VMware releases workarounds for another critical flaw (CVE-2020-4006)

For the second time in less than a week, VMware is warning about a critical vulnerability (CVE-2020-4006). This time, the affected solutions are VMware Workspace One Access, Access Connector, VMware Identity Manager and VMware Identity Manager Connector.

CVE-2020-4006

As some of these are components of the VMware Cloud Foundation (vIDM) and vRealize Suite Lifecycle Manager (vIDM) product suites, those are impacted as well.

About the vulnerability (CVE-2020-4006)

Not much has been shared about CVE-2020-4006, except that it’s a command injection vulnerability that could allow a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account to execute commands with unrestricted privileges on the underlying operating system.

The vulnerability was privately reported to VMware and the company categorized it as “critical.”

Affected products include:

  • VMware Workspace One Access v20.10 (Linux)
  • VMware Workspace One Access v20.01 (Linux)
  • VMware Identity Manager v3.3.3 (Linux)
  • VMware Identity Manager v3.3.2 (Linux)
  • VMware Identity Manager v3.3.1 (Linux)
  • VMware Identity Manager Connector v3.3.2 and 3.3.1 (Linux)
  • VMware Identity Manager Connector v3.3.3, 3.3.2, and 3.3.1 (Windows)
  • VMware Cloud Foundation (vIDM) v4.x (running on any platform)
  • vRealize Suite Lifecycle Manager (vIDM) v8.x (running on any platform)

VMware did not say whether the flaw is under active exploitation, but they released workarounds (and instructions on how to remove them) as they are working on the patches.

“This workaround is relevant for the configurator hosted on port 8443. Impacts are limited to functionality performed by this service. Configurator-managed setting changes will not be possible while the workaround is in place. If changes are required please revert the workaround following the instructions below, make the required changes and disable again until patches are available. In addition, most of the system diagnostics dashboard will not be displayed,” the company noted.

Last week, VMware patched critical flaws in its ESXi hypervisor that were exploited during the Tianfu Cup Pwn Contest that was held in Chengdu, China, earlier this month.

AWS adds new S3 security and access control features

Amazon Web Services (AWS) has made available three new S3 (Simple Storage Service) security and access control features:

  • Object Ownership
  • Bucket Owner Condition
  • Copy API via Access Points

Object Ownership

Object Ownership is a permission that can be set when creating a new object within an S3 bucket, to enforce the transfer of new object ownership onto the bucket owner.

AWS S3 security

“With the proper permissions in place, S3 already allows multiple AWS accounts to upload objects to the same bucket, with each account retaining ownership and control over the objects. This many-to-one upload model can be handy when using a bucket as a data lake or another type of data repository. Internal teams or external partners can all contribute to the creation of large-scale centralized resources,” explained Jeff Barr, Chief Evangelist for AWS.

But with this set up, the bucket owner doesn’t have full control over the objects in the bucket and therefore cannot use bucket policies to share and manage objects. If the object uploader needs retain access to it, bucket owners will need to grant additional permissions to the uploading account.

“Keep in mind that this feature does not change the ownership of existing objects. Also, note that you will now own more S3 objects than before, which may cause changes to the numbers you see in your reports and other metrics,” Barr added.

Bucket Owner Condition

Bucket Owner Condition allows bucket owners to confirm the ownership when they create a new object or perform other S3 operations.

AWS recommends using Bucket Owner Condition whenever users perform a supported S3 operation and know the account ID of the expected bucket owner.

The feature eliminates the risk of users accidentally interacting with buckets in the wrong AWS account. For example, it prevents situations like applications writing production data into a bucket in a test account.

Copy API via Access Points

S3 Access Points are “unique hostnames that customers create to enforce distinct permissions and network controls for any request made through the access point. Customers with shared data sets […] can easily scale access for hundreds of applications by creating individualized access points with names and permissions customized for each application.”

The feature can now be used together with the S3 CopyObject API, allowing customers to copy data to and from access points within an AWS Region.

Global NAC market estimated to reach $2.21 billion by 2024

The proliferation of the IoT, the convergence of IT and OT, and customers’ migration to the cloud at a faster pace are rapidly driving the global NAC market, according to Frost & Sullivan.

global NAC market

The sector is estimated to increase by two-thirds, reaching $2.21 billion by 2024 from $1.35 billion in 2019, at a compound annual growth rate (CAGR) of 10.4%. With 60.2% market share, North America will continue to be the largest market for NAC until 2024; APAC is the fastest-growing region and its share of the global NAC market is estimated to increase from 9.9% in 2019 to 11.9% in 2024.

Cloud security innovation is essential

The COVID-19 pandemic will cause a severe slowdown in 2020. Thereafter, the NAC market is expected to regain annual double-digit growth rates as organizations settle into a “new normal.”

“Security vendors are working closely with their customers in order to support them in this unprecedented transition to work from home (WFH). They are focused on ensuring their clients’ business continuity, and the pandemic has underlined the value of cloud services in delivering and deploying security solutions to remote devices,” said Tony Massimini, Senior Industry Analyst at Frost & Sullivan.

“However, the cloud environment needs security as well. Having a remote workforce highlights the need to leverage NAC. Large cybersecurity vendors with broad product portfolios will want to add this solution as well.”

Vendors should continue to innovate cloud security, work closely with AWS, Azure, Google Cloud, and other tech vendors, and focus on virtual appliances and NAC as Software-as-a-Service (SaaS). Additionally, NAC is adapting to a more mobile environment as enterprises expand beyond the traditional secure walls.

Technologies to boost growth opportunities

The complexity of 802.1X deployment (one of the best methods for authentication), surging diversity of IoT devices, and increasing NAC solution costs for large enterprises are likely to hinder the market. NAC vendors’ move to work beyond the traditional IT perimeter and innovation in other technologies will boost growth opportunities via:

  • Incorporating NAC into OT to improve security tools for better coordination and to leverage IoT technology.
  • Focusing on virtual appliances and SaaS for customers’ quick migration to public and private clouds.
  • Instrumentalizing the concept of zero trust networking (ZTN)—the never trust, always verify principle—so security vendors, including NAC, can promote their capabilities via integration of their product portfolios.
  • Capitalizing on use cases of IoT, BYOD, and mobility, which are increasing at a significant rate. Most IoT devices do not have the resources to handle an agent, so agentless technology is required.

Looking at the future of identity access management (IAM)

Here we are: at the beginning of a new year and the start of another decade. In many ways, technology is exceeding what we expected by 2020, and in other ways, well, it is lacking.

Back to the Future made us think we would all be using hoverboards, wearing self-drying and fitting jackets, and getting to and from the grocery store in flying cars by Oct. 21, 2015. Hanna-Barbera promised us a cutting-edge, underwater research lab in its 1972 cartoon, Sealab 2020.

While some of the wildest technology expectations from the big and small screen may not have come to fruition, the last decade of identity and access management development didn’t let us down.

And, I believe identity access management (IAM) cloud capabilities and integrations will continue their rapid spread – as well as their transformation of enterprise technology and the way we do business – in this new decade and beyond.

Here are three IAM predictions for 2020.

1. Single sign-on (SSO) protocols steadily decrease the need for unique accounts and credentials for every resource, so Active Directory (AD) is put on notice.

SAML, OAuth 2.0, OpenID, and other protocols mean people will see a drastic reduction in the number of unique accounts and credentials necessary to log in to certain websites. Do you need to log in to manage a site or do some online shopping? Likely, you can just use your Google or Facebook account to verify your identity.

This trend will continue to dominate throughout business-to-consumer efforts. I believe it will also take hold of business-to-business and internal business operations, thanks to the SSO developments made by Okta, Tools4ever, and other industry leaders.

The rise of SSO and the maturation of cloud platforms, such as G Suite, will likely result in a reduction in Microsoft’s market hold with on-premise AD. As more enterprises transition to hybrid infrastructures to the cloud, flexibility means relying less on systems and applications that pair with AD to authorize user access.

Google Chromebook and other devices prove that the AD divorce is possible. Because of this, expect to see directory battles between Davids and Goliaths like Microsoft.

2. Downstream resources benefit from improved integration.

Along with the increasing use of protocols connecting IT resources, expect downstream systems, applications, and other resources to utilize identity data better. We’ll see how information transferred within the protocols mentioned above can be leveraged.

Provisioning will be far more rapid since transferred identity data will help to create accounts and configure access levels immediately. Continual improving integrations will provide administrators and managers with far more granular control during initial setup, active management, and deactivation.

Also, increasing connectivity allows centralized management at the source of the authoritative identity data and pushed easily from there. At the same time, systems and applications will better incorporate identity data to enforce a given user’s permissions within that resource.

3. Multi-factor authentication (MFA) pervades our login attempts and increases the security of delivery to stay a step ahead.

MFA is already popular among some enterprise technologies and consumer applications handling sensitive, personal data (e.g., financial, healthcare), and will continue to transform authentication attempts. A lot has been said about increased password complexities, but human error is still persistent.

The addition of MFA immediately adds further security to authentication attempts by having the user enter a temporarily valid pin code or verify their identity by other methods.

An area to watch within MFA is the delivery method. For example, SMS notifications were the first stand-out but forced some organizations to weigh added costs that messaging might bring on their mobile phone plans. SMS remains prevalent, but all things adapt, and hackers’ increased ability to hijack these messages have made their delivery less secure.

Universal one-time password (OTP) clients, such as Google Authenticator, have both increased security and made the adoption of MFA policies much easier through time-sensitive pin codes. Universal OTPs also do away with the requirement for every unique resource to support its own MFA method.

PIN codes are now getting replaced by “push notifications,” which send a simple, secure “yes” or “no” verification prompt that allows access. After the client app is downloaded and registering your user account, a single screen tap is all that is needed for additional security to your logins.

Gartner has been praising push notifications as the way of the future for a couple of years. Gartner predicted that 50% of enterprises using mobile authentication would adopt it as their primary verification method by the end of 2019.

The cloud will undoubtedly control IAM’s potential for the foreseeable future.

Do third-party users follow security best practices and policies?

Many organizations across the globe fall short of effectively managing access for third-party users, exposing them to significant vulnerabilities, breaches and other security risks, One Identity reveals. Most organizations grant third-party users access to their network Based on a Dimensional Research-conducted survey of more than 1,000 IT security professionals, the research evaluates organizations’ approaches to identity and access management (IAM) and privileged access management (PAM), including how they apply to third-party users – from vendors … More

The post Do third-party users follow security best practices and policies? appeared first on Help Net Security.

It Is Time To Think About Data Leakages.

Data-Security-USB-Drive-Locked

Do You Know Data Leakages Are?

data-leakage-1

Do you know all the possible ways to take information out of company so that no one would know? I’m sure that there are means and methods for data leakage despite security controls.

Let’s think about how can we control this process better.

First, it’s necessary to understand that there no absolute controls around security. Even if a USB port is blocked, it’s still possible to write some data to USB, if there is system that controls outgoing mails, then it’s still possible to use some trick that intruder might use to send out important data out of the company.

So how to manage information security policies to prevent possible data leakages? Let’s list all possible ways to prevent leakage. There are two general categories – active and proactive security. These terms are sometime hard to understand in real word, so let’s discuss another approach. There are means that will help to prevent the fact of information leakage, and there are means that will help to find out, if information was leaked. Both methods should be considered when building information security at your company.

Data-Leakage-Poster
Data-Leakage-Poster

How to prevent information leakage. First, it’s necessary to apply a security policy which will guaranty the access to the certain data only for trusted persons, in this way you will always know who has access to the data, so it is easier to find possible intruder and to control your employees.

Second, consider all possible ways for information to be stolen, such as sent out by email, copies by some employee, stolen by some spyware software, copies to the external drive, etc. Think about all possible ways and think about risks applied. Try to minimize the risk for the most important data.

Let’s list some possible security issues and the ways how we can get rid of them.

Keyloggers and other spyware software. Keylogger is a program that works in background, records all keystrokes and send out information to third-party. The good idea is to start with firewall, which will allow access to the internet only for a certain programs.

Intruder insider your company. Statistics shows that there are some in most companies. The bad news is that these people might produce more damage that all other attackers. Make sure you know about what employee do, what he or she keeps on his hard disk and all you do comply with privacy policy of your company.

secure-USB
secure-USB

Hardware that might be dangerous. There are software that allows to lock USB ports, there are software that allows to block access to any other writeable media, consider installing these tools on computers and user accounts which doesn’t need to use this functions during their work.

Finally, the key principle about fighting information leakage is to be proactive. You don’t need to wait until some information will be stolen, being a little paranoid will help to save your business. It’s easy to install and integrate into the security policy some audit measures, that will regularly check your company for possible security holes, it’s simple, but it will work.