A critical configuration bug in AWS Application Load Balancer (ALB) when used for authentication could be exploited to gain unauthorized access to resources and exfiltrate data. The issue was detected by researchers from Miggo Research, who have dubbed the issue ALBeast. Miggo Research reported the issue to AWS in April. AWS has published a document, 'Security best practices when using ALB authentication,' which both offers advice and refers to the AWS Shared Responsibility Model for security and compliance.
This AWS Load Balancer issue is similar to the Confused Deputy problem. This stems from the fact that many cloud services are shared between customers. Given a configuration that is not restrictive enough, you end up in this very strange situation where if the load balancer works for you, it will also work for everyone else, allowing the check of authentication to pass no matter where it is. This tends to be one of those difficult bugs because the onus is on everyone else, not Amazon, to fix the issue. How do they notify affected customers, and should they? This is a tricky one.
Secure configuration of enterprise assets and software is a critical security control. The CIS Community Defense Model documented that establishing and maintaining a secure configuration process (CIS CSC 4) is a safeguard for all five attack types discussed in the defense model. This includes cloud-based assets, for which CIS offers an AWS Foundations Benchmark. Download the benchmark for specific configuration guidance. https://www.cisecurity.org/controls: CIS Critical Security Controls
'Cyclomatic complexity' as measured in metrics like McCabe Complexity in the late 70s/80s proved that 'spaghetti code' (high complexity caused by many paths needing to be tested) inevitably had more errors than low complexity code. Today's equivalent is 'spaghetti code as a service' or maybe we should call it the 'spaghetti cloud' as 35 different services with hundreds of calls back and forth are used to complete a transaction. Software testing tools are starting to evolve in this direction but bad guys and smart pen testers (and bug bounty chasers) are finding the gaps.
With cloud services, or any other hosted service, you need to follow the provider's security best practices to ensure you're not leaving yourself vulnerable. It's also a good idea to understand what they are doing to ensure their service is secure. What's harder is that you need to watch for updates to these practices, and yeah, adjust accordingly. If you can't sign up for proactive notifications, make a calendar reminder to check regularly. If you haven't verified your ALB authentication configuration recently against best practices, today's a good day.
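One defender-side check against the confused-deputy pattern described above, added here as an example and not taken from the article or from AWS: a backend behind an ALB should refuse any token whose signer is not its own load balancer, since any ALB in any account can mint a structurally valid token. It assumes the documented header layout of the ALB's x-amzn-oidc-data JWT (alg, kid, signer, iss, client, exp); the ARN, key id and token are constructed placeholders.

```python
import base64
import json

# Constructed sample values (placeholders, not a real account or load balancer).
EXPECTED_ALB_ARN = ("arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                    "loadbalancer/app/my-app-alb/0123456789abcdef")

def _b64decode_lenient(segment: str) -> bytes:
    """Decode a JWT segment whether or not it carries '=' padding or uses
    the URL-safe alphabet; ALB tokens are known to include padding that
    strict JWT libraries reject."""
    s = segment.rstrip("=").replace("+", "-").replace("/", "_")
    s += "=" * (-len(s) % 4)
    return base64.urlsafe_b64decode(s)

def check_alb_token_signer(token: str, expected_alb_arn: str) -> dict:
    """Inspect the header of an ALB x-amzn-oidc-data JWT before trusting it.
    Returns the key id and the regional public-key URL to verify the
    signature with, or raises ValueError if the token was not issued by
    the one load balancer this backend expects."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    header = json.loads(_b64decode_lenient(parts[0]))
    if header.get("alg") != "ES256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signer = header.get("signer", "")
    # The confused-deputy check: a token from someone else's ALB is still a
    # well-formed, correctly signed token, so pin the signer to our own ARN.
    if signer != expected_alb_arn:
        raise ValueError("token signed by foreign ALB: %s" % signer)
    region = signer.split(":")[3]
    kid = header["kid"]
    return {"kid": kid,
            "key_url": f"https://public-keys.auth.elb.{region}.amazonaws.com/{kid}"}

def make_sample_token(signer: str) -> str:
    """Build a constructed token with the ALB header layout (dummy
    payload/signature) purely to exercise the check offline."""
    hdr = {"alg": "ES256", "kid": "0000-kid", "signer": signer,
           "iss": "https://idp.example", "client": "client-id", "exp": 0}
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode()
    return ".".join([enc(hdr), enc({"sub": "user"}), "c2ln"])

if __name__ == "__main__":
    print(check_alb_token_signer(make_sample_token(EXPECTED_ALB_ARN), EXPECTED_ALB_ARN))
```

The block only gates on the header; the ES256 signature must still be verified against the key fetched from the returned URL, and the target's security group should accept traffic from the ALB alone so the header cannot be injected directly.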
SonicWall has released updates to address what they say is a critical vulnerability in the SonicWall SonicOS management access. The improper access control issue could be exploited to gain unauthorized access to resources, and in some cases, crash the firewall. The vulnerability affects Gen 5 (SOHO), Gen 6 and certain Gen 7 Firewalls.
The language in the advisory isn't quite clear. Based on the CVSS Score of 9.8, this is not "just" a denial of service vulnerability. Patch now.
CVE-2024-40766, improper access control, CVSS score of 9.3, requires a firmware update to fix. Gen 5 - 5.9.2.14-13o, Gen 6, 6.5.8.2.8-2n or 6.5.4.15.116n (device dependent), Gen 7 install the latest firmware, at a minimum 7.0.1-5035. Additionally, restrict access to WAN management of your firewall.
SonicWall
Security Week
Help Net Security
The Hacker News
Cyberscoop
NVD
The American Radio Relay League (ARRL) disclosed that they paid a $1 million ransomware demand in mid-May. ARRL says they paid the threat actors' demand to obtain the decryptor, not to keep data from being leaked. Most ARRL systems have now been restored. According to breach notification documentation filed with Maine's attorney general in July, the breach affected 150 people.
As a ham radio operator (K3TN), several key applications I use are still down 3 months later. Also, the personal data exposure only impacted a small number of users but the down services impacted several hundred thousand users. Non-profits can use this one as an example of the real world costs of not preventing incidents.
As a ham operator this attack was disturbing, and while services are not all online, popular services like Logbook of The World (LoTW) - used to record and track contacts with others - are back, and ARRL is forming an Information Technology Advisory Committee to help guide future efforts to remain secure and prevent recurrence. Note to self: no matter how insignificant your organization may look to you, not-for-profit or otherwise, you need to be prepared to repel boarders. ARRL was able to leverage insurance to cover costs here; don't assume that's the magic bullet. Talk to a broker about the realities for your business in your area.
Two questions are relevant: 1. What security mechanisms were in place at ARRL at time of the attack? 2. What influence did the insurance carrier have in the negotiations? For the first, the answer helps others defend against similar attacks. It's clear that ARRL has made architecture changes to the infrastructure because of the attack. For the second, although it is ultimately the company's decision whether to pay, insurers hold a lot of sway. Should the insurer provide the option to pay the ransom? It's a hotly debated topic.
The ARRL may be our communication system of last resort in the face of catastrophe.
According to the results of an audit conducted by the US Justice Department's Office of Inspector General (DOJ OIG), the Federal Bureau of Investigation (FBI) has not been exercising due caution with its 'management of its inventory and disposition for its electronic storage media.' OIG made three recommendations to address the issues; the FBI has concurred with all three.
The issue is that while drives with sensitive data are removed for appropriate disposal/destruction, they are neither tracked nor labelled commensurate with the data on them. The systems they were removed from were both labelled and tracked. Points for special handling of sensitive data destruction, minus a bunch for tracking and controlling access to the media before it's wiped. In today's environment you really do need to track sensitive data "cradle to grave." Take a look at cryptographic erasure (NIST SP 800-88) rather than multi-pass wipe or even shredding. Regardless of how you're ensuring data is properly disposed of, make sure that you track media with sensitive data, including restricting physical access, and are validating a sample to ensure it's really not retrievable. https://csrc.nist.gov/pubs/sp/800/88/r1/final: Guidelines for Media Sanitization
Proper disposal of classified information (SBU, NSI) is a basic requirement of all agencies that handle such information. An individual's clearance would be pulled for leaving classified information unprotected. The FBI's mission requires access to such information but how do you create a culture of security, when basic security requirements are essentially ignored? Accountability has to start at the top and it can't be by simply concurring with the recommendations.
Those in the private sector should check themselves against the findings in these public reports. These findings do not make news because they are unique to one organization, or even rare, but rather because they are likely to be common.
OIG Justice
Nextgov
MeriTalk
Security Week
The Register
The Port of Seattle, which operates Seattle-Tacoma International Airport, is investigating a 'possible cyberattack' that disrupted operations and delayed flights. The incident began over the weekend. Both Alaska Airlines, which has a hub at the airport, and the Transportation Security Administration (TSA) reported experiencing no disruptions.
The idea of adding a cyber event to the list of travel delays to allow for is disturbing. In this case, travelers were able to check-in/obtain boarding passes and flight status through airline online (mobile/web) apps, while in-airport ticket counters had to fall back to paper tickets. The baggage handling/sorting system was also affected, resulting in warnings to passengers to only bring carry-on bags. It appears threat actors are evolving their attacks on critical infrastructure faster than security improvements can be made, which is likely exacerbated by the number of interconnected systems that come together to provide the services we expect.
In the last few months, we have seen how fragile our airport infrastructure systems are. I call it the Hospital problem. Hospitals have historically had a hard time understanding the risks of cyber, until ransomware came along and consistently disrupted hospitals' operations. Will that be what it takes for our OT operators to pay attention to things like water, power, and airports? CrowdStrike's outage was a wakeup call.
For too long we have relied on organisations and vendors to ensure appropriate levels of security are in place to protect critical infrastructure. However, we regularly see organisations fail cybersecurity audits or indeed be victims of cyberattacks. We are now at the stage where we need such organisations.
X
TechRadar
The Register
The Record
Bleeping Computer
Autoriteit Persoonsgegevens, AP, the Dutch Data Protection Authority (DPA) has fined Uber €290 million ($324 million) for violations of the European Union's General Data Protection Regulation (GDPR). The Dutch DPA says that Uber transferred European drivers' personal information to the US without properly protecting the data. Uber has reportedly ended the problematic practice.
In 2018, we saw many organisations rush to become compliant with the requirements of the EU General Data Protection Regulation (GDPR). This is a timely reminder that compliance with the EU GDPR is a journey and not a destination, particularly for organisations that regularly transfer personal data of EU data subjects outside of the EU. If your organisation does transfer such data then you should consider conducting a Transfer Impact Assessment (TIA) and reviewing this guidance from the European Data Protection Board. https://www.edpb.europa.eu/sme-data-protection-guide/international-data-transfers_en: International data transfers
Autoriteit Persoonsgegevens
The Record
Security Week
The Hacker News
Oil field services company Halliburton has confirmed that they suffered a cyberattack last week. In an August 22 filing with the US Securities and Exchange Commission (SEC), Halliburton wrote that they became aware of the incident on August 21 and took certain systems offline to mitigate the situation and prevent it from spreading. In May, the US Transportation Security Administration (TSA) renewed a security directive requiring 'owners and operators of a hazardous liquid and natural gas pipeline or a liquefied natural gas facility notified by TSA that their pipeline system or facility is critical' to implement certain security measures, which include developing incident response plans and network segmentation.
While there is still a lot of mystery here, it is clear that Halliburton executed their response plan, proactively taking sensitive systems offline to prevent further impact. Beyond having a response plan, and proactively taking systems offline to contain an incident, you also need to make sure that you're paying attention to cyber hygiene. Too often hackers are hitting unpatched vulnerabilities or systems inappropriately exposed to the Internet, or even other unsecure systems. Regardless of how you like the term ZTA, one of the core ideas is important - connections need to not only check for user trustworthiness, but also the suitability of the system. If a system doesn't meet minimum security standards, don't allow it on your net.
While it has yet to be confirmed as a ransomware attack, it bears all the hallmarks of one. Many of the TSA security requirements speak to incident planning and notification. To be effective against ransomware attacks, review the Blueprint for Ransomware Defense, hosted by the Institute for Security and Technology. https://securityandtechnology.org/ransomwaretaskforce/blueprint-for-ransomware-defense/: Blueprint for Ransomware Defense
On August 23, Texas Dow Employees Credit Union (TDECU) began notifying 500,000 members that their personal data were compromised in an attack last year. The threat actors compromised the data by exploiting the MOVEit file transfer software vulnerability. TDECU says they learned on July 30, 2024, that the data had been compromised.
Discovering in June of 2024 that data was exfiltrated in May of 2023 is a bit distressing. TDECU, with 4.8 billion in assets and 500,000 members, is not a small financial institution, #85 out of 4600 in the US. While TDECU engaged experts to determine if their data were compromised, it still took a year to make a determination. There is a red flag there that should be addressed for future engagements. Even so, it's important to note that even though the information hasn't appeared on the dark web, TDECU is offering 12 months of credit monitoring/protection to their affected members, providing guidance to members and being as transparent as possible. One hopes TDECU has moved to a different, more modern, file interchange service. In today's climate, where members are inclined to switch financial institutions as quickly as they change clothes, they are now going to have to focus on showing how recurrence is being prevented to retain members.
Over the past several days, the US Cybersecurity and Infrastructure Security Agency (CISA) has added two security issues to their Known Exploited Vulnerabilities (KEV) catalog. A high-severity type-confusion vulnerability (CVE-2024-7971) in the V8 JavaScript and WebAssembly engine in Google Chrome 'allowed a remote attacker to exploit heap corruption via a crafted HTML page.' Federal Civilian Executive Branch (FCEB) agencies have until September 16 to mitigate this issue. A medium-severity dangerous file type upload vulnerability (CVE-2024-39717) in Versa Director could be exploited to upload malicious files. FCEB agencies have until September 13 to mitigate this vulnerability. Other recently added entries include a pair of Dahua IP Camera authentication bypass issues, a Linux Kernel heap-based buffer overflow vulnerability, a Microsoft Exchange Server information disclosure vulnerability, and a Jenkins Command Line Interface (CLI) path traversal vulnerability.
Not a bad idea to take a gander at the KEV to see what other (known exploited) vulnerabilities are out there. As MS Exchange is on the list again: I'm going to encourage you to challenge the need for an on-premises Exchange server.
CISA
Security Affairs
The Hacker News
The Hacker News
NVD
NVD
INTERNET STORM CENTER TECH CORNER
Pandas Errors: What encoding are my logs in?
https://isc.sans.edu/diary/Pandas+Errors+What+encoding+are+my+logs+in/31200
From Highly Obfuscated Batch File to XWorm and Redline
https://isc.sans.edu/diary/From+Highly+Obfuscated+Batch+File+to+XWorm+and+Redline/31204
CVE-2024-38063 Windows IPv6 Issue PoC Exploit
https://github.com/ynwarcs/CVE-2024-38063
Not a vulnerability
CrowdStrike Performance Issues
https://www.reddit.com/r/sysadmin/comments/1eyfex6/at_least_its_not_on_a_friday/
CopyBara Malware
https://www.zscaler.com/blogs/security-research/technical-analysis-copybara#conclusion
SonicWall Vulnerability
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015
Webcast: SANS 2024 Multicloud Survey: Securing Multiple Clouds Amid Constant Changes | August 28, 11:00AM ET | Kenneth G.
Free Virtual Event: SANS 2024 AI Survey: AI and Its Growing Role in Cybersecurity: Lessons Learned and Path Forward | September 11, 10:30 AM ET | Join Matt Edmondson and other experts as they explore the intersection of AI and cybersecurity and provide actionable insights for practitioners, decision-makers, and enthusiasts eager to navigate the future of digital defense.
Webcast: SANS 2024 ICS/OT Survey: The State of ICS/OT Cybersecurity | Wednesday, October 9, 10:30 AM ET | SANS Certified Instructor, Jason Christopher, explores the growing trends in cyber threats, vulnerabilities, and risks across industrial environments, including actionable recommendations for how organizations can improve their security posture.
Virtual Event: Cloud Security Convergence: How Controls Models for A Robust Cloud Security Stack Are Changing | December 6, 1:00 pm ET | As cloud security controls mature, it's common to find that a wide variety of security controls and configuration capabilities are melding into a single platform or service fabric.