SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXIII - Issue #4
January 15, 2021CISA: Weak Cloud Security Actively Exploited; NSA: Third-Party DNS Resolvers Unsafe; FIX NOW! Actively Exploited Flaws in Microsoft, Adobe, and Cisco Products
*****************************************************************************
SANS NewsBites January 15, 2021 Vol. 23, Num. 004
*****************************************************************************
THE TOP OF THE NEWS
CISA: Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments
NSA Warns Enterprises Not to Use Third-Party DNS Resolvers
Microsoft Patch Tuesday Includes Fix for Actively Exploited Microsoft Defender Flaw
Adobe Patch Tuesday - High Priority
Cisco Updates Include Fix for Serious Vulnerability in CMX and 70 Other High-Severity Flaws
THE REST OF THE WEEK'S NEWS
Proposed Rulemaking Would Require Financial Institutions to Report Cybersecurity Incidents Within 36 Hours
International Effort Leads to DarkMarket Server Takedown and Arrest of Alleged Operator
SolarWinds: Third Malware Tool Discovered
Apple Will Remove Feature that Let its Apps Bypass Security Measures
Stolen COVID-19 Data Leaked
Mimecast Says Hackers Stole Digital Certificate
Update Available to Fix Critical Flaw in Orbit Fox by ThemeIsle WordPress Plugin
INTERNET STORM CENTER TECH CORNER
****************** Sponsored By Security Risk Advisors **********************
Purple Team "Essentials" is an effective way to begin purple teaming, obtain benchmarks, and strengthen your defenses against the most used attacker TTPs. Security Risk Advisors will help you measure the effectiveness of your defensive tools and track performance over time. SRA is a thought-leader in purple team methodology, represented by the free VECTR(TM) platform. | https://www.sans.org/info/218670
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
New & Updated Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/cyber-security-courses/security-essentials-bootcamp-style/
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/cyber-security-courses/hacker-techniques-exploits-incident-handling/
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
- https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training/
Upcoming Live Online Events
SANS Stay Sharp - Feb 1-4 CST
1-3 Day Management & Cloud Courses
- https://www.sans.org/event/stay-sharp-management-and-cloud-feb-2021/
SANS Pen Test & Offensive Training - Feb 8-13 CST
14 Courses | Core NetWars | Coin-A-Palooza!
- https://www.sans.org/event/pen-test-and-offensive-training-2021/
Open-Source Intelligence (OSINT) Summit & Training
FREE Summit: Feb 11-12 | Courses: Feb 8-10 & 15-20 EST
- https://www.sans.org/event/osint-summit-2021/
OnDemand Training Special Offer
Get an iPad, a Galaxy Tab A, or take $250 Off with OnDemand training through January 27.
- www.sans.org/specials/north-america/
Blue Team Operations Resources
Cheat Sheets, Papers, Podcasts, and more. View & Download
- https://www.sans.org/blue-team/
*****************************************************************************
TOP OF THE NEWS
--CISA: Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments
(January 13 & 14, 2021)
The US Cybersecurity and Infrastructure Security Agency (CISA) has released Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services, after becoming aware of cyber-attacks leveraging weaknesses in cloud security services. Threat actors are leveraging phishing and other techniques to exploit poor cyber hygiene practices and misconfigurations in cloud services. CISA has listed steps organizations can take to improve their cloud security posture.
[Editor Comments]
[Paller] The false belief that "cloud equals more secure" is so pervasive that one of the largest cloud providers has an employee (a senior retired FBI agent) whose nearly full-time job is explaining to clients that the system images they bought from the cloud provider were "no more secure than the servers and desktops they bought from Best Buy." In a meeting in Washington, he told the other attendees his nickname at the company was "CAO." When asked what that meant, he said, "Chief Apology Officer." It takes skilled professionals to make cloud systems secure, though the cloud providers offer wonderful tools to enable clients to make their systems more secure. SANS has in-depth, up-to-date courses on how to use those tools (https://www.sans.org/blog/sans-cloud-security-curriculum/) and all three top cloud providers allow you to order system images preconfigured according to the Center for Internet Security configuration guidelines. https://www.cisecurity.org/blog/everything-you-need-to-know-about-cis-hardened-images/: Everything You Need to Know About CIS Hardened Images
[Neely] The report includes great recommendations to improve cloud security. Make sure that you're adequately securing cloud environments; at a minimum make sure you're following the service's security guidance. Review that guidance annually for improvements and needed changes. Make sure that direct access requires MFA. Verify that conditional access is both enabled and operates as planned. Evaluate the risks of enabling SSO from corporate desktops. Be sure that cloud service logs are being reviewed regularly, ideally forwarded automatically to your centralized logging and SIEM.
[Pescatore] Poor configuration management, authentication, privilege management and secure configuration IT ops practices don't get better just because the application is now running in the cloud. Too often it just means that the wrong things can be done faster. None of CISA's recommendation are cloud-specific. Best approach is to focus on essential security practices on-premise, then extend to the cloud.
Read more in:
US-CERT-CISA: Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments
CISA: Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-013a
Bleeping Computer: CISA: Hackers bypassed MFA to access cloud service accounts
Threatpost: Cloud Attacks Are Bypassing MFA, Feds Warn
https://threatpost.com/cloud-attacks-bypass-mfa-feds/163056/
Security Week: CISA Warns Organizations About Attacks on Cloud Services
https://www.securityweek.com/cisa-warns-organizations-about-attacks-cloud-services
MeriTalk: Threat Actors Exploiting Poor Cyber Hygiene of Cloud Environments, CISA Warns
--NSA Warns Enterprises Not to Use Third-Party DNS Resolvers
(January 14, 2021)
The US National Security Agency (NSA) has released recommendations for enterprises to securely adopt encrypted DNS. The document "explain[s] the benefits and risks of adopting the encrypted domain name system (DNS) protocol, DNS over HTTPs (DoH), in enterprise environments." The NSA recommends against using third-party DNS resolvers to "ensure proper use of essential enterprise security controls, facilitate access to local network resources, and protect internal network information."
Read more in:
Defense: Adopting Encrypted DNS in Enterprise Environments (PDF)
NSA: NSA Recommends How Enterprises Can Securely Adopt Encrypted DNS
Bleeping Computer: NSA advises companies to avoid third party DNS resolvers
ZDNet: NSA warns against using DoH inside enterprise networks
https://www.zdnet.com/article/nsa-warns-against-using-doh-inside-enterprise-networks/
--Microsoft Patch Tuesday Includes Fix for Actively Exploited Microsoft Defender Flaw
(January 12, 2021)
Microsoft has released fixes for 83 security issues in its software, including Windows, Edge, Office, SQL Server, and Azure. Ten of the flaws are rated critical. One of the flaws fixed was disclosed prior to the monthly security update, and one of the flaws is being actively exploited: a remote code execution vulnerability that affects Microsoft Defender.
[Editor Comments]
[Neely] Prioritize patching the actively exploited Defender flaw, which affects versions 1.1.17600 and below, followed closely by the splwow64 (user-mode printer driver) and Windows RPC Runtime updates. The RPC vulnerability is a RCE that reportedly requires no user interaction to exploit.
Read more in:
ISC: Microsoft January 2021 Patch Tuesday
https://isc.sans.edu/forums/diary/Microsoft+January+2021+Patch+Tuesday/26978/
MSRC: Microsoft Defender Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647
ZDNet: Microsoft fixes Defender zero-day in January 2021 Patch Tuesday
https://www.zdnet.com/article/microsoft-fixes-defender-zero-day-in-january-2021-patch-tuesday/
KrebsOnSecurity: Microsoft Patch Tuesday, January 2021 Edition
https://krebsonsecurity.com/2021/01/microsoft-patch-tuesday-january-2021-edition/
Threatpost: Critical Microsoft Defender Bug Actively Exploited; Patch Tuesday Offers 83 Fixes
https://threatpost.com/critical-microsoft-defender-bug-exploited/162992/
The Register: Microsoft emits 83 security fixes - and miscreants are already exploiting one of the vulns in Windows Defender
https://www.theregister.com/2021/01/12/patch_tuesday_fixes/
MSRC: Security Update Guide
https://msrc.microsoft.com/update-guide/
--Adobe Patch Tuesday - High Priority
(January 12 & 13, 2021)
Adobe has released security updates to address seven critical vulnerabilities in Photoshop, Illustrator, Animate, Bridge, and other products. As of Tuesday, January 12, Adobe is blocking Flash content. Users are being urged to uninstall the software, which is no longer supported.
[Editor Comments]
[Neely] Uninstalling Flash removes the option for a bypass of the kill switch. Make sure browser updates, which further blocked the running of Flash, are installed. Monitor for the reintroduction, only permitting Flash where the risk has been explicitly accepted and mitigations are in place to prevent abuse. Consider adding Flash to your denied/banned applications list and blocking content at the perimeter.
Read more in:
Threatpost: Adobe Fixes 7 Critical Flaws, Blocks Flash Player Content
https://threatpost.com/adobe-critical-flaws-flash-player/162958/
ZDNet: Adobe fixes critical code execution vulnerabilities in 2021's first major patch round
Adobe: Adobe Security Bulletins and Advisories
https://helpx.adobe.com/security.html
--Cisco Updates Include Fix for Serious Vulnerability in CMX and 70 Other High-Severity Flaws
(January 13 & 14, 2021)
Cisco has released fixes for nearly 70 high-severity flaws in a variety of products. One of the most serious vulnerabilities affects Cisco Connected Mobile Experiences (CMX); it could be exploited to "allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system." Cisco has also released fixes for vulnerabilities in its RV routers, but it is not releasing updates for older RV routers that have reached end-of-life (EOL). The devices in question, which include Cisco Small Business RV110W, RV130, RV130W, and RV215W systems, reached EOL in 2017 and 2018, and paid extended support contracts expired on December 1, 2020. Cisco is urging customers using older versions of its RV routers to upgrade to newer, actively supported models.
[Editor Comments]
[Neely] Exploiting the vulnerabilities requires existing credentials on the devices. One of the mitigations is to disable the web UI for managing the configuration. As these are devices used by small businesses, which may not have the expertise to manage them using the command line, replacement of these EOL devices is a much better choice. Review the configuration to ensure that only authorized devices and users are able to update the configuration. Make sure that you are regularly checking for and applying updates as well as verifying the configuration, and changing credentials after support staff turnover.
[Pescatore] Demolition experts find a small number of key support points and use a small number of explosives to bring down very large buildings. IT infrastructure elements, like network management systems (SolarWinds), VPN servers (such as PulseSecure) and all routers/switchers/load balancers, etc. are high priority/high level targeted "support points" that can cause catastrophic damage if left vulnerable and exploitable. Down time for patching/securely configuring key infrastructure elements has to be fought for.
Read more in:
Threatpost: High-Severity Cisco Flaw Found in CMX Software For Retailers
https://threatpost.com/cisco-flaw-cmx-software-retailers/163027/
ZDNet: Cisco says it won't patch 74 security bugs in older RV routers that reached EOL
Cisco: Cisco Connected Mobile Experiences Privilege Escalation Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmxpe-75Asy9k
******************************* SPONSORED LINKS ********************************
1) Next Friday! | January 22nd @ 9:00 AM EST | Join us for the 2021 Cyber Threat Intelligence Summit Solutions Track! Chaired by Robert M. Lee, this virtual event will consist of presentations that focus on case-studies and thought leadership using specific examples relevant to the industry as we know it today | 4 CPE Credits | https://www.sans.org/info/218675
2) Webcast | Join us for our upcoming webcast, "Protect your public cloud resources and achieve cloud maturity" which will explore hot topics in cloud security and powerful Secure Cloud Analytics features that could mean the difference between you and the next public cloud compromise. | January 20th @ 3:30 PM EST | https://www.sans.org/info/218680
3) Webcast |Attend our upcoming webinar, "The Top 10 UEBA Use Cases for Today's SOCs" to learn more about why behavior analytics is a must-have for a mature security framework, and more! | January 21st @ 3:30 PM EST | https://www.sans.org/info/218685
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--Proposed Rulemaking Would Require Financial Institutions to Report Cybersecurity Incidents Within 36 Hours
(January 12, 2021)
US federal financial regulatory agencies have proposed a rule that would require financial institutions to report cybersecurity events to financial regulators "no later than 36 hours after the banking organization believes in good faith that the incident occurred." The US The Office of the Comptroller of the Currency, Treasury, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation (FDIC) published the proposed rulemaking in the Federal Register on January 12, 2021; comment will be accepted through April 12, 2021.
Read more in:
Duo: NEW RULE MAY REQUIRE BANKS TO REPORT INCIDENTS SOONER
https://duo.com/decipher/new-rule-may-require-banks-to-report-incidents-sooner
Federal Register: Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers
--International Effort Leads to DarkMarket Server Takedown and Arrest of Alleged Operator
(January 13, 2021)
An international law enforcement operation involving Europol and agencies in Germany, Australia, Denmark, Moldova, Ukraine, the UK, and the US has taken down the DarkMarket illegal online marketplace. The alleged operator of the marketplace, an Australian citizen living in Germany, has been arrested. Authorities also seized more than 20 associated servers in Moldova and Ukraine.
[Editor Comments]
[Neely] A Darknet market is an e-commerce site designed to lie beyond the reach of regular search engines. Payments are made purely with cryptocurrency, and buyers and sellers are largely untraceable. Even so, this market had 500,000 users with 2,400 sellers. This takedown was part of a larger investigation which led to the 2019 shutdown of the CyberBunker "bulletproof hosting" service and distinct from the 2009 takedown of another site also called DarkMarket.
[Honan] An exemplary example of how international cooperation between law enforcement agencies can effectively tackle online crime. Expect to see many more of these operations in the future.
Read more in:
Europol: DarkMarket: World's Largest Illegal Dark Web Marketplace Taken Down
The Register: World's largest dark-web marketplace shuttered after Euro cybercops cuff Aussie
https://www.theregister.com/2021/01/13/darkmarket_europol_shutdown/
ZDNet: Australian man arrested for alleged operation of now-shuttered DarkMarket
--SolarWinds: Third Malware Tool Discovered
(January 12 & 13, 2021)
SolarWinds and CrowdStrike have disclosed information about yet another piece of malware that helped enable the supply chain attack. Dubbed Sunspot, the malware is designed "to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product."
Read more in:
CrowdStrike: SUNSPOT: An Implant in the Build Process
https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
The Register: SolarWinds malware was sneaked out of the firm's Orion build environment 6 months before anyone realised it was there - report
https://www.theregister.com/2021/01/12/solarwinds_tech_analysis_crowdstrike/
SC Magazine: Sunspot malware scoured servers for SolarWinds builds that it could weaponize
Dark Reading: More SolarWinds Attack Details Emerge
https://www.darkreading.com/threat-intelligence/more-solarwinds-attack-details-emerge/d/d-id/1339885
KrebsOnSecurity: SolarWinds: What Hit Us Could Hit Others
https://krebsonsecurity.com/2021/01/solarwinds-what-hit-us-could-hit-others/
--Apple Will Remove Feature that Let its Apps Bypass Security Measures
(January 14, 2021)
In October 2020, Mac researchers noticed a feature in a beta version of macOS 11.2 that allowed Apple apps to bypass socket firewalls and virtual private networks. Dubbed the ContentFilterExclusionList, the feature permitted roughly 50 Apple programs to access the Internet without going through the Network Extension Framework, which was established to allow the monitoring and filtering of network traffic. Researchers noted that exploiting the ContentFilterExclusionList is trivial. The second beta version of macOS 11.2 will not include that feature.
[Editor Comments]
[Neely] With the increased emphasis on supply chain security, allowing 50 apps to bypass security measures without recourse should raise a red flag. Apple is turning up the security with macOS 11, including deprecating kernel modules to prevent introduction of malfeasance into the highest privileged parts of the OS. Apple also introduced a Network Extension Framework to permit security products to interact with all network-bound traffic. While an exclusion list may be valuable, by default all applications need to follow the security framework; only be excepted when the user organization accepts that risk, if ever.
Read more in:
SC Magazine: Apple nixes feature that let its apps skip VPNs and firewalls, after criticism from researchers
--Stolen COVID-19 Data Leaked
(January 13, 2021)
Hackers who stole COVID-19 vaccine and medicine data from the European Medicines Agency (EMA) late last year have posted the information online. Law enforcement authorities are investigating.
Read more in:
EMA: Cyberattack on EMA - update 4
https://www.ema.europa.eu/en/news/cyberattack-ema-update-4
Threatpost: Hackers Leak Stolen Pfizer-BioNTech COVID-19 Vaccine Data
https://threatpost.com/hackers-leak-pfizer-covid-19-vaccine-data/163008/
ZDNet: Hackers have leaked the COVID-19 vaccine data they stole in a cyberattack
Health IT Security: Hackers Leak COVID-19 Vaccine Data Stolen During EU Regulator Breach
--Mimecast Says Hackers Stole Digital Certificate
(January 12 & 13, 2021)
In a January 12 blog post, eMail security provider Mimecast says, "Microsoft recently informed us that a Mimecast-issued certificate provided to certain customers to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services has been compromised by a sophisticated threat actor." The issue affects approximately 10 percent of Mimecast's customer base. Mimecast has asked affected customers "to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate" Mimecast has made available. Both the methods and the targets of the attack bear similarities to the SolarWinds supply chain attack.
[Editor Comments]
[Neely] The certificate stolen is the one that is trusted to create the certificates associated with successful authentication activities. As such, removing the old certificate so it is no longer trusted is required. That requires deleting and recreating the connection rather than just updating a certificate in place.
Read more in:
Mimecast: Important Update from Mimecast
https://www.mimecast.com/blog/important-update-from-mimecast/
Dark Reading: SolarWinds Attackers May Have Hit Mimecast, Driving New Concerns
Cyberscoop: Mimecast breach investigators probe possible SolarWinds connection
https://www.cyberscoop.com/mimecast-email-breach-solarwinds-russia/
Ars Technica: Hackers steal Mimecast certificate used to encrypt customers' M365 traffic
ZDNet: Mimecast says hackers abused one of its certificates to access Microsoft accounts
Threatpost: Mimecast Certificate Hacked in Microsoft Email Supply-Chain Attack
https://threatpost.com/mimecast-certificate-microsoft-supply-chain-attack/162965/
Bleeping Computer: Mimecast discloses Microsoft 365 SSL certificate compromise
Duo: Mimecast Says Attackers Stole Certificate, Targeted Customers' Email
https://duo.com/decipher/mimecast-says-attackers-stole-certificate-targeted-customers-email
--Update Available to Fix Critical Flaw in Orbit Fox by ThemeIsle WordPress Plugin
(January 12, 2021)
A critical authenticated privilege elevation flaw in the Orbit Fox by ThemeIsle WordPress plugin could be exploited to take control of vulnerable websites. An update for the plugin is available. It also addresses a medium-severity stored cross-site scripting vulnerability that could be exploited to inject malicious JavaScript into websites. The plugin has been installed on more than 400,000 WordPress sites. Users are urged to update to Orbit Fox by ThemeIsle version 2.10.3.
[Editor Comments]
[Neely} Exploiting the vulnerability requires both enabling the creation of registration forms and the Elementor and Beaver Builder plugins. Even if you only have the ThemeIsle plugin, apply the update. Wordfence pushed firewall rules to their free version on December 19th to block attempted exploitation.
Read more in:
Wordfence: Multiple Vulnerabilities Patched in Orbit Fox by ThemeIsle Plugin
Threatpost: Critical WordPress-Plugin Bug Found in 'Orbit Fox' Allows Site Takeover
https://threatpost.com/orbit-fox-wordpress-plugin-bugs/163020/
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
MSFT January 2021 Patch Tuesday
https://isc.sans.edu/forums/diary/Microsoft+January+2021+Patch+Tuesday/26978/
Adobe Patches
https://helpx.adobe.com/security.html
Mimecast Cert Stolen
https://www.mimecast.com/blog/important-update-from-mimecast/
Leaking Silhouettes of Cross-Origin Images
https://blog.mozilla.org/attack-and-defense/2021/01/11/leaking-silhouettes-of-cross-origin-images/
Hancitor Activity Resumes After a Holiday Break
https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/
Intel Hardware-Enabled Ransomware Protections
Making Clouds Rain: RCE in Microsoft Office 365
https://srcincite.io/blog/2021/01/12/making-clouds-rain-rce-in-office-365.html
SAP Security Patch Day
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476
Dynamically Analyzing A Heavily Obfuscated Excel 4 Macro Malicious File
Odd Filename Corrupts NTFS Disks
https://twitter.com/jonasLyk/status/1347900440000811010
Cisco Vulnerabilities
https://tools.cisco.com/security/center/publicationListing.x
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.