Friday, April 23, 2010

Gordon M. Snow Named FBI's AD Cyber Division

Director Robert S. Mueller, III has named Gordon M. Snow assistant director of the FBI’s Cyber Division. Most recently, Mr. Snow served as deputy assistant director of the Cyber Division. In this new role, he will be responsible for leading the FBI’s efforts to protect the United States against cyber-based attacks and high-technology crimes.

“The FBI considers the cyber threat against our nation to be one of the greatest concerns of the 21st century,” said Director Mueller. “Protecting the United States against cyber crimes is one of the FBI’s highest priorities and, in fact, is the FBI's highest criminal priority. Gordon’s broad range of investigative and leadership experience will serve the Cyber Division well as they carry out this mission.”

Mr. Snow entered on duty as a special agent with the FBI on March 8, 1992. Upon completion of training at the FBI Academy in Quantico, Virginia, he was assigned to the Birmingham Division’s Huntsville Resident Agency. While there, he investigated violent crime, drug, civil rights, public corruption, and white-collar crime matters.

In April 1996, he was assigned to the Critical Incident Response Group as a member of the Hostage Rescue Team. During that time, he took part in several sensitive rendition missions; conducted terrorism assessments overseas with the Department of State; and was assigned to assessment, protection, and investigative support missions after the bombing of the USS Cole in Aden, Yemen, and the embassy bombings in Nairobi, Kenya.

Mr. Snow was promoted to supervisory special agent in the Counterintelligence Division’s Middle East Unit in January 2001. Two years later, in January 2003, he was assigned to the Detroit Division, where he supervised the foreign counterintelligence program and served as the SWAT program coordinator. In April 2005, Mr. Snow was appointed chief of the Weapons of Mass Destruction and Acquisition of U.S. Nuclear & Missile Technology Unit at FBI Headquarters.

In May 2006, Mr. Snow was selected as the assistant special agent in charge of the San Francisco Division’s San Jose Resident Agency. In that role, he had operational responsibility for the counterterrorism, cyber, white-collar crime, and violent crime squads; the San Jose members of the Joint Terrorism Task Force; the High-Value Computer Crimes Task Force; the Silicon Valley Regional Computer Forensics Lab; and the Monterey Bay Resident Agency. He also served as the SWAT program manager.

Mr. Snow was assigned to the Afghanistan theatre of operations as the FBI's on-scene commander for the Counterterrorism Division in June 2007. Following his return to the U.S., he was appointed section chief in the Cyber Division in January 2008, and detailed to the Office of the Director of National Intelligence, National Counterintelligence Executive. During that assignment, he and his staff led the effort in drafting the government-wide Cyber Counterintelligence Plan under Homeland Security Presidential Directive-23/National Security Presidential Directive-54, the Comprehensive National Cyber Initiative.

In January 2009, Mr. Snow was appointed as chief of the Cyber Division’s Cyber National Security Section and the director of the National Cyber Investigative Joint Task Force. In November 2009, he was named deputy assistant director of the Cyber Division.

Mr. Snow is a native of Detroit, Michigan. He graduated from the University of Michigan, Ann Arbor, with a B.A. in English. He received an M.B.A. with an emphasis in finance from Virginia Tech in 2001 and a J.D. from Catholic University’s Columbus School of Law in 2006. Prior to joining the FBI, Mr. Snow served in the United States Marine Corps for more than 10 years, as both an enlisted Marine and as an officer.

This post is excerpted from the FBI Press Release, Gordon M. Snow Named Assistant Director of FBI Cyber Division, April 23rd, 2010.

Monday, April 12, 2010

Reputation

Everyone today talks about creating an online presence on social media sites such as Facebook or Twitter. But beyond presence, where does online reputation come into play? And how can one protect and build one's own online rep?

Warren Buffett, the stock market investor, couldn't have said it better: "It takes 20 years to build a reputation, and five minutes to ruin it." Think about it: Our entire lives depend on our reputation -- the image through which we are visible to the world. And this applies to the online world, as well. Even more so, and here's why.

Recently, I spoke with Dena Haritos Tsamitis, director of education, training and outreach at Carnegie Mellon University's CyLab. She emphasized that protecting and building an online reputation is all the more important for security folks. "Information security is all about reputation and integrity," she says. "If you lose that, you lose everything." Also, HR professionals and information security recruiters increasingly rely on "Google search" for getting more information on potential candidates, as well as screening their social media profiles -- including LinkedIn, Twitter and Facebook -- for additional background information. If security professionals have no "online" presence at all, then so be it. But if they have a questionable reputation, then it may cost them their job.

Imagine searching your name, and finding - on the first page of Google - embarrassing information like your involvement with drugs, links to inappropriate photos or information leading to inconsistency in your employment history. The web breeds an erroneous feeling that "no one can see the real you." But, in fact, online is where everyone can see the real you. Think and consider all of the information that has ever been online about you, both private and public - it is usually only a few clicks away. Security professionals, therefore, should invest in ways to protect and monitor their online reputations. As a first step, they must find out what information is already on the Internet and assess the impression it leaves on people.

Here are 8 tips to monitor and protect one's online reputation:

Search your name.
Type your first and last name within quotation marks into several popular search engines to see where you are mentioned and in what context. Narrow your search and use keywords that apply only to you, such as your city, employer and industry association.

Expand your search.
Use similar techniques to search for your telephone numbers, home address, e-mail addresses, and personal website domain names. You should also search for your social security and credit card numbers to make sure they don't appear anywhere online.

Read blogs.
If any of your friends or coworkers have blogs or personal web pages on social networking sites, check them out to see if they are writing about or posting pictures of you.

Sign up for alerts.
Use the Google alert feature that automatically notifies you of any new mention of your name or other personal information.

Limit your personal information.
Tweet/chat/discuss regarding business and the emerging trends in your industry, but limit posting information on your personal life, which could be a subject of major scrutiny by recruiters and hiring managers. Also, be sure you know how organizations will use your information before you give it to them.

Use privacy settings.
Most social networking and photo-sharing sites allow you to determine who can access and respond to your content. If you're using a site that doesn't offer privacy settings, find another site.

Choose your photos and language thoughtfully.
You need to ensure that information posted online is written professionally without use of swear words and catchy phrases. Also, be very selective in posting photographs, and use your judgment to ensure that these photographs are how you want the world to see you.

Take action.
If you find information about yourself online that is embarrassing or untrue, contact the website owner or administrator and ask them to remove it. Most sites have policies to deal with such requests.

This post is excerpted from the Government Information Security News article, Where Do You Go To Get Back Your Online Reputation, by Upasana Gupta, April 7th, 2010.

For more on maintaining your online presence, visit Government Information Security.

Friday, April 9, 2010

Career or Job?

I came across this in my morning Coffee Reads, and thought I'd pass it along. Michael Santarcangelo has just taken up the mantle of Career Catalyst at CSO, and has put in his first installment as a columnist. Here's what he has to say.

Have you ever wondered about the difference between a job and a career? I have.

As a result, I have spent the last decade considering the difference between practitioners and professionals, jobs and careers.

Along the way I have been honored to train thousands for successful careers as Certified Information System Security Professionals, founded the Security Catalyst Community and developed the Catalyst Career Compass program. In fact, I'm working with a group of amazing people right now to re-launch the Security Catalyst Community and incorporate a guild, complete with a mentoring program [ for details in a few months]. Seems a focus on professionalism and career success has always interested me. Now I have the opportunity to share ideas and strategies for career success in this column.

Why me?

I have cultivated a unique blend of skills and abilities: I am a professional speaker [the capability to teach others], a published author and have over a decade of experience forged in the trenches. Over my career, I have contributed time and effort to advancing the profession through service to [ISC]2 and CompTIA. Most importantly, I am a human catalyst focused on harnessing the power of people; in fact, I hold a degree in Human Ecology [go Cornell!].

When pressed, I explain the role of a catalyst in three steps:

1. Observe, absorb and actively engage to learn and experience as much as possible
2. Step back to process, distill and probe deeper with questions to uncover what matters
3. Connect with people, where they are, and communicate what counts.

As a catalyst, I am able to guide a journey that goes beyond finding a job and earning a paycheck to a more rewarding path of developing a successful career. While we can explore the finer points of finding a job, I see this as an opportunity to do more: we can seek out examples of career excellence and amplify the good.

We are fortunate to be in a profession of great impact; with that comes great responsibility. As we engage on this journey, I hope to explore the difference between professionals and practitioners as we cultivate the skills and aptitudes the changing landscape demands.

A few years ago, I shared some collected ideas in a keynote and workshop titled Are you making a living, or a life? Adapted to the focus of making a career instead of working a job, allow me to share three concepts from my own experience:

1. Strive for integration over balance

When something is balanced, there is no movement. The concept of balance in the workplace is misguided and creates a false friction and unnecessary stress. Instead of balance, consider the power of integrating the passions, joys and experiences of life into everything you do. In my experience, it is easy to talk to a colleague about digital cameras, golf or motorcycles. When the time comes to explain a key point or ask for a favor, that commonality and shared experience goes a long way toward understanding and action.

For more of Michael's insight, visit CSO Security Leadership.

Thursday, April 8, 2010

Picture: Not Worth 1,000 Words

Well, it's not actually a picture but an obfuscated malicious VB script.

That’s the story with W32/VBSAuto-F — yet another autorun worm that sets a number of self-starting registry entries, spreads via USB drives, and downloads further malware. The worm embeds code in a JPEG comment field of an ambiguously named file “image.jpg” or “imwin.jpg”.

Previewing such files as images remains innocuous, as picture viewers tend not to execute metadata by default. This is unfortunately not the case when the file is run through the VB script engine, which is happy to interpret the same JPEG comment 0xFFFE header bytes to indicate Little-Endian UTF-16 encoded data and execute the remaining portion of the file as code.

This malware is certainly not worth 1000 words, as even the deobfuscated malicious script itself weighs in at a mere 391 words total.

This post is excerpted from the Sophos article, When is a picture not worth 1000 words, by Mike Wood, March 31st, 2010.

For more information on embedded maliciousness, visit SophosLabs.
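
A defender-side check for the trick described in this post, as an added example that is not from the Sophos article or this blog: it walks a JPEG's header segments, extracts every comment (FF FE) segment, and reports script keywords found when the payload is read as single-byte text or as UTF-16LE. The keyword list, the helper names and the two sample files are constructed for illustration.

```python
import struct

COM = 0xFE  # JPEG comment marker is FF FE, the same two bytes as a UTF-16LE BOM
STANDALONE = {0x01, *range(0xD0, 0xD9)}  # TEM, RSTn, SOI carry no length field
# Assumed indicator strings (constructed for this example, not taken from the worm).
KEYWORDS = ("createobject", "wscript.", "execute", "regwrite", "on error resume next")

def jpeg_comments(data: bytes) -> list[bytes]:
    """Return the payload of every COM segment found before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker: not a JPEG stream")
    out, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            break  # lost sync; stop rather than guess
        marker = data[pos + 1]
        if marker == 0xFF or marker in STANDALONE:
            pos += 1 if marker == 0xFF else 2  # fill byte, or marker without length
            continue
        if marker in (0xD9, 0xDA):  # EOI or start of scan: headers are over
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            break  # truncated or malformed segment
        if marker == COM:
            out.append(data[pos + 4:pos + 2 + length])
        pos += 2 + length
    return out

def script_like(payload: bytes) -> list[str]:
    """Keywords seen when the payload is read as single-byte text or UTF-16LE."""
    texts = [payload.decode("latin-1"), payload.decode("utf-16-le", errors="ignore")]
    return sorted({k for k in KEYWORDS for t in texts if k in t.lower()})

def triage(data: bytes) -> dict:
    """Classify one file and list the script keywords found in it."""
    if data[:2] == b"\xff\xfe":  # file itself opens with FF FE: text tools see a BOM
        return {"kind": "fffe-first", "hits": script_like(data[2:])}
    hits = sorted({k for c in jpeg_comments(data) for k in script_like(c)})
    return {"kind": "jpeg", "hits": hits}

def _seg(marker: int, payload: bytes) -> bytes:  # builds one constructed segment
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: header segments only, no image data.
BENIGN = b"\xff\xd8" + _seg(0xE0, b"JFIF\x00") + _seg(COM, b"Created with an image editor") + b"\xff\xd9"
SUSPECT = b"\xff\xd8" + _seg(COM, 'Set s = CreateObject("WScript.Shell")'.encode("utf-16-le")) + b"\xff\xd9"
```

The UTF-16LE sample matches only through the second decoding, which is why a plain ASCII string search over the file would miss it.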

Tuesday, April 6, 2010

There Is No Mushroom Cloud In Cyberspace

The National Academies of Science functions in part to provide independent scientific advice to the US government. In that capacity, the office of the Director of National Intelligence contracted with the NAS to look into the prospects of developing cyberwarfare capabilities that are sufficient to deter an attack on its national infrastructure. The NAS has recently submitted a progress report on its efforts, and the dry text of the introductory letter (the report is termed, "The first deliverable for Contract Number HHM-402-05-D-0011") obscures a sometimes fascinating look into how the cold-war thinking that drove the development of the concept of nuclear deterrence fails to scale to the networked world.

That may seem like a statement of the obvious, but the report points out that deterrence was actually a fully fleshed-out conceptual framework, and there is a significant parallel between cyber and nuclear weapons that's a major component of this framework: it's much easier to engage in offense than defense. "Passive defensive measures must succeed every time an adversary conducts a hostile action, whereas the adversary’s action need succeed only once," the text notes, and recent history is replete with evidence that hostile actions can easily succeed far more often than once.

So, the prospect of mutually assured cyberdestruction might seem to offer the possibility of a framework that's at least similar to the one that governed the world of nuclear weapons. The body of the report, however, focuses on the various reasons it probably doesn't.

Perhaps the biggest reason is that, for deterrence to work, we and our adversaries have to have a rough idea of each other's offensive capabilities. "Classical deterrence theory bears many similarities to neoclassical economics, especially in its assumptions about the availability of near-perfect information (perfect in the economic sense) about all actors," as the report notes. Leaving aside the shortcomings of these assumptions in neoclassical economics, this simply doesn't describe the current reality.

Right now, the US has chosen to keep its offensive cyber weaponry entirely classified and, since there's no launch infrastructure or physical indications of testing (hallmarks of nuclear weaponry), nobody is likely to develop a complete picture of what we can do. The US is unlikely to disclose its capabilities because, in contrast to nuclear weaponry, knowing these capabilities may help adversaries plan defenses. It may be somewhat effective as a deterrent—it's generally assumed that the US has the most potent capabilities around. But it leaves the US in a situation where it is counting on everyone to assume it has the weapons.

This post is excerpted from the Ars Technica article, Modeling cyberattack deterrence on nuclear deterrence fails, by John Timmer, April 6th, 2010.

For more on cyber attack deterrence, visit Ars Technica.