********************* Sponsored By Norwich University *******************
Norwich University's Master of Science in Information Assurance program allows information security professionals to integrate their technical competencies with business management skills. A comprehensive core curriculum and an individual case study project equip graduates with the skills to manage and lead an organization-wide information security program. http://www.sans.org/info/44748
Register now for the free webcast previewing the new SANS course "20 Critical Security Controls: Planning, Implementing and Auditing," by Alan Paller and Eric Cole, PhD. Live from SANSFIRE 2009, Monday, June 15, 2009. To register, visit https://www.sans.org/athome/details.php?nid=19609
1) SANS Vendor Demo Spotlight: Cisco Enterprise Policy Manager - XACML-based solution for administering, enforcing, and auditing entitlements to portals, applications, and databases. http://www.sans.org/info/44753
2) SANS Recommended Webcast Replay featuring Novell - Novell ZENworks Endpoint Security Management- A Technical Demonstration http://www.sans.org/info/44758
Aetna Named In Class Action Data Security Breach Lawsuit (June 9, 2009)
A class-action lawsuit filed in Pennsylvania District Court names Aetna as a defendant, alleging that the Hartford-based health insurance company "failed to maintain reasonable systems and procedures to protect (the plaintiffs' personal) information." Intruders allegedly gained access to Aetna's computer systems and compromised the Social Security numbers (SSNs) and other sensitive information of approximately 65,000 current and former employees and job applicants.
-http://www.hartfordbusiness.com/news9190.html
[Editor's Note (Pescatore): There is always a hope in security circles that threats such as class action lawsuits or "downstream liability" will cause a light bulb to go off in boards of directors' heads and they will say "Aha - information security is important, increase the budget, promote the CISO!!" In reality, when boards hear "liability" they tend to mostly make sure that the corporate Directors and Officers Liability insurance coverage is sufficient. The actual business damage of incidents is usually the bigger driver for action by boards of directors. ]
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Army Allows Access to Some Social Networking Sites (June 10, 2009)
A US Army document recently made public ordered Army network managers to allow soldiers access to several social media sites, including Facebook, Twitter and Flickr. The document, dated May 18, 2009, also allows soldiers access to web-based email. The order does not apply to all overseas bases or to bases operated by other branches of the US armed services. Certain sites, including MySpace, YouTube and Pandora, will continue to be blocked.
-http://www.wired.com/dangerroom/2009/06/army-orders-bases-stop-blocking-twitter-facebook-flickr/
[Editor's Note (Pescatore): Access to social network sites has been overly demonized. The majority of security issues are the same as any other web site access. There is certainly malware being planted at those sites - just like at other websites we allow users to go to. There is definitely a data leakage issue as far as what users might post at social network sites - just as the same problem exists when they post at other web sites. The big differences come in when the business or mission side wants to have an official presence on the social network site. A lot of the reflex-action block of access has been due to a feeling that they are time wasters, not needed for business - like most felt about Internet access in general not all that long ago.
(Northcutt): I know when my son was deployed to Iraq and posted an update on Facebook, it meant a lot to Kathy and me. Granted there is an OPSEC risk and soldiers must be briefed on what they can and should not say at least yearly, but near instant communication is a valuable thing. I just blogged two more interesting articles of unique uses of Twitter, jump straight to the last two paragraphs for the meat:
-https://blogs.sans.org/security-leadership/2009/06/11/business-and-social-media/
(Skoudis): The balance between the security risks and information leakage possibilities of these sites versus the morale-improving effects of giving such access is a tough one to get right. I do hope that the process of granting access to some bases is combined with security awareness campaigns for social networking sites in those same bases, as well as some pretty careful filtering and monitoring for malicious activity.
(Weatherford): The Navy and Air Force have made similar policy changes. My prediction is that in two years we won't even be having the discussion about whether social media in the workplace is acceptable or not...the train has already left the station. Are there security concerns? Of course, but we as security professionals need to address them up front and not pretend the social media movement is some kind of fad. It's not, so unless we want to find ourselves shuffled to the side of the road and marginalized, we need to avoid the hand-wringing that undermines our credibility and become solution providers. The social media train ain't stoppin'.]
Security Issues at Dulles Still Need Attention, Says DHS IG Report (June 10, 2009)
According to a report from the US Department of Homeland Security (DHS) Office of Inspector General, US Customs and Border Protection (CBP) and the Transportation Security Administration (TSA) at Dulles International Airport still need to address certain security concerns that could compromise the "confidentiality, integrity, and availability of the automated systems used to perform their mission critical activities." Both CBP and TSA have made "significant progress in improving technical security for information technology assets at Dulles;" however, the report recommends that both organizations take steps to improve "their operational controls over the physical security of their information technology (as well as their) technical controls." Some servers in use appear not to be running the most current release of operating system software.
-http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_09-66_May09.pdf
-http://fcw.com/Articles/2009/06/10/Dulles-IT-security-needs-work-IG-says.aspx
[Editor's Note (Pescatore): The physical security discrepancies seem to be the highest level issues here given the real threat. ]
Survey Shows Losing Internet Connection is Strong Motivation to Stop Piracy (June 10 & 11, 2009)
Just 33 percent of people who receive warning letters would stop downloading content in violation of copyright law, according to the results of a survey from media law firm Wiggin. However, 80 percent of the respondents said they would stop pirating digital content if they thought their Internet connections would be cut off. The UK's Strategic Advisory Board for Intellectual Property estimates that seven million Internet users in the UK use filesharing networks once a week to pirate content. The UK government is expected to publish a report next week that will include "recommendations that ISPs investigate 'technical solutions' to piracy, which could involve slowing down connection speeds." The survey also found that people would be willing to pay more for various levels of content services through their ISPs.
-http://www.macworld.co.uk/news/index.cfm?newsid=26261
-http://news.bbc.co.uk/2/hi/technology/8091107.stm
[Editor's Comment (Northcutt): No joke, evidence is starting to become available that suggests the Internet has more of an attraction than television, especially for younger people:
-https://blogs.sans.org/security-leadership/2009/06/03/im-sane-yaayyyyy/
(Pescatore): Of course, if the question had been phrased "would you still download music if it meant having to change ISPs?" the survey response might have been different... ]
UPDATES AND PATCHES
Microsoft Malicious Software Removal Tool Now Detects Certain Scareware (June 9, 2009)
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
I've been managing multi-million dollar projects for years but always felt muddled as to the formal activities required. Halfway through the SANS PM course, things are becoming clear at last. -Matt Harvey, US DOJ