WWW.ISSA-COS.ORG

VOLUME 7 NUMBER 8 AUGUST 2018

Peak Cyber Is Coming Soon!

A Note From Our President
By Ms. Colleen Murphy

Colleagues,

Our Peak Cyber conference will be here very soon. The Colorado Springs Chapter is once again hosting the 8th Annual Peak Cyber - Cybersecurity Training & Technology Forum (CSTTF). Peak Cyber - CSTTF is set to convene from Wednesday, August 22nd to Thursday, August 23rd, 2018 at the DoubleTree by Hilton, Colorado Springs, Colorado. Peak Cyber is designed to further educate Cybersecurity, Information Management, Information Technology and Communications Professionals by providing a platform to explore some of today's most pressing cybersecurity threats, remediation strategies and best practices.

Day one, August 22nd, will consist of three tracks with Subject Matter Expert (SME) speaker sessions and panels. On day two, August 23rd, more SME speaker sessions, as well as several in-depth training workshops and boot camps, will take place throughout the day. Peak Cyber Sessions and the Training sessions and the evening career networking/social are worth up to 16 CPE/CEU Credits.

Attendance is FREE for Military/Government (all those with a .mil or .gov e-mail address), Academia (with a .edu e-mail address), and ISSA Members. The fee for industry is $250.00. If you’re not an ISSA member, join now and you can attend for FREE!

Keynote speakers include:
• COL Robert McVay, Deputy CIO, Missile Defense Agency
• Dr. Meyerrose, President, The MeyerRose Group
• Dr. Joseph Mitola III, Chief Technologist, ENSCO Aerospace Sciences and Engineering Division, Fellow of the IEEE
• Ron Ross, Fellow, Computer Security Division, NIST
• Aaron Shaha, Director of Network Defense, Root9b
• Jeff Snyder, President, Jeff Snyder Cyber Recruiting & Coaching

Training opportunities include:

Three-hour mini-boot camp for the PenTest+ certification and the Cybersecurity Analyst (CySA+) certification. CompTIA staff and partners will give a glimpse into the world of the modern pen tester and security analyst. Learn about the latest penetration testing (Continued on page 4)

The ISSA Colorado Springs Newsletter incorporates open source news articles in compliance with USC Title 17, Section 107, Paragraph a (slightly truncated to avoid copyright infringement) as a training method to educate readers on security matters. The views expressed in articles obtained from public sources within this newsletter do not necessarily reflect those of ISSA, this Chapter or its leadership. Names, products, and services referenced within this document may be the trade names, trademarks, or service marks of their respective owners. References to commercial vendors and their products or services are provided strictly as a convenience to our members, and do not constitute or imply endorsement by ISSA or the Colorado Springs Chapter of ISSA of any entity, event, product, service, or enterprise.

Cyberwar: What happens when a nation-state cyber attack kills?

By Danny Palmer, ZDNet, July 24, 2018

The increasing sophistication and power of state-backed cyber attacks has led some experts to fear that, sooner or later, by design or by accident, one of these incidents will result in somebody getting killed.

It might sound far-fetched, but a former head of the UK's intelligence agency has already warned about the physical threat posed by cyber attacks and the potential damage they could do.

"Nation-states are getting more sophisticated and they're getting more brazen. They're getting less worried about being caught and being named -- and of course that's a feature of geopolitics," said Robert Hannigan, who served as director general of GCHQ from 2014 to 2017.

"The problem is the risk of miscalculation is huge," he said, speaking at a security conference in London last month. "If you start to tamper with industrial control systems, if you start to tamper with health systems and networks, it feels like it's only a matter of time before somebody gets hurt and somebody is ultimately killed."

The mention of health systems is a reminder perhaps of last year's WannaCry ransomware outbreak, which crippled large parts of the UK's National Health Service. Thousands of appointments were cancelled, causing disruption and inconvenience for patients around the country.

No critical systems were hit, but given the nature of WannaCry -- which the US, UK, and others have blamed on North Korea -- that was likely due to luck rather than planning.

With attacks against hospitals, transport, power plants, or other critical national infrastructure, attackers are playing a dangerous game -- but that hasn't stopped clandestine, targeted campaigns against infrastructure.

Perhaps the most famous example is Stuxnet, malware designed to damage Iranian uranium centrifuges which was uncovered in 2010. The destructive attack on the industrial systems put Iran's nuclear program back by years, and is believed to have been a joint cyber operation by the US and Israel.

However, Stuxnet was designed to be limited in its impact: in the years since, those attacking industrial control systems are becoming more reckless. This was demonstrated in December last year when hackers used malware to disrupt emergency shutdown systems at a critical infrastructure firm in the Middle East.

Analysis of the Triton malware by researchers at security company FireEye suggests that the shutdown was unintentional and that it was inadvertently caused while preparing the malware to do physical damage.

The shutdown came as a result of a fail-safe mechanism and no physical damage was done -- but the unpredictable nature of the malware could have resulted in much worse.

"If the intent of the attacking group was to make the plant explode, lives lost by cyber attack could've happened," Jing Xie, senior threat intelligence analyst at Venafi, told ZDNet. "I have no doubt it's just a matter of time that someday cyber attacks will definitely cause direct harm to people," she added.

So what happens when a cyber attack by one nation-state leads to loss of life inside another country?

In 2014, NATO updated its policy so that a serious cyber attack could be covered by Article 5, its collective defence clause. Legal experts have also made it clear that a serious digital attack could be considered to be the equivalent of an armed attack. But what would happen in reality is still uncertain.

"It's been a debate in policy circles for over a decade, if not longer: when does cyber activity cross over into a domain which needs a kinetic response from a military source?" said Jon Condra, director of Asia Pacific Research at Flashpoint.

“The current legal system which exists around war isn't necessarily up to date with this type of problem.”

Read the rest here: https://www.zdnet.com/article/cyberwar-what-happens-when-a-nation-state-issued-cyber-attack-kills/

ISSA-COS NEWS, Volume 7

Membership Update

First, I would like to welcome our new members on behalf of the Chapter! When you’re participating in Chapter activities, please take a moment to introduce yourself to members of the board, me, and other members. Don’t forget to identify yourself as a new member and feel free to ask for help or information. Thanks for joining the Chapter and don’t forget to look for opportunities to lend your expertise to improve the Chapter. We’re always open to new ideas and suggestions.

Our membership is holding at ~470 members as of the end of July. As you’re going about your daily activities, please take the time to engage your colleagues, ask if they’re ISSA members, and if not take a couple of minutes to convince them of the value of becoming a member of our chapter. Word of mouth is our primary method of advertising. If you don’t take the time to tell people of our organization, folks won’t know all the advantages we bring to their professional life.

Renewals are also critical to maintaining our membership. If you are considering not renewing, please talk to me or one of the other board members to help us understand what we can do better to support our membership and retain you as active chapter members.

We have the Peak Cyber (Cyber Security Technology and Training Forum) on 22 and 23 Aug. We also have lots of upcoming activities scheduled in the upcoming months—meetings, training and mini-seminars. Please watch the Newsletter, communications and eVites to ensure you stay aware of what’s going on in the chapter.

As always, if you have any membership questions don’t hesitate to contact me.

Thanks,
David Reed
Membership Committee Chairman
[email protected]

New Members, July:
Jonathan Sneed
Michael Howard
Ty Medler
Robert Carson
Russ Sinkola
Steven Grogger
Thomas Boone
Joel Kane
Darrell Yakel
Karen Perrin
Michael Clark

A Note From Our President (Continued from page 1)

skills needed to determine a network’s resiliency against attacks and use security analyst skills to identify suspicious behavior. Register and attend for a chance to win one of two FREE PenTest+ or CySA+ exam vouchers. This session will help you increase your red team / blue team knowledge. There is no fee to attend this optional program and attendees can earn 3 CEUs for attending the session.

Phoenix TS Strategic Network Security Monitoring with Security Onion. This workshop will cover the collection of threat intelligence using Security Onion, a Linux distribution used for network security monitoring and intrusion detection. You will explore how the analysis tools that comprise Security Onion, like BRO, Snort, Kibana, Sguil, and more, allow an administrator to efficiently work with network data. Whether you are very familiar with Network Security Monitoring or you are new to networking, this session will give you a taste of the tools and data types used to detect unauthorized access or misuse of network resources. There is no fee to attend this optional program and attendees can earn 3 CEUs for attending the session.

Michael J. (MJ) Staggs PHD IS, Certified Forensics Examiner, will provide a lecture/live data demonstration intended to educate the attendee to the level that they comprehend the entire workflow, from evidence seizure to expert testimony. Like all forensic processes, digital examinations follow the rigor of a repeatable, non-repudiable process so that the same result happens every time you follow your workflow and that others may have the same results as well. There is also observation and instinct, visual representations, timelines and associations and connections that lend this process an element of art. There is no fee to attend this optional program and attendees can earn 3 CEUs for attending the session.

EC Council STORM Mobile Security Training Kit Workshop. EC-Council’s Mobile Security Toolkit (better known as the STORM!) is a fully-loaded pen-test platform which comes equipped with a customized distro of Kali loaded onto a portable Raspberry Pi-based touchscreen device. Attendees can earn 6 CEUs for attending the session. Also check out these videos from the one-day Storm Workshop:
VIDEO 1 - https://www.youtube.com/watch?v=65IntFqlL6U
VIDEO 2 - https://www.youtube.com/watch?v=65IntFqlL6U
Please note - there is a separate registration and fee required to attend this workshop. * 15% discount for all ISSA Members, Military, and Government Employees.

Also, join us for a Career Networking and social the evening of August 22nd. Four panelists, representing the four levels of the Cybersecurity Career Lifecycle (Entry, Mid-Career, Senior, Security Leader), will provide insights into cybersecurity career progression and challenges. Attend this evening professional networking/social event to learn more about the cybersecurity career and to network with your colleagues.

Check out this site for more info and to register: https://www.fbcinc.com/e/csttf/. Please register now to guarantee your seat, and the training session you want to attend.

Colleen

Update Your Profile!

Don’t forget to periodically logon to www.issa.org and update your personal information.
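The Security Onion workshop on page 4 is built around the kind of record Bro/Zeek writes to conn.log, one line per connection with the TCP handshake outcome in conn_state. The following is an added example, written for this newsletter and not part of Security Onion or the workshop materials, of the detection logic an analyst would run over such records: it parses the tab-separated conn.log layout from its #fields header and flags any source host whose unanswered or refused connection attempts (S0, REJ, RSTOS0) touched many distinct destination ports, the classic port-scan signature. The log lines, hosts and the five-port threshold are constructed for the example.

```python
"""Port-scan detection over Bro/Zeek conn.log records.

Added example for the Security Onion workshop blurb; illustrative code
written for this newsletter, not Security Onion's own tooling. The log
lines below are constructed for the example and follow the tab-separated
conn.log layout (a #fields header naming each column).
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 probes many ports on 10.0.0.20 and mostly
# gets no SYN-ACK (S0) or a reset (REJ); 10.0.0.7 is ordinary traffic.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
1533000000.10\tCx1\t10.0.0.5\t51000\t10.0.0.20\t21\ttcp\t-\tS0
1533000000.11\tCx2\t10.0.0.5\t51001\t10.0.0.20\t22\ttcp\t-\tS0
1533000000.12\tCx3\t10.0.0.5\t51002\t10.0.0.20\t23\ttcp\t-\tREJ
1533000000.13\tCx4\t10.0.0.5\t51003\t10.0.0.20\t25\ttcp\t-\tS0
1533000000.14\tCx5\t10.0.0.5\t51004\t10.0.0.20\t80\ttcp\thttp\tSF
1533000000.15\tCx6\t10.0.0.5\t51005\t10.0.0.20\t443\ttcp\t-\tS0
1533000000.16\tCx7\t10.0.0.5\t51006\t10.0.0.20\t445\ttcp\t-\tREJ
1533000000.17\tCx8\t10.0.0.5\t51007\t10.0.0.20\t3389\ttcp\t-\tS0
1533000001.00\tCx9\t10.0.0.7\t49152\t10.0.0.20\t443\ttcp\tssl\tSF
1533000002.00\tCxA\t10.0.0.7\t49153\t10.0.0.20\t80\ttcp\thttp\tSF
1533000003.00\tCxB\t10.0.0.7\t49154\t10.0.0.20\t22\ttcp\tssh\tS0
"""

# conn_state values meaning the handshake never completed from the
# originator's side: SYN unanswered, SYN refused, or reset after SYN.
FAILED_STATES = {"S0", "REJ", "RSTOS0"}


def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("conn.log data appeared before the #fields header")
        yield dict(zip(fields, line.split("\t")))


def find_port_scanners(records, min_failed_ports=5):
    """Return {orig_h: sorted distinct failed resp_p} for every source host
    whose failed TCP attempts hit at least min_failed_ports distinct ports."""
    failed = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["conn_state"] in FAILED_STATES:
            failed[r["id.orig_h"]].add(int(r["id.resp_p"]))
    return {h: sorted(p) for h, p in failed.items() if len(p) >= min_failed_ports}


if __name__ == "__main__":
    for host, ports in find_port_scanners(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"possible scan from {host}: {len(ports)} failed ports {ports}")
```

The single S0 from 10.0.0.7 stays below the threshold, which is the point of counting distinct ports rather than raw failures: one timed-out SSH attempt is noise, eight ports in a second is reconnaissance. On a real sensor the same logic would read the live conn.log, add a time window, and feed the result to Sguil or Kibana as an alert.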

The 10 airports where your phone is most likely to get hacked

By Alison DeNisco Rayome, Tech Republic, July 18, 2018

Business travelers beware: Connecting your company device to airport Wi-Fi networks could open up a host of cybersecurity issues. While this is a risk on any insecure Wi-Fi network, some airports have more vulnerabilities than others, according to a Wednesday report from Coronet, and professionals should take extra caution when traveling through them.

It's much easier for attackers to access and exploit data from devices connected to airport Wi-Fi than to do so within the confines of a well-protected office, the report noted. Hackers can use the poor cyber hygiene and insecure Wi-Fi at many airports to inject advanced network vulnerabilities like captive portals, Evil Twins, ARP poisoning, VPN gaps, honeypots, and compromised routers.

Any of these network vulnerabilities could allow an attacker to access credentials for Microsoft Office 365, G Suite, Dropbox, and other cloud apps, or to deliver malware to the device and the cloud, the report found. The attacks could also potentially give adversaries access to the entire organization, leading to damages like operational disruption and financial losses.

"Far too many U.S. airports have sacrificed the security of their Wi-Fi networks for consumer convenience," Dror Liwer, Coronet's founder and CISO, said in a press release. "As a result, business travelers in particular put not just their devices, but their company's entire digital infrastructure at risk every time they connect to Wi-Fi that is unencrypted, unsecured or improperly configured. Until such time when airports take responsibility and improve their cybersecurity posture, the accountability is on each individual flyer to be aware of the risks and take the appropriate steps to minimize the danger."

The report collected data from more than 250,000 consumer and corporate endpoints that traveled through the 45 busiest airports in the US over the course of five months, and analyzed the device vulnerabilities and Wi-Fi network risks to assign each airport a threat score. Coronet classified any score above 6.5 as unacceptable exposure. Here are the least cybersecure airports in America, according to the report:

Read the rest here: https://www.techrepublic.com/article/the-10-airports-where-your-phone-is-most-likely-to-get-hacked/

ISSA Nametags

Do you want an ISSA nametag for your very own to wear to meetings, conferences, and events? You can now order/pick up yours directly from:

Blue Ribbon Trophies & Awards
245 E Taylor St (behind Johnny’s Navajo Hogan on North Nevada)
Colorado Springs
(719) 260-9911

Although their hours are officially Monday through Friday until 5:30 pm, they are occasionally in the shop on Saturdays. This is a small business so cash/check would be appreciated. Email [email protected] to order.

SANS IS COMING TO THE SPRINGS!

SEC560: Network Penetration Testing and Ethical Hacking

As a cybersecurity professional, you have a unique responsibility to find and understand your organization's vulnerabilities and to work diligently to mitigate them before the bad guys pounce. Are you ready? SEC560, the flagship SANS course for penetration testing, fully arms you to address this duty head-on.

THE MUST-HAVE COURSE FOR EVERY WELL-ROUNDED SECURITY PROFESSIONAL

With comprehensive coverage of tools, techniques, and methodologies for network penetration testing, SEC560 truly prepares you to conduct high-value penetration testing projects step-by-step and end-to-end. Every organization needs skilled information security personnel who can find vulnerabilities and mitigate their effects, and this entire course is specially designed to get you ready for that role. The course starts with proper planning, scoping and recon, then dives deep into scanning, target exploitation, password attacks, and web app manipulation, with over 30 detailed hands-on labs throughout. The course is chock full of practical, real-world tips from some of the world's best penetration testers to help you do your job safely, efficiently...and masterfully.

LEARN THE BEST WAYS TO TEST YOUR OWN SYSTEMS BEFORE THE BAD GUYS ATTACK

SEC560 is designed to get you ready to conduct a full-scale, high-value penetration test - and on the last day of the course you'll do just that. After building your skills in comprehensive and challenging labs over five days, the course culminates with a final full-day, real-world penetration test scenario. You'll conduct an end-to-end pen test, applying knowledge, tools, and principles from throughout the course as you discover and exploit vulnerabilities in a realistic sample target organization, demonstrating the knowledge you've mastered in this course.

EQUIPPING SECURITY ORGANIZATIONS WITH COMPREHENSIVE PENETRATION TESTING AND ETHICAL HACKING KNOW-HOW

You will learn how to perform detailed reconnaissance, studying a target's infrastructure by mining blogs, search engines, social networking sites, and other Internet and intranet infrastructures. Our hands-on labs will equip you to scan target networks using best-of-breed tools. We won't just cover run-of-the-mill options and configurations, we'll also go over the lesser known but super-useful capabilities of the best pen test toolsets available today. After scanning, you'll learn dozens of methods for exploiting target systems to gain access and measure real business risk. You'll dive deep into post-exploitation, password attacks, and web apps, pivoting through the target environment to model the attacks of real-world bad guys to emphasize the importance of defense in depth.

Go here for more information: https://www.sans.org/community/event/sec560-colorado-springs-54890


U.S. charges three Ukrainians in payment card hacking spree

By Christopher Bing and Karen Freifeld, Reuters, August 1, 2018

Three Ukrainians have been arrested on criminal hacking charges including stealing payment card numbers, in attacks on more than 100 U.S. companies that cost businesses tens of millions of dollars, the U.S. Justice Department said on Wednesday.

U.S. prosecutors alleged that the three Ukrainians, who were arrested in Europe between January and June, are members of FIN7, a notorious cybercrime gang.

Victims include the Chipotle Mexican Grill, Emerald Queen Hotel and Casino in Washington state, Jason’s Deli, Red Robin Gourmet Burgers, Sonic Drive-in and Taco John’s, according to the Justice Department. The Emerald Queen stopped the attack and no customer data was stolen, prosecutors said in a press release.

FIN7 has previously been linked to breaches of Trump Hotels, Whole Foods, Saks Fifth Avenue and Lord & Taylor, according to cyber security firm Trend Micro.

One of the three defendants, Fedir Hladyr, 33, has been transferred to Seattle from Dresden, Germany, where he was arrested. Authorities said they are seeking the extradition of the other two: Dmytro Fedorov, 44, and Andrii Kolpakov, 30.

Hladyr has pleaded not guilty and denies wrongdoing, according to his attorney, Arkady Bukh. “There is no clear decision at this time whether (we) will go to trial or will consider a plea,” Bukh said via email. Reuters could not reach lawyers for the other two.

The three stole and sold payment card numbers and other data belonging to U.S. citizens and businesses, Assistant Attorney General Brian Benczkowski said in a statement.

FIN7 sent “phishing” emails to companies, sometimes following up with phone calls urging employees to open tainted attachments, the indictments said. Ukrainian officials could not be reached for comment.

FIN7, also widely known as Carbanak, employs dozens of individuals who handle highly specialized tasks such as breaking into networks, stealing payment card numbers and selling stolen data on underground criminal forums, said Adrian Nish, head of threat intelligence with BAE Systems.

The defendants used a front company named “Combi Security” that claims to have offices in Moscow, Haifa and Odessa, to launch some intrusions, according to court documents. Combi Security’s website describes it as an expert “in the field of comprehensive protection of large information systems from modern cyber threats.”

Cybersecurity firm FireEye said it found job advertisements for Combi Security posted to several different Russian, Ukrainian and Uzbek job recruitment websites.

Read the rest here: https://www.reuters.com/article/us-usa-cyber-arrests-ukraine/us-to-announce-arrest-of-ukrainian-hackers-sources-idUSKBN1KM5IU

Vulnerability Spotlight: Multiple Vulnerabilities in Samsung SmartThings Hub

By Staff, Talos, July 26, 2018

Cisco Talos recently discovered several vulnerabilities present within the firmware of the Samsung SmartThings Hub. In accordance with our coordinated disclosure policy, Cisco Talos has worked with Samsung to ensure that these issues have been resolved and that a firmware update has been made available for affected customers. These vulnerabilities could allow an attacker to execute OS commands or other arbitrary code on affected devices.

The SmartThings Hub is a central controller that monitors and manages various internet-of-things (IoT) devices such as smart plugs, LED light bulbs, thermostats, cameras, and more that would typically be deployed in a smart home. The SmartThings Hub functions as a centralized controller for these devices and allows users to remotely connect to and manage these devices using a smartphone. The firmware running on the SmartThings Hub is Linux-based and allows for communications with IoT devices using a variety of different technologies such as Ethernet, Zigbee, Z-Wave and Bluetooth.

Given that these devices often gather sensitive information, the discovered vulnerabilities could be leveraged to give an attacker the ability to obtain access to this information, monitor and control devices within the home, or otherwise perform unauthorized activities. Some example scenarios are listed below:

• Smart locks controlled by the SmartThings Hub could be unlocked, allowing for physical access to the home.
• Cameras deployed within the home could be used to remotely monitor occupants.
• The motion detectors used by the home alarm system could be disabled.
• Smart plugs could be controlled to turn off or on different things that may be connected.
• Thermostats could be controlled by unauthorized attackers.
• Attackers could cause physical damage to appliances or other devices that may be connected to smart plugs deployed within the smart home.

Given the wide range of possible deployments of these devices, this is not a complete list of different scenarios. Cisco Talos recommends ensuring that affected SmartThings Hubs are updated to the latest version of firmware to ensure that these vulnerabilities are addressed.

Exploitation

In total, Talos found 20 vulnerabilities in the Samsung SmartThings Hub. These vulnerabilities vary in the level of access required by an attacker to exploit them and the level of access they give an attacker. In isolation, some of these might be hard to exploit, but together they can be combined into a significant attack on the device. While we discuss all 20 of these vulnerabilities later in this blog post, in this section we will discuss how an attacker can chain together three vulnerability classes that are present in the device to gain complete control of the device.

Chains

It is possible to gather the set of preconditions needed to exploit bugs that would otherwise be unreachable by using multiple vulnerabilities. This is commonly referred to as "chaining." When considering the severity of vulnerabilities, it is essential to keep in mind that they might be used as part of a chain, as this would significantly elevate their severity. We identified three notable chains, the last of which allows for remotely compromising the device without prior authentication:

A. Remote code execution: TALOS-2018-0556 describes a post-auth vulnerability that allows for the execution of arbitrary SQL queries against a database inside the device. When used alone, it only allows for altering the whole database. However, TALOS-2018-0557, TALOS-2018-0576, TALOS-2018-0581 and TALOS-2018-0583 describe a set of memory corruption vulnerabilities that allow for executing arbitrary code, assuming the attacker is capable of issuing arbitrary SQL queries. Since TALOS-2018-0556 provides this capability, they can be chained together to achieve code execution from the network.

Note, however, that this list is not exhaustive, as other combinations may be viable.

Read the rest here: https://blog.talosintelligence.com/2018/07/samsung-smartthings-vulns.html
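The first link in chain A above is summarised as "execution of arbitrary SQL queries against a database inside the device". The block below is an added example for this newsletter, not the SmartThings firmware and not Talos's proof of concept: a generic illustration of how that vulnerability class arises when one attacker-controlled field is concatenated into a statement, beside the parameterised form that removes it. The handler, table, device names and payload are all constructed for the example. The vulnerable version runs the built string through sqlite's multi-statement script call so that the appended statement actually executes, which is what happens when a C firmware component hands a concatenated string to sqlite3_exec.

```python
"""String-built SQL beside its parameterised form.

Added example for the "arbitrary SQL queries" link of the chain discussed
above. Illustrative code written for this newsletter; not the SmartThings
firmware or Talos's exploit. Table, rows and payload are constructed.
"""
import sqlite3


def make_db():
    """In-memory table standing in for a device's local settings store."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, enabled INTEGER);"
        "INSERT INTO devices VALUES (1, 'front-door-lock', 1),"
        " (2, 'hallway-camera', 1), (3, 'garage-plug', 1);"
    )
    return db


def rename_device_vulnerable(db, device_id, new_name):
    """Hypothetical vulnerable handler: the caller-supplied name is spliced
    straight into the statement, so a quote character ends the string
    literal and whatever follows is executed as SQL. executescript runs
    every statement in the string, as sqlite3_exec does in C."""
    sql = f"UPDATE devices SET name = '{new_name}' WHERE id = {int(device_id)}"
    db.executescript(sql)
    db.commit()


def rename_device_fixed(db, device_id, new_name):
    """Hardened handler: placeholders are bound by the driver, so the input
    is only ever data and can never become part of the statement."""
    db.execute("UPDATE devices SET name = ? WHERE id = ?", (new_name, int(device_id)))
    db.commit()


def enabled_count(db):
    return db.execute("SELECT COUNT(*) FROM devices WHERE enabled = 1").fetchone()[0]


def device_name(db, device_id):
    return db.execute("SELECT name FROM devices WHERE id = ?", (device_id,)).fetchone()[0]


# Constructed attacker input: closes the string literal, appends a
# statement that alters every row (the "altering the whole database"
# effect named above), then comments out the rest of the original query.
PAYLOAD = "x'; UPDATE devices SET enabled = 0; --"


def demo():
    """Feed the same input to both handlers. Returns the number of devices
    each left enabled, plus what the fixed handler stored as the name."""
    vuln_db, fixed_db = make_db(), make_db()
    rename_device_vulnerable(vuln_db, 3, PAYLOAD)
    rename_device_fixed(fixed_db, 3, PAYLOAD)
    return enabled_count(vuln_db), enabled_count(fixed_db), device_name(fixed_db, 3)


if __name__ == "__main__":
    vuln, fixed, name = demo()
    print(f"vulnerable handler left {vuln} devices enabled; fixed handler left {fixed}")
    print(f"fixed handler stored the payload literally as the name: {name!r}")
```

With the vulnerable handler the payload disables every device, including the lock and the camera, from a request that was only supposed to rename one smart plug; the hardened handler stores the same bytes as an odd-looking name and nothing else. Binding parameters is the fix for this link of the chain; it does not, on its own, do anything about the memory-corruption bugs the page says sit behind it, which need their own bounds checks.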

Russian Hackers Appear to Shift Focus to U.S. Power Grid

By David E. Sanger, New York Times, July 27, 2018

State-sponsored Russian hackers appear far more interested this year in demonstrating that they can disrupt the American electric utility grid than the midterm elections, according to intelligence officials and technology company executives.

Despite attempts to infiltrate the online accounts of two Senate Democrats up for re-election, intelligence officials said they have seen little activity by Russian military hackers aimed at either major American political figures or state voter registration systems.

By comparison, according to intelligence officials and executives of the companies that oversee the world’s computer networks, there is surprisingly far more effort directed at implanting malware in the electrical grid. The officials spoke on the condition of anonymity to discuss intelligence findings, but their conclusions were confirmed by several executives of technology and technology security firms.

This week, the Department of Homeland Security reported that over the last year, Russia’s military intelligence agency had infiltrated the control rooms of power plants across the United States. In theory, that could enable it to take control of parts of the grid by remote control.

While the department cited “hundreds of victims” of the attacks, far more than they had previously acknowledged, there is no evidence that the hackers tried to take over the plants, as Russian actors did in Ukraine in 2015 and 2016. In interviews, American intelligence officials said that the department had understated the scope of the threat.

So far the White House has said little about the intrusions other than raise the fear of such breaches to maintain old coal plants in case they are needed to recover from a major attack.

On Friday, President Trump was briefed on government efforts to protect the coming midterm elections from what a White House statement described as “malign foreign actors.” It said it was giving cybersecurity support to state and local governments to protect their election systems.

“The president has made it clear that his administration will not tolerate foreign interference in our elections from any nation state to other malicious actors,” the statement said.

It is possible that Russian hackers are holding their fire until closer to Election Day in November. Given the indictments this month of 12 Russian military officers who are accused of American election interference, the agency once known as the G.R.U. may be all too aware it is being closely watched by the National Security Agency and other American intelligence services.

But that has not completely deterred Russia’s intelligence agencies from targeting politicians. Microsoft announced at a security conference last week that it stopped an attack last fall aimed at congressional staff offices. While the company did not identify who was targeted, Senator Claire McCaskill, Democrat of Missouri, who faces a tight race for re-election, said on Thursday night that her office had been struck in what she called an unsuccessful attack. She acknowledged the breach only after The Daily Beast identified her as one of the lawmakers whose offices had been the target of an effort to obtain passwords.

Read the rest here: https://www.nytimes.com/2018/07/27/us/politics/russian-hackers-electric-grid-elections.html?emc=edit_th_180728&nl=todaysheadlines&nlid=10437390728

Building a sound security strategy for an energy sector company

By Zeljka Zorz, HelpNet Security, July 30, 2018

As more and more attacks against companies working in the energy sector become public, it is becoming increasingly clear that those systems are far from impermeable. And it’s not just state-sponsored attackers that are looking for a way in: opportunistic cyber crooks wielding crypto-miners and ransomware don’t care where the target computer is located or what systems they will disrupt.

It’s no wonder, then, that 70 percent of energy security professionals are concerned that a successful cyberattack could cause a catastrophic failure.

“Energy and industrial automation companies have to deal with a distinct array of cyber threats—including not only traditional IT concerns but also a range of operational technology (OT) related endpoints, e.g. programmable logic controllers (PLCs) and industrial I/O modules that do not appear in a typical IT environment. These include well-known OT protocols such as Modbus or DNP3, but also a variety of lesser-known, often proprietary protocols,” says Gary Williams, Senior Director of Cybersecurity Services Offer Management at Schneider Electric, the European energy management and automation solutions giant.

“While the OT energy space is full of many connected devices unique to industry, the attack vectors and hacking approaches are surprisingly similar to any cyberattack in other industries. For example, ransomware arrives most often via phishing emails, and Trojans embedded into OT devices still require credentialed access to the network, so proper defense should start with the human interacting with the system and include the implementation of appropriate behaviors and site security practices.”

Minimizing risk

CISOs working in energy and industrial organizations have to understand the cybersecurity risks they are facing and pinpoint the things that need to be protected.

“Experts who have the best knowledge of the plant and its systems can provide a ‘cold eyes’ review to help new CISOs develop a picture of what vulnerabilities they have and how serious they are,” Williams advises.

To quantify risk in an energy organization, CISOs should focus on the likelihood and severity of an attack. The Common Vulnerability Scoring System (CVSS) can help with that, as it provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.

“Security leaders should use CVSS to establish how seriously at risk different elements of the plant are, then match that up to the potential of the loss of that element in the plant. To do this, they will need subject-matter experts on plant operations to contribute to the overall plant risk management strategy and cybersecurity assessment,” he notes.

The most severe risks must, naturally, be addressed first, and resources need to be focused where they will have the most significant effect.

Should the company invest in cybersecurity insurance?

In the energy sector, delivering energy profitably to customers is the primary mission. This makes it crucial to keep the business in operation even through a cyberattack.

“While cybersecurity insurance is a crucial part of the overall risk management plan, it alone will not bring business continuity,” Williams points out. “Also, insurance may cover a monetary loss, but it does not include the loss of reputation or other damage that would result from a loss of service.”

What CISOs should do is make sure they are working with employees to reduce threat exposure.

Security is part of the operations lifecycle, incorporating stronger employee training to plug every hole. This includes everything from heightened personnel screening requirements to regularly reviewing and assessing site and system security protocols to ensure antivirus software is always up to date.

Read the rest here: https://www.helpnetsecurity.com/2018/07/30/security-strategy-energy-sector-company/

ISSA-COS NEWS VOLUME 7 NUMBER 8

Pentagon Creates ‘Do Not Buy’ List of Russian, Chinese Software

By Marcus Weisgerber, DefenseOne, July 27, 2018

The Pentagon is warning the military and its contractors not to use software it deems to have Russian and Chinese connections, according to the U.S. Defense Department’s acquisition chief. Officials have begun circulating a “Do Not Buy” list of software that does not meet “national security standards,” Ellen Lord, defense undersecretary for acquisition and sustainment, said Friday.

“We had specific issues … that caused us to focus on this,” Lord told reporters at the Pentagon. “What we are doing is making sure that we do not buy software that’s Russian or Chinese provenance,” she said. “Quite often that’s difficult to tell at first glance because of holding companies.”

The Pentagon started compiling the list about six months ago. Suspicious companies are put on a list that is circulated to the military’s software buyers. Now the Pentagon is working with the three major defense industry trade associations — the Aerospace Industries Association, National Defense Industrial Association and Professional Services Council — to alert contractors small and large. “It’s a huge education process,” Lord said.

Lord said defense officials have also been working with the intelligence community to identify “certain companies that do not operate in a way consistent with what we have for defense standard.” Asked if programs and weapons were compromised by foreign software, Lord said, “These are more widespread issues. I don’t think we’re focused on one particular system.”

The intelligence community (IC) has grown increasingly concerned about foreign entities compromising U.S. software. This compromising activity can take several forms, as described by a new report from the National Counterintelligence and Security Center, an unclassified version of which was released on Thursday. For example, Chinese businesses have been eagerly investing in American startups that work in artificial intelligence. The report also notes that U.S. companies that want to sell software abroad are often required to allow foreign intelligence services to examine their source code. This may allow the foreign governments to discover vulnerabilities that can be exploited later on.

“Recent Chinese laws—including laws on national security and cybersecurity—provide Beijing a legal basis to compel technology companies operating in China to cooperate with Chinese security services,” notes the new report. Russia has similar laws. Last June, Reuters reported that IBM, Cisco, and Germany’s SAP had allowed the FSB, a Russian intelligence service, to examine key source code in various software products. In October, Reuters said the scrutiny had been extended to an HP Enterprise product called ArcSight, described as a “cybersecurity nerve center for much of the U.S. military, alerting analysts when it detects that computer systems may have come under attack.”

“If a U.S.-based company wants to go into China and facilitate and enlarge their business from a global perspective, they have to hand over source code and when they get online, they’re working with not only that company in China, but what — the PLA and the MSS, right?” said William Evanina, who directs the National Counterintelligence and Security Center. “So it’s an unfair playing advantage, and the metaphor I would use is: could you imagine if a company coming to do business in the U.S. had to deal with not only our government, but CIA, NSA, the Department of Commerce, Treasury, as well as maybe some U.S.-based oligarchs, right? It’s just foreign to us, but that’s part of the understanding that we need to have, the understanding that when they globalize their goods and services, that we’re at an unfair advantage in those countries,” Evanina said.

Last October, a Pentagon spokesperson told Defense One that there was no specific prohibition to prevent the department from buying software that the Russian intelligence service had looked through.

Said Lord, “It really speaks to cybersecurity writ large…It’s one of our greatest concerns right now. This is a challenge for us in terms of how to deal with the industrial base, particularly small companies that don’t always have the resources. It’s more making sure we have secure systems overall for our data and information.”

Read the rest here: https://www.defenseone.com/threats/2018/07/pentagon-creates-do-not-buy-list-russian-chinese-software/150100/?oref=d-topstory

If by Free You Mean Personally Liable…

By Al Alper, Total Security Daily Advisor, July 12, 2018

A recent article in The Wall Street Journal exposes just how insecure free e-mail services like GMail, Yahoo, and AOL are. In fact, what the article demonstrates is that if you are a business that is required to protect personal information and you are using GMail or one of these services to conduct business, then you are violating privacy laws and are seriously exposed. The risk is serious, and it cannot be overstated.

Here’s the issue. Google, Yahoo, etc., and any software developer working with any of these free e-mail services (and there are hundreds of thousands of them) have the ability to read a user’s e-mails, according to a report in The Wall Street Journal. And Google doesn’t even hide it! In a statement made to the WSJ, Google said that its employees examine e-mails only “in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse.” And that’s just Google; the software developers who work with Google may or may not have these same requirements, but they have full access to your e-mails! Not only do these developers use computers to scan inboxes to determine trends in what users read, the developers’ employees have been poking around your e-mail as well.

And, while giving employees access to e-mails that users don’t know another human is reading has long been a “common practice” for companies that collect this type of data, the fact that it is now reported on and in the public domain makes you and your company liable if personal information is breached. Why?

Because regulations like the New York State Department of Financial Services’ first-in-the-nation cybersecurity regulation, HIPAA or the European Union’s General Data Protection Regulation (GDPR) now make you liable and force you to pay dearly; and not just if the personal information is breached but for not protecting that information from a breach in the first place!

Read the rest here: https://www.marketwatch.com/Story/a-new-data-breach-may-have-exposed-personal-information-of-almost-every-american-adult-2018-06-27?&siteid=yhoof2&yptr=yahoo

Facebook Fail as 100+ Cybercrime Groups are Found on Site

By Phil Muncaster, InfoSecurity magazine, April 17, 2018

Facebook has deleted over 100 private discussion groups revealed to have been facilitating identity and cybercrime for years on the platform. Journalist Brian Krebs claimed to have found the groups after searching for just a couple of hours last week. He said they covered a broad range of illicit activity including DDoS-for-hire, carding, 419 scams and botnet creation tools — with over 300,000 members signed up.

Most were easily identifiable by group names such as “botnet helpdesk” and “tax refund fraud” and had been active on the social network for an average of two years — with 10% having lasted for over four years without being discovered, reported, or shut down. Krebs claimed that he only sought out groups operating in English language and with over 25 members.

“As such, there may well be hundreds or thousands of other groups who openly promote fraud as their purpose of membership but which achieve greater stealth by masking their intent with variations on or misspellings of different cyber fraud slang terms,” he argued.

Although the groups blatantly abused Facebook’s community standards policy regarding the promotion of illegal goods and services, the social network appears to have had no automated way to check and investigate such activity, relying primarily on users to report violations.

Read the rest here: https://www.infosecurity-magazine.com/news/facebook-fail-100-cybercrime/

A desperate hacker tried selling US military files for $150 — only to find no one wanted them

By David Choi, MSN, July 11, 2018

A hacker who got ahold of sensitive US military documents tried to sell them on a dark-web forum — only to find there were no buyers. The hacker was forced to lower his price to $150.

After a team of undercover analysts from Recorded Future's Insikt Group embedded themselves with users from the dark-web forum, they came across the hacker who exploited a simple vulnerability on Netgear-brand routers. Through this exploit, the hacker gained access to documents belonging to a US Air Force service member stationed at the Creech Air Force Base in Nevada, and documents belonging to another service member believed to be in the US Army.

The sensitive files included a maintenance manual for the MQ-9A Reaper drone, a list of airmen assigned to a Reaper drone unit, manuals on how to suppress improvised explosive devices, and an M1 Abrams tank manual. Although the materials do not appear to be classified, the information was still prohibited from being "released to another nation without specific authority" and was intended for "military purposes only." The hacker also tapped into live footage of surveillance cameras at the US-Mexico border and NASA bases, and an MQ-1 Predator flying over the Gulf of Mexico.

The hacker claimed to have stolen "classified" information from the Pentagon, but Insikt Group's analysts say their interactions with the hacker painted a less sophisticated picture. After building a rapport with other users on the dark-web forum, analysts chatted with the hacker and discovered he possessed "above amateur" abilities and may have been part of a group within a larger group.

"I wouldn't say that they possess skills of highly advanced threat-actors," Andrei Barysevich, a researcher at Recorded Future, told Business Insider. "They have enough knowledge to realize the potential of a very simple vulnerability and use it consistently."

Analysts say they have a "good level of confidence" in the hacker's identity, and are coordinating with Homeland Security officials in their investigation. A DHS representative declined to comment on the matter and the affected Air Force drone unit did not respond to requests for comment.

He didn't fear the Reaper

The hacker may not have been fully aware of the nature of the information he possessed. At one point, he complained that he was unable to find interested buyers for the files — which he believed were highly valuable. He ultimately lowered his price. "I expect about $150 or $200 for being classified information," he said, according to a transcript.

In an attempt to make a quick sale, he was also "proactive in giving" samples to analysts, which in turn allowed them to determine whom the documents were stolen from. "[It] clearly shows he had no knowledge of how much this data may cost and where and whom to sell it to," analyst Barysevich said. "He was attempting to get rid of it as soon as possible."

After Barysevich's team alerted US officials, the vulnerable computers were taken offline. That move ultimately cut off the hacker's access to the files. The hacker, who is believed to live in a poverty-stricken country in South America, said his internet connection was slow and that, because his bandwidth was limited, he did not download as much information as he had hoped to, prior to finding a willing buyer. Instead, he relied on screenshots and shared them with the analysts, who say they believe he was still unable to find a buyer.

A password impasse

The Netgear router vulnerability, which dates back to 2016, allowed hackers to access private files remotely if a user's password is outdated. Despite several firmware updates and countless news articles on the subject, thousands of routers remain vulnerable.

Read the rest here: https://www.msn.com/en-us/news/us/a-desperate-hacker-tried-selling-us-military-files-for-dollar150-%E2%80%94-only-to-find-no-one-wanted-them/ar-AAzUrEE?li=BBnb7Kz


Beyond corporate cybersecurity

By Kelli Kedis Ogborn, The Washington Times, July 11, 2018

Cybersecurity presents an unprecedented risk costing companies billions of dollars in market valuation, lost revenue and expenses. Every 39 seconds, there is a cyberattack and 64 percent of companies have experienced a web-based attack. As the world becomes more interconnected, we make ourselves more vulnerable. More than 85 percent of the Internet belongs to the private sector and it’s estimated that by 2020 there will be roughly 200 billion connected devices, creating risks and vulnerabilities in areas we haven’t considered before. Additionally, while the rise of teleworking has been revolutionary from an efficiency and cost perspective, it also means that more data is potentially exposed on employees’ devices, creating another landscape that needs to be protected.

Spectacular data breaches and hacking undermine trust in the fundamental institutions of our society and democracy. Even though global spending in cybersecurity is set to reach $1 trillion between 2017-2021, many companies admit they feel underprepared to deal with sophisticated cyberattacks and that most efforts are treated as an afterthought or simply an IT problem. Leadership of every company should make cybersecurity a top priority; the sake of their company, its shareholders, this country and their jobs depend on it. The cost of a major cyberattack could be on par with a major natural disaster, but rather than being “acts of God,” cyberattacks can be prevented and disrupted. It is believed that on average, the cost of a data breach by the year 2020 will exceed $150 million and that number will only continue to climb as most business infrastructure becomes connected.

The major challenge is that we are not simply dealing with basement hackers. The breaches are sophisticated and often conducted by state-sponsored actors backed by adversarial foreign governments. These governments are not simply employing cyberattacks as a means of spying, but actively supporting hackers to target the commercial sector in rival countries to create chaos and disruption. Russian-backed hackers sought to influence elections in the United States and . The Chinese military has carried out multiple cyberattacks against U.S. companies. State-backed Iranian hackers conducted an attack aimed at denying services to U.S. banks, while not directly attacking the banks themselves.

The fact of the matter is many of our adversaries, looking to destabilize and create chaos for the American economy and military, are looking for asymmetric advantages against the United States. Vulnerable IT systems in the private sector could provide such an opening and as such should be considered part of our national security strategy. National defense and the private sector are not as segregated as you think. Economic issues are security issues. Let’s assume there is a major attack on our banks and the entire banking system is down for 24-48 hours, leaving everyone without access to capital, or that the power grid is destabilized, plunging entire cities into darkness without any electricity. These kinds of attacks create short-term chaos but can have lasting long-term economic effects that will cost billions of dollars and take years to recover from. Additionally, commercial cyberattacks affect military readiness, as much of our military relies on the private sector for staffing, technology development, logistics and acquisitions.

When dealing with sophisticated state-sponsored actors, we cannot paper over a problem with a Band-Aid solution. Rather than reinvent the wheel, we should adopt and integrate military-grade capabilities and best practices to protect our commercial networks. The way companies structure and monitor their networks is the first important step toward protecting against outsider threats. Network segmentation should be employed to separate and compartmentalize a company’s most important information. Utilizing advanced analytics to track and identify network anomalies and hidden threats is also key to catching small vulnerabilities before they become massive data leaks.

Even the best-run networks can fall victim to hacks as a result of user error or malicious intent. Therefore, training employees in best cybersecurity practices and letting them know the consequences if they are responsible for a hack is just as important as having a well-built network backed by military-grade hardware. Employees with security clearances know the significant consequences of their actions and those handling sensitive information at a corporate level should be similarly aware.

Read the rest here: https://www.washingtontimes.com/news/2018/jul/11/by-2020-there-may-be-200-billion-connected-devices/

NIST hosting CUI Security Requirements Workshop - Oct 18, 2018

By Staff, NIST, July 17, 2018

On Thursday, October 18, 2018, the National Institute of Standards and Technology (NIST), in coordination with the Department of Defense (DoD) and the National Archives and Records Administration (NARA), is hosting an informational workshop providing an overview of Controlled Unclassified Information (CUI), the Defense Federal Acquisition Regulation Supplement (DFARS) Safeguarding Covered Defense Information and Cyber Incident Reporting clause, and NIST Special Publications 800-171 and 800-171A.

The CUI Security Requirements Workshop is open to all interested stakeholders and is free to attend. The workshop will also be available via webcast; advance registration is not required for the webcast. Additional information about the webcast will be available at a later date on the event website. The workshop will be hosted at NIST in Gaithersburg, MD. A draft agenda is available and in-person registration is now open! See: https://www.nist.gov/news-events/events/2018/10/controlled-unclassified-information-security-requirements-workshop

• For registration questions, contact Pauline Truong ([email protected]).
• For technical questions, contact Vicky Yan Pillitteri ([email protected]).

Google: Security Keys Neutralized Employee Phishing By Brian Krebs, Krebs on Security, July 23, 2018 Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device). A Google spokesperson said Security Keys now form the basis of all account access at Google. “We have had no reported or confirmed account takeovers since implementing security keys at Google,” the spokesperson said. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.” The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor. The most common forms of 2FA require the user to supplement a password with a one-time code sent to their mobile device via text message or an app. Indeed, prior to 2017 Google employees also relied on one-time codes generated by a mobile app — Google Authenticator. In contrast, a Security Key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers. 
Once a device is enrolled for a specific Web site that supports Security Keys, the user no longer needs to enter their password at that site (unless they try to access the same account from a different device, in which case it will ask the user to insert their key).

Read the rest here: https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/

Additional photographs are available on the ISSA-COS.ORG website. ISSA photos are courtesy of our Chapter Photographer, Warren Pearce.

Information Systems Security Association
Developing and Connecting Cybersecurity Leaders Globally
Colorado Springs Chapter
WWW.ISSA-COS.ORG

The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members. The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity, and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved. Members include practitioners at all levels of the security field in a broad range of industries such as communications, education, healthcare, manufacturing, financial, and government.

Chapter Officers:
President: Colleen Murphy
Executive Vice President: Scott Frisch
Vice President: Ernest Campos
Vice President of Membership: David Reed
• Deputy VP Membership: Melissa Absher
Vice President of Training: Mark Heinrich
• Deputy VP Training: Susan Ross
Treasurer: Mark Maluschka
• Deputy Treasurer: Vacant
Communications Officer: Anna Johnston
• Dep. Communications Officer: Christine Mack
Recorder/Historian: Erik Huffman
• Deputy Recorder/Historian: Vacant
Member at Large: James Asimah
Member at Large: Dawn Wellein
Member at Large: Bill Blake
Member at Large: Jim Blake
Dir. of Certification: Derek Isaacs
• Dep Dir Certifications: Kurt Danis
Dir. of Professional Outreach: Patrice Siravo
• Dep Dir. of Professional Outreach: June Shores

Committee Chairs:
Ethics: Tim Westland
IT Committee: Bill Welker
Mentorship: Melissa Absher
Recognition: Erik Huffman
Sponsorship: Ernest Campos
Transformation: Ernest Campos
Newsletter: Don Creamer

Past Senior Leadership
President Emeritus: Dr. George J. Proeller
President Emeritus: Mark Spencer
Past President: Frank Gearhart
Past President: Cindy Thornburg
Past President: Pat Laverty

Article for the Newsletter?
If you would like to submit an article... Do you have something that the Colorado Springs ISSA community should know about? Tell us about it! We are always looking for articles that may be of interest to the broader Colorado Springs cyber community. Send your article ideas to Don Creamer at: [email protected] Ensure that “Newsletter” is in the subject line. Looking forward to seeing you in print!

Hackers Reportedly Stole 600 Gallons of Gas From Detroit Gas Station

By AJ Dellinger, Gizmodo, July 8, 2018

Police in Detroit are looking for two suspects who allegedly managed to hack a gas pump and steal over 600 gallons of gasoline, valued at about $1,800. The theft took place in the middle of the day and went on for about 90 minutes, with the gas station attendant unable to thwart the hackers. The theft, reported by Fox 2 Detroit, took place at around 1pm local time on June 23 at a Marathon gas station located about 15 minutes from downtown Detroit. At least 10 cars are believed to have benefitted from the free-flowing gas pump, which still has police befuddled.

Read the rest here: https://gizmodo.com/hackers-reportedly-stole-600-gallons-of-gas-from-detroi-1827433411

Published at no cost to ISSA Colorado Springs by Sumerduck PublishingTM, Woodland Park, Colorado