Merlin Labs Memo -- Week of May 29-June 2
Government Agencies Aren’t Maintaining FedRAMP Standards for Authorized Vendors
The Government Accountability Office (GAO) recently completed an audit across 4 large government agencies (Treasury, Labor, Homeland Security and Agriculture) and fifteen FedRAMP (Federal Risk and Authorization Management Program) authorized systems in use across those agencies. The audit revealed that only 4 of the 15 systems were fully in compliance with the FedRAMP program’s requirements. The findings also showed deficiencies related to both the implementation and continuous monitoring requirements around the FedRAMP controls baseline. -- Via: FedScoop
Our Take: Cybersecurity is a hot topic. Damage and losses caused by a lack of adequate cybersecurity are an even hotter topic, with the average cost of a data breach exceeding the $4 million mark according to a study by IBM and the Ponemon Institute. In response to these disruptive trends, government regulatory agencies such as NIST and OMB have invested considerable effort into defining baseline standards and issuing prescriptive guidance to help organizations mitigate the associated risks. FedRAMP is one resulting program and aims to mitigate risk associated with the government’s use of cloud solutions by requiring those solutions to meet the high standards of FedRAMP’s cybersecurity control baselines. In December 2022 the White House passed the FedRAMP Authorization Act, codifying the program into law. One of the tenets of the law is that a FedRAMP authorization means a “presumption of adequacy,” thereby allowing authorized cloud solutions to be used by any federal agency without further validation or assessment. This audit shines a cautionary spotlight on the concept of presumption and tells us there is a lot more work to do related to program improvement, as well as in our collective fight against threat actors and cyber criminals. The takeaway here is twofold. First, cybersecurity controls standards are only effective if they are expertly implemented and diligently adhered to. Second, maintaining a cybersecurity posture that consistently meets said standards requires a focused and ongoing commitment. It’s not a one-and-done type of effort. It’s not easy. It’s a continuous learning journey for all involved. Finally, it’s not the time to point fingers; rather, it’s the time to learn from this audit and make the changes necessary to do better tomorrow than we did yesterday. -- Sarah Hensley, MS-SLP
Additional Reading:
Let’s Talk Supply Chain – Gigabyte Boards Are Now Your Vector of Choice
Motherboards are providing the entry point into an organization’s infrastructure. Gigabyte motherboards are the latest to be actively exploited via their management utility for UEFI BIOS updates.
Cybersecurity firm Eclypsium discovered
There are mixed reports of active exploitation of the UEFI update process; however, Gigabyte was breached in 2021 and 2022, and their UEFI update via App Center has minimal security applied to it. -- Via: Eclypsium
Our Take: While it’s Gigabyte’s turn to be the target of the day, the difficulty of updating a system’s motherboard has been around for years. In 2022 it was AMI motherboards within BMC servers, and there have been others over the last few years. The issue stems from the innate difficulty in updating the motherboard for a system’s BIOS. Doing so requires extensive permissions for the updating software at the system level, direct machine-level access, and administrative rights at the OS level for the BIOS updater to accommodate the needs. This creates a security hole within the system that, if not locked down properly, leaves the consumer open to an attack. The problem for the manufacturers is that the BIOS utilities that are used must be usable by a normal consumer as well as expert IT support teams. Thus the lowest common denominator of simplicity for the tools.
If breached, ridding an environment of the UEFI infection is a long term task and will usually require direct access to the infected system.
How to Mitigate at the Enterprise level?
Is this a moment for panic? No, it is not; however, it is a powerful argument for supply chain monitoring to know whether potential systems are within your environment and whether you are vulnerable to these types of attacks. As the industry moves forward we should see a greater need for supply chain monitoring and mitigation. -- Jeremy Newberry
Additional Reading:
Return to a Spotlight on OT – Russia Focuses on the Energy Sector from Industroyer to CosmicEnergy
“CosmicEnergy was created to target a communication protocol commonly used in the electric power industry in Europe, the Middle East, and Asia. This protocol facilitates the exchange of data between control centers and various devices, including remote terminal units (RTUs), that are essential for operating and controlling electric transmission and distribution systems.” -- Via: The Record
“The malware specifically targets IEC-104-compliant remote terminal units (RTUs) commonly used in electric transmission and distribution operations across Europe, the Middle East, and Asia.” -- Via: Bleeping Computer
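Both reports above name IEC 60870-5-104 (IEC-104) as the protocol the RTUs speak, so a defender watching the control network can decode that traffic and alert on commands that do not come from the legitimate control center. The following is an added example, not code from either article or from the malware analyses; the host addresses, the allow list and the captured frames are all constructed for illustration.

```python
# Added example: IEC 60870-5-104 APDU parser plus a rule that flags control-direction
# commands (ASDU types an RTU acts on) from hosts outside the allow list. Frames are constructed.
from dataclasses import dataclass
from typing import Optional

# Control-direction ASDU types (IEC 60870-5-101/104): 45 = C_SC_NA_1 single command,
# 46 = C_DC_NA_1 double command; 45..51 and 58..64 are process commands an RTU executes.
CONTROL_TYPES = set(range(45, 52)) | set(range(58, 65))

@dataclass
class Apdu:
    fmt: str                          # "I" (data), "S" (ack) or "U" (control)
    type_id: Optional[int] = None     # ASDU type identifier, I-frames only
    cot: Optional[int] = None         # cause of transmission (6 = activation)
    common_addr: Optional[int] = None
    ioa: Optional[int] = None         # first information object address

def parse_apdu(raw: bytes) -> Apdu:
    """Decode the 6-byte APCI and, for I-format frames, the ASDU header."""
    if len(raw) < 6 or raw[0] != 0x68 or raw[1] != len(raw) - 2:
        raise ValueError("not a well-formed IEC-104 APDU")
    cf1 = raw[2]
    if cf1 & 0x01:                    # bit 0 set: S- or U-format, no ASDU
        return Apdu("S" if cf1 & 0x03 == 0x01 else "U")
    asdu = raw[6:]
    if len(asdu) < 9:                 # type, VSQ, COT(2), CA(2), IOA(3)
        raise ValueError("I-frame with truncated ASDU")
    cot = asdu[2] & 0x3F              # low 6 bits; bit 6 = P/N, bit 7 = test
    common_addr = int.from_bytes(asdu[4:6], "little")
    ioa = int.from_bytes(asdu[6:9], "little")
    return Apdu("I", asdu[0], cot, common_addr, ioa)

def flag_rogue_commands(frames, allowed_sources):
    """One alert per control-direction ASDU from a host outside the allow list."""
    alerts = []
    for src, raw in frames:
        a = parse_apdu(raw)
        if a.fmt == "I" and a.type_id in CONTROL_TYPES and src not in allowed_sources:
            alerts.append(f"{src}: type={a.type_id} cot={a.cot} CA={a.common_addr} IOA={a.ioa}")
    return alerts

# Constructed sample traffic (not a real capture): STARTDT from the SCADA host,
# a spontaneous single-point report from the RTU, then the same single command
# (C_SC_NA_1, ON, IOA 10000) from the SCADA host and from an unknown host.
SAMPLE = [
    ("10.0.0.5", bytes.fromhex("680407000000")),
    ("10.0.0.9", bytes.fromhex("680e00000000" "010103000100" "010000" "01")),
    ("10.0.0.5", bytes.fromhex("680e02000000" "2d0106000100" "102700" "01")),
    ("10.0.0.77", bytes.fromhex("680e02000000" "2d0106000100" "102700" "01")),
]
```

Calling `flag_rogue_commands(SAMPLE, {"10.0.0.5"})` returns a single alert for the command from 10.0.0.77; in a real deployment the frames would come from a TCP/2404 capture and the allow list from the site’s asset inventory.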
Our Take: For cyber defenders, Ukraine continues to be the proving ground for new attack methods and vectors targeting the energy sector. While this case is specifically attributed to Russia, they are not the only aggressor that targets OT infrastructure.
Ramifications: The use of COSMICENERGY and Industroyer malware strains poses a serious threat to critical infrastructure. These malware strains are capable of causing widespread damage to power grids, water systems, and other critical systems.
What can be done to mitigate the risk? There are a number of things that can be done to mitigate the risk of attack by COSMICENERGY or Industroyer malware strains. These include:
Additional Reading:
Readers of our Newsletter: What’s working, what’s not, and what’s on your mind? Leave a comment below or email [email protected]. Thank you!