
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXIII - Issue #12

February 12, 2021

Florida Water Treatment System Breach Cause Exposed; Microsoft Patches: Install Quickly; Windows Defender Vulnerability; Bloomberg Says Spy Chips Found in Super Micro Computer Products


U.S. college cyber rankings will be published in NewsBites in May for talented high school students looking for the best place to learn with other talented students and for employers to use to find star talent. The rankings will be based on the scores of college students on the Cyber FastTrack National Cyber Scholarship Competition. 400 collegians will also win $1,000 scholarships for use at their schools and a few hundred who show extraordinary talent will win free advanced SANS training.


Deadline to sign up is March 8

Information at: https://cyber-fasttrack.org/

Presidents of all large college collegiate cyber clubs and all WiCyS chapters have 250 licenses to distribute to club members and prospects for practice. If your club president doesn't have them, have them email apaller@sans.org with the subject "Practice for Cyber FastTrack."


Sign up at: cyber-fasttrack.org

Questions: hello@cyber-fasttrack.org  


*****************************************************************************

SANS NewsBites              February 12, 2021               Vol. 23, Num. 012

*****************************************************************************


TOP OF THE NEWS

 

  Florida Water Treatment System Breach: Employees Shared One TeamViewer Password

  Microsoft Patch Tuesday: Install Quickly

  12-Year-Old Windows Defender Vulnerability Fixed

  Bloomberg Says Spy Chips Found in Super Micro Computer Products   



THE REST OF THE WEEK'S NEWS


  Adobe Releases Security Updates for Acrobat and Reader, Magento, and Other Products

  Authorities Make Arrests in Connection with SIM-Swapping Scheme

  Zerologon Defense, Phase Two

  Web Hosting Company Shuts Down After Cyberattack

  Critical Flaw in SAP Commerce Platform

  Responsive Menu WordPress Plugin Flaw

  In Wake of Recent Attacks, Accellion Announces EOL for FTA Software


INTERNET STORM CENTER TECH CORNER

*************************  Sponsored By SANS  **********************************


Cyber Range | SANS+HBCU Cyber Ranges competition - Black History Month Edition is open for registration! Throughout this four-day event, HBCU students, alum, faculty, and staff will gain cybersecurity skills by competing in a self-paced, independent, hands-on challenge. The skills gained from our CTF are applicable to real-world jobs. The range will be open for competition on February 19th at 9 am ET and will remain open, around the clock, until it officially closes on February 22nd at 6 pm ET. Learn more. | https://www.sans.org/info/218910


*****************************************************************************

CYBERSECURITY TRAINING UPDATE

    

New & Updated Courses



SEC301: Introduction to Cybersecurity


- https://www.sans.org/cyber-security-courses/introduction-cyber-security/



SEC401: Security Essentials Bootcamp Style


- https://www.sans.org/cyber-security-courses/security-essentials-bootcamp-style/



MGT512: Security Leadership Essentials for Managers


- https://www.sans.org/cyber-security-courses/security-leadership-essentials-managers/



SANS Live Online Winter Special


Save $500 off standard 4-6 day courses during the events listed below.


Offer is valid thru February 24th. View event pages for details.



ICS Security Summit & Training


FREE Summit: Mar 4-5 | Courses: Mar 8-13 EST


- https://www.sans.org/event/ics-security-summit-2021/



SANS Cyber Security West 2021 - Mar 15-20 | PDT


10 Interactive Courses | Core NetWars Tournament


- https://www.sans.org/event/cyber-security-west-march-2021/



SANS 2021 - Mar 22-27 EDT


30+ Courses | Core, Cyber Defense, and DFIR NetWars


- https://www.sans.org/event/sans-2021-live-online



OnDemand Training Special Offer



Get a free GIAC certification attempt or take $350 Off with OnDemand or Live Online training through February 24.


- https://www.sans.org/specials/north-america/



Offensive Operations Resources



New Cheat Sheets, Slingshot Linux Distro, Posters, and more. View & Download


- https://www.sans.org/offensive-operations/


*****************************************************************************

TOP OF THE NEWS   

 

--Florida Water Treatment System Breach: Employees Shared One TeamViewer Password

(February 9 & 10, 2021)

In the wake of an attack in which a hacker gained access to a Florida water treatment plant's network and altered the amount of chemicals being added to drinking water, the FBI released a Private Industry Notification (PIN) warning that "the cyber actors likely accessed the system by exploiting cyber security weaknesses including poor password security, and an outdated Windows 7 operating system to compromise software used to remotely manage water treatment. The actor also likely used the desktop sharing software TeamViewer to gain unauthorized access to the system."


[Editor Comments]


[Neely] Remote access applications, such as TeamViewer, should be configured with unique credentials for each user, and Internet-exposed entry points need to support MFA and include a firewall. All these also need to be actively monitored for abuse. Old unsupported operating systems, such as Windows 7, which cannot be updated to Windows 10, need additional mitigations, such as an external firewall, to protect them from modern attacks. CISA Alert AA21-042A includes analysis and additional logical and physical mitigations to incorporate if you're enabling remote access to control systems. https://us-cert.cisa.gov/ncas/alerts/aa21-042a


[Ullrich] When signing up for a new TeamViewer account, the user is prompted to set up two-factor authentication. TeamViewer also offers integration with single sign-on systems for enterprise use. Looks like either may have prevented this breach but was not enabled. The old version of Windows may have been required to run the particular software, and it does not look like it contributed to the breach.


[Pescatore] Everyone has probably seen the "Rubin's Vase" optical illusion that to some people looks like a vase and to other people looks like two faces staring at each other. Incidents like this one at the Oldsmar water treatment plant happen frequently and can be viewed two different ways: (1) employees who didn't care about security doing very dangerous things violating well-known security policies enabled an attacker; or (2) mission requirements demanded remote access, no secure approach was provided and the employees did what they had to do to keep the water treatment systems running. The pandemic forced rapid movement to Work-From-Home and exposed a lot of number 2 out there, especially in smaller organizations.


[Murray] Any and all utility controls attached to public networks MUST employ strong authentication. This one measure will reduce risk by eighty to ninety percent. Shared passwords, on the other hand, reduce accountability and otherwise increase risk.  


Read more in:

Ars Technica: Breached water plant employees used the same TeamViewer password and no firewall

https://arstechnica.com/information-technology/2021/02/breached-water-plant-employees-used-the-same-teamviewer-password-and-no-firewall/

ZDNet: Following Oldsmar attack, FBI warns about using TeamViewer and Windows 7

https://www.zdnet.com/article/following-oldsmar-attack-fbi-warns-about-using-teamviewer-and-windows-7/

KrebsOnSecurity: What's most interesting about the Florida water system hack? That we heard about it at all.

https://krebsonsecurity.com/2021/02/whats-most-interesting-about-the-florida-water-system-hack-that-we-heard-about-it-at-all/

Vice: Why Cybersecurity Experts Hate TeamViewer, the Software Used to Tamper With Florida Water Supply

https://www.vice.com/en/article/akdqxk/why-cybersecurity-experts-hate-teamviewer-the-software-used-to-tamper-with-florida-water-supply

 
 

--Microsoft Patch Tuesday: Install Quickly

(February 9, 2021)

On Tuesday, February 9, Microsoft released updates to address 56 vulnerabilities in Windows and related software. Eleven of the flaws are rated critical. One of the flaws, a privilege elevation vulnerability in Win32k, is being actively exploited.    


[Editor Comments]


[Ullrich] This patch Tuesday fixed a smaller number of vulnerabilities, but it included a few vulnerabilities that need to be patched quickly. Most notable is the DNS server issue. The TCP/IP stack problems also need rapid action. Make sure your perimeter firewalls/routers do not pass IPv4 packets with IP options. This should already be a default configuration but I find a surprising number of devices that still pass them.


It is also sad that we are still fighting with these basic TCP/IP implementation issues. TCP/IP stacks have been in use for 40 years. Microsoft included TCP/IP by default starting with Windows 98 and NT 4.0. One would have hoped that it was implemented correctly by now in most operating systems. Forescout this week released a paper outlining how many TCP/IP implementations still do not get TCP sequence numbers right.

https://www.forescout.com/company/resources/numberjack-weak-isn-generation-in-embedded-tcpip-stacks/
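An added example, not from the newsletter or its editors: a small Python parser that recognises IPv4 packets carrying IP options (IHL greater than 5), the class of traffic the comment above says a perimeter device should not pass. The packets, addresses and options are constructed samples; a practitioner would run the same check over headers pulled from a capture to audit what still gets through.

```python
"""Flag IPv4 packets that carry IP options (IHL > 5).

Added example; constructed packets only. It shows how to recognise the
traffic a perimeter filter should drop, e.g. when auditing a capture.
"""
import socket
import struct

# Option type bytes from RFC 791 and later IANA registrations
OPTION_NAMES = {
    0: "EOOL", 1: "NOP", 7: "RR", 68: "TS",
    130: "SEC", 131: "LSRR", 137: "SSRR", 148: "RTRALT",
}


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over 16-bit words; 0 means a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(options: bytes, src="192.0.2.1", dst="198.51.100.7",
                 payload=b"") -> bytes:
    """Build a constructed IPv4 header (proto TCP) carrying `options`."""
    opts = options + b"\x00" * ((-len(options)) % 4)  # pad to 32-bit words
    if len(opts) > 40:
        raise ValueError("options exceed 40 bytes")
    ihl = 5 + len(opts) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                      ihl * 4 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst)) + opts
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4_options(packet: bytes) -> list:
    """Return [(option_name, length), ...]; raise ValueError if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError(f"bad IHL {ihl}")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    data, i, found = packet[20:ihl], 0, []
    while i < len(data):
        kind = data[i]
        if kind == 0:                       # End of Option List
            found.append(("EOOL", 0))
            break
        if kind == 1:                       # No Operation, single byte
            found.append(("NOP", 1))
            i += 1
            continue
        # Every other option is TLV; reject lengths that run off the header
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError(f"option type {kind} has a bad length")
        found.append((OPTION_NAMES.get(kind, f"TYPE{kind}"), data[i + 1]))
        i += data[i + 1]
    return found


def should_drop(packet: bytes) -> tuple:
    """Policy: drop anything with options or an unparsable header."""
    try:
        opts = parse_ipv4_options(packet)
    except ValueError as err:
        return True, f"malformed: {err}"
    if not opts:
        return False, "no options"
    return True, "options: " + ",".join(name for name, _ in opts)


# Constructed samples: plain header, Record Route, Loose Source Route
SAMPLES = {
    "plain": build_packet(b""),
    "record_route": build_packet(bytes([7, 39, 4]) + b"\x00" * 36),
    "loose_source_route": build_packet(bytes([131, 7, 4])
                                       + socket.inet_aton("203.0.113.9")),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        drop, why = should_drop(pkt)
        print(f"{name:20s} IHL={(pkt[0] & 0x0F) * 4:2d} "
              f"{'DROP' if drop else 'PASS'} ({why})")
```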


Read more in:

ISC: Microsoft February 2021 Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+February+2021+Patch+Tuesday/27080/

ZDNet: Microsoft February 2021 Patch Tuesday fixes 56 bugs, including Windows zero-day

https://www.zdnet.com/article/microsoft-february-2021-patch-tuesday-fixes-56-bugs-including-windows-zero-day/

Dark Reading: Microsoft Fixes Windows Zero-Day in Patch Tuesday Rollout

https://www.darkreading.com/vulnerabilities---threats/microsoft-fixes-windows-zero-day-in-patch-tuesday-rollout/d/d-id/1340114

KrebsOnSecurity: Microsoft Patch Tuesday, February 2021 Edition

https://krebsonsecurity.com/2021/02/microsoft-patch-tuesday-february-2021-edition/

Threatpost: Actively Exploited Windows Kernel EoP Bug Allows Takeover

https://threatpost.com/exploited-windows-kernel-bug-takeover/163800/

MSRC: Security Update Guide

https://msrc.microsoft.com/update-guide
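A second added example, not from the newsletter or from Forescout: a crude predictability check for a sequence of TCP initial sequence numbers, the weakness the Number:Jack paper cited in the comment above examines in embedded stacks. The ISN samples are constructed (one generator that adds a fixed step per connection, one that draws 32 random bits); it only catches the crudest generators, whereas the paper applies stronger statistical tests.

```python
"""Crude TCP ISN quality check: is the next ISN guessable from earlier ones?

Added example with constructed samples. A real measurement collects ISNs
from many connections to the stack under test (e.g. from a packet capture)
and feeds them to assess().
"""
import random

MASK32 = 0xFFFFFFFF


def predictability(isns: list) -> float:
    """Fraction of ISNs equal to previous + the step between the first two
    samples (mod 2**32). 1.0 means a constant-increment generator."""
    if len(isns) < 3:
        raise ValueError("need at least three samples")
    step = (isns[1] - isns[0]) & MASK32
    hits = sum(1 for a, b in zip(isns[1:], isns[2:])
               if (b - a) & MASK32 == step)
    return hits / (len(isns) - 2)


def fixed_bits(isns: list) -> int:
    """Number of the 32 bit positions that never change across the samples;
    each fixed bit halves the guessing effort."""
    always_one = MASK32
    always_zero = MASK32
    for v in isns:
        always_one &= v
        always_zero &= ~v & MASK32
    return bin(always_one | always_zero).count("1")


def assess(isns: list) -> dict:
    """Summarise; 'weak' if the sequence is linear or many bits are fixed.
    Thresholds are this example's assumption, not a standard."""
    p = predictability(isns)
    f = fixed_bits(isns)
    return {"predictable": p, "fixed_bits": f, "weak": p > 0.5 or f >= 8}


# Constructed sample 1: a constant per-connection step, the kind of generator
# RFC 1948 / RFC 6528 were written to replace.
WEAK_ISNS = [(0x1000 + 64000 * i) & MASK32 for i in range(64)]

# Constructed sample 2: 32 random bits per connection, seeded so the example
# is reproducible.
_rng = random.Random(7)
RANDOM_ISNS = [_rng.getrandbits(32) for _ in range(64)]

if __name__ == "__main__":
    for label, seq in (("constant-step", WEAK_ISNS), ("random", RANDOM_ISNS)):
        print(label, assess(seq))
```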

 

--12-Year-Old Windows Defender Vulnerability Fixed

(February 11, 2021)

Among the vulnerabilities fixed in Microsoft's February Patch Tuesday is a 12-year-old privilege elevation flaw in Windows Defender. The flaw could be exploited by threat actors with basic user privileges. The update will be installed automatically for users who have that feature enabled.


[Editor Comments]


[Neely] This vulnerability was hard to discover as it is in the BTR.sys driver which is only present when needed and has a random name when installed and is purged after execution. BTR.sys performs boot time cleanup of malicious files and registry entries. The fix is in Microsoft Malware Protection Engine 1.1.17800.5 or later.


[Murray] The risk associated with old undiscovered vulnerabilities goes up dramatically when they are identified, publicized, or a fix is published. Such vulnerabilities should be addressed in a timely manner. "Privilege escalation" vulnerabilities are an issue for multi-user and managed systems.  


Read more in:

Wired: A Windows Defender Vulnerability Lurked Undetected for 12 Years

https://www.wired.com/story/windows-defender-vulnerability-twelve-years/

Bleeping Computer: 12-year-old Windows Defender bug gives hackers admin rights

https://www.bleepingcomputer.com/news/security/12-year-old-windows-defender-bug-gives-hackers-admin-rights/


--Bloomberg Says Spy Chips Found in Super Micro Computer Products


(February 12, 2021)


According to a report from Bloomberg, US intelligence agencies have known for nearly a decade that China has been tampering with products made by Super Micro Computer, Inc. The situation illustrates the susceptibility of "American companies ... to potential nefarious tampering of any products they choose to have manufactured in China."




Read more in:


Bloomberg: The Long Hack: How China Exploited a U.S. Tech Supplier


https://www.bloomberg.com/features/2021-supermicro/


*******************************  SPONSORED LINKS  *******************************


1) Free Virtual Event | The Mobile Security Solutions Forum, chaired by SANS Senior Instructor, Heather Mahalik, is a free virtual event featuring invited mobile security experts who will explore various mobile security topics while showcasing current capabilities available today. Register and reserve your spot today for an incredible day! | February 19th @ 10:30 AM ET | https://www.sans.org/info/218915


2) Webcast | Are you overlooking the valuable role DNS can play in security detection and investigations? Join us for our upcoming webcast, "The Strategic Value of Passive DNS to Cyber Defenses and Risk Management." | February 23rd @ 3:30 PM EST | https://www.sans.org/info/218920


3) Webcast | Tune in for our upcoming webcast, "Practical lessons from standing up a greenfield Security Operations Center" | February 25th @ 10:30 AM EST | https://www.sans.org/info/218925


*****************************************************************************

THE REST OF THE WEEK'S NEWS    

 

--Adobe Releases Security Updates for Acrobat and Reader, Magento, and Other Products

(February 9 & 10, 2021)

Hackers are exploiting a critical heap-based buffer overflow vulnerability in Adobe Reader in "limited attacks" targeting users running Adobe Reader on Windows. The flaw is one of 23 fixed in Adobe's February 9 updates for Reader and Acrobat. Adobe also released updates to address 18 vulnerabilities in Magento, five vulnerabilities in Photoshop, two in Illustrator, and one each in Animate and Dreamweaver.


Read more in:

ZDNet: Adobe patches wave of critical bugs in Magento, Acrobat, Reader

https://www.zdnet.com/article/adobe-patches-wave-of-critical-bugs-in-magento-acrobat-reader/

Threatpost: Attackers Exploit Critical Adobe Flaw to Target Windows Users

https://threatpost.com/critical-adobe-windows-flaw/163789/

Adobe: Security update available for Adobe Acrobat and Reader | APSB21-09

https://helpx.adobe.com/security/products/acrobat/apsb21-09.html

Adobe: Security Updates Available for Magento | APSB21-08

https://helpx.adobe.com/security/products/magento/apsb21-08.html

 
 

--Authorities Make Arrests in Connection with SIM-Swapping Scheme

(February 10, 2021)

Authorities in the UK have arrested eight people in connection with a SIM-swapping scheme that targeted celebrities. The National Crime Agency worked alongside US federal and state authorities on the investigation. Two other people were arrested earlier in Malta and in Belgium.


[Editor Comments]


[Neely] Make sure that you've enabled the available protections from your carrier to prevent SIM-swapping. If you haven't checked recently, revisit your account to see if there are added settings you need to enable. If SMS or phone call is the second factor to access your Cryptocurrency wallet, consider switching to alternate second factor mechanisms not susceptible to this attack.


[Murray] SIM-Swapping attacks are expensive, risky, and do not scale well. They rely in part upon the carriers' desire to be responsive to user reports of new, lost, or damaged phones. That said, those who rely upon their mobiles for receiving one-time passwords for high value accounts should be sensitive to not receiving calls or messages that they are expecting. If your phone "goes dead," report it to your carrier immediately. Prefer local password generators to SMS for high value accounts.


Read more in:

National Crime Agency: Brits arrested for sim swapping attacks on US celebs

https://www.nationalcrimeagency.gov.uk/news/brits-arrested-for-sim-swapping-attacks-on-us-celebs

Europol: Ten Hackers Arrested for String of Sim-Swapping Attacks Against Celebrities

https://www.europol.europa.eu/newsroom/news/ten-hackers-arrested-for-string-of-sim-swapping-attacks-against-celebrities

ZDNet: Authorities arrest SIM swapping gang that targeted celebrities

https://www.zdnet.com/article/authorities-arrest-sim-swapping-gang-that-targeted-celebrities/

 
 

--Zerologon Defense, Phase Two

(February 10 & 11, 2021)

With the most recent security update, Microsoft has begun enforcing phase two of security measures to protect users from the Zerologon vulnerability that was disclosed in August 2020. The severity of the flaw prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive, ordering federal agencies to take steps to protect vulnerable systems by September 21, 2020. The "February 9, 2021 and superseding Windows Updates enable enforcement mode on all supported Windows Domain Controllers and will block vulnerable connections from non-compliant devices."


[Editor Comments]


[Neely] This is the last step for fixing CVE-2020-1472, moving DCs into enforcement mode. Prior to this update you could toggle enforcement mode on your DC manually. Devices which cannot be made to use Secure RPC Netlogon need to be manually added to the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy or they will not be able to authenticate.


Read more in:

Dark Reading: Microsoft Launches Phase 2 Mitigation for Zerologon Flaw

https://www.darkreading.com/vulnerabilities---threats/microsoft-launches-phase-2-mitigation-for-zerologon-flaw/d/d-id/1340138

Bleeping Computer: Microsoft now forces secure RPC to block Windows Zerologon attacks

https://www.bleepingcomputer.com/news/security/microsoft-now-forces-secure-rpc-to-block-windows-zerologon-attacks/

 
 

--Web Hosting Company Shuts Down After Cyberattack

(February 9, 2021)

A web hosting site has decided to shut down operations after "a hacker successfully compromised all the servers [they] use to operate [their] business." A message posted on its site urges customers to download backups of their websites and databases through cPanel. The company did not provide details about the attack. However, TorrentFreak has reported that two other hosting sites, both of which "provide IPTV services to pirate streaming sites," have recently suffered similar attacks.


[Editor Comments]


[Neely] Make sure that you have a plan for recovery if your hosting provider suffers a catastrophic failure. Verify that you not only have backups enabled, but you also know how to retrieve them and restore the services backed up. Test this capability before you need it and verify your provider's DR process. The cost of the backups will be less than the cost of recovery from scratch.


[Pescatore] I really wish this item said, "All customers of a web hosting company that had been completely compromised by attackers cancelled their services, resulting in the web hosting company going out of business." I can't say I know how business decisions are made at "pirate streaming sites" but all too often cloud or other outsourced hosting services are chosen by lowest bid instead of the superior approach of security being evaluated and being a go/no-go decision rule.


Read more in:

ZDNet: Web hosting provider shuts down after cyberattack

https://www.zdnet.com/article/web-hosting-provider-shuts-down-after-cyber-attack/

TorrentFreak: Hacker Blackmails Pirate IPTV Services, Threatens To Send User Data To Police

https://torrentfreak.com/hacker-blackmails-pirate-iptv-services-threatens-to-send-user-data-to-police-210209/

 
 

--Critical Flaw in SAP Commerce Platform

(February 9 & 10, 2021)

A critical vulnerability affecting the SAP Commerce platform could be exploited to allow remote code execution. The flaw affects SAP Commerce versions 1808, 1811, 1905, 2005 and 2011. A patch for the flaw is available.


[Editor Comments]


[Neely] I used to dread having to apply patches to our ERP system, particularly critical/urgent ones, both for risk of business interruption and making sure we had sufficient regression testing. The Experian breach taught us that avoidance can have consequences which exceed the business impact of the update, particularly for Internet accessible services. This particular vulnerability, CVSS-2021-41477, requires an authenticated user and has a raw CVSS 3.0 score of 9.9. The fix for this flaw requires manual steps to fully mitigate risks.


Read more in:

Threatpost: SAP Commerce Critical Security Bug Allows RCE

https://threatpost.com/sap-commerce-critical-security-bug/163822/

SCN SAP: SAP Security Patch Day - February 2021

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=568460543

Onapsis: SAP Security Patch Day February 2021: Critical Patch released for SAP Commerce

https://onapsis.com/blog/sap-security-patch-day-february-2021-critical-patch-released-sap-commerce

 
 

--Responsive Menu WordPress Plugin Flaw

(February 10, 2021)

Three flaws affecting the Responsive Menu WordPress plugin could be exploited to take control of vulnerable websites. The plugin has been installed on more than 100,000 sites. An updated version of the plugin is available. Users are urged to update to Responsive Menu version 4.0.4.


[Editor Comments]


[Neely] The vulnerable version of the plugin (4.0.0 - 4.0.3) allowed any authenticated user to upload and extract a zip file, resulting in opportunities for remote code execution. While the flaw, once acknowledged, was fixed rapidly and an update was released January 19th, the difficulty in reaching the maintainer suggests looking for alternative plugins with a more reachable support team. Wordfence WAF was updated December 17 and January 16 for the paid and free versions respectively.


[Murray] WordPress plugins come with no representation or assurance of quality and have historically been a source of vulnerability. They should be used sparingly, only by design and intent, and, even then, must be diligently policed.


Read more in:

Wordfence: Multiple Vulnerabilities Patched in Responsive Menu Plugin

https://www.wordfence.com/blog/2021/02/multiple-vulnerabilities-patched-in-responsive-menu-plugin/

Bleeping Computer: Buggy WordPress plugin exposes 100K sites to takeover attacks

https://www.bleepingcomputer.com/news/security/buggy-wordpress-plugin-exposes-100k-sites-to-takeover-attacks/

 
 

--In Wake of Recent Attacks, Accellion Announces EOL for FTA Software

(January 28 & February 11, 2021)

Cloud service provider Accellion will retire its FTA filesharing product following a number of attacks that compromised data at government agencies and private companies in Australia, New Zealand, Singapore, and the US. The attackers appear to be using SQL injection to install a web shell and from there, steal files stored on the FTA appliance. In a January 11 statement, Accellion noted that it had been made aware of the issue in December 2020 and had "released a patch within 72 hours to the less than 50 customers affected." More recently, Accellion announced that its FTA software will reach EOL on April 30, 2021.


[Editor Comments]


[Neely] The FTA appliance is based on CentOS 6, which reached "end-of-life" in November 2020. If you want to continue to use Accellion services for file transfer, you need to migrate to their Kiteworks cloud service. Kiteworks has a FedRAMP moderate authorization. Accellion is sweetening the pot by offering migration services to existing FTA customers. I would not roll my own file transfer service, but rather use cloud solutions such as OneDrive, Box, Dropbox, Drop and Google Drive.


Read more in:

ZDNet: Accellion to retire product at the heart of recent hacks

https://www.zdnet.com/article/accellion-to-retire-product-at-the-heart-of-recent-hacks/

Guidepoint Security: Accellion FTA Targeted by Web Shell

https://www.guidepointsecurity.com/accellion-fta-targeted-by-file-downloading-web-shell/

Rackcdn: Accellion Responds to Recent FTA Security Incident - January 11, 2021 (PDF)

https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/accellion-fta-p0-statementfinal.pdf

Accellion: Accellion USA, LLC is announcing End of Life for its legacy FTA software effective April 30, 2021. (PDF)

https://www.accellion.com/sites/default/files/resources/fta-eol.pdf

 

*****************************************************************************

INTERNET STORM CENTER TECH CORNER

 

Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+February+2021+Patch+Tuesday/27080/

https://www.theregister.com/2021/02/09/microsoft_patch_tuesday/


Phishing Message to the ISC Handlers E-Mail Distro

https://isc.sans.edu/forums/diary/Phishing+message+to+the+ISC+handlers+email+distro/27082/


Agent Tesla Hidden in Historical Anti-Malware Tool

https://isc.sans.edu/forums/diary/Agent+Tesla+hidden+in+a+historical+antimalware+tool/27088/


Dependency Confusion

https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

https://azure.microsoft.com/mediahandler/files/resourcefiles/3-ways-to-mitigate-risk-using-private-package-feeds/3%20Ways%20to%20Mitigate%20Risk%20When%20Using%20Private%20Package%20Feeds%20-%20v1.0.pdf (PDF)


Google Phishing Statistics

https://cloud.google.com/blog/products/workspace/how-gmail-helps-users-avoid-email-scams


Adobe Security Updates

https://helpx.adobe.com/security/products/acrobat/apsb21-09.html


Apple Sudo Patch

https://support.apple.com/en-us/HT212177


Number:Jack ISN Generation Weaknesses

https://www.forescout.com/company/resources/numberjack-weak-isn-generation-in-embedded-tcpip-stacks/


McAfee Total Protection Vulnerabilities

https://service.mcafee.com/webcenter/portal/oracle/webcenter/page/scopedMD/s55728c97_466d_4ddb_952d_05484ea932c6/Page29.jspx?wc.contextURL=%2Fspaces%2Fcp&articleId=TS103114&_afrLoop=787687216282731&leftWidth=0%25&showFooter=false&showHeader=false&rightWidth=0%25&centerWidth=100%25#!%40%40%3FshowFooter%3Dfalse%26_afrLoop%3D787687216282731%26articleId%3DTS103114%26leftWidth%3D0%2525%26showHeader%3Dfalse%26wc.contextURL%3D%252Fspaces%252Fcp%26rightWidth%3D0%2525%26centerWidth%3D100%2525%26_adf.ctrl-state%3Dxhwyfc0a5_432


Intel Patches

https://blogs.intel.com/technology/2021/02/ipas-security-advisories-for-february-2021


Discord Used to Distribute Malware

https://www.zscaler.com/blogs/security-research/discord-cdn-popular-choice-hosting-malicious-payloads


*****************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.