************************** SPONSORED BY WinMagic Inc. *******************
WinMagic invites you to join the PBConnex Webinar - The Next Generation of Data Encryption Management. As regulatory requirements continue to burden IT organizations, IT managers struggle to contain costs and complexity while protecting users and maintaining compliance. Learn how to improve user experience, enhance security and reduce total cost of ownership.
--SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP PenTesting: Current Threats and Methods; and Helping Small Businesses with Security. http://www.sans.org/security-east-2012/
--SANS North American SCADA 2012, Lake Buena Vista, FL January 21-29, 2012 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization. Pre-Summit courses: January 21-25, 2012 Summit: January 26-27, 2012 Post-Summit Courses: January 28-29, 2012 http://www.sans.org/north-american-scada-2012/
--SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo. http://www.sans.org/monterey-2012/
--SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker. http://www.sans.org/phoenix-2012/
--SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ... http://www.sans.org/singapore-2012/
SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN March 12-15, 2012 Summit: March 12-13, 2012 Post-Summit Courses: March 14-15, 2012 Mobile device security experts and practitioners will discuss the best approaches to this new and evolving challenge. Organizations who have developed successful mobile device security programs will share how they developed and gained management support for their plans. http://www.sans.org/mobile-device-security-summit-2012/
--SANS 2012, Orlando, FL March 23-39, 2012 42 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware. http://www.sans.org/sans-2012/
Plus Atlanta, Bangalore, San Francisco, Stuttgart, and Nashville, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
************************************************************************
TOP OF THE NEWS
NSA Implementing 20 Critical Controls To Lead By Example in Cybersecurity (January 16, 2012)
The National Security Agency (NSA) is developing an internal cyber security program for its own computer systems that can serve as the "gold standard" and a model for other military organizations and contractors that seek to operate their computers in a cost-effective but secure manner. NSA's program, which is being developed by a 38-member team, is based on the Twenty Critical Security Controls for Effective Cyber Defense. The list was developed by a team led by former Air Force CIO John Gilligan, who had grown weary of audits in which he was told that penetration testers could break into his systems but was not provided with guidance on how to prevent attacks and intrusions. -http://www.defensenews.com/story.php?i=8855751 [Editor's Note (Murray): One size does not fit all. In government such attempts result in watering down controls. Moreover, the security problem in the US government is a problem of bureaucratic will, not knowledge. New guidelines will not help. (Paller): Bill Murray is frequently right, but not this time. If one size did not fit the needs of thousands and thousands of large and small organizations, there would be no Red Hat Linux or Windows or Android or OS-X; each is used effectively by millions of people in tens of thousands of organizations. In fact, one agreed-upon set of attack-informed, automatable controls is the single greatest advance necessary to bring about cost-effective cyber security.
That's why the UK government announced last week it was adopting the 20 Critical Controls as a national initiative, why NSA is adopting them to lead by example in showing how effective security can be done, why John Streufert (just named to head the US National Cyber Security Division at DHS) automated them at the US State Department and reduced measured cyber risk by over 90%, why hundreds of large companies are adopting them, and why Inspectors General in two government agencies are moving to audit automation of the 20 Critical Controls instead of auditing traditional, wasteful FISMA reporting. Note, you can download the 20 Critical Controls poster at -http://www.sans.org/critical-security-controls/winter-2012-poster.pdf]
Defense Industrial Base (DIB) Cyber Pilot Produces "Mixed Results" (January 12, 2012)
A government cyber threat information sharing pilot program has produced mixed results, according to a study commissioned by DoD and conducted by Carnegie Mellon University. The program, the Defense Industrial Base cyber pilot, used National Security Agency (NSA) data to help defense contractors protect their networks from cyber attacks. On the positive side, the program demonstrated that carriers could be trusted to handle NSA data, that the government did not need to directly monitor private networks, and that the program was especially helpful to companies with less developed cyber security resources. On the negative side, the program used malware signatures from NSA that were already dated when the program began. Often, the information provided did not help the companies prevent attacks that they were not already prepared to handle without the extra information. -http://www.washingtonpost.com/world/national-security/cyber-defense-effort-is-mixed-study-finds/2012/01/11/gIQAAu0YtP_story.html [Editor's Note (Pescatore): This pretty much just points out once again that the Intelligence Community and DoD are generally not better at blocking attacks than private industry. They are better at following attacks and gathering intelligence information, or striking back after a successful attack, but prevention is a very different thing. (Paller): Agreed; the ISPs are the right organizations to block attacks. Then the question becomes: who should provide the signatures? A closer look at the data from the DIB pilot shows that the program was quite successful for DIB companies that were not in the business of selling cyber security services. Carnegie Mellon and other large security service providers already knew about some (but definitely not all) of the NSA signatures, but they were *not* making effective use of those signatures to actively block attacks against the rest of the DIB.
It appears that the only organizations who saw "mixed results" were those who wanted it to fail. Cybersecurity leaders in industrial organizations with whom I have spoken feel MUCH better about relying on NSA and DHS to provide more complete signatures than depending on subsets of signatures that the big defense contractors can provide.]
************************** SPONSORED LINK ****************************
1) Don't miss SANS Webcast: Advanced Persistent Threats - Cutting Through the Hype. Sign up at http://www.sans.org/info/96796
2) Analyst Webcast: Needle in a Haystack? Attribution in Control Systems, http://www.sans.org/info/96801 February 22, 1:00 PM EDT
************************************************************************
THE REST OF THE WEEK'S NEWS
Cyber Conflict in the Middle-East Escalating (January 16, 2012)
Malware Has Been Lurking on City College of San Francisco System for a Decade (January 16, 2012)
Students, faculty, and staff at City College of San Francisco (California) are being urged to change their passwords, refrain from using computers at the school to conduct financial transactions or any activity that requires a password, and check their home computers for infection following the detection of malware on the school's computer system. It appears that at least seven different strains of malware have been on the system for years. The problem was detected in November 2011, when those responsible for monitoring network activity noticed anomalous traffic patterns. An investigation revealed that malware had been stealing data for more than a decade. The compromised information includes banking data. -http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2012/01/16/BA8T1MQ4E5.DTL [Editor's Note (Murray): A decade ago Richard Clarke said that 75% of the attack traffic in the Internet could be traced back to a compromised system in a college or university. Closing and securing a college or university network is not a trivial task. Many schools lack the will or resources. ]
Japanese Aerospace Agency Data Compromised (January 13 & 16, 2012)
NHS Trust Challenging Large Fine Over DPA Violations (January 13 & 17, 2012)
An NHS Trust is challenging a large fine imposed by the UK Information Commissioner's Office (ICO) for violating the Data Protection Act (DPA). The ICO is proposing to fine the Brighton and Sussex University Hospitals NHS Trust GBP 375,000 (US $576,000) after some of its patient records were discovered on hard drives that were being offered for sale on eBay. The Trust had hired a contractor to destroy 1,000 hard drives. While the disks were in the contractor's possession, 232 of them were stolen and offered for sale on eBay. -http://www.theregister.co.uk/2012/01/13/nhs_fined_stolen_data/ -http://www.bbc.co.uk/news/uk-england-sussex-16502602 -http://computerworld.co.nz/news.nsf/security/nhs-trust-challenges-375000-fine-over-data-protection-breach [Editor's Note (Honan): This appears to be a classic example in information security of where you can outsource a task but you cannot outsource the responsibility. As a data controller under the UK Data Protection Act, organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". This includes taking the necessary steps to ensure that any third parties, termed under the act as Data Processors, acting on your behalf also take the "appropriate technical and organisational measures" to secure your data.]
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/