Merlin Labs Memo -- Week of March 13-17
Merlin Cyber
Merlin is your trusted source for best-in-class and innovative and emerging cyber solutions for the U.S. public sector.
TSA unveils emergency cybersecurity requirements for airlines, airports
The Transportation Security Administration will require agency-regulated airlines and airports to step up their ability to withstand malicious attacks, according to a cybersecurity amendment released Tuesday.
The move comes shortly after the Biden administration announced its national cybersecurity strategy and months after similar requirements were unveiled for passenger and freight rail carriers.
Regulated airlines and airports are required to develop an approved implementation plan that includes the following steps:
-- Via Cybersecurity Drive
Our Take: This is a new cyber amendment to the security programs of TSA-regulated airport and aircraft operators, and it comes on the tail of the Biden-Harris administration's national cyber strategy. While none of these measures are groundbreaking, they do represent industry standard best practices, although the fact that these steps may not already be in place is a concern. While more detail would be appreciated (e.g., the timeline for providing the implementation plans), the announcement constitutes "an emergency action," and is a proactive step that goes into effect immediately. This announcement is comparable to the Oct. 2022 requirements announced by TSA for passenger and freight rail carriers.
Given the breadth of TSA's responsibilities, proactive steps like this are needed, and especially welcomed by the security industry. According to TSA's own factsheet, its scope includes commercial and general aviation; mass transit systems; freight and passenger rail; highways, pipelines and ports.
Tom Kellermann, senior vice president of cyber strategy at Contrast Security, noted that the guidelines are timely, and that TSA's "emergency" designation could be well warranted. "It's good that the TSA is codifying these requirements," says Mike Parkin, senior technical engineer at Vulcan Cyber, "though it remains to be seen how it will affect airline passengers." These announcements, including the national cyber strategy, are much needed steps and we will monitor their progress and effectiveness. Time will tell if these measures help us achieve the desired security outcomes. -- Joe DiMarcantonio, PMP
Oops, Wrong File Path, or How I Learned to Stop Worrying and Love the Default Install Directory
CISA released a report on 15 March about how a vulnerability in Telerik UI for ASP.NET was used to compromise a federal civilian executive branch (FCEB) agency. This happened in spite of the agency having a vulnerability scanner searching for the very software used by the attackers. The reason the software evaded scanning? It was not installed in a scanned file path.
Our Take: I admit, my first take was a facepalm. Most of the CISA report deals with the damage done after the breach. But the fact remains that there would have been no breach if someone hadn't gotten cute with installation directories and the scanner had found the vulnerable software in time.
Not all the blame falls on the directory with the bad code. The software in question was installed via continuous integration/continuous delivery (CI/CD), and most vulnerability scanners work best with packages installed via Windows Installer. The report goes on to caution about phishing, encourage segmentation and the use of MFA, and so on, but these are the novel elements that I see here. The installation path and installation method absolutely matter when it comes to vulnerability scanning.
So what could have helped here? First, knowledge of the software bill of materials would have given us justification to search all devices in all locations for the file in question. Second, raw scanning tools such as those found on endpoint protection or network access control solutions would have free rein to key on the file in question and locate it, so long as it was on a drive the endpoint agent was allowed to scan. Maybe we'd still be in a bad place if the file was installed on something like the P:\ drive and nobody knew about it, but that goes back to the notion of using standardized locations for software installations.
Much as we want to use our imaginations when carrying out IT tasks, security asks us that we standardize and think inside the box when we build out our systems. – Dean Webb
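As an added illustration (not code from the CISA report, the agency, or Merlin), the contrast between a scanner that only checks the expected install directory and an SBOM-driven hunt that matches the component's file name on every root, then hashes what it finds. The DLL name, the directories and the file contents are constructed assumptions for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumptions for this demo, not values from the CISA report: the component's
# file name, an expected install directory, and the constructed file contents.
COMPONENT_FILE = "Telerik.Web.UI.dll"
EXPECTED_DIR = Path("Program Files") / "Telerik"      # where an installer would put it
CUSTOM_DIR = Path("inetpub") / "custom_app" / "bin"   # where a CI/CD job dropped a copy

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_expected_paths(root: Path) -> list[Path]:
    """Installer-style check: looks only where a packaged install would live."""
    target = root / EXPECTED_DIR
    return sorted(target.rglob(COMPONENT_FILE)) if target.is_dir() else []

def hunt_everywhere(roots: list[Path]) -> list[Path]:
    """SBOM-driven hunt: walk every root and match on the file name alone."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            hits += [Path(dirpath) / f for f in files if f.lower() == COMPONENT_FILE.lower()]
    return sorted(hits)

def triage(paths: list[Path], approved_hashes: set[str]) -> dict[str, str]:
    """A copy with the component's name but an unknown hash needs a version check."""
    return {str(p): "approved" if sha256_of(p) in approved_hashes else "REVIEW" for p in paths}

def build_demo_tree() -> tuple[Path, set[str]]:
    """Constructed filesystem: one packaged copy plus one dropped by a pipeline."""
    root = Path(tempfile.mkdtemp())
    for sub, content in ((EXPECTED_DIR, b"current build"), (CUSTOM_DIR, b"stale build")):
        (root / sub).mkdir(parents=True)
        (root / sub / COMPONENT_FILE).write_bytes(content)
    return root, {hashlib.sha256(b"current build").hexdigest()}

if __name__ == "__main__":
    demo_root, approved = build_demo_tree()
    print("installer-path scan found:", scan_expected_paths(demo_root))
    print("filesystem hunt verdicts:", triage(hunt_everywhere([demo_root]), approved))
```

On a real host the roots would be every mounted drive the agent is permitted to read, and the approved hash set would come from the SBOM entry for the deployed build.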
AI-generated YouTube Videos Spread Infostealer Malware
A new and unsettling trend in the malware ecosystem, perpetuated by malicious actors called "traffers", involves the use of AI-generated videos that entice victims to click malware-infected links. Traffers are information-stealing threat actors whose main objective is to spread malware. Leveraging "faked" how-to types of videos on platforms such as YouTube, the traffers are able to spread many types of stealer malware. Stealer malware gathers system information such as usernames and passwords by inserting links into videos that promise access to content and applications like Photoshop and AutoCAD for free – applications that normally come with expensive licensing price tags. In addition, the threat actors use social engineering techniques and exploit previous data leaks to "hijack legitimate YouTube accounts and push malware, often targeting popular accounts to reach a large audience in a short span of time." – Via: The Hacker News
Our Take: Once again we are reminded that at the end of the day, one of the greatest threats to maintaining a pristine cybersecurity posture is naive or negligent user behavior. No matter how many technical controls are in place, it's next to impossible to protect against threat actors who skillfully prey on and leverage human emotions, needs or temptations. And while socially-engineered hacker efforts in the past were more readily recognizable in things like ads and emails with poor grammar, low-quality images and suspicious messages – the skills of those actors have evolved and matured, as have the technologies at their fingertips. In this case, threat actors are being assisted by AI, which has become alarmingly effective at imitating human behavior and generating seemingly legitimate content. AI-driven tech like ChatGPT and deepfakes have made it very difficult to discern legitimate and trustworthy content from machine-generated untrustworthy content. Cybersecurity leaders are pressed to stay ahead of this curve and must continuously improve the breadth and depth of security and awareness training for system users. For starters, users must be reminded over and over that if something is too good to be true, it is likely a scam. Implementing multi-factor authentication and principles of least privilege as a part of a broader zero trust approach to cybersecurity are also critical steps, but can only do so much to protect us from ourselves. – Sarah Hensley
Death Stars and Droids: Zero Trust Network Access and Appliances in the Middle
Back in 2011, Lt. Col. Dan Ward, USAF, wrote an important paper on the difference between massive Death Stars and smaller, mission-specific droids and X-Wings. The précis of his argument was that the Death Star in its various incarnations was next to impossible to get together and suffered from catastrophic failures whenever a vulnerability was inevitably found and exploited. Meanwhile, less expensive droids and X-Wings got the job done for the Rebel Alliance. They were examples of simpler, more reliable, incremental tools that delivered value, time and again. Ward's lesson was that Yoda was right: "size matters not." Go for simpler systems with finesse instead of complicated solutions that, in the end, are just an example of brute force through scale.
Now, in 2023, we have Zero Trust Network Access (ZTNA), which asks us to encrypt all our traffic as we communicate with endpoints far and wide, on the home network and in the cloud. What do we make of solutions that need to see every packet and decrypt every communication in order to function? We're faced with a hard choice. Do we preserve legacy architectures so that all the traffic passes through an appliance in the middle, or do we adapt to the new landscape and rely on decentralized security tools?
Our Take: While an easy answer could be to drop the legacy wholeheartedly, we can't dive right into that. What about requirements in both public and private regulatory frameworks that require packet capture, retention, and inspection? The regulations often require Death Star-like constructs in order to be compliant. Is this an all-or-nothing situation?
It doesn’t have to be. The IT equivalent of a droid is the desktop agent. Yes, I hear the Desktop OS Team’s complaints that tracking agent installation is a perennial pain and when the agent steps on custom code the typical reaction is to disable the agent instead of fixing the code, but they’re the best things we have for tracking activity on individual devices. And, when we look at the situation with honesty, we see that most of what we can control and need to control is on the individual laptop or desktop. Agentless solutions are nice for periodic checks, but we need agents for around-the-clock monitoring of our user endpoints. These are the droids you’re looking for, with apologies to old Ben Kenobi. – Dean Webb
Readers of our Newsletter: What's working, what's not, and what's on your mind? Leave a comment below or email [email protected]. Thank you!