*********************** Sponsored by NetIQ *******************************
Free Security Event Management Guide
Do you need more efficient, automated log management methods and tools to manage the terabytes of information generated by your Security Event Management systems? Download our free guide, "Log Management: Closing the Loop on Security Event Management," to discover the crucial role that log management plays as part of a complete Security Event Management solution.
OPM Releases IT Security Training Guide (14 June 2004)
The Office of Personnel Management (OPM) has released a four-step process to help agencies ensure their employees receive adequate IT security training. The rules vary depending on employees' IT security roles and responsibilities. -http://gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=26205 (Editor's Note (Tan): A very good move by OPM. Users are usually the weakest link in security. The requirements for different roles of people provide a clearer guide on what they need to know. Security training is not just for end users but for all levels of staff, including the top management. In fact, it is important for the top management to have a better understanding of security so that they can make a better risk decision.)
Defense Department Software Security Initiative (11 June 2004)
Ohio Officials Certify Voting System with Paper Audit Trail (10 June 2004)
Election officials in Ohio have certified a touch-screen voting system that provides a voter-verified paper audit trail. A recently passed law in Ohio requires that the voting machines provide paper trails. -http://www.fcw.com/geb/articles/2004/0607/web-accupoll-06-10-04.asp (Editor's Note (Schultz): Ohio has done the right thing--now it is the federal government's turn to pass legislation that requires paper audit trails for voting systems.)
Taiwanese Man Arrested for Alleged Data Theft (10 June 2004)
Taiwan's Criminal Investigation Bureau has arrested a man in connection with the theft of large quantities of sensitive personal data, including banking and auction-site account numbers and codes. Chen Chung-shun is suspected of working with others to use a Trojan horse program to obtain the information. As many as 200,000 account numbers may have been compromised. Chen also allegedly stole money after transferring it from the compromised accounts. -http://www.taipeitimes.com/News/taiwan/archives/2004/06/10/2003174478/print
Saudi Graduate Student Acquitted of Patriot Act Charges (10 June 2004)
A jury acquitted Saudi graduate student Sami Omar Al-Hussayen of charges that he "fostered terrorism" by serving as webmaster for several sites that prosecutors maintained were used to "recruit terrorists, raise money and disseminate inflammatory rhetoric." The case is a significant test of a provision of the Patriot Act that "makes it a crime to provide expert advice or assistance to terrorists." Despite his acquittal, Al-Hussayen, who was studying computer science at the University of Idaho, will be deported. -http://www.guardian.co.uk/worldlatest/story/0,1280,-4193164,00.html
Stolen Laptop Contains Information About Blood Donors (10 June 2004)
A laptop containing information about blood donors of the University of California Los Angeles Blood and Platelet Center was stolen late last year; the Center has sent letters to the 145,000 affected people warning them they could be at risk for identity theft. The stored information included names, birth dates and social security numbers. The database was password-protected but not encrypted; police are investigating. University officials were not aware of the "significance" of the theft until a security audit last month. A second laptop was stolen from the University health center several weeks ago. -http://zdnet.com.com/2102-1105_2-5230662.html?tag=printthis (Editor's Note (Grefer): For laptops running the Microsoft Windows XP Professional operating system, a quick and easy way to add another layer of security is to encrypt the pertinent directory or directories. HOW TO: Encrypt a Folder in Windows XP -http://support.microsoft.com/default.aspx?scid=kb;en-us;q308989&sd=tech INFO: Understanding Encrypted Directories -http://support.microsoft.com/default.aspx?scid=kb;en-us;248723&sd=tech)
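The editor's note above points to EFS folder encryption as the missing layer for a stolen laptop. The script below is an added example, not from the newsletter or the Microsoft articles it cites; it audits a directory for files that lack the EFS Encrypted attribute and, on request, encrypts the directory with the built-in cipher.exe so that existing and future files are protected. It assumes a modern Windows host with PowerShell, an NTFS volume, and a data location of C:\DonorData (a constructed placeholder).

```powershell
# Added example: audit a sensitive-data directory for files not covered by EFS.
# $DataRoot is an assumed placeholder path; pass -Fix to encrypt what is found.
param(
    [string]$DataRoot = 'C:\DonorData',   # assumed location of the sensitive database
    [switch]$Fix                          # when set, encrypt the directory in place
)

function Test-EfsEncrypted {
    param([System.IO.FileSystemInfo]$Item)
    # EFS reports its state through the Encrypted bit in the item's attributes.
    return ($Item.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
}

function Get-UnencryptedFiles {
    param([string]$Root)
    # -Force includes hidden files; a cleartext copy of the database may be hidden.
    Get-ChildItem -Path $Root -Recurse -File -Force |
        Where-Object { -not (Test-EfsEncrypted $_) }
}

if (-not (Test-Path -Path $DataRoot -PathType Container)) {
    throw "Data directory '$DataRoot' does not exist."
}

$unprotected = @(Get-UnencryptedFiles -Root $DataRoot)
if ($unprotected.Count -eq 0) {
    Write-Host "All files under $DataRoot carry the EFS Encrypted attribute."
    return
}

Write-Warning ("{0} file(s) under {1} are stored in the clear:" -f $unprotected.Count, $DataRoot)
$unprotected | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

if ($Fix) {
    # cipher.exe /E marks the directory so new files inherit encryption;
    # /S:<dir> walks the tree and encrypts the files already present.
    # The current user must hold (or be able to obtain) an EFS certificate;
    # back up that certificate, since losing it makes the data unrecoverable.
    & cipher.exe /E /S:$DataRoot | Out-Null
    $remaining = @(Get-UnencryptedFiles -Root $DataRoot)
    if ($remaining.Count -eq 0) {
        Write-Host "Encryption applied; $DataRoot is now fully EFS-protected."
    } else {
        Write-Warning ("{0} file(s) still unencrypted (open or locked files?)." -f $remaining.Count)
        $remaining | Select-Object FullName | Format-Table -AutoSize
    }
}
```

Run it periodically (or from a scheduled task) so that a directory someone copied the database into after the initial setup still shows up in the audit.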
Laptops Purchased at Auction Still Hold Old Data (9/7 June 2004)
AT&T CSO Sings Intrusion Prevention Systems' Praises (8 June 2004)
Speaking at the Gartner Information Technology Security Summit in Washington DC, AT&T CSO Edward Amoroso said that intrusion prevention systems (IPS) offer the best protection against vulnerable software and that IPS has been notably effective at protecting his company's corporate network. Amoroso also said the patching and testing cycle is overwhelming to system administrators. -http://www.fcw.com/fcw/articles/2004/0607/web-att-06-08-04.asp
Time Spent Planning for Business Continuity and Disaster Recovery is Well Worth the Investment (June 2004)
Organizations would be well-advised to take the time to develop business continuity, resilience and disaster recovery plans, though many don't do so, according to Stephen Northcutt. -http://www.cyberdefensemag.com/articles2.php
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Optix Pro Trojan Author Admits to Embedding Master Password (11 June 2004)
The author of Optix Pro, a popular, free Trojan horse program, has admitted that he embedded a "master password" in the program which could allow him to take control of vulnerable machines. He said he did it so that if law enforcement officials were to discover his identity, he could make the password public, thereby lessening its appeal to others. -http://www.securityfocus.com/printable/news/8893 (Editor's Note (Ranum): Lie down with dogs; wake up with fleas. Use hacker tools; run code the hackers want you to run.)
Critical Flaw in Oracle's 11i E-Business Suite and Applications 11.0 (11/9 June 2004)
Six Vulnerabilities in Concurrent Versions System (10 June 2004)
The security holes could allow denial-of-service attacks or let attackers run malicious code. Two weeks ago, someone used another vulnerability to break into the CVS project website; the subsequent audit led to the discovery of these six holes. The CVS project has released an update to address the vulnerabilities. -http://www.computerworld.com/printthis/2004/0,4814,93754,00.html
Special Section On SANS Training Resources To Meet Federal FISMA Requirements
SANS offers off the shelf and customizable training that meets or exceeds the requirements shown below. We list the rule and then describe what we offer.
(1) All users of Federal information systems must be exposed to security awareness materials at least annually. Users of Federal information systems include employees, contractors, students, guest researchers, visitors, and others who may need access to Federal information systems and applications.
SANS offers a one day, train the trainer in Security Awareness based on the NIST Security Awareness guidance that includes an Awareness presentation the student can give in their own organization. We also have online Awareness training that includes a monthly newsletter. -http://www.sans.org/awareness/
(2) Executives must receive training in information security basics and policy level training in security planning and management.
(3) Program and functional managers must receive training in information security basics; management and implementation level training in security planning and system/application security management; and management and implementation level training in system/ application life cycle management, risk management, and contingency planning.
(4) Chief Information Officers (CIOs), IT security program managers, auditors, and other security-oriented personnel (e.g., system and network administrators, and system/application security officers) must receive training in information security basics and broad training in security planning, system and application security management, system/application life cycle management, risk management, and contingency planning.
(5) IT function management and operations personnel must receive training in information security basics; management and implementation level training in security planning and system/application security management; and management and implementation level training in system/ application life cycle management, risk management, and contingency planning.
SANS offers both a CompTIA Security+ level security basics course, Introduction to Information Security:
Provide the Federal information systems security awareness material/exposure outlined in NIST guidance on IT security awareness and training to all new employees before allowing them access to the systems. Provide information systems security refresher training for agency employees as frequently as determined necessary by the agency, based on the sensitivity of the information that the employees use or process. Provide training whenever there is a significant change in the agency information system environment or procedures or when an employee enters a new position that requires additional role-specific training. [FR Doc. 04-13319 Filed 6-10-04; 8:45 am]
Finally, SANS material is modular and can be quickly customized for specific Agency requirements.
== end ==
NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/