******************* SPONSORED BY ForeScout Technologies ****************
Special white paper: IDC Report on Architecting a Flexible BYOD Strategy - - IDC security analyst Phil Hochmuth examines a tiered service approach to enterprise mobile security while exploring how NAC and MDM, as complementary controls, offer necessary network and device level defenses to enable IT organizations to realize mobility advantages while reducing security and compliance exposures. http://www.sans.org/info/110400
****************************************************************************
TRAINING UPDATE
- --SANS San Francisco 2012 San Francisco, CA July 30-August 6, 2012 8 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception. http://www.sans.org/san-francisco-2012/
- --SANS Boston 2012 Boston, MA August 6-11, 2012 8 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge. http://www.sans.org/boston-2012/
- --SANS Virginia Beach 2012 Virginia Beach, VA August 20-31, 2012 10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers? http://www.sans.org/virginia-beach-2012/
- --SANS Crystal City 2012 Arlington, VA September 6-11, 2012 6 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response. http://www.sans.org/crystal-city-2012/
- --SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional. http://www.sans.org/baltimore-2012/
- --SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 45 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead. http://www.sans.org/network-security-2012/
Plus San Antonio, Melbourne, Prague, Singapore, Dubai, and Seattle all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ***************************************************************************
TOP OF THE NEWS
Pentagon Secure Network Access Program Being Expanded to Other Agencies (July 20, 2012)
The Pentagon is expanding its network protection program to civilian agencies. Users who do not have the new tokens will not be able to access federal classified networks. The effort is aimed at preventing leaks of secret data. The plan was announced by Defense Secretary Leon Panetta and marks a movement toward extending the security implemented on networks within the defense department to other agencies. -http://www.nextgov.com/cybersecurity/2012/07/agencies-dole-out-new-hardware-keys-secret-networks/56907/?oref=ng-channelriver [Editor's Note (Murray): The use of strong authentication in the US Government is at least a decade overdue. It has been delayed by the choice of a technology that requires readers on edge devices and too much infrastructure. ]
Senators Introduce Modified Version of Cybersecurity Bill (July 19, 20 & 23, 2012)
Three-Strikes Rule Cuts Piracy Rates in New Zealand (July 23, 2012)
The Recording Industry Association of New Zealand (Rianz) says that piracy rates have dropped by 50 percent since the inception of a three-strikes rule in September 2011. (In New Zealand, the most stringent punishment is a fine, not being cut off from the Internet.) Violators can be fined up to NZ $15,000 (US $11,850) after three illegal filesharing offenses. Rianz says it has sent out nearly 2,800 infringement letters since September. Despite the disincentive program, an estimated 41 percent of New Zealand's Internet users still access "copyright infringing services online." Rianz is seeking to have the fee it pays to Internet service providers who issue the notices reduced from NZ $25 (US $20), while the ISPs are calling for a fourfold increase. -http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=10821492 -http://www.bbc.co.uk/news/technology-18953353
Stolen MapleSoft Customer Data Used to Spread ZeuS (July 23, 2012)
Hackers are using customer data stolen from MapleSoft to send spam containing malware. MapleSoft has acknowledged that its administrative database was breached on July 17; compromised information includes customer names, email addresses, and names of associated institutions. The malicious messages appear to come from a "MapleSoft Security Update Team" and urge recipients to install an accompanying critical patch for the software. The link, however, delivers the ZeuS trojan rather than a patch. -http://www.cso.com.au/article/431358/hackers_pose_hacked_software_vendor_spread_zeus_trojan/
DARPA Awards Contract to Develop Anomalous User Behavior Detection Technology (July 23, 2012)
Survey Shows Users Unclear About Benefits of Updates (July 23, 2012)
July 23, 2012 marked the beginning of "International Technology Upgrade Week," an effort to encourage users to keep their software up-to-date. A recent Skype-commissioned survey found that 40 percent of adult computer users do not always install security updates the first time they are prompted to do so, and that 25 percent do not bother to update at all because they do not understand the benefits of updating and what the updates are supposed to do. -http://www.theregister.co.uk/2012/07/23/skype_software_update_survey/ -http://www.computerworld.com/s/article/9229477/Quarter_of_users_see_no_benefit_in_updating_software?taxonomyId=17 [Editor's Note (Murray): After sixty years, the software industry still has not learned that patch and fix is more expensive than doing it right in the first place. This research suggests that they want to blame the failure of their strategy on the user. Am I the only one who sees irony there? (Paller): In fact the software industry has learned just the opposite. There is no economic model yet that persuades software companies to engineer in security from the outset. In fact some government integrators and custom development organizations actually make money writing bad code and then make more money fixing it. ]
Legislators Concerned About Drone GPS Hacking (July 22, 2012)
At a recent House Homeland Security Oversight subcommittee hearing, US legislators expressed concern about the possibility of hackers hijacking and jamming drone aircraft GPS signals. The Federal Aviation Administration (FAA) has an approaching deadline for creating regulations and licensing to incorporate drones into national airspace. University of Texas assistant professor Todd Humphreys, who recently demonstrated GPS spoofing of drones, said in his testimony before the committee that "civil GPS spoofing also presents a danger to manned aircraft, maritime craft, communications systems, banking and finance institutions, and the national power grid." -http://arstechnica.com/tech-policy/2012/07/fear-of-drone-gps-hacking-raised-by-congress-as-faa-deadline-looms/
Project Aims to Help Fight Cybercrime in Developing Countries (July 19 & 20, 2012)
UK Government Losing Skilled Cybersecurity Workers to Private Industry (July 18, 2012)
Last year, the UK's Intelligence and Security Committee (ISC) recommended that the Government Communications Headquarters (GCHQ) find ways to help retain skilled IT security professionals, who are increasingly being hired away by private industry. GCHQ recently adopted a bonus system for particular skills. However, the ISC's 2011-12 annual report found that "GCHQ [is] losing critical staff with high end cyber technology skills at up to three times the rate of the corporate average." GCHQ has proposed a new model, in which staff members are trained with the expectation that they will at some point move to private industry, and that "if they're working with some of those companies that we work closely with, perhaps there is a benefit that we can get from them." -http://www.cso.com.au/article/430984/gchq_3_times_more_likely_lose_cyber_security_skills_than_private_sector/ [Editor's Comment (Northcutt): Government will always lose trained people to private industry. The loss can be slowed by creating valuable and valued career paths. If you need to keep security people, then you need to have career paths that allow for challenging work and promotion, prestige, and compensation. Multiple surveys have shown that one of the most important things employers do to maintain satisfaction of security people is to allow them to maintain their skills through training and interesting projects. (Cole): A key way of dealing with this problem is moving from less manually intensive security measures to more automation. The critical controls ( -http://www.sans.org/critical-security-controls/) provide a framework for implementing more automated security controls which will allow organizations to have effective security with less skilled professionals. The British CPNI have adopted those controls as a national initiative so there is reason to anticipate that the UK will lead the world in this important transformation to automating cyber security. ]
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/