Hamburgers, TSA, and TPM
Jim Tiller
Fractional Executive (CISO/CIO) | Author | Patent Holder | Industry Leader | Co-Host DtSR Podcast | NIST | CMMC | CISSP | CISM | CISA | NYDFS | FAIR | NSA IEM | NSA IAM
What Does This Say
There are a lot of stories this week, the week of International Women’s Day, being shared about gender equality, rights, and even violence against women. Adding to the mix was an interesting report from Trend Micro about gender equality in cybercrime. Interestingly, it highlights that 30% of those operating in cybercriminal forums (dark web) are women, a percentage that exceeds the share of women working in cybersecurity as a profession today. The study is a must-read. It’s very comprehensive and covers a lot of points, such as the types of crimes women commit versus men and how this is manifesting in cyberspace.
AI Powered Hamburger
I once wrote an article about the use of the term “security”. It was being attached to everything in the very early 2000s, much like the letter “i” was prefixed to a product name to make it seem more internet-ready. Today we’re starting to see “AI Powered” attached to a lot of things. But unlike in the old days, where the prefix was marketing, I’m fairly convinced that when we see AI-powered malware we’re in trouble. An interesting blog was published this week describing the creation of an AI-backed polymorphic malware called BlackMamba, a proof of concept showing how AI can help malware bypass security controls. The thing here is that this was just a POC… imagine what the bad guys are going to do.
Wait, the TSA?
The US Transportation Security Administration (TSA) issued a press release this week announcing new cybersecurity requirements for TSA-regulated airports and aircraft operators, in response to the Biden administration’s National Cybersecurity Strategy published the week prior. The new requirements are actually an amendment to the TSA’s cybersecurity requirements published in October last year, which were themselves a response to the Biden administration’s brief on its commitment to strengthen the cybersecurity of U.S. critical infrastructure, which came out – you guessed it – the week prior. Of course, the presidential “note” from October was a bit lackluster (IMHO) and more of a “hey, look how awesome we are”. The new national strategy, however, looks interesting, but we’ll see how much of it actually materializes… and when. Nevertheless, despite the almost comedic reactive echo from the TSA, the new cyber requirements are actually straightforward: 1) segment, 2) control access, 3) monitor, and 4) patch (and kudos to them for adding firmware to the list of things that get patched). Any company that does those four things well will be more secure than your average bear. Of course, it’s all in how well you’re doing it, managing it, measuring its performance, and continuously improving. But those things are boring, so they don’t get done.
TSA March press release - https://www.tsa.gov/news/press/releases/2023/03/07/tsa-issues-new-cybersecurity-requirements-airport-and-aircraft
National security strategy (read it) - https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/
TSA Oct. press release - https://www.tsa.gov/news/press/releases/2022/10/18/tsa-issues-new-cybersecurity-requirements-passenger-and-freight
Whitehouse Oct. press release - https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/11/fact-sheet-biden-harris-administration-delivers-on-strengthening-americas-cybersecurity/
While we’re on the topic of government, the White House, etc., I highly recommend you read the recently published National Cybersecurity Strategy (https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf). Whether you’ve been in security forever, are just starting, or are just curious how it could impact your business… it’s definitely worth the read. Trust me, you’ll have mixed reactions and interpretations.
BIOS Baby
When you turn your computer on, a lot happens long before you’re greeted with a desktop. Early in the process, firmware built into your system fires off and starts checking to make sure everything is where it should be and running; when satisfied, it hands things over to the boot device, like your hard drive, which in turn contains the boot record for your operating system. Our diabolical friends in the hacker world have created all kinds of malware to infect that firmware, completely bypassing any security controls implemented higher up the stack. In short, they own you to your bones.
Of course, vendors of computer systems, like HP with Itanium, started implementing controls and created a replacement for BIOS called UEFI (Unified Extensible Firmware Interface), intended to be better in every possible way, going back to 2005. For most of that time, thanks to integrated encryption and security, hackers have had little success (none, really) getting to the firmware the way they had with BIOS. Enter BlackLotus (the coolest name for malware, ever). Researchers recently published an analysis of the malware, which was being advertised for sale for $5,000, with a $200 maintenance fee, as late as last year (even bad guys are stuck with maintenance fees). In a word, this is bad, and basically your best hope of dealing with it is monitoring your environment, because stopping it will be difficult.
Trust, We Don’t Need No Stink’n Trust
Last week the internet was flooded with reports of two newly identified vulnerabilities in the TPM 2.0 specification, and therefore in code developed from that specification. OK, why the big deal? TPM is the Trusted Platform Module (aka ISO/IEC 11889), hardware in virtually every computer that provides the system (like Windows) with tamper-resistant cryptographic functions, you know, like device encryption and the sharing and storing of keys, passwords, and all kinds of things. To get to the point, a hacker can access the TPM interface and send commands that provide access to, and the ability to overwrite, very sensitive data: data so important that it was stored on a chip buried in your computer, so important to you that you don’t have access to it. How do you fix it? You guessed it: patch your system. But how often do you do that?
There are a ton of articles, but I think this one is in the top 5 - https://www.bleepingcomputer.com/news/security/new-tpm-20-flaws-could-let-hackers-steal-cryptographic-keys/
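Since the fix is a firmware patch, the first defender question is “which TPM firmware am I actually running?” The script below is an added example, not from the post or any vendor: it parses the output of tpm2-tools’ `tpm2_getcap properties-fixed` (a constructed sample is embedded) and flags devices below a minimum version. The high/low 16-bit split of `TPM2_PT_FIRMWARE_VERSION_1` is a common vendor convention assumed here, and the `MIN_FIRMWARE` thresholds are placeholders, not real advisory values.

```python
# Constructed sample of `tpm2_getcap properties-fixed` output (tpm2-tools
# YAML-style format). Values are made up for this example.
SAMPLE_OUTPUT = """\
TPM2_PT_FAMILY_INDICATOR:
  raw: 0x322E3000
  value: "2.0"
TPM2_PT_REVISION:
  raw: 0x8A
  value: 1.38
TPM2_PT_MANUFACTURER:
  raw: 0x49465800
  value: "IFX"
TPM2_PT_VENDOR_STRING_1:
  raw: 0x
  value: ""
TPM2_PT_FIRMWARE_VERSION_1:
  raw: 0x70055
TPM2_PT_FIRMWARE_VERSION_2:
  raw: 0x0
"""

# PLACEHOLDER policy: minimum (major, minor) firmware per manufacturer ID.
# Real thresholds must come from each TPM vendor's advisory.
MIN_FIRMWARE = {"IFX": (7, 86), "INTC": (600, 0)}


def parse_properties(text):
    """Parse properties-fixed output into {name: {"raw": int, "value": str}}."""
    props, current = {}, None
    for line in text.splitlines():
        if not line.startswith(" ") and line.endswith(":"):
            current = line[:-1]          # property header, e.g. TPM2_PT_REVISION
            props[current] = {}
        elif current and ":" in line:
            key, _, val = line.strip().partition(":")
            val = val.strip().strip('"')
            # "raw: 0x" (empty vendor string) has no digits; keep it as None
            props[current][key] = int(val, 0) if key == "raw" and val not in ("0x", "") else (None if key == "raw" else val)
    return props


def firmware_version(props):
    """Decode FIRMWARE_VERSION_1 as (major, minor) = (high 16 bits, low 16 bits).
    Assumed vendor convention, e.g. 0x00070055 -> (7, 85); verify with your vendor."""
    raw = props["TPM2_PT_FIRMWARE_VERSION_1"]["raw"]
    return (raw >> 16) & 0xFFFF, raw & 0xFFFF


def needs_update(props, policy=MIN_FIRMWARE):
    """Return (manufacturer, version, flag); flag is True when the firmware is
    below the policy minimum or the manufacturer has no policy entry."""
    vendor = props["TPM2_PT_MANUFACTURER"]["value"]
    version = firmware_version(props)
    minimum = policy.get(vendor)
    return vendor, version, minimum is None or version < minimum


if __name__ == "__main__":
    print(needs_update(parse_properties(SAMPLE_OUTPUT)))
```

Run it against real output with `tpm2_getcap properties-fixed | python3 check_tpm.py` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`; an unknown manufacturer is flagged on purpose so it gets looked at rather than silently passed.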