
VOLUME 7 NUMBER 1 JANUARY 2018

WWW.ISSA-COS.ORG

A Note From Our President

By Ms. Colleen Murphy

Colleagues,

2017 was a great year for our Chapter - we were selected as Chapter of the Year! We have another great year of events planned for 2018, so watch for emails, newsletters, and web updates so you don't miss out on anything. Your Board of Directors as of January 1, 2018, is shown below. (Vacant positions are highlighted in red.) Some were on the Board of Directors in 2017 and are continuing to serve and some are new to the Board. Please reach out to them throughout the year for any questions you may have. We have a couple vacant positions to fill, so if you're interested in any of those positions, please let me or any Board member know. You can reach any of the Board members and their deputies via links on our website.

Please join me in welcoming our newest Board members and thanking all of our Board and Committee volunteers for their continued service!

• President: Colleen Murphy

• Exec Vice Pres: Scott Frisch

• Vice President: Ernest Campos

• Treasurer: Mark Maluschka - Deputy Treasurer: Erik Hjelmstad

• Recorder/Historian: Erik Huffman - Deputy Recorder/Historian: vacant

• Communications Officer: Anna Johnston - Deputy Communications Officer: vacant

• VP of Membership: Dave Reed - Deputy VP of Membership: Melissa Absher

• VP of Training: Mark Heinrich - Deputy VP of Training: Susan Ross

• Dir of Professional Outreach: vacant - Deputy Dir of Professional Outreach: June Shores

• Dir of Certification: Derek Isaacs - Deputy Dir of Certification: Kurt Danis

• Members at Large: James Asimah, Ryan Schneider, Dawn Wellein, Jim Blake

Happy New Year!!!

Colleen

The ISSA Colorado Springs Newsletter incorporates open source news articles in compliance with USC Title 17, Section 107, Paragraph a (slightly truncated to avoid copyright infringement) as a training method to educate readers on security matters. The views expressed in articles obtained from public sources within this newsletter do not necessarily reflect those of ISSA, this Chapter or its leadership.

Names, products, and services referenced within this document may be the trade names, trademarks, or service marks of their respective owners. References to commercial vendors and their products or services are provided strictly as a convenience to our members, and do not constitute or imply endorsement by ISSA or the Colorado Springs Chapter of ISSA of any entity, event, product, service, or enterprise.


PAGE 2

As Artificial Intelligence Advances, Here Are Five Tough Projects For 2018

By Tom Simonite, Wired, December 21, 2017

For all the hype about killer robots, 2017 saw some notable strides in artificial intelligence. A bot called Libratus out-bluffed poker kingpins, for example. Out in the real world, machine learning is being put to use improving farming and widening access to healthcare.

But have you talked to Siri or Alexa recently? Then you’ll know that despite the hype, and worried billionaires, there are many things that artificial intelligence still can’t do or understand. Here are five thorny problems that experts will be bending their brains against next year.

The meaning of our words

Machines are better than ever at working with text and language. Facebook can read out a description of images for visually impaired people. Google does a decent job of suggesting terse replies to emails. Yet software still can’t really understand the meaning of our words and the ideas we share with them. “We’re able to take concepts we’ve learned and combine them in different ways, and apply them in new situations,” says Melanie Mitchell, a professor at Portland State University. “These AI and machine learning systems are not.”

Mitchell describes today’s software as stuck behind what mathematician Gian-Carlo Rota called “the barrier of meaning.” Some leading AI research teams are trying to figure out how to clamber over it.

One strand of that work aims to give machines the kind of grounding in common sense and the physical world that underpins our own thinking. Facebook researchers are trying to teach software to understand reality by watching video, for example. Others are working on mimicking what we can do with that knowledge about the world. Google has been tinkering with software that tries to learn metaphors. Mitchell has experimented with systems that interpret what’s happening in photos using analogies and a store of concepts about the world.

ISSA-COS NEWS

“You no longer need a room full of PhDs to do machine learning.”

The reality gap impeding the robot revolution

Robot hardware has gotten pretty good. You can buy a palm-sized drone with HD camera for $500. Machines that haul boxes and walk on two legs have improved also. Why are we not all surrounded by bustling mechanical helpers? Today’s robots lack the brains to match their sophisticated brawn.

Getting a robot to do anything requires specific programming for a particular task. They can learn operations like grasping objects from repeated trials (and errors). But the process is relatively slow. One promising shortcut is to have robots train in virtual, simulated worlds, and then download that hard-won knowledge into physical robot bodies. Yet that approach is afflicted by the reality gap—a phrase describing how skills a robot learned in simulation do not always work when transferred to a machine in the physical world.

The reality gap is narrowing. In October, Google reported promising results in experiments where simulated and real robot arms learned to pick up diverse objects including tape dispensers, toys, and combs.

Further progress is important to the hopes of people working on autonomous vehicles. Companies in the race to roboticize driving deploy virtual cars on simulated streets to reduce the time and money spent testing in real traffic and road conditions. Chris Urmson, CEO of autonomous-driving startup Aurora, says making virtual testing more applicable to real vehicles is one of his team’s priorities. “It’ll be neat to see over the next year or so how we can leverage that to accelerate learning,” says Urmson, who previously led Google parent Alphabet’s autonomous-car project.

Guarding against AI hacking

The software that runs our electrical grids, security cameras, and cellphones is plagued by security flaws. We shouldn’t expect software for self-driving cars and domestic robots to be any different. It may in fact be worse: There’s evidence that the complexity of machine-learning software introduces new avenues of attack.

Read the rest here:

https://www.wired.com/story/as-artificial-intelligence-advances-here-are-five-projects-for-2018/

PAGE 3

Membership Update

First, I would like to take this opportunity to say Happy New Year and thank everyone for their support of the Colorado Springs Chapter of ISSA.

The members are what make this such a great organization to associate with. Everything you do to support chapter activities is appreciated!

Next, I would like to welcome our new members on behalf of the Chapter! When you are participating in Chapter activities, please take a moment to introduce yourself to members of the board, me, and other members. Don’t forget to identify yourself as a new member and feel free to ask for help or information. Thanks for joining the Chapter and don’t forget to look for opportunities to lend your expertise to improve the Chapter. We’re always open to new ideas and suggestions.

Elections were completed in early December and the new board members were announced at the ISSA-COS Annual Recognition Luncheon. We look forward to serving the chapter in the upcoming year. I was glad to see a good turn-out for the luncheon. It was a good meal and a great opportunity to network with friends and colleagues. If you couldn’t participate this year, I hope you’ll try to keep your schedule open for next year’s recognition lunch.

Thanks,

David Reed
Membership Committee Chairman
[email protected]

New Members, December

Matthew Ejtehadi

Eric Keith

Erik Huffman

Richard Owen Jr.

Robert McCaslin Jr

Jeffrey Tomkiewicz

William J. Carson

PAGE 4

Local news coverage of cybersecurity in 2017

By Frank Gearhart, ISSA-COS, December 31, 2017

In 2017, cybersecurity was a popular subject to write about. Locally, the Colorado Springs Business Journal and the Colorado Springs Gazette printed 55 articles where cybersecurity was either the main subject of the article or a significant part of the article, while the Denver Post printed 48. That’s just under two articles each week on cybersecurity.

These articles cover cybersecurity from various viewpoints: high-visibility national and international attacks; local businesses and investment; academic, government, and private partnerships; and local conferences. The Colorado Springs-based National Cybersecurity Center, the National Cybersecurity Symposium, and Cybersecurity Industry Day are all covered.

If you want to get more involved in these activities in 2018, keep an eye on the upcoming events of local professional and business organizations. It may also be worth subscribing to a local business-focused publication. If you want to be part of the conversation rather than just read about it, contact your local business organizations and help them include cybersecurity as a part of their upcoming events.

If you missed any of these articles, here is a mostly comprehensive list, starting with the most recent.

Denver Post

• https://www.denverpost.com/2017/12/22/alteryx-data-breach/

• https://www.denverpost.com/2017/12/03/start-ups-embrace-cryptocurrency-raise-needed-capital/

• https://www.denverpost.com/2017/11/28/colorado-colleges-overflowing-computer-science-students/

• https://www.denverpost.com/2017/11/27/tech-plus-mailbag-email-spoofing/

• https://www.denverpost.com/2017/11/26/fbi-silent-us-officials-targeted-russian-hackers/

• https://www.denverpost.com/2017/11/21/uber-data-hack-november-2017/

• https://www.denverpost.com/2017/11/04/hackers-hijacked-donald-trump-web-addresses/

• https://www.denverpost.com/2017/11/02/russia-hacking-hit-list-presidential-election-putin/

• https://www.denverpost.com/2017/10/09/ask-amy-cybersecurity-expert-gets-spousehacked/

• https://www.denverpost.com/2017/10/05/castle-rock-bioptix-cryptocurrency/

• https://www.denverpost.com/2017/10/03/equifax-chairman-data-breach/

• https://www.denverpost.com/2017/09/26/sec-chairman-facing-congress-after-hack/

• https://www.denverpost.com/2017/09/25/cybersecurity-vacation-rentals-denver-gazelle-fast-growing-company/

• https://www.denverpost.com/2017/09/22/colorado-elections-system-weakness-scan/

• https://www.denverpost.com/2017/09/21/sec-hacked-illegal-stock-trades/

• https://www.denverpost.com/2017/09/15/regis-university-cybertech-girls-seminar-cybersecutity/

• https://www.denverpost.com/2017/09/15/equifax-data-breach-social-security-number-replacement/

• https://www.denverpost.com/2017/09/10/ibm-mit-partner-artificial-intelligence-research/

• https://www.denverpost.com/2017/09/07/equifax-data-breach/

• https://www.denverpost.com/2017/09/07/denvers-optiv-security-david-petraeus/

• https://www.denverpost.com/2017/08/10/cyber-criminals-next-target-pacemaker/

• https://www.denverpost.com/2017/08/08/defense-agencies-stolen-data-darknet-denver-owl-cybersecurity/

• https://www.denverpost.com/2017/08/08/secretary-of-state-wayne-williams-election-hacking/

• https://www.denverpost.com/2017/08/07/hbo-hackers-demand-millions-in-ransom-for-stolen-data/

• https://www.denverpost.com/2017/07/26/hacker-summit-las-vegas-focuses-preventing-attacks/

(Continued on page 9)

PAGE 5

Mentorship Committee Update

Thank you to all who have participated in the Mentorship Program this past year! The next meeting will be the Mentors meeting in January 2018.

Mission Statement

Provide curious mentees at any stage of their information security career lifecycle with access to mentors who share their knowledge and experience in ensuring the confidentiality, integrity, and availability of information resources throughout a variety of industries.

Overview

The ISSA-COS Mentorship Program is designed to be mentee driven. Mentees determine the number of mentors they meet with depending on their questions, needs, and availability. The goal is to provide mentees with quality mentoring opportunities in a professional and problem solving environment. There will be group meetings twice a year (April & October) for all mentors and mentees to meet, greet, and discuss information security. Individual meetings between mentees and mentors will be scheduled throughout the year as determined by the mentee and mentor. Mentees and mentors are expected to prepare for individual meetings by writing down questions and discussion topics prior to the meeting. e-Mentoring is also an option for those who need remote options. Mentors will meet as a group twice a year (January & June) to collaborate and share resources. Small group meetings to discuss specific topics and field trips to companies and organizations will be scheduled ad hoc.

Why Mentor?

Give back to the security community by sharing your knowledge and experience, provide career insight to mentees, grow your network.

Why be a Mentee?

Gain access to knowledge and experience in different security areas and industries.

Enrollment Process

• Be an ISSA Member

• Complete the Mentorship Enrollment Form

• Submit the form with your resume to a Mentorship Committee Chair

Free Splunk Training for Former Service Members

As part of the $100 million Splunk Pledge (https://workplus.splunk.com/veterans), Splunk has committed to supporting the effort to train the workforce of tomorrow by equipping veterans and former service members with the Splunk skills they need for today’s jobs — all at no cost to them.

PAGE 6

ISSA Fellow Program 2018 Fellows Cycle Now Open

The Colorado Springs ISSA Chapter has over 500 current members. Many of you have been members for several years and may qualify for the ISSA fellow program. The Fellow Program recognizes sustained membership and contributions to the profession. If you think you or another ISSA associate may qualify in the fellow program, please contact Shawn P. Murray at [email protected] or at 719-362-0666 to coordinate the process. Shawn is the chair of the chapter awards committee and will help you through the steps. Below are some additional details on the ISSA Fellow Program. Qualification information is also presented below:

No more than 1% of members may hold Distinguished Fellow status at any given time. Fellow status will be limited to a maximum of 2% of the membership.

Nominations and applications are accepted on an annual cycle. Applications will be accepted until March 23, 2018 at 5:00pm Eastern Time. Following the application period, there will be a ten week review period followed by the notification and presentation process. Fellows and Distinguished Fellows will be recognized at the 2018 ISSA International Conference.

Familiarize yourself with the Fellow Program and the submission guidelines. If you have questions, contact Shawn or the ISSA Fellow Manager, or call 866 349 5818 (US toll free) extension 4082.

To Become a Senior Member

Any member can achieve Senior Member status. This is the first step in the Fellow Program. What are the criteria?

Senior Member Qualifications

• 5 years of ISSA membership

• 10 years relevant professional experience

All Senior Member applications require an endorsement from their home chapter to qualify.

Click here to access the Senior Member application. Click here for the Senior Member endorsement form.

To Become a Fellow or Distinguished Fellow

Have you led an information security team or project for five or more years? Do you have at least eight years of ISSA membership and served for three years in a leadership role (as a chapter officer or Board member or in an International role)? You may be eligible to become an ISSA Fellow or Distinguished Fellow. Please contact Shawn and become familiar with the Fellow Program Guidelines and use the current forms to ensure you comply with all requirements.

Fellow Qualifications

• 8 years of association membership.

• 3 years of volunteer leadership in the association.

• 5 years of significant performance in the profession such as substantial job responsibilities in leading a team or project, performing research with some measure of success or faculty developing and teaching courses.

(Continued on page 7)

PAGE 7

All Fellow applications require a nomination to qualify.

Click here to access the Fellow application. Click here to nominate a Fellow. Click here to submit a Fellow letter of recommendation.

Distinguished Fellow Qualifications

• 12 years association membership.

• 5 years of sustained volunteer leadership in the association.

• 10 years of documented exceptional service to the security community and a significant contribution to security posture or capability.

All Distinguished Fellow applications require a nomination to qualify.

Click here to access the Distinguished Fellow application. Click here to nominate a Distinguished Fellow. Click here to submit a Distinguished Fellow letter of recommendation.

Please help us identify candidates that we can recognize in our chapter! Please contact:

Shawn P. Murray Awards & Recognition Committee Chair

[email protected]

719-362-0666

(Continued from page 6)

Update Your Profile!

Don’t forget to periodically log on to www.issa.org and update your personal information.

PAGE 8

President's Scholarship for Women in Cybersecurity

There is a huge need for cybersecurity professionals, with almost 1 million open job positions globally, estimated to grow to a massive 3.5 million openings by 2021. However, what is surprising is that only 11% of the current cybersecurity workspace consists of women, with only a meager 1% of women as C-Level Executives. It is time for women to take a stand toward promoting a cyber safe industry and break stereotypes by coming forward to bridge this gap.

EC-Council University, in recognizing this gap, has taken a strong stand in promoting Women in Cybersecurity, globally, by offering a President's Scholarship to encourage and increase the participation of women in this domain. All women are encouraged to apply for this scholarship valued at USD 2000 that can be used against a successful application toward a Bachelor's or Master's degree program.

Tell us what you think about 'Women in Cyber Leadership' and apply for a President's Scholarship opportunity, awarded by EC-Council University President Lata Bavisi, a Leading Woman in Advocating Cybersecurity Education.

Deserving candidates will be selected on the following criteria:

1. All admission requirements must be met

2. An essay of 200 words on what you think about Women in Cyber Leadership

3. Deadline is January 31, 2018

For more details contact us at [email protected]

The Cybersecurity Industry Needs YOU! EC-Council, 101C Sun Avenue, NE, Albuquerque, NM 87109

PAGE 9

• https://www.denverpost.com/2017/07/17/tech-plus-mailbag-remote-access/

• https://www.denverpost.com/2017/07/10/trump-cyber-security-russia-unit/

• https://www.denverpost.com/2017/06/27/europe-hackers-widespread-disruption-ukraine/

• https://www.denverpost.com/2017/06/21/russia-election-hacking/

• https://www.denverpost.com/2017/06/13/russian-election-hacks-colorado-not-involved/

• https://www.denverpost.com/2017/05/17/nsa-hacking-tool-loose/

• https://www.denverpost.com/2017/05/16/north-korea-links-cyberattack/

• https://www.denverpost.com/2017/05/15/ransomware-attack-shows-the-threat-of-cyberwar-crimes/

• https://www.denverpost.com/2017/05/15/cyberattack-wave-risk/

• https://www.denverpost.com/2017/05/13/global-cyberattack-nations-respond/

• https://www.denverpost.com/2017/05/12/nsa-leak-malware-cripples-computers/

• https://www.denverpost.com/2017/05/09/rocky-mountain-information-security-conference-cybersecurity-women/

• https://www.denverpost.com/2017/05/06/france-election-campaign-macron-hacking-attack/

• https://www.denverpost.com/2017/04/30/cyberattacks-extortion-increasing/

• https://www.denverpost.com/2017/04/18/denver-cybersecurity-startup-cybergrx-hit-a-nerve-attracts-20-million-in-round-led-by-silicon-valley-vc/

• https://www.denverpost.com/2017/04/10/amazon-third-party-sellers-hackers/

• https://www.denverpost.com/2017/03/20/optiv-security-acquires-comm-solutions/

• https://www.denverpost.com/2017/03/19/cybersecurity-industry-hopes-women-will-help-fill-1-million-jobs/

• https://www.denverpost.com/2017/03/13/robots-jobs-cyberwarfare-edelman/

• https://www.denverpost.com/2017/03/09/denver-cybersecurity-competition/

• https://www.denverpost.com/2017/02/12/regis-cybersecurity-exercise/

• https://www.denverpost.com/2017/01/30/draftees-can-choose-computer-over-infantry/

• https://www.denverpost.com/2017/01/17/secureset-academy-4-million-investment/

Colorado Springs Gazette:

• http://gazette.com/air-force-academy-brainstorming-at-research-center-is-outgrowth-of-cyberworx-effort/article/1618126

• http://gazette.com/ppcc-to-launch-new-two-year-cybersecurity-degree-open-third-lab/article/1617676

• http://gazette.com/us-firm-hackers-interfered-with-industrial-facility/article/feed/521462

• http://gazette.com/uber-no-evidence-hackers-took-rider-credit-card-numbers/article/feed/521136

• http://gazette.com/britains-cyber-security-chief-warns-of-russian-interference/article/feed/511641

• http://gazette.com/expert-at-colorado-springs-forum-cybersecurity-as-urgent-as-60s-race-for-moon/article/1614506

• http://gazette.com/chief-economic-development-officer-leaving-colorado-springs-chamber/article/1614463

• http://gazette.com/former-spy-chief-david-petraeus-touts-cybersecurity-at-colorado-springs-symposium/article/1614427

• http://gazette.com/the-nurse-has-no-idea-that-im-practically-dead-3-of-the-spookiest-cyber-security-threats-of-2017/article/1614305

• http://gazette.com/silicon-valley-company-plans-to-add-up-to-30-jobs-next-month-in-colorado-springs/article/1614132

(Continued from page 4)

(Continued on page 10)

PAGE 10

• http://gazette.com/new-ceo-remaking-national-cybersecurity-center-as-think-tank/article/1613229

• http://gazette.com/colorado-springs-chamber-developing-plan-to-grow-cybersecurity-industry/article/1613230

• http://gazette.com/colorado-springs-startup-wants-to-be-dropbox-of-cybersecurity-industry/article/1613175

• http://gazette.com/colorado-springs-cybersecurity-firm-root9b-acquired-by-new-york-private-equity-firm/article/1612229

• http://gazette.com/sec-under-fire-for-being-hacked-despite-warnings-on-security/article/feed/494893

• http://gazette.com/gulf-cybersecurity/article/feed/492082

• http://gazette.com/air-force-academy-boss-wants-colorado-springs-community-to-stop-by-for-a-visit/article/1610764

• http://gazette.com/gardner-state-could-lead-in-cybersecurity/article/1610281

• http://gazette.com/cherwell-software-founder-creating-accelerator-focused-on-security-technology/article/1609426

• http://gazette.com/russias-foreign-minister-says-trump-and-putin-discussed-cybersecurity-and-agreed-to-set-up-a-joint-group-to-address-it/article/feed/474982

• http://gazette.com/group-warns-that-kenya-may-use-cybersecurity-surveillance/article/feed/474414

• http://gazette.com/documents-link-russian-cybersecurity-firm-to-spy-agency/article/feed/474046

• http://gazette.com/vulnerabilities-in-infrastructure-software-concern-cybersecurity-experts/article/1604755

• http://gazette.com/china-cybersecurity-law/article/feed/461040

• http://gazette.com/colorado-springs-defense-contractor-vectrus-gets-212-million-contract-extension/article/1604164

• http://gazette.com/trade-groups-appeal-to-beijing-to-postpone-cybersecurity-law/article/feed/461030

• http://gazette.com/colorado-springs-civil-air-patrol-cadets-earn-national-cybersecurity-honor/article/1601599

• http://gazette.com/british-colorado-springs-cybersecurity-experts-compare-notes-in-panel-discussion/article/1599081

• http://gazette.com/colorado-springs-fire-department-twitter-account-hijacked-in-turkish-diplomatic-feud/article/1598960

• http://gazette.com/cybersecurity-presentation-planned-thursday-in-colorado-springs/article/1597778

• http://gazette.com/cybersecurity-becoming-a-top-dod-priority-colorado-springs-expert-says/article/1596601

• http://gazette.com/colorado-springs-growing-cyber-industry-takes-center-stage/article/1596356

• http://gazette.com/wargame-of-cyber-proportions-unfolds-in-colorado-springs-symposium/article/1596165

• http://gazette.com/lawyer-3-charged-with-treason-in-russia-cybersecurity-case/article/feed/442253

Colorado Springs Business Journal

• https://www.csbj.com/2017/12/27/ppcc-launches-cybersecurity-degree/

• https://www.csbj.com/2017/11/22/sbdc-expands-cybersecurity-training-for-small-biz/

• https://www.csbj.com/2017/11/22/country-of-origin-important-with-cybersecurity-software/

• https://www.csbj.com/2017/11/21/sbdc-boosts-small-biz-cybersecurity-training/

• https://www.csbj.com/2017/11/10/cybersecurity-workers-high-demand-across-colorado/

• https://www.csbj.com/2017/11/10/uccs-cisco-launch-cybersecurity-workforce-deal/

• https://www.csbj.com/2017/11/03/missick-helps-fill-cybersecurity-gap-in-springs/

• https://www.csbj.com/2017/10/24/92394/

• https://www.csbj.com/2017/10/20/soldiers-take-fast-track-to-cybersecurity-careers/

• https://www.csbj.com/2017/09/08/cybersecurity-compliance-window-closing-fast/

(Continued from page 9)

(Continued on page 11)

PAGE 11

• https://www.csbj.com/2017/09/06/colorado-cybersecurity-company-partners-fort-carson/

• https://www.csbj.com/2017/08/29/rios-announces-resignation-national-cyber-center/

• https://www.csbj.com/event/cybersecurity-oversight-training/

• https://www.csbj.com/2017/04/21/cyberecurity-apprenticeships-bridge-gaps/

• https://www.csbj.com/2017/04/14/new-center-tackles-health-care-cybersecurity/

• https://www.csbj.com/2017/04/07/89644/

• https://www.csbj.com/2017/03/29/cybersecurity-industry-day-april-10/

• https://www.csbj.com/2017/03/24/experts-cybersecurity-in-city-set-to-surge/

• https://www.csbj.com/2017/03/03/cybersecurity-risks-for-nonprofits/

• https://www.csbj.com/2017/01/24/furda-leaving-csbj-national-cybersecurity-center/

(Continued from page 10)

NSF awards nearly $5.7 million to protect U.S. cyberspace

By Staff, Homeland Security News Wire, December 28, 2017

The National Science Foundation (NSF) recently gave the nation’s cybersecurity professionals a boost with the inclusion of four new universities into its CyberCorps: Scholarship for Service (SFS) program.

NSF awarded nearly $5.7 million, with an expected total of almost $16.6 million over the next five years, to universities in Illinois, Maryland, Louisiana, and Texas. The schools will use the money to provide scholarships consisting of full tuition and a stipend up to $34,000 to individuals willing to work after graduation in a cybersecurity position for federal, state, local or tribal governments.

The NSF says that the following universities received the awards:

• Purdue University Northwest, $1.2 million ($3.6 million over five years)

• University of Maryland, College Park, $1.6 million ($5 million over five years)

• Louisiana Tech University, $1.3 million ($3.5 million over five years)

• Texas A&M University Main Campus, $1.5 million ($4.4 million over five years)

“Each school provided evidence of a strong academic program in cybersecurity, including designation as a Center of Excellence by the National Security Agency and Department of Homeland Security,” said Victor Piotrowski, CyberCorps SFS lead program director in NSF’s Education and Human Resources Directorate. “They also bring unique additions to the CyberCorps SFS portfolio of 70 schools.”

For example, the University of Maryland will integrate CyberCorps SFS into the Advanced Cybersecurity Experience for Students (ACES), a cybersecurity curriculum created as a private-public partnership with Northrop Grumman Corporation. It consists of two academic programs that students take over the course of four years: the ACES Living-Learning Program for freshmen and sophomores, and coursework for juniors and seniors called the ACES Minor that leads to an academic minor in cybersecurity.

Other additions include:

• The first bachelor of science program in Cyber Engineering developed by Louisiana Tech.

• A newly formed Cyber Operations Special Unit leveraged by Texas A&M at its Corps of Cadets.

• Purdue University Northwest’s establishment of a seamless pathway for students from community colleges to study cybersecurity at four-year schools.

The NSF notes that agreements with community colleges also played an important role in making the new awards. Purdue University Northwest proposed partnerships with Moraine Valley Community College and Indiana Ivy Tech, Indiana’s community college system. In addition, Texas A&M proposed a new partnership that will permit students from Houston Community College to enroll in Texas A&M to continue their studies.

Read the rest here:

http://www.homelandsecuritynewswire.com/dr20171228-nsf-awards-nearly-5-7-million-to-protect-u-s-cyberspace


By Frank Gearhart , ISSA-COS, November 2017

Reports of the global security professional gap range from 1M to 1.8M open positions. In response, there are dozens of new academic programs and for-profit companies trying to fill that gap, promising good salaries and long-term careers. What if we magically had all the cybersecurity practitioners we needed? Would that solve our security problems?

If we look at what security professionals do now and assume that the next 1M or 1.8M will do the same, I’m not convinced that our personal, organizational, and governmental cybersecurity will be significantly improved by just adding more people. Just having more hands on keyboards or more eyes on screens will not make that much difference. One hundred people on one hundred keyboards cannot respond to machine speed attacks any faster than ten or one.

What we need is more flexibility in thinking about security to develop better, smarter tools, more innovative defenses, and ways to better build security in from the beginning across the board - in hardware, software, robotics (personal, commercial, and industrial), and Internet of Things (IoT) systems (again personal, commercial, and industrial).

Should we stop worrying about STEM/STEAM, or bringing people into our profession? No. Firstly, there’s attrition. People retire or move to other fields. Secondly, we won’t get the new, flexible thinking our profession needs without new minds.

To get to new ways of thinking about security we need to change our philosophy and our techniques. I propose a three-pronged approach:

1. Step away from the idea that unless we block every attack, we’ve somehow failed. It’s too depressing. Our biological immune systems don’t stop every virus or malign organism, yet we are generally healthy. Getting a cold is usually no more than a nuisance, so we don’t fret too much about colds. We should worry less about ensuring that nothing bad ever gets in and concern ourselves more with minimizing the possible damage of those that do.

2. Move away from presenting cybersecurity as a separate, complex, difficult to master field. It IS complex and difficult to master, but we should think of it, and present it, as an integral part of everything we do as users of information technology; not as a separate thing. We are experts in an area where everyone is a user, like an English professor. We need to tell a compelling story and make cybersecurity personal.

PAGE 12

3. Be more inviting. Demystify our profession and actively engage those who may only be interested in just learning the shallowest layers. Not everyone wants to be a penetration tester or a malware researcher, but everyone needs to understand the importance of protecting their data. Lock your house; lock your office; lock your data.

We need a continual influx of diverse, well-trained minds to tackle the current issues and find ways to defend against the new ones. We need to share our knowledge and our concerns. We also need smarter tools for these new minds to use effectively. More eyes and more hands alone are not enough.

(Originally published on LinkedIn)

Will Throwing More People At Security Make It Better?

ISSA-COS NEWS

Training News

Happy New Year, fellow security fiends!

2018 looks to be a great year for training events. Our mini-seminars start in February and the first topic is (tentatively) "Blockchains: What they are and how they will affect us". I will finalize the details in the next few weeks.

Other mini-seminar topics may include Reverse Engineering, Introduction to NMAP, Introduction to Wireshark, and Dark Web Follies. Of course, if you have a topic you wish to present, let me know.

The Security+ materials update will begin in a few weeks. Thanks to those of you that volunteered. We'll start the CISSP update as soon as the CBK is released, probably in the March/April timeframe.

As always, I want to extend a special thanks to the people who help with our work, either as speakers or doing the "behind the scenes" support that is so critical.

I look forward to seeing all of you in the coming weeks.

If you have any questions, contact our Training Committee leads at: [email protected].

Mark Heinrich, CISSP

VP Training

PAGE 13 VOLUME 7 NUMBER 1

By Kurt Danis, ISSA-COS, November 15, 2017

Readers should consider registering for the Journal of Cybersecurity. Registering with Oxford Academic provides you with FREE access to the online journal. The journal contains well-written scholarly articles and research papers about various disciplines of cybersecurity. Here are three quality articles published in March 2017:

• “Introduction to the special issue on strategic dimensions of offensive cyber operations” by Herbert Lin and Amy Zegart from Stanford University

• “Rules of engagement for cyberspace operations: a view from the USA” by C. Robert Kehler, Herbert Lin, and Michael Sulmeyer. Recall Gen. Kehler, former Commander of United States Strategic Command.

• “Second acts in cyberspace” by Martin C. Libicki -- an American scholar and Professor at the Frederick S. Pardee RAND Graduate School in Santa Monica, California.

From their website, you will find the following description of the Journal of Cybersecurity:

Journal of Cybersecurity publishes accessible articles describing original research in the inherently interdisciplinary cyber domain. Journal of Cybersecurity is premised on the belief that computer science-based approaches, while necessary, are not sufficient to tackle cybersecurity challenges. Instead, scholarly contributions from a range of disciplines are needed to understand the varied aspects of cybersecurity.

Journal of Cybersecurity provides a hub around which the interdisciplinary cybersecurity community can form. The journal is committed to providing quality empirical research, as well as scholarship, that is grounded in real-world implications and solutions.

Journal of Cybersecurity solicits articles adhering to the following, broadly constructed and interpreted, aspects of cybersecurity: anthropological and cultural studies; computer science and security; security and crime science; cryptography and associated topics; security economics; human factors and psychology; legal aspects of information security; political and policy perspectives; strategy and international relations; and privacy.

Source: https://academic.oup.com/cybersecurity

Magazine review: JOURNAL OF CYBERSECURITY

ISSA-COS NEWS

Open Source Patch Management: Options for DIYers

PAGE 14

By Paul Rubens, eSecurity Planet, December 11, 2017

CVE-2017-5638 is the code vulnerability that will long live in the corporate memory of Equifax, the credit ratings agency. A simple patch management system might have kept that vulnerability from turning into one of the most high-profile data breaches in recent memory.

CVE-2017-5638 is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, an open source application framework for developing Java EE web applications. Remote code execution bugs are generally extremely serious, and for that reason, when the vulnerability was discovered, the Apache Foundation recommended that any developers or users of affected versions of Struts upgrade to later versions that had been patched to close the vulnerability.

Unfortunately for Equifax, news of the bug never reached the person or persons responsible for applying patches, so the software in use in the company was never patched. And as if that were not bad enough, a scanner used by the company to detect software with known vulnerabilities reportedly did not detect the unpatched versions of Struts and issue an alert to the relevant administrators either.

As a result, hackers soon exploited the company's vulnerable systems to infiltrate the organization and made off with sensitive personal records - including social security numbers - of more than 140 million people in the U.S., Canada, and the UK.

The failure by Equifax to ensure that its systems were patched promptly to prevent hackers from exploiting a known (rather than zero-day) vulnerability highlights the importance of having an effective patch management system in place. The overwhelming majority of hacks are caused by organizations running software that has known vulnerabilities that should have been patched, and in that sense they are easily preventable. In fact an HP study, Cyber Risk Report 2015, found that 44 percent of known breaches in 2014 were caused by vulnerabilities that were between two and four years old that had not been fixed.

Patch management features

Most patch management solutions include three features: Inventory scanning to detect what software is present in an organization (authorized or otherwise); patch status detection to check that operating systems and applications are fully patched and flagging any that are vulnerable or for which the patch status is unknown; and patch deployment to collect, configure and apply software patches to applications that require them in the appropriate order to avoid conflicts or to undo a previously applied patch.
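The patch status detection step described above, reduced to its core: comparing a software inventory against an advisory's affected version ranges and reporting each host as vulnerable, patched, or unknown. This is an added example, not code from the article or from any patch management product; the hosts, the inventory, and the version ranges attached to CVE-2017-5638 are constructed placeholders (the real affected Struts versions must come from the vendor advisory).

```python
"""Patch status detection against a constructed inventory and advisory.

Added example, not code from the eSecurity Planet article, Equifax, or any
patch management product. The affected version ranges below are placeholders,
not the real affected Apache Struts versions. A host whose version could not
be read is reported as 'unknown' rather than silently treated as patched,
which is the failure mode the article describes in the Equifax scanner.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class InventoryItem:
    host: str
    product: str
    version: Optional[str]  # None when the inventory scan could not read a version


@dataclass
class Advisory:
    cve: str
    product: str
    affected: List[Tuple[str, str]]  # inclusive (lowest, highest) vulnerable ranges


def parse_version(text: str) -> Tuple[int, ...]:
    """Convert '2.3.31' to (2, 3, 31) so each component compares numerically.
    Plain string comparison would wrongly rank '2.3.9' above '2.3.31'."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def in_range(version: str, low: str, high: str) -> bool:
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def patch_status(item: InventoryItem, advisory: Advisory) -> str:
    """Classify one inventory item against one advisory."""
    if item.product != advisory.product:
        return "not-applicable"
    if item.version is None:
        return "unknown"  # patch state cannot be verified; it must not be ignored
    if any(in_range(item.version, low, high) for low, high in advisory.affected):
        return "vulnerable"
    return "patched"


def scan(inventory: List[InventoryItem], advisories: List[Advisory]) -> Dict[str, List[str]]:
    """Bucket hosts by their worst status across every advisory that applies."""
    rank = {"patched": 0, "unknown": 1, "vulnerable": 2}
    worst: Dict[str, str] = {}
    for advisory in advisories:
        for item in inventory:
            status = patch_status(item, advisory)
            if status == "not-applicable":
                continue
            current = worst.get(item.host)
            if current is None or rank[status] > rank[current]:
                worst[item.host] = status
    buckets: Dict[str, List[str]] = {"vulnerable": [], "unknown": [], "patched": []}
    for host, status in worst.items():
        buckets[status].append(host)
    for hosts in buckets.values():
        hosts.sort()
    return buckets


def needs_attention(report: Dict[str, List[str]]) -> List[str]:
    """Hosts a dashboard should keep prompting about until resolved: the
    vulnerable ones plus those whose patch state is still unverified."""
    return sorted(report["vulnerable"] + report["unknown"])


# Constructed sample data: hypothetical hosts and placeholder version ranges.
STRUTS_ADVISORY = Advisory(
    cve="CVE-2017-5638",
    product="Apache Struts",
    affected=[("2.3.5", "2.3.31"), ("2.5", "2.5.10")],  # placeholders, not real ranges
)

INVENTORY = [
    InventoryItem("web01", "Apache Struts", "2.3.31"),
    InventoryItem("web02", "Apache Struts", "2.3.32"),
    InventoryItem("web03", "Apache Struts", None),
    InventoryItem("web04", "Apache Struts", "2.5.10"),
    InventoryItem("db01", "PostgreSQL", "9.6"),
]

if __name__ == "__main__":
    result = scan(INVENTORY, [STRUTS_ADVISORY])
    for status, hosts in result.items():
        print(f"{status:11s} {', '.join(hosts) or '-'}")
    print("needs attention:", ", ".join(needs_attention(result)))
```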

What's clear from the fallout from the Equifax hack is that an effective patch management system would have prevented the incident: A thorough vulnerability scan would have detected the unpatched and vulnerable software and made it straightforward for the patches to be deployed. Ideally, an administrator dashboard would have highlighted the fact that the software had not been patched and prompted a suitably senior administrator on a continuous basis until the patches had been deployed.

There is no shortage of good patch management solutions. Microsoft allows many organizations to update their IT infrastructure using System Center and Windows Server Update Services, and there are also many other third-party patch management solutions from the likes of SolarWinds, Ivanti, Kaseya, and Flexera.

Open source patch management solutions

These solutions all involve proprietary software, but many organizations prefer to use open source solutions whenever possible. Apache Struts is itself open source software, but what's notable is that when it comes to open source patch management solutions which might have prevented the data breach, there are very few options.

That's not to say that none exist at all. One possible candidate is OPSI – Open PC Server Integration - which bills itself as "an open source client management system to manage heterogeneous environments." The code is under active development, and the latest test version of the code was released on Nov. 20, 2017. Commercial support is available from the project's sponsor, a German company called UIB.

And a quick search of GitHub reveals just a handful of possible solutions such as vFense ("an Open-Source Cross-Platform Patch Management and vulnerability correlation tool") which has not been updated for several years, or more actively maintained projects such as LLNL/MacPatch, which is specifically targeted at OS X systems used in enterprises.

But the truth is that there are not many realistic options for anyone looking for an open source patch management solution with a vibrant community around it and commercial support available when necessary.

Read the rest here:

https://www.esecurityplanet.com/applications/open-source-patch-management.html

PAGE 15 VOLUME 7 NUMBER 1

By Joshua Goldfarb, Security Week, December 13, 2017

Security is not a technology profession. Or at least it shouldn’t be, I would argue. If this sounds like a provocative statement to you, then I am doing my job well. In the end, though, once I’ve argued my position, I hope you’ll come to agree with me.

Perhaps it makes sense to begin by drawing a parallel to another profession, namely computer science. There is a famous quote that is sometimes attributed to Edsger Dijkstra, one of the pioneers of the computer science field: “Computer Science is no more about computers than astronomy is about telescopes.” Whether or not Dr. Dijkstra actually made this statement does not take away from the insight it brings. It is my belief that we in the information security profession can learn a lot from this quote.

So what am I getting at here? Before I answer that question, let’s take a look at two distinct topics within information security. One of them is a hot topic in current events, while the other is a timeless principle that has always been and will always be part of information security.

GDPR

Lots of people, whether security professionals or not, are talking about the European General Data Protection Regulation (GDPR) lately. This conversation is happening for good reason. The regulation is set to go into effect in May 2018, and many organizations are still struggling with it.

Rather than rehash various different points around GDPR though, I would like to focus on something different entirely. What is the essence of GDPR? What is the regulation going after? In my opinion, the regulation focuses on a strategic point that is too often overlooked in security. It focuses on the personal and private data and mandates that organizations take steps to protect that data.

GDPR doesn’t mandate that organizations have a certain type of IDS, a SIEM with a specific set of features, or a particular ticketing system. Rather, it instructs them to adequately protect the data they are entrusted with safeguarding. GDPR hones in on exactly what attackers are after - personal and private data.

Risk Mitigation

Risk mitigation is a subject that is timeless in the information security field, and it is, in essence, what information security is all about. And if we look at the biggest risks most organizations face, many of those risks relate directly to the loss of sensitive, proprietary, and confidential data. The theft of data that an organization was entrusted with safeguarding will most often cost that organization dearly.

Once again, we see that all roads lead back to protecting data. You don’t mitigate risk by throwing a bunch of technologies into a data center and hoping for the best. You prioritize the gravest risks to the most sensitive data, and then go about determining how best to protect that data.

So that brings us back to my original, perhaps provocative statement: “Security is not a technology profession.”

At this point, I hope you’ll agree that security is really a data protection profession, or at least it ought to be. Or, as we used to call our profession before the word “cyber” was everywhere, information security. Given this, you can imagine my surprise that most organizations still think about security as a technology profession.

Don’t get me wrong - technology is an extremely important component of a security program. As has been discussed many times, people, process, and technology all need to work together to secure an organization. Rather, what I am getting at here is that many organizations still seem to focus almost entirely on technological solutions to tactical problems, rather than on strategically addressing how they can best and most efficiently protect the data they are entrusted with. In other words, many organizations focus on the symptoms, rather than the actual disease.

Let’s use the common cold to illustrate this point. Most of us catch a cold one or two times per year. We’re all familiar with the symptoms: sore throat, stuffy nose, headaches, and other unpleasant things. Some of us may take medicine to help minimize the effect of the various symptoms of a cold, but as we all know, there is no cure for the common cold. No matter what we do, we simply have to wait for our immune system to fight off the virus that has infected us. I might be able to relieve my headache by taking a particular medicine, but until I fight off the cold, that headache will come right back as soon as the medicine wears off.

In security, many organizations start with the symptoms, rather than the disease. I hear people say things like “I need a technology to combat ransomware”, “I want to buy something that will block more malware”, or “I am looking for a more effective anti-virus”. I almost never hear people say things like “I need to safeguard customer data” or “I am looking to better protect sensitive, confidential, and proprietary information”.

Of course, people, process, and technology will provide the means to protect the data. But until that data has been identified, classified, and properly prioritized, it is nearly impossible to direct resources appropriately toward protecting it. You can take a pill to get rid of your ransomware problem today, but unless you address the root of the issue (that being the vulnerability of the data that ransomware goes after), another problem will take its place tomorrow. Sort of a game of whack-a-mole if you will.

Read the rest here:

http://www.securityweek.com/security-not-technology-profession

Security is Not a Technology Profession

ISSA-COS NEWS

PAGE 16

By Susan Brady, Total Security Daily Advisor, November 22, 2017

A recent technical alert was issued based on information from the Department of Homeland Security and the Federal Bureau of Investigation about ongoing cyberattacks against critical industrial infrastructure and control systems across the United States.

The United States Computer Emergency Readiness Team (US-CERT) responds to major incidents, analyzes threats, and exchanges critical cybersecurity information in an effort to protect the Internet. Analysis by the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and other trusted U.S. and international partners has resulted in US-CERT issuing a joint Technical Alert (TA17-293A) that warns of advanced and persistent cyberthreats targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors across the United States.

The alert published by US-CERT warns, “Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks.”

Though not named specifically, the attack is related to a campaign that Symantec reported on September 6 and identified as Dragonfly 2.0. According to Symantec’s analysis, the attacks have been under way since December 2015, with an increasing number of attacks in 2017. The attack is considered to be ongoing. Systems affected include domain controllers, file servers, and e-mail servers.

“DHS assesses this activity as a multistage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector,” the US-CERT alert said. “Based on malware analysis and observed IOCs [indicators of compromise], DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign.”

The alert suggests two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks. The initial victims are referred to in the alert as “staging targets.” The threat actor uses the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. The ultimate objective of the cyberthreat actors is to compromise organizational networks, which are referred to throughout the alert as “intended target.”

“The threat actors compromise the infrastructure of trusted organizations to reach intended targets,” said the alert.

US-CERT Warns of Active Attacks Targeting Energy and Other Critical Infrastructure Sectors

The US-CERT technical alert provides detection and prevention guidelines to help defend against cyberattacks. It recommends that network administrators review the IP addresses, domain names, file hashes, and YARA and Snort signatures provided and add the IPs to their watch list to determine whether malicious activity is occurring within their organization. The report contains IOCs and technical details on the tactics, techniques, and procedures (TTPs) used by APT actors on compromised victims’ networks.

Read the rest here:

http://totalsecuritydailyadvisor.blr.com/cybersecurity/us-cert-warns-active-attacks-targeting-energy-critical-infrastructure-sectors/?Source=ITDA&effort=1&utm_source=BLR&utm_medium=Email&utm_campaign=ITDAEmail&spMailingID=12400750&spUserID=MTg2ODM0NzQ3NjQwS0&spJobID=1281885300&spReportId=MTI4MTg4NTMwMAS2

Did you accidentally friend a North Korean hacker on Facebook?

By Michael Kan, PC Magazine, December 19, 2017

North Korean hackers have been preying on potential targets using Facebook, but the company has thwarted at least some of their activities.

Last week, Facebook joined Microsoft and others in the security community to disrupt a covert campaign, the White House said on Tuesday. The scheme involved creating fake personal Facebook accounts that attempted to build relationships with potential targets and coordinate other activities.

In a statement, Facebook confirmed its involvement and said the Lazarus Group, a hacking collective that many security experts suspect works for North Korea, was behind the fake accounts. "We also notified people who may have been in contact with these accounts and gave suggestions to enhance their account security," Facebook said.

It isn't clear why North Korean hackers targeted Facebook users. However, social media is often ripe with people's personal information, including email addresses, phone numbers and location data. In this case, North Korea may have sought to trick their victims into installing malware, which could then be used to take over their computers.

Read the rest here:

https://www.pcmag.com/news/358049/did-you-accidentally-friend-a-north-korean-hacker-on-faceboo

PAGE 17 VOLUME 7 NUMBER 1

Study Reveals Small But Powerful Iran Cyber Threat

By David Ignatius, Real Clear Politics, December 27, 2017

When it comes to cyberweapons, America is an elephant and Iran is a flea. Still, a flea can be a persistent nuisance, especially for the unprotected.

Iran's cyber capability is the focus of a detailed new study called "Iran's Cyber Threat," to be published soon by Collin Anderson and Karim Sadjadpour of the Carnegie Endowment for International Peace. It describes a country that, although "third tier" on the cyberthreat matrix, can still do considerable damage.

The disclosures about Iran's cyberattacks are a reminder that America and its allies live in a dangerous electronic ecosystem. Russia's hacking of the 2016 U.S. presidential campaign gets daily coverage, and China's theft of American secrets has also been well-publicized. What gets too little attention are the less-sophisticated but still-toxic weapons available to dozens of smaller countries. The U.S., with its relatively open systems, can be an easy target.

The Iran study is timely: The Trump administration has declared its desire to help Saudi Arabia and other allies push back against Iran's proxies across the Middle East, in Yemen, Syria, Lebanon and elsewhere. The U.S. call for rollback is largely rhetoric, at this point; there's still little clear policy. But Tehran's allies can fight back, sometimes in ways that are hard to identify or attribute. That's especially true with cyberweapons.

The Carnegie study describes a small but useful Iranian cyber capability that evolved partly to gather foreign intelligence and partly to spy on domestic opposition groups that coalesced in the 2009 Green Movement. Iranian hackers developed a payback motive, too, after 2012 newspaper reports about the U.S. and Israeli "Stuxnet" malware attacks on the Iranian nuclear program that had started in 2007.

A decade ago, Iran began mobilizing its own resources. This home-grown hacking culture is one of the report's most interesting findings, because it can probably be duplicated in dozens of other emerging economies. "Iran's cyber capabilities appear to be indigenously developed, arising from local universities and hacking communities," the report notes. "Threat actors seemingly arise from nowhere and operate in a dedicated manner until campaigns dissipate, often due to their discovery by researchers."

The Iranian hackers began slowly in 2007, with cyber-pinpricks. A group calling itself the Iranian Cyber Army defaced dissident Twitter accounts in 2009 and, soon after, websites belonging to the Voice of America. But the attacks became more serious in 2011, after an Iranian hacker penetrated a Dutch security firm called DigiNotar, opening Gmail users in Iran to government surveillance, according to the Carnegie study.

Then came Iranian counterattacks, simple but destructive. After Iran's oil industry was hit in April 2012 by malware known as "Flame" and "Wiper," the Iranians launched an August 2012 attack on the Saudi Aramco oil company, using a wiper virus known as "shamoon." According to the Carnegie researchers, the attack affected tens of thousands of Saudi Aramco computers and caused tens or even hundreds of millions of dollars in damage.

Iran successfully attacked the U.S. as well. In September 2012, a hacker group that called itself the Izz ad-Din al-Qassam Cyber Fighters began attacking U.S. banks and financial institutions with a primitive but destructive assault known as a "distributed denial of service," or DDoS, which basically flooded targeted computers with so much traffic that their systems crashed. Here, too, the assaults did surprising damage.

The FBI concluded that from 2012 to 2013, the Iranian operation "locked hundreds of thousands of banking customers out of accounts for long periods of time and resulted in tens of millions of costs to remediate," the Carnegie analysts explain. Many financial institutions that had been hit by the Iranians said little about the attacks, to avoid worrying customers or shareholders.

Why did the Iranians strike U.S. banks? Revenge is the simple answer. The Carnegie report cites an NSA assessment that signals intelligence "indicates that these attacks are in retaliation to Western activities against Iran's nuclear sector and that senior officials in the Iranian government are aware of these attacks."

Iran's cyber capabilities suggest that the Trump administration's new anti-Tehran campaign may not be costless, even if open conflict is avoided. A website called "The Cipher Brief," which focuses on intelligence issues, headlined this month that "Iran's ... Cyber Hackers Poised to Strike If Trump Shreds Nuke Deal." A computer security firm called "FireEye" reported this month that a group of Iranian hackers, dubbed "APT34," have developed a new backdoor cyber-surveillance technique.

Read the rest here:

https://www.realclearpolitics.com/articles/2017/12/27/study_reveals_small_but_powerful_iran_cyber_threat_135856.html

PAGE 18

No, you’re not being paranoid. Sites really are watching your every move

By Dan Goodin, Ars Technica, November 20, 2017

If you have the uncomfortable sense someone is looking over your shoulder as you surf the Web, you're not being paranoid. A new study finds hundreds of sites—including microsoft.com, adobe.com, and godaddy.com—employ scripts that record visitors' keystrokes, mouse movements, and scrolling behavior in real time, even before the input is submitted or is later deleted.

Session replay scripts are provided by third-party analytics services that are designed to help site operators better understand how visitors interact with their Web properties and identify specific pages that are confusing or broken. As their name implies, the scripts allow the operators to re-enact individual browsing sessions. Each click, input, and scroll can be recorded and later played back.

A study published last week reported that 482 of the 50,000 most trafficked websites employ such scripts, usually with no clear disclosure. It's not always easy to detect sites that employ such scripts. The actual number is almost certainly much higher, particularly among sites outside the top 50,000 that were studied.

"Collection of page content by third-party replay scripts may cause sensitive information, such as medical conditions, credit card details, and other personal information displayed on a page, to leak to the third-party as part of the recording," Steven Englehardt, a PhD candidate at Princeton University, wrote. "This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes."

Englehardt installed replay scripts from six of the most widely used services and found they all exposed visitors' private moments to varying degrees. During the process of creating an account, for instance, the scripts logged at least partial input typed into various fields. Scripts from FullStory, Hotjar, Yandex, and Smartlook were the most intrusive because, by default, they recorded all input typed into fields for names, e-mail addresses, phone numbers, addresses, Social Security numbers, and dates of birth.

Even when services took steps to mask some of the data, they often did so in ways that continued to jeopardize visitor privacy. Smartlook and UserReplay, for instance, collected the number of characters typed into password fields. UserReplay also logged the last four digits of visitors' credit card numbers.

Englehardt said the services provide manual and automatic tools website operators can use to redact information that is collected on their properties. But the tools in many cases require large amounts of developer time and skill. And even then, sites with strong legal incentives not to leak sensitive data were found doing just that. Walgreens.com, for instance, sent medical conditions and prescriptions alongside user names to FullStory despite the extensive use of manual redactions on the pharmacy site.

Read the rest here:

https://arstechnica.com/tech-policy/2017/11/an-alarming-number-of-sites-employ-privacy-invading-session-replay-scripts/
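A defender-side check suggested by the study above, written here as an added example that is not part of the Ars Technica article or the newsletter: it parses a page's HTML, lists scripts served from hosts other than the site's own, and lists form inputs of the sensitive kinds the study names (e-mail, phone, password, card and SSN-like fields) that carry no redaction marker. The `data-replay-redact` attribute, the `shop.example` first-party host and the `replay.example-analytics.test` recorder are constructed placeholders; real replay vendors use their own redaction attributes and hostnames.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input characteristics the article lists as captured by replay scripts.
SENSITIVE_TYPES = {"password", "email", "tel"}
SENSITIVE_AUTOCOMPLETE = ("cc-", "bday")  # cc-number, cc-exp, bday-*
SENSITIVE_NAME_HINTS = ("ssn", "social", "card", "birth", "phone")
REDACT_ATTR = "data-replay-redact"  # assumed marker; real vendors use their own

class ReplayExposureAudit(HTMLParser):
    """Collect third-party script sources and unredacted sensitive inputs."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.third_party_scripts, self.unredacted_inputs = [], []

    def _is_third_party(self, src):
        # Relative URLs have no host; those and first-party subdomains are ours.
        host = (urlparse(src).hostname or "").lower()
        return bool(host) and host != self.first_party and not host.endswith("." + self.first_party)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and self._is_third_party(a.get("src", "")):
            self.third_party_scripts.append(a["src"])
        elif tag == "input":
            name = (a.get("name") or a.get("id") or "<unnamed>").lower()
            sensitive = (a.get("type", "text").lower() in SENSITIVE_TYPES
                         or a.get("autocomplete", "").lower().startswith(SENSITIVE_AUTOCOMPLETE)
                         or any(h in name for h in SENSITIVE_NAME_HINTS))
            if sensitive and REDACT_ATTR not in a:
                self.unredacted_inputs.append(name)

def audit_page(html, first_party_host):
    """Exposure exists only when a third-party script and unredacted data coexist."""
    p = ReplayExposureAudit(first_party_host)
    p.feed(html)
    return {"third_party_scripts": p.third_party_scripts,
            "unredacted_inputs": p.unredacted_inputs,
            "exposed": bool(p.third_party_scripts and p.unredacted_inputs)}

# Constructed checkout page: first-party scripts, one third-party recorder, mixed redaction.
SAMPLE_HTML = """<html><body>
<script src="/static/app.js"></script><script src="//cdn.shop.example/lib.js"></script>
<script src="https://replay.example-analytics.test/record.js"></script>
<form action="/checkout"><input type="text" name="full_name">
<input type="email" name="email"><input type="password" name="password">
<input type="text" name="card_number" autocomplete="cc-number">
<input type="text" name="ssn" data-replay-redact="true"></form></body></html>"""
```

Running `audit_page(SAMPLE_HTML, "shop.example")` reports the recorder script and the three unredacted sensitive fields; the same page with the recorder served first-party is not flagged as exposed, which is the distinction the study draws between first-party analytics and third-party replay services.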

ISSA-COS NEWS


PAGE 19 VOLUME 7 NUMBER 1

GET A JOB! Colorado Springs ISSA chapter member Melody Wilson maintains a “Jobs” page at Cyberjoblist.com. There is no charge. The jobs are set to remain listed for 30 days. Job listing originators can re-post them for another 30 days. It is designed for Colorado Springs, but once in a while a job is listed outside the area.

You can also sign up on the Cyberjoblist.com site for Job Alerts to be notified when a new job listing is posted!

CISSP Study Guide Discount Ashley Edwards, Senior Account Manager, Wiley

[email protected]

CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide: Edition 7

50% off for ISSA chapters

Promo code CSP50

ISSA Nametags

Do you want an ISSA nametag for your very own to wear to meetings, conferences, and events? You can now order/pick up yours directly from:

Blue Ribbon Trophies & Awards

245 E Taylor St (behind Johnny’s Navajo Hogan on North Nevada)

Colorado Springs

(719) 260-9911

Although their hours are officially Monday through Friday until 5:30 pm, they are occasionally in the shop on Saturdays. This is a small business so cash/check would be appreciated. Email [email protected] to order.

Items of Interest


PAGE 20

The ISSA-COS Newsletter staff taking a momentary respite to wish you a very happy New Year.

Such a lovely group. Rather ill-mannered, but lovely none-the-less. Always clamoring on about their pay. They have no idea how privileged they are to be allowed to work on the grounds of the Chapter estate.


Artificial intelligence may not need networks at all

By Patrick Nelson, Network World, December 20, 2017

The advancement of edge computing, along with increasingly powerful chips, may make it possible for artificial intelligence (AI) to operate without wide-area networks (WAN).

Researchers working on a project at the University of Waterloo say they can make AI adapt as computational power and memory are removed. And indeed if they can do that, it would allow the neural networks to function free of the internet and cloud — the advantages being better privacy, lower data-send costs, portability and the utilization of AI applications in geographically remote areas.

The scientists say they can teach AI to learn it doesn’t need lots of resources.

The group claims to be doing it by copying nature and placing the neural network in a virtual environment. They “then progressively and repeatedly deprive it of resources.” The AI subsequently evolves and adapts, the team members say in a news article on the school’s website.

The engine essentially learns to work around the fact that it doesn't have huge resources to draw on — AI typically uses a lot of power and processing capability.

“The deep-learning AI responds by adapting and changing itself to keep functioning,” the researchers say.

Making AI smaller

Whenever computational power or memory is removed from the school's experimental AI, it becomes smaller and is thus “able to survive in these environments,” says Mohammad Javad Shafiee, a research professor at Waterloo and the system’s co-creator.

Fitting the deep-learning engine onto a chip for use in robots, smartphones, or drones — where both connectivity and weight can be issues — are possible uses for the technology, the researchers say.

“When put on a chip and embedded in a smartphone, such compact AI could run its speech-activated virtual assistant and other intelligent features,” the news article continues.

Edge AI

The University of Waterloo’s stand-alone AI isn’t the first edge-ified AI that we’ve seen, though. Unrelated to the Waterloo project, Intel earlier this year launched its Movidius Neural Compute Stick.

That ground-breaking, no-cloud-required, plug-and-play neural compute device (retailing at under $100) is geared towards prototyping and then deploying neural vision networks at the edge with no internet needed. It’s no larger than a computer memory stick.

Gaining momentum from that launch, Movidius’s technology is also being used in Google’s upcoming Raspberry Pi-based hobbyist AIY Vision Kit, a do-it-yourself neural vision processor for the Pi camera that costs less than $50. It, too, is portable, simply requiring the Pi computer, camera and the Movidius-running VisionBonnet Raspberry Pi add-on board. Again, no network is needed. The Google TensorFlow-based software can recognize common objects, faces and animals. Movidius’s vision processing can also now be found in security cameras, drones and industrial machines.

In the case of the University of Waterloo’s AI project, the researchers say they have been able to obtain a 200-times reduction in the size of overall deep-learning AI software for object recognition.

Read the rest here:

https://www.networkworld.com/article/3243925/lan-wan/artificial-intelligence-may-not-need-networks-at-all.html

PAGE 21

PAGE 22

Annual Recognition Luncheon

PAGE 23

ISSA photos are courtesy of our Chapter Photographer Warren Pearce.

Many additional photographs are available on the ISSA-COS.ORG website.


The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members.

The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity, and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved. Members include practitioners at all levels of the security field in a broad range of industries such as communications, education, healthcare, manufacturing, financial, and government.

Information Systems Security Association Developing and Connecting Cybersecurity Leaders Globally

Colorado Springs Chapter

WWW.ISSA-COS.ORG

Published at no cost to ISSA Colorado Springs by Sumerduck Publishing™, Woodland Park, Colorado

Do you have something that the Colorado Springs ISSA community should know about? Tell us about it!

We are always looking for articles that may be of interest to the broader Colorado Springs cyber community.

Send your article ideas to Don Creamer at:

[email protected]

Ensure that “Newsletter” is in the subject line.

Looking forward to seeing you in print!

Article for the Newsletter? If you would like to submit an article...

Chapter Officers:

President: Colleen Murphy

Executive Vice President: Scott Frisch

Vice President: Ernest Campos

Vice President of Membership: David Reed

Deputy VP Membership: Melissa Absher

Vice President of Training: Mark Heinrich

Deputy VP Training: Susan Ross

Treasurer: Mark Maluschka

Deputy Treasurer: Erik Hjelmstad

Communications Officer: Anna Johnston

Dep. Communications Officer: Vacant

Recorder/Historian: Erik Huffman

Deputy Recorder/Historian: Vacant

Member at Large: James Asimah

Member at Large: Dawn Wellein

Member at Large: Ryan Schneider

Member at Large: Jim Blake

Dir. of Certification: Derek Isaacs

Dep. Dir. of Certification: Kurt Danis

Dir. of Professional Outreach: Vacant

Deputy Dir. of Professional Outreach: June Shores

Committee Chairs:

Ethics: Tim Westland

Web Development: Bill Welker

Sponsorship: Dr. Pat Laverty

Mentorship: Melissa Absher

Recognition: Shawn P. Murray

Transformation: Ernest Campos

Newsletter: Don Creamer

Norway officially scraps FM radio in favor of digital broadcasting

By Ed Adamczyk, UPI, December 15, 2017

Norway became the first country to end FM radio service this week.

The last FM transmitters of government radio services, in Troms and Finnmark in the country's most remote northern areas, shut down on Thursday. The nationwide change to DAB, or digital audio broadcasting, took nearly one year.

Read the rest here:

https://www.upi.com/Top_News/World-News/2017/12/15/Norway-officially-scraps-FM-radio-in-favor-of-digital-broadcasting/7561513356508/?utm_source=sec&utm_campaign=sl&utm_medium=7

Past Senior Leadership

President Emeritus: Dr. George J. Proeller

President Emeritus: Mark Spencer

Past President: Frank Gearhart

Past President: Cindy Thornburg

Past President: Pat Laverty