Spanish mobile carrier Orange España has acknowledged that it experienced an outage earlier this week. The incident was caused by a threat actor accessing Orange’s RIPE Network Coordination Center account using a weak password. RIPE, or Réseaux IP Européens, is “the Regional Internet Registry for Europe, the Middle East, and Central Asia.”
According to some reports, the RIPE account used by Orange did not use MFA. At this point, it is inexcusable for a critical infrastructure account like this to not be protected by multi-factor authentication. Even highly qualified network engineers may succumb to malware.
This incident highlights the tug between operations management and cybersecurity. From an operations perspective, workflow accounts are often shared and have simple passwords associated with the login. From a security perspective, accountability is important and is reflected in individual accounts with unique passwords. From a risk perspective, better to err on the side of security, especially when it comes to password complexity.
While most popular enterprises offer strong authentication options to their customers and users, for perception of cost and inconvenience, many fail to use this essential measure internally, even, as in this case, for privileged users. Make the implementation of strong authentication a high priority for 2024.
The Attorney General of the State of New York has fined New York Presbyterian (NYP) Hospital $300,000 over its use of third-party tracking tools on its website and patient portal. The tools had not been vetted for potential policy or legal violations. NYP operates 10 hospitals in the New York City area and has more than 2 million patient visits annually.
Using third party trackers isn't great. Maybe I missed the news, but I have not seen any fines for more serious issues like sending initial passwords in the clear via email or using client side JavaScript as sole input validation.
This one is an example of a long running failure to have privacy requirements for any product/service procurement where customer data will be tracked or stored. Security/privacy teams have to assert themselves into the procurement process and into making sure marketing heads understand why privacy is legally a concern.
Are you using trackers on your web site? Are you certain? Are you aware what they store and who has access to that data? More importantly, if you’re using a tracker do you know what it can and cannot do, and do you have appropriate management approval?
Over 13 states have adopted a data privacy statute or similar law. Data collected by these tracking tools is protected by state laws. This should serve as a wake-up call for every organization that employs third-party tracking tools, to review their data privacy policies and use of third-party tracking tools.
It is interesting to see how the state of New York will go over entities like this. Specifically trackers and analytics are such a normal part of our Web life.
The LastPass password manager application is now requiring that all master passwords have a minimum length of 12 characters. Although the 12-character minimum has been the LastPass default since 2018, users have had the option of setting shorter passwords until now. Users who have passwords with fewer than 12 characters will be prompted to change them. LastPass has experienced several security incidents over the past few years.
LastPass is asking you to do two things if you haven’t already. First, re-enroll your MFA token (Google Authenticator, LastPass Authenticator, MS Authenticator) and second, confirm that you’ve got a password of 12 or more characters. Note they are still using the old complexity requirements - at least one of upper, lower, numeric and special character, as well as modern guidance of not using information tied to you, sequential characters, etc. Make sure you’re selecting something you can remember and enter reliably.
Some important changes, but the problem isn't so much password length, but the fact that the password is user selected. Competitors use a randomly generated string in addition to the user's password to encrypt password vaults. User passwords will always be weak and to some extent guessable no matter the length.
I’m a huge fan of password managers but they are also a single point of failure. In many ways you could consider your password for your Password Manager your most important password. Not sure if LastPass is taking the right approach here, especially after their security issues. What I think would be fantastic is making the MFA the default option. If you did not want MFA, you have to manually disable it and then require something longer than 12 characters. I’m a big fan of passphrases as they are easier to remember and type, but have the entropy needed. I personally prefer the standard of at least 16 characters.
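As an added illustration of the point above about combining a randomly generated secret with the user's password (example code written for this note, not LastPass's or any competitor's implementation; the iteration count, salt, secret-key length and HKDF info label are assumptions):

```python
import hashlib
import hmac
import os

# Assumed parameters for illustration only.
PBKDF2_ITERATIONS = 200_000
SECRET_KEY_BYTES = 16  # 128 bits of entropy the user never has to memorize


def stretch_password(master_password: str, salt: bytes) -> bytes:
    """Slow-hash the user-chosen master password (the only secret a
    password-only design relies on). Its strength is bounded by how
    guessable the password is, whatever the length rule says."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=32)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def generate_secret_key() -> bytes:
    """Random per-account secret, generated on the client and kept only on
    the user's devices (and their emergency kit), never on the vault server."""
    return os.urandom(SECRET_KEY_BYTES)


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Two-secret derivation: the stretched password and the random secret
    key both feed the vault key. An attacker holding a stolen encrypted vault
    must guess the password AND the 128-bit secret, so a weak password alone
    no longer unlocks the vault."""
    pw_key = stretch_password(master_password, salt)
    prk = hkdf_extract(salt, pw_key + secret_key)
    return hkdf_expand(prk, b"vault-key")


if __name__ == "__main__":
    salt = b"constructed-salt-for-demo"
    sk = generate_secret_key()
    key = derive_vault_key("correct horse battery staple", sk, salt)
    print("vault key:", key.hex())
    print("differs without the secret key:",
          key != derive_vault_key("correct horse battery staple", bytes(16), salt))
```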
HealthEC LLC, “a population health technology company that provides services to other entities,” has reported a data security breach that affects nearly 4.5 million patients. The incident occurred in July 2023 and was reported to the US Department of Health and Human Services Office for Civil Rights on December 21.
The Court Services Victoria (CSV) has disclosed a cybersecurity incident that may have compromised transcriptions and audio and video recordings of court and tribunal proceedings. The intrusion was detected on December 21; the breach affects proceedings that took place between November 1 and December 21.
This is an example of an incident report that never says why/how the attack succeeded. This is kind of like a road sign that has “Something Happened” vs. “Fallen Rocks.” The information they did include shows the attackers were active for two weeks without the Court noticing and there was still exposure for 2 weeks after the attackers announced, “YOU HAVE BEEN PWND.” Those are not good metrics for Court IT security – good item to use to check isolation and monitoring if you have similar systems.
Freight shipping company Estes Express Lines has acknowledged that ransomware operators stole personal data belonging to 20,000 customers. Estes disclosed the incident in early October 2023. The company did not pay the ransom demand.
Estes Express gets credit for promptly reporting the cyber-attack via social media and not paying the ransom demand. Unfortunately, they fell a bit short in formally notifying their customers of the data loss and offering free identity monitoring services.
A data breach affecting a defunct ambulance service in Boston has compromised personal information of at least 900,000 individuals. Transformative Healthcare disclosed the breach, which affected Fallon Ambulance Service, a subsidiary that ceased operations in December 2022. The breach occurred in early 2023. The data were kept archived on an IT system for legal purposes.
This is in the no good deed goes unpunished category. When creating an archive of data for future use, legal hold, etc., make sure you’ve carefully documented how the information is protected and accessed. At some point you’re going to want to consider when that offline storage may be the proper solution.
Two aspects come to light with this cyber incident: 1) data retention and storage; and 2) acquisition due diligence. While companies have legal obligations to retain data, if it’s no longer required for operational purposes place it in off-site storage. Due diligence should have surfaced the cyber incident prior to acquisition. Regardless, Coastal Medical Transportation Systems is now liable for the data breach.
On Tuesday, January 2, the US Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: a heap buffer overflow vulnerability in Google Chromium WebRTC and a remote code execution vulnerability in Spreadsheet::ParseExcel. Federal Civilian Executive Branch agencies are required to mitigate these issues by January 23.
While Perl has largely fallen out of favor with developers, you should be checking for legacy or lingering Perl code which may have security issues. Either keep that code updated or replace it with code written in tools/languages your developers are using today.
Over the next year, cybersecurity professionals will face several compliance deadlines, including the Payment Card Industry Data Security Standard v 4.0 with a deadline of March 31, new Federal Trade Commission (FTC) breach reporting rules that take effect on May 13, and a June 15 deadline for smaller companies to comply with the Securities and Exchange Commission’s (SEC’s) new breach disclosure rules.
Note that PCI/DSS v4.0 comes with 13 new requirements due March 31st. Requirements include identifying the relevant roles and responsibilities of security team members and third-party service providers, determining the scope of an organization’s cardholder data environment (CDE), defining a “customized approach” to compliance, and performing targeted risk analyses. You may wish to engage your internal assessor (ISA), or current QSA as they have been training up on the new requirements.
Google has released its first Chrome update of 2024. The new release fixes six security issues, four of which were submitted by external researchers. Three of the vulnerabilities are use-after-free issues in ANGLE, WebAudio, and WebGPU. The fourth is a heap buffer overflow in ANGLE. All four are rated high severity. Chrome 120.0.6099.199 for Mac and Linux and 120.0.6099.199/200 for Windows will be rolled out over the next few days and weeks.
It is hard to find good numbers, but it is pretty clear that more than half of the vulnerabilities in big name software, like Google, Microsoft, Apple, etc., continue to be found by external researchers. By definition, this means no new release of a product/service can be trusted until a lot of outsiders have pounded on it. Since business demands often drive “no, we have to move now,” better to have those outsiders be part of a well-managed bug bounty effort.
Now that we’re back from the holiday break, it’s a good time to scan for systems that don’t have the updated version deployed. Make sure you’ve got data from 2024 for each endpoint, and watch for users which are still waiting on the “reload/relaunch to update” step. Give thought to deploying a setting which sets the max age on the update before the restart is forced.
Prefer single purpose built software. Browsers have long since passed the threshold of complexity beyond which they should not be relied upon for sensitive applications.
Wireshark Updates
https://isc.sans.edu/diary/Wireshark+updates/30528
Interesting large and small malspam attachments from 2023
https://isc.sans.edu/diary/Interesting+large+and+small+malspam+attachments+from+2023/30524
Fingerprinting SSH Identification Strings
https://isc.sans.edu/diary/Fingerprinting+SSH+Identification+Strings/30520
Shall We Play a Game?
https://isc.sans.edu/diary/Shall+We+Play+a+Game/30510
Mailtrap.io Exfiltration
https://isc.sans.edu/diary/Python+Keylogger+Using+Mailtrapio/30512
Pi Hole Docker
https://isc.sans.edu/diary/PiHole+Pi4+Docker+Deployment/30516
Mirai Update
Android Updates
https://source.android.com/docs/security/bulletin/2024-01-01
Apple iOS PoC Exploits
https://github.com/felix-pb/kfd/blob/main/writeups/smith.md
https://github.com/felix-pb/kfd/blob/main/writeups/landa.md
Ivanti Critical Vulnerability
https://forums.ivanti.com/s/article/SA-2023-12-19-CVE-2023-39336?language=en_US
Malicious PyPi Packages
Everything npm package
Orange Spain RIPE Account Compromise
Bitwarden Heist
https://blog.redteam-pentesting.de/2024/bitwarden-heist/
Google OAUTH2 Exploited by Malware
TsuKing DNS Amplification
https://lixiang521.com/publication/ccs23/ccs23-xu-tsuking.pdf
Barracuda 0-Day Vulnerability
https://www.barracuda.com/company/legal/esg-vulnerability
Apache OFBiz 0-Day Exploited against Atlassian (and possibly others)
https://blog.sonicwall.com/en-us/2023/12/sonicwall-discovers-critical-apache-ofbiz-zero-day-authbiz/