
Volume XX - Issue #92

November 20, 2018





  UK Parliament Committee Report: Critical Infrastructure Cyber Security At Risk

  DOD, DHS Reach Cybersecurity Accord

  DHS's Cybersecurity and Infrastructure Security Agency Has an Elevated Mission and a Two-Year Plan


  Moody's Will Factor Risk of Cyber Attacks into Ratings

  Microsoft Azure and Office 365 Multi-Factor Authentication Outage

  Dark Web Hosting Provider Hacked, Sites Deleted

  DHS Goal: Naming Critical Functions to Protect by End of Calendar Year

  Spear Phishing Attack Impersonates US State Department Employees

  Vovox Pulls Exposed Database Offline

  Government Contractors to Face New Rules Around Data Breaches

  Tabletop Cyberattack Simulation Brings Private Industry and Government Together



-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get the ALL NEW 11" iPad Pro, or a Microsoft Surface Pro, or Take $350 Off with OnDemand and vLive Training. Offer ends December 5.


-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 | https://www.sans.org/event/cyber-defense-initiative-2018

-- SANS Security East 2019 | New Orleans, LA | February 2-9 | https://www.sans.org/event/security-east-2019

-- Tactical Detection & Data Analytics Summit & Training | Scottsdale, AZ | December 4-11 | https://www.sans.org/event/tactical-detection-summit-2018

-- SANS Amsterdam January 2019 | January 14-19 | https://www.sans.org/event/amsterdam-jan-2019

-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 21-28 | https://www.sans.org/event/cyber-threat-intelligence-summit-2019

-- SANS Las Vegas 2019 | January 28-February 2 | https://www.sans.org/event/las-vegas-2019

-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019

-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019

-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap




***************************  Sponsored By SANS   ************************************

Attend SANS Tactical Detection & Data Analytics Summit | Scottsdale, AZ | Dec 4-5. Learn firsthand from leading cybersecurity practitioners and top experts as they demonstrate how to leverage high-value log sources, monitoring tools, and sound analysis methods to detect attacks.





--UK Parliament Committee Report: Critical Infrastructure Cyber Security at Risk

(November 19, 2018)

According to a report from the UK Parliament's Joint Committee on National Security Strategy, the UK's national critical infrastructure is vulnerable to damaging cyber attacks. The report also says that while the risk of cyberattacks on the national critical infrastructure is growing, neither the government nor the private companies that operate elements of critical infrastructure are doing enough to adequately protect it. The report's authors are concerned that "expectations of the [GCHQ's] National Cyber Security Centre are outstripping the resources put at its disposal by the Government." They go on to urge the Government to appoint a single Cabinet Office Minister who is charged with "delivering improved cyber resilience across the UK's critical national infrastructure."

[Editor Comments]

[Henry] This is a global story and would have been completely valid had UK been replaced with the name of many other countries.


Read more in:

ZDNet: Security warning: UK critical infrastructure still at risk from devastating cyber attack


The Register: Britain may not be able to fend off a determined cyber-attack, MPs warn


Parliament: Cyber Security of the UK's Critical National Infrastructure



--DOD, DHS Reach Cybersecurity Accord

(November 15 & 16, 2018)

The US Department of Defense (DOD) and Department of Homeland Security (DHS) have reached an agreement about how to help one another defend the parts of cyberspace for which each is responsible. In written testimony, DHS Assistant Secretary Jeanette Manfra noted that the accord "reflects the commitment of both departments in collaborating to improve the protection and defense of the U.S. homeland from strategic cyber threats [and] clarifies roles and responsibilities between DOD and DHS to enhance U.S. government readiness to respond to cyber threats."

[Editor Comments]

[Murray] Video of testimony before a joint meeting of two congressional subcommittees can be found at https://www.c-span.org/video/?454510-1/interagency-cyber-cooperation: Interagency Cyber Cooperation

Read more in:

FNR: DoD, DHS reach accord on new steps to cooperate in cyber defense


Defense Systems: DOD teams with DHS for critical infrastructure protection


Nextgov: DHS and Pentagon Memo Details Future Cyber Cooperation



--DHS's Cybersecurity and Infrastructure Security Agency Has an Elevated Mission and a Two-Year Plan

(November 16, 2018)

The Department of Homeland Security's (DHS's) National Protection and Programs Directorate (NPPD) is now officially the Cybersecurity and Infrastructure Security Agency (CISA); the legislation making the change has been signed into law. The bill also elevates CISA's mission within DHS, putting it on the same level as the Secret Service, the Federal Emergency Management Agency (FEMA) and others.

Read more in:

FNR: Launch of DHS cyber agency more of a groundbreaking than a ribbon-cutting



The Hill: Trump signs bill cementing cybersecurity agency at DHS


**************************  SPONSORED LINKS  ********************************

1) Train in California's renowned wine region at SANS Sonoma 2019 (Jan 14-19)! Choose from 4 courses in Core Security Essentials and Security Management. Learn more: http://www.sans.org/info/208620

2) What role does artificial intelligence play in security? Help SANS examine how security professionals are leveraging AI by taking this survey, and enter to win a $400 Amazon gift card |

3) Does your vulnerability management program cover your organization's cloud workloads, partner access, IoT and industrial control systems? Take the SANS Survey and enter to win a $400 Amazon gift card |


--Moody's Will Factor Risk of Cyber Attacks into Ratings

(November 12, 2018)

Moody's plans to start including the impact a major cybersecurity incident would have on a company in its creditworthiness ratings. Moody's may later move to a separate cyber-risk rating apart from the entity's credit ranking. According to its website, Moody's "provid[es] credit ratings, research, tools and analysis that contribute to transparent and integrated financial markets."

[Editor Comments]

[Henry] The insurance agencies are working hard to assess cybersecurity incidents and risk, as are the SEC and other government regulators. Moody's movement into this area seems to be a logical step. Companies' values are based on many factors, including their intellectual property, their corporate strategies, and other differentiators. While loss of those assets can impact companies' ability to compete and should be measured, the methodologies used to assess cybersecurity have typically been a challenge. Moody's ability to make that assessment will require a lot of thought and calculation.

[Pescatore] While this sounds like a good thing, in 2017 Moody's paid nearly $1B in fines to settle government charges that it gave inflated ratings to risky mortgage investments that played major roles in causing the 2008 financial meltdown. If they weren't trustworthy in their core business of financial risk rating, pretty sure they shouldn't be at the top of the list for cybersecurity risk ratings.


[Northcutt] There is a pot of gold waiting for the first group to develop an actuarial table for cyber risk, though the reality is it is many tables. They started with utilities; it will be interesting to see how far they are able to get. The press release does show some good architecture with respect to compliance.

https://www.moodys.com/research/Moodys-As-cyber-threat-intensifies-for-US-utilities-government-support--PBC_1142449: Research Announcement: Moody's: As cyber threat intensifies for US utilities, government support remains key to credit profiles

Read more in:

CNBC: Moody's is going to start building the risk of a business-ending hack into its credit ratings



--Microsoft Azure and Office 365 Multi-Factor Authentication Outage

(November 19, 2018)

A problem with multi-factor authentication (MFA) prevented some Microsoft Azure and Office 365 users from accessing their accounts. The outage began at 4:39 AM UTC Monday, November 19 (11:39 PM ET Sunday, November 18) and affected users around the world. The issue may also have prevented some users from performing self-service password resets. Azure services are now operating normally. As of Tuesday, November 20 at 1:00 PM ET (6:00 PM UTC), the Office 365 Status page says, "We've conducted extensive monitoring over the last 12 hours and have not observed an increase in failed authentication requests. We'll continue to monitor the environment while we further investigate the root cause of this issue." Azure's status page says that it is operating normally.

[Editor Comments]

[Neely] Enabling multi-factor authentication remains an important security measure, particularly if you permit access to Microsoft's cloud services from non-corporate devices or insecure networks. If you're using ADFS rather than your own authenticator, Microsoft provides multiple options for multi-factor authentication. Using the Microsoft Authenticator application eliminates reliance on SMS for message delivery and possible interception.


[Honan] One of the keys to security is resilience. Organisations moving to the cloud need effective and resilient multi-factor authentication platforms, and if they should fail they need contingency plans.

Read more in:

ZDNet: Microsoft Azure, Office 365 users hit by multi-factor authentication issue


The Register: Azure goes super-secure: Multi-factor authentication is borked in Europe and Asia


Status Office 365: Office 365 service health status


Azure: Azure status



--Dark Web Hosting Provider Hacked, Sites Deleted

(November 17 & 19, 2018)

Hackers have deleted all accounts, including the server's root account, from dark web hosting provider Daniel's Hosting. The administrator says that there were no back-ups of the hosted sites; all data are gone. He says he will bring "[the] hosting back up once the vulnerability has been identified and fixed." The attack occurred on November 15.

Read more in:

ZDNet: Popular Dark Web hosting provider got hacked, 6,500 sites down


BBC: Blackout for thousands of dark web pages



--DHS Goal: Naming Critical Functions to Protect by End of Calendar Year

(November 16, 2018)

The US Department of Homeland Security (DHS) plans to compile a list of the country's most critical functions that need to be protected from cyberattacks. Then DHS, along with federal researchers and other organizations, will begin mapping how the functions rely on each other, identifying which sectors depend on which critical elements, and what the effect on each sector would be if these elements were attacked. The critical function identification and mapping is a DHS National Risk Management Center project.

[Editor Comments]

[Neely] Mapping critical functions and their interdependencies is important to build a risk model and then prioritize mitigation and application of security measures. The trick will be maintaining this mapping as well as incentivizing application of appropriate security controls and monitoring the residual risks. Leveraging the capabilities and budget with CDM DEFEND will allow agencies to get a jump on licensing products as well as provide a path for DHS to continue to monitor the risks.


[Henry] Eighteen years ago, I worked in the FBI's National Infrastructure Protection Center (NIPC). One of NIPC's responsibilities was the Key Asset and Critical Infrastructure program, whose mission was to compile a list of the country's most critical functions that need to be protected from cyberattacks. After 9/11 NIPC was terminated, as the mission was transferred from the FBI to the newly established DHS. It's an important program and I'm glad to see it get the attention it deserves.

[Murray] This is an essential step in improving the security of our infrastructure. Attempting to secure everything to the same level will leave some things under-protected and others over-protected. It is neither effective nor efficient. However, this is not a simple exercise; it is more important to get it right than to get it early.

Read more in:

Nextgov: DHS Aims to ID Critical Functions to Protect from Cyberattacks by Years End



--Spear Phishing Attack Impersonates US State Department Employees

(November 16 & 19, 2018)

A phishing attack believed to be the work of hackers working for the Russian government is using email messages that purport to be from US State Department employees. The phony messages have been sent to people at government agencies, think tanks, and other organizations.  

[Editor Comments]

[Pescatore] The current administration's National Cybersecurity Strategy says a key objective is to "ENSURE THE GOVERNMENT LEADS IN BEST AND INNOVATIVE PRACTICES: The Federal Government will ensure the systems it owns and operates meet the standards and cybersecurity best practices it recommends to industry." Every Presidential Cybersecurity Strategy since PDD-63 in 1998 has said the same thing, yet we still have government employees (including elected officials) and US citizens accessing government services doing so with re-usable passwords vs. strong authentication.

Read more in:

Reuters: Russians impersonating U.S. State Department aide in hacking campaign: researchers


Ars Technica: Russia's Cozy Bear comes out of hiding with post-election spear-phishing blitz



--Vovox Pulls Exposed Database Offline

(November 15 & 16, 2018)

An inadequately secured server exposed a database that contains millions of SMS text messages, many of which include reset links, plaintext passwords, and one-time passwords for various accounts. The database in question belongs to communications firm Vovox, which processes billions of calls and text messages every month, according to the company's website. Vovox pulled the database offline after it was notified of the situation, and before public disclosure of the issue. The database on the server was configured in a way that made it easily readable and searchable.

[Editor Comments]

[Neely] While the database is no longer accessible, the risks of using SMS messaging for 2FA remain. When choosing multi-factor options for services provided, most authentication solutions support other options such as OTP, which doesn't rely on sending the device a code that can be intercepted or recorded. Even so, the TOTP seeds need to not be recoverable.
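The OTP alternative referred to above, as an added illustration that is not part of the newsletter or of any vendor's code: RFC 6238 TOTP derives the code on both sides from a shared seed, so no code is ever sent through a carrier or logged in a message database; the server-side verifier below also refuses replayed codes. The seed value is the RFC 6238 test seed, not a real secret.

```python
"""Added example (not from SANS or Vovox): RFC 6238 TOTP generation and
server-side verification. The one-time code is computed locally from a
shared seed, so nothing transits SMS; the seed itself is the secret to protect."""
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30      # RFC 6238 default step, in seconds
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low-order decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: Optional[int] = None, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    t = int(time.time()) if now is None else now
    return hotp(seed, t // TIME_STEP, digits)


class TotpVerifier:
    """Server-side check. Accepts one step of clock skew either way and
    never accepts a time step that has already been consumed, so a code
    captured from a user's screen cannot be replayed within its window."""

    def __init__(self, seed: bytes, skew_steps: int = 1):
        # Hypothetical store: in production the seed is encrypted at rest
        # and never written to logs (the "not recoverable" point above).
        self.seed = seed
        self.skew = skew_steps
        self.last_step_used = -1

    def verify(self, candidate: str, now: Optional[int] = None) -> bool:
        t = int(time.time()) if now is None else now
        step = t // TIME_STEP
        for s in range(step - self.skew, step + self.skew + 1):
            if s <= self.last_step_used:
                continue                      # already consumed: replay
            if hmac.compare_digest(hotp(self.seed, s), candidate):
                self.last_step_used = s
                return True
        return False


if __name__ == "__main__":
    SEED = b"12345678901234567890"   # RFC 6238 test seed (constructed, not secret)
    print(totp(SEED, 59))            # 287082 per the RFC 6238 test vectors
```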

Read more in:

TechCrunch: A leaky database of SMS text messages exposed password resets and two-factor codes


Ars Technica: Database leak exposes millions of two-factor codes and reset links sent by SMS



--Government Contractors to Face New Rules Around Data Breaches

(November 15 & 19, 2018)

A proposed rule from the US General Services Administration (GSA) seeks to amend the Federal Acquisition Regulation (FAR) "to create and implement appropriate contract clauses and regulatory coverage to address contractor requirements for a breach response consistent with the requirements." The proposed rule would require that in the event of a breach, the GSA and the affected agency would have access to the contractors' breached systems. It would also require contractors to retain images of the breached systems for government review.

[Editor Comments]

[Neely] Flowing down of cybersecurity requirements to contractor systems can be a challenge. While contractors may not embrace the need for the GSA to be able to access systems for forensic analysis, as the data owners, they are accountable for what happens to that data, particularly with privacy legislation such as the GDPR and California Consumer Privacy Act which carry increased penalties relating to breaches and reporting requirements.

Read more in:

Fedscoop: GSA proposes new cybersecurity reporting rules for contractors


Nextgov: Government Contractors Face New Data Breach Disclosure and Investigation Requirements



--Tabletop Cyberattack Simulation Brings Private Industry and Government Together

(November 13, 2018)

In October, the Foundation for Defense of Democracies think tank held a tabletop cyberattack simulation exercise that focused on determining what companies and government agencies would need from each other in the event of a cross-sector cyber attack. The exercise illustrated that there really is daylight between the positions of the private sector and the government regarding retaliatory action, according to former National Security Agency (NSA) director retired Gen. Michael Hayden.

[Editor Comments]

[Murray] One would hope that such drills become regular, routine, and ubiquitous. If and when we come under attack, it will be too late to coordinate our responses. Improving the resilience of our digital infrastructure is essential; we must be able to absorb multiple simultaneous Sony-scale attacks while sustaining critical capabilities.

Read more in:

Cyberscoop: How the U.S. might respond if China launched a full-scale cyberattack




Multipurpose PCAP Analysis Tool


Quickly Investigating Websites with Lookyloo


From Field Spoofing in GMail


Google Play Malware


ATM Vulnerabilities


Nagios XI Update




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create