Utah’s Office of the Legislative Auditor General reviewed cybersecurity practices at state agencies, local government agencies, and some educational institutions. The auditor found that “governmental entities across the state need improvement in key areas.” The report makes 11 recommendations, including advising agencies that do not already have a cybersecurity framework to adopt one, such as the Center for Internet Security (CIS) standards.
This was a pretty broad audit, sent to over 600 county, city, town, school districts, colleges, universities, etc. However, only 37% even bothered to respond, which seems to say there aren’t many cybersecurity carrots or sticks at the state level that would drive local entities to take cybersecurity seriously – not adopting the CIS framework is a point of evidence. Of the respondents, the numbers for the larger entities (counties and cities) aren’t that far from typical at that level. The smaller entities are likely the same, but an across-the-board lack of emphasis on user awareness and education (combined with no minimum standards such as Implementation Group 1 of the Critical Security Controls) means high risk of phishing attacks succeeding.
In 2021, Utah became the second state in the nation to create a legal safe harbor for private sector companies that implement a cybersecurity framework (i.e., NIST CSF, CIS Critical Security Controls). The legislative body followed that up by auditing the cybersecurity practices of state/local government agencies. The CIS Critical Security Controls are referenced because they provide a prioritized set of actions [safeguards] for any entity, public or private, to follow to establish an effective cybersecurity program.
Having a framework which is then mapped to a control standard is key to implementing a consistent risk-based approach to securing systems. NIST and CIS have free frameworks, with a lot of supporting documentation on implementation, that can give you a leg up here.
Ireland’s Data Protection Authority has fined Meta €1.2 billion (US$1.3 billion) following an investigation that found Facebook has been sending European users’ personal data to the US in violation of the General Data Protection Regulation (GDPR). The ruling also gives Facebook six months to cease sending the data to the US. In 2020, the Court of Justice of the European Union ruled that Facebook data sent to the US did not have sufficient protection from government surveillance.
This story is making headlines due to the €1.2 billion fine, which is the highest GDPR fine issued to date. However, the other penalties, such as the transfer of EU personal data back from the US to the EU, the deletion of EU personal data within the US, and the stop to the flow of EU personal data to the US, will have a much bigger impact on Meta as it will have to make significant changes to how it runs its business. The Irish Data Protection Commission has given Meta 5 months to comply. Meta will no doubt appeal the rulings, and many companies that currently transfer EU personal data to the US, or to US companies with operations in the EU, will watch this case very closely as they too could face similar penalties. At the heart of the issue is the lack of human rights protection for non-US citizens from US mass surveillance laws, and until fundamental changes are made to such laws this will be an ongoing issue. Currently, the US and EU are negotiating a new framework to enable the transfer of EU personal data to replace the EU-US Privacy Shield, but there is no guarantee this will address the core issue.
Meta, a US-based company, being sanctioned because of US government access to user data is not very different from the US sanctioning Huawei, a China-based company, for suspected government access. Just because technology leaps across borders does not mean, and never has meant, that all countries have to allow it to do so. Companies should be building business plans and IT architectures that build privacy and data security in to support opt-in exposure models and higher levels of privacy than required in the US.
In a previous ruling by the Ireland court, Meta was asked to suspend the data transfers. Meta disagreed. There is a deal pending between the US & EU to allow for these types of data transfers; until that is squared away, use caution if you're transferring EU user data to the US.
To date, €1.2B is the largest fine ever assessed for GDPR violations. It serves as a wake-up call for companies that retain the personal data of European citizens. The explosive growth of social media platforms led to certain enterprise architecture decisions that make it difficult for companies like Meta to comply with GDPR. Some amount of re-architecting will be necessary in order to meet the six-month deadline imposed by the EU Data Protection Authority.
Wired
NYT
Washington Post
Gov Infosecurity
SC Magazine
Ars Technica
The Python Package Index (PyPI) is operating normally following a temporary suspension of new project name and new user registrations over the weekend. A PyPI statement reads, “The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave.” The suspension was lifted on Sunday, May 21, at 21:57 UTC.
Package repositories like PyPI have ongoing issues with being flooded by malicious, and in some cases just "spam" packages. This isn't a unique PyPI problem. The issue was made worse this weekend due to staffing shortages at the Python foundation.
Python
Bleeping Computer
The Hacker News
Dark Reading
The US Government Accountability Office (GAO) evaluated the implementation of six key cloud security practices at four agencies: the Departments of Agriculture, Homeland Security (DHS), Labor, and the Treasury. According to the report, all four agencies have fully or partially implemented three of the key practices: defined security responsibilities, documented ICAM (Identity, Credentials, and Access Management) policies and procedures, and documented procedures for incident response and recovery. Two of the agencies have fully implemented defining security metrics in an SLA (service level agreement) for most of their systems, and all four agencies have work to do in addressing FedRAMP requirements and implementing continuous monitoring.
Deficiencies were reported in agency use of FedRAMP, metrics and continuous monitoring. All of the audited agency systems were using FedRAMP authorized cloud service providers; the deficiencies noted were mostly paperwork issues. The lack of metrics is a federal government-wide issue where the FISMA CIO cybersecurity metrics tend to change each year and focus on low level controls vs. proven operations performance metrics such as Time to Detect/Time to Respond/Time to Restore. The lack of continuous monitoring of cloud services is likely from inability to extend on premise monitoring out to disparate cloud services – all FedRAMP approved CSPs are required to provide the data.
FedRAMP gives you a big head-start implementing 800-53 controls, but you still need to set up incident response and notification agreements, as well as make determinations on what, if any, log information can be forwarded to your SIEM. Many SaaS providers don't provide logs this way, but they do have response capabilities; you need to run these to ground before getting your ATO.
Last Wednesday, users began reporting connectivity issues with their ASUS routers. ASUS said the issue was due to “an error in the configuration of [their] server settings file.” ASUS says the problem has been remediated; users whose routers are still not operating normally may have to reboot manually or perform a factory reset.
The connectivity issue was quickly diagnosed and corrected by the ASUS team. What’s interesting is that the component is updated regardless of whether the user has automatic security updates enabled. It raises the question: should security updates be automatically applied by the vendor or should the end organization be in control of when security updates are made?
This ties back to a flawed ASD update file. If your router is still misbehaving, try rebooting it. Worst case you're going to have to do a hard reset. What is not yet known is why this impacted routers which had been configured not to rely on these updates.
Cisco has released software updates to fix nine vulnerabilities in its Small Business Series Switches. The vulnerabilities are due to improper validation of requests that are sent to the web interface. They could be exploited to execute arbitrary code, cause denial-of-service conditions, or to read unauthorized information on affected devices.
The CVSS severity rating [9.8 out of 10] and existing proof-of-concept exploit code elevate the priority of patching for these vulnerabilities. The vulnerabilities do serve one possible benefit for Cisco: exposing counterfeit switches that were procured unknowingly by organizations. Patching is the only way to protect the switches, which requires a valid Cisco license.
While it may be a "computer" in one sense, a properly implemented switch is a single-application purpose-built appliance. One would not expect that its procedures could be corrupted by its traffic. One would not expect a switch to be able to execute arbitrary code. Such a capability is an implementation-induced vulnerability. One suspects that such a capability exists for the convenience of the developers, not value to the users.
A problematic firmware update has caused some HP Office Jet printers to become inoperable. HP told Bleeping Computer that they “are working diligently to address the blue screen error affecting a limited number of HP OfficeJet Pro 9020e printers.” Users have been reporting that the printers display blue screens with the 83C0000B error code.
If you have printers that have not yet applied the update, disable the automatic updates on them until HP publishes a fix. There isn't any information on restoring bricked printers yet; you may want to put your spares into service until that gets worked out.
Bleeping Computer
A ransomware attack against satellite broadcaster Dish Network earlier this year compromised personal information of nearly 300,000 customers. The disclosure was made in notifications to regulators. The company also sent notification letters to affected individuals. The incident began on February 23 and caused outages affecting multiple Dish Network services.
Dish has now confirmed that it was indeed a ransomware attack – cryptically acknowledging that the data has been deleted by the evildoers. Besides the notification to affected users, Dish is offering free credit monitoring services. I would be remiss not to point out that credit monitoring services are having a profitable year given the spate of ransomware attacks.
A vulnerability in the KeePass 2.x password manager can be exploited to retrieve cleartext master passwords from a memory dump, even from a locked or no longer running workspace. KeePass hopes to have a fix available in early June.
If there is an application where strong authentication, preferably with Passkeys, is indicated, password managers are that application.
The US Cybersecurity and Infrastructure Security Agency has added six entries to its Known Exploited Vulnerabilities (KEV) catalog. Three of the vulnerabilities affect Apple WebKit: a sandbox escape issue, an out-of-bounds read vulnerability, and a use-after-free vulnerability. Two vulnerabilities affect Cisco products: a denial-of-service vulnerability in Cisco IOS and an information disclosure vulnerability in Cisco IOS, IOS XR, and IOS XE IKEv1. The sixth security issue is an “insertion of sensitive information into log file” vulnerability in Samsung mobile devices.
CISA
Bleeping Computer
Bleeping Computer
The Hacker News
CISA
Probes for recent ABUS Security Camera Vulnerability
Another Malicious HTA File Analysis - Part 3
https://isc.sans.edu/diary/Another+Malicious+HTA+File+Analysis+Part+3/29678
When the Phisher Messes Up With Encoding
https://isc.sans.edu/diary/When+the+Phisher+Messes+Up+With+Encoding/29864
.ZIP Domains Confuse Virustotal
https://twitter.com/imohanasundaram/status/1660678184977805316
Synology DSM 6.2 Patch
https://www.synology.com/en-global/security/advisory/Synology_SA_22_25
Jenkins Fixes Multiple Plugin Vulnerabilities
https://www.jenkins.io/security/advisory/2023-05-16/
PyPi Suspension Lifted
https://status.python.org/incidents/qy2t9mjjcc7g
Nissan Sylphy Classic Key Vulnerability
https://vulmon.com/vulnerabilitydetails?qid=CVE-2023-33281
PGP Signatures on PyPi: Worse than useless
https://blog.yossarian.net/2023/05/21/PGP-signatures-on-PyPI-worse-than-useless
RATs found hiding in the npm attic
https://www.reversinglabs.com/blog/rats-found-hiding-in-the-npm-attic
I have Trust Issues and So Does My CISO--How NDR can help identify issues in your ZTA | This upcoming webcast, hosted by Matt Bromiley, airs on Thursday, May 25 at 1:00pm ET | Register now: https://www.sans.org/info/226120
Upcoming webcast on Tuesday, May 30 at 1:00pm ET, hosted by Matt Bromiley | Using Intelligent Data as a Force Multiplier for Security and IT Ops | Register now: https://www.sans.org/info/226125
Join Chris Crowley and invited speakers for our 2023 SOC Survey event on Tuesday, June 13 at 10:00am EDT.