I’m sure similar issues will now be found with lots of image, video and audio editing tools and applications. This bug points out there really is a developer mindset (“I can easily just move the IEND chunk to crop this data file” without thinking “and I need to delete the cropped data, too”) vs. a good tester methodology of “I wonder if I can still find any of the ‘cropped’ data.” This is why we see so much success from managed bug bounty programs even after 20 years of secure development life cycles and developer training.
Practitioner's note: To demonstrate this in Windows, hit s to snag part of the screen. In the Snipping Tool itself, save that screen grab, and look at the size of the file. Now, in the Snipping Tool, use the Crop tool to cut off the bottom half of the image. Save it again with the same file name. The file size has not changed! Much of the original data is still present in the cropped file. You can mitigate this specific case by saving the cropped image with a new name (or wait for a patch).
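The check implied by the two comments above, as an added example (not code from the newsletter or from any vendor tool): walk the PNG chunks to the first IEND and count what is left behind it. The `make_png` helper and the simulated overwrite are constructed sample data.

```python
import struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))

def find_png_end(buf: bytes) -> int:
    """Return the offset just past the first valid IEND chunk."""
    if not buf.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(buf):
        (length,) = struct.unpack(">I", buf[pos:pos + 4])
        ctype = buf[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(buf):
            raise ValueError("truncated chunk")
        (crc,) = struct.unpack(">I", buf[end - 4:end])
        if crc != zlib.crc32(buf[pos + 4:end - 4]) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC in {ctype!r} chunk at offset {pos}")
        if ctype == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk found")

def trailing_bytes(buf: bytes) -> int:
    """Bytes left after IEND; non-zero means data survived outside the image."""
    return len(buf) - find_png_end(buf)

def sanitize(buf: bytes) -> bytes:
    """Drop everything after IEND so nothing from an earlier save survives."""
    return buf[:find_png_end(buf)]

def make_png(width: int, height: int) -> bytes:
    """Constructed sample: 8-bit greyscale PNG, IDAT stored uncompressed (level 0)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))
    idat = zlib.compress(raw, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

# Simulate the bug: the cropped image is written over the original without truncation.
original = make_png(64, 64)
cropped = make_png(64, 8)
on_disk = cropped + original[len(cropped):]  # same file size as before the crop
```

A file that reports a non-zero `trailing_bytes` should be re-saved through `sanitize` (or re-exported to a new file) before it is shared.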
Redaction has to be done right. Tools like the snipping tool, or your photo editor on your smartphone, make it easier, but aren't necessarily comprehensive. Recall when it was learned a popular PDF editor used layers for redaction, but if you selected the text or exported the text, the redacted information was available? This time it's about understanding what metadata is in an image. As the researcher noted, a small, redacted, thumbnail-sized image was still 5MB. While we have been advising co-workers to make a new image or document which contains the resulting image, you're probably going to have to show them what metadata remains on a redacted photo (such as the full photo in the embedded thumbnail), to make it real.
applications take advantage of open-source libraries. A flaw in one or more of those libraries can lead to a vulnerable application. A SBOM will at least list the software libraries used by the application, helping to identify and close cross-platform vulnerabilities.
Looking past doing a "goosy honk" or a "goosey graze," this free tool may be able to give you insight you don't currently have for your M365/AAD environments. Given the challenges we often have getting log/configuration data from our cloud environments, let alone making sense of it, this could give you that boost your team is looking for to help detect malicious activity and misconfigurations. It accesses AAD, M365 and Azure configurations, AAD sign-in and audit log, M365 unified audit log (UAL), Azure activity logs, MS Defender (IoT and Endpoint) alerts.
There are a lot of valuable and useful open source security tools available and SANS SOC surveys have shown that SOC teams that use more of them often have lower attrition rates, as SOC analysts get to add value and create new rules/extensions rather than just staring at SIEM screens all day. But, open source tools are not free – they require patching, version checking to avoid compromised copies, admin, etc. just like commercial tools.
I appreciate a government agency with a sense of humor. Thank you CISA! (Missed the reference? Search for Untitled Goose Game.)
The 2022 report by the Identity Theft Resource Center showed that in 2022 more identities were compromised through supply chain attacks than by direct attacks against the information holder. Supply chain disruptions and direct compromise of data are the big risks of not focusing on supply chain security.
They have a COOP plan which is allowing them to meet patient demand for a bit. Have you considered how long you can provide services on your plan? Is that interval aligned with your worst-case recovery objectives? If you have a gap, you need to develop a plan. It is better to plan for when rather than if you get compromised.
Although it has not been described as such, it is likely a ransomware attack at play. Every organization should have incident plans in place and regularly exercise those plans. By doing so, you limit disruption to normal business operations.
Credential compromise continues to be a viable attack vector, and while I have stated the number one protection is implementing strong MFA, there is a lot more you need to do to provide comprehensive coverage, to include: actively managing accounts/identity as well as securing systems, only allowing the access needed when needed, revoking it as soon as that need expires. This guidance does a good job of laying out the threat and tying the actions to the risks you're mitigating. Review the “actions to take now” checklists and consider where you are against those items; don't just read Appendix I – you'll want to read the rest to get your ideas flowing.
Given the proliferation of many different platforms and applications not just on organisations’ internal networks but also in the cloud and with third party vendors, this guidance framework is a very timely and welcome resource. As a large number of breaches can be related to the abuse of accounts and authentication mechanisms, I strongly recommend the majority of those responsible for cybersecurity in their organization read the guidance.
Identity and Access Management (IAM) underpins access for every IT enterprise. It is a core component in building a zero-trust architecture. Creating a best-practices guide for administrators is a good thing. For the ‘Cliff Notes’ version, see Controls 5 and 6 from the CIS Critical Security Controls.
As someone very interested in the IAM space, I am happy to see general guidance for companies. This is a very good thing and dovetails nicely with the large number of installations we see using Azure AD.
Defense
CISA
SC Magazine
Security Week
OT has been a target since Stuxnet, and since then, many have made it an easier target by exposing it to the Internet. Make your case that cyber criminals are opportunistic and will go after whatever is discoverable. Also, if you have sensors and other components deployed in the field, understand how they transmit data: are they push or pull? is the back-haul over a public network or private? Ask not only who can change the security settings, but also who manages that list of users. Ask your OT system managers to explain their security model to you, including updates and monitoring. Ask them what IT systems they interact with, then take steps to make sure that is all they can interact with.
Cyber threats affect every industry sector. Vulnerabilities crop up in every product—ICS is no exception. Having a robust network architecture in-place to limit attacker access to the OT environment is paramount to maintaining business operations. Restricted access also has the added benefit that organizations can apply product patches during normal maintenance cycles. While you’re reviewing network access to the OT environment, also look at both your physical and personnel security programs; the unscrupulous insider is perhaps the greater threat.
The CPGs are intended to be a baseline and benchmark of widely acceptable/best practices across critical infrastructure. Since October these goals have been reorganized to match the NIST Cybersecurity Framework (CSF). This is good as the CSF has crosswalks to other security frameworks in case you're an ISO 27000 shop rather than 800-53/etc. Jim Langevin was a senior member of the House Armed Services Committee where he was the Chairman of the Subcommittee on Cyber, Innovative Technologies and Information Systems (CITI.) Both Chris and Jim bring a valuable background to the table to make this viable and relevant.
This is a good industry effort. Just like most industry efforts, feedback is warranted. If you want to participate (as I would encourage everyone), I recommend joining the discussion here: https://github.com/cisagov/cybersecurity-performance-goals/discussions. This is the same advice I would give anyone that wants to help with the IETF or the W3C.
Linking the performance goals to the NIST CSF five core functions is a good thing. Other frameworks that have similar controls, (err, performance goals) have been doing it for years.
CISA
CPG
Health IT Security
Security Week
MeriTalk
It's been a bit since we've had a WordPress severe issue plugin alert. While the CVE ID is still pending, the CVSS v3 score is 9.8. The question is are you still watching notifications of plugin updates, or are you filtering those away for "later?" Even with all plugins set to auto-update it's a good idea to regularly go in and check that they are indeed: some updates need added steps. If you've got this WooCommerce Payments plugin, make sure it's at 5.6.2. If you're using Wordfence, firewall rules will be released for the paid and free versions March 23rd and April 22nd respectively. If you're researching WordPress security, you can disclose findings to Wordfence and you may be awarded a CVE ID and even acknowledged on their leaderboard.
WordPress is used by over a third of the Internet for content management and continues to grow YoY. With WordPress, critical vulnerabilities most often crop up by the use of plugins that render websites exploitable. Given the large use of WooCommerce by on-line merchants and the fact that this is both authentication bypass and privilege elevation, you have to patch immediately.
As an end-user, consider using a privacy enhanced browser or a plugin designed to block tracking to reduce the likelihood of your information being sent to external organizations. As an application developer, these tracking pixels/etc. include a compelling list of features relating to user behavior, optimizations, and otherwise helping you be successful. The trick is they come at a cost. They need data to operate, and you really need to know what data that is. Even if you've got risk acceptance on the data, you need to know what is done with that data, where is it stored, who controls that, and who is it shared with. Note that even innocuous items like a reCAPTCHA user validation may need to be included on every page to track and detect behavior relating to attempted bypass.
The recent announcement by Cerebral (see SANS NewsBites Volume 25, Number 021) is causing other organizations (UCSD being one) to review their use of pixel-tracking technology on websites. Expect other Industry sectors to follow suit and for this matter to find its way into the court system. One of several questions the Court will decide on is whether [insert organization here] had a data management process in place to review data collected by the healthcare platform and its third-party providers. As this and other cases get adjudicated, it becomes an excellent case study for both Boards and executive leadership training.
Health IT Security
SC Magazine
UCSD
FTC
The KEV gives agencies until April 5th to patch the vulnerability. If you're on ColdFusion 2018, apply update 16; ColdFusion 21, update 6. These were released earlier this month so your team may already have them. Unlike some prior updates, these updates do not require recreation of connectors: ColdFusion 21 users will need to reinstall custom hotfixes after the update. Still, this should be a pretty painless fix.
I’ll hold my reservations of comments for those still running ColdFusion as it is still widely used in large sites. I will, however, mention that I would probably not recommend ColdFusion as the starting point for a new website in this decade. Patch?
The impact of this incident looks similar to the impact on Dole when bagged salads were found to be contaminated and had to be removed from shelves in stores and factories/machines/processing had to be inspected. Imagine if software vendors had to go through all that when their product was found to be “contaminated.” Actually, when you think about it, that is what Software as a Service vendors do when a flaw is found! But all the contaminated “food” is in a very small number of “stores”!
One would hope employee data loss would be disclosed to employees before it was reported in one's SEC disclosure. Employees getting calls from friends and family who see the disclosure without prior direct communication is not the optimal way to develop long term relationships and retain staff.
Cropping and Redacting Images Safely
https://isc.sans.edu/diary/Cropping+and+Redacting+Images+Safely/29666
Acropalypse Detection and Sanitization Tools
https://github.com/infobyte/CVE-2023-21036
Windows Snipping Tool Privacy Bug: Inspecting PNG Files
https://isc.sans.edu/diary/Windows+11+Snipping+Tool+Privacy+Bug+Inspecting+PNG+Files/29660
Windows 11 Snipping Tool Privacy Bug
String Obfuscation: Character Pair Reversal
https://isc.sans.edu/diary/String+Obfuscation+Character+Pair+Reversal/29654
Untitled Goose Tool
https://github.com/cisagov/untitledgoosetool
Veeam Vulnerability Details
https://www.horizon3.ai/veeam-backup-and-replication-cve-2023-27532-deep-dive/
Unicode Support in Python used to Evade Detection
https://blog.phylum.io/malicious-actors-use-unicode-support-in-python-to-evade-detection
WooCommerce Skimmer Reveals Tampered Gateway Plugin
https://blog.sucuri.net/2023/03/woocommerce-skimmer-reveals-tampered-gateway-plugin.html
Netgear Orbi Router Vulnerable
Malicious .Net Packages
Spring Framework Vulnerability
Snappy Vulnerability
https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc