
This Month In Cyber – March Edition

This Month in Cyber: March

NIST 2.0, Memory-Safe Tech, Conversation Overflow, Phobos Ransomware Insights

Welcome back to Emagine IT’s monthly, “This Month in Cyber”, where we make staying current on all things cyber easy and accessible in one read per month. Let’s get into it.

February Catchup – Here’s what we missed last month:

Update on Fulton County, GA: Continuing from our previous reports on the Fulton County breach, there has been no further threat or any known release of sensitive data. However, the main court system that affected the county’s phone, billing, email addresses, etc. is still not back online with no ETA on its repair. This isn’t surprising as these kinds of repairs take quite a while to fix.

NIST 2.0 Cybersecurity Update: NIST released version 2.0 of their cybersecurity framework on February 26th. This is their second revision since the framework’s inception in 2014. This version focuses on moving the framework from a static resource with disparate pieces into something that is more interconnected and accessible, especially with its new focus on governance and supply chain and on helping smaller organizations apply the framework. The framework’s functions are identify, protect, detect, respond, recover, and, now, governance.

US Press release on Future Software should be Memory-Safe: The White House released a report called “Back to the Building Blocks, A Path Towards Secure and Measurable Software,” focusing on more stringent standards of security for design manufacturers, software developers, hardware, etc. The press release says, “ONCD [White House Office of the National Cyber Director] makes the case that technology manufacturers can prevent entire classes of vulnerabilities from entering the digital ecosystem by adopting memory safe programming languages.”

Microsoft and Open AI: In this warning report detailing Nation State Hackers weaponizing AI for cyber attacks, Microsoft says, “language support is a natural feature of LLMs and is attractive for threat actors with continuous focus on social engineering and other techniques, relying on false deceptive communications tailored to their targets, jobs, professional networks, and other relationships.” These State Hackers have gotten AI past the various stages of the attack chain – stages like code assistance, malware development, and reconnaissance.

Interested in a deeper dive on the February catch-up? Keep reading! If you’re more interested in jumping straight to the March Incidents and breaches, click here.

NIST 2.0 In-Depth Look:

The framework started in 2014 and received a slight revision in 2018 called 1.1. Now, following a two-year draft period, NIST’s Cybersecurity Framework (CSF) 2.0, as it’s now called, moves from solely focusing on protection of critical infrastructure to covering all organizations in any sector. Its significant change, adding governance as one of its five functions, is intended to elevate the other functions to the C-Suite and board levels of organizations.

The other significant change is CSF 2.0’s focus on supply chain risk management. Cybersecurity Supply Chain Risk Management (C-SCRM) is defined as a “systematic process for managing exposure to cybersecurity risks throughout the supply chain and developing appropriate response strategies, policies, processes, and procedures.” By pushing C-SCRM into the governance function, CSF 2.0 provides leverage to help clean up how messy the supply chain currently is. With constant breaches into the supply chain, most notably the SolarWinds breach in 2019-2020, CSF 2.0 aims to help manage more at the top of the supply chain to better mitigate the risks from data breaches.

Additionally, NIST’s CSF 2.0’s focus on governance and smaller organizations is a boon to the industry as a whole. NIST wasn’t idly sitting by twiddling their thumbs before the release of CSF 2.0. For the last two years, they’ve had extensive talks with Industry on the direction of CSF 2.0 and what Industry would want out of this framework. One aspect Industry wanted was to have a focus on smaller organizations. And even though there are more stringent requirements for these smaller organizations to adopt from CSF 2.0, it’s helping increase the threshold of cybersecurity while letting these small businesses receive government contracts.

The final point to highlight is the biggest pushback against CSF 2.0, which centers on the ambiguity of its desired outcomes and the perceived openness of its subsequent steps. Because CSF 2.0 is ultimately a guideline, where vague desired outcomes are the norm, the community has expressed a desire for better-defined details on these desired outcomes. Especially with more government agencies, like CISA and EPA, making joint technical documents so non-technical people can start to come together to help make decisions, it seems a bit of a step in the wrong direction to keep toeing the line between strict descriptions and vague guidelines.

Memory Safe In-Depth Look:

The White House Office of the National Cyber Director (ONCD) released a technical report, “Back to the Building Blocks, A Path Towards Secure and Measurable Software” that calls for technology manufacturers to adopt memory safe programming languages to better assuage fears of exploitive vulnerabilities. Director of ONCD, Harry Coker, said:

Historically when writing a program, a lot of the program runs on memory. However, an easy vulnerability that can occur is writing more data to a block of memory than it can hold – this is called a buffer overflow. When this occurs, the program has permission in the computer to do something that is administrative in nature. You run the buffer overflow, it runs that code instead of the actual computer code that’s written, and then the bad guy has execution at the administrative level on the computer. That’s what happens in memory. This is a big reason why ONCD wants manufacturers to get away from these traditional programming languages.

Conversely, memory safe programming languages, such as Java and .NET, have been seen as incredibly safe at preventing memory-safety attacks. These utilize techniques like Data Execution Protection (DEP) – a security feature that restricts the areas of memory that code can be executed from – and Address-Space Layout Randomization (ASLR) – a security technique that randomly arranges the positions of key data areas of a process, including the base of the executable and the positions of the stack, heap, and libraries, in a system’s memory. However, transitioning from non-Java and non-.NET software systems.

Even with these transition issues, design manufacturers, software developers, hardware developers, etc. need to take responsibility over what they ship to the marketplace. By the time it’s shipped, vulnerabilities are already built in – leaving no chance for the customer the product is being shipped to, small businesses, nonprofits, schools, etc., to defend themselves (which is one of the prevailing issues currently in supply chain risk management referenced above in this article).

This press release serves as a mounting pressure on manufacturers of hardware and developers of software to own what they ship. One solution is through the development of these memory safe programming languages. Another is to buy software written in memory safe programming languages from now on instead of trying to replace existing systems. These are a couple steps to take that can critically help with the supply chain risk management problem circulating the U.S.

March Incidents & Breaches That Left Their Mark:

Speaking of problems circulating the U.S., this month we focus on one main breach and a story about NIST’s National Vulnerability Database.

AI Security in Email is Bypassed by Conversation Overflow

A new cyberattack technique has been discovered. Called “Conversation Overflow,” this phishing email attack attempts to obtain credentials by bypassing the AI and ML (Machine Learning) algorithms that are enabled on some email platforms. Within seemingly benign emails, hidden text that mimics legitimate communication is used to circumvent AI/ML threat detection algorithms that rely on “known good” and “known bad” communications. The hidden text fools the AI/ML threat detection by mimicking “known good” communication, which then lets the email through to its unsuspecting receiver. The attackers are also betting that the receiver won’t scroll down pages and pages of blank space before getting to the bottom and seeing the fake conversation meant for the AI/ML threat detection.
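One way a mail pipeline could counter the padding described above is to split the body at the long blank run, flag the message, and score only the part the reader actually sees. This is an added example, not code from the original article or from any email vendor; the thresholds, function names and sample messages are assumptions made for illustration.

```python
import re
from html import unescape

GAP_LINES = 20      # assumed threshold: blank lines that push text off-screen
MIN_TRAILING = 40   # assumed: ignore short signatures/footers after the gap

_BREAK = re.compile(r"(?i)<\s*(br|/p|/div|/tr|/li)\b[^>]*>")
_TAG = re.compile(r"<[^>]+>")

def to_lines(body: str) -> list[str]:
    """Flatten an HTML or plain-text body into whitespace-stripped lines."""
    text = _TAG.sub("", _BREAK.sub("\n", body))
    text = unescape(text).replace("\xa0", " ")
    return [ln.strip() for ln in text.strip().splitlines()]

def split_on_gap(body: str, gap: int = GAP_LINES):
    """Split at the longest blank run that is followed by more text."""
    lines = to_lines(body)
    best_start, best_len, run_start = 0, 0, None
    for i, ln in enumerate(lines):
        if ln == "":
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_len < gap:
        return "\n".join(lines), "", best_len
    visible = "\n".join(lines[:best_start]).strip()
    trailing = "\n".join(lines[best_start + best_len:]).strip()
    return visible, trailing, best_len

def assess(body: str) -> dict:
    """Flag padded mail and return only the on-screen part for scoring."""
    visible, trailing, gap_len = split_on_gap(body)
    return {"suspicious": len(trailing) >= MIN_TRAILING,
            "gap_lines": gap_len, "score_this": visible,
            "trailing_chars": len(trailing)}

# Constructed samples, not taken from a real campaign.
PADDED = ("Action required: confirm your account at https://portal.example.invalid/"
          + "<br>" * 60
          + "Hi Dana, thanks for the Q3 notes. See you at Thursday's sync. Best, Lee")
PLAIN = "Hi team,\n\nNotes attached.\n\nThanks,\nLee"

if __name__ == "__main__":
    print({k: assess(v)["suspicious"] for k, v in (("padded", PADDED), ("plain", PLAIN))})
```

Passing `score_this` rather than the full body to the classifier keeps appended “known good” text from diluting the verdict on what the recipient reads.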

This new attack highlights the biggest problem when it comes to cybersecurity: the people. When people – cybersecurity professionals and non-cybersecurity professionals – have access to sensitive data and also have a heavy reliance on tools (“Oh, I’m safe because the AI/ML algorithm is always watching my emails”) then the end user doesn’t strengthen the skill necessary to identify every phishing scam – and we mean every because it only takes one to lose control of everything. That’s the result of bad training. The last line of defense for a cyber vulnerability is the end user with their training, not solely AI, ML, or some tool. But if that end user doesn’t do their due diligence, and isn’t aware of the ever evolving landscape of cyber threats, then these kinds of breaches will keep happening.

Social engineering is the number one way of getting in.

NIST Vulnerability Database Disruption Mystery

An interesting story that’s surrounded in mystery occurred this month with NIST’s Vulnerability Database. There are 2,700 vulnerabilities within this Database – they are known as “Common Vulnerabilities and Exposures.” This database is the world’s most widely used software vulnerability database to identify various cyberattack techniques that can occur. However, since February 12th of this year, only 200 CVEs of the 2,700 have been enriched. Enriched means that these vulnerabilities have the metadata information that’s needed to fully understand the vulnerability – a description of the vulnerability that could lead to an exploit (Common Weakness or Exposure – CWE), the names of the software impacted (crucial data for vendors and suppliers), the vulnerability’s criticality score (CVSS) – a score ranging from 0-10 (from low to critical), and the vulnerability’s patching status.

So with these 2,500 vulnerabilities and counting which are not enriched, and do not have the metadata information cybersecurity specialists need, it begs the question why they stopped providing the information which enables the action to solve the problem. Are they adjusting how they handle the enrichment process? Shifting their organization structure? There’s too little information currently to provide a clear assessment without putting on a tinfoil hat.

There are some hints that NIST is building a new National Vulnerability Database consortium – so maybe the structure change isn’t too far off of a guess. However, we don’t have information on this consortium – what it is, who’s involved, what changes will be made, etc.

What you can expect from us is that we’ll follow this story wherever it goes and update you accordingly!
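For teams that consume NVD data, the enrichment fields described above can be checked per record so that un-enriched CVEs are routed to another source instead of silently passing triage. This is an added example, not NIST’s or the article’s code; it assumes records shaped like NVD CVE API 2.0 JSON, covers CVSS, CWE and affected software only, and uses constructed records with placeholder CVE ids.

```python
def enrichment_gaps(record: dict) -> list[str]:
    """List the enrichment fields missing from one NVD-style CVE record."""
    cve = record.get("cve", {})
    gaps = []
    metrics = cve.get("metrics") or {}
    if not any(name.startswith("cvssMetric") and entries
               for name, entries in metrics.items()):
        gaps.append("cvss")
    cwes = [d.get("value", "") for w in cve.get("weaknesses") or []
            for d in w.get("description", [])]
    # NVD placeholders such as NVD-CWE-noinfo do not count as a real CWE.
    if not any(c.startswith("CWE-") for c in cwes):
        gaps.append("cwe")
    cpes = [m for cfg in cve.get("configurations") or []
            for node in cfg.get("nodes", [])
            for m in node.get("cpeMatch", []) if m.get("criteria")]
    if not cpes:
        gaps.append("affected_software")
    return gaps

def backlog(records: list[dict]) -> dict:
    """Map CVE id -> missing fields, for records that need another source."""
    out = {}
    for rec in records:
        gaps = enrichment_gaps(rec)
        if gaps:
            out[rec.get("cve", {}).get("id", "<no id>")] = gaps
    return out

# Constructed records with placeholder ids; shape follows NVD CVE API 2.0 JSON.
SAMPLE = [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
             "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}]}],
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"criteria": "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
             "metrics": {}, "weaknesses": []}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}]},
             "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}],
             "configurations": []}},
]

if __name__ == "__main__":
    print(backlog(SAMPLE))
```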

NSA’s Stance on Zero Trust Guidance

NSA has released their maturity guidance for Zero Trust Network and Environmental Pillar. This information sheet details prevention of adversarial lateral movement within an organization’s network to access sensitive data and critical systems – basically, to prevent threat actors from living off the land or pivoting (see February’s blog for more details on this concept). They define this guidance as, “Advancing Zero Trust maturity through the network and environment pillar provides guidance in how to strengthen internal network control and contain network intrusion to a segmented portion of the network using zero trust principles.” This effectively bridges the gap between implementation of zero trust and untrusted until verified.

The learning curve for Industry is steep as Zero Trust implementation continues to be at the forefront. But face it – what’s the alternative?

Closing Thoughts

Security isn’t just the tools, the automation, or the AI algorithms. Security is the combined behavior of the systems and the people that collectively protect valuable assets. It’s about many individuals consistently distrusting each email they receive, diligently engaging in their training and continuous learning within the sector. With AI/ML algorithms taking the cybersecurity sector by storm, it is necessary to remember that the most significant barrier to cyber threats remains the educated and vigilant human element. The evolution of cyber threats, like the “Conversation Overflow” technique, underscores the ongoing challenge: technology can filter, but it cannot discern with the nuanced understanding of a trained professional. As cyber actors refine their strategies, leveraging AI for social engineering and exploiting vulnerabilities in our digital infrastructure, it becomes clear that our reliance on technology must be balanced with an equal, if not greater, investment in human capital and to not only comply with regulations, but maintain constant vigilance.

Events That Occurred & Events < 60 Days Away:

Update from Adam and Erik’s event Acquia and AWS on March 19

First, we want to give a shout out to our own Adam Chun and Erik Dominguez with their participation at Acquia and AWS’s event on March 19th! Adam spoke about Emagine IT’s involvement with FedRAMP and next steps for companies after they complete the FedRAMP process while Erik spoke about the red team engagement changes that will occur with the new FedRAMP regulations.

Shout out to Chris Hughes and Acquia for coordinating this event!

Key Events in the Next 30 Days

Philadelphia Cybersecurity Conference, Virtual and In-person, Philadelphia, Pennsylvania: April 4

Join cybersecurity professionals from across the nation with a panel of C-Suite executives who have mitigated Cyber Attacks.

SANS New2Cyber Summit 2024-Central US, Virtual: April 4 – 15

SANS New2Cyber helps new cyber professionals with the skills you need to excel in the industry. This free online event hosts:

  • A packed agenda of essential sessions for anyone looking to break into cyber or level up an existing cyber career — including a New2Cyber Espanol track!
  • A must-see Keynote by Marco Palacios, Senior Tactical Threat Analyst, Fortinet
  • An exciting Capture the Flag by KC7Cyber
  • Success stories from cybersecurity pros who made the switch from very different fields
  • A one-of-a-kind networking experience with exclusive access to connect with industry experts, SANS instructors, and the wider community
  • Access to free and low-cost resources available from SANS and the community

Cybersecurity Implications of AI Summit: North America West Summit, Seattle, Washington: April 16

This summit explores the ever-evolving relationship between AI and cybersecurity. Top industry thought leaders and peers will host conversations on AI in fraud prevention, securing large language models (LLMs) and understanding the implications for privacy, compliance, and intellectual property.

Google Cloud Next ’24, Las Vegas, Nevada: April 9 – 11

Over a three day period, join Google Cloud C-Suite Executives as they explore the future of cloud and how AI and ML will be a part of it.