There are very real privacy issues involved in the information being disclosed about NSA. One of the most thoughtful pieces written about those issues and what needs to be done about them came from Dr. John Hamre, president of the Center for Strategic and International Studies. Dr. Hamre distributed the note to a small group of policy makers and thought leaders in the United States and several other countries, but it deserves to be read widely; it is attached to the end of this issue of NewsBites.
************************************************************************* SANS NewsBites September 20, 2013 Volume: XV, Issue: 75 *************************************************************************
************************ Sponsored By Bit9 *******************************
Do you know what is running on the endpoints and servers in your enterprise? Do you know the trustworthiness of the files on your systems? If you do not know the answers to these questions, you may have already been targeted. Download this whitepaper to learn why everyone is a cyber attack target. http://www.sans.org/info/139770
***************************************************************************
TRAINING UPDATE
--Securing the Internet of Things Summit (October 17-22, 2013) San Francisco, CA The Internet of Things summit focuses on new solutions, demonstrates security technology that already works and provides a force multiplier to make the Internet of Things more secure. http://www.sans.org/event/internet-of-things-summit
--Health Care Cyber Security Summit (October 17-24, 2013) San Francisco, CA Meet leaders from the top health care organizations and see what really works in securing and succeeding in the new health care environment - balance security, compliance, and innovation. http://www.sans.org/event/healthcare-summit
--SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm. http://www.sans.org/event/network-security-2013
--SANS Seattle 2013 Seattle, WA October 7-14, 2013 8 courses. Bonus evening presentations include "So What?" The Most Important Question in Information Security; Why Our Defenses are Failing Us. One Click is All it Takes ...; and Sick Anti-Analysis Mechanisms in the Wild. http://www.sans.org/event/seattle-2013
--SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis. http://www.sans.org/event/baltimore-2013
--SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts. http://www.sans.org/event/forensics-prague-2013
RSA Warns Customers Not to Use Cryptographic Component with NSA Backdoor (September 19, 2013)
RSA Security has sent an advisory to some of its customers, urging them to stop using a cryptographic component that has been revealed to contain an NSA backdoor. Two of the company's products, the BSAFE toolkit and Data Protection Manager, use the specification, known as Dual_EC_DRBG, by default. RSA recommends that customers using the affected products switch to a different pseudorandom number generator (PRNG).
-http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/
[Editor's Note (Murray): When the RSA patents expired, the BSAFE library was RSA's stock-in-trade. It is the basis of hundreds of implementations. ("Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin." --John von Neumann) ]
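Why switching the PRNG is the only fix, as an added illustration that is not part of the NewsBites item or of RSA's code: Dual_EC_DRBG derives each output from two published curve points P and Q, and whoever chose those constants can know a scalar d with P = d*Q (a relationship first described publicly by Dan Shumow and Niels Ferguson in 2007). The toy below runs the generator on a constructed 14-bit curve with made-up constants, a made-up trapdoor value and a made-up seed; the real generator runs on NIST P-256 and discards 16 bits of each output, which this model omits. No statistical test on the output can reveal the trapdoor, which is why the remedy is to replace the generator rather than to test it.

```python
"""Toy model of the Dual_EC_DRBG trapdoor on a tiny curve.

Constructed example: the prime, curve, base point, trapdoor value and seed are
all made up for illustration; the real generator runs on NIST P-256 and drops
16 bits of each output, which this toy does not model.
"""

PRIME = 10007          # p % 4 == 3, so a modular square root is one exponentiation
A, B = 0, 7            # curve y^2 = x^3 + A*x + B over GF(PRIME)
INF = None             # point at infinity


def ec_add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return INF                       # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, PRIME) % PRIME
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    y3 = (lam * (x1 - x3) - y1) % PRIME
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def x_coord(pt):
    if pt is INF:
        raise ValueError("hit the point at infinity; choose another seed")
    return pt[0]


def lift_x(x):
    """Return the curve points with x-coordinate x (0, 1 or 2 of them)."""
    rhs = (x ** 3 + A * x + B) % PRIME
    if rhs == 0:
        return [(x, 0)]
    if pow(rhs, (PRIME - 1) // 2, PRIME) != 1:
        return []                        # not a quadratic residue
    y = pow(rhs, (PRIME + 1) // 4, PRIME)
    return [(x, y), (x, PRIME - y)]


def first_point():
    for x in range(1, PRIME):
        pts = lift_x(x)
        if pts:
            return pts[0]


# Published constants: everyone sees P and Q.  The trapdoor is that P = d*Q for
# a d known only to whoever chose the constants (constructed value here).
Q = first_point()
TRAPDOOR_D = 1234
P = ec_mul(TRAPDOOR_D, Q)


def dual_ec_outputs(seed, count):
    """Toy Dual_EC_DRBG: s_i = x(s_{i-1} * P), output r_i = x(s_i * Q)."""
    s, outputs = seed, []
    for _ in range(count):
        s = x_coord(ec_mul(s, P))
        outputs.append(x_coord(ec_mul(s, Q)))
    return outputs


def predict_next(r_i, d):
    """With d, one observed output r_i fixes the next internal state and so
    every later output; without d this would require solving the discrete log.
    """
    candidates = lift_x(r_i)             # R = s_i*Q, up to sign
    if not candidates:
        return None
    R = candidates[0]                    # sign is irrelevant: x(d*R) == x(-d*R)
    s_next = x_coord(ec_mul(d, R))       # d*(s_i*Q) = s_i*(d*Q) = s_i*P = s_{i+1}
    return x_coord(ec_mul(s_next, Q))    # r_{i+1}


if __name__ == "__main__":
    outs = dual_ec_outputs(4242, 6)
    for i in range(5):
        print(outs[i], "->", outs[i + 1], "predicted:", predict_next(outs[i], TRAPDOOR_D))
```

The design point a practitioner should take from this: a DRBG whose security rests on nobody knowing the relationship between two fixed constants is only as trustworthy as the party that generated those constants, and a generator built on a keyed primitive (HMAC-DRBG or CTR-DRBG, for example) has no such constant to be trapdoored.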
Brazil Wants to Reduce Dependence on US-Based Internet Services (September 18, 2013)
NSA Deploying Security Controls to Prevent More Leaks (September 18, 2013)
The NSA is taking steps to prevent more leaks like those conducted by former contractor Edward Snowden. The agency will digitally tag sensitive documents to limit access to specific analysts. The tags will also help NSA learn what people do with the data they access. NSA CTO Lonny Anderson said that what Snowden did could not be done today. Systems administrators and other people who have privileged access to NSA systems will no longer be able to act alone. The NSA is also limiting how employees store data on removable devices.
-http://arstechnica.com/security/2013/09/nsa-aims-to-plug-holes-that-sprang-snowden-leaks/
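The three controls named above (tag-based need-to-know on documents, an audit trail of what each person does with data, and a two-person rule for privileged operations, plus a block on removable media) are a standard least-privilege pattern. The following model is an added example, not the NSA's implementation and not described on the page in this detail; the tag names, principals and operations are constructed for illustration.

```python
"""Toy model of tag-based document access with a two-person rule and audit
trail.  Constructed example: the tags, names and operations are made up;
nothing here reflects the NSA's actual implementation.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Document:
    doc_id: str
    tags: frozenset            # every tag must be held by a reader


@dataclass(frozen=True)
class Principal:
    name: str
    cleared_tags: frozenset    # tags this person is cleared for
    privileged: bool = False   # administrator-style access


@dataclass
class AccessControl:
    audit: list = field(default_factory=list)   # (who, action, target, decision)

    def _record(self, who, action, target, decision):
        # Every decision, allowed or denied, is written to the trail.
        self.audit.append((who, action, target, decision))
        return decision == "ALLOW"

    def read(self, who: Principal, doc: Document) -> bool:
        """Need-to-know: the reader must hold every tag on the document."""
        decision = "ALLOW" if doc.tags <= who.cleared_tags else "DENY"
        return self._record(who.name, "read", doc.doc_id, decision)

    def export_removable(self, who: Principal, doc: Document) -> bool:
        """Removable-media export is refused outright and still logged."""
        return self._record(who.name, "export-removable", doc.doc_id, "DENY")

    def privileged_op(self, actor: Principal, approver: Principal, op: str) -> bool:
        """Two-person rule: two distinct privileged people must both be present."""
        ok = actor.privileged and approver.privileged and actor.name != approver.name
        return self._record(actor.name, op, f"approved-by:{approver.name}",
                            "ALLOW" if ok else "DENY")

    def activity(self, name: str):
        """What one person did with data, reconstructed from the audit trail."""
        return [(a, t, d) for who, a, t, d in self.audit if who == name]


if __name__ == "__main__":
    ac = AccessControl()
    doc = Document("D1", frozenset({"SIGINT", "PROJECT-X"}))
    alice = Principal("alice", frozenset({"SIGINT", "PROJECT-X"}))
    bob = Principal("bob", frozenset({"SIGINT"}))          # missing PROJECT-X
    sa1 = Principal("sa1", frozenset(), privileged=True)
    sa2 = Principal("sa2", frozenset(), privileged=True)
    print("alice reads D1:", ac.read(alice, doc))           # True
    print("bob reads D1:", ac.read(bob, doc))               # False
    print("sa1 alone:", ac.privileged_op(sa1, sa1, "bulk-copy"))   # False
    print("sa1 + sa2:", ac.privileged_op(sa1, sa2, "bulk-copy"))   # True
    print("export:", ac.export_removable(alice, doc))       # False
    print("bob's activity:", ac.activity("bob"))
```

Two details matter in practice: the read check requires the subset relation (all tags), so adding a compartment tag to a document narrows its audience rather than widening it, and denials are logged as carefully as grants, because a pattern of denied reads across many compartments is itself a detection signal.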
*************************** Sponsored Links: ****************************** 1) Automate the Top SANS Critical Security Controls - Get Started: http://www.sans.org/info/139775
2) SANS is pleased to offer the DHS Continuous Diagnostics & Mitigation (CDM) Award Workshop as a key opportunity to provide education on this program. Wednesday, November 6, 2013. http://www.sans.org/info/139780
Report Says It's Too Soon to Professionalize Cybersecurity (September 18, 2013)
According to a recent report from the National Research Council of the National Academy of Sciences, it is too soon to introduce professionalization standards into the discipline of cybersecurity. According to a member of the committee that produced the report, professionalization may improve the quality of the people entering the profession, but it also prevents others from entering. The report, which was commissioned by the Department of Homeland Security (DHS), observes that because jobs in the discipline of cybersecurity are so diverse, professionalization requires careful analysis and must consider the particulars of each job. Professionalization should move forward when these two criteria are met: stable knowledge and skills requirements, and credible evidence of deficiencies in the workforce's skills.
-http://www.nextgov.com/cybersecurity/2013/09/cybersecurity-field-not-ready-be-professionalized-study-finds/70488/?oref=ng-channeltopstory
[Editor's Note (Honan): Another reason to consider professionalization in our industry is the area of accountability. Today it is too easy for anyone to claim to be a cybersecurity expert, and there is no real mechanism for them to be challenged on their claims or censured should they bring the industry into disrepute. ]
Iowa State University Cybersecurity Competition (September 17, 2013)
On Saturday, September 21, Iowa State University (ISU) will run its annual Cyber Defense Competition. More than 200 students are expected to participate in the event, which began in 2005. The competitions are conducted through ISEAGE, the Internet-Scale Attack and Event Generation Environment, which was developed at ISU. Teams of four to eight students from all disciplines and at all levels will defend their networks against attacks launched by a team of ISU industry partner professionals and graduate students. -http://www.news.iastate.edu/news/2013/09/17/cyberdefense13
MPAA Says Search Engines Should Do More to Prevent Piracy (September 18, 2013)
On earlier occasions I have noted the unique paradox of America. With the tragic exception of African Americans who were brought here as slaves and Native Americans who were living here for centuries before the Europeans arrived, most citizens trace their lineage to individuals who shared one common characteristic: they wanted to leave their native lands. To be sure, many of them saw no economic future back home and left for a better life. But also many of them left because the deck was stacked against them socially. They didn't come from privileged circumstances and many of them were escaping from pogroms and enforced service in the military.
So Americans have a unique perspective about their government. On the one hand, they want the government to protect them. On the other hand, they want to be protected from the government. We created a government system here that is constrained by laws, procedures, and custom.
All of this is now coming to a head on the question of cyber surveillance. A young man named Snowden betrayed his country by stealing vast quantities of classified information and fled the country, masquerading as a whistleblower patriot. (Okay, I got that out of my system.) These disclosures in the press have triggered a major cyclical change in America. After 9/11, the overwhelming demand by citizens was for the government to protect them from terrorism. Now it appears that the cycle has shifted and many Americans fear intrusion by the government in their private lives.
The Right and the Left are joining forces on this. The Left is always skeptical about American police powers. The Right is energized by the allegation that the Internal Revenue Service was targeting conservative organizations that sought tax-exempt status. They blame the Obama Administration for using the IRS to pursue political agendas. And the rising "tea party" caucus in Republican ranks shares the Left's skepticism of police powers more generally. So both Left and Right are energized on the domestic intelligence surveillance issue and are targeting the National Security Agency as a rogue operation violating the rights of ordinary citizens.
I used to serve as a member of the Advisory Committee to the National Security Agency. So some people will obviously consider me biased. But honestly, these wild claims against NSA are simply untrue. Amazon, Facebook, VISA, American Express and Wal-Mart know a hell of a lot more about me and you than NSA does. These organizations (and business in general) collect vast quantities of information to try to understand their customers. Their knowledge is deep and intimate in its details. NSA isn't allowed to pursue any of this without a court order, and that is granted only after independent judges have determined there is tangible evidence that a citizen is connected to criminal or terrorist activities.
This is ironic, but it is also understandable. Amazon can give me a discount, but they can't put me in jail. The Government can, so we do want serious constraints on our government.
But we also want our Government to protect us. NSA has been the indispensable element of our overall system to detect and stop terrorist incidents, either here in the US or overseas. We shouldn't damage our most essential tool because we are running scared by staged press leaks by a traitor.
I know a lot about NSA's procedures and systems. I am personally confident that they are VERY careful to protect the privacy of citizens. But we do have a crisis.
Democracies, by definition, must conduct their most fundamental public debates in the open. But governments do have matters that they must undertake in secret. How do we reconcile this inherent tension?
Thirty-five years ago we faced a similar crisis and developed a good system. We established the FISA Court system, a special judicial process mandated by the Foreign Intelligence Surveillance Act (FISA) in 1978. If NSA wants to listen in on the conversations of American citizens (or anyone living in America, even if they are not a citizen, or an American citizen living overseas), they must get authorization from this independent court.
There is a fundamental flaw in the design of FISA, however. When the Supreme Court renders an opinion, it explains its reasoning in a public document. That process of public explanation of its decisions fundamentally establishes the legitimacy of the Court. The FISA court system does not publish the reasoning for its decisions. (Recently one judge did release a fine summary of her thinking in a case. This is a first.)
As a substitute, we rely on the respective intelligence committees of the House of Representatives and the Senate. These Committees represent you and me in a process of oversight of the intelligence community and the FISA court. They are the essential link that ties the democratic need for public debate to the government's legitimate need for secrecy.
Sadly, these committees descended into partisan skirmishing through the Bush Administration and into the first term of the Obama Administration, badly damaging their authority and focus. We need these institutions to return to their historic norm of thoughtful, bipartisan cooperation. The current committee leaders are strong and attuned to the need for bipartisan cooperation. The question is whether the rank and file representatives and senators will let the committees function honorably and collaboratively on a bipartisan basis.
Ultimately the crisis facing us with NSA is a crisis of legitimacy of the institutions we picked to oversee the intelligence community. NSA is doing important and honorable work, but it needs oversight scrutiny, and we need to strengthen the two sets of institutions that do that for all of us average citizens. It is the only way to ensure our government is effective in protecting us, and that we are protected from abuse by the government.
************************************************************************ The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/