- SANS Security West 2011, San Diego, CA, May 3-12, 2011. 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation. http://www.sans.org/security-west-2011/
- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011. 8 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; and State of the Hack: Stuxnet. http://www.sans.org/cyber-guardian-2011/
- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011. 7 courses. Bonus evening presentations include SANS Hacklab; and Why End Users are Your Weakest Link. http://www.sans.org/rocky-mountain-2011/
- SANSFIRE 2011, Washington, DC, July 15-24, 2011. 40 courses. Bonus evening presentations include Ninja Developers: Penetration Testing and Your SDLC; and Are Your Tools Ready for IPv6? http://www.sans.org/sansfire-2011/
- SANS Boston 2011, Boston, MA, August 8-15, 2011. 12 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls. http://www.sans.org/boston-2011/
- SANS Virginia Beach 2011, Virginia Beach, VA, August 22 - September 2, 2011. 11 courses. Bonus evening presentations include SANS Hacklab; and It's Time to Rethink Everything: A Governance, Risk & Compliance Primer. http://www.sans.org/virginia-beach-2011/
The US Federal Trade Commission (FTC) said that two companies have settled charges the Commission brought against them for failing to implement adequate security controls to protect sensitive information. Ceridian, a payroll services provider, and Lookout Services, which provides immigration services software, both falsely claimed to offer adequate protection. Both companies experienced breaches that exposed sensitive personal information of consumers. The settlement agreements call for the companies to obtain third-party security audits every two years for the next 20 years. -http://www.informationweek.com/news/security/attacks/229402828 [Editor's Note (Schultz): Having to undergo a security audit every two years borders on being a joke. Having to instead submit snapshots of information (such as syslog output from critical servers) that reveal the security state of these companies every month, something that is more in accordance with the relatively new continuous monitoring initiative within the U.S. government, would be far better. ]
FBI Responds to Audit Report Critical of its Cyber Security Expertise (May 3, 2011)
Steven Chabinsky, who is the deputy assistant director of the FBI's cyber division, disputes conclusions drawn in a recently released audit report that the FBI lacks sufficient cyber security investigation skills. Chabinsky says that the information gathered is out of date, as the audit in question began in 2008. The FBI's approach to cyber crime has changed within the last two years with the addition of a new training program that incorporates real-world experience. The FBI's cyber unit and the National Cyber Investigative Joint Task Force (NCIJTF), which is led by the FBI and which coordinates intelligence and investigations across 18 agencies, have both received praise for the results of their efforts. -http://www.informationweek.com/news/security/government/229402636 [Editor's Comment (Northcutt): What I would like to see is an audit of the Office of the Inspector General to determine how qualified they are to assess a government agency's cyber capabilities! No agency has a more well-trained cyber-law enforcement team than the FBI? None! The FBI has been taking cyber workforce development very seriously for years, starting even before the military. ]
DEVELOPMENTS IN SONY BREACH
SOE Intrusion Discovered During PSN Breach Investigation (May 5, 2011)
Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford is Chief Security Officer of the North American Electric Reliability Corporation (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/