e360 Blog

The State of Enterprise IT Security Podcast - S1 EP. 19 New CISA Guidelines, Kaiser Data Leak, Okta Credential Stuffing Attacks

Written by Brad Bussie | May 13, 2024 1:26:07 PM

Overview:

In episode 19 of The State of Enterprise IT Security, Brad Bussie discusses new CISA guidelines designed to protect U.S. critical infrastructure from AI risks, a significant data leak affecting over 13 million Kaiser members, and a sharp increase in credential stuffing attacks against Okta accounts.

Brad dives into the latest developments shaping the field, including newly implemented CISA guidelines aimed at safeguarding critical infrastructure against AI-induced risks, a substantial data breach impacting millions of Kaiser members, and a concerning surge in credential stuffing attacks targeting Okta accounts. Join us as we unpack these complex issues, offering expert insights and practical advice for enhancing security protocols and resilience in an increasingly interconnected world.

Key Topics Covered:
    • CISA Guidelines for AI in Critical Infrastructure: Discussion on new measures to enhance the security of U.S. critical infrastructure against AI-related threats.
    • Kaiser Data Leak: Examination of a significant data breach affecting 13.4 million Kaiser members, including the inadvertent sharing of data with advertisers.
    • Okta Credential Stuffing Attacks: Analysis of the recent spike in credential stuffing attacks against Okta accounts, exacerbated by the use of residential proxy services.

Key Takeaways:

    • CISA is intensifying efforts to safeguard critical infrastructure by focusing on AI risks, proposing a comprehensive plan for risk management.
    • Kaiser's data leak highlights the ongoing challenges in protecting personal health information and the risks associated with third-party data sharing.
    • Okta's experience with credential stuffing attacks illustrates the evolving tactics of cybercriminals and the importance of robust cybersecurity measures, including enhanced authentication processes.

Read the Transcript:

[00:00:33] Brad Bussie: Hey everybody, I'm Brad Bussie, Chief Information Security Officer here at e360. Thank you for joining me for the State of Enterprise IT Security Edition. This is the show that makes IT security approachable and actionable for technology leaders. I'm happy to bring you three topics this week. The first one, CISA rolls out new guidelines to mitigate AI risks to U.S. critical infrastructure.

[00:01:02] Brad Bussie: The second, 13.4 million Kaiser insurance members are affected by a data leak to online advertisers. And the third, Okta credential stuffing attacks spike via proxy networks. And with that, let's get started.

[00:01:24] Brad Bussie: So the first one, CISA rolls out new guidelines to mitigate AI risks to something pretty important, which is U.S. critical infrastructure. Now, the team over at CISA, which, again, for those that may not know, it's the cybersecurity agency under the Department of Homeland Security, they put out some new guidelines to beef up the safety and security of critical infrastructure against threats related to AI. So think of this as protecting power and [00:02:00] water and communications.

[00:02:01] Brad Bussie: A lot of the things that we all rely on just for survival, and they're really diving into the nitty gritty, and basically they've categorized the risks into three main types. And they're using AI to basically attack infrastructure, they meaning attackers; they're targeting AI systems themselves; and then there's some potential mishaps in AI design and implementation that really could mess with infrastructure and operations overall.

[00:02:39] Brad Bussie: So this is looking at all of this. And they're, they're tackling it by pushing forward a four step plan. So first, they're all about fostering an organizational culture. And that culture is going to be laser focused on managing AI risks. I can definitely get behind that. They want everyone to be on the same page about the importance of safety and security, really to be super transparent about everything, and to make sure security is a top priority for business.

[00:03:20] Brad Bussie: They're also advocating for a deep dive into each organization's use of AI and understanding the unique context and risks involved, so they can tailor their efforts effectively. Really, it's, it's all about mapping out the territory, and I read an article where they were talking about how AI is going to help with the electric grid, because what's AI particularly good at right now? Again, we're talking about augmented intelligence. It's looking for patterns. It's looking for behaviors. So we're, we're trying to get in front of things so we don't [00:04:00] have blackouts and we can be more efficient. So good use of AI. I think so.

[00:04:06] Brad Bussie: But again, the more we rely on it, the more we need to understand what is the context and what is the risk? So they're not stopping with just that aspect. They want to see systems in place to constantly assess, analyze, and monitor AI risk and the impact of that. They're really all about using methods that can be repeated and metrics that can be measured.

[00:04:36] Brad Bussie: Can't manage what you can't measure. And they're stressing the importance of management taking swift action on any identified AI risk, and they want to make sure that controls are in place to maximize the benefits of AI while minimizing any potential negative effects. Really, it's all about keeping things running smoothly and securely when it comes to critical infrastructure.

[00:05:07] Brad Bussie: And when I dig a little bit deeper into some of the categories, and the threats that we're looking at and that CISA is looking at, really, there's three types. It's attacks that are using AI. So it's the use of AI to enhance, plan, or scale physical attacks on or cyber compromises of critical infrastructure.

[00:05:37] Brad Bussie: The second one, attacks that are targeting AI systems specifically. So targeted attacks on AI systems that are supporting critical infrastructure. And then the third is just failures in AI design and implementation. So these are like deficiencies or inadequacies in the planning, the structure, implementation [00:06:00] or execution of an AI tool or system leading to malfunctions or other unintended consequences that affect critical infrastructure operations.

[00:06:13] Brad Bussie: Now, I would say if you are a listener or you're watching this and you are a critical infrastructure owner or operator, you should consider these as guidelines and look at it from your own real world circumstances and then make some decisions based on that.

[00:06:33] Brad Bussie: Second topic today, 13.4 million Kaiser insurance members are affected by a data leak, and that leak is to online

[00:06:45] Brad Bussie: advertisers. So this is interesting because it's right on the heels of the UnitedHealth breach. If you remember, they got hit with a pretty big data breach. Um, Kaiser, obviously another giant in health care, came out with some news of their own, and they announced that around 13.4 million current and former insurance members were affected by a data breach.

[00:07:15] Brad Bussie: So we're gonna unpack this a little bit, and there's different definitions of like how severe a data breach is. So at the end of this, I think you'll see this one is, it's kind of medium. So what happened? Well, it turns out that Kaiser's systems accidentally spilled patient data to third-party advertisers.

[00:07:39] Brad Bussie: And it's funny when you think about what the advertisers are, because it's Google, it's Microsoft, and there were some social platforms, like X, formerly Twitter. And how did this actually occur? I mean, apparently there was some tracking code that Kaiser had set to [00:08:00] honestly, just keep tabs on how folks were moving around their website and mobile apps, so this was kind of their own tracking that they had going on internally, but

[00:08:11] Brad Bussie: it wasn't set up right. So, you know, I've talked about this before. What are some of the dangers of insider threat? Here's a good example. Something that was misconfigured or just not configured correctly in the first place. So what ended up happening is it shared more information than it should have with entities that it shouldn't.

[00:08:33] Brad Bussie: So in their media statement, Kaiser admitted that certain online tools they had installed ended up sending personal info, you know, to the vendors that I listed. I think there's some more, but I don't think that's super important to this topic. I mean, it's definitely not the kind of news anyone wants to hear, especially when it comes to sensitive medical data.

[00:08:57] Brad Bussie: And this list, I mean, I guess, think of this as: is this super sensitive, the shared data? It included names, IP addresses, addresses, what pages people visited, whether they were actively signed in, and even the search terms they used when visiting the company's online health encyclopedia. So could this be a little embarrassing for someone?

[00:09:25] Brad Bussie: Maybe. And could it be used for social engineering types of attacks? So according to some experts, I mean, the problem of third-party trackers from advertisers getting a hold of customer info, it's, it's pretty widespread in both the health tech and government sectors. And I would agree with this. They, they started to mention how advertisers have been using the info to now target ads

[00:09:57] Brad Bussie: at users based on health [00:10:00] data, which has happened before. I think this happened with GoodRx not too long ago, and even though it might not fit the traditional idea of a data breach, it still ends up with unauthorized access to data by entities it wasn't meant for. So think of this from a privacy perspective, and usually there's no system in place to catch and actually stop this from happening.

[00:10:31] Brad Bussie: Now, Kaiser reportedly and supposedly got rid of the tracking code from its sites. But even though this wasn't a hack in the traditional sense, it's still a big deal from a security standpoint, and I think it shines a light on securing health care overall.

[00:10:52] Brad Bussie: Third topic for today, Okta credential stuffing attacks spike via proxy network.

[00:11:02] Brad Bussie: Now, recently, Okta noticed a pretty sharp rise in what's known as credential stuffing attacks. And this is where bad actors use stolen usernames and passwords to break into your accounts. And I think by now, you know how I feel about passwords, and guess what's making their job easier. It's called residential proxy services, and think what goes along with this.

[00:11:34] Brad Bussie: Things like Tor browsing, other secure VPNs, anonymizers. There's a more easily available hacking toolset out there. And AI is just making that easier. And unfortunately, because of all the leaked credentials out there and, and people aren't going and updating and changing their passwords, this is still [00:12:00] a problem.

[00:12:01] Brad Bussie: So from April 19th to April 26th in 2024, Okta's researchers spotted a lot more of these attacks, and they're all aimed right at Okta accounts. So I think, you know, we've talked a couple of times about Okta, some of the security challenges that they've had, but I will say they've done a pretty good job of going back down to the bedrock, is what they're, what they're saying, and making sure they've done a full security evaluation.

[00:12:36] Brad Bussie: So I like this because this shows that they're trying to get in front of these types of attacks. And their researchers pointed out, really, there's a common thread in these attacks, and a lot of them are hiding behind tools that anonymize their tracks, like Tor, and there's some things that you can do about that.

[00:12:59] Brad Bussie: And you can essentially block traffic from any of the anonymizers. So there's ways around it, but just not everybody has it configured correctly. And by default, this kind of stuff is allowed. So what's more, they've traced millions of these requests back to residential proxies. And if you're not familiar with this, look up NSOCKS or Luminati, look at DataImpulse, just, just do a quick search on those.

[00:13:32] Brad Bussie: High level, they're, they're basically networks made up of just regular people's devices out there. Regular users, like what you have at home, like what I have at home. Hopefully I don't have this problem. That would be embarrassing, but they've, they've been roped into routing traffic. And this is without the owner's clear consent.

[00:13:56] Brad Bussie: So often this happens because an app [00:14:00] on the network or an app on a device was built using a compromised software development kit. So that's just one of the ways, but that's one of the more common ways. And with apps being prolific and written by just kind of whoever, Apple does a pretty good job of, of making sure this stuff is validated.

[00:14:23] Brad Bussie: Android, a little more challenging. And if you're going out and you're just downloading something onto your Mac or, or Windows device, good luck. And according to researchers, some app developers might not even realize that they're using sketchy SDKs, software development kits. And that turns the user's device into that traffic routing tool for the attacker.

[00:14:52] Brad Bussie: So a lot of this malicious traffic looks like it's coming from ordinary mobile devices and browsers. So a little bit of a challenge, but to fight back, Okta's rolled out a new feature in its Workforce Identity Cloud and Customer Identity Solutions that can block anonymized requests. I was saying it's possible; they're making it even easier, and it's something you can switch on.

[00:15:21] Brad Bussie: So if you're an Okta customer, you can just turn this on in your admin console settings. But for those who need to block specific anonymizers, there's a special feature, I think they call it dynamic zones, that you might want to check out. That, that gives you a little more granular control. And honestly, I would not even forget some of the basics.

[00:15:47] Brad Bussie: I talk about that all the time. We need to get back to basics with some of these things. And Okta, as I've done the same, is urging everyone to beef up their defenses. Things [00:16:00] authentication, use it everywhere, use it everywhere that matters. Both for things like employee portals and critical internal systems.

[00:16:12] Brad Bussie: And like I've talked about in a previous episode, protecting your personal email is probably the most important thing that you can protect, because if that gets compromised, you can just start resetting all of your passwords everywhere. And I think really one of the things as an administrator or even as a, as an end user is just

[00:16:38] Brad Bussie: look out for any login attempts that seem out of place. And a lot of systems have gotten better about this, where you'll get an email that says, Hey, Brad, are you logging in from Washington, DC? And I'm sitting here in Colorado. So obviously I would be. That's a little strange. And this happens a lot on social networks where someone's just trying to log in as you, and they're using credentials that they picked up from the dark web.

[00:17:05] Brad Bussie: So if you haven't updated those, that's kind of the first way in for a lot of, of these, these attackers. So stay mindful of the time, the location, the IP address, and if it's something that was intended. So thank you for joining me, and I look forward to the next time on the State of Enterprise IT Security Edition.