SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
US Legislators Draft Nationwide Data Privacy Act
Two US legislators have drafted the American Privacy Rights Act, which eliminates the existing patchwork of state comprehensive data privacy laws, and establishes robust enforcement mechanisms to hold violators accountable, including a private right of action for individuals. The legislation would restrict the types of data companies can collect, retain, and use to only what is necessary to provide products and services. It would also hold companies accountable for their data security obligations.
Editor's Notes
- Slide 1 of 3
One of the great things about the US is how our 50 states (plus territories!) serve as petri dishes of democracy. Many have created and tested their own privacy laws. Here's hoping the federal government manages to adopt the best aspects of each.
- Slide 2 of 3
Having a single privacy law in the U.S. would simplify implementation for all involved. The draft legislation parallels the existing goals of CCPA, GDPR and other privacy acts. The question is how it will be transformed as it works its way through congress and if states will be willing to accept what remains or continue to enact their own rules.
- Slide 3 of 3
A US Data Privacy Act is long overdue. On first blush it appears to be modeled off the European General Data Protection Regulation (GDPR) giving citizens rights over their personal data. Given its bipartisan sponsored, strengthens the likelihood it will fully be considered by the House and Senate.
Slide 1 of 0- Slide 1 of 3
Acuity Confirms Their GitHub Repositories Were Breached
The US Department of State is investigating a potential cyber incident after information that was purportedly taken from national security agencies was leaked online. Tech consulting firm Acuity, which is a US government contractor, has confirmed that intruders breached their GitHub repositories and stole documents.
Editor's Notes
- Slide 1 of 2
Maybe the headline should read "Acuity confirms it stored national security data on GitHub", not that the GitHub repo was breached. But it probably sounded better in the press release to call this a GitHub repo breach.
- Slide 2 of 2
Not so sure storing national security information on GitHub is a wise choice without a lot of due diligence to ensure its protected. The takeaway is to really understand the (external) environment you're storing sensitive data in and verify the protection (and detection) mechanisms meet or exceed your requirements, then ensure they continue to do so.
Slide 1 of 0- Slide 1 of 2
D-Link NAS Vulnerability Affects End-of-Life Devices
A vulnerability affecting more than 92,000 D-Link network-attached storage (NAS) devices is being actively exploited. The issue was discovered by a researcher known online as netsecfish, who writes, The vulnerability lies within the nas_sharing.cgi uri, which is vulnerable due to two main issues: a backdoor facilitated by hardcoded credentials, and a command injection vulnerability via the system parameter. The vulnerable devices are no longer supported and thus will not be patched.
Editor's Notes
- Slide 1 of 3
Whenever you purchase a device, you need to track its "lifetime" based on the vendors end-of-support rules. Vendors not being open about how long to expect support for should be avoided. But at one point, the only option will be to replace the device, which needs to be budgeted for.
- Slide 2 of 3
We need to be as conscious of lifecycle with home devices as we are in the workplace. Yeah, they are not broken as they keep working. But they are not getting updates either. Also its easy to forget about them - like that time you allowed a connection from the internet to help some friends you never shut down? Now the really hard part is to get rid of the old one so you're not tempted to put it back online.
- Slide 3 of 3
The count makes one suspicious that these devices are visible to the public networks. Network attached storage should not be visible to the public networks.
Slide 1 of 0- Slide 1 of 3
The Rest of the Week's News
Optical Product Manufacturer Discloses Cybersecurity Incident
Hoya Corporation has disclosed a cybersecurity incident that the company says has affected some production facilities and some product ordering systems. Hoya says that on March 30, they discovered a discrepancy in system behavior that revealed a system failure, and was advised by third-party experts that it was likely due to unauthorized access. Hoya is a Tokyo-based manufacturer of optical products, including eyeglasses, contact lenses, endoscopy products, and glass substrate used in hard disk drives.
Editor's Notes
Although Hoya has yet to confirm a ransomware attack, it bears all the hallmarks of one. Hoyas revenue last year was just over $5.6B, so its safe to assume they have a reasonable cybersecurity budget. Hopefully, they will be forthcoming about what happened and what defenses were in place at the time of attack.
German State Switches from Microsoft Windows to Linux
The Germany state of Schleswig-Holstein says it plans to move from Microsoft Windows to Linux. Schleswig-Holstein digitalization minister Dirk Schršdter noted that the use of open-source software also benefits from improved IT security, cost-effectiveness, data protection, and seamless collaboration between different systems. He also cited digital sovereignty as a reason for the move. The switch to open-source is not a surprise: several years ago, the state announced its intention to switch from Microsoft Office to LibreOffice, with a goal of migrating 25,000 computers by 2026.
Editor's Notes
If you're evaluating a similar move, make sure you consider the impact on your support and security services. The total cost of ownership may be higher than you think. Make sure you understand what infrastructure you're going to need to provide and how you'll achieve equivalent security and user experience. You may need a lot of training as so much experience is based on how Windows does things.
Home Depot Data Breach Impacts Employees
Home Depot has acknowledged a recent cybersecurity incident that exposed employee data. Home Depot told Bleeping Computer that A third-party Software-as-a-Service (SaaS) vendor inadvertently made public a small sample of Home Depot associates' names, work email addresses and User IDs during testing of their systems. The number of affected employees is not specified.
Editor's Notes
- Slide 1 of 2
Testing with mocked up or dummy data takes a bit longer to generate usable data but is really important for testing. With outsourced or cloud services you need data which doesn't matter while you make sure systems are properly secured before going live.
- Slide 2 of 2
Test data is part of the specification. It should be written before the code. It includes both the inputs and the associated expected outputs. Live data does not contain the expected outputs and is not adequate for testing. Moreover, proper separation of functions should deny developers and testers access to live data.
Slide 1 of 0- Slide 1 of 2
Google V8 Sandbox Aims to Prevent Memory Corruption Vulnerabilities from Spreading
Google is adding a V8 sandbox to their Chrome browser with the goal of preventing memory corruption in V8 from spreading within the host process. Memory corruption vulnerabilities in V8 are usually not garden variety memory corruption issues: most cannot be addressed by switching to memory-safe programming languages or using hardware memory safety features.
Editor's Notes
- Slide 1 of 2
This is designed to protect the host system from the browser.
- Slide 2 of 2
Browsers leak. This announcement says that the Javascript V8 engine, a component of many browsers, leaks so badly that the solution is to encapsulate it so as to contain the leakage. The objectives of the V8 engine, and of most browsers, were speed and features. Speed, features, and integrity: pick two.
Slide 1 of 0- Slide 1 of 2
NYC Payroll Website Not Available Outside of City Intranet
Due to a phishing campaign aimed at obtaining city employee account credentials, the New York City Automated Personnel System, Employee Self Service (NYCAPS/ESS) is not currently publicly available. According to Recorded Future, New York City's Office of Technology and Innovation said that employees were receiving smishing (phishing via SMS) messages. While the website is not accessible to the general public, it is still accessible to employees through NYC's secure internal network (intranet). The smishing messages, which asked employees to set up MFA, appears to be a scam based out of Lithuania.
Editor's Notes
Sounds like a sensible precaution. Reducing your attack surface, by not exposing some applications to the internet, can substantially reduce the risk. Maybe this application should never have been exposed in the first place?
US DoJ Data Exposed in Third-Party Breach
A data security incident at a US Department of Justice (DoJ) third-party contractor has resulted in the exposure of DoJ-related information belonging to more than 340,000 people. The Greylock McKinnon Associates consulting firm said the incident occurred in May 2023. The compromised data include Medicare information and Social Security numbers.
Editor's Notes
- Slide 1 of 2
It took the third party until February this year to confirm the incident. While they subsequently deleted the DoJ data, the data were already exposed) This highlights the need to understand the capabilities of your third-party providers as well as make sure their response actions are consistent with your requirements. Propose a joint tabletop to make sure you're on the same page.
- Slide 2 of 2
Law firms and consultant organizations often maintain sensitive information on behalf of their clients. They are perhaps the weak link in the cybersecurity chain. What's disappointing though, is the timing of victim notification almost a year after the data breach.
Slide 1 of 0- Slide 1 of 2