Merlin Labs Memo -- Week of January 16-20



EmojiDeploy Remote Code Execution Flaw Threatens Microsoft Azure

“A new critical remote code execution (RCE) flaw discovered impacting multiple services related to Microsoft Azure could be exploited by a malicious actor to completely take control of a targeted application.” The vulnerability can be exploited through a session-riding attack vector (also known as a Cross-Site Request Forgery, or CSRF, attack), in which a threat actor “tricks an authenticated user of a web application into executing unauthorized commands on their behalf.” The attack targets Azure’s Kudu Source Control Management (SCM) service, allowing an adversary to deploy malicious files to Azure applications and achieve remote code execution, potentially giving the attacker command and control of the application. Damage to an organization is largely determined by the managed identity permissions granted to its applications. -- Via The Hacker News
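The session-riding vector described above works because the browser attaches the victim's session cookie to any request a third-party page triggers, so the cookie alone proves nothing about where the request came from. The following is an added example (not code from the memo, from Microsoft, or from the Kudu project) of the server-side check a state-changing endpoint needs to reject such requests: it demands both a trusted `Origin`/`Referer` and a session-bound synchronizer token that a cross-site page cannot read. `TRUSTED_ORIGINS`, the `Request` class and the sample requests are constructed for the example.

```python
"""Server-side check that rejects session-riding (CSRF) requests.

Added example; it models a state-changing endpoint (say, a deployment
upload) that must only be reachable from a first-party page. Two
independent signals are required before the request is honoured:
a trusted Origin/Referer header and a synchronizer token bound to the
session. Setting the session cookie with SameSite=Lax or Strict is a
complementary browser-side control not shown here.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed for the example: origins allowed to drive state changes.
TRUSTED_ORIGINS = {"https://app.example.test"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def make_csrf_token(session_id: str, secret: bytes) -> str:
    """Derive a token tied to one session; a page on another origin
    cannot read it, and it cannot be replayed against another session."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(request: Request):
    """Origin header if present, else the origin part of Referer, else None."""
    origin = request.headers.get("Origin")
    if origin:
        return origin
    referer = request.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def check_request(request: Request, secret: bytes):
    """Return (accepted, reason). Only non-safe methods are gated."""
    if request.method.upper() in SAFE_METHODS:
        return True, "safe method"
    session_id = request.cookies.get("session")
    if not session_id:
        return False, "no session"
    origin = request_origin(request)
    if origin not in TRUSTED_ORIGINS:
        # A forged cross-site request carries the attacker's origin,
        # or none at all when the browser suppresses Referer.
        return False, f"untrusted origin {origin!r}"
    token = request.form.get("csrf_token", "")
    expected = make_csrf_token(session_id, secret)
    if not hmac.compare_digest(token, expected):
        return False, "missing or wrong csrf token"
    return True, "ok"


# Constructed sample traffic: one legitimate submit, two forged ones.
SECRET = b"constructed-server-secret"
COOKIES = {"session": "sess-42"}

LEGIT = Request("POST", {"Origin": "https://app.example.test"}, COOKIES,
                {"csrf_token": make_csrf_token("sess-42", SECRET)})
FORGED_CROSS_SITE = Request("POST", {"Origin": "https://evil.example.test"},
                            COOKIES, {"action": "deploy"})
FORGED_NO_ORIGIN = Request("POST", {}, COOKIES, {"action": "deploy"})
STALE_TOKEN = Request("POST", {"Referer": "https://app.example.test/deploy"},
                      COOKIES, {"csrf_token": make_csrf_token("other", SECRET)})


def run_samples():
    """Evaluate every constructed request and return {name: accepted}."""
    samples = {"legit": LEGIT, "forged_cross_site": FORGED_CROSS_SITE,
               "forged_no_origin": FORGED_NO_ORIGIN, "stale_token": STALE_TOKEN}
    return {name: check_request(req, SECRET)[0] for name, req in samples.items()}


if __name__ == "__main__":
    for name, accepted in run_samples().items():
        print(f"{name:18} -> {'accepted' if accepted else 'rejected'}")
```

Note that the origin check and the token check fail independently: `STALE_TOKEN` comes from a trusted page but carries a token minted for a different session, so it is still refused.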

Our Take: Thankfully, this vulnerability was found and quickly remediated, although adversaries still had weeks, if not months, to exploit EmojiDeploy before a fix was provided. Committing to continuous health monitoring and vulnerability scanning as a part of an end-to-end cybersecurity program goes a long way toward protecting your organization from these types of vulnerabilities. More important, however, is putting the right protections in place that limit the impact of these types of vulnerabilities in the event of an exploit. While this one appears to have been identified and fixed relatively quickly, there are undoubtedly many other vulnerabilities yet to be discovered and skilled hackers who are endlessly devoted to finding and making the most of those vulnerabilities in the pursuit of an organization’s crown jewels. To further limit risk, organizations need to embrace and implement zero trust architectures and the principles of least privilege through privileged access management (PAM) tools and policies, threat detection, and even strong endpoint protection – all of which will limit the damage of the exploits sure to come. -- Sarah Hensley

Additional Reading:



Talent Shortage May Actually Be an Entry-Level Shortage

When we want a cybersecurity hire, we typically want someone with experience. That means we are essentially all competing for the same limited pool of candidates and are not contributing to the growth of that pool. There’s only one employer in the USA that is consistently adding candidates to the cybersecurity pool: the military. The rest are waiting for someone with experience to show up and, hopefully, stay. HR managers complain of a talent gap, but if we have few to no entry-level jobs available, then it’s a problem of our own making.

We need to take a hard look at our unfilled roles and ask if they truly need someone with experience right now, or if they need someone who has basic skills and can be trained quickly to learn the role. Consider which might be a better scenario: letting a role go unfilled for a year or getting someone new and spending a year growing and training the person to be right for the role.

True, we may want someone as skilled as the previous person to fill the open role or someone with skills on par with the rest of the team in a new role, but that keeps the door closed on new candidates. Is the experience truly necessary, or is it something that can come with, well… experience?

Then there’s the matter of the job descriptions copied together from multiple sources and combined in a way to where the employer isn’t looking for a unicorn so much as a ten-headed hydra.

Our Take: Mythical creatures will not do as good a job as a new person willing to learn, I can guarantee you that. As a former teacher, I know from personal experience both how hard it is to break into cybersecurity and what it would take to get someone trained up. If we say a person shows promise but needs more skills to fill a role, then we’re really saying that we aren’t willing to grow that person into the role. As a teacher, I took people with zero skills or knowledge in an area and trained them up. I can vouch for the bright young people out there: they’re bright and can learn surprisingly quickly.

I love this quote from Rob Duhart, Jr., the deputy CISO at Walmart: “You can't have job descriptions that require 10 years of experience and a CISSP and a master's degree. You've got to be able to meet people where they are — and teach, coach and grow them.”

There are some great suggestions in the articles below and I hope you’re able to take time to read them over and give a re-think about your open cybersecurity roles. Let’s think about how we can train up new people or cross-train people from other disciplines and grow that talent pool instead of scratching our heads over why it seems to be shrinking. -- Dean Webb

Additional Reading:



“Cloud ≠ Secure”

“Let’s move everything to the cloud. It's secure, right?” Not exactly.

Easy is never the path to security under any circumstances today. There was a perception that cloud was easier and cheaper, but I think most are figuring out now that that’s not the case.

Providers work hard to secure their side of the environment between tenants, but the security of your workloads is squarely placed on you. Defaults are never a security policy that will be safe, and with the focus on zero trust, this should now be glaringly obvious.

There are many examples of cloud workloads and services that are dangerous to use with default settings. Developers sometimes try to make it easier to deploy an app at the sacrifice of security. We need to constantly be wary of the security profiles of any application.

Work must be done to assure that our cloud workloads are properly secured. Besides the controls within the CSPs, there are other technologies like application micro-segmentation that can help lock things down even more and make sure only certain systems communicate with each other.

Our Take: Even when we try our best to make things secure, things can slip through the cracks. That’s why it's wise to have a cloud posture management system utilized to assure things are properly deployed and not using excessive privileges. They can be your lifeline to save you from unintentional mistakes or developers who may have left the back door open for trouble by accident, or even on purpose. They can also help you build consistent policies across your cloud workloads to prevent accidents from happening. -- David Maphis
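Both the EmojiDeploy take (limit the blast radius of an application's managed identity) and the posture-management point above come down to the same check: does any application identity hold more than it needs? The following is an added example, not the memo's code nor any CSPM product's logic. It evaluates a constructed inventory of role assignments against two simple rules: a broad role (Owner, Contributor, User Access Administrator) granted at management-group or subscription scope is a high-severity finding, and the same role at resource-group scope is a medium one worth a second look. The scope paths follow the Azure resource-ID layout and the role names are Azure built-in roles, but every principal, subscription and resource-group value is constructed.

```python
"""Posture check for over-privileged application identities.

Added example. Scans a constructed list of role assignments and reports
those whose scope is wider than a single application normally needs.
Scope paths use the Azure resource-ID layout; identifiers are made up.
"""
from dataclasses import dataclass

# Azure built-in roles that grant write or rights-management power.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}


@dataclass(frozen=True)
class Assignment:
    principal: str  # managed identity name (constructed)
    role: str       # role definition name
    scope: str      # resource-ID style scope path


@dataclass(frozen=True)
class Finding:
    principal: str
    role: str
    scope: str
    severity: str   # "high" or "medium"


def scope_level(scope: str) -> str:
    """Classify a scope path as managementGroup / subscription /
    resourceGroup / resource, based on its segments."""
    parts = [p for p in scope.split("/") if p]
    if len(parts) >= 4 and parts[0].lower() == "providers" \
            and parts[2].lower() == "managementgroups":
        return "managementGroup"
    if parts[:1] == ["subscriptions"]:
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2].lower() == "resourcegroups":
            return "resourceGroup"
        if len(parts) > 4:
            return "resource"
    return "unknown"


def find_excessive(assignments):
    """Return a Finding for every assignment that exceeds least privilege."""
    findings = []
    for a in assignments:
        if a.role not in BROAD_ROLES:
            continue  # read-only or narrowly scoped custom roles pass
        level = scope_level(a.scope)
        if level in {"managementGroup", "subscription"}:
            findings.append(Finding(a.principal, a.role, a.scope, "high"))
        elif level == "resourceGroup":
            findings.append(Finding(a.principal, a.role, a.scope, "medium"))
    return findings


# Constructed inventory: what an app-identity audit might pull back.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
INVENTORY = [
    Assignment("web-app-mi", "Contributor", SUB),
    Assignment("web-app-mi", "Reader",
               SUB + "/resourceGroups/rg-web/providers/Microsoft.KeyVault/vaults/kv-web"),
    Assignment("batch-mi", "Owner", SUB + "/resourceGroups/rg-batch"),
    Assignment("ops-mi", "Contributor",
               "/providers/Microsoft.Management/managementGroups/mg-root"),
    Assignment("api-mi", "Contributor",
               SUB + "/resourceGroups/rg-api/providers/Microsoft.Web/sites/api-prod"),
]


def summarize(assignments):
    """Map severity -> sorted principal names, for quick reporting."""
    out = {"high": [], "medium": []}
    for f in find_excessive(assignments):
        out[f.severity].append(f.principal)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for f in find_excessive(INVENTORY):
        print(f"[{f.severity:6}] {f.principal}: {f.role} at {f.scope}")
```

The `api-mi` assignment is Contributor on a single web app and is not reported: the point is not that write roles are wrong, but that their scope should match the resource the identity actually serves.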

Additional Reading:


Readers of our Newsletter: What’s working, what’s not, and what’s on your mind? Leave a comment below or email [email protected]. Thank you!
