Update: A short and powerful new document was released yesterday by the Defence Signals Directorate of the Australian Department of Defence (DSD). DSD is responsible for the security of military and civilian agencies in Australia. The new document condenses the findings from DSD investigations of all known targeted cyber attacks against Australian government systems (civilian and defence) into an updated list of 35 mitigations that are the best hope for stopping or mitigating the targeted attacks that are decimating government and industry around the world. Four of the mitigations are set apart as the ones that must be done first. The most important use of this document is as an audit targeting system, so that government inspectors general, private auditors, and CISOs can benchmark their organizations' effectiveness in implementing the first four this year and the rest of them as soon as the first four are fully and effectively in place. The DSD 35 is a perfect match to the 20 Critical Controls (CAG) developed by DHS and NSA and the Department of Energy and SANS and others in the US, but the new document adds a critically valuable level
You will find it at http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
Alan
*************************************************************************
SANS NewsBites    July 22, 2011    Volume: XIII, Issue: 58
*************************************************************************
- --SANS Boston 2011, Boston, MA, August 8-15, 2011 12 courses. Bonus evening presentations include When Prevention Fails: Extending IR and Digital Forensics Capabilities to the Corporate Network; and More Practical Insights on the 20 Critical Controls http://www.sans.org/boston-2011/
- --SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats http://www.sans.org/virginia-beach-2011/
- --SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis http://www.sans.org/ottawa-2011/
- --SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations http://www.sans.org/network-security-2011/
- --SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security http://www.sans.org/chicago-2011/
- --SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja developers: Penetration Testing and Your SDLC http://www.sans.org/seattle-2011/
Sony Insurer Asks Court to Say It's Not Liable to Defend Sony Against Breach Actions (July 21 & 22, 2011)
Sony's insurance company, Zurich American Insurance Company (ZAIC), and its parent company, the Zurich Insurance Company, are suing the media company, saying that the series of security breaches the company suffered earlier this year are not covered by its policy with Zurich. Zurich's complaint alleges that Sony has demanded that it defend the company against the plethora of lawsuits and "potential actions instituted by one or more state attorney general's offices." ZAIC maintains that Sony's policy covers "bodily injury," "property damage," and "personal and advertising injury."
-http://www.theregister.co.uk/2011/07/22/sony_breach_insurance/
-http://www.computerworld.com/s/article/9218577/Sony_insurer_says_it_s_not_liable_for_breach_related_costs?taxonomyId=17
-http://www.reuters.com/article/2011/07/21/us-insurance-sony-idUSTRE76K3PY20110721
-https://iapps.courts.state.ny.us/fbem/DocumentDisplayServlet?documentId=tirVQewp3WujFno1EgNuTA==&system=prod
[Editor's Note (Pescatore): No cyber insurance policy ever protected your customers' data, and many of them even fail to provide any meaningful bounding of the financial exposure from a cyber-incident. Since software engineering is an oxymoron, it is impossible for insurance companies to have a meaningful basis for assessing risk, and thus premiums are high, payouts are limited and, as the ZAIC suit illustrates, the definition of a qualifying "injury" or event may also be very limited.
(Paller): A few years ago the White House cyber coordinator was being pressured, by people paid by a major insurer, to back cyber insurance as an incentive for better security - "just as fire insurance and resulting building standards helped improve building safety." The coordinator asked me to find out how well cyber insurance was working. I met with the representatives of nearly every organization selling cyber insurance in the U.S. and was surprised that they were unable to provide even one example where any of their insurance policies ever paid for the kinds of losses that weak cyber security facilitated. It turns out the problem they face is lack of reinsurance; without it, insurers will not take the risk. Reinsurance requires that a fire in Chicago not also be happening in New York and Atlanta and everywhere else. The cyber threat can and does affect many victims in many places; its losses simply cannot be re-insured effectively. Without reinsurance, the insurers had to radically constrain the losses they covered. If you bought a cyber policy, don't bet your career on telling your boss that your company "is covered for cyber losses." ]
Arrests Made Following Raids on Homes of Anonymous and LulzSec Suspects (July 19 & 20, 2011)
Phony Apple Stores Reported in China (July 21, 2011)
An American expat blogging from Kunming, China, has reported finding three phony Apple stores in that city. The blogger said that the staff at the establishments appeared to believe that they were actually employed by Apple, but certain details, including the words "Apple Store" outside the storefronts, led to suspicion that the establishments were bogus. The origin of the merchandise being sold has not been determined. A Wall Street Journal reporter managed to speak to one of the store's employees, who appeared to know that the store was not official. Apple has not commented on the situation. Apple has four official stores in China and several official resellers, but the Kunming store appears to be neither.
-http://www.bbc.co.uk/news/technology-14236786
-http://www.pcmag.com/article2/0,2817,2388826,00.asp
-http://www.usatoday.com/tech/news/2011-07-21-apple-china-piracy_n.htm
Man Arrested for Allegedly Infecting Computers with Malware (July 21, 2011)
Details Emerge About How Attackers Infiltrated DOE Lab Network (July 20 & 21, 2011)
The cyber attack on the US Department of Energy's Pacific Northwest National Laboratory (PNNL) was carried out through a web server flaw and a zero-day Adobe Flash vulnerability. The attack was detected the Friday prior to the July 4th holiday; the lab then shut down most internal network services and blocked Internet traffic. The attackers gained their initial foothold through public-facing web servers that are considered "low impact" and therefore subject to less stringent security requirements than other components of the lab's network. The attackers used a flaw in the server to plant the Adobe Flash exploit, which was designed to infect the computers of those who visited the site. An analysis of the attack found that the attackers were unable to move laterally within the PNNL network.
-http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/231002231/attack-on-pacific-northwest-national-lab-started-at-public-web-servers.html
[Editor's Comment (Northcutt): Sounds like defense in depth in action. Hurrah for the PNNL team!]
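As an added defensive check (not from the article and not PNNL's code), the script below compares a served page against a known-good baseline hash and flags newly introduced Flash objects or hidden iframes, the kind of planted content the report describes on the "low impact" public servers; the sample page, baseline and tag patterns are constructed for illustration.

```python
"""Baseline drift check for a public-facing web page (added example).

Compares the body a web server currently serves against a known-good
SHA-256 baseline and lists any embed-like tags that reference Flash
content or are hidden iframes, so a planted drive-by payload on a
low-priority server surfaces in monitoring rather than in a breach.
"""
import hashlib
import re

# Tags that commonly carry a drive-by payload: Flash objects/embeds and iframes.
SUSPECT_TAG_RE = re.compile(r"<(object|embed|iframe)\b[^>]*>", re.IGNORECASE)
# Flash indicators: a .swf resource or the Flash MIME type on the tag.
SWF_RE = re.compile(r"\.swf\b|application/x-shockwave-flash", re.IGNORECASE)
# Iframes sized to zero or styled invisible are a classic injection pattern.
HIDDEN_RE = re.compile(
    r"(width|height)\s*=\s*[\"']?0\b|display\s*:\s*none|visibility\s*:\s*hidden",
    re.IGNORECASE,
)


def sha256_hex(body: str) -> str:
    """Hash the served body; the baseline is recorded from a trusted copy."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def find_suspect_embeds(body: str) -> list:
    """Return embed-like tags that load Flash content or are hidden iframes."""
    hits = []
    for m in SUSPECT_TAG_RE.finditer(body):
        tag = m.group(0)
        is_hidden_iframe = m.group(1).lower() == "iframe" and HIDDEN_RE.search(tag)
        if SWF_RE.search(tag) or is_hidden_iframe:
            hits.append(tag)
    return hits


def check_page(baseline_sha256: str, body: str) -> dict:
    """Report whether the body drifted from baseline and which embeds look planted."""
    return {
        "changed": sha256_hex(body) != baseline_sha256,
        "suspect_embeds": find_suspect_embeds(body),
    }


# Constructed sample: a known-good page and a copy with a 1x1 Flash object planted.
BASELINE_HTML = "<html><body><h1>Visitor Portal</h1><p>Welcome.</p></body></html>"
PLANTED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<object type="application/x-shockwave-flash" data="/img/x.swf" '
    'width="1" height="1"></object></body>',
)

if __name__ == "__main__":
    baseline = sha256_hex(BASELINE_HTML)
    print(check_page(baseline, BASELINE_HTML))   # no drift, no embeds
    print(check_page(baseline, PLANTED_HTML))    # drift plus the planted object
```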
Apple Updates Safari, Releases OS X 10.7 (July 20 & 21, 2011)
US House Subcommittee Passes Breach Notification Bill (July 20 & 21, 2011)
The trade subcommittee of the US House Energy and Commerce Committee has approved a data breach notification bill. The Secure and Fortify Electronic Data Act has met with criticism from some committee members because they say it contains "loopholes that sacrifice data security and privacy." The bill would require organizations to report most data breaches within 48 hours and also calls for the Federal Trade Commission (FTC) to establish data security regulations for organizations that retain personal information. The bill now goes to the full committee. Concerns about the proposed legislation include the fact that it would take precedence over stronger state notification laws. This bill does not cover email addresses, payroll records, online video and pictures. Notification would be mandatory only when names, phone numbers or credit card numbers are compromised along with Social Security numbers (SSNs). Compromises of SSNs, bank account or credit card account numbers on their own would not mandate notification.
-http://www.computerworld.com/s/article/9218554/House_panel_approves_data_breach_notification_bill?taxonomyId=17
-http://www.scmagazineus.com/breach-law-passes-hurdle-but-faces-opposition/article/208067/
IRS Chastised for Dragging Feet in Breach Notification (July 19, 2011)
The US Internal Revenue Service has been reprimanded by the Treasury Department Inspector General for Tax Administration for failing to notify taxpayers of data security breaches in a timely fashion. In fiscal 2009 and fiscal 2010, the IRS experienced more than 4,000 instances of inadvertent taxpayer information disclosure. A sampling of cases from the two-year period found that 20 percent of the time, the IRS took 86 days to notify affected taxpayers of breaches. Of instances in which taxpayers were not notified at all, five percent were due to the identities of the affected taxpayers not being documented; 10 percent were due to the exposed information not fitting the definition of sensitive personal information; and 21 percent because the information was exposed to individuals and entities that the IRS did not perceive as a threat.
-http://www.washingtonpost.com/local/dc-politics/auditors-scold-irs-over-cybersecurity-issues/2011/07/19/gIQAWEOgOI_story.html
Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit https://www.sans.org/account/