Merlin Labs Memo -- Week of June 13-17
Merlin Cyber
Merlin is your trusted source for best-in-class and innovative and emerging cyber solutions for the U.S. public sector.
Compliance Alone Isn’t Enough?
Founder and CEO of KnowBe4, Stu Sjouwerman, cautions organizations bent on compliance to not conflate compliance with an adequate level of risk reduction, as one doesn’t necessarily result in the other. Doing so can give organizations a false sense of security, as meeting the letter of the law may not be enough. With a large number of regulatory bodies mandating compliance with various sets of standards (e.g., GDPR, SOX, HIPAA), it is important to remember the following limitations of exclusively taking a compliance approach to cybersecurity and risk mitigation:
-- Summary of an article from Corporate Compliance Insights
Our Take: While compliance with any set of standards, even the more prescriptive and outcomes-driven controls found in NIST and FedRAMP, may not be the ONLY solution, compliance is still a very reasonable and important foundation for a cybersecurity program targeting risk reduction. Being compliant, however, should be viewed as a minimum accomplishment in the journey of risk reduction and a foundation for a robust cybersecurity program, and not the single final destination.
Compliance, therefore, needs to be incorporated into a broader cybersecurity/risk reduction program. Building a cybersecurity program that effectively mitigates risk while fully enabling business operations is a complex practice. No two organizations share identical threat/adversarial posture demographics, operational criticalities, vulnerabilities and risk profiles, breach implications, and the cybersecurity needs associated with those unique attributes. Because of that, every organization must build a program to meet their specific business/customer needs and risk profile, incorporating tenets of zero trust, identity and privileged access management, data protection, vulnerability management (scanning, continuous monitoring, patch management, etc.), and cyber hygiene management in a way that prioritizes the protection of high-value assets and critical services. Understanding the needs and risks specific to an organization, and implementing the right systems, automation, security tools/processes/procedures, and employee training programs must happen regardless of the compliance standards that govern operations. -- Sarah Hensley
Additional Reading:
Fake Removable Devices in Latest APT Discovery
The recently discovered "Aoqin Dragon" APT has been running for 10 years and uses fake removable devices to gain access to target systems. We’ve all known for many years not to put just any USB into our systems, but what do we do when a fake removable device is presented via a desktop shortcut? The answer is that many people will click on that link and launch the malware connected to it. By presenting as a removable device, the malware is able to evade normal protections and take advantage of expected operating system behavior to do its dirty work.
Our Take: We need to add one more tactic to our cybersecurity bag of tricks. Not clicking on unexpected desktop links should now be up there with not using unknown USB drives or responding to phishing emails. In this particular case, the malware was generated entirely by the attackers. When attackers don’t use commonly available malware building blocks, it’s harder for many endpoint protection systems to detect it.
The attackers also used copies of security product icons as camouflage intended to make users more likely to click on the links. This is all the more reason to adapt our cybersecurity training to being suspicious of anything unexpected happening on our systems, even if it seems like a friendly, expected act. Users need to be kept informed about what changes are coming for their systems so that they know what to click, what not to click, when a reboot is expected, and when a reboot is not. -- Dean Webb
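A shortcut that pretends to be a removable drive is still an ordinary Windows Shell Link (.lnk) file, and the fields that give the masquerade away are all readable without executing anything. The script below is an added example written for this memo, not code from the Aoqin Dragon research or from any vendor: it parses the fixed header and the StringData section of the MS-SHLLINK format, then applies a few general hunting heuristics (script host or shell as the target, payload under a user-writable directory, an icon borrowed from a different file than the target, window started minimized). The two sample shortcuts are constructed inline with the included builder, and the indicator lists are assumptions chosen for the example rather than indicators published for this campaign.

```python
"""Triage Windows .lnk shortcuts for masquerading.

Added example for the Merlin memo, not code from the Aoqin Dragon write-ups.
Parses the MS-SHLLINK header and StringData sections and applies heuristics a
hunter might run over shortcuts collected from user desktops. Sample shortcuts
are constructed inline so the script runs offline.
"""
import struct
from dataclasses import dataclass

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps a console window out of sight

# Indicator lists are assumptions for this example, not published campaign IOCs.
LOLBINS = ("cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe",
           "wscript.exe", "cscript.exe", "regsvr32.exe")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class Shortcut:
    flags: int
    show_command: int
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def _utf16(text: str) -> bytes:
    """One StringData entry: CountCharacters (u16) followed by UTF-16LE characters."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path="", working_dir="", arguments="", icon="", show=1) -> bytes:
    """Construct a minimal Shell Link (no IDList, no LinkInfo) for testing the parser."""
    flags, body = IS_UNICODE, b""
    # The spec fixes StringData order: NAME, RELATIVE_PATH, WORKING_DIR, ARGUMENTS, ICON_LOCATION.
    for flag, text in ((HAS_REL_PATH, relative_path), (HAS_WORK_DIR, working_dir),
                       (HAS_ARGS, arguments), (HAS_ICON, icon)):
        if text:
            flags |= flag
            body += _utf16(text)
    # 76-byte ShellLinkHeader: size, CLSID, flags, attributes, 3 timestamps, file size,
    # icon index, ShowCommand, hotkey, reserved fields.
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show, 0, 0, 0, 0)
    return header + body


def parse_lnk(data: bytes) -> Shortcut:
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = header_size
    if flags & HAS_ID_LIST:                      # IDListSize (u16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            text, pos = data[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
        else:
            text, pos = data[pos:pos + count].decode("cp1252"), pos + count
        return text

    sc = Shortcut(flags, show_command)
    if flags & HAS_NAME:
        read_string()  # display name; not needed by the heuristics
    if flags & HAS_REL_PATH:
        sc.relative_path = read_string()
    if flags & HAS_WORK_DIR:
        sc.working_dir = read_string()
    if flags & HAS_ARGS:
        sc.arguments = read_string()
    if flags & HAS_ICON:
        sc.icon_location = read_string()
    return sc


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_reasons(sc: Shortcut) -> list:
    """Return the heuristics a shortcut trips; two or more is worth an analyst's look."""
    reasons = []
    target = (sc.relative_path + " " + sc.arguments).lower()
    if any(b in target for b in LOLBINS):
        reasons.append("launches a script host or shell")
    if any(d in target for d in USER_WRITABLE):
        reasons.append("runs something from a user-writable directory")
    icon_file = _basename(sc.icon_location.split(",")[0])
    if icon_file and icon_file != _basename(sc.relative_path):
        reasons.append(f"icon borrowed from {icon_file} rather than from the target")
    if sc.show_command == SW_SHOWMINNOACTIVE:
        reasons.append("window starts minimized, hiding a console")
    return reasons


# Constructed samples: an ordinary application shortcut, and a "drive" lookalike
# that really runs cmd.exe against a payload dropped in a world-writable folder.
BENIGN = build_lnk(relative_path="..\\..\\Program Files\\Acme\\acme.exe")
LOOKALIKE = build_lnk(relative_path="..\\..\\Windows\\System32\\cmd.exe",
                      arguments='/c "C:\\Users\\Public\\Libraries\\setup.exe"',
                      icon="C:\\Windows\\System32\\imageres.dll,27",
                      show=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("lookalike", LOOKALIKE)):
        print(label, suspicious_reasons(parse_lnk(blob)))
```

Run against real files by replacing the constructed blobs with `open(path, "rb").read()` for each .lnk under users' Desktop folders; the parser deliberately skips the IDList and LinkInfo blocks rather than decoding them, so a shortcut whose only target lives in the IDList (no RelativePath or Arguments) will show an empty target and should be treated as "unknown", not "clean".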
Original Sources:
SaaS Mesh and Supply-Chain Risk Management
The Log4j issues have put supply-chain risk management (SCRM) concerns in the spotlight. We want to know what modules are in our software, under the hood so to speak, so that we can know where we’re vulnerable when a problem is announced. But what do we do for visibility when our software is in a SaaS mesh?
A SaaS mesh happens when one SaaS application connects with one or more other SaaS applications as part of its workings. The MFA process used to gain access to your SaaS – who provided that? The mechanism that automatically alerts you in a SaaS messaging app when another SaaS tool completes a task – what’s the SaaS module used to provide that functionality? And so on. Will customer data be exposed as it passes through the SaaS mesh?
Our Take: As SaaS application usage multiplies, we need to be aware of what privileges they are granted and what they can do. We need to be able to clean up SaaS applications that are no longer being used but still have dormant access rights. Low-code/no-code development platforms typically aren’t under the supervision of internal security teams; do we know if their inexpert users are handling data in them appropriately?
Necessity being the mother of invention, we are seeing SaaS mesh visibility vendors enter the cybersecurity spectrum of toolmakers. The solution may not be something that the customer organization has to handle in its entirety but instead is something more often on the provider’s side of the shared responsibility model. Even so, as the cloud grows and matures, this is a space we need to keep our eyes on. -- Dean Webb
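Whatever tooling ends up watching the SaaS mesh, the basic review is the same: list every third-party grant, work out which scopes matter, and act on the ones that are dormant or over-privileged. The script below is an added example for this memo, not code from the memo's authors or from any SaaS or visibility vendor. It takes a grant inventory in the shape an admin-console export might have (the field names and the sample records are constructed for the example), tiers scopes by a keyword list that is likewise an assumption to be replaced with the provider's real scope names, and returns a review queue.

```python
"""Review third-party SaaS OAuth grants for dormant or high-risk access.

Added example for the Merlin memo; not code from the memo's authors or any vendor.
Grant records and the scope keyword list are constructed assumptions for the
example; map them onto your provider's export format and scope names.
"""
from datetime import date, timedelta

# Keywords that mark a scope as high risk (assumption for this example).
HIGH_RISK_MARKERS = ("admin", "write", "delete", "send", "files.all", "mail.read")
DORMANT_AFTER = timedelta(days=90)

GRANTS = [  # constructed sample export of app-to-app grants
    {"app": "Acme Alerts", "scopes": ["chat.post", "channels.read"],
     "last_used": "2022-06-10", "granted_by": "ops@example.com"},
    {"app": "Old Ticket Sync", "scopes": ["mail.read", "files.all"],
     "last_used": "2021-11-02", "granted_by": "jdoe@example.com"},
    {"app": "Citizen Dev Form", "scopes": ["directory.read", "sheets.write"],
     "last_used": "2022-06-14", "granted_by": "pat@example.com"},
    {"app": "Status Widget", "scopes": ["status.read"],
     "last_used": "2022-02-01", "granted_by": "ops@example.com"},
]


def scope_risk(scope: str) -> str:
    """Tier a single scope: 'high' if any risk keyword appears in its name."""
    return "high" if any(m in scope.lower() for m in HIGH_RISK_MARKERS) else "low"


def review(grants, today: date, dormant_after: timedelta = DORMANT_AFTER) -> list:
    """Return (app, action, reason) triples.

    Dormant grants are queued for revocation regardless of scope, since unused
    access is pure exposure; active grants with high-risk scopes are queued for
    an owner review; everything else is left alone.
    """
    findings = []
    for g in grants:
        idle = today - date.fromisoformat(g["last_used"])
        high = [s for s in g["scopes"] if scope_risk(s) == "high"]
        if idle > dormant_after:
            findings.append((g["app"], "revoke",
                             f"unused for {idle.days} days, still holds {g['scopes']} "
                             f"(granted by {g['granted_by']})"))
        elif high:
            findings.append((g["app"], "review",
                             f"in use but holds high-risk scopes {high} "
                             f"(granted by {g['granted_by']})"))
    # Dormant grants with high-risk scopes go to the top of the queue.
    findings.sort(key=lambda f: (f[1] != "revoke", "high-risk" in f[2]))
    return findings


if __name__ == "__main__":
    for app, action, reason in review(GRANTS, date(2022, 6, 17)):
        print(f"{action:6} {app}: {reason}")
```

The 90-day threshold and the keyword tiers are starting points; the useful part is the discipline of feeding every grant through the same rule and producing an owner-attributed queue, which is what makes it possible to revoke the "Old Ticket Sync" kind of access that nobody remembers creating.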
Original Sources:
What is the Best Way to Combat Ransomware?
"... threat actors ... are sometimes choosing targets based on political motives rather than just financial gains. ... some attacks are more destructive than disruptive, involving deleting or damaging backups. This destroys Plan B and makes it harder for a compromised target to get back up and running. ... Organizations' leaders must recognize that ransomware is a business risk, not simply a cybersecurity problem, and they should take the right steps in the right order to handle any crisis." -- Via Dark Reading
Our Take: Ransomware tactics and techniques used by malicious attackers are continually evolving. The statistics show that no organization is immune from attack and this threat is not going away. What can organizations do? When it comes to combating ransomware, prevention and response are the keys.
Prevention
There are numerous resources available to help you identify, prevent, and mitigate a ransomware attack. Start with the Cybersecurity and Infrastructure Security Agency (CISA) Ransomware Guide. The guide provides extensive information on ransomware prevention and best practices, including details about the most common attack vectors, a ransomware response checklist, and access to no-cost resources that CISA provides. A great source of local threat intel is your own environment, and there are plenty of useful open-source threat intelligence tools available.
Response
Organizations would be wise to consider the business ramifications of a ransomware attack and prepare to respond as if it were any other business disruption or crisis. The organization should understand the processes and dependencies that will impact them. Consider the highest-priority assets, the stakeholders impacted, customers, the supply chain, reporting and regulatory requirements, and so on. Creating an effective crisis communications plan that considers both the technical and business issues and is implemented quickly is key to limiting the impact of the attack.
CISA's guide recommends joining an information-sharing organization and further engaging with CISA to enable your organization to receive critical information and access to services to better manage the risk posed by ransomware and other cyber threats. -- Joe DiMarcantonio
Additional Reading:
We Ain't Got the People
"... the cybersecurity industry is struggling with an ongoing job crisis, lacking skilled workers to fill vacancies – with an estimated 2.7 million jobs unfilled, according to the (ISC)2 Cybersecurity Workforce Study." -- Via Forbes
Our Take: It’s a real problem. Over the last couple of weeks, my team and I have been to conferences and industry days for both private and government agencies and heard the recurring theme of a lack of skilled or trained cybersecurity practitioners. We’ve all been there and have experienced the struggle of finding people to fill the roles, while those who are employed are overworked and under extreme stress.
But what can we actually do about it? As an industry we need to:
Additional Reading:
Readers: What would you like to read about in future editions? We started this weekly memo as a simple way to share 3-5 bits of news and/or ideas, along with our professional opinions. What’s working, what’s not, and what’s on your mind? Let us know by leaving a comment below or sending a note to [email protected].