ASIS-HOUSTON CHAPTER MINUTES
2/16/06
The luncheon meeting was held at the Renaissance Hotel with Chairman John Brady presiding. 75 members and guests attended.
Pledge and Prayer: John Brady
COMMITTEE ACTIVITIES
Web: Mike Crocker CPP stated they were currently finalizing sponsorship funding. We have expanded the site content and are developing a FAQ page and new drop-down and navigation tools.
Certifications: Steven Bourg CPP announced the next review class will start on 2/28 at Conoco/Phillips. Because of security access requirements, you must register in advance and you must be a member of the local Chapter. They need 2-3 more instructors in certain disciplines. Please contact Steven if you would like to participate.
Golf: Darin Dillon CPP announced the tournament information and registration are now posted on our web site. The Annual Tournament will be held at the Longwood Golf Course in Cypress on May 15th. We are proud to announce WFI Enco Systems is our first Platinum Sponsor for this year’s event. We need prizes and participants!
Newsletter: Tom Hamilton CPP announced the next issue will be 16 pages, a 25% increase. However, advertising costs have remained the same. The committee has exceeded its funding goals and the newsletter is again fully funded, which will allow for another educational scholarship and carry over money for 2007.
Treasurer’s report: Distributed on each table.
Public Service Award:
Greg Walker, Esq, ARM, CPP has assumed the role of Liaison while Bill Hart is in Afghanistan. We honored Lt. Robert D. Cain, HPD, who was accompanied by Capt. David Williams.
In 1977 the Houston Police Department laid the foundation for establishing the Hostage Negotiation Team (HNT) to respond to hostage taking and barricaded suspect situations. Then Officer Robert Cain was selected for training, and as an original member, was involved in writing the first departmental policy. He continued as a volunteer hostage negotiator as he was promoted to the rank of Detective and later, Lieutenant. In continuing with his volunteer work, he assumed the role of volunteer coordinator and later, as the first full-time coordinator of the HNT.
Since that time, Lt. Cain has achieved many firsts that include lobbying for a legislative bill allowing law enforcement officers to take control of telephone lines during a hostage-taking or barricaded suspect situation. He also designed and acquired the first mobile command post specifically for HNT operations and received local, national and international attention. While other hostage negotiation teams throughout the country have continued to use the traditional methods and approaches, Lt. Cain has pioneered new and innovative methods in dealing with these highly volatile situations. Because of his initiative and dedication, the FBI, ATF, SWB, United Kingdom National Negotiators and numerous law enforcement agencies have sought him for lectures, training and assistance with experimental use of portable hostage phones. Lt. Cain has brought honor and recognition to himself, and by his work, put the spotlight on HPD for having dedicated leadership.
Speaker: Paul Williams, MCSE NSA IAM
President and CTO for Gray Hat Research Corporation
Topic: 7 steps to Enterprise Network Security
Gray Hat Research Corporation is a multi-disciplined company based in Houston. Their employees have all levels of security clearances to support training, research and development and managed services for any type of industry. They do not sell software or hardware. Please visit www.grayhatresearch.com.
The Titanic sank because of systemic attitudes developed years before its actual construction. These errors and failures were in policy, design and implementation, as well as human decision making. Just because things appear to be going right doesn’t mean they are! Major cyber attacks are equivalent to the Titanic; it takes years of multiple failures before the big attack. You must defend all three attack vectors at once against determined hackers. It may seem difficult, but it is achievable through cost-effective risk management strategies.
The first vector is an incomplete approach to mitigating attacks. Hackers don’t play fair. There is a 12-stage security framework that encompasses all three disciplines: physical, cyber and human.
The second vector is an all or nothing network security defense strategy which results in conflicting corporate versus security needs. They have different risk assessments because they have different functions; each talking a different “language”. You must divide the network, not by access control, but through physical separation with no password prompts and without adding equipment. The routing is changed.
The third vector is a poorly implemented network authentication process that has a hidden internal exposure to compromise. The failure is dependent on the reliability and integrity of insiders through a secure, logical network design. Corporations focus on protecting the network rather than protecting the data. For example: do you want to protect the bank vault or the money in the vault? An embedded SQL command in the password can defeat the vault. This can be solved using “honey token” defenses.
There also is frequent reliance on perimeter defenses with missing or inadequate “Plan B” strategy. Hackers circumvent firewall defenses; this requires database precautions such as a private internal IP, non-routable protocol and an encrypted tunnel to the DMZ. Don’t tie them through a common denominator, but employ “out of band” critical asset defenses. You may not be able to stop the hack-attack, but you can re-route where they go.
Another failure is ineffective end-user training. Using real world examples is the best form of training. Also security defenses tend to be based on regulatory requirements instead of genuine security practices.
Frequently used anti-spyware programs only have a 15% detection rate. Even if you used the three preferred programs (Pestpatrol, Adaware and Spy Sweeper) you would still only find 1 out of 5 trojans. It requires preventive actions, behavior modification and proper network architectural design to stop it. Hackers can intercept wireless signals up to 36 miles away; those “best practices” can still be broken. Gray Hat Research Corporation recommends an operations-based risk assessment: what is the easiest to hack to create the worst problem?
A cost effective defense strategy includes:
Mr. Williams was awarded a plaque in appreciation of his time and presentation.
For those who could allow extra time, Mr. Williams stayed after the meeting and described a real-world hacking attack on the banking industry.
The next meeting is Thursday March 16.