SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
Gartner Researchers: Organizations Need to Change Mindsets About Prevention and Recovery
In their keynote speech at the Gartner Security & Risk Management Summit in Sydney, Australia, Gartner researchers Chris Mixter and Dennis Xu said that it is not possible to completely prevent cybersecurity incidents; what is important, they said, is to develop robust recovery plans and rehearse them.
Editor's Notes
- Slide 1 of 3
There are two points being made here. The first is that you need to train and plan for an incident. Develop plans based on tolerable impact which would allow responses to be prioritized. The second is that you need to look out for the well-being of your responders. Staff more than one shift, monitor for stress and mental state, make sure they acknowledge work they have done, even taking credit for small incidents to show they are making a difference.
- Slide 2 of 3
Business continuity plans that are rehearsed and drilled have been identified as both essential and efficient for decades. They are the security measure of last resort; we invoke them when all else fails. The success of ransomware attacks demonstrates that many are not nearly as robust as they need to be. That said, prevention remains the most efficient part of one's strategy.
- Slide 3 of 3
You can’t talk about prevent and recovery without also including detection. It’s akin to having fire detectors installed. You can never, completely prevent a fire, but you do want to be able to detect one and be able to reduce the harm from it. And yes, you should regularly test the recovery plan. That’s why organizations regularly have fire alarm drills.
Slide 1 of 0- Slide 1 of 3
Broken Undersea Cables Disrupt Internet Service in Africa
Damaged undersea cables along the West African coast have impacted Internet service in more than a dozen African countries. The incident occurred last week, and has affected Internet availability in Burkina Faso, Gambia, Guinea, Liberia, Côte d'Ivoire, Ghana, Benin, Niger, and other countries.
Editor's Notes
- Slide 1 of 3
The impacted cables are deep, about 1.86 miles, which rules out human activity (ship anchor, fishing, drilling) leaving seismic activity as a likely source. Undersea cables are responsible for about 99% of intercontinental traffic. As we're all thinking "path diversity," we need to also consider the viability of alternate options, both bandwidth and latency. Remember when we thought we could fail over from a T3 to a T1 - until we did? Same idea with satellite - it may not be viable. Document how you're implementing your redundant connection, including path, bandwidth and latency, and then, in a possibly resume enhancing move, schedule failovers to verify it's viable, or at least tolerable.
- Slide 2 of 3
Usual reminder that we learned to have backup power for data centers, backup internet connectivity also needed these days. But, a twist here: network connectivity for many applications these days need lower latency than satellite service can provide – bandwidth alone is not the issue. Some “crown jewel” business processes may require more expensive dedicated backup services, both for on premise hosted and cloud hosted.
- Slide 3 of 3
Undersea cables are the weakest link on the Internet. If they are damaged, the result is a service degradation until alternate communication paths can be established. Unfortunately, there isn’t a lot of redundancy on the Internet especially it’s outer edges.
Slide 1 of 0- Slide 1 of 3
The Rest of the Week's News
NVD Leaves Thousands of Entries Without Enriched Information
The US National Institute of Standards and Technology’s (NIST’s) National Vulnerability Database (NVD) is in the midst of making changes to its processes, resulting in thousands of new entries lacking enrichment: vulnerability analyses and descriptions, as well as lists of affected software, CVSS scores, and links to patches and additional information. Some researchers are reporting that more than 2,000 recently-added vulnerabilities lack enrichment data.
Editor's Notes
- Slide 1 of 3
While NIST is working to bridge the gap on enrichment, they are also dealing with the first budget cut in over 10 years, as well as a doubling of published CVEs comparing 2017 to 2023. One hopes the consortium they are establishing will help bridge both resource and volume challenges.
- Slide 2 of 3
The lesson for the rest of us, here and in the case of the recent AT&T wireless outage, is that changes to processes should be planned in such a way that they do not put the mission at risk.
- Slide 3 of 3
NIST has certainly gotten everyone’s attention regarding the state of the NVD. What would be helpful is a bit more transparency on the makeup of this consortium and possible changes to the data that makes up the NVD. NIST helped create the demand for the NVD, and it should resource it while it forms the consortium.
Slide 1 of 0- Slide 1 of 3
UK Government Publishes Cloud Security Guidance for OT
The UK’s National Cyber Security Centre (NCSC) has published guidance to help organizations that use operational technology (OT) decide whether or not to migrate their supervisory control and data acquisition (SCADA) systems to the cloud. The document includes sections on understanding the business drivers and cloud opportunities, organizational readiness, and technology and cloud solutions suitability.
Editor's Notes
The idea of moving traditionally air-gapped SCADA systems to the cloud is a bit concerning. This guide is designed to walk you through considerations and tradeoffs. First you need to decide if you're doing a full migration, fail-over, or hybrid. Second, determine the specific risks, including staff skillsets to manage the cloud, including OT/SCADA components, as well as detect changes, particularly to SDN. Lastly, include an assessment of the suitability of technology for cloud migration. Keep in mind that even private cloud is still a software defined boundary, and like a submarine, many OT/SCADA components don't respond well to bullets, so you will need different tools to monitor the health and security of those migrated systems.
Malawi’s Passport System is Operational Again
Malawi’s passport system is back online following a cybersecurity incident several weeks ago. In late February, the computer system at Malawian’s immigration service suffered what was likely a ransomware attack.
Editor's Notes
Back in February, the Malawi President said they would have replacement system online in three weeks and this is right about on schedule with passport printing resuming this week, first in Lilongwe, then other regions after that. As to the attack, they are referring to the gang as cyber mercenaries which will face the long arm of the law. This is a good scenario for the multi-agency investigation and takedown, which we've seen of late, to take on.
Healthcare Sector Breaches in Scotland and Ireland
Last week, National Health Service (NHS) Dumfries and Galloway in Scotland posted an alert warning that they are experiencing an ongoing cybersecurity incident that may disrupt services and compromise patient information. In another story, a configuration error affecting Ireland’s Health Service Executive (HSE) led to the exposure of COVID vaccination data.
Editor's Notes
This is a bit of a one-two punch, not only the attack in Scotland, but also a configuration error in the Irish Salesforce implementation which allowed accounts belonging to HSE patients to access the parts of the system storing the vaccination data. This was not a deliberate mistake; it was a misunderstanding of permissions and their implications within the Salesforce platform. Even though Salesforce has implemented changes to more readily identify permission issues and audit their abuse, you still need to regularly assess and review your permissions on all your SaaS platforms. Hire a third party to help you learn and execute. Remember to budget for cybersecurity: even outsourced or cloud-based services need control testing, monitoring, response capabilities.
Fortra Fixes Critical Flaw in FileCatalyst WorkFlow
Fortra has released a fix for a critical directory traversal vulnerability in its FileCatalyst WorkFlow product. The flaw could be exploited to execute code, including web shells. The vulnerability was reported to Fortra in August 2023 and the fix was released shortly after. The CVE was issued at the request of the individual who reported the vulnerability.
Editor's Notes
- Slide 1 of 2
The exploit for the flaw is trivial. I have not seen any attempts against our honeypots yet, but due to the simple exploit, and attackers ability to easily enumerate vulnerable devices: Assume compromise when patching.
- Slide 2 of 2
CVE-2024-25153, directory traversal flaw, CVSS score of 9.8, allows a file to be uploaded outside the intended "uploadtemp" directory, then executed. The fix is to upgrade to FileCatalyst 5.1.6 Build 114 or higher, which also resolves two other flaws, CVE-2024-25154 and CVE-2024-25155, which can be used for information leakage and code execution. The researcher from LRQA Nettitude not only discovered the vulnerability but also released a POC exploit. Given the attention on file transfer system weaknesses, by folks like the Cl0p ransomware gang, you need to get the updates deployed post haste.
Slide 1 of 0- Slide 1 of 2
McDonald’s Global IT Outage Blamed on Third-Party Provider
Starting late last week, many McDonald’s restaurants across the world were forced to close temporarily due to an IT outage. The incident affected point-of-sale systems, which prevented employees from taking orders, processing payments, or opening cash registers. The outage appears to have been caused by a configuration error at a third-party provider.
Editor's Notes
- Slide 1 of 3
The McDonald’s Global CIO message had a telling quote: “Notably, this issue was not directly caused by a cybersecurity event; rather, it was caused by a third-party provider during a configuration change.” Which is like saying “Notably, arsonists didn’t burn down my house, that electrician we used caused the fire. But, we are still sleeping in a tent.” We really need CIOs that think of security as just an attribute of reliability and service levels vs. some totally separate effort.
- Slide 2 of 3
Third-parties are how we're getting business done, and the impacts of errant configuration changes are widely felt. Remember the AT&T outage last month? Make sure you understand where you have third parties and what the impact of service outages would be. Remember when you're down, pointing to the third-party isn't going to satisfy your customers; they want to know when services will be restored. Work with your third parties to understand their processes, to include fail-over and reporting, and make sure they are commensurate with the risks of service impacts to your business.
- Slide 3 of 3
The implication of third parties in breaches, starting with Target and including this one, raises three questions. First, does your reliance on a third party constitute a single point of failure for your enterprise? Second, does your connection to a third party materially increase your attack surface? Third, are third parties restricted to only that portion of the enterprise network to which they must have access for the intended purpose? Consider that I may have the order wrong.
Slide 1 of 0- Slide 1 of 3
Fujitsu Discloses Data Breach
In a notice posted to their website, Fujitsu writes that they have “confirmed the presence of malware on several of [the] company’s work computers.” An investigation of the incident revealed that the breach may have led to the theft of customer and employee data.
Editor's Notes
Fujitsu is focused on immediate containment, eradication and impact of the malware. That they suspect data has been exfiltrated hints that this may have been the initial stages of a ransomware attack. Their response plan is an example of being very proactive, taking actions, including communication to prevent added damage.
International Monetary Fund Discloses Cybersecurity Incident
The International Monetary Fund (IMF) is investigating a cybersecurity incident that was detected in mid-February. An ongoing investigation has determined that 11 IMF email accounts were compromised. The IMF has not disclosed additional information except for confirming that they use Microsoft 365.
Editor's Notes
- Slide 1 of 2
This event happened on February 16th, and the compromised accounts appear to be regular users, not top leadership, which would allow attackers to nominally insert themselves into the business communication, possibly leveraging that access for gains later. Here is a good excuse for making sure you've not got gaps in your email MFA configuration, no special exceptions, and that your session token life is within risk tolerance and documented.
- Slide 2 of 2
Strong authentication (at least two kinds of evidence, at least one of which is resistant to replay), is essential for e-mail.
Slide 1 of 0- Slide 1 of 2