Hacker Guard: Partnerships

University Special Pricing Has Just Been Reduced

Ready to mitigate your most significant risk, the one your management shares: untrained, unqualified system administrators making errors that lead to non-compliance fines and tarnished university trust? Then take advantage of the holiday special: the SANS Hacker Guard program tuition fee for up to 25 students has been reduced to $22,500 per year for three years.

To register, go to https://www.sans.org/vlive/details/sec464-jan-2013-john-strand.

In Step 3, enter the group discount code: 3x900

Once we receive your order, we will send you the agreement and contact you for the list of students that need to be enrolled in the upcoming January 22 - 23, 2013 Program.

SANS HackerGuard University Program

On Thursday, November 15, the SANS/University Consortium gathered for its second meeting in 3 weeks. Representatives from 40 Universities were in attendance. The major topics discussed were:

  • Risk, and whether the security group's view of risk aligns with that of the CSO, CIO and CFO
  • How best to mitigate risk
  • Special pricing for universities participating in the SANS SEC464 HackerGuard Program
  • A certifying body for a minimal level of competency for system administrators

Most participants agreed that the webcast workshop format, which opened with a short presentation by SANS Sr. Instructor John Strand and then used a few slides as discussion points, worked well. Participants felt free to share experiences more openly because the session was not recorded. The consensus was that the top security concern was risk, specifically compliance issues and failure to comply with regulations.

Universities must comply with FERPA (Family Educational Rights and Privacy Act) regulations; however, it was acknowledged that a FERPA violation carries no real negative consequences. That is not the case with HIPAA and HITECH regulations. Many participants represent universities with a combination of a medical school and medical facilities serving students, staff and communities, and some administer health care benefits to US military veterans.

Thus, most schools do need to comply with HIPAA (Health Insurance Portability and Accountability Act) regulations, the key word in the acronym being "accountability". HIPAA violations after February 18, 2009, have resulted in fines ranging from $100 to $50,000 per violation, with a cap of $1.5 million in any one calendar year.

In addition, most schools are also subject to the HITECH (Health Information Technology for Economic and Clinical Health) Act, part of the American Recovery and Reinvestment Act of 2009. HITECH violations can be quite costly, with fines ranging from $25,000 to $1,500,000 per incident, depending on whether the failure to comply was determined to be accidental or intentional.

A representative from one school reported that, following a significant breach in 2009 that made headlines in a large number of industry and consumer publications, the cyber security staff has grown tenfold, to the point where 15 full-time cyber security professionals will be serving the Medical Center by 2014.

Most forum attendees felt that a breach did help management understand the danger and disruption to business processes that unauthorized access can cause.

When questioned about the alignment between themselves and the CSO, CFO or CIO, it was agreed that management's primary goal, especially for the CSO and CFO (not so much the CIO, interestingly), was to keep news of a breach out of the press. Breaches can impact the ability to attract top-notch scholars, large grants that are the major source of revenue for most of these schools, and enrollment, a smaller but significant source of revenue for many of them.

As reported after the previous discussion on October 28, most attendees saw their greatest source of risk as untrained system administrators being given "privileged user" access without qualification. As one participant noted, "Academic Freedom means the ability to study controversial subjects or study with controversial colleagues. It has nothing to do with running Windows ME".

Several participants suggested that SANS needs to make a security awareness program for "privileged users" available. At this point, we mentioned that such a program already exists: SANS SEC464: Hacker Guard: Security Baseline Training for IT Administrators and Operations, with Continuing Education. The regular tuition fee for the Hacker Guard program is $2,295 per person in year one. The tuition fee for the quarterly updates is $690 per student in year two and $760 in year three. Thus, the total fee is $3,745 per student over three years.

Participant feedback on this university program indicates that the SANS Hacker Guard program addresses the number one business risk these security professionals face: untrained system administrators leaving the university's doors wide open. The general consensus was that the program would be very valuable, and even more so if the training could be provided in such a way that the cost per person trained per year would not exceed $1,000, as opposed to an upfront fee of twice that amount.

Based on this feedback, SANS is offering a university pilot program which runs from now until January 11, 2013. This special university program allows schools to purchase training for system and network administrators, as well as security professionals who have not yet had any security training, in groups of 25 students for $25,000 per year for three years ($75,000 in total), rather than the $93,625 they would pay at regular tuition over the same three-year period. These students will be trained to develop skills for:

  • Baselining
  • Continuous Monitoring of Baselines for Anomalies
  • Documenting these anomalies (breaches) and communicating them to the Incident Response Team
  • Refreshing these skills so that they become a habit. The SANS Hacker Guard continuing education program of quarterly threat attack vector briefings may be the most valuable portion of the program, as we show participants how to apply the baselining and continuous monitoring skills to search for signs of the latest malware in their systems.

The training will be delivered through SANS vLive! so that we can reach a fairly large number of students at the same time.

The first training event will be held on January 22 - 23, 2013. SANS Sr. Instructor John Strand, course author of SANS Hacker Guard, will teach the course. To register, simply contact Scott Weil, sweil@sans.org, and we will give you instructions for enrolling your system administrators and security professionals in this pilot program.

One of the questions asked was how SANS differentiates the value of SANS Security Essentials (SEC401), our most popular course, from that of SANS SEC464 Hacker Guard.

The best way to describe the difference is first to acknowledge that SANS Security 401 is the most widely studied material within the SANS curricula. The Security 401 course runs for 6 days. The learning objective of SANS Security Essentials is to give students the skill foundations from which to launch into a more advanced and in-depth study of a particular cyber security subject, such as intrusion detection in depth, hacker techniques, exploits and incident handling, or an in-depth study of securing either a Windows or a Linux environment. SANS also has full curricula on penetration testing, auditing, digital forensics and security management, and secure application coding. All of these deep SANS curricula flow from the initial study of SANS Security Essentials.

The learning objective of SANS Security 464 Hacker Guard is to help stop system and network breaches immediately by enabling IT professionals, for whom security is only part of their job responsibilities, to serve as the first line of defense for the security professionals within your organization.

SANS SEC464 Hacker Guard starts with a 2-day course and follows it up with quarterly continuing education threat briefs each year, building on the skills taught during the initial 2-day course for both Windows and Linux environments. We do this through a combination of lectures and a total of 12 hands-on labs over the two days of instruction. The heavy emphasis on hands-on training reflects the course author's belief that the best way to apply what one learns in class immediately is to make sure students know which tools are needed to learn the skills of baselining, continuously monitoring those baselines for anomalies, and properly communicating anomalies to the organization's incident response team.

At SANS we see SEC464 as a stepping stone for those who want to learn more to dive in by taking SANS Security Essentials. Those who take this path will have the advantage that a specifically targeted class has already given them a context for applying the general concepts and skills they will learn in SANS Security Essentials. Those who decide to remain system and network administrators will have the skills they need, as part of their job function, to serve the university as the early warning system that a breach has occurred.

Representatives from 50 universities participate in SANS program to secure university systems and networks

On Thursday, October 25, John Strand led a webcast workshop for people from 50 different universities on the issues faced in securing networks given the demands of an open, research-driven working environment. You can view the webcast here: https://www.sans.org/webcasts/open-enrollment-hackers-95827

Here is the .pdf of the presentation

Here is a summary of the discussion points from the October 26, 2012 webcast workshop, with SANS responses.

  1. Can I share the access to this webcast with other people?
    Yes you can, as long as they are people within the university and college community.
    Simply provide them with the same link, https://www.sans.org/webcasts/open-enrollment-hackers-95827
    Once they register for the webcast, they will have access to the archive just like you have access to it.
  2. Any recommendations on how to best turn a breach (like the GhostShell leaks) into an awareness training opportunity?
    Yes, breaches like the one reported earlier in October give us as a community the opportunity to come together. Obviously, there is only value in doing this if we are able to change the way people think about security, that is, if we are truly able to make users and IT professionals more security aware.
  3. What risks scare you the most in your role within your university?
    Multiple answers:
    • The risk that scares me the most is the "unknown" risk, assets that we (campus IT) don't run.
    • It's the systems run under the curtain of 'academic freedom' that keep me up at night.
    • Risks I haven't foreseen make me most uncomfortable, and the weakest link in the organization is the user.
    • The risk of poor (no security monitoring/mitigation) network design.
    • Risk of other people's mistakes affecting my systems
    • The risk of systems that have not been hardened
  4. How do you best mitigate these risks to the level that makes the risk acceptable to your organization?
    1. Training to ensure adjacent system admins are doing things correctly
    2. Auditing systems
    3. Utilization of consistent change mgmt processes
  5. What compliance issues do you face?
    • HIPAA
    • HITECH
    • PCI
    • GLBA (Gramm-Leach-Bliley Act)
  6. What about passwords?
    Discussion of the importance of password length, the frequency of password changes, and compliance issues. John Strand gave a short presentation on the value of a 15-character password, showing that with today's technology a 15-character password would take 1.159 million years to brute-force. The question came up: yes, but is a 15-character password compliant with the NIST Level 1 standard? John confirmed that the 15-character password standard is NOT in compliance with NIST Level 1. He suggested that, as security professionals, we face conflicting compliance requirements from different governing bodies, and raised the idea of a "statement of mitigating controls" that would document and justify a point of non-compliance. John Strand added a short presentation on why it is important, from a technical point of view, to have passwords of 15 or more characters, especially for organizations that store passwords as LAN Manager (LM) hashes.
  7. Will this discussion continue using this format?
    Yes it will. Our plan is to do a follow up webcast which addresses more specifics on these questions above, and then discuss what appropriate actions we should be taking. The contents of the next webcast, along with a summary, will be posted here as well.
  8. If you have any comments or questions, please send them to sweil@sans.org.
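As an added illustration of the point in item 6 above (this is not SANS material or part of the webcast): the LAN Manager hash only covers the first 14 characters of a password, upper-cased and split into two independently attackable 7-character halves, and Windows produces no LM hash at all for passwords of 15 or more characters, which is why a 15-character minimum removes LM exposure entirely. The charset sizes and guess rate below are assumed figures for illustration, not numbers from the page.

```python
# Added illustration, not SANS material: why 15 characters is the threshold
# for hosts that still keep LAN Manager (LM) hashes.
#   * LM hashes only the first 14 characters, upper-cased, as two
#     independent 7-character halves, so an attacker never searches more
#     than about 2 * charset**7 candidates whatever the password length.
#   * No LM hash is produced for passwords of 15 or more characters; only
#     the NT hash (whole, case-sensitive password) remains.
# Charset sizes and the guess rate are assumed figures for illustration.

LM_MAX_LEN = 14                   # LM cannot represent more than 14 characters
LM_CHARSET = 69                   # upper-case letters, digits, punctuation (assumed)
NT_CHARSET = 95                   # printable ASCII for the NT hash (assumed)
SECONDS_PER_YEAR = 365 * 24 * 3600

def lm_hash_stored(password: str) -> bool:
    """True if a host with LM hashing enabled would store an LM hash for it."""
    return 0 < len(password) <= LM_MAX_LEN

def lm_search_space(password_len: int) -> int:
    """Worst-case guesses to recover a password from its LM hash.

    Each 7-character half is cracked on its own, so the work is the sum of
    the two halves, not their product; 15+ characters leave nothing to crack."""
    if password_len > LM_MAX_LEN:
        return 0
    first = min(password_len, 7)
    second = max(password_len - 7, 0)
    return LM_CHARSET ** first + (LM_CHARSET ** second if second else 0)

def nt_search_space(password_len: int) -> int:
    """Worst-case guesses against the NT hash, which covers the whole password."""
    return NT_CHARSET ** password_len

def years_to_exhaust(space: int, guesses_per_second: int = 10**9) -> float:
    """Years to try every candidate at an assumed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR

def policy_is_lm_safe(min_len: int) -> bool:
    """A minimum-length policy removes LM exposure only at 15+ characters."""
    return min_len > LM_MAX_LEN

if __name__ == "__main__":
    for n in (8, 14, 15):
        print(f"len={n:2d} LM={lm_search_space(n):.3e} NT={nt_search_space(n):.3e}"
              f" ({years_to_exhaust(nt_search_space(n)):.3g} years at 1e9/s)")
```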