Merlin Labs Memo -- Week of October 10 - 14


Identity Swapping in Job Interviews

When we say that identity is an important pillar in cybersecurity, we need to extend that concept to the hiring process. With remote interviewing and remote work now firmly established as common practices, we now see an increase in the number of fraudulent interviews. The scam goes beyond a person lying on a resume. We now see incidents where the person doing the interview is not the person who will do the actual work. A recent high-profile case saw a person in Australia use a photo of model Kate Upton on her social media to land a job as a CIO with a government department. She also gave reference information that would reach back to her or her brother to provide herself with glowing references. After she got the role, she hired her brother as a contractor to actually do the work.

In another case, reported by one Connor Tumbleson, a firm scraped his personal information from social media sites and provided it to a native English-speaker to pretend to be him in job interviews. The firm’s representative explicitly stated that the interviewee was claiming to be someone he was not and would act as that person in all meetings, sending back any information on projects and work to be done to the firm, which would then farm out the work to low-cost programmers in the firm’s home country. The only way Tumbleson found out about the scam was that the person approached to impersonate him refused and contacted Tumbleson with information about the operation.

While the Australian case from 2017 involved two related individuals, the recent one involving Connor Tumbleson saw a firm using an assembly line-like approach to the scam, with coordination for multiple interviews being handled via a Slack channel. Persons were being told to do around 5 interviews per day with their fraudulent identities, and then to accept any offers of employment but to do no actual work: they were needed to act as go-betweens with the firms and the programmers in another country. There’s an industry built to scam employers and we have to be aware of how it operates.

Our take: What can we do? Even if we bring back in-person interviews, we can still see people representing themselves as someone they are not. Searching LinkedIn for different people with the same name isn’t conclusive. If you look, there’s another Dean Webb who’s a programmer in Atlanta and who’s a friend of mine on LinkedIn. But there is a key difference between the Dean Webbs of the world: we don’t have the same resume, and that’s where we look to find the fraud.

When I was a teacher, I learned how to find fraud in papers submitted to me. Students would change words here and there to try and defeat web search discovery of what they had copied, but I knew to check for broad matches. When a resume submitted has a high degree of common elements with a resume belonging to a different person, or another person with the same name, suspect fraud and take protective action. Check the social media for supplied references – are they richly developed, like with real people, or are they too-sparse fake accounts? Finally, do a credit and background check on the candidate prior to a final interview where the candidate has to provide answers to questions that aren’t gleanable from what’s on social media pages.

Hiring process, meet zero-trust security. – Dean Webb
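The "broad match" check described above can be automated. The following is an added example, not code from the memo or from Merlin Labs: it scores a submitted resume against resumes an employer already holds using two overlap measures, distinct-vocabulary Jaccard similarity (tolerant of the scattered word swaps a copier makes) and 3-word shingle Jaccard similarity (which catches verbatim runs). All resumes, names and thresholds are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample resumes (not real people). The "known" set stands in for
# resumes the employer has already seen or that belong to other candidates.
KNOWN_RESUMES: Dict[str, str] = {
    "A. Example": (
        "Senior Software Engineer with eight years building distributed systems in Go "
        "and Python. Led migration of payment services to Kubernetes, reducing deployment "
        "time by 60 percent. Designed event-driven architecture on Kafka handling two "
        "million messages per day. Mentored four junior engineers and ran the on-call "
        "rotation for the platform team."
    ),
    "P. Doe (nurse)": (
        "Registered nurse with ten years of experience in emergency departments. Trained "
        "new staff on triage protocols and managed medication inventory."
    ),
}

# Constructed candidate resume submitted under another name, with a few words swapped
# ("Developer" for "Engineer", "billing" for "payment", "cutting" for "reducing").
CANDIDATE_RESUME = (
    "Senior Software Developer with eight years building distributed systems in Go "
    "and Python. Led migration of billing services to Kubernetes, cutting deployment "
    "time by 60 percent. Designed event-driven architecture on Kafka handling two "
    "million messages per day. Mentored four junior engineers and ran the on-call "
    "rotation for the platform team."
)


def tokens(text: str) -> List[str]:
    """Lowercase word tokens; punctuation and capitalisation differences are ignored."""
    return re.findall(r"[a-z0-9]+", text.lower())


def jaccard(a: set, b: set) -> float:
    """Jaccard similarity |a & b| / |a | b|; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(text_a: str, text_b: str, k: int = 3) -> Dict[str, float]:
    """Two broad-match scores between resumes:
    - word_jaccard: overlap of distinct vocabulary, robust to scattered word swaps;
    - shingle_jaccard: overlap of k-word runs, which flags verbatim copied passages.
    """
    ta, tb = tokens(text_a), tokens(text_b)
    shingles_a = {tuple(ta[i:i + k]) for i in range(len(ta) - k + 1)}
    shingles_b = {tuple(tb[i:i + k]) for i in range(len(tb) - k + 1)}
    return {
        "word_jaccard": jaccard(set(ta), set(tb)),
        "shingle_jaccard": jaccard(shingles_a, shingles_b),
    }


def screen_resume(candidate: str, known: Dict[str, str],
                  word_threshold: float = 0.7,
                  shingle_threshold: float = 0.4) -> List[dict]:
    """Return the known resumes that the candidate's text substantially duplicates.
    Thresholds are assumed starting points; tune them on your own applicant pool."""
    hits = []
    for owner, text in known.items():
        scores = similarity(candidate, text)
        if (scores["word_jaccard"] >= word_threshold
                or scores["shingle_jaccard"] >= shingle_threshold):
            hits.append({"matches": owner, **scores})
    return hits


if __name__ == "__main__":
    for hit in screen_resume(CANDIDATE_RESUME, KNOWN_RESUMES):
        print(f"possible copied resume: matches '{hit['matches']}' "
              f"(vocabulary {hit['word_jaccard']:.2f}, 3-word runs {hit['shingle_jaccard']:.2f})")
```

A hit is a reason to ask follow-up questions in a live interview, not a verdict on its own; the word-level score is what survives the "change a word here and there" tactic, while the shingle score shows how much was lifted verbatim.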

Additional Reading:


Security Execs – Integrity in Disclosure of Breaches Matters

Uber’s former Chief Security Officer (CSO), Joe Sullivan, was convicted this week of “actively hiding a data breach from the US Federal Trade Commission (FTC) and concealing a felony” for a breach that happened in 2016. This type of criminal consequence related to an executive’s handling of a hack has not been the norm to date, but this case could change that legal precedent. “The case has reverberated through the security and tech worlds because it is seemingly the first time that an individual executive has faced criminal prosecution for charges related to a data breach against the executive's company.” To summarize the event and the CSO’s response: when informed in 2016 that an attack had occurred exposing personal information of roughly 57 million users (and in spite of Uber already working with the FTC on analyzing a 2014 breach), Sullivan chose not to disclose the new attack to the FTC. Instead, when the hackers threatened to publish the stolen data, Sullivan covered up the breach, paid the hackers $100,000 under the guise of Uber’s bug bounty program, and had the hackers sign an NDA and delete the stolen data. –Via: Wired

Our Take: It’s a tough world for cybersecurity executives, who are increasingly and continuously finding themselves caught in the crosshairs of regulatory compliance, risk management, cybersecurity program management, incident management, and damage control when the inevitable happens and a breach occurs. No CISO or CSO wants their organization headlining the 10:00 news as the latest to be hit by hackers. That said, NO SYSTEM is 100% hack proof, and NO ORGANIZATION is completely safe from the potential damage caused by adversaries whose sole objective is to subvert all controls and protections that have been implemented. Lessons to be learned from this story include:

  • The importance of preventative cyber hygiene;
  • Diligence and maturity in cybersecurity program operations; and
  • Integrity in incident response.

Embracing a zero-trust cybersecurity model and making sure your organization has adequate and comprehensive instrumentation will help ensure that your systems are not positioned as low-hanging fruit for hackers, and hopefully prevent repeated successful attacks. While a solid preventative cybersecurity posture will not stop the most aggressive and determined adversaries, it will slow them down, giving you more time to find them before they obtain command and control. It will also significantly reduce the number of hackers with the ability and willingness to launch a successful attack. With that foundation, a mature cybersecurity operation is next. The executive in charge must make sure their cybersecurity program is governed by industry best practices, NIST-guided policies and procedures, personnel training, and automated detection and response capabilities. Together, these things will allow for effective continuous monitoring as well as identification and remediation of vulnerabilities before too much damage is done. Finally, if (and when) a breach does occur – the biggest lesson is to handle the incident response and breach fallout with transparency and integrity. This means not only limiting the release of stolen data (which Uber successfully did) but also informing all stakeholders and required regulatory bodies of the event and its true nature (something Uber didn’t). Unfortunately, breaches happen, and when they do, the right response is the only response. – Sarah Hensley

Additional Reading:


New FedRAMP Codification Bill

The House last week voted to approve an updated version of legislation that would codify into law and update the Federal Risk and Authorization Management Program (FedRAMP). The 11-year-old program is operated by the General Services Administration (GSA) to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal government agencies.

The Federal Risk and Authorization Management Program (FedRAMP) Authorization Act of 2022 was approved by the House on Sept. 29. The latest bill would:

  • Codify the FedRAMP program into Federal law;
  • Reduce duplication of security assessments and other obstacles to agency adoption of cloud products by establishing a “presumption of adequacy” for cloud technologies that have received FedRAMP certification;
  • Facilitate the use of cloud technologies that have already received an authorization-to-operate by requiring agencies to check a centralized and secure repository and, to the extent practicable, reuse any existing security assessment before conducting their own;
  • Require that GSA work toward automating its processes, which will lead to more standard security assessments and continuous monitoring of cloud offerings, and increased efficiency for both providers and agencies; and
  • Establish a Federal Secure Cloud Advisory Committee to ensure dialogue among GSA, agency cybersecurity and procurement officials, and industry for effective and ongoing coordination in acquisition and adoption of cloud products by the Federal government.

–Via: Meritalk

Our Take: FedRAMP is a vitally important program for modernizing Federal agency operations and improving their cybersecurity posture. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information. However, the path to a FedRAMP authorization is an arduous and time-consuming process involving many steps for both a Cloud Service Provider (CSP) and a Federal agency who seeks to sponsor them.

Agencies that agree to sponsor a solution for a FedRAMP Authorization are agreeing to commit certain resources and take on the work associated with sponsorship. Agencies need to provide an Authorizing Official (AO) and an Information Systems Security Officer or Manager (ISSO or ISSM) who can review significant amounts of documentation throughout the process, review monthly continuous monitoring reports, track Plan of Action and Milestones (POA&M) progress, and review annual re-assessment reports as well as system significant change requests and associated audit reports.

While each agency may have requirements that are unique, this bill takes steps to promote the use of existing assessment materials so that agencies may leverage assessment work that has already been done. Another important provision requires GSA to establish annual metrics regarding the time and quality of the assessment process with an eye toward reducing the reporting burden on agencies. While the bill doesn't directly reference OSCAL, the Open Security Controls Assessment Language, this established NIST standard is already being utilized to automate security assessments and reviews by providing control-related information in machine-readable formats. This bill is a welcome update in the maturation process of this important program. – Joe DiMarcantonio, PMP
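To show what "control-related information in machine-readable formats" buys a sponsoring ISSO, here is an added example that is not part of the memo and not an official FedRAMP or NIST tool. It reads two constructed, deliberately simplified documents laid out like OSCAL's JSON models (a catalog with nested groups and controls, and a system security plan whose control-implementation lists implemented-requirements keyed by control-id) and reports which catalog controls the plan never addresses, which claimed control IDs are not in the catalog, and which are claimed twice. Metadata is abbreviated, UUIDs are placeholders, and the control set is invented; a real review would run the same check against the full baseline catalog and the CSP's complete SSP.

```python
import json
from typing import Dict, Iterator, List

# Constructed catalog following the OSCAL catalog layout (groups -> controls,
# with enhancements nested under their parent control). Illustrative only.
CATALOG_JSON = """{
  "catalog": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "metadata": {"title": "Example catalog", "version": "1.0", "oscal-version": "1.0.0"},
    "groups": [
      {"id": "ac", "title": "Access Control",
       "controls": [
         {"id": "ac-1", "title": "Policy and Procedures"},
         {"id": "ac-2", "title": "Account Management",
          "controls": [{"id": "ac-2.1", "title": "Automated System Account Management"}]}
       ]},
      {"id": "ir", "title": "Incident Response",
       "controls": [
         {"id": "ir-1", "title": "Policy and Procedures"},
         {"id": "ir-6", "title": "Incident Reporting"}
       ]}
    ]
  }
}"""

# Constructed SSP fragment following the OSCAL system-security-plan layout.
# Note the duplicate ac-1 entry and the sc-99 entry that the catalog lacks.
SSP_JSON = """{
  "system-security-plan": {
    "uuid": "00000000-0000-4000-8000-000000000002",
    "metadata": {"title": "Example SSP", "version": "0.3", "oscal-version": "1.0.0"},
    "import-profile": {"href": "example-profile.json"},
    "control-implementation": {
      "description": "Constructed sample, not a real system",
      "implemented-requirements": [
        {"uuid": "00000000-0000-4000-8000-000000000010", "control-id": "ac-1"},
        {"uuid": "00000000-0000-4000-8000-000000000011", "control-id": "ac-1"},
        {"uuid": "00000000-0000-4000-8000-000000000012", "control-id": "ac-2"},
        {"uuid": "00000000-0000-4000-8000-000000000013", "control-id": "ir-1"},
        {"uuid": "00000000-0000-4000-8000-000000000014", "control-id": "sc-99"}
      ]
    }
  }
}"""


def iter_controls(node: dict) -> Iterator[dict]:
    """Yield every control beneath a catalog, group or control node, recursively."""
    for group in node.get("groups", []):
        yield from iter_controls(group)
    for control in node.get("controls", []):
        yield control
        yield from iter_controls(control)  # enhancements nest under the parent control


def catalog_controls(catalog_doc: dict) -> Dict[str, str]:
    """Map control id -> title for every control the catalog defines."""
    return {c["id"]: c.get("title", "") for c in iter_controls(catalog_doc["catalog"])}


def implemented_control_ids(ssp_doc: dict) -> List[str]:
    """Control ids the SSP claims to implement, in document order (duplicates kept)."""
    impl = ssp_doc["system-security-plan"]["control-implementation"]
    return [req["control-id"] for req in impl["implemented-requirements"]]


def coverage_report(catalog_json: str, ssp_json: str) -> dict:
    """Compare what the SSP claims against what the catalog requires."""
    controls = catalog_controls(json.loads(catalog_json))
    claimed = implemented_control_ids(json.loads(ssp_json))
    claimed_set = set(claimed)
    missing = sorted(cid for cid in controls if cid not in claimed_set)
    unknown = sorted(cid for cid in claimed_set if cid not in controls)
    duplicates = sorted({cid for cid in claimed if claimed.count(cid) > 1})
    return {
        "total_controls": len(controls),
        "covered": len(controls) - len(missing),
        "missing": missing,          # required by the catalog, absent from the SSP
        "unknown": unknown,          # claimed in the SSP, not defined in the catalog
        "duplicates": duplicates,    # claimed more than once; reconcile before review
    }


if __name__ == "__main__":
    report = coverage_report(CATALOG_JSON, SSP_JSON)
    print(f"{report['covered']}/{report['total_controls']} controls addressed")
    for key in ("missing", "unknown", "duplicates"):
        print(f"{key}: {', '.join(report[key]) or 'none'}")
```

The same traversal works for monthly continuous-monitoring deliverables: once the artifacts are machine-readable, a reviewer can diff this month's coverage against last month's instead of re-reading hundreds of pages to find what changed.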

Additional Reading:


Readers of our Newsletter: What’s working, what’s not, and what’s on your mind? Leave a comment below or email [email protected]. Thank you!
