of smart door locks making life easier. The new service is simple to operate. Customers select home delivery from a participating e-retailer, in the usual way, and approve a specific delivery time slot using their mobile phone. If customers select home delivery "inside the front door", their PostNord driver automatically receives a single-use PIN code to open the lock.

The code becomes invalid instantly and automatically after delivery; the customer's phone is notified again when the parcel is delivered.

Pilot project

A pilot project is already under way in Lerum, near Gothenburg, in conjunction with some of Scandinavia's major e-retailers. Approximately 100 households are trialling this new, ultra-convenient delivery option. "With new and innovative products, such as our Yale Doorman lock, customers have an opportunity to simply and securely avail themselves of different services without having to be at home," says Kristoffer Wadman, Director Business Development at ASSA ABLOY Scandinavia. The project illustrates one of many ways a smart door lock can boost convenience and security for everyone. With a smart front door, homeowners no longer have to carry cumbersome keys; there's no need to cut a spare set for a cleaner, the kids or a cat-sitter. With a smart lock, you can let guests in remotely via an app, send them a digital key, or provide a temporary or single-use PIN to open the door. Digital keys are also safer than metal ones: they can't be copied or stolen, and can be instantly revoked if they fall into the wrong hands. Find out more about how smart locks from ASSA ABLOY make in-home delivery with PostNord possible.

About ASSA ABLOY

ASSA ABLOY is the global leader in door opening solutions, dedicated to satisfying end-user needs for security, safety and convenience. Since its formation in 1994, ASSA ABLOY has grown from a regional company into an international group with about 47,000 employees, operations in more than 70 countries and sales close to SEK 71 billion. In the fast-growing electromechanical security segment, the Group has a leading position in areas such as access control, identification technology, entrance automation and hotel security.

About PostNord

PostNord is the leading supplier of communication and logistics solutions to, from, and within the Nordic region. We ensure the provision of postal services to households and businesses in Sweden and Denmark. With our expertise and strong distribution network, we put in place conditions for tomorrow's communication, e-commerce, distribution and logistics in the Nordic region. In 2015 the Group had 35,000 employees and sales of around SEK 40 billion. The parent company, PostNord AB, is a Swedish public limited company headquartered in Solna, Sweden. Visit us at www.postnord.com.


GDPR gives CCTV operators chance to "tackle negative image head-on", says white paper

DATA PROTECTION A white paper exploring the implications for CCTV of the forthcoming GDPR has been published by cloud-based surveillance company Cloudview. The General Data Protection Regulation (GDPR) comes into force across the EU including the UK from 25 May 2018. The upper limit of possible penalties has been raised considerably: organisations found in breach of the law could be fined amounts up to 79 times greater than those levied under the existing data protection regime.

"When installing a new system or upgrading an old system, any CCTV user or service provider will be expected to identify security risks and how those risks are to be addressed." (Excerpt from Watching the Watchers)

Watching the Watchers: CCTV, the GDPR and the third wave of Data Privacy Regulation charts the history of data protection law, examines the changes introduced by the GDPR, identifies a shift from "compliance" to "accountability", offers advice to CCTV operators and asks whether the new law might present an opportunity as well as a legal and administrative burden. Indeed, the white paper's introduction offers a positive take on a law that is causing great anxiety for organisations in most sectors: "The CCTV industry has, almost from its inception, been portrayed in popular culture as the unofficial face of unaccountable surveillance overreach and invasion of privacy," it says. "This position has been cemented by a popular perception of a lack of transparency and public engagement on the part of its users. More recently, it has become the unwilling poster child for the hazards of engaging with the Internet of Things. The General Data Protection Regulation (GDPR) thus provides a welcome opportunity for the CCTV industry and its users to tackle this negative image head-on." The paper has been written by Andrew Charlesworth, a reader in IT and Law and director of the Centre for IT and Law at the University of Bristol (CITL). Cloudview, which commissioned the report, provides a service that mobilises cloud computing and IoT technology to centralise and store visual data from CCTV systems, meaning the data can be analysed like any other form of big data. Connected to analogue or IP cameras, Cloudview securely transports visual data to cloud servers that the company says are secure and resilient.

Once stored, it can be instantly accessed, used and managed from anywhere on any device.


Breaking: HID Global to buy Mercury Security Products from ACRE LLC

ACQUISITION HID Global, a subsidiary of ASSA ABLOY, is on the cusp of acquiring Mercury Security Products from ACRE LLC, the group that owns Vanderbilt Industries and ComNet. Founded in 1992, Mercury Security Products supplies OEM access control hardware, with an installed base of four million control panels worldwide. HID Global, which was acquired by ASSA ABLOY in 2000, develops products, services and solutions related to the creation, management and use of "secure identities".

Headquartered in Austin, Texas, the company has over 3,200 employees worldwide and operates in more than 100 countries. Subject to regulatory approval and customary closing conditions, the deal is expected to go through in the final quarter of 2017. Financial terms of the agreement are not being publicly disclosed. Houlihan Lokey Capital Inc and Raymond James & Associates Inc acted as financial advisors to ACRE and Mercury.

Strategic move

"Divesting Mercury after many years of success since ACRE purchased the business in 2013 is a strategic move that allows ACRE to focus on its core access control, video and intrusion businesses under the Vanderbilt and ComNet brands," said ACRE CEO Joseph Grillo. "HID is the perfect home to provide for the continued growth and success of Mercury, which will remain a valued technology supplier to Vanderbilt." We caught up with Grillo, who came third in our roll call of the top 10 influencers among security manufacturers/service providers 2017, at IFSEC 2017, where he emphasised that ACRE is still very much in the market for more acquisitions.

ACRE (Access Control Related Enterprises) has acquired several security businesses since it was formed in 2012 by Grillo, including Schlage SMS from Ingersoll Rand in 2012, Mercury itself in 2013, the Security Products Division of Siemens AG in 2014, and Access Control Technology (ACT) and ComNet in 2016.


GJD detectors and Dahua NVRs now interoperable for detector-activated surveillance

INTEGRATION Network video recorders (NVRs) from Dahua Technology can now integrate directly with IP-based outdoor detectors from GJD Manufacturing. The D-TECT IP range of detectors and Clarius PLUS IP illuminators can now work in concert with Dahua's NVR6-4KS2 range, comprising 4K-capable NVRs aimed at the enterprise space. After GJD's AP was incorporated into special firmware, the NVR can now accept alarms from the detectors and link them to the recorder's functions.

Based on open architecture, the NVR6-4KS2 range supports multi-user access and is compatible with ONVIF 2.4, making it interoperable with third-party 4K cameras. The range also features in-built video analytics for people and object detection, abandoned or missing objects, tripwire detection, people counting and facial detection. GJD's IP detectors, which are BS8418-compliant, can support intruder monitoring, CCTV surveillance and other alarm warning requirements with volumetric and long-range narrow field-of-view sensing. The detectors can also be programmed remotely. "We are thrilled to have integrated our class-leading NVRs with GJD's IP detectors, providing a professional detection and alarm monitoring solution that is a fantastic addition to our security portfolio," said Eric Wang, Head of Product Support for Dahua UK & Ireland. Said GJD managing director Mark Tibbenham: "We are delighted to partner with Dahua Technology, a leading solution provider in the global video surveillance industry. The integration of Dahua's surveillance products with GJD's D-TECT IP motion detectors and Clarius illuminators will provide users with high-quality, reliable and efficient surveillance solutions."


How 360 cameras are a hit in casinos and why Oncam is relishing its Milestone partnership

Oncam is a leader in 360-degree network cameras and recently launched a 360-degree dewarping preview tool and a visualisation tool to give users a way of virtually sampling its signature innovations. To find out more about the company's latest products and strategy for growth, we spoke to Simon Reed, regional sales director for EMEA at Oncam.

IFSEC Global: Hi, Simon.

So how did IFSEC 2017 go?

Simon Reed: It was a super busy show for us. We were, for the first time, exhibiting in the main hall, as one of the partners featured on the Milestone Systems stand. Over the course of three days we did 70 presentations to individual companies, so we felt we had a really good response from the people coming to the booth and hearing about our technology and vertical market offerings. While retail is one of our strongest vertical applications, we have made significant strides within the casino and gaming industry, as well as hospitality, transportation and manufacturing. So overall, the show was good for us as a brand and a team.

IG: Interesting that you have a strong presence in gaming and manufacturing; they must have quite specific requirements?

SR: Yes, they typically do, and this applies to the global market. There are stringent regulations in place that have to be met when implementing security technology, such as video surveillance cameras, and the 360-degree camera we produce does lend itself well to the environment.

An Oncam 360-degree camera can cover an entire gaming table up close or several gaming tables in an area while still maintaining picture quality and retention rates. Within a manufacturing environment, larger areas can be monitored with fewer cameras, which isn't the same with fixed and pan-tilt-zoom cameras that only cover specific focused areas. Additionally, the day-to-day mechanisms in use within the plant can be seen using the advanced picture quality found in Oncam cameras, so security managers can be made aware if people are putting foreign objects into food being processed, for example; so the development of this camera has been a big win for us in these applications.

IG: Did you launch any new products at the show?

SR: While we didn't launch new products, we did demonstrate a rewritten version of our software development kit (SDK) as it works with products from Milestone Systems. As they released their upgraded version of their product line, we delivered our updated SDK, ensuring that our products integrate seamlessly with one another for customers. As a result, we're able to speak with Milestone customers about our technology, and they are able to recommend panoramic cameras like ours to their customers. Over the last year, we introduced our new Evolution Stainless Steel camera in both 5MP and 12MP solutions, which has opened up a world of possibility within the pharmaceuticals, food processing, industrial/chemical plants, ports and marine industries. It was specifically designed to meet the needs of customers operating in more extreme environments, with special attention to ensuring the casing is resistant to corrosion from power washing and extreme heat/cold.

NSF International recently certified the camera in the United States with the NSF mark for food service, and it's the first video surveillance camera to have such a distinction. It also boasts IP69K/IK10 ratings, which make the enclosure resistant to high-pressure water jets, dust and vandalism. It's a very unique offering with multiple uses across applications.

IG: What's the company's strategy? Where are the most auspicious areas for growth?

SR: As we continue to grow and add more technology to our portfolio, there are several vertical market applications that are natural fits for our technology. We have a strong client base in retail, and anticipate adding to that in the coming years, while adding significant presence in the hospitality sector, such as on cruise ships and hotels/resorts. These facilities with their wide-open expanses are ideal for the 360-degree technology we offer. We will also continue to grow within the casinos and gaming market.



Women in Security Awards 2017: Winners announced

Picture above, left to right: Richard Jenkins (NSI), Michelle Bailey (Active Response), Keeley Watson (Wilson James), Samantha Bamford (Pelco by Schneider), Siobhan Plunkett (GSLS), Roy Cooper (Professional Security magazine)

Samantha Bamford from Pelco by Schneider, Michelle Bailey from Active Response, Siobhan Plunkett from GSLS and Keeley Watson from Wilson James have triumphed in the Women in Security Awards 2017. Hosted by the National Security Inspectorate (NSI) and organised by Professional Security Magazine, the ceremony took place on 14 September aboard the Harmony cruise boat of Bateaux London on the River Thames. The awards were founded six years ago by Una Riley, CEO of iAudit Consultants, to recognise the outstanding achievements of women working in the security sector.

Here is confirmation of the victors, chosen from among more than 150 nominations, across four categories:

Technical: Samantha Bamford, Pelco by Schneider
Contribution to industry: Michelle Bailey, Active Response (NSI Guarding Gold-approved)
Best manager: Siobhan Plunkett, GSLS
Frontline: Keeley Watson, Wilson James (NSI Guarding Gold-approved)

Left to right: Richard Jenkins (NSI), Dianne Gettinby (NSI), Javeria Ayaz Malik (ActionAid International), Roy Cooper (Professional Security magazine)

Some 120 guests attended the black tie event, which featured a welcome address from NSI CEO Richard Jenkins and a four-course dinner. Javeria Ayaz Malik, international security advisor and head of the staff security department at ActionAid International, delivered an address on coordinating the organisation's safety and security policy and establishing external relationships with global security networks. Roy Cooper, publisher of Professional Security Magazine, and Una Riley introduced the awards. "It was a pleasure to host these awards and see so many people gather to celebrate achievements of women within our industry," said Richard Jenkins. "The evening was a huge success and we were delighted with the number of nominations received. The security sector has a wealth of varied and fulfilling roles, including product development, technical support, managerial and frontline, and it's encouraging to see more and more women choosing careers which have been traditionally male dominated. I congratulate last night's winners and finalists on their outstanding achievements and contribution and have no doubt they will help to inspire other women to take forward their careers in the security sector." NSI certifies security companies by auditing their compliance with relevant British and European standards, codes of practice and certification schemes.
The IFSEC International team



Three data breaches that should alarm the healthcare industry

Recent data breaches from the past several years seem to be following a trend. More and more target health service providers, and it's little wonder why. Few industries regularly hold as much sensitive data as the health industry.

Everyone, including researchers, insurance providers and doctors, keeps not only sensitive health information, but also billing data and unique identifiers, such as social security numbers. While plenty of legislation aims to provide extra protections for patient data, the fact is that anywhere there are humans, there will be errors. What happens in the doctor's office may not be as confidential as we all hope. Here are three of the most recent data breaches in the health industry.

Anthem Blue Cross Blue Shield

This disaster was one of the biggest data breaches of 2016. The health insurance company is one of the top Medicare providers and partners, and in July, it announced a breach of Medicare members' data. Over 18,000 Medicare recipients received notification that their data was no longer secure. Retirees and the elderly have always been a favorite target for spammers and fraudsters. This breach increases their risk significantly.

According to Anthem, the attack came through one of their vendors, LaunchPoint Ventures.

Indiana Medicaid

Due to an oversight, Indiana's Health Coverage Program left an active hyperlink open that gave direct access to Medicaid recipients' information. This data breach revealed full names, addresses, Medicaid ID numbers, doctor information, patient numbers and more. The state of Indiana had over one million people enrolled in their Medicaid programme this April, and the information was available starting in February of this year. The hyperlink was available to the public, so it's difficult to say who had access to the information. Fortunately, Indiana's Health Coverage Program believes the breach has caused no damage to patients. They have offered all notified individuals a free year of credit protection, however, just to be safe.

Washington State University

This April, Washington State University discovered that a hard drive containing sensitive information concerning survey participants had been stolen. The hard drive was kept in a locked safe, but the safe itself was stolen from storage and has not been found.

Approximately one million individuals may be compromised by this breach. Most survey participants provided names and social security numbers, which are a valuable prize for identity fraudsters. Some participants' health data may also be jeopardized. Although there is no sign of the stolen hard drive or its protective safe, WSU has notified all parties put at risk by the breach. Like Indiana's Medicaid programme, WSU has offered a year of free credit monitoring for every notified individual. The university is also taking measures to upgrade and strengthen security procedures to ensure this kind of incident does not happen again. Unfortunately, these three examples are only the tip of the iceberg. New reports and notifications keep hitting the news. Even doctors aren't safe from ransomware.

Ultimately, there is little patients can do to protect themselves, and the burden of responsibility falls heavily on the healthcare industry itself.
