Three quick questions for CISOs and operations directors, penetration testers, and security architects:
1. Do you know how to find the hackers already inside your systems? More than 1,000 US, Canadian and UK organizations, including the entire defense industrial base and many government agencies, have been penetrated by sophisticated attackers. Many more have malicious software inside their systems. Some of the victims have not yet found the attackers, but in others, system administrators have noticed something out of the ordinary, and in tracking the anomalies, they found the infestations. A new course, pioneered at two US Department of Energy (DoE) nuclear energy laboratories, provides system administrators with the tactics, techniques, and procedures (TTPs), along with case studies, showing how to find the wily hackers and verify their presence. For the first time that course is being opened to people outside DoE.
Hacker Detection for System Administrators:
San Diego, May 14-15, http://www.sans.org/security-west-2010/description.php?tid=4337
Baltimore, June 13-14, http://www.sans.org/sansfire-2010/description.php?tid=4337
2. Are your pen testing techniques current with the newest threats? If they are not, your results are misleading your organization and your clients. The Pen Test Summit is the best place to make sure your techniques are current and state of the art. Baltimore, June 14-15, http://www.sans.org/pen-testing-summit-2010/
3. Do you know why most security architecture efforts fail to pay off? And do you hope to be a valuable security architect? The Security Architecture Summit, with Cisco, NSA, and SANS architects and other great speakers, is the only meeting in the world focused on making security architectures and architects successful. May 25-26, Las Vegas, http://www.sans.org/security-architecture-summit-2010/
*************************************************************************
SANS NewsBites April 16, 2010 Volume: XII, Issue: 30
*************************************************************************
**************** Sponsored By Entrust Technologies *********** Entrust Unified Communications Certificates provide greater flexibility to support powerful communications products like Microsoft Exchange Server 2007 and Microsoft Office Communications Server 2007, without sacrificing security controls. Up to 10 host names included, 128/256-bit SSL encryption, quick issuance and one to four year certificate lifetimes available. Now from only $387 per year. Learn more at http://www.sans.org/info/57998 *************************************************************************
TRAINING UPDATE -- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World http://www.sans.org/security-west-2010/
-- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report http://www.sans.org/sansfire-2010/
-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic techniques to Counter the Advanced Persistent Threat http://www.sans.org/rocky-mountain-2010/
The US Department of Homeland Security (DHS) is several weeks into the third phase of testing on Einstein 3, a network traffic monitoring program for government agencies. This current stage of testing involves technology developed by the National Security Agency (NSA) that might allow Einstein 3 to detect and pinpoint cyber threats. The test will help determine whether Einstein 3 makes it easier for agencies to share cyber security information, send out threat alerts to the agencies, and target and disarm threats before they cause damage. Einstein 2, which has fewer capabilities, is currently being deployed at agencies. The Einstein program has raised concern among privacy advocates, who say not enough is known about the scope of the program.
-http://techinsider.nextgov.com/2010/04/testing_of_einstein_3_underway_dhs.php
[Editor's Note (Pescatore): Network IPS use in private industry is pretty mature; very odd to see government agencies being forced to wait for government-developed technology to be tested. Even odder to see the strange deployment scenario for Einstein 3, which almost guarantees it will only be used for saying "look, that attack just got through to those agencies" vs. simply blocking well known attacks and moving on. ]
Report Says Attacks on Water and Power Computer Systems on the Rise (April 14, 2010)
According to data gathered by the Repository of Industrial Security Incidents (RISI), the computer systems used to monitor and control water, wastewater and utility plants have seen the number of cyber security incidents climb over the last five years. The 2009 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems says that incidents involving water and wastewater have increased 300 percent over that period, while incidents involving power and utilities have increased 30 percent. Incidents involving petroleum and petrochemical systems have fallen 80 percent. The data include information from process control, manufacturing and Supervisory Control and Data Acquisition (SCADA) systems. Twenty-five percent of the incidents were intentional system breaches, either by outsiders or insiders; the rest were evenly split between equipment failure and malware infections. Even if systems are not connected to the Internet, they can be vulnerable to Windows-based malware through USB drives and infected laptops, particularly because those systems do not usually get updated in a timely manner.
-http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?pgno=1&articleID=224400280
[Editor's Note (Paller): RISI offers interesting examples. But utilities DO NOT REPORT their breaches; they actively mislead people looking for data about breaches. Drawing conclusions of any kind from the RISI database is silly. The numbers are not representative of anything other than what the researchers found in public articles and what they learned because of access they were given through contractual relationships with individual companies or groups. ]
Zeus Exploiting PDF Flaw to Infect PCs (April 15, 2010)
Anti-Piracy Company Defends Aggressive Tactics (April 15, 2010)
DigiProtect, an anti-piracy company based in Germany, is defending its practice of mass mailings to alleged filesharers asking them to pay fines of approximately GBP 700 (US $1,080) or face legal proceedings. UK consumers have complained, and at least one Internet service provider (ISP) has spoken out against the company's actions. DigiProtect acknowledges that it gathers information through an automated process and that some people may be wrongly accused, but is unapologetic in its attempts to protect its clients' rights. The UK's BPI, while an ardent supporter of the recently passed Digital Economy Bill, has distanced itself from the methods used by DigiProtect, saying that legal action should be pursued only in egregious cases of piracy. -http://news.bbc.co.uk/2/hi/technology/8619407.stm
Bank of America ATM Malware Author Stole More Than US $300,000 (April 13, 2010)
Rodney Reed Caverly has pleaded guilty to one count of unauthorized computer access for installing malware on Bank of America (BofA) ATMs that allowed them to dispense cash without generating records of the transactions. Caverly stole more than US $300,000 from the bank through his scheme; more than half of the money has been recovered. More than 100 ATMs were infected with the malware. The thefts took place over a seven-month period ending in October 2009; BofA discovered the activity internally. Caverly faces up to five years in prison and a fine of US $250,000. -http://www.wired.com/threatlevel/2010/04/malware-targeted-100-atms
Not All Security Advice is Equal (April 11 & 15, 2010)
A new study says that frequent password changes do not increase security. Cormac Herley, principal researcher for Microsoft Research, said that "Most security advice simply offers a poor cost-benefit trade-off to users." Herley's rough calculation of the cost to employers of time spent by employees following the security advice they are normally given finds that the costs far outweigh the benefits. There is a glut of information about good security practices, but it has not yet been prioritized. Computer security experts lack the hard data that doctors and road-safety professionals have at their disposal to make their points about effective protective measures.
-http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=full
-http://www.pcmag.com/article2/0,2817,2362692,00.asp
-http://news.yahoo.com/s/ytech_wguy/20100413/tc_ytech_wguy/ytech_wguy_tc1590
[Editor's Note (Pescatore): Sarbanes Oxley audit nonsense has been one of the largest culprits behind reviving the "changing user passwords every three months is required" silliness. Since auditors can measure when passwords were changed, it becomes an audit item, not for any real security reason. Now, just saying pay for anti-virus and anti-spyware is top of the list is just as silly - using software that isn't constantly vulnerable to viruses and spyware is a much better strategy.
(Schultz): I'd hesitate to draw such a sweeping conclusion after the result of just one study concerning the lack of impact on security of frequent password changes. It appears that Herley is not aware of other empirical studies on the impact (or lack thereof) of other password settings. If he were, he could have made a much more powerful argument for his case. For example, Dr. Robert Proctor of Purdue University, Dr. Kim Vu of California State University-Long Beach and I have published the results of empirical studies concerning password policy settings. Some of our findings were that longer passwords were, under a number of conditions, no more difficult to crack than were shorter ones, something that attests to the power of today's password cracking tools, and that more difficult-to-generate passwords were not significantly more difficult-to-crack, either, although they were more difficult to remember. ]
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/