Merlin Labs Memo -- Week of January 30 - February 3

What’s Worse Than a Weak Password?

A recent audit in the U.S. Department of Interior found that there were far too many passwords that were easily cracked. With a rig costing under $15,000, the auditors were able to crack 21% of passwords tested, including 288 with elevated privileges and 362 that belonged to senior employees. Inside of 90 minutes, 16% of the department’s user accounts were cracked. Weak passwords, indeed!

But what is worse than the weak password? A lack of implementing multi-factor authentication (MFA). It’s also a bad password policy.

Our Take: The DoI report calls out how having a 60-day password change policy with complexity requirements “created a negative feedback loop that encouraged users to select weak passwords that were easy to remember.” Users who maintained multiple accounts would share passwords across those accounts, so cracking one password meant compromising more than one account.?

On the MFA front, DoI does have an MFA solution, but it’s one that breaks with mobile device applications. The report discusses ways to overcome that situation, and I strongly recommend reading it to understand both problems and solutions regarding identity management. -- Dean Webb

Additional Reading:

• P@s$w0rds at the U.S. Department of the Interior: Easily Cracked Passwords, Lack of Multifactor Authentication, and Other Failures Put Critical DOI Systems at Risk (Doioig.gov)
• Passwords Are Terrible (Surprising No One) (Schneier on Security)

Cybercrime is Predicted to Cost the World $8T USD in 2023

Cybercrime is predicted to cost the world $8 trillion USD in 2023, according to Cybersecurity Ventures. Measured as a country, cybercrime would be the world’s third largest economy after the U.S. and China.

We expect global cybercrime damage costs to grow by 15% per year over the next three years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.?Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm. -- Via Cybersecurity Ventures

Our Take: As predictions go, this seems like a real whopper simply meant to grab your attention and get you to click on the link.?The cost number seems unrealistically high.?In reality, there is likley no way to know just how much cybercrime costs the world on an annual basis.?However, after reviewing the list of costs associated with cybercrime, and the cybercrime examples cited, the estimated costs suddenly don't seem unrealistic.?

The Cybersecurity Ventures report does a thorough job of breaking down the costs and highlighting the areas of greatest risk.?For example, the ransomware threat continues to grow rapidly.?Companies are fighting back, however. According to KnowBe4 (link below), fewer companies are paying the ransom (41% in 2022 compared to 78% in 2019) and companies are taking additional steps to protect themselves, such as creating immutable backups, purchasing cyber insurance, etc.?In response, trends from the?latest Quarterly Ransomware Report?from ransomware response company Coveware show ransomware gangs are ratcheting up their efforts by targeting larger enterprises and demanding higher ransom payments.?Small-and-medium-sized companies are still at risk as the median target company size is now 275 employees, which is an increase of 10% over the previous quarter.

Further increasing risk is the professionalization of ransomware gangs and the growing efficiency of their "RaaS" offerings.?This?recent research?by Venafi and Forensic Pathways uncovered 475 web pages filled with listings for ransomware strains, ransomware source code, build and custom-development services, and full-fledged RaaS offerings.?The Cybersecurity Ventures report also lists the talent crunch for security expertise as one of the major challenges for companies; not only hiring for open positions, but retaining their cybersecurity talent as well.?The cybercrime gangs are also in the hiring business; over a 30-month period, cybercriminal gangs and threat groups posted more than 200,000 advertisements seeking workers with skills in software development, maintaining IT infrastructure, and designing fraudulent sites and email campaigns. The cybercrime ecosystem has spawned a lucrative underground economy, which peaked during the COVID pandemic and drove significant activity.??

While $8 trillion may seem like an exaggeration at first glance, the issue is very real and it is growing, with significant evidence to support it.?The Cybersecurity Ventures report is definitely eye-opening and worth a read. -- Joe DiMarcantonio, PMP

Additional Reading:

• Is Cybercrime the World's Third Largest Economy after the U.S. and China? (KnowBe4.com)
• Cybercrime Ecosystem Spawns Lucrative Underground Gig Economy (Dark Reading)
• Ransomware Professionalization Grows as RaaS Takes Hold (Dark Reading)
• Ransomware Targets are Getting Larger and Paying More as Fewer Victims Are Paying the Ransom (KnowBe4.com)

CISA Establishes New Supply Chain Risk Management Office

“The Cybersecurity and Infrastructure Security Agency is building out a new supply chain risk management office to help agencies, industry and other partners put a torrent of recent guidance and policies into practice.”?Shon Lyublanovits, who is spearheading the effort, is looking to help evolve supply chain security by synthesizing and translating the general concepts around supply chain risk management into a prioritized roadmap in a way that the program can move forward. Meanwhile, The Federal Acquisition Security Council (FASC) is focused on coordinating government-wide guidance, which includes establishing a scorecard to help government agencies determine the right best practices and criteria for their specific mission and use cases. Ultimately the article goes on to say that addressing supply chain risk is going to require a close and ongoing partnership between agencies and the contractors/suppliers of tech solutions. -- Via Federal News Network

Our Take: With a growing number of headline-worthy breaches pointing directly at supply chain vulnerabilities, it isn’t surprising that the government is taking steps to mature and escalate their approach to supply chain risk management. Organizations that embrace NIST 800-53 controls whether on their own or as a part of a standardized baseline such as FedRAMP know that the most recent Rev. 5 version has a new control family specifically devoted to supply chain risk management (SCRM). This new family elevates the focus on supply chain from earlier versions where supply chain risks were addressed (the threat isn’t new) but in a less specific and robust manner. Software developers often leverage open source and other third-party or commercial components under the covers, obscuring visibility into such downstream tech elements. So, what does this mean for managers and consumers of IT? To get started, SCRM plans should consider the following:

• Software Bill of Materials (SBOM) Management – Establishing a nested inventory that reflects all of the software and elements that make up the software in an IT system. Having a robust, accurate SBOM is the first step in identifying everything that needs to be managed, and revealing possible weak third-party links.
• 3rd Party Vendor Assessments (and cybersecurity/performance agreements) – To include some analysis of and insight into the maturity, stability, and cybersecurity practices of down-stream vendors who supply elements or components of the software (or hardware) in an IT system.
• Anti-Counterfeit Capabilities – From end-to-end encryption to robust key management, there are steps that can be taken to tamper-proof software. Hardware tampering is also a very real concern, with a tool like Sepio uniquely designed to identify suspicious hardware assets, or hardware that appears as one thing (e.g., a mouse) and actually behaves as something else like a server via an embedded Raspberry Pi.
• Supply Chain Threat Detection & Incident Response – To include cyber and logistical threats with tools that can collect, interpret, and integrate information providing situational awareness about all types of threats to the supply chain. If critical services are being provided from a geographic location hit with a natural disaster as an example, a good SCRM plan will be prepared with a contingency plan, as well as a solid incident response plan. Each system has a unique supply chain profile, and a threat detection/response model should be built to align with that profile.
• Zero Trust and Privileged Access Management (PAM) – Limiting access to system elements and controlling user rights with tools like CyberArk PAM will go a long way toward mitigating risk and limiting damage in the event of a breach. Incorporating other zero trust pillars around data protection/encryption and automation are critical to protecting a system against supply chain attacks as well as other types of attacks.

While including these elements into a broader cybersecurity plan won’t necessarily cover everything required for SCRM, it will give organizations a very good head-start. I would encourage anyone responsible for an IT system to become familiar with the recent NIST 800-53 supply chain control changes and expect more guidance to follow from industry leaders. -- Sarah Hensley

Additional Reading:

• Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST SP 800-161r1)
• 98% of organizations have been impacted by a cyber supply chain breach (Security Magazine)
• Healthcare Supply Chain Attacks Raise Cyber Security Alarm (Tripwire)
• Dealing with cyber breaches in the supply chain (Financier Worldwide)

Apache SAML Vulnerability Opens ManageEngine Service Desk to RCE

“The Cybersecurity and Infrastructure Security Agency (CISA) has added a remote code execution (RCE) affecting most Zoho ManageEngine products to its catalog of bugs known to be exploited in the wild.

This security flaw is tracked as CVE-2022-47966?and was patched in several waves starting on October 27th, 2022.” -- Via Bleeping Computer

"Rapid7 observed exploitation across organizations as early as January 17, 2023 (UTC). This was confirmed by researchers at the Shadowserver Foundation, who said they are "picking up exploitation attempts from at least 10 IPs for CVE-2022-47966 unauthenticated RCE affecting multiple Zoho ManageEngine products (that have SAML SSO enabled)."

Their findings were also confirmed by threat intelligence firm GreyNoise which began tracking CVE-2022-47966 exploitation attempts last week, on January 12." -- Via Bleeping Computer

Our Take: The older versions of Apache Santuario (prior 2.2.3) provide a direct vulnerability to the ManageEngine community. While ManageEngine does provide remediation for the issues, the long term vulnerability of the libraries (since 2019 at least) showcases the importance of SBOM vulnerability tracking and better development hygiene. Tracking the usage of vulnerable libraries and proactively remediating them is becoming more important every day. In the case of ManageEngine where the Service Desk and CMDB can reveal critical internal information and provide a real threat to the environment, it becomes even more critical.

In the name of holy hygiene...patch my friends, patch! -- Jeremy Newberry

Additional Reading:

• CVE-2021-40690 Detail (NIST)
• CISA orders federal agencies to fix hundreds of exploited security flaws (Bleeping Computer)
• Security advisory for remote code execution vulnerability in multiple ManageEngine products (ManageEngine)

Readers of our Newsletter:?What’s working, what’s not, and what’s on your mind? Leave a comment below or email?[email protected]. Thank you!??