Banking and Financial Services Community

21 Oct, 2021 11:33 AM

I would like to thank Hector for putting together the Banking & Financial Services Community Newsletter. If you are interested in assisting the community in the development of the newsletter, please reach out to Hector or me.

 

Hybrid GSX Demonstrates Strength of the Security Community, Attracting 8,600 Global Registrants

The synchronous portion of Global Security Exchange (GSX) 2021 has concluded at the Orange County Convention Center in Orlando, FL. Presented by ASIS International, the world's largest association for security management professionals, the event offered discussion and idea exchange for the global security community. Attendance exceeded projections, with 8,600 registrants from more than 80 countries and 300 exhibitors demonstrating the latest security solutions. More than 7,200 of the registrants were for the in-person portion of the event.

Council Leadership

Omar Valdemar, CPP
Council Chair
omar.valdemar@CNB.com

David Aflalo, CPP
Council Vice Chair
david.aflalo@gmfinancial.com

Steve Ryker, CPP
Council Vice Chair
rykersstl@wellsfargo.com

Stephanie Clarke, CFSSP
Council Secretary
stephanie_a_clarke@keybank.com


“I’m proud of my friends and colleagues for arranging what is by all metrics a fantastic GSX,” said John A. Petruzzi, Jr., CPP, 2021 president, ASIS International. “We’ve received an overwhelming response from exhibitors and attendees commenting on the high quality of this year’s show. We’re pleased that the new event footprint—placing learning theaters in the exhibit hall—was well received, allowing for ease of access between our event’s best-in-class education and the solutions offered by our exhibiting companies. I’m incredibly thankful to our show’s international contingent for the lengths that they went to in order to gather here in person. The dedication of these individuals just proves the commitment of our profession to make GSX the industry’s premier event.”

 

GSX 2021 kicked off on Wednesday 15 September with a digital preview event that featured a Security 2030: Crossroads of Innovation and Transformation general session presentation from #1 bestselling author and motivational speaker Erik Qualman. From this date, attendees were able to get acquainted with the digital platform and prepare their game plan for the remainder of the event.

 

The main event began on Monday 27 September. Following an 8:30 am How to Make Time Your Ally, Not Your Enemy general session presentation by bestselling author Daniel Pink, the exhibit hall opened at 9:30 am—marking a change to the GSX footprint where the exhibit hall is now open each day of the in-person event. Exhibiting companies Azena, Boon Edam, Cognyte, Cloudastructure, Evolv Technology, Everbridge, OnSolve, RaySecur, Smiths Detection, Trackforce Valiant, and Thermal Radar debuted products in the GSX exhibit hall. On Tuesday 28 September, award-winning journalist Amanda Ripley gave a general session presentation examining Breaking the Spell of High Conflict.

 

Military and Law Enforcement Appreciation Day (MLEAD), the final day of GSX, featured a Leading Through Uncertainty general session presented by Lieutenant General (ret) Nadja West. As a thank you to all active duty and veteran military, law enforcement, and first responders, these groups were invited to attend GSX for free this day. More than 90 individuals registered using the MLEAD discount code.

 

New to GSX this year was SM Live, a daily broadcast featuring conversations between industry leaders and editor-in-chief of ASIS International’s award-winning Security Management magazine, Teresa Anderson. In all, SM Live shared 20+ discussions about topics ranging from digital transformation to workplace violence.

Daily Game Changer sessions provided panel discussions focusing on new and future-focused strategies to elevate professionals’ expertise in key areas of security management—tackling cyber threats, employee mental health and wellness, and management lessons from female military leaders.

 

Sessions from the technology-focused X Stage in the exhibit hall touched on issues regarding robotic process automation, ransomware, facial recognition, autonomous vehicle safety, and more.

While the in-person portion of GSX has concluded, on-demand broadcasts of all sessions will be available to All-Access attendees through the digital platform until the end of 2021. During encore events taking place 20 October and 10 November, ASIS will rebroadcast top-attended sessions from GSX with presenters in attendance to answer audience questions in real-time.

 

The industry is excited for GSX 2022, taking place 12-14 September in Atlanta, GA—advance booth space selection for GSX 2022 represents more than 90% of GSX 2021’s exhibit floor space. For more information about this year’s show, upcoming encore events, or GSX 2022, visit GSX.org.

 

SECURITY NEWS

 

Securing Financial Institutions: Four Ways Modernizing Physical Access Control Promotes Strong Network Security

Security Technology, 6/1

 

The financial services (FinServ) sector must meet a high bar when it comes to security. Facing constant risk of physical and cyber breaches, financial institutions must safeguard not only their employees and guests at physical locations, but also vast monetary resources, along with the data stores of customers’ financial and personally identifiable information (PII).

 

Adding to the risk, legacy and fragmented physical access control systems (PACS) persist as financial institutions largely manage multiple facilities across regional, national, or global locations. At the same time, the rise in cybersecurity threats has elevated the stakes as physical and logical access increasingly converge, requiring Security and IT team collaboration. Without collaboration it becomes easier for attackers to compromise physical access to networks and digital resources, leading to loss of institutional assets, compromised PII, and damage to an organization’s brand reputation.

 

To mitigate the growing cyber and physical security risks, FinServ institutions must migrate from legacy access control technology to more secure solutions, like high-frequency smart cards and mobile-enabled, multi-tech readers. Such a move supports the convergence of physical and logical access control — securing physical spaces containing critical data while boosting network security, a key requirement in the industry.  “In the financial industry, we are regulated, and we are required to protect our customers' information, and when we don't it can be very expensive and very embarrassing. There is a high reputational risk.” – A FinServ Security Professional, Los Angeles, CA (Omar Valdemar, VP-Manager, Corporate Security Systems, City National Bank).

 

The current credential technologies landscape features a mix of legacy solutions with some modern elements. In some cases, institutions may utilize heterogeneous solutions to address the varied levels of security needed to protect both high- and low-risk areas. Outer perimeters like parking garages and elevator access, often managed by a third party, may employ 125 kHz low-frequency prox or magnetic stripe, while the office suite requires a more secure iCLASS® or Seos® credential, managed by the institution. Layers of access control may be implemented on a single card depending on the party controlling access to the space, or the sensitivity and restrictions required for that line of business.

 

But security professionals know that employing legacy credentials like Prox and magnetic stripe falls short of their desired threat mitigation. According to a survey of 96 FinServ security and IT professionals conducted by ASIS International and HID Global, just 45 percent say their current solutions — including credentials as well as readers and controllers — satisfy essential requirements, and a slim 14 percent say their current deployments exceed requirements. More than 50 percent say their readers and controllers are three to six years old or older. More worrisome, under six percent say their existing physical access control system meets or exceeds their current and planned requirements.

 

Executive Arrested and Charged for Bribery and Money-Laundering Scheme

Department of Justice, 6/4

 

A South Florida resident was arrested yesterday in Miami on charges related to his alleged role in a scheme to bribe Venezuelan officials and launder funds to obtain contracts from Venezuela’s state-owned and state-controlled energy company, Petróleos de Venezuela S.A. (PDVSA), and Venezuela’s state-owned and state-controlled food company that purchased food for Venezuela, Corporación de Abastecimiento y Servicios Agrícola (CASA). 

According to court documents, from 2010 continuing through at least September 2017, Naman Wakil, 59, of Miami, a Syrian national and U.S. lawful permanent resident, allegedly conspired with others to make bribe payments to CASA officials and officials at joint ventures between PDVSA and various foreign companies in the oil-rich Orinoco belt of Venezuela. Wakil allegedly paid these bribes to obtain at least $250 million in contracts to sell food to CASA and do business with the PDVSA joint ventures, including obtaining highly inflated contracts (worth at least $30 million) to provide goods and services to the PDVSA joint ventures. Wakil laundered funds related to the bribery scheme to and from bank accounts located in south Florida and purchased 10 apartment units in south Florida, a $3.5-million plane and a $1.5-million yacht, among other things. Wakil also used a portion of the funds to make payments to or for the benefit of the Venezuelan officials.

 

Wakil is charged with conspiracy to violate the Foreign Corrupt Practices Act (FCPA), violating the FCPA, conspiracy to commit money laundering, international promotional money laundering and three counts of engaging in transactions involving criminally derived property. If convicted, Wakil faces a maximum penalty of 80 years in prison. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

 

Don’t Lose the Democratizing Effect of Remote Work

Harvard Business Review, 6/4

 

People are calling it “the big quit.” Employees are leaving workplaces that don’t suit their needs anymore, as more and more organizations return to in-person work after more than a year of working remotely. Half of workers now report that they will not return to jobs that do not offer remote work.  The good news for employees is that 90% of large companies are embracing the hybrid model, which combines on-site work with remote work, according to a recent McKinsey survey of 100 executives at large organizations. The not-so-good news is that mishandling the transition to hybrid work threatens to reinforce social inequalities and jeopardize companies’ diversity, equity, and inclusion (DEI) efforts.  Employers should follow five simple steps to set up a hybrid workplace that ensures historically excluded groups won’t see setbacks:

 

Step 1: Set your target return date and give employees plenty of notice.

 

Make sure to give employees at least 45 days’ notice to prepare for their return. Employees may need to make or revise child or eldercare arrangements, or to request and set up accommodations. Plenty of advance warning also gives employers a chance to make sure they are complying with all safety laws and recommendations, and it gives HR staff time to review accommodation requests. When you have chosen your date, let employees know with a thoughtfully crafted return-to-work announcement where you also share your safety plan.

 

Step 2: Recognize that some workers have a legal right to remote work.

 

The shift to remote work has been great for many employees with disabilities. The Americans with Disabilities Act entitles disabled employees to reasonable accommodations that do not impose an undue hardship on their employers. This means that employers that abruptly ordered everyone back to work are likely to get sued. Even if you were not accommodating an employee with a disability before the pandemic, the fact that that person has been working remotely for over a year can serve as evidence that a permanent accommodation does not present an undue hardship to the employer.  Other workers may also have rights to continue remote work. Employees who are pregnant or breastfeeding may be legally entitled to workplace accommodations, too, under federal and/or state laws.  An organization’s abrupt order of all workers back to on-site work also risks a legal challenge if the order has a disproportionate impact on women — and that’s a lot of organizations. The ACLU sued South Carolina alleging exactly that.

 

Step 3: Create a hybrid model policy that works for your organization.

 

Start by asking employees what they want. You may be surprised to learn how many employees are unwilling or unable to return to the office full time. Exploring what your workers want — and the barriers they are facing — may lead to a discovery that you can actually deliver many of the things they are looking for and keep you from losing top performers.  Hybrid work (where some employees are remote and some work in-person) is different from having all employees either remote or in-person. There are many different formats to consider:

 

  • Each employee works some days in the office.
  • Some employees are always remote, while some are always in person.
  • Employees can change work schedules depending on seasonal or external demands.

 

Think about what the hybrid format you are choosing means for your company and whether you want to have the same format across the organization or leave it up to departments or teams. This may mean you need to reconsider the size and setup of your office.

 

Step 4: Take action to avoid on-site favoritism. 

 

On-site favoritism is when employees who work on site get more advancement opportunities than employees who don’t. If more women and people of color choose hybrid schedules, and more men and white people choose to be fully on-site, the results are predictable. Research shows that on-site favoritism will predictably happen unless organizations take steps to ensure it doesn’t.

 

Step 5: Rethink meetings.

 

Meetings with a hybrid team can be tricky. Instead of trying to hold meetings with some employees around a table and others calling in, consider holding meetings as all-remote or all in-person. That way, nobody has the upper hand — and you won’t miss out on hearing insights from your remote workers. If you don’t take any actions, the same problems that would come up for women and people of color in meetings before the pandemic — getting interrupted, getting floor time, or even being invited to the meeting — are likely to be exacerbated for your remote workers.  While you’re at it, pay attention to your meeting schedule. If meetings are taking place in the evenings or at the school drop-off time, that can make it difficult or impossible for parents and caregivers to attend. Consider setting up “core hours” where all team members are expected to be available and make an effort to schedule meetings during those times. And don’t forget to account for remote employees who may be working in different time zones.

 

Switching to hybrid work is going to require thoughtful and careful planning, but it’s an opportunity to shape future of work. If employers do things right, they will democratize access to remote work and equalize access to career-enhancing opportunities at their organizations — and they can expect to see better retention of top talent as a result.

 

Stop Holding On to an Outdated Access Control System

Security Technology, 6/5

Maintaining a legacy access control system is time-consuming and expensive. And while it continues to protect your people and assets, it exposes you to new threats, such as cyberattacks, and can’t keep up with your organization’s changing needs.  Migrating to a new system might seem like a daunting task, but it doesn’t have to be.

A Proven Recipe for a Successful Migration

 

1 - Project management: Clearly define scope of work and responsibilities

 

Many individuals are involved in the migration process: the system integrator, the provider, and the end-user. It’s essential to define a clear scope of work and identify individual responsibilities that will evolve with the project.

Genetec uses a handheld approach to ensure that all elements of the project have been taken into consideration and that the right people are in place for a successful deployment.

 

2 - Communication is key: Communicate early and often

 

Proper communication is essential. Scheduling regular calls with stakeholders early on is important for laying out what is being done, when, and the impact it will have. Regular updates through dashboards also lets leadership easily track the project’s progress.

 

3 - Standardized documentation: Use documentation to standardize processes worldwide

 

It’s equally important to customize those documents for your project. Standardize them to your needs so you can streamline the process globally. Finally, ensure that all documentation is deposited in a central location that can be easily accessed by all stakeholders.

 

4 - Phased approach: Use a phased approach for deploying your system

 

It's best practice to use a phased approach for migrations, especially when multiple sites and locations must be converted. Start with smaller locations that have little impact on your operations. Use these sites for lessons learned as you move on to larger, more complicated installations.

 

5 - Secure your organization now and for the future

 

Do not let misgivings about the access control migration process prevent you from anticipating threats and proactively planning to address them. By modernizing your system, you will be able to tap into the benefits of an open and unified solution.

 

FBI Reports Another Rise in Hate Crime in 2020

Today in Security, 9/1

 

Hate crime in the United States hit a 12-year high in 2020, according to the latest numbers from the FBI.

The FBI received reports of more than 10,000 offenses that were motivated by bias against race, gender, sexuality, religion, or disability in 2020, and the number of crimes against Asian and Black Americans surged 70 and 40 percent, respectively. Hate crimes in the United States have increased almost every year since 2014.

The United States saw reported hate crimes rise in 2019 to their highest level in a decade. This, researchers say, did not happen in a vacuum.

 

In 2020, there were 7,554 single-bias incidents and 205 multiple-bias hate crime incidents. Among single-bias cases, 61.9 percent of victims were targeted because of race, ethnicity, or ancestry, 20.5 percent because of their sexual orientation, 13.4 percent because of their religion, and 2.5 percent because of their gender identity.

Many law enforcement agencies are not required to report hate crime incidents to the FBI, and many victims never come forward, so these numbers are likely significantly lower than the actual rate of hate crime.

The majority of reported cases against persons were classified as intimidation (53.4 percent), followed by simple assault (27.6 percent) and aggravated assault (18.1 percent). There were 22 murders and 19 rapes that were reported as hate crimes in 2020.

 

Among known offenders—meaning that some aspect of the suspect was identified—55.2 percent were white, and 20.2 percent were Black.  Among victims, Black Americans had the highest percentage of reported incidents—amounting to 2,755. There were 274 anti-Asian hate crimes in 2020, which some advocates link to anti-Asian rhetoric around the COVID-19 pandemic, according to the BBC.

At the beginning of the COVID-19 pandemic, the FBI warned that it expected a surge in hate crimes against people of Asian descent. Recent data is proving that to be true.

 

According to the Center for the Study of Hate and Extremism at California State University, anti-Asian hate crimes spiked 149 percent across 16 of the largest cities in the United States between 2019 and 2020.

Location-wise, 28.3 percent of reported hate crimes occurred in or near residences, and 19.9 percent occurred on highways, roads, alleys, streets, or sidewalks.

 

CYBER NEWS

USB Cyber Threats Are on the Rise. Here’s What You Can Do to Stop Them

Security Technology, 8/1

 

The year 2020 was an unprecedented one on many levels. Alongside the devastating health impact of COVID-19, the pandemic unleashed a wave of new cybersecurity challenges as many businesses shifted to a work-from-home model. One of those challenges was rising USB threats that can cause serious and costly business disruptions. These threats rose dramatically during a year in which the usage of removable media and network connectivity skyrocketed as more and more employees worked remotely.

Indeed, the work-from-home revolution led to a growing dependence on removable media. That’s likely one of the reasons the use of USB media climbed by 30 percent in 2020 compared to the previous year, according to the 2021 Honeywell Industrial USB Threat Report. The report, based on anonymized cybersecurity threat data collected, aggregated, and analyzed from hundreds of industrial facilities globally, also found that 37 percent of cyber threats in 2020 were specifically designed to utilize removable media—almost doubling from 19 percent in 2019.

 

The research highlights the growing and pernicious nature of USB-borne threats. In fact, 79 percent of cyber threats found on USBs in 2020 were capable of causing critical disruptions in operational technology (OT) environments, up from 59 percent the previous year. Along with USB attacks, the report reveals a rising crescendo of cyber threats associated with USB removable media including remote access, Trojans, and content-based malware, which all have the potential to severely cripple industrial infrastructure.

 

The reality is that even though many industrial and OT systems are air-gapped or cut off from the Internet to shield them from cyber threats, adversaries are using removable media and USB devices as an initial attack vector to penetrate networks and open them up to major attacks. And once those back doors are open, cybercriminals can then establish remote connectivity to download additional payloads, exfiltrate data, and establish command and control.

 

Another interesting trend identified in 2020 is the growing number of threats targeting altered or infected documents, with 12 percent of the total threats detected leveraging native document structures with embedded scripts and macros. This rise in content-based malware likely corresponds to the shift toward remote work in 2020 and underscores the fact that cyber criminals were savvy enough to make adjustments to take advantage of these organizational changes.

Several factors clearly indicate that the bad guys are deliberately targeting USBs to circumvent the air gap that protects industrial environments. The first indication is the use of malware specifically designed to propagate via USB media. Combined with a high concentration of malware that seemed to target OT, and an even higher concentration of malware designed to establish persistent remote access, it’s easy to infer the intent. Clearly, adversaries see USBs as an initial penetration vector and are leveraging removable media as part of a larger cyber-attack campaign on industrial operators.

 

So, what can be done in the face of USB-borne cyber intrusions that are growing in strength and volume? Well, organizations must adopt a formal security program to protect against intrusions and avoid potentially costly downtime.  To combat USB-related threats, organizations need several layers of OT cybersecurity that can deliver advanced threat detection for critical infrastructure by monitoring, protecting, and logging use of removable media throughout industrial facilities. This includes the ability to monitor for vulnerabilities such as open ports or the presence of USB security controls to strengthen endpoint and network security, while also ensuring better cybersecurity compliance.

 

Detecting malware is more complex than ever and, unfortunately, no single malware detection tool or technology will ever be completely effective. This is especially true as new malware variants come on the scene at alarming rates—as many as 220 million per year. The sheer volume of threats in existence makes it ever-more difficult to maintain strong detection efficacy.  However, organizations can improve detection by using a layered detection and response strategy. This involves leveraging the specific strengths of certain techniques against specific classes or families of malware. One such approach is to use a tool that proactively combines and correlates the latest security research to identify emerging threats as early as possible in a malware’s lifecycle. Doing so allows organizations to gain visibility into these early day threats. These are threats that many commercial anti-malware software solutions might not catch simply due to the growing volume of sophisticated malware that is capable of evasive behaviors.

 

The bottom line is that more threats are attempting to enter industrial environments, and these threats are more sophisticated than ever, resulting in a clear and present danger to operations. USBs are a prime target because they provide an easy entry point that can then be exploited by the bad guys to wage larger cyber campaigns against industrial targets. Organizations are advised to be aware of these attacks and show continued diligence in defending against the growing USB threat.
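The monitoring and logging of removable media that the article calls for can start from a host's own kernel log. The following is an added example in Python (not code from the article or from the Honeywell report): it parses constructed Linux kernel USB messages, keeps only mass-storage attachments, and checks each against a hypothetical allowlist of sanctioned transfer drives; the host name, log lines and allowlist entries are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample kernel log lines (not from the article): a sanctioned transfer
# drive, an unknown flash drive and a keyboard attach to OT workstation eng-ws1.
SAMPLE_LOG = """\
Mar 12 08:14:02 eng-ws1 kernel: usb 1-1.3: new high-speed USB device number 5 using xhci_hcd
Mar 12 08:14:02 eng-ws1 kernel: usb 1-1.3: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
Mar 12 08:14:02 eng-ws1 kernel: usb 1-1.3: Product: Transfer Drive
Mar 12 08:14:02 eng-ws1 kernel: usb 1-1.3: SerialNumber: OT-TRANSFER-0001
Mar 12 08:14:02 eng-ws1 kernel: usb-storage 1-1.3:1.0: USB Mass Storage device detected
Mar 12 09:02:41 eng-ws1 kernel: usb 1-1.4: new high-speed USB device number 6 using xhci_hcd
Mar 12 09:02:41 eng-ws1 kernel: usb 1-1.4: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 2.00
Mar 12 09:02:41 eng-ws1 kernel: usb 1-1.4: Product: Flash Disk
Mar 12 09:02:41 eng-ws1 kernel: usb 1-1.4: SerialNumber: 9F3A1C
Mar 12 09:02:41 eng-ws1 kernel: usb-storage 1-1.4:1.0: USB Mass Storage device detected
Mar 12 09:30:10 eng-ws1 kernel: usb 1-1.2: new low-speed USB device number 7 using xhci_hcd
Mar 12 09:30:10 eng-ws1 kernel: usb 1-1.2: New USB device found, idVendor=1111, idProduct=2222, bcdDevice= 1.10
Mar 12 09:30:10 eng-ws1 kernel: usb 1-1.2: Product: Keyboard
"""

# Hypothetical allowlist of sanctioned transfer drives as (idVendor, idProduct, serial).
# A malicious device can forge these values, so pair this audit with a scanning kiosk.
ALLOWLIST = {("1234", "5678", "OT-TRANSFER-0001")}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<driver>usb|usb-storage) (?P<dev>\S+): (?P<msg>.*)$"
)
ID_RE = re.compile(r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")

@dataclass
class UsbDevice:
    host: str
    port: str
    first_seen: str
    vid: str = ""
    pid: str = ""
    product: str = ""
    serial: str = ""
    mass_storage: bool = False

def parse_usb_events(lines):
    """Group kernel USB messages by (host, port) into one record per plug-in."""
    devices, current = [], {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        host, port, msg = m["host"], m["dev"].split(":")[0], m["msg"]
        key = (host, port)
        # "new ... USB device number N" opens enumeration of a freshly plugged device
        if "USB device number" in msg or key not in current:
            current[key] = UsbDevice(host=host, port=port, first_seen=m["ts"])
            devices.append(current[key])
        dev = current[key]
        ids = ID_RE.search(msg)
        if ids:
            dev.vid, dev.pid = ids.group(1), ids.group(2)
        elif msg.startswith("Product: "):
            dev.product = msg[len("Product: "):]
        elif msg.startswith("SerialNumber: "):
            dev.serial = msg[len("SerialNumber: "):]
        elif m["driver"] == "usb-storage" and "Mass Storage" in msg:
            dev.mass_storage = True
    return devices

def audit(log_text, allowlist=ALLOWLIST):
    """Return one finding per removable-media attach; keyboards and the like are skipped."""
    findings = []
    for d in parse_usb_events(log_text.splitlines()):
        if not d.mass_storage:
            continue
        sanctioned = (d.vid, d.pid, d.serial) in allowlist
        findings.append({"time": d.first_seen, "host": d.host, "port": d.port,
                         "device": f"{d.vid}:{d.pid} {d.product}", "serial": d.serial,
                         "verdict": "allowed" if sanctioned else "ALERT unsanctioned removable media"})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['port']} {f['device']} sn={f['serial']}: {f['verdict']}")
```

On a real host the same parser can be fed from the system journal or syslog forwarder, and the findings shipped to the SIEM alongside the content scan results from the media kiosk.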

 

Cybersecurity and Physical Security Convergence

ASIS Blog, 10/6

 

In our current connected operating environment, the allure of digital transformation and innovation has led security leaders to embrace digitalization as a means to enhance both efficiency and profitability. The adoption and integration of IoT and IIoT devices has led to an increasingly interconnected mesh of cyber-physical systems, which expands the attack surface and blurs the once clear functions of cybersecurity and physical security.

 

Megan Knodell, program lead for the United States Cybersecurity and Infrastructure Security Agency (CISA), is leading a Cybersecurity and Physical Security Convergence webinar on 26 October. Supported by the ASIS Information Technology Security Community, this webinar is presented as a free resource for security professionals as part of Cybersecurity Awareness Month.

 

Why should security professionals have convergence on their radar?  Together, cyber and physical assets represent a significant amount of risk to physical security and cybersecurity – each can be targeted, separately or simultaneously, to result in compromised systems and/or infrastructure. Yet, despite a general consensus around these interconnected risks, physical security and cybersecurity divisions are often still treated as separate entities.

 

When physical security and cybersecurity divisions operate in siloes, they lack a holistic view of security threats targeting their enterprise. As a result, successful attacks are more likely to occur. Organizations can overcome the potential risks of siloed security functions by implementing this concept of formal collaboration between cybersecurity and physical security functions. The benefits of this formalized collaborative approach often outweigh the challenges of organizational change efforts and enable a flexible, sustainable strategy that is anchored by shared security practices and goals.

 

What advice would you give security professionals interested in convergence?  CISA recommends critical infrastructure organizations and security professionals consider establishing formal collaboration between CSO and CISO departments.  A structured approach to converge security functions will enhance an organization’s ability to:

  • communicate across the security enterprise;
  • identify physical-cyber risk;
  • align cyber and physical security policy and goals; and
  • coordinate incident response.

 
