
Page 1: A Note From Our President - issa-cos.org

A Note From Our President
By Mr. Ernest Campos
Volume 8, Number 1, January 2019
www.issa-cos.org

Welcome to 2019!

ISSA-COS Members,

The 2018 calendar year was an excellent year of internal growth and operational improvement for our chapter. Under Colleen Murphy’s leadership, our chapter experienced an incredible transformation which will prepare us for a strong future. In 2018, our chapter instituted new and better-defined Sponsorship Programs for companies, organizations, and individuals wishing to invest in the future of our chapter. These sponsorship dollars will translate into improved events, higher caliber guest speakers, and an expansion of services.

Last year, Colleen oversaw the development and institution of well-defined position descriptions for all board members and the establishment of charters for all our existing committees. Colleen also implemented deputy board member positions to maintain depth and continuity of operations, and she instituted our organization’s first commercially resourced IT services contract to facilitate our operational business activities. All this was accomplished while remaining within our existing operational budget and WITHOUT increasing chapter dues or implementing individual event fees for members. Wow! Just, WOW!

Thank you, Colleen, for your tireless service to our organization and for all you did to prepare us for the next level of our chapter’s growth. Folks, please raise a glass, issue a toast, and offer her a handshake; Ms. Murphy did a lot for our chapter and we will reap the benefits for years to come.

Now, let’s look at our future…

Forecasts indicate an 80% spike for Cybersecurity professionals entering our industry within the next 3-5 years. Impressive? Yes, but not really. In 2018, analysts calculated a 200,000+ deficit for qualified Cybersecurity professionals in the United States alone; 2,000,000+ globally. Leading the way are positions associated with the Federal Government and Department of Defense; for most, a trusted source of employment and revenue opportunities. However, and with equal importance, are the non-Government related industries which are screaming for help, guidance, and support regarding the best methods to implement cost effective Cybersecurity rigor into their own respective industries. This need is prevalent among

(Continued on page 4)

The ISSA Colorado Springs Newsletter incorporates open source news articles in compliance with USC Title 17, Section 107, Paragraph a (slightly truncated to avoid copyright infringement) as a training method to educate readers on security matters. The views expressed in articles obtained from public sources within this newsletter do not necessarily reflect those of ISSA, this Chapter or its leadership. Names, products, and services referenced within this document may be the trade names, trademarks, or service marks of their respective owners. References to commercial vendors and their products or services are provided strictly as a convenience to our members, and do not constitute or imply endorsement by ISSA or the Colorado Springs Chapter of ISSA of any entity, event, product, service, or enterprise.

Page 2

Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret

By Jennifer Valentino-DeVries, Natasha Singer, Michael H. Keller and Aaron Krolik, The New York Times, December 10, 2018

The millions of dots on the map trace highways, side streets and bike trails — each one following the path of an anonymous cellphone user.

One path tracks someone from a home outside Newark to a nearby Planned Parenthood, remaining there for more than an hour. Another represents a person who travels with the mayor of New York during the day and returns to Long Island at night.

Yet another leaves a house in upstate New York at 7 a.m. and travels to a middle school 14 miles away, staying until late afternoon each school day. Only one person makes that trip: Lisa Magrin, a 46-year-old math teacher. Her smartphone goes with her.

An app on the device gathered her location information, which was then sold without her knowledge. It recorded her whereabouts as often as every two seconds, according to a database of more than a million phones in the New York area that was reviewed by The New York Times. While Ms. Magrin’s identity was not disclosed in those records, The Times was able to easily connect her to that dot.

The app tracked her as she went to a Weight Watchers meeting and to her dermatologist’s office for a minor procedure. It followed her hiking with her dog and staying at her ex-boyfriend’s home, information she found disturbing.

“It’s the thought of people finding out those intimate details that you don’t want people to know,” said Ms. Magrin, who allowed The Times to review her location data.

Like many consumers, Ms. Magrin knew that apps could track people’s movements. But as smartphones have become ubiquitous and technology more accurate, an industry of snooping on people’s daily habits has spread and grown more intrusive.

At least 75 companies receive anonymous, precise location data from apps whose users enable location services to get local news and weather or other information, The Times found. Several of those businesses claim to track up to 200 million mobile devices in the United States — about half those in use last year. The database reviewed by The Times — a sample of information gathered in 2017 and held by one company — reveals people’s travels in startling detail, accurate to within a few yards and in some cases updated more than 14,000 times a day.

These companies sell, use or analyze the data to cater to advertisers, retail outlets and even hedge funds seeking insights into consumer behavior. It’s a hot market, with sales of location-targeted advertising reaching an estimated $21 billion this year. IBM has gotten into the industry, with its purchase of the Weather Channel’s apps. The social network Foursquare remade itself as a location marketing company. Prominent investors in location start-ups include Goldman Sachs and Peter Thiel, the PayPal co-founder.

Businesses say their interest is in the patterns, not the identities, that the data reveals about consumers. They note that the information apps collect is tied not to someone’s name or phone number but to a unique ID. But those with access to the raw data — including employees or clients — could still identify a person without consent. They could follow someone they knew, by pinpointing a phone that regularly spent time at that person’s home address. Or, working in reverse, they could attach a name to an anonymous dot, by seeing where the device spent nights and using public records to figure out who lived there.

Many location companies say that when phone users enable location services, their data is fair game. But, The Times found, the explanations people see when prompted to give permission are often incomplete or misleading. An app may tell users that granting access to their location will help them get traffic information, but not mention that the data will be shared and sold. That disclosure is often buried in a vague privacy policy.

“It’s not right to have consumers kept in the dark about how their data is sold and shared and then leave them unable to do anything about it.”

Read the rest here:

https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html

Page 3

Membership Update

First, I would like to take this opportunity to say Happy New Year and thank everyone for their support of the Colorado Springs Chapter of ISSA. The members are what make this such a great organization to associate with. Everything you do to support chapter activities is appreciated!

Hot item! Melissa Absher has decided to give up her position as chairperson for the Mentorship Committee after four years of service in that role. So, we need a volunteer to take on this role for the chapter. If you’re interested, please contact me at [email protected] or any board member at [email protected]. If you have questions about what the role requires, Melissa can answer any questions you might have—you can reach her at the membership email address above. She will be continuing in her role as Deputy Membership VP.

Also, ISSA International notified us that they will no longer be supporting free student memberships. After several discussions within the ISSA-COS board, it was agreed that we will discontinue the free student membership program (formerly known as “Freemium”) within the chapter, too. Both ISSA and ISSA-COS will continue to support the reduced price ($55) student membership program.

Watch for all the upcoming activities after the start of the year as we get back into our monthly meetings, mini-seminars and other training. Please watch the Newsletter, communications and eVites to ensure you stay aware of what’s going on in the chapter. As always, if you have any membership questions don’t hesitate to contact me.

I would also like to welcome our new members on behalf of the Chapter! When you’re participating in Chapter activities, please take a moment to introduce yourself to members of the board, me, and other members. Don’t forget to identify yourself as a new member and feel free to ask for help or information. Thanks for joining the Chapter and don’t forget to look for opportunities to lend your expertise to improve the Chapter. We’re always open to new ideas and suggestions.

Our membership stands at ~466 members as of the end of December. As you’re going about your daily activities, please take the time to engage your colleagues, ask if they’re ISSA members, and if not take a couple of minutes to convince them of the value of becoming a member of our chapter. Word of mouth is our primary method of advertising. If you don’t take the time to tell people of our organization, folks won’t know all the advantages we bring to their professional life. Renewals are also critical to maintaining our membership. If you are considering not renewing, please talk to me or one of the other board members to help us understand what we can do better to support our membership and retain you as active chapter members.

Thanks,

David Reed
Membership Committee Chairman
[email protected]

New Members, December

Michael J. Cutter
Shaun Marvin
David Edwards
Andrea Heinz
Fred Hollingsworth

New Chapter By-Laws have been posted on the ISSA-COS website and may be found here:

https://issa-cos.org/wp-content/uploads/2018/12/Colorado-Springs-ISSA-ByLaws-FINAL-Dec-2018.pdf

Page 4

A Note From Our President (Continued from page 1)

large businesses and “big-box” stores but also among small and medium sized businesses. In 2018, I was invited to participate as a panel member for a local Colorado Springs Chamber and Economic Development Council’s small business discussion on Cybersecurity. I was impressed by the folks representing small to medium sized businesses who **paid** to attend this event. Medical practices, marketing agencies, food service businesses (catering, bar, and restaurant), retail stores, and financial institutions were all in attendance seeking advice on how to implement low-cost Cybersecurity solutions, disciplines, and technologies that are both cost and results effective.

Additionally, at the 2018 Small Business Development Council’s (SBDC) “Cover Your Assets” (CYA) forum, the Honorable John Suthers, Mayor of Colorado Springs, stated while comparing the current deficit regarding the regional emphasis on Cybersecurity employment and support for small/medium sized businesses (as compared to Government opportunities), that “Colorado Springs needs Cybersecurity for ALL industries.” This was an emphasis, plea, and/or challenge for those who can help to help. After attending this event, I realized ISSA-COS is best positioned to answer this challenge. Thus, as the new President, I am instituting an expansion to our Special Interest Groups (SIGs) based off our highly successful Women in Security (WIS) quarterly meeting (props to June Shores for leading this group!). The expansion will include a focus on both Affinity (Women, Mentoring, Young Professionals, and Executives) and Industry (Healthcare, Retail, Finance, and DoD) groups. In so doing, it is my aspiration to expand our mostly DoD focus into all industries within COS. But why, you might ask? Think for a moment how many of us…

… utilize Healthcare services in COS (primary care, specialty care, and prescriptions),

… frequent Retail services in COS (clothing, home improvement, and groceries),

… rely on Financial institutions in COS (mortgage, auto loans, and personal loans),

… depend upon trusted Legal counsel to operate our business operations (statutory, regulatory, and compliance),

… utilize COS City utility services (gas, water, waste, and electric).

All too often we rely upon the institutions that make us money and not enough on the institutions that we spend money on.

In 2019, ISSA-COS will work to preserve our commitments with our established partners while establishing new relationships with new industries. Our goal is to expand our presence, increase our impact, and elevate our influence on the COS region. In so doing, we will answer the Mayor’s call and institute a focus on Cybersecurity for all industries. Please join us as we aim to achieve our goal in 2019.

To accomplish these goals, ISSA-COS will institute several new programs designed to increase our reach across the region, diversify our membership across industries, and establish our organization as a cornerstone for knowledge and insight within our community.

In 2019, we can look forward to the institution of recognition programs designed to acknowledge new members and celebrate the professional achievements of existing members. In conjunction with our expansion of SIGs, we will also launch a membership drive to help capture members from new industries. This drive will seek to recognize those who bring in the most new members each quarter and throughout the year. Do you know someone who should be a member but isn’t? Now is the time to have them join! In the year to come, you can look forward to the addition of quarterly events and an increased emphasis on our monthly Mini-seminars.

Last of all, behind the scenes our board members and key personnel will continue to integrate refined operating procedures designed to streamline the way we run the chapter. We are excited for what the future holds. Please consider contributing as a volunteer when called upon, and you too can help own a portion of our success!

Thank you for your support!

Sincerely,

Ernest Campos
President, ISSA-COS

Page 5

Plan to Dumb-Down the Power Grid In Name of Cybersecurity Passes Senate

By Aaron Boyd, NextGov, December 20, 2018

A push to secure the nation’s electric power grid from cyberattacks by introducing analog stopgaps and redundancies passed the Senate late Wednesday.

The Securing Energy Infrastructure Act was introduced last year by Sens. Angus King, I-Maine, and Jim Risch, R-Idaho, and approved by the Energy and Natural Resources Committee in March. The bill requires the Energy secretary to establish a two-year pilot program to look at analog, nondigital and physical systems that can be incorporated into the power grid to mitigate the potential effects of a cyberattack—what its authors have called a “retro” approach.

The genesis of the bill came after a 2015 cyberattack in Ukraine took down a significant portion of the country’s energy grid. Operators were able to get the systems back online relatively quickly using human-powered backups.

“For years we’ve seen the danger of cyberattacks grow as bad actors pursue larger and more sophisticated incursions on our vital systems, but the federal government’s response has not matched the severity of these threats,” King said in a statement after the Senate vote. “This commonsense, bipartisan bill is an important step in the right direction, and will help protect America’s critical infrastructure from devastating attacks before they happen.”

The bill gives the secretary 180 days from enactment to establish the program, which would be led by the Energy Department national laboratories in partnership with volunteers from the energy sector—from power stations to manufacturers in the supply chain.

The legislation also calls for the creation of a federal working group to assess the recommendations from the partnership. That 10-member group would include representatives from the departments of Energy, Homeland Security and Defense, the Office of the Director of National Intelligence and the North American Electric Reliability Corporation.

The bill includes a $10 million appropriation for the pilot program and $1.5 million for the working group.

“It’s an interesting approach that people haven’t really thought of this much,” Chris Cummiskey, senior fellow at the George Washington University Center for Cyber and Homeland Security and former Homeland Security undersecretary and chief acquisition officer, told Nextgov when the bill was voted out of committee in March.

Read the rest here:

https://www.nextgov.com/cybersecurity/2018/12/plan-dumb-down-power-grid-name-cybersecurity-passes-senate/153719/

Poor Security Could Leave U.S. Defenseless Against Missile Attacks

By Heather Kuldell, NextGov, December 14, 2018

The Defense Department’s inconsistent security practices leave technical data about the nation’s missile defense system vulnerable to inside and outside threats, according to the agency auditor.

The ballistic missile defense system is designed to detect and intercept incoming missiles before they hit their intended targets. The system is made up of many elements, some run by the government and others by cleared contractors. The Defense Department keeps the system’s technical information—such as engineering data, algorithms and source codes—on its classified networks.

“The disclosure of technical details could allow U.S. adversaries to circumvent [ballistic missile defense system] capabilities, leaving the United States vulnerable to deadly missile attacks,” the Defense Department Office of Inspector General said in an audit.

The OIG found known network vulnerabilities that hadn’t been mitigated at three of the five facilities examined and intrusion detection capabilities that had not been implemented.

Read the rest here:

https://www.nextgov.com/cybersecurity/2018/12/poor-security-could-leave-us-defenseless-against-missile-attacks/153569/

Page 6

NIST SP 800-37, Revision 2 Published

By Staff, NIST, December 20, 2018

NIST has published NIST Special Publication (SP) 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. This update to NIST Special Publication 800-37 develops the next-generation Risk Management Framework (RMF) for information systems, organizations, and individuals, in response to Executive Order 13800, OMB Circular A-130, and OMB Memoranda M-17-25 and M-19-03. This is the first NIST publication to address security and privacy risk management in an integrated, robust, and flexible methodology.

One of the key changes in this RMF update is the addition of the Prepare step, which was incorporated to achieve more effective, efficient, and cost-effective security and privacy risk management processes.

Visit the CSRC Update link below for more information about the seven major objectives of this update, as well as its objectives for institutionalizing organization-level and system-level preparation. By achieving those objectives, organizations can simplify RMF execution, employ innovative approaches for managing risk, and increase the level of automation when carrying out specific tasks.

For any questions or comments, please contact: [email protected]

CSRC Update:

https://csrc.nist.gov/news/2018/rmf-update-nist-publishes-sp-800-37-rev-2

Publication details:

https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final

ISSA Nametags

Do you want an ISSA nametag for your very own to wear to meetings, conferences, and events? You can now order/pick up yours directly from:

Blue Ribbon Trophies & Awards
245 E Taylor St (behind Johnny’s Navajo Hogan on North Nevada)
Colorado Springs
(719) 260-9911

Although their hours are officially Monday through Friday until 5:30 pm, they are occasionally in the shop on Saturdays. This is a small business so cash/check would be appreciated. Email [email protected] to order.

Page 7

Huawei Is the Doorway to China's Police State

By Dan Blumenthal, The National Interest, December 12, 2018

The arrest of Huawei Chief Financial Officer Meng Wanzhou was apparently a long time coming. U.S. investigators began looking into Huawei’s dealings when Iran’s once Chinese-backed ZTE was identified as a sanctions-breaker. U.S. prosecutors now appear to have substantial evidence of the Chinese Communist Party’s state-backed mobile and technology company’s violations of the sanctions regime against Iran.

The arrest and call for extradition spotlights just how concerned the free world should be about Huawei. The stakes are high, as the company is positioned to be the dominant player in 5G mobile networks. If Huawei wins this competition against U.S. companies, much of the world’s data will pass through the mobile networks of a CCP-backed company that does business with the world’s most troubling regimes. Huawei is also the critical player in CCP General-Secretary Xi Jinping’s bid to establish a high-tech police state and to leapfrog the United States in critical technologies that will enable a host of military capabilities.

The CCP is already collecting enough data from Chinese citizens who use mobile networks, search engines, and online purchasing systems to establish a “Social Credit System.” To say that this system is Orwellian is an understatement. Even George Orwell could not have imagined the new technology of totalitarianism.

The Chinese government plan is to have a database on Chinese citizens’ consumer preferences, personal activities, and habits to give each one a “score” based on loyalty to the party and other behaviors deemed by party leaders to make for good citizens. This score will determine if Chinese citizens are accepted to colleges, can get good jobs, buy a house, and so much more. It is nothing less than an attempt to perfect the world’s first ever high-tech police state.

Huawei will continue to play a big role in the creation of this system. But Huawei is an international company with high ambitions. An almost unimaginable amount of global data will flow through the next generation of mobile technology. This is partly the reason why 5G and artificial intelligence are so closely related: the companies with the most access to data will be able to train the best AI systems.

Thus, this CCP-backed company is poised to determine the future of how people use everything, from transportation to health care. If it wins the global race to become the dominant player in mobile technology, then the rest of the world could lose control over the use and integrity of data to the CCP colossus. Regardless of Huawei’s protestations that it is a private company, Chinese laws require companies doing business in China to share data that the party deems necessary for national security. And, notwithstanding the passage of strict data laws in places like Europe, there will be no way to guarantee the integrity and use of data if it flows through a CCP-made 5G system. The CCP may not own Huawei, but it is benefitting from the massive amounts of 5G and AI related research and development, the abuse of Chinese patenting and anti-monopoly laws that put competitors at a disadvantage, the absence of ethical restrictions in China, and the use of AI technologies.

Read the rest here:

https://nationalinterest.org/feature/huawei-doorway-chinas-police-state-38532

Upcoming SANS Training!

SANS is projecting their SEC301 class for Feb 25, 2019 – Mar 01, 2019 in Colorado Springs, at the DoubleTree Hilton (where we hold our Peak Cyber conference). The SANS SEC301 course is their Introduction to Cyber Security. SANS is also planning two classes in Denver: SEC545 (Cloud Security Architecture and Operations) and DEV540 (Secure DevOps and Cloud Application Security).

Upcoming training events in Colorado include:

• Jan 14, 2019 – Jan 18, 2019 | Denver, CO US | Community SANS Denver DEV540
• Feb 25, 2019 – Mar 01, 2019 | CO. Spr., CO US | Community SANS CO. Springs SEC301
• Mar 25, 2019 – Mar 29, 2019 | Denver, CO US | Community SANS Denver SEC545

All SANS training can be viewed at https://www.sans.org/security-training/by-location/north-america

Page 8

Update Your Profile!

Don’t forget to periodically logon to www.issa.org and update your personal information.

The Pentagon Doesn’t Know All the Software on Its Networks—And That’s a Problem

By Heather Kuldell, NextGov, December 19, 2018

The Defense Department’s poor software management practices put its networks at “unnecessary” cyber risk—and that’s on the department’s chief information officer, according to the agency inspector general.

The department doesn’t have an enterprisewide software application rationalization program—an inventory of what the department owns and is in use—as required by the Federal Information Technology Acquisition Reform Act, the Defense inspector general wrote in a report released Tuesday. Such programs help agencies get rid of duplicative or obsolete applications and avoid buying redundant software.

Instead of an enterprisewide solution, the Defense CIO in 2017 revised a Joint Information Environment objective to limit software rationalization to data centers.

“As a result, the DoD and its Components are exposing the DoD Information Network to unnecessary cybersecurity risks because they lack visibility over software application inventories and, therefore, are unable to identify the extent of existing vulnerabilities associated with their owned software applications,” the inspectors wrote.

Without a complete software inventory, the department can’t be sure its software is up to date on security patches. As of July, the department accounted for only 30 percent of its software to comply with a congressional request, according to a memo from Defense CIO Dana Deasy. Deasy instructed agencies to boost known software inventory by December and pushed the department to use automated means to find the number of installed applications.

Last week, Congress recognized some improvement in the department’s FITARA scorecard in part because it created a software library. However, it has lots of room to improve; it only increased its grade from an ‘F+’ to a ‘D+’ and was the lowest scoring agency for several scorecards.

Deasy came onboard as Defense CIO in May, the first permanent CIO since Terry Halvorsen retired in February 2017.

Read the rest here:

https://www.nextgov.com/cio-briefing/2018/12/pentagon-doesnt-know-all-software-its-networksand-s-problem/153657/


V O L U M E 8 N U M B E R 1

It's nearly 2019, and your network can get pwned through an oscilloscope

By Shaun Nichols, The Register, November 30, 2018

Administrators overseeing lab environments would be well advised to double-check their network setups following the disclosure of serious flaws in a line of oscilloscopes.

On Friday, SEC Consult said it had uncovered a set of high-impact vulnerabilities in electronic testing equipment made by Siglent Technologies.

In particular, the bug-hunters examined the Siglent SDS 1202X-E Digital line of Ethernet-enabled oscilloscopes and found the boxes were lacking even basic security protections.

Among the flaws found by researchers was the use of completely unauthenticated and unguarded TCP connections between the oscilloscopes and any device on the network, typically via the EasyScopeX software, and the use of unencrypted communications between the scope and other systems on the network.

"Two backdoor accounts are present on the system," the researchers explained. "A Telnet service is listening on port 23 which enables an attacker to connect as root to the oscilloscope via LAN."

As a result, anyone who had local network access would be able to get onto the device and tamper with it.

Siglent did not respond to a request for comment on the matter.

Chalk this up as yet another example of the dangers brought on by the growing market for connected internet-of-things devices.

Normally, an oscilloscope would be the last thing an admin would have to worry about; however, as new connectivity is bolted onto devices that traditionally operated in isolation, it is inevitable that some otherwise basic security measures will be overlooked.

Aside from the obvious dangers of allowing an attacker to use the compromised devices as a starting point for attacks on other network devices, SEC Consult noted that someone could also use the vulnerabilities to mess with the oscilloscope's own readings - offering a handy route for sabotage.

"Any malicious modification of measurement values may have serious impact on the product or service which is created or offered by using this oscilloscope," SEC Consult said of the flaw. "Therefore, all procedures which are executed with this device are untrustworthy."

Read the rest here:

https://www.theregister.co.uk/2018/11/30/pwned_via_oscilloscope/

Australia has become the first western country to pass a bill forcing tech companies to hand over your encrypted data

By Staff, Reuters, December 6, 2018


A controversial bill allowing spies and police to snoop on the encrypted communications of suspected terrorists and criminals was passed in Australia on Thursday, as tech giants warned of wide-ranging implications for global cybersecurity.

The bill, the most far-reaching imposed by a western country, is set to become law before the end of the year.

“Let’s just make Australians safe over Christmas,” opposition Labour Party leader Bill Shorten told reporters outside parliament in the capital of Canberra.

There has been extensive debate about the new law and its reach beyond Australia’s shores in what is seen as the latest salvo between global governments and tech firms over national security and privacy.

Under the legislation, Canberra can compel local and international providers – including overseas communication giants such as Facebook and WhatsApp – to remove electronic protections, conceal covert operations by government agencies, and help with access to devices or services.

Australian authorities can also require that those demands be kept secret. The bill, passed by the lower house of parliament earlier on Thursday, was to be debated in the upper Senate, where Labour said it intended to suggest new amendments, before going back to the lower house.

But in an eleventh-hour twist, Labour said that despite its reservations, it would pass the bill in the Senate, on the proviso that the coalition agreed to its amendments next year.

“We will pass the legislation, inadequate as it is, so we can give our security agencies some of the tools they say they need,” Shorten said.

The bill provides for fines of up to A$10 million (US$7.2 million) for institutions and prison terms for individuals for failing to hand over data linked to suspected illegal activities.

“There has been similar legislation in the UK and possibly a few other jurisdictions but their legislation doesn’t go anywhere near as far as what’s happening here,” said Mark Gregory, an associate professor specialising in network engineering and internet security at Melbourne’s RMIT University. “The government here can coerce the company to actually provide back doors into their systems and into devices and force the company to build systems that can help with investigations.”

When the bill becomes law, Australia will be one of the first nations to impose broad access requirements on technology firms, after many years of lobbying by intelligence and law enforcement agencies in many countries, particularly the so-called Five Eyes nations.

The Five Eyes intelligence network, comprised of the United States, Canada, Britain, Australia and New Zealand, have each warned that national security was at risk because authorities were unable to monitor the communications of suspects.

Australia’s government has said the laws are needed to counter militant attacks and organised crime and that security agencies would need to seek warrants to access personal data.

Technology companies have opposed efforts to create what they see as a back door to users’ data, a stand-off that was propelled into the public arena by Apple’s refusal to unlock an iPhone used by an attacker in a 2015 shooting in California. The companies say creating tools for law enforcement to break encryption will inevitably undermine security for everyone.

Read the rest here:

https://www.scmp.com/news/asia/australasia/article/2176759/australia-has-become-first-western-country-pass-bill-forcing


5 Questions to Ask When Planning to Deploy AI for Cybersecurity

By Brian Buntz, IoT World Today, December 20, 2018

Artificial intelligence is overhyped for cybersecurity, according to Rene Kolga, senior director of product and marketing at Nyotron. “Of course, I agree that machine learning algorithms and AI represent a transformational trend overall — no matter in which industry. But the current upswelling of attention the topic has received — within cybersecurity and seemingly everywhere else — could plunge the field into another period of AI winter, where funding and thus progress cools to a near standstill,” Kolga reckons. “We have had multiple AI winters in the past 50 to 60 years,” he explained. “We are potentially heading to this point again because the field is so prone to over-promise.”

By late 2018, it seems every company either says they do AI or are involved in an AI-based project, but 4 percent of CIOs internationally say they have AI projects in production, according to Gartner’s Hype Cycle for Artificial Intelligence from July 2018. In that same month, The Guardian published an exposé on the explosion of what it termed “pseudo AI” in which companies use a mix of algorithms buttressed by human labor in the background.

So whether one is evaluating the field of AI at large, or evaluating an AI-based strategy to improve the security of an IoT application, it is important “to understand what’s real and what’s not,” said Kolga, who also shared the following questions to help companies sift through the hype.

1. Are You Sure You Have Access to Good Data?

Some companies are so enamored with the prospects of AI-based cybersecurity and the power of the latest algorithms that they will rush to deploy the technology without ensuring they have the data they need for the program to be successful in the long-run.

But another related problem is that a company’s leaders may think they have access to good data when they have been unknowingly breached. A company might use User Entity Behavior Analytics products, for instance, to understand the baseline behavior of the network of their devices and users. After the initial period of baselining, they can theoretically detect anomalies. “What’s dangerous about this is that if the malware or a malicious insider is already inside your environment, now the algorithm will baseline that as the norm,” Kolga said. “If you do that, will you really be able to detect an infection?”

It is entirely possible that an organization’s cyber leaders might think their environment is safe only to discover later that it was not. The Ponemon 2017 Cost of a Data Breach Study found that it took an organization an average of 206 days to detect a breach. And a 2017 Inc. article reports that 60 percent of small businesses in the United States are hacked each year.
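Kolga's warning about baselining an already-infected environment is easy to see with numbers. The block below is an added example (not from the IoT World Today article, Nyotron, or any UEBA product); it uses a plain mean/standard-deviation z-score check as a stand-in for a behavioral baseline, and all of the traffic figures are constructed. A steady beacon present from day one disappears when the baseline is learned from the same data, while a known-clean reference window exposes it; the naive baseline still catches a later, much louder spike, which is why the failure mode goes unnoticed.

```python
"""Why baselining a compromised environment hides the compromise.

Added example, not from the IoT World Today article or Nyotron.  The daily
outbound volumes are constructed; a mean/standard-deviation (z-score) check
stands in for a UEBA product's learned baseline.
"""
import statistics
from typing import List

# Constructed daily outbound volume (MB) for one host over 14 known-clean days.
CLEAN_REFERENCE = [51, 48, 55, 50, 47, 53, 49, 52, 50, 46, 54, 51, 49, 50]

# What the sensor actually records: a beacon adding a steady 40 MB/day has been
# running since before day 1, so it is inside the whole baselining window.
BEACON_MB = 40
OBSERVED = [m + BEACON_MB for m in CLEAN_REFERENCE]

# A later one-off bulk transfer on top of the beacon (day index 9, +300 MB).
SPIKE_DAY, SPIKE_MB = 9, 300
OBSERVED_WITH_SPIKE = [v + (SPIKE_MB if i == SPIKE_DAY else 0) for i, v in enumerate(OBSERVED)]


def z_scores(values: List[float], baseline: List[float]) -> List[float]:
    """Standard scores of each value against the baseline's mean and spread."""
    mu = statistics.mean(baseline)
    sd = statistics.pstdev(baseline) or 1.0   # guard against a flat baseline
    return [(v - mu) / sd for v in values]


def flagged_days(values: List[float], baseline: List[float], threshold: float = 3.0) -> List[int]:
    """Indices of days whose z-score exceeds the alert threshold."""
    return [i for i, z in enumerate(z_scores(values, baseline)) if z > threshold]


def naive_baseline(observed: List[float] = OBSERVED) -> List[int]:
    """Baseline learned from the (already infected) observed data itself."""
    return flagged_days(observed, observed)


def reference_baseline(observed: List[float] = OBSERVED,
                       reference: List[float] = CLEAN_REFERENCE) -> List[int]:
    """Baseline taken from a window known to be clean."""
    return flagged_days(observed, reference)


if __name__ == "__main__":
    print("beacon only, naive baseline     ->", naive_baseline())
    print("beacon only, clean reference    ->", reference_baseline())
    print("beacon + spike, naive baseline  ->", naive_baseline(OBSERVED_WITH_SPIKE))
    print("beacon + spike, clean reference ->", reference_baseline(OBSERVED_WITH_SPIKE))
```

With the naive baseline the beacon is the norm and nothing is flagged; against the clean reference every day is flagged. Add the spike and the naive detector flags only that day, which looks like a working product while the persistent infection stays invisible.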

2. Are You Working on Developing an AI-based Crystal Ball?

The important thing to remember about subjects such as big data and analytics is that it is a much more reliable strategy to codify past behavior than it is to use the technology to invent the future. The plan to use big data, machine learning, artificial intelligence, etc. to “enumerate badness” as Marcus Ranum has put it, is problematic in that there are vastly more types of “bad” in the form of malware and attacks than there is “good.” So if you feed a machine learning algorithm a massive trove of data related to known attacks and malware, it will likely be able to detect subtle variations of known malware from the past. But it will have less of a shot at detecting an entirely new form of malware or a new attack methodology. “Sometimes companies take the position that AI is this really magical tool that can detect everything,” Kolga said. “But then if you think about how it works, it’s trained on the known, old malware samples.”

Read the rest here:

https://www.iotworldtoday.com/2018/12/20/5-questions-to-ask-when-planning-to-deploy-ai-for-cybersecurity/


Additional photographs are available on the ISSA-COS.ORG website.


2018 In Review—An Index

Title | Issue | Pg

10 Security Behaviors That Anger Us | Vol 7, No. 6 | 13
25% of employees use the same password for every account | Vol 7, No. 7 | 13
8 questions to ask about your industrial control systems security | Vol 7, No. 4 | 15
8th Annual Peak Cyber Symposium Summary | Vol 7, No. 9 | 9
A desperate hacker tried selling US military files for $150 — only to find no one wanted them | Vol 7, No. 8 | 15
A new data breach may have exposed personal information of almost every American adult | Vol 7, No. 7 | 14
A pathway for cybersecurity students to become cybersecurity professionals | Vol 7, No. 10 | 15
A volt out of the blue: Phone batteries reveal what you typed and read | Vol 7, No. 7 | 15
Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach | Vol 7, No. 10 | 6
Alexa and Siri Can Hear This Hidden Command. You Can’t. | Vol 7, No. 6 | 10
Alexa heard what you did last summer – and she knows what that was, too | Vol 7, No. 11 | 2
All about cryptojacking | Vol 7, No. 10 | 9
Artificial intelligence may not need networks at all | Vol 7, No. 1 | 21
As Artificial Intelligence Advances, Here Are Five Tough Projects For 2018 | Vol 7, No. 1 | 2
As Russians hack the US grid, a look at what’s needed to protect it | Vol 7, No. 9 | 8
Atlanta pays $2.6 million for cybersecurity issues stemming from $51,000 ransomware attack | Vol 7, No. 5 | 7
Beyond corporate cybersecurity | Vol 7, No. 8 | 16
Blackout: Critical Infrastructure Attacks Will Soar in 2018 | Vol 7, No. 2 | 13
British teenager hacked top ranking US officials using social engineering | Vol 7, No. 2 | 16
Building a sound security strategy for an energy sector company | Vol 7, No. 8 | 12
CAC is staying around for a while | Vol 7, No. 10 | 14
Cisco Accidentally Released Dirty Cow Exploit Code in Software | Vol 7, No. 12 | 5
Cops take dead man’s smartphone to his corpse in attempt to unlock it | Vol 7, No. 5 | 2
Cracking The Crypto War | Vol 7, No. 7 | 10
Critical Flaws in Industrial Software Left US Infrastructure Wide Open to Hackers | Vol 7, No. 6 | 9
Cyber Security Insurance: Nine Questions to Ask to Determine Your Exposure | Vol 7, No. 3 | 11
Cybersecurity job gap grows to 3 million, report | Vol 7, No. 11 | 13
Cybersecurity pros don’t feel equipped to stop insider attacks | Vol 7, No. 3 | 7
Cybersecurity Tech Accord: Marketing Move or Serious Security? | Vol 7, No. 5 | 14
Cyberwar: What happens when a nation-state cyber attack kills? | Vol 7, No. 8 | 2
Defense, civilian contractors laying groundwork to implement NIST information-sharing framework | Vol 7, No. 3 | 10
Defining a Class of Offensive Destructive Cyber Weapons As Weapons of Mass Destruction: An Examination of the Merits | Vol 7, No. 3 | 13
Despite rise in security awareness, employees’ poor security habits are getting worse | Vol 7, No. 12 | 14
Despite Risks, Nearly Half of IT Execs Don't Rethink Cybersecurity after an Attack | Vol 7, No. 5 | 16
DHS Cybersecurity Branch Signed into Existence by Trump | Vol 7, No. 12 | 11
DHS Publishes New Cybersecurity Strategy | Vol 7, No. 6 | 14
Did you accidentally friend a North Korean hacker on Facebook? | Vol 7, No. 1 | 16
DOD Must Comply with DHS Cybersecurity Directives Under Senate Bill | Vol 7, No. 7 | 12
Ex spy bosses: Cyber-warfare needs rules of engagement for nations to promptly ignore | Vol 7, No. 11 | 15
Facebook Fail as 100+ Cybercrime Groups are Found on Site | Vol 7, No. 8 | 14
Facebook scraped call, text message data for years from Android phones | Vol 7, No. 4 | 2
FBI Software For Analyzing Fingerprints Contains Russian-Made Code, Whistleblowers Say | Vol 7, No. 2 | 15
FDA Reveals New Plans for Medical Device Security | Vol 7, No. 5 | 13
'Five Eyes' Agencies Demand Reignites Encryption Debate | Vol 7, No. 10 | 12
Five things to know about Russian attacks on the energy grid | Vol 7, No. 4 | 13
For safety’s sake, we must slow innovation in internet-connected things | Vol 7, No. 10 | 2
Foreign Cyber Actors Target Home and Office Routers and Networked Devices Worldwide | Vol 7, No. 6 | 4
Ghost in the DCL shell: OpenVMS, touted as ultra reliable, had a local root hole for 30 years | Vol 7, No. 3 | 10
Girl Scouts fight cybercrime with new cyber-security badge | Vol 7, No. 4 | 17
Google: Security Keys Neutralized Employee Phishing | Vol 7, No. 8 | 17
Governor's Trial Hinges on Photo That May or May Not Exist | Vol 7, No. 6 | 12
Hacker backdoors popular JavaScript library to steal Bitcoin funds | Vol 7, No. 12 | 7
Hacker Kevin Mitnick shows how to bypass 2FA | Vol 7, No. 6 | 9
Hackers once stole a casino's high-roller database through a thermometer in the lobby fish tank | Vol 7, No. 5 | 18
Hackers Reportedly Stole 600 Gallons of Gas From Detroit Gas Station | Vol 7, No. 8 | 20
Here Are The Clever Means Russia Used To Hack The Energy Industry | Vol 7, No. 4 | 12
Here's the funniest, most scathing, most informative and most useful talk on AI and security | Vol 7, No. 10 | 20
Homeland Security Head: Colorado Tops US in Vote Security | Vol 7, No. 10 | 14
How an Ohio Hospital Avoided a Widespread Ransomware Attack | Vol 7, No. 2 | 11
How Antivirus Software Can Be Turned Into a Tool for Spying | Vol 7, No. 2 | 12
How hackers can use artificial intelligence against us | Vol 7, No. 5 | 15
How Industrial Espionage Started America’s Cotton Revolution | Vol 7, No. 6 | 15
How IoT is Impacting DNS, and Why It's Scaring Both CISOs and Networking Pros | Vol 7, No. 9 | 11
How safe is your DNA data? | Vol 7, No. 9 | 2
How the IT sector can help plug the cyber security skills gap | Vol 7, No. 9 | 15
How to Steal Someone's Identity in 45 Minutes | Vol 7, No. 5 | 10
If by Free You Mean Personally Liable… | Vol 7, No. 8 | 14
Increasing Risk of Cyber Attacks During Holidays Says Report | Vol 7, No. 12 | 8
iPhone apps blasted for selling your exact location - do you have these on your phone? | Vol 7, No. 10 | 11
Iran’s ‘cyber attacks’ against US can cause damage, experts warn | Vol 7, No. 12 | 10
Is Microsoft Doing the Right Thing by Killing the Windows Control Panel? | Vol 7, No. 7 | 20
Is The Education System Keeping Women Out of Cybersecurity? | Vol 7, No. 6 | 11
Is there new 'hackproof' cyber defense? Air Force, industry test new system | Vol 7, No. 9 | 13
JOURNAL OF CYBERSECURITY | Vol 7, No. 1 | 13
Let’s destroy Bitcoin | Vol 7, No. 5 | 17
Local news coverage of cybersecurity in 2017 | Vol 7, No. 1 | 4
LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group | Vol 7, No. 10 | 8
Microsoft's National Cybersecurity Policy Framework: Practical Strategy or Non-Starter? | Vol 7, No. 9 | 14
Mylobot Malware Brings New Sophistication to Botnets | Vol 7, No. 7 | 11
National Guard team builds open-source cyber toolkit | Vol 7, No. 6 | 13
Nearly half of security pros rarely change their security strategy, even after a cyber attack | Vol 7, No. 3 | 15
New Data Show Demand for Cybersecurity Professionals Accelerating | Vol 7, No. 12 | 15
New Intel Made Smart Glasses That Look Normal | Vol 7, No. 3 | 4
New NIST Forensic Tests Help Ensure High-Quality Copies of Digital Evidence | Vol 7, No. 2 | 8
New Threat Group Conducts Malwareless Cyber Espionage | Vol 7, No. 11 | 14
New whaling and phishing techniques include weaponising Google Docs | Vol 7, No. 3 | 12
NIST hosting CUI Security Requirements Workshop - Oct 18, 2018 | Vol 7, No. 8 | 17
NIST Publications | Vol 7, No. 4 | 7
NIST Releases Version 1.1 of its Popular Cybersecurity Framework | Vol 7, No. 5 | 8
NIST's New Advice on Medical IoT Devices | Vol 7, No. 9 | 10
No, you’re not being paranoid. Sites really are watching your every move | Vol 7, No. 1 | 18
North Korea Might Be Behind The World’s Largest Crypto Heist | Vol 7, No. 3 | 2
North Korea-Linked Group Stops Targeting U.S. | Vol 7, No. 6 | 17
Norway officially scraps FM radio in favor of digital broadcasting | Vol 7, No. 1 | 24
NSF awards nearly $5.7 million to protect U.S. cyberspace | Vol 7, No. 1 | 11
Open Source Patch Management: Options for DIYers | Vol 7, No. 1 | 14
Pentagon Creates ‘Do Not Buy’ List of Russian, Chinese Software | Vol 7, No. 8 | 13
Pentagon Creates “Do Not Buy” List of Russian, Chinese Software | Vol 7, No. 9 | 3
Pentagon is rethinking its multibillion-dollar relationship with U.S. defense contractors to boost supply chain security | Vol 7, No. 10 | 10
Philips tests LiFi in a real office | Vol 7, No. 4 | 9
Picking flowers, making honey | Vol 7, No. 11 | 10
Police dog sniffs out USB drive to snare school hacker | Vol 7, No. 6 | 20
President's Scholarship for Women in Cybersecurity | Vol 7, No. 1 | 8
Privacy, identity 'impossible to protect' say 74% of security pros | Vol 7, No. 7 | 16
Publicly Available Tools Seen in Cyber Incidents Worldwide | Vol 7, No. 11 | 11
Real "fake news": China introduces AI news anchor | Vol 7, No. 12 | 20
Recommended Reading List | Vol 7, No. 10 | 3
Red Teamer’s Tools: Tom’s Hacking Kit | Vol 7, No. 3 | 16
Researchers Warn of Physics-Based Attacks on Sensors | Vol 7, No. 3 | 9
Rights group criticises China for mass DNA collection in Xinjiang | Vol 7, No. 2 | 9
Risk Management Framework (RMF) – Frequently Asked Questions (FAQ) | Vol 7, No. 5 | 11
Russian Hackers Appear to Shift Focus to U.S. Power Grid | Vol 7, No. 8 | 11
Russian Scientists Arrested for Using Nuclear Supercomputer to Mine Bitcoin | Vol 7, No. 3 | 20
Security is Not a Technology Profession | Vol 7, No. 1 | 15
Senate Defense Bill Aims to Scrub Cyber Adversaries from U.S. Military Tech | Vol 7, No. 6 | 16
Server Virtualization Security: NIST Publishes SP 800-125A Revision 1 | Vol 7, No. 7 | 17
Seven Security Activities You Should Automate | Vol 7, No. 11 | 12
Side-Channel Attack Allows Remote Listener to ‘Hear’ On-Screen Images | Vol 7, No. 10 | 13
Smartphone Battery Explodes After Man Inexplicably Bites Into It | Vol 7, No. 2 | 20
Some good resources for Windows Auditing....... | Vol 7, No. 10 | 4
Study Reveals Small But Powerful Iran Cyber Threat | Vol 7, No. 1 | 17
The 10 airports where your phone is most likely to get hacked | Vol 7, No. 8 | 6
The Cybersecurity World Is Debating WTF Is Going on With Bloomberg’s Chinese Microchip Stories | Vol 7, No. 11 | 8
The Do’s and Don’ts of Industrial IoT | Vol 7, No. 5 | 10
The F-35's Greatest Vulnerability Isn't Enemy Weapons. It's Being Hacked. | Vol 7, No. 12 | 11
The Military's Losing War Against Data Leakage | Vol 7, No. 3 | 8
The rare form of machine learning that can spot hackers who have already broken in | Vol 7, No. 12 | 2
The US National Cyber Strategy | Vol 7, No. 11 | 7
The Wiretap Rooms | Vol 7, No. 7 | 2
This Insane Map Shows All The Beauty And Horror Of The Dark Web | Vol 7, No. 4 | 14
This is Not a Game: NIST Virtual Reality Aims to Win for Public Safety | Vol 7, No. 6 | 8
This Is So Much Bigger Than Facebook | Vol 7, No. 4 | 10
Top 8 Cybersecurity Skills IT Pros Need in 2018 | Vol 7, No. 2 | 14
U.S. charges three Ukrainians in payment card hacking spree | Vol 7, No. 8 | 9
U.S. DoD Hopes To Stamp Out Threats With Bug Bounty Program | Vol 7, No. 5 | 8
U.S. Government Can’t Get Controversial Kaspersky Lab Software Off Its Networks | Vol 7, No. 6 | 2
U.S. states demand better access to secrets about election cyber threats | Vol 7, No. 9 | 12
Uber’s Secret Tool for Keeping the Cops in the Dark | Vol 7, No. 2 | 2
Upstream devoted to truck cybersecurity threats | Vol 7, No. 12 | 12
US AG creates a new 'Cybersecurity Task Force' | Vol 7, No. 3 | 14
US govt staffers use personal gear on work networks, handle biz docs on the reg – study | Vol 7, No. 3 | 8
US mulls drafting gray-haired hackers during times of crisis | Vol 7, No. 4 | 16
US Senator Ron Wyden to Pentagon: Encrypt your websites | Vol 7, No. 6 | 15
USB & U | Vol 7, No. 11 | 5
US-CERT Warns of Active Attacks Targeting Energy and Other Critical Infrastructure Sectors | Vol 7, No. 1 | 16
Vaporworms: New breed of self-propagating fileless malware to emerge in 2019 | Vol 7, No. 12 | 13
Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades | Vol 7, No. 9 | 12
Vulnerability Spotlight: Multiple Vulnerabilities in Samsung SmartThings Hub | Vol 7, No. 8 | 10
Water Proof | Vol 7, No. 11 | 20
What happens to your online accounts when you die? | Vol 7, No. 9 | 6
What the @#$%&!? Microsoft bans nudity, swearing in Skype, emails, Office 365 docs | Vol 7, No. 4 | 20
What types of hospitals experience data breaches? | Vol 7, No. 3 | 14
White House Reorganization Addresses Cyber Workforce Gap | Vol 7, No. 7 | 17
Who wanted a future in which AI can copy your voice and say things you never uttered? Who?! | Vol 7, No. 4 | 8
Why Hackers Love Healthcare | Vol 7, No. 5 | 12
Why You Should Never Pay A Ransomware Ransom | Vol 7, No. 4 | 9
Will Throwing More People At Security Make It Better? | Vol 7, No. 1 | 12
Windows 10 can now show you all the data it's sending back to Microsoft | Vol 7, No. 2 | 14
Windows 95 is now an app you can download and install on macOS, Windows, and Linux | Vol 7, No. 9 | 20
Your Nosy Amazon Alexa Can Now Interrogate You | Vol 7, No. 5 | 9
Zero-day in popular WordPress plugin exploited in the wild to take over sites | Vol 7, No. 12 | 6


The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members.

The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity, and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved. Members include practitioners at all levels of the security field in a broad range of industries such as communications, education, healthcare, manufacturing, financial, and government.

Information Systems Security Association Developing and Connecting Cybersecurity Leaders Globally

Colorado Springs Chapter

WWW.ISSA-COS.ORG

Published at no cost to ISSA Colorado Springs by Sumerduck Publishing TM, Woodland Park, Colorado

Article for the Newsletter? If you would like to submit an article...

Do you have something that the Colorado Springs ISSA community should know about? Tell us about it!

We are always looking for articles that may be of interest to the broader Colorado Springs cyber community.

Send your article ideas to Don Creamer at:

[email protected]

Ensure that “Newsletter” is in the subject line.

Looking forward to seeing you in print!

Chapter Officers:

President: Ernest Campos

Executive Vice President: Scott Frisch

Vice President: Ernest Campos

Vice President of Membership: David Reed

• Deputy VP Membership: Melissa Absher

Vice President of Training: Mark Heinrich

• Deputy VP Training: Susan Ross

Treasurer: Mark Maluschka

• Deputy Treasurer: Chuck Wright

Communications Officer: Anna Johnston

• Dep. Communications Officer: Christine Mack

Recorder/Historian: Russ Weeks

• Deputy Recorder/Historian: Vacant

Member at Large: James Asimah

Member at Large: Delton Eason

Member at Large: Bill Blake

Member at Large: Jim Blake

Dir. of Certifications: Derrick Lopez

• Dep. Dir. of Certifications: Vacant

Dir. of Professional Outreach: Katie Martin

• Dep. Dir. of Professional Outreach: June Shores

Committee Chairs:

Ethics: Tim Westland

IT Committee: Patrick Sheehan

Mentorship: Melissa Absher

Recognition: Erik Huffman

Sponsorship: Ernest Campos

Transformation: Ernest Campos

Newsletter: Don Creamer

The Contact Lens That Could Turn You Into a Camera

By Staff, The Atlantic, Undated, 2018

It’s straight out of a television show: contact lenses that can virtually turn the wearer into a computer. Less invasive than a microchip in the brain and less bulky than an actual computer, smart contact lenses could literally change how we see the world—and how it sees us.

It’s not just an abstraction: Several medical companies are filing patents for lenses that could do everything from release allergy-relief medication to monitor a wearer’s biometric data. Here’s what else the next frontier of wearables could do.

Read the rest here:

https://www.theatlantic.com/sponsored/vmware-2017/contact-lens/1634/

Past Senior Leadership

President Emeritus: Dr. George J. Proeller

President Emeritus: Mark Spencer

Past President: Frank Gearhart

Past President: Cindy Thornburg

Past President: Pat Laverty

Past President: Colleen Murphy