Very good news: The Wall Street Journal's Siobhan Gorman stepped out
ahead of other journalists in highlighting what works for companies and
agencies to defend effectively against targeted and other attacks (see
the first story below). I hope this is the beginning of news reporting
in cybersecurity moving beyond highlighting the problems and
vulnerabilities (the easier part) toward discussing and contrasting the
effective solutions - like that at the US Department of State where they
automated the 20 Critical Controls. State's innovation is one of the
winners of the 2011 National Cybersecurity Innovation Awards along with
NASA's and Los Alamos' cloud security initiatives and several very cool
cloud security testing, mobile security improvement, the best cyber test
range, and APT risk mitigation innovations. The winning innovators will
share the lessons they learned and how to replicate what they did, at
the National Cybersecurity Innovation Conference Oct 11-12 in
Very sad news: Gene Schultz, a cybersecurity pioneer and NewsBites
editor, founder of the Department of Energy's CIAC and one of the
greatest teachers of security, suffered a severe brain injury from a bad
fall on Friday afternoon at the Minneapolis Airport. His family is with
him at the hospital and our prayers are as well. If you are one of
Gene's students, colleagues, and friends and want to follow his
progress, visit the web site his family has set up at
************************************************************************* SANS NewsBites September 27, 2011 Volume: XIII, Issue: 77 *************************************************************************
************* Sponsored By Raytheon Trusted Computer Solutions ***********
Manually hardening operating systems to DISA STIGs, PCI, or SANS Consensus Audit Guidelines is cumbersome and time consuming. Automate it with Security Blanket(r) for consistent and predictable lock down results. Security Blanket now supports SELinux 'targeted' policy for Red Hat(r) Enterprise Linux(r) and Fedora(r). Learn more by registering for a free demonstration today!
- -- NCIC: The National Cybersecurity Innovations Conference, DC, Oct. 11-12, 2011 3 tracks - Cloud computing, Continuous Monitoring and Enterprise Mobile Security training http://www.sans.org/ncic-2011/
- --SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security http://www.sans.org/chicago-2011/
- --SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC http://www.sans.org/seattle-2011/
- --SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home http://www.sans.org/san-francisco-2011/
- --EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. http://www.sans.org/eu-scada-2011/
- --SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You? http://www.sans.org/san-antonio-2011/
- --SANS London 2011, London, UK, December 3-12, 2011 16 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions. http://www.sans.org/london-2011/
- --SANS CDI 2011, Washington, DC, December 9-16, 2011 26 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity. http://www.sans.org/cyber-defense-initiative-2011/
State Department Network Security Serves as Model for Other Large Organizations (September 26, 2011)
The US State Department has developed an effective approach to network security that makes it easier for managers to identify and address problems. The program has proven such a success that it is serving as a model for other large organizations. The State Department is responsible for guarding networks around the world, in a multitude of offices and in all time zones, much like a multinational company. The system assigns a value to security issues; the larger the problem, the larger the value, which lets officials know how to prioritize their attentions. A number of companies have made inquiries at the State Department regarding the program. The program was created by four people, including State CISO John Streufert. Requests have been made for the program's code, which Streufert offers at no cost. Of course, no program is perfect, and this program addresses only known vulnerabilities. It scans only Windows computers, not routers or other network equipment, although the program is being expanded to include these devices. The State Department's greatest innovation is the "monetization" of risk by computing the risk from various mis-configurations and vulnerabilities on a single "risk-point" scale and then providing the data to system administrators every day in a form that shows the sysadmins what action will provide the highest risk-point reduction that day.
-http://online.wsj.com/article/SB10001424053111904353504576566802789426680.html
[Editor's Note (Murray): It would be wonderful if our security was a function of the strength of our walls rather than the guards at our gates. (Paller): Federal agencies that have purchased tools like HBSS and BigFix and/or vulnerability management systems, but have not taken the final step of computing a common risk-score and delivering task prioritization data to system administrators every day, are wasting their software investment and leaving their agencies at risk. IOW they are grasping defeat from the jaws of victory. This is especially true given the State Department's active program of providing its NSA-verified risk-point scoring system and sysadmin prioritization tools to other agencies and companies around the world at no cost. (Honan): Kudos to Mr. Streufert for openly sharing this model with other organisations, and at no cost. It is open and effective information sharing between organisations that will help us all to better improve all our information security. ]
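The mechanism the story describes (every finding scored on one common risk-point scale, then remediation actions ranked by how many points each would remove across the enterprise) is simple enough to show in code. The script below is an added illustration written for this issue, not State's own code: the finding set is constructed, and the base points per category and the aging rule are assumed weights, not State's scoring tables. The lesson it demonstrates is that ranking by points removed per action, rather than by the severity of any single finding, is what tells a sysadmin what to do first today.

```python
"""Risk-point prioritization in the style of the State Department scheme
described above.  Added illustration only: the findings, the point weights
and the aging rule are constructed assumptions, not State's own code."""
from collections import defaultdict

# Assumed base points per finding category (State's real tables are not shown here).
BASE_POINTS = {
    "vuln_critical": 10.0,
    "vuln_high": 6.0,
    "misconfig": 3.0,
}

# Constructed sample scan output: (host, remediation_action, category, age_days).
# One remediation action (e.g. pushing one patch) may close findings on many hosts.
SAMPLE_FINDINGS = [
    ("srv-dc01",  "patch_kernel",         "vuln_critical", 1),
    ("srv-web01", "patch_kernel",         "vuln_critical", 1),
    ("ws-101",    "patch_browser_plugin", "vuln_high",     5),
    ("ws-102",    "patch_browser_plugin", "vuln_high",     5),
    ("ws-103",    "patch_browser_plugin", "vuln_high",     5),
    ("ws-101",    "cfg_guest_enabled",    "misconfig",     40),
    ("ws-104",    "cfg_guest_enabled",    "misconfig",     40),
]


def risk_points(category, age_days, aging_rate=0.1, cap=3.0):
    """Points for one finding.  Assumed rule: the score grows 10% per day the
    finding stays open, capped at 3x, so neglected items cannot sink out of view."""
    multiplier = min(1.0 + aging_rate * age_days, cap)
    return BASE_POINTS[category] * multiplier


def total_risk(findings):
    """Enterprise-wide risk on the single common scale."""
    return sum(risk_points(cat, age) for _host, _action, cat, age in findings)


def host_scores(findings):
    """Per-host totals: which machines carry the most risk today."""
    scores = defaultdict(float)
    for host, _action, cat, age in findings:
        scores[host] += risk_points(cat, age)
    return {host: round(pts, 1) for host, pts in scores.items()}


def prioritize(findings, top_n=3):
    """Rank remediation actions by the risk points each would remove across every
    host it touches.  Returns (action, points_removed, hosts_affected) tuples."""
    removed = defaultdict(float)
    hosts = defaultdict(set)
    for host, action, cat, age in findings:
        removed[action] += risk_points(cat, age)
        hosts[action].add(host)
    ranked = sorted(removed.items(), key=lambda kv: kv[1], reverse=True)
    return [(action, round(pts, 1), len(hosts[action])) for action, pts in ranked[:top_n]]


if __name__ == "__main__":
    # The daily report a sysadmin would receive: total, ranked actions, worst host.
    print("total risk points:", round(total_risk(SAMPLE_FINDINGS), 1))
    for action, pts, n in prioritize(SAMPLE_FINDINGS):
        print(f"{pts:6.1f} pts  {action:<22} ({n} hosts)")
    print("worst host:", max(host_scores(SAMPLE_FINDINGS).items(), key=lambda kv: kv[1]))
```

On the constructed data the browser-plugin patch (a "high" finding on three workstations, 27.0 points) outranks the "critical" kernel patch on two servers (22.0 points), and the 40-day-old guest-account misconfiguration (18.0 points) is still on the list only because the aging multiplier has tripled its base score. A per-finding severity sort would have put the kernel patch first and hidden the misconfiguration entirely; that difference is the point of the common scale.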
Dutch Government to revoke its DigiNotar Certificates on September 28 (September 26, 2011)
1) SANS Analyst Webcast September 29, 1 PM EST: Integrating Security into Development Cycles, No Pain Required, featuring Senior SANS Analyst Dave Shackleford and IBM Rational's Karl Snyder. http://www.sans.org/info/87604
2) Protecting Federal Systems and Advanced Persistent Threats, featuring security expert and speaker, G. Mark Hardy, September 28, 1 PM EST: http://www.sans.org/info/87609
OnStar Data Collection Practices Draw Fire from US Legislators (September 26, 2011)
Three US senators have voiced concerns over OnStar's announcement that it would continue to collect location data from car owners even after they had cancelled the OnStar service. Senators Al Franken (D-Minnesota) and Chris Coons (D-Delaware) have said that the practice "violate[s] basic principles of privacy and fairness." And Senator Charles Schumer (D-New York) has written a letter to the Federal Trade Commission asking for an investigation into the matter. OnStar made the announcement earlier this month in an email to subscribers. The company said it is reserving the right to sell the data, anonymized, to third parties. The legislators are skeptical about OnStar's claim that the data will be anonymized, because there is a "broad body of research showing that it is extraordinarily difficult to successfully anonymize personal data like location."
-http://arstechnica.com/tech-policy/news/2011/09/three-senators-condemn-onstar-for-tracking-former-customers.ars
-http://www.wired.com/threatlevel/2011/09/senator-onstar-brazen-privacy-invasion/
[Editor's Note (Murray): I think that OnStar's trial balloon just got shot down. Someone read their terms. ]
USCC Cyber Quests Winners Announced (September 26, 2011)
The US Cyber Challenge has announced the winners of the most recent round of Cyber Quests. The online competition is open to people 18 and older with a strong interest in cyber security. Chad Weber, a Vermont Technical College student, took first place; his prize is a trip to the SANS NetWars competition where he can further hone his skills and make valuable connections with people in the industry. Ben Toews, a graduate of DePaul University in Illinois, took second place, and Dan Borges, a senior at East Stroudsburg University in Pennsylvania, took third place.
-http://www.digitaljournal.com/pr/432284
Alleged LulzSec Member's IP Address Identified Through VPN/Proxy Server Provider (September 26, 2011)
A VPN and web proxy service has acknowledged that it provided information that led to the identification of Cody Kretsinger, who is allegedly a member of the LulzSec hacking group; the man was arrested last week. Hide My Ass (HMA) said it was complying with a court order to disclose the IP address with which Kretsinger had logged into its service. HMA notes that its terms-of-service agreement stipulates that it not be used for illegal purposes. HMA logs users' IP addresses at the beginning and end of VPN sessions.
-http://www.h-online.com/security/news/item/VPN-provider-helped-track-down-alleged-LulzSec-member-1349666.html
-http://www.scmagazineus.com/hide-my-ass-service-not-as-secret-as-suspect-likely-believed/article/212884/
[Editor's Note (Murray): David Brin told us, "Privacy and anonymity are what we want for ourselves; accountability is what we want for everyone else." All hope of anonymity in the Internet died when anon.penet.fi was forced to shut down. Until it was shut down, I always suspected that it was run by NSA. However, when the Finnish police sided with the Church of Scientology against it, that established its bona fides but destroyed the necessary trust. Finland surrendered its claim to be a bastion of freedom. At least HMA claims that it yielded to a court order. The requirement for a court order is about the best we can hope for now. ]
Phony Flash Player Installer Targets Mac Users (September 26, 2011)
Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/