The CyberWire Daily Briefing 10.14.15
news from the Association of the United States Army 2015 Annual Meetings
The CyberWire continues its coverage of the AUSA's 2015 annual meetings. Our thanks again to the Military Cyber Professionals Association, which afforded us this opportunity to attend. You'll find a full account of the session we attended yesterday, Homeland Defense/Homeland Security: the Army/DHS Partnership, linked below. Secretary Johnson of the Department of Homeland Security offered his views on a wide range of issues, including cyber crime, cyber law enforcement, information operations and the shift from terrorist direction to terrorist inspiration, and the irreducibility of risk.
As usual, we've collected some articles relevant to yesterday's discussion in the special section below. We'll wrap up our coverage of the AUSA meetings with tomorrow's issue.
Anonymous counts coup against Belgian governmental sites, including the Prime Minister's own.
A new zero-day hits Adobe Flash, apparently effective even against fully patched versions. Trend Micro attributes the infections to Pawn Storm, a threat group that's operated a long-running cyber espionage campaign, many of whose targets have been journalists. Many speculate that it's a Russian government operation (apply the usual denials, disclaimers, and dudgeon).
Rapid7 and Knowledge Consulting Group report finding a command-injection vulnerability in HP's SiteScope tool.
Proofpoint warns that the Vawtrak Trojan is back, and in a more virulent form.
US-CERT issues a warning about the Dridex peer-to-peer malware, mostly implicated in theft of banking credentials. But there's some good news here as well: a British-American law enforcement operation has succeeded in disrupting the criminal network that served Dridex up.
The Poodle vulnerability that barked so loudly last year appears to be exiting with a whimper.
Symantec warns that Android ransomware authors are using Google design principles to come up with more plausible, more effective bait.
A researcher demonstrates that Wi-Fi jamming is not only easier than generally believed, but it's cheaper, too.
Microsoft, Google, Adobe, and SAP issue patches. Microsoft SQL Server 2005 approaches the end of its life.
ICS security maven Joe Weiss will make our flesh creep in tonight's Nova documentary "CyberWar Threat."
The industry continues to process Dell's acquisition of EMC. Northrop Grumman protests Raytheon's $1B DHS cyber contract. Rapid7 buys Logentries; Wombat buys ThreatSim.
Observers still puzzle over the Sino-American cyber agreement.
Notes.
Today's issue includes events affecting Belgium, China, India, Russia, Thailand, Ukraine, United Kingdom, and United States.
Washington, DC: the latest from AUSA
2015 AUSA Annual Meeting & Exposition, Day 2: Homeland Defense/Homeland Security — the Army/DHS Partnership (The CyberWire) The Honorable Jeh C. Johnson, Secretary of Homeland Security, addressed the AUSA yesterday morning on partnership between the Army and the Department of Homeland Security. We offer an overall observation: clearly "whole-of-government" solutions and approaches are de rigueur everywhere, but this seems especially so when officials talk about the challenges of cyber security
US-China cyber agreement not a cure-all, says Jeh Johnson (FierceGovernmentIT) Recent commitments between China and the United States on cybersecurity are not a cure-all for the problems between the two powers in cyberspace, said Homeland Security Department Secretary Jeh Johnson during testimony last week
Strategic Development of Special Warfare in Cyberspace (Joint Forces Quarterly) Why are regional powers such as Iran and Russia better prepared for cyber-enabled special warfare operations than the United States? How do Iran and Russia empower their tactical operators, while the United States masses its cyber-authorities and cyber-capabilities at the strategic level? Why are U.S. policies, authorities, and doctrine for cyber-enabled special operations so immature despite their first announcement over 20 years ago? Although these are serious questions, what is even graver for the Nation is addressing the root question: How does the United States develop a strategic cyber-enabled special warfare capability?
Cyber Attacks, Threats, and Vulnerabilities
Anonymous Targets Belgian Government, Knocks Prime Minister's Website Off (HackRead) The online hacktivist group Anonymous Belgian conducted a series of DDoS attacks on the official website of Belgian Prime Minister Charles Michel, the Brussels parliament and the website of Federal Public Services Home Affairs this Sunday
New zero-day exploit hits fully patched Adobe Flash (Ars Technica) Attacks used to hijack end users' computers when they visit booby-trapped sites
Attackers could gain access to HP SiteScope control panel and execute arbitrary commands (FierceITSecurity) Researchers at Rapid7 and Knowledge Consulting Group have found a command injection hole in HP's SiteScope tool used to monitor enterprise IT infrastructure and applications. This could enable an attacker to execute any commands on the underlying operating system
The Vawtrak Trojan reemerges tougher and sneakier (SC Magazine) The Vawtrak bug is back and meaner than ever, say Proofpoint researchers
Alert (TA15-286A) Dridex P2P Malware (US-CERT) Dridex, a peer-to-peer (P2P) bank credential-stealing malware, uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control (C2). The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), is releasing this Technical Alert to provide further information about the Dridex botnet
'POODLE' One Year Later: Still Around? Not So Much (Dark Reading) As high-severity vulnerabilities go, POODLE remediation rates and times have proven to be astonishingly better than expected
AV Phone Scan via Fake BSOD Web Pages (Internet Storm Center) A few days ago, I found a malicious website which tries to lure the visitor by simulating a Microsoft Windows Blue Screen of Death (BSOD) and popping up error messages within their browser
Prolific Cybercrime Gang Favors Legit Login Credentials (Dark Reading) FireEye researchers shed more light on infamous cybercriminals associated with RawPOS malware, and christen it 'FIN5'
Fraudsters exploit weak SSL certificate security to set up hundreds of phishing sites (SC Magazine) Certificate authorities are granting SSL certificates to the owners of spoof domain names which are being used to phish customers of well-known retail and banking brands
Magento database tool Magmi has a zero-day vulnerability (PCWorld) Magento has contacted the websites that appear to be vulnerable, Trustwave said
Android ransomware uses Google's own design principles against victims (FierceITSecurity) The Android.Lockdroid.E ransomware uses Google's design principles and an open-source project against users, warned Symantec security researcher Dinesh Venkatesan in a blog post
Hackers Can Silently Control Siri From 16 Feet Away (Wired) Siri may be your personal assistant. But your voice is not the only one she listens to
WiFi jamming attacks more simple and cheaper than ever (Help Net Security) A security researcher has demonstrated that jamming WiFi, Bluetooth, and Zigbee networks is not difficult to perform but, most importantly, also not as costly as one might think
Cyber-attack warning after millions stolen from UK bank accounts (Guardian) Top crime agency delivers advice after virus used to access online banking details, with UK losses estimated to hit £20m
Consumer Alert: Debit card fraud at Walmart discovered in 16 states (CSO) Criminals cashing out compromised debit cards, avoiding detection until it's too late by staying below a $50.00 price point
America's Thrift Stores breached by Eastern European criminals (Help Net Security) America's Thrift Stores, a for-profit organization that operates thrift stores in Alabama, Georgia, Louisiana, Mississippi and Tennessee, is the victim of a data breach
How Soviets used IBM Selectric keyloggers to spy on US diplomats (Ars Technica) Highly sophisticated bugs went undetected for 8 years during the Cold War
Security Patches, Mitigations, and Software Updates
Microsoft Security Bulletin Summary for October 2015 (Microsoft Security TechCenter) This bulletin summary lists security bulletins released for October 2015
October Patch Tuesday: the first of 2015 with no zero day exploits (TechTarget) Microsoft's October 2015 Patch Tuesday has the fewest number of bulletins of any release this year and also is the first of the year to feature no patches related to zero day exploits
Mm, what's that smell, Microsoft SQL Server 2005? Yes, it's death (Register) Six months left before end-of-life, warns Redmond
Stable Channel Update (Chrome Releases) The Chrome team is delighted to announce the promotion of Chrome 46 to the stable channel for Windows, Mac and Linux
Adobe Releases Security Updates for Reader, Acrobat, and Flash Player (US-CERT) Adobe has released security updates to address multiple vulnerabilities in Reader, Acrobat, and Flash Player. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system
Apple yanks App Store apps that could monitor encrypted data traffic (FierceITSecurity) Apple has removed from its App Store mobile apps that install root certificates that could allow an attacker to monitor encrypted data traffic
SAP Security Notes October 2015 — Review (ERPScan) SAP has released the monthly critical patch update for October 2015. This patch update closes 29 vulnerabilities in SAP products, 15 of which are high priority, some of them belong to the SAP HANA security area
Xen 4.6 strengthens security and Intel support (InfoWorld) The latest version of the open source hypervisor adds deep-seated security measures and now works with key Intel-only hardware features
Cyber Trends
Cybersecurity Expert: Be Afraid, America. Be Very Afraid. (Daily Beast) Leading cybersecurity expert Joseph Weiss writes about how vulnerable America's computer systems are. He features in the NOVA documentary 'CyberWar Threat,' premiering Oct. 14 on PBS
Internet of Things: Connecting the security dots from application design to post-sale (Help Net Security) The age of Internet of Things is upon us. While it's still early days, Gartner predicts that by 2020, the Internet of Things will be made up of 26 billion connected devices and IDC estimates that $7.3 trillion in revenue will be generated by IoT components by 2017
Coast Guard official: Cyber incidents with physical consequences impacting the maritime transportation system (FierceGovernmentIT) Cyber threats are real and active for those who manage operations at the nation's ports, said Rear Adm. Paul Thomas, assistant commandant of prevention policy with the U.S. Coast Guard
Cybersecurity expectations: Myth and reality (Help Net Security) Millennials in the U.S. and U.K. have almost entirely lost trust in government and business to protect their personal information online, according to Intercede
Too many healthcare employees complacent about security (CSO) Non-technical health care employees are too complacent about the possibility of a data breach
Marketplace
Dell-EMC acquisition leaves questions as Tucci steps away (TechTarget) When the Dell-EMC deal is complete, EMC CEO Joe Tucci will step away after 15 years on the job — leaving Michael Dell and others to carry on his legacy
HP's Whitman warns of chaos for Dell and EMC (Channel Web) In Hewlett Packard Enterprise staff memo seen by Channelnomics, HP CEO blasts Dell-EMC deal
Dell Buying EMC: The Impact on RSA (InfoRiskToday) Future of security company remains unclear
Rapid7 buying machine data search software firm, challenges Splunk (Seeking Alpha) Newly-public security software/services firm Rapid7 (NASDAQ:RPD) is buying Logentries, a provider of software for searching and analyzing the large volumes of machine/log data produced by IT systems, for $68M – $36M in cash + $32M in stock
Wombat acquires ThreatSim to extend security awareness training capabilities (CSO) Wombat Security announced today that it is acquiring ThreatSim — a company that focuses on spear phishing prevention
Cybersecurity Insurance Fills Important Gaps in Liability Insurance Coverage (National Law Review) The twenty-first century challenges posed by data breaches and cyber crimes do not fit neatly into the space occupied by traditional liability insurance policies
E.U. order complicates multinational personal data sharing for thousands of firms (Business Insurance) More than 4,000 U.S. multinational companies must seek an alternative legal framework for conveying their workers' personal data from European Union countries to the United States without risking regulatory scrutiny, as a result of an E.U. court order that invalidated the current safe harbor
Spotlight: Security analytics startup DataVisor raises $14.5M in funding (FierceITSecurity) DataVisor, a big data security analytics startup, announced Tuesday that it raised $14.5 million in a funding round led by GSR and NEA
Anti-virus co SentinelOne raises $25m (GLOBES) The company plans to expand its departments, open new centers, and double its workforce
KEYW obtains Naval task order worth up to $13.5M (Seeking Alpha) The Naval Research Laboratory has granted KEYW (KEYW +0.1%) a contract to "provide a broad range of services including development, evaluation and integration of General Purpose Electronic Test Equipment as well as program specific software development." The contract has one base year and two one-year options, and a max value of $13.5M
Booz Allen's 'Internet of Things' partnership with Amazon is about more than consulting (Washington Business Journal) Booz Allen Hamilton Inc.'s (NYSE: BAH) "Internet of things" partnership with Amazon Web Services could be a signal that the centenarian consulting firm is ushering in a new era
Cyber Command Awards CACI $14 Million Extension For Continued Support (Defense Daily) Due to a delay in United States Cyber Command effort to consolidate a number of existing separate support contracts, the command has awarded CACI International [CACI] a one-year $13.8 million extension to continue support under a current task order for IT and research
Northrop Grumman Protests $1 Billion DHS Cyber Award To Raytheon (Defense Daily) Northrop Grumman [NOC] has protested the award of a potential $1 billion contract that Raytheon [RTN] won in September from the Department of Homeland Security (DHS) for support of a network security program. The protest was filed with the Government Accountability
Vendor View: Blue Coat forecasts growth as it rides wave of cloud adoption (Channelnomics) Vendor keen to help partners accommodate EMEA privacy laws
iovation Wins "FinTech Forward Company to Watch" Award (MarketWired) American Banker and BAI recognize Iovation for its game changing device-based fraud fighting solutions and large adoption by financial institutions
Cylance Adds Art Coviello, Former CEO of RSA Security, to its Board of Directors (EIN) Cylance, the company that is revolutionizing cybersecurity with products and services that proactively prevent, rather than just reactively detect, advanced persistent threats and malware, today announced that Art Coviello, formerly CEO of RSA, and Executive Chairman of RSA, the security division of EMC, has joined its Board of Directors
As Hackers Increasingly Target The Cloud, Rackspace Turns To Military Vet With Cyberwar Experience (International Business Times) In the dead of night, two Navy SEALs and a former military officer glide toward a U.S. military facility, water lapping quietly against the side of their canoe
Products, Services, and Solutions
FireEye launches threat intelligence service with Visa, new hardware/software (Seeking Alpha) Four months after announcing they plan to offer a threat intelligence service relying on data from both companies, FireEye (FEYE +1%) and Visa have unveiled Visa Threat Intelligence, a subscription-based service delivering real-time threat info to merchants and card issuers
Financial services group gets access to IBM X-Force Exchange's cyberthreat intelligence (FierceITSecurity) IBM announced Monday that it is providing access to its IBM X-Force Exchange, which collects, analyzes and shares cyberthreat intelligence, to the Financial Services Information Sharing and Analysis Center — or FS-ISAC
Tenable Network Security Reduces Cloud Infrastructure Attack Surface with New Capabilities in Nessus v6 (PRWire) New Nessus Agents for Amazon, Debian and Ubuntu Linux, and new Nessus scanner for AWS help customers simplify cloud vulnerability management
Michael Buratowski: Standards Body Certifies Fidelis Cybersecurity as Payment Card Forensic Investigator (ExecutiveBiz) The Payment Card Industry Security Standards Council has granted Fidelis Cybersecurity a certification to help financial services companies to manage compromised data
Cisco dedicates security project to 'pissing off the bad guys' (Network World via CSO) Project Aspis will help hosting providers remove persistent criminal activity from their networks before it spreads to end users
Gemalto’s LinqUs Cloud Protects Over 3Bn Mobile Phonebook Contacts in MEA (Footprint to Africa) Gemalto, the world leader in digital security, has disclosed that over three billion mobile phonebook contacts across the Middle East and Africa region alone are now being protected through its LinqUs Cloud Backup solution
Flashpoint and Malformity Labs Partner to Enhance Analysis of Deep & Dark Web Threat Intelligence (PRNewswire) Flashpoint Maltego transforms enable visualization of deep and dark Web data
Latest Kaspersky products address growing threat to online privacy (Nation) Kaspersky Lab, an international security software group operating worldwide and headquartered in Moscow, yesterday launched its latest products for home users — Kaspersky Antivirus Software (KAS 2016) and Kaspersky Internet Security Software (KIS 2016) - with localisation for the Thai market
Microsemi Rolls Out Secure Cryptography Cores (Social-Tech) Aliso Viejo-based semiconductor developer Microsemi said this morning that it has rolled out a portfolio of IP cores, in partnership with security and cryptography provider The Athena Group
Enhanced Help Desk Support and Password Synchronization for Office 365 Added to Thycotic Password Reset Server (PRNewswire) Self-service password reset tool for end-users now offers increased flexibility and ease-of-use for organizations of all sizes
Technologies, Techniques, and Standards
5 Things Every Board Member Needs to Know about Security (Security Magazine) Corporate security and cybersecurity are no longer an IT problem
Strengthening Cyber Risk Management in Commercial Real Estate (Wall Street Journal) As commercial real estate (CRE) companies step up their use of technologies such as cloud, mobile and social media to drive tenant engagement and operational efficiency, they could be increasing their vulnerability, as well as that of their tenants, to cyber risks
Raising the Stakes on Client Confidentiality (Legaltech News) Lawyers can make a "reasonable effort" to protect client data from falling into the wrong hands with the help of information rights management
E-Signature Validity: Keeping Your Signatures Defensible in Court (Legaltech News) Without the right evidence, e-signatures can crumble under judicial and opposing counsel scrutiny
Design and Innovation
A better approach to cloud encryption (InfoWorld) Many cloud encryption solutions weaken security to preserve functionality; it doesn't have to be like that
Research and Development
Universities, Utility Research Protecting Nation's Power Grid From Cyber Attacks (Homeland Security Today) Cybersecurity researchers from four universities and one utility company are working together as part of a Department of Energy (DoE) Center for Securing Electric Energy Delivery Systems (SEEDS) to help safeguard the nation's power utilities from cyber attacks
FIU researchers working on protecting nation's power grid from cyber attacks (Florida Trend) Researchers from FIU's College of Engineering and Computing have teamed up with four other universities and a utility company to help safeguard the nation's power utilities from cyber attacks
Academia
Battelle-Led Team Lands $185M Contract to Manage Army STEM Programs (GovConWire) A Battelle-led consortium has won a potential 10-year, $185 million contract to help administer the U.S. Army's portfolio of programs for science, technology, engineering and mathematics education
Legislation, Policy, and Regulation
Mandia: US-China No-Hack Pact Could Be Game Changer (Dark Reading) Mandiant founder Kevin Mandia says change is coming in the wake of Xi and Obama's pledge not to conduct cyberespionage for economic gain if China holds up its end of the deal
US-China cyber espionage treaty 'will do nothing': FireEye boss (Register) So what are all those hack groups in China doing?
What will the cyber mission force look like? (Defense Systems) The Defense Department is steadily building and training its cyber force, and while it still has a ways to go on both fronts, it is putting teams to work as they are formed, DOD officials say
7 Components for Cybersecurity Readiness (InfoRisk Today) U.S.-based Melissa Hathaway, a senior fellow at the Potomac Institute for Policy, has developed a cyber readiness index, compiled with information drawn from 125 countries to help enterprises in evolving a resilient cybersecurity model
NSA official, Utah congressman defend federal agency's role to combat cyber-attacks (Canadian Business) The National Security Agency's massive data centre in Utah isn't being used to store Americans' personal phone calls or social media activity, but plays a key role in protecting the country from cyber-attacks by hostile foreign governments, U.S. Rep. Chris Stewart of Utah said Tuesday
Cybersecurity expert urges open talk between government, business (Tampa Tribune) When Keith Alexander arrived in Tampa in 1998 to take over as director of intelligence for U.S. Central Command, he spent the first six days walking around MacDill Air Force Base, checking out his new surroundings
Sanders would 'absolutely' end NSA spying (The Hill) Sen. Bernie Sanders would "absolutely" end sweeping surveillance powers at the National Security Agency, he said during the first Democratic presidential debate on Tuesday
4 out of 5 Democratic candidates agree — Snowden should face the courts (Ars Technica) Bernie Sanders would shut down NSA, doesn't care about Clinton's e-mail server
John McAfee on the Cyber Party platform (CSO) In this segment of The Irari Report interview with security icon and presidential candidate John McAfee, Ira Winkler and Araceli Treu Gomes ask McAfee about the political party that he formed, The Cyber Party. McAfee tells Ira and Ari about the Cyber Party's platform that focuses on Privacy, Freedom and Technology
New York lawmakers press Air Force for cyber squadron (The Hill) New York legislators from both chambers of Congress on Tuesday urged the Air Force to establish one of four planned cyber operations squadrons in New York
Litigation, Investigation, and Law Enforcement
US, UK disrupt Dridex botnet, which targeted online banking (IDG via CSO) Dridex is considered one of the most effective banking malware families
Arrest of Chinese Hackers Not a First for U.S. (KrebsOnSecurity) The Washington Post reported last week that the Chinese government has quietly arrested a handful of hackers at the urging of the U.S. government, a move described as "an unprecedented step to defuse tensions with Washington at a time when the Obama administration has threatened economic sanctions"
U.K. Politicians' Comms Not Exempt From Spy Agency Dragnets, Says Tribunal (TechCrunch) If this latest ruling by the judicial body that oversees complaints relating to the U.K's intelligence agencies doesn't ratchet up political pressure for reform of mass surveillance powers in the U.K. then surely little else will — given it pertains to the sanctity of politicians' communications
The Obscure 1789 Statute That Could Force Apple to Unlock a Smartphone (Motherboard) Law enforcement have asked a magistrate judge in the Eastern District of New York to compel Apple, Inc. to unlock (and possibly decrypt) an iPhone
A New Way for Tech Firms to Fight Orders to Unlock Devices (Wired) Although the federal government recently backed down on its efforts to compel tech companies to install backdoors on their electronic devices, it doesn't mean the government has given up on getting access to protected phones and other devices
Cops Don’t Need a Crypto Backdoor to Get Into Your iPhone (Wired) Late last week, the privacy community scored a victory in a year-long battle over the future of encryption
SECURITY: Clinton server's software had hacking risk (Press Enterprise) The private email server running in Hillary Rodham Clinton's home basement when she was secretary of state was connected to the Internet in ways that made it more vulnerable to hackers, according to data and documents reviewed by The Associated Press
Matthew Keys' Hacking Conviction May Not Survive an Appeal (Wired) The conviction of former Reuters employee Matthew Keys on hacking charges this week has renewed focus on a controversial federal law that many say prosecutors are using incorrectly and too broadly to inflate cases and trump up charges
Hacker Who Sent Me Heroin Faces Charges in U.S. (KrebsOnSecurity) A Ukrainian hacker who once hatched a plot to have heroin sent to my Virginia home and then alert police when the drugs arrived had his first appearance in a U.S. court today, after being extradited to the United States to face multiple cybercrime charges
Lottery chief who "rigged the randomness" is jailed for 10 years (Naked Security) Eddie Raymond Tipton, come on down!
Idaho Cyber Security Task Force begins work to stop cyber criminals (Standard Journal) Our United States military is trained and ready to defend our borders, our local police force is trained and ready to protect our communities. So who is trained and ready to protect our information — in computer servers and floating around in what is known as the cloud?
Even in public life, some things should be private (The National) Everyone is in favour of transparency and greater openness, aren't they?
For a complete running list of events, please visit the Event Tracker.
Newly Noted Events
Cyber Liability Summit (New York, New York, USA, Oct 21, 2015) Attendees of the CLM Cyber Liability Summit will come away with a full understanding of the risks, exposures, development of claim activity and trends in the areas specific to Data and Network Security, Privacy and Social Media, and the types of cases that result from such. The distinguished presenters will lead interactive sessions on essential cyber liability topics to ensure attendees have the most comprehensive and up-to-the-minute information needed to flourish in an ever-changing environment
Münchner Cyber Dialog (München, Bayern, Germany, Oct 21, 2015) The conference provides a platform for dialogue among politics, business, academia and public administration to discuss the society-wide opportunities and risks of the digitalization process. The focus is on the importance of high-quality, secure and trustworthy IT infrastructure as the basis of industrial production and overall economic development in Germany. The dialogue serves as a catalyst for joint efforts to shape the digitalization process securely
7th Semi-Annual ENAM Conference: the Borderline Between Cybersecurity and Individual Freedoms (Vilnius, Lithuania, Oct 16, 2015) This half-day conference in Vilnius will address topics such as the latest cyber-threats, most recent developments in the European and US regulatory framework, as well as the consequences of these developments for private individuals and businesses. Under discussion will be imperatives and challenges, solutions and ideas to make cyberspace resilient
Cyber Security Opportunities for U.S. Firms in Japan, S. Korea, and Taiwan (Online, Dec 2, 2015) Listen to experts from Japan, S. Korea and Taiwan and learn how to position your company for success in these countries. Sponsored by the US Department of Commerce
BSides Tampa 2016 (MV Royal Caribbean Brilliance of the Seas, Tampa to Mexico, Feb 4 - 8, 2016) BSides Tampa is an annual IT security/hacking conference featuring hands on training classes and lectures from some of the greatest minds in the industry and academia
ICCWS 2016 (Boston, Massachusetts, USA, Mar 17 - 18, 2016) ICCWS 2016 will cover the complex but exciting aspects of international cyber warfare and security
ASIS 15th European Security Conference & Exhibition (London, England, UK, Apr 6 - 8, 2016) ASIS Europe 2016 invites you to join security professionals and experts from all over Europe and beyond in one of the most dynamic centres of business and culture in the world
The Security Culture Conference 2016 (Oslo, Norway, Jun 14 - 15, 2016) The Security Culture Conference 2016 is the leading, global conference discussing how to build, measure and maintain security culture in organizations. The conference is a part of the Security Culture Framework Community, and draws professionals from around the world to meet, share and learn about security culture.
Upcoming Events
New York Metro Joint Cyber Security Conference (New York, New York, USA, Oct 14, 2015) The New York Metro Joint Cyber Security Conference is a collaborative event cooperatively developed, organized and sponsored by the leading information security industry organizations and chapters
NASA Goddard Cyber Expo (Greenbelt, Maryland, USA (also available by webex), Oct 2, 2014) The 2014 Goddard Cyber Expo will be a dedicated Information Technology & Cyber Expo at this secure facility hosted by the Office of the Chief Information Officer. The OCIO will be recruiting speakers to provide informational sessions on relevant Cyber issues. Industry exhibitors may sit in on the sessions. This event will be promoted to all NASA Cyber and IT-focused personnel, as well as the entire workforce at this location
BSides Portland (Portland, Oregon, USA, Oct 16 - 17, 2015) BSides PDX is a gathering of the most interesting infosec minds in Portland and the Pacific Northwest! Our passion about all things security has driven attendance from other parts of the country. Our goal is to provide an open environment for the InfoSec community to engage in conversations, learn from each other and promote knowledge sharing and collaboration
SecTor (Toronto, Ontario, Canada, Oct 19 - 21, 2015) Illuminating the Black Art of Security. Now entering its 9th year, SecTor has built a reputation of bringing together experts from around the world to share their latest research and techniques involving underground threats and corporate defences. The conference provides an unmatched opportunity for IT Professionals and Managers to connect with their peers and learn from their mentors
Cyber Defense San Diego 2015 (San Diego, California, USA, Oct 19 - 24, 2015) Cyber security training in San Diego CA from SANS Institute, the global leader in Information Security training. SANS Cyber Defense San Diego 2015 features hands-on, immersion-style training courses for security professionals at all levels. Many of these security courses have Certifications that are aligned with DoD Directive 8570/8140 and most courses at this event are associated with GIAC Certifications. SANS delivers unparalleled security training with world-class Instructors
2015 Cyber Risk Insights Conference (New York, New York, USA, Oct 20, 2015) The world's largest cyber risk event for P&C professionals. Save-the-date for Advisen's 5th annual Cyber Risk Insights Conference in New York City with a full-day program that takes place on October 20, 2015
2015 Government Cybersecurity Forum (Washington, DC, USA, Oct 20, 2015) The Government Cybersecurity Forum was created three years ago as a result of the complexity of today’s global threat environment. As more devices connect to the Internet and data breaches continue to escalate, the hottest debate in cybersecurity revolves around the balance between privacy, anonymity, technology and security. For the first time ever, join leading government, military, technology and policy experts as they gather in one room to help solve this urgent issue facing the government and industry in securing infrastructure
Cyber Security Summit: Boston (Boston, Massachusetts, USA, Oct 9, 2015) The Cyber Security Summit provides an exclusive business environment to meet with Senior Executives who are seeking innovative solutions to protect their business & critical infrastructure. Delegates at the Cyber Security Summit are prequalified based on their willingness to meet with Solution Providers and proven ability to purchase products and services
Swiss Cyber Storm (KKL Lucerne, Switzerland, Oct 21, 2015) Swiss Cyber Storm 2015 is an international IT security conference that provides essential information about national cyber security issues, critical for both government and private infrastructures. The event also includes a cyber challenge competition held beforehand, which offers the best security talents a chance to be invited to the conference
DevSecCon (London, England, UK, Oct 22, 2015) DevSecCon is a newly formed, non-profit conference for DevOps and SecOps practitioners, run by practitioners. By creating a neutral platform, we will exchange and create new ideas on how to leverage the best of both worlds
2015 North American International Cyber Summit (Detroit, Michigan, USA, Oct 25 - 26, 2015) The North American International Cyber Summit 2015, hosted by Michigan Governor Rick Snyder, is set to take place in the heart of Downtown Detroit at the newly remodeled Cobo Center for the second straight year. As in the previous three sold-out summits, this year's event will bring together experts from across the globe to address a variety of cybersecurity issues impacting the world of business, education, information technology, economic development, law enforcement and personal use
ICS Cyber Security Week (Atlanta, Georgia, USA, Oct 26 - 29, 2015) ICS Cyber Security Week is the longest-running cyber security-focused conference dedicated to the industrial control systems sector. The event caters to critical infrastructure organizations in the following sectors: energy, utility, chemical, transportation, manufacturing, and many more
Cyber Awareness & Technology Days (Colorado Springs, Colorado, USA, Oct 27 - 28, 2015) The Information Systems Security Association (ISSA) Colorado Springs Chapter http://www.issa-cos.org will once again host the 6th Annual Cyber Security & Information Technology Days set to take place at Peterson AFB on Tuesday, October 27, 2015 and at Ft Carson on Wednesday, October 28, 2015. Both events are being conducted in October to coincide with National Cyber Security Awareness Month as a way to encourage collaboration between local military personnel and industry partners. Government and Industry experts will be on hand to brief attendees on the latest trends, best practices and remediation strategies in the cyber security field. These one-day forums will offer Cyber Security & Information Technology personnel a unique, local opportunity to get up-to-date information on rapidly evolving security challenges
Designing Secure Healthcare Systems (Long Branch, New Jersey, USA, Oct 27 - 29, 2015) Designing Secure Healthcare Systems is a three day intensive and immersive workshop…by healthcare hackers for healthcare technologists. Over the three days you will go from the basics of SQL injection to the over the top advanced concepts used to break code — you will learn not just by watching — but by doing. Regardless of your programming background or technical focus, you will walk away much better prepared to design and develop secure healthcare information technology systems
Cloud Security Alliance Summit NYC 2015 (New York, New York, USA, Oct 28, 2015) The full-day Cloud Security Alliance NYC Summit is a standalone event in Manhattan. Co-hosted by the CSA NY Metro and CSA Delaware Valley chapters, some 200 well-qualified attendees are expected. The theme is "Enterprise Lessons Learned in Cloud Security," with experts from financial services and other key industries. Viney Patel, Director, Global Head of Information Security at Citi Technology Infrastructure and Dan Reynolds, VP, Chief of Security and Information Architecture at Omnicom Media Group will be keynote speakers
Data Breach Summit Asia 2015 (Mumbai, India, Oct 28, 2015) As Cyber Security continues to become a challenge for all industries, ISMG's Data Breach Summit, a unique, one-day event, will focus on the issues to help the participants learn more about how to prevent cyber security breaches as well as how to mitigate the situation should a breach occur. The summit will provide an unparalleled platform to the attendees to engage in dialogue on real-world solutions protecting their organisations
Technology & Cyber Awareness Day (Aurora, Colorado, USA, Oct 28, 2015) The Buckley Air Force Base Technology & Cyber Security Day is a one-day event held on-site, where industry vendors will have the opportunity to display their products and services to IT, Comm, Cyber and Intelligence personnel. FBC will invite personnel from all major units and tenants at Buckley AFB, including ADF personnel
CyberMaryland 2015 (Baltimore, Maryland, USA, Oct 28 - 29, 2015) Now entering its 5th year, the Federal Business Council is proud to bring you the CyberMaryland 2015 Conference. The conference theme this year is "Collaborate.Educate.Innovate"
Cyber Security World 2015 (Washington, DC, USA, Oct 28 - 29, 2015) Cyber Security World 2015 brings together security experts, practitioners, and researchers who will share their firsthand knowledge and open the discussion to information sharing between public and private sector attendees. Join us in Washington, D.C. for two days of deep dive discussion on cybersecurity management and strategy, operations, cybercrime, and privacy. You're sure to walk away with new ideas you can implement in your organization to combat the cyber threat
Hackito Ergo Sum (Paris, France, Oct 29 - 30, 2015) No commercial content, no vendor talk. First time presenters welcome. Highly technical talks only. Bonus point for offensive and weird ideas. Areas and domains: systems hacking & security, network hacking, non-x86 exploitation, mobile hacking, offensive forensics, hardware & firmware hacking, brain hacking, automated hardware reverse engineering
8th Annual Space, Cyber, and Telecommunications Washington DC Conference (Washington, DC, USA, Oct 29 - 30, 2015) The Space, Cyber, and Telecommunications Law team hosts an impressive lineup of the world's greatest minds annually at conferences in Washington DC and in Lincoln, Nebraska and at occasional events around the world. Explore our past conferences and learn about our upcoming events below