A Note From Our Vice President

Page 1: A Note From Our Vice President

By Cindy Thornburg

VOLUME 4, NUMBER 9, SEPTEMBER 2015

WWW.ISSA-COS.ORG

Colleagues,

This year has been a busy one for the chapter and for Cyber Security. So far this year, the chapter has had two successful conferences with Federal Business Council (FBC) and members have not had to pay for a meeting. We returned to Bambinos for a few meetings prior to their move downtown and had our first networking social at Sky Sox Stadium. Volunteers have been outstanding as always and we could not have a successful chapter without them. Dave Reed, Glen York and Shawn Murray are going to the international conference in Chicago. Attacks are still occurring and the risk management framework is being used by the Department of Defense.

The year is coming to an end quickly but there is still a lot going on. Our September meeting is on the 17th and it will be a dinner at TREA. This year instead of a conference at UCCS and two FBC tech events, Fort Carson and Peterson Air Force Base, we are having our conference during the Peterson Air Force Base. UCCS is celebrating their 50th anniversary and had events scheduled for Oct. Peterson Air Force Base is the 27th and Fort Carson’s FBC tech event is the 28th. More to come as the event and speakers are confirmed. In November we will have a lunch meeting and finally our award luncheon on December 4 at Antlers. Also in December will be the elections.

Events:

Sept 17 – Evening meeting at TREA

Oct 15 – Secure World – Oct 14 for Secure World Plus and Oct 15 for the conference. Held at The

(Continued on page 9)

The ISSA Colorado Springs Newsletter incorporates open source news articles as a training method to educate readers on security matters in compliance with USC Title 17, Section 107, Paragraph a.

The views expressed in articles obtained from public sources within this newsletter do not necessarily reflect those of ISSA, this Chapter or its leadership.

INSIDE THIS ISSUE:

Just how easy is it to digitally fake a death? (page 2)

The 2015 Security+ Exam (page 4)

Reviewing the U.S. Office of Personnel Management Data Breach (page 5)

Another Day, Another Hack: What Security News Should You Care About? (page 6)

Researchers Hack Air-Gapped Computer with Simple Cell Phone (page 7)

Father of the Internet Vint Cerf’s Forecast for ‘Internet of Things’ (page 8)

Pentagon Unveils New Rules Requiring Contractors to Disclose Data (page 10)

Highway to hack: Why we’re just at the beginning of the auto-hacking era (page 11)

Letters of Volatility? (page 12)

NIST Computer Security Division Announces a new Special Publication (SP) Series - SP 1800-series (page 12)

Smart Watches Fail the Data Security Test (page 13)

CyberGirlz (page 14)

Important DoD and Navy Issuances (page 15)

U.S. developing sanctions against China over cyber thefts (page 16)

Author Bruce Sterling Testified to Congress in 1993 as a Time Traveler From 2015 (page 20)

Page 2: A Note From Our Vice President


Just how easy is it to digitally fake a death?

By Andrea Peterson, Washington Post, August 8, 2015

Killing someone is easier than you might think, or at least getting them legally declared dead might be.

With just a few easy steps, most of them online, a bad guy could "kill off" someone for fun — or profit, according to one researcher.

"The process is quite lax in terms of security in the U.S." says Chris Rock — an Australian hacker, not the comedian — who has been studying security flaws in what he calls "the death industry" for the past year.

Rock said his curiosity was piqued when an Australian hospital accidentally sent out 200 death notices instead of 200 discharge notices last year. "Since then, I've found out that nearly all Western countries have moved to online systems," he said.

In the U.S., most states use electronic death registration (EDR) systems to help certify that someone has died. For someone to be declared dead, a medical professional needs to fill out a form affirming the cause of death and a funeral director must fill out another explaining what happened to their remains.

"Universal implementation of EDR has the potential to virtually eliminate death-reporting errors and would ensure that our death records — whether pertaining to current beneficiaries or other persons — include the most accurate and most current information," Social Security Administration spokesman William Jarrett told The Washington Post. The agency has been advocating for a switch to such systems since 2002, he said.

Electronic systems are much faster than the traditional manual certification processes and are "highly accurate" because state officials verify the names and Social Security numbers of a deceased person against the government records before a death certificate is issued, according to Jarrett.

But Rock worries people may be able to fake their way into the EDR systems by hijacking the identities of people normally involved in submitting the death-certificate applications. In some cases, there appears to be nothing stopping someone from finding a doctor's name, medical practice and license number online. Rock's concern is that someone could take the legitimate information about medical professionals and combine it with contact information like a burner phone and an anonymous e-mail address to submit fraudulent applications for access to the systems.

“You could use them to hide your identity, to get a new Social Security number, for money laundering — or kill it off for life insurance”

There appear to be similarly weak checks on the sign-up process for funeral directors, he said.

But states run their EDR systems themselves, so there is a lot of variation from state to state and it is difficult to test their security without potentially breaking the law, Rock acknowledged, so it's hard to say just how real the threat from that kind of fraud might be.

Idaho verifies license numbers and will ask for a copy of the license if something about the application raises additional concerns, said Idaho Department of Health & Welfare public information officer Niki Forbing-Orr. The agency's staff also looks into the contact information and may take additional measures if there are questions about an application, she said.

But Idaho has an advantage: The state's small population means the agency's staff basically knows everyone who is involved in the process, she said.

But the process may be less personal in larger states. Washington's system verifies an applicant's name and license status, but not their contact information, according to Jean Remsbecker, a vital records manager with the state's Department of Health. "I'm not sure we have access to that information," she said.

But if Rock is right, the risks for victims of a digitally faked death may be severe. With a death certificate in hand, a person could potentially collect life insurance on someone who is still alive or get control over a person's financial accounts if they take the extra step of faking them a will, according to Rock. It may also create problems for the still living when it comes to collect things like Social Security benefits, he said.

Read the rest here:

https://www.washingtonpost.com/news/the-switch/wp/2015/08/08/just-how-easy-is-it-to-digitally-fake-a-death/

Page 3: A Note From Our Vice President


Membership Update

We are currently maintaining our membership level in the mid-380s. Please keep those renewals as well as new member referrals coming! We’re working closely with ISSA International about the pilot test of the “Freemium” student sponsorship program. We’re at the “how do we actually implement” phase of the discussion. We’re working with the database/website developer for ISSA International to figure out the actual mechanics of making this work. They are still trying to have the beta test active so we’ll be able to report progress at the October ISSA International meeting in Chicago. I will be presenting our Freemium program status to the Chapter Leaders’ summit as part of the ISSA International Conference. As one of the “guinea pig” chapters (Baltimore is the other one) we will begin putting together our chapter implementation plan to get it off the ground as soon as possible. I have sent out a couple of emails to students so far that I’m aware of. I intend to reach out to as many student members as possible over the next few weeks. However, I will ask that all current student members who are coming up for renewal drop me an email (address below) that includes your name, membership number, expiration date and student status (currently enrolled and graduation date) so I can get this resolved for folks as quickly as possible. We’ve got lots of upcoming activities and we want to ensure everyone stays informed of everything. That information will also let me prioritize some test cases as we get the ISSA International program off the ground. More information will be published about this great opportunity for our chapter as it becomes available.

Melissa Absher has been working on getting the mentorship program rolling again with the start of the new school year. This coincides with several initiatives that ISSA International is trying to work to get their Cybersecurity Career Lifecycle program off the ground. More to follow on that in the near future.

Last, and of course not least, I’d like to welcome those new members on behalf of the Chapter! When you’re participating in Chapter activities, please take a moment to introduce yourself to members of the board, me, and other members. Don’t forget to identify yourself as a new member and feel free to ask for help or information.

Thanks for joining the Chapter and don’t forget to look for opportunities to lend your expertise to improve the Chapter. We’re always open to new ideas and suggestions.

David Reed, Membership Committee Chairman

[email protected]

New Members

August

Michael Lockette

Bob Turner

Stephen Stewart

Brian Scamman

Thomas P. Karmondy

Donna Kimberling

Update Your Profile!

Don’t forget to periodically log on to www.issa.org and update your personal information.

Page 4: A Note From Our Vice President

The 2015 Security+ Exam

By Suzanne Chance, ISSA-COS, August 25, 2015

As most of you know, I don't have an IT background but rather have been a technical writer and editor for most of my career. So when I began studying for CompTIA's new Security+ exam, I had to backfill with the basics that are on the A+ and Network+ exams. I thought I would merely be studying security aspects, but the exam covers a much broader scope.

To top it off, CompTIA now emphasizes practical scenarios. After a great deal of study from books, practice tests, our excellent Security+ review classes (yes, I had to take more than one), the YouTube "Professor Messer" bite-sized videos on both the Network+ and Security+ topics, and the Boson ExSim software, I eventually felt ready for the exam. Let me add that the Boson software was critical because of its difficult scenario-based test questions that required multiple answers to get the question correct. I've heard other students ask about harder exam questions, and Boson is an essential resource.

So when I walked into the exam, I was feeling fairly confident. I was getting more than 90% correct on the practice exams. But when I sat down at the computer and began, my heart sank.

Perhaps by sheer luck, the first dozen questions were grouped together and were the lengthy answer scenario questions. They were much harder than the Boson questions, and Boson had the most challenging tests I'd found. As time ticked by, I realized that I was going to have to skip some of those questions in order to finish the bulk of the exam. I flagged the questions I skipped, but I ended up flagging many more "easier" questions afterward.

Even the "simple" questions were scenario-based. As I plowed quickly through the remainder of the exam, my heart sank. I was certain that I was not only going to fail, but fail badly. I finished with only ten minutes to review the first questions I had skipped. As I answered the last lengthy questions, time ran out and I could not review any of the others I had marked.


I didn't even pay attention to the screen at the end of the test. I walked sullenly to the printer to pick up the hardcopy of the results. To my shock, I had passed. I still find it hard to believe.

Many of you may be considering whether to renew your Sec+ certification, or may have employees who need it. The new exam has been compared to a mini-CISSP, and I think that's fair. I doubt that future versions will get easier. In one of our chapter Security+ review classes, I overheard a more experienced person who probably was there for the CEUs tell a less experienced person that if you wait until you are confident, you will never take the test. I have the opposite view. From my point of view, especially for newbies, you will find it difficult to pass the new SY0-401 test unless you are confident going in.

I heartily recommend our review class, but I also need to emphasize that it is strictly a review to take right before the test. There is so much information covered on the exam that there is no way for a one-day (or even two-day) class to teach a student all the material. But it is also an excellent opportunity for students to ask probing questions of our highly knowledgeable experts who teach it. The small $25 fee is well worth the investment, especially when the exam is $300 per shot. To top that off, if you fail the exam, you can retake the class for free. Pretty sweet deal, if you ask me.

We are very fortunate that our chapter offers such great classes for Security+, CISSP, and even the CISSP-ISSAP monthly group review. I send a hearty thank you to Colleen and her excellent teachers. What a resource!


Page 5: A Note From Our Vice President

Reviewing the U.S. Office of Personnel Management Data Breach

By Yo Delmar, Quality Digest, August 20, 2015

In June 2015, it was initially reported that the U.S. Office of Personnel Management (OPM) experienced a massive data breach, potentially affecting as many as 4 million current and former federal employees. Updated reports indicate that the actual number of people compromised is more than five times as many as initially suspected, affecting 21.5 million federal employees and civilians.

The finger of suspicion was originally pointed at Chinese state-sponsored hackers, but recently the White House decided not to publicly accuse China due to the risk of revealing U.S. intelligence information in the process. However, the Obama Administration has now changed course and decided to retaliate against the perpetrators in some fashion to deter future attacks.

What made this cyber attack so unique was the breadth of information accessed. The hackers retrieved not just personally identifiable information (PII) such as Social Security numbers, birth dates, and bank information, but they also became privy to highly confidential employee background checks, containing information on family friends and employment history. Even more, highly personal details like run-ins with the law, lie detector test results, mental illness treatments, and bankruptcy filings were revealed. The breach was so vast that hackers even accessed data going back 30 years.

What may be most unsettling of all is that a 2014 audit discovered security flaws within the OPM’s computer system, yet these issues were not reported until several months after being detected. In fact, the report cited “material weakness” in 2013, and its status was escalated to “significant deficiency” in 2014. This lack of action to rectify the report’s findings begs the question: What can be done at the federal level to prevent such devastating reoccurrences? In response, there are five essential steps that need to be taken to close the federal security gaps in today’s complex, digital environment, as follows:

Comprehend and implement NIST’s Cyber Security Framework.

Create an incident response program.

Maintain transparency with those affected and decrease response time.

Recognize the auditor’s role in cyber security.

Assess security investments.

Let’s look at these steps one by one.

Comprehend and implement NIST’s Cyber Security Framework

NIST’s Cyber Security Framework (CSF) is an important standard that forms a baseline for government agencies and private organizations in securing assets and sensitive information within critical infrastructure. The CSF leverages existing standards that are constantly being revised and improved to address emerging cyber threats. It’s designed for both government agencies as well as private organizations within critical infrastructure. Version 1.0 of the CSF was released in February 2014 in response to President Obama’s 2013 Executive Order, “Improving Critical Infrastructure Cybersecurity.”

NIST recommends that organizations of all sizes apply the framework to reduce the chances and severity of a data breach. Although the CSF is becoming increasingly accepted, especially within the financial services and utilities industries, it has certainly not been universally adopted. As implementation across diverse public and private organizations increases, cyber security programs will begin to be more standardized, and security professionals will use the same concepts and be able to speak the same language. For federal agencies like the OPM, which hold the key to private citizen information, CSF deployment can’t be elective. No other option provides this level of protection for millions of civilians’ sensitive personal information.

Create an incident response program

Based on the OPM’s security inadequacies described in the 2014 audit report, it’s clear that the department was missing the mark on some of the most basic levels of data security and protection.

As part of the planning process, it’s essential that organizations develop a robust security incident-response program in the event that a cyber attack occurs. Essential elements of that program include the need to:

Assess and ensure that the threat landscape is understood

Develop a true risk profile that is in tune with emerging risks that may affect the organization’s integrity and reputation

Ensure that incident response plans are completely supported from the top down within the organization so that they are effectively adopted in a timely manner

There must be consequences if the program is not properly implemented; federal agencies must be held to the same standards as private organizations. In the case of the OPM, the federal government is not leading by example. This must change to diminish and ultimately prevent reoccurring attacks.

Read the rest here:

http://www.qualitydigest.com/inside/quality-insider-article/082015-reviewing-us-office-personnel-management-data-breach.html#

Page 6: A Note From Our Vice President

Another Day, Another Hack: What Security News Should You Care About?

By Alan Henry, Lifehacker, August 8, 2015

Every day it seems like there’s a new breach, a password to reset, or vulnerability. The trouble with a lot of security news though is that a lot of it is important, but then there are garbage stories like this, big on scare and lacking in information, that make you just want to tune out. Let’s break down what’s worth paying attention to, and what you can ignore when you see it.

Much of this boils down to where you get your security news in general, and how much of it you’d like to read. If you’re an enthusiast or security professional, you probably have blogs and names you follow and trust. If you’re a layperson however, even a scary headline about a “vulnerability” disclosed by “security researchers” can seem like a reason to turn off your PC or call your internet provider to ask how you can protect yourself.

Don’t worry—a lot of security news, especially on general news sites, is generally recycled information from older publications, shallow reports without much detail, and in general not very informative. That’s not to say you shouldn’t sit up and pay attention sometimes, though, if the issue is serious enough. Here’s what you should look out for.

There are some types of news that everyone should sit up and take notice of. Usually this is because the news is actionable, as in you can do something to protect yourself and your data. Here are a couple of things you should always look into when you see people talking about them, or read a headline about them:

Hacks and security breaches that require action, like password changes or stolen credit card information. Regardless of your level of tech-savvy, these are the headlines that should make you read deeper. If you see that a service you use or retailer you shop with has been hacked, you should learn as much as you can about it. If it’s a service you haven’t used in ages, change the password or close the account. Don’t rely on the retailer or web site to email you or contact you with more information—they may say they will, but never follow up on it, and at the end of the day, it’s still your responsibility to protect yourself. Make sure you change those passwords and monitor your credit reports and statements.

Reports of identity theft at places you shop. This one’s a little more sinister. Whether you find out that the staff at a restaurant you used to frequent have been charged with stealing credit card numbers, or one of the country’s biggest retailers was hacked and stolen cards are turning up in the wild, pay attention. It may seem like common sense, but that’s a good time to go get a free copy of your credit report and make sure everything is on the up and up, go through your bank and card statements, and maybe even set up your own free credit monitoring system. Hacks may be ubiquitous, but when it hits home, you should pay just as much (possibly more) attention.

Broad trends and security news from trusted, consumer-focused experts. Even laypeople should take a little time to explore how security tools work, which ones are generally recommended (and are well regarded) and which are more likely to cause more problems than they solve. Everyone should also learn, in general, how to protect their security and privacy online. This one’s tougher to pin down because who to trust is an issue, but the bottom line is that any security researcher or professional whose background you can study and whose job it is to pay attention to the industry and distill it for consumers in an understandable way is a good source. Then, once you’ve found one source like that, find a few more, and read multiple opinions. You’ll do best here by sticking to technology-focused sites, as opposed to sites with huge names that seem to cover everything, like local news and weather. Consumer tech sites like PCMag, Cnet, and others with dedicated security editors are a good start.

If you’re an enthusiast, budding researcher, or you’re interested in security news and want to learn more than what you’ll hear on the occasional podcast or read on multipurpose consumer technology sites, then you’ll want to dig deeper. If that sounds like you, here are some things you should pay attention to:

All of the above. Make no mistake, you shouldn’t slack on the basics just because you want to learn more, or you think you’re more than a layperson. You should, just as you would expect anyone else, change those passwords once a site you visit has been hacked, check your credit and finances to make sure someone’s not stealing your identity, and practice good internet hygiene.

Specific industry trends and widely-encompassing issues like Heartbleed and Shellshock. Whether you’re an enthusiast or you’re just interested in learning more than what you’ll hear at a lot of news sites, following specific news about big security issues that aren’t actionable at a consumer level will reveal a lot. Vulnerabilities like Heartbleed, Shellshock, and the more recent StageFright aren’t exactly anything the average consumer can do anything about, so for many there’s no need to scare them about something they can’t protect themselves from (or there’s little evidence is being exploited in the wild.)

Read the rest here:

http://lifehacker.com/another-day-another-hack-what-security-news-should-yo-1723127575#_ga=1.49597926.1982542147.1399490291

Page 7: A Note From Our Vice President

P A G E 7 V O L U M E 4 N U M B E R 9

risk to the company.

“[U]nlike some other recent work in this field, [this attack] exploits components that are virtually guaranteed to be present on any desktop/server computer and cellular phone,” they note in their paper.

Though the attack permits only a small amount of data to be extracted to a nearby phone, it’s enough to allow to exfiltrate passwords or even encryption keys in a minute or two, depending on the length of the password. But an attacker wouldn’t actually need proximity or a phone to

siphon data. The researchers found they could also extract much more data from greater distances using a dedicated receiver positioned up to 30 meters away. This means someone with the right hardware could wirelessly exfiltrate data through walls from a parking lot or another building.

Although someone could mitigate the first attack by simply preventing all mobile phones from being brought into a sensitive work environment, to combat an attack using a dedicated receiver 30 meters away would require installing insulated walls or partitions.

The research was conducted by lead researcher Mordechai Guri, along with Assaf

Kachlon, Ofer Hasson, Gabi Kedma, Yisroel Mirsky, and Elovici. Guri will present their findings next month at the Usenix Security Symposium in Washington, DC. A paper describing their work has been published on the Usenix site, though it’s currently only available to subscribers. A video demonstrating the attack has also been published online.

Data leaks via electromagnetic emissions are not a new phenomenon. So-called TEMPEST attacks were discussed in an NSA article in 1972. And about 15 years ago, two researchers published papers demonstrating how EMR emissions from a desktop computer could be manipulated through specific commands and software installed on the machine.

The Israeli researchers built on this previous knowledge to develop malware they call GSMem, which exploits this condition by forcing the computer’s memory bus to act as an antenna and transmit data wirelessly to a phone over cellular frequencies. The malware has a tiny footprint and consumes just 4 kilobytes of memory when operating, making it difficult to detect. It also consists of just a series of simple CPU instructions that don’t need to interact with the API, which helps it to hide from security scanners designed to monitor for malicious API activity.

Read the rest here:

http://www.wired.com/2015/07/researchers-hack-air-gapped-computer-simple-cell-phone/

By Kim Zetter, Wired, July 27, 2015

The most sensitive work environments, like nuclear power plants, demand the strictest security. Usually this is achieved by air-gapping computers from the Internet and preventing workers from inserting USB sticks into computers. When the work is classified or involves sensitive trade secrets, companies often also institute strict rules against bringing smartphones into the workspace, as these could easily be turned into unwitting listening devices.

But researchers in Israel have devised a new method for stealing data that bypasses all of these protections—using the GSM network, electromagnetic waves and a basic low-end mobile phone. The researchers are calling the finding a “breakthrough” in extracting data from air-gapped systems and say it serves as a warning to defense companies and others that they need to immediately “change their security guidelines and prohibit employees and visitors from bringing devices capable of intercepting RF signals,” says Yuval Elovici, director of the Cyber Security Research Center at Ben-Gurion University of the Negev, where the research was done.

The attack requires both the targeted computer and the mobile phone to have malware installed on them, but once this is done the attack exploits the natural capabilities of each device to exfiltrate data. Computers, for example, naturally emit electromagnetic radiation during their normal operation, and cell phones by their nature are “agile receivers” of such signals. These two factors combined create an “invitation for attackers seeking to exfiltrate data over a covert channel,” the researchers write in a paper about their findings.

The research builds on a previous attack the academics devised last year using a smartphone to wirelessly extract data from air-gapped computers. But that attack involved radio signals generated by a computer’s video card that get picked up by the FM radio receiver in a smartphone.

The new attack uses a different method for transmitting the data and infiltrates environments where even smartphones are restricted. It works with simple feature phones that often are allowed into sensitive environments where smartphones are not, because they have only voice and text-messaging capabilities and presumably can’t be turned into listening devices by spies. Intel’s manufacturing employees, for example, can only use “basic corporate-owned cell phones with voice and text messaging features” that have no camera, video, or Wi-Fi capability, according to a company white paper citing best practices for its factories. But the new research shows that even these basic Intel phones could present a

Researchers Hack Air-Gapped Computer with Simple Cell Phone

Page 8

ISSA-COS News

By Lisa Singh, WashingtonExec, August 17, 2015

After revelations that a compromised contractor login abetted a grandiose breach of federal employees' background investigations, now comes word that Defense Department suppliers score below hacked retailers when it comes to cyber defense.

Look around you. The “Internet of Things” is everywhere, and that’s no exaggeration. Gone are the days when traditional laptops, desktops, tablets, mainframes and cloud systems were enough; we’re now more connected than ever courtesy of devices hooked to larger networks. Simple functions like taking a digital picture come with a whole host of communication capabilities; while sensor systems, such as Google’s Nest, allow us to program thermostats from a mobile device.

Where will the Internet of Things head next? Who better to ask than one of the “Fathers of the Internet,” Dr. Vint Cerf?

“We are seeing networking become a much more pervasive kind of infrastructure, touching many more things than in the past,” says the telecommunications pioneer who co-designed TCP/IP protocols and the Internet’s basic architecture decades ago. “Of course,” adds Cerf, “that [expansion] opens up all kinds of opportunities, both for powerful applications and also a certain degree of risk – which is why security, privacy and strong authentication will be more visible themes in this Internet of Things environment.”

Programmable Devices: “Rich Tapestry”

When it comes to programmable devices, they’re all fast becoming part of a “very rich tapestry,” says Cerf.

We’ve all heard the industry buzzwords of the day – like mobility and big data analytics – and the hype is all true. Mobile devices are no longer mere “phones,” but, rather, fully programmable devices, says Cerf. Sensors, including GPS and multiple radios, are also fast becoming functional components of networked mobile, portable and fixed devices. This shift even extends to cars. “Think about Teslas, operated very strongly by and informed by software, rather than relatively inflexible hardware,” says Cerf.

Future Innovations to Watch

So where should companies invest in the Internet of Things?

Among the areas to watch, says Cerf, is medical information. “Our ability to monitor vital signs on a continuous basis and to capture that information … gives us a baseline for what is normal for a person,” says Cerf, who prefaces that by noting the importance of privacy.

“Even location information can be considered personal information,” he notes.

Looking ahead, companies would do well to focus on standardization of protocols for mobile devices. “Companies should invest in services that offer alternatives to what had been done in other ways, giving the consumer more choices,” says Cerf. Standardization of protocols applies to a whole host of disparate industries including security, heating and ventilation and entertainment, including movies and music.

Equally essential will be ensuring that devices, including household appliances that now make up the Internet of Things, are properly configured so that uncontrolled or unauthorized access is denied. “The nightmare headline for me is, ‘100,000 Refrigerators Attack Bank of America,’” says Cerf. “That is going to take some serious thinking not only about basic security technology but also how to configure devices at scale,” he adds, noting no one wants to spend their entire weekend typing IPv6 addresses for each and every household device.

Online Privacy: Mitigating Risk

What’s great about networking devices can also be a danger – for instance, temperature sensors could help an intruder determine house occupancy and when. On the flip side, information, conveyed via household television cameras, could aid police or fire departments in determining the appropriate response to an emergency. “You can see how this information is simultaneously beneficial and hazardous,” says Cerf. “The biggest challenge,” he adds, “will be helping consumers properly configure their systems so only authorized parties have access to that information or control over the devices providing it.”

Also essential will be finding ways to update devices safely and securely. “Because it’s almost guaranteed there will need to be an update either to fix a bug or a functionality,” says Cerf. “We need to be careful that all of the devices that we put into this Internet of Things have the ability to be upgraded … and certainly without the danger of downloading malware,” he says.

What’s Next in Innovation?

“In the remaining decades of this century, more devices will become available and affordable to persons as opposed to companies,” says Cerf, citing a reverse of the typical trend that’s accompanied IT trends in decades past.

Read the rest here:

http://www.washingtonexec.com/2015/08/exclusive-father-of-the-internet-vint-cerfs-forecast-for-internet-of-things/

Father of the Internet Vint Cerf’s Forecast for ‘Internet of Things’

Training Team Update

CISSP: This year’s CISSP Exam Prep Review Seminar is nearly complete, with the final two sessions scheduled for 12 and 26 Sep. The 12 Sep session will cover Domain 7, Security Operations. The 26 Sep session will cover Domain 6 (Security Assessment & Testing) and Domain 8 (Security in the Software Development Life Cycle). If you’re interested in attending either of these CISSP Seminar sessions, or if you have any questions, send an email to our Chapter Training leads at: [email protected]. There’s no cost for current CISSP members to attend the CISSP Seminar sessions on a space-available basis, but please pre-coordinate your attendance through our Chapter Training leads (to ensure we have seats available).

Security+: The next Security+ Exam Prep Review Seminar is scheduled for 17 Oct, at Colorado Technical University (CTU). If you’re interested in attending, or have any questions, please send an email to our Chapter Training leads at: [email protected].

CEU/CPE Ideas: Do you know there are numerous free or low-cost CEU and CPE options available? Check out the ISSA-COS web page (http://www.issa-cos.org/), Training Classes, “On-Line Training” link for suggested sites.

Volunteer Opportunities: Looking for a volunteer opportunity? Looking for a way to share your knowledge/expertise? Looking for a way to earn CompTIA CEUs or (ISC)2 CPEs? We’re always looking for members to teach one or more of the Security+ or CISSP domains. We provide the slides, but you can modify them as you see fit as long as your changes remain consistent with the official CompTIA or (ISC)2 criteria. If you would like to volunteer to teach one of the Security+ or CISSP domains, or if you have questions, please contact our Chapter Training leads at: [email protected].

If you have ideas/suggestions/requests for training initiatives, please email our Training leads at: [email protected].

(Continued from page 1)

Cable Center, 2000 Buchtel Blvd, Denver, CO 80210. URL to register is: https://secureworld.ungerboeck.com/prod/SignIn.aspx?ReturnUrl=%2fprod%2femc00%2fregister.aspx%3fOrgCode%3d10%26EvtID%3d5044%26AppCode%3dREG&OrgCode=10&EvtID=5044&DictSeq=27&Lang=*&AppCode=REG&CultureInfo=

ISSA-COS will have a table on Oct 15 – need volunteers to man the table – coordinate with Chuck Forth or Pat Laverty

Oct 24 – CyberGirlz event (See page 14 in this Newsletter) at Fox Meadow Middle School – if anyone is attending please contact Cindy Thornburg.

Oct 27 – Peterson Air Force Base FBC Tech event and ISSA-COS conference

Oct 28 – Fort Carson FBC Tech event

Thanks for all you’re doing.

Cindy


By Aliya Sternstein, NextGov, August 26, 2015

New sweeping defense contractor rules on hack notifications take effect today, adding to a flurry of Pentagon IT security policies issued in recent years.

Just this month, the Office of Management and Budget proposed guidelines to homogenize the way vendors secure data government wide. The Defense Department had already released three other policies that dictate how military vendors are supposed to handle sensitive IT.

Now, industry, which is already concerned about overlapping and burdensome cyber rules, worries the Pentagon will go back and retroactively change contracts, after the White House draft is finalized.

The new Pentagon regulations for "Network Penetration Reporting and Contracting for Cloud Services" cover more types of incidents and more kinds of information than past policies. The guidelines, which were published Wednesday, also apply to a broader swath of the contracting community.

The objective here is to more tightly control the way defense data traverses contractor systems and is stored by companies, military officials say.

"The benefits of the increased security requirements implemented through this rule are that more information will be protected from release, inadvertently or through malicious intent, and in so doing strengthen national security," Jennifer Hawes, editor of the Defense Acquisition Regulations System, said in the policy.

Ongoing attacks against military contractors prompted the release of Wednesday's regulations, according to the Pentagon.

The "interim rule" will kick in before a public comment period because of "the urgent need to protect covered defense information and gain awareness of the full scope of cyber incidents being committed against defense contractors," Hawes said.

It is unclear whether this is a specific hacker campaign -- or the usual targeting of high-value contractors. Nextgov has asked the Pentagon to elaborate. Parts of the rule were originally required by Congress in the 2013 and 2015 National Defense Authorization Acts.

The policy applies to contractors, subcontractors and lower-tier, downstream vendors. There also is a provision for cloud computing services that spells out standard contract language for purchases.

The measure covers confidential military technological and scientific data, known as “unclassified controlled technical information," as well as all other unclassified "protected" data, such as export-controlled information. The protection of classified information is governed by other measures.

Within 72 hours of detecting an incident or possible incident, subcontractors and contractors must notify Defense through http://dibnet.dod.mil/.

The Pentagon, in turn, will be required to protect the confidentiality of proprietary and identifying information that contractors submit to the government for investigation.

"Recent high-profile breaches of federal information show the need to ensure that information security protections are clearly, effectively and consistently addressed in contracts," Hawes said.

Over the past year, the U.S. government has confirmed hacks that exposed sensitive data at the Office of Personnel Management, State Department, White House and U.S. Postal Service.

In the rulemaking, Hawes said this latest "rule does not duplicate, overlap or conflict with any other federal rules."

But the contracting industry contends the Pentagon and OMB are out of lockstep in moving forward with data security guidelines. The public can comment on the OMB draft guidelines until Sept. 10.

“It seemed a little ironic that you're putting into place a more detailed, specific, focused DOD rule” while guidance for the whole federal government is open for a 30-day discussion period, before even getting down to the nitty gritty of contract clauses, said Alan Chvotkin, executive vice president of the Professional Services Council, an industry group.

It could be years before the government incorporates the White House guidelines into the official federal acquisition rules, and then decides whether to fold those rules into existing defense contracts, he said.

“Companies hate any time when you retroactively are substantially changing the terms and conditions of a contract,” Chvotkin said.

Read the rest here:

http://www.nextgov.com/cybersecurity/2015/08/pentagon-tries-harmonize-contractor-data-breach-rules/119498/?oref=ng-HPtopstory

Pentagon Unveils New Rules Requiring Contractors to Disclose Data Breaches

By Sean Gallagher, ArsTechnica, August 23, 2015

Imagine it’s 1995, and you’re about to put your company’s office on the Internet. Your security has been solid in the past—you’ve banned people from bringing floppies to work with games, you’ve installed virus scanners, and you run file server backups every night. So, you set up the Internet router and give everyone TCP/IP addresses. It’s not like you’re NASA or the Pentagon or something, so what could go wrong?

That, in essence, is the security posture of many modern automobiles—a network of sensors and controllers that have been tuned to perform flawlessly under normal use, with little more than a firewall (or in some cases, not even that) protecting it from attack once connected to the big, bad Internet world. This month at three separate security conferences, five sets of researchers presented proof-of-concept attacks on vehicles from multiple manufacturers plus an add-on device that spies on drivers for insurance companies, taking advantage of always-on cellular connectivity and other wireless vehicle communications to defeat security measures, gain access to vehicles, and—in three cases—gain access to the car’s internal network in a way that could take remote control of the vehicle in frightening ways.

While the automakers and telematics vendors with targeted products were largely receptive to this work—in most cases, they deployed fixes immediately that patched the attack paths found—not everything is happy in auto land. Not all of the vehicles that might be vulnerable (including vehicles equipped with the Mobile Devices telematics dongle) can be patched easily. Fiat Chrysler suffered a dramatic stock price drop when video of a Jeep Cherokee exploit (and information that the bug could affect more than a million vehicles) triggered a large-scale recall of Jeep and Dodge vehicles.

And all this has played out as the auto industry as a whole struggles to understand security researchers and their approach to disclosure—some automakers feel like they’re the victim of a hit-and-run. The industry's insular culture and traditional approach to safety have kept most from collaborating with outside researchers, and their default response to disclosures of security threats has been to make it harder for researchers to work with them. In some cases, car companies have even sued researchers to shut them up.

By contrast, Tesla has embraced a coordinated disclosure policy. The company recently announced a vehicle security bug bounty program that offers $10,000 for reproducible security vulnerabilities. Tesla even participated in the presentation of vulnerabilities discovered by outside researchers in the Tesla S' systems at DEF CON. The company's chief technology officer, JB Straubel, appeared on stage with the researchers who performed the penetration test of the Tesla S—Marc Rogers of Cloudflare and Lookout Security CTO and co-founder Kevin Mahaffey—in order to present them with Tesla "challenge coins" for their work.

But no one from Fiat Chrysler was anywhere near the stage when Charlie Miller and Chris Valasek presented their findings on Uconnect. And it might be a while before any other carmaker makes a move to embrace the security community in the wake of the Chrysler recall.

It's not like Miller and Valasek caught Fiat Chrysler by surprise. Miller told Ars that he worked with Fiat-Chrysler throughout his many months of research, advising them of what he and Valasek found. The company had already issued a patch to fix the problems, but it was only a voluntary update to be performed using USB. Sprint moved to block remote access to the network connection on Chrysler vehicles that Miller and Valasek's attack exploited just before the pair revealed their research at Black Hat.

Still, it wasn't until after Wired published video of reporter Andy Greenberg in the driver's seat on an interstate highway reacting to the vehicle's throttle being remotely taken over that Chrysler issued a recall on over a million affected vehicles. Miller said that the demonstration for Wired was completely safe. "It wasn't nearly as bad as the Wired video made it look," he said, explaining that what he and Valasek had done to Greenberg was the same as would happen to any driver during a typical breakdown. Greenberg still had control of the wheel and limited acceleration, according to Miller, and the reporter would have been able to maneuver to a shoulder. But even if things looked a tad over dramatic, Miller felt that the highway demonstration was needed to make the problem real to the American public and to Chrysler. After all, other researchers funded by DARPA—the same program that had funded previous research by Miller and Valasek— demonstrated the same sort of attack for 60 Minutes only a few months earlier with reporter Leslie Stahl driving on a closed course in a parking lot. That time, however, the brand of the car was concealed, and the test took place on a closed circuit. "People couldn't relate it to real life," Miller said.

Read the rest here:

http://arstechnica.com/security/2015/08/highway-to-hack-why-were-just-at-the-beginning-of-the-auto-hacking-era/#p3

Highway to hack: Why we’re just at the beginning of the auto-hacking era

A slew of recently revealed exploits shows gaps in carmakers' security fit and finish.

By NIST, Jul 30, 2015

NIST and the NIST Computer Security Division are proud to announce a new technical publication series in the Special Publications. The new Special Publication (SP) series is called the SP 1800-series.

The new Special Publication (SP) 1800 subseries, “NIST Cybersecurity Practice Guides,” complements NIST’s 800 subseries of computer security publications. The new SP 1800s target specific cybersecurity challenges in the public and private sectors; they are practical, user-friendly guides intended to facilitate adoption of standards-based approaches to cybersecurity. NIST will continue to use the original SP 800 subseries as its primary method for publishing computer/cyber/information security guidelines, recommendations and reference materials.

The first SP 1800 document has been released as a Draft document. The number for this draft document is: SP 1800-1. Email will be sent out very shortly with further details about this new draft from this new Special Publication series.

By Various Sources, August 10, 2015

Unfortunately, due to legal risk, Cisco has stopped providing letters of volatility. I am hearing rumors this will become more and more common from other manufacturers as well. This is the guidance we have been given by the Cisco legal team.

It is unfortunate because it will limit our ability to perform risk evaluations based on presence (or absence) of memory.

Based on input from legal counsel, Cisco cannot provide sanitization procedures allowing a customer to safely move equipment from one cleared environment to another, for the following reasons:

Having a document with procedures creates a potential false sense of safety, leading to legal and reputation liability that Cisco cannot undertake.

We do not have an organization today that can create and document procedures for the multitude of product families.

Business Units can potentially make design or component changes without public knowledge.

In the past, on an as-needed basis, individual SEs have provided information that has been interpreted as a letter of volatility (LOV).

Legal counsel has indicated that this practice needs to be discontinued due to the possibility of misinterpretation of the information provided, and legal risk to Cisco.

Issues include the following:

There is potential for design changes (locations of volatile memory today may not be accurate in the future).

Inaccurate or stale volatile memory information has the potential to release classified data.

SEs may continue the practice of providing information when requested by an end user as it relates to volatile memory. It is the responsibility of SEs to ensure that the customer understands that it is limited to engineering information only and NOT a certification.

Also, they need to clearly state that the information is based on the currently available data, and the information is provided "For Informational Purposes Only". The alternative to an LOV is to destroy the equipment.

It will be interesting to see how the government handles this.

Letters of Volatility?

NIST Computer Security Division Announces a new Special Publication (SP) Series - SP 1800-series

By Phil Muncaster, InfoSecurity Magazine, August 13, 2015

South African security firm Thinkst is hoping to give new life to an old idea—the honeypot—in a bid to help organizations detect security breaches and intruders in their private networks. Thinkst's Canary is a simple network appliance and corresponding online monitoring service that makes it easy to set up juicy-looking targets on the corporate LAN that will sound the alarm if any attempt is made to access them.

The perils of allowing wearables in the workplace were highlighted again today in new research from Trend Micro which uncovered security and privacy issues with some of the biggest brand smart watches on the market, including the Apple Watch.

The security giant commissioned First Base Technologies to test the devices in three areas: device protection; data connection; and local data storage.

There were seven smart watches in total – the Motorola 360, LG G Watch, Sony Smartwatch, Samsung Gear Live, Asus ZenWatch (all Android-based), plus the Pebble and Apple Watch. All devices were monitored in their default state with no third-party apps installed. They were upgraded to the latest OS version, and paired with the iPhone 5, Motorola X (2013) and Nexus 5.

The report claimed physical device protection was poor on all the smart watches reviewed, with authentication not enabled by default on any of them.

What’s more, Android smartphones can use ‘trusted’ Bluetooth devices like the watches for authentication – so if they’re connected to the watch they will not engage the lock screen. This means that if the phone and watch were stolen together, a thief would have full access to both devices.

Also concerning was that all devices tested kept local copies of data which could be read through the watch interface. This means that if any of the smart watches were stolen then all synced data would be accessible to the thief.

Smart Watches Fail the Data Security Test

The Apple Watch was particularly exposed by storing much more data than the other devices – including contacts, emails, calendars, pictures, fitness data and Passbook entries. Passbook-stored cards can even be used to make payments. However, Apple did win back some security points by being the only device to have a timed lock-out facility and a device wipe option after a set number of failed log-in attempts.

On the plus side, all of the watches tested used Bluetooth encryption and TLS over WiFi to ensure secure data in transit.

“Currently smartwatches do not allow the same level of interaction as a smartphone; however it is only a matter of time before they do,” the report claimed. “Having unprotected devices with full access to personal data is a serious risk.”

Wearables are an increasing concern to enterprise IT managers keen not to repeat the early mistakes of BYOD.

Separate Trend Micro research found that 69% of UK staff bring their wearables to work, but a third of IT pros surveyed said they were worried about the influx.

Nearly three-quarters (73%) said businesses need to introduce a specific wearable security policy.

Trend Micro cybersecurity consultant, Bharat Mistry, told Infosecurity that IT managers need to consider use cases before allowing smart watches to store corporate data.

Read the rest here:

http://www.infosecurity-magazine.com/news/smart-watches-fail-the-data/

Upcoming Chapter Meeting Schedule

Date         Time            Location
Sep 17       5:30 to 7:30    The Retired Enlisted Association
Oct (TBD)    All Day         UCCS Fall Conference
Nov 11       10:45 to 1:00   The Retired Enlisted Association
Dec (TBD)    10:45 to 1:00   Awards Luncheon, Antlers Hilton


By Karen L. Burke, Naval Postgraduate School, August 20, 2015

Researchers at the University of London and the University of Rome felt VPN service providers' claims about advantages of using their services, such as online anonymity, censorship avoidance, and protection from tracking/monitoring, have not received enough scrutiny. So, the academics downloaded the clients for desktop and mobile devices of 14 of the most popular commercial VPN services. The team published their findings in the paper A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients.

There have been two major publications since May. On 8 May, DoD issued the much-awaited DoDI 8540.01, Cross Domain (CD) Policy, available at http://www.dtic.mil/whs/directives/corres/ins1.html, scroll down to DoDI 8540.01. On 11 August, DoD issued DoDD 8140.01, Cyberspace Workforce Management, available at http://www.dtic.mil/whs/directives/corres/dir.html, scroll down to DODD 8140.01 or see enclosed.

The issuance of DoDD 8140.01 begins the transition to new guidance on Cyber Workforce Management. It reissues and renumbers DoDD 8570.01 and unifies the overall cyberspace workforce elements (cyberspace effects, cybersecurity, and cyberspace information technology (IT)). Note that this is applicable to contractors as well. The real detail will be in the supporting manual, which has not been updated yet. Until then, we are still required to comply with the DoD 8570.01-M Manual.

OPM Memo, Subject: Special Cybersecurity Workforce Project, dated 8 July 2013, directed agencies to develop a plan to code work positions and develop hiring and classification processes. On 8 April 2015, [the Navy (DON)] released a Memo for the DON’s implementation of the OPM memo.

The implementation manual for DoDD 8140.01 will align with the National Initiative for Cybersecurity Education (NICE) Framework development that DoD is supporting. Reference: http://csrc.nist.gov/nice/framework/. These efforts implement Strategic Goal #1 of “The DoD Cyber Strategy”: to build and maintain ready forces and capabilities to conduct cyberspace operations. You can retrieve the full strategy or fact sheet on The DoD Cyber Strategy at http://www.defense.gov/News/Special-Reports/0415_Cyber-Strategy

For a little background, the DISA FSO began working on the Joint Cyberspace Training and Certification Standard (JCT&CS) for the DoD under the direction of Gen Keith Alexander. Per their briefing in 2012, JCT&CS would be the current baseline for work role definition and NICE would be the baseline for Federal and DoD work role definitions. The release of DoDD 8140.01 was one step in moving us forward to the JCT&CS and NICE frameworks. Based on what I heard at the NSA IA Symposium in June, it could take nearly two years for the DoDD 8140.01 implementation manual to be issued. Until then, the DoD 8570.01-M is still required by DoDI 8500.01 and DoDI 8510.01. The current certifications are located at the http://iase.disa.mil website. The Navy is also determining what training and education will be required of positions that support the Navy’s implementation of the Risk Management Framework, such as the Validator. So as you can see, there are many tasks in progress.

Important DoD and Navy Issuances


Suzanne Chance

By Ellen Nakashima, Washington Post, August 31, 2015

The Obama administration is developing a package of unprecedented economic sanctions against Chinese companies and individuals who have benefited from their government’s cybertheft of valuable U.S. trade secrets.

The U.S. government has not yet decided whether to issue these sanctions, but a final call is expected soon — perhaps even within the next two weeks, according to several administration officials, who spoke on the condition of anonymity to discuss internal deliberations.

Issuing sanctions would represent a significant expansion in the administration’s public response to the rising wave of cyber-economic espionage initiated by Chinese hackers, who officials say have stolen everything from nuclear power plant designs to search engine source code to confidential negotiating positions of energy companies.

Any action would also come at a particularly sensitive moment between the world’s two biggest economies. President Xi Jinping of China is due to arrive next month in Washington for his first state visit — complete with a 21-gun salute on the South Lawn of the White House and an elaborate State Dinner. There is already tension over a host of other issues, including maritime skirmishes in the South China Sea and China’s efforts to devalue its currency in the face of its recent stock market plunge. At the same time, the two countries have deep trade ties and the administration has sometimes been wary of seeming too tough on China.

But the possibility of sanctions so close to Xi’s visit indicates how frustrated U.S. officials have become over the persistent cyber plundering.

The sanctions would mark the first use of an order signed by President Obama in April establishing the authority to freeze financial and property assets of, and bar commercial transactions with, individuals and entities overseas who engage in destructive attacks or commercial espionage in cyberspace.

The White House declined to comment on specific sanctions, but a senior administration official, speaking generally, said: “As the president said when signing the executive order enabling the use of economic sanctions against malicious cyber actors, the administration is pursuing a comprehensive strategy to confront such actors. That strategy includes diplomatic engagement, trade policy tools, law enforcement mechanisms, and imposing sanctions on individuals or entities that engage in certain significant, malicious cyber-enabled activities. The administration has taken and continues to introduce steps to protect our networks and our citizens in cyberspace, and we are assessing all of our options to respond to these threats in a manner and timeframe of our choosing.”

U.S. developing sanctions against China over cyber thefts

China is not the only country that hacks computer networks for trade secrets to aid its economy, but it is by far the most active, officials say. Just last month, the FBI said that economic espionage cases surged 53 percent in the past year, and that China accounted for most of that.

The expected sanctions move will send two signals, a second administration official said. “It sends a signal to Beijing that the administration is going to start fighting back on economic espionage, and it sends a signal to the private sector that we’re on your team. It tells China, enough is enough.”

The sanctions would be a second major shot at China on the issue. In May 2014, the Obama administration secured indictments on economic spying charges against five Chinese military members for hacking into the computer systems of major U.S. steel and other firms.

“The indictments were a strong move,” said Rob Knake, a former White House cyber official and currently a senior fellow at the Council on Foreign Relations. “This is going to be an even stronger move. It’s really going to put China in the position of having to choose whether they want to be this pariah nation — this kleptocracy — or whether they want to be one of the leading nations in the world.”

Read the rest here:

https://www.washingtonpost.com/world/national-security/administration-developing-sanctions-against-china-over-cyberespionage/2015/08/30/9b2910aa-480b-11e5-8ab4-c73967a143d3_story.html?

Volume 4, Number 9

Request for Chapter Presenters

We are looking for members to present at both the lunch and dinner meetings. The presenter has about 40 minutes to give the presentation and answer questions. This could be one slide with a situation identified, after which the audience discusses possible solutions, or a how-to presentation with a demonstration afterwards. The topics listed below have been suggested as areas of interest by our members. Please send an email to either Pat Laverty ([email protected]) and/or myself, Cindy Thornburg ([email protected]), with the topic to be presented, and we will contact you about your availability. We would like the topic to be presented at both meetings; however, we do understand that this may be difficult to accomplish.

Cyber Security Laws in Colorado

Interior Protection

Building in Resiliency

Ethics

Intrusion Detection/Prevention Systems – configuration and how to review

Making the Business Case for Security – how to

Hacking – how to

Application Security Scanning

COMPTIA CE Cycles & Fee Structure

A Summary and Rating of available Certifications

A Survey of current IA Incidents We Should Know About (heartbleed) and What They Mean for the State of Our Industry

Latest Innovations in Network Management Systems

Real World Case Studies

Threat Overview – Real World

Legal Issues in Information Systems

Asymmetric Warfare – what is it

Spear Phishing – what is it and demonstration

Prevention of Cyber Bullying

Best Practices for Backing Up & Archiving Corporate Data

When to Maximize or Minimize Your Cyber Footprint/Persona

Threat Structuring

Security Modeling – how to

Data Flow Control

Trusted Software Development – how to

Risk Management Framework and what does it mean

Case Study of Breaches – how they happen and how to prevent

Security Architecture Development – ‘Building it In’

‘Mobile’ Security Management

Bring Your Own Device (BYOD)

Biometric Security and Privacy

Hacking Back

Thank you!

Cindy

ISSA photos are courtesy of our Chapter Photographer, Warren Pearce.

The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members.

The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity, and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved. Members include practitioners at all levels of the security field in a broad range of industries such as communications, education, healthcare, manufacturing, financial, and government.

Information Systems Security Association Developing and Connecting Cybersecurity Leaders Globally

Colorado Springs Chapter

WWW.ISSA-COS.ORG

Published at no cost to ISSA Colorado Springs by Sumerduck Publishing TM, Woodland Park, Colorado

Article for the Newsletter? If you would like to submit an article...

Are you a budding journalist? Do you have something that the Colorado Springs ISSA community should know about? Tell us about it!

We are always looking for articles that may be of interest to the broader Colorado Springs security community.

Send your article ideas to Don Creamer at:

[email protected]

Ensure that “Newsletter” is in the subject line.

Looking forward to seeing you in print!

Chapter Officers:

President: Dr. Patrick J. Laverty

President Emeritus: Dr. George J. Proeller

President Emeritus: Mark Spencer

Executive Vice President: Tim Hoffman

Vice President: Cindy Thornburg

Vice President of Training: Colleen Murphy

Treasurer: Melody Wilson

Communications Officer: Jeff Pettorino

Recorder: Matt Everlove

Member at Large: Russ Weeks

Member at Large: James Asimah

Director of Membership: David Reed

Director of Professional Outreach: Chuck Forth

Committee Chairs:

Newsletter: Don Creamer

Ethics: Tim Westland

Marketing: Suzanne Chance

Mentoring: Melissa Absher

Author Bruce Sterling Testified to Congress in 1993 as a Time Traveler From 2015

By Matt Novak, Gizmodo, August 13, 2015

In 1993, sci-fi author Bruce Sterling testified in front of a House subcommittee about the future of the internet — specifically, what “the Net” would look like in 2015.

Sterling was testifying about funding for the National Research and Education Network (NREN) which was a program to complement the backbone network overseen by the National Science Foundation, NSFNet. The program was implemented to support faster internet communication between universities and research institutions.

But Sterling’s wasn’t your typical testimony in front of Congress. He adopted the role of a time traveler, playing Mr. Bob Smith, a network administrator from the futuristic world of 2015. And would you look at that: it’s 2015 this very year!

Read the rest here:

http://paleofuture.gizmodo.com/author-bruce-sterling-testified-to-congress-in-1993-as-1723705087
