IT Security in Health Care: Where Are We Now? Take Survey - Enter to Win iPad

SANS NewsBites - Volume: XV, Issue: 14


In the last 24 hours, most major news outlets highlighted Chinese
military and military-related hacking of American companies.
BusinessWeek's cover this week, in big letters: "Yes the Chinese Army
is Spying on You." Mandiant provided strong documentation. It's a big
story.

But is it the right story? If you know that the People's Liberation Army
is spying on you, do you change your defenses? How? Do you look for
Chinese language intrusion prevention tools. The continuous China
bashing simply reflects the inability of watchers to see evidence of the
stealthier attacks coming from many nations that may take a different
approach to penetrating our telecommunications and banking and power
systems and stealing our national wealth. The number of bad actors,
spread among nations, terrorists, anarchists and criminals, is so great
that their identity is not as important as what we do to defend our
systems - because they usually exploit the same weaknesses. The most
important answer to what we should do was released last week in a White
house/DHS/NIST meeting
(https://csis.org/publication/raising-bar-cybersecurity). The defenses
specified in that paper, written by CSIS' Jim Lewis, actually block the
vast majority of the Chinese - and other - attacks. What we as a
community must do is identify the barriers that stop broad based
adoption of these defenses and lower them. Tony Sager and John Pescatore
have taken on that challenge. You can help by reading the paper and
sending them (at CCA@sans.org) the one or two most important challenges
you see slowing adoption.

Alan

*************************************************************************
SANS NewsBites                     February 19, 2013                    Volume: XV, Issue: 14
*************************************************************************
TOP OF THE NEWS

  Military Leaders Say DOD Cyber Force Underqualified - DoD 8570 Is the Cause
  Report Says China Behind Cyber Attacks Against More Than 100 U.S. Companies; Failed Coke Deal Blamed on Chinese Hacking, Too.
  US Military Contracts Will Require Continuous Monitoring of Industrial Control Systems

THE REST OF THE WEEK'S NEWS

  CERT Australia's Critical Infrastructure Breach Report
  European Privacy Regulators Consider Action Against Google
  Irish Companies More Aware of Need for Data Protection
  DNSSEC Adoption Growing in Government, But Unpopular with eCommerce and Finance
  Critical Flaws in BlackBerry Enterprise Server
  Adobe to Patch Flaws in Reader This Week
  Facebook Acknowledges That Company Laptops Were Compromised
  Dept. of Energy IG Report Finds Security Concerns at Los Alamos


********************** SPONSORED BY Symantec ****************************
Symantec Endpoint Protection 12 and Critical System Protection are positioned highest in Gartner's Magic Quadrant for completeness of vision and the ability to execute. Read the report to learn about the Endpoint Protection landscape, growth drivers and challenges, and where vendors are positioned. Learn More.
http://www.sans.org/info/124492
****************************************************************************
TRAINING UPDATE


- -- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 8 courses. Bonus evening presentations include Base64 Can Get You Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! - The Recon-ng Framework.
http://www.sans.org/event/monterey-2013


- --SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013


- --SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-guardian-2013


- --SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/security-west-2013


- --SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentations include APT: It is Time to Act; and Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013


- --Secure Canberra 2013 Canberra, Australia March 18 - March 23, 2013 Featuring Network Penetration Testing and Ethical Hacking and Computer Forensic Investigations - Windows In-Depth.
https://www.sans.org/event/secure-canberra-2013


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at https://www.sans.org/ondemand/specials
Plus Scottsdale, Brussels, Johannesburg, Abu Dhabi, Seoul, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
***************************************************************************

TOP OF THE NEWS

Military Leaders Say DOD Cyber Force Underqualified - DoD 8570 Is the Cause (February 16, 2013)
Twenty-four experts, including uniformed members of all three major branches of the military provided strong evidence that the people who have the task of protecting US Department of Defense (DOD) computer networks lack adequate technical training for their responsibilities. Many who have gained certifications can talk about security but are unable to perform even basic security tasks. DoD CIO Teri Takai says her team is revising qualification and certification policies to make sure that new hires are qualified and capable.
-http://www.federaltimes.com/article/20130216/DEPARTMENTS01/302160001/Experts-say
-DoD-cyber-workers-undertrained?odyssey=tab%7Ctopnews%7Ctext%7CFRONTPAGE



Report Says China Behind Cyber Attacks Against More Than 100 U.S. Companies; Failed Coke Deal Blamed on Chinese Hacking, Too. (February 19, 2013)
A new report on Chinese hackers details a huge cyber espionage campaign against of American companies from security providers to power plant suppliers. The failure of a big deal by Coca- Cola was also blamed on Chinese army hackers. In 2008, Coca-Cola bid about $2.4 billion for the China Huiyuan Juice Group, a beverage company based in Beijing, in what would have been one of the biggest foreign acquisitions ever in that country. While the bid was being developed, Chinese hackers were inside Coke's systems reading the details.
-http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hack
ing-against-us.html?_r=0Companies

-http://dealbook.nytimes.com/2013/02/19/accusations-of-hacking-in-cokes-failed-bi
g-deal/

-http://www.usatoday.com/story/tech/2013/02/19/chinese-military-hacking-group-us-
attacks-cybersyping/1930307/



US Military Contracts Will Require Continuous Monitoring of Industrial Control Systems (February 15, 2013)
Later this year, the Pentagon will issue cybersecurity certification requirements for organizations that operate components of the country's critical infrastructure and those that support the US military. The requirements have been under development for some time, predating the president's executive order that asks the government to consider requiring cybersecurity standards in federal contracts. The owners of critical infrastructure organizations have been asking for cybersecurity guidance, but are reluctant to having requirements imposed. Within the next year, military contracts will include a requirement that industrial control systems (ICS) be continually monitored. Currently, those systems are tested for security every three years.
-http://www.nextgov.com/cybersecurity/2013/02/pentagon-will-require-security-stan
dards-critical-infrastructure-networks/61328/?oref=ng-channelriver

[Editor's Note (Pescatore): Continuous monitoring is good only if meaningful things are monitored. Also, multiple monitoring and certification requirements can lead to a compliance focus vs. a security focus, ending up with IT systems that look like what today's ladders look like: the same old ladder plastered with lots of warning and safety standard stickers. The Critical Security Controls are a strong starting point for defining a standard baseline set of meaningful controls for continuous monitoring.
(Henry): I know people get all spun up about "regulation" whenever anyone talks about government guidelines, but really? I have to get my car inspected each year so I'm not a hazard to other motorists, and I am comforted that someone is verifying the cleanliness and safety of the food and water I eat and drink. Oh, and I'm always glad to see the little white card in the elevator that assures me someone's recently checked so I don't plummet down the shaft to my death. So when the government starts talking about requirements for monitoring the Industrial Control Systems that run our critical infrastructure? Yeah, I'm ok with that.
(McBride): This is big (and encouraging) news - a significant customer demanding at least some security of ICS networks. Unfortunately, successful implementation will take well over a year. We've got to build a bridge between IT and OT that simply isn't there today. Monitoring is a good start, but without personnel who know from both cyber and operational perspectives what to do, and policies that make sure the right actions occur on ICS/SCADA networks, that monitoring will not be effective. ]



*************************** Sponsored Links: *****************************
1) SANS Survey on SCADA Security results revealed by SCADA expert, Matt Luallen, Wed, Feb. 20. 1PM EDT. http://www.sans.org/info/124497

2) Take the SANS Survey on Help Desk Security! Enter to win an iPad 4! http://www.sans.org/info/124502
*****************************************************************************

THE REST OF THE WEEK'S NEWS

CERT Australia's Critical Infrastructure Breach Report (February 18, 2013)
According to a report from the Computer Emergency Response Team (CERT) Australia, 51 operators of critical infrastructure systems in that country reported breaches in 2012. Of those, nine reported that the intruders stole proprietary information. The report was written by the Centre for Internet Safety, and compiled information from 255 organizations responding to requests. The causes of the breaches include device theft, automated hacking tools, software flaws, and misconfigured systems, applications, and network devices. In four instances, a person was charged as a result of the incident. More than half of the reported attacks are believed to be targeted, and 44 percent were launched from within the organizations themselves.
-http://www.scmagazine.com.au/News/333541,51-critical-infrastructure-organisation
s-breach-in-2012-report.aspx

-http://www.theregister.co.uk/2013/02/18/cert_australia_says_eight_percent_of_onl
ine_crims_charged/



European Privacy Regulators Consider Action Against Google (February 18, 2013)
European privacy regulators are preparing to take action against Google for the company's new privacy policy that they say violates European law. At issue is Google's new policy of sharing user information between the company's own products. Google made the change last year, establishing a single privacy policy that covers all of its products to take the place of the myriad existing policies for the company's various products. Google maintains that its new policy complies with EU laws and that it had informed European regulators of actions it had taken to address their concerns. However, France's National Commission for Computing and Civil Liberties says that Google has not offered "any precise and effective" solutions to the issues raised.
-http://arstechnica.com/business/2013/02/european-regulators-expect-to-take-googl
e-to-task-over-data-sharing-this-summer/

-http://www.bloomberg.com/news/2013-02-18/google-may-face-fines-after-failing-to-
answer-privacy-questions.html

[Editor's note (Ullrich): European privacy law is usually more concerned with protecting personal information from commercial interests and unlike in US law, it is not always possible to just ask the customer to consent to whatever privacy policy the company dreams up. ]


Irish Companies More Aware of Need for Data Protection (February 18, 2013)
A survey of more than 250 Irish IT professionals found that 80 percent say their organizations have designated employees responsible for data protection. The top two reasons given for increased compliance with the Data Protection Act were avoiding penalties and protecting their organization's reputation. However, 43 percent of organizations responding to the survey said they had experienced a data breach within the past year and that most were the result of employee activity. Fintan Swanton, president of the Association of Data Protection officers noted that while companies "might appreciate the importance of data security, ... they must also instill a culture of compliant data management throughout the company, not just amongst the designated data protection personnel."
-http://www.siliconrepublic.com/strategy/item/31526-data-protection-awareness/


DNSSEC Adoption Growing in Government, But Unpopular with eCommerce and Finance (February 18, 2013)
Although DNSSEC (DNS Security Extensions) technology helps prevent spoofing of websites, none of the top e-commerce companies or banking and financial services companies have deployed it fully. In contrast, two-thirds of US government agencies are using DNSSEC, although some of the agencies are signing their domains incorrectly.
-http://www.theregister.co.uk/2013/02/18/dnssec/
[Editor's Note (Pescatore): I imagine that in the US in 1963 there were similar stories about the unpopularity of a change required to make delivery of physical messages more reliable. It was called the Zone Improvement Plan - and these days we routinely put ZIP codes on snail mail addresses without grumbling. Need to get over that hump with DNSSEC - and then use the freed-up energy to push BGP and SSL Certificate Authority security improvements up the next hill.
(Ullrich): Having implemented DNSSEC for a few domains, I found out first hand that it is very easy to "mess up" and render a domain non resolvable. Even some notable .gov sites (like for example fbi.gov) fell victim to badly configured DNSSEC in the past. On the other hand, attacks that involve DNS spoofing are rare and not considered a sufficient risk compared to the risk of downtime due to badly configured DNSSEC signatures. This may however change as more commercial DNS providers will offer DNSSEC as a service and as popular DNS servers like BIND make configuring DNSSEC easier.
-https://isc.sans.edu/tag.html?tag=dnssec]


Critical Flaws in BlackBerry Enterprise Server (February 18, 2013)
BlackBerry has acknowledged critical flaws in components of its BlackBerry Enterprise Server (BES). The flaws could be exploited to allow arbitrary code execution. The issue lies in the way BlackBerry MDS Connection Service and BlackBerry Messaging Agent process TIFF images. To exploit the vulnerability through MDS Connection Service, users must be tricked into clicking on a link in a maliciously crafted web page. In Messaging Agent, the flaw can be exploited by embedding an image in an email; there is no need for the user to click on a link. BlackBerry has released security updates to address the issues; administrators can upgrade to version5.0.4 MR2, which addresses these vulnerabilities. There are also workarounds available.
-http://www.h-online.com/security/news/item/BlackBerry-Enterprise-Server-vulnerab
le-to-dangerous-TIFFs-1805252.html

[Editor's Note (Ullrich): It is important to note that the libtiff flaw that is being patched here has been known for a while, and Blackberry is just catching up. ]


Adobe to Patch Flaws in Reader This Week (February 17 & 18, 2013)
Adobe plans to release an emergency patch this week to address a pair of memory corruption flaws in Reader and Acrobat. Adobe said the patch would be available the week of February 18, but did not provide a specific date. The vulnerabilities are being actively exploited in attacks that manage to circumvent Adobe's Protected Mode sandbox. The attacks are being made through specially crafted PDF documents attached to emails.
-http://www.zdnet.com/safe-pdfs-are-almost-here-adobe-to-release-reader-acrobat-z
ero-day-patch-this-week-7000011437/

-http://www.h-online.com/security/news/item/Emergency-patches-for-Adobe-Reader-sc
heduled-1804966.html

-http://www.computerworld.com/s/article/9236889/Adobe_to_patch_Reader_zero_day_th
is_week_with_rush_update?taxonomyId=17



Facebook Acknowledges That Company Laptops Were Compromised (February 15 & 16, 2013)
Facebook has acknowledged that several of its employees' computers were infected with malware that exploited a known Java vulnerability, but says that no customer data were compromised. The incidents occurred in January, and involved the employees visiting a mobile-developer website that had been compromised and infected their laptops with malware. In a blog post, Facebook Security writes that "Facebook was not alone in this attack," but did not specify which other organizations had been affected." When Facebook became aware of the situation, the company "remediated all infected machines, informed law enforcement, and began a significant investigation." The company realized that there had been a breach when the security team found a suspicious domain in DNS logs and traced it back to a Facebook laptop. Oracle has since released a patch for the flaw that the attackers exploited.
-http://www.cnn.com/2013/02/15/tech/social-media/facebook-attack/index.html
-http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-d
ay-java-exploit/

-http://www.bbc.co.uk/news/world-us-canada-21481101
-http://www.theregister.co.uk/2013/02/15/facebook_hacked/
-http://www.v3.co.uk/v3-uk/news/2244451/facebook-fesses-up-to-security-breach


Dept. of Energy IG Report Finds Security Concerns at Los Alamos (February 15, 2013)
An audit report from the US Department of Energy's (DOE's) Office of Inspector General (IG) finds that while Los Alamos National Laboratory
(LANL) has taken steps to improve its cybersecurity posture, there remain a number of concerns regarding risk management, system security testing, and vulnerability management practices at the facility.
-http://www.nextgov.com/cybersecurity/2013/02/nuclear-lab-remains-vulnerable-cybe
rstrikes-energy-ig-says/61347/?oref=ng-HPriver

Report:
-http://energy.gov/sites/prod/files/IG-0880.pdf
[Editor's Note (Henry): If this report is accurate (and I say "if", because I've had experience with various IGs over the years and things are not always accurate or put in proper context), then this should ring alarm bells. The report states "we identified 5 critical and 15 high-risk weaknesses on the 4 national security systems scanned, some of which dated back to 2008." These systems, according to the article, process classified information, which one may surmise relates to the safety and reliability of the Nation's nuclear stockpile. And they've promised to get their systems remediated by no later than March 30, 2014?! They did read the words "critical" and "high-risk", right?
(Murray): My mentor, Bob Courtney, taught me that one should never take security counsel from cryptographers or auditors. My exception to the rule is Bruce Schneier, who is a reformed cryptographer. There was once a reformed auditor but I have forgotten her name.

************************************************************************
The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.


Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/