*********************** Sponsored By Symantec *************************
Gartner 2014 Magic Quadrant for Endpoint Protection Platforms - Complimentary Copy. Symantec Endpoint Protection 12.1 was, once again, positioned as a Leader in Gartner's Magic Quadrant and rated highest in the ability to execute. Read the report to learn about the Endpoint Protection landscape, growth drivers and challenges, and where vendors are positioned. http://www.sans.org/info/151455
***************************************************************************
TRAINING UPDATE
--SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned. http://www.sans.org/event/cyber-guardian-2014
-- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses. http://www.sans.org/event/north-american-ics-scada-summit-2014
-- SANS Northern Virginia Reston, VA March 17-22, 2014 11 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous Monitoring; and Real-World Risk - What Incident Responders Can Leverage from IT Operations. http://www.sans.org/event/northern-virginia-2014
-- SANS 2014 Orlando, FL April 5-14, 2014 42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures. Active Defense, or Whatever You Wanna Call It. http://www.sans.org/event/sans-2014
--SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations include Incident Response and Forensics in the Cloud. http://www.sans.org/event/singapore-2014
--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
Cybersecurity Framework to be Released On February 13 (February 8, 2014)
The US Government's Cybersecurity Framework, scheduled to be released on February 13, does not mandate security measures for companies operating portions of the country's critical infrastructure, but instead aims to provide possible guidance that the companies may use to develop their information security programs. The framework is intended for voluntary, not mandated use.
-http://www.govinfosecurity.com/on-deck-cybersecurity-framework-a-6488
[Editor's Note (Murray): If the problem were that we do not know "what" to do, or "how" to do it, then this approach might be more useful. In fact, the problem is that we know what to do but not how "much" to do, i.e., when we have done enough. In order not to be prescriptive (or accountable), and because risk tolerance varies by enterprise, this work does not address determining, achieving, or maintaining an "acceptable level of risk."
(Paller): In other words, the federal Framework effort wasted more than a year. The federal bureaucracy, led by OMB, will now defend their paper effort, and will not take active steps to protect the critical infrastructure. ]
North Carolina Law Firm Loses "All Documents" to Cryptolocker (February 10, 2014)
A law firm in North Carolina has reported losing all of its legal documents to the Cryptolocker ransomware, even though the company tried to pay the US $300 ransom. Because the firm's IT staff attempted to decrypt the files, by the time the decision was made to pay the ransom, the three-day ransom deadline period had expired.
-http://www.computerworlduk.com/news/security/3501150/cryptolocker-scambles-us-law-firms-entire-cache-of-legal-files/
[Editor's Note (Northcutt): In Management 512, Security Leadership Essentials, we discuss this scenario, which seems to polarize people. Some say the only right course of action is to call the FBI. Others say, pay the ransom and stay in business. Most students prefer not to say anything at all. As we close out the discussion, what I tell the class is, whatever course you pick, make your choice when you are not under the pressure of a deadline. I strongly suggest that NewsBites readers open a discussion with management. While Cryptolocker is less than a year old, ransomware has been around a long time. If you find your mind telling you, "this can't happen to us", you could well be wrong. This law firm is not the only victim:
-https://www.us-cert.gov/ncas/alerts/TA13-309A
-http://www.connectamarillo.com/news/story.aspx?id=1005134
-http://www.snopes.com/computer/virus/cryptolocker.asp
(Pescatore): The obvious lessons are Critical Security Controls 8 (Data Recovery/backup) and 5 (Malware Defenses). The business decision to pay the ransom usually does not make good business sense in the long run - there is ample evidence that paying off once increases the likelihood you are targeted again. But, it *is* a business decision - if the IT and IT security program isn't prepared to recover from incidents like this, management looks at this as "outsourcing" data recovery... of course, to the "outsourcer" that caused the problem in the first place.
(Murray): In order to use encryption to deny one the use of one's own data, an attacker has to have "write" access to the data and there must be no backup. One of the things that computers do best is make cheap, dense, portable (backup) copies of data.
(Shpantzer): Law firms have a duty to protect their clients that may be actionable by the state bar association. This is news to many law firms who operate with one 'IT guy' and no dedicated security resources, while accumulating highly sensitive personal and corporate information. ]
************************** Sponsored Links: ******************************
1) Can you keep your XP systems compliant and secure after end of life without upgrading or paying for out-of-band support? http://www.sans.org/info/151460
3) Join us March 7 in NYC at a morning briefing to discuss Financial Services Cybersecurity Trends And Challenges. http://www.sans.org/info/151470 Don't live in the area? Event will be simulcast as well. Register at: http://www.sans.org/info/151475
*****************************************************************************
THE REST OF THE WEEK'S NEWS
Barclays Bank Investigating Alleged Theft of Customer Data (February 9 & 10, 2014)
Barclays Bank is investigating an alleged theft of customer data from Barclays Financial Planning, a division that closed in 2011. A UK news publication was provided with a USB drive containing about 2,000 customer records, but the person providing the information said that the data leak actually affects 27,000 records. The information consists of dossiers that include passport and national insurance information, mortgage and savings information, as well as results of a psychometric test to determine each individual's attitude toward risk. The data had allegedly been sold for use in boiler room high-pressure investment scams.
-http://www.theregister.co.uk/2014/02/10/barclays_investigates_gold_mine_client_data_breach/
-http://www.theguardian.com/business/2014/feb/09/barclays-catastrophic-theft-customer-files
[Editor's Note (Pescatore): I'd like to see the press use the term "theft" more often in these reports, vs. "hacked" or "breached." Whether it is insider theft or outsider theft, from a business perspective it is a crime against the company. The technical details of how the theft occurred are of interest to security folks but I think dilute the impact to corporate management. ]
Iowa State University National Cyber Defense Competition (February 9, 2014)
Medical Device Manufacturers' Networks Breached (February 8, 2014)
US authorities have informed three major medical device manufacturers that their networks have been infiltrated. Medtronic, Boston Scientific, and St. Jude Medical were hit by attacks during the first half of 2013; some of the attacks may have lasted for months. Because the companies have made no disclosures, it is assumed that no patient data were compromised.
-http://www.sfgate.com/news/article/Hackers-break-into-networks-of-3-big-medical-5217780.php
[Editor's Note (Pescatore): Since the targets were the manufacturers of medical devices, one concern is theft of their intellectual property. I think the bigger issue is compromise of their infrastructure - both the source code for the actual devices and also for the server side of any services/updates they provide. ]
Twitter Publishes Transparency Report, Seeks to Disclose More Detailed Data (February 7, 2014)
PCI Standard Compliance Treated as Annual Hurdle, Not Consistent Practice (February 7, 2014)
According to a report from Verizon, most companies that attain annual compliance with the Payment Card Industry Data Security Standard (PCI DSS) do not maintain that compliance over the course of the following year. Verizon based its report on PCI compliance assessments it conducted on more than 500 organizations between 2011 and 2013. According to the data, just over 11 percent of organizations maintained compliance between annual assessments. The problem is that many organizations treat compliance as an annual test rather than a "continuous risk management effort."
-http://www.computerworld.com/s/article/9246128/Maintaining_PCI_compliance_is_a_big_challenge_for_most_companies?taxonomyId=17
[Editor's Note (Murray): "Compliance" alone rarely leads to security. If it diverts too much resource or management attention, it may actually detract. That said, on balance, PCI DSS is a practical standard and its effect has been salutary. However, by design, it is more about improving than achieving or maintaining. It is about improving the security of the retail payment system more than about securing any participating enterprise.
(Shpantzer): Malicious compliance should not be a surprise to auditors. It's nearly universal and applies to every walk of life, with exceptions being, umm, exceptional. Said exceptions are usually driven by top leadership decisions to make the exception a marketable differentiator. Think Volvo and car safety in the 1970s and '80s, more recently Toyota with the Prius and the branding around efficiency, and Apple with the marketing of security on OS X.
(Guest Editor Daniel Wesemann): Verizon has done very good work with their compilation and presentation of the data.
-http://www.verizonenterprise.com/resources/reports/rp_pci-report-2014_en_xg.pdf
-http://www.verizonenterprise.com/pcireport/2014/insider/
The Computerworld article just contains a (somewhat lopsided) interpretation of the Verizon report. ]
Phony Army Benefits Website May Have Stolen Credentials (February 7, 2014)
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/