Merlin Labs Memo -- Week of July 10-14
Merlin Cyber
Revisiting the Handling of Classified Data – Need to Know and Zero Trust
Following the recent revelation that Jack Teixeira, a low-level Massachusetts Air National Guard airman, posted dozens of highly sensitive Pentagon documents to an internet chat room, the Pentagon completed a review of their policies and procedures around the handling of classified data. The recent study came to some interesting conclusions. Primarily, the study determined that “security and oversight measures have failed to keep pace with the proliferation of military facilities that handle classified information and the personnel who work there.” While there didn’t appear to be a widespread breakdown of security protocols according to the study, the “spectacular growth in military facilities and people authorized to handle classified information, particularly since the terrorist attacks on Sept. 11, 2001, had far outpaced the military’s ability to keep that information secure.” The study recommended that the Pentagon “tighten controls on access to classified information, ensuring that only those with ‘a need to know’ are granted security clearances.” -- Via New York Times (gated)
Our Take: I’ll admit that I’m a little confused how the “far outpacing” of the military’s ability to keep information secure due to the “spectacular growth” in both facilities and people authorized to handle classified data isn’t considered some flavor of a widespread breakdown of security protocols, but I’ll chalk that up to semantics. What really jumped out at me as a cybersecurity professional was the recommendation to ensure that only those with a need to know are granted security clearances. Right. What he said. Seems obvious and simple enough. Meanwhile, I’ll take that thought and shift gears back to the ethereal cybersecurity left – you know that magical “shift left” destination where proactive steps should be happening in the form of baking security into systems from the outset. More specifically, the idea of limiting clearance (or access in this case) to those with a need to know hits at the heart of the spirit behind cybersecurity’s zero trust worldview. This worldview is based on an assumption the attacker is already lurking in your system and the insider threat is ever present – so that nobody is broadly or inherently trusted.
This isn’t the time or place to jump into all the pillars, tenets, maturity models, nuances, and crime-fighting/law-enforcing operational implications around the Marvel-esque universe of zero trust. But it’s a great reminder of why successfully navigating the zero trust journey is really hard. You may think it’s hard due to all of the instrumentation and architectural constructs up for consideration (e.g., macro and micro-segmentation, identity and privileged access management (PAM), data encryption, policy engines, policy administration, policy enforcement points, and information points), but to me, these things are not the hardest part. While not easy by any means, the aforementioned constructs are knowable, configurable, and manageable for skilled network and cybersecurity engineers. What’s really hard is managing the human factor – shifting even farther left, maybe even stepping out of bounds to where the foundation of cybersecurity zero trust begins – and that’s with a solid understanding of all of the humans who will be using the system and cruising around the dimly lit back roads of your network.
Knowing exactly which humans and associated roles should be trusted to access what information at any given time and for what transactional purposes is a job in and of itself. Having a solid grasp of this information is critical for organizations who hope to have a reasonable chance at preventing or quickly identifying a suspicious actor and/or behavior that doesn’t belong. Long story short, this type of insight into human and business-centric behaviors falls outside of the training and purview of most IT professionals. And yet, everything about zero trust (which is really the highly granular management of the granting of trust) relies on our assumed understanding of these human factors. The less we understand about the people using a system and their business and personal intentions, the less effective we will be at implementing the right zero trust access and architectural constructs, tools, monitoring rules, and policies. -- Sarah Hensley
Exploiting Corporate Policy for Root Access: Certificate Forgery and Microsoft Windows
When Microsoft wanted to tighten up its policy on driver signing – a good thing – it left open a loophole that accepted drivers signed with an old certificate – a bad thing. By permitting drivers signed with a certificate issued before July 29, 2015, Microsoft signaled to attackers that the best way to get kernel access was to sign a driver with a cert issued before that date and evade stricter controls for drivers going forward.
Our Take: The breach in trust came from developers that were part of the Microsoft Partner Center. Put another way, this issue is a flashing red light for zero-trust security approaches. There is good news – Microsoft is aware of the issues and is updating its list of blocked drivers. But is that enough?
I read another article on this topic that went into how gamers in China were getting hit hard with malware that utilizes this exploit. The first step in the exploit is a universal rootkit loader that gets access to the system’s heart and mind – the kernel. Once that’s done, the attacker has the rootkit loader invoke their specific second-stage malware that goes right past all the now-deactivated security systems on the device. As I pondered what happens to the malware after Windows releases its update, it occurred to me that more than a few of those compromised systems are likely to have a cracked version of Windows that won’t be getting any kind of automatic updates.
Now, it’s easy to say they’re all out of luck, but what if one of those gamers with pirated Windows shows up to hang out with one of my kids and asks for my wifi access? If I say yes to that, then my network is now exposed to probes and scans and who knows what else from that infected box? I work from home, so that’s a big problem, should it happen. Fortunately for my sake, I do have zero-trust security in place and that kind of access is firewalled off – I hope. If that box gets to the router, then I’m sunk.
But back to the main point, that of policy loopholes leading to root access. It’s a huge pain point, but ending backward compatibility is going to end a whole host of security woes. All we have to do is simply rebuild our entire computing infrastructure from the ground up with security integral to every operating system and not bolted on like it is now. Except, that was first contemplated in the early 1970s and even then was deemed too costly. So that means the burden of security becomes much heavier on the customer of the product. We have to utilize supply-chain security, cryptographic hygiene, and secure patch testing to put up a proper zero-trust wall between ourselves and mistake-making vendors. -- Dean Webb
Forged Tokens Breach Government Outlook and Azure Assets
Attackers have forged authentication tokens to exploit a flaw in Microsoft cloud assets. In this case, they used a Microsoft consumer signing key and then used the forgeries to access OWA and Outlook.com with impersonated Azure AD users. Twenty-five government agencies globally, including the U.S. State Department, were targeted. This was not a broad attack against any and all accounts, but a deliberate effort to go after specific officials.
Our Take: The good news is that Microsoft has remediated the issue, which should stop further threat activity in this vector. Bad news is that it shows that the attackers – Chinese APT Storm-0558 – have graduated from big, noisy attacks to surgical, quiet ones.
It also means that we have to put our cryptography solutions under the spotlight. We need zero trust when it comes to securing our Azure AD assets. Crypto-agility vendor InfoSec Global (ISG), a Merlin Cyber partner, pointed out that an analytics platform tracking crypto assets and their usage would have been able to discover the forged keys, alert on them, and reduce the MTTR for that vector.
Crypto analytics also has to be part of the path forward to guard our cloud AD authentication. We can’t continue to accept global token authentication. We need that function to be centralized in an organization and under constant scrutiny, or the bad news gets worse for us. -- Dean Webb
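The point about refusing “global token authentication” can be made concrete. The following is an added example (not Microsoft’s code, nor anything from the incident reports): a toy token verifier with constructed issuers and keys, where HMAC-SHA256 stands in for the RS256 signatures real Azure AD tokens carry. The flawed verifier resolves a token’s `kid` across every issuer’s key set, so a token signed with the consumer key but carrying enterprise claims passes; the hardened verifier only resolves `kid` inside the expected issuer’s own key set and rejects it.

```python
import base64, hashlib, hmac, json

# Constructed placeholders: one signing key per issuer, standing in for the
# per-tenant JWKS a real verifier would fetch. None of these values are real.
ENTERPRISE_ISS = "https://login.example-enterprise.invalid/tenant-a"
CONSUMER_ISS = "https://login.example-consumer.invalid/"
KEYS_BY_ISSUER = {
    ENTERPRISE_ISS: {"ent-key-1": b"enterprise-secret-constructed"},
    CONSUMER_ISS: {"msa-key-1": b"consumer-secret-constructed"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(kid: str, key: bytes, claims: dict) -> str:
    """Build a compact JWT; HS256 stands in for Azure AD's RS256 here."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def _split(token: str):
    h, b, s = token.split(".")
    signed_part = f"{h}.{b}".encode()
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(b)), _b64url_decode(s), signed_part

def verify_global_lookup(token: str, expected_iss: str) -> bool:
    """Flawed: trusts any kid found in ANY issuer's key set, then trusts the iss claim."""
    header, claims, sig, signed = _split(token)
    for keyset in KEYS_BY_ISSUER.values():
        key = keyset.get(header.get("kid"))
        if key and hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig):
            return claims.get("iss") == expected_iss
    return False

def verify_scoped(token: str, expected_iss: str) -> bool:
    """Hardened: kid is resolved only within the expected issuer's own key set."""
    header, claims, sig, signed = _split(token)
    if claims.get("iss") != expected_iss:
        return False
    key = KEYS_BY_ISSUER.get(expected_iss, {}).get(header.get("kid"))
    if key is None:
        return False  # key belongs to another issuer (or to nobody): reject, and alert on it
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig)

def forged_enterprise_token() -> str:
    """Constructed: signed with the consumer key, but claiming the enterprise issuer."""
    return mint_token("msa-key-1", b"consumer-secret-constructed",
                      {"iss": ENTERPRISE_ISS, "sub": "official@tenant-a", "aud": "outlook"})
```

A rejected lookup in `verify_scoped` is also the event worth alerting on: a `kid` arriving under an issuer that never published it is exactly the signal a crypto-asset analytics platform would surface.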
Bad Week for Microsoft: How Do We Mitigate?
In previous articles, I discussed kernel exploits and authentication failures for Outlook.com. In this one, I’ll mention a tool now openly available to send malware via Microsoft Teams. There are no patches as yet for the attack, and that brings me to the take I want to have on this story.
Our Take: The take here is to ask ourselves, are we too dependent on Microsoft for end-to-end user experience? Microsoft provides many tools that work well enough to meet day-to-day needs. When the call goes out to simplify the security stack, Microsoft is there to offer a single-vendor solution for just about everything. It’s easy – and often less costly on paper – to go with Microsoft and leave it at that. But what are the long-term costs of locking in on a single vendor?
This week illustrated that those costs could be significant, especially in the previously mentioned incidents that involved cryptographic manipulation that fooled or went around the gatekeeper functions that Microsoft had in place to protect its users. We talk about the importance of a layered defense in cybersecurity. Is defense truly layered if all the layers are from a single vendor?
When Microsoft tools are purchased in no-bid arrangements, it’s even more concerning. With no other voices in the room, we don’t know the true potential cost of locking in with Microsoft until it’s too late. That’s why the Senate’s version of the defense authorization bill demands answers about the “risks and benefits” associated specifically with Microsoft tools. With a lack of competition, do we get the best tools? Do we get the best true value? Do we set ourselves up for a catastrophic failure?
Hours before the revelation on the Chinese hackers getting access to government email accounts, Microsoft stated that the head of Microsoft Federal was leaving “to pursue new opportunities.” The timing of that pursuit, well… it leaves me with suspicions. What other shoes are yet to drop?
Realistically, we rely heavily on Microsoft operating systems and productivity tools to do our work. Those are not going away. But, increasingly, it looks like we are best served by having someone other than Microsoft put security around those things. We can’t keep on with letting Microsoft check its own homework and assuring us that everything’s fine. -- Dean Webb
Readers of our Newsletter: What’s working, what’s not, and what’s on your mind? Leave a comment below or email [email protected]. Thank you!