
The CyberWire Daily Briefing 08.26.15
ISIS adds photographic evidence of its destruction of Palmyra ruins to its online information campaign.
Cisco describes the exploitation of AutoIT, the widely used freeware system management tool, to spread remote-access Trojans (RATs) and other malware through enterprises.
Sphinx, a new, sinkhole-resistant form of the Zeus Trojan, is now for sale on the black market. It goes for $500 a binary; its purveyors accept either Bitcoin or DASH in payment.
Both Canadian and Australian authorities see a surge in Ashley Madison-related extortion.
Dell SecureWorks offers a close look at Stegoloader, a poorly understood and relatively stealthy malware family.
Amazon decides to disable Flash in hosted ads.
In industry news, a recently completed study concludes the cyber security market will reach $170 billion by 2020.
Hitachi announces its purchase of managed security services provider Above Security.
KEYW selects a new CEO, outsider William Weber, to succeed the late Leonard Moodispaw.
In the US Government, the Defense Information Systems Agency (DISA) publishes cloud best practices for military networks. The National Institute of Standards and Technology (NIST) issues draft cyber security guidance for electrical utilities, with particular focus on access and authentication. Vice News describes a growing interest in open source intelligence (OSINT) on the part of the US Intelligence Community. The US Army sees a more expansive cyber role for itself.
Corporations (and their lawyers) mull implications of the US Third Circuit's recent decision in Wyndham v. FTC that the Federal Trade Commission has, in effect, authority to regulate cyber security.
Notes.
Today's issue includes events affecting Australia, Bahrain, Brazil, China, Japan, Kuwait, Malaysia, Oman, Qatar, Saudi Arabia, United Arab Emirates, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
ISIL shows images of ancient Syrian temple destruction (The National) ISIL militants published photos yesterday that purport to show the destruction of a Roman-era temple in the ancient Syrian city of Palmyra, an act the United Nations has called a war crime
SysAdmin admin tool AutoIt used in targeted attacks to serve malware (Security Affairs) Security experts at Cisco have uncovered a targeted attack leveraging AutoIt to serve a RAT and other malware by evading detection
Malware Meets SysAdmin — Automation Tools Gone Bad (Cisco Blogs) Talos recently spotted a targeted phishing attack with several unique characteristics that are not normally seen. While we monitor phishing campaigns used to distribute threats such as Dridex, Upatre, and Cryptowall, targeted phishing attacks are more convincing because the format of the message is personalized to the targeted user. This targeted attack was more difficult to detect because adversaries chose to leverage AutoIT, a well known freeware administration tool for automating system management in corporate environments
Sphinx, a new variant of Zeus available for sale in the underground (Security Affairs) A new variant of the popular Zeus banking trojan, dubbed Sphinx, has appeared for sale on the black market; it operates entirely through the Tor network
Cyber blackmailers hunt out hacked Aussie Ashley Madison cheaters (9news) Things appear to be going from bad to worse for users of the Ashley Madison dating website, with revelations that opportunists are now moving in to blackmail Australians whose personal details were made public by hackers
How To Protect Yourself From The Ashley Madison Hack 'Ripple Effect' (Fox Business) According to Canadian Police, there's a new type of cheater emerging from the Ashley Madison hack, which they called "the largest data breach in the world," and they're preying on people looking to find out who's on the list
CryptoGirl on StageFright: A Detailed Explanation (Fortinet) Detecting the PoCs published by Zimperium is not difficult: you can fingerprint the PoCs, for example. Detecting variants of the PoCs, i.e., MP4s that use one of the discovered vulnerabilities, is far more difficult. I'll explain why in a moment
How can a cross-certificate make Android devices crash? (TechTarget) Cross-signed certificates are causing Android devices to crash, and it's not the first time there's been a problem. Learn more about this issue and its potential security risks
Stegoloader: A Wolf in Sheep's Clothing (Dell SecureWorks) Dell SecureWorks Counter Threat Unit™ (CTU) researchers analyzed a stealthy malware family named Stegoloader that has been active since at least 2013 and yet is relatively unknown. It has been distributed through software piracy websites, bundled with software license key generators
How security flaws work: the buffer overflow (Ars Technica) Starting with the 1988 Morris Worm, this flaw has bitten everyone from Linux to Windows
Channel warned to watch out for fake invoice scam (MicroScope) Running a small business can be hard enough just keeping the wages paid and the tills ringing but it is often made harder because of the actions of criminals
'Prince Al Waleed millions' email scam hits UAE (Emirates 24/7) People get emails telling them they will receive millions
Cyphort Labs Issues Special Report on the Rise in Malvertising Cyber Attacks (Dark Reading) Cyphort researchers find malvertising campaigns increased 325 percent through early 2015
Researcher catches AT&T injecting ads on free airport Wi-Fi hotspot (Ars Technica) AT&T hotspot "tampering with HTTP traffic" to serve ads, researcher says
Security Patches, Mitigations, and Software Updates
Amazon to Disable Flash Player in Hosted Ads (IBM Security Intelligence) Amazon may be the latest high-profile firm to distance itself from Adobe's Flash Player, but ongoing security concerns may have CISOs and their teams at all sorts of organizations wondering about the best way to protect themselves
Cyber Trends
Survey Finds that Cybersecurity Incidents Rise as Supply Chain Risks Broaden (Supply & Demand Chain Executive) There's no question that cyberattacks continue to escalate in frequency and scope. And manufacturing companies are at greater risk than ever as they share increasingly more processes and information with a widening constellation of supply chain partners
Worries grow over security of cloud data transfers (Automotive IT International) Surveys show that many IT managers are unhappy about breakdowns in data transfers to and from the cloud
Average financial services company uses 1,004 cloud applications (Help Net Security) Skyhigh Networks analyzed cloud adoption in the financial services industry
The changing focus around critical infrastructure protection (Help Net Security) I spend a fair amount of time attending various security conferences, as I'm sure many of you do
Analyzing fraudulent and high-risk behaviour events (Help Net Security) NuData Security announced new threat intelligence that provides insight into the latest trends in online fraud
Marketplace
Cybersecurity Market Expected to Lock Down $170B (PYMNTS) The latest research from MarketResearch.com forecasts the global cybersecurity market to jump from $106.32 billion in 2015 to $170.21 billion by 2020
C-suite take note: there's more to IT security than keeping you safe (Information Age) IT security isn't just about protecting companies from cyber threats — it can actually help close deals and improve other areas of the business
The CISO as a Sales Person: Part 1 — Selling to the Security Architects (Tripwire: the State of Security) After years of working in sales for small- and mid-sized software vendors, I have gotten used to the idea that everyone in the company is a salesperson
Getting to Yes, Cooperatively (Dark Reading) As security advocates, determining what "beneficial" means to a particular audience should be our first step in developing recommendations
Ouch! Feeling The Pain Of Cybersecurity In Healthcare (Dark Reading) There are lots of reasons why medical data is so vulnerable but the sheer numbers at risk speak volumes about the scale of the problem
Hitachi Systems acquires Canadian managed security service provider (Computer Dealer News) Software vendor Hitachi Systems, Ltd., has announced the acquisition of a Canadian security service provider
Cyber-security firm sold to Hitachi (Winnipeg Free Press) Above Security Inc., the company that acquired Winnipeg cyber-security firm Seccuris in February, has been sold to the Japanese electronics powerhouse Hitachi Systems Ltd
Optiv Security Predecessors Named Amongst Fastest Growing Private Companies in North America by Inc. Magazine (BusinessWire) Optiv Security, the nation's largest holistic pure-play cyber security solutions provider, today announced that Inc. magazine has named Optiv's predecessor businesses — Accuvant and FishNet Security — amongst the fastest growing U.S. private companies for a three-year period ending Dec. 31, 2014
Datapipe Joins TechAnax Team to Win Multi-Million Contract with U.S. Department of Veterans Affairs (BusinessWire) Companies plan and execute strategic migration, ongoing data center hosting and associated support services for new large-scale government contract
Leidos Lands $450M Transportation Security IDIQ (GovConWire) Leidos (NYSE: LDOS) has received a five-year, $450 million contract from the Transportation Security Administration to deploy transportation security systems in a number of facilities
Oracle, still clueless about security (ComputerWorld) Oracle's CSO has some wrongheaded notions about her area of expertise. What is the company doing about that?
Do bug bounties work? (Graham Cluley) The recent demonstrations of hacks on everything that moves suggests that there is a vast market opportunity for those who can uncover exploitable security holes
Sans Institute identifies top UK cyber talent (ComputerWeekly) The cream of UK cyber security talent selected from 24,000 candidates are set to begin eight weeks of intensive training in the first-ever intake at the Sans UK Cyber Academy
KEYW picks outsider as new CEO (Baltimore Business Journal) Cybersecurity and intelligence company KEYW Holding Corp. named a new chief executive Tuesday afternoon, months after founder and CEO Leonard E. Moodispaw died following a sudden retirement brought on by his health
AEP security chief adds cybersecurity to duties (Columbus Dispatch) Move acknowledges increasingly sophisticated attempts to disrupt power system
Coalfire Appoints Steve Deitsch as Chief Financial Officer (BusinessWire) Brings CFO experience at late-stage growth companies
BrightPoint Adds New SVP of Products to Growing Executive Team (TopTechNews) BrightPoint Security™, a leading Threat Intelligence Platform provider for automation, curation and sharing of threat intelligence to fight cyber threats, today announced it has named former CipherCloud and Symantec executive Ajay Nigam as senior vice president of products
Products, Services, and Solutions
Symantec plans IoT security platform (ITWire) Symantec has announced its plans to make it easier for Internet of Things vendors to keep their products secure
Trend Micro Rolls Out Updated Mobile Security Software (Texas TechPulse) Dallas-based cybersecurity developer Trend Micro has updated its mobile security product aimed at both Android and iOS devices, the company said this morning
LockPath Delivers Unprecedented Flexibility, Ease-of-Use in Keylight 4.2 (MarketWatch) The regulatory compliance and information security landscape is rapidly evolving. Therefore, the software solutions organizations use to ensure compliance and security must constantly expand their capacity to manage data
StratoKey Expands Presence to the United States (StratoKey) StratoKey offers best-in-class encryption, user behavioral analysis and countermeasures all in one central solution
Menlo Security Partners With Macnica Networks to Bring Malware Isolation to the Japanese Market (Virtual Strategy Magazine) Menlo Security, the only cybersecurity company that eliminates malware from Web and email without the need for endpoint software, today announced a distribution agreement with Macnica Networks, to provide sales and support for Menlo Security's Isolation Platform, both as a cloud-based (SaaS) offering and for deployment by Japanese enterprises and service providers within their datacenters
Cylance, Blue Coat Systems Bring Next-Generation Anti-Malware Technology to Network Security (CSO) Cylance, Inc., the first cyber security company to successfully use artificial intelligence to predictively identify and stop malware and advanced threats, and Blue Coat Systems, Inc., a market leader in enterprise security architecture, today announced a partnership to bring next-generation anti-malware technology to network security
Tenable Network Security Named Launch Partner for New Amazon Web Services Partner Network Security Competency (BusinessWire) Industry leader in continuous network monitoring lends expertise in configuration and vulnerability analysis to defining all-new security competency for AWS Partner Network
There's a simple reason why companies can't keep your data safe from hackers (Business Insider) Things keep getting worse on the cyber front
Passwords are the keys to the IP kingdom (ITWire) In computer parlance, 'privilege' is the nirvana — it allows a hacker to control anything from a single computer to a global network
Equifax clearly doesn't want you to use a password manager (Graham Cluley) Like British Gas before them, Equifax clearly doesn't want you to use a password manager to store your passwords
Twitter blocks 31 accounts tracking politicians' deleted tweets (Neowin) Twitter has blocked a series of accounts that tracked and shared politicians' tweets which had been deleted. Twitter claims that the accounts broke its rules for apps connecting to the service
Technologies, Techniques, and Standards
The US Military Gets A Guidebook to the Cloud (Defense One) DISA rolls out a collection of best practices for a Pentagon herding its myriad information services toward their cloud-based future
Six Steps to Securing DoD's Networks for the 21st Century (Lexington Institute) The Department of Defense (DoD) is at an inflection point with respect to its information networks and their security
US agency tells electric utilities to shore up authentication (CIO) NIST's new publication focuses on authentication and access control
Draft Guide Can Help Energy Companies Reduce Cyber Risk (NIST) The National Cybersecurity Center of Excellence (NCCoE) is requesting comments on a draft guide to help energy companies better control who has access to their networked resources, including buildings, equipment, information technology and industrial control systems. The center, part of the U.S. Commerce Department's National Institute of Standards and Technology (NIST), works with IT developers and providers to help businesses reduce their cyber risk
The 1% Who Can Take Down Your Organization (CloudLock) Cybercriminals continue to focus their efforts on what is widely considered to be the weakest link in the security chain: the user
Five signs an employee plans to leave with your company’s data (CSO) A global high-tech manufacturer had reached its boiling point after several of its sales reps left the company unexpectedly and took with them sales leads and other data to their new employers
IBM says enterprises should block Tor if they don't want to be taken hostage (Inquirer) Tor and the dark net could make your eyes water
Here's How And Why You Should Say Goodbye To Flash Immediately (TechNewsToday) Flash has been plaguing your device with malware and is susceptible to security intrusion, therefore it's best you say goodbye
How does public key pinning improve website security? (TechTarget) Certificate authority confidence is waning, but the emergence of public key pinning can help keep websites secure
Life's a breach: How to handle the press after a hacking attack (ComputerWeekly) Emily Dent, specialist in crisis PR, offers some advice to organisations that unexpectedly find themselves in the headlines
We're Looking at Information Sharing The Wrong Way (SecurityWeek) Recently, it seems like I've been hearing phrases like: "we need to get better at information sharing", "we need to share more information", or "information sharing is critical to success in information security" everywhere I go
Design and Innovation
Bitcoin and Criminal Smart Contracts (Brave New Coin) In the early '90s, Nick Szabo coined the term "smart contract." The computer scientist and legal scholar explained the basic idea of a contract using a vending machine as an example, "anybody with coins can participate in an exchange with the vendor. The lockbox and other security mechanisms protect the stored coins and contents from attackers, sufficiently to allow profitable deployment of vending machines in a wide variety of areas"
Research and Development
CloudPassage Granted Three Patents for Agile Security (Sys-Con Media) Patents extend existing agent-based security model to include private clouds, bare metal servers and non-server devices
IARPA Seeks Rare Event Forecasting Methods (ExecutiveBiz) The U.S. Intelligence Advanced Research Projects Activity has issued a request for information on existing methods for modeling and forecasting of low-frequency events
Irony: NSA worried hackers with super computers might break current encryption standards (BGR) The National Security Agency (NSA) has a bunch of sophisticated tools at its disposal to conduct massive data collection operations all in the name of doing good — and that's definitely something you'd want from your intelligence agencies
$750,000 For Mobile Security Research Awarded By DHS S&T To UNC Charlotte (Homeland Security Today) The Department of Homeland Security (DHS) Science and Technology Directorate's (S&T) Cyber Security Division awarded a $759,727 cybersecurity contract for Mobile Technology Security (MTS) research and development (R&D) to help secure mobile devices for the federal government to the University of North Carolina at Charlotte (UNC Charlotte)
NCSU, Microsoft researchers tackle security issues for software developers (WRAL) For software programmers, security tools are analytic software that can scan or run their code to expose vulnerabilities long before the software goes to market. But these tools can have shortcomings, and programmers don't always use them. New research from National Science Foundation-funded computer science researcher Emerson Murphy-Hill and his colleagues tackles three different aspects of the issue
Legislation, Policy, and Regulation
Spy Agencies Are Like Old-School Porn — But That's Changing (Vice News) In the fight against the Islamic State (IS), some pretty surprising tools have come to the fore. Teamed up with US forces, Kurdish militias in Syria have been turning to Google-based maps and Android devices to direct US air support. With publicly available tools like these, Kurdish fighters can record the exact GPS coordinates of the enemy and forward a map to their US partners, hundreds of miles away, who can then rain terror — and bombs — on the enemy, and can do so with some measurable degree of accuracy
GCC Governments urged to secure national infrastructure in Face of 'High Risk' of cyberattacks (Albawaba) GCC governments are urged to secure critical national infrastructure in the face of high risk of more sophisticated cyberattacks in the emerging Internet of Things era, industry experts announced today
Cybersecurity: The glitch in the U.S.-China relationship (CNN) Chinese President Xi Jinping is going to Washington next month — and it's not shaping up to be a pleasant visit
Congress: Resist the Temptation to Legislate on the CTIIC (Lawfare) When a conference committee convenes to reconcile differences in the House and Senate versions of the 2016 Intelligence Authorization Act, Members should resist the temptation to legislate on the proposed Cyber Threat Intelligence Integration Center (CTIIC)
Army cyber general proposes new mission to fight global hacks (Augusta Chronicle) Two months after China perpetrated one of the largest breaches of federal data in American history, the commanding general of the U.S. Army Cyber Command on Tuesday proposed a new military in which all operations "converge" to strengthen the nation's digital defenses
Army Takes Biggest Hit In OPM Hack (Defense One) The service will cover 40 percent of the Pentagon's plan to spend $132 million on credit monitoring
FirstNet plans to release cybersecurity information this fall, Kennedy says (IWCE's Urgent Communications) FirstNet officials will provide information about the organization's cybersecurity strategy this fall, beginning with its Industry Day next week, FirstNet President TJ Kennedy said this week during a panel session at the APCO 2015 show
Cyber a Growing Topic in Vehicle Security (Defense News) When security flaws allowed a Jeep Cherokee to be hacked and remotely controlled earlier this month, the US Army took notice, according to a lead acquisitions official
Russia Reverses Ban on Russian Wikipedia After Only a Few Hours (Time) The entry on hashish contained banned information
Litigation, Investigation, and Law Enforcement
FTC can punish organisations with poor cybersecurity (We Live Security) The Federal Trade Commission (FTC) has the power to punish organizations that fail to invest in and deliver robust online security measures, according to a ruling by the US Court of Appeals for the Third Circuit
Should FTC regulate commercial cybersecurity? (Federal Times) An appellate court ruling Monday affirmed the Federal Trade Commission's role in policing the cybersecurity of commercial companies, a role some have argued is an overreach of the regulator's authority
Wyndham vs. FTC: Corporate security pros need to lawyer up about data breach protection, experts say (Network World via CSO) U.S. court ruling says FTC does have the authority to punish businesses over stolen customer data
The legal ramifications of a cyber attack (CIO) Guy Betar examines some of the causes for concern with the growing number and size of data breaches
Banks' Lawyers Balk at Target's Data-Breach Deal (National Law Journal) Plaintiffs lawyers representing some banks and financial institutions caught up in Target's 2013 data breach say the $67 million deal struck last week between the retailer and Visa Inc. leaves their clients shortchanged
Inquiry Weighs Whether ISIS Analysis Was Distorted (New York Times) The Pentagon's inspector general is investigating allegations that military officials have skewed intelligence assessments about the United States-led campaign in Iraq against the Islamic State to provide a more optimistic account of progress, according to several officials familiar with the inquiry
French Train Attacker Watched Jihadi Video While Onboard, Prosecutors Say (Time) French authorities formally opened a terrorism investigation on Tuesday after a thwarted attack on a high-speed train last week, saying the suspected attacker had watched a radical Islamic video onboard minutes before the violence
Former Navy SEAL describes the most egregious part of the Hillary Clinton email scandal (Business Insider) The truly egregious aspect of this whole story is that Clinton's private email server was never meant to, cleared to, or thought to be handling classified information
Florida still investigating cyber attack on school testing (MySunCoast) It's been nearly six months since Florida's school testing system was the target of a cyber attack, but there's been no public explanation of who was behind it or why it happened
Businessman who hacked 900 phones as "revenge" is jailed (Naked Security) Imagine that you're a network security company, and you're in the middle of a demonstration to a prestigious customer in the insurance industry — a customer who is worth £80,000 a year in business
Twitter yanks murder video posted by apparent killer of VA journalists (Ars Technica) Account named "Bryce Williams" had been created one week prior to shooting
VoIP Scam Lands Three Men in Jail (Tripwire: the State of Security) An electronic scam involving the use of purchased Voice over Internet Protocol (VoIP) airtime has resulted in three British men receiving jailtime
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Decepticon 2015 (Cambridge, England, UK, Aug 24 - 26, 2015) Decepticon brings together researchers and practitioners in the detection and prevention of deception. Previously, deception research has been fragmented across conferences in many different disciplines, sub-disciplines and countries. To cover the great diversity of approaches to deception research, our scientific committee has members covering several domains
AFCEA OKC Technology & Cyber Security Day (Oklahoma City, Oklahoma, USA, Aug 27, 2015) FBC and the Armed Forces Communications & Electronics Association (AFCEA) Oklahoma City Chapter will be partnering once again to host the annual Technology Day & "Scholarship" Golf Tournament at Tinker AFB. This is the only Technology Day held at Tinker AFB each year. The annual Technology Day allows exhibitors the opportunity to have access to information technology, communications, cyber, engineering, and contracting personnel at Tinker AFB. Over 300 attendees participated in the 2014 Technology Day and we expect the same level of attendance in 2015
Power Grid Cyber Security Exchange 2015 (San Diego, California, USA, Aug 30 - Sep 1, 2015) The Power Grid Cyber Security Exchange will take a deep dive into the cyber security strategies, innovative approaches and strategic planning necessary to balance the competing priorities of today's technology and information security executives. This program is tailored to utility executives and industry stakeholders that are responsible for addressing threat intelligence, analysis and monitoring; network architecture; and cyber incident response
2015 HTCIA International Conference & Training Expo (Orlando, Florida, USA, Aug 30 - Sep 2, 2015) Bringing together experts from all over the world to share their latest research and techniques related to cybersecurity, incident response and computer forensics
ICFP 2015 (Vancouver, British Columbia, Canada, Aug 31 - Sep 2, 2015) ICFP 2015 provides a forum for researchers and developers to hear about the latest work on the design, implementations, principles, and uses of functional programming. The conference covers the entire spectrum of work, from practice to theory, including its peripheries
Mid-Atlantic Security Conference (Gaithersburg, Maryland, USA, Sep 1, 2015) The conference is brought to you by Information Systems Security Association's Baltimore, NOVA, and National Capital Chapters. Join us for a full day of training on cybersecurity topics by industry leaders, hands-on workshops, and a Capture the Flag event and receive a certificate for 7 CPEs toward your professional certifications
SCADA Nexus 2015 (Houston, Texas, USA, Sep 2 - 4, 2015) SCADA Nexus is an international annual event for ICS and SCADA security professionals and executives to focus on world-wide security concerns. The event is located in Houston, Texas each year at the Hilton Americas Convention Center. Our 2015 event is from September 2-4 with extended training from September 7-11.
SIN 2015 (Sochi, Russia, Sep 8 - 10, 2015) The 8th International Conference on Security of Information and Networks (SIN 2015) provides an international forum for presentation of research and applications of security in information and networks. SIN 2015 features contributed as well as invited papers, special sessions, workshops, and tutorials on theory and practice. It seeks to convene a high-quality, well-attended, and up-to-date conference on scientific and technical issues of security in information, networks, and systems
NSPW (New Security Paradigms Workshop) (Twente, Netherlands, Sep 8 - 11, 2015) Although NSPW is more of a workshop than a conference, it has earned its right to be included in this list. Since 1992, NSPW has been offering a unique forum for cyber security specialists involved in researching high-risk, high-opportunity paradigms to present their ideas. The discussions always challenge the current limitations of information security tools and technology, while disputing long-held beliefs or the very foundations of security. You're bound to get fresh, new ideas from attending this workshop
Global Cyberspace Cooperation Summit VI (New York, New York, USA, Sep 9 - 10, 2015) An invitation-only event, this meeting of international actors aims to coordinate and consolidate progress, showcase results and promote collective action. The annual cyber summits provide a crucial forum for building international, private-public action to foster international cooperation in cyberspace. Breakthrough groups, aligned with the initiative's objectives of economic and political development, digital security and stability, and sound governance and management, carry the program forward
Intelligence and National Security Summit (Washington, DC, USA, Sep 9 - 10, 2015) AFCEA International (AFCEA) and the Intelligence and National Security Alliance (INSA) are pleased to host the second Intelligence and National Security Summit to provide the platform for this essential discussion. This two-day, unclassified Summit will feature five plenary sessions with top federal agency leaders and policymakers sharing their assessments and priorities for U.S. national, defense and homeland security intelligence. In addition, thought leaders from government, industry and academia will explore emerging issues and solutions related to intelligence policy, cyber threats, and technology and innovation over nine breakout sessions
Cybersecurity Innovation Forum (Washington, DC, USA, Sep 9 - 11, 2015) The 2015 Cybersecurity Innovation Forum is a three-day event hosted by the National Institute of Standards and Technology, and planned with the National Security Agency, and the Department of Homeland Security. This event brings government and industry together to focus on current, emerging, and future challenges, technologies, projects, solutions, and research in trusted computing, security automation, and information sharing
2nd Annual Senior Executive Cyber Security Conference (Baltimore, Maryland, USA, Sep 10, 2015) The one-day symposium will examine the potential advantages and pitfalls of an information-sharing strategy from the technological, business and regulatory perspectives
Cyber 6.0 (Laurel, Maryland, USA, Jun 17, 2015) The mission of the Cyber Conference is to provide a forum for small and mid-sized businesses in Howard County and the region to access industry and government leaders with current information on cybersecurity that will improve their market position, enhance their corporate security policies and infrastructure, identify potential business opportunities, and provide a take away of information and contacts for follow-up that assists businesses in understanding the role they play in national cybersecurity and how they can address those challenges. All businesses have a role to play in protecting the national security of our infrastructure. While locally sponsored and organized, the conference has national reach
BSides Augusta 2015 (Augusta, Georgia, USA, Sep 12, 2015) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening
SANS Institute: Information Security Training (Las Vegas, Nevada, USA, Sep 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security training courses taught by real-world practitioners. The site of SANS Network Security 2015, September 12 - 21, is Caesars Palace, the majestic Las Vegas hotel
Gulf Cooperation Council Cyber Security Summit (Abu Dhabi, United Arab Emirates, Sep 13 - 15, 2015) The GCC Cyber Security Summit will bring together regional and international thought leaders and decision-makers to examine one of the most vital threats to the region's future well-being: cyber-attack. Penetration of national and company security, criminal fraud and identity theft are now big business worldwide among a shadowy fraternity that is only growing in power and size. Recent incidents with film studios, healthcare providers and global banks continue to resonate in cabinet offices and boardrooms everywhere
Hacker Halted 2015 (Atlanta, Georgia, USA, Sep 13 - 18, 2015) EC-Council Foundation's flagship information security conference, Hacker Halted, will unite some of the greatest minds in information security, as industry experts address the latest threats and vulnerabilities plaguing the virtual world. Hacker Halted will also feature several highly technical and advanced workshops that cover the most current security topics and will include EC-Council's most sought after certification classes. Hacker Halted runs concurrently with the invitation-only Global CSO Forum
EnergySec 11th Annual Security & Compliance Summit (Washington, DC, USA, Sep 14 - 16, 2015) For more than 10 years the EnergySec Security Summit has been the premier gathering for stakeholders in the energy sector focused on physical and cyber security. Our summits give each attendee a rare opportunity to mingle with asset owners, government agencies, researchers, consultants, vendors and academia under one roof
Fraud Summit San Francisco (San Francisco, California, USA, Sep 15, 2015) ISMG's Fraud Summit is a one-day event focused exclusively on the top fraud trends impacting organizations and the mitigation strategies to overcome those challenges. Among the areas to be discussed are the fraud ecosystem, trends in consumer fraud awareness (what's working and what's not), and threat intelligence
Borderless Cyber 2015 (Washington, DC, USA, Sep 15 - 16, 2015) OASIS, in collaboration with The World Bank, will bring together public and private sector security professionals from around the world to evaluate, debate, and collaborate on cyber security best practices and tools. Hosted at The World Bank headquarters in Washington, DC, the conference will generate dialogue across government and business, combining high-profile guest speakers, interactive roundtable sessions, and moderated debates. Additional networking events will complement each day's agenda, offering opportunities for real-time collaboration
Detroit Secure World (Detroit, Michigan, USA, Sep 16 - 17, 2015) Join your fellow security professionals for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry experts on many diverse topics such as: Risk Mitigation, Malware Detection, Digital Forensics, Cloud Security, Privacy, Big Data, PCI Compliance, Security Metrics, Encryption, Mobile Device Management, Incident Response, and much more. Risk management and enterprise cyber defense strategies figure on the agenda
National Insider Threat Special Interest Group Meeting (Laurel, Maryland, USA, Jul 16, 2015) Topics to be discussed at the meeting: Insider Threat Program Development & Implementation, Behavioral Indicators Of Concern, Legal Considerations When Developing & Managing An Insider Threat Program. There is no cost to attend this meeting
6th Annual Billington Cybersecurity Summit (Washington, DC, USA, Sep 17, 2015) Join key leaders and decision makers from government, military and the private sector at this one-day intensive networking event as participants focus on the next generation of solutions to ensure this nation's cybersecurity
Cyber Security Summit: New York (New York, New York, USA, Sep 18, 2015) The Cyber Security Summit provides an exclusive business environment to meet with Senior Executives who are seeking innovative solutions to protect their business & critical infrastructure. Delegates at the Cyber Security Summit are prequalified based on their willingness to meet with Solution Providers and proven ability to purchase products and services
Data Breach Investigation Summit (Dallas, Texas, USA, Sep 21 - 26, 2015) Data breaches are occurring at an alarming rate and increasing in their scope, frequency and impact, and they don't discriminate by industry, geography or organization size. When a breach occurs, organizations, agencies and individuals need to learn how to more effectively identify/detect that the breach has occurred, respond to the breach in an effective and timely manner, investigate the breach, and prevent/defend the organization from future breaches
St. Louis SecureWorld 2015 (St. Louis, Missouri, USA, Sep 22 - 23, 2015) Join your fellow security professionals for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry experts on many diverse topics such as: Risk Mitigation, Malware Detection, Digital Forensics, Cloud Security, Privacy, Big Data, PCI Compliance, Security Metrics, Encryption, Mobile Device Management, Incident Response, and much more. The security implications of the Internet-of-things will be among the topics discussed
OWASP APPSECUSA (San Francisco, California, USA, Sep 22 - 25, 2015) The premier gathering of developers, security experts and technologists to discuss cutting edge approaches to secure web applications
SAT 2015: 18th International Conference on Theory and Applications of Satisfiability Testing (Austin, Texas, USA, Sep 24 - 27, 2015) The International Conference on Theory and Applications of Satisfiability Testing (SAT) is the premier annual meeting for researchers focusing on the theory and applications of the propositional satisfiability problem, broadly construed. Aside from plain propositional satisfiability, the scope of the meeting includes Boolean optimization (including MaxSAT and Pseudo-Boolean (PB) constraints), Quantified Boolean Formulas (QBF), Satisfiability Modulo Theories (SMT), and Constraint Programming (CP) for problems with clear connections to Boolean-level reasoning
CSS (International Conference on Cryptography and Security Systems) (Warsaw, Poland, Sep 25 - 27, 2015) After three years' break, CSS is returning in 2017 with another great look at the evolution of cryptography and its role for the cyber security industry. This event is focused on presenting original and unpublished research and developing activities related to all aspects of cryptography and network security. From theory to practice, this conference might be right up your alley if you're interested in cryptography
Business Insurance Cyber Risk Summit 2015 (San Francisco, California, USA, Sep 27 - 28, 2015) The Business Insurance Cyber Risk Summit provides risk management professionals and chief information security officers with the practical information and tools needed to combat the latest cyber risks that threaten their organizations. The day-long conference will explore cyber exposures, regulations, governance and insurance coverage. Risk managers and CISOs will learn how to adapt proven risk management strategies to their current cybersecurity environments, how to better communicate with their information security teams, and how to effectively convey risks, exposures and coverage options to their corporate boards and the C suite
ASIS International (Anaheim, California, USA, Sep 28 - Oct 1, 2015) The ASIS Annual Seminar and Exhibits boasts of being one of the world's most influential events for security professionals. Its mission is to provide industry-leading education, countless business connections, and the latest product and service innovations from 600+ exhibitors from the information security sector
CYBERSEC European Cybersecurity Forum (Kraków, Poland, Sep 28 - 29, 2015) The CYBERSEC forum is the first of its kind in Poland and one of just a few regular public policy conferences in Europe devoted to the strategic issues of cyberspace and cybersecurity. The goal of the CYBERSEC conference is the formulation of practical recommendations that aim to increase resilience to cyber threats within specific economic sectors, countries, and the EU as a whole
(ISC)² Security Congress (Anaheim, California, USA, Sep 28 - Oct 1, 2015) Proudly colocated for the fifth year in a row, (ISC)² Security Congress 2015 and ASIS International 61st Annual Seminar and Exhibits (ASIS 2015) expect more than 19,000 professionals worldwide from both the information security and operational security disciplines to join together September 28 - October 1 in Anaheim, CA. Offering more than 80 education sessions along with networking and career advancement opportunities, (ISC)² Security Congress 2015 will include topics on best practices, current and emerging issues, and solutions to challenges
Cloud Security Alliance Congress at P.S.R. (Las Vegas, Nevada, USA, Sep 28 - Oct 1, 2015) The industry's premier gathering for IT security professionals and executives who must further educate themselves on the rapidly evolving subject of cloud security. Offering best practices and practical solutions for remaining secure in the cloud, CSA Congresses also expose attendees to industry-specific case studies. P.S.R. brings together two industry-leading events — CSA Congress US and the IAPP Privacy Academy — to provide attendees with more than double the education and networking opportunities with leading innovators and practitioners in technology, security and privacy for the price of a single conference. Among the keynote presenters are Arthur W. Coviello, Jr., Executive Chairman (Retired), The Security Division of EMC, RSA, Brian Krebs, Investigative Reporter, Cybersecurity Expert, Travis LeBlanc, Chief of Enforcement, Federal Communications Commission, Lydia Parnes, Partner, Wilson Sonsini Goodrich & Rosati, Jessica Rich, Director, Bureau of Consumer Protection, Federal Trade Commission
Fraud Summit Toronto (Toronto, Ontario, Canada, Sep 17, 2014) From account takeover to payment card fraud and the emerging mobile threatscape, the ISMG Fraud Summit series is where thought-leaders meet to exchange insights on today's top schemes and the technology solutions designed to stop them.
Threat Intelligence Summit 2015 (ChampionsGate, Florida, USA, Sep 29 - 30, 2015) The threat landscape is getting bigger and more complex, the tools more plentiful, the amount of digital information increasingly massive, and the skills needed to navigate this terrain seem to multiply continuously. The key to success in defending against threats — actionable threat intelligence. Threat Intelligence Summit 2015 will address best practices for combating threats in your organization
hardwear.io: Hardware Security Conference and Training (The Hague, Netherlands, Sep 29 - Oct 2, 2015) Do you trust your hardware? Learn from experts about backdoors, exploits, trust, assurance and attacks on hardware equipment, firmware and related protocols
VB2015 (Prague, Czech Republic, Sep 30 - Oct 2, 2015) The VB2015 programme includes 38 papers on a wide range of security topics. As in previous years, the presentations will run in two parallel streams and the programme includes both technical and less technical presentations. Just a small selection of the many highlights includes: "Attack on the drones: security vulnerabilities of unmanned aerial vehicles" (Oleg Petrovsky), "How malware eats cookies" (Zhaoyan Xu, Wei Xu), "The Unbearable Lightness of APTing" (Yaniv Balmas, Ron Davidson, Shahar Tal), "The Kobayashi Maru dilemma" (Morton Swimmer, Nick FitzGerald, Andrew Lee), "DDoS trojan: a malicious concept that conquered the ELF format" (Peter Kalnai, Jaromir Horejsi), "POS fraud: trends and counter-actions to mass fraud" (Ken Dunham), and "The elephant in the room" (Marion Marschalek). This year's conference will include two keynote speakers — one at the opening of the conference and one at the very end. The programme will also include a number of added extras