INTERNATIONAL FOUNDATION FOR CULTURAL PROPERTY PROTECTION
News
Reposted from Security Intelligence
Inherent to any conversation about cyber awareness training is the reality that organizations need to change their cultures, which can’t happen without strong leadership. As we’ve seen with mobile security strategies, though, business efficiency and productivity too often trump security.
The very idea that organizations need to change their corporate cultures to truly make security awareness part of their profit and loss statements might be too Pollyanna for some. The goal might be lofty, but it doesn’t have to be, and the change doesn’t need to happen overnight. After all, it’s better to take smaller steps toward slow change than to do nothing and fall victim to cyberthreats.
Promoting Cyber Awareness From the Top Down
When security awareness and training mandates don’t come from the top, there is very little potential for change. Creating a cyber-aware culture also demands a shift in the way organizations treat security. The role of the chief information security officer (CISO) is evolving, and while some are making headway toward becoming influencers at the top level, many CISOs don’t feel respected within their organization. Cybersecurity is still largely seen as part of IT rather than a profession in itself.
All the while, phishing remains a popular method of gaining initial access among cybercriminals, and 49 percent of companies that have already suffered a significant attack are targeted again within a year. Enterprises can no longer kick the can down the road and accept “good enough” as a viable solution to mitigating the risks of human error.
Many organizations understand the risks associated with the human factor but lack the time, staff or other resources to fully understand what a cyber-aware workforce means to the organization. But when it comes to creating a culture of security awareness, there are no stupid questions.
Here’s one to ponder: Why do 65 percent of CISOs spend sleepless nights worrying about phishing scams, and why do 61 percent fear disruption to processes caused by malware? It’s likely because they know that human beings represent the weakest link in their security chains.
Another question to consider: Would CISOs worry less if they felt confident that their organizations were cyber aware? Building a culture of security is not a Pollyanna dream — especially if it is supported from the top down.
Let’s face it: Any human being within any organization could fall victim to a scam. If you think you are exempt from that because you are the CEO, I’d advise you to leave your ego at the door. Phishing scams don’t discriminate, and the security of your organization is not about you or how clever you are — it’s about risk.
That’s why building a cyber-aware culture begins with risk management. According to Reg Harnish, CEO of GrayCastle Security, “A successful cybersecurity culture cannot exist without first identifying your organization’s risk tolerance.” Once you understand which systems need protection, you can make informed decisions about how to secure enterprise data and set expectations about employee behavior.
Do’s and Don’ts for Changing Corporate Culture
Changing a corporate culture is not the same as security awareness training. Awareness training is a critical part of creating a cyber-aware culture, but it is only one piece of the fiber that defines an organization. Culture is more broadly defined by its social norms. Security leaders should keep the following do’s and don’ts in mind when endeavoring to change employee behavior.
Do Expect Mistakes
Because employees are a critical line of defense when it comes to protecting against cyberattacks, it’s important to value them as much as you do any other security tool. Recognizing that no defense is foolproof, security leaders should also prepare for the inevitability of human error, regardless of how well employees are trained.
Don’t Punish Errors
When users are blamed for, reprimanded or even fired for their mistakes, they are far less likely to report incidents when they occur. Why on earth would you approach the security team to confess that you accidentally clicked a malicious link when you could be fired? You wouldn’t.
Do Build Morale
A more effective approach is to make employees feel like partners so that they know where threats are coming from and can work collaboratively to help each other avoid security incidents.
Do Not Rely on Annual Training
The standards of teaching and learning that apply in the classroom don’t change when adults become part of the workforce. If the goal is to educate, the training needs to be multifaceted, ongoing and consistent. Use alternative assessments to determine the effectiveness of the training programs you are using. If you don’t see progress, try something new.
Do Set Achievable, Companywide Security Goals
The key is to start small. A measurable goal might be to reduce the number of employees who click on a malicious link during a simulated phishing attack. When setting goals, ensure that they can be tied back to the employees. Connect the security of the organization to their own personal privacy. To convince employees to change their behaviors, security leaders must first help them understand how their actions impact the security of the organization.
A Culture of Cyber Awareness Is Attainable
When security leaders set reasonable, incremental goals and demonstrate a willingness to try new training methods when traditional approaches fail to yield results, creating a culture of cyber awareness doesn’t have to be a pipe dream. In fact, it’s an absolute necessity given the volatility and increasing sophistication of the threat landscape. Cybercriminals are masters of manipulating human nature to convince employees to do their nefarious bidding. It’s time for security leaders to better understand the human element of cybersecurity and use these insights to protect their employees and enterprise data.
Reposted from The Washington Post
Italy’s art police say they’ve recovered three paintings stolen in recent months from three small Bologna-area museums after identifying the thief from surveillance videos.
The most well-known piece was a 1363 portrait of St. Ambrose attributed to Giusto de’ Menabuoi that was stolen in March from the National Pinacoteca of Bologna while it was open to the public.
In a statement Friday, the carabinieri art squad said investigators were able to zero in on the thief using surveillance videos from the museums, and tracked him down when he acted “suspiciously” near another Bologna museum.
They then searched his apartment and found the looted works.
Reposted from Money Magazine
Another day, another online security scandal — it now just seems like a natural part of life in 2018. But this time, you really need to take immediate action.
Twitter’s chief technology officer, Parag Agrawal, revealed in a Thursday blog post that a bug in its system caused people’s passwords to be kept unmasked in an internal log. And though the social media company swears it has “no reason to believe password information ever left Twitter’s systems or was misused by anyone,” it’s recommending that all 336 million users change their passwords immediately.
But here’s the kicker: Twitter isn’t just saying you should update your password on Twitter. It’s suggesting you also change your password on all sites where you used your Twitter password.
As soon as possible, you should go to Twitter.com and mouse over to your avatar in the upper right-hand corner. Click it, navigate to “Settings and privacy” on the drop-down menu, and click “Password” on the left. Then change your information. Make sure you pick a good password — one that’s hard to guess, longer than eight characters, relatively random, has upper and lowercase letters, and contains numbers and symbols, according to USA Today.
Now, repeat this process on the other sites where you used your old Twitter password. This should be obvious, but don’t reuse the new password you just created — invent a new one entirely, or at least throw in a variation.
If you want to take your security to the next level — and you probably should — you may want to look into enabling two-factor authentication for your sensitive accounts. Also called two-step authentication, it is what it sounds like: A system that uses multiple methods, like texting you a log-in code, to confirm your identity before allowing you access to your account.
Perhaps the best way to protect your info, though, is to start relying on a password manager. It’s a type of software that generates ultra-secure passwords and keeps track of them for you in one safe place. The Verge says the best brands are LastPass, Dashlane and 1Password, all of which you can try for free. Once you find one you like, you can upgrade to a paid subscription. Those will run you less than $5 a month, which is a small price to pay for privacy.
Then all you have to do is make sure your password manager password is really good. Ah, the circle of (modern) life.
Reposted from Ahram Online
Egyptian Minister of Antiquities Khaled El-Enany escorted members of the media on a tour of the Grand Egyptian Museum (GEM) in Giza to show that the fire that broke out at the museum last week did little damage to the museum.
The visit included a tour of the museum buildings as well as the display of the King Ramses II colossus and artefacts at the GEM’s conservation centre.
Last Sunday, a minor fire broke out on the wooden scaffolding on the museum’s rear façade.
No one was harmed and no artefacts were damaged in the fire.
One hour after the fire broke out, the museum’s fire station, with aid from Civilian Security fire trucks, succeeded in extinguishing the flames, Mostafa Waziri Secretary General of the Supreme Council of Antiquities said at the time.
An investigation has been launched to determine the cause of the blaze. The GEM is currently under construction, with scaffolding positioned outside several buildings.
The museum is being built to house antiquities from ancient Egypt, including many items currently held at the Egyptian Museum in Cairo's Tahrir Square. A partial opening is planned for later this year.
Reposted from Somersetlive
The Museum of East Asian Art's 25th anniversary celebrations are back on track after 'priceless' artefacts were stolen by masked thieves. The Bath museum was shut for more than two weeks after the break-in and is now due to reopen on Thursday (May 3).
Police have yet to make an arrest in connection with the heist, which saw 'beautiful pieces with historical and cultural value' stolen. The crime, believed to have been planned, was even more devastating due to it coinciding with the Bennett Street museum's quarter centenary.
However, celebrations can now go ahead with the opening of A Quest for Wellness, the first UK exhibition by the artist Zhang Yanzi of Hong Kong-based Galerie Ora-Ora, at the museum in Bennett Street.
Wellness as a theme will tie in with Bath's origins as a Roman spa town, organisers said: "In this exhibition, the artist explores common frailties and shared humanity, investigating the nature and meaning of wellness in China: its history, and its modern counterpoints from a Chinese perspective."
Works on display will include:
Reposted from the New York Times
The line of people snaked around the blue tablecloth, as government officials and archaeology scholars paused to admire the ancient clay tablets and seals lined in rows.
Here, in the backyard of the Iraqi ambassador’s home on Wednesday, was closure for these artifacts: a ceremonial transfer back to Iraq, where they had been looted from archaeological sites. Their coming return there will complete a long, circuitous voyage through Israel and the United Arab Emirates to Hobby Lobby, the arts and crafts chain, and eventually into the hands of the United States government.
The samples carefully lined on the table were just a small fraction of the thousands of smuggled artifacts that Immigration and Customs Enforcement formally returned on Wednesday.
“To have them in my residence is to underline that they’re coming home,” said Fareed Yasseen, the Iraqi ambassador to the United States, speaking after he and Thomas D. Homan, the acting director of ICE, signed the ceremonial transfer. “We really have a sense of kinship to these artifacts.”
The artifacts, which are from the second and third millennium B.C., will eventually be taken to the National Museum of Iraq in Baghdad to be studied and displayed. Several tablets are from the ancient city of Irisagrig and date to between 2100 and 1600 B.C.
Hobby Lobby, which is owned by evangelical Christians known for their interest in the biblical Middle East, originally bought the collection from an unnamed dealer for $1.6 million in December 2010. The purchase, prosecutors later said, was completed despite being “fraught with red flags,” including warnings from an expert on cultural property law hired by the company that the artifacts were possibly taken from archaeological sites in Iraq.
“Stealing a nation’s cultural property and antiquities is one of the oldest forms of organized transnational crime,” said Mr. Homan, who will soon retire from the agency. He said more than 1,200 items had been returned to Iraq since 2008.
The collection included cuneiform tablets, ancient clay tablets that probably served as administrative and legal documentation in ancient Mesopotamia, and clay bullae, seal impressions about the size of a coin that served as signatures and proof that an item had not been tampered with. More than a dozen packages were shipped from Israel and the United Arab Emirates in early 2011 under the guise of tile samples to Hobby Lobby and two corporate affiliates. Customs and Border Protection intercepted a few of them.
In July, the federal government brought a civil complaint against Hobby Lobby, which agreed to forfeit the items. The company also agreed to a $3 million fine, to hire qualified outside customs counsel and to submit quarterly reports on any cultural property acquisitions for 18 months.
“These artifacts are part of Iraq’s illustrious heritage and history,” said Richard P. Donoghue, the United States attorney for the Eastern District of New York, “and we’re proud of our role in removing them from the black market in antiquities and returning them to their rightful owners.”
Hobby Lobby is known for its efforts to cultivate evangelical Christianity, including its owners’ heavy financial investment in the Museum of the Bible, which opened in Washington late last year. In 2014, it was involved in the landmark Supreme Court case that found that family-owned corporations could claim religious exemptions to the Affordable Care Act’s mandate to pay for contraception coverage.
Hobby Lobby did not respond to requests for comment about the return of the artifacts. But at the time of the forfeiture in July, Steve Green, the company’s president, said the company was “new to the world of acquiring these items, and did not fully appreciate the complexities of the acquisitions process.”
Many of the officials mingling in the ambassador’s backyard with glasses of apple cider and hors d’oeuvres had been involved in the seizure and the return of the artifacts. Others were archaeologists and Middle East scholars who had come forward in support of the items’ return, collectively admiring the condition and the intricacy of the designs on the seals. They pointed to favorites: the seal with the dancing animals, the etching of what appeared to be a god or a king on a throne.
“Stunning,” one woman whispered, her hands clasped over her chest as she leaned over to get a closer look at the clay cylinders resting in indigo velvet. An archaeologist reached out to carefully straighten one small tablet in line with the others.
“This is a piece of you,” said Safaa Yaseen, the third secretary for the embassy, who helped unpack the artifacts in the ambassador’s residence. “It’s an indescribable feeling.”
The demand for stolen antiquities “always seems to be there,” said Katharyn Hanson, the executive director of the Academic Research Institute in Iraq. “It’s really nice to have these moments.”
Reposted from the Art Newspaper
A museum in southern France has handed more than half the works in its collection over to police investigators after experts said they are fakes. The Musée Terrus in the village of Elne, near Perpignan, which is dedicated to the local painter Étienne Terrus, who was friends with Henri Matisse and the sculptor Aristide Maillol, reopened after renovation on 27 April. But around 80 of the 140 works owned by the municipal museum are now believed to be falsely attributed to Terrus or outright forgeries, the mayor of Elne, Yves Barniol, revealed at the opening. The discovery represents “a catastrophe for the municipality”, he told local press.
An art historian charged with revamping the displays to incorporate the museum’s recent acquisitions, Eric Forcada, raised the alarm last August after examining photographs of the works. The local authorities sought a second opinion from a committee of experts, who judged that 82 works acquired over a 20-year period—a mixture of gifts from the museum’s friends associations and a private collector and purchases by the administration—are fake. The specialists noted glaring inconsistencies, such as views of buildings that did not exist before Terrus’s death in 1922 and supports that the artist did not use. The damages are estimated at €160,000.
Elne town council filed an official complaint for forgery, fraud and possession of stolen goods against “X”—persons unknown—in early April. Perpignan police have seized the works in question and opened an investigation into their provenance. “We will not give up,” the mayor said, pledging to uncover all the documents that “will allow us to trace the forgers”. Denouncing regional art dealers and auction houses as “corrupt”, Forcada told L’Indépendant newspaper that the case “will, at least, raise a greater awareness to protect the work of [local] artists”.
Scotland Yard is working with the British Museum and the governments of Egypt and Sudan to tackle the looting of pharaonic antiquities. The plan is to create a publicly available database of 80,000 objects that have been identified as having passed through the trade or have been in private collections since 1970, the year of the Unesco convention on cultural property. The scheme is being funded with a £1m grant from the British government’s Cultural Protection Fund, administered by the British Council.
Although the presence of antiquities on the database will not mean that they are either clean or tainted, it will assist enforcement officers and police in tracking down provenance. The database will also include some objects that are known to have gone missing from Egypt or Sudan but still remain untraced. However, the fuller records of losses held by the antiquities authorities in Egypt and Sudan are treated as confidential; the two governments only release details selectively.
The project is being overseen by Neal Spencer, the British Museum’s keeper of Ancient Egypt and Sudan, who has seen “a serious increase in the illicit trade in pharaonic antiquities in recent years”. He says the new database should “help flag up objects where there are issues”. It will also be possible to identify suspicious patterns: “One might notice an increase in funerary material of the 25th dynasty from a particular site, and enforcement agencies would be very interested in that.”
While Scotland Yard—the headquarters of London’s Metropolitan Police—is not directly involved in creating the database, it is giving advice and is one of the three key partners, along with Egypt’s ministry of antiquities and Sudan’s National Corporation for Antiquities and Museums.
At present, the available documentation is widely dispersed and not readily accessible or searchable. Many of the most important objects have passed through auction houses but their catalogues are only available online from the late 1990s. No libraries in Cairo or Khartoum have comprehensive collections of earlier paper catalogues. The major auctioneers—Sotheby’s, Christie’s and Bonhams—have agreed to provide data for the initiative. Antiquities dealers are also being approached to supply catalogues and possibly unpublished inventory material. Exhibition catalogues recording objects in private hands will be used as well.
The first tranche of data is due to go online at the end of this year, with the remainder expected to follow in 2019. Very minor objects, such as a single scarab or bead, will not be included. Eventually it is hoped to expand the database to include pre-1970 information.
Marcel Marée, the British Museum curator running the project, stresses that they “will not be proactively chasing criminals, which is the role of law enforcement agencies, but we will make the market more transparent”.
The scheme will also help train Egyptian and Sudanese antiquities staff to deal with the international market and track down illicitly exported items. A dozen trainees are due to come to the British Museum, with the first group arriving in July. If the project proves a success, it could be used as a model for other parts of the world suffering from looting.
The “circulating artifacts” database, as it is known, will be searchable on the web without charge. Although its primary purpose is to help law enforcement, it should also prove to be an invaluable resource for scholars.
Reposted from CIO Dive
Users resist change.
Despite increasing requirements for more complex and secure passwords, "123456," "password," "letmein" and "trustno1" continue to take home the trophies for most-used passwords year after year.
Even with clever tactics, such as replacing an "o" with "0" or a "s" with a "$," security practices need a makeover for users to avoid having one of the billions of passwords that will be compromised this year.
Since password hygiene can always use improvement, take a leaf or two from the books of seven security pros:
Schrader has been in the privacy and cybersecurity space for more than two decades and sticks to a password manager, VPN and passphrases to make the process easier and more secure.
Passphrases, such as "Mary had a little lamb," can make passwords easy to remember across accounts and add length, though Schrader said he does not actually use nursery rhymes as a pass phrase.
In most cases hackers are going for the easily compromised targets, so "you don't have to outrun the bear, you just have to outrun the other guy," he said. Putting loads of sensitive information on Facebook, such as a favorite ice cream flavor, school mascot or first car, can all make you an easy target.
"I would love to tell you that I am always well behaved," Dennedy said. But mantras can help with password management: Keep your passwords "exotic, keep them to yourself — do not share — and change them from time to time."
Requiring changes too frequently adds complexity, which stops people from introducing more secure passwords.
"There are ways of doing memorable, good password management," Dennedy said. "It's not the end all be all, but it's what we got right now, so have good ones."
When it comes to the internet, you can't trust anything, and Babel makes sure he uses a different password for every single site, though there is a method to the madness.
Babel uses a password management tool, but for times when it's not working or not available on a device he uses a personal nomenclature that combines a "crazy, complex thing" standard across sites with something unique to each site based on a mental algorithm.
"I'm a password nerd," said Babel. "I was a security guy for 11 years."
Former CISO of The Home Depot and Time Warner Cable, Moskites has had an extensive career in security, starting out in the actuarial trenches and moving up through the security organization.
For her passwords, Moskites uses a "weird algorithm," which uses multiple languages. "Each word is a different language, even though half the time I don't know what it says and I have to go to Google to figure out what those words are," Moskites said.
But the days of the passwords are going to change, said Moskites. "Eventually down the road it will go into a persona, where [a system] will learn a little bit more about me specifically and my habits and be able to identify me that way."
To maintain consistency across platforms, Jones relies on a password manager set to 15-character, alphanumeric passwords with plenty of special characters. The password manager can autogenerate a new one for each site, though problems can arise for users of such tools if they don't have mobile app integration.
But no matter the amount of security that is injected, even the most savvy professionals can still be vulnerable.
"If you're doing something on the fly really quick, even for me it's really hard to not fall back to a standard password just as a short-term fix to log in to create the account," said Jones. Avoiding doing this altogether is the best case scenario, but if not, at least remembering to go back and change the password to something more secure is vital.
Bacchus admits that for some sites of low importance without significant PII, shorter, easier passwords can be fine. The problem arises, however, when users carry these practices to other platforms.
Email is the "keys to the kingdom" — the platform used to reset passwords for every other account, so Bacchus makes sure to keep his locked down with a long password and two-factor authentication.
After switching from a career in government to the private sector, Menna has advised customers and clients to not use the same passwords across multiple systems in case one is compromised, which is considered a best practice in cybersecurity.
While the industry is hoping to move beyond passwords — "because they're inherently a pain in the butt and insecure" — users simply have to employ complex, unique passwords.
Password hygiene is all about "doing your best because so many people aren't," Menna said. Malicious actors are "going to go after the easiest target because there are so many easy targets, whether it's a company or individuals, unless you are particularly juicy."
1305 Krameria, Unit H-129, Denver, CO 80220 Local: 303.322.9667 Copyright © 1999 International Foundation for Cultural Property Protection. All Rights Reserved