SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #86
October 30, 2020Hospitals Under Ransomware Siege; SANS Launches CyberStart America: $2 million in Scholarships To Help Close Advanced Cyber Skills Gap
Lots of bad news this week - hospitals under ransomware siege; transport system disabled; $1 million HIPAA fine; CEO fired for hiding breach info. One good news story is today's launch of the United States' first program that has a chance to close the advanced cyber skills gap that China and Russia have established.
Alan
*****************************************************************************
SANS NewsBites October 30, 2020 Vol. 22, Num. 086
*****************************************************************************
THE TOP OF THE NEWS
A National Cyber Challenge: CyberStart America Free for All U.S. High School Students; $2 Million in College Scholarships
Hospitals Under Ransomware Siege (Ref: FBI, HHS and DHS)
REST OF THE WEEK'S NEWS
Ransomware Attack Shut Down Montreal Public Transit Website
Zoom Begins Phase One of End-to-End Encryption Rollout
Vastaamo Fires CEO for Withholding Breach Information
Hackers Leaked Swedish Security Company Customer Information
Critical Flaw in Oracle WebLogic Server is Being Actively Exploited
Optional Microsoft Update Removes Flash Player from Windows 10
Steelcase SEC Filing Divulges Cyberattack
FBI: Hackers Targeting Vulnerable SonarQube Instances
Vulnerabilities in Hoermann Gateway Device
Documents Show ICE, IRS Considering Using Hacking Tools
Aetna Will Pay $1M USD for HIPAA Violations
INTERNET STORM CENTER TECH CORNER
************************* Sponsored By Chronicle ********************************
Google Cloud has launched modern security detection for modern security threats with Chronicle Detect. View our on demand webinar to see a demo of our next generation rules engine that operates at the speed of search and hear from Paul Farley, the Deputy CISO of NCR, about their journey with Chronicle. Watch it now! | http://www.sans.org/info/218044
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
New OnDemand Courses
SEC588: Cloud Penetration Testing
- https://www.sans.org/ondemand/course/cloud-penetration-testing
MGT525: IT Project Management, Effective Communication, and PMP(R) Exam Prep
- https://www.sans.org/ondemand/course/project-management-effective-communication
View all courses
- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand
Live Online Training Events and Summits
Pen Test HackFest + Summit @Night
Nov 16-21 EST | 15 Courses | Core NetWars + Coin-A-Palooza
- https://www.sans.org/event/pen-test-hackfest-2020-live-online
SANS Cyber Defense Initiative(R) 2020 - Dec 14-19 EST
35+ Courses | Core, Cyber Defense, and DFIR NetWars
- https://www.sans.org/event/cyber-defense-initiative-2020-live-online
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america
Free Resources
Tools, Posters, and more.
- https://www.sans.org/free
OnDemand Training Special Offer
One Week Only! FREE Core Netwars Continuous with qualifying OnDemand Course purchases through November 4 - a $1,420 value!
- www.sans.org/specials/north-america/
*****************************************************************************
TOP OF THE NEWS
--A National Cyber Challenge: CyberStart America Free for All U.S. High School Students; $2 Million in College Scholarships
(October 30, 2020)
"The US Starts Enders Hacking Game" is the title of today's story on CyberStart America in The Register. Free to every high school student in the country, CyberStart America has a fighting chance of eliminating the advanced cyber skills pipeline advantage that China and Russia have established. Designed both for students who have played with technology and students who had no idea they could be good at it (through the "novice level,") the game allows students to become virtual cyber protection agents where they solve very real world problems. Those who enjoy it can progress through hundreds of challenges learning at every level through cryptography, Linux, Python programing all the way to reverse malware engineering. Teachers report it is the best program for teaching creative problem-solving skills they have seen. Students who solve 20% of the challenges are eligible for the scholarship round where $2,000,000 in college scholarships will be awarded for use at the college of their choice. The qualification round starts on October 30 and lasts until the end of February.
[Paller] As of noon today (Eastern) 830 students are engaged.
Read more:
The Register: On Friday the US starts Ender's hacking game: All local teens can compete for scholarships in cybersecurity
https://www.theregister.com/2020/10/30/cyberstart_hacking_challenge/
Dark Reading: SANS Launches New CyberStart Program for All High School Students
https://www.darkreading.com/operations/sans-launches-new-cyberstart-program-for-all-high-school-students/d/d-id/1339323
--Hospitals Under Ransomware Siege (Ref: FBI, HHS and DHS)
(October 28 & 29, 2020)
On Wednesday, October 28, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services, and the FBI issued a joint cybersecurity advisory saying they are in possession of "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers." As of Thursday, networks at nearly two dozen hospitals in the US have been hit with ransomware. Mandiant has released a list of indicators of compromise.
[Editor Comments]
[Paller] Hospital cybersecurity matters, as illustrated by last month's death of a German woman who was turned away from a hospital disabled by ransomware and died on the way to a second hospital. https://www.technologyreview.com/2020/09/18/1008582/a-patient-has-died-after-ransomware-hackers-hit-a-german-hospital/
[Pescatore] In the 2019 SANS Top New Attacks and Threat Report, Ed Skoudis detailed the DNS tunneling threat and mitigation approaches that are key to the threats in this latest warning. The publicity around the government agency warnings should be used to get management support for immediate mitigation and enhanced monitoring.
Read more in:
KrebsOnSecurity: FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals
https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/
The Hill: Cyberattack targets networks of Vermont, New York hospitals
https://thehill.com/policy/cybersecurity/523475-cyberattack-targets-networks-of-vermont-new-york-hospitals
Wired: Ransomware Hits Dozens of Hospitals in an Unprecedented Wave
https://www.wired.com/story/ransomware-hospitals-ryuk-trickbot/
HealthITSecurity: Ransomware Wave Hits Healthcare, as 3 Providers Report EHR Downtime
https://healthitsecurity.com/news/ransomware-wave-hits-healthcare-as-3-providers-report-ehr-downtime
ZDNet: FBI warning: Trickbot and ransomware attackers plan big hit on US hospitals
https://www.zdnet.com/article/fbi-warning-trickbot-and-ransomware-attackers-plan-big-hit-on-us-hospitals/
Ars Technica: Advisories: "Brazen" Russian ransomware hackers target hundreds of US hospitals
https://arstechnica.com/information-technology/2020/10/us-government-warns-of-imminent-ransomware-attacks-against-hospitals/
Threatpost: 2 More Hospitals Hit by Growing Wave of Ransomware Attacks, As Feds Issue Warning
https://threatpost.com/hospitals-hit-by-ransomware/160695/
US-CERT CISA: Ransomware Activity Targeting the Healthcare and Public Health Sector
https://us-cert.cisa.gov/ncas/alerts/aa20-302a
Github: aaronst/unc1878_indicators.txt
https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456
******************************* SPONSORED LINKS ********************************
1) How Look-alike Domains Drive BEC, Brand Abuse, and More [LIVE EXPERT WEBINAR] | http://www.sans.org/info/218049
2) Webcast | Our upcoming webcast, "Are you protected from a resurgence of APT29?" will teach you how to operationalize MITRE ATT&CK framework and leverage it to validate your controls against threat groups | November 3 @ 1:00 PM EST | http://www.sans.org/info/218054
3) Webcast |Google Clouds Chronicle platform works seamlessly with Palo Alto Networks Cortex XSOAR solution to investigate and remediate security threats with speed and scale. Join "Accelerate SecOps Incident Response with High Performance Playbooks from Cortex XSOAR and Google Chronicle" to learn more | November 4 @ 3:30 PM EST | http://www.sans.org/info/218059
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--Ransomware Attack Shut Down Montreal Public Transit Website
(October 21, 22, & 27, 2020)
A ransomware that hit the network of Societe de transport de Montreal (STC) shut down both the transit agency's website and STC's reservation system for adapted transit. The bus and metro networks were not affected. People needing to make reservations for adapted transit rides were unable to do so or to modify existing reservations after 9:15 pm, Sunday, October 25.
Read more in:
Montreal Gazette: Ransomware attack blamed for shutting down STM website
https://montrealgazette.com/news/local-news/stm-website-was-taken-down-by-ransomware
CBC: Adapted transit users want compensation after STM's website shut down by virus
https://www.cbc.ca/news/canada/montreal/stm-adapted-transit-ransomware-compensation-1.5777977
Bleeping Computer: Montreal's STM public transport system hit by ransomware attack
https://www.bleepingcomputer.com/news/security/montreals-stm-public-transport-system-hit-by-ransomware-attack/
--Zoom Begins Phase One of End-to-End Encryption Rollout
(October 27, 2020)
Zoom has begun rolling out end-to-end encryption (E2EE) for desktop and mobile devices. The initial phase of the rollout is a 30-day technical preview, during which Zoom will gather customer feedback. The current rollout does not offer E2EE for browsers.
[Editor Comments]
[Neely] To get the E2EE feature, you need to update your desktop and Zoom mobile clients to the latest version (5.4.0+). Evaluate the scenarios where you need E2EE, including the impacts to existing device access to meetings; for example, the web client and room systems cannot participate in E2EE.
Read more in:
ZDNet: Zoom rolls out encryption for all desktop and mobile users
https://www.zdnet.com/article/zoom-rolls-out-encryption-for-all-desktop-and-mobile-users/
--Vastaamo Fires CEO for Withholding Breach Information
(October 27 & 29, 2020)
Ville Tapio, CEO of Finnish psychotherapy center Vastaamo, has been fired after it was learned that they prevented details of data breaches from becoming public. Patients have reported that hackers have contacted them, demanding they pay a ransom or have their personal information posted online. The Vastaamo patient database was initially breached in November 2018 and remained vulnerable to intrusion through March 2019.
[Editor Comments]
[Pescatore] Good news to see a CEO fired for suppressing internal knowledge of the second breach from the board and the general public. Vastaamo was acquired as this was happening; the acquiring company has begun legal proceedings because of the impact of this on the value of Vastaamo. Similar to 2017 when Verizon acquired Yahoo before learning of the massive Yahoo breach - and ended up reducing the acquisition price by $350M, which in retrospect was not enough of a reduction.
[Honan] Personal data encrypted due to a ransomware attack means, under the EU General Data Protection Regulation (GDPR), the organisation has lost control of the personal data and the ransomware attack is deemed a data breach. Under the GDPR an organisation that suffers a personal data breach, in particular of sensitive data such as that held by Vastaamo, "shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority". It will be interesting to see what actions the Finnish supervisory authority will take in this case.
Read more in:
SC Magazine: Finnish psychotherapy center fires CEO for suppressing breach details
https://www.scmagazine.com/home/security-news/data-breach/finnish-psychotherapy-center-fires-ceo-for-suppressing-breach-details/
Cyberscoop: Why the extortion of Vastaamo matters far beyond Finland -- and how cyber pros are responding
https://www.cyberscoop.com/finland-vastaamo-hack-response/
--Hackers Leaked Swedish Security Company Customer Information
(October 28, 2020)
Hackers have posted data stolen from the Gunnebo Group, a Swedish company that provides physical security for organizations around the world. Gunnebo customers include banks, airports, government agencies, and nuclear power plants. In March, KrebsOnSecurity received a tip from Hold Security "about a financial transaction between a malicious hacker and a cybercriminal group which specializes in deploying ransomware." Included in that transaction were credentials for a Remote Desktop Protocol (RDP) account set up by a Gunnebo employee. In August 2020, Gunnebo disclosed that its network was hit with a ransomware attack.
[Editor Comments]
[Murray] Since Target, one should recognize the risk from third parties. It is bad enough that one must concern oneself with employee convenience that trumps one's security. One should not have to worry about the convenience of one's security vendors.
Read more in:
KrebsOnSecurity: Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo
https://krebsonsecurity.com/2020/10/security-blueprints-of-many-companies-leaked-in-hack-of-swedish-firm-gunnebo/
Infosecurity Magazine: Hackers Leak Swedish Security Firm's Data
https://www.infosecurity-magazine.com/news/hackers-leak-swedish-security/
--Critical Flaw in Oracle WebLogic Server is Being Actively Exploited
(October 29, 2020)
A critical remote code execution flaw in Oracle WebLogic server is being actively exploited. Hackers are searching for servers running vulnerable versions of Oracle WebLogic server. Oracle released a fix for the vulnerability last week as part of its quarterly Critical Patch Update.
[Editor Comments]
[Neely] While you're still ingesting the 400 updates in the latest Oracle CPU, move the testing and deployment of the WebLogic update to the top of the list, particularly for Internet-facing services.
Read more in:
ISC: PATCH NOW: CVE-2020-14882 Weblogic Actively Exploited Against Honeypots
https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/
Threatpost: Oracle WebLogic Server RCE Flaw Under Active Attack
https://threatpost.com/oracle-weblogic-server-rce-flaw-attack/160723/
Bleeping Computer: Critical Oracle WebLogic flaw actively targeted in attacks
https://www.bleepingcomputer.com/news/security/critical-oracle-weblogic-flaw-actively-targeted-in-attacks/
Security Week: Oracle WebLogic Vulnerability Targeted One Week After Patching
https://www.securityweek.com/oracle-weblogic-vulnerability-targeted-one-week-after-patching
Ars Technica: Hackers are on the hunt for Oracle servers vulnerable to potent exploit
https://arstechnica.com/information-technology/2020/10/hackers-are-on-the-hunt-for-oracle-servers-vulnerable-to-potent-exploit/
--Optional Microsoft Update Removes Flash Player from Windows 10
(October 27, 2020)
Microsoft has released an optional update for Windows 10 and Windows Server that removes Adobe Flash Player and prevents it from being installed again. Once the update, KB KB4577586, has been installed, it cannot be uninstalled. The update currently removes the version of Flash Player that is bundled with Windows 10. Standalone versions of Flash Player will not be removed, and the Flash Player component in Edge is not affected.
[Editor Comments]
[Ullrich] After applying this update, users are no longer able to install Flash Player. Make sure you actually no longer need it before applying the update.
[Neely] This update is available only through the Microsoft Catalog and doesn't comprehensively remove Flash. It is scheduled for general availability in early 2021. As the removal is not comprehensive, you may need to adopt a broader strategy to ensure that Flash is removed and disabled on endpoints. Now is a good time to start your validation process that systems reliant on Flash have been updated to other technology.
[Murray] One would like to think that, ten years after Steve Jobs published his analysis, most enterprises have already eliminated this porous product. However, "ten years" suggests just how sticky it is.
Read more in:
Bleeping Computer: Microsoft releases update to remove Adobe Flash from Windows
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-update-to-remove-adobe-flash-from-windows/
Engadget: Windows 10 update removes Flash and prevents it from being reinstalled
https://www.engadget.com/windows-10-update-removes-flash-and-prevents-it-from-being-reinstalled-071737612.html
--Steelcase SEC Filing Divulges Cyberattack
(October 27 & 28, 2020)
Office furniture manufacturer Steelcase has acknowledged that its network was the target of a cyberattack. The information was disclosed in an October 26 form 8-K filing with the US Securities and Exchange Commission (SEC).
[Editor Comments]
[Pescatore] In the SEC filing, Steelcase notes that it is not aware of any data loss and does not expect material impact from this incident, so technically the disclosure wasn't required. But, in 2018 the SEC issued additional guidance saying "...we also remind companies and their directors, officers, and other corporate insiders of the applicable insider trading prohibitions under the general antifraud provisions of the federal securities laws and also of their obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents." Boards and CXOs have an incentive to err on the side of disclosure to avoid possible insider trading charges.
[Neely] Steelcase stated in its 8-K filing that it was not aware of any sensitive or customer data loss from its systems, or any other loss of assets as a result of this attack. They also immediately took action to contain and remediate. The top entry points for ransomware are still phishing email and vulnerable access services such as VDI and unpatched VPN servers. Make sure that you're keeping those Internet-exposed services updated and securely configured.
Read more in:
Infosecurity Magazine: Furniture Giant Steelcase Hit by Suspected Ransomware Attack
https://www.infosecurity-magazine.com/news/furniture-giant-steelcase/
Bleeping Computer: Steelcase furniture giant hit by Ryuk ransomware attack
https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/
SEC: United States Securities and Exchange Commission | Form 8-K | Steelcase Inc.
https://www.sec.gov/ix?doc=/Archives/edgar/data/1050825/000105082520000146/scs-20201022.htm
--FBI: Hackers Targeting Vulnerable SonarQube Instances
(October 14 & 27, 2020)
In a TLP: White Flash, the FBI has warned that "unidentified cyber actors have actively targeted vulnerable SonarQube instances to access source code repositories of US government agencies and private businesses." The attacks have been occurring since April 2020. Recommended mitigations include changing SonarQube default settings, putting SonarQube instances behind a login screen, and checking for unauthorized access. "SonarQube is an open-source automatic code review tool that detects bugs and security vulnerabilities in source code."
[Editor Comments]
[Neely] Be sure to change the defaults, including passwords when installing services. As code security verification services such as SonarQube are tightly integrated into your Ci/Cd pipeline, they should not be exposed to the Internet to ensure their security functions, such as vulnerability and bug detection, are not compromised.
Read more in:
Bleeping Computer: FBI: Hackers stole government source code via SonarQube instances
https://www.bleepingcomputer.com/news/security/fbi-hackers-stole-government-source-code-via-sonarqube-instances/
Document Cloud: Cyber Actors Target Misconfigured SonarQube Instances to Access Proprietary Source Code of US Government Agencies and Businesses (PDF)
https://assets.documentcloud.org/documents/20399900/fbi_flash_sonarqube_access_bc.pdf
--Vulnerabilities in Hoermann Gateway Device
(October 28, 2020)
Researchers have found a number of vulnerabilities in the Hoermann BiSecur gateway device wireless access control system for garage doors, entrance gates, and other such smart systems. The flaws can be exploited both to open doors and to disable the door opening mechanisms. Some of the vulnerabilities require local network access to exploit; others can be exploited remotely.
Read more in:
Security Week: Hackers Can Open Doors by Exploiting Vulnerabilities in Hoermann Device
https://www.securityweek.com/hackers-can-open-doors-exploiting-vulnerabilities-h%C3%B6rmann-device
--Documents Show ICE, IRS Considering Using Hacking Tools
(October 28, 2020)
Documents shared with Motherboard show that US Immigration and Customs Enforcement (ICE) and the Internal Revenue Service (IRS) have explored the possibility of using hacking tools in criminal investigations and may have actually used them. The documents were obtained through a Freedom of Information Act (FoIA) lawsuit brought by Privacy International, the ACLU, and the Civil Liberties & Transparency Clinic of the University at Buffalo School of Law.
[Editor Comments]
[Neely] It is important to understand the tools and techniques used by our adversaries. The difference here is intent and permission.
Read more in:
Vice: ICE, IRS Explored Using Hacking Tools, New Documents Show
https://www.vice.com/en/article/epd4wp/ice-irs-hacking-tools
--Aetna Will Pay $1M USD for HIPAA Violations
(October 28 & 29, 2020)
The Aetna Life Insurance Company will pay the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) $1 million to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The fine covers three separate breaches that occurred in 2017 within a six-month period.
[Editor Comments]
[Pescatore] Between the April 2003 compliance date for HIPAA and September 30, 2020, the HHS OCR has settled or imposed a civil money penalty in 85 cases resulting in a total dollar amount of $128,155,082.00 - not an eye-catching amount per year, but since 2016 they have been stepping up the penalties. In 2020, Premera was fined $6.85M for a 10M record breach. These large fines are usually a small portion of the overall cost of the incidents, but they quickly catch the attention of boards and Chief Legal Officers because the fines have $$ directly attached.
[Neely] What is interesting here is the discovery of Aetna's lack of review of information protection validation. Regularly review & verify access to and handling of sensitive company information, including PII, and make sure users have training commensurate with the importance of the information they are accessing. In regulated environments, use internal audits to discover shortfalls before the regulator does.
Read more in:
Infosecurity Magazine: Triple Data Breach Earns Insurer $1m Fine
https://www.infosecurity-magazine.com/news/triple-data-breach-earns-insurer/
Bank Infosecurity: Aetna Fined $1 Million After 3 Data Breaches
https://www.bankinfosecurity.com/aetna-fined-1-million-after-3-data-breaches-a-15264
HHS: Aetna Pays $1,000,000 to Settle Three HIPAA Breaches
https://www.hhs.gov/about/news/2020/10/28/aetna-pays-one-million-to-settle-three-hipaa-breaches.html
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
PATCH NOW: CVE-2020-14882 WebLogic Actively Exploited
https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/
SMBGhost Remains Unpatched on 8% of Exposed SMB Servers
https://isc.sans.edu/forums/diary/SMBGhost+the+critical+vulnerability+many+seem+to+have+forgotten+to+patch/26732/
Mishka McCowan: Mitigating Risk with the CSA 12 Critical Risks for Serverless Applications
https://www.sans.org/reading-room/whitepapers/cloud/mitigating-risk-csa-12-critical-risks-serverless-applications-39845
Vulnerable SonarQube Configurations Used to Steal Code
https://beta.documentcloud.org/documents/20399900-fbi_flash_sonarqube_access_bc
Microsoft Defender ATP Cobalt Strike False Positive
https://twitter.com/ffforward/status/1321375690084810753?s=20
Microsoft Edge Security Updates (Chromium-Based)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200002
Microsoft Releases Flash Removal Tool
https://support.microsoft.com/en-us/help/4577586/update-for-removal-of-adobe-flash-player
Bypassing MSFT Teams Policies
https://o365blog.com/post/teams-policies/
QNAP Security Advisory
https://www.qnap.com/en/security-advisory/QSA-20-09
New Linux Trickbot Version Sighted
https://www.netscout.com/blog/asert/dropping-anchor
Abuse.ch Needs Help
https://abuse.ch/blog/moving-forward/
Zonealarm Update
https://www.zonealarm.com/software/extreme-security/release-history
Ransomware Targeting Healthcare
https://us-cert.cisa.gov/ncas/alerts/aa20-302a
OpenEMR Vulnerabilities
https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create