Brittany Pomish says
Sensitive Data Sharing Risks Heightened as GenAI Surges
This article from Infosecurity Magazine discusses the heightened risks of sensitive data sharing due to the surge in AI applications. According to a Netskope study, 96% of organizations now use GenAI tools, which has led to an increase in the sharing of sensitive data. Notably, proprietary source code sharing with GenAI apps accounts for 46% of all data policy violations.
In Unit 1 we discussed trade secrets and intellectual property and how these need to be protected. This article is a good example of how human error can impact security. Likely, the average employee doesn’t realize that by putting information into GenAI apps they are opening their organization up to risk. Whether it’s source code, company strategy, or customer information, it is now being shared.
Link – https://www.infosecurity-magazine.com/news/sensitive-data-sharing-genai/
James Nyamokoh says
Title: BlackByte Targets ESXi Bug With Ransomware to Access Virtual Assets
According to an article released by Jai Vijayan on August 28th, 2024, it was reported that cybercriminals using the BlackByte ransomware are now focusing their attacks on a newly found security loophole in VMware ESXi known as CVE-2024-37085. This security flaw enables attackers who have enough access to Active Directory (AD) to take complete control over ESXi hosts, which play a vital role in business networks. The BlackByte group has changed its methods to take advantage of this vulnerability as part of a new strategy to target critical infrastructure and create significant chaos. The article highlights how these ransomware groups adapt their tactics and procedures over time and pressure companies to improve their security measures regarding handling vulnerabilities and responding to incidents. The article is closely related to this week’s topic of “Understanding an Organization’s Risk Environment” as it demonstrates how cybercriminals adapt to exploit new vulnerabilities, emphasizing the need for organizations to identify and manage risks effectively.
Link: https://www.darkreading.com/cyberattacks-data-breaches/blackbyte-targets-esxi-bug-with-ransomeware-to-access-virtual-assets
Gbolahan Afolabi says
Title: Hacking blind spot: States struggle to vet coders of election software.
The state of New Hampshire hired an IT firm to build its new voter registration database ahead of the 2024 election, and that firm used offshore labor to partially build the software behind the database. During a scan, an external auditor uncovered that the software was misconfigured to communicate with servers in Russia and that it used open-source code. The auditor also discovered that a developer had hard-coded the Ukrainian national anthem into the database to show solidarity.
The state of New Hampshire did not provide robust specifications of security controls and objectives to the small IT firm tasked with building its new voter registration database. The threat of a foreign adversary could have a HIGH impact on the Confidentiality, Integrity, and Availability of the system with the vulnerability uncovered by the third-party auditors. New Hampshire failed to manage its vendor’s security posture, which might have led to the dissemination of voters’ confidential Personally Identifiable Information (PII), the destruction or modification of polling data, or the loss of access to the database. New Hampshire should improve its administrative security controls to govern and restrict the development of and access to the software to personnel within the country who have obtained Top Secret / Sensitive Compartmented Information (TS/SCI) clearance.
Source: https://www.politico.com/news/2024/09/01/us-election-software-national-security-threats-00176615
Nelson Ezeatuegwu says
How does data classification of information enhance cyber security?
We have seen the importance of data classification and categorization from this week’s reading of FIPS 199 and the FGDC Guidelines. My takeaway from this article was some of the benefits of data classification it mentioned.
Customized security measures: Not all data is created equal and not all data requires the same level of protection. With data classification, organizations can tailor security measures to the specific needs of each data category. This ensures a more efficient use of resources and a more robust defense against cyber threats.
Insider threat prevention: Insiders pose a significant risk to cyber security, whether intentionally or unintentionally. Data classification helps organizations monitor and control internal access, preventing unauthorized employees from accessing sensitive information and reducing the risk of data leaks.
Incident response and recovery: In the unfortunate event of a cyber-attack, data classification facilitates a swift and targeted response. By knowing which data is most critical, organizations can prioritize recovery efforts, minimizing downtime, and potential losses.
https://thesecuritycompany.com/the-insider/how-does-data-classification-of-information-enhance-cyber-security/
Cyrena Haynes says
Title: Uber fined €290m for personal data transfer
Uber was fined €290 million by the Dutch Data Protection Authority (DPA) for transferring European drivers’ data to U.S. servers, violating GDPR rules. The data included sensitive information like ID documents and taxi licenses. The DPA deemed Uber’s actions a “serious violation” due to inadequate data protection measures. This is the third fine against Uber by the DPA, highlighting growing EU enforcement of data privacy regulations against tech companies.
This particular article on Uber highlights a vulnerability within the company and what happens when a company fails to comply with local regulations in the places where it conducts business. The nature of the information, in combination with how it was being transferred from the U.K. to the U.S., posed a weakness in the information system and made the data susceptible to adversarial and/or accidental threats.
Link: https://www.bbc.com/news/articles/cy76v561g48o
Neel Patel says
National Public Data Published Its Own Passwords:
A breach at National Public Data (NPD) exposed sensitive information for 272 million individuals. The data leaked included Social Security Numbers, addresses, and phone numbers. The breach was originally dated to December 2023 but was publicly acknowledged in August 2024. The leaked passwords were linked to earlier security issues with NPD’s founder, Salvatore Verini. In the leaks, it was shown that many individuals kept their default passwords, which only amplified the severity. Affected individuals were advised to freeze their credit files and regularly monitor their accounts for identity theft.
I chose this article as this incident reflects a lack of security maturity at NPD, as indicated by the inadequate management of passwords and the delayed response. Default and poor passwords reflect NPD’s inadequate password policies and management practices. The delayed response demonstrates a lack of swiftness when responding to a cyber threat. Organizations need to focus on security maturity to effectively improve their security. Creating a comprehensive, risk-based, and business-aligned strategy is vital to keep an organization’s data safe.
Article for reference: https://krebsonsecurity.com/2024/08/national-public-data-published-its-own-passwords/#comments
Ericberto Mariscal says
Title: Microsoft 365 Copilot Vulnerability Exposes User Data Risks
A vulnerability in Microsoft 365 Copilot that allowed attackers to steal users’ sensitive information has been discovered by Johann Rehberger, a cybersecurity researcher. The attack combines several advanced techniques including prompt injection, a cyberattack that manipulates a large language model (LLM) by injecting malicious inputs into a prompt, which stages data for exfiltration.
The attack begins with a prompt injection delivered through a malicious email or shared document; once triggered, the injection prompts the LLM, Copilot in this case, to search for additional emails without the user’s consent. The attacker is then able to use invisible Unicode characters to steal sensitive data.
As we learned with data classification and data categorization, Microsoft initially classified the attack as low severity, but after further consideration was prompted to take a more assertive approach to patch the vulnerability, which was completed recently in July 2024.
This article also highlights Unit 1 in how hackers are consistently looking for new vulnerabilities, as Microsoft 365 Copilot was just released in 2023, and the importance of security risk training, as the attack itself was delivered via email or a shared document.
Source: https://www.infosecurity-magazine.com/news/microsoft-365-copilot-flaw-exposes/
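The post above mentions that the exfiltration step relied on invisible Unicode characters. The following is an added example (not code from the article or from Microsoft) showing how a defender can scan text that an LLM produced or consumed for such characters, reveal any ASCII text hidden in the Unicode "Tags" block, and strip the invisible characters before the text is rendered or acted on. The sample message is constructed for the demonstration.

```python
import unicodedata

# The Unicode "Tags" block (U+E0000..U+E007F) renders as nothing in most UIs,
# yet U+E0020..U+E007E mirror printable ASCII 0x20..0x7E, so text can be hidden
# inside a string that looks harmless on screen.
TAG_BLOCK = range(0xE0000, 0xE0080)

# Other zero-width code points that are commonly abused to hide content.
ZERO_WIDTH = {
    0x200B,  # ZERO WIDTH SPACE
    0x200C,  # ZERO WIDTH NON-JOINER
    0x200D,  # ZERO WIDTH JOINER (also legitimately used in emoji sequences)
    0x2060,  # WORD JOINER
    0xFEFF,  # ZERO WIDTH NO-BREAK SPACE (BOM)
}


def is_invisible(ch):
    """True for code points that carry no visible glyph.

    General category "Cf" (format) covers the Tags block, bidi overrides and
    the zero-width set; the explicit sets above are kept for readability.
    """
    cp = ord(ch)
    return cp in TAG_BLOCK or cp in ZERO_WIDTH or unicodedata.category(ch) == "Cf"


def find_invisible(text):
    """Return (index, code point, Unicode name) for every invisible character."""
    hits = []
    for i, ch in enumerate(text):
        if is_invisible(ch):
            hits.append((i, ord(ch), unicodedata.name(ch, "<unnamed>")))
    return hits


def decode_tag_payload(text):
    """Recover printable ASCII smuggled in the Tags block (U+E0000 + ASCII code)."""
    out = []
    for ch in text:
        cp = ord(ch)
        if cp in TAG_BLOCK and 0x20 <= cp - 0xE0000 <= 0x7E:
            out.append(chr(cp - 0xE0000))
    return "".join(out)


def sanitize(text):
    """Strip invisible characters so what the user sees is what gets processed."""
    return "".join(ch for ch in text if not is_invisible(ch))


def scan_message(text):
    """Summarize a message: how many invisible characters, any hidden ASCII,
    and the cleaned text that should be shown or passed on instead."""
    hits = find_invisible(text)
    return {
        "invisible_count": len(hits),
        "hidden_ascii": decode_tag_payload(text),
        "clean_text": sanitize(text),
        "suspicious": len(hits) > 0,
    }


# Constructed sample: a benign-looking request with a hidden Tags-block string
# and one zero-width space appended. On screen only the first sentence shows.
VISIBLE = "Please summarize the quarterly report."
SAMPLE = VISIBLE + "".join(chr(0xE0000 + ord(c)) for c in "hidden") + "\u200b"


if __name__ == "__main__":
    report = scan_message(SAMPLE)
    print("suspicious:", report["suspicious"])
    print("invisible characters:", report["invisible_count"])
    print("hidden ASCII:", repr(report["hidden_ascii"]))
    print("clean text:", report["clean_text"])
```

Flagging U+200D will also catch legitimate emoji joiner sequences, so in production treat a zero-width hit as a signal to review rather than an automatic block.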
Andrea Baum says
Laptops possibly containing confidential information on criminal cases stolen at Cook County courthouse
Several laptops, potentially containing confidential information on criminal cases, were stolen from the Cook County State’s Attorney’s offices at the Leighton Criminal Courthouse. Discovered on Tuesday morning, the break-in likely occurred after hours, involving a burglar who accessed the courthouse through a secure entrance and bypassed office security by propping open a door with stacked chairs. The stolen laptops, estimated to be outdated models, were password-protected, but the breach also raised concerns about missing paper files containing irreplaceable evidence. The incident’s implications include potential exposure of sensitive information and disruption of legal proceedings.
https://chicago.suntimes.com/crime/2024/07/24/laptops-possibly-containing-confidential-information-on-criminal-cases-stolen-at-cook-county-courthouse
Benjamin Rooks says
Title: Stolen laptop leads to breach of 1,092 Multnomah Co. heath clients’ data
A former employee refused to return their work laptop and used their access to download multiple Excel sheets containing patients’ personal information. The IT team sent a kill command to the stolen machine, but the status of the information is unknown. This sort of thing is what the case study could have been in a worst-case scenario, while also highlighting how much risk comes from inside.
https://www.kptv.com/2024/05/17/stolen-laptop-leads-breach-1092-multnomah-co-heath-clients-data/
Vincenzo Macolino says
2.9 billion records, including Social Security numbers, stolen in data hack: What to know
The hacking group USDoD claimed that they had stolen records of 2.9 billion people from National Public Data. A lawsuit from 3 weeks ago revealed that the records were obtained after a breach in April of 2024. The data breach was massive and revealed the names, addresses, phone numbers, and Social Security numbers of people spanning three decades. USDoD claims that they are selling the information on the black market and have made around 3.5 million dollars so far. The author, Emily DeLetter, also reported that National Public Data never released a statement on whether or not the breach actually happened to them. However, some employees have come out and revealed that the breach did happen back in April, and that the USDoD hacker group still has people’s information and is continuing to sell it on the black market. Personally, I think that National Public Data is probably embarrassed that their risk safeguards did not work and a hacker group was able to breach their data. The article never shared how exactly the breach happened, and I am assuming, since National Public Data has not commented on the issue yet, that nobody knows how the breach happened yet.
https://www.usatoday.com/story/tech/2024/08/15/social-security-hack-national-public-data-breach/74807903007/
Christopher Williams says
Ransomware attacks on schools threaten student data nationwide
Cybercriminals have begun targeting school districts across the United States, gaining access to sensitive student data such as medical records, Social Security numbers, and personal information. Data from the K12 Security Information Exchange (K12 SIX) reports over 325 ransomware attacks on schools between 2016 and 2022, with at least 83 more potential attacks from January 2023 to June 2024.
In January 2023, a ransomware attack on the Tucson Unified School District in Arizona led to a two-week closure during which private student and employee data was leaked to the dark web. This prompted a White House summit in August 2023, and the U.S. Department of Education has since launched a Government Coordinating Council to help protect schools from cybersecurity threats.
It is crucial to be aware of these developments and the increasing importance of cybersecurity in educational environments.
https://www.cbsnews.com/news/school-ransomware-attacks-threaten-student-data/
Dawn Foreman says
On May 23, 2024, Snowflake, a cloud platform, identified a security breach in users’ accounts. The company noticed unauthorized access to user accounts, and the issue at first seemed small. However, after assessing the breach in further detail, high-profile clients were found to be impacted. For example, 560 million users of Ticketmaster, 380 million users of Advance Auto Parts, and 190 million users of Lending Tree were affected. This was not an isolated incident. A combination of phishing, malware, and various info-stealing tools were used to target accounts using only single-factor authentication. Snowflake’s policy does not require customers to have multifactor authentication on their accounts.
Moving forward, Snowflake has attempted to remedy the security vulnerability by encouraging customers to use multifactor authentication (MFA) and providing guidance on securing and monitoring data. For preventative measures, Snowflake is working with clients to enhance security protocols and develop a plan to enforce strict network rules and MFA.
This story relates to what has been learned in class, that security vulnerabilities most commonly come from people. Snowflake did well by identifying the situation, although a bit late, assessing the gravity of the breach, and developing corrective action for recovery and preventative measures. It is good that they have been transparent and that they are working with clients to develop a plan for preventative security measures.
Link: https://www.msn.com/en-us/money/other/cybersecurity-wake-up-call-lessons-from-snowflake-s-massive-data-breach/ar-BB1pCY5G
Aisha Ings says
Title of article: Researchers trace massive data leak to US data broker: why should you care
A recent data leak exposed over 170 million confidential records online due to a potential breach involving People Data Labs (PDL), a San Francisco-based data broker. The leaked information included personal details such as names, contact information, and professional backgrounds. This breach was traced to an unprotected Elasticsearch server, which may have been mishandled by a third party. This incident has raised concerns about PDL’s approach to safeguarding information, especially since they had been associated with a similar breach back in 2019. This event brings up worries about how data brokers operate and the dangers that come with weak data security measures.
Link: https://cybernews.com/security/people-data-labs-data-leak/
Jocque Sims says
Title of Article: Critical infrastructure sustained 13 Cyber-Attacks per second in 2023
According to the open-source article, cyber-attacks rose 30 percent globally between January 2023 and January 2024 (Jennings-Trace, 2024). The article claims that over 420 million cyber-attacks are directed at the critical infrastructures of more than 160 countries (Jennings-Trace, 2024). The United States (US) was the primary target of those attacks, followed by the United Kingdom, India, and Japan (Jennings-Trace, 2024).
These actors, known for advanced persistent threat (APT) attacks because of their sophistication and funding, likely from a state sponsor, are able to target critical infrastructures such as power grids, transportation, and communication networks and cause catastrophic damage and disruption. The article claims that water networks within the US sustained the most targeted attacks (Jennings-Trace, 2024). Also, the APT attacks were reported to have originated primarily from China, Russia, and Iran, who consider these acts to be nothing more than cyber warfare.
Source: Jennings-Trace, E. (2024, September 2). Critical infrastructure sustained 13 cyberattacks per second in 2023. Retrieved from Tech Radar Pro: https://www.techradar.com/pro/critical-infrastructure-sustained-13-cyber-attacks-per-second-in-2023