<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress.com" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>security-awareness &amp;laquo; WordPress.com Tag Feed</title>
	<link>http://en.wordpress.com/tag/security-awareness/</link>
	<description>Feed of posts on WordPress.com tagged "security-awareness"</description>
	<pubDate>Tue, 08 Dec 2009 02:07:07 +0000</pubDate>

	<generator>http://en.wordpress.com/tags/</generator>
	<language>en</language>

<item>
<title><![CDATA[When 'Twitter' Becomes Goldfish …]]></title>
<link>http://aashishkunte.wordpress.com/2009/12/07/twitter-becomes-goldfish/</link>
<pubDate>Mon, 07 Dec 2009 07:01:31 +0000</pubDate>
<dc:creator>aashishkunte</dc:creator>
<guid>http://aashishkunte.wordpress.com/2009/12/07/twitter-becomes-goldfish/</guid>
<description><![CDATA[  When &#8216;Twitter&#8217; Becomes Goldfish …   Today&#8217;s cyber world brings you the capabilit]]></description>
<content:encoded><![CDATA[<div class='snap_preview'>
<h1><span style="color:#993300;">When &#8216;Twitter&#8217; Becomes Goldfish …</span></h1>
<p style="text-align:center;">Today&#8217;s cyber world brings you the capability to control a Toast Maker in your kitchen @ California while you stay at a beautiful beach resort in Mauritius!  No wonder… if people stay connected with their Friends n Family and rest of world… just @ their fingertip!!!    The fantastic part of this life is the time and speed at which the information becomes public and instantaneous reflections to the changes made by the user and eventually everyone watching it!<a href="http://aashishkunte.wordpress.com/files/2009/11/twitter_goldfish.jpg"><img class="alignnone size-medium wp-image-30" title="Twitter_Goldfish" src="http://aashishkunte.wordpress.com/files/2009/11/twitter_goldfish.jpg?w=300" alt="" width="300" height="191" /></a></p>
<p>Today I am going to take you through chronicles of when Twitter becomes “Goldfish”!</p>
<p>Cyber Evolutions are not very new to us, as we look back @ the first world wide website got published over internet 40 years ago… We use those innovations to make our life easy, simple and Fast! Of course, the usefulness of the knowledge that is being spread @ fingertips within fraction of seconds is undoubted ….</p>
<p>However, the realities of using such greatest powers come with responsibilities and it follows the characteristics of the Human Nature as it&#8217;s used by Still Humans!</p>
<p>Obviously, a set of like minded people go separate ways, make different choices and follow the freedom of thoughts and form a group or a community. One of the best parts of human life is Social Networking and we love being together, communicate with each other, express ourselves, we help each other, we care and love each other and we stay with the community.  The same principle goes into the Cyber World today and we can see a lot of opportunities to Connect, Share, Express ourselves and we can practically live a second life with our own way and within the network of our own choice!</p>
<p style="text-align:center;">There is always a dark side attached to the Light, where things go beyond a level of control and a series of human acts to gain more power or to accomplish their desires with an intention or motive… This can be a threat … and that is when the simplicity becomes an easy source for Personal and Confidential Information!  <a href="http://aashishkunte.wordpress.com/files/2009/11/news-2.jpg"><img class="alignnone size-medium wp-image-44" title="News 2" src="http://aashishkunte.wordpress.com/files/2009/11/news-2.jpg?w=300" alt="" width="300" height="261" /></a></p>
<p>Having said that, this may not be the prime purpose of the social networks… however the amount of personal data, pictures, videos and lot of such stuff in there, creates attraction to your profile and by making use of someone&#8217;s information … No matter who we are and what we do … We put ourselves and our valuable information at a risk as long as we keep ignoring the real time essence of public nature attached to the social networks. </p>
<p>Today the dark arts in the cyber world are not limited to a matter of Just for fun thing … but it&#8217;s getting sophisticated and has the capability to become a <strong><span style="color:#993300;">Life Threat</span></strong>.  Let me take you thru some of the real time examples as we see: Using Someone&#8217;s information people exploit a person&#8217;s natural tendency and they trick their victim into performing malicious action.</p>
<p style="text-align:center;">Cyber Bullying has grown up from teasing fun or just hurting emotions … and it has been involved in taking innocent human lives!!! The key factor in these innocent victims losing their lives is that they are repeatedly tormented, harassed, humiliated, embarrassed or otherwise targeted by other people with bad intentions…   <a href="http://aashishkunte.wordpress.com/files/2009/11/news-5.jpg"><img title="News 5" src="http://aashishkunte.wordpress.com/files/2009/11/news-5.jpg?w=300" alt="" width="300" height="280" /></a></p>
<p>&#8220;Twitter&#8221; is a service for friends, family, and co–workers to communicate and stay connected through the exchange of quick, frequent messages.  People can write short updates, which are often called &#8220;tweets&#8221;. These messages are posted to your profile or your blog, sent to your followers, and are searchable on Twitter search.</p>
<p>A few months ago a hacker was able to access a Twitter employee&#8217;s personal e-mail account … once there, the bad guy could access the employee&#8217;s Apps account which contained Documents, Calendars, and other applications and notes used by the employee. Such incidents raise some serious questions – not only about password system security itself, but also about the consequences and the risk which was not anticipated before.</p>
<p>Social Engineering Attacks are not very new … they have been used since historical times by exploiting a person&#8217;s natural tendency.  Before innovations like the Internet, the attack medium was via Telephone, via in person, via snail mail etc. etc.  And now online social networks are the additional tools to gain more and sensitive information within fraction of seconds !!<a href="http://aashishkunte.wordpress.com/files/2009/11/social-engg.jpg"><img class="alignnone size-medium wp-image-40" title="Social Engg" src="http://aashishkunte.wordpress.com/files/2009/11/social-engg.jpg?w=300" alt="" width="300" height="123" /></a></p>
<p>Such attacks on the social networking sites are being taken seriously and have legal involvement due to the amount of information stolen and published or misused !!</p>
<p>However the responsibility also lies with us, as we are the users of such great inventions and we admire the flexibility and simplicity by its design itself.<a href="http://aashishkunte.wordpress.com/files/2009/11/design-social-net.jpg"><img class="alignnone size-medium wp-image-32" title="Design Social Net" src="http://aashishkunte.wordpress.com/files/2009/11/design-social-net.jpg?w=300" alt="" width="300" height="279" /></a></p>
<p>Now… the simple question that comes in mind is what can I really do for this???  And I would ask the same question to myself… What I know about the tips and tricks?  <a href="http://aashishkunte.wordpress.com/files/2009/11/what-can-i.jpg"><img class="alignnone size-medium wp-image-31" title="What can I" src="http://aashishkunte.wordpress.com/files/2009/11/what-can-i.jpg?w=300" alt="" width="300" height="287" /></a>Let me tell you some of them ….</p>
<p>I will share and Engage only with those people who I trust!</p>
<p>I will understand more about the Privacy Settings … and spend some time to match it with the level of comfort to my profile and network and I will review them frequently. </p>
<p>Be cautious about posting Cell Phone Number, address, name of your school or school team which can identify and locate you offline.</p>
<p>I will not give away information that could help someone to find me. I will be careful of posting photos with things like car registration plates or identifiable landmarks in them. Look at the backgrounds of the pictures to make sure I am not giving out any identifying information without realizing it.  I avoid posting messages to blogs which says “I usually walk home down the lane by the railway tracks”.</p>
<p>Because there are some people out there who will piece together these little pieces of information about you over a long period of time.</p>
<p>Report users and content that you feel suspicious to the appropriate channel.   </p>
<p>Remember, unless you&#8217;re prepared to attach something in your profile, don&#8217;t post it!<a href="http://aashishkunte.wordpress.com/files/2009/11/online-safety.jpg"><img title="Online Safety" src="http://aashishkunte.wordpress.com/files/2009/11/online-safety.jpg?w=300" alt="" width="300" height="154" /></a></p>
<p>Don’t assume everyone you meet online is who they appear to be … Remember that the positive aspects always outweigh the negative ones !</p>
<p>Some sites and services ask you to post a “profile” with your age, sex, hobbies, and interests. These profiles help you connect and share common interests, but the bad guys can and do use these profiles to search for their victims.</p>
<p>You can’t really “take back” the online text and images you’ve entered. Once online, “chat” and all other web postings become public information. Many web sites are “cached” by search engines, and photos and text can be retrieved long after the site has been deleted.</p>
<p>Block and delete any unwanted messages or friends who continuously leave inappropriate comments. Report these comments to the networking site or Internet Service Provider if they violate that site’s terms of service.</p>
<p>Set privacy so that people can only be added as your friend if you approve it.</p>
<p>Set privacy so that people can only view your profile if you have approved them as a friend.</p>
<p>Remember that posting information about your friends could put them at risk.</p>
<p>Protect your friends also by not posting any names, passwords, ages, phone numbers, school names, or locations. Avoid making or posting plans and activities on your site.<a href="http://aashishkunte.wordpress.com/files/2009/11/think-before.jpg"><img class="alignnone size-full wp-image-41" title="Think Before" src="http://aashishkunte.wordpress.com/files/2009/11/think-before.jpg" alt="" width="221" height="88" /></a></p>
<p>Always remember that what you post online is not private.</p>
<p>Can you imagine yourself working with pen and paper files and using your mechanical typewriter today?</p>
<p>Just imagine E-Mail System is unavailable to you for 5 days?</p>
<p>You are only allowed to visit internet upon your supervisor&#8217;s personal supervision?</p>
<p>I would like to bring in here the value of Information, freedom and usage of Social Networks at workplace. Official information sharing and Official Documents sharing with friends or related workgroup communities over the internet is getting popular; according to the study, many businesses are still worried about lost productivity and that employees&#8217; activity on social networking could endanger security at the company.</p>
<p>Also a twitter message could be a cyber criminal at work! Some officials say cyber crime has gone beyond the drug trade as a money maker. &#8220;Cyber criminals have been targeting Twitter users by creating thousands of tweets embedded with words involving trending topics and malicious URL&#8217;s.&#8221; <a href="http://aashishkunte.wordpress.com/files/2009/11/official-information.jpg"><img class="alignnone size-medium wp-image-52" title="Official Information" src="http://aashishkunte.wordpress.com/files/2009/11/official-information.jpg?w=300" alt="" width="300" height="158" /></a></p>
<p>In the United States, the FBI reported a 33 percent increase in Internet crime last year. According to a survey of 1000 firms worldwide, companies lost an average of $4.6 million in intellectual property last year.  Within fraction of seconds, skimmed credit card numbers and other personal-identity information stolen from computers can be found for sale on Web sites, and when police shut these Web sites down, they just mushroom up some other place within the network group somewhere!</p>
<p style="text-align:center;">According to Sophos, around 40% to 50% of all businesses don&#8217;t control access to Facebook, Twitter, and MySpace while few groups of enterprises allow their users to use the more business-oriented LinkedIn.  <a href="http://aashishkunte.wordpress.com/files/2009/11/official-information-21.jpg"><img title="Official Information 2" src="http://aashishkunte.wordpress.com/files/2009/11/official-information-21.jpg?w=300" alt="" width="300" height="242" /></a></p>
<p>However, enforcing policies and procedures, creating controls and compensating controls may not be adequate and does not protect the system completely … But when I ask a simple question to myself and start developing myself with the simple habits we discussed in the things I can do, this is going to bring in security and help me in protecting information from social networking attacks online!</p>
<p><span style="color:#3366ff;"><strong>I will sum this up with simple thoughts and a small recap:</strong></span></p>
<ul>
<li> <em><span style="color:#993300;">Being Social is Human Nature; however the Internet is a place where things are very different. The virtual nature of the internet by design brings in risk for your information published!</span></em></li>
<li><em><span style="color:#993300;">As a user, we tend to admire only the simplicity, beauty, and elegance of social networking.  We often ignore simple habits of staying safe. Responsibility lies with us to protect our Information published online!</span></em></li>
</ul>
<p><em>Let’s bring <span style="color:#993300;"><strong>‘Immunity’ </strong></span>under our control by integrating security habits into <span style="color:#993300;">our thoughts, processes and operation.</span></em></p>
<p><em>As we help, care, collaborate and share our contributions back to the community!</em></p>
<p><strong>Consider:  When twitters become like goldfish everyone outside can watch you closely and make use of your information. </strong></p>
<p><strong>So, let twitter ‘buzz’ all over the world, but with &#8220;tweets&#8221; that keep <span style="text-decoration:underline;">you</span> out of danger!  <a href="http://aashishkunte.wordpress.com/files/2009/11/press-bird.gif"><img class="alignnone size-full wp-image-39" title="press-bird" src="http://aashishkunte.wordpress.com/files/2009/11/press-bird.gif" alt="" width="121" height="94" /></a></strong></p>
<p>Thank you!  Please leave your comments, thoughts and valuable suggestions here!</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Small Business to Protect Online Presence Through Target Hardening]]></title>
<link>http://securitybeyondborders.org/2009/10/30/small-business-to-protect-online-presence-through-target-hardening/</link>
<pubDate>Fri, 30 Oct 2009 11:09:52 +0000</pubDate>
<dc:creator>sbbcentcom</dc:creator>
<guid>http://securitybeyondborders.org/2009/10/30/small-business-to-protect-online-presence-through-target-hardening/</guid>
<description><![CDATA[In one of my previous posts I argued that in cyber-warfare, we’re all made collateral victims for lac]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>In one of my previous posts I argued that in <a href="http://wp.me/pyuSR-3B">cyber-warfare</a>, we’re all made collateral victims for lack of awareness. The following article from the WSJ harkens back to that notion. It describes how small businesses have been left to fend off increasingly sophisticated tactical attacks, because they’re seen as soft targets of opportunity.  A simple strong password policy and management can go a long way to achieve target hardening.  It’s sure to be the most sensible thing we all can do to protect our confidential information.</p>
<p style="text-align:center;"><strong>Passwords 101: How to Protect Your Company&#8217;s Data<br />
<em>Wall Street Journal (10/28/09) Richmond, Riva</em></strong></p>
<p>Strong password protection is essential to ensure the security of company data. Small companies often do not employ the same level of protection as large companies, making them even more vulnerable to a breach. Experts say that small companies should take the time to teach employees better password strategies. Workers should choose passwords that are difficult to guess, with at least seven characters, including numbers, capital letters, and symbols. They should also have different passwords for different company and Web applications, and should change these passwords at least every 90 days. These passwords should not be written down or recorded in any way, and should not be shared with anyone. System administrators should also be sure that they can control which employees have access to data, and that they cut off access for former employees. There are a number of technologies that can help companies achieve these objectives, but the first step any company needs to take is to look at its own specific security needs. As Todd Chambers, an executive at access-management company Courion Corp. says, &#8220;There is a risk-management process that every business should go through.&#8221; Such an assessment should take into account the sensitivity of data the company stores and how much damage would be done to the company and its customers if that data were to be breached. If the company does not store sensitive data, employing the services of competent IT personnel may be sufficient to protect information. However, companies that do have sensitive data should consider hiring security experts to set up and maintain an adequate cybersecurity system.</p>
<p style="text-align:center;"><a href="http://bit.ly/VTWt2">http://bit.ly/VTWt2</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[In a turbulent world organizations ready Evacuation Plans for international staff]]></title>
<link>http://securitybeyondborders.org/2009/10/26/in-a-turbulent-world-organizations-ready-evacuation-plans-for-international-staff/</link>
<pubDate>Mon, 26 Oct 2009 06:04:20 +0000</pubDate>
<dc:creator>sbbcentcom</dc:creator>
<guid>http://securitybeyondborders.org/2009/10/26/in-a-turbulent-world-organizations-ready-evacuation-plans-for-international-staff/</guid>
<description><![CDATA[By Francisco Mateo, CPP, CFE Picture this, your company has worldwide operations including some pl]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><h4 style="text-align:center;">By Francisco Mateo, CPP, CFE</h4>
<p>Picture this: your company has worldwide operations, including some places where it might be stable today but which have a long history of violence.  You’d be amazed at the number of countries you can come up with.  For the sake of brevity we won’t list them, but the fact remains that we live in a turbulent world where risk is asymmetric and extremely unpredictable. History offers many <a href="http://blog.globalrescue.com/bid/10040/Global-Rescue-offers-emergency-evacuations-for-security-threats">scenarios</a> to illustrate the point, like:</p>
<p>“American executives isolated in towns throughout Lebanon during the Israeli-Hezbollah conflict. Businessmen in Chad stuck in a hotel in the capital, N&#8217;Djamena, as rebels bore down on the city.” </p>
<p>And it is not just corporate travel that is impacted by these risk scenarios. Staff at every company vacation all over the world.  Some adventurers get their thrills in some of the world’s riskiest places.  For instance:</p>
<p>“Ten years ago, 62 tourists and tour guides were massacred at the Temple of Hatshepsut, in Luxor. In 2004, bomb attacks on hotels in the Sinai killed 34. The following year, blasts in downtown Sharm accounted for the deadliest attack in the country’s history, killing 85. Two dozen others were slaughtered in 2006 in the Red Sea resort of Dahab.”</p>
<p>Now, it’s clear that employees must assume and properly mitigate their risk situation. Indeed, companies are not obliged to extend aid to staff on their own time, but it’d be a great value-added service to get your people to safety when crisis strikes.  That is precisely the aim of an Evacuation Plan (EP): to get your people out of hotspots when things go awry.</p>
<p>As security and travel practitioners, we are always stressing the need to be prepared for the unthinkable.  We’re consistently preaching the prevention gospel to our business travelers and expatriate staff.  Our toolkit is first equipped with well crafted <a href="http://securitybeyondborders.org/travel-security/">travel security awareness plans</a> which help make our travelers and expatriate staff more resilient through training and timely information.  But we know that risk trends are like water; travelers could be faced with fluid situations which may not work in their favor. A comprehensive EP should allow us to extricate our travelers or expatriate personnel out of a hotspot in a safe and timely manner.</p>
<p><strong>What are the elements of an effective country evacuation plan?</strong></p>
<p>As an initial step your organization’s Crisis Management Team (CMT) must take on responsibility for the evacuation planning and execution.  The CMT is well suited for the task since they are most likely to know the risks the organization is exposed to and have created plans to mitigate them.  This superior knowledge bodes well for identifying and <a href="http://www.globalsecur.com/gs_intro/casehistories02.html">quickly reacting to conditions that would merit staff evacuations</a>. </p>
<p>That said, planning an evacuation is an exacting business with many moving parts.  A crisis event that merits an evacuation of staff must account for a number of potential eventualities that may include:</p>
<ul>
<li>political – military instability or upheaval</li>
<li>a break-down in law and order, and a consequent state of chaos, or anarchy</li>
<li>an unacceptable deterioration in living conditions</li>
<li>widespread criminal and/or terrorist actions</li>
<li>war in the region</li>
<li>natural disasters such as flood, famine, earthquakes, disease and <a href="http://209.85.229.132/search?q=cache:_5eV4mHRBhEJ:www.sonoco.com/NR/rdonlyres/5D10FACD-94B2-4665-9DF0-3F4D07D825C5/0/cor_pandemic_policy_jul_2006.doc+International+Business+continuity+%2B+Evacuation&#38;cd=96&#38;hl=en&#38;ct=clnk&#38;gl=us">epidemics</a></li>
</ul>
<p>All the scenarios mentioned above are likely to lead to situations where there are unacceptable dangers to life, or where business activities cannot profitably be pursued. The response to such scenarios is likely to be full or partial evacuation of expatriate personnel and dependants as well as foreign business visitors.</p>
<p>The following are guiding principles that are part of the pre-planning and execution of any EP best practice procedures:</p>
<p><strong>Pre-Planning:</strong></p>
<ul>
<li>Enable rational and logical decisions to be made; and create a decision-making organization</li>
<li>Establish reliable sources of information/intelligence</li>
<li>Establish communication requirements</li>
<li>Delegate duties and responsibilities to expatriate personnel</li>
<li>Establish and set up procedures aimed at enhancing the security of the evacuees</li>
<li>Implement such procedures quickly and efficiently</li>
</ul>
<p><strong>Execution:</strong> </p>
<ul>
<li>The safety and well-being of the employees and dependants is of the utmost importance</li>
<li>Alert states and triggers are clearly defined</li>
<li>The decision making authority, and individual responsibilities, are clearly defined and understood</li>
<li>Timely and accurate situation reports and up-to-date threat assessments must be available to assist balanced judgments by the CMT and the organization’s senior management</li>
<li>Reliable communications and reporting procedures are in place</li>
<li>Affected employees and dependants would be well briefed on relevant components of the plan</li>
<li>Updated records of the locations and contact details of all potential evacuees would be maintained</li>
<li>Necessary administrative details and support would be pre-planned</li>
<li>Business continuity and recovery plans are in place and up to date</li>
<li>Security of personnel in an atmosphere of fear, speculation and rumor would be maintained</li>
<li>Close liaison with relevant political, law enforcement and diplomatic missions would be maintained</li>
<li>Non-expatriate staff are neither endangered nor financially disadvantaged.</li>
</ul>
<p>A decision to <a href="https://www.osac.gov/Reports/report.cfm?contentID=30036">evacuate a country</a> is obviously of vital importance to the continuity of the business. For that matter a short span of control must be maintained on the decision making process. The senior most executive in-country acting as the CMT leader and in close coordination with the organization’s board of directors (or designee) should have the final say of when to evacuate.</p>
<p><strong>Means of Evacuation:</strong></p>
<p>If an evacuation is inevitable and the situation requires the activation of the EP, commercial flights will be favored. However, there is a high probability of overcrowded or incapacitated national and international airports. Some airlines may cease flying to areas of conflict. A crucial provision in the <a href="http://209.85.229.132/search?q=cache:hLhxp5UgFsQJ:www.redr.ca/resources/trainersResources/mod17.rtf+country+evacuation+plan&#38;cd=30&#38;hl=en&#38;ct=clnk&#38;gl=us">EP</a> should account for evacuation through:</p>
<ul>
<li>Airborne evacuation by chartered or corporate aircraft or helicopters</li>
<li>Overland evacuation by chartered coaches or private convoys</li>
<li>Where practicable, sea evacuation by chartered boats</li>
</ul>
<p><strong>Developing Alarm Triggers</strong></p>
<p>Although crisis events seldom give warnings, the type of events that would trigger an evacuation follow a cascading sequence that can be interpreted through a series of alert states.  It’s the duty of the security/safety practitioner to advise the CMT on a prudent course of action if the economic, political or social environment progressively deteriorates.</p>
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td width="158" valign="top">
<p align="center"><strong>Alert State One</strong></p>
</td>
<td width="149" valign="top">
<p align="center"><strong>Alert State Two</strong></p>
</td>
<td width="144" valign="top">
<p align="center"><strong>Alert State Three</strong></p>
</td>
<td width="151" valign="top">
<p align="center"><strong>Alert State Four</strong></p>
</td>
</tr>
<tr>
<td colspan="4" width="603" valign="top">
<p align="center"><strong>Natural Disaster</strong></p>
</td>
</tr>
<tr>
<td width="158" valign="top">Threat of natural disaster in region </td>
<td width="149" valign="top">Serious natural disaster with loss of some essential services.</td>
<td width="144" valign="top">Loss of all essential services with risk of disease and epidemic</td>
<td width="151" valign="top">Sudden loss of all essential services with high risk of disease and epidemic</td>
</tr>
<tr>
<td colspan="4" width="603" valign="top">
<p align="center"><strong>Civil unrest</strong></p>
</td>
</tr>
<tr>
<td width="158" valign="top">Militant demonstrations and protests</td>
<td width="149" valign="top">Civil unrest, rioting etc., making local travel unsafe; paralysis of some services</td>
<td width="144" valign="top">Loss of all essential services and significant risk when traveling locally</td>
<td width="151" valign="top">Sudden violent protests and demonstrations paralyzing &#8230; making local travel impossible</td>
</tr>
<tr>
<td colspan="4" width="603" valign="top">
<p align="center"><strong>Political and Military unrest</strong></p>
</td>
</tr>
<tr>
<td width="158" valign="top">Political agitation </td>
<td width="149" valign="top">Considerable disruption to government with loss of some essential services</td>
<td width="144" valign="top">Political take over<br />Loss of all essential services</td>
<td width="151" valign="top">Sudden coup<br />Rebellion<br />Loss of all essential services</td>
</tr>
<tr>
<td width="158" valign="top">Cooling in diplomatic relations</td>
<td width="149" valign="top">Severing of diplomatic relations </td>
<td width="144" valign="top">Hostile diplomatic relations</td>
<td width="151" valign="top">Seizure of foreign owned assets</td>
</tr>
<tr>
<td width="158" valign="top">Regional armed conflict</td>
<td width="149" valign="top">Spread of regional conflict</td>
<td width="144" valign="top">Major conflict involving &#8230;</td>
<td width="151" valign="top">Unforeseen major conflict involving  &#8230;</td>
</tr>
<tr>
<td width="158" valign="top">Policies disagreeable to international community</td>
<td width="149" valign="top">Imposition of international sanctions</td>
<td width="144" valign="top">Serious shortage of essential commodities</td>
<td width="151" valign="top"> </td>
</tr>
<tr>
<td colspan="4" width="603" valign="top">
<p align="center"><strong>Threat of Violence and/or Terrorism</strong></p>
</td>
</tr>
<tr>
<td width="158" valign="top">Threat against foreign people </td>
<td width="149" valign="top">Threat against  your employees and assets</td>
<td width="144" valign="top">Terrorist action against your staff or other foreign companies</td>
<td width="151" valign="top">Threats of kidnapping, or assassination of your employees</td>
</tr>
<tr>
<td width="158" valign="top">Isolated terrorist action </td>
<td width="149" valign="top">Effective terrorist action</td>
<td width="144" valign="top">Major terrorist campaign</td>
<td width="151" valign="top">Sudden terrorist campaign launched in &#8230;</td>
</tr>
</tbody>
</table>
<p><strong>The Alert States are defined as follows:</strong></p>
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td width="151" valign="top"><strong>Level</strong></td>
<td width="183" valign="top"><strong>Situation</strong></td>
<td width="252" valign="top"><strong>Outline actions</strong></td>
</tr>
<tr>
<td width="151"><strong>Preparatory Phase</strong></td>
<td width="183" valign="top">Political and security risk factors justify the preparation of an evacuation procedure<br />Business activity can continue as normal</td>
<td width="252" valign="top">Activate the CMT<br />Monitor the threat in co-operation with Security Practitioner<br />Review and update the EP</td>
</tr>
<tr>
<td width="151"><strong>Alert State One</strong><br />Caution</td>
<td width="183" valign="top">Potential for the security situation to deteriorate rapidly</td>
<td width="252" valign="top">Business travel is possible with careful considerationCMT meets once a week for monitoringUpgrade security</p>
<p>Keep EP ready for immediate implementation</td>
</tr>
<tr>
<td width="151"><strong>Alert State Two</strong><br />Stand-by</td>
<td width="183" valign="top">Security situation and/or country instability represents a risk to employees, families and physical assets</td>
<td width="252" valign="top">Avoid non-essential business travel (Market and Zone restriction)<br />CMT meets once a week for monitoring<br />Activate Task Force (TF) for co-ordination<br />Security at high level<br />Minimize local movement<br />Undertake a local security assessment and
<ul>
<li>if the threat is manageable, dependants and visitors can remain on site with evacuation procedures ready to activate</li>
<li>if the threat is not manageable, order the withdrawal of dependants and visitors.</li>
</ul>
</td>
</tr>
<tr>
<td width="151"><strong>Alert State Three</strong><br />Evacuation with stay behind presence</td>
<td width="183" valign="top">Business severely disrupted and high risk of exposure to staff</td>
<td width="252" valign="top">CMT in co-ordination with TF withdraw all expatriate staff but stay-behind group of key staff remain on site<br />Assistance and logistics provided by evacuation transport provider<br />Secure all sites including residences, other assets and information</td>
</tr>
<tr>
<td width="151"><strong>Alert State Four</strong><br />Emergency evacuation</td>
<td width="183" valign="top">Extreme risk to personnel and company assets</td>
<td width="252" valign="top">CMT in co-ordination with TF withdraw <strong>all international staff</strong> </td>
</tr>
<tr>
<td width="151"><strong>Relocation Phase</strong></td>
<td width="183" valign="top">Initial temporary basing of evacuated personnel in another country rather than their home</td>
<td width="252" valign="top">Implement Business Continuity Plans<br />Decide whether to repatriate staff or keep them in the temporary location<br />Administrative and HR management</td>
</tr>
<tr>
<td width="151"><strong>Return Phase</strong></td>
<td width="183" valign="top">It is now considered safe for certain or all personnel to return to country/site</td>
<td width="252" valign="top">Progressive re-deployment of resources<br />Reactivation of business operation<br />Reverse Alert State actions</td>
</tr>
</tbody>
</table>
<p>Like any crisis plan, the <a href="http://www.riskvue.com/articles/rb/rb0110c.htm">EP</a> should consider the decision to partially or fully evacuate expatriate personnel under any circumstances.  The plan should contemplate the many things that can go wrong during a crisis (breakdown in communication, mandatory curfew, martial law, etc.).  Consider also the financial resources needed to see the evacuation to a successful completion.  Consider also the decision making and delegation of control and responsibilities.  If the senior executive is incapacitated or unable to carry out his/her duty during a crisis event, who’d assume the decision-making responsibilities?  Develop your CMT tasks and duties and make them part of your <a href="http://www.nriol.net/evacuation-insurance/">EP</a>.  Each incumbent should be familiar with their duties and responsibilities as well as those of the others within the CMT.  This can be achieved by rotating CMT duties among its members and conducting mock drills to those ends.</p>
<p><strong>Communication </strong></p>
<p>Communication is one of the pillars of crisis plans; without effective communications at all levels, important tasks would go uncompleted, compromising the eventual success of the <a href="http://www.riskvue.com/articles/rb/rb0110c.htm">EP</a>.  Start by developing a contact list of all devices for your CMT.  Many emergency communications services offer automated call trees which seamlessly send out message blasts to designated individuals in your tree.  Make use of cutting-edge crisis technology to gain speed and efficiency when executing an evacuation. </p>
<p>When communicating externally, the preparation of a statement also requires careful planning and consideration.</p>
<ul>
<li>Never make a statement without first making sure that the key messages you wish to express have been properly defined.</li>
<li>Make sure you are aware of as much of the context as possible of the situation you will be discussing.</li>
<li>Call upon the services of the Corporate Communications who can help give you a better understanding of the aspects you are not necessarily familiar with.</li>
<li>Make sure you can refer to dispositions implemented previously in order to prevent the type of incident you are going to discuss (forms filled in prior to the event).</li>
<li>Make sure you are aware of all the information that may be referred to during the statement (forms filled in prior to the event).</li>
<li>Concentrate on the key messages you identified beforehand.</li>
<li>Keep the statement simple, concise, precise.</li>
<li>Do not extrapolate, branch out on another subject, or try to hide part of the truth; be honest, sincere and credible.</li>
<li>Do not accept responsibility or place responsibility on a third party for the facts.</li>
<li>Always bear in mind that what is stated to the press will be read by all the company&#8217;s audiences, both internal and external.</li>
</ul>
<p><strong>Order of Evacuation</strong></p>
<p>The general chronology of an evacuation will be:</p>
<ol>
<li>All dependants of expatriate employees, business visitors and third party employees.</li>
<li>Non-essential staff.</li>
<li>Stay-behind and remaining key staff.</li>
</ol>
<p><strong>Business Continuity</strong></p>
<p><a href="http://www.fmi.org/facts_figs/conference_pdfs/Planing_for_Safety_Zegarra.pdf">Continuity</a> of the business concern is also of vital importance and should be treated as such in the <a href="http://www.expatexchange.com/lib.cfm?articleID=1632">EP</a>.  Even under crisis situations certain products must get to market.  To ensure continuity of your business, identify key facts about the operation; identify primary and secondary sites, as well as subsidiaries.  Consider the situation: how is business likely to be disrupted? How can business continue under alternative management measures? Designate a person responsible for business operation during an evacuation and lay out their protocols.  Develop a contingency arrangement for all sites and business areas (sales, production, supply chain, finance, IT, etc.).  Develop the means of communication enabling remote advice by proxy from a central location away from the conflict.  Take into consideration the priority in providing services or products to your customers.  Arrange proper protection for stay-behind staff, assets and products.</p>
<p>Lastly, remember that most crisis conditions arise suddenly and would not allow lengthy deliberation about what to do.  A well-formulated evacuation plan would give you the flexibility to operate your business anywhere in the world while keeping your personnel safe, protecting your assets and product, and perpetuating business operations. Your shareholders would not expect any less.  The truth of the matter is that such plans were reserved for exotic hot spots, but in our fragmenting world, where risk is asymmetric and extremely unpredictable, these scenarios are fast becoming the norm anywhere.  If you plan well, you’d execute diligently and get back to operations faster. This would ensure the most leverage from the opportunities every crisis intrinsically provides.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[How Not To Get Kidnapped in China (Via Forbes)]]></title>
<link>http://securitybeyondborders.org/2009/10/17/how-not-to-get-kidnapped-in-china-via-forbes/</link>
<pubDate>Sat, 17 Oct 2009 15:54:21 +0000</pubDate>
<dc:creator>sbbcentcom</dc:creator>
<guid>http://securitybeyondborders.org/2009/10/17/how-not-to-get-kidnapped-in-china-via-forbes/</guid>
<description><![CDATA[I came across this article through one of my network on LinkedIn.  I thought it would be important t]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><h4>I came across this article through one of my network on <a href="http://www.linkedin.com/pub/francisco-mateo-cpp-cfe/b/380/867">LinkedIn</a>.  I thought it would be important to share with all of you here.  It’s an excellent exposé (first hand account) of a phenomenon that occurs with increasing regularity.  In a nutshell kidnapping in China as reflected in the article is not a tactic used by syndicated crime groups as we know to be the MO around the world.  It is rather the result of a lack of knowledge from cavalier western businessmen about local business culture and customs.</h4>
<h4><a href="http://bit.ly/2JR68n">http://bit.ly/2JR68n</a></h4>
<p align="center"><strong> </strong></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Don't Go There!]]></title>
<link>http://securitybeyondborders.org/2009/10/11/dont-go-there/</link>
<pubDate>Sun, 11 Oct 2009 20:53:12 +0000</pubDate>
<dc:creator>sbbcentcom</dc:creator>
<guid>http://securitybeyondborders.org/2009/10/11/dont-go-there/</guid>
<description><![CDATA[I found the slideshow interesting from travel and security perspective.  Often times we focus too mu]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><h3>I found the slideshow interesting from a travel and security perspective.  Oftentimes we focus too much attention on the risk that crime represents and neglect other factors that are equally important to evaluate before setting out to these choice places around the world.  Thanks to Peter and his crew we can obtain advance intel.</h3>
<h3 style="text-align:center;"><a href="http://bit.ly/PP5BS">http://bit.ly/PP5BS</a><a href="http://bit.ly/pA4oB"></a></h3>
<h3>Peter Greenberg’s guide to the must-miss places of the world. Peter Greenberg is the travel editor for NBC’s “Today” show, CNBC and MSNBC, the author of The New York Times best-sellers “Don’t Go There!” and the “Travel Detective” book series, and host of the nationally syndicated Peter Greenberg Worldwide Radio show.</h3>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[October Is Cyber-Security Awareness Month...]]></title>
<link>http://valatrax.wordpress.com/2009/10/06/october-is-cyber-security-awareness-month/</link>
<pubDate>Tue, 06 Oct 2009 14:12:14 +0000</pubDate>
<dc:creator>The Exoteric Legacy of A Woman Registered As Valerie S.Z.</dc:creator>
<guid>http://valatrax.wordpress.com/2009/10/06/october-is-cyber-security-awareness-month/</guid>
<description><![CDATA[I&#8217;ve never been a Hallmark Holiday kind of chick, not even when it comes to my birthday.  Sett]]></description>
<content:encoded><![CDATA[I&#8217;ve never been a Hallmark Holiday kind of chick, not even when it comes to my birthday.  Sett]]></content:encoded>
</item>
<item>
<title><![CDATA[Brake Theory and Jet Theory]]></title>
<link>http://awrobinson.wordpress.com/2009/10/01/brake-theory-and-jet-theory/</link>
<pubDate>Thu, 01 Oct 2009 00:01:10 +0000</pubDate>
<dc:creator>awrobinson</dc:creator>
<guid>http://awrobinson.wordpress.com/2009/10/01/brake-theory-and-jet-theory/</guid>
<description><![CDATA[Explaining security to those in the security industry can be hard enough at the best of times withou]]></description>
<content:encoded><![CDATA[Explaining security to those in the security industry can be hard enough at the best of times withou]]></content:encoded>
</item>
<item>
<title><![CDATA[Security Awareness]]></title>
<link>http://taslam3589.wordpress.com/2009/09/29/security-awareness/</link>
<pubDate>Tue, 29 Sep 2009 02:54:17 +0000</pubDate>
<dc:creator>taslam3589</dc:creator>
<guid>http://taslam3589.wordpress.com/2009/09/29/security-awareness/</guid>
<description><![CDATA[Security awareness is a job for every individual for keeping their information safe at home and whil]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Security awareness is a job for every individual for keeping their information safe at home and while at work. A little bit of education about computers and how things work on the internet, e.g. safe internet browsers, antivirus and software updates, will at least prevent low-level hackers from stealing the information. Education makes it better, so spread the word around.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Security experts warn of dangers of rogue Wi-Fi hotspots]]></title>
<link>http://securitybeyondborders.org/2009/09/17/security-experts-warn-of-dangers-of-rogue-wi-fi-hotspots/</link>
<pubDate>Thu, 17 Sep 2009 03:06:39 +0000</pubDate>
<dc:creator>sbbcentcom</dc:creator>
<guid>http://securitybeyondborders.org/2009/09/17/security-experts-warn-of-dangers-of-rogue-wi-fi-hotspots/</guid>
<description><![CDATA[Story Highlights  Security experts warn Wi-Fi users to be more vigilant against hackers Experts say ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Story Highlights <strong></strong></p>
<ul>
<li> Security experts warn Wi-Fi users to be more vigilant against hackers</li>
<li>Experts say it&#8217;s difficult to distinguish between legitimate and rogue networks</li>
<li>Wi-Fi Alliance says spread of Wi-Fi hasn&#8217;t led to an &#8216;epidemic&#8217; of hacking</li>
<li>Users urged to protect their networks, use VPN for sensitive data</li>
</ul>
<p align="center"><a href="http://bit.ly/CYCO7">http://bit.ly/CYCO7</a> </p>
<p align="center"><a href="http://bit.ly/9zYA9">http://bit.ly/9zYA9</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Don't Control - ' Provide &amp; Protect' or 'Protect &amp; enable!']]></title>
<link>http://vagrasala.wordpress.com/2009/09/16/dont-control-provide-protect-or-protect-enable/</link>
<pubDate>Wed, 16 Sep 2009 08:29:19 +0000</pubDate>
<dc:creator>Vinod Agrasala</dc:creator>
<guid>http://vagrasala.wordpress.com/2009/09/16/dont-control-provide-protect-or-protect-enable/</guid>
<description><![CDATA[It is high-time the Information controls (especially Information security controls) move into a mode]]></description>
<content:encoded><![CDATA[It is high-time the Information controls (especially Information security controls) move into a mode]]></content:encoded>
</item>
<item>
<title><![CDATA[There is a Cyberwar going on out there, and we’re the Collateral Victims]]></title>
<link>http://securitybeyondborders.org/2009/09/08/there-is-a-cyberwar-going-on-out-there-and-we%e2%80%99re-the-collateral-victims/</link>
<pubDate>Tue, 08 Sep 2009 01:36:11 +0000</pubDate>
<dc:creator>sbbcentcom</dc:creator>
<guid>http://securitybeyondborders.org/2009/09/08/there-is-a-cyberwar-going-on-out-there-and-we%e2%80%99re-the-collateral-victims/</guid>
<description><![CDATA[I want to start the week by focusing on online security awareness.  Many factors in our society toda]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><h4>I want to start the week by focusing on online security awareness.  Many factors in our society today have combined to form a perfect storm of <a href="http://www.csoonline.com/article/501102/Internet_Security_Trends_2009_An_Interim_Update?source=rss_cso_exclude_net_net">online scams</a> using clever ploys.   The scams are so widespread that according to CSO’s Zulfikar Ramzan “The effects of cybercrime are far reaching. It would be a difficult task to find someone who has never been affected by malicious Internet activity, or who does not at the very least know someone who has been negatively impacted by cybercriminals”</h4>
<h4><a href="http://en.wikipedia.org/wiki/Walter_Scott">“Oh what a tangled Web We Weave, when first we practice to deceive”</a> Avoiding such scams is not just about sophisticated security software or timely updates, although that does help plenty. But the truth of the matter is that <a href="http://www.csoonline.com/article/500998/5_More_Facebook_Twitter_Scams_to_Avoid?source=rss_cso_exclude_net_net">sophisticated social  engineers or identity thieves</a> consistently stay one step ahead of our best defense tactics, despite the institutional efforts to bring cybercrime under control. We stand in awe at their sophistication, while the seed money that funds their ever more advanced operations comes straight out of our pockets. Humankind evolved out of necessity, and so must our <a href="http://mindfulsecurity.com/2009/08/09/information-security-threat-awareness-video/">thinking</a> about online victimization.   Our security posture requires us to be more, well, <a href="http://www.csoonline.com/article/500994/Getting_Hinky_About_Nigerian_Scams?source=rss_cso_exclude_net_net">“Hinky”</a>, about it all.  I can only describe this as a combination of <a href="http://goanimate.com/movie/0ayRulECigD4/1">security awareness</a> and intuitiveness, splashed with plenty of common sense about cybercrime.   </h4>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[The Role of Self-Defense in Security Awareness]]></title>
<link>http://securitybeyondborders.org/2009/09/04/the-role-of-self-defense-in-security-awareness/</link>
<pubDate>Fri, 04 Sep 2009 00:36:39 +0000</pubDate>
<dc:creator>sbbcentcom</dc:creator>
<guid>http://securitybeyondborders.org/2009/09/04/the-role-of-self-defense-in-security-awareness/</guid>
<description><![CDATA[There is a precept among security practitioners in that prevention is the best policy when it comes ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>There is a precept among security practitioners that prevention is the best policy when it comes to personal security. Good prevention strategy can disrupt 95% of all schemes. That said, it is clear that even the most aware person can get distracted and fall victim to a clever thief.  Overreacting during a mugging is most dangerous.  Only 5% of all disruption strategies are successful once the criminal has pounced on his victim.  To improve your chances of fending off an attack it is recommendable to know how to handle yourself through self-defense.</p>
<p>Just remember to be sensible in your actions before you assume a defense posture, evaluate your chances of repelling the attack, and walking away from the ordeal unhurt.</p>
<p align="center"><a href="http://bit.ly/my2Kh">http://bit.ly/my2Kh</a> </p>
<p align="center"><a href="http://bit.ly/3X72yg">http://bit.ly/3X72yg</a></p>
<p align="center"> </p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Caught in Bandit Cross Fire  ]]></title>
<link>http://securitybeyondborders.org/2009/09/02/caught-in-bandit-cross-fire/</link>
<pubDate>Wed, 02 Sep 2009 03:05:44 +0000</pubDate>
<dc:creator>sbbcentcom</dc:creator>
<guid>http://securitybeyondborders.org/2009/09/02/caught-in-bandit-cross-fire/</guid>
<description><![CDATA[No information-waste in this article.  My own philosophy is that applied information is a force mult]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>No information-waste in this article.  My own philosophy is that applied information is a force multiplier.  Remember that an ounce of prevention is worth a pound of cure; this part of a series of 8 articles exploring unthinkable events which are becoming more common in our world today has got it right.  Invest a bit of time and read on.  Afterwards browse over to the <a href="http://adventure.nationalgeographic.com/2009/08/survival/bandit-cross-fire">National Geographic site</a> for more information.</p>
<p><strong>Caught in Bandit Cross Fire  </strong></p>
<p>By Damon Tabor (<a href="http://adventure.nationalgeographic.com/2009/08/survival/bandit-cross-fire">National Geographic Adventure</a>)<strong></strong></p>
<p>There’s a fine line between off the beaten path and out of control. Sometimes you find it.</p>
<p><strong>How it Could Happen</strong></p>
<p>“You can still travel pretty much anywhere so long as you stay out of the tourist ruts, trust the locals, and don’t advertise your movements,” says adventure contributing editor Robert Young Pelton, author of The World’s Most Dangerous Places. A few notable exceptions: Yemen, where as many as nine foreigners were executed in June; bandit-and-pirate-beset Somalia; Sudan; and the eastern Democratic Republic of the Congo. Then there’s Pakistan and Afghanistan. “The real risk here is being kidnapped, held for ransom, or possibly murdered,” says Robb Maxwell, iJET regional analyst.</p>
<p><strong>How to Survive</strong></p>
<p>Before traveling to an unstable country, engage in what security pros call “journey management.” Set up prearranged times to call a friend who’ll alert authorities if you don’t arrive at a destination. If possible, arrange a fixer or, on the cheap, find a local university student looking to practice English. You’ll need someone who knows the terrain intimately and can get you to safe locations. “You want lily pads in the sea of hostility,” says Ed Daly, director of watch operations for iJET, a risk management company. Monitor the State Department’s website for travel warnings and find regional blogs that give a more nuanced sense of the ground scene. Wear drab clothes—no ball caps or sunglasses—and carry small gifts like cigarettes or candy that can smooth tense situations. (!!) Should a serious conflict erupt, head immediately to the airport, but remember that everyone else will too. If commercial options are no longer available, go to the closest U.S. Embassy, which will evac citizens for a price (you’ll pay the going rate for the last commercial flight out). If possible, attach yourself to a friendly military force. On the road, be prepared to encounter checkpoints: Stay calm and move slowly if stopped. Should you get kidnapped for ransom, relax. According to Clayton Consultants, a crisis management consultancy, some 95 percent of kidnappings can be resolved with a payoff. In the meantime, don’t volunteer unnecessary information. Escape attempts should be exercised only as a last resort. “If you feel like you’re going to get murdered anyway, I would try to escape—steal some food, study the guards, and look for an opportunity, since the worst-case outcome would be just as fatal as staying,” says Tim Crockett, a former British special forces soldier and executive director of AKE, an international security company.</p>
<p><strong>Intrepid Travel</strong></p>
<p>The State Department’s travel alerts aren’t foolproof, but they do offer a good bird’s-eye view of the global security situation. Traveling anyway? Get insurance. Journalist Robert Young Pelton uses adventure travel specialist Ingle (ingle-international.com).</p>
<p style="text-align:center;"><a href="http://bit.ly/LIh69">http://bit.ly/LIh69</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Traveler’s Scam targeting victims @ Bangkok Airport]]></title>
<link>http://securitybeyondborders.org/2009/08/15/traveler%e2%80%99s-scam-targeting-victims-bangkok-airport/</link>
<pubDate>Sat, 15 Aug 2009 15:05:05 +0000</pubDate>
<dc:creator>sbbcentcom</dc:creator>
<guid>http://securitybeyondborders.org/2009/08/15/traveler%e2%80%99s-scam-targeting-victims-bangkok-airport/</guid>
<description><![CDATA[Hello fellow travelers.  Here again to warn you about one more scheme targeting tourist at internati]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Hello fellow travelers.  Here again to warn you about one more scheme targeting tourists at international airports.  I can’t tell to what degree there is collusion between duty free shop staff, airport authorities and police to perpetrate this malicious scam, but victim accounts made them responsible for their ordeals.  If your travels put you at Suvarnabhumi Airport, beware of the risk of falling victim to this scam.</p>
<p align="center"><strong><a href="http://bit.ly/Z2j13">http://bit.ly/Z2j13</a></strong></p>
<p>The report brought to my recollection a <a href="http://www.securitycornermexico.com/index.php?option=com_content&#38;task=view&#38;id=1111&#38;Itemid=1009">scheme I became aware of in some Latin American airports</a>.  It consists of Customs officials passing information about the amount of money you declared on the form to criminals along with the victim’s description.  You’re then intercepted at an opportune time on the road away from the airport. Though not declaring the amount of currency you carry would likely get you a large fine or worse, land you in jail, if caught, you are advised to take precautions and practice situational awareness.  Protect yourself by arriving during daylight; arranging private transportation from a reputable provider well in advance; ask for the name and description of the driver and then cross check with official ID upon meeting at the airport exit. You can find more <strong><a href="http://securitybeyondborders.org/travel-security/">travel security</a></strong> tips on this site.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[What's the most dangerous place on Earth?]]></title>
<link>http://securitybeyondborders.org/2009/08/08/whats-the-most-dangerous-place-on-earth/</link>
<pubDate>Sat, 08 Aug 2009 04:47:51 +0000</pubDate>
<dc:creator>sbbcentcom</dc:creator>
<guid>http://securitybeyondborders.org/2009/08/08/whats-the-most-dangerous-place-on-earth/</guid>
<description><![CDATA[Staying Safe While Traveling by Debra Ronca The most dangerous place on Earth. It sounds like the ti]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><h2>Staying Safe While Traveling</h2>
<p>by Debra Ronca</p>
<p>The most dangerous place on Earth. It sounds like the title of an action-adventure movie. And it conjures up all kinds of images &#8212; war, earthquakes, poisonous jungle plants, killer animals, disease, terrorists and violent criminals at every turn.</p>
<p>Of course danger lurks everywhere. But some places are definitely more dangerous than others. How do we know which place is the most dangerous? Statisticians and think tanks consider many factors when naming a place among the world&#8217;s most dangerous. These factors include national security, war, terrorism, violent crime, insurgent activity, disease, humanitarian issues and civil unrest. As you can see, the world&#8217;s most dangerous places are usually dangerous because of human activity.</p>
<p style="text-align:center;"><strong><a href="http://bit.ly/frvmp">http://bit.ly/frvmp</a></strong></p>
<p style="text-align:center;"> </p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Curiosity Killed…Your Organization’s IT Security?]]></title>
<link>http://awareity.wordpress.com/2009/07/31/curiosity-killed%e2%80%a6your-organization%e2%80%99s-it-security/</link>
<pubDate>Fri, 31 Jul 2009 19:53:54 +0000</pubDate>
<dc:creator>awareity</dc:creator>
<guid>http://awareity.wordpress.com/2009/07/31/curiosity-killed%e2%80%a6your-organization%e2%80%99s-it-security/</guid>
<description><![CDATA[According to a recent survey released by the Messaging Anti-Abuse Working Group (MAAWG), about 1 in ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>According to a <a href="http://bit.ly/Y0B43" target="_blank">recent survey</a> released by the Messaging Anti-Abuse Working Group (MAAWG), about 1 in 6 consumers have at some point acted on a spam message.  Those who admitted to opening a spam message said they “were interested in a product or service” or “wanted to see what would happen if they opened it.”</p>
<p><strong>Wanted to see what would happen if they opened it!?</strong>   These people are not 6-year olds wanting to <strong>see what would happen</strong> if they touched the hot stove or stuck their tongue to a flag pole during an ice storm!</p>
<p>Nearly 2/3 of the people surveyed felt they were very or somewhat knowledgeable in information security, however 80% felt their machines would never be infected with a bot or malicious software.  This lack of awareness can only lead to one thing… expensive consequences! </p>
<p>Organizations need to ensure that Lessons Learned like this are being <strong>implemented</strong> down to the individual-level.   Without ongoing education and awareness, many employees, customers, third-parties, etc. will not understand risks, threats, best practices, etc.  By <strong>implementing </strong>an organization-wide awareness program with accountability and communicating organization-specific policies for passwords, anti-virus software, online safety, etc. your users will understand how to safely and securely navigate the online world. </p>
<p>I also recommend sharing internal lessons learned with your employees, such as a recent data breach or social engineering incident, so all appropriate personnel understand why they are being required to participate in an ongoing security awareness program.  If employees understand that by opening a spam e-mail, they are responsible for their actions that may potentially cost your organization millions of dollars and loss of reputation because of a data breach, they may be more likely to actually read your acceptable usage policies regarding strong passwords, e-mail safety and social networking best practices.</p>
<p><strong><em>How are you implementing your security program and ensuring your employees understand the risks and threats of spam and other online threats?</em></strong></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Security Awareness Perfect 7]]></title>
<link>http://itauditsecurity.wordpress.com/2009/07/30/security-awareness-perfect-7/</link>
<pubDate>Fri, 31 Jul 2009 03:25:12 +0000</pubDate>
<dc:creator>ITaudit</dc:creator>
<guid>http://itauditsecurity.wordpress.com/2009/07/30/security-awareness-perfect-7/</guid>
<description><![CDATA[Audry Agle, a former CISO, offers 7 practical ideas for increasing security awareness below. I]]></description>
<content:encoded><![CDATA[Audry Agle, a former CISO, offers 7 practical ideas for increasing security awareness below. I]]></content:encoded>
</item>
<item>
<title><![CDATA[INFORMATION SECURITY AWARENESS ISSUES - “THE WEAKEST LINK IN THE SECURITY CIRCLE”]]></title>
<link>http://blimadeari.wordpress.com/2009/07/23/70/</link>
<pubDate>Thu, 23 Jul 2009 05:32:44 +0000</pubDate>
<dc:creator>blimadeari</dc:creator>
<guid>http://blimadeari.wordpress.com/2009/07/23/70/</guid>
<description><![CDATA[INTRODUCTION This part of the report reviews how the issue could occur inside the organisation, what]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><strong>INTRODUCTION</strong></p>
<p>This part of the report reviews how the issue could occur inside the organisation, what the drivers and barriers of information security awareness are among the non-managerial employees in this organisation, how organizational behaviour affects the employees’ attitudes and working behaviour, and how the lack of information security awareness could become a risk and threat in the organisation. The findings of this report will highlight how important security awareness is to the employee, management and organisation.<br />
Moreover, information has become the backbone of the organisation, a vital business asset that supports the organization’s business processes. At the same time, more organizations are at risk of information security breaches. Harold E Davis and Robert L Braun state that general awareness of system vulnerability and reporting of concerns should be the responsibility of all employees (2004); this means that employees need to be aware of how vulnerable information security is in electronic information exchange within the organization.</p>
<p><strong>CURRENT DRIVER OF INFORMATION SECURITY AWARENESS IN THE ORGANISATION</strong></p>
<p>There are several issues related to user behaviour in information security that need to be considered by the management. These awareness issues drive the need to change user perception and organizational culture related to information security, and include awareness of the organisation’s security policy, password sharing, sharing of computers and devices, use of personal devices on the organization’s network, downloading and e-mail behaviour, etc. Such behaviour and attitudes can lead to fraud in the organisation when an unauthorized person handles transactions, and to virus and malware attacks from the use of unnecessary devices.</p>
<p>Some issues that drive the need to change user perception and organizational culture related to information security include:</p>
<ul>
<li><strong>Password Policy Awareness</strong><br />
Passwords are one of the few protections users have in order to keep their private information private. Passwords haven&#8217;t been created to torture innocent users but to protect them from unauthorized access. On the other hand, no matter how secure a network, an email system, or simply a web site is, when users show gross negligence about their passwords, this is simply asking for trouble. That is why it is important to have secure passwords and above all – not to disclose them to anybody else.<br />
A survey said that 70% of users use weak passwords, such as a relative’s name, an organization-related phrase, or a password with fewer than 8 (eight) characters and without a combination of numbers, characters and symbols.  Furthermore, most users never change their password, and the 30% of users with strong passwords either wrote down their password on a piece of paper or recorded it somewhere on their computer.<br />
This condition becomes a big issue because company defences are only as strong as the weakest link in the chain &#8211; which can often be the users. If users decide to make their password the name of their girlfriend, favourite football team, or pet goldfish then they are risking business data from any form of password based fraud such as password cracking, password guessing, etc. Cyber criminals are becoming increasingly canny at finding ways of exploiting vulnerable users and pilfering funds. By ignoring, or not realising how easily fraudsters can crack weak passwords, some employees are practically handing their private information over on a plate.</li>
</ul>
<ul>
<li><strong>Password Sharing</strong><br />
Based on best practice, accounts and passwords are given to individuals for individual use and should not ordinarily be shared, except when necessary to accomplish the mission of the organization. If a password has to be shared, it should be changed as soon as possible.<br />
However, in many organizations personnel share their passwords with others, including passwords for applications and operating systems. This can lead to security risk if someone falsely represents oneself as another individual, uses the name or identity of another person without authorization as that individual&#8217;s delegated person, or presents oneself as the authorized person of an organization or unit without proper authorization to do so.<br />
If any fraudulent action takes place in an application or system using those shared passwords, investigators will be unable to trace the person involved, because the fraud may have been performed by someone using another person’s password.</li>
</ul>
<ul>
<li><strong>Sharing Work Computers and Devices</strong><br />
Sharing a company computer with a user outside the company can be an invitation to security problems. Outside users have not been educated by a company&#8217;s IT organization, and are not beholden to its security policies. Nonetheless, the survey revealed that significant numbers of end users share their company computers with other users. Despite their awareness of the importance of security, 21 percent of users admitted that they allowed others to use their work computers. In fact, respondents in Japan said they allow others to use their computers for personal reasons more than they do themselves.</li>
</ul>
<ul>
<li><strong>Personal Devices at Organization Network</strong><br />
Personal devices that users connect to the network pose serious security risks for organizations. Oftentimes, these devices may not be governed by IT and security policies, or comply with best practices.<br />
Some 45 percent of end users stated that they used their own personal devices to access corporate resources. In China, this number soared to 74 percent of end users. Yet only half of those who used these devices said they had antivirus or security software on the device.<br />
•	29 percent of users believed that access by personal devices was safe.<br />
•	36 percent believed using personal devices for network access was acceptable simply because they did so regularly.</li>
</ul>
<ul>
<li><strong>Downloading and e-Mail Behaviour</strong><br />
Downloading files to the company network or to work devices has long been recognized as a particularly risky behaviour. Viruses, Trojan horses, and other types of malicious files are well-publicized, and most corporate users are well aware of these threats.<br />
Nonetheless, surprising numbers of users continue to open e-mail messages and attachments sent from unknown sources. Even a single instance of a user opening a virus or malicious file can cause a great deal of damage. Consider the impact of careless handling of e-mail and attachments by just 50 people in a 1,000-person company. Large organizations with thousands of users cannot tolerate this behaviour by even a small percentage of their users.<br />
A sizable percentage of respondents (38 percent) reported that they click on unknown e-mail messages but do not open attachments. This activity is less risky than opening unknown files, but can still present security risks.<br />
In India and Brazil, 10 to 20 percent of users admitted to opening unknown e-mail messages and their attachments. These figures are alarming: even one bad file can wreak havoc on an organization. Bringing one&#8217;s own personal files into the secure business environment can cause problems as well, yet the survey results show that this type of behaviour was common: 46 percent of end users download personal files to corporate networks or their work devices. In both China and Australia, more than 58 percent of participants port their own files to their work environment.<br />
However, the company has already established an IT security policy setting out the technical rules and how the information and communication technology (ICT) users in the company should work and behave. On the other hand, the end users of the system, who are the company’s employees, often neglect this policy because of their lack of awareness.<br />
Consequently, all the issues mentioned above may appear too technical, but in today’s IT environment they could lead to a big problem for management, or even to a big financial loss, if someone working on the system or information exhibits one or more of the weaknesses above.</li>
</ul>
<p><strong>OBSTACLES TO IMPLEMENT IT SECURITY AWARENESS IN THE IT-BASED ENVIRONMENT</strong><br />
There are many barriers to implementing information security awareness in an IT-based environment, especially in banking and financial companies. The common obstacles to giving employees knowledge of information security are the organisational culture; the perception that information security is not their responsibility but an information technology problem; the implementation of new technology, which changes the rules and policy of the organisation; and a lack of communication, resources and management support, especially in providing budget for training.<br />
Unfortunately, implementing a successful security awareness program can be a difficult and seemingly impossible task. Even some of the best-architected programs are often faced with a barrage of barriers and obstacles. Before implementing a security awareness program it is helpful to understand some of the common obstacles that management faces.</p>
<ul>
<li><strong>User Culture</strong> – In many organizations, security is implemented as an afterthought. Because security is not always integrated from the very beginning, users have months, weeks and even years to develop bad habits. This makes the challenge of implementing a security awareness program twice as hard. Not only do you have to educate users on security, but also you have to help them unlearn any bad habits that they may have acquired. In addition, users in this situation tend to have extra trouble buying into the value of security. As far as they are concerned, the organization has operated just fine for many years without security. New security requirements are viewed as unnecessary changes that make their lives more difficult.</li>
<li><strong>The perception that security is an information technology problem </strong>- Many users share the perception that security is the sole responsibility of the IT security department and not theirs. They tend to limit their role to the bare minimum of compliance to keep their jobs rather than the big picture of what they can do to help. While adhering to policy is a good start, there is much more that can be done. It is important that users understand that the IT staff cannot do it alone.</li>
<li><strong>Implementation of new technology</strong> – When new technology is implemented it often requires a behavior change or new level of understanding from the user community. This alone is not an issue, however, sometimes technology moves faster than or independently from the awareness program. Often times, the awareness team is out of the loop or not adequately informed of these types of educational opportunities until it is too late. This is why it is important for the security awareness program to stress internal communications as well as ensure an emergency or crisis communication strategy is in place.</li>
<li><strong>Perception of one-size-fits-all</strong> – Some security awareness programs fail to adequately segment their audience and deliver appropriate messages. This is a very poor strategy that results in messages getting ignored. Users receive hundreds of messages every day from all different directions. It is critical to segment your audience and ensure that people only get the messages they need. A one-size-fits-all strategy may be easy on you, but it will not be effective.</li>
<li><strong>Lack of organization</strong> – Many awareness programs fail to develop consistent processes and strategies for delivering messages to users. Without a consistent style, theme and delivery it is hard for the user to engage in the program or even know what to expect. Developing consistency in your communications will help establish an identity for the program and relationship with your audience.</li>
<li><strong>Getting the message where it counts</strong> – Often times it is a real challenge to get the right message to the right audience. This is especially true in large organizations. Even if the organization has already developed a thorough communication strategy with well-maintained process for targeted communications, this can be very difficult. Email groups based on management level and department can be helpful, but do not fully solve the problem. In some cases, although an audience has been identified, it is hard to figure out specifically who belongs in the audience. For example, you may have a message that you need to deliver to all programmers. Your organization may have a specific programming department, but also individual programmers in various pockets all over the organization. How are you going to identify and maintain a list that ensures all pertinent messages get to all of the programmers every time? This is difficult to say the least.</li>
<li><strong>Lack of management support</strong> – Obtaining management support is one of the most essential aspects of a security awareness program. Unfortunately it is also one of the most challenging (Held). In order for security messages to be effective, they must be supported from the top down. Even though many managers express their desire to support security initiatives, putting it into action is another story. This is due to the fact that managers have their own jobs and responsibilities. Their primary goal is to meet their business objectives and it is often hard to find room for security, no matter how much they believe security is important.</li>
<li><strong>Lack of resources</strong> &#8211; This usually stems from the lack of management support. Without management support, it is hard to secure adequate resources, and without adequate resources, a security awareness program is limited in what it is able to achieve.</li>
<li><strong>Lack of Communication</strong> – Many security awareness programs fail to educate their users on why security is important. They cover every other aspect, but leave out the information that is most likely to motivate users to change their behavior. Users that understand why certain behaviors are insecure are most likely to take ownership of the issue and change their behavior. For example, if you communicate a new password policy that has more stringent complexity rules, users will most likely view the new policy as a pain. On the other hand, if you also communicate to users how passwords are cracked and misused and the potential impact that this could have, then they are much more likely to take ownership and willingly adopt the new policy.<br />
However, training to educate non-managerial employees is considerably expensive given the management and organisation budget, since the training that has already been conducted by the managerial-level employees cannot provide a significant change within the company. They cannot communicate with their subordinate employees to educate them on the importance of information security awareness in their workplace.</li>
</ul>
<p><strong>FACT AND FINDING: SECURITY AWARENESS ON THE RISE</strong></p>
<p><strong>THE NECESSITY OF INFORMATION SECURITY AWARENESS</strong><br />
People, process and technology play an equally important role in information security (SANS Institute, 2002, p.3). “Your organization can be bristling with firewalls and IDS, but if a naïve user ushers an attacker in through the back door you have wasted your money” (Power, 2002, p.18).<br />
Additionally, policies and technical controls are certainly a critical part of any information security (IS) programme. To be effective, however, information security awareness programmes depend on the actions of individuals within the organisation. Employees are the real perimeter of the organisation’s network and their behaviour is a vital aspect of the total security picture (ENISA, 2008, p.10).<br />
Further, incidents caused by employees’ mistakes might result in far more damage to businesses every year than external attacks. Obtaining the support and participation of an organization’s employees requires an active awareness programme, one that is supported by all layers of management (Olzak, 2006, p.1).</p>
<p><strong>EFFECTIVE SECURITY AWARENESS</strong><br />
The primary objective of a security awareness programme is to educate users on their responsibility to protect the confidentiality, availability and integrity of their organization&#8217;s information and information assets. “Users are often the weakest link in a security chain, because they are not trained or generally aware of what security is all about. Management should drive employees to understand how their actions can greatly impact the overall security position of an organization” (Krutz, 2001, p.25).</p>
<p>Furthermore, Telders (1991, p.57) sees IS security as socio-technical. The study describes technical development as having created an increased need to improve users’ IS security awareness. Emphasizing the importance of technology represents a technical standpoint. In addition, Telders (1991, p.57) claims that the primary problem with IS security is lack of users’ motivation. This, too, represents a technical viewpoint. However, Telders’ (1991, p.58) social standpoint becomes evident in his considerations of user awareness and feasible processes and procedures as necessary for good IS security.</p>
<p>However, changing employees’ habits and viewpoints is not easy; it needs an accurate strategy to succeed. There are many important things that management should emphasize for the awareness programme to succeed, such as:</p>
<ol>
<li><strong>Commitment</strong><br />
Visible support and commitment from management can signal to all employees the importance of paying attention to IT security (NASCIO, 2007, p.5). For example, the steps management needs to carry out to support the awareness development programme are:<br />
- Support the resources needed for the awareness programme, such as funding, human resources, employee attendance at awareness sessions, etc. (Olzak, 2006, p.5).<br />
- Actively attend IS security awareness training and obtain an understanding of the necessary matters connected with IS security engineering (Stacey, 1996, p.22).<br />
- Promote IS security and set an example by complying with the company’s IS security instructions (Puhakainen, 2006, p.106).  Wilson and Hash (2003, p.7) said that management should set the example for proper IT security behaviour within an organization.</li>
<li><strong>Communication</strong><br />
Communication is a vital factor in creating and developing a successful awareness programme. In choosing the means of communication, it is important to consider the audience and remember that different people learn in different ways. It is a good idea to use multiple vehicles for any one message so that it can reach the broadest number of individuals within the given audience (Held, 2002).<br />
Specifically, most of the problems in banking and financial organisations relate to user behaviour. Consequently, there are many considerations in building effective communication to compel information security behaviour, such as:<br />
-	People have to notice the emergency or the crime before they can act. Thus security awareness programme has to include information on how to tell that someone may be engaging in computer crime (Lippa, 1990, p. 493).<br />
-	Security awareness programme that provides facts about the effects of computer crime on society and solid information about the need for security within the organization can help employees recognize security violations as emergencies (Lippa, 1990, p. 493).<br />
-	Presenting case-studies is likely to have a beneficial effect on participants’ readiness to examine security requirements and should include many realistic examples of security requirements and breaches (Kabay, 1993, p.5).<br />
On the other hand, an effective communication medium has to be chosen to deliver the awareness message (Hinson, 2009), using one of the following:<br />
-	Direct communications (e.g., emails, memos, computer based training, etc.);<br />
-	Indirect communications (e.g., posters, intranet, brochures, etc.);</li>
<li><strong>Motivation</strong><br />
Without sound motivation, no amount of knowledge or understanding will change staff behaviour. What is needed is appropriate knowledge and understanding accompanied by appropriate action. Parker (1998, 1999) proposes that the primary motivation for IS security must come from rewards and penalties directly associated with job performance. He also claims that conflicts between job performance and security constraints must be removed by making security a part of job performance.  One theory on how attitudes are learned suggests that rewards and punishments are important motivators.  Studies show that even apparently minor encouragement can influence attitudes (Kabay, 1993).</li>
</ol>
<p>By viewing information security as primarily a management issue, we can benefit from the mass of knowledge accumulated by social psychologists.  We can implement security policies and procedures more easily by adapting our training and awareness techniques to correspond to human patterns of learning and compliance.</p>
<p>Consequently, an awareness programme should reinforce security policy and other information security practices that are supported by the organization. Effective security awareness helps minimize the cost of security incidents, helps accelerate the development of new application systems, and helps assure the consistent implementation of controls across an organization’s information systems.</p>
<p><strong>CONCLUSIONS</strong><br />
The state of information security is only growing more complex with time. New viruses and vulnerabilities are reported every day. With the acceleration of technology and attacks, it is becoming even more apparent that users lack the appropriate level of awareness and training opportunities. Many users have little to no understanding of their responsibility to protect information and information assets. It is critical that management understand the value of a security awareness program and make a commitment to closing the education gap.</p>
<p>Moreover, securing infrastructures and applications isn’t enough to ensure protection for information assets. It’s the people who make the difference in whether a security program is successful or just whitewash for auditors and investors. Management should involve their employees and help them to see the importance of information security. A well-designed and maintained security awareness program can have a great impact on strengthening the weakest link.</p>
<p><strong>WHAT SHOULD WE DO???</strong><br />
Security is about people: most security incidents are caused by user behaviour, either directly or indirectly. A security breach could bring an organization a big loss. To achieve its goals, an awareness program needs strong management support. To be effective, management needs to determine the audience and find a suitable vehicle to communicate the awareness program. The following recommendations are suggested for management to implement:</p>
<ol>
<li>Management needs to address security issues related to user behaviour using a suitable awareness program and education.</li>
<li>Train managerial-level employees to develop their managerial skills, so that they can accurately deliver information about information security awareness to their subordinates.</li>
<li>Provide information security awareness training to all employees, at both non-managerial and managerial levels.</li>
<li>Run a familiarization program for employees on information security policy and regulation by providing user manuals, setting up pamphlets, and briefing them on how important information security awareness is. Suitable vehicles include broadcast e-mail, voicemail, the company newsletter, printed materials &#8211; posters, bulletin boards and brochures, face-to-face meetings, presentations, training and security conferences/fairs, reminders, and marketing items (mugs, pens, mouse pads, key chains, sticky-notes, etc.).</li>
<li>Provide support at all layers of management, since funding, employee attendance at awareness sessions, and employee perception of the importance of security all depend on it.</li>
</ol>
<p><strong>REFERENCES</strong><br />
Appunn, Frank D. (2008).  Computer user security: A model facilitating measurement. Ph.D. dissertation, Capella University, United States &#8212; Minnesota. Retrieved April 7, 2009, from Dissertations &#38; Theses: Full Text database. (Publication No. AAT 3304130)</p>
<p>Braun, Robert L, Davis, Harold E, . (2004). Computer Fraud: Analyzing Perpetrators and Methods. The CPA Journal, 74(7), 56-59.  Retrieved April 8, 2009, from ABI/INFORM Global database. (Document ID: 663572891)</p>
<p>Casmir, R. (2005). A Dynamic and Adaptive Information Security Awareness (DAISA) Approach. Stockholm: Department of Computer and Systems Sciences, Stockholm University Royal Institute of Technology.</p>
<p>Department for Business Enterprise and Regulatory (BERR) (2008), 2008 Information Security Breaches Survey. BERR Survey Executive Summary, UK.</p>
<p>Griffin, Ricky W. Fundamentals of Management. Houghton Mifflin Company, 2006.</p>
<p>Held, Robert (2001). “Security Awareness – Are Your Users “clued in” or “clueless”?” Cited 4th April 2009 from http://rr.sans.org/policy/sec_aware.php.</p>
<p>Hinson, G (2009). The True Value of Information Security Awareness. IsecT Publication. Cited April 4th 2009 from http://www.noticebored.com/html/why_awareness_.html</p>
<p>InfoSec Reading Room (2002), Security Awareness &#8211; Implementing an Effective Strategy, Sans Institute, USA. Cited April 4th 2009 from http://www.sans.org/reading_room/papers/47/418.pdf</p>
<p>Krutz, Ronald L., Russell Dean Vines (2001). The CISSP Prep Guide. New York: John Wiley &#38; Sons, USA.</p>
<p>Lippa, R A (1990).  Introduction to Social Psychology. California: Brooks/Cole, USA.</p>
<p>Nahavandi, A., &#38; Malekzadeh, A. R. (1998). Organizational Behavior, The Person-Organization Fit. New Jersey: Prentice-Hall.</p>
<p>National Association of State Chief Information Officers (NASCIO) (2007) IT Security Awareness and Training: Changing the Culture of State Government, NASCIO Publication, Kentucky, USA. Cited April 5th 2009 from www.nascio.org/publications/documents/NASCIO- ITSecurityAwarenessAndTraining.pdf</p>
<p>Olzak,T (2006). Strengthen Security with an Effective Security Awareness Program, Erudio Security LLC, USA. Cited 6th April 2009 from http://adventuresinsecurity.com/Papers/Build_a_Security_Awareness_Program.pdf</p>
<p>Power, Richard (2002) 2002 CSI/FBI Computer Crime and Security Survey, Computer Security Issues &#38; Trends. Vol. VIII, No.1 Spring, USA. Cited April 5th 2009 from http://www.gocsi.com/forms/fbi/pdf.html.</p>
<p>Puhakainen, P (2006) A Design Theory for Information Security Awareness, University of Oulu, Oulu. Cited 6th April 2009 from http://herkules.oulu.fi/isbn9514281144/isbn9514281144.pdf</p>
<p>Robbins, S., Bergman, R., Stagg, I., &#38; Coulter, M. (2006). Management. Pearson Education Australia.</p>
<p>Stacey TR (1996) IS security Program Maturity Grid. Information system security 5(2): 22.</p>
<p>Telders E (1991) Security awareness programs: a proactive approach. Computer Security Journal 7(2): 57-58.</p>
<p>The European Network and Information Security Agency (ENISA) (2008); Information security awareness in financial organisations, Heraklion, Greece. Cited April 5th 2009 from http:// www.enisa.europa.eu/doc/pdf/deliverables/is_awareness_financial_ organisations.pdf</p>
<p>Wilson, Mark; Hash, Joan (2003) Building an Information Technology Security Awareness and Training Program, NIST special publication 800-50. Cited April 5th 2009 from http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Is Economic Espionage At All Time High?]]></title>
<link>http://securitybeyondborders.org/2009/07/23/is-economic-espionage-at-all-time-high/</link>
<pubDate>Thu, 23 Jul 2009 00:38:15 +0000</pubDate>
<dc:creator>sbbcentcom</dc:creator>
<guid>http://securitybeyondborders.org/2009/07/23/is-economic-espionage-at-all-time-high/</guid>
<description><![CDATA[By Francisco Mateo, CPP, CFE I previously posted about the Lloyd’s 360 Risk Insight findings on the ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p style="text-align:center;"><em>By Francisco Mateo, CPP, CFE</em></p>
<p>I previously posted about the Lloyd’s 360 Risk Insight findings on the increased risk of “piracy, kidnapping and government expropriations, which have been exacerbated by the global financial crisis.”  Likewise, economic espionage is another threat to business value.  There has been an increase lately leading to notable cases. </p>
<p>Such is the case of <strong><a href="http://www.nytimes.com/reuters/2009/07/07/business/business-us-goldman-arrest.html?_r=3&#38;scp=2&#38;sq=fbi&#38;st=nyt">Sergey Aleynikov</a></strong>, a former Goldman Sachs Group Inc computer programmer accused of stealing secret trading codes from the financial firm which cost nearly $50 million to produce.</p>
<p>In a recent disclosure, financial industry giant <strong><a href="http://www.nytimes.com/2009/07/22/business/global/22deutsche.html">Deutsche Bank</a></strong> fired two executives, Wolfram Schmitt, head of investor relations, and Rafael Schenz, German security chief, for their involvement in retaining an investigations firm to gather information on activist shareholder Michael Bohndorf and media tycoon Leo Kirch.  The improper acts took place over the last 4 years.  The case highlights how commercial espionage cases transcend companies from diverse industries.</p>
<p>A recent Stuff Magazine article in New Zealand, <strong><a href="http://www.stuff.co.nz/business/industries/2578975/Business-spies-on-the-rise">Business spies on the rise</a></strong>, noted that businesses try to gain an edge over each other in a tough business environment.  What is remarkable about these cases is that even small businesses are getting in on the act.</p>
<p>The current trend indicates that economic espionage will continue to grow in significance for both businesses and governments. Most recently <strong><a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/07/14/AR2009071400648.html">Chinese authorities arrested 4 employees of Australian mining firm Rio Tinto</a></strong> accused of “bribing Chinese steel company employees to obtain confidential information on China&#8217;s negotiating position in the talks.” The arrest of <strong><a href="http://online.wsj.com/article/SB124711665049016593.html">Stern Hu</a></strong>, an Australian national who up until his arrest was Rio Tinto’s GM in China, has been received with stern condemnation from Australia’s foreign minister.  Ironically there have been notable espionage cases involving Chinese nationals in the US. <strong><a href="http://www.chicagotribune.com/business/columnists/chi-thu-burns-espionage-jul02,0,2009085.column">David Yen Lee</a></strong> is a Taiwan native facing a five-count indictment alleging theft of trade secrets from Valspar Corp., a publicly traded maker of household paint and other coating products. Other cases include <strong><a href="http://www.chicagotribune.com/business/columnists/chi-thu-burns-espionage-jul02,0,2009085.column">Hanjuan Jin</a></strong>, a former software engineer at Motorola Inc. accused of stealing commercial and military secrets. The most notable case is that of Chinese citizen <a href="http://www.bloomberg.com/apps/news?pid=20601087&#38;sid=aCeCvWPvvEdM">Dongfan “Greg” Chung</a>, a former aerospace engineer at the Boeing plant in Huntington Beach, California, <strong><a href="http://www.google.com/hostednews/ap/article/ALeqM5ioiyrNfUPsz4aaQl8lT1URmYuouQD99FLFC00">convicted</a></strong> in the first-ever trial under the Economic Espionage Act, for taking 300,000 pages of sensitive documents that included information about the U.S. space shuttle and booster rockets.</p>
<p><strong>Prevention</strong></p>
<p>The growing economic espionage problem highlights the difficulties of protecting intellectual property from competitors worldwide.  The trend calls for increased vigilance and counterintelligence efforts at all levels.  <strong><a href="http://securitybeyondborders.org/2009/06/26/industrial-espionage-prevention/">I recently posted</a></strong> on the successful strategy at <strong><a href="http://www.nytimes.com/2009/06/23/technology/23apple.html?_r=2&#38;scp=1&#38;sq=Apple%20Obsessed%20With%20Secrecy%20on%20Products%20and%20Top%20Executives&#38;st=cse">Apple</a></strong>, which has nourished a culture of honesty and awareness. Some of the strategies include:</p>
<ul>
<li>Hardening R&#38;D areas with elaborate access control schemes.</li>
<li>Some companies employ Technical Surveillance Countermeasures (TSCM) like office debugging sweeps periodically.</li>
<li>Keeping a tight lid on information access and dissemination through security awareness, non-disclosure agreements, etc.</li>
<li>Security cameras in areas where employees are working on important projects.</li>
<li>Cloaking and disinformation are also part of a counterintelligence/counter-surveillance strategy.</li>
</ul>
<p>Regardless of the strategies companies use, prudence should prevail since lack of transparency regarding a company’s products or services can be counterproductive from a shareholder point of view.  Regardless of your company’s size, all strategies should be evaluated with the right internal stakeholders (Legal, marketing, corporate security, etc.) before execution.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Terrorist’s Macabre Machinations]]></title>
<link>http://securitybeyondborders.org/2009/07/18/terrorist%e2%80%99s-macabre-machinations/</link>
<pubDate>Sat, 18 Jul 2009 23:34:56 +0000</pubDate>
<dc:creator>sbbcentcom</dc:creator>
<guid>http://securitybeyondborders.org/2009/07/18/terrorist%e2%80%99s-macabre-machinations/</guid>
<description><![CDATA[During the attacks on Mumbai’s luxury hotels terrorists showed significant dexterity based on their ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>During the attacks on Mumbai’s luxury hotels terrorists showed significant dexterity based on their superior knowledge of the hotel’s layout.  This was a new disturbing strategy which went beyond the obvious.  The terrorist planning and operation exploited holes in hotels’ active security strategies. Friday’s attack on Jakarta’s Ritz Carlton and J.W. Marriott shows similarities:</p>
<ul>
<li>The attacks targeted <a href="http://online.wsj.com/article/SB124792371212662071.html">luxury hotel lobbies</a> where foreign and local business people were most likely to interact.</li>
<li>The terrorists also <a href="http://www.latimes.com/news/nationworld/world/la-fg-indonesia-bombs-2009jul18,0,6717126.story">exploited weakness</a> by masquerading as hotel guests and banked on the open nature hotels must convey.</li>
<li>The attackers most likely accounted for security hardening at all hotels after the 2003 bombings.</li>
<li>They spent several days in the hotel assembling the bombs and, as <a href="http://www.cnn.com/video/?/video/world/2009/07/17/bpr.indo.hotel.bombings.orlob.cnn">video footage</a> shows, a suicide bomber blended in with other business travelers.</li>
</ul>
<p><a href="http://www.pvtr.org/">The International Centre For Political Violence and Terrorism Research</a> prepared a top-level report on the incident:</p>
<p><strong>Spot Report on the Jakarta Hotel Blasts</strong></p>
<p>17 July 2009</p>
<p><strong>The Incident</strong></p>
<p>On 17 July 2009, bomb explosions rocked the Ritz-Carlton Hotel and the JW Marriott Hotel in the upscale Mega Kuningan District in Jakarta, Indonesia. The blasts occurred at about 0730 local time or 0030 GMT.  As of 1250 hours, officials reported that the nearly simultaneous blasts killed nine people and wounded at least 50 others &#8211; a number of foreigners were reported to be among the victims. No group has claimed responsibility for the attacks, which came just days after the Indonesian presidential elections, which were won by incumbent President Susilo Bambang Yudhoyono.</p>
<p><strong>Tactics and Impact</strong></p>
<p>Indonesian police said that the bombs were planted at the Ritz-Carlton’s Air Langga restaurant and the basement of the JW Marriott.  There were no confirmed reports as to the structure and composition of the bombs except that they were described as “high explosive bombs”.</p>
<p>“Fatal blasts hit Jakarta hotels”, BBC News, 17 July 2009, <strong><a href="http://tinyurl.com/n2qpqj">http://tinyurl.com/n2qpqj</a></strong></p>
<p> “Officials: Jakarta hotel blasts kill 9, wound 50”, Today Online, 17 July 2009, <strong><a href="http://tinyurl.com/n4z7fm">http://tinyurl.com/n4z7fm</a></strong></p>
<p>Witnesses reported hearing an explosion and seeing smoke coming from the Marriott Hotel.  After five minutes, another explosion was heard coming from the Ritz-Carlton.  Police have said however that the explosions were two minutes apart.  The blasts sent a huge plume of smoke into the sky; debris and shattered glass were scattered across the street.  The façade of the Ritz-Carlton and a second-storey restaurant were reported to have suffered the brunt of the damage while there was little damage to the JW Marriott Hotel that was visible from the outside.</p>
<p>Six people were reported to have died at the JW Marriott Hotel while there were 2 people killed at the Ritz-Carlton. The ninth fatality was an injured person who died while undergoing treatment at the Medistra Hospital. Witnesses at the scene reported seeing Indonesians and foreign nationals being evacuated from the area. Out of the 55 injured, 18 of them are foreigners including five Americans, one Italian, one Norwegian. The number of casualties from the two bombings is expected to rise.</p>
<p>Reports suggest that the attacks may have been perpetrated by suicide bombers due to the discovery of two headless bodies at the Ritz-Carlton Hotel. However, the information has yet to be validated by the authorities.</p>
<p>“Officials: Jakarta hotel blasts kill 9, wound 50”, Today Online, 17 July 2009, <strong><a href="http://tinyurl.com/n4z7fm">http://tinyurl.com/n4z7fm</a></strong></p>
<p> “Bombs kill nine in Jakarta hotels: police”, Google news, 17 July 2009, <strong><a href="http://tinyurl.com/lhmx7m">http://tinyurl.com/lhmx7m</a></strong></p>
<p> “Six killed in central Jakarta hotel blasts-police”, Reuters Alertnet, 17 July 2009, <strong><a href="http://tinyurl.com/newej3">http://tinyurl.com/newej3</a></strong></p>
<p><strong>Group Responsible</strong></p>
<p>The Indonesian police have said that it was “too early to say whether the bombs were planted by Islamic militants”.  Members of the Islamic militant network Jemaah Islamiyah (JI) were the ones behind the 2002 Bali bombings which killed more than 200 people and the 2003 attack on the JW Marriott Hotel which killed 12 people. These past years, the Indonesian government has embarked on massive counterterrorism operations which have resulted in the significant weakening of the group. Authorities have arrested many of the top leadership of the JI including those responsible for the 2002 bombings in Bali.</p>
<p>   “Bombs kill nine in Jakarta hotels: police”, Google news, 17 July 2009, <strong><a href="http://tinyurl.com/lhmx7m">http://tinyurl.com/lhmx7m</a></strong></p>
<p>JI, however, is still regarded as a capable organization and is believed to be quite capable of carrying out terrorist attacks along the scale of the recent hotel bombings.  An article from The Australian said that two recent developments may change the current assessment that the threat from the JI is waning.  The first is that the JI leadership is in turmoil and its future direction remains unclear.  Secondly, the “release from prison of former JI members, including some who reject police efforts to rehabilitate them, might now re-energize the movement towards violent attacks”.  It could be that for some dissident JI members, a bombing campaign might be the only way that they could achieve their political objectives.</p>
<p><strong>Security Response</strong></p>
<p>The lessons learnt from the 2002 Bali bombings and the 2003 attack on the JW Marriott have resulted in most major hotels in Jakarta improving on their security measures. Most hotels have implemented checkpoints for incoming vehicles and required hotel guests and visitors to pass through metal detectors.  It remains a question as to how the perpetrators of the 17 July 2009 Jakarta hotel bombings were able to circumvent the security measures that are in place.</p>
<p>Immediately following the hotel bombings, anti-terror forces and emergency teams were at the scene of both blasts. A third explosion in the Muara Angke area of northern Jakarta was initially believed to be related to the hotel bombings but further investigation revealed that the explosion was caused by a faulty battery and not a bomb.</p>
<p>Police response to the bombings was immediate and guests at both hotels have been evacuated and moved to secure locations. As investigators and policemen secured the scene of the bombings, they discovered what they believe was the “control center” for the attacks.  Police recovered an unexploded bomb and other explosive materials inside room number 1808 at the JW Marriott.</p>
<p> “JI jihadis still plot terrorism”, The Australian, 17 July 2009, <strong><a href="http://tinyurl.com/mw6bxz">http://tinyurl.com/mw6bxz</a></strong></p>
<p> “Bomb blasts in Jakarta”, Straits Times, 17 July 2009, <strong><a href="http://tinyurl.com/najf8u">http://tinyurl.com/najf8u</a></strong></p>
<p> “3rd blast not a bomb”, Straits Times, 17 July 2009, <strong><a href="http://tinyurl.com/kvsvde">http://tinyurl.com/kvsvde</a></strong></p>
<p>  “Travelers postpone their trips to Jakarta”, News.Com.Au, 17 July 2009, <strong><a href="http://tinyurl.com/mcf6v3">http://tinyurl.com/mcf6v3</a></strong></p>
<p>The Australian Department of Foreign Affairs and Trade (DFAT) has not raised its travel advice warning level for Indonesia despite the bombings but the overall level of advice remains at “reconsider your need to travel”.  The New Zealand Embassy has advised its citizens against tourist and other non-essential travel to Indonesia due to the continuing threat of terrorism amidst reports that one of their citizens died in the bombings.</p>
<p><strong>Assessment</strong></p>
<p>The Indonesian government has made significant progress in counterterrorism and addressing security threats from militant and radical groups which has contributed to the country’s sense of political stability in recent years. The country has been successful in building up an image of security these past few years and it has emerged as one of the biggest economies in Southeast Asia.</p>
<p>The attacks against the Ritz-Carlton Hotel and the JW Marriott Hotel were the first major terrorist attacks in Indonesia in more than three years since the start of the government’s counterterrorism operations. Both hotels are also seen to be among the most secure in Jakarta and the attacks could severely affect investor confidence because they occurred amidst a stable security environment and tough counterterrorist measures implemented by the Indonesian government.</p>
<p>   “Unexploded bomb found in JW Marriot in Indonesia”, Channel News Asia, 17 July 2009, <strong><a href="http://tinyurl.com/metese">http://tinyurl.com/metese</a></strong></p>
<p>   “Travelers postpone their trips to Jakarta”, News.Com.Au, 17 July 2009, <strong><a href="http://tinyurl.com/mcf6v3">http://tinyurl.com/mcf6v3</a></strong></p>
<p>“NZ witnesses describe Jakarta bombings”, Brisbane Times, 17 July 2009, <strong><a href="http://tinyurl.com/lgcw8w">http://tinyurl.com/lgcw8w</a></strong></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Cloaking Strategy Gone Wrong]]></title>
<link>http://securitybeyondborders.org/2009/07/15/cloaking-strategy-gone-wrong/</link>
<pubDate>Wed, 15 Jul 2009 03:42:09 +0000</pubDate>
<dc:creator>sbbcentcom</dc:creator>
<guid>http://securitybeyondborders.org/2009/07/15/cloaking-strategy-gone-wrong/</guid>
<description><![CDATA[A word of caution to security practitioners operating in trouble spots; be careful what cover storie]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>A word of caution to security practitioners operating in trouble spots: be careful what cover stories you use. The ruse may carry more risk than just taking proper precautions.  I get the part of passing off as a neutral person, but before adopting a strategy like this, think of the long-term consequences to journalists everywhere.  Despots and murderers don’t need more excuses to accuse journalists of being spies and such.  Having said that, I think everyone should adopt all necessary measures to stay safe, but not at the expense of other vulnerable professionals elsewhere down the chain.</p>
<p><strong>Two French Security Advisers Abducted in Somalia</strong></p>
<p>By Edward Cody</p>
<p>Tuesday, July 14, 2009</p>
<p>PARIS, July 14 &#8212; Two French security advisers posing as journalists were abducted from their hotel in Mogadishu on Tuesday by Somali gunmen, according to the Foreign Ministry and reports from the chaotic Somali capital.</p>
<p>The Foreign Ministry did not identify the two men or specify which branch of the French government had dispatched them to Somalia. But it said in an announcement that they were in Mogadishu on &#8220;an official mission&#8221; to assist the Western-backed government of President Sharif Ahmed in &#8220;security matters.&#8221;</p>
<p>A senior official in Ahmed&#8217;s government told Agence France-Presse, the main French news agency, that the two men had arrived in Mogadishu nine days ago, invited by the Somali Defense Ministry to train &#8220;their counterparts in Somali intelligence agencies.&#8221;</p>
<p>The men were staying at the Hotel Sahafi International, which over the years has gained a reputation as headquarters for foreign correspondents covering the violence that has ripped Somalia apart. In more recent times, however, few Western journalists have ventured into Mogadishu, where the official police and army are weak, heavily armed factions often rule the streets and kidnapping is a constant danger….<strong> </strong><strong><a href="http://tinyurl.com/nrvmmc">http://tinyurl.com/nrvmmc</a></strong></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[A SENSIBLE SECURITY POSTURE CAN SAVE YOUR LIFE]]></title>
<link>http://securitybeyondborders.org/2009/07/10/a-sensible-security-posture-can-save-your-life/</link>
<pubDate>Fri, 10 Jul 2009 01:44:27 +0000</pubDate>
<dc:creator>sbbcentcom</dc:creator>
<guid>http://securitybeyondborders.org/2009/07/10/a-sensible-security-posture-can-save-your-life/</guid>
<description><![CDATA[I feel deep sorrow when I hear of a life that could have been safe had they had the right informatio]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>I feel deep sorrow when I hear of a life that could have been saved had they had the right information at the right time. It can boil down to a life or death decision; practicing security awareness is that critical.  The unfortunate <a href="http://www.jamaicaobserver.com/tools/breakingnews/bnm.asp?bn=1930">death of a New Zealand tourist</a> in the moderately upscale Saint Andrew neighborhood in Kingston, Jamaica, highlights the point I’m trying to make.</p>
<p>By simply remaining calm, asking the armed robbers to remain calm and handing over what the criminals wanted, he could have walked away from the ordeal with his physical integrity intact.  Instead another life is lost, yet again over a mobile phone.  Think about it; as Bob Marley says in one of his songs, “<em>if you know what life is really worth&#8230;</em>” my advice to you is, <a href="http://securitybeyondborders.org/travel-security/">adopt a security posture</a>; learn how to prevent becoming a victim and how to act when you do become one.  Your life is precious and irreplaceable; physical objects are not.</p>
<p align="center"><a href="http://securitybeyondborders.org/travel-security/">http://securitybeyondborders.org/travel-security/</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Top Security Myths]]></title>
<link>http://scwoa.wordpress.com/2009/07/06/top-ten-security-myths/</link>
<pubDate>Mon, 06 Jul 2009 22:36:08 +0000</pubDate>
<dc:creator>scwoa</dc:creator>
<guid>http://scwoa.wordpress.com/2009/07/06/top-ten-security-myths/</guid>
<description><![CDATA[ My top security myths, or security excuses, call them what you want. I hear these all of the time f]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p> My top security myths, or security excuses, call them what you want.</p>
<p>I hear these all of the time from clients and everyone believes them. </p>
<ol>
<li>We have a firewall, therefore, we are secure.</li>
<li>It is only a test server, it does not need to be secured.</li>
<li>It&#8217;s on the internal network, it doesn&#8217;t need to be secured.</li>
<li>No one would break in like that.</li>
<li>Wireless signals do not leave the building.</li>
<li>If we apply updates, all of our servers and desktops will crash.</li>
<li>Virtual servers do not need antivirus.</li>
<li>Everyone else does security this way, why can&#8217;t we? (If all of your friends jumped off a bridge, would you jump off a bridge?)</li>
<li>You only need to audit our firewalls, you do not need to check the external web servers, those are secure.</li>
<li>If someone broke into our network, we would know about it.</li>
<li>Macs and Linux don&#8217;t have security problems, never get hacked and don&#8217;t need antivirus.</li>
<li>Firefox is more secure than Internet Explorer.</li>
<li>Microsoft CAN&#8217;T be secured.</li>
<li>A friend forwarded me an email, therefore it is true.</li>
<li>Our former employees would not attack our systems.  We trust them, even though we just fired them, we don&#8217;t need to change passwords.</li>
<li>No one would attack us, we are too small to have anything of value.</li>
</ol>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Security Awareness]]></title>
<link>http://securitybeyondborders.org/2009/07/03/security-awareness/</link>
<pubDate>Fri, 03 Jul 2009 23:23:04 +0000</pubDate>
<dc:creator>sbbcentcom</dc:creator>
<guid>http://securitybeyondborders.org/2009/07/03/security-awareness/</guid>
<description><![CDATA[Good security awareness commentary from blogger Kai Roer, European information security professional]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Good security awareness commentary from blogger Kai Roer, European information security professional:</p>
<p><em>What security pros do while waiting for the plane:</em></p>
<p>I am spending quality time at an airport again. The bar serves one of my favorite beers &#8211; Guinness. And as in all bars in an airport, there are plenty of other people who mend their thirst with alcohol. Like this bloke across my table. I know his name, The Company he is with, what he does there and similar info. He knows nothing about me. This is not uncommon, mind you. <strong>Getting people to talk is simply a matter of listening. Asking the right questions. Buying another beer</strong>. The same mechanisms you play when picking up someone on the town. So why do I care to write about it this time? This blue eyed man with light blond hair, a tendency of losing some of it on the top, and a face that could belong to a 25 and a 45 year old. Resting carelessly on the chair, his Dell XPS laptop on the table and his beer in his hand. Midlevel executive, perhaps big accounts sales guy. He is another security guy. And now I know his story. The story of his customers, what he did in this country, where his favorite office is and who they are currently combating in court. I must admit it is very tempting to spill his gut all over my blog, but I do not believe he would learn anything at all. <strong>So I will only ask you &#8211; that is you, not him &#8211; to remember that keeping your mouth shut comes with the job</strong>. <strong>Even when you drink a beer at a foreign airport. Who knows &#8211; perhaps I were paid by your employer to check how much you talk? Then you would know. What if I were a competitor? A customer? Someone who sees an opportunity? Awareness is not only for the others. Awareness is for us too. Right?</strong></p>
<p><em>Thanks Kai….</em></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Travel Security Tips]]></title>
<link>http://securitybeyondborders.org/2009/07/02/travel-security-tips/</link>
<pubDate>Thu, 02 Jul 2009 02:11:09 +0000</pubDate>
<dc:creator>sbbcentcom</dc:creator>
<guid>http://securitybeyondborders.org/2009/07/02/travel-security-tips/</guid>
<description><![CDATA[TRAVEL ADVICE If you need to travel to these hot spots, I would strongly suggest you skim through th]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p style="text-align:center;"><strong><span style="text-decoration:underline;"><span style="color:#ff0000;">TRAVEL ADVICE</span></span></strong></p>
<p>If you need to travel to these hot spots, I would strongly suggest you skim through the list and help yourself to some timely and actionable security information&#8230;. <strong><a href="http://tinyurl.com/m7kwch"><span style="color:#ff0000;">http://tinyurl.com/m7kwch</span></a></strong></p>
</div>]]></content:encoded>
</item>

</channel>
</rss>
