Attacks and defenses in nuclear and other power sites are the focus of the top two stories this week. John Pescatore's description of the misallocation of U.S. Energy Department (DoE) cybersecurity funding illuminates a key cause of the continuing weakness - that too many people in the energy sector are beguiled by "shiny new tools" rather than knowing how to implement the low-cost security controls that stop nearly all common attacks. That news story does not mention the good news, which is DOE's groundbreaking work with the Council on Cybersecurity in cyber workforce skills, and its catalytic contribution to the most promising response to the skills challenge: the GICSP. Under the leadership of an international consortium of Shell, BP, Pacific Gas & Electric, ABB, Emerson Process Management, Schneider Electric, Invensys, Rockwell Automation and Yokogawa, the European Commission's Joint Research Centre, KPMG, and several others, a new skills certification will be required for cybersecurity professionals in companies using, building, or consulting on security for industrial control systems. Global Industrial Cyber Security Professional (GICSP) certification testing will begin in eight weeks (November 22). http://www.infosecurity-magazine.com/view/34638/industry-launches-global-certification-effort-targeting-critical-infrastructure-/
************************ Sponsored By Bit9 *******************************
Top Lessons Learned From Real Attacks. This whitepaper details lessons learned about cyber attacks from extensive interviews with security analysts. One common thread that emerged was the difficulty of preventing the delivery of APT malware to systems and quickly detecting the attack once the malware was active. Learn More: http://www.sans.org/info/139870
***************************************************************************

TRAINING UPDATE
- --Securing the Internet of Things Summit (October 17-22, 2013) San Francisco, CA The Internet of Things summit focuses on new solutions, demonstrates security technology that already works and provides a force multiplier to make the Internet of Things more secure. http://www.sans.org/event/internet-of-things-summit
- --Health Care Cyber Security Summit (October 17-24, 2013) San Francisco, CA Meet leaders from the top health care organizations and see what really works in securing and succeeding in the new health care environment - balance security, compliance, and innovation. http://www.sans.org/event/healthcare-summit
- --SANS Seattle 2013 Seattle, WA October 7-14, 2013 8 courses. Bonus evening presentations include "So What?" The Most Important Question in Information Security; Why Our Defenses are Failing Us. One Click is All it Takes ...; and Sick Anti-Analysis Mechanisms in the Wild. http://www.sans.org/event/seattle-2013
- --SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis. http://www.sans.org/event/baltimore-2013
- --SANS Chicago 2013 Chicago, IL October 28-November 2, 2013 7 courses. Bonus evening presentations include SANS 8 Mobile Device Security Steps; and Privileged Domain Account Protection: How to Limit Credentials Exposure. http://www.sans.org/event/chicago-2013
- --SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts. http://www.sans.org/event/forensics-prague-2013
- --SANS London 2013 London, UK November 16-25, 2013 17 courses. Bonus evening presentations include Real World Risk - What Incident Responders Can Leverage From IT Operations; Information Assurance Metrics: Practical Steps to Measurement; and APT: It Is Time To Act. http://www.sans.org/event/london-2013
US Dept. of Energy Spending $30 Million on Critical Infrastructure Security (September 20 & 23, 2013)
The US Department of Energy has awarded US $30 million to 11 vendors for projects aimed at protecting the country's power grid and oil and gas infrastructure from cyberattacks. Currently, all measures to harden these networks are voluntary. A report drawn from a survey sent by US legislators to utility companies earlier this year showed that at some organizations, cyberattacks are constant or frequent. The survey garnered 112 responses, and many of the organizations evaded direct answers to questions about damages from cyberattacks or the number of attacks detected. -http://www.computerworld.com/s/article/9242544/Energy_Department_spends_30M_to_bolster_utility_cybersecurity_tools?taxonomyId=17 -http://www.informationweek.com/government/security/energy-dept-invests-30-million-in-utilit/240161651 [Editor's Note (Pescatore): These awards, and $20M in funding the DoE announced in February 2013, seem to largely be in areas where wide choices of commercial off the shelf security products and services already exist. I think I'd rather see $50M go directly to security managers at the critical infrastructure operators to close known vulnerabilities using known proven solutions, a la the Critical Security Controls. (Assante): Research and development projects to enhance energy control system security are encouraging, but they fall short of demonstrating workable solutions that are attractive enough to warrant investment for broad scale deployment. What are the most urgent and prioritized challenges and where do we focus our collective efforts? Answers to these questions could fuel a multi-year program from design to demonstration. ]
Unpatched IE Flaw Exploited in Attacks on Japanese Websites (September 23, 2013) Attackers have exploited an unpatched vulnerability
*************************** Sponsored Links: ****************************** 1) Meet the challenges of Continuous Diagnostics & Mitigation (CDM). Get real-time discovery and assessment of all network endpoints. Download the tech note: ForeScout CounterACT Continuous Diagnostics & Mitigation. http://www.sans.org/info/139875
2) What Works in Advanced Threat Protection: Blocking Complex Malware Threats at Boston Financial, Featuring John Pescatore and Mike Rizzo. Wednesday, September 25 at 1:00 PM EDT. http://www.sans.org/info/139880
3) Securing the Internet of Things Summit (October 17-22, 2013) San Francisco, CA. The Internet of Things summit focuses on new solutions, demonstrates security technology that already works and provides a force multiplier to make the Internet of Things more secure. http://www.sans.org/info/139885
*****************************************************************************
THE REST OF THE WEEK'S NEWS
Spain Approves More Stringent Anti-Piracy Law (September 20, 2013)
Grace Period Ends for Updated HIPAA Rule Compliance (September 23, 2013)
As of September 23, 2013, US organizations that handle protected health information must abide by updated Health Insurance Portability and Accountability Act (HIPAA) rules. The changes were established in 2009 and took effect in March 2013, but organizations were given a six-month grace period that ended this week. Among the new rules are a requirement that business associates of organizations covered by HIPAA must be in compliance with the rules' security and privacy measures, and new restrictions on covered entities' marketing and sale of personal health information. -http://www.scmagazine.com/compliance-deadline-on-hipaa-rules-brings-expanded-responsibilities-for-third-parties-handling-data/article/313079/
MPAA, RIAA Help Draft Anti-Piracy Curriculum for Use in California Schools (September 23, 2013)
The Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), and several major US ISPs plan to pilot an anti-piracy program in California's elementary schools. The curricula, which are adapted for each age level from kindergarten through sixth grade, were created by the California School Library Association and the Internet Keep Safe Coalition working with the Center for Copyright Infringement, which counts executives from MPAA, RIAA, and several large telecommunications firms among its board members. A draft of the program suggests that using other people's works without permission is worse than copying someone's answers on a test. Those helping to develop the curriculum stress that it is still in draft form. -http://www.wired.com/threatlevel/2013/09/mpaa-school-propaganda/
Some Arrested in Barclays Heist Linked to Attempted Theft from Santander Bank (September 20 & 23, 2013)
20 Percent of Cybersecurity Positions at DHS Directorate Remain Unfilled (September 20, 2013)
According to the US Government Accountability Office (GAO), the Department of Homeland Security's (DHS's) National Protection and Programs Directorate's Office of Cybersecurity and Communications has a vacancy rate of more than 20 percent. Part of the reason for this is the lag time created by obtaining necessary security clearances for personnel. DHS officials also cite low pay compared to private sector salaries, and the fact that there are no clearly defined skill sets for cybersecurity positions. -http://www.govinfosecurity.com/dhss-huge-cybersecurity-skills-shortage-a-6080 [Editor's Note (Murray): The clearance is a "Catch 22." One cannot qualify for the job without it and cannot get it without the job. It is expensive and someone must pay. Government contractors make it their stock-in-trade. Moreover, it is an inefficient substitute for supervision. (Shpantzer): A note on the clearance issue, from someone with experience in the matter. This is hardly a unique experience: -http://www.washingtonpost.com/opinions/the-wrong-way-to-conduct-security-clearances/2013/02/20/2d0d1e2c-7554-11e2-aa12-e6cf1d31106b_story.html]
California Governor Approves Online "Eraser Button" (September 23, 2013)
California Governor Jerry Brown has signed a bill that requires apps, websites, and online services that target minors to offer an "eraser button." The feature will allow young people to request removal of information that might have negative effects on their chances of getting into schools or gaining employment. The feature must be in place by January 2015. The button does not allow people to request the removal of content others have posted, nor does it require that the content be deleted from sites' servers. -http://news.cnet.com/8301-1009_3-57604301-83/california-gives-teens-an-eraser-button-to-hide-online-skeletons/ [Editor's Note (Murray): However well intentioned, implementation of this law is likely to require magic. (Pescatore): I guess there is long precedence for youthful law offenders having their convictions expunged from legal records if they have no additional offenses. But, even though the scope is limited and some terms are optional, this seems like an enormous unfunded mandate on every business judged to be "geared towards minors." (Ullrich): This feature was by far the top request in a recent privacy study (see -http://www.theheartlandvoice.com/wp-content/uploads/2013/06/HeartlandMonitorPoll.pdf). However, it goes very much against everything you learn if you are managing an information system (Backups, disaster recovery...). This will be very hard to implement in many cases. ]
The FBI's Internet Crime Complaint Center (IC3) has issued a warning about a botnet called Beta Bot that is capable of disabling antivirus software and blocking access to security websites. Beta Bot steals login credentials and financial information from financial institutions, online shopping sites and payment platforms, and social networking sites. It spreads by pretending to be a message from Microsoft Windows seeking permission to let the "Windows Command Processor" modify the user's computer settings. Beta Bot has also spread through USB drives and Skype. -http://www.v3.co.uk/v3-uk/news/2295970/fbi-warns-of-bank-robbing-beta-bot-malware-that-disables-antivirus
Cyberespionage Campaign Focused on Drone Technology (September 20, 2013)
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/