SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
Verizon’s Data Breach Investigations Report 2024
Verizon’s 17th annual Data Breach Investigations Report reveals that vulnerability exploits as initial access points in breaches was up 180% in 2023 over 2022. In addition, human error still plays a part in most breaches; ransomware and other extortion attacks account for about one-third of all breaches; and pure extortion attacks are on the rise.
Editor's Notes
- Slide 1 of 4
It is not "human error". It is technology that is not protecting humans and abstracting security leading to a failure to communicate risk to users.
- Slide 2 of 4
The term “human error” is actually incorrect. What VZ DBIR pointed out is the human element is involved in over 65% of all breaches (not including malicious insiders). That number is people, primarily victims of cyberattacks (social engineering) or people making mistakes (that is human error). What really popped this year is people making mistakes represents 28% of all breaches globally; that is a big number. One of the biggest problems we have is that security is really hard for most people, the behaviors we are demanding of them are often confusing, difficult, and overwhelming. Security is no longer just a technology challenge but also a human challenge, and the first step to addressing the human side is making security as simple as possible for people (which is not easy).
- Slide 3 of 4
Well done Verizon, another excellent report. For me, a few key takeaways: 1) the human is still the weak link to building an effective cybersecurity program – exploitation of authentication credentials; 2) Ransomware had a very good year in 2023 – increase in both attacks and payouts; and 3) software supply chain attacks also had a good year and has become a major concern for security professionals.
- Slide 4 of 4
One of the discoveries is it’s taking an average of 55 days to resolve 50% of vulnerabilities. While we’re likely nailing desktop and commodity system patching, those boundary devices, including VPN and remote access services need to be doubled down on. Make sure that you’re not just relying on your WAF to protect applications, code flaws need to be fixed as well.
Slide 1 of 0- Slide 1 of 4
UnitedHealth CEO Testifies at US Congressional Hearing
UnitedHealth CEO Andrew Witty appeared before the US Senate Finance Committee to answer questions about the Change Healthcare ransomware attack. Witty said they paid the ransom demand and that it was his call to do so. Witty also noted that the breached Citrix portal lacked multi-factor authentication (MFA). UnitedHealth is offering affected individuals two years of credit and identity theft protection.
Editor's Notes
- Slide 1 of 4
Two years of credit and identity theft protection is a very bad joke. How will that help people affected whose health records got stolen, and who probably have already free identity theft protection from one of a dozen other breaches? Without meaningful penalties, there is absolutely no reason to improve basic cyber security practices. Free identity theft protection is the "thoughts and prayers" of breaches.
- Slide 2 of 4
This breach is similar to the Equifax breach in 2017, to include the size and scope of breach, the appearances before Congress and the impact. Just like Equifax, I expect there will be a report published on the details of why and how the breach happened. Just like Equifax, this is most likely more than just an issue of lack of MFA, but we will see a much bigger issue of a weak security culture.
- Slide 3 of 4
The big lesson to be learned is the impact that mergers/acquisitions have on one’s cybersecurity program. (UnitedHealth’s acquisition of Change Healthcare was completed in October 2022.) There’s the due diligence part during company acquisition; but then comes the part in merging different security technologies into a common cybersecurity program. Yes, lack of MFA is a big whiff, but I suspect there were other factors at play that led to this sizeable security incident.
- Slide 4 of 4
Beyond credit protection, and the touted neatly $900 million this breach has cost, there should also be consequences from the regulators.
Slide 1 of 0- Slide 1 of 4
GPS and GNSS Attacks are on the Rise
Attacks against the global positioning system (GPS) and global navigation satellite systems (GNSS) are increasing in the Baltic States, the Eastern Mediterranean region, and Resilient Navigation and Timing Foundation, and Ukraine and the Black Sea. The attacks have targeted aircraft and ships with both jamming and spoofing attacks. The UK’s Civil Aviation Authority has published a Safety Notice on GNSS outage that includes recommendations for operational safety.
Editor's Notes
Some airports in the area had to cancel flights as their approaches require GPS. For network security, GPS is often used as a time source. So far, I have not seen any measured effects on time keeping, but it is something to keep in mind as you are designing a time synchronization infrastructure. Maybe we have tomust consider internal time standards again.
The Rest of the Week's News
CISA and FBI Urge Developers to Eliminate Path Traversal Vulnerabilities
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have published a Secure By Design alert urging software developers to eliminate path traversal vulnerabilities from their products prior to shipping. Also known as directory traversal vulnerabilities, the flaws can be exploited by manipulating inputs to access files and directories that developers did not intend users to access. CISA’s Known Exploited Vulnerabilities (KEV) catalog currently includes 55 directory traversal vulnerabilities.
Editor's Notes
I like how CISA recently focuses on essentials like SQL Injection and Path Traversal. Sadly, it won’t matter because the money needed to fix old code is wasted on buying GPUs to train machine learning models that can identify hot dogs. The new ML model will keep investors happy, but the data breach caused by path traversal will just require a subscription to an identity protection service.
Dropbox Discloses Dropbox Sign Breach
Dropbox has disclosed that the Dropbox Sign e-signature service production environment experienced a breach. The unauthorized access was detected on April 24. The intruder accessed the system through a compromised back-end service account and accessed customer data, including email addresses, usernames, hashed passwords, API keys, OAuth tokens, and MFA information. Until October 2022, Dropbox Sign was known as HelloSign.
Editor's Notes
- Slide 1 of 2
An interesting note in the breach report indicates the leak of MFA information. I assume these are the seeds for one-time pass codes. These seeds are usually not encrypted (and can't be hashed like passwords).
- Slide 2 of 2
The compromise of the service account didn’t appear to access payment information or user documents. They did access the Sign user database, usernames, email, hashed passwords, preferences and authentication data. Dropbox is terminating Sign sessions and having users change passwords, including MFA tokens, as well as changing API keys and OAuth tokens. It’s not clear how they are preventing recurrence, something to consider including with you breach communication plan.
Slide 1 of 0- Slide 1 of 2
GitLab Vulnerability Added to KEV
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-7028, an improper access control vulnerability in GitLab Community and Enterprise editions to the Known Exploited Vulnerabilities (KEV) catalog. The flaw, which can be exploited to take control of vulnerable accounts, was introduced in May 2023 with the release of GitLab 16.1.0.; it affects all later versions through 16.7.1. GitLab has already released updates that address the vulnerability. Federal Civilian Executive Branch (FCEB) agencies have until May 22 to update.
Editor's Notes
While introduction into the KEV signals active exploitation, the flaw has been known since January when the patch was made available. Hopefully, organizations were already using multi-factor authentication in which case they are safe. For those that haven’t, patch, implement some form of multi-factor authentication, and review your code now to protect against future software supply chain attacks.
Fact Sheet: Defending OT Operations Against Hacktivist Activity
The US Cybersecurity and Infrastructure Security Agency (CISA), along with several other US agencies, the Canadian Centre for Cyber Security, and the UK’s National Cyber Security Centre, have published a fact sheet with information and recommended mitigations to help organizations defend operational technology (OT) operations against current activity conducted by pro-Russian hacktivists. The document offers an overview of the threat actor activity and recommended mitigations, which include hardening HMI remote access; strengthening security posture; and limiting adversarial use of common vulnerabilities.
Editor's Notes
All good mitigation recommendations that should be applied regardless of the threat actor. If the OT device is Internet-facing it becomes part of the attack surface available to the evildoer. Address the easy to fix vulnerabilities first, by changing default passwords and updating the software.
Internet Storm Center Tech Corner
Another Day, Another NAS: Attacks against Zyxel NAS326 Devices CVE-2023-4473, CVE-2023-4474
Linux Trojan - Xorddos with Filename eyshcjdmzg
https://isc.sans.edu/diary/Linux+Trojan+Xorddos+with+Filename+eyshcjdmzg/30880
Scans Probing for LB-Link and Vinga WR-AC1200 routers CVE-2023-24796
https://isc.sans.edu/diary/Scans+Probing+for+LBLink+and+Vinga+WRAC1200+routers+CVE202324796/30890
Buffer Overflow Vulnerabilities in ArubaOS
https://www.arubanetworks.com/support-services/security-bulletins/
The Cuttlefish Malware
https://blog.lumen.com/eight-arms-to-hold-you-the-cuttlefish-malware/
EU iOS Safari Allows User Tracking
https://www.mysk.blog/2024/04/28/safari-tracking/
AWS S3 Denial of Wallet Amplification Attack
https://blog.limbus-medtec.com/the-aws-s3-denial-of-wallet-amplification-attack-bc5a97cc041d
BentoML Critical Deserialization Vuln CVE-2024-2912
https://nvd.nist.gov/vuln/detail/CVE-2024-2912
R-Bitrary Code Execution: Vulnerability in R's Deserialization
https://hiddenlayer.com/research/r-bitrary-code-execution/
Coordinated Docker Hub Attacks using Malicious Repositories
NVMe-oF/TCP Vulnerabilities