Archive for November, 2009

Verizon at SANS Incident Detection Summit

Wednesday, November 18th, 2009

The SANS WhatWorks in Incident Detection Summit 2009 will be held on December 9-10 in Washington, D.C. It follows the 2008 and 2009 editions of the SANS WhatWorks in Forensics and Incident Response Summits. For this summit, SANS is teaming with Richard Bejtlich to create a practitioner-focused event dedicated to incident detection operations. The SANS Incident Detection Summit will share tools, tactics, and techniques practiced by more than 40 of the world’s greatest incident detectors in two full days of content consisting of keynotes, expert briefings, and dynamic panels.

Wade Baker (Risk Intel) is on the commercial security intelligence service providers panel, and Andrew Valentine (IR) is on the detection-using-logs panel. It should be an interesting event.

We hope to see you there.

ICSA Labs Product Assurance Report

Monday, November 16th, 2009

Today ICSA Labs (an independent division of Verizon Business) released a report based on testing results and observations taken during its 20-year history certifying security products. We mention it here because several members of this team worked with ICSA Labs to design the study, collect and analyze data (a non-trivial feat given the time span), and write the report. Although bookended by other information and recommendations, the bulk of the report hits on three main topics: how often product deficiencies occur during testing, which types occur most often, and what factors contribute to their occurrence. We hope readers will find the report helpful in their mission to protect information and useful to the decisions and deployments made in support of that mission.

You can get it here: www.icsalabs.com/whitepaper/report

Weekly Intelligence Summary: 2009-11-13

Saturday, November 14th, 2009

The most significant impact on risk over the last week was November’s Microsoft Tuesday security bulletins, and most developments this week had a positive impact on risk. The kerfuffle over another SMB issue is of little consequence, as was the news of SCADA hacking in Brazil. The US Congress has taken up data privacy and breach legislation, but it remains to be seen whether it will increase risk by costing businesses more to comply, or decrease it by better protecting data. Signing the DNS root zone will have a positive impact on risk, but the use of non-Latin alphabets in domain names will probably be looked back upon as negative.

Weekly Intelligence Summary: 2009-11-06

Monday, November 9th, 2009

The most risk-significant development this week was Microsoft’s Advance Notification for the release of six security bulletins on 2009-11-10. Sun released an update to Java addressing seventeen vulnerabilities, but none are presently the target of attack. Historically, Java vulnerabilities are either ignored by criminals or attacked months after patching. Social networks continue to be a primary target of criminal activity. Gumblar, the FTP-credential-stealing trojan, is now targeting WordPress blogs. Bredolab, Virut and Zeus activity continues, with malicious code disguised as shipping confirmations and money transfers. However, sending pharmaceutical spam has been occupying most criminal cycles.

Weekly Intelligence Summary: 2009-10-30

Monday, November 2nd, 2009

Most of the threat activity this week was directed at Facebook and Twitter users. Large e-mail campaigns posing as password reset confirmations led to compromised Facebook accounts and Trojan installations, with the primary goal of stealing bank account information. Sun issued advance notification that it would patch at least six vulnerabilities in Java on Tuesday, 2009-11-03. There is also an unspecified buffer overflow vulnerability in the current version of Java System Web Server. The Guardian newspaper reported a “sophisticated” intrusion on its jobs site, and Gawker Media became the victim of a malvertisement similar to September’s attack on the New York Times.