Security Weekly
Enterprise Security WeeklySubscribe
Breach, Government Regulations, Industry Regulations

HAR files, Okta breach, EO on AI, Ransomware, Solarwinds CISO charged, and Bagels! – ESW #338

Oh, the HARror! Sanitizing HAR files is not as easy as some might lead you to believe. CISA funds Cyber.org for K-12 cyber education and ORNL creates a Center for AI Security Research (CAISER). Cloudflare creates a tool out of spite, and CISA creates a tool you shouldn't use in production? Biden's EO on "Safe, Secure, and Trustworthy AI" and the Top Five Things you need to know about how GenAI is used in Security Tools.

Five lessons learned form Okta's latest breach, should ransom payments be illegal, and why ransomware victims can't stop paying ransoms. We discuss the impact of the charges made against Solarwinds and its CISO by the SEC, the 2023 ISC2 Cybersecurity Workforce Survey, and Microsoft's latest open letter on security.

Finally we wrap up discussing a delicious $8M Series A for better bagels!

Full episode and show notes

Announcements

  • Join our cybersecurity community on Discord! Connect directly with our expert hosts, join discussions with fellow audience members, and customize your notifications to receive alerts every time an episode of your favorite show publishes. Get your invite at securityweekly.com/discord!

Hosts

Host of the Enterprise Security Weekly podcast and principal researcher of The Defender's Initiative at The Defender's Initiative
  1. 1. FUNDING: Cranium Announces $25 Million in Series A Funding to Secure AI
  2. 2. FUNDING: CISA Awards CYBER.ORG $6.8M in Funding for K-12 Cyber Education
  3. 3. ACQUISITIONS: Palo Alto Networks buys Dig Security, sources say for $400M
  4. 4. ACQUISITIONS: Proofpoint Signs Definitive Agreement to Acquire Tessian
  5. 5. NEW ORGANIZATIONS: Center for Artificial Intelligence Security Research (CAISER)
  6. 6. NEW TOOLS: HAR Sanitizer tool by Cloudflare

    I recorded a simple HAR file of me logging into a VERY simple website that I regularly use. Maybe I need to do additional testing, but it was not possible for me to figure out which cookies or other elements to sanitize from the HAR file. The variable/cookie names looked randomly generated - there was nothing labeled "password", "secrets", or "OAuth key". Browsing the HAR file manually was also difficult, and I failed to locate the OAuth key that way as well.

    In summary, I don't think the average employee would be successful in sanitizing HAR files, and I don't see a straightforward way to automate this process.

    However, the attackers seem to have found a process to take advantage of them, however! They don't have to understand the HAR file or perform surgery on it, they can just use it as is to have a logged-in session.

  7. 7. NEW TOOLS: Logging Made Easy

    Initially created by NCSC and now maintained by CISA, Logging Made Easy is a self-install tutorial for small organizations to gain a basic level of centralized security logging for Windows clients and provide functionality to detect attacks. It's the coming together of multiple free and open software platforms, where LME helps the reader integrate them together to produce an end-to-end logging capability. We also provide some pre-made configuration files and scripts, although there is the option to do it on your own.

    Logging Made Easy can:

    • Show where administrative commands are being run on enrolled devices
    • See who is using which machine
    • In conjunction with threat reports, it is possible to query for the presence of an attacker in the form of Tactics, Techniques and Procedures (TTPs)
  8. 8. LEGISLATION: President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence

    I'm sad we overlooked the opportunity to call this the "Skynet Prevention Act"

  9. 9. AI ESSAYS: The Top Five Things You Need To Know About How Generative AI Is Used In Security Tools
  10. 10. AI ESSAYS: AI Security Has Serious Terminology Issues
  11. 11. REPORTS: Offensive Security Vision Report 2023

    Penetration tests have always had gaps. It's unavoidable - you just can't do everything the bad guys can do, like installing malware with a worm component in production environments. But it strikes me that, with the popularity of SaaS these days, pentests might be missing entire environments. The term SaaS, environments like Salesforce, M365, Google Workspace, Okta never come up in this NetSPI report.

    Working in product marketing for a SaaS security vendor, one of my challenges has been figuring out why SaaS security isn't higher on folks' priority lists, and I suspect this might be part of the reason why. I mean, I get it - folks still have NT4, Server 2003 on their networks (hell, they still have "networks"), and that's scary as hell. But an Okta/M365 admin takeover is pretty scary as well, no?

    Is SaaS in scope for modern pen tests? Is it even on pen testers' radars?

  12. 12. AI INTERVIEWS: Trustworthy AI for National Security – Kathleen Fisher – PSW #805
  13. 13. BREACHES: Five Lessons Learned From Okta’s Support Site Breach
  14. 14. TRENDS: Why ransomware victims can’t stop paying off hackers
  15. 15. PODCASTS: Should Ransom Payments Be Made Illegal?

    On its face, refusing to pay ransoms sounds like a great idea. However, 'winning' against cybercrime always comes with a cost. Here's my logic:

    1. We convince everyone to stop paying ransoms and we win! Cybercriminals stop using ransomware and extortion as a means of making money.
    2. The cybercriminals didn't go away, so they're going to use their sizable numbers, R&D budget, time, and skills to come up with a new way of making money.
    3. They'll either shift to something else that's currently working (e.g. BEC, which is already several times more profitable than ransomware), or come up with something new.
    4. Are we prepared for the new? Do we follow the trend and shift focus away from ransomware prevention to the new thing?
    5. Most companies don't have fundamentals down, so this plays out badly for us. Again.

    Could we even consider stopping ransomware a success, or a reasonable goal, given that most orgs won't be prepared for what comes next?

    join this discussion here on LinkedIn

  16. 16. ESSAYS: How to Banish Heroes from Your SOC?
  17. 17. INTERVIEWS: SC Media Talks Cybersecurity and Process Mining

    https://youtube.com/watch?v=hCOYg02hMA4&feature=shared

  18. 18. HOWTOS: How Leading Companies Use Trust Center Updates — Best Practices and Examples – SafeBase Blog
  19. 19. LEGAL: SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures

    https://www.sec.gov/news/press-release/2023-227

  20. 20. LEGAL: Cybersecurity Leaders Spooked by SEC Lawsuit Against SolarWinds CISO

    Maybe there's an upside here though? Now CISOs can push back on pressure to bend the truth or lie, pointing to cases like these?

  21. 21. LEGAL: Here’s what that Capital One court decision means for corporate cybersecurity
  22. 22. REPORTS: 2023 ISC2 Cybersecurity Workforce Survey
  23. 23. OPEN LETTERS: Announcing Microsoft Secure Future Initiative to advance security engineering

    Lastly, we are continuing to push the envelope in vulnerability response and security updates for our cloud platforms.

  24. 24. SQUIRREL FUNDING: Deal Dive: Bagels with a schmear of venture capital
Executive Director at Guardedrisk
Founder & CTO at Trimarc

Related

Threat Modeling and Understanding Inherent Threats – Adam Shostack – ESW #359

This is a great interview with Adam Shostack on all things threat modeling. He's often the first name that pops into people's heads when threat modeling comes up, and has created or been involved with much of the foundational material around the subject. Adam recently released a whitepaper that focuses on and defines inherent threats. Resources: ...