Merlin Labs Memo -- Week of January 15-19

Cybersecurity Skills Needed in PR and Marketing Teams

When we talk about “shadow IT”, we need to address not only unauthorized IT solutions cooked up by crafty end-users, but also those authorized IT solutions that are administered by non-IT people. In this article, I want to consider those assets in the hands of public relations and marketing teams. There’s a fun personal story here that I’ll relate to illustrate the issue.

I once was tasked with setting up host names for a group of servers. Most were internally-facing, but two would be Internet-facing. For the internal servers, I had to jump through all the hoops of proper naming convention, creating project tickets, getting approval from multiple managers, and, once I had cleared weeks of approvals, waiting out the SLA to get those names created. One of the sticking points was whether or not the servers had to be named with the *nix server naming convention or with the network appliance naming convention, but we got that sorted out after a series of meetings.

For the Internet-facing hosts, the longest time in that process was in finding out that the people I worked with for internal host names were not responsible for external hosts and then in discovering, at last, that our marketing team handled that function. I sent an email to them with my proposed host names and they got back to me that those names were OK by them and were now up and running. Their only concern was that the hostname not be something that someone on the Internet was likely to find objectionable. No manager approval, no ticket to work through the system, no rigorous review of technical setup, just a proposed hostname and IP address and we were done.

And while I loved that throwback to days where stuff got done by people who knew how to do it in a matter of minutes, it was also a throwback to the days where security concerns were easily overlooked. We now have two stories this week that illustrate that problem.

The first comes to us from the SEC, where a lack of MFA led to a compromise of their account on X. The attackers posted some things that spiked Bitcoin prices and likely made a tidy profit from being on the other side of that trade. The second involves a “no-reply” email address with poor password security. A researcher made an API request to the email address and got back a response containing the password, merely base64-encoded. For the layperson, base64 encoding is the digital equivalent of speaking in Pig Latin – it hides nothing and is trivially decoded; it is not a hash. The researcher logged into the account and had access to every email sent from the “no-reply” alias, which was nearly all of the company’s correspondence with customers.
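As an added illustration (not code from the memo or from the affected company), here is the difference between a credential that was only base64-encoded and one stored as a salted hash; the mailbox password and the record format are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample of a "no-reply" mailbox password that a developer has
# merely base64-encoded before storing it (hypothetical value).
STORED_BASE64 = base64.b64encode(b"N0reply!Mailbox2024").decode()


def recover_from_base64(stored: str) -> str:
    """Base64 is an encoding, not a hash: the original password comes straight back."""
    return base64.b64decode(stored).decode()


def hash_password(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 digest instead of the password itself."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against the stored record; the password is never recoverable from it."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def is_recoverable(record: str) -> bool:
    """Inventory check: a stored credential that decodes to printable text was only encoded, not hashed."""
    try:
        return base64.b64decode(record, validate=True).decode().isprintable()
    except (ValueError, UnicodeDecodeError):
        return False
```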

Our Take: IT security teams will secure the IT assets they know about and can reach. OT security teams will do the same for OT. IoT security teams, likewise. Now, show me where there’s a marketing security team, if you can. These teams handle the “face” of the organization, but that “face” can be left wide open because those marketing teams are likely to be focused on their missions and not on the security surrounding them. Just as we had to get development teams to “shift left” and put application security into earlier stages of development, we need a similar shift in how our marketing teams handle their outward-facing assets.

They want to do things the right way, just like anyone else, but they also need to know when they have an issue to correct. When we fail to remember their assets as we inventory and secure our organizations, we allow a blind spot to exist, and that is what attackers love most. It’s not the failure of marketing to secure their assets. It’s a failure of cybersecurity to remember them and to give them guidance on better online hygiene. – Dean Webb

Additional Reading:


We Need Better Encryption to Fight New Ransomware Methods

Foxsemicon, a subsidiary of Foxconn, is a recent victim of ransomware. This one’s newsworthy because the attackers also took over the firm’s web page to announce the breach. This public defacing leaves no question about when an attack made an impact on an organization, and leaves no wiggle room for the victim to quibble about when it knew of the attack or if an attack even happened. Ransomware attackers have been changing methods to extort victims that don’t admit an attack happened and quietly restore from backups to continue business.

Attackers still want their ransom, but they weren’t getting it as often from organizations that could recover their data. Now the ransom is in the form of “pay us or we’ll publicize”, a very traditional form of blackmail that we can all understand.

Our Take: We can fight this form of blackmail through better encryption. By default, organizational equipment should have hard drive encryption activated. Data at rest must be encrypted, as well as data in transit. Data in use – that’s a tricky business, and there’s so much data at rest and in transit that’s not encrypted that attackers with an organizational foothold can get at the goodies through those methods. Data in the cloud? Encryption should be active on every data store in the cloud – and if that’s not a default setting in your cloud deployment, you need to get out there and turn it on.

So we get it, right? Encrypt everything. Except, there’s a catch to that. If we use weak encryption, then it’s easy for attackers to discover that and crack it. Weak encryption still checks the “encryption active” box and makes us blind to a possible issue there. Worse, quantum computing is still coming towards us and will break through today’s asymmetric encryption (RSA and elliptic-curve) with ease. That’s been mathematically proven. Because asymmetric encryption is used to establish the keys for nearly all encrypted communication, attackers can steal now and decrypt later, once they have access to a commercially-viable quantum computing system.

Today is the day to get an inventory of your organization’s encryption status. Where is it used, how strong is it, what type is it, what certificates are involved, the works. With that information, an organization can plan out a strategy for improving existing encryption and replacing it with quantum-proof encryption when that becomes available. I’ve included a link in “More Reading” to ISG Federal, which does partner with my employer on solving encryption and cryptography visibility and hygiene. I link it not because it’s the greatest most wonderfulest application, but because you have a problem: no encryption visibility and no way to easily swap out weak encryption for stronger stuff. This tool solves that problem. Get aware on the issues and make your own decisions, and I’d love to have a discussion about what can be done. – Dean Webb
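As an added example of the inventory step described above (this is not the ISG Federal tool or any vendor’s code), a small classifier that takes rows of the kind a TLS/certificate scan produces and separates “weak today” findings from “quantum-vulnerable, plan the migration” findings; the hosts, cipher names and thresholds are constructed and simplified for illustration.

```python
# Constructed inventory rows of the kind a TLS/certificate scan produces;
# hosts and settings are hypothetical.
INVENTORY = [
    {"host": "mail.example.test", "protocol": "TLSv1.0", "kex": "RSA",
     "cert_key": "RSA", "bits": 1024, "cipher": "DES-CBC3-SHA"},
    {"host": "www.example.test", "protocol": "TLSv1.2", "kex": "ECDHE",
     "cert_key": "RSA", "bits": 2048, "cipher": "ECDHE-RSA-AES128-GCM-SHA256"},
    {"host": "api.example.test", "protocol": "TLSv1.3", "kex": "X25519",
     "cert_key": "EC", "bits": 256, "cipher": "TLS_AES_256_GCM_SHA384"},
]

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "DES", "NULL", "EXPORT", "MD5")
# Public-key families that Shor's algorithm breaks on a large quantum computer;
# traffic protected by them today is exposed to "steal now, decrypt later".
QUANTUM_VULNERABLE_KEX = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "X25519", "X448"}
MIN_CERT_BITS = {"RSA": 2048, "EC": 256}


def assess(row):
    """Return the list of findings for one inventory row."""
    findings = []
    if row["protocol"] in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol {row['protocol']}")
    if any(tok in row["cipher"].upper() for tok in WEAK_CIPHER_TOKENS):
        findings.append(f"weak cipher {row['cipher']}")
    if row["bits"] < MIN_CERT_BITS.get(row["cert_key"], 0):
        findings.append(f"short {row['cert_key']} key ({row['bits']} bits)")
    if row["kex"] == "RSA":
        findings.append("no forward secrecy (static RSA key exchange)")
    if row["kex"] in QUANTUM_VULNERABLE_KEX:
        findings.append(f"quantum-vulnerable key exchange {row['kex']}")
    return findings


def priority(findings):
    """'fix now' for weak-today issues, 'plan PQ migration' if only the quantum risk remains."""
    if any(f.startswith(("legacy", "weak", "short", "no forward")) for f in findings):
        return "fix now"
    return "plan PQ migration" if findings else "ok"


def summarize(inventory):
    """Map each host to (priority, findings) so the worst offenders surface first."""
    report = {}
    for row in inventory:
        findings = assess(row)
        report[row["host"]] = (priority(findings), findings)
    return report
```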

Additional Reading:


Readers of our Newsletter: What’s working, what’s not, and what’s on your mind? Leave a comment below or email [email protected] . Thank you!
