
Page 1: ISSA-COS NEWSLETTER...In 2008, I moved into the Information Assurance field, as an Information Assurance Officer, and subsequently earned my CISSP, in March of 2010. My next employer,

The ISSA Colorado Springs Newsletter incorporates open source news articles as a training method to educate readers on security matters in compliance with USC Title 17, Section 107, Paragraph a.

The views expressed in articles obtained from public sources within this newsletter do not necessarily reflect those of ISSA, this Chapter or its leadership.

INSIDE THIS ISSUE:

WWW.ISSA-COS.ORG

ISSA-COS NEWSLETTER

NOVEMBER 2014, VOLUME 3, NUMBER 11

Sharyl Attkisson’s computer intrusions: ‘Worse than anything Nixon ever did’ (page 2)

A Note From Our President (page 3)

Candidate for Recorder (page 4)

Candidate for Member-At-Large (page 6)

Candidate for Member-At-Large (page 7)

Making Sense of Security (page 8)

Request for Chapter Presenters (page 9)

Hacking Back In Self-Defense: The Parameters of Active Defense?© (page 10)

The State of ICS Cyber Security (page 12)

ISSA International to Solve "Missing Generation" of Cybersecurity Professionals with Launch of Industry Wide Cybersecurity Career Lifecycle (page 13)

ISSA-COS October Conference (page 13)

ISSA-COS at the IT Expo (page 14)

Hackers Are Using Reddit to Connect 17,000 Macs to a Botnet (page 16)

In Memoriam

We are thankful for your service to the Cybersecurity community and your friendship to your ISSA colleagues … You will be missed!

Rich Edyvean

PAGE 2

By Erik Wemple, The Washington Post, October 27, 2014

The intrusions into former CBS News correspondent Sharyl Attkisson’s computers constitute the narrative spine of the reporter’s new book Stonewalled: My Fight for Truth Against the Forces of Obstruction, Intimidation, and Harassment in Obama’s Washington. The book starts with not really a word, but a sound: “Reeeeeeeeeee.”

That’s the noise that Attkisson’s Apple computer was making at 3:14 one morning. A Toshiba laptop computer issued by CBS News did the same thing a day earlier, around 4 a.m. All this goes down in October 2012, right in the midst of the Benghazi story. A person who’s identified as “Jeff” warns Attkisson: “I’ve been reading your reports online about Benghazi. It’s pretty incredible. Keep at it. But you’d better watch out.” “Jeff,” like several of the names in “Stonewalled,” is a pseudonym.

Now we know why Attkisson has been so stingy for so long with details of her computer intrusions: She wanted to have some material for her book. The story debuted in May 2013, when Attkisson appeared on a Philadelphia radio show and declared that there may be “some relationship” between her computer troubles and the sort of tracking that descended upon Fox News reporter James Rosen in a much-discussed leak case. On a subsequent appearance on Fox News’s “O’Reilly Factor,” Attkisson said she thought she knew who was responsible for the ruckus.

ISSA-COS NEWS

“Intrusions of this caliber, concludes ‘Patel,’ are ‘far beyond the abilities of even the best nongovernment hackers.’”

All of which was just enough to whet the appetite for the treatment in “Stonewalled.” On one level, the book is a reminder of all the ways people can mess with you. It’s not just her computers that showed signs of tampering, says Attkisson, who bolted CBS News earlier this year. “[B]y November 2012,” she writes, “there are so many disruptions on my home phone line, I often can’t use it. I call home from my mobile phone and it rings on my end, but not at the house.” More devices on the fritz at Attkisson Central: “My television is misbehaving. It spontaneously jitters, mutes, and freeze-frames,” she writes, noting that the computers, TVs and phone all use Verizon’s FiOS service. At one point, “Jeff” inspects the back of Attkisson’s house and finds a “stray cable” attached to her FiOS box. That cable, he explains, could be used to download data.

Next big moment: Attkisson gets her computer checked out by someone identified as “Number One,” who’s described as a “confidential source inside the government.” A climactic meeting takes place at a McDonald’s outlet at which Attkisson and “Number One” “look around” for possibly suspicious things. Finding nothing, they talk. “First just let me say again I’m shocked. Flabbergasted. All of us are. This is outrageous. Worse than anything Nixon ever did. I wouldn’t have believed something like this could happen in the United States of America.” That’s all coming from “Number One.”

The breaches on Attkisson’s computer, says this source, are coming from a “sophisticated entity that used commercial, nonattributable spyware that’s proprietary to a government agency: either the CIA, FBI, the Defense Intelligence Agency, or the National Security Agency (NSA).” Attkisson learns from “Number One” that one intrusion was launched from the WiFi at a Ritz Carlton Hotel and the “intruders discovered my Skype account handle, stole the password, activated the audio, and made heavy use of it, presumably as a listening tool.”

To round out the revelations of “Number One,” he informs Attkisson that he’d found three classified documents deep inside her operating system, such that she’d never know they were even there. “Why? To frame me?” Attkisson asks in the book.

Read the rest here:

http://www.washingtonpost.com/blogs/erik-wemple/wp/2014/10/27/sharyl-attkissons-computer-intrusions-worse-than-anything-nixon-ever-did/

Sharyl Attkisson’s computer intrusions: ‘Worse than anything Nixon ever did’


Colleagues,

The next two (2) months will help the chapter set a course for our future so I’m asking for your participation. In this newsletter, you will read articles from members running for board positions. I think it’s important that we are all informed as to what potential board members’ qualifications are and what they would like to see happen in the chapter in the coming year. In addition, at our Nov 12th meeting all chapter members running for office will be given the opportunity to speak for a couple minutes to introduce themselves to us. I would also like to offer up that there is still time to throw your name in the hat for a board position this year, so if you are interested in running for a board member position please let Cindy Thornburg ([email protected]) and myself know. To sign up for the Nov 12th meeting please go to https://www.eventbrite.com/e/nov-2014-lunch-meeting-issa-colorado-springs-chapter-tickets-13719181441. The event will be free and will be the only meeting held in November.

PAGE 3, VOLUME 3, NUMBER 11

After much thought and reflection on this past year, I have decided I will run for reelection as Chapter President. I believe our chapter has gone in the right direction this year and I’d like to be part of the team helping to continue moving us in that direction. I appreciate the faith you have shown in me to lead the chapter and I hope you have been happy with the direction the chapter has been going. Chapter President is a busy role but I’ve had some great support from many members so that has made it quite a bit easier. In the coming year, I would like to see us do more in the area of networking. We need more events where you have an opportunity to interact more with each other and other leaders in this career field. I’d also like to see us continue to grow our student membership. We’ve seen the chapter become more diverse and this is bringing in new energy and ideas which will serve as a boost for us going forward. I also would like to continue to solidify the relationships we are building in our community and at local universities. While I’m very pleased with how things have gone over the past 10 months I know we can serve you and the Cyber Security community at a higher level and I’m asking for your continued support.

On December 5th we will be having our Annual Recognition Luncheon. This year’s luncheon will be different than previous years. First, we are having it at the Antlers Hilton which will allow us to host a much larger crowd. The cost will be free to all members and in addition to recognizing those members who have gone above and beyond we will also be briefing the year in review and provide a roadmap briefing on things you can expect from the chapter in 2015. In addition, as is normal we will be having board elections at this event. It would be great if we could get at least 200 members (more than half of our chapter members) out to this event so please go to https://www.eventbrite.com/e/annual-awards-ceremony-for-colorado-springs-chapter-of-the-issa-tickets-13719289765 and register. The meal here will not be cheap so when you sign up please be sure to attend so we aren’t left paying for unused meals.

Last week our Executive Vice President, Tim Hoffman, informed me he will be moving back to Colorado Springs in the coming weeks. Many of you who have been in the chapter a few years know Tim as he has served our chapter in several positions for many years. It will be great to have Tim back in town and continuing to serve our chapter members so let’s make sure we give him a warm welcome when we see him. Tim is extremely skilled in the cyber arena and we are excited to have him back to help lead our chapter.

In closing, I have been TDY and had an extended leave in Fla so I have missed a couple key events recently. I was very thankful for our Chapter Vice President, Cindy Thornburg, stepping up to lead as she has all year. Cindy puts her skills and a ton of effort into her position as well as a lot of her time to serve our chapter so please thank her next time you see her. Thanks for all your support of your Colorado Springs ISSA chapter and I hope everyone has a very Happy Thanksgiving.

Cheers.

Pat

A Note From Our President

By Dr. Patrick Laverty

PAGE 4

ISSA-COS NEWS

Candidate for Recorder

Matt Everlove

I earned my Baccalaureate of Science degree, in Telecommunications Management, from DeVry University, Long Beach, in June of 2003. I’ve worked for a variety of different employers, after graduating college: AirTouch Cellular / Verizon Wireless, in the Financial Services sector. I also worked for a boutique consulting firm, named Titanium Consulting, that was sub-contracting to AT&T Wireless, as a Lead Switch Technician, remotely managing AT&T Wireless cell sites. Being the Lead Technician, I had a couple dozen direct reports.

I started in the Aerospace & Defense industry, in July of 2004, so I have a little over 10 years in the industry. My first employment was with Raytheon (through a temporary agency, and promoted to a full time employee) as a Sr. Clerk; essentially, an IT buyer and tier 1 Help Desk technician, working under the authority and purview of an IT Control Point. Within a year, I promoted into Technical Security, as both an IT Specialist and the Security Organization’s IT Control Point.

In 2008, I moved into the Information Assurance field, as an Information Assurance Officer, and subsequently earned my CISSP, in March of 2010. My next employer, as of June 2011, was Northrop Grumman Aerospace Systems, in El Segundo, CA. My position title was Information System Security Analyst.

In August 2014, I accepted a position with Harris Corporation, as an Information System Security Officer.

I’m currently a member of InfraGard and ISSA (Colorado Springs and soon the Denver chapter too). I’m currently looking into memberships with AFA, AFCEA, NCMS, and ISSWG.

I also currently have a CISSP and Network+ certification and am studying for CEH and CCNA.

Please let me know if there are any additional details you would like to include.

Thank you,

Matthew Everlove

You thought the elections were over, didn’t you?

Chapter elections will be held at our Holiday Luncheon (see next page) on December 11th.

Information on candidates is contained within this Newsletter.

PAGE 5, VOLUME 3

First, I’d like to welcome those new members on behalf of the Chapter! When you’re participating in Chapter activities, please take a moment to introduce yourself to members of the board, me, and other members. Don’t forget to identify yourself as a new member and feel free to ask for help or information.

Thanks for joining the Chapter and don’t forget to look for opportunities to lend your expertise to improve the Chapter. We’re always open to new ideas and suggestions.

We will continue to sponsor student memberships so if you are interested, please contact me to coordinate the details. Based on some efforts we’ve been working on with the Mentorship Committee, we have an opportunity to sponsor some new student members. We will be reaching out to them in early November to attend the November meeting so that will be a great opportunity to meet and influence potential new members. Please take the opportunity to talk to as many “new faces” at the meeting as possible. Each membership costs $55 per year including chapter dues. I’ll be happy to work with you if you have special requests such as male/female, veteran, etc. Contact me if you’re interested in becoming a sponsor. Also, if you know a specific student at any of the local universities you’d like to sponsor, I can work with you on that too.

We have good news about our 2014 membership drive so far. We’ve added a total of 90 new members this year. So, everyone, give yourself a pat on the back and continue to bring in new members. Keep recruiting as we extend our goals for the year. Also, don’t forget to remind your peers and friends to renew, too. We’ve still got some work to do to get to our goal of 400 members but we are getting closer. Let’s get there by the end of the year!

The October conference at UCCS went extremely well on 15 October. There were lots of good speakers and it was a great opportunity to network with each other as well as welcoming all of our new members into the Chapter. Some of our UCCS student members presented and there was a really good exchange with the UCCS student panel and the audience. On a sad note, one of our presenters and long-time members, Rich Edyvean, passed away in late October.

As a separate activity, we have been working to establish a student mentorship program. The first meeting occurred on 23 October at UCCS. The initial meeting’s focus was on jobs, internships, what we actually do as system security professionals, and how they can best prepare for the field. It was a great opportunity to explain how ISSA membership can help further their development and opportunities. Thanks to Mark Spencer, Amy Hamilton and Matt Everlove for joining me and spending an evening representing the Chapter. It was a long meeting but I got lots of positive feedback from the students. Melissa Absher is the chairperson of the Student Mentorship Committee. All new students interested in being part of the mentoring program should contact Melissa or Dave. The student mentoring program now has a solid base of mentors, but is looking for more. Thank you to all who have volunteered already. Please see Dave or Melissa if you are interested in being a mentor.

Thanks for all your efforts and support.

David Reed, Membership Committee Chairman

[email protected]

Welcome!

New Members:

September

Marilyne Cleeves

Stephen Anderson

Upcoming Chapter Meeting

Date: Nov. 12
Time: 10:45 to 1:00
Location: The Retired Enlisted Association, 834 Emory Circle, (719) 596-0927

No evening meeting in November

Date: Dec 5
Time: 10:45 to 1:00
Location: Holiday Luncheon, Antlers Hilton, 4 S. Cascade Avenue
Chapter Elections

ISSA-COS NEWS

Summary: I am originally from Ghana, West Africa. I have been in the United States for about 9 years now. I am married to my beautiful wife Kathy and we have one son Jr.

I have been working in the field of information technology for more than 10 years with experience in Network Security Technology, Security Management, Security Architect, Compliance and Risk Management.

Specialty: Some of my specialties are as follows:

Establishing Information Security Infrastructure from the ground up in any form of business environment

Align Information Security with the business requirement in a cost effective manner

Scoping and designing security policy to meet the requirement of obtaining and maintaining certification of HIPAA, ISO, PCI and SOX Compliance.

Education:

Master’s Degree in Information Technology Management and Security Assurance from Capella University in Minnesota

Bachelor’s Degree in Information Technology and Security from Baker College

Associate Degree in Computer Networking Technology from Baker College

Reasons for Serving as Member at Large: I have been a leader in many capacities in the past, serving as a board member in non-profit organizations. I am the former president of the student representative council at Kumasi Technical Institute (KTI) and the Institute of Technology and Communication Management, both in Ghana. I learned during my years of service in those various capacities that if you want to be a leader, you must first serve.

As a member of this wonderful chapter of ISSA, I know I have a potential to serve and contribute with my natural abilities and God-given-talent as a people person. I love to interact with members and adhere to their interest, passion, desire, vision, frustration, dislikes and complaints, and make it known to the board in a professional manner; respecting the privacy of members.

I will treat every member equally in my service if elected. I will serve and uphold the constitution of ISSA and the Chapter by-laws. Information that I receive from members as “Member at Large” will be delivered to the board in accordance with its classification: public, private and need-to-know depending on the specification from members.

I am very excited about the future of Colorado Springs Chapter of ISSA and I want to use this opportunity to thank you for your vote.

Respectfully,

James Asimah

Candidate for Member-At-Large: James Asimah

PAGE 6

PAGE 7, VOLUME 3, NUMBER 11

Candidate for Member-at-Large

Russell Weeks

I’d like the opportunity to serve as your Member at Large for the upcoming term of office. Here are my relevant qualifications:

22 year Air Force career with experience as a network security manager

Bachelor’s degree in Information System Management, University of Maryland

Working towards an MBA with Capella University

Security+ (CE)

CISSP since 2009

Member of the Colorado Springs Chapter ISSA since 2010

Member of the chapter training committee

Serves as committee representative for many recent chapter security events

Assists with management of the chapter web site and Eventbrite sites

Developed the chapter business cards

Employed by Northrop Grumman as a security project manager at Schriever AFB

I’d like to serve so I can bring your ideas to the board, make sure the board understands the needs of the chapter members and continue to grow the chapter. My agenda includes:

Seek additional training opportunities for chapter members including free or low-cost opportunities for government and commercial certificates

Find more industry partnerships to sponsor our events to provide a higher quality experience to members

Engage the members in feedback to learn their needs

Be available at most of the monthly meetings and listen to members’ thoughts

Attend the chapter board meetings and represent the members

Please consider my request to serve the chapter membership and help with our bright future.

Sincerely,

Russell Weeks

PAGE 8

ISSA-COS NEWS

Making Sense of Security An Upcoming Event

Join Saje Network Systems, Kaspersky Lab, and WatchGuard Technologies for an amazing “Making Sense of Security” event!

Research shows the primary security concern of IT departments is avoiding a disastrous security breach. Next is the concern that security policies and products are "slowing down the business."

Would you like to learn how usability, visibility and manageability will protect you from real-world attacks without sacrificing performance? Then please join us at MacKenzies Chop House on November 18th and learn from the experts!

Tuesday November 18, 2014

11:30am - 1:30pm

MacKenzies Chop House 128 S. Tejon St., Colorado Springs, CO 80903

Saje, Kaspersky, and WatchGuard are pleased to offer this free seminar to current and prospective customers. Space is limited, so please register for the event here:

http://secure.watchguard.com/11.18.2014SajeKasperskyWGLL-ColoradoSpringsCO_RegistrationLandingPage.html

At the recent SecureWorld event in Denver, I spoke with the gentleman at the ISSA table about an upcoming Kaspersky Lab and Watchguard event being held in Colorado Springs by Saje Network Systems. They felt this might be of broader interest to your group and suggested I write to this email with the information.

This will be a chance for companies to learn more about industry leading security at the endpoint and at the edge with presentations from both Kaspersky Lab and WatchGuard.

Our target audience for this event is customers with more than 50 employees as the messaging at this event will be aimed at the Small Business/Mid-Market space and up.

Steve Winfield

ISSA-COS NEWS

We are well over half way through the year and we will continue to talk to potential sponsors; however, due to tightened budgets, they have not been available. As such we are looking for members to present at both the lunch and dinner meeting. The presenter has about 40 minutes to give the presentation and answer questions. This could be one slide with a situation identified, after which the audience will discuss possible solutions, or a how-to presentation with a demonstration afterwards. Listed below are topics that have been suggested as areas of interest from our members. Please send an email to either Pat Laverty ([email protected]) and/or myself, Cindy Thornburg ([email protected]), with the topic to be presented, and we will connect with you for your av

Request for Chapter Presenters

Cyber Security Laws in Colorado

Interior Protection

Building in Resiliency

Ethics

Intrusion Detection/Prevention Systems – configuration and how to review

Making the Business Case for Security – how to

Hacking – how to

Application Security Scanning

CompTIA CE Cycles & Fee Structure

A Summary and Rating of available Certifications

A Survey of current IA Incidents We Should Know About (heartbleed) and What They Mean for the State of Our Industry

Latest Innovations in Network Management Systems

Real World Case Studies

Threat Overview – Real World

Legal Issues in Information Systems

Asymmetric Warfare – what is it

Spear Phishing – what is it and demonstration

Prevention of Cyber Bullying

Best Practices for Backing Up & Archiving Corporate Data

When to Maximize or Minimize Your Cyber Footprint/Persona

Threat Structuring

Security Modeling – how to

Data Flow Control

Trusted Software Development – how to

Risk Management Framework and what does it mean

Case Study of Breaches – how they happen and how to prevent

Security Architecture Development – ‘Building it In’

‘Mobile’ Security Management

Bring Your Own Device (BYOD)

Biometric Security and Privacy

Hacking Back

Thank you!

Cindy

PAGE 9, VOLUME 3, NUMBER 11

“Hacking Back In Self-Defense: The Parameters of Active Defense?”©

PAGE 10

ISSA-COS NEWS

By David Willson*, ISSA-COS, September 25, 2014

In the not so distant past, when asked about cyber security, most companies and firms believed that data breaches would not happen to them; they are too small or don’t have anything the hackers want. This attitude is quickly changing with the recent very high profile breaches like JP Morgan, Target, Home Depot, Neiman Marcus, Sally Beauty Supply, and many healthcare organizations.

The reality is the threat has been present for many years; the breaches are just becoming more public. A lot of small and medium size businesses have already been breached but those breaches didn’t make the news. In many cases businesses that have been breached still don’t know it.

So, if breached, what are your options? Typically, hire a company to help you clean up, do some damage control, contact law enforcement, and determine what happened. Unfortunately in many instances, depending on where you are and how serious the breach is, law enforcement may be too busy to assist or not have the technical expertise. Beyond this, there is not much you can do.

What if the breach is not a single incident but your company or firm is under persistent attack? You continue to suffer denial of service (DoS) attacks, or your intellectual property, client data, or proprietary data is constantly walking out of the door. Can you legally defend yourself? Depending on the facts and circumstances, yes.

Many people, though, will tell you no, it is illegal to defend yourself; they claim you will start a war with China, or you will impact an innocent bystander. The legality of self-defense is certainly something to discuss, but the other two arguments are just ridiculous. Starting a war with China is not even worth addressing. As for impacting an innocent bystander, the company that was hacked and is now being used to attack my company may be a victim like me, but is in no manner an innocent bystander. Consider the movie with Harrison Ford, “Firewall.” His family was kidnapped and he was forced to break into the bank he was responsible for securing. Certainly he was in a tough position and had a tough decision to make. But he was not an innocent bystander. Yes, a victim, but not innocent; he had a choice. The analogy is not perfect, but the company whose server is being used to attack others must accept some culpability. Their security may not be up to par or there could be a number of other factors that allowed them to be hacked and now used as a weapon.

Legally, the issues include the Computer Fraud and Abuse Act (CFAA), and similarly various state computer crime laws, and then there is the theory of self-defense.

To clarify, the CFAA makes it unlawful to gain unauthorized access to another’s computer. The term computer under the CFAA includes any computing device connected to the Internet. This therefore includes, servers, PCs, laptops, smartphones, etc. Many state computer crime laws follow the example of the CFAA and also include data privacy rules.

Self-defense is the defense of person and property. The key to claiming self-defense is that the attack must be imminent, in progress or continuing. For instance, if someone punches you in the face and runs away, self-defense does not apply if you chase that person down to retaliate. The same applies if someone breaches your network. If he/she attacked and is now gone, self-defense is not an option. If the attack, though, is imminent, ongoing or persistent, why shouldn’t you be able to defend your property?

If you are going to track down and go after your attacker you will most likely have to access the computer network of other users and companies. This is because only an extremely dumb hacker would hack from his computer directly into your business. Good hackers will typically compromise a number of networks, bouncing from network to network to hide their tracks, and then use the server of a compromised business to attack, or utilize a botnet. When attempting to follow the hacker’s tracks you will more than likely end up in the network of that not-so-innocent bystander. If you decide to block the attack, hack back, employ active defense, or just track down your intruder, you will likely impact the owner (the so-called innocent bystander) of the compromised server.

Here is the key: Business owners must take a proactive planned approach. This cannot be the IT

(Continued on page 11)


department hiding in the basement trying to stay under the radar or doing some recreational hacking at night or on the weekends. Information must be collected and decisions made by the company leadership at various points. I have spoken to and heard many stories of the employee who goes home and tries to track the hacker on his own, or the IT department who decides to take matters into their own hands, and finally, the company leadership who loves the idea but tries to create a buffer and act like they had no knowledge if all goes bad.

The leadership must make decisions based upon legal issues and whether the potential risk of the activity outweighs the loss or damage the company is suffering from the breaches. Business owners must understand that at some point they may be called to account and at that point they should be comfortable with the decisions they made in self-defense of their company and be able to justify each and every decision.

Here is how this would work. Once a breach is detected, a team of experts must be called in. The experts would include people to conduct malware analysis, online intelligence gathering, network analysis, and traceback analysis and techniques; a public affairs person to help with messaging and reputation if needed; programmers who can develop the necessary tools and techniques for whatever courses of action are chosen; and an attorney who can provide legal and risk management support throughout the operation. There may be others, but this is a start. Incident response, malware analysis, some intel collection and interviews would be conducted to begin gathering as much information as possible.

The goal is to be able to provide the leadership with the data necessary to make well-informed decisions. The leadership will have to decide at various points whether to move forward with a particular course of action, cease all operations, or gather more intel prior to moving ahead. As stated above, the decision must be made early on that the attacks are persistent and ongoing. If you are searching for stolen data, then self-defense is not an issue, since this would be akin to retribution; the primary focus here would be the steps to identify where the data is and how to retrieve it. This would be more of an intel exercise than a hacking-back or active-defense exercise. Both are viable options.

Let’s say your intel identifies the server that attacks are being launched from. If you can identify who owns the server and where it is, then contact the owner, explain that he has been compromised, and work with him to take action. If he ignores you or refuses to acknowledge any culpability, then it is game on. The leadership will have to decide whether the damage being suffered is great enough to proceed. If yes, then, utilizing an escalated approach, take the steps necessary to block the server from being used to attack you. If this results in a lawsuit, your counterclaim would be that the plaintiff was provided notice that he was being used to attack you and refused to take action, forcing you to take unilateral action, and that you are now countersuing him for all the damage you have suffered due to his lack of, or inadequate, security. Chances are, if you tell the server owner that his server is not just attacking you but 100 other companies and that you will proceed to inform them, he will be more likely to cooperate.

If, on the other hand, you cannot identify the server and its owner, the decision must be made, based on the intel available, whether or not to take action, what action to take, and whether the continuing damage outweighs the potential damage of taking action. At various points the leadership must be presented with the facts and asked to make a decision. Companies make risk decisions all the time and have to decide whether the benefit outweighs the risk.

As for the CFAA, much of the activity engaged in to collect the intel, trace back, and even block an attack or identify data may be automated. For example, let’s use a scenario you may or may not find realistic, just to prove my point: you have been persistently attacked and are constantly suffering DDoS attacks or constantly losing valuable data. You have attempted to clean up, but the bot in your network is persistent, regenerates, and is difficult to remove. You develop your own code, attach it to the “phone home” function of the bot, and when the bot reaches out to speak to its CnC server your code is dumped on the server and blocks the communication path. Now, have you violated the CFAA and gained unauthorized access to the server? The server of the so-called “innocent bystander” has gained unauthorized access to your network by placing and/or providing instructions to the bot. Also, how is your code any different from that of adware, cookies, spam, and a dozen other programs that run automatically on the Internet and load themselves onto your machine without your consent or knowledge? With the exception of spam, are these illegal? No.

CEOs have a fiduciary responsibility to protect the company. Doing nothing may be the best choice after a cyber-attack, but it should not be the only choice. The decision to employ active defense should not be considered criminal by anyone, including the Justice Department or the courts. That is like saying you cannot defend yourself if someone is beating on you, or else we, the police, will arrest you. This is a civil issue, if anything, and therefore must be well documented, and the leadership must be comfortable with their decisions and ready to defend them in court, before shareholders, clients, and the media if necessary.

* David is a licensed attorney in NY, CT and CO, and focuses on risk management, cyber security, reputation protection and the law. He is the owner of Titan Info Security Group, a risk management and cyber security law firm. He holds the CISSP and Security+ certifications and has two LLMs, in International Law and in Intellectual Property Law. He is a member of ISSA and InfraGard. He is also on the Board of Advisors with Cylance.

David is a retired Army JAG officer. During his 20 years in the Army, in addition to over eight years of litigation, he provided legal advice in computer network operations (CNA, CND, CNE), information security, international and operational law, and intelligence oversight to the DoD, NSA, the Army, various combatant commands, and other agencies, including DNI, DTRA, JTF-GNO/DISA, INSCOM/1st IO, DIA and STRATCOM, and was the legal advisor to the IOTC, NASS, then JFCC-NW (now CYBERCOM).


The State of ICS Cyber Security

By Jake Brodsky & Bob Radvanovsky, Infracritical, October 2, 2014

Out of the 11th century Anglo-Saxon town of Coventry, there emerged a legendary story about a noblewoman who rode naked through the town. She did so because her husband, Leofric, the Earl of Mercia, dared her, promising to reduce tolls and taxes from onerous to affordable if she kept her part of the deal. The amazing thing about this story is that, but for one man known as “Peeping Tom,” everyone shuttered their windows and did not look at her. (Yes, that is where the expression comes from.)

Fast forward to the present. We have these wonderful SCADA and control systems which we use to manage utilities with economic precision and efficiency, and hackers have largely ignored them despite the fact that they are effectively as naked as Lady Godiva was. We expose them so that people can work from other places, so that information can be spread around in near real time, and so that other systems, even systems belonging to other interest groups, can interface with them easily.

That is what makes this situation so ridiculous and unusual. Everyone acts as if there is nothing out of the ordinary while a noble lady is riding through town in the nude. However, this is not a reasonable or safe situation. Our SCADA and Industrial Control Systems need to be secured better than they are. Our societies cannot allow critical infrastructure to remain as defenseless and vulnerable as a naked noblewoman. The report on Project SHINE, with as much gentility as is possible in a socially awkward situation like this, was intended to bring awareness to this situation. It is time for Lady Godiva to go back inside and get dressed.

Note that in the legend Peeping Tom was a tailor. Clearly he was highly qualified to deal with this situation and offer many remedies. But few were interested in giving him the business. That is the state of Industrial Control Security today. Many are quite aware of the nudity of the infrastructure. However, like Peeping Tom’s behavior, that awareness doesn’t fix anything; and it gave people a very bad impression of tailors (and security specialists).

To fix it, we must address the causes: We are doing this to save money and build a thriving community. Our utilities are expensive and overwrought with many commitments to supply data to hordes of interests.

This introduced complexity. With that complexity there are vulnerabilities. Utilities are being dared to ride naked on the Internet so that operating costs can be reduced. It may work for a very short while, but then the risks get out of hand. Peeping Tom would like to do something about this problem, but people see his contribution as counter-productive. The Lady is riding naked for their benefit, after all.

That’s where Project SHINE is. Yes, we’re describing the nudity of the problem. We refuse to let this go without comment. It is a ridiculous, potentially dangerous situation. We have got to get this lady back indoors and get her dressed. The dare is over. It is time to get back to the real business of supporting the markets and building better communities.

Read the Project SHINE report here:

http://www.slideshare.net/BobRadvanovsky/project-shine-findings-report-dated-1oct2014

Article suggested by Glenn York.


Through the Department of Homeland Security’s Transition to Practice (TTP) program, cybersecurity technologies developed at Sandia National Laboratories — and at other federal labs — now stand a better chance of finding their way into the real world.

ISSA International to Solve "Missing Generation" of Cybersecurity Professionals with Launch of Industry Wide Cybersecurity Career Lifecycle (CSCL) Program

By ISSA, September 10, 2014

The Information Systems Security Association (ISSA) today launched an industry-wide program to solve the global cybersecurity workforce gap. The ISSA Cybersecurity Career Lifecycle (CSCL) is a comprehensive professional development framework that maps all five stages of the cybersecurity career lifecycle and empowers cybersecurity professionals - from students to Chief Information Security Officers (CISOs) - to identify where they are in their career, where they want to go, and how to accelerate their growth.

The ISSA will also establish an International Consortium for Cybersecurity Education (ICCE), bringing together for the first time key stakeholders from the public and private sectors around the world to find a common solution for this shared problem. The CSCL and the ICCE will be announced today at the annual ISSA 30th Anniversary International Conference (#ISSAConf) in Orlando, FL.

The "Missing Generation"

The information security profession, which evolved largely in reaction to threats, is now paying the price of an entire "missing generation." An estimated 300,000-1,000,000 cybersecurity jobs are vacant, and demand will likely rise as the private sector faces unprecedented numbers of data breaches and cybersecurity threats. The U.S. Bureau of Labor Statistics is predicting 22 percent growth in employment in cybersecurity by 2020.

One study shows the lack of qualified security talent is approaching a state of critical mass, where organizations are vulnerable to serious risk exposure. A recent Ponemon Institute study found that the lack of a strong security posture is directly related to the lack of sufficient security expertise. Economists even predict the gap affects the effective adoption of key technologies in the enterprise and the public sector - and will, in turn, inhibit enterprise growth and economic expansion.

Despite the spotlight on cybersecurity skills as a national priority, widely accepted career definitions are still evolving. This lack of consensus makes it difficult for organizations to attract new entrants; for professionals to evolve their careers; and costly for organizations that often reinvent the wheel on job descriptions or hire for the wrong role.

The Cybersecurity Career Lifecycle Framework

As the only independent global organization for cybersecurity professional development, the ISSA is in a unique position to bring the industry together to address these critical issues. The CSCL is driven by a steering committee of industry influencers who provide guidance to task forces and assist with outreach to industry partners. It was developed in collaboration with chief information security officers and cybersecurity experts from leading companies, agencies and universities from around the world. Seventy-five experts participated in the first development phase of the CSCL framework development.

The CSCL framework defines and maps the five stages of a cybersecurity professional's career:

Pre-professional (students, young adults, etc.)

Entry level

Mid-career

Senior level

Executive level

For each stage, the framework provides a common definition of the required Knowledge, Skills, and Aptitudes (KSAs) and responsibilities; how to be successful in each level; and how to get from one career stage to the next. Each level can have multiple tracks and path options.

The second phase of the CSCL will focus on an Assessment Tool. This tool will offer a skills and career level analysis, and it will recommend career plans tailored to each individual professional. The CSCL Assessment Tool initially will be made available to ISSA members.

The ISSA will also offer guidance and resources for professionals to achieve their career goals and will work with other service delivery providers to offer security education programs that support the stages of the CSCL framework.

Read the rest here:

http://globenewswire.com/news-release/2014/10/23/675975/10104201/en/ISSA-International-to-Solve-Missing-Generation-of-Cybersecurity-Professionals-with-Launch-of-Industry-Wide-Cybersecurity-Career-Lifecycle-CSCL-Program.html


ISSA photos are courtesy of our Chapter photographer Warren Pearce.


The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members.

The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity, and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved. Members include practitioners at all levels of the security field in a broad range of industries such as communications, education, healthcare, manufacturing, financial, and government.

Information Systems Security Association Developing and Connecting Cybersecurity Leaders Globally

Colorado Springs Chapter

WWW.ISSA-COS.ORG

Published at no cost to ISSA Colorado Springs by Sumerduck Publishing TM, Woodland Park, Colorado

Chapter Officers:

Dr. Pat Laverty—Chapter President

Dr. George J. Proeller—President Emeritus

Mark Spencer—President Emeritus

Tim Hoffman—Executive Vice President

Cindy Thornburg—Vice President

Jim Stevens—VP of Training

Melody Wilson—Treasurer

Jim Stephens—Training

Lora Woodworth—Recorder

Jeff Pettorino—Communications Officer

Derek Issacs—Member at Large

Brian Kirouac—Member at Large

Position Chairs:

David Willson—Sponsorship

Don Creamer—Newsletter

Are you a budding journalist? Do you have something that the Colorado Springs ISSA community should know about? Can you interview one of the “movers and shakers”? Tell us about it!

We are always looking for articles that may be of interest to the broader Colorado Springs security community.

Send your article ideas to Don Creamer at:

[email protected]

Ensure that “Newsletter” is in the subject line.

Looking forward to seeing you in print!

Article for the Newsletter? If you would like to submit an article...

Hackers Are Using Reddit to Connect 17,000 Macs to a Botnet

By Kate Knibbs, Gizmodo, October 3, 2014

Bad news for Mac users: You're at risk for an insidious malware that will connect your computer to a botnet.

Hackers have developed a backdoor entry called "Mac.BackDoor.iWorm" that gains access to Macs and uses Reddit to connect the hacked computer with a command server. Once the computer is infected, the iWorm uses Reddit's search function to hunt down posts made by the hackers. These posts (on a Minecraft subreddit) provide server addresses, and the software uses the Reddit posts as a guide to connect to the botnet.

Read the rest here:

http://gizmodo.com/hackers-are-using-reddit-to-connect-17-000-macs-to-a-bo-1642062140