Johnson Controls' C●CURE 9000 and victor VMS platforms first to market
with new UL-2610 Certification

New certifications update commercial systems with cybersecurity readiness, cloud requirements

Johnson Controls has announced that its Tyco Software House C•CURE 9000 v2.8 and Tyco American Dynamics victor 5.4.1 are the first platforms to be officially certified as meeting new third-party security standards from UL (Underwriters Laboratories) for on-premise commercial security systems.

UL- 2610, which provides standards for Commercial Premises Security Alarm Units and Systems, updates the requirements for this technology to include cybersecurity provisions and cloud functionality. UL's Commercial Premises Security Alarm Units and Systems tests alarm products and systems against established criteria. This process assesses product software's vulnerabilities, weaknesses and reviews its exposure to exploitation. UL-2610 replaces UL-1076 and UL- 603 and will be mandatory by November 2021. johnsoncontrols.com
 

Talk About a Security Nightmare
As his senior security executive, how would you deal with this?

Bezo's Phone Hacked
Jeff Bezos hack: Amazon boss's phone 'hacked by Saudi crown prince'

● Investigation suggests Washington Post owner was targeted
   5 months before murder of Post Journalist Jamal Khashoggi

● Phone allegedly began leaking data shortly after being sent a video file
   from WhatsApp account linked to Prince Mohammed

● Their connection and feud goes back to Bezos' leaked penis selfies
   and the Washington Post columnist murder in Istanbul

The Amazon billionaire Jeff Bezos had his mobile phone "hacked" in 2018 after receiving a WhatsApp message that had apparently been sent from the personal account of the crown prince of Saudi Arabia, sources have told the Guardian.

Large amounts of data were exfiltrated from Bezos's phone within hours of the infected video file was sent from the account of the Saudi heir to Bezos, the owner of the Washington Post. The Guardian has no knowledge of what was taken from the phone or how it was used.

The extraordinary revelation that the future king of Saudi Arabia may have had a personal involvement in the targeting of the American founder of Amazon will send shockwaves from Wall Street to Silicon Valley.

A forensic audit of Mr. Bezos' phone by FTI Consulting, a business advisory group based in Washington, found with "medium to high confidence" that the device began leaking data shortly after being sent a video file from the WhatsApp account linked to Prince Mohammed, the person said, as part of an operation that siphoned information for months.




Bezos hack: UN to address alleged Saudi hacking of Amazon boss's phone
UN investigators are poised to release a statement about the alleged hacking of Jeff Bezos's mobile phone after the Guardian revealed details of a forensic analysis that has implicated a WhatsApp account purportedly owned by the crown prince of Saudi Arabia.

The astonishing disclosure prompted a Democratic lawmaker in the US to urgently demand more information about the malware that was allegedly used to infiltrate Bezos's phone in the 2018 hack of the Amazon founder. theguardian.com
 

2020 Security Industry Forecast: Prepare Yourself for AI, DIY, More M&A

Two dozen security industry observers explain why the future is bright for those embracing technology, service, business and competitive variables.

Electronic security industry practitioners are braced to boldly ride the momentum of recent times into not just a new year but decade as well. While there are challenges aplenty ranging from technology and competition overload to labor and training shortfalls - with everything from shifting business models to burgeoning markets in between - the ups figure to continue to outstrip the downs.

More than two dozen authorities and analysts from every corner of the security contributing perspective and analysis to the annual, comprehensive SSI Industry Forecast.

Gain mindshare as they open up on a new year set to serve as the gateway to a decade powered by artificial intelligence (AI), machine learning and analytics; cybersecurity; the Internet of things (IoT); Cloud-based solutions; managed services; smart homes, buildings and cities; 5G communications; gun and gunshot detection; and predictive anticrime and counterterrorism tools.

Fredrik Nilsson, V.P. of the Americas, Axis Communications

"As IoT continues to grow at an exponential pace, the sheer diversity of devices connected to the network dictates the need for more comprehensive, proactive cybersecurity. Manufacturers, integrators and users will need to collaborate more closely to ensure that new devices, patches and upgrades to one system don't introduce vulnerabilities in another.

Manufacturers will also need to provide tools to automate upgrades and patches as well as develop new procedures to ensure customers implement changes throughout their ecosystem in a timely manner. We'll likely see the emergence of a more layered approach to cybersecurity where each layer of hardware and software shields the layer below with additional security features."

Matt Fidler, V.P. Customer Experience, Guardian Protection

"More than ever, customers are knowledgeable about what they should expect from their security and smart home equipment. The ongoing growth of new self-serve providers and the proliferation of customer review websites have helped to create this change and it has had an accompanying negative impact on attrition.

The resulting challenge for us is that we must be able to deliver a quality experience at every point in the journey so that we can be better assured of lifelong customers. It presents an opportunity for us to better listen to our customers at every touchpoint. Proactive calling, actionable surveys, well-trained techs and memorable engagement in every channel from in-home interaction to social media responsiveness, will be the new status quo for keeping attrition under control."

See what other industry experts have to say here: securitysales.com
 

Loss Prevention's Opportunity to be Heard?

Attorney General William P. Barr Delivers Remarks at the Presidential Commission on Law Enforcement and the Administration of Justice Opening Ceremony

The Commission will comprehensively assess the most pressing issues confronting law enforcement today. It will seek to provide substantive and actionable answers to, among other questions, the following:

The Commission will principally conduct its study through hearings, panel presentations, field visits, and other public meetings. At these engagements, the Commission will receive valuable insights, counsel, and recommendations from a diverse range of voices: subject matter experts, public officials, private citizens, academia, community organizations, civil-liberties groups, civic leadership, bar associations, and victims' rights organizations.

The Commissioners are police chiefs from big cities and smaller ones, state prosecutors, county sheriffs, members of rural and tribal law enforcement, state public safety officials, federal agents, U.S. Attorneys, and a state attorney general. They have traveled from all over the country to participate in this historic moment. justice.gov

Editor's Note: Through the 30+ ORC Associations and ongoing community relationships the retail Loss Prevention community needs to be heard. Especially with respect to the increased ORC and aggression we're seeing in the stores coupled with the decriminalization efforts from the perspective of the decreasing prosecution rates and public stance a number of elected prosecutors have taken in San Francisco, Dallas, Chicago and Philadelphia - to merely name those that have been publicized.

But being that this is the first Presidential Commission appointed since President Johnson's Commission in 1965, it offers a unique opportunity to be heard at a time when the media is covering the ORC problem more so than ever before. And it might help ignite a federal initiative/law. Just a thought and certainly worth the possibility of appointing a retail committee whose objective is to address this group and share retail's story as the 'Silent Victim' of the opioid epidemic.  - Gus Downing
 

$14 Billion in Weather and Climate Disasters for US Last Year
In 2019, the U.S. experienced 14 weather and climate disasters with losses exceeding $1 billion each and totaling approximately $45 billion, according to the National Oceanic and Atmospheric Administration's annual U.S. climate assessment. 2019 was also the second-wettest year on record behind 1973.

According to NOAA, at least 44 people died and many more were injured during the course of these disasters that included:

● 1 wildfire event (affecting multiple areas in Alaska and California)
● 2 tropical cyclones (Dorian and Imelda)
● 3 inland floods (affecting the Missouri, Arkansas and Mississippi Rivers)
● 8 severe storms securitymagazine.com

U.K. police use of facial recognition tests public's tolerance
The real-time surveillance being tested in Britain is among the more aggressive uses of facial recognition in Western democracies and raises questions about how the technology will enter people's daily lives. Authorities and companies are eager to use it, but activists warn it threatens human rights.

The British have long become used to video surveillance, with one of the highest densities of CCTV cameras in the world. Cameras have been used in public spaces for decades by security forces fighting threats from the Irish Republican Army and, more recently, domestic terror attacks after Sept. 11, 2001.

"There has not been one single wrongful arrest as a result of the use of facial recognition by South Wales Police," Michael said. The force has been deploying the technology about twice a month at big events including rugby games, royal visits and yacht races; it scanned nearly 19,000 faces at a Spice Girls concert in May and identified 15 on a watchlist, including nine incorrectly. Six others were arrested. canadiansecuritymag.com

AI in the court: Are robot judges next?
As in many other industries, AI carries great promise but significant risk for the legal industry. But when it comes to certain court cases, the stakes couldn't be higher.

Even so, AI and automation are already playing a large part in the US legal system. At a conference in Portland, Oregon last week, hosted by the Legal Services Corporation, legal professionals from around the country gathered to collectively pause and consider how they're modernizing their systems -- and to what extent they should be using AI.

At the Superior Court of Los Angeles County in California -- the world's largest court -- Gina the Avatar helps residents handle their traffic citations. Gina knows five languages and helps more than 5,000 customers a month. Gina's not true AI -- she's programmed to work down predefined paths. Still, she's laid the groundwork for more sophisticated automation. zdnet.com

ReposiTrak Achieves SOC 1 and 2 Audit Recertification
ReposiTrak, Inc., the industry leader in solutions for stock replenishment, compliance, sourcing, food safety and risk management in the retail supply chain, announces the successfully completion of the Service Organization Control (SOC) 1 and 2 Type 2 annual audit recertifications, a verification standard defined by the Association of International Certified Professional Accountants. The move reinforces the company's commitment to security best practices. businesswire.com

SHRM Series Part 2
Workplace Drug Testing: What to Do When Employees Fail
You decided to screen workers for drug use because you want to maintain a safe and productive workplace. But what should you do when workers flunk the test? Should employees be fired, given another chance or referred to an employee assistance program? Employment attorneys say consistency is the key.

"Employers should have strong policies in place addressing whether or under what circumstances they will engage in dialogue with an employee or applicant who fails a drug test," said Jill Vorobiev, an attorney with Reed Smith in Chicago. Policies also should take into account any state laws that may apply to failed drug tests and whether the employer might need to make reasonable accommodations for workers with disabilities, she said.

Here are some steps employers should consider taking to ensure they respond consistently when employees don't pass a drug screen.

- Include a Medical Review Process
- Determine What Steps to Take
- Reasonable Accommodation
- Disciplinary Action

The number of workers who tested positive for drug use reached a 14-year high in 2018,
and marijuana topped the list of most commonly detected illegal substances,
according to drug-screening company Quest Diagnostics. shrm.org


This is the Time - January through March - When companies have to make tough decisions:

Lucky's Market closing 32 of its 39 stores, including 20 in FL - See the list

Fairway Market in the Big Apple Denies Chapter 7 Rumors

Southeastern Fast Food Chain Krystal (300 stores) Files Chapter 11

Travel and Hospitality Industries Create Larger ISAC Sharing Community

Two ISACs come together to strengthen overall consumer-facing industry

The Travel & Hospitality Information Sharing and Analysis Center (ISAC) and Retail & Hospitality ISAC (RH-ISAC) announce their agreement to strengthen the travel and hospitality industries by moving the Travel & Hospitality ISAC within the RH-ISAC.

The Travel & Hospitality ISAC, formed in 2018 by Hospitality Technology Next Generation (HTNG) at the request of a group of hospitality chief information security officers, is now part of the RH-ISAC community as of January 1, 2020.  

The announcement comes in response to increasing efforts to defend customers, staff, and assets against the constantly evolving threat landscape affecting the global travel and hospitality industries by strengthening collaboration and information sharing within one community.

RH-ISAC is the trusted cybersecurity community for retail, travel, and hospitality organizations. Working with cybersecurity teams, the RH-ISAC seeks to transform the way companies mature capabilities and collaborate to reduce the risk of cybercrime.

For more information, visit www.rhisac.org.

#NRF2020: How Target bolstered its security after retail's biggest breach

Collaborating to fight against cybercrime - The Perfect Case Study

Three chief information security officers (CISOs) took to the stage at NRF in New York on January 13 to discuss collaboration and the skills gap in retail cybersecurity.

Rich Agostino is the senior vice president and CISO at Target Corp, a retailer which, as he points out, "is mentioned in every single talk on cybersecurity in retail".

Agostino shared the measures taken by Target in wake of that fateful breach. "We hired hundreds of industry experts in retail, financial services, defence contractors from the government and more than doubled the size of the team. We brought all critical functions of cybersecurity in-house, reducing our reliance on contractors and outsourced services.

"We launched new capabilities like our cyber-fusion centre, where 24 hours a day, seven days a week we have Target team members looking at, monitoring and defending our company against threats."

In addition, Target built a strong engineering function and filed for more than 10 patents on security technology which the retailer's engineers have built over the years.

Target believes in appointing security advocates across the company. "The talent benefit is that you have a wider network of pseudo-cybersecurity folks," explained Agostino.

Collaborating to fight against cybercrime

"One of the most important things we've done though, is to prioritise the concept that security is a team sport. We are all stronger together and our customers are safer when we all work together to fight cybercrime." 

Agostino is not referring to his own team exclusively, but to CISOs and security teams from different retailers coming together to share best practice and advice. He discussed a coalition that Target, Best Buy and others have formed to work together and collaborate with intelligence sharing and talent pipeline development. essentialretail.com

Cloud Adoption & Technology Change Create Gaps in Enterprise Security
Many businesses that are transitioning to public cloud environments, microservices architectures, and 5G networks are creating new blind spots in the attack surface for criminals to leverage, according to a new report from Radware.

Twenty-two percent of surveyed security professionals didn't know if their organizations had been attacked recently, 27% of organizations that were attacked had no idea what their attackers might have been after, and nearly half (46%) were unable to tell if they had experienced an SSL-based distributed denial-of-service attack.

Unsurprisingly, many organizations are experiencing a very high volume of cyberattacks. Nearly one-third of those surveyed said their organizations experience attacks on either a daily or a weekly basis.

"The main takeaway is that as organizations make strategic transformations - in technology, environments, and processes - they inevitably create a lot of cracks and blind spots". darkreading.com

CaaS - The Anti-Service is Growing
Crime-as-a-Service offering extends its reach
A prolific phishing and data-stealing hacking campaign has expanded its operation with new attacks that target PayPal accounts - in addition to existing attacks against Apple, Amazon and other accounts.

Dubbed 16Shop, the phishing campaign has been active since November 2018 and typically targets potential victims via malicious links in malicious emails purporting to be from common online accounts. The campaign is sold 'as-a-service' to low level hackers on underground forums. zdnet.com

Microsoft discloses security breach of customer support database
Five servers storing customer support analytics were accidentally exposed online in Dec. 2019.

In a blog post today, the OS maker said that an internal customer support database that was storing anonymized user analytics was accidentally exposed online without proper protections between December 5 and December 31.

The leaky customer support database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations, Diachenko told ZDNet today. All five servers stored the same data, appearing to be mirrors of each other.

For these cases, Microsoft said it began notifying impacted customers today, although it also added that it "found no malicious use" of the data. Microsoft blamed the accidental server exposure on misconfigured Azure security rules it deployed on December 5, which it now fixed. zdnet.com

What Retail Can Build on and Get From Cloud in 2020

Increasingly Violent & Erratic Theft Activity in Canada
Retail Council of Canada (RCC) Hosting Special Theft & Safety Roundtable Jan. 31

RCC Sends Detailed Recommendations & Actionable Opportunities Letter
To Minister of Justice & Attorney General of Manitoba

Retail Council of Canada Meeting Follow-up

On behalf of the Retail Council of Canada, our Manitoba members and the 67,000 Manitobans working in our stores, I would like to express our sincere appreciation for the productive discussion on the crime challenges facing the retail sector across the province.

As our members expressed, retail employees are facing increasingly violent and erratic theft activity in their stores, in part due to the rise of Organized Retail Crime, meth issues and helped along by stories highlighting "observe only" security policies designed to safeguard retail workers.

Last year an estimated $200 million was shoplifted from Manitoba stores, a cost borne by Manitoba brick and mortar retailers and shoppers, and all of Manitobans through lost taxes. However, it's the human cost that is of paramount concern to our members, as our workforce rightfully expresses anxiety as they witness or hear about violent retail crime featuring guns, machetes, clubs, bear spray and a range of other dangerous weapons. Read Full Letter

RCC hosting theft and safety roundtable in January
Retail owners and their employees in Winnipeg have been facing increasingly violent and erratic theft activity in their stores. Last year, an estimated $200 million was shoplifted from Manitoba stores, which increases costs for both retailers and shoppers, and ultimately all Manitobans through lost taxes. Retail Council of Canada continues to work very diligently to address the theft and safety issues our Retailers are facing in Winnipeg today. With that goal, RCC is collaborating with key stakeholders in the province to find solutions to the rising theft, including leading a coalition of business associations hosting a Manitoba Retail Crime Round Table on January 31, 2020. retailcouncil.org