Security Matters | Winter 2010


JANUARY/FEBRUARY 2010

www.SecurityMattersMag.com

2010 SECURITY FORECAST

PREPARATION THE KEY TO SUCCESS

DATA DESTRUCTION MUCH MORE THAN JUST SHREDDING

HD VIDEO THE FUTURE OF CCTV IS HERE

PANIC ROOMS LOSS PREVENTION PANDEMIC PLANNING


Defend Your Network It’s Been Waiting For You Network threats lurk behind every kilobyte. Let Fortinet help you defend your most critical information. From data loss and malware prevention to blocking spam and phishing attacks, Fortinet has your back. Consolidated and efficient security is the key and Fortinet has the tools to get the job done. Learn more about how you can leverage Fortinet’s comprehensive suite of network security solutions and become a FortiHero... it’s what your network has been waiting for.

Become a hero today at www.fortihero.com/matters


Real Time Network Protection.


CONTENTS

Volume 4, Issue 1 January/February 2010

FEATURES

16 LOOMING THREATS In 2010, cloud computing, virtualization and mobility will top the priority list of most IT and security professionals. However, Canadian companies shouldn’t ignore the most important aspect of security: preparedness

18 THE LIFEBLOOD OF CANADIAN BUSINESSES Every company has it, lots of it. It is data and without proper information management and destruction plans, policies and procedures, companies are just asking for a security breach to occur

20 THE ART OF INTELLIGENCE With the help of security analytics, the Edmonton Police Services is reducing crime and increasing the quality of life for all of the city’s citizens

COLUMNS

8 CYBER WATCH Brent MacLean on emerging security risks

10 PRIVACY MATTERS Meaghan McCluskey on how to collect employee information for pandemic planning

12 SECURING YOUR BUSINESS Frank Fourchalk on the benefits of installing panic rooms

DEPARTMENTS

6 NEWS & NOTES Olympics choose Panasonic • Cost of breaches on the rise • Canadian airports get full-body scanners

14 TRY THIS High-definition video surveillance cameras

24 LP CORNER Retailers must learn how to beat shoplifters at their very own game

26 ASK AWAY PCI audits • Airport security • Crime prevention

28 COOL STUFF Intrusion Prevention Systems

29 Q&A Bruce Schneier discusses cloud computing and the power of fear

30 MARKETPLACE

JANUARY/FEBRUARY 2010 • SECURITY MATTERS 3


EDITOR’S LETTER

The Growth of Social Media

It has become the elephant in the room. We all know it’s there. We all know it poses a problem and we all know something has to be done. The elephant in this case is social media, the fastest growing threat to both individual and corporate security. From Facebook to LinkedIn to Twitter to YouTube to MySpace, everyone is using some form of Web 2.0 at work, on the phone, at home or on the road.

When one looks at social media closely, the numbers are staggering. Take Facebook for example. It boasts more than 350 million users worldwide, 52,000 different applications and 700 million new photos every single month. All of this adds up to a stockpiling of data that is “just out there” for someone to steal, manipulate, and potentially use to take one’s money and/or identity. For companies the threat extends to diminishing brand and damaging reputation.

Over the past year, Twitter accounts of Barack Obama, Britney Spears and Kanye West have been compromised. In two other incidents, false rumours were spread about Apple CEO Steve Jobs’ health, causing Apple’s stock to plummet, and someone broke into a live Mac Rumors feed to announce Jobs’ death. But it is not just celebrities who are at risk. According to Secure Enterprise 2.0 Forum’s report, “Web 2.0 Hacking Incidents & Trends 2009 Q1,” social media attacks are on the rise and are resulting in corporate information leakage, the spreading of disinformation, monetary loss, planting of malware, network downtime and spam phishing attacks.

Similar to the need for every company to balance the issues of security and privacy, every company must now strike the right chord when it comes to security and the use of social media. For some companies, allowing staff to use YouTube or LinkedIn makes sense from a business standpoint (e.g., marketing), while for other companies, the use of Web 2.0 applications has no work-related benefits and thus represents another distraction for their staff. Either way, understanding the threats social media presents is the first step companies can take to protect their data, employees and reputation.

Social media is not going away either. Gartner’s recently released social media predictions for 2010 state that by 2014 social networking services will replace e-mail as the primary vehicle for interpersonal communications for 20 per cent of business users. I guess the elephant is only going to get bigger.

Paul Grossinger

Publisher/Editor Paul Grossinger paul@securitymattersmag.com

Director, New Business Development Frank Shoniker

Director, Advertising Sales Bill Begin

Art Director Mark Tzerelshtein markintoshdesign.com

Contributors Frank Fourchalk, Lynn Greiner, Ian Harvey, Jack Kohane, Brent MacLean, Meaghan McCluskey, Lance Naismith, Theresa Rowsell

Security Matters provides Canadian businesses with information that helps them secure their staff, assets, facilities and data. It is published six times a year by KAP Publishing Ltd. The views expressed by the authors are not necessarily those of Security Matters. All editorial submissions are subject to editing. No part of this publication may be reproduced without the express written consent of KAP Publishing Ltd. The content of this publication is provided for the general guidance and benefit of our readers. While efforts are made to ensure the accuracy and completeness of the information at the time of publication, errors and omissions may occur. All rights reserved.

Publications Mail Agreement No. 40752539. Return Undeliverable Canadian Addresses to KAP Publishing Ltd., 1136 Centre Street, Suite 199, Thornhill, ON L4J 3M8. ISSN 1911-5067. Printed in Canada.

Security Matters, 1136 Centre Street, Suite 199, Thornhill, Ont. L4J 3M8, Canada. Tel: 905-370-0736; Fax: 416-633-7084. info@securitymattersmag.com www.securitymattersmag.com

Infrastructure Technology Summit

For a Complimentary Pass, Register with Code: SMJF

Full Trade Show Floor • Industry Leading Keynotes • Networking with IT Professionals • Educational Seminars

www.itechsummit.ca


TELUS is the Canadian leader in IT security research? Who knew.

The results of the 2009 Rotman-TELUS Joint Study on Canadian IT Security Practices are now available. Get your copy and find out:

• How some companies were able to increase their security budget despite the current economic climate
• What technologies were deployed most and least, and how this will change in the next 12 months
• Which regulations are driving IT security investments in Canada

Get the full study results. Benchmark your company against the 600+ participants. telus.com/securityresearch

the future is friendly


NEWS & NOTES

During the 2010 Olympic and Paralympic Winter Games in Vancouver, the Royal Canadian Mounted Police (RCMP) used Panasonic IP surveillance cameras in both indoor and outdoor competition venues.

The Auditor General of Alberta has chosen Application Security’s AppDetectivePro to conduct its database audits. The scanning technology will perform database discovery, user rights reviews and vulnerability assessments.

Recently, Twitter had to reset the passwords of some of its users after discovering malicious file-sharing sites that were set up to steal users’ login credentials.

Due to the failed terrorist attack in December at Detroit Metro Airport, the Government of Canada is investing in full-body scanners to enhance security at Canadian airports. The technology will give passengers a choice between a full-body scan and a physical search. The full-body scanner will be used to reveal objects, including weapons and explosives, that could be concealed under clothing.

Honeywell has formed the Honeywell Open Technology Alliance, a group of global security manufacturers that will collaborate to increase interoperability between third-party IP systems and help businesses secure and protect their facilities.

ASIS-Toronto recently held an event entitled Workplace Violence Prevention Legislation: How to Achieve Bill 168 Compliance by Summer 2010. The sold-out event discussed amendments to the province’s Occupational Health and Safety Act, which will require all employers in Ontario to develop and implement effective workplace violence prevention programs by June 15, 2010.

Fortinet’s January Threatscape Report recorded the highest levels of malicious code ever detected, with Japan topping the list of countries with the highest volume of malware.

A survey of 500 companies by Sophos found a 70 per cent jump in spam and malware attacks via social networking sites in 2009. Facebook topped the list as the perceived riskiest of the major social networking sites, followed by MySpace, Twitter and LinkedIn.

According to a McAfee survey of 600 IT security executives from critical infrastructure enterprises worldwide, more than half (54 per cent) have already suffered large-scale attacks or stealthy infiltrations from organized crime gangs, terrorists or nation states.

RSA’s 2010 Global Online Consumer Security Survey indicates that consumer awareness of phishing attacks doubled between 2007 and 2009, while the number of consumers who reported falling prey to this type of attack increased six times during that same period.

Soon after President Barack Obama delivered his State of the Union address in January, hackers defaced 49 websites belonging to U.S. House of Representatives members and committees, according to researchers at Praetorian Security Group, a managed security services and consultancy firm.

Check Point Software Technologies’ global customer survey of businesses regarding endpoint security trends has found that more than 40 per cent of businesses had more remote users connecting to the corporate network from home or when travelling in the last year compared to 2008.

London Overground Rail Operations in England is implementing an IP-based video system from Verint Video Intelligence Solutions across 40 of its rail stations.

COST OF BREACHES ON THE RISE

“Checklist approach” to security not working for many Canadian companies

By Paul Grossinger

If you think IT security is not an issue in Canada, you had better have a look at the 2009 Rotman-TELUS Joint Study on Canadian IT Security Practices, which reveals a major increase in annual losses related to IT security breaches. In its second year, the study supplies Canada’s business and IT communities with insight into the concerns, approaches and strategies companies have and implement when it comes to IT security.

According to the study, which surveyed more than 600 Canadian IT security professionals, IT security breaches cost the average Canadian organization an estimated $834,000 last year, a 97 per cent increase from the $423,000 reported by the study in 2008. Similarly, the average number of reported IT security breaches also increased 276 per cent to 11.3 per organization in 2009, compared with an average of three in 2008.

“The significant increase in reported breaches is sobering, however there are several reasons for this activity and some of them are actually positive,” says Dr. Walid Hejazi, professor of business economics at the Rotman School of Management. “Our research indicates that one of the contributing factors behind the surge in IT security-related losses is compliance regulations.”

Some of the survey’s other key findings include:

• Breaches and annual costs are up, while per-breach costs are down.
• Application security practices are not keeping up with evolving threats.
• High-performing security programs have strong governance and focus on education.
• Top performing respondents spent at least 10 per cent of their IT budget on IT security.
• Organizations cite damage to brand as biggest breach concern.
• Disclosure or loss of customer data remains top issue.
• Focus in Canada is predominantly towards after-the-fact security, rather than “build it secure.”
• Canada is catching up to the U.S.A. in terms of breaches.

“Canadian organizations are finding it difficult to improve their security posture within the current economic climate,” comments Alan Lefort, managing director, TELUS Security Labs. “Too often organizations take a checklist approach to managing security. Without a threat-based view to security management that measures end-to-end capabilities, they are often unprepared when a new type of attack or vulnerability rises to prominence.”


1:16 AM Car theft in progress.

2:10 AM BUSTED

Effective outdoor video surveillance protects what you value most, alerts you to unexpected events and can even trigger appropriate response. But the cameras that achieve it must endure heavy snowfall, intense rain and strong winds – and still deliver usable results.

Axis outdoor cameras are exceptionally easy to install, which saves valuable time and minimizes maintenance. They withstand extreme weather conditions, and offer superb image quality. Because your surveillance system needs to deliver indisputable evidence in the form of clear, crisp video images – even in the toughest environments.

Get the Axis picture. Stay one step ahead. Visit www.axis.com/outdoor

AXIS P33 Network Camera Series: IP66-rated casing, day/night, wide dynamic range, H.264, Power over Ethernet, HDTV image quality, remote zoom & focus, and much more.


CYBER WATCH

with Brent MacLean

SECURITY TRENDS TO WATCH

In 2010, social networking sites, dedicated phishing attacks and exploitation of people’s economic status are just some of the dangers companies must watch and plan for when they examine their IT security strategy

Security has become synonymous with life, particularly when it comes to our increasing use of technology. Whether you are using a Microsoft Word file or surfing the Internet, the potential for viruses, malware, spyware, identity theft or just plain destruction of information has become a real threat to our computing experience. As such, computer security is an inherent philosophy that must be integrated into every computing environment, whether at home or in business. Hackers, crackers, script kiddies and espionage are real threats and will continually evolve and expand at an alarming and exponential rate. More and more of the “invisible bad guys” want access to our individual systems and collective corporate networks, and as our society’s economic troubles continue (e.g., unemployment rises), we see the continued exploitation of the financial crisis to scam people with fake financial transaction services, bogus investment firms and fraudulent legal services. Here are just some of the more important cyber crime trends to watch out for in 2010:

• Social Networking Sites. Cyber criminals no longer deliver threats solely via spam. They are taking advantage of sites like Facebook and MySpace.

• Personalized Threats. Continued expansion of malware in languages other than English. Cyber criminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

• Targeting Consumer Devices. We expect increased attacks involving USB sticks and flash memory devices used in cameras, picture frames and other consumer electronics.

• Security Software Scams. The malware underworld is using mail stream practices in an effort to “sell” security software that is either misleading or outright fraudulent.

• Abusing Free Web-Hosting & Blogging Services. Websites such as Geocities, Blogspot and Live.com allow anyone to create a public website for free, without the authentication necessary when purchasing a domain name website. This gives spammers the opportunity to run their underground business with minimal expense. Spam from do-it-yourself social-website-hosting providers arrives at its destination with far greater frequency than links pointing to domain names assigned by legitimate registrars.

• Localized Phishing Campaigns. Online scammers will increasingly target specific communities, especially on university campuses, where professional-looking e-mails claiming to be associated with the school’s financial or scholarship department will be blasted to all the students at the school.

• Browser-Based Attacks. Cyber criminals will increasingly attack via web browsers as they are the least protected and therefore the easiest way to transfer malware.

• Increase in Forging and Abuse of Free E-mail Services. The free e-mail services have started to allow accounts to send mails with arbitrary “from” addresses. This has increased the usability of these services significantly for businesses, but has also increased the “abusability” by spammers.

• Breaches of Confidential Data. Information that is managed by partner and subsidiary companies of bigger companies will be exposed more frequently, forcing an overhaul of data security practices.

Today, cyber crime and Internet fraud are extremely high profile, although detecting and enforcing against these novel and destructive criminal activities continues to pose enormous challenges for traditional and conservative forensic techniques and business intelligence technology. This has now become a daunting task for computer forensic analysts, as the volume of data that has now come into play is of such magnitude that it is crippling to most contemporary analytical tools. One possible solution is educating and enforcing the human component to help minimize the destruction until technology comes up with faster, more reliable avenues to catch up to this cancer that is infecting our nation at a remarkable rate.

Brent MacLean is the founder and CEO of J.B. MacLean Consulting (www.jbm.net) and Canadian Intelligence Solutions. He has more than 22 years of experience in network, security, and infrastructure design and troubleshooting.



PRIVACY MATTERS

with Meaghan McCluskey

ALL ABOUT CONSENT

For companies looking to develop a pandemic plan, collecting vital information from employees should be performed with great caution

Sick days are common to any workplace. However, as those long winter days continue and flu season creeps up on us, more employees are going to be staying home sick. Managing sick employees and contingency plans for pandemic levels of absenteeism creates several challenges, including what employee information can be collected and used in creating pandemic plans, what information can be collected and used when dealing with sick employees, and how sick employees can work remotely in a secure manner. (Note: In October 2009, the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner for British Columbia and the Office of the Information and Privacy Commissioner of Alberta released a report entitled “Privacy in the Time of a Pandemic: Guidance for Organizations.”)

When it comes to pandemic planning and dealing with sick employees, private sector privacy laws apply in the normal way during non-emergency times, and generally require that the collection of personal information from employees be reasonable and the minimum necessary to fulfill the purposes. For example, when collecting information for the purpose of pandemic planning, consent should be obtained from employees prior to collection by informing them of the purposes of the collection and how long the information will be retained. If the employer wishes to assess how many employees may need to be absent to care for sick dependants, the Commissioner’s report notes that for the purposes of statistics, this information could be collected in the form of anonymous surveys to avoid collecting unnecessary identifiable information. Also, if the information will be used to estimate what percentage of the work force has dependants, the raw data could be destroyed once these statistics are calculated.

Employers may also wish to know if their employees may be at higher risk of falling ill with the flu. Employers should be cautious in this circumstance as their collection of personal information must be only the minimum necessary to meet their purposes. The Commissioner’s report states that employers generally will not have a reasonable need to collect diagnoses such as that employees have asthma or some condition that affects their susceptibility. A less privacy-invasive alternative to collecting personal information is to communicate to employees that certain “at risk” categories of employees should take additional precautions to prevent the flu. Furthermore, employers should not ask employees if they have been vaccinated against the flu or insist that they receive vaccines; instead, provide information about vaccinations, such as times and places of vaccination clinics.

STAYING IN CONTACT

Personal telephone numbers or e-mail addresses for employees may be required by employers to keep in touch with them during their absence. Again, consent will be required to obtain this information, and if the employer already has the information, consent will be required to use the information for these purposes, if they were not contemplated when the information was originally collected. The Commissioner’s report notes that a less privacy-invasive alternative may be to have the employee call in at scheduled, regular intervals.

Once an employee has fallen ill, two privacy issues that arise are 1) whether employees calling in sick can be asked if they have the flu and 2) how other employees will be told that the sick employee is unavailable for work. Employers will need to know if an employee cannot come in to work; however, given that privacy laws require that employers only collect the minimum necessary personal information, employers only need to know the prognosis, and not the diagnosis (i.e., the employee is sick, not what the illness is). For planning purposes, it is reasonable for employers to ask employees to provide an anticipated date of return. Once employers are informed that an employee cannot make it to work, they should simply tell other employees that the employee is unavailable and provide an alternative contact for work-related matters. Managers should not reveal the nature of the illness to co-workers.

While collecting some information for the purposes of pandemic planning is possible with employee consent, employers should look at less privacy-invasive alternatives, such as posting notices about flu prevention and providing hand sanitizers. It is important to note that there are other privacy concerns related to the flu, such as whether employees can be sent home or required to undergo medical tests if they appear to be sick, and whether employees can be required to provide proof of vaccinations. Finally, in the case where authorities declare the flu a public health emergency, employers should note that privacy legislation might not prevent the sharing of information.

Meaghan McCluskey is a privacy research lawyer with Nymity Inc. (www.nymity.com), a provider of PrivaWorks, a privacy support tool.



SECURING YOUR BUSINESS

with Frank Fourchalk

NO NEED TO

Safe rooms offer businesses and their employees a place of refuge when under attack or in the midst of a robbery

In the 2002 film Panic Room, Jodie Foster plays the role of a divorced woman, who, along with her daughter, locks herself in their New York brownstone’s “panic room” when three burglars break into their home. Mother and daughter hide in the “panic room,” while the intruders look for the money they came for. The movie brought the idea of “safe rooms” or panic rooms to the forefront of mainstream society.

For companies, safe rooms offer a place of refuge where people can retreat from potentially dangerous situations. They act as a barrier between vulnerable employees and dangerous intruders. Corporate safe rooms are usually constructed to prevent kidnapping for ransom or robbery. Although it may not be necessary to reinforce the walls with eight-inch concrete, you need to determine how much of a robbery risk your business faces. For instance, a coffee shop wouldn’t necessarily need a safe room, but if you own a jewellery store, it might be a worthwhile investment. If your main concern is preventing danger to your employees from intruders, you will want your panic room to be able to protect your staff for at least 30 minutes and preferably up to two hours until the police arrive.

Keep in mind, these rooms can be expensive. Construction of high-end panic rooms typically starts at $30,000 and can reach amounts of $400,000, depending on the amenities involved. On the lower end, the costs can be much more economical simply by converting a closet or extra room into a safe room. The cost for a project like this usually runs around $3,000, while plywood reinforcements for an average-sized closet can quickly total $2,500. Of course, if you would like bullet-resistant electronic doors, it could cost you upward of $22,000. In most cases, you don’t need to spend exorbitant amounts of money constructing a safe room.

Most have one entrance in and out, and usually don’t contain windows. As such, ventilation is a must to assure employees don’t run out of air while locked inside. Businesses often convert bathrooms into safe havens for endangered employees. These rooms should be equipped with frame and door reinforcement. Replacing doors with exterior-grade solid core doors that open outward will prevent intruders from kicking the doors in. You should also reinforce the doorframe with steel angle iron and high security deadbolts. This tough combination will add strength when the door is closed and secured. Make sure doorframes are reinforced with solid shims to prevent the spreading or prying of the door.

If you select a room with windows, make sure they are protected against attack. There are a number of products available that can either be installed on or in front of the glass to add protection against breakage. Security window films applied to the glass, polycarbonates in front of the glass or window bars are all excellent choices.

Here are some other tips to remember when planning a safe room:

• Always stock emergency items like a cell phone, flashlight, first-aid kit, food, water, fire extinguisher and defensive weapons. Medications, like asthma inhalers or aspirin, should also be stored to avoid unscheduled emergency surrenders.
• Make sure it is equipped with an alarm system with a direct-dial phone, as well as a cell phone. Electrical outlets are a necessity for cell phone charging.
• It’s always a good idea to soundproof your safe room so intruders can’t hear any conversations, particularly those with law enforcement.
• Video monitors are recommended so employees can follow the actions of the intruder from inside the room. This will also be handy when making 911 calls.
• A toilet and sink should be installed.
• Pepper spray and other protective devices could save the lives of staff members once under siege.
• Electromagnetic locks are a great choice for the ultra secure room. These locks have the ability to withstand a tremendous force when under attack. Another advantage to these locks is they are virtually pickproof and offer electronic key pads for easy entry.
• A battery backup is needed in case of a power failure. The battery power source will guarantee the lock will not open if there is an interruption to the lock’s power supply.

The most cost-effective way of installing a safe room is during the construction phase of your business or when renovations are taking place. So if you are contemplating building such a room in your business, make sure you consult with a security firm or architect to discuss your requirements before the blueprint stage.

Frank Fourchalk is a B.C.-based security consultant (www.yourhomesecurity.ca) and past winner of the British Columbia Crime Prevention Society’s “Brian G. Jones” Business of The Year Award.


TRY THIS

IS

HERE

By Lance Naismith

With video surveillance cameras going high-definition, the CCTV possibilities for businesses are endless

When it comes to television these days, it is often said, "Once you go HD, you can never go back." This may be the case in the video surveillance world too, now that high definition (HD) cameras are readily available and applicable to facilities of all shapes and sizes. Originally very bulky, conspicuous and only producing a low-definition black and white picture with no option to pan or zoom, CCTV cameras have come a long way over the past 10 to 20 years. Nowadays, businesses can deploy megapixel colour surveillance cameras that can be hidden in very inconspicuous casings and that record very minute detail, expanding the forensic and intelligence potential of the systems.

As CCTV technology advanced, more and more businesses began to expect a video surveillance camera to produce clarity that allowed them to identify a face or licence plate. However, the products that could accomplish these feats were usually cost prohibitive. With today's HD surveillance cameras, users can have that resolution at a cost comparable with the older analogue systems.

To ensure a quality installation, the integrator and user must talk and agree on what is "fit for purpose," which will save money, says Dave Tynan, vice president of sales and marketing at Avigilon, a British Columbia-based developer of HD surveillance systems. If you already have a complete surveillance system with analogue cameras, he adds, don't throw out the old cameras right away; your first upgrade could involve simply changing the software. "By changing out the engine," explains Tynan, "it allows you to migrate over whatever time frame and whatever your budget might allow because you are preserving your existing assets. You're adding megapixel value to wherever you need it."

Through such a "hybrid system," where analogue and digital technology co-exist, users can achieve some of the advantages (e.g., instant replay) of digital video. Hybrid systems also allow users to mix HD and analogue cameras. Paul Bodell, an electrical engineer and marketing officer for IQinVision, points out that with a hybrid system you can slowly replace older analogue cameras with HD cameras, some with on-board recording. Businesses thinking of replacing their analogue cameras with HD cameras can still utilize their existing cable system. To do this, users must select cameras with a resolution of one to 16 megapixels, with each level of resolution being job specific, depending on just how much clarity is needed (e.g., store shelves versus licence plate recognition).

Due to the wider field of view and greater resolution of HD cameras, users may be able to reduce the number of cameras by 40 to 50 per cent, says Tynan. This, in addition to the fact that mechanical wear is reduced because the cameras lack pan, tilt and zoom mechanisms, is among the reasons the installation of HD cameras can be considered comparable to analogue cameras in cost. For use in a court of law, Tynan notes, you can pan, tilt and zoom into a specific spot of an event while the whole field of view is recorded and archived, allowing post-event forensic study.

"Quality depends on the manufacturing of the camera and the quality of the lens that is put on the camera," explains Bodell, who advises that businesses interested in installing HD cameras should request to try out sample equipment to ensure it fits their needs. Before committing, he adds, you should look at overall cost and not "by line pricing. Going with the higher end HD megapixel camera is going to be a longer term, less expensive solution than going with the cheap stuff."

14 SECURITY MATTERS • JANUARY/FEBRUARY 2010
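The "fit for purpose" and "fewer cameras" points above come down to pixel density: how many pixels a camera puts across each metre of the scene at the distance that matters. The calculator below is an added example written for this article, not code from Avigilon, IQinVision or any vendor named here. The horizontal pixel counts (704 for an analogue D1 stream, 1920 for a 2 MP HD camera, 4944 for a 16 MP camera) and the pixels-per-metre targets for observing, recognising and identifying a person are assumed planning values chosen for the illustration, not figures from the article, and the camera-count estimate ignores lens distortion, vertical coverage and the overlap an installer would add.

```python
import math

# Assumed horizontal pixel counts for the camera classes discussed in the
# article. Illustrative values chosen for this example, not vendor specs.
CAMERA_WIDTH_PX = {"analogue_d1": 704, "hd_2mp": 1920, "hd_16mp": 4944}

# Assumed pixels-per-metre targets across the scene for each task. These are
# planning rules of thumb used in this example only, not article figures.
TARGET_PX_PER_M = {"observe": 60, "recognise": 125, "identify": 250}


def scene_width_m(distance_m: float, hfov_deg: float) -> float:
    """Width of the scene a lens with the given horizontal field of view covers
    at distance_m (simple pinhole geometry, no distortion)."""
    return 2.0 * distance_m * math.tan(math.radians(hfov_deg) / 2.0)


def px_per_metre(h_pixels: int, distance_m: float, hfov_deg: float) -> float:
    """Pixel density across the scene at that distance for a sensor h_pixels wide."""
    return h_pixels / scene_width_m(distance_m, hfov_deg)


def max_width_for_task(h_pixels: int, task: str) -> float:
    """Widest scene a sensor can cover while still meeting the task's density."""
    return h_pixels / TARGET_PX_PER_M[task]


def cameras_needed(length_m: float, h_pixels: int, task: str) -> int:
    """Fixed, non-overlapping cameras needed to cover a straight run (a parking
    row, a loading dock face) at the density the task requires."""
    return math.ceil(length_m / max_width_for_task(h_pixels, task))


def compare(length_m: float, task: str) -> dict:
    """Camera count per camera class for the same run and task, which is the
    'fewer cameras' trade-off the article describes."""
    return {name: cameras_needed(length_m, px, task) for name, px in CAMERA_WIDTH_PX.items()}


if __name__ == "__main__":
    distance, fov = 10.0, 60.0
    for name, px in CAMERA_WIDTH_PX.items():
        density = px_per_metre(px, distance, fov)
        print(f"{name:12s} {density:6.1f} px/m at {distance} m with a {fov} deg lens")
    print("100 m run, recognise:", compare(100.0, "recognise"))
    print("100 m run, identify: ", compare(100.0, "identify"))
```

Run it and the analogue camera needs roughly two and a half times as many units as the 2 MP camera for the same run at the same density, which is where the 40 to 50 per cent reduction comes from; whether a site actually gets there depends on mounting heights and the real lens, so treat the output as a starting point for the sample-equipment trial Bodell recommends, not a substitute for it.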

Lance Naismith is a freelance writer in Oakville, Ont.

SOURCES Arecont Vision • www.arecontvision.com Avigilon • www.avigilon.com Axis • www.axis.com IQinVision • www.iqeye.com


Products. Technology. Services. Delivered Globally.

Which of these is a bigger threat to your security investment?

The wrong cabling infrastructure can hinder the performance of even the most sophisticated video surveillance system. The right cabling infrastructure is critical to the successful operation and useful life of a security system.

Factors that affect the performance of cabling infrastructure:
• The migration of a security system to IP
• Minimally compliant Category 5e cable
• Increasing bandwidth requirements
• The need for PoE+ and beyond
• Installation practices
• Environmental conditions
• Quality of IP cable manufacturing

Anixter ipAssured(SM) is an infrastructure assurance program that matches the cabling infrastructure to the security equipment based on the technical, application and life-cycle requirements of the user.

[Image captions: blurred, unusable video over minimally compliant Category 5e cable; crystal clear video over ipAssured IP-Class(SM) 10+ cable.]

Receive the best performance for the anticipated life of your security system by installing an ipAssured cabling infrastructure.

Contact your local Anixter representative or visit anixter.com/ipassured to learn how Anixter ipAssured can protect your security investment. 1.877.ANIXTER, anixter.ca

Anixter is a leading global supplier of communications and security products, electrical and electronic wire and cable, fasteners and other small components. We help our customers specify solutions and make informed purchasing decisions around technology, applications and relevant standards. Throughout the world, we provide innovative supply chain management services to reduce our customers' total cost of production and implementation. © 2009 Anixter Inc.


LOOMING THREATS THE NEED FOR COMPANIES TO HAVE EASY AND INSTANT ACCESS TO APPLICATIONS AND DATA ANYWHERE, ANYTIME, IS PUSHING CLOUD COMPUTING, VIRTUALIZATION AND MOBILITY TO THE TOP OF THE PRIORITY LIST OF MOST IT AND SECURITY PROFESSIONALS. HOWEVER, CANADIAN COMPANIES SHOULDN’T IGNORE THE MOST IMPORTANT ASPECT OF SECURITY: PREPAREDNESS By Ian Harvey


The old saying about disasters is that no one ever sees them coming; too bad modern businesses can't hide behind that refuge. Obviously, nobody can predict the future, but most people know it's rife with security threats and 2010 will be no exception. Here's what we know: the H1N1 pandemic is real; botnets, phishers and hackers, driven by large criminal organizations, will continue to seek out weak links to exploit for profit; devices containing sensitive data will be lost in taxis and at airports; and disgruntled employees are likely to walk out with proprietary intellectual property, which would be extremely valuable in the hands of a competitor.

But the biggest threat to Canadian enterprises may not be any of the above, or an earthquake or fire. It may be what you haven't planned for, and that is what to do in the event of a crisis.

"The reality is that only 25 per cent of Canadian enterprises have a business continuity plan in place, with some idea of where it is and that maybe has been tested," says David Senf, director of an infrastructure solutions group at IDC Canada, a security industry research firm. "One-third may have some kind of disaster recovery plan and the remainder does not have anything to look to if a server goes down, if there's a fire or a pandemic."

In the event of a pandemic, for example, how are the needs of the business going to be met while meeting the requirements of the local health authority? "If you have a call centre, do you have technology which will let [staff] work from home if you shut the call centre down?" asks Gene McLean, president of the Canadian Society of Industrial Security and former chief security officer at TELUS. "If your people work from home, how secure are their connections and equipment?"

And there are still more considerations on the horizon in the form of the convergence of three existing technologies: cloud computing, virtualization and the continuing rush to mobile. These are probably the biggest issues facing security and IT executives alike, says Senf, whose thoughts are echoed by Cisco's Chris Hoff, a forward thinker and virtual security expert.

"With cloud computing we're starting to filter the hype from reality," says Hoff, noting that under traditional models, applications and data didn't move much, unless it was with the network inside a location. The demand for mobility, the need to have applications and data available anywhere, anytime, the robust, high-speed networks to deliver that, and the countervailing requirement that it all be cost effective are together driving the trend to virtualization, he says. "It's what could be called the 'perfect storm.'"

Cloud may be a boon in terms of offering on-demand data management services or software as a service, but it brings with it a set of security questions: Who has access to the data? Which jurisdiction is the data held in? What are the rules of that jurisdiction in terms of privacy? How do they conflict with the jurisdiction that governs the owner of the data?

Similar questions surround virtualization. How are the servers divided? What conflicting interests share space on the same machines, and could the data be compromised? As for mobile, it brings to the forefront the perennial questions around physical loss or theft of laptops and smart phones and, in turn, all of the sensitive data on those devices, which can also provide a portal for the nefarious minded.

"In some cases, like a U.S. military contract, for example, there are demands that the data can only be held in a U.S. facility and only accessed by a United States citizen and that means your cloud can't be anywhere else," notes James Quinn, a security analyst with IT research firm Info-Tech. Conversely, he says, the U.S. Patriot Act empowers authorities to seize and search data without notice and without warrant, which makes some Canadian and European companies uncomfortable because it's a security threat in that it could constitute a breach of privacy laws, like PIPEDA. "Depending on how the authorities feel that day, they could go in and seize the virtualized machines, which may include your data which is now exposed," he says, adding that other concerns relate to the lack of compliance with the Payment Card Industry Data Security Standard. "There are still a lot of companies who aren't certified," he says, and that too is puzzling since it's a requirement and could seriously impact their bottom line if the card brands decide to lower the boom. Besides, he says, there are ancillary benefits to compliance: the system ends up more robust and, by subscribing to an industry security standard, a company mitigates the repercussions of a breach, because its first-line response is that everything that should have and could have been done was done.

Similarly, companies still have outdated mobile devices in their fleet, ones that do not have encrypted hard drives or more sophisticated protection, such as biometrics or remote wipe capabilities. "When you add up the cost of notification under PIPEDA in the event of a security breach – such as the loss of a laptop — it could be more than a million dollars," says Quinn. "It's much better to upgrade the laptops because if there is a loss, with the encryption you can say there was no data breach."

Even with encrypted drives, remote wipes and boilerplate network policies, the weakest link in any security system is always going to be the "wetware," the human component, says McLean, noting that security goes beyond locking the front doors, installing a hand washing station or securing a network portal. "I saw a study the other day which found that 57 per cent of people laid off had taken proprietary information with them knowing it was the property of the company," says Lynn Mattice of the Security Executive Council. McLean adds: "Security is everyone's job. It's down to stopping someone you've never seen in the hallway with no ID tag and asking them if they need help and what they're doing there." More pointedly, Mattice says that does not mean external threats should be minimized, citing a NATO annual report that revealed 108 countries around the world are actively and aggressively stealing technology to give to their own industries.

No one knows what surprises 2010 has in store, but it is a safe bet that Canadians will be fighting the same challenges they faced in 2009. What is known, though, is that the biggest weapon in everyone's arsenal remains preparedness.

WWW.SECURITYMATTERSMAG.COM

Ian Harvey is a freelance writer in Toronto, Ont.

SOURCES CSIS • www.csis-scsi.org IDC • www.idc.com Info-Tech • www.infotech.com Security Executive Council • www.securityexecutivecouncil.com



THE LIFEBLOOD OF CANADIAN BUSINESSES

By Lynn Greiner

Whether it's sales records, credit card numbers or just product collateral, keeping data safe is the moral and legal duty of every Canadian company, association and government. Facebook found this out the hard way. A year-long investigation by Canada's Privacy Commissioner Jennifer Stoddart, prompted by a complaint from the Canadian Internet Policy and Public Interest Clinic (CIPPIC), resulted in an order to adopt key recommendations from her office to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) or face the possibility of being brought before the Federal Court of Canada. The online social media giant's policies of retaining information on deactivated accounts, its lack of safeguards against unauthorized use of user information by third-party applications and the fact that it allowed users to provide information about non-users without their consent all contravened key areas of PIPEDA.

PIPEDA is one of Canada's two federal privacy laws, and sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. The law gives individuals the right to access and request correction of the personal information these organizations may have collected about them. The legislation applies to personal information collected, used or disclosed by the retail sector, publishing companies, the service industry, manufacturers and other provincially regulated organizations. It does not, however, apply to the personal information of employees of these provincially regulated organizations.

The second piece of federal privacy legislation is the Privacy Act. It limits the collection, use and disclosure of personal information by 250 federal government departments and agencies and gives individuals the right to access and request correction of personal information about themselves held by these federal government organizations. There are also various pieces of provincial legislation, and alert watchdog groups, such as CIPPIC, based at the University of Ottawa, keeping an eye on things.

Yet, says Claudiu Popa, president of Toronto-based security firm Informatica Corporation and author of The Canadian Privacy and Data Security Toolkit for Small and Medium Enterprises, "the great things about our privacy legislation are also the root of our data protection woes: data protection is the articulated goal of the legislation, in particular, personal information protection. However, all the underlying security controls necessary to make this happen are implied and left up to the organization." Consequently, he says, Canadian businesses tend to be reactive, not proactive, when it comes to information security.

GETTING PRACTICAL

Writing a security policy need not be an onerous task. Organizations such as the SANS Institute and WindowsSecurity.com offer advice and templates that can be customized to serve virtually any organization's needs. For Canadian companies, one aspect of information security is knowing what they are securing, and that means information classification. "Companies should pay particular attention to the development of their data classification policy because it is fundamental to the security program and all standards and procedures depend on it," says Popa. "Quite simply, no organization can afford to protect all information and treat it as confidential.

"The costs of security controls and management would be prohibitive and impossible to scale," he adds. "At the other end of the spectrum, organizations that do not protect their data, essentially treating it as public or shared information clearly would find themselves compromising sensitive corporate information assets, be they financial/accounting information, trade secrets/intellectual property, or worst of all, personally identifiable information belonging to individual customers."

Information classifications should also influence and reflect who is permitted to access the information within the company. For example, payroll data is extremely confidential, and a limited number of people are allowed access, while product sell sheets that are distributed to customers could be classified as public documents.

Even if businesses diligently protect data while it's in the office, its treatment when documents or electronic media are disposed of may compromise security too. Paper in the trash is fair game to dumpster divers, and a recent study by Kessler International, a forensics organization, found that 40 per cent of the hard drives it purchased over a six month period on eBay contained retrievable, confidential data, indicating deliberate or inadvertent neglect of basic data protection precautions on decommissioned systems. Can anyone say "disaster?"

"When your company is being investigated for data loss, the first question is, does your company have a written policy – so you should have one," says Kristjan Backman, president of Winnipeg-based Phoenix Recycling. "All companies should have a policy regarding all information-containing media and the approved methods of destruction."

The destruction policy should not only cover paper, but micro media like USB keys, cell phones and PDAs, optical and magnetic media, such as CDs, DVDs and computer drives, and any other electronic equipment with magnetic storage included (e.g., photocopiers). And, he adds, the first question a customer should ask when shopping for an information destruction service provider is: Is this facility NAID AAA certified? NAID stands for the National Association for Information Destruction and is an international, non-profit trade association of the information destruction industry. It sets standards and audits certified vendors to make sure security standards are met. It also has a compliance toolkit to help companies design their own destruction policies. Because, believe it or not, secure destruction isn't as easy as it sounds. You should, says Backman, be able to see the shredding equipment and verify that the particle size renders the media unreadable. (If not, it could lead to a serious data breach.) Companies should also ask about the average time it takes for material to be destroyed from the time it is delivered, and the vendor should supply a list of references where the work is substantially similar to the work you need done.

"The effectiveness of a data protection program depends on how it is implemented and managed," adds Informatica's Popa. "The gaps that are left due to improper implementation and enforcement are often enough to drive trucks through, and the only way to address these challenges is using end-to-end, high-level strategy that drives policy enforcement and ensures proper control management. Without such controls, organizations will continue to experience unauthorized information disclosures, data theft, website compromises and business continuity issues."

PIPEDA – KEY CONCEPTS

PIPEDA specifies how private sector organizations may collect, use or disclose personal information in the course of commercial activities. Under the act, under most circumstances:
• Personal information must be collected for a specific purpose and cannot be used for other purposes.
• The information cannot be collected unless the person that the information belongs to has been informed and has provided consent.
• The information can only be kept for a specified amount of time, and must be destroyed when it is no longer needed to fulfill its original purpose.

Lynn Greiner is a freelance writer in Newmarket, Ont.

SOURCES Blue-Pencil Mobile Shredding Solutions • www.blue-pencil.ca Informatica • www.informationsecuritycanada.com NAID • www.naidcanada.org Phoenix Recycling • www.phoenixrecycling.com



THE ART OF INTELLIGENCE By Jack Kohane


LIKE EVERY MUNICIPALITY IN CANADA, THE CITY OF EDMONTON DOES NOT TAKE PUBLIC SAFETY LIGHTLY. TO FURTHER ITS POLICE SERVICE’S GOALS OF REDUCING CRIME AND DISORDER, MAKING STREETS SAFER, DECREASING FEAR AND INCREASING THE QUALITY OF LIFE FOR ALL ITS CITIZENS, THE CAPITAL OF ALBERTA HAS TURNED TO SECURITY ANALYTICS


Staff Sgt. John Warden of the Edmonton Police Service believes security data analytics is a powerful tool for businesses too.

Imagine a predictive security system that pinpoints where and when a crime might occur, well before the alarm gets tripped. This is not the stuff of science fiction anymore, as business analytics technology has become law enforcement's latest weapon in capturing the right information at the right time to identify crime "hot spots," and to reduce crime rates. From arson to break-and-enters, computer-driven business analytics, or business intelligence (BI), enables police officers to see, analyze and act on data in near real time. Edmonton Police Service (EPS) is among the first in Canada to move forward with this advanced security technology to improve force effectiveness and increase public safety.

"Our job is crime prevention, and business analytics reporting is helping us to accomplish this," says John Warden, BI project team leader for the EPS. The project began four years ago, aimed at "digging down" into police data to provide greater accountability to the public. In its phased approach to deploying this new technology developed by IBM Cognos, the first step was to look at reporting from the EPS Computer Aided Dispatch (CAD) system. Specifically, the organization needed to know what type of calls officers were asked to respond to, and what the public demand was for its services. IBM Cognos technology was able to create performance measurements that could be tracked.

"BI allows us to track performance objectives specific to how long it takes police to respond to the most important emergencies, such as life-and-death, priority-one calls where the goal is to arrive on scene in seven minutes or less," explains Warden. Once the performance measurements were set, police officials could identify trends, frequency and types of crimes happening in specific locations. From there, the service integrated IBM Cognos BI with the EPS records management system, Niche, in order to report on actual investigative work done. By breaking the picture down into various layers, EPS gained better insight into specific trends and the reasons behind those trends.

Crime data analytics is increasingly being recognized worldwide as a powerful tool that enables commanders and frontline staff at law enforcement agencies to make sense of millions of historic incident, offence, arrest and call-for-service records to put a more accurate fix on crime rates and patterns. This quick access to relevant information helps enforcement officials work smarter and make more timely decisions about crime fighting. "Mankind is being overrun by data, and to those engaged in public safety this has a very nasty consequence," says Jeff Jonas, the chief scientist at the IBM Entity Analytics group based in Las Vegas. "Bad things happen, and the evidence shows it could have been detected if someone simply had the right information and connected the dots."

Recently the EPS, which is responsible for policing a regional population of a million-plus, used this new technology to deal with arson activity. "We noticed an upward trend in the crime based on data made through IBM Cognos BI reporting," says David Veitch, superintendent in charge of Edmonton's Southeast Division, pointing out that in utilizing this tool, police commanders were able to compare previous years' data to determine an upsurge in arson incidents during the spring and summer months. "We were able to make some significant arrests and stop that actual pattern in its tracks," he notes. Similarly, BI data showed a series of automobile break-ins to pilfer loose change clustered within several blocks of each other. "We sent in an officer to go through the neighbourhood looking for anyone suspicious," notes Veitch. In short order, a young man was stopped and questioned. When a large amount of coins spilled out of the suspect's pockets, he quickly confessed to his crimes.

The police have also begun using IBM Cognos BI reports to inform the general public about the situation of crime in their neighbourhoods. Explains Veitch, "Now the system is having a direct impact on the public. Anyone can search any of our over 340 communities, by name, and get a visual of that community's crime rate, as well as the eight crime indicators, one or all of the violence and property crimes. They can select a date range from 'yesterday,' seven-day period, the last 30 days, etc. The crime data then plots out and the public has an idea of where and when the criminal event happened, links are provided for prevention information and people can click on the page and get a straight data overview of the last three years in their neighbourhood."

Warden spotlights the end goal of cutting-edge BI technology: the ability of his force to place resources in advance; to put police into certain areas of the city because they can better predict where and when crime will take place in that area; and to help mitigate that crime with police presence. "Are we there yet? Absolutely not," Warden affirms. "But we are on the way to these final pieces of who, how and why, and [those] are going to be exciting pieces for us — to cover off those final pieces of the picture so we have a total and complete picture of what is going on when it comes to preventing crime and victimization in Edmonton."

In his view, Veitch says, the public is holding law enforcement accountable to reduce crime and disorder, to make streets safer, to decrease fear and increase the quality of life. Asked what BI security means for business owners, he explains: "In the last five to seven years there has been a nexus between police research, criminological theories, and the business world models of efficiency, effectiveness, accountability and responsibility.

"Business models like gap analysis, process maps, change management and aspects of leadership have increasingly been absorbed by police managers worldwide," he adds. "Using technology has become critical in increasing the speed and accuracy of the intelligence but also of the response to identified problems and trends. In business the bottom line is a return to stakeholders; in policing the bottom line is to reduce crime."
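The two EPS cases above, a spatial cluster of vehicle break-ins and a seasonal rise in arson against the prior year, are the two simplest analytics a BI report of this kind runs. The code below is an added example written for this article, not EPS or IBM Cognos code, and the incident records are constructed for the illustration, not Edmonton data. It buckets incidents onto a grid of assumed 250-metre cells and flags cells with at least three incidents of one type in a trailing window, and it compares a crime type's count in a set of months with the same months a year earlier. Grid bucketing is the crude version: a cluster straddling a cell edge gets split, which is why production tools use kernel density or nearest-neighbour methods instead.

```python
from collections import defaultdict
from datetime import date, timedelta
from math import floor

# Constructed incident records (not EPS data): (date, type, x metres, y metres)
# on a flat local grid. Five break-ins sit within a couple of blocks of each other.
INCIDENTS = [
    (date(2009, 6, 1), "theft_from_vehicle", 1020, 2010),
    (date(2009, 6, 2), "theft_from_vehicle", 1080, 2090),
    (date(2009, 6, 2), "theft_from_vehicle", 1150, 2040),
    (date(2009, 6, 4), "theft_from_vehicle", 1030, 2160),
    (date(2009, 6, 5), "theft_from_vehicle", 1190, 2120),
    (date(2009, 6, 3), "theft_from_vehicle", 6400, 8800),   # isolated incident
    (date(2009, 4, 20), "theft_from_vehicle", 1100, 2050),  # same area, outside window
    (date(2009, 6, 4), "arson", 3000, 3000),
    (date(2009, 6, 6), "arson", 3100, 3050),
    (date(2008, 7, 15), "arson", 2900, 2950),               # prior-year baseline
]


def cell_of(x: float, y: float, cell_m: float) -> tuple:
    """Grid cell containing a point; cell_m is the assumed cell edge in metres."""
    return (floor(x / cell_m), floor(y / cell_m))


def hot_spots(incidents, crime_type, end, window_days=7, cell_m=250, min_count=3):
    """Grid cells with at least min_count incidents of crime_type in the window
    (end - window_days, end], highest count first."""
    start = end - timedelta(days=window_days)
    counts = defaultdict(int)
    for d, kind, x, y in incidents:
        if kind == crime_type and start < d <= end:
            counts[cell_of(x, y, cell_m)] += 1
    flagged = [(cell, n) for cell, n in counts.items() if n >= min_count]
    return sorted(flagged, key=lambda item: -item[1])


def seasonal_change(incidents, crime_type, year, months):
    """Count crime_type in the given months of year and of the year before; the
    ratio is None when the baseline is zero rather than a misleading infinity."""
    def count(y):
        return sum(1 for d, k, _, _ in incidents
                   if k == crime_type and d.year == y and d.month in months)
    current, previous = count(year), count(year - 1)
    ratio = None if previous == 0 else current / previous
    return {"current": current, "previous": previous, "ratio": ratio}


if __name__ == "__main__":
    print("hot spots:", hot_spots(INCIDENTS, "theft_from_vehicle", date(2009, 6, 7)))
    print("arson, Apr-Sep 2009 vs 2008:",
          seasonal_change(INCIDENTS, "arson", 2009, {4, 5, 6, 7, 8, 9}))
```

The window and threshold are the tuning knobs a commander sets: a short window catches a series in progress (the loose-change thief), a longer one with a prior-year baseline catches the slow seasonal drift (the arson pattern), and neither replaces the officer sent to walk the neighbourhood.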

Jack Kohane is a freelance writer in Toronto, Ont.





LP CORNER

with Theresa Rowsell

KNOWING HOW TO PLAY

Retailers must learn how to beat shoplifters at their own game

A large part of the loss prevention (LP) game is deterrence. Creating an environment that tells thieves, "You're not welcome" is the most important part of protecting your business. It's important to remember that shoplifters don't play by the rules. They lie, they cheat and, of course, they steal. They prey on vulnerable retailers of all sizes, exploiting the hard work of others. However, loss prevention doesn't have to be a losing game; you just have to know how to play.

WHAT DOES A THIEF LOOK LIKE?

Thieves are diverse. They come from all walks of life, all sections of society and every age group. Some, like the impulsive person wanting a free chocolate bar, are opportunists – they steal because they think they can get away with it. Some steal to support a drug habit or other addictions. Others steal because it's their profession. These career criminals often operate in sophisticated networks involving multiple accomplices. Even with a host of technology options available to help safeguard retailers against criminals, one of the best defences is a store's frontline staff. With some simple training, retailers can teach their staff to watch for certain traits that set thieves apart from honest customers. Be on the lookout for people who:
• Spend more time watching the cashier or sales clerk than actually shopping;
• Wear bulky clothing or clothes that don't suit the weather conditions;
• Walk with unnatural steps or shuffle, which may indicate they are concealing items;
• Seem nervous and avoid eye contact;
• Frequently enter the store and never make a purchase; and
• Linger in areas of the store where it is difficult to see them.

HOW TO DISCOURAGE SHOPLIFTERS

Shoplifters want to avoid attention. It's when they are left alone that they get the opportunity to steal. Depriving them of these opportunities will help store owners stave off the opportunists and protect against professional shoplifters. The best way to foil crooks is to provide them with the best customer service possible. Honest customers will love the service and shoplifters will hate the fact that they can't find the opportunity to steal. If shoplifters know they are in a retailer's sights, they are more likely to abandon attempts to steal. A thief will clearly get the message that someone is constantly watching, making it less likely that they will take the risk of getting caught. Staff should greet and acknowledge anyone who enters the store. If someone looks suspicious, pay even more attention to them, make friendly eye contact and ask whether they need help. This simple tactic will help retailers be less attractive to potential thieves.

While good customer service goes a long way to deter potential shoplifters, incorporating other simple measures into your loss prevention strategy can help even further. Taking frequent inventory to determine what is being stolen will tell you what factors may contribute to those items being attractive targets for criminals, while good store layout and design, including minimizing blind spots and creating a store environment free from secluded areas where thieves can steal, are important measures that can also be employed. With all shop theft, it is important to take a strong and consistent stand against thieves. Good customer service can be your frontline employees' best defence against being targeted.

Theresa Rowsell is the director of loss prevention with the Retail Council of Canada (www.retailcouncil.org).


[Advertisement: IT360 Conference & Expo, 7 April 2010, Metro Toronto Convention Centre, Canada. "Expand Your Mind and Your Bottom Line." Tracks: Unified Communications, VoIP, Security, Data Centers. IT professionals and business executives, maximize your success: www.it360.ca. Sponsor, media partner and co-location logos omitted.]


ASK AWAY

PCI AUDITS

WHAT ARE SOME OF THE TOP REASONS COMPANIES FAIL PAYMENT CARD INDUSTRY (PCI) AUDITS?

Generally speaking, any organization that holds, processes or passes cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS). Businesses that fail PCI DSS audits can face a range of penalties, from fines to retraction of credit card processing privileges. Some of the most common security mistakes companies make when it comes to PCI compliance include:
• Insufficient protection of stored data: All stored credit card data must be segmented from other parts of the network, and encrypted to allow access only to authorized users.
• Inadequate testing of security systems and processes: Without good logging, it is difficult to spot hacker activity.
• Misconfigured firewall and virtual private networks: Appliances must be properly maintained to protect cardholder data, so look for a solution that can plug into your existing network with little tuning and includes real-time updates.
Attention to these common mistakes can help organizations avoid PCI audit failure, and a potential security breach, without an infrastructure overhaul.

Graham Bushkes is the vice president of sales, Canada for Fortinet, a worldwide provider of network security appliances and unified threat management (UTM) solutions.
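The first two points in the answer above meet in one place that audits routinely catch: application and gateway logs that were never meant to hold card numbers but do, because a debug line printed the whole request. The check below is an added example written for this column, not Fortinet code or a PCI Council tool. It finds 13- to 19-digit sequences in text, keeps only those that pass the Luhn checksum so order numbers and session identifiers are not flagged, masks each to the first six and last four digits (the most PCI DSS allows to be displayed), and reports which lines of a log still carry an unmasked primary account number (PAN). The sample log lines are constructed for the example and use published test card numbers, not real accounts.

```python
import re

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out timestamps,
    order numbers and session ids that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS permits to show."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits_if_pan(match_text: str):
    digits = re.sub(r"[ -]", "", match_text)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def find_pans(text: str) -> list:
    """Luhn-valid PAN digit strings present in text, separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_if_pan(m.group(0))
        if digits:
            found.append(digits)
    return found


def redact_line(line: str) -> str:
    """Replace every PAN in a log line with its masked form; meant to run in the
    logging path before the line is written, not as a clean-up afterwards."""
    def _sub(m):
        digits = _digits_if_pan(m.group(0))
        return mask_pan(digits) if digits else m.group(0)
    return PAN_CANDIDATE.sub(_sub, line)


def scan_log(lines) -> list:
    """(line index, PANs) for every line holding an unmasked PAN. A PCI log
    check wants this list empty."""
    hits = []
    for i, line in enumerate(lines):
        pans = find_pans(line)
        if pans:
            hits.append((i, pans))
    return hits


# Constructed sample log lines; the card numbers are standard test PANs.
SAMPLE_LOG = [
    "2010-01-12 09:14:02 INFO order=4815162342 total=42.00 status=approved",
    "2010-01-12 09:14:03 DEBUG auth request pan=4111 1111 1111 1111 exp=12/11",
    "2010-01-12 09:14:05 DEBUG retry pan=5500-0000-0000-0004 result=declined",
    "2010-01-12 09:14:07 INFO session=1234567890123456 user=alice",
]

if __name__ == "__main__":
    for idx, pans in scan_log(SAMPLE_LOG):
        print(f"line {idx}: unmasked PAN(s) {pans}")
        print("  redacted:", redact_line(SAMPLE_LOG[idx]))
```

A Luhn match is not proof of a card number (about one in ten random digit strings passes), so the scan is a triage aid for the auditor's "show me your logs" question; the durable fix is to redact in the logging path so the PAN never reaches disk, which keeps the log server out of the cardholder data environment that the segmentation point in the answer is about.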

CRIME PREVENTION

WHAT CAN THE AVERAGE PERSON DO TO HELP PREVENT CRIME?

Security is everyone's responsibility. What prevented the 9/11 terrorists from crashing a plane into the White House, what stopped the notorious "Shoe Bomber" Richard Reid, and Umar Farouk Abdulmutallab in the recent Detroit hijacking incident were the actions of everyday citizens who boldly took action and, in doing so, prevented acts of terrorism. Security professionals use a technique called Crime Prevention Through Environmental Design (CPTED) to reduce crime by creating carefully designed environments that promote natural surveillance, access control and boundaries to prevent crimes from occurring. CPTED encourages people to take ownership of their surroundings, be aware of what is going on around them and detect suspicious behaviour before crimes occur. Working in partnership with security professionals, people can maintain safe and secure environments that discourage criminals or terrorists from striking. That is the ultimate solution and one that will keep all of us safe and secure.

Paul Carson is vice president of Ontario, Manitoba and the Atlantic Provinces for Garda Physical Security, one of Canada’s largest security service providers.

AIRPORT SECURITY

HOW WORRIED SHOULD I BE ABOUT THE NEW BODY SCANNERS AT CANADIAN AIRPORTS?

Full-body scanners give a revealing look at passengers selected for secondary security screening when travelling to the United States. There are some critical privacy protections planned, including segregated review officers, private image reviews and no image retention. In recent news reports, the media briefly mentioned that there are plans to develop a program of "active behavioural observation," likely to be a more significant personal privacy risk as a result of largely subjective data collection.

Plans to address the apparent failure to integrate and act on existing intelligence are also worrisome. The demand for more integrated databases and automated search functions often eliminates the best privacy protection: good information management practices. In all honesty, I'd be more concerned about the numerous programs and services that hold millions of records (i.e., information) on people across the country. In Canada, we are changing the privacy expectations and norms of society, one system at a time. Do the body scanners contribute to that change? Absolutely. But we can and should pay much more attention to the daily routines that amount to vast personal information collection on each and every one of us.

Tracy Ann Kosa is an independent privacy researcher in Toronto, Ont. She can be reached at takosa@bell.blackberry.net.


ONLY ONE EVENT MEANS EVERYTHING TO ALL SECURITY PROFESSIONALS. EDUCATION: MARCH 23-25, 2010 / EXHIBITS: MARCH 24-26, 2010. SANDS EXPO AND CONVENTION CENTER / LAS VEGAS, NV. For the best, there’s ISC West. The newest products, leading manufacturers, training and education tailored specifically to your needs. Join the security industry’s leading and largest event encompassing all of security with the most informative and competitive security resources – at just the right time and place. When it comes to security, ISC West is everything you need in a single event.

For more information and to register today, visit: WWW.ISCWEST.COM/SECURITYMATTERS

International Security Conference West® is a registered trademark of Reed Elsevier Properties Inc., used under license. ©2010 Reed Elsevier Inc.


COOL STUFF: Intrusion Prevention Systems

NETWORK APPLIANCE

Top Layer’s intrusion prevention system is comprised of an in-line, transparent network appliance, network security analyzer software, a real-time security event manager, IPS controller software, centralized management module for multi-device deployments and TopResponse, a threat update service. It uses a multi-tiered “Protection Processor Architecture,” which requires fewer filters, meaning new protection can be delivered more quickly. www.toplayer.com

EMERGING ATTACKS

Radware’s DefensePro ODS offers both application delivery and security features to protect users from known and emerging attacks. With its real-time intrusion prevention system (IPS), DefensePro prevents non-vulnerability-based threats and zero-minute attacks, such as application misuse attacks, server brute force attacks, application and network flooding. Additional protection benefits include proactive signature updates, which safeguard against already known attacks including worms, Trojans and botnets. It also provides adaptive, behaviour-based protection capabilities at client, application server and network levels. www.radware.com

REAL-TIME MEASUREMENT

Cisco’s Intrusion Prevention System (IPS) 4270 Sensor delivers protection for business continuity and safeguarding critical assets by providing up to 4GB of protection from malware and directed attacks for today’s media-rich working environment. The system can be deployed across the network to the data centre, and inline in the network to identify, classify and stop malicious traffic. For each event detected, the IPS 4270 calculates a real-time measurement of risk, allowing proper response to events with the greatest potential impact to a business. www.cisco.com

PERIMETER SECURITY

Panda’s GateDefender Integra is a unified perimeter security device providing protection in the corporate network perimeter against all types of threats, both network-level and content-based. The different types of protection include firewall, IPS, VPN, anti-malware, content filter, anti-spam and web filter. It also prevents sensitive data loss through the control of incoming and outgoing data content. www.pandasecurity.com

SOFTWARE BLADE

Check Point’s IPS Software Blade provides integrated, next generation firewall intrusion prevention capabilities at multigigabit speeds. The IPS Blade provides complete threat coverage for clients, servers, OS and other vulnerabilities, malware/worm infections and more. The Multi-Tier Threat Detection Engine combines signatures, protocol validation, anomaly detection, behavioural analysis, and other methods to provide network IPS protection. Users can graphically monitor only what is important, isolate actionable information and meet compliance and reporting requirements. www.checkpoint.com

UTM INSPECTION

The FortiWiFi-30B offers enterprise-class unified threat management (UTM) inspection, including firewall, IPS, anti-virus, anti-spyware, anti-spam, IPSec VPN, web filtering, application control, data leakage prevention and VoIP support. The system is ideal for large enterprises with hundreds or thousands of small, remote networks that need wireless LAN convenience in addition to full UTM inspection against today’s evolving threats. The FortiWiFi-30B also serves the smallest of business or home networks that do not require advanced configuration and management features. www.fortinet.com


marketplace

AD INDEX • JANUARY/FEBRUARY 2010

For more information on any of our advertisers, visit them on the web

COMPANY                                  WEB SITE                          PAGE #
ADT/INTERCON                             WWW.INTERCONSECURITY.COM          22-23
ANIXTER CANADA                           WWW.ANIXTER.CA                    15
AVON SECURITY PRODUCTS                   WWW.AVONSECURITYPRODUCTS.COM      29
AXIS                                     WWW.AXIS.COM                      7
BLUE PENCIL MOBILE SHREDDING SERVICE     WWW.BLUE-PENCIL.CA                9
FORTINET                                 WWW.FORTINET.COM                  2
HID                                      WWW.HIDCORP.COM                   32
ISC WEST                                 WWW.ISCWEST.COM                   27
IT360                                    WWW.IT360.CA                      25
ITECH SUMMIT                             WWW.ITECHSUMMIT.CA                4 & 29
KING-REED & ASSOCIATES                   WWW.KING-REED.COM                 29
NCI                                      WWW.NCI.CA                        31
RELIANCE PROTECTRON SECURITY SERVICES    WWW.PROTECTRON.COM                11
RETAILERS ADVANTAGE                      WWW.RETAILERSADVANTAGE.COM        29
SAINT CORP.                              WWW.SAINTCORPORATION.COM          13
TELUS SECURITY SOLUTIONS                 WWW.TELUS.COM                     5


Q & A

With Bruce Schneier

SECURITY GURU

Bruce Schneier, an internationally renowned security technologist and author of Schneier on Security, Applied Cryptography and Secrets and Lies, sits down with Security Matters to discuss cloud computing, social networking and the power of fear.

Security Matters: I’ve read that you believe computer security is an economic problem. Please explain.

Bruce Schneier: Security is a trade-off: you give up something and you get some security in return. That sort of trade-off is something that economics, especially behavioural economics, studies well.

SM: How real of a threat is identity theft?

BS: It’s one of the fastest growing areas of crime, but even with that, if people take just the littlest bit of care it’s not that much of a problem for them. Banks and other financial companies have gotten really good at cleaning up most of the normal instances of the crime. More worrisome are the rarer, but more involved forms of identity theft perpetrated on businesses.

SM: What are your thoughts on the issues surrounding privacy and security?

BS: The whole security versus privacy balancing thing doesn’t make any sense. Think about airline security: the only two measures that have improved security since 9/11 have been reinforcing the cockpit door and convincing passengers they have to fight back, and those have no adverse effects on privacy. Neither do door locks, tall fences or guards.

SM: What security-related advice do you have for companies regarding social networking applications?

BS: Live with it. You can’t fight it, you won’t win and you’ll look like a dinosaur if you try. You can’t police it, either. Have corporate rules in place about confidentiality, rules that are the same for conversations in pubs after work and on Facebook, and enforce those rules. Social networking sites are how your employees socialize — it’s not something you can control.

SM: Any thoughts on cloud computing?

BS: Cloud computing is not a fad; it’s a necessary result of the cost of computation and the cost of networking dropping to free. Of course, businesses should be comfortable using it, but like every technology, it’s not suitable for everything. Cloud computing is a form of outsourcing, and businesses outsource important things all the time — payroll, tax preparation, legal services, corporate cafeterias and telephone service. The important aspect of all of this is trust. You need to trust your outsourcer, whether it’s cleaning your offices at night or hosting your documents in some data cloud. And cloud computing has a lot of business advantages that have nothing to do with security.

SM: How effective is anti-virus and anti-malware security software?

BS: They’re pretty good. Not perfect by any means, but pretty good. I recommend that everyone have one of these installed – I don’t care much which one – and configure it to update itself at least daily.

SM: What do you think drives people to take a hard look at their corporate security posture?

BS: Fear. People look at security, both corporate and individual, when it’s salient. And security is only salient when you feel fear. It could be a specific fear based on an actual event, or a general fear based on ill-formed dread, but it’s still fear. Without fear, security fades into the background.

SM: Are there any security misconceptions or myths you think need to be dispelled?

BS: Hundreds. It’s what I spend most of my time doing.

SM: Are governments doing enough to protect their citizens from IT and related computer threats?

BS: No, but I can’t even convince my government to pass health-care reform to protect its citizens from illness, and that kills far more people than IT can ever expect to.


Introducing the Check Point IPS Software Blade

The Check Point integrated IPS Software Blade is changing the face of IPS and network security as you know it. No longer do you have to make tradeoffs between price, performance and protection level. This revolutionary new intrusion prevention solution provides unparalleled network protection and breakthrough performance, while significantly reducing your costs—up to 90% versus competing solutions.

Total Protection: Thousands of signature, behavioral and preemptive protections

Industry-Leading Performance: Up to 15 Gbps of IPS and 25 Gbps of firewall throughput

Lowest TCO: Breakthrough savings with low acquisition, deployment and operating

Get your FREE copy of “The New Face of Intrusion Prevention” white paper. Contact NCI at 1.866.3575 or info@nci.ca, or log onto www.nci.ca. NCI is Canada’s premier provider of IT Security Products and Services. We are dedicated to providing our clients with the most thorough consulting, outstanding service delivery, and best-matched solutions to their IT Security needs.


I prefer... products and solutions that are backed by a name I can trust.

HID Global is the trusted source... providing customers with quality, value and reliability. HID Global offers customers value-added services that ensure all products are delivered, perform and are reliable, right out of the box. With lifetime warranties, enhanced management of access control credentials using Corporate 1000®, Priority Plus™ 48-hour delivery service and free training, we want your experience with us to be the same each time, every time.

See the difference Genuine HID can make. Visit hidglobal.com/genuinehid/SecMat

