
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXIII - Issue #7

January 26, 2021

SonicWall Vulnerabilities; Cloud Accounts Exploited In Aviation and High-Tech Networks; UofSC Cybersecurity Grads More Desirable To Employers



****************************************************************************

SANS NewsBites               January 26, 2021              Vol. 23, Num. 007

****************************************************************************

TOP OF THE NEWS


  SonicWall Internal Systems Breached Through Vulnerabilities in its Own Products

  Cloud Accounts Used to Gain Persistent Access to Aviation and High-Tech Company Networks

  University of South Carolina First Undergraduate College to Make Cybersecurity Graduates Highly Desirable To Employers



THE REST OF THE WEEK'S NEWS


  US Military Intel Purchases Phone Location Data Instead of Obtaining Warrants

  SEPA Ransomware Update: Stolen Files Leaked

  Vulnerabilities in OPC Network Protocol

  Tesla Sues Over Theft of Trade Secrets

  Australian Securities and Investments Commission Says Server Breached

  Cisco Issues Fix for Cross-site Request Forgery Vulnerability in DNA Center

  Crane Manufacturer Palfinger Hit with Cyberattack

  Flash Deactivation Halts Chinese Railroad for a Day

  ADT Employee Pleads Guilty to Spying on Customers Through Security Cameras

 

INTERNET STORM CENTER TECH CORNER

********************  Sponsored By AWS Marketplace  ***************************


Webcast | Our upcoming webcast is designed to teach you how to improve your Cloud Threat Intelligence (CTI) program by gathering critical cloud-specific event data, relevant types of indicators of compromise (IoC), and adversarial tactics, techniques, and procedures (TTPs). SANS and AWS Marketplace will discuss CTI detection and prevention metrics, finding effective intelligence data feeds and sources, and determining how best to integrate them into security operations functions. Register today and be one of the first to receive the associated whitepaper written by SANS Senior Instructor, Dave Shackleford!  | January 28th @ 2:00 PM ET

| http://www.sans.org/info/218750


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


New & Updated Courses


SEC401: Security Essentials Bootcamp Style

- https://www.sans.org/cyber-security-courses/security-essentials-bootcamp-style/


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/cyber-security-courses/hacker-techniques-exploits-incident-handling/


FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics 

- https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training/


Upcoming Live Online Events


ICS Security Summit & Training

FREE Summit: Mar 4-5 | Courses: Mar 8-13 EST

- https://www.sans.org/event/ics-security-summit-2021/


SANS Stay Sharp - Mar 8-9 EST

2-Day Pen Test & Offensive Ops Courses

- https://www.sans.org/event/stay-sharp-pen-test-march-2021/

 

SANS 2021 - Mar 22-27 EDT

30+ Courses | Core, Cyber Defense, and DFIR NetWars

- https://www.sans.org/event/sans-2021-live-online/


OnDemand Training Special Offer


Get an iPad, a Galaxy Tab A, or take $250 Off with OnDemand training through January 27.

- www.sans.org/specials/north-america/


Offensive Operations Resources


New Cheat Sheets, Slingshot Linux Distro, Posters, and more. View & Download

- https://www.sans.org/offensive-operations/


*****************************************************************************

TOP OF THE NEWS   

 

--SonicWall Internal Systems Breached Through Vulnerabilities in its Own Products

(January 22, 23, 24, & 25, 2021)

SonicWall has published an urgent security notice stating that its "engineering teams continue their investigation into probable zero-day vulnerabilities with SMA 100 series products." SonicWall's internal systems were breached through zero-day vulnerabilities in its own remote access products.


[Editor Comments]


[Neely] This is a 0-Day exploit of the SonicWall SMA 100 series of appliances, not their NetExtender VPN as previously thought. Until a patch is released, make sure you have 2FA enabled on your SMA 100s; enable End Point Control to verify devices prior to connection; and consider using Geo-IP/botnet filtering to block access from countries you shouldn't see access from, as well as limiting the times accounts can log in. While good mitigations, these actions need careful consideration when you have users who travel internationally or work from multiple time zones.


[Ullrich] Yet another incident that fits into the larger "supply chain" attack theme. This may be more severe than the SolarWinds issue as it may affect a lot more users. I hope SonicWall caught the attack quickly and was able to limit the impact. At last year's SANS keynote panel at RSA, I talked about the issues with vulnerable perimeter devices. While companies are dissolving perimeters quickly, we still rely on VPNs and firewalls and just assume (perhaps incorrectly) that these devices work.


Read more in:

SonicWall: Urgent Security Notice: NetExtender VPN Client 10.X, SMA 100 Series Vulnerability [Updated Jan. 23, 2021]

https://www.sonicwall.com/support/product-notification/urgent-security-notice-netextender-vpn-client-10-x-sma-100-series-vulnerability-updated-jan-23-2021/210122173415410/

The Hacker News: Exclusive: SonicWall Hacked Using 0-Day Bugs In Its Own VPN Product

https://thehackernews.com/2021/01/exclusive-sonicwall-hacked-using-0-day.html

Infosecurity Magazine: SonicWall Probes Attack Using Zero-Days in Own Products

https://www.infosecurity-magazine.com/news/sonicwall-probes-zerodays-in-own/

ZDNet: SonicWall says it was hacked using zero-days in its own products

https://www.zdnet.com/article/sonicwall-says-it-was-hacked-using-zero-days-in-its-own-products/

SC Magazine: SonicWall network attacked via zero day in its secure access solution

https://www.scmagazine.com/home/security-news/vulnerabilities/sonicwall-network-attacked-via-zero-days-in-its-vpn-and-secure-access-solutions/

Bleeping Computer: SonicWall firewall maker hacked using zero-day in its VPN device

https://www.bleepingcomputer.com/news/security/sonicwall-firewall-maker-hacked-using-zero-day-in-its-vpn-device/

Security Week: SonicWall Says Internal Systems Targeted by Hackers Exploiting Zero-Day Flaws

https://www.securityweek.com/sonicwall-says-internal-systems-targeted-hackers-exploiting-zero-day-flaws

Gov Infosecurity: SonicWall Investigating Zero-Day Attacks Against Its Products

https://www.govinfosecurity.com/sonicwall-investigating-zero-day-attacks-against-its-products-a-15837

  

--Cloud Accounts Used to Gain Persistent Access to Aviation and High-Tech Company Networks

(January 21, 2021)

According to a report from NCC Group and its Fox-IT subsidiary, hackers have been gaining access to networks at high-tech and aviation organizations and maintaining dwell times of as long as three years. The hackers appear to have gained initial access to the networks through cloud-based services.


[Editor Comments]


[Pescatore] Phishing and password compromise were cited as how the attackers gained initial access - as is the case in the majority of all attacks and more than 90% of incidents when major cloud services are the access point. Strong authentication on cloud admin services would have closed that path. Enhanced monitoring of all admin-privileged accounts would have reduced the time to detect in the unlikely event that strong authentication was compromised.


[Ullrich] Three years of dwell time is easily explained by missing controls around cloud services. In particular, SaaS providers do not always offer tools to audit access from authorized users.


[Neely] The attackers used credential stuffing, password spraying, and brute force techniques to compromise credentials used for cloud services, and had a long dwell time. Monitoring, not only for the attacks, but also unusual user activity would have revealed the hackers much sooner. Additionally, make sure account lockout actions are configured and tested. Lastly, verify multi-factor authentication is enabled for all accounts on services which can be directly accessed from the Internet, cloud or otherwise. Your IDP can be configured to vary the strength of authentication required based on many factors, including domain membership, location, and time, to maintain a frictionless experience for legitimate users.


Read more in:

SC Magazine: Hackers hijacked cloud accounts of high-tech and aviation firms, hid in systems for years

https://www.scmagazine.com/home/security-news/apts-cyberespionage/hackers-hijacked-cloud-accounts-of-high-tech-and-aviation-firms-hid-in-systems-for-years/

Fox-IT: Abusing cloud services to fly under the radar

https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
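As an added illustration of the monitoring the editors call for above (credential stuffing and password spraying against cloud sign-ins, plus unusual user activity), the following Python script is not code from the NCC Group/Fox-IT report or from SANS. It runs two checks over a constructed sign-in log: it flags a source IP that fails against many distinct accounts within a short window (a password-spraying pattern), and it flags successful sign-ins that come from such an IP or from a country the account has never signed in from before. The account names, IP addresses, country codes and thresholds are made-up assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log for a fictitious tenant (not real data).
# Fields: timestamp, account, source IP, geo country code, result.
SAMPLE_LOG = """\
2021-01-11T09:02:11Z,alice@example.test,198.51.100.10,US,SUCCESS
2021-01-12T08:57:40Z,alice@example.test,198.51.100.10,US,SUCCESS
2021-01-13T09:10:05Z,bob@example.test,198.51.100.22,US,SUCCESS
2021-01-20T02:01:05Z,alice@example.test,203.0.113.7,XX,FAIL
2021-01-20T02:01:09Z,bob@example.test,203.0.113.7,XX,FAIL
2021-01-20T02:01:14Z,carol@example.test,203.0.113.7,XX,FAIL
2021-01-20T02:01:20Z,dave@example.test,203.0.113.7,XX,FAIL
2021-01-20T02:01:27Z,erin@example.test,203.0.113.7,XX,FAIL
2021-01-20T02:01:33Z,frank@example.test,203.0.113.7,XX,SUCCESS
2021-01-21T09:05:00Z,bob@example.test,198.51.100.22,US,SUCCESS
2021-01-21T10:15:00Z,bob@example.test,198.51.100.22,US,FAIL
2021-01-22T03:00:00Z,alice@example.test,203.0.113.9,YY,SUCCESS
"""

# Assumed thresholds: tune to the tenant's normal failure rate.
SPRAY_WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 5   # distinct accounts failing from one IP inside the window


def parse_log(text):
    """Parse the CSV-style log into dicts, sorted chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "country": country, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def detect_spraying(events):
    """Return {ip: sorted accounts} for IPs whose failures hit SPRAY_MIN_ACCOUNTS
    or more distinct accounts inside any SPRAY_WINDOW-long sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["ip"]].append(e)
    hits = defaultdict(set)
    for ip, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits SPRAY_WINDOW.
            while evs[end]["ts"] - evs[start]["ts"] > SPRAY_WINDOW:
                start += 1
            users = {x["user"] for x in evs[start:end + 1]}
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                hits[ip].update(users)
    return {ip: sorted(users) for ip, users in hits.items()}


def detect_anomalous_success(events, spray_ips=frozenset()):
    """Flag successful sign-ins from a spraying IP, or from a country the account
    has not used before. The per-account baseline is built from earlier successes."""
    seen_countries = defaultdict(set)
    alerts = []
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        reasons = []
        if e["ip"] in spray_ips:
            reasons.append("source IP is spraying")
        if seen_countries[e["user"]] and e["country"] not in seen_countries[e["user"]]:
            reasons.append(f"new country {e['country']}")
        if reasons:
            alerts.append((e["user"], e["ip"], reasons))
        seen_countries[e["user"]].add(e["country"])
    return alerts


def analyze(text=SAMPLE_LOG):
    """Run both checks; successes from spraying IPs rank highest for triage."""
    events = parse_log(text)
    spray = detect_spraying(events)
    return spray, detect_anomalous_success(events, frozenset(spray))


if __name__ == "__main__":
    spray, anomalies = analyze()
    for ip, users in spray.items():
        print(f"[SPRAY] {ip} failed against {len(users)} accounts: {', '.join(users)}")
    for user, ip, reasons in anomalies:
        print(f"[ANOMALY] {user} signed in from {ip}: {'; '.join(reasons)}")
```

On the sample log the spray from 203.0.113.7 is reported, and the two successes worth a closer look are frank's (from the spraying IP, even though the account has no baseline yet) and alice's later sign-in from a country she has never used.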


 

--University of South Carolina First Undergraduate College To Make Cybersecurity Graduates Highly Desirable To Employers

(January 20, 2021)

The University of South Carolina Aiken is partnering with the SANS Technology Institute to provide the students in the university's Bachelor of Science program in Applied Computer Science - Cybersecurity the option of completing the 12-credit Undergraduate Certificate in Applied Cybersecurity at SANS.edu as part of the UofSC Aiken cybersecurity degree program. The Certificate provides graduates with three GIAC certifications that, according to recent data, make those students three times as likely to be chosen for cybersecurity job interviews as students with the certifications commonly earned by cybersecurity graduates.


[Editor Comments]


[Neely] This program is an awesome opportunity. If you're in the UofSC Aiken cybersecurity degree program, with a GPA of 2.5 or better, you can apply to the SANS undergraduate program, complete one SANS course per semester in your Junior and Senior years, and come out with four GIAC certifications, and hands-on knowledge which makes you a very attractive candidate for an employer as you not only have a breadth of critical current knowledge but also experience applying it during the program.


[Ullrich] As a part of SANS.edu, I am very excited about the expansion of our undergraduate program. Not only will this fill a critical gap in training new cyber security talent, but I am in particular excited to see what great content these students will create as part of the included internship with the Internet Storm Center.


[Murray] A bachelor's degree is about being ready for life; depending in part upon the program, it may or may not prepare the student for the first job out of school. Certificates are about being ready for the job; they are becoming increasingly useful to employers and candidates.


Read more in:

WRDW: UofSC partnership aims to bolster cybersecurity studies

https://www.wrdw.com/2021/01/20/uofsc-partnership-aims-to-bolster-cybersecurity-studies/

SANS: Undergraduate Cyber Security Certificate Program

https://www.sans.edu/usca


*******************************  SPONSORED LINKS  ******************************** 


1) Webcast | Join our upcoming webcast, "Best Practices for Securing Modern Cloud Native Application with ActiveCampaign CISO" where Chaim Mazal, ActiveCampaign CISO, shares his experience in the cloud native space and offers tips for others. | February 4th @ 10:30 AM EST

| http://www.sans.org/info/218755


2) Webcast  | Join our live webinar during which Anthony Moisant, CISO of Glassdoor and Doug Cahill, Vice President and Group Director, Cybersecurity at Enterprise Strategy Group, will share their perspectives on the challenges security organizations faced in 2020 and what lies ahead for 2021 and beyond. | January 29th @ 1:00 PM EST

| http://www.sans.org/info/218760


3) Webcast Tomorrow! | We invite you to join us for our upcoming webcast, "Slacking on insider threats? Investigative and monitoring approaches to use within Slack to locate bad actors" | January 27th @ 10:30 AM EST


*****************************************************************************

THE REST OF THE WEEK'S NEWS  

 

--US Military Intel Purchases Phone Location Data Instead of Obtaining Warrants

(January 22, 2021)

According to an unclassified memo obtained by the New York Times, the US Defense Intelligence Agency (DIA) has been circumventing warrant requirements by obtaining smartphone location data through commercially available databases. A 2018 US Supreme Court ruling requires the government to obtain a warrant prior to obtaining phone location data from telecommunication companies.


[Editor Comments]


[Neely] Privacy laws and corresponding legislation around mobile device location data continue to evolve. While cellular providers have location data from cell towers, location services on your device also provide individual applications' location data which may be used by their providers. As it is largely impractical to blanket-disable location services and Apple and Google are working to limit what applications can do with location data, only enable it for the applications that truly need it. As law enforcement is able to obtain non-anonymized location data, which then includes information about US and non-US citizens, guidance and practices need to evolve to support not only the 4th Amendment, but also foreign privacy laws. If you're in the federal government, you also have to watch for Executive Order 12333 when accessing the data.

https://www.archives.gov/federal-register/codification/executive-order/12333.html


Read more in:

NYT: Intelligence Analysts Use U.S. Smartphone Location Data Without Warrants, Memo Says

https://www.nytimes.com/2021/01/22/us/politics/dia-surveillance-data.html

Ars Technica: Military intelligence buys location data instead of getting warrants, memo shows

https://arstechnica.com/tech-policy/2021/01/military-intelligence-buys-location-data-instead-of-getting-warrants-memo-shows/

Cyberscoop: DIA uses purchased phone location data without warrants

https://www.cyberscoop.com/phone-location-data-privacy-dia-dhs/

  

--SEPA Ransomware Update: Stolen Files Leaked

(January 21 & 22, 2021)

Ransomware operators who launched an attack against Scotland's Environment Protection Agency (SEPA) have posted files stolen from the agency's systems. SEPA's network was hit with ransomware in late December 2020; SEPA refused to pay the demanded ransom. A month later, the agency's email and other systems remain down; SEPA's flood forecasting and warning systems are operating.


[Editor Comments]


[Neely] SEPA is taking a hard line on not paying ransomware operators, which supports their continued operation, and also on not paying organizations or individuals which are on international sanctions lists, which is illegal in the US and UK. To support that position, your organization needs not only good differential backups, but also practice in restoring systems from those backups, without dependencies on remaining systems which may be compromised.


Read more in:

SEPA: SEPA Cyber-Attack: Data theft, service delivery and recovery update

https://media.sepa.org.uk/media-releases/2021/sepa-cyber-attack-data-theft-service-delivery-and-recovery-update.aspx

The Register: Scottish enviro bods shrug off ransomware gang's extortion attempt as 4,000 files dumped online, saying it's nothing big

https://www.theregister.com/2021/01/22/sepa_ransomware_failure/

ZDNet: Hackers publish thousands of files after government agency refuses to pay ransom

https://www.zdnet.com/article/hackers-publish-thousands-of-files-after-government-agency-refuses-to-pay-ransom/

Threatpost: Ransomware Attackers Publish 4K Private Scottish Gov Agency Files

https://threatpost.com/attackers-publish-private-scottish-gov-files/163254/

  

--Vulnerabilities in OPC Network Protocol

(January 25, 2021)

Researchers at Claroty have found nine vulnerabilities in implementations of the Open Platform Communications (OPC) network protocol. The vulnerabilities affect products from three vendors: Softing Industrial Automation GmbH, Kepware PTC, and Matrikon Honeywell. All three have released fixes for the flaws, which could be exploited to allow remote code execution attacks, to leak data, and to create denial-of-service conditions.


Read more in:

Claroty: Claroty Finds Critical Flaws in OPC Protocol Implementations

https://www.claroty.com/2021/01/25/blog-research-critical-flaws-in-opc-protocol/

Dark Reading: Critical Vulns Discovered in Vendor Implementations of Key OT Protocol

https://www.darkreading.com/attacks-breaches/claroty-discloses-multiple-critical-vulns-in-vendor-implementations-of-key-ot-protocol/d/d-id/1339973

SC Magazine: Users of IoT products from three major vendors at risk of DDoS attacks, data leaks

https://www.scmagazine.com/home/security-news/iot/users-of-iot-products-from-three-major-vendors-at-risk-of-ddos-attacks-data-leaks/

   

--Tesla Sues Over Theft of Trade Secrets

(January 23 & 25, 2021)

Tesla is suing a former employee for allegedly stealing proprietary software code. Alex Khatilov allegedly stole the files and transferred them to his personal Dropbox account within days after he was hired on December 28, 2020. The incident was detected on January 6, 2021. The files were not related to Khatilov's position at Tesla. The complaint alleges breach of contract and theft of trade secrets.


[Editor Comments]


[Pescatore] The SolarWinds compromise points out that if someone can steal your digital intellectual property, odds are high that they could also modify it. Tesla needs to assure its customers that its source code management systems are better at integrity control than they apparently were at access control.


[Neely] The question is: could you detect employees within your organization taking similar actions? Raise the bar by limiting access to authorized cloud services and only allowing approved USB storage devices to be connected to systems. Actively monitor cloud and peripheral use to detect anomalous behavior. Training and policy need to be in place to support/reinforce these controls and include requirements for protection of Intellectual Property, particularly trade secrets.


Read more in:

ZDNet: Tesla sues ex-employee over alleged 'brazen' theft of confidential code, files

https://www.zdnet.com/article/tesla-sues-ex-employee-over-alleged-code-file-theft/

Mashable: Tesla sues a former employee for allegedly taking automation files

https://mashable.com/article/tesla-sues-former-employee-download-files/

Electrek: Tesla claims a software engineer stole critical automated software from its WARP Drive system

https://electrek.co/2021/01/23/tesla-claims-software-engineer-stolen-critical-automated-software-warp-drive-system/

  

--Australian Securities and Investments Commission Says Server Breached

(January 25, 2021)

The Australian Securities and Investments Commission (ASIC) has disclosed that one of its servers was breached. ASIC learned of the incident on January 15, 2021 and says that the breach is "related to Accellion software used by ASIC to transfer files and attachments." ASIC has disabled access to the compromised server. Earlier this month, the New Zealand Reserve Bank experienced a data breach related to Accellion software.


Read more in:

ASIC: Accellion cyber incident

https://asic.gov.au/about-asic/news-centre/news-items/accellion-cyber-incident/

The Register: Digital burglars break into the Australian Securities and Investments Commission

https://www.theregister.com/2021/01/25/asic_accellion_breach/

Reuters: Australia's securities regulator says server hit by cyber security breach

https://www.reuters.com/article/us-australia-cyber-asic/australias-securities-regulator-says-server-hit-by-cyber-security-breach-idUSKBN29U0S7

Bleeping Computer: Australian securities regulator discloses security breach

https://www.bleepingcomputer.com/news/security/australian-securities-regulator-discloses-security-breach/

                                                 

--Cisco Issues Fix for Cross-site Request Forgery Vulnerability in DNA Center

(January 25, 2021)

Cisco has released a fix to address a high-severity flaw affecting its Digital Network Architecture (DNA) Center. The vulnerability could be remotely exploited to launch cross-site request forgery attacks. The issue has been fixed in Cisco DNA Center releases 2.1.1.0, 2.1.2.0, 2.1.2.3, 2.1.2.4, and later.


Read more in:

Threatpost: Cisco DNA Center Bug Opens Enterprises to Remote Attack

https://threatpost.com/cisco-dna-center-bug-remote-attack/163302/

Cisco: Cisco DNA Center Cross-Site Request Forgery Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-csrf-dC83cMcV

  

--Crane Manufacturer Palfinger Hit with Cyberattack

(January 25, 2021)

Austria-based Palfinger Group, which manufactures hydraulic lifting, loading, and handling systems, says it "is currently the target of an ongoing global cyber attack." In an alert on its website, Palfinger notes that it "cannot be contacted via e-mail nor can it receive or process inquiries, orders, shipments, and invoices." Customers are advised that, presently, the company can be contacted only by telephone.


Read more in:

Bleeping Computer: Leading crane maker Palfinger hit in global cyberattack

https://www.bleepingcomputer.com/news/security/leading-crane-maker-palfinger-hit-in-global-cyberattack/

Palfinger: CYBER ATTACK AT PALFINGER GROUP

https://www.palfinger.ag/en/news/cyber-attack-at-palfinger-group_nag_832121

  

--Flash Deactivation Halts Chinese Railroad for a Day

(January 24 & 25, 2021)

A railroad system in northeastern China was disabled for a day earlier this month due to the deactivation of Adobe Flash. Adobe disabled Flash from running after January 12, 2021; China Railway Shenyang uses Flash to plan daily operations. The situation led to a complete shutdown of railway operations in Dalian, Liaoning province on the 12th. On January 13, the railway obtained a version of Flash that did not contain deactivation code and resumed operations. 


[Editor Comments]


[Neely] Verify any business systems still reliant on Flash and make sure there is an active plan to remove that dependency. While reverting to an older version of Flash may restore the functionality, that action also re-introduces the vulnerabilities in the older player as well.  


Read more in:

Ars Technica: Deactivation of Flash may have crippled Chinese railroad for a day [Updated]

https://arstechnica.com/tech-policy/2021/01/deactivation-of-flash-cripples-chinese-railroad-for-a-day/

Wired: Flash Is Dead--but Not Gone

https://www.wired.com/story/zombie-flash-security-problems/

  

--ADT Employee Pleads Guilty to Spying on Customers Through Security Cameras

(January 22 & 23, 2021)

A former employee of the home security company ADT has pleaded guilty to computer fraud and invasive visual recording for spying on people through their video surveillance systems. Telesforo Aviles added his personal email to the systems' ADT Pulse accounts, which allowed him to access security cameras. Approximately 200 accounts were affected over a five-year period. During that time, Aviles accessed customer systems nearly 10,000 times. ADT learned of the situation when a customer called to complain about the suspicious email address associated with their account.


[Editor Comments]


[Neely] ADT has implemented technical and procedural actions designed to prevent and detect recurrence. All providers need to implement similar controls. As a consumer, you also need to take action. If you have security cameras, to include your doorbell camera, which can be viewed remotely, assume they can be accessed by that provider and verify the accounts which have access to that content. Also review your agreement to verify what other access and use is granted, along with the retention periods. Also refrain from putting cameras in areas where you don't wish activities to be viewed by others.


Read more in:

CNET: ADT technician pleads guilty to spying on customer camera feeds for years

https://www.cnet.com/news/adt-technician-pleads-guilty-to-spying-on-customer-camera-feeds-for-years/

ZDNet: Rogue CCTV technician spied on hundreds of customers during intimate moments

https://www.zdnet.com/article/rogue-cctv-technician-spied-on-hundreds-of-customers-during-intimate-moments/

Ars Technica: Home alarm tech backdoored security cameras to spy on customers having sex

https://arstechnica.com/information-technology/2021/01/home-alarm-tech-backdoored-security-cameras-to-spy-on-customers-having-sex/

Threatpost: ADT Tech Hacks Home-Security Cameras to Spy on Women

https://threatpost.com/adt-hacks-home-security-cameras/163271/

Cyberscoop: Home security technician pleads guilty to spying on women, couples

https://www.cyberscoop.com/adt-technician-aviles-spying-women/

Justice: ADT Technician Pleads Guilty to Hacking Home Security Footage

https://www.justice.gov/usao-ndtx/pr/adt-technician-pleads-guilty-hacking-home-security-footage

 

*****************************************************************************

INTERNET STORM CENTER TECH CORNER

 

Another File Extension to Block: JNLP

https://isc.sans.edu/forums/diary/Another+File+Extension+to+Block+in+your+MTA+jnlp/27018/


SonicWall Vulnerability Used to Breach SonicWall

https://www.sonicwall.com/support/product-notification/urgent-security-notice-netextender-vpn-client-10-x-sma-100-series-vulnerability-updated-jan-23-2021/210122173415410/


IObit Forum Breached / Used for Ransomware Distribution

https://www.bleepingcomputer.com/forums/t/741190/derohe-ransomware-distributed-through-fake-iobit-one-year-free-license-key-promo/


ProtonVPN BSOD

https://protonstatus.com/incidents/124


Fun With nmap nse Scripts and DoH (DNS over HTTPS)

https://isc.sans.edu/forums/diary/Fun+with+NMAP+NSE+Scripts+and+DOH+DNS+over+HTTPS/27026/


Malicious NPM Module Stealing Discord Passwords

https://blog.sonatype.com/cursedgrabber-strikes-again-sonatype-spots-new-malware-campaign-against-software-supply-chains


Mitigating the $I30 Bug

https://www.osr.com/blog/2021/01/21/mitigating-the-i30bitmap-ntfs-bug/

https://github.com/OSRDrivers/i30Flt


*****************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.