SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Verizon’s 17th annual Data Breach Investigations Report reveals that the use of vulnerability exploits as initial access points in breaches was up 180% in 2023 over 2022. In addition, human error still plays a part in most breaches; ransomware and other extortion attacks account for about one-third of all breaches; and pure extortion attacks are on the rise.
It is not "human error". It is technology that is not protecting humans and abstracting security leading to a failure to communicate risk to users.
The term “human error” is actually incorrect. What VZ DBIR pointed out is the human element is involved in over 65% of all breaches (not including malicious insiders). That number is people, primarily victims of cyberattacks (social engineering) or people making mistakes (that is human error). What really popped this year is people making mistakes represents 28% of all breaches globally; that is a big number. One of the biggest problems we have is that security is really hard for most people, the behaviors we are demanding of them are often confusing, difficult, and overwhelming. Security is no longer just a technology challenge but also a human challenge, and the first step to addressing the human side is making security as simple as possible for people (which is not easy).
Well done Verizon, another excellent report. For me, a few key takeaways: 1) the human is still the weak link to building an effective cybersecurity program – exploitation of authentication credentials; 2) Ransomware had a very good year in 2023 – increase in both attacks and payouts; and 3) software supply chain attacks also had a good year and have become a major concern for security professionals.
One of the discoveries is it’s taking an average of 55 days to resolve 50% of vulnerabilities. While we’re likely nailing desktop and commodity system patching, those boundary devices, including VPN and remote access services need to be doubled down on. Make sure that you’re not just relying on your WAF to protect applications, code flaws need to be fixed as well.
UnitedHealth CEO Andrew Witty appeared before the US Senate Finance Committee to answer questions about the Change Healthcare ransomware attack. Witty said they paid the ransom demand and that it was his call to do so. Witty also noted that the breached Citrix portal lacked multi-factor authentication (MFA). UnitedHealth is offering affected individuals two years of credit and identity theft protection.
Two years of credit and identity theft protection is a very bad joke. How will that help people affected whose health records got stolen, and who probably already have free identity theft protection from one of a dozen other breaches? Without meaningful penalties, there is absolutely no reason to improve basic cyber security practices. Free identity theft protection is the "thoughts and prayers" of breaches.
This breach is similar to the Equifax breach in 2017, to include the size and scope of breach, the appearances before Congress and the impact. Just like Equifax, I expect there will be a report published on the details of why and how the breach happened. Just like Equifax, this is most likely more than just an issue of lack of MFA, but we will see a much bigger issue of a weak security culture.
The big lesson to be learned is the impact that mergers/acquisitions have on one’s cybersecurity program. (UnitedHealth’s acquisition of Change Healthcare was completed in October 2022.) There’s the due diligence part during company acquisition; but then comes the part in merging different security technologies into a common cybersecurity program. Yes, lack of MFA is a big whiff, but I suspect there were other factors at play that led to this sizeable security incident.
Beyond credit protection, and the touted nearly $900 million this breach has cost, there should also be consequences from the regulators.
Attacks against the global positioning system (GPS) and global navigation satellite systems (GNSS) are increasing in the Baltic States, the Eastern Mediterranean region, and Resilient Navigation and Timing Foundation, and Ukraine and the Black Sea. The attacks have targeted aircraft and ships with both jamming and spoofing attacks. The UK’s Civil Aviation Authority has published a Safety Notice on GNSS outage that includes recommendations for operational safety.
Some airports in the area had to cancel flights as their approaches require GPS. For network security, GPS is often used as a time source. So far, I have not seen any measured effects on time keeping, but it is something to keep in mind as you are designing a time synchronization infrastructure. Maybe we have to consider internal time standards again.
In last Friday’s NewsBites (NB 26.33), we mistakenly indicated that the Awards Ceremony for the President’s Cup Cybersecurity Competition would be held on May 13. The ceremony will be held on May 20.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have published a Secure By Design alert urging software developers to eliminate path traversal vulnerabilities from their products prior to shipping. Also known as directory traversal vulnerabilities, the flaws can be exploited by manipulating inputs to access files and directories that developers did not intend users to access. CISA’s Known Exploited Vulnerabilities (KEV) catalog currently includes 55 directory traversal vulnerabilities.
I like how CISA recently focuses on essentials like SQL Injection and Path Traversal. Sadly, it won’t matter because the money needed to fix old code is wasted on buying GPUs to train machine learning models that can identify hot dogs. The new ML model will keep investors happy, but the data breach caused by path traversal will just require a subscription to an identity protection service.
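The flaw class named in the CISA/FBI alert, shown as an added example (not code from the alert or from this newsletter): a naive join of untrusted input onto a base directory next to a resolver that checks containment after resolution. The function names, directory names and sample inputs are constructed for illustration, and POSIX paths are assumed.

```python
import os
import tempfile
from pathlib import Path


def naive_resolve(base: str, user_path: str) -> str:
    """Vulnerable pattern: join untrusted input onto the base directory."""
    # os.path.join drops `base` when user_path is absolute; normpath then
    # collapses ".." segments, which can climb out of `base`.
    return os.path.normpath(os.path.join(base, user_path))


def safe_resolve(base: str, user_path: str) -> Path:
    """Return the resolved path if it stays under base, else raise ValueError."""
    base_real = Path(base).resolve(strict=True)
    # resolve() collapses ".." and follows symlinks before the containment check.
    candidate = (base_real / user_path).resolve()
    # Compare path components, not string prefixes, so "/srv/files_old"
    # cannot pass a check meant for "/srv/files".
    if candidate != base_real and base_real not in candidate.parents:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def demo() -> list:
    """Run constructed inputs through safe_resolve in a throwaway directory."""
    verdicts = []
    with tempfile.TemporaryDirectory() as tmp:
        base, sibling = Path(tmp) / "files", Path(tmp) / "files_old"
        (base / "reports").mkdir(parents=True)
        sibling.mkdir()
        (base / "reports" / "q1.txt").write_text("report")
        (sibling / "secret.txt").write_text("not for users")
        os.symlink(sibling, base / "link")  # symlink that points outside base
        samples = [
            "reports/q1.txt",               # normal request
            "reports/../reports/q1.txt",    # ".." that stays inside base
            "../files_old/secret.txt",      # ".." into a sibling directory
            str(sibling / "secret.txt"),    # absolute path
            "link/secret.txt",              # symlink escape
        ]
        for sample in samples:
            try:
                safe_resolve(str(base), sample)
                verdicts.append("allowed")
            except ValueError:
                verdicts.append("rejected")
    return verdicts
```

The sibling directory `files_old` is there on purpose: a check written as `path.startswith(base)` on the output of `naive_resolve` would accept it.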
Dropbox has disclosed that the Dropbox Sign e-signature service production environment experienced a breach. The unauthorized access was detected on April 24. The intruder accessed the system through a compromised back-end service account and accessed customer data, including email addresses, usernames, hashed passwords, API keys, OAuth tokens, and MFA information. Until October 2022, Dropbox Sign was known as HelloSign.
An interesting note in the breach report indicates the leak of MFA information. I assume these are the seeds for one-time pass codes. These seeds are usually not encrypted (and can't be hashed like passwords).
The compromise of the service account didn’t appear to access payment information or user documents. They did access the Sign user database, usernames, email, hashed passwords, preferences and authentication data. Dropbox is terminating Sign sessions and having users change passwords, including MFA tokens, as well as changing API keys and OAuth tokens. It’s not clear how they are preventing recurrence, something to consider including with your breach communication plan.
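Why one-time-passcode seeds cannot be stored hashed the way passwords are, as an added example (not Dropbox's code and not part of the newsletter): the server has to recompute each code from the raw seed, so a one-way hash of the seed is useless for verification. The seed is the RFC 6238 test key; the password, salt and helper names are constructed.

```python
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a keyed MAC over the current time counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(stored_key: bytes, code: str, unix_time: int) -> bool:
    """Server-side check: recompute the code from the stored key material."""
    return hmac.compare_digest(totp(stored_key, unix_time), code)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(stored_hash: bytes, salt: bytes, attempt: str) -> bool:
    """The client sends the secret itself, so the server can hash and compare."""
    return hmac.compare_digest(hash_password(attempt, salt), stored_hash)


# Constructed sample data: the RFC 6238 test seed and a made-up password.
SEED = b"12345678901234567890"
SALT = b"constructed-salt"
TIMES = (59, 1111111109, 1234567890)

# Password: the stored hash alone is enough to verify a login attempt.
password_ok = verify_password(hash_password("correct horse", SALT), SALT,
                              "correct horse")

# TOTP: with the raw seed the server reproduces what the authenticator shows.
seed_ok = all(verify_totp(SEED, totp(SEED, t), t) for t in TIMES)

# A server that kept only a hash of the seed can no longer verify those codes.
hashed_seed = hashlib.sha256(SEED).digest()
hashed_seed_ok = all(verify_totp(hashed_seed, totp(SEED, t), t) for t in TIMES)
```

Because the seed must stay recoverable, protecting it at rest means reversible encryption with the key held outside the database, which is the difference from password storage.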
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-7028, an improper access control vulnerability in GitLab Community and Enterprise editions, to the Known Exploited Vulnerabilities (KEV) catalog. The flaw, which can be exploited to take control of vulnerable accounts, was introduced in May 2023 with the release of GitLab 16.1.0; it affects all later versions through 16.7.1. GitLab has already released updates that address the vulnerability. Federal Civilian Executive Branch (FCEB) agencies have until May 22 to update.
While introduction into the KEV signals active exploitation, the flaw has been known since January when the patch was made available. Hopefully, organizations were already using multi-factor authentication in which case they are safe. For those that haven’t, patch, implement some form of multi-factor authentication, and review your code now to protect against future software supply chain attacks.
The R Project has released R Core Version 4.4.0 to address a high-severity deserialization of untrusted data vulnerability that could allow arbitrary code execution. The vulnerability could be exploited in supply chain attacks. Users are urged to upgrade to the most recent version of the open-source programming language.
The White House has issued a National Security Memorandum “to secure and enhance the resilience of U.S. critical infrastructure.” The memorandum replaces a decade-old policy document regarding critical infrastructure protection. The new memorandum designates the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as the lead agency for securing the country’s critical infrastructure; aims to improve public/private partnerships through intelligence and threat information sharing; and reaffirms 16 designated infrastructure sectors and the associated federal departments and agencies that serve as each sector’s Sector Risk Management Agency.
The US Cybersecurity and Infrastructure Security Agency (CISA), along with several other US agencies, the Canadian Centre for Cyber Security, and the UK’s National Cyber Security Centre, have published a fact sheet with information and recommended mitigations to help organizations defend operational technology (OT) operations against current activity conducted by pro-Russian hacktivists. The document offers an overview of the threat actor activity and recommended mitigations, which include hardening HMI remote access; strengthening security posture; and limiting adversarial use of common vulnerabilities.
All good mitigation recommendations that should be applied regardless of the threat actor. If the OT device is Internet-facing it becomes part of the attack surface available to the evildoer. Address the easy to fix vulnerabilities first, by changing default passwords and updating the software.
A Finnish man has been sentenced to six years and three months in prison for stealing data from the Vastaamo Psychotherapy Center in 2020 and using the data to extort money from patients. Julius Kivimäki was found guilty of multiple counts of aggravated dissemination of information infringing on individuals' private lives, aggravated attempted blackmail, and aggravated blackmail. Last year, Vastaamo’s CEO received a three-month suspended sentence for failing to protect the privacy of patient data.
Another Day, Another NAS: Attacks against Zyxel NAS326 Devices CVE-2023-4473, CVE-2023-4474
Linux Trojan - Xorddos with Filename eyshcjdmzg
https://isc.sans.edu/diary/Linux+Trojan+Xorddos+with+Filename+eyshcjdmzg/30880
Scans Probing for LB-Link and Vinga WR-AC1200 routers CVE-2023-24796
https://isc.sans.edu/diary/Scans+Probing+for+LBLink+and+Vinga+WRAC1200+routers+CVE202324796/30890
Buffer Overflow Vulnerabilities in ArubaOS
https://www.arubanetworks.com/support-services/security-bulletins/
The Cuttlefish Malware
https://blog.lumen.com/eight-arms-to-hold-you-the-cuttlefish-malware/
EU iOS Safari Allows User Tracking
https://www.mysk.blog/2024/04/28/safari-tracking/
AWS S3 Denial of Wallet Amplification Attack
https://blog.limbus-medtec.com/the-aws-s3-denial-of-wallet-amplification-attack-bc5a97cc041d
BentoML Critical Deserialization Vuln CVE-2024-2912
https://nvd.nist.gov/vuln/detail/CVE-2024-2912
R-Bitrary Code Execution: Vulnerability in R's Deserialization
https://hiddenlayer.com/research/r-bitrary-code-execution/
Coordinated Docker Hub Attacks using Malicious Repositories
NVMe-oF/TCP Vulnerabilities