Merlin Labs Memo -- Week of April 25-29

Environmental, Social and Governance (ESG) Best Practices in Cybersecurity

“Carbon footprints need to be reduced, but it’s understandably difficult during a time when people want to do more online and require better and faster protection in parallel. Applying sustainability principles to hardware and software makes this an achievable goal. IT usage can become more effective and safer at the same time. So, why is it important to have sustainable cybersecurity? The benefits of sustainable security and IT are akin to the benefits we get at home from installing smart-heating controls at home – aka – saving money. Still, sustainability is also a key driver in some regulatory decisions and helps develop and maintain a positive corporate profile for businesses today.” -- Via Security Week

Laurence Pitt, the article’s author, also mentions a few specific approaches to best practices in cybersecurity that will hopefully result in cost savings through gained efficiencies, including:

  • Ensuring an incident response plan is in place, and reviewing it regularly
  • Implementing endpoint detection and response (EDR) solutions
  • Improving staff awareness through better security and awareness training
  • Making ESG a priority (flexible work environments, updated manufacturing, using refurbished assets)

Our Take: This was an interesting article because environmental consciousness is not a traditional talking point or consideration when discussing cybersecurity or governance/compliance programs. That said, it’s always good to understand the broader context into which our solutions operate, and make sure we are prepared to address important topics like sustainability with our customers and partners, as well as plan for potential introduction of environmental impact controls in future revisions of certain governance and compliance standards.

Whether judging a cybersecurity program on its ability to reduce risk, its ability to protect critical data while enabling business continuity, its impact on (and the impacts from) employees and customers, or its environmentally conscious operations, it seems that the right answer is always about finding the efficiencies. Do more with less. Work smarter, not harder.

And while the author did hit on a few important topics (leveraging EDR solutions, improving security and awareness training, etc.), one of the most important considerations for our industry is the use of automation. Cybersecurity automation tools that leverage machine learning and AI, specifically, can add magnitudes of efficiencies to the process of complying, protecting, detecting, preventing, responding, and remediating cybersecurity issues. These tools, when equipped with solid notification workflows and intelligent mobile-ready dashboards, also allow cybersecurity professionals to work from anywhere, shrinking the social and environmental impacts of travel and secondary brick-and-mortar work locations. Addressing cybersecurity and compliance in a manner that is both faster and more laser-focused is one of the biggest ways to achieve the best efficiencies and is a win-win that better protects our data and our environment. -- Sarah Hensley

---------------------------------------------------------------------------------------------------------------

VMware Continues To Be in the Crosshairs

“Advanced hackers are actively exploiting a critical remote code execution (RCE) vulnerability, CVE-2022-22954, that affects VMware Workspace ONE Access (formerly called VMware Identity Manager).” -- Via Bleeping Computer

“The security team of the UK National Health Service (NHS) said that it detected an unknown threat actor using the Log4Shell vulnerability to hack VMware Horizon servers and plant web shells for future attacks.” -- Via The Record

Our Take: Why is this so important? VMware became the major player in server virtualization over the last 15 years. With more than 25% market share, the technology is the go-to for engineers, admins, and hobbyists alike. This essentially places millions of servers at risk in environments in every part of the industry; it would be difficult to find an organization that does not have a VMware installation. The attacks in both cases are at the management infrastructure of the platform itself. Once the parent is infected, the hosted servers are vulnerable to a complete RCE (remote code execution) attack.

In many ways, the difficulty of updating VMware management planes is similar to the issues around updating OT environments. When the host plane is patched, it requires significant planning for downtime and potential troubleshooting. If things go wrong, then all the hosted servers also go down or need to be migrated to another host in that timeframe, which itself takes time and planning. Patching is not as simple as it sounds, but putting it off is not an option when you’re dealing with an RCE bug. -- Jeremy Newberry

---------------------------------------------------------------------------------------------------------------

White Hat Hackers Say That OT is the Easiest Place To Play While Winning Hackathon

“… breaking into OPC UA, an open source communications protocol used by a majority of industrial control systems around the world, was the ‘easiest’ thing they’d hacked at the conference so far… . ‘In industrial control systems, there is still so much low-hanging fruit … The security is lagging behind badly.’” -- Via Gizmodo

Our Take: Week after week, we are seeing more exposure of the vulnerabilities of our OT environments. Fortunately, it was just for fun this time: 26 unique exploits were discovered during the event, awarding $400,000 in bounties and prizes.

When considering the exploits used, most were old-fashioned living-off-the-land types of attacks. Privilege escalation attacks, spamming control codes, DDoS-style attacks—each of these is a common method, but the OT devices were largely unprotected from them. Does this point to disaster in the future? Possibly.

Why? In the scenarios that were presented, access to the OT environments was already assumed and the participants had an open run at the devices in question. Much of OT security starts with secure enclaves, and there were no monitoring or defensive tools deployed to protect the OT infrastructure itself. While this certainly level-sets to an “assume breach” posture and is a cause for alarm, I would point out that vendors are taking the bug reports seriously and are actively involved in remediation at this point. -- Jeremy Newberry

---------------------------------------------------------------------------------------------------------------

Readers: What would you like to see in future editions? We've started this weekly memo as a simple way to share 3-5 bits of news and/or ideas, along with our professional opinions. What’s working, what’s not, and what’s on your mind? Let us know by leaving a comment below or sending a note to [email protected].

Edwin V.

Developer instrumenting the interstellar future building on a High-Fidelity Computational architecture

2 years

Excellent, good timing, concise to the point and factual. Thanks, Merlin Cyber.

Excited to see more of this!
