
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #54

July 12, 2019

Zero Trust Architecture for Military; Marine Cybersecurity Warning; Microsoft - Two Zero-Days and a Critical Flaw




****************************************************************************

SANS NewsBites                July 12, 2019                Vol. 21, Num. 054

****************************************************************************


TOP OF THE NEWS


  Defense Innovation Board Pushing Zero Trust Architecture for Military

  US Coast Guard Issues Marine Cybersecurity Warning and Advice

  Microsoft Patch Tuesday Includes Fixes for Two Zero-Days and a Critical Flaw in Windows DHCP Server


REST OF THE WEEK'S NEWS       


  FEC Says Campaigns Can Accept Discounted Cybersecurity Services

  Apple Pushed Out Update to Remove Zoom Web Server from Macs

  Unsealed Indictment Charges Software Engineer with Theft of Trade Secrets

  Mozilla Releases Firefox 68

  LA County Health Data Breached Through Contractor

  US Conference of Mayors Passes Resolution Not to Pay Ransomware Demands

  Vulnerability in Some GE Anesthesia Devices

  ICS Vulnerability Research Turns Up Critical Flaw in Siemens TIA Portal

  Astaroth Fileless Malware


INTERNET STORM CENTER TECH CORNER


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019


-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019


-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019


-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019


-- SANS Chicago 2019 | August 19-24 | https://www.sans.org/event/chicago-2019


-- SANS Virginia Beach 2019 | August 19-30 | https://www.sans.org/event/virginia-beach-2019


-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019


-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- SANS OnDemand and vLive Training

Get an iPad Pro with Smart Keyboard, HP ProBook, or Take $350 Off through July 24 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


************************ Sponsored By AWS Marketplace ***********************


AWS Cloud Security Training Webcast: JumpStart Your Firewall Selection Process in AWS. Gain practical knowledge on how to evaluate and select effective cloud-based firewalls in the AWS Marketplace. Learn how to assess vendor system design, needs versus capabilities, business and technical operational considerations, and integration issues. July 17, 2 PM ET: http://www.sans.org/info/213415


*****************************************************************************

TOP OF THE NEWS  

 

--Defense Innovation Board Pushing Zero Trust Architecture for Military

(July 10, 2019)

The Pentagon's Defense Innovation Board (DIB) has approved a white paper that calls on the Department of Defense (DOD) to implement zero trust architecture (ZTA) for network access. The paper notes DOD's current reliance on perimeter-based cybersecurity and says that "Zero Trust Architecture (ZTA) can significantly offset vulnerabilities and threats across DoD networks by creating discrete, granular access rules for specific applications and services within a network."


[Editor Comments]


[Murray] Current architectures and policies have been proven to be too vulnerable in the face of the increasingly hostile environment. "Zero trust" must go beyond structured networks or end-to-end application layer encryption to include strong authentication, least privilege access control, privileged access management (PAM), and continuous monitoring and measurement.  


Read more in:

media.defense.gov: The Road to Zero Trust (Security) (PDF)

https://media.defense.gov/2019/Jul/09/2002155219/-1/-1/0/DIB_THE_ROAD_TO_ZERO_TRUST_(SECURITY)_07.08.2019.PDF

Fedscoop: Defense Innovation Board wants to help DOD understand zero trust

https://www.fedscoop.com/zero-trust-defense-innovation-board-paper/


 

--US Coast Guard Issues Marine Cybersecurity Warning and Advice

(July 8 & 9, 2019)

An incident earlier this year led the US Coast Guard to issue a Marine Safety Alert that offers advice on implementing cybersecurity protocols. In February, the Coast Guard led an interagency team in an investigation of "a significant cyber incident" affecting the shipboard network of a deep draft vessel. The recommendations in the alert include segmenting networks; eliminating generic access credentials shared by multiple individuals; enforcing least privilege access; and regular patching.


[Editor Comments]


[Northcutt] Interesting story. The advice sounds good with the exception of the thought that anti-virus can detect targeted malware. It appears the most significant threat access vector is USB: "This incident revealed that it is common practice for cargo data to be transferred at the pier, via USB drive." These ships are going to keep needing the cargo data and USB drives are cost effective. Expect this practice to continue, and attackers will look for an external way to influence what is actually on that USB drive.

 

Read more in:

DCO: Cyber Incident Exposes Potential Vulnerabilities Onboard Commercial Vessels (PDF)

https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/CG-5PC/INV/Alerts/0619.pdf

Dark Reading: Coast Guard Warns Shipping Firms of Maritime Cyberattacks

https://www.darkreading.com/vulnerabilities---threats/coast-guard-warns-shipping-firms-of-maritime-cyberattacks/d/d-id/1335198

Cyberscoop: After 'significant' malware attack, U.S. Coast Guard issues maritime security advisory

https://www.cyberscoop.com/coast-guard-significant-malware-attack/

Bleeping Computer: U.S. Coast Guard Issues Safety Alert Following Cyber Incident

https://www.bleepingcomputer.com/news/security/us-coast-guard-issues-safety-alert-following-cyber-incident/


 

--Microsoft Patch Tuesday Includes Fixes for Two Zero-Days and a Critical Flaw in Windows DHCP Server

(July 9, 2019)

On Tuesday, July 9, Microsoft released software updates to address nearly 80 vulnerabilities in a range of products. Fifteen of the flaws have been rated critical. Arguably one of the most severe of these is a memory corruption vulnerability in Windows DHCP server; the issue affects most supported versions of Windows Server. Two of the flaws fixed in the update are being actively exploited, and four others were disclosed before the fixes were made available.


Read more in:

KrebsOnSecurity: Patch Tuesday Lowdown, July 2019 Edition

https://krebsonsecurity.com/2019/07/patch-tuesday-lowdown-july-2019-edition/

Dark Reading: Microsoft Patches Zero-Day Vulnerabilities Under Active Attack

https://www.darkreading.com/risk/microsoft-patches-zero-day-vulnerabilities-under-active-attack/d/d-id/1335197

MSRC: Security Update Summary

https://portal.msrc.microsoft.com/en-us/security-guidance/summary

SC Magazine: Microsoft's Patch Tuesday addresses two actively exploited zero-days

https://www.scmagazine.com/home/patch-management/microsofts-july-2019-patch-tuesday-included-updates-for-77-vulnerabilities-including-two-actively-exploited-zero-days-and-five-publicly-disclosed-vulnerabilities/


****************************  SPONSORED LINKS  ******************************


1) These are the 5 key ways CISOs align security with the enterprise to accelerate the business. Read the report now. http://www.sans.org/info/213620


2) Register for the Webcast "Speaking the Language of the Board" with Unisys CISO Mathew Newfield: http://www.sans.org/info/213625


3) Poll: How effective is your security controls testing? Tell us your experience by taking this brief poll http://www.sans.org/info/213630


*****************************************************************************

REST OF THE WEEK'S NEWS       

 

--FEC Says Campaigns Can Accept Discounted Cybersecurity Services

(July 11, 2019)

The US Federal Election Commission (FEC) has ruled that political campaigns may use discounted cybersecurity services with certain stipulations. Campaign finance law bars corporate contributions to campaigns. The FEC ruled that the cybersecurity services are not considered an in-kind contribution as long as the companies providing the discounted services also offer them to non-political organizations.


Read more in:

KrebsOnSecurity: FEC: Campaigns Can Use Discounted Cybersecurity Services

https://krebsonsecurity.com/2019/07/fec-campaigns-can-use-discounted-cybersecurity-services/

FEC: ADVISORY OPINION 2019-12 (PDF)

https://www.fec.gov/resources/cms-content/documents/mtgdoc_19-28-A.pdf

 
 

--Apple Pushed Out Update to Remove Zoom Web Server from Macs

(July 8 & 11, 2019)

On Wednesday, July 10, Apple pushed out a silent update to remove a local web server that had been surreptitiously installed by the Zoom web conferencing app from Macs. The local web server remained on machines even when users uninstalled the Zoom client. Zoom has also issued an update that lets users remove both the application and the web server.


[Editor Comments]


[Neely] Apple created the removal update after Zoom had released an updated client. Users with the updated client would not have seen it disappear (Version 4.4.5392.0709). While Gatekeeper taking action without permission is a bit disconcerting, the feature is intended to rapidly address vulnerabilities. The benefits of Gatekeeper actively protecting systems outweigh disabling it.


[Honan] From a corporate security point of view, Apple's ability to silently remove a third party app from your system(s) should raise some concerns. The usefulness of such a feature is not in dispute, but there should be at least some way of alerting people that it has happened, allowing people to grant permission to proceed with the action, that it is auditable and traceable, and that organisations have the ability to turn the feature off.


Read more in:

Medium: Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!

https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

Duo: Apple Removes Zoom Web Server from Macs

https://duo.com/decipher/apple-removes-zoom-web-server-from-macs

Threatpost: Apple Issues Silent Update Removing Zoom's Hidden Server

https://threatpost.com/apple-silent-update-zoom-hidden-server/146419/

Ars Technica: Silent Mac update nukes dangerous webserver installed by Zoom

https://arstechnica.com/information-technology/2019/07/silent-mac-update-nukes-dangerous-webserver-installed-by-zoom/

Wired: Zoom Will Fix the Flaw That Let Hackers Hijack Webcams

https://www.wired.com/story/zoom-flaw-web-server-fix/

Vice: Zoom Vulnerability Lets Hackers Hijack Your Webcam

https://www.vice.com/en_us/article/8xzjj4/zoom-video-conferencing-vulnerability-lets-hackers-turn-on-your-webcam

Axios: Apple pushes update to remove Zoom's Web server

https://www.axios.com/apple-zoom-web-server-online-privacy-a837220a-f5c0-4036-a319-6af0d464b623.html

 
 

--Unsealed Indictment Charges Software Engineer with Theft of Trade Secrets

(July 12, 2019)

A December 2017 indictment unsealed earlier this week reveals that Xudong "William" Yao has been charged with theft of trade secrets. Yao worked as a software engineer at an unnamed Illinois company that manufactures trains. He started work in August 2014 and less than a month later, he allegedly downloaded thousands of files containing proprietary and trade secret information related to the company's control system software code. Yao also allegedly began negotiating for a job with a company in China. He was fired from the Illinois company in February 2015 for reasons not related to the case and he left the US in November 2015. Yao is believed to still be in China.


Read more in:

The Register: Train maker's coder goes loco, choo-choo-chooses to flee to China with top-secret code - allegedly

https://www.theregister.co.uk/2019/07/12/train_software_theft/

Bloomberg: Chinese Engineer Accused of Stealing U.S. Train Maker's Secrets

https://www.bloomberg.com/news/articles/2019-07-11/chinese-engineer-accused-of-stealing-u-s-train-maker-s-secrets

Regmedia: Superseding Indictment

https://regmedia.co.uk/2019/07/11/yaoindictment.pdf

 
 

--Mozilla Releases Firefox 68

(July 9 & 10, 2019)

Mozilla has updated Firefox to version 68 and Firefox Extended Support Release to version 60.8. In all, the newest versions of the browser address 21 security issues, including an issue that was causing problems between antivirus products and HTTPS site certificates. Firefox 68 also has a new feature that lets users report extensions that appear to be security threats.


[Editor Comments]


[Neely] Version 68 also adds fingerprinting and cryptominer blocking to the strict setting for content blocking, making it easier to enable. Version 68 also actively prompts users to use Firefox sync to carry bookmark and plugin choices forward through updates.


Read more in:

Bleeping Computer: Mozilla Firefox 68 Released With Security and Extension Enhancements

https://www.bleepingcomputer.com/news/software/mozilla-firefox-68-released-with-security-and-extension-enhancements/

SC Magazine: Mozilla's latest Firefox releases fix 21 bugs

https://www.scmagazine.com/home/security-news/vulnerabilities/mozillas-latest-firefox-releases-fix-21-bugs/

ZDNet: Firefox 68 is out: New dark reader view, better extensions, enterprise IT controls

https://www.zdnet.com/article/firefox-68-is-out-new-dark-reader-view-better-extensions-enterprise-it-controls/

Mozilla: See what's new in Firefox! 68.0

https://www.mozilla.org/en-US/firefox/68.0/releasenotes/

 

--LA County Health Data Breached Through Contractor

(July 10, 2019)

An employee at a contractor that provides eligibility and billing services for the Los Angeles (California) County Department of Health Services fell prey to a phishing attack earlier this year. The incident compromised personal health information belonging to nearly 15,000 patients. While the data are encrypted, the compromised email account included encryption keys.


Read more in:

SC Magazine: L.A. County Health Services Department contractor breach leaks patient data

https://www.scmagazine.com/home/security-news/data-breach/a-data-breach-at-a-l-a-county-department-of-health-services-contractor-resulted-in-the-compromise-of-data-from-several-thousand-patients/

Nemadji: Notice of Data Security Incident

https://nemadji.org/notice-of-data-security-incident

 
 

--US Conference of Mayors Passes Resolution Not to Pay Ransomware Demands

(July 10, 2019)

The US Conference of Mayors has passed a resolution stating that it "stands united against paying ransoms in the event of an IT security breach." Baltimore Mayor Jack Young said that paying ransoms encourages the perpetrators and others to launch more attacks.


[Editor Comments]


[Neely] The ability to not pay ransomware is dependent on being prepared to recover from an incident. Develop and test an incident response plan, fill any gaps in security tools, backups, and training to ensure readiness to respond.


Read more in:

SC Magazine: U.S. mayors resolve to no longer pay ransomware attackers

https://www.scmagazine.com/home/security-news/ransomware/u-s-mayors-resolve-to-no-longer-pay-ransomware-attackers/

Statescoop: Mayors pass resolution against paying ransomware ransoms

https://statescoop.com/us-conference-mayors-ransomware-ransom-resolution/

 
 

--Vulnerability in Some GE Anesthesia Devices

(July 8, 9, & 10, 2019)

Research company CyberMDX found that authentication weaknesses in certain GE anesthesia devices used in hospitals could be exploited to gain remote control of the machines, potentially allowing hackers to alter gas composition parameters and silence alarms. The issues affect the GE Aestiva and GE Aespire devices, models 7100 and 7900. The US Department of Homeland Security's (DHS) ICS-CERT and GE Healthcare have both issued advisories. The ICS-CERT advisory notes that "a vulnerability exists where serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration, which could allow an attacker to remotely modify device configuration and silence alarms." A GE spokesperson says that the issues are network issues and that GE "generally recommend[s] that anesthesia devices not be connected to a network. The scenario described in the report requires hospitals to use the equipment in ways that it should not be used."


[Editor Comments]


[Murray] While some appliances, including medical devices, (e.g., cameras) are intended to be connected to public networks, others (e.g., baby-monitors, these medical devices) are not. Connecting the latter to the Internet will always be dangerous, either to the application (e.g., baby monitors, medical devices) or the network (e.g., baby monitors.) (While cameras are intended to be connected to the public networks many are not properly designed for the purpose and represent a risk to those networks.)


Read more in:

CyberMDX: CyberMDX Research Team Discovers Medical Device Vulnerability in GE Anesthesia and Respiratory Devices

https://www.cybermdx.com/vulnerability-research-disclosures/ge-aestiva-and-ge-aespire

ZDNet: Vulnerabilities found in GE anesthesia machines

https://www.zdnet.com/article/vulnerabilities-found-in-ge-anesthesia-machines/

BBC: Anaesthetic devices 'vulnerable to hackers'

https://www.bbc.com/news/technology-48935111

Threatpost: Bug in Anesthesia Respirators Allows Cyber-Tampering

https://threatpost.com/anesthesia-respirators-cyber-tampering/146405/

GovInfosecurity: Certain Anesthesia Devices Have Vulnerabilities: Researchers

https://www.govinfosecurity.com/certain-anesthesia-devices-have-vulnerabilities-researchers-a-12766

US-CERT: ICS Medical Advisory (ICSMA-19-190-01) GE Aestiva and Aespire Anesthesia

https://www.us-cert.gov/ics/advisories/icsma-19-190-01

GE Healthcare: ICS advisory regarding GE anesthesia devices

https://www.gehealthcare.com/support/security-information

 
 

--ICS Vulnerability Research Turns Up Critical Flaw in Siemens TIA Portal

(July 8, 9, & 10, 2019)

Tenable Research has found a critical flaw in Siemens TIA Portal, also known as STEP 7, that could be exploited to gain administrative privileges. The issue affects Siemens SIMATIC STEP 7 v.15.1; Siemens has released an update to fix the issue. Tenable found the Siemens vulnerability while researching top industrial control system vendors; they found a dozen critical flaws in ICS products from four different vendors.


[Editor Comments]


[Murray] These portals represent the primary attack surface in cyber espionage and warfare.  


Read more in:

Medium: Nuclear Meltdown with Critical ICS Vulnerabilities

https://medium.com/tenable-techblog/nuclear-meltdown-with-critical-ics-vulnerabilities-8af3a1a13e6a

Siemens: SSA-721298: Missing Authentication Vulnerability in TIA Administrator (TIA Portal)

https://cert-portal.siemens.com/productcert/pdf/ssa-721298.pdf

Tenable: Tenable Research Discloses Critical Vulnerability in Siemens STEP 7 (CVE-2019-10915)

https://www.tenable.com/blog/tenable-research-discloses-critical-vulnerability-in-siemens-step-7-cve-2019-10915

GovInfosecurity: Researchers Disclose Vulnerability in Siemens' ICS Software

https://www.govinfosecurity.com/researchers-disclose-vulnerability-in-siemens-ics-software-a-12765

The Register: Remember Stuxnet? You'll endure its hated-by-critics sequel if you don't patch your holey Siemens industrial kit

https://www.theregister.co.uk/2019/07/10/siemens_controllers_flaw/

 
 

--Astaroth Fileless Malware

(July 8 & 9, 2019)

Researchers from Microsoft have detected a fileless malware campaign that uses legitimate services to deliver its payload. Dubbed Astaroth, the malware was detected while looking into a recent spike in the use of the Windows Management Instrumentation Command-line (WMIC) tool.
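The item above says the campaign surfaced as a spike in WMIC usage. The script below is an added example, not code from the newsletter or from Microsoft, showing the shape of that detection: it parses constructed process-creation log lines (timestamp, host, image path, command line; the format and host names are assumptions) and flags any host that launches wmic.exe more than a threshold number of times inside a sliding window. Real telemetry would come from Sysmon or EDR process-creation events rather than the embedded sample.

```python
"""Flag hosts whose wmic.exe launch rate spikes inside a short window.

Added example for the Astaroth item: a per-host sliding-window count of
wmic.exe process creations. Log format and hostnames are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Constructed sample process-creation events, not real telemetry.
# Fields: UTC timestamp, host, image path, command line (may contain spaces).
SAMPLE_LOG = """\
2019-07-08T09:00:10Z HOST-A C:\\Windows\\System32\\wbem\\WMIC.exe wmic os get caption
2019-07-08T09:05:00Z HOST-B C:\\Windows\\System32\\cmd.exe cmd /c dir
2019-07-08T10:00:00Z HOST-B C:\\Windows\\System32\\wbem\\WMIC.exe wmic process list brief
2019-07-08T10:00:03Z HOST-B C:\\Windows\\System32\\wbem\\WMIC.exe wmic process list brief
2019-07-08T10:00:05Z HOST-B C:\\Windows\\System32\\wbem\\WMIC.exe wmic process list brief
2019-07-08T10:00:07Z HOST-B C:\\Windows\\System32\\wbem\\WMIC.exe wmic process list brief
2019-07-08T10:00:09Z HOST-B C:\\Windows\\System32\\wbem\\WMIC.exe wmic process list brief
2019-07-08T10:00:11Z HOST-B C:\\Windows\\System32\\wbem\\WMIC.exe wmic process list brief
2019-07-08T11:30:00Z HOST-A C:\\Windows\\System32\\wbem\\WMIC.exe wmic os get caption
"""


def parse_events(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image, cmdline = line.split(None, 3)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            # Compare on the basename so path casing or location does not matter.
            "image": ntpath.basename(image).lower(),
            "cmdline": cmdline,
        })
    return events


def wmic_spikes(events, window=timedelta(minutes=10), threshold=5):
    """Return {host: peak_count} for hosts that ran wmic.exe at least
    `threshold` times within any `window`-long span.

    A two-pointer sweep over each host's sorted timestamps finds the
    densest window without materialising every bucket.
    """
    per_host = defaultdict(list)
    for ev in events:
        if ev["image"] == "wmic.exe":
            per_host[ev["host"]].append(ev["time"])

    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


if __name__ == "__main__":
    for host, count in sorted(wmic_spikes(parse_events(SAMPLE_LOG)).items()):
        print(f"{host}: {count} wmic.exe launches inside one window")
```

The threshold and window are tuning knobs: the point is to baseline normal administrative WMIC use per host and alert on a departure from it, which is the same signal the Microsoft write-up describes, rather than to block wmic.exe outright.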


Read more in:

Microsoft: Dismantling a fileless campaign: Microsoft Defender ATP next-gen protection exposes Astaroth attack

https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/

Infosecurity Magazine: Microsoft Warns of Fileless Astaroth Attacks

https://www.infosecurity-magazine.com/news/microsoft-warns-of-fileless/

SC Magazine: What fresh hell is this? Fileless malware campaign spread Astaroth backdoor last spring

https://www.scmagazine.com/home/security-news/malware/what-fresh-hell-is-this-fileless-malware-campaign-spread-astaroth-backdoor-last-spring/

 

*****************************************************************************

INTERNET STORM CENTER TECH CORNER


MSFT Patch Tuesday

https://isc.sans.edu/forums/diary/MSFT+July+2019+Patch+Tuesday/25110/


Samba Project Disabling SMBv1 By Default

https://isc.sans.edu/forums/diary/Samba+Project+tells+us+Whats+New+SMBv1+Disabled+by+Default+finally/25116/


Analysis of a Recent AZORult Sample

https://isc.sans.edu/forums/diary/Recent+AZORult+activity/25120/


Adobe Updates

https://helpx.adobe.com/security.html


Zoom Vulnerability

https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5


Apple Deletes Zoom Web Server

https://www.macrumors.com/2019/07/10/apple-update-remove-zoom-server/


Apple Disables Walkie Talkie App

https://techcrunch.com/2019/07/10/apple-disables-walkie-talkie-app-due-to-vulnerability-that-could-allow-iphone-eavesdropping/


eChOraix Ransomware

https://www.anomali.com/blog/the-ech0raix-ransomware


GnuPG Will No Longer Import Signatures From Keyservers

https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html


Windows PXE Devices May Fail to Boot After Recent Update

https://support.microsoft.com/en-in/help/4512816/devices-that-start-up-using-preboot-execution-environment-pxe-images-f


Sean Goodwin: Attackers Inside the Walls: Detecting Malicious Activity

https://www.sans.org/reading-room/whitepapers/detection/paper/39055


******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create