********************** Sponsored By EiQnetworks ************************ Free Cyber Defense Readiness Assessment - Does your network have what it takes to thwart cyber villains? Find out: Am I following best practices for securing my network? What security gaps currently exist in my network and how can I resolve? Is my network under attack? How can I prevent a breach? Get Started at No Cost to You: http://www.sans.org/info/143017 *************************************************************************** TRAINING UPDATE
- --South Florida 2013 Ft. Lauderdale, IL November 4-9, 2013 5 courses. Bonus evening presentations include The Security Impact of IPv6; Evolving Threats; and Real-World Risk - What Incident Responders Can leverage from IT Operations. http://www.sans.org/event/south-florida-2013
- --SANS Cyber Defense Initiative Washington, DC December 12-19, 2013 31 courses. Bonus evening presentations include Have No Fear - DFIR is Here!; New School Forensics: Latest Tools and Techniques in Memory Analysis; and a Special Event: NetWars Tournament of Champions. http://www.sans.org/event/cyber-defense-initiative-2013
- --SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security. http://www.sans.org/event/security-east-2014
- --SANS Sydney 2013 Sydney, Australia November 11-23, 2013 6 courses. Bonus evening presentations include Advanced Exploit Writing: Use-After-Free Vulnerabilities. http://www.sans.org/event/sydney-2013
- --SANS London 2013 London, UK November 16-25, 2013 17 courses. Bonus evening presentations include Real World Risk - What Incident Responders Can Leverage From IT Operations; Information Assurance Metrics: Practical Steps to Measurement; and APT: It Is Time To Act. http://www.sans.org/event/london-2013
Plus San Diego, Muscat, San Antonio, and Dubai all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org *****************************************************************************
TOP OF THE NEWS
Google to Limit Windows Chrome Extensions to Those From Chrome Web Store (November 7, 2013)
Starting in January 2014, Users of Chrome on Windows will be permitted to install extensions only from The Chrome Web Store. Currently, users are asked if they want to install extensions when they originate outside of the Chrome store, but attackers have found methods to bypass that warning mechanism. -http://news.cnet.com/8301-1009_3-57611380-83/google-to-ban-external-sources-for- windows-chrome-extensions/ [Editor's Note (Pescatore): Google has slowly been making the Android and Google Play App Store look much more like the Apple App Store as far as getting the App Store mechanism in between Android users and applications. The iPhone/iPad experience has shown this form of whitelisting software is a tremendous advance in security - and the users love it. So, Google extending this approach to browser plug-ins is a really, really good thing. I'd like to see competition between these white lists (and others) on the % of malicious/privacy threatening apps that get in but then get revoked/removed, in addition to their current competition on total number of apps. That would require some transparency - which one of them will step up first to provide such data? ]
FBI Adds Five to Most Wanted List of Cybercriminals (November 6 & 7, 2013)
DHS Inspector General Warns Over Lack of Effective Warning System for Cyber Events (November 5, 2013)
According to an October 24 report from the US Department of Homeland Security (DHS) Office of the Inspector General (OIG), the US government lacks a digital warning system for cyber incidents; there is no means of sharing alerts about computer breaches between agencies or with private industry. There is a system to distribute event reports and another for distributing response information, but the two are not connected. The IG's report makes seven recommendations, including acquiring or developing tools and technologies that can link situational awareness products to cyber incidents. -http://www.nextgov.com/cybersecurity/2013/11/ig-government-has-no-digital-cyber- warning-system/73199/?oref=ng-channelriver -http://www.oig.dhs.gov/assets/Mgmt/2014/OIG_14-02_Oct13.pdf [Editor's comment (Northcutt): It freaks me out that the conversations that we were having in 1997 are still being repeated with the exact same words in 2013. Some how, we need to move forward.]
************************ Sponsored Links: ******************************** 1) Analylst Webcast: Automation and Critical Security Controls 1-7: EIQ SecureVue Tuesday, November 12 at 1:00 PM EST Featuring Jerry Shenk and Brian Mehlman. http://www.sans.org/info/143022
2) Tool Talk Webcast: 2014 Security Predictions. Tuesday, November 19 at 1:00 PM EST featuring Bob Hansmann. Come prepared to be armed with new insights on how the threat landscape will shift in the coming year, along with ideas on how to improve your security posture and stay ahead of threats. http://www.sans.org/info/143027
3) Smart Buildings, Cars and Medical Devices! The Internet of Things Survey is Calling You To Take It - and enter to win an iPad. http://www.sans.org/info/143032 *****************************************************************************
THE REST OF THE WEEK'S NEWS
Zero-Day Office Flaw Will Not Be Included in Microsoft's November Patch Tuesday (November 7, 2013)
Bitcoin Wallet Service Loses US $1.2 Million in Attack (November 7, 2013)
TradeFortress has closed the bitcoin web wallet service Inputs.io after attackers exploited a flaw to steal US $1.2 million in bitcoins. The attacks occurred on October 23. According to a statement from TradeFortress, "the attacker compromised the hosting account through compromising email addresses." TradeFortress also said that he would recommend storing bitcoins only on computers not connected to the Internet. -http://www.coindesk.com/hackers-steal-bitcoins-inputs-io-wallet-service/ [Editor's Note (Murray): Today everything is connected to the Internet almost by default. That said, in a world of cheap computers, one need not do one's banking on the same system that one uses for browsing and e-mail. (Shpantzer): As with traditional online banking, if the endpoint is properly compromised, hope is all but lost. Unlike FDIC insured consumer accounts and personal account contractual agreements with the banks, I don't know how the bitcoin economy is planning on reimbursements for loss, if at all. ]
Google Engineers Angry Over NSA and GCHQ Snooping (November 6 & 7, 2013)
Google has begun encrypting traffic between its data centers after leaked documents indicated that the NSA and GCHQ had been targeting the fiber-optic networks that transmit data between Google data centers in a data harvesting operation dubbed MUSCULAR. (For the record, the operation also snooped on traffic between Yahoo data centers.) The traffic was not encrypted before because it was considered internal to the company. Google executive chairman Schmidt was vocal about his feelings regarding the situation, calling the operation "outrageous" and "perhaps illegal." Google engineers have also vociferously expressed their anger about the situation. -http://arstechnica.com/information-technology/2013/11/googlers-say-f-you-to-nsa- company-encrypts-internal-network/ -http://www.zdnet.com/google-engineers-rage-at-nsa-7000022874/ -http://www.theregister.co.uk/2013/11/07/google_engineers_slam_nsa/ [Editor's Note (Pescatore): Google's engineers didn't do much of a risk analysis here. There has always been a risk of governments tapping into fiber optic networks. After the terrorist attacks of 2001, many businesses moved their backup data center's further away from the main data center and looked at the risk of compromise of the fiber runs between the data center. Government interception (by US, China, others) was a known risk as early as 2000, with much public validation by 2003, and I believe that in around 2005 SANS published a white paper on how much easier it had become. Businesses that decided they did not want to risk any eavesdropping on fiber put high speed encryptors on those links, which appears what Google has now belatedly decided to do. (Honan): If you are not fully in control of a system or its network then you should not consider it "internal to the company". Indeed, depending on the sensitivity of the data being transmitted on your network, serious consideration should be given to encrypting it to mitigate the insider threat. ]
Cybersecurity Not Yet Central Issue in Political Campaigns (November 5, 2013)
Although cybersecurity has not yet become a central campaign issue in US politics, that is likely to "change as more elected officials begin to roll out their own cybersecurity initiatives at the local level," according to a blog post from Dominic Basulto in The Washington Post. While voters may not seem to care about the issue as much as they care about the economy or employment, cybersecurity is actually both an economic issue and an employment issue. Unfortunately, the issue is not likely to rise to the top of the heap of concerns unless the country experiences a major cyber attack. -http://www.washingtonpost.com/blogs/innovations/wp/2013/11/05/when-will-cybersec urity-become-a-major-campaign-issue/ [Editor's Note (Pescatore): It will be unfortunate when cybersecurity *does* become a central issue in political campaigns. Anyone waiting for that to improve cybersecurity at their company or government agency is simply looking for excuses to avoid actually improving security right now. ]
The Council on CyberSecurity (CCS) identified 10 roles in cybersecurity that employers are saying are critical to their security and are difficult jobs to fill. They asked SANS NewsBites readers to tell them if the selection and descriptions are correct and whether any major jobs are equally critical where the skills are in such short supply. Please respond to CCSskillssurvey@sans.org with your comments. Please include the organization you work for and your roll.
What makes these jobs mission critical? Each of the ten mission critical cybersecurity jobs highlighted below require technical and analytic skills well beyond those found in typical social engineering approaches to cybersecurity or in security regimes that rely principally on running vulnerability testing or packaged exploit tools. Indeed, the advanced practitioner will demonstrate not only mastery of the technical knowledge and skills necessary to protect systems and networks, they will also be able to anticipate and counter sophisticated adversarial strategies. By identifying from among these positions those most important to protecting their specific networks and systems, enterprises will be able to direct scarce human resource dollars to their highest priority critical needs. Moreover, by committing to maintain competency for these professionals, enterprises will realize a valuable skill development program for their entire cybersecurity workforce.
* System and Network Penetration Tester. This mission critical cybsersecurity position requires a demonstrated ability to devise, analyze, and systematically assess the ability of systems and networks to withstand sophisticated adversaries (i.e., adversaries who have not only advanced technical skills, but also knowledge of the architecture and systems they are targeting.) Competence here is demonstrated through an advanced ability to conduct sophisticated, methodical, comprehensive technical testing of configurations, pathways, and interactions between systems that mimic the techniques employed by advanced adversaries. Mastery is demonstrated by using knowledge of advanced attack strategies to devise superior processes for security monitoring, event analysis, security architecture and engineering to defeat these strategies - whether mounted by external adversaries or insiders - which might otherwise result in data exfiltration or captured command and control of internal systems and processes.
* Application Penetration Tester. This position requires the demonstrated technical abilities necessary to conduct operational testing of applications before initial deployment and as they are subsequently updated. Competence is assessed on the ability to identify the program avenues most riddled with flaws and holes that give malicious actors access to important content or systems. Applications from the web are particularly vulnerable to malicious exploitation, frequently infecting visitors' computers with troublesome viruses and other malware that can create access pathways for data exfiltration or worse. Mastery here includes the knowing how to find and exploit an application vulnerability, a skill which, in turn, allows for better code reviews, forensics analysis, threat analysis, and incident response.
* Security Monitoring and Event Analyst. Competency here includes the dual abilities to identify indicators that a malicious incident has occurred and to initiate swift, appropriate, and comprehensive responses. Because savvy adversaries can construct attacks to mimic old, impotent attack vectors and create easy ways to bypass defenses, mastery here includes the ability to differentiate between incidents that represent impotent attacks from those that must be analyzed in-depth and deflected or defeated by effective and timely incident response.
* Incident Responder In-Depth. This mission critical cybersecurity position requires the ability to deploy and manipulate active measures to contain incidents - including isolation, characterization, reverse engineering, and rapid and accurate assessment of the capability and activity of malicious software that has been found on agency systems. It also includes the ability to correctly identify intruder introduced local changes, suspect interactions, and targets that have been triggered to evoke malicious behaviors, as well as the ability to develop and rapidly deploy eradication tools. While less than ten percent of all malicious software must be subject to this deep analysis, these payloads are the most dangerous. Malicious software left undetected is able to burrow deeply, maintain control, and spread through agency systems, as well as leave back doors for unauthorized access at will. Undetected attacker "free time" on the network equates to freedom of malicious movement and action, including malicious behavior by insiders. Moreover, attackers can reuse tactics and tools to re-attack or maintain control over systems for long periods, taking and changing data at will. Thus, mastery of skills in this competency must reflect a deep understanding of attackers and their tools to enable the professional to thwart attempts to undercut the defensive efforts.
* Counter-Intelligence/Insider Threat Analyst. Competency here will reflect deep and current knowledge of the attack surface, its most vulnerable and high value targets, and how its technical vulnerabilities may be exploited. The advanced professional will also have the skills necessary to program custom tools to detect local changes, identify suspect interactions, and watch for and respond to intrusions and exploits - reflecting up-to-the-minute situational awareness on what malicious actors are using and targeting. Because well-embedded adversaries often become privy to instructions and can work to stay a step ahead of observed defender actions, mastery in this competency will devise techniques to prevent the targeted installation of malicious software or use of techniques able to evade defenses without being spotted. Of course, to address the most advanced, persistent threats, teams of professionals must be assembled with first-rate skills to understand attackers' motivations, languages, organization, and social behaviors. With this knowledge, threat actors can be arrayed logically to create effective "cyber" profiles of malicious actors, groups and campaigns - information that would not only help enterprises become more affirmatively and effectively active on their own behalf in security posture and defense, but also inform the broader cybersecurity ecosystem of important developments in the threat landscape.
* Risk Assessment Engineer. Competency here will reflect the ability to develop real time estimates of the risks associated with deploying new technologies against existing and newly discovered threats, enabling businesses and agencies to assess the resources needed to respond effectively in a prioritized way. Mastery requires significant hands-on technical expertise to assess how the threats will manifest and how to prioritize the deployment and operation of effective defenses.
* Secure Coder and Code Reviewer. This professional is able to write code free of known coding flaws and weak design approaches. Competency includes the ability to check software under operating conditions in order to find and fix flaws such as maliciously introduced additions, modifications, or deletions of legitimate code. The most proficient coders possess the cognitive capacity and demonstrated ability to discover security vulnerabilities in programs while under real world operational time, quality, and cost pressures.
* Security Engineer/Architecture and Design. When security is not designed in, systems and networks remain chronically vulnerable to intrusions and other malicious acts. Thus, competency here requires knowledge and skills necessary to distinguish authentic and relevant security attributes from superficial and transient approaches. It also requires the ability to maintain up-to-the-minute currency on attack techniques being used by adversaries against any of the components being engineered into new or updated systems. Experts can use their technical knowledge of current attacks to identify flaws and weaknesses in the composition and design of networks, remote access schemes, systems and applications to specify solutions, verify the solutions that have been implemented, and rapidly adjust designs based on new threat and attack information as it is acquired.
* Security Engineer/Operations. The most common forms of targeted intrusions easily penetrate network and system defenses because measures for basic cybersecurity hygiene have not been put in place. Cybersecurity engineers must understand how to install and maintain such basic hygiene measures as configuration and application whitelisting, sensors for continuous diagnostics and monitoring, and real time patching of systems and applications. Mastery here includes the ability to implement and configure host and network firewalls, logging, and IPS/IDS at the highest appropriate level of security, as well as the skills to implement automated monitoring of configuration, patching, AV status, administrative rights, application white listing, and other security measures in order to give system and network administrators real time task lists not only to maintain the highest possible level of security, but also to ensure that those actions and tasks are being performed correctly and in a timely manner.
* Advanced Forensics Analyst. In investigating intrusions or other malicious activity (including those which may constitute crimes or potential crimes), the advanced forensics analyst must perform many of the tasks of the incident responder in depth - with special emphasis on reverse engineering (in law enforcement, this will also include the added requirement of establishing evidence that will stand up in court). Competency here will include the clear ability to determine precisely which programs have been executed, find files that have been changed by an intruder (on disk and in memory), use time stamps to develop authoritative timelines of actions taken by intruders, find evidence of deleted files, and identify key information in browser histories, account usage, and USB usage. Mastery in this area will include the advanced ability to find unknown malware hidden in systems, also known as persistent presence.
************************************************************************ The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based i Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/