President Obama posted his agenda for protecting networks; see the first story. And the last item has another very interesting email about the security job market and prospects. And for the best and brightest pen testers (and others who might need to know how to build effective attack software) a new training program has received off-the-chart high ratings. It teaches how to write exploits that go far beyond what the automated pen testing tools can do. It is our first 700 level course, Security 709, Developing Exploits for Penetration Testers and Security Researchers. It was a huge hit in DC and London and will be given in Orlando in early March along with the two highest rated pen testing courses (http://www.sans.org/sans2009/).
Alan
************************************************************************* SANS NewsBites January 23, 2009 Volume: XI, Issue: 6 *************************************************************************
******************* Sponsored By Palo Alto Networks *********************
Reduce Cost and Complexity of PCI Compliance with Network Segmentation. Join Forrester Research for a live webinar that will show you how organizations are using network segmentation with strict user and application control policies to significantly reduce the cost and complexity of PCI compliance, and protect customer data. Don't miss this. Register now to attend. https://www.sans.org/info/37524
White House Posts Network Security Agenda (January 22, 2009)
In its recently posted Homeland Security Agenda, the Obama administration has outlined its six major information network protection goals: strengthen federal leadership on cyber security; initiate a safe computing R&D effort and harden our nation's cyber infrastructure; protect the IT infrastructure that keeps America's economy safe; prevent corporate cyber espionage; develop a cyber crime strategy to minimize the opportunities for criminal profit; and mandate standards for securing personal data and require companies to disclose personal information data breaches. Notable under the first item is that the administration plans to "establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber security policy." -http://www.whitehouse.gov/agenda/homeland_security/ -http://www.scmagazineus.com/President-Obamas-cybersecurity-plan-released/article/126252/ -http://voices.washingtonpost.com/securityfix/2009/01/obama_administration_outlines.html?wprss=securityfix -http://news.cnet.com/8301-1009_3-10148263-83.html?part=rss&subj=news&tag=2547-1009_3-0-20 [Editor's Note (Northcutt): The first link is worth reading. I think I will make a copy of this and see how we are doing in a year; those are some hefty goals. In the meantime, if we can just figure out how to disable AutoRun, that would be a start. I will say this: a national cyber advisor reporting to the President is a really good idea and should have been done long ago. (Paller) I noted especially the words in the agenda item: Protect the IT Infrastructure That Keeps America's Economy Safe. The president said he would "Work with the private sector to establish tough new standards for cyber security and physical resilience." Perhaps we are going to take security seriously - with the first step being to change federal IT procurement and grant language. ]
Millions Infected by Sophisticated Worm Conficker (January 21, 2009)
US Supreme Court Will Not Hear DoJ's COPA Appeal (January 21 & 22, 2009)
The US Supreme Court will not hear an appeal from the US Department of Justice to reinstate the Child Online Protection Act (COPA). The law has been criticized as overreaching and vague from the time it was introduced; COPA was signed into law in 1998 and was immediately enjoined by a federal judge in Philadelphia. It would have required private companies to ensure that any content they create or distribute that is deemed harmful to minors was not available to people under the age of 17 or face civil and criminal penalties. This was the third time the Supreme Court has been asked to determine COPA's constitutionality. -http://www.cnn.com/2009/TECH/01/21/supreme.court.reject/index.html?eref=rss_tech -http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126479&source=rss_topic17 -http://www.nytimes.com/2009/01/22/washington/22scotus.html?scp=1&sq=child%20online%20protection%20act&st=cse -http://www.washingtonpost.com/wp-dyn/content/article/2009/01/21/AR2009012101330.html?sub=AR -http://news.cnet.com/8301-13578_3-10147171-38.html
[Editor's Note (Ranum): It's funny to hear moralizing from Washington about Yahoo! and Google giving in to pressure from other countries, when the US' own Department of Justice is trying to enforce global bans on bare breasts and buttocks because of its own fundamentalist right-wing leadership. Laws like COPA had none of the desired "cooling effect" on the Internet, and cost the taxpayers tens of millions of dollars to defend and defeat. We need less government on the internet, not more. (Paller) Marcus may or may not be correct about COPA but I completely disagree with his idea that less government on the Internet is what we need. The only place where cybercrime can be actively fought in real time is "on the wire." Companies that provide those wires have spent a fortune on "government affairs employees" in Washington with special access to government officials who protected them from taking their rightful responsibility. I am hopeful that the pendulum is starting to swing toward more balance between the power of companies and the needs of the country. (Ranum Counterpoint) Calling for more government intervention makes sense if there is any indication that government intervention is likely to work and be cost-effective. Obviously, "past results do not predict future performance" but I don't think there's evidence that we'll get anything except more expensive boondoggles. The only way that cybercrime has, historically, been fought effectively is by individual organizations and private citizens defending their own interests. Blaming the companies that "provide the wires" for holding cybersecurity back is similar to the argument that the tobacco industry should bear 100% of the responsibility for people's choosing to smoke; the truth is somewhere in between. But, as with smoking, the best way to protect oneself is to defend one's own interests and not look to a government that has proven time and again that it is incompetent at cybersecurity. ]
Apple Issues Patches for QuickTime Vulnerabilities in Mac OS X and Windows (January 22, 2009)
Apple has released a pair of patches to address security flaws in the QuickTime media player for both Mac OS X and Windows. The first patch fixes seven remote code execution vulnerabilities in the way the player handles user input. The second patch addresses one flaw in the MPEG-2 component of QuickTime for Windows. All of the vulnerabilities addressed in the patches fall under the heading of improper input validation, one of the most pernicious of the recently released list of the 25 Most Dangerous Programming Errors. Internet Storm Center: -http://isc2.sans.org/diary.html?storyid=5725 -http://www.securityfocus.com/brief/890
"Invited Article: New Security Standards Adopted by Massachusetts"
By: Janine Hiller, Professor of Business Law, Virginia Tech. Massachusetts security regulations adopted in 2008 are so controversial that the deadline for compliance has already been extended, and comments about possible amendments will be heard January 16th, 2009. The requirements, intended to prevent identity theft, incorporate a good deal of the standard FTC security provisions: a comprehensive security program, identification of internal and external risks, employee security policies, and the like. Furthermore, the regulations list specific security actions that must be implemented. Several highly debated provisions include mandatory encryption of personal information of Massachusetts residents held in a laptop or portable device, contractually requiring third party service providers to comply with security protections, and a written certificate of compliance from those providers. The January 1, 2009 deadline was extended to May 1, 2009 for contractual compliance and general provisions of the regulation, and January 1, 2010 for encryption and certification. These seem to be the most specific and strongest security regulations to date. The importance of one state's specific security requirements for the protection of residents' personal information cannot be overemphasized; as the Data Breach Notification laws showed, one state's laws can affect other residents, and can spur action by other states. Standards are found here: -http://www.mass.gov/?pageID=ocaterminal&L=3&L0=Home&L1=Consumer&L2=Identity+Theft&sid=Eoca&b=terminalcontent&f=idtheft_201cmr17&csid=Eoca See the Massachusetts Office of Consumer Affairs and Business Regulation for further information.
Another Interesting Email on The Job Market
(used with permission)
*From:* Kevin Hemsley
*Sent:* Tuesday, January 20, 2009 7:05 PM
*Subject:* Re: FINANCIAL ASSISTANCE FOR DISPLACED SECURITY PROFESSIONALS
I too have found myself unemployed due to a recent layoff. I have been working very hard to bring my certifications current, and to obtain new certifications. In the process, I have been burning my reserve cash and find myself wishing for two more certifications with diminishing funds. I was very fortunate to be accepted in the SANS work study program and will be serving as the class facilitator in Las Vegas for the SANS® +S™ Training Program for the CISSP® Certification Exam. In addition to completing my CISSP, I very much desire to pursue the GCIH and GPEN certifications. I recently missed an employment opportunity because I didn't have these certifications that another candidate had. I was told that if I would have had the certifications, I would have been their number one pick. As it stood, I was number two out of 21 and number 1 got the job. The training that I am trying to find a way to get is:
SEC504: Hacker Techniques, Exploits & Incident Handling
SEC560: Network Penetration and Ethical Hacking
As you know, there is still a lot of demand for security professionals. However, there is also an increasing number of applicants for these positions. Competition is getting stronger, and experience and good certifications are key in today's world. I think what you are doing to help SANS alumni is very commendable. If you should have any available seats, I would be very grateful for the help.
Thank you,
Kevin Hemsley
********************************************************************** The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit http://portal.sans.org/
I have never seen such high quality training, distilled to a perfected message, and compressed into a timeframe that any organization should willingly commit employee time to taking as a risk reduction strategy. -- Jim Richards III