Merlin Labs Memo -- Week of July 18-22

C-Suite Cyber Hygiene: Risk of Personal At-Home IoT Devices

“Proliferation of IoT devices means not only are leaders’ email accounts targets for hackers, but so are their home security cameras. Experts warn that the modern attack surface has expanded, and board members’ homes are now the soft underbelly of enterprise security. Ignorance or negligence relating to securing today’s connected homes is creating substantial risk for board members with access to and influence over company finances, confidential information and proprietary data.”

A recent study from BlackCloak delved into the need for digital executive protection based on many data points about those executives, including the following:

  • 99% of execs have personal information being shared on multiple websites.
  • 70% of exec profiles contain personal social media information and photos.
  • 40% of online data brokers had IP addresses of executives’ home networks.
  • 27% of personal devices contain malware.
  • 76% of personal devices are actively leaking data.
  • 87% of personal devices have no security installed.
  • Only 8% have MFA enabled on most apps/devices.
  • 87% have passwords currently leaked on the dark web.
  • 54% have poor password hygiene.

-- Via: Corporate Compliance Insights

Our Take: The last few years have given us some amazing technological advances, allowing us to manage everything from our thermostats to sprinkler systems to personal surveillance systems from anywhere. We can answer the doorbell when we’re 1000 miles from home, see who’s there, and hold a conversation – telling the delivery girl to tuck the package behind the pot of geraniums. This explosion of smart devices has blanketed our world with a pervasive mesh of connectedness. At the same time, enterprises are stepping up their cybersecurity and cyber-hygiene games, making it more difficult for attackers to successfully exploit corporate networks. I just discussed last week the growing successes of good cyber hygiene practices, including continuous vulnerability testing and patching, in the prevention of in-the-wild, zero-day attacks. It was a glass half full story of attacks that never were.

Enter stage left this article, shifting the light from the shrinking number of vulnerabilities left exposed in corporate networks to the blossoming landscape of vulnerabilities sprouting up across home networks and personal devices. Bottom line, highly insecure home systems and IoT devices have emerged as today’s low hanging fruit, especially when those systems and devices are owned by C-suite executives and leaders with known organizational ties. Those home systems and personal devices are significantly easier to breach than corporate devices and systems, and still provide an opportunity-rich environment for hackers to begin their lateral journey toward an organization’s crown jewels and high value digital assets. Once a home network is breached, attackers are able to intercept and reroute traffic, gaining access to personal and work devices – including data, files, and applications.

It’s time for cybersecurity experts and solutioners to ramp up their efforts on the broader cybersecurity landscape and cyber-hygiene solutions. IT departments and organizations must start identifying, building, and offering solutions that fully cover IoT and home smart devices for executives (and other employees as well), and figuring out how to improve the overall health of our holistic cybersecurity posture. As the digital, highly-connected nature of everyday gadgets supporting activities of daily living has evolved, it is simply no longer effective to view the traditional worlds of physical security, cybersecurity, corporate devices/networks, and personal devices/networks as completely separate, disconnected entities. -- Sarah Hensley

Additional Reading:

Attacking the Air-Gapped Device

Cybersecurity researcher Dr. Mordechai Guri of Ben Gurion University of the Negev in Israel has added another method of attacking air-gapped devices to his already lengthy list: Serial ATA or SATA cables can send electromagnetic signals to devices about a meter away. While this and other air-gap attacks are not easy to pull off, they are nevertheless possible when attackers are able to gain entrance to a facility or introduce their gear through compromised peripherals.

Our Take: Two major pieces to consider here. First is supply chain security and the second is technology needed to detect attacker devices on the other side of the air gap. Both are addressed with solutions like Sepio*, a product that will check networks and peripherals for electromagnetic activity by comparing devices to known electromagnetic profiles. These variances cannot be detected on a network or application level, so we need tools like Sepio that make a closer examination on the physical level. -- Dean Webb

*Sepio is a portfolio investment of Merlin Ventures

Additional Reading:

OT Engineers are getting SALTed

“Industrial engineers and operators are the target of a new campaign that leverages password cracking software to seize control of Programmable Logic Controllers (PLCs) and co-opt the machines to a botnet.” -- Via: The Hacker News

Our Take: All that is free….ain't.

To our minds there are two really interesting events occurring here. Each takes advantage of a vulnerability -- it's just that one of them happens to be the engineers themselves.

First: the device password can be retrieved via a vulnerability. In this case the firmware is vulnerable to direct COM commands that reveal a configured password. While bad, it's rapidly fixable and is being approached in a responsible manner by the vendor.

Second: the device vulnerability is taking advantage of the needs of an organization to retrieve passwords from hardware after an employee leaves or hardware has been recycled through resale. The password itself is in the device and needs to be retrieved. It has to be done, even though it's risky… and Google finds me the tool. Alas… it also infects my environment and wrecks the day. The vulnerability here is simple -- the engineer and the need.

The need of the OT environment to have managed secrets either vaulted or proxied is undeniable. The need of an OT environment to be able to leverage an Identity solution to provide password rotation, storage and even MFA for OT and IoT systems has certainly arrived. Yes, it is another step. Yes, it requires thought and design, but it's very doable, and modern solutions can meet the OT needs without introducing unnecessary risk. -- Jeremy Newberry

Additional Reading:

Readers of our Newsletter: What’s working, what’s not, and what’s on your mind? Leave a comment below or email [email protected]. Thank you!