In a filing with the SEC late last week, life and supplemental health insurance provider Globe Life disclosed a data breach impacting the information of its consumers and policyholders.
The company said that, after an inquiry from a state insurance regulator, it launched an investigation into “potential vulnerabilities related to access permissions and user identity management for a Company web portal”, which showed that the vulnerabilities likely allowed unauthorized access to consumer and policyholder data.
Globe Life removed external access to the compromised portal and believes the issue is isolated to it. The company does not expect its operations to be significantly impacted.
According to its website, Globe Life companies have more than 17 million policies.
This comes in the aftermath of the February UnitedHealthcare attack, one of the worst to hit American healthcare, which impacted an estimated 50% of U.S. medical claims.
Experts with Cyware and Horizon3.AI offer perspectives on the matter.
Stephen Gates, Principal Security SME, Horizon3.AI had this to say:
“In this scenario, it seems that a web portal was likely there to allow third-parties, agents, or employees to remotely access insurance information, initiate new applications, potentially make claims, and so on. It is also likely that two-factor authentication (2FA) was not implemented, as indicated by the mention of ‘potential vulnerabilities related to access permissions and user identity management.’
“Typically, a portal provides access to information stored in a database within the network. If an attacker gained access to the portal, it would generally imply they could access the data stored in that database. While there isn’t sufficient evidence to suggest that the attacker moved laterally within the network, there are indications of a potential breach involving confidential data.
“I would suggest looking for any information that may have been logged by the web portal in the context of activities that would suggest a breach of information. This is one of the reasons why logging user activities is always recommended.”
Emily Phelps, Director, Cyware follows with this comment:
“When dealing with potential vulnerabilities in web portals, detaching the portal from the network can be a quick mitigation step, but it’s often more complex. There’s always a chance of lateral movement, especially if the attacker had time to explore the network before detection. It’s crucial to conduct a thorough investigation to understand the extent of the breach and whether any data was exfiltrated or manipulated.
“The depth of the information stolen and the exact nature of the breach—whether it involves ransomware or not—can impact the company’s response and regulatory obligations. Companies often report breaches to demonstrate transparency and compliance, but the material impact can vary widely.
“The SEC has been progressively tightening regulations around data breaches and cybersecurity. As breaches continue to occur, we can expect even stricter oversight and requirements for companies to implement robust cybersecurity measures and provide timely, detailed disclosures.
“In general, these incidents highlight the need for continuous improvement in cybersecurity practices, particularly in access permissions and user identity management, to prevent unauthorized access and minimize potential damage from breaches.”
No breach is good. But this one seems really bad based on scale alone. Until companies get their heads around looking holistically at their security, this sort of thing will unfortunately keep happening.
CISA conducts first-ever public-private AI security incident response exercise
Posted in Commentary with tags CISA on June 19, 2024 by itnerd
Last week, CISA announced it’s putting together a comprehensive framework to unify government, industry and global partners in their response to significant security incidents involving AI, just after conducting the first-ever AI security incident tabletop exercise.
The four-hour event held at Microsoft’s Virginia offices brought together over 50 AI experts and was intended to support the development of the AI Security Incident Collaboration playbook that is expected to be released later this year.
Participants in the event included the FBI, the NSA, the Office of the Director of National Intelligence and the Defense and Justice departments as well as AI and software developers including, but not limited to:
The Joint Cyber Defense Collaborative, CISA’s flagship public-private partnership, organized the exercise and is developing the playbook through a planning effort called JCDC.AI. The collaborative is planning a second exercise later this year on AI integration in U.S. critical infrastructure.
FBI Cyber Division Assistant Director Bryan Vorndran said the exercise showed that both sectors are better prepared to handle cyberthreats when there is adequate coordination.