SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
CISA ColdFusion Advisory
The US Cybersecurity and Infrastructure Security Agency (CISA) has published a cybersecurity advisory confirming the exploitation of an improper access control vulnerability in Adobe ColdFusion. The vulnerability (CVE-2023-26360) was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on March 15 with a mitigation date of April 5.Threat actors used the vulnerability to compromise servers at a federal civilian executive branch (FCEB) agency. The advisory includes tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs) and recommendations for detection and protection.
Editor's Notes
It’s time to bid adieu to Cold Fusion. CVE-2023-26360, CVSS score of 8.6, is being actively exploited and is present in older ColdFusion 2016 and ColdFusion 11 which are unsupported as well as the 2018 and 2021 versions which have updates. If you can’t migrate off, look to add a WAF in front as well as implementing signed executable policies, in addition to MFA and aggressive patch management.
Microsoft: End of Support Date for Windows 10
Microsoft has announced that it will stop providing full security support for Windows 10 as of October 14, 2025. Microsoft recommends upgrading to Windows 11, but will offer extended security updates for an annual subscription fee.
Editor's Notes
- Slide 1 of 3
Interesting that Microsoft offers extended support for Windows 10 Home. I doubt they are expecting a lot of home users to sign up for it. But there may be more Windows 10 Home in use in enterprises than expected. This in itself could be an issue. Windows Home does not include all the security and management features enterprises need to properly configure these systems.
- Slide 2 of 3
This is above the security organization, but it is really time for CIOs to say, “At the end of 2025, should we really be supporting user devices that run big honking operating systems when they need to be patched more frequently than monthly, and are mostly (if not exclusively) accessing applications that are running in the cloud vs. on device?” From a security perspective, removing Windows from the threat chain is a major raising of the bar. If Windows stays in the user device picture, cost of patching/mitigating/re-imaging has to be part of budget planning.
- Slide 3 of 3
Windows 11 was released in October 2021, as a free upgrade. With the upgrade to Windows 11 came a set of system requirements that many users likely did not meet. That said, four years is plenty of time to implement a migration plan from Windows 10, that includes the needed hardware refresh.
Slide 1 of 0- Slide 1 of 3
Five Eyes Countries Guidance to Help Eliminate Memory Safety Issues
Intelligence agencies from the Five Eyes nations (Australia, Canada, New Zealand, the UK, and the US) have jointly published The Case for Memory Safe Roadmaps, guidance to help software developers and C-suite executives create memory safe code. The document urges developers to transition to memory safe programming languages (MSLs) and migrate codebases to MSLs.
Editor's Notes
This short list of problems account for a major part of the vulnerability of our infrastructure. It seems clear that we cannot rely upon programmers using popular tools to avoid them. It is past due time to switch to new tools.
The Rest of the Week's News
Sierra Router Vulnerabilities
Researchers at Forescout Vedere Labs have detected more than 20 vulnerabilities affecting Sierra routers. Some of the flaws affect the OpenNDS and TinyXML open source components. Sierra’s Wireless AirLink cellular routers are used in operational technology (OT) systems and Internet of Things (IoT) devices in the critical infrastructure sector.
Editor's Notes
- Slide 1 of 3
The most severe vulnerability in this set is a vulnerability in the Captive Portal code, OpenNDS, which was also known as "nodogsplash". We observed just this week scans for this component by some Russian hacktivists: https://isc.sans.edu/diary/rss/30450: Zarya Hacktivists: More than just Sharepoint.
- Slide 2 of 3
The TinyXML open source component is essentially abandoned but Sierra created fixes for the flaws in their routers. The updates address all of the 20 vulnerabilities. While you may be thinking you’re off the hook in that exploitation has to be done from the WiFi interface, a compromised system could be leveraged here, so you really need to get those updates out.
- Slide 3 of 3
The addition of 21 vulnerabilities is even more troubling when the same research also indicates two-thirds of deployed routers remain unpatched for previously reported vulnerabilities. Internet facing OT devices must be part of an organizations patch management process.
Slide 1 of 0- Slide 1 of 3
HHS Fines Clinic $480,000 for Phishing-based HIPAA Violation
The US Department of Health and Human Services (HHS) has reached a settlement with Lafourche Medical Group over a Health Insurance Portability and Accountability Act (HIPAA) violation stemming from a phishing attack. The incident, which was reported in 2021, involved the compromise of personal health information belonging to 35,000 people.
Editor's Notes
- Slide 1 of 3
What is being targeted is the lack of a security monitoring/risk posture assessment program. Something which has to be continually done and updated. If you’re in a regulated industry, you’re aware of the requirements. What’s new is substantial fines after an incident. Maybe go make sure you’re not just checking a box here.
- Slide 2 of 3
A relatively small incident like this will typically have hard react/recover/restore/communicate costs in the $4-5M range so the fine is just a 10% uplift. This one is smaller example of the previous item on the East River Imaging compromise.
- Slide 3 of 3
Over the last 18 months or so, we’ve seen several settlements at both the state and federal level for violations of basic cybersecurity requirements that led to a data breach. This is but the latest enforcement action. Besides the fine, Lafourche Medical Group must implement several corrective actions to comply with HIPAA cybersecurity rules. This, and the other settlements, should serve as a wakeup call that basic cybersecurity requirements will be enforced.
Slide 1 of 0- Slide 1 of 3
Medical Imaging Service Center Breach
East River Medical Imaging (ERMI) has begun notifying more than 600,000 people that their personal information may have been compromised in a breach of the company’s systems. ERMI detected suspicious activity on its network on September 20; an investigation determined that intruders had access to the network for three weeks prior to the discovery. ERMI reported the incident to the department of Health and Human Services Office for Civil Rights (HHS OCR) on November 22.
Editor's Notes
- Slide 1 of 2
Mid-sized medical services firms are attractive targets because of the billing data they store and the fact that they are often not large enough to have strong security teams or management focus on security/safety as they went online – and attackers have been taking advantage of both factors. If you are in a similar situation, use this one to convince management that the cost of avoiding a $50M incident is lower than going through one.
- Slide 2 of 2
The attackers had access to their systems from August 31st to September 20th. Impacted people were notified starting around thanksgiving. ERMI is offering complimentary credit monitoring to those whose Social Security or driver’s numbers were part of the impacted data. If you’re a customer of ERMI, you want to check for fraudulent activity and, even if not impacted, setup credit monitoring and identity restoration services.
Slide 1 of 0- Slide 1 of 2
HHS’s Proposed Healthcare Sector Cybersecurity Strategy
The US Department of Health and Human Services (HHS) has published a cybersecurity strategy to help hospitals address cybersecurity concerns. HHS is seeking comments on proposed cybersecurity requirements that could tie Medicare and Medicaid funding to implementation of baseline security standards. The document also proposes updates to the Health Insurance Portability and Accountability Act (HIPAA) that would impose new cybersecurity requirements.
Editor's Notes
- Slide 1 of 2
Restaurants that have unhealthy/unsanitary food handling conditions are routinely shut down and produce containing deadly bacteria is routinely removed from grocery store shelves. The HHS plan has steps to push out (voluntary standards which largely exist already) and to “Provide resources to incentivize and implement these cybersecurity practices.” After that, enforcement has to be part of the strategy.
- Slide 2 of 2
As cybersecurity strategies go nothing surprising here. Instead of creating yet another set of voluntary cybersecurity requirements leverage what already exists and enforce them. Accountability has to be the crucial component of the strategy.
Slide 1 of 0- Slide 1 of 2
WordPress Update Fixes RCE Vulnerability
WordPress version 6.4.2 addresses a remote code execution flaw that could be chained with another flaw to execute arbitrary PHP code. The Property Oriented Programming (POP) chain issue was introduced in WordPress core 6.4, which was released in early November.
Editor's Notes
For a change this flaw impacts WordPress core. The flaw was introduced in version 6.4 and is patched in 6.4.2. While this should be automatically installed, check your servers to be sure. WordFence released a WAF rule 12/6 for paid users which will be available 1/5 for the free version.