The CyberWire Daily Briefing 02.19.15
news from Cyber Wednesday at the Atlantic Council
The Atlantic Council and the Christian Science Monitor held a conference yesterday as part of the Monitor's launch of its Passcode cyber section. The sessions' focus was on "breaking the cyber information-sharing logjam."
Michael Daniel, Special Assistant to the President and White House Cybersecurity Coordinator, opened the discussion. He began with an acknowledgment that information sharing is not a new topic, and that he would concentrate on outlining the Administration's recently proposed initiatives. First, he described the role of the Cyber Threat Intelligence Integration Center (whose acronym, "CTIIC," he clarified will be pronounced "see-tick"). This new organization is designed to facilitate intra-governmental information sharing. The National Cybersecurity and Communications Integration Center (NCCIC) in the Department of Homeland Security retains its role as principal interface with the private sector.
The current task, as seen in last Friday's summit, is building relationships that will enable effective cyber information sharing. The private sector made some important commitments there, Daniel said. They will form Information Sharing and Analysis Organizations (ISAOs), develop best practices, and use the NIST Framework. The ISAOs will enable many different kinds of organizations to serve as information hubs. The Executive Order calls for creation of a baseline for such organizations, and DHS will facilitate this.
Daniel stressed that ISAOs don't have to share with the NCCIC or any other part of the Government, but the President's order makes it clear that the NCCIC will share with ISAOs. The Executive Order also commits to some form of liability protection for the ISAOs.
The Executive Order streamlines the way in which classified information may be shared with the private sector, effectively by expediting certain forms of clearance. The ISAOs don't need this capability to operate, but many in the private sector have indicated this is something they wanted.
Daniel concluded by arguing that information sharing as such is not an end in itself. It must serve some actionable purpose appropriate to the sector for which it's done. A cyber weather map requires one kind of sharing. A public health service for cyber requires another. And getting ahead of the threat requires yet another sort of sharing.
Daniel's presentation was followed by a panel discussion on the Executive Order's implications for information sharing. The discussion was led by Jason Healey, Director, Cyber Statecraft Initiative, at the Brent Scowcroft Center on International Security, Atlantic Council. Panelists included Marcus Sachs (Vice President, National Security Policy, Verizon), Jeff Schmidt (founder and CEO, JAS Global Advisers), and Ari Schwartz (White House Senior Director for Cybersecurity).
Schwartz began by asserting that the presumption has now shifted in favor of sharing, and the new Executive Order facilitates sharing in four ways. First, it makes it easier to clear personnel at critical infrastructure companies. Second, it encourages private-to-private sharing outside the Government. Third, it facilitates private-to-government information sharing. And, fourth, through the CTIIC, it promotes intra-governmental information exchange. This last is particularly important because, of course, no agency has the full picture. The Office of the Director of National Intelligence (ODNI) was created to provide just such perspective, and ODNI seems the logical place to lodge an office designed to foster cyber intelligence sharing.
We need, Schwartz argued, to separate the technical issues of sharing from those that require legislation. The ISAOs are interesting and important because they focus on private-to-private sharing. Hubs need not be government hubs, or even organizations with any government participation at all.
Verizon's Sachs noted that Information Sharing and Analysis Centers (ISACs) date back some time, and are designed to be sector-specific. But much of the US economy lies outside the sectors as traditionally conceived and organized. Situational awareness is fine, but information sharing among those who can take action is powerful. You can be surrounded by information unrelated to action. What's wanted, and where there's room for improvement, is sharing actionable info.
Healey prompted the panelists to consider sharing of information other than threat intelligence. As much as we think of cyber defense against threats, vulnerability disclosure, for example, is a big part of information sharing.
Schmidt said that sharing information about vulnerabilities came to his own consciousness rather late. Today, however, there have never been more people looking for vulnerabilities, more efforts to monetize the search, better tools for finding them. We're now finding fundamental design issues that result in vulnerabilities. Sometimes keeping a vulnerability secret (to give vendors runway to fix it) is the best thing for effective information sharing. Such disclosure needs to be responsible. Let us say we agree that we should tell vendors of vulnerabilities in their products. Do you tell the US Government? Or do you tell foreign governments? Especially governments whose CERTs are indistinguishable from their foreign intelligence services?
Schwartz said that the President's Executive Order is intended to foster information sharing internationally, and the ISAOs should do so. Sachs suggested that international cooperation during the Y2K era offers a useful lesson: a follow-the-sun model of willing collaborators who can do something about the problem seemed to work.
Many of the ISAO members are, and are going to be, multinationals and other companies who operate internationally, said Schmidt. Thus it's not a new problem. Some of the Executive Order's provisions about clearances are intended to address the challenge of sharing information with companies that operate internationally.
After some general discussion of privacy as an important issue that needed to be and presumably would be addressed, Healey asked the panelists if information sharing would have helped Sony, or JPMorgan.
Sachs thought it depended upon individual action. Schmidt said directly, "Yes. It would have helped." A big problem is preparing for the wrong adversary, and information sharing would help in this regard. As we understand threat actors and their motivations, sharing such insight might indeed have helped Anthem, Sony, and others understand and prepare for the threats they face.
Schwartz was very encouraged by the number of companies at last Friday's summit expressing their commitment to the NIST framework — requiring it of their vendors, insurers requiring it of their policy holders, and so on.
In response to a question that suggested policymakers' emphasis on security clearances was misplaced, Sachs answered that classification and clearances were indeed barriers to effective information sharing. Many tech experts don't hold clearances, and may not even be clearable. And the Government may be prone to over-classification. The Government needs to think about the tear-line — the part of the information that can be shared — in advance. It's a problem when we share classified information that then can't be used.
In any case, Schwartz observed, "We're not going to clear our way out of the problem," and Healey suggested a useful rule-of-thumb: "If the bad guys are putting their stuff out on the Internet, that stuff should be considered as unclassified as any cat picture."
A questioner asked if there were companies one would not like to see participating in an ISAO. Sachs thought that sector membership offers an obvious screen for sector-centric ISAOs, just as it does for the sector-specific ISACs. Other sharing groups receive nominations for membership and vet their candidates, and this is another option for ISAOs. Such circles of trust are important, and can work quite well.
Healey noted that companies like FireEye, Crowdstrike, and TruSTAR are well on their way to developing workable models for cyber information sharing. Schwartz advised watching for legislation and RFPs to clarify how such companies can function as ISAOs.
As the session concluded, Sachs said there's plenty of room for the public sector to see, infer, and share, and there's plenty of room for the private sector to see, infer, share, and sell. The public and private sectors can amplify one another's contributions. ISAOs will need to be holistic — considering people as well as networks.
Journalists and other observers continue to mull Kaspersky's coy but admiring account of its researches into Equation Group. Most infer US responsibility. (Wired, for example, cracks wise that it turns out the Americans have had a cyber Manhattan Project after all — and like the original, it's secret, mobilizes lots of scientists and engineers, and focuses on offense. The head of security company Immunity is refreshingly candid in voicing full-throated approval: Equation Group should be patting itself on the back. If they're NSA, they're giving the taxpayers value for their investment.)
Iran says it's deeply concerned by Equation Group news.
The Anthem breach, with an emerging consensus attribution to the Chinese government, "raises US hackles" over its HUMINT implications. Chinese media return Equation Group as a tu quoque.
Help Net Security has a useful table of Desert Falcons' target list. Speculation that the group is a kind of pan-Arab cyber mercenary unit continues.
The conflict between ISIS and its many foes involves information operations broadly conceived even more than cyber. Interesting reports on how ISIS perceives itself, and communicates its goals in both word and propaganda-of-the-deed, appear. (By some accounts Russia is attempting Cold-War style exploitation of Islamist discontent and ambition against its main (US) enemy.) US officials describe their approach to anti-ISIS messaging; the Attorney General calls for disruption of the aspiring caliphate's online recruiting.
As the cyber insurance market matures, analysts think businesses underestimate their risk, and that in general they should carry much more coverage than they do.
Notes.
Today's issue includes events affecting Afghanistan, Belgium, China, Iran, Iraq, Pakistan, Russia, Slovakia, Sweden, Syria, United Kingdom, and United States.
Washington, DC: the latest from the Atlantic Council and Passcode
White House: Clock ticking on cyber sharing (The Hill) The cybersecurity relationship between the government and private sector will be cemented for generations to come by the decisions made in the next few years, a top White House official said Wednesday
Cyber Attacks, Threats, and Vulnerabilities
Is the US Behind the Most Sophisticated Cyber Attacks to Date? (The Diplomat) A report by a Russian cybersecurity firm lays bare the activities of a highly sophisticated cyber attack group
'Equation Group' Spyware Highly Effective, Culprit Hard to Identify (Sputnik News) Experts claim that the recently-discovered spying software hidden in computers around the world which targets foreign governments and financial institutions is sophisticated enough to get virtually all types of information, without exactly knowing who the culprit is
Cyber Firm: The NSA Is Out-Hacking the Chinese and the Russians (Defense One) A new report exposes the agency's efforts to penetrate systems in multiple countries
Iran Spokeswoman Says It's Concerned by Cybersecurity Report (Associated Press via ABC News) Iran is concerned by a Russian cybersecurity firm's report suggesting a new family of malicious programs and worms is infecting computers there and elsewhere in the world, a Foreign Ministry spokeswoman said Wednesday
How hackers could attack hard drives to create a pervasive backdoor (Ars Technica) Reverse-engineering HD firmware isn't rocket science, but it does take skill and time
Arabic cyber espionage group attacking high profile victims (Help Net Security) Kaspersky Lab discovered Desert Falcons, a cyber-espionage group targeting high profile organizations and individuals from Middle Eastern countries
Chinese Stole Anthem Data For HUMINT; Should Raise US 'Hackles' (Breaking Defense) The Chinese just walked out of Anthem's enormous data warehouse (though without encrypting their data it might as well have been a troop of Girl Scouts) with personal data on a quarter of America's population
Report: More US cyber spying on China, others (China Daily) There has been plenty of talk lately by US officials on strengthening cyber security, but none of it touched on US cyber intrusion in other countries
FreeBSD and the YARNBUG — more trouble at the Random Number Mill (Naked Security) The latest vulnerability-with-a-snazzy-name is YARNBUG, and it affects the most recent version of FreeBSD
Ransomware disguised as Google Chrome, and four other security risks CIOs need to know (Financial Post) Insecure web browsers chief source of enterprise malware
Credit card info stolen in BigFish Games site compromise (Help Net Security) Seattle-based casual gaming company Big Fish Games has had its site and the personal and financial information of some of its users compromised in an attack that started last Christmas Eve
Beware of fake Facebook "Copyright Violations" warnings (Help Net Security) The latest Facebook-themed phishing messages doing rounds are trying to trick users into believing they are "making copyright violations" on their Facebook page
IRS Warns Tax Preparers to Watch out for New Phishing Scam; Don't Click on Strange Emails or Links Seeking Updated Information (IRS) The Internal Revenue Service today warned return preparers and other tax professionals to be on guard against bogus emails making the rounds seeking updated personal or professional information that in reality are phishing schemes
Columbia struggles to prevent cyber attacks on city's website (Columbia Missourian) The city's website, www.gocolumbiamo.com, has been essentially defenseless against a series of cyber attacks that have overloaded its servers and rendered it temporarily inoperable since December
RedTube porn website spreads malware, via iFrame invisible to the naked eye (Graham Cluley) RedTube, one of the world's most popular websites for those eager to watch pornographic sex videos, has been compromised and found attempting to infect visiting computers via an Adobe Flash vulnerability
Jamie Oliver website has been serving up malware since December (Graham Cluley) The website of celebrity chef Jamie Oliver, which is said to receive some 10 million visitors every month, has been found serving up the unpleasant dish of malware
What ISIS Really Wants (National Journal) The Islamic State believes it is a key agent of the coming apocalypse. Here's what that means for its strategy
Why does ISIS keep making enemies? (CNN) Whenever ISIS carries out a new atrocity, whether it's beheading a group of Egyptian Christians or enslaving Yazidi women in Iraq or burning its victims alive, the big question most people have is: Why on Earth is ISIS doing this? What could possibly be the point?
Putin directs Muslim anger toward Cold War foes (Stars and Stripes) Hundreds of thousands of Muslims vented their anger in unison, shouting "Allahu Akbar!" as their leader condemned supporters of the satirical French magazine Charlie Hebdo after militants murdered five of its cartoonists
Faulted for Avoiding 'Islamic' Labels to Describe Terrorism, White House Cites a Strategic Logic (New York Times) President Obama chooses his words with particular care when he addresses the volatile connections between religion and terrorism. He and his aides have avoided labeling acts of brutal violence by Al Qaeda, the so-called Islamic State and their allies as "Muslim" terrorism or describing their ideology as "Islamic" or "jihadist"
Security Patches, Mitigations, and Software Updates
Twitter's new tool should stop password sharing and help fend off hijackings (Naked Security) There are many ways to have your Twitter account hijacked: clicking on phishy links; using feeble passwords instead of unique, hefty brutes; or practicing poor password etiquette by, for example, using your pet's name or simply handing over your password to strangers
CVE-2015-1349: A Problem with Trust Anchor Management Can Cause named to Crash (ISC Knowledge Base) When configured to perform DNSSEC validation, named can crash when encountering a rare set of conditions in the managed trust anchors
Cyber Trends
Anthem attack a wake-up call for health care industry, nation (Valley Vindicator) As if patients entering doctor's offices don't have enough anguish, uncertainty and pain to worry about already, along comes a new and mammoth set of unsettling woes confronting them direct from the cyber sphere
Five Cyber Attacks that Made CISOs Rethink Security (IT Business Edge) Click through for five malware attacks that have turned the cyber security industry upside down, as identified by Menlo Security CTO Kowsik Guruswamy
Marketplace
Why Kaspersky's Bank Robbery Report Should Scare Us All (InformationWeek) So, you don't work for a financial institution? Don't think you're off the hook for the kind of theft discussed by Kaspersky. Banks are certainly not the only organizations moving around massive amounts of money every day
Cyber attack risk requires $1bn of insurance cover, companies warned (Financial Times) Companies will need as much as $1bn in cyber insurance coverage as the costs of hacking attacks mount, industry experts are warning, but some businesses are struggling to secure even a tenth of that
Black Friday for cyber insurance (Bankrate Insurance Blog) When I first started writing about cyber insurance back in 2000, the world had just breathed a collective sigh of relief that our computer infrastructure had not been rendered helpless by Y2K. While that may sound like science fiction to teens today, plenty of smart people actually believed that a turn-of-the-millennium apocalypse was imminent because the fear was that our machines weren't yet capable of replacing a "1" with a "2," as in making the transition from 1999 to 2000
MasterCard, Visa up ante in battle for data security (FierceRetailIT) MasterCard and Visa are adding more firepower in their fight to combat data security abuses
How the Government Outsourced Intelligence to Silicon Valley (Truthdig) For years, the outsourcing of defense and intelligence work was, with good reason, controversial in political circles. But in the last years of Bill Clinton's administration, the president authorized the CIA's creation of the first US government-sponsored venture capital firm, In-Q-Tel, designed to invest in cutting-edge Silicon Valley companies
NSA-linked Sqrrl eyes cyber security and lands $7M in funding (Gigaom) Sqrrl, the big data startup whose founders used to work for the NSA, plans to announce Thursday that it is shifting its focus to cyber security with a new release of its enterprise service. The startup is also taking in a $7 million Series B investment round, bringing its total funding to $14.2 million, said Ely Kahn, a Sqrrl co-founder and vice president of business development
Check Point Acquisition Sets Up Skirmish With Palo Alto Networks (CRN) Check Point Software Technologies is ramping up the battle against rival Palo Alto Networks, acquiring Israel-based security startup Hyperwise in a bid to detect advanced threats
Grenville Completes Follow-On Investment in Above Security (Marketwired) Grenville Strategic Royalty Corp. (TSX VENTURE:GRC) ("Grenville") is pleased to announce that it has advanced an additional CAD$500,000 to Sécurité Above Inc. ("Above Security") in order for the company to complete its proposed acquisition of Seccuris Inc. ("Seccuris"). In exchange for the amount advanced to Above Security, Grenville will receive a royalty based on Above Security's gross revenue within Grenville's average royalty rate of between 1% and 4%
Lockheed sees double-digit growth in cyber business (Reuters) Lockheed Martin Corp, the No. 1 provider of information technology to the U.S. government, said it expected double-digit growth in its overall cybersecurity business over the next three to five years, and even bigger gains in the commercial sector
Symantec quietly drops cloud security certification due to lack of adoption (TechTarget) After nearly three years, the Symantec Certified Professional-Cloud Security certification has been discontinued due to a lack of adoption, causing observers to question Symantec's cloud security strategy
Partnership will fight cyber-crime (Yorkshire Post) A partnership has been established which could make it easier for Yorkshire firms to fight off cyber criminals
ThreatTrack Security Named to 2015 Cybersecurity 500 (PRNewswire) ThreatTrack Security is one of the "hottest and most innovative cybersecurity companies to watch in 2015"
Products, Services, and Solutions
Lockheed Martin Partners With UK Supply Chain to Counter Cyber-Security Threats (Israel Defense) Lockheed Martin UK is creating a virtual network of businesses to allow small UK-based companies, specializing in cyber-security expertise, to obtain support and investment for the development of new technologies and markets
Windows 10 will offer password-free authentication (Help Net Security) The upcoming Windows 10 will offer more authentication options instead of just passwords, Dustin Ingalls, Group Program Manager for Windows Security & Identity, has shared in a blog post
Ultra security claimed for IoT applications (newelectronics) Atmel says its latest CryptoAuthentication product — the ATECC508A — is the first to integrate the Elliptic Curve Diffie-Hellman (ECDH) security protocol, an ultra secure method to provide key agreement for encryption/decryption. The part, which also features Elliptic Curve Digital Signature Algorithm (ECDSA) authentication, is targeted at IoT applications
GnuPG 2.0.27 released (Help Net Security) GnuPG is a complete and free implementation of the OpenPGP standard. It allows you to encrypt and sign your data and communications, and features a versatile key management system as well as access modules for all kinds of public key directories
Exabeam's User Behavior Intelligence Solution Provides an Identity-based Strategy for Detecting Modern Cyberattacks (Business Wire) After eight months of testing, dozens of design partners and beta customers see immediate benefits
Prevoty releases cryptography service to make encryption easier for developers at no cost (Virtual Strategy Magazine) Application security company launches encryption, decryption and hashing service to help developers protect sensitive data
ControlCase Announces "One Audit" to Simplify Compliance with Multiple Regulations (Sys-Con Media) "One Audit" is an enhanced Integrated Compliance and Risk Control Solution for organizations subject to multiple regulations, such as ISO, SOC, PCI, NIST 800-53, HIPAA and HITRUST
New Tufin Orchestration Suite Boosts Security Controls over Heterogeneous Networks with Application-Driven Orchestration (Business Wire) Tufin®, the market-leading provider of Security Policy Orchestration solutions, today announces a new version of its award-winning Tufin Orchestration Suite™
Etisalat Adopts Gemalto Mobile NFC Solution for Accessing Office Facilities (Globe Newswire) Etisalat, the UAE's leading telecoms company, is harnessing mobile NFC solution for corporate access control from Gemalto (Euronext NL0000400653 GTO), the world leader in digital security. The solution enables Etisalat's management to securely access its head office and facilities with a single tap of a mobile phone on a contactless reader
Digital Guardian Launches Digital Guardian 7.0 for Data Protection Against All Threats (BusinessWire) Digital Guardian, the only security solution to protect data from insider and outsider threats with a single endpoint agent, has launched Digital Guardian 7.0, which extends the functionality of the patented Digital Guardian Agent to protect against advanced threats
No Security Alert Left Behind: Swimlane Launches Automated Security Operations Management Platform (PRNewswire) Phoenix Data Security today announced the launch of Swimlane, a new security operations management platform and company focused on empowering enterprises and government agencies with data-driven automation and orchestration for incident response and improved security operations
Technologies, Techniques, and Standards
UTM vs. NGFW: Unique products or advertising semantics? (Tech Target) In comparing UTM vs. NGFW, organizations find it difficult to see if there are differences between the two products or if it is just marketing semantics
Integrated Threat Defence: Joining Forces to Defend Against Cyber Attacks (CSO) Today's security landscape is constantly changing. Attackers are becoming more sophisticated and nimble, leading to new threats and attacks evolving every day
When Spies Tweet (Pacific Standard) How are government agencies adapting to the social media age
Design and Innovation
Google Urges Friendly Hackers To Set Deadlines For Fixes, But How Feasible Is It? (iDigitalTimes) On Friday, Google's Project Zero Team issued a call to action for ethical hackers to hold vendors accountable for timely software fixes in the form of deadline ultimatums
Bits and Chips Beat Guns and Guards (Forbes) I recently expressed the view that Edward Snowden had provided a great service to business. Whatever your views on his actions, one of their key impacts has been to raise the profile of cryptography. I can't overemphasize the importance of this development, so I think it is worth digging down a little more into the discussion and the implications it has for how companies need to think about data security moving forward
Security should not be hard to implement (Solid State Technology) Data is ubiquitous today. It is generated, exchanged and consumed at unprecedented rates
Research and Development
Breakthrough in facial recognition: the 'Deep Dense Face Detector' (Naked Security) Just take a look at all these great actors
Kiska, rectors and ESET open new research centre (Slovak Spectator) President Andrej Kiska, along with rector of the local Slovak Technical University (STU) Robert Redhammer, rector of Comenius University (UK) Karol Micieta and ESET's CEO Richard Marko, opened a new research centre in Bratislava on February 17
Academia
Can tech conservatories save the day? (Washington Post) Once upon a time, if you emerged from college with zero marketable skills but dreams of a safe career path, you went to law school. For three years and $150,000
Legislation, Policy, and Regulation
Gaps in France's Surveillance Are Clear; Solutions Aren't (New York Times) Last June, Patrick Calvar, the head of France's domestic intelligence service, faced a decision: continue surveillance on a French Islamist who had been viewed as a potential threat for a decade, or shift limited resources to help monitor a swelling new generation of fighters returning from Syria
Holder urges more data sharing to thwart would-be Islamic State recruits (McClatchy) U.S. Attorney General Eric Holder called on some 70 nations Wednesday to immediately step up data sharing to help border agents thwart would-be foreign fighters from reaching Syria and Iraq to join the Islamic State
Surprise! America Already Has a Manhattan Project for Developing Cyber Attacks (Wired) "What we really need is a Manhattan Project for cybersecurity." It's a sentiment that swells up every few years in the wake of some huge computer intrusion
Can Silicon Valley and Fort Meade work out their differences? (Brookings) One year ago, President Obama spoke to the world about American surveillance policies
President Obama says he leans more towards strong encryption than law enforcement (Graham Cluley) Well, this is somewhat refreshing
President's cyber security summit: Share attack info but protect privacy, civil liberties (Network World) Cyber security cannot be done right without government and private business cooperating
Phyllis Schneck, DHS Cyber Chief, Elected to Wash100 for Public-Private Collaboration Leadership (GovConExec) Executive Mosaic is honored to introduce Phyllis Schneck, deputy undersecretary for cybersecurity and communications at the Department of Homeland Security, as the newest inductee into the Wash100 — a group of influential leaders in the government contracting arena
Cyber Attack Battle Plan (WVTF) The battle against cyber attacks is being joined in Virginia. Political leaders are looking for new weapons to fight the wave of breaches and hack attacks that seem to be ramping up
Litigation, Investigation, and Law Enforcement
Russian Hacker Charged With Data Breach, But What Has America Done? (Wall Street Cheat Sheet) On Tuesday, the Department of Justice's Office of Public Affairs announced a federal court charge brought this week against a Russian national. The man, 34-year-old Vladimir Drinkman, was first extradited from the Netherlands before facing charges related to the "largest international hacking and data breach scheme ever prosecuted in the United States"
Swedish man pleads guilty to peddling Blackshades malware (CSO) Blackshades was widely used in the cybercriminal underground for about three years
For a complete running list of events, please visit the Event Tracker.
Newly Noted Events
Philadelphia SecureWorld (Philadelphia, Pennsylvania, USA, Mar 18 - 19, 2015) Join your fellow security professionals for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry experts on many diverse topics such as: Risk Mitigation, Malware Detection, Digital Forensics, Cloud Security, Privacy, Big Data, PCI Compliance, Security Metrics, Encryption, Mobile Device Management, Incident Response, and much more. Keynote speakers will be Larry Ponemon (of the Ponemon Institute) and Christopher Pierson (General Counsel & Chief Security Officer, Viewpost)
Centers for Medicare and Medicaid Services (CMS) CISO Security & Privacy Forum (Woodlawn, Maryland, USA, Apr 7, 2015) The CISO Security & Privacy Forum is hosted by the Information Security Privacy Group (ISPG) at CMS. The Vision for ISPG is to provide leadership to CMS in managing information security and privacy risks appropriate for evolving cyber threats. The Mission is to enable the safe use of sensitive and privacy data while servicing the healthcare needs of the nation. The format for this event will include briefings from government and industry. Our featured speaker is from the Interagency OPSEC Support Staff and will present on "TRASHINT: Dumpster Diving", a very popular topic which teaches attendees how one person's trash can be another person's treasure
TakeDownCon Rocket City (Huntsville, Alabama, USA, Jul 20 - 21, 2015) TakeDownCon is a highly technical forum that focuses on the latest vulnerabilities, the most potent exploits, and the current security threats. The best and the brightest in the field come to share their knowledge, giving delegates the opportunity to learn about the industry's most important issues. With two days and two dynamic tracks, delegates will spend Day 1 on the Attack, learning how even the most protected systems can be breached. Day 2 is dedicated to Defense, and delegates will learn if their defense mechanisms are on par to thwart nefarious and persistent attacks
Hacker Halted (Atlanta, Georgia, USA, Sep 17 - 18, 2015) Hacker Halted is a global series of computer and information security conferences presented by EC-Council. The objective of the Hacker Halted conferences is to raise international awareness towards increased education and ethics in IT security
Upcoming Events
Cyber Framework and Critical Infrastructure: A Look Back at Year One (Washington, DC, USA, Feb 19, 2015) Last February, the Obama administration rolled out the nation's first cybersecurity standards to protect critical infrastructure. One year later, Dr. Phyllis Schneck, the Department of Homeland Security leader responsible for helping institutions implement the new standard, will reflect on how the nation has improved its protection of critical infrastructure over the last year. We'll discuss the effectiveness of the standard so far, whether security protections are strong enough, and if incentives are attractive enough to induce companies to take on the new standard
DEFCON | OWASP International Information Security Meet (Lucknow, India, Feb 22, 2015) Defcon | OWASP Lucknow International Information Security Meet is a combined meet of Defcon and OWASP Lucknow. Defcon Lucknow is a DEF CON registered convention for promoting, demonstrating & spreading awareness regarding the field of Information Security and OWASP Lucknow is a chapter of OWASP Community
10th Annual ICS Security Summit (Orlando, Florida, USA, Feb 22 - Mar 2, 2015) Attendees come to the Summit to learn and discuss the newest and most challenging cyber security risks to control systems and the most effective defenses. The Summit is designed so you leave with new tools and techniques you can put to work immediately when returning to your office. The summit will allow you to learn from industry experts on attacker techniques, testing approaches in ICS, and defense capability in ICS environments
Cybersecurity for a New America: Big Ideas and New Voices (Washington, DC, USA, Feb 23, 2015) In addition to featuring keynote remarks by Admiral Mike Rogers, Director of the National Security Agency, this event will convene experts and practitioners from the public and private sector, military, media, academia, non-governmental and intergovernmental organizations for a series of discussion panels and first person "pop-up" style speeches on the wide range of cybersecurity issues that are affecting and infecting everything from personal devices and corporate networks to national defense and international affairs. The focus of the event will be to push past the status quo and instead explore the next generation of challenges, as well as highlight bold, new ideas to face them. CNN is the event's media partner and will provide a live-stream of the event
Workforce Development Forum — CyberWorks Information Session (Baltimore, Maryland, USA, Feb 24, 2015) Are you a technology company that would like to actively participate in growing the right candidates for your open IT and cybersecurity positions? Are you a job seeker interested in pursuing a career in IT/cybersecurity who would benefit from business mentorship and hands-on practical work experience? If you said yes to either question please join us at the upcoming CyberWorks information session to learn how you can benefit from this innovative program. CyberWorks is an industry-led, workforce development program designed to help Maryland companies fill their cybersecurity needs with qualified candidates, while simultaneously helping individuals start careers and improve Maryland's economy
Cybersecurity: You Don't Know What You Don't Know (Birmingham, Alabama, USA, Feb 24 - 25, 2015) What: Connected World Conference in partnership with University of Alabama at Birmingham's Center for Information Assurance and Joint Forensics Research (The Center) have teamed up to bring professionals together to discuss security and connected devices. Purpose: Convene the leading industry, government, and academia leaders. Chief Objective: Professionals from the most innovative and influential organizations in the world will meet to unravel the relationship between the connected society and cybersecurity
The Future of Cybersecurity Innovation (Washington, DC, USA, Feb 26, 2015) The US intelligence community has ranked cyberattacks as the No. 1 threat to national security — more than terrorist groups or weapons of mass destruction. But the military's cyberwarriors fight these battles hunkered over computers, working with strings of code — a laborious process that requires advanced engineering skills. That's why the Pentagon's advanced research arm, the Defense Advanced Research Projects Agency (DARPA), is building a system to give the military instantaneous knowledge of network attacks by displaying them in real-time with rich graphics and 3-D visualizations
NEDForum: Cyber Network Exploitation and Defence: "Darknet & the Primordial Soup of Cyber Crime" (Edinburgh, Scotland, UK, Feb 27, 2015) Speakers will cover such topics as: "Fear and loathing on Darknet," (Greg Jones, Managing Consultant, Digital Assurance), "Securing the internet of everything" (Rik Ferguson, Global Vice President Security Research, Trend Micro), and "Is your organisation setup for success in security?" (Patrick Brady, Independent Consultant)
2015 Cyber Risk Insights Conference — San Francisco (San Francisco, California, USA, Mar 3, 2015) Following on the success of the 2014 half-day cyber risk event, Advisen will present a full day of learning and networking for risk managers, CISOs, CROs, insurance brokers, insurance underwriters, reinsurers and other risk professionals. An expert faculty comprised of leading security, regulatory, risk management, and cyber insurance authorities will provide their insights into the critical privacy, network security and insurance coverage issues now facing organizations and their insurers, with an emphasis on the business, technology and regulatory factors that make California and the West Coast unique
Cybergamut Technical Tuesday: Tor and the Deep Dark Web (Columbia, Maryland, USA, Mar 3, 2015) This talk will explore the use of Tor and how it relates to garnering useful intelligence. Distinguishing attribution or valuable intelligence from limited event data is difficult. Leveraging external threat data can be helpful in evaluating intelligence, but how do you identify relevance? Created as a means of protecting the privacy and anonymity of its users, Tor — the managed network of private computers leveraged by criminal elements to minimize the risk of surveillance and capture — is being exploited by the most technically proficient, aggressive, and organized of criminal syndicates. Presented by Scott FitzPatrick of Norse
Boston SecureWorld (Boston, Massachusetts, USA, Mar 4 - 5, 2015) Join your fellow security professionals for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry experts on many diverse topics such as: Risk Mitigation, Malware Detection, Digital Forensics, Cloud Security, Privacy, Big Data, PCI Compliance, Security Metrics, Encryption, Mobile Device Management, Incident Response, and much more. Among the speakers are several leading figures in cyber law enforcement
Mercury Proposers' Day Conference (Washington, DC, USA, Mar 5, 2015) The Intelligence Advanced Research Projects Activity (IARPA) will host a Proposers' Day Conference for the Mercury Program on March 5, in anticipation of the release of a new solicitation in support of the program
Financial Services Cyber Security Summit: Middle East and North Africa (Dubai, UAE, Mar 9 - 10, 2015) Building on the success and feedback of our Cyber Security Summit in Europe — 180 attendees, 3 streams, CPE certified — we are pleased to invite you to the Financial Services Cyber Security Summit MENA — a highly interactive experience sharing platform for top experts from banks, insurance companies, monetary organizations and government institutions, accountancy companies, consumer finance, investment funds, stock brokerages and more
The Vulnerability Economy: Zero-Days, Commerce and National Security (Rockville, Maryland, USA, Mar 10, 2015) Dr. Ryan Ellis (Belfer Center, Harvard University) will explore a series of topics around cybersecurity including the challenges and opportunities associated with the growing trade in previously unknown and undisclosed software vulnerabilities ("zero days"). Drawing from a real-world case study, Dr. Ellis investigates the tension between the development of offensive cyber capabilities and cybersecurity. The discussion considers different approaches to disclosing newly discovered vulnerabilities and highlights the key roles that government and industry can play in promoting enhanced cybersecurity
OISC: Ohio Information Security Conference (Dayton, Ohio, USA, Mar 11, 2015) Technology First invites you to participate in the 12th Annual Ohio Information Security Conference Wednesday, March 11, at the Sinclair Community College Ponitz Center in Dayton, Ohio. The conference will focus on three areas/tracks: management, technical and implementation. CEUs (7) are available for this event
RiSK Conference 2015 (Lasko, Slovenia, Mar 11 - 12, 2015) In recent years RISK conference has become one of the leading events on computer security in the Adriatic region and is attended by engineering as well as executive staff of companies from the region. Much has changed in the field of security and data protection in recent times. There are popular new technologies in the form of SaaS (Security as a Service) and services in a cloud (cloud computing), green computing, etc
B-Sides Vancouver (Vancouver, British Columbia, Canada, Mar 16 - 17, 2015) The third annual Security B-Sides Vancouver is an information security conference that will be held March 16th and 17th. We love to see brand new speakers, seasoned speakers, and everyone in between
Insider Threat 2015 Summit (Monterey, California, USA, Mar 16 - 17, 2015) The Insider Threat 2015 Summit is about bringing Government and Industry organizations and their cybersecurity leaders together in order to better understand the types of threats that may impact their infrastructure and overall operations. Our two-day summit will provide insights on the most unique and thought-provoking active defenses currently available for physical and personnel security, as well as cyber threats. By supplying intelligent focus through tailored solutions, our presenters and sponsors will be contributing to a forum to discuss ways to mitigate the risk of insider threats. This event allows for a truly unique opportunity to hear experts in the field talk about their current and future solutions, giving way to an optimal setting for networking
2015 North Dakota Cyber Security Conference (Fargo, North Dakota, USA, Mar 17, 2015) The North Dakota Cyber Security Conference brings together community members from academia, government and industry to share strategies, best practices and innovative solutions to address today's challenges in cyber security. The vast scope of modern cyber threats calls for active participation from individuals and organizations across the state
IT Security Entrepreneurs Forum: Bridging the Gap Between Silicon Valley & the Beltway (Mountain View, California, USA, Mar 17 - 18, 2015) IT Security Entrepreneurs Forum (ITSEF) — SINET's flagship event — is designed to bridge the gap between the Federal Government and private industry. ITSEF provides a venue where entrepreneurs can meet and interact directly with leaders of government, business and the investment community in an open, collaborative environment focused on addressing the Cybersecurity challenge
BSides Salt Lake City (Salt Lake City, Utah, USA, Mar 20 - 21, 2015) BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation
CarolinaCon-11 (Raleigh, North Carolina, USA, Mar 20 - 22, 2015) CarolinaCon-11 (also hereby referred to as "The Last CarolinaCon As We Know It") will occur on March 20th-22nd 2015 in Raleigh NC (USA). We are now officially accepting speaker/paper/demo submissions for the event. If you are somewhat knowledgeable in any interesting field of hacking, technology, robotics, science, global thermonuclear war, etc. (but mostly hacking), and are interested in presenting at CarolinaCon-11, we cordially invite you to submit your proposal
CyberTech Israel 2015 (Tel Aviv, Israel, Mar 24 - 25, 2015) In the face of these enemies and threats, individuals, organizations and states are required to produce innovative, unique solutions that would improve the resistance and resilience of the sensitive systems they rely on every day. For this purpose, it is essential to maintain a direct, on-going contact with the latest developments and changes in the cyber defense market. To this end, we are pleased to invite you to Cybertech 2015, the International Conference & Exhibition for Cyber Solutions, taking place on March 24th-25th, 2015 in Tel Aviv, Israel. Cybertech Conference and Exhibition, an initiative of Israel Defense, is the largest exhibition and conference of cyber technologies outside of the US
2nd Annual ISSA COS Cyber Focus Day (Colorado Springs, Colorado, USA, Mar 25, 2015) Join us for the Information Systems Security Association (ISSA) — Colorado Springs Chapter — Cyber Focus Day, set to take place on Wednesday, March 25, 2015 at the University of Colorado Colorado Springs (UCCS). The theme for CFD 2015 will be "Cybercrime". Industry experts will be on hand to brief attendees on the latest trends, and best practices, in cybersecurity. This one-day forum will offer IT, business, law enforcement, government, military, academic, training, and other professionals a unique, local opportunity to get up-to-date information on rapidly evolving cybersecurity challenges
CYBERWEST: the Southwest Cybersecurity Summit (Phoenix, Arizona, USA, Mar 25 - 26, 2015) The purpose of CYBERWEST is to bring together Government and businesses to: Exchange information and learn in areas of policy and strategy; technology and R&D; workforce training and education; and economic, legal, regulatory and insurance impacts. Discuss cybersecurity issues and to focus on applied cybersecurity (i.e. implementing the NIST framework, R&D, legal and regulatory perspectives, state and local approaches). Present content that attendees can take back and use in their organizations
Women in Cyber Security (Atlanta, Georgia, USA, Mar 27 - 28, 2015) Despite the growing demand and tremendous opportunities in the job market, cybersecurity remains an area where there is significant shortage of skilled professionals regionally, nationally and internationally. Even worse, women's representation in this male-dominated field of security is alarmingly low. Through the WiCyS community and activities we expect to raise awareness about the importance and nature of cybersecurity career. We hope to generate interest among students to consider cybersecurity as a viable and promising career option
Automotive Cyber Security Summit (Detroit, Michigan, USA, Mar 30 - Apr 1, 2015) The debut Automotive Cyber Security Summit will bring together CTOs, CSOs, Engineers and IT professionals from GM, KIA, Nissan, Bosch, Qualcomm and more for three days of case studies, workshops, panel discussions and networking sessions
Insider Threat Symposium & Expo (Laurel, Maryland, USA, Mar 31, 2015) The National Insider Threat Special Interest Group (NITSIG) announced that it will hold a FREE 1-day Insider Threat Symposium & Expo (ITS&E) on March 31, 2015 in Laurel, Maryland. The symposium is exclusively focused on insider threat awareness, insider threat program development and implementation, and insider threat risk mitigation. The ITS&E will provide attendees with access to a broad network of security professionals to collaborate with on insider threat risks, insider threat detection, insider threat risk mitigation strategies, and insider threat program development, implementation and management. The expo will include vendors that have proven technologies and services for insider threat risk mitigation