HAR files, Okta breach, EO on AI, Ransomware, Solarwinds CISO charged, and Bagels! – ESW #338
Oh, the HARror! Sanitizing HAR files is not as easy as some might lead you to believe. CISA funds Cyber.org for K-12 cyber education and ORNL creates a Center for AI Security Research (CAISER). Cloudflare creates a tool out of spite, and CISA creates a tool you shouldn't use in production? Biden's EO on "Safe, Secure, and Trustworthy AI" and the Top Five Things you need to know about how GenAI is used in Security Tools.
Five lessons learned from Okta's latest breach, should ransom payments be illegal, and why ransomware victims can't stop paying ransoms. We discuss the impact of the charges made against Solarwinds and its CISO by the SEC, the 2023 ISC2 Cybersecurity Workforce Survey, and Microsoft's latest open letter on security.
Finally we wrap up discussing a delicious $8M Series A for better bagels!
Announcements
Join our cybersecurity community on Discord! Connect directly with our expert hosts, join discussions with fellow audience members, and customize your notifications to receive alerts every time an episode of your favorite show publishes. Get your invite at securityweekly.com/discord!
- 1. FUNDING: Cranium Announces $25 Million in Series A Funding to Secure AI
- 2. FUNDING: CISA Awards CYBER.ORG $6.8M in Funding for K-12 Cyber Education
- 3. ACQUISITIONS: Palo Alto Networks buys Dig Security, sources say for $400M
- 4. ACQUISITIONS: Proofpoint Signs Definitive Agreement to Acquire Tessian
- 5. NEW ORGANIZATIONS: Center for Artificial Intelligence Security Research (CAISER)
- 6. NEW TOOLS: HAR Sanitizer tool by Cloudflare
I recorded a simple HAR file of me logging into a VERY simple website that I regularly use. Maybe I need to do additional testing, but it was not possible for me to figure out which cookies or other elements to sanitize from the HAR file. The variable/cookie names looked randomly generated - there was nothing labeled "password", "secrets", or "OAuth key". Browsing the HAR file manually was also difficult, and I failed to locate the OAuth key that way as well.
In summary, I don't think the average employee would be successful in sanitizing HAR files, and I don't see a straightforward way to automate this process.
The attackers seem to have found a process to take advantage of them, however! They don't have to understand the HAR file or perform surgery on it; they can just use it as is to have a logged-in session.
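As an added illustration of what sanitizing a HAR actually involves (this is example code written for these notes, not Cloudflare's HAR Sanitizer and not something from the show), the script below takes the only approach that works when cookie and parameter names are opaque: it redacts every cookie and credential-bearing header wholesale, redacts conventionally named secret keys in query strings and JSON bodies, and scrubs anything JWT-shaped wherever it appears. The header and key lists are assumptions that a site owner would extend; the HAR at the bottom is constructed for the example, not a real capture.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Credential-bearing headers, matched case-insensitively (assumed list; extend per site).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key"}
# Query/body keys that conventionally carry secrets (assumed list; extend per site).
SENSITIVE_KEYS = {"access_token", "refresh_token", "id_token", "token", "password",
                  "client_secret", "code", "session", "sessionid"}
# Anything JWT-shaped: a base64url header starting with '{"' always encodes as "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*")


def scrub_text(text):
    """Replace JWT-shaped substrings in free text."""
    return JWT_RE.sub(REDACTED, text)


def sanitize_pairs(pairs, always, stats):
    """Redact HAR name/value lists in place (headers, queryString, postData.params)."""
    for item in pairs:
        if str(item.get("name", "")).lower() in always | SENSITIVE_KEYS:
            item["value"] = REDACTED
            stats["pairs"] += 1
        elif isinstance(item.get("value"), str):
            item["value"] = scrub_text(item["value"])


def sanitize_url(url, stats):
    """Redact sensitive query parameters in the URL string itself, keep the rest."""
    parts = urlsplit(url)
    query = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS or JWT_RE.search(value):
            value, stats["query"] = REDACTED, stats["query"] + 1
        query.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(query))) if query else url


def sanitize_body(text, stats):
    """JSON bodies: redact sensitive keys recursively; anything else: scrub JWTs."""
    try:
        doc = json.loads(text)
    except ValueError:
        return scrub_text(text)

    def walk(node):
        if isinstance(node, dict):
            hits = [k for k in node if k.lower() in SENSITIVE_KEYS]
            stats["body_keys"] += len(hits)
            return {k: REDACTED if k in hits else walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        return scrub_text(node) if isinstance(node, str) else node

    return json.dumps(walk(doc))


def sanitize_har(har):
    """Return a sanitized deep copy of a HAR document plus redaction counts."""
    stats = {"pairs": 0, "query": 0, "body_keys": 0}
    har = json.loads(json.dumps(har))  # HAR is plain JSON, so this deep-copies it
    for entry in har.get("log", {}).get("entries", []):
        req, res = entry.get("request", {}), entry.get("response", {})
        req["url"] = sanitize_url(req.get("url", ""), stats)
        for side in (req, res):
            sanitize_pairs(side.get("headers", []), SENSITIVE_HEADERS, stats)
            # Cookie names are opaque, so every cookie counts as a session credential.
            for cookie in side.get("cookies", []):
                cookie["value"], stats["pairs"] = REDACTED, stats["pairs"] + 1
        post = req.get("postData", {})
        sanitize_pairs(req.get("queryString", []), set(), stats)
        sanitize_pairs(post.get("params", []), set(), stats)
        if isinstance(post.get("text"), str):
            post["text"] = sanitize_body(post["text"], stats)
        content = res.get("content", {})
        if isinstance(content.get("text"), str):  # base64 (binary) bodies are dropped outright
            content["text"] = REDACTED if content.get("encoding") == "base64" else sanitize_body(content["text"], stats)
    return har, stats


# Constructed sample, not a real capture: opaque cookie names, a token in the query
# string, a password in the POST body and a JWT in the JSON response.
JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.c2lnbmF0dXJlX2J5dGVz"
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST", "url": "https://app.example.test/login?token=tok3n-abc&page=1",
        "headers": [{"name": "Cookie", "value": "q7z=9f81c2; _ga=GA1.2"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "q7z", "value": "9f81c2"}, {"name": "_ga", "value": "GA1.2"}],
        "queryString": [{"name": "token", "value": "tok3n-abc"}, {"name": "page", "value": "1"}],
        "postData": {"mimeType": "application/json",
                     "text": json.dumps({"user": "alice", "password": "hunter2"})}},
    "response": {
        "headers": [{"name": "Set-Cookie", "value": "k1=deadbeef; HttpOnly"}],
        "cookies": [{"name": "k1", "value": "deadbeef"}],
        "content": {"mimeType": "application/json", "text": json.dumps(
            {"ok": True, "access_token": JWT, "profile": {"name": "alice"}})}}}]}}

if __name__ == "__main__":
    clean, counts = sanitize_har(SAMPLE_HAR)
    print(json.dumps(clean, indent=1), "\nredactions:", counts)
```

Because this is a deny-list, it will still miss a site-specific parameter name it has never seen, which is exactly the problem described above. The dependable complement is to log out of the site (invalidating the session server-side) as soon as the capture is taken: a HAR whose cookies no longer map to a live session is useless to the replay attack the hosts describe, whatever the sanitizer missed.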
- 7. NEW TOOLS: Logging Made Easy
Initially created by NCSC and now maintained by CISA, Logging Made Easy is a self-install tutorial for small organizations to gain a basic level of centralized security logging for Windows clients and provide functionality to detect attacks. It's the coming together of multiple free and open software platforms, where LME helps the reader integrate them to produce an end-to-end logging capability. We also provide some pre-made configuration files and scripts, although there is the option to do it on your own.
Logging Made Easy can:
- Show where administrative commands are being run on enrolled devices
- See who is using which machine
- Query, in conjunction with threat reports, for the presence of an attacker in the form of Tactics, Techniques and Procedures (TTPs)
- 8. LEGISLATION: President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence
I'm sad we overlooked the opportunity to call this the "Skynet Prevention Act"
- 9. AI ESSAYS: The Top Five Things You Need To Know About How Generative AI Is Used In Security Tools
- 10. AI ESSAYS: AI Security Has Serious Terminology Issues
- 11. REPORTS: Offensive Security Vision Report 2023
Penetration tests have always had gaps. It's unavoidable - you just can't do everything the bad guys can do, like installing malware with a worm component in production environments. But it strikes me that, with the popularity of SaaS these days, pentests might be missing entire environments. The term SaaS, and environments like Salesforce, M365, Google Workspace, and Okta, never come up in this NetSPI report.
Working in product marketing for a SaaS security vendor, one of my challenges has been figuring out why SaaS security isn't higher on folks' priority lists, and I suspect this might be part of the reason why. I mean, I get it - folks still have NT4, Server 2003 on their networks (hell, they still have "networks"), and that's scary as hell. But an Okta/M365 admin takeover is pretty scary as well, no?
Is SaaS in scope for modern pen tests? Is it even on pen testers' radars?
- 12. AI INTERVIEWS: Trustworthy AI for National Security – Kathleen Fisher – PSW #805
- 13. BREACHES: Five Lessons Learned From Okta’s Support Site Breach
- 14. TRENDS: Why ransomware victims can’t stop paying off hackers
- 15. PODCASTS: Should Ransom Payments Be Made Illegal?
On its face, refusing to pay ransoms sounds like a great idea. However, 'winning' against cybercrime always comes with a cost. Here's my logic:
- We convince everyone to stop paying ransoms and we win! Cybercriminals stop using ransomware and extortion as a means of making money.
- The cybercriminals didn't go away, so they're going to use their sizable numbers, R&D budget, time, and skills to come up with a new way of making money.
- They'll either shift to something else that's currently working (e.g. BEC, which is already several times more profitable than ransomware), or come up with something new.
- Are we prepared for the new? Do we follow the trend and shift focus away from ransomware prevention to the new thing?
- Most companies don't have fundamentals down, so this plays out badly for us. Again.
Could we even consider stopping ransomware a success, or a reasonable goal, given that most orgs won't be prepared for what comes next?
- 16. ESSAYS: How to Banish Heroes from Your SOC?
- 17. INTERVIEWS: SC Media Talks Cybersecurity and Process Mining
- 18. HOWTOS: How Leading Companies Use Trust Center Updates — Best Practices and Examples – SafeBase Blog
- 19. LEGAL: SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures
- 20. LEGAL: Cybersecurity Leaders Spooked by SEC Lawsuit Against SolarWinds CISO
Maybe there's an upside here though? Now CISOs can push back on pressure to bend the truth or lie, pointing to cases like these?
- 21. LEGAL: Here’s what that Capital One court decision means for corporate cybersecurity
- 22. REPORTS: 2023 ISC2 Cybersecurity Workforce Survey
- 23. OPEN LETTERS: Announcing Microsoft Secure Future Initiative to advance security engineering
Lastly, we are continuing to push the envelope in vulnerability response and security updates for our cloud platforms.
- 24. SQUIRREL FUNDING: Deal Dive: Bagels with a schmear of venture capital