SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #3
January 10, 2020
U.S. National Cybersecurity Talent Discovery Program Launches on Monday; Consolidating Congressional Cybersecurity Oversight
The U.S. National high school cybersecurity talent discovery program launches Monday. Students play a game (CyberStart) to learn whether they have the aptitude to excel in cybersecurity; no teacher expertise in cyber or computers is required. NSF support this year enables high school students in every state to participate. See the first story in Top of the News.
****************************************************************************
SANS NewsBites January 10, 2020 Vol. 22, Num. 003
****************************************************************************
TOP OF THE NEWS
The U.S. National High School Cybersecurity Talent Discovery Program Launches on Monday
Consolidating Cybersecurity Oversight in Congress
RANSOMWARE
Attackers Infected Travelex with Ransomware Through Known Pulse Secure VPN Flaw
Pittsburgh School District Hit with Ransomware
Contra Costa Library System Ransomware Attack
REST OF THE WEEK'S NEWS
ToTok App is Available in Google Play Store Again
TikTok Vulnerabilities Fixed
Google's Project Zero Announces Changes to Its 90-Day Disclosure Policy
Minnesota Hospital eMail Breach
Mozilla Releases Firefox 72.0.1 to Fix Actively Exploited Critical Flaw
Prison for Webcam Spy
Las Vegas City Network Fends Off Serious Cyber Incident
Dustman Data-Wiping Malware Likely Has Ties to Iran, Say Analysts
Hackers Scanning for Unpatched Citrix Servers
Dragos Report Describes North American Electric Sector Cyber Threats
US Government-Funded Android Phones Have Chinese Malware Preinstalled
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
TOP OF THE NEWS
--The U.S. National High School Cybersecurity Talent Discovery Program Launches on Monday
(January 10, 2019)
The U.S. National High School Cybersecurity Talent Discovery Program launches on Monday (1/13). Students play a game (CyberStart) to learn whether they have the aptitude to excel in cybersecurity. It's all online and no teacher expertise in cyber or computers is required. NSF support this year enables high school students in every state to participate. High school girls are eligible to start next week; if five girls do well in a school, they win access to the game for boys as well. Here's how parents and teachers describe the impact of GirlsGoCyberStart:
"Girls Go CyberStart REALLY made a big impact on my daughter! The first year, she had zero experience in computer coding or cybersecurity. After participating, she decided to take AP Comp Sci A and now she won a summer internship at the NJ Cyber Security Office!"
"Before I recruited girls to be a part of this wonderful program, I struggled to get girls to realize they could be computer scientists. I had girls actually saying they were too stupid to do this until I said, 'Just try it.' Some of my girls found out they were good at puzzles, some found out they liked programming. I now have girls asking our counselor about computer science degrees at our local community college."
Twenty-seven state governors personally announced GirlsGoCyberStart this year and encouraged students in their states to "just try it!" The Computer Science Teachers Association is a national cosponsor.
To learn more and/or sign up: https://www.girlsgocyberstart.org/
A personal note to NewsBites readers from Alan Paller: Finding talent early is the single biggest game changer a nation can implement to increase its effectiveness in cyberspace. The UK's CyberDiscovery program proved that the CyberStart game scales to provide full national coverage and identifies large numbers of high-aptitude students even when the student doesn't know s/he has it. Now CyberStart's aptitude discovery program has become available at no cost to all high schools in the US, but it runs only once a year and sign-ups close in two weeks. If you have any relationship with a high school student or teacher or administrator or an email list or Twitter following that includes high school teachers, make sure they know about GirlsGoCyberStart in time to take advantage of it this year.
--Consolidating Cybersecurity Oversight in Congress
(January 8, 2020)
Members of the US Cyberspace Solarium Commission are likely to propose consolidating authority for cybersecurity issues under one committee in each chamber of Congress. Currently, numerous committees in each chamber address cybersecurity issues, which can slow down needed legislation.
[Editor Comments]
Read more in:
Fifth Domain: Is a single cybersecurity congressional committee possible?
*****************************************************************************
RANSOMWARE
--Attackers Infected Travelex with Ransomware Through Known Pulse Secure VPN Flaw
(January 6, 7, 8, & 9, 2020)
The Travelex currency exchange is still offline after a December 31 ransomware attack. The company says that its systems became infected with Sodinokibi, also known as REvil. The malware appears to have gained entry to the system through a known vulnerability in Pulse Secure VPN software; a patch for the flaw was made available in April 2019. (Please note that the WSJ story is behind a paywall.)
[Editor Comments]
[Neely] While keeping services updated with the latest security patches is important, prioritize services at the perimeter and pay even more attention to boundary and access control devices such as VPNs, Firewalls, Routers, Proxies and WAFs. It is worth noting that Pulse Secure has been reaching out to customers to make sure that they are applying the patch. The Pulse Secure VPN flaw is being actively leveraged for REvil attacks, including CyrusOne, several managed service providers, 20 Texas local government offices and over 200 dentist offices per ZDNet (VPN warning: REvil ransomware targets unpatched Pulse Secure VPN servers: https://www.zdnet.com/article/vpn-warning-revil-ransomware-targets-unpatched-pulse-secure-vpn-servers/).
[Honan] This breach has several examples of how to not handle incident response, from poor communications to key stakeholders, to not engaging with media, and lack of transparency to customers as to the real cause of the systems being offline.
Read more in:
Ars Technica: Unpatched VPN makes Travelex latest victim of "REvil" ransomware
Dark Reading: Widely Known Flaw in Pulse Secure VPN Being Used in Ransomware Attacks
Threatpost: Sodinokibi Ransomware Behind Travelex Fiasco: Report
https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/
Bleeping Computer: Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another
WSJ: Travelex Ransomware Outage Hits Foreign-Currency Transactions at Retail Banks (paywall)
US-CERT: US-CERT Alert (AA20-010A) Continued Exploitation of Pulse Secure VPN Vulnerability
https://www.us-cert.gov/ncas/alerts/aa20-010a
--Pittsburgh School District Hit with Ransomware
(January 8, 2020)
The Pittsburgh Unified School District in Pennsylvania is recovering from a ransomware attack that infected its systems over the holiday break. Classes resumed as scheduled on Monday, January 6. The superintendent noted that while classrooms will not have laptops or Internet access, schools do have access to student information and phone systems are working.
Read more in:
SC Magazine: Ransomware hits, but doesn't stop, the Pittsburgh Unified School District
--Contra Costa Library System Ransomware Attack
(January 7, 2020)
The Contra Costa County (California) Library System was hit with a ransomware attack late last week. The incident affects all 26 of the system's branches. On December 3, library officials said that while impacted servers were taken offline, libraries would be open as usual.
[Editor Comments]
[Neely] As libraries reinvent themselves in the digital age, the importance of their digital service offerings has increased. While you can still visit a branch to get a book, their web system processed over 1.5 million virtual visits, and 425,897 virtual checkouts in 2019. The system has address, phone numbers, email and dates of birth for members; it doesn't contain social security numbers or credit card information. They stopped collecting driver's license numbers and purged those data last year.
Read more in:
Govtech: Bay Area Library System Suffers Ransomware Attack
https://www.govtech.com/security/Bay-Area-Library-System-Suffers-Ransomware-Attack.html
*****************************************************************************
REST OF THE NEWS
--ToTok App is Available in Google Play Store Again
(January 6 & 8, 2020)
Apple and Google pulled the ToTok messaging app from their stores after US intelligence officials said it was likely being used as a spy tool for the United Arab Emirates. Google has put what appears to be an updated version of ToTok back in the Google Play Store. The app now asks users for permission to access and sync contact lists.
Read more in:
Wired: An Alleged Spy App Puts Apple in a Bind
https://www.wired.com/story/totok-google-play-apple-app-store-uae-surveillance/
Threatpost: ToTok Returned to Google Play Despite 'Spy Tool' Claims
https://threatpost.com/totok-returned-to-google-play-spy-tool/151576/
--TikTok Vulnerabilities Fixed
(January 8, 2020)
TikTok has patched several flaws that left the social video app vulnerable to account takeovers, private data exposure, and other forms of account manipulation. Researchers from Check Point found the vulnerabilities and notified TikTok in late November 2019. The company fixed the flaws in late December.
[Editor Comments]
[Neely] The patches address account takeover and data exposure issues, not the concerns raised last fall about China-based ByteDance collecting data while the app is being used. Those risks have not changed. If you are continuing to use the application, keep it updated.
Read more in:
The Register: TikTok on the clock, and the hacking won't stop: SMS spoofing vuln let baddies twiddle teens' social media videos
https://www.theregister.co.uk/2020/01/08/tiktok_vulns_/
Wired: TikTok Bugs Could Have Allowed Account Takeovers
https://www.wired.com/story/tiktok-bugs-account-takeover/
ZDNet: TikTok fixes security flaws that could have let hackers manipulate accounts, access personal data
Dark Reading: TikTok Bugs Put Users' Videos, Personal Data At Risk
Threatpost: TikTok Riddled With Security Flaws
https://threatpost.com/tiktok-riddled-with-security-flaws/151616/
--Google's Project Zero Announces Changes to Its 90-Day Disclosure Policy
(January 7, 8, & 9, 2020)
Google's Project Zero says it will now wait the full 90 days after notifying vendors about a bug to disclose details of the vulnerability, regardless of when the vendor makes a fix available. Previously, Project Zero would release vulnerability details as soon as a patch was released. The rationale for the change is that it will allow for more thorough patch development and wider patch adoption before details are released. Vulnerability details may be disclosed sooner than 90 days if the vendor agrees. Exceptions to the rules include allowing the vendor to request up to an additional 14 days if the patch will be ready within that time, and allowing only seven days for vulnerabilities that are being actively exploited.
Read more in:
Google Project Zero: Policy and Disclosure: 2020 Edition
https://googleprojectzero.blogspot.com/2020/01/policy-and-disclosure-2020-edition.html
Threatpost: Google Ditches Patch-Time Bug Disclosure in Favor of 90-Day Policy
https://threatpost.com/google-ditches-patch-disclosure-90-day-policy/151626/
The Register: Yeah, says Google Project Zero, when you think about it, going public with exploit deets immediately after a patch is emitted isn't such a great idea
https://www.theregister.co.uk/2020/01/07/google_project_zero/
ZDNet: Google Project Zero shifts to full 90-day disclosures to improve patch uptake
Dark Reading: Google's Project Zero Policy Change Mandates 90-Day Disclosure
Portswigger: Project Zero relaxes 90-day vulnerability disclosure deadline to boost patch adoption
--Minnesota Hospital eMail Breach
(January 7 & 8, 2020)
Alomere Health is notifying nearly 50,000 patients in Minnesota that their personal health information may have been compromised. Two Alomere Health employee email accounts were compromised in late October and early November 2019.
[Editor Comments]
[Pescatore] I was encouraged to see in the SANS Security Spending Trends survey we are currently working on, increased spending on strong authentication came in 4th highest, after cloud monitoring, cloud access security and staff skills training. Ransomware and breaches in the news have been the ammunition to convince management to back the move away from reusable passwords. In telephone interviews, several small/medium sized organizations are making the move as part of moving to O365 and other cloud-based services.
[Honan] Cases like this help to justify Multi-Factor Authentication to senior management.
Read more in:
Alomere Health: Vigilance Is The Best Defense To Cyber Attacks
https://news.alomerehealth.com/vigilance-is-the-best-defense-to-cyber-attacks/
Cyware: Minnesota Hospital Breach Impacts Personal and Medical Data of 50,000 Patients
SC Magazine: Breach of email accounts impacts 50,000 patients of Minnesota hospital
Portswigger: Data breach at Minnesota hospital threatens nearly 50,000 healthcare records
--Mozilla Releases Firefox 72.0.1 to Fix Actively Exploited Critical Flaw
(January 8 & 9, 2020)
Just one day after releasing Firefox 72, Mozilla released version 72.0.1 to address a critical vulnerability that was being actively exploited. The type-confusion flaw could be exploited to execute code or cause crashes on vulnerable systems. Firefox 72 included new privacy features and fixes for five high-severity security issues.
[Editor Comments]
[Neely] If you're on the ESR distribution, the fixes are in 68.4.1. The affected component is the IonMonkey JavaScript JIT compiler which provides optimization and performance enhancement for JavaScript. The flaw is reported as being actively exploited in the wild. Regardless of the version, unless you have disabled IonMonkey, which is enabled by default, applying the update quickly is prudent.
[Murray] Users should prefer purpose-built applications to porous browsers for sensitive applications. Enterprise management should isolate mission-critical data, applications, and systems from browsers.
Read more in:
Mozilla: Mozilla Foundation Security Advisory 2020-03: Security Vulnerabilities fixed in Firefox 72.0.1 and Firefox ESR 68.4.1
https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/
US-CERT: Mozilla Patches Critical Vulnerability
https://www.us-cert.gov/ncas/current-activity/2020/01/08/mozilla-patches-critical-vulnerability
Threatpost: Mozilla Updates Firefox Browser: Zero-Day Bug Patched, Fingerprinting Nixed
https://threatpost.com/mozilla-releases-firefox-72/151636/
Ars Technica: Firefox gets patch for critical zeroday that's being actively exploited
Bleeping Computer: Mozilla Firefox 72.0.1 Patches Actively Exploited Zero-Day
--Prison for Webcam Spy
(January 7 & 8, 2020)
A UK man has been sentenced to five years in prison for spying on people through their webcams and mobile phone cameras. Scott Cowley used the Imminent Monitor remote access Trojan (RAT) to infect the targeted computers and phones.
Read more in:
Threatpost: Liverpool Voyeur Used IM-RAT to Video Women at Home
https://threatpost.com/liverpool-voyeur-im-rat-video-women/151638/
ZDNet: UK man sentenced to prison for hacking and spying on victims through their webcams
--Las Vegas City Network Fends Off Serious Cyber Incident
(January 8 & 9, 2020)
On Tuesday, January 7, 2020, the city of Las Vegas, Nevada experienced a network security incident. The vector of attack is likely to have been a malicious email. City IT staff detected the breach quickly and took steps to minimize its impact. On Wednesday, January 8, the city posted a statement on Twitter that it has "resumed full operations with all data systems functioning as normal."
[Editor Comments]
[Pescatore] I love this news piece. Kudos to the city of Las Vegas IT and security teams. Think of when a strong storm hits your area. If the power blips a few times, or goes out for an hour or so, everyone understands. If it goes out for days, you hate the power company, you know they failed you. You really don't expect the electricity to your house to be totally immune to storms, but you expect the power company to minimize the outages and to proactively trim the trees in advance of the next season of storms. That is how CEOs and Boards of Directors think about IT security!
Read more in:
ZDNet: City of Las Vegas said it successfully avoided devastating cyber-attack
Statescoop: Las Vegas reports experiencing 'cyber compromise'
https://statescoop.com/las-vegas-reports-experiencing-cyber-compromise/
--Dustman Data-Wiping Malware Likely Has Ties to Iran, Say Analysts
(January 8 & 9, 2020)
Cyber analysts at Saudi Arabia's National Cybersecurity Authority (CNA) have detected a new variant of data-wiping malware. Dustman, as it has been named, was found on systems at Bapco, Bahrain's national oil company, late last year and appears to be a variant of data-wiping malware used in attacks on organizations in the Middle East last year. CNA analysts say the malware made its way into Bapco systems through the company's VPN servers. The malware affected only some of Bapco's computers, and the company continued to operate through the attack.
Read more in:
ZDNet: New Iranian data wiper malware hits Bapco, Bahrain's national oil company
Cyware: New Wiper Malware 'Dustman' Takes on Bahrain's National Oil Company
https://cyware.com/news/new-wiper-malware-dustman-takes-on-bahrains-national-oil-company-c67a8b10
Cyberscoop: Saudi cyber authority uncovers new data-wiping malware, and experts suspect Iran is behind it
https://www.cyberscoop.com/saudi-arabia-iran-cyberattack-soleimani/
--Hackers Scanning for Unpatched Citrix Servers
(January 7, 8, & 9, 2020)
Hackers are actively conducting scans to find Citrix servers that have not been patched against a critical vulnerability that affects the company's Application Delivery Controller (ADC) and Gateway products. The directory traversal flaw could be exploited to remotely execute code.
[Editor Comments]
Read more in:
ISC: A Quick Update on Scanning for CVE-2019-19781 (Citrix ADC / Gateway Vulnerability)
Help Net Security: Attackers exploiting critical Citrix ADC, Gateway flaw, company yet to release fixes
https://www.helpnetsecurity.com/2020/01/09/cve-2019-19781/
ZDNet: Hackers probe Citrix servers for weakness to remote code execution vulnerability
https://www.zdnet.com/article/hackers-probe-unsecured-citrix-servers-for-netscaler-vulnerability/
Bleeping Computer: Attackers Are Scanning for Vulnerable Citrix Servers, Secure Now
--Dragos Report Describes North American Electric Sector Cyber Threats
(January 9, 2020)
Dragos has published a report titled North American Electric Cyber Threat Perspective that "provides a comprehensive look at threats to the North American electric sector and offers numerous defensive recommendations for asset owners and operators to implement and combat observed threats."
Read more in:
Dragos: The State of Threats to Electric Entities in North America (summary)
https://dragos.com/blog/industry-news/the-state-of-threats-to-electric-entities-in-north-america/
Dragos: North American Electric Cyber Threat Perspective
https://dragos.com/resource/north-american-electric-cyber-threat-perspective/
Wired: Iranian Hackers Have Been 'Password-Spraying' the US Grid
https://www.wired.com/story/iran-apt33-us-electric-grid/
ZDNet: These hacking groups are eyeing power grids, says security company
https://www.zdnet.com/article/these-hacking-groups-are-eyeing-power-grids-says-security-company/
--US Government-Funded Android Phones Have Chinese Malware Preinstalled
(January 9, 2020)
The US Federal Lifeline Assurance program provides inexpensive or even free phones with discounted service for low-income households. Researchers at Malwarebytes found that one of the phones available through the program, the $35 Unimax (UMX) U686CL device from Assurance Wireless, comes with unremovable Chinese malware preinstalled.
[Editor Comments]
[Neely] Supply chain security is complicated, and critical, especially when you're driven to deliver the lowest bid solution. US funded programs typically insist on American made solutions, but in this case the $35 device was accepted without full security vetting. As an entity, purchasing devices from a known source is a good first step; verifying their security, or hiring someone to do that, is prudent.
Read more in:
Ars Technica: US Government-funded Android phones come preinstalled with unremovable malware
Dark Reading: Chinese Malware Found Preinstalled on US Government-Funded Phones
Forbes: U.S. Funds Program With Free Android Phones For The Poor -- But With Permanent Chinese Malware
INTERNET STORM CENTER TECH CORNER
Citrix ADC Update
Another Malicious Word Document
https://isc.sans.edu/forums/diary/Quick+Analyzis+of+another+Maldoc/25694/
Google Project Zero Changing Disclosure Policy
https://googleprojectzero.blogspot.com/2020/01/policy-and-disclosure-2020-edition.html
Google Updates Android
https://source.android.com/security/bulletin/2020-01-01
Critical Firefox Update Fixing Exploited Bug
https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/
Pulse Secure SSLVPN Exploited
3 Google Play Store Apps Exploit Android Zero-Day
Tails 4.2
https://tails.boum.org/news/version_4.2/index.en.html
TikTok Vulnerabilities
https://research.checkpoint.com/2020/tik-or-tok-is-tiktok-secure-enough/
SHA1 Update
Cisco Updates
https://tools.cisco.com/security/center/publicationListing.x
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create