Demand for private network deployments will be driven by heavy industry verticals

With enterprise 5G maturing, the importance of private networks for the enterprise domain will continue to grow.


According to ABI Research, the demand for private network deployments will be driven primarily by heavy industry verticals. Industrial manufacturing and energy production (including mining, oil and gas, and logistics) alone will generate private network revenues of $32.38 billion by 2030, representing half of the $64 billion overall private network revenues.

“These findings show the importance of private networks, particularly for automating mission- or even life-critical use cases, that require the highest possible network reliability and availability and are characterized by a high degree of network integrity to prevent data from leaving the enterprise premises,” says Leo Gergs, Research Analyst for 5G Markets at ABI Research.

“Enterprises that require network slicing capabilities to separate mission-critical from non-mission-critical use cases within the same physical network will turn to private networks.”

What’s causing the surge in private network demand?

Two main factors are causing the surge in private network demand. Gergs explains, “First, there is a huge rise in demand for automation and enterprise digitization. What has started with Industry 4.0 is now exacerbated by the aftermath of the global COVID-19 outbreak.

“Enterprises in industrial manufacturing, logistics, and oil and gas are now accelerating their digitization plans to reduce their dependency on manual labor availability and increase the resilience of their business operations against sudden disruptions to supply chains. The second is the addition to the demand-side effect.”

Gergs continues, “The market for private network deployments will also benefit from a supply-side effect. The freeze of Release 16 gives enterprises the much-needed reassurance of 5G capabilities for enterprise-grade connectivity, which allows chipset and module manufacturers to grow the device ecosystem for compatible hardware.

“The maturing device ecosystem, in turn, drives down prices per module and therefore makes the deployment of private 5G networks more cost-efficient, which will spur additional interest from enterprises.”

A durable business strategy is key

There is a growing number of private network offerings emerging on the market to address this rising opportunity. While private network operators like Ambra, Citymesh or Edzcom are threatening traditional CSPs’ market share by monetizing managed services other than connectivity, hyperscalers like AWS, Google, and IBM are launching their private network offerings in co-creation efforts with telco players.

In addition, software companies like Athonet or Quortus benefit from trends toward network virtualization, which allows them to offer a virtualized core network either through System Integrators or to enterprises directly.

“These breathtaking developments show the amazing pace at which this market is evolving. Against this backdrop, it is important that all players in the enterprise connectivity domain develop a durable business strategy to profit from this rising market,” concludes Gergs.

Pandemic thinking: What if there were a vaccine for OT ransomware?

The year 2020 has been defined globally by the COVID-19 pandemic. One of the few silver linings of this difficult set of circumstances is innovation – redesigning normal processes so that life can carry on with some degree of regularity and reliability.


Pre-COVID, we all took certain risks routinely, and the consequences were minor. Now the consequences are much more serious and we respond to these risks by very carefully deciding how we expose ourselves to the coronavirus. Whether sheltering in place, social distancing, or in full government lock-down, we have all felt the fatigue of being under the siege of an invisible threat.

The good news is there is hope at the end of the tunnel – in a matter of months, medical science will catch up to the threat and normal life will resume.

The cyber pandemic

The pandemic has digital consequences as well, for both enterprise networks and OT networks. Not only has the pandemic brought more of our lives online and forced us to do nearly everything remotely; the long-running macro trends continue as well.

Computers are getting cheaper and CPUs are more ubiquitous than ever before – which means there are more targets for cyber attacks than ever before. Communications are getting cheaper, faster and more universal, and all this connectivity means steadily increasing opportunities to attack a steadily increasing number of targets.

The trend towards remote work is not likely to reverse very much post-pandemic, and the macro trends certainly will not reverse – no amount of social distancing will slow down cyber breaches, targeted attacks or targeted ransomware.

Unfortunately, many of the conventional IT security defenses we deploy against these threats are porous and hackable. Firewalls, intrusion detection systems, security updates and VPNs are all software, with inevitable bugs and security holes, which means that all of these defenses can be compromised. This is especially troubling in a world of physical, industrial operations that are increasingly dependent on these software-based protections for safe and reliable operation.

Worse, the industrial equivalent of “lock-down”, which is air-gapping, is folklore of the past; air-gapping defeats modern efficiency initiatives and so is either consciously avoided as a modern security strategy, or is implemented badly, resulting in residual connectivity and associated cyber risks.

To operate efficiently, industrial operations nearly always must share data with enterprise and customer systems, and – just as in a global pandemic – the risks and consequences of such contact through cyber connections must be weighed very carefully.

What if there were a vaccine for cyber?

Every pandemic begs a vaccine. What if there were a vaccine for the cyber pandemic? What if there were a vaccine that could prevent OT attacks and the OT ransomware that has shut down hundreds of industrial sites in 2020? Targeted ransomware is one of today’s biggest and nastiest cyber threats.

These targeted attacks defeat conventional defenses at heavily-defended industrial sites. In a sense this is no surprise – many of today’s targeted ransomware groups use attack tools and techniques that were once the sole province of nation-states. A cyber vaccine is needed, urgently.

Unidirectional Security Gateways

The good news – future-proofing our most important services and industries from the cyber pandemic is not as difficult as a COVID vaccine. Today’s hardware-enforced unidirectional gateways stop targeted ransomware and other targeted, remote-control attacks from reaching into industrial networks.

The physical security embedded in the unidirectional hardware does not protect the information, but rather protects the industrial networks from information, more specifically from attacks that may be embedded in information that enters industrial networks.

And unlike air gaps, unidirectional gateways enable seamless flows of operations information from industrial operations out into the enterprise or even out into the Internet beyond the enterprise.

Unidirectional hardware prevents attacks from entering industrial networks, while unidirectional gateway software makes copies of databases and other servers from industrial networks to external networks.

Enterprise and other users simply access the industrial data in the external replica databases. Unidirectional gateways “vaccinate” industrial networks against online attacks, while providing the kind of seamless access to industrial data that modern, efficient enterprises rely on.

There are indeed lessons from the pandemic that we can apply to our industrial networks. Using only software protections means making difficult risk decisions on a regular basis, just as we do with social distancing and lock-downs.

We all look forward to the day of the COVID-19 vaccine, when these difficult decisions and risks will disappear. The good news on the cyber side is that the vaccine for OT networks is already available, in the form of Waterfall’s Unidirectional Security Gateways.

VMware releases workarounds for another critical flaw (CVE-2020-4006)

For the second time in less than a week, VMware is warning about a critical vulnerability (CVE-2020-4006). This time, the affected solutions are VMware Workspace One Access, Access Connector, VMware Identity Manager and VMware Identity Manager Connector.


As some of these are components of the VMware Cloud Foundation (vIDM) and vRealize Suite Lifecycle Manager (vIDM) product suites, those are impacted as well.

About the vulnerability (CVE-2020-4006)

Not much has been shared about CVE-2020-4006, except that it’s a command injection vulnerability that could allow a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account to execute commands with unrestricted privileges on the underlying operating system.
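The class of bug described above, command injection, comes down to how a privileged service builds the command it hands to the operating system. The example below is added for this article and is not VMware's code: it contrasts a hypothetical configurator action that pastes a user-supplied hostname into a shell command line with a hardened version that validates the input against a strict pattern and passes it as a single argv element without a shell. The `getent hosts` lookup and the hostname syntax are assumptions; the tokenizer helper shows how a reviewer can tell, from a logged parameter, whether the input would have stayed a single argument.

```python
import re
import shlex
import subprocess
from typing import List

# Strict hostname syntax (RFC 1123 style labels). Anything else is rejected
# before it gets anywhere near a command. Assumed allow-list for this example.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_command_vulnerable(host: str) -> str:
    """Vulnerable pattern: the request parameter is pasted into a shell command line.

    Hypothetical admin action that resolves a hostname with `getent hosts`.
    Because the string is later run with shell=True, shell metacharacters in
    `host` become part of the command instead of part of the argument.
    """
    return f"getent hosts {host}"


def run_vulnerable(host: str) -> subprocess.CompletedProcess:
    # shell=True is what turns the string above into a command injection sink.
    return subprocess.run(build_command_vulnerable(host), shell=True,
                          capture_output=True, text=True)


def shell_tokens(cmdline: str) -> List[str]:
    """Tokenize a command line the way a POSIX shell would, keeping ';', '|', '&'
    and friends as separate tokens. Useful when reviewing logged parameters: if one
    parameter yields more than one token, it would not have stayed one argument."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def is_valid_hostname(host: str) -> bool:
    return HOSTNAME_RE.fullmatch(host) is not None


def build_command_hardened(host: str) -> List[str]:
    """Hardened pattern: validate against the allow-list, then build argv, never a shell string."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname parameter: {host!r}")
    return ["getent", "hosts", host]


def run_hardened(host: str) -> subprocess.CompletedProcess:
    # No shell is involved: the hostname reaches getent as exactly one argument.
    return subprocess.run(build_command_hardened(host), capture_output=True, text=True)


if __name__ == "__main__":
    tainted = "example.com; id"  # constructed input with an appended command
    print(shell_tokens(build_command_vulnerable(tainted)))  # five tokens, two commands
    try:
        build_command_hardened(tainted)
    except ValueError as err:
        print(err)
```

The allow-list check is the part that matters: an argv list alone stops the shell from interpreting metacharacters, but the validation also keeps option-like values (anything starting with `-`) and oversized inputs away from the tool being invoked.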

The vulnerability was privately reported to VMware and the company categorized it as “critical.”

Affected products include:

  • VMware Workspace One Access v20.10 (Linux)
  • VMware Workspace One Access v20.01 (Linux)
  • VMware Identity Manager v3.3.3 (Linux)
  • VMware Identity Manager v3.3.2 (Linux)
  • VMware Identity Manager v3.3.1 (Linux)
  • VMware Identity Manager Connector v3.3.2 and 3.3.1 (Linux)
  • VMware Identity Manager Connector v3.3.3, 3.3.2, and 3.3.1 (Windows)
  • VMware Cloud Foundation (vIDM) v4.x (running on any platform)
  • vRealize Suite Lifecycle Manager (vIDM) v8.x (running on any platform)

VMware did not say whether the flaw is under active exploitation, but it has released workarounds (and instructions for removing them) while it works on patches.

“This workaround is relevant for the configurator hosted on port 8443. Impacts are limited to functionality performed by this service. Configurator-managed setting changes will not be possible while the workaround is in place. If changes are required please revert the workaround following the instructions below, make the required changes and disable again until patches are available. In addition, most of the system diagnostics dashboard will not be displayed,” the company noted.

Last week, VMware patched critical flaws in its ESXi hypervisor that were exploited during the Tianfu Cup Pwn Contest that was held in Chengdu, China, earlier this month.

Cisco Webex vulnerabilities may enable attackers to covertly join meetings


Cisco has fixed three bugs in its Cisco Webex video conferencing offering that may allow attackers to:

  • Join Webex meetings without appearing in the participant list (CVE-2020-3419)
  • Covertly maintain an audio connection to a Webex meeting after being expelled from it (CVE-2020-3471)
  • Gain access to information (name, email, IP address, device info) on meeting attendees without being admitted to the meeting (CVE-2020-3441)

About the Cisco Webex vulnerabilities

The three flaws were discovered by IBM researchers, after the company’s research department and the Office of the CISO decided to analyze their primary tool for remote meetings (i.e., Cisco Webex).

“These vulnerabilities work by exploiting the handshake process that Webex uses to establish a connection between meeting participants,” the researchers shared.

“These flaws affect both scheduled meetings with unique meeting URLs and Webex Personal Rooms. Personal rooms may be easier to exploit because they are often based on a predictable combination of the room owner’s name and organization name. These technical vulnerabilities could be further exploited with a combination of social engineering, open source intelligence (OSINT) and cognitive overloading techniques.”

The vulnerabilities can all be exploited by unauthenticated, remote attackers, either by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site or by browsing the Webex roster.

More details about the possible attacks are available in this blog post, though details about the flaws will be limited until more users are able to implement the provided updates/patches.

Patches and security updates

The bugs affect both Cisco Webex Meetings sites (cloud-based) and Cisco Webex Meetings Server (on-premises).

Cisco addressed them in Cisco Webex Meetings sites a few days ago and no user action is required.

Users of Cisco Webex Meetings Server are advised to upgrade to 3.0MR3 Security Patch 5 or 4.0MR3 Security Patch 4, which contain the needed fixes.

CVE-2020-3419 also affects all Cisco Webex Meetings apps releases 40.10.9 and earlier for iOS and Android, so users are urged to implement the provided updates.

Critical vulnerabilities in Cisco Security Manager fixed, researcher discloses PoCs

Cisco has patched two vulnerabilities in its Cisco Security Manager solution, both of which could allow unauthenticated, remote attackers to gain access to sensitive information on an affected system.


Those are part of a batch of twelve vulnerabilities flagged in July 2020 by Florian Hauser, a security researcher and red teamer at Code White.

About the Cisco Security Manager vulnerabilities

Cisco Security Manager is a security management application that provides insight into and control of Cisco security and network devices deployed by enterprises – security appliances, intrusion prevention systems, firewalls, routers, switches, etc.

Cisco has fixed two vulnerabilities affecting Cisco Security Manager v4.21 and earlier, by pushing out v4.22:

  • CVE-2020-27130, a critical path traversal vulnerability that could be exploited by sending a crafted request to the affected device and could result in the attacker downloading arbitrary files from it
  • CVE-2020-27125, which could allow an attacker to view static credentials in the solution’s source code
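CVE-2020-27130 is a path traversal flaw, which means the affected service turned a file name from the request into a file system path without confining it to the intended directory. The example below is added for this article and is not Cisco's code: it shows the unsafe join beside a check that canonicalizes the path and confirms it stays under the base directory, plus a small indicator function for request logs. The base directory and file names are constructed.

```python
import os


def resolve_vulnerable(base_dir: str, requested: str) -> str:
    """Unsafe pattern: join the request's file name onto the base directory.

    Two things go wrong here: '..' segments walk out of base_dir, and
    os.path.join discards base_dir entirely when `requested` is absolute.
    """
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_hardened(base_dir: str, requested: str) -> str:
    """Safe pattern: canonicalize, then require the result to stay under base_dir.

    realpath() collapses '..' and follows symlinks, so the comparison is made on
    the path the OS would actually open. commonpath() is used instead of a string
    prefix test so that '/srv/files-old' is not mistaken for '/srv/files'.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes {base!r}: {requested!r}")
    return candidate


def looks_like_traversal(requested: str) -> bool:
    """Detection helper for request logs: flags '..' segments, absolute paths and
    URL-encoded forms of '../'. It complements the check above; it does not replace it."""
    lowered = requested.lower()
    segments = requested.replace("\\", "/").split("/")
    return (".." in segments
            or requested.startswith(("/", "\\"))
            or "%2e%2e" in lowered
            or "..%2f" in lowered
            or "..%5c" in lowered)


if __name__ == "__main__":
    base = "/srv/app/files"  # constructed base directory
    for name in ("reports/q3.pdf", "../../../etc/passwd", "/etc/passwd", "../files-old/secret.txt"):
        print(f"{name!r:32} vulnerable -> {resolve_vulnerable(base, name)}")
        try:
            print(f"{'':32} hardened   -> {resolve_hardened(base, name)}")
        except PermissionError as err:
            print(f"{'':32} hardened   -> rejected ({err})")
```

Note that `resolve_hardened` rejects absolute inputs rather than silently re-rooting them under the base directory; a request that names an absolute path is not something a file download endpoint should ever honour, so failing closed and logging it is the better default.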

Cisco has also simultaneously announced that it will fix multiple Java deserialization vulnerabilities (collectively designated as CVE-2020-27131) in the upcoming v4.23 of the Cisco Security Manager solution. Those could allow unauthenticated, remote attackers to execute arbitrary commands on an affected instance and could be triggered by sending a malicious serialized Java object to a specific listener on an affected system.

The company’s Product Security Incident Response Team (PSIRT) has noted that public announcements about all these vulnerabilities are available, but that they are “not aware” of instances of actual malicious use in the wild.

The public announcement they are referring to is a post on Gist, a pastebin service operated by GitHub, through which Hauser shared PoCs for the flaws he discovered and flagged.

2021 predictions for the Everywhere Enterprise

As we near 2021, it seems that the changes to our working life that came about in 2020 are set to remain. Businesses are transforming as companies continue to embrace remote working practices to adhere to government guidelines. What does the next year hold for organizations as they continue to adapt in the age of the Everywhere Enterprise?


We will see the rush to the cloud continue

The pandemic saw more companies than ever move to the cloud as they sought collaboration and productivity tools for employee bases working from home. We expect that surge to continue as more companies realize the importance of the cloud in 2021. Businesses are prepared to preserve these new working models in the long term, some perhaps permanently: Google urged employees to continue working from home until at least next July and Twitter stated employees can work from home forever if they prefer.

Workforces around the world need to continue using alternatives to physical face-to-face meetings, and remote collaboration tools will help. Cloud-based tools are perfect for that kind of functionality, which is partly why many customers that are not yet in the cloud want to be. Customers who have already started the cloud migration journey are also moving more resources to public cloud infrastructure.

People will be the new perimeter

While people will eventually return to the office, they won’t do so full-time, and they won’t return in droves. This shift will close the circle on a long trend that has been building since the mid-2000s: the dissolution of the network perimeter. The network and the devices that defined its perimeter will become even less special from a cybersecurity standpoint.

Instead, people will become the new perimeter. Their identity will define what they’re allowed to access, both inside and outside the corporate network. Even when they are logged into the network, they will have minimal access to resources until they and the device they are using have been authenticated and authorized. This approach, known as zero trust networking, will pervade everything, covering not just employees, but customers, contractors, and other business partners.

User experience will be increasingly important in remote working

Happy, productive workers are even more important during a pandemic, especially since employees have, on average, been working three hours longer since the pandemic started, disrupting their work-life balance. It’s up to employers to focus on the user experience and make workers’ lives as easy as possible.

When the COVID-19 lockdown began, companies coped by expanding their remote VPN usage. That got them through the immediate crisis, but it was far from ideal. On-premises VPN appliances suffered a capacity crunch as they struggled to scale, creating performance issues, and users found themselves dealing with cumbersome VPN clients and log-ins. It worked for a few months, but as employees settle in to continue working from home in 2021, IT departments must concentrate on building a better remote user experience.

Old-school remote access mechanisms will fade away

This focus on the user experience will change the way that people access computing resources. In the old model, companies used a full VPN to tunnel all traffic via the enterprise network. This introduced latency issues, especially when accessing applications in the cloud because it meant routing all traffic back through the enterprise data center.

It’s time to stop routing cloud sessions through the enterprise network. Instead, companies should let remote workers reach cloud applications directly. That means sanitizing traffic either on the device itself or in the cloud.

User authentication improvements

Part of that new approach to authentication involves better user verification. That will come in two parts. First, it’s time to ditch the password. The cybersecurity community has advocated this for a long time, but the work-from-home trend will accelerate it. Employees accessing from mobile devices are increasingly using biometric authentication, which is more secure and convenient.

The second improvement to user verification will see people logging into applications less often. Sessions will persist for longer, based on deep agent-based device knowledge that will form a big part of the remote access experience.

Changing customer interactions will require better mobile security

It isn’t just employees who will need better mobile security. Businesses will change the way that they interact with customers too. We can expect fewer person-to-person interactions in retail as social distancing rules continue. Instead, contact-free transactions will become more important and businesses will move to self-checkout options. Retailers must focus more on mobile devices for everything from browsing products, to ordering and payment.

The increase in QR codes presents a great threat

Retailers and other companies have already started using QR codes, and will use them more and more, to give contact-free access to things like menus and payment systems while complying with social distancing rules. Users can scan them from two meters away, making them perfect for payments and product information.

The problem is that they were never designed for these applications or digital authentication and can easily be replaced with malicious codes that manipulate smartphones in unexpected and damaging ways. We can expect to see QR code fraud problems increase as the usage of these codes expands in 2021.

The age of the Everywhere Enterprise

One overarching message came through clearly in our conversations with customers: the enterprise changed for the longer term in 2020, and this will have profound effects in 2021. What began as a rushed reaction during a crisis this year will evolve during the next as the IT department joins HR in rethinking employee relationships in the age of the everywhere enterprise.

If 2020 was the year that businesses fell back on the ropes, 2021 will be the one where they bounce forward, moving from a rushed reaction into a thoughtful, measured response.

What is confidential computing? How can you use it?

What is confidential computing? Can it strengthen enterprise security? Sam Lugani, Lead Security PMM, Google Workspace & GCP, answers these and other questions in this Help Net Security interview.


How does confidential computing enhance the overall security of a complex enterprise architecture?

We’ve all heard about encryption in-transit and at-rest, but as organizations prepare to move their workloads to the cloud, one of the biggest challenges they face is how to process sensitive data while still keeping it private. However, when data is being processed, there hasn’t been an easy solution to keep it encrypted.

Confidential computing is a breakthrough technology which encrypts data in-use – while it is being processed. It creates a future where private and encrypted services become the cloud standard.

At Google Cloud, we believe this transformational technology will help instill confidence that customer data is not being exposed to cloud providers or susceptible to insider risks.

Confidential computing has moved from research projects into worldwide deployed solutions. What are the prerequisites for delivering confidential computing across both on-prem and cloud environments?

Running workloads confidentially will differ based on what services and tools you use, but one thing is a given – organizations don’t want to compromise on usability and performance, at the cost of security.

Those running Google Cloud can seamlessly take advantage of the products in our portfolio, Confidential VMs and Confidential GKE Nodes.

All customer workloads that run in VMs or containers today can run as confidential workloads without significant performance impact. The best part is that we have worked hard to simplify the complexity. One checkbox—it’s that simple.


What type of investments does confidential computing require? What technologies and techniques are involved?

To deliver on the promise of confidential computing, customers need to take advantage of security technology offered by modern, high-performance CPUs, which is why Google Cloud’s Confidential VMs run on N2D series VMs powered by 2nd Gen AMD EPYC processors.

To support these environments, we also had to update our own hypervisor and low-level platform stack while also working closely with the open source Linux community and modern operating system distributors to ensure that they can support the technology.

Networking and storage drivers are also critical to the deployment of secure workloads and we had to ensure we were capable of handling confidential computing traffic.

How is confidential computing helping large organizations with a massive work-from-home movement?

As we entered the first few months of dealing with COVID-19, many organizations expected a slowdown in their digital strategy. Instead, we saw the opposite – most customers accelerated their use of cloud-based services. Today, enterprises have to manage a new normal which includes a distributed workforce and new digital strategies.

With workforces dispersed, confidential computing can help organizations collaborate on sensitive workloads in the cloud across geographies and competitors, all while preserving privacy of confidential datasets. This can lead to the development of transformation technologies – imagine, for example, being able to more quickly build vaccines and cure diseases as a result of this secure collaboration.

How do you see the work of the Confidential Computing Consortium evolving in the near future?

Google was among the founding members of the Confidential Computing Consortium, operating under the umbrella of the Linux Foundation to facilitate adoption of confidential computing.

Cloud providers, hardware manufacturers, and software vendors all need to work together to define standards to advance confidential computing. As the technology garners more interest, sustained industry collaboration such as the Consortium will be key to helping realize the true potential of confidential computing.

SecOps teams turn to next-gen automation tools to address security gaps

SOCs across the globe are most concerned with advanced threat detection and are increasingly looking to next-gen automation tools like AI and ML technologies to proactively safeguard the enterprise, Micro Focus reveals.


Growing deployment of next-gen tools and capabilities

The report’s findings show that over 93 percent of respondents employ AI and ML technologies with the leading goal of improving advanced threat detection capabilities, and that over 92 percent of respondents expect to use or acquire some form of automation tool within the next 12 months.

These findings indicate that as SOCs continue to mature, they will deploy next-gen tools and capabilities at an unprecedented rate to address gaps in security.

“The odds are stacked against today’s SOCs: more data, more sophisticated attacks, and larger surface areas to monitor. However, when properly implemented, AI technologies such as unsupervised machine learning, are helping to fuel next-generation security operations, as evidenced by this year’s report,” said Stephan Jou, CTO Interset at Micro Focus.

“We’re observing more and more enterprises discovering that AI and ML can be remarkably effective and augment advanced threat detection and response capabilities, thereby accelerating the ability of SecOps teams to better protect the enterprise.”

Organizations relying on the MITRE ATT&CK framework

As the volume of threats rises, the report finds that 90 percent of organizations are relying on the MITRE ATT&CK framework as a tool for understanding attack techniques, and that the most common reason for relying on this knowledge base of adversary tactics is detecting advanced threats.

Further, the scale of technology needed to secure today’s digital assets means SOC teams are relying more heavily on tools to effectively do their jobs.

With so many responsibilities, the report found that SecOps teams are using numerous tools to help secure critical information, with organizations widely using 11 common types of security operations tools and with each tool expected to exceed 80% adoption in 2021.

Key observations

  • COVID-19: During the pandemic, security operations teams have faced many challenges. The biggest has been the increased volume of cyberthreats and security incidents (45 percent globally), followed by higher risks due to workforce usage of unmanaged devices (40 percent globally).
  • Most severe SOC challenges: Approximately 1 in 3 respondents cite the two most severe challenges for the SOC team as prioritizing security incidents and monitoring security across a growing attack surface.
  • Cloud journeys: Over 96 percent of organizations use the cloud for IT security operations, and on average nearly two-thirds of their IT security operations software and services are already deployed in the cloud.

Review: Netsparker Enterprise web application scanner

Vulnerability scanners can be a very useful addition to any development or operations process. Since a typical vulnerability scanner needs to detect vulnerabilities in deployed software, it is (generally) not dependent on the language or technology used for the application it is scanning.

This often doesn’t make them the top choice for detecting a large number of vulnerabilities, or for detecting fickle bugs and business logic issues, but it makes them great and very common tools for testing a large number of diverse applications, where such dynamic application security testing tools are indispensable. This includes testing for security defects in software that is currently being developed as part of an SDLC process, reviewing third-party applications deployed inside one’s network (as part of a due diligence process) or – most commonly – finding issues in all kinds of internally developed applications.

We reviewed Netsparker Enterprise, which is one of the industry’s top choices for web application vulnerability scanning.

Netsparker Enterprise is primarily a cloud-based solution, which means it will focus on applications that are publicly available on the open internet, but it can also scan in-perimeter or isolated applications with the help of an agent, which is usually deployed in a pre-packaged Docker container or a Windows or Linux binary.

To test this product, we wanted to know how Netsparker handles a few things:

1. Scanning workflow
2. Scan customization options
3. Detection accuracy and results
4. CI/CD and issue tracking integrations
5. API and integration capabilities
6. Reporting and remediation efforts.

To assess the tool’s detection capabilities, we needed a few targets to scan and assess.

After some thought, we decided on the following targets:

1. DVWA – Damn Vulnerable Web Application – an old-school, extremely vulnerable application written in PHP. The vulnerabilities in this application should be detected without an issue.
2. OWASP Juice Shop simulates a modern single-page web application with a REST API backend. It has a JavaScript-heavy interface, WebSockets, a REST API in the backend, and many interesting points and vulnerabilities for testing.
3. Vulnapi – a Python 3-based vulnerable REST API, written in the FastAPI framework and running on the Starlette ASGI server, featuring a number of API-based vulnerabilities.

Workflow

After logging in to Netsparker, you are greeted with a tutorial and a “hand-holding” wizard that helps you set everything up. If you have worked with a vulnerability scanner before, you might know what to do, but this feature is useful for people who don’t have that experience, e.g., software or DevOps engineers, who should definitely use such tools in their development processes.

[Screenshot: Initial setup wizard]

Scanning targets can be added manually or through a discovery feature that will try to find them by matching the domain from your email, websites, reverse IP lookups and other methods. This is a useful feature if other methods of asset management are not used in your organization and you can’t find your assets.

New websites or assets for scanning can be added directly or imported via a CSV or a TXT file. Sites can be organized in Groups, which helps with internal organization or per project / per department organization.

[Screenshot: Adding websites for scanning]

Scans can be defined per group or per specific host. Scans can be either defined as one-off scans or be regularly scheduled to facilitate the continuous vulnerability remediation process.

To better guide the scanning process, the classic scan scope features are supported. For example, you can define specific URLs as “out-of-scope” either by supplying a full path or a regex pattern – a useful option if you want to skip specific URLs (e.g., logout, user delete functions). Specific HTTP methods can also be marked as out-of-scope, which is useful if you are testing an API and want to skip DELETE methods on endpoints or objects.

Initial scan configuration

Scan scope options

One feature we quite liked is the support for uploading the “sitemap” or specific request information into Netsparker before scanning. This feature can be used to import a Postman collection or an OpenAPI file to facilitate scanning and improve detection capabilities for complex applications or APIs. Other formats such as CSV, JSON, WADL, WSDL and others are also supported.

For the red team, loading links and information from Fiddler, Burp or ZAP session files is supported, which is useful if you want to expand your automated scanning toolbox. One limitation we encountered is the inability to point to a URL containing an OpenAPI definition – a capability that would be extremely useful for automated and scheduled scanning workflows for APIs that have Swagger web UIs.

Scan policies can be customized and tuned in a variety of ways, from the languages used in the application (ASP/ASP.NET, PHP, Ruby, Java, Perl, Python, Node.js and Other), to database servers (Microsoft SQL Server, MySQL, Oracle, PostgreSQL, Microsoft Access and Others), to the standard choice of Windows or Linux based OSes. Scan optimizations should improve the detection capability of the tool, shorten scanning times, and give us a glimpse of where the tool should perform best.

Integrating Netsparker

The next important question is, does it blend… or integrate? From an integration standpoint, sending email and SMSes about the scan events is standard, but support for various issue tracking systems like Jira, Bitbucket, Gitlab, Pagerduty, TFS is available, and so is support for Slack and CI/CD integration. For everything else, there is a raw API that can be used to tie in Netsparker to other solutions if you are willing to write a bit of integration scripting.

Integration options

One really well-implemented feature is the support for logging into the application under test, as the inability to hold a session and scan from an authenticated context in the application leaves most of the attack surface unscanned and leads to poor scanning results.

Netsparker supports classic form-based login, and 2FA-based login flows that require TOTP or HOTP are also supported. This is a great feature, as you can add the OTP seed and define the period in Netsparker, and you are all set to scan OTP protected logins. No more shimming and adding code to bypass the 2FA method in order to scan the application.

Authentication methods

What’s more, Netsparker enables you to create a custom script for complex login flows or JavaScript/CSS-heavy login pages. I was pleasantly surprised that instead of reading complex documentation, I just needed to right-click on the DOM elements, add them to the script and press next.

Custom scripting workflow for authentication

If we had to nitpick, we might point out that it would be great if Netsparker also supported U2F / FIDO2 implementations (by software emulating the CTAP1 / CTAP2 protocol), since that would cover the most secure 2FA implementations.

In addition to form-based authentication, Basic, NTLM/Kerberos, header-based (for JWTs), client certificate and OAuth2-based authentication are also supported, which makes it easy to authenticate to almost any enterprise application. The login / logout flow is also verified and supported through a custom dialog, where you can verify that the supplied credentials work, and you can configure how to retain the session.

Login verification helper

Scanning accuracy

And now for the core of this review: what Netsparker did and did not detect.

In short, everything from DVWA was detected, except broken client-side security, which by definition is almost impossible to detect with security scanning if custom rules aren’t written. So, from a “classic” application point of view, the coverage is excellent, even the out-of-date software versions were flagged correctly. Therefore, for normal, classic stateful applications, written in a relatively new language, it works great.

From a modern JavaScript-heavy single page application point of view, Netsparker correctly discovered the backend API interface from the user interface, and detected a decently complex SQL injection vulnerability, where it was not enough to trigger a `' or 1=1` type of vector; the vector had to be adjusted to properly escape the initial query.
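To show what the scanner is probing for, here is an added Python example (constructed by us, not Juice Shop’s or Netsparker’s code) with a string-concatenated lookup beside its parameterized form, run against an in-memory SQLite table. The plain `' or 1=1` probe from the text does not bypass the concatenated query here; it breaks it, and that database error is precisely the signal a scanner uses to decide that the vector needs adjusting. The bound-parameter version treats every input as a value.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory product table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, deleted_at TEXT)")
    conn.executemany(
        "INSERT INTO products (name, deleted_at) VALUES (?, ?)",
        [("Apple Juice", None), ("Orange Juice", None), ("Unreleased Blend", "2020-01-01")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """User-controlled text is pasted into the SQL, so a quote changes the statement's structure."""
    sql = "SELECT name FROM products WHERE name = '" + name + "' AND deleted_at IS NULL"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the value travels separately from the SQL text and is only ever compared."""
    sql = "SELECT name FROM products WHERE name = ? AND deleted_at IS NULL"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str) -> dict:
    """Run both lookups on the same input and record the outcome (an error is itself a finding)."""
    conn = make_db()
    out = {}
    for label, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        try:
            out[label] = fn(conn, name)
        except sqlite3.OperationalError as exc:
            out[label] = f"error: {exc}"
    return out


if __name__ == "__main__":
    for probe in ("Apple Juice", "O'Brien", "' or 1=1", "' OR '1'='1"):
        print(repr(probe), compare(probe))
```

Note that the benign name `O'Brien` breaks the concatenated query just as the probe does: a SQL error on a single quote is a correctness bug before it is a security bug, and parameter binding fixes both.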

Netsparker correctly detected a stored XSS vulnerability in the reviews section of the Juice Shop product screen. The vulnerable application section is a JavaScript-heavy frontend, with a RESTful API in the backend that facilitates the vulnerability. Even the DOM-based XSS vulnerability was detected, although the specific vulnerable endpoint was marked as the search API and not the sink that is the entry point for DOM XSS. On the positive side, the vulnerability was marked as “Possible” and a manual security review would find the vulnerable sink.

One interesting point for vulnerability detection is that Netsparker uses an engine that tries to verify if the vulnerability is exploitable and will try to create a “proof” of vulnerability, which reduces false positives.

On the negative side, no vulnerabilities in WebSocket-based communications were found, and neither was the API endpoint that implemented insecure YAML deserialization with PyYAML. By reviewing the Netsparker knowledge base, we also found that there is no support for WebSockets and deserialization vulnerabilities.

That’s certainly not a dealbreaker, but something that needs to be taken into account. This also reinforces the need to use a SAST-based scanner (even if just a free, open source one) in the application security scanning stack, to improve test coverage in addition to other, manual security review processes.
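As an added illustration of why a source-level check complements a black-box scan, here is a toy SAST rule written by us for this review (it is not Netsparker, Bandit or any other product) using Python’s `ast` module. It flags the two patterns discussed above that a runtime scan can miss: `yaml.load()` without `Loader=yaml.SafeLoader`, and SQL text assembled from string formatting before `execute()`. The sample source it scans is constructed; the choice of which constructs count as “built from input” is our assumption.

```python
import ast

# Constructed sample source: patterns a black-box scan cannot see but a source scan can.
SAMPLE_SOURCE = '''
import yaml

def load_config(blob):
    return yaml.load(blob)                      # unsafe: tags can construct arbitrary objects

def load_config_ok(blob):
    return yaml.load(blob, Loader=yaml.SafeLoader)

def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)    # SQL text built from input
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")      # same, via f-string
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))     # parameterised: fine
'''


def _dotted_name(node) -> str:
    """'yaml.load' for yaml.load(...), 'cur.execute' for cur.execute(...), '' for anything else."""
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def _built_from_input(node) -> bool:
    """True when the SQL text is assembled at runtime: %-formatting, concatenation, f-string or .format()."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    return isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format"


def scan_source(source: str) -> list:
    """Return (line, rule, message) findings for the given Python source, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        callee = _dotted_name(node.func)
        if callee in ("yaml.load", "yaml.load_all"):
            # Loader may be the second positional argument or the Loader= keyword; anything
            # other than SafeLoader is flagged, since the other loaders construct Python objects.
            loader = node.args[1] if len(node.args) > 1 else None
            for kw in node.keywords:
                if kw.arg == "Loader":
                    loader = kw.value
            if not _dotted_name(loader).endswith("SafeLoader"):
                findings.append((node.lineno, "unsafe-yaml-load",
                                 f"{callee}() without Loader=yaml.SafeLoader (or use yaml.safe_load)"))
        elif callee.endswith(".execute") and node.args and _built_from_input(node.args[0]):
            findings.append((node.lineno, "string-built-sql",
                             "SQL statement assembled from string formatting; bind parameters instead"))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule, message in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {rule}: {message}")
```

Running it over the sample reports the unsafe `yaml.load` and the two formatted SQL statements, and stays silent on the `SafeLoader` call and the parameterized query.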

Reporting capability

Multiple levels of detail (from extensive, to executive summary, to PCI-DSS level) are supported, with either PDF or HTML export. One nice feature we found is the ability to create F5 and ModSecurity rules for virtual patching. Also, scanned and crawled URLs can be exported from the reporting section, so it’s easy to review whether your scanner hit any specific endpoints.

Scan results dashboard

Scan result details

Instead of describing the reports, we decided to export a few and attach them to this review for your enjoyment and assessment. All of them have been submitted to VirusTotal for our more cautious readers.

Netsparker’s reporting capabilities satisfy our requirements: the reports contain everything a security or AppSec engineer or a developer needs.

Since Netsparker integrates with JIRA and other ticketing systems, the general vulnerability management workflow for most teams will be supported. For lone security teams, or where modern workflows aren’t integrated, Netsparker also has an internal issue tracking system that will let the user track the status of each found issue and run rescans against specific findings to see if mitigations were properly implemented. So even if you don’t have other methods of triage or processes set up as part of a SDLC, you can manage everything through Netsparker.

Verdict

Netsparker is extremely easy to set up and use. The wide variety of integrations allows it to be integrated into any number of workflows or management scenarios, and the integrated features and reporting capabilities have everything you would want from a standalone tool. As far as features are concerned, we have no objections.

The login flow – the simple interface, the 2FA support all the way to the scripting interface that makes it easy to authenticate even in the more complex environments, and the option to report on the scanned and crawled endpoints – helps users discover their scanning coverage.

Taking into account the fact that this is an automated scanner that relies on “black boxing” a deployed application without any instrumentation of the deployed environment or source code scanning, we think it is very accurate, though it could be improved (e.g., by adding the capability of detecting deserialization vulnerabilities). Following the review, Netsparker has confirmed that adding the capability of detecting deserialization vulnerabilities is included in the product development plans.

Nevertheless, we can highly recommend Netsparker.

2020 brings unique levels of PKI usage challenges

Organizations are rapidly increasing the size, scope and scale of their data protection infrastructure, reflected in dramatic rises in adoption of public key infrastructure (PKI) across enterprises worldwide, according to Entrust research.

PKI is at the core of nearly every IT infrastructure, enabling security for critical digital initiatives such as cloud, mobile device deployment, identities and the IoT.

The annual study is based on feedback from more than 1,900 IT security professionals in 17 countries.

IoT, authentication and cloud, top drivers in PKI usage growth

As organizations become more dependent on digital information and face increasingly sophisticated cyberattacks, they rely on PKI to control access to data and ascertain the identities of people, systems and devices on a mass scale.

IoT is the fastest growing trend driving PKI application deployment, up 26 percent over the past five years to 47 percent in 2020, with cloud-based services the second highest driver cited by 44 percent of respondents.

PKI usage surging for cloud and authentication use cases

TLS/SSL certificates for public-facing websites and services are the most often cited use case for PKI credentials (84 percent of respondents).

Public cloud-based applications saw the fastest year-over-year growth, cited by 82 percent, up 27 percent from 2019, followed by enterprise user authentication by 70 percent of respondents, an increase of 19 percent over 2019. All underscore the critical need of PKI in supporting core enterprise applications.

The average number of certificates an organization needs to manage grew 43 percent in the 2020 study over the previous year, from 39,197 to 56,192 certificates, highlighting a pivotal requirement for enterprise certificate management.

The rise is likely driven by the industry transition to shorter certificate validity periods, and the sharp growth in cloud and enterprise user authentication use cases.

Challenges, change and uncertainty

The study found that IT security professionals are confronting new challenges to enabling applications to use PKI. 52 percent cited lack of visibility of an existing PKI’s security capabilities as their top challenge, an increase of 16 percent over the 2019 study.

This issue underscores the lack of cybersecurity expertise available within even the most well-resourced organizations, and the need for PKI specialists who can create custom enterprise roadmaps based on security and operational best practices.

Respondents also cited inability to change legacy applications and the inability of their existing PKIs to support new applications as critical challenges – both at 51 percent.

When it comes to deploying and managing a PKI, IT security professionals are most challenged by organizational issues such as no clear ownership, insufficient skills and insufficient resources.

PKI deployment figures from the study clearly indicate a trend toward more diversified approaches, with as-a-service offerings even becoming more prevalent than on-premise offerings in some countries.

The two greatest areas of PKI change and uncertainty come from new applications such as IoT (52 percent of respondents) and external mandates and standards (49 percent). The regulatory environment is also increasingly driving deployment of applications that use PKI, cited by 24 percent of respondents.

Security practices have not kept pace with growth

In the next two years, an estimated average of 41 percent of IoT devices will rely primarily on digital certificates for identification and authentication. Encryption for IoT devices, platforms and data repositories, while growing, is at just 33 percent – a potential exposure point for sensitive data.

Respondents cited several threats to IoT security, including altering the function of IoT devices through malware or other attacks (68 percent) and remote control of a device by an unauthorized user (54 percent).

However, respondents rated controls relevant to malware protection – like securely delivering patches and updates to IoT devices – last on a list of the five most important IoT security capabilities.

The US National Institute of Standards and Technology (NIST) recommends that cryptographic modules for certificate authorities (CAs), key recovery servers and OCSP responders should be validated to FIPS 140-2 level 3 or higher.

Thirty-nine percent of respondents in this study use hardware security modules (HSMs) to secure their PKIs, most often to manage the private keys for their root, issuing, or policy CAs. Yet only 12 percent of respondents indicate the use of HSMs in their OCSP installations, demonstrating a significant gap between best practices and observed practices.

“PKI underpins the security of both the business and the consumer world, from digitally signing transactions and applications to prove the source as well as integrity, to supporting the authentication of smart phones, games consoles, citizen passports, mass transit ticketing and mobile banking,” says Larry Ponemon, founder of the Ponemon Institute.

“The 2020 Global PKI and IoT Trends Study shows a surge in the use of PKI credentials for cloud-based applications and enterprise user authentication, underscoring the criticality of PKI in supporting core enterprise applications.”

“We are seeing increasing reliance on PKI juxtaposed with struggles by internal teams to adapt it to new market needs — driving changes to traditional PKI deployment models and methods,” says John Grimm, vice president strategy for digital solutions at Entrust.

“In newer areas like IoT, enterprises are clearly failing to prioritize security mechanisms like firmware signing that would counter the most urgent threats, such as malware.

“And with the massive increase in certificates issued and acquired found in this year’s study, the importance of automated certificate management, a flexible PKI deployment approach, and strong best practice-based security including HSMs has never been greater.”

Most enterprises struggle with IoT security incidents

The ongoing global pandemic that has led to massive levels of remote work and an increased use of hybrid IT systems is leading to greater insecurity and risk exposure for enterprises.

According to new data released by Cybersecurity Insiders, 72% of organizations experienced an increase in endpoint and IoT security incidents in the last year, while 56% anticipate their organization will likely be compromised due to an endpoint or IoT-originated attack within the next 12 months.

The comprehensive survey of 325 IT and cybersecurity decision makers in the US, conducted in September 2020, represented a balanced cross-section of organizations from financial services, healthcare and technology to government and energy.

IoT and endpoint security challenge

Alongside headline data that the majority experienced an endpoint and IoT security incident over the last 12 months, the top 3 issues were related to malware (78%), insecure network and remote access (61%), and compromised credentials (58%).

Perhaps more concerning was that 43% of respondents expressed “moderate to unlikely means to discover, identify, and respond to unknown, unmanaged, or insecure devices accessing network and cloud resources.”

“It is clear from this new research that the challenge of securing IoT and endpoints has escalated considerably as employees have been forced to work remotely while organizations try to rapidly adapt to the situation,” said Scott Gordon, CMO at Pulse Secure.

“The threat is real and growing. Yet, on a positive note, the survey shows that organizations are investing in key initiatives and adopting zero trust elements such as remote access device posture checking and Network Access Control (NAC) to address some of these issues.”

The negative impact of an endpoint or IoT security issue

The research found that 41% will implement or advance on-premise device security enforcement, 35% will advance their remote access device posture checking, and 22% will advance their IoT device identification and monitoring capabilities.

For those that have been victims of an endpoint or IoT security issue, the most significant negative impact was a reported loss of user (55%) and IT (45%) productivity, followed by system downtime (42%).

Holger Schulze, CEO at Cybersecurity Insiders, added, “The diversity of users, devices, networks, and threats continues to grow as enterprises take advantage of greater workforce mobility, workplace flexibility, and cloud computing opportunities.

“Not only do organizations need to ensure endpoints are secure and adhering to usage policy, but they must also manage appropriate IoT device access. New zero trust security controls can fortify dynamic device discovery, verification, tracking, remediation, and access enforcement.”

Additional key findings

  • Respondents rated the biggest endpoint and IoT security challenges as #1 insufficient protection against the latest threats (49%), #2 high complexity of deployment and operations (47%), and #3 inability to enforce endpoint and IoT device access/usage policy (40%).
  • Respondents rated the most critical capabilities required to mitigate endpoint and IoT security as #1 monitoring endpoint or IoT devices for malicious or anomalous activity (54%), #2 blocking or isolating unknown or at-risk endpoint and IoT devices’ network access (51%), and #3 blocking at-risk devices’ access to network or cloud resources (46%).
  • When asked about anticipated investments to secure remote worker access and endpoint security technology, most organizations (61%) anticipate an increase, or significant increase, while few expect a decrease (6%).

HP Device Manager vulnerabilities may allow full system takeover

Three vulnerabilities affecting HP Device Manager, an application for remote management of HP Thin Client devices, could be chained together to achieve unauthenticated remote command execution as SYSTEM, security researcher Nick Bloor has found.

The vulnerabilities were patched by HP nearly two weeks ago, but additional vulnerability and research details published on Monday may help attackers craft a working exploit.

The vulnerabilities

Thin clients are low-performance computers optimized for establishing a remote connection with a server-based computing environment.

HP Device Manager allows IT admins to remotely deploy, update, and manage thousands of HP Thin Clients through a single console.

The three vulnerabilities discovered by Bloor “may allow locally managed accounts within HP Device Manager to be susceptible to dictionary attacks due to weak cipher implementation (CVE-2020-6925) and allow a malicious actor to remotely gain unauthorized access to resources (CVE-2020-6926), and/or allow a malicious actor to gain SYSTEM privileges (CVE-2020-6927).”

CVE-2020-6925 and CVE-2020-6926 affect all versions of HP Device Manager, while CVE-2020-6927 (a privilege escalation vulnerability) affects HP Device Manager 5.0.0 to 5.0.3.

CVE-2020-6925 doesn’t impact customers who are using Active Directory authenticated accounts, HP pointed out, and CVE-2020-6927 doesn’t impact customers who are using an external database and have not installed the integrated Postgres service.

Fixes and mitigations

HP has provided a security update for the HP Device Manager 5.0.x branch – HPDM v5.0.4 – and will include the fixes for the 4.x branch in HP Device Manager 4.7 Service Pack 13.

Mitigations that partially address these issues are also available, and include:

  • Limiting incoming access to Device Manager ports 1099 and 40002 to trusted IPs or localhost only
  • Removing the dm_postgres account from the Postgres database; or updating the dm_postgres account password within HP Device Manager Configuration Manager; or creating an inbound rule within Windows Firewall configuration to configure the PostgreSQL listening port (40006) for localhost access only.

Admins are advised to implement the offered security updates or mitigations as soon as possible.

The biggest cyber threats organizations deal with today

Microsoft has released a new report outlining enterprise cyberattack trends in the past year (July 2019 – June 2020) and offering advice on how organizations can protect themselves.

Based on over 8 trillion daily security signals and observations from the company’s security and threat intelligence experts, the Microsoft Digital Defense Report 2020 draws a distinction between attacks mounted by cybercriminals and those by nation-state attackers.

The cybercrime threat

In the past year, cybercriminals:

  • Were quick to exploit the fear and uncertainty associated with COVID-19, as well as the popularity of some SaaS offerings and other services, as lures in phishing emails
  • Exploited the lack of basic security hygiene and well-known vulnerabilities to gain access to enterprise systems and networks
  • Exploited supply chain (in)security by hitting vulnerable third-party services, open source software and IoT devices and using them as a way into the target organization

More often than not, phishing emails impersonate a well-known service such as Office 365 (Microsoft), Zoom, Amazon or Apple, in an attempt to harvest login credentials.

“While credential phishing and BEC continue to be the dominant variations, we also see attacks on a user’s identity and credential being attempted via password reuse and password spray attacks using legacy email protocols such as IMAP and SMTP,” Microsoft noted.

The attackers’ reason for exploiting these legacy authentication protocols is simple: they don’t support multi-factor authentication (MFA). Microsoft advises on enabling MFA and disabling legacy authentication.
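The password spray pattern described above has a recognizable shape in authentication logs: one source, many accounts, very few attempts per account, and typically over a protocol that cannot carry MFA. As an added example (ours, not Microsoft’s), the following Python detection runs over a handful of constructed log lines in an assumed key=value format and separates a spray from an ordinary single-account brute force; it also lists any account that did authenticate from the spraying source, since that is the one to triage first.

```python
import re
from collections import defaultdict

# Constructed authentication log lines (RFC 5737 test addresses); the format is assumed.
LOG_LINES = """
2020-06-01T10:00:01Z auth=fail user=alice@example.com src=203.0.113.5 proto=IMAP
2020-06-01T10:00:02Z auth=fail user=bob@example.com src=203.0.113.5 proto=IMAP
2020-06-01T10:00:03Z auth=fail user=carol@example.com src=203.0.113.5 proto=SMTP
2020-06-01T10:00:04Z auth=fail user=dave@example.com src=203.0.113.5 proto=IMAP
2020-06-01T10:00:05Z auth=fail user=erin@example.com src=203.0.113.5 proto=SMTP
2020-06-01T10:00:06Z auth=ok user=frank@example.com src=203.0.113.5 proto=IMAP
2020-06-01T10:01:00Z auth=fail user=bob@example.com src=198.51.100.7 proto=HTTPS
2020-06-01T10:01:01Z auth=fail user=bob@example.com src=198.51.100.7 proto=HTTPS
2020-06-01T10:01:02Z auth=fail user=bob@example.com src=198.51.100.7 proto=HTTPS
2020-06-01T10:01:03Z auth=fail user=bob@example.com src=198.51.100.7 proto=HTTPS
2020-06-01T10:01:04Z auth=fail user=bob@example.com src=198.51.100.7 proto=HTTPS
2020-06-01T10:02:00Z auth=ok user=alice@example.com src=192.0.2.10 proto=HTTPS
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+) proto=(?P<proto>\w+)$"
)
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP"}   # protocols that cannot carry an MFA challenge


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped rather than crashing the rule."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect_password_spray(lines, min_users: int = 5, max_per_user: int = 2) -> list:
    """Spray signature: one source touching many accounts with only a few attempts each.
    A brute force has the opposite shape (many attempts against one account) and is not flagged here."""
    failures = defaultdict(lambda: defaultdict(int))   # src -> user -> failed attempts
    protocols = defaultdict(set)                        # src -> protocols seen from that source
    successes = defaultdict(set)                        # src -> accounts that authenticated
    for ev in parse(lines):
        protocols[ev["src"]].add(ev["proto"])
        if ev["result"] == "fail":
            failures[ev["src"]][ev["user"]] += 1
        else:
            successes[ev["src"]].add(ev["user"])

    alerts = []
    for src, per_user in failures.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            alerts.append({
                "src": src,
                "users_targeted": len(per_user),
                "legacy_protocols": sorted(protocols[src] & LEGACY_PROTOCOLS),
                "possible_hits": sorted(successes[src]),   # a success from a spraying source needs triage
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(LOG_LINES):
        print(alert)
```

On the sample, 203.0.113.5 is reported (five accounts, one attempt each, over IMAP and SMTP, with one successful login to follow up), while 198.51.100.7 hammering a single account is left to a separate brute-force rule. Disabling the legacy protocols, as the text recommends, removes the MFA-free path these attempts rely on.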

Cybercriminals are also:

  • Increasingly using cloud services and compromised email and web hosting infrastructures to orchestrate phishing campaigns
  • Rapidly changing campaigns (sending domains, email addresses, content templates, and URL domains)
  • Constantly changing and evolving payload delivery mechanisms (poisoned search results, custom 404 pages hosting phishing payloads, etc.)

One of the biggest and most disruptive cybercrime threats in the past year was ransomware – particularly “human-operated” ransomware wielded by gangs that target organizations they believe will part with big sums if affected.

These gangs sweep the internet for easy entry points or use commodity malware to gain access to company networks and change ransomware payloads and attack tools depending on the “terrain” they landed in (and to avoid attribution).

“Ransomware criminals are intimately familiar with systems management concepts and the struggles IT departments face. Attack patterns demonstrate that cybercriminals know when there will be change freezes, such as holidays, that will impact an organization’s ability to make changes (such as patching) to harden their networks,” Microsoft explained.

“They’re aware of when there are business needs that will make businesses more willing to pay ransoms than take downtime, such as during billing cycles in the health, finance, and legal industries. Targeting networks where critical work was needed during the COVID-19 pandemic, and also specifically attacking remote access devices during a time when unprecedented numbers of people were working remotely, are examples of this level of knowledge.”

Some of them have even shortened their in-network dwell time before deploying the ransomware, going from initial entry to ransoming the entire network in less than 45 minutes.

Gerrit Lansing, Field CTO, Stealthbits, commented that the speed at which a targeted ransomware attack can happen is really determined by one thing: how quickly an adversary can compromise administrative privileges in Microsoft Active Directory.

“Going from initial infiltration to total ownership of Active Directory can be a matter of seconds. Once these privileges are compromised, an adversary’s ability to deploy ransomware to all machines joined to Active Directory is unfettered, which explains how an adversary can go from initial infiltration to total ransomware infection in such a short period of time,” he noted.

Finally, to counter the threat of supply chain insecurity, Microsoft advises companies to:

  • Vet their service providers thoroughly
  • Use systems to automatically identify open source software components and vulnerabilities in them
  • Map IoT assets, apply security policies to reduce the attack surface, use a separate network for IoT devices, and be familiar with all exposed interfaces

Nation-state threats

The company has been following and mapping the activities of a number of nation-state actors and has found that – based on the nation state notifications they deliver to their customers – the attackers’ primary targets are not in the critical infrastructure sectors.

Instead, the top targeted industry sectors are non-governmental organizations (advocacy groups, human rights organizations, nonprofit organizations, etc.) and professional services (consulting firms and contractors):

Microsoft found the most common attack techniques used by nation-state actors in the past year are reconnaissance, credential harvesting, malware, and VPN exploits. Web shell-based attacks are also on the rise.

The report delineates steps organizations can take to counter each of these threats as well as to improve their security and the security of their remote workforce.

“Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace; that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies, and, especially, enabling MFA. Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks,” the Microsoft Security Team concluded.

Phishers are targeting employees with fake GDPR compliance reminders

Phishers are using a bogus GDPR compliance reminder to trick recipients – employees of businesses across several industry verticals – into handing over their email login credentials.

The lure

“The attacker lures targets under the pretense that their email security is not GDPR compliant and requires immediate action. For many who are not versed in GDPR regulations, this phish could be merely taken as more red tape to contend with rather than being identified as a malicious message,” Area 1 Security researchers noted.

In this evolving campaign, the attackers targeted mostly email addresses they could glean from company websites and, to a lesser extent, emails of people who are high in the organization’s hierarchy (execs and upper management).

Any pretense will do for a phishing email, but when targeting businesses, the lure is far more effective if it can pass as an email sent from inside the organization. So the attackers attempted to make it look like the email was coming from the company’s “security services”, though some initial mistakes on their part would reveal to careful targets that the email was sent from an outside email account (a Gmail address).

“On the second day of the campaign the attacker began inserting SMTP HELO commands to tell receiving email servers that the phishing message originated from the target company’s domain, when in fact it came from an entirely different origin. This is a common tactic used by malicious actors to spoof legitimate domains and easily bypass legacy email security solutions,” the researchers explained.

The phishing site

Following the link in the email takes victims to the phishing site, initially hosted on a compromised, outdated WordPress site.

The link is “personalized” with the target’s email address, so the HTML form on the malicious webpage auto-populates the username field with the correct email address (found in the URL’s “email” parameter). Despite the “generic” look of the phishing page, this capability can convince some users to log in.
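The three tells described above (a From header that does not match the envelope sender, a HELO that claims the target’s own domain from an address it does not send from, and a link carrying the recipient’s address) can each be checked at the mail gateway. Here is an added Python example, written for this article and not from the Area 1 researchers, that parses a constructed message with the standard `email` module and reports those indicators. The “known outbound addresses” set is an assumption standing in for what an SPF record would publish.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

OUR_DOMAIN = "example.com"
OUR_OUTBOUND_IPS = {"192.0.2.25"}   # assumed: addresses our own mail servers actually send from

# Constructed message modelled on the lure described above (reserved domains, RFC 5737 addresses).
RAW_MESSAGE = """Return-Path: <sender@freemail-provider.example>
Received: from example.com (unknown [203.0.113.9]) by mx.example.com with ESMTP id q1w2e3; Tue, 6 Oct 2020 09:12:00 +0000
From: "Security Services" <security@example.com>
To: alice@example.com
Subject: Action required: GDPR compliance of your mailbox
Content-Type: text/html

<p>Your email security is not GDPR compliant.</p>
<a href="https://compromised-site.invalid/wp-content/uploads/verify.php?email=alice@example.com">Verify now</a>
"""

RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\([^\[]*\[(?P<ip>[^\]]+)\]\)")
HREF_RE = re.compile(r'href="([^"]+)"')


def _domain(header_value: str) -> str:
    """Domain part of the address in a From/Return-Path header ('' if absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def analyze(raw: str) -> dict:
    msg = email.message_from_string(raw)
    from_domain = _domain(msg.get("From", ""))
    return_path_domain = _domain(msg.get("Return-Path", ""))
    indicators = []

    # 1. Return-Path is the envelope sender the account really used; the From header is free text.
    if from_domain and return_path_domain and from_domain != return_path_domain:
        indicators.append("return-path-mismatch")

    # 2. A hop that announced itself (HELO/EHLO) as our domain but came from an address we do not send from.
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.search(received)
        if m and m.group("helo").lower().endswith(OUR_DOMAIN) and m.group("ip") not in OUR_OUTBOUND_IPS:
            indicators.append("helo-claims-our-domain-from-unknown-ip")

    # 3. Links carrying the recipient's address as a parameter, ready to pre-fill a credential form.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for href in HREF_RE.findall(body):
        if "email" in parse_qs(urlparse(href).query):
            indicators.append("personalized-credential-link")

    return {"from_domain": from_domain, "return_path_domain": return_path_domain, "indicators": indicators}


if __name__ == "__main__":
    print(analyze(RAW_MESSAGE))
```

The second check is the one that defeats the HELO trick the researchers describe: the forged HELO string is only a claim, and comparing the connecting address against the domain’s published senders (which SPF does for real) exposes it.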

Once the password is submitted, a script sends the credentials to the phishers and the victim is shown an error page.

As always, users/employees are advised not to click on links in unsolicited emails and to avoid entering their credentials into unfamiliar login pages.

Incident management tools and processes insufficient to enable innovation

Enterprise digital transformation budgets continue to increase despite a recession, developers find it challenging to innovate, and standard incident management tools and processes hinder digital service resilience, xMatters research reveals.

Digital service resilience is the ability to recover quickly, adapt and learn from incidents such as outages and interruptions to prevent future technology and customer-impacting issues.

The report also analyzed the varying degrees of incident management readiness or preparedness within an organization to identify its position in the Incident Management Spectrum.

The research found that comparatively, across the Incident Management Spectrum, only the most advanced organizations have isolated keys to success across business and incident management functions.

“Through a series of research reports over the past year, we studied the growing challenges faced by those tasked with the delivery and maintenance of digital services. Customer-impacting issues continue to be a roadblock to innovation as today’s digital, fast moving environment requires technology teams to spend more time supporting operations,” said Troy McAlpin, CEO at xMatters.

“However, there is an opportunity for technology professionals to evolve incident management approaches through incident response automation, collaboration and constant learning in order to achieve customer delight and further innovation.”

Pandemic forces digital transformation

Spending on digital transformation has increased continually since the November 2019 research. Twenty percent of companies with 1,001-5,000 employees are budgeting more than $10 million on digital transformation initiatives, compared with 9.3% in November 2019.

This focus on digital transformation was accelerated by the COVID-19 pandemic. Findings from the April 2020 Impact of COVID-19 on Digital Transformation survey showed more than half of consumers experienced a rise in application performance issues, forcing many companies to accelerate digital transformation in order to deliver accessible digital experiences for customers and employees.

Customer-impacting issues are a roadblock to innovation

The research found that the proportion of technology professionals affected by customer-impacting issues when building out services has increased by almost ten percentage points to 84.3%, compared to results from the November 2019 Incident Management in the Age of Customer-Centricity research. Overall, there is a marked need for improvement in customer experiences and an organizational commitment to innovation across industries.

72.3% of respondents—across a variety of titles including development, SRE, IT operations and management—reported that at least half of their team’s time is spent resolving incidents compared to time spent on innovation. Of these respondents, 27.3% said at least 80% of their team’s time is spent resolving incidents.

Opportunity for advancement in the Incident Management Spectrum

To assess the efficacy of incident management in organizations, the State of Automation in Incident Management analyzed the components of a comprehensive incident management practice (e.g., team structure, tools) and how organizations detect, resolve and learn from incidents.

Responses to survey questions were further analyzed and scored to determine an organization’s position in the Incident Management Spectrum based on approaches to incident management.

The four categories within the Incident Management Spectrum are:

  • Ad hoc: there is no formal incident management practice
  • Traditional incident management: an approach driven by service desk tickets and ITIL processes
  • Modern incident management: individual teams detect and resolve service-based issues
  • Adaptive incident management: a scalable, service-centric model that harnesses as much automation as possible

The results of the research found that almost all respondents employ either a traditional (40.1%) or modern (58.6%) approach to incident management.

“Traditional teams spend much of their time on firefighting and completing non-value-added tasks compared to innovation, while modern teams, who have allocated more budget toward digital transformation, spend equal amounts of time resolving incidents and building out features,” continued McAlpin.

Automation, collaboration and learning are key to superior customer experiences

While most technology professionals reported the implementation of team-oriented incident management processes, there is room for advancement in multiple aspects of day-to-day processes.

43.4% of technology professionals deploy less sophisticated processes such as alerting; emailing and paging; conference bridges; or manual setup and outreach to engage team members, stakeholders and customers during an incident.

Most organizations that employ a traditional approach to incident management use service desks and process-heavy approaches, whereas modern organizations leverage incident management tools for incident response and management.

Moreover, as companies look to reliable digital services as an indicator of customer success, there is an opportunity to automate the postmortem process.

When asked about top benefits of using artificial intelligence or machine learning for incident management, respondents identified informing post-incident reporting with data from previous, related incidents (36%) and aggregation of data to detect anomalies early (28.9%).

Are your domain controllers safe from Zerologon attacks?

CVE-2020-1472, a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC) for which Microsoft released a patch in August, has just become a huge liability for organizations that are struggling with timely patching.

Secura researchers – the very same ones who found and disclosed the flaw to Microsoft – published additional technical details on Monday and, just a few hours later, several PoC exploits/tools were published on GitHub.

About CVE-2020-1472

CVE-2020-1472 (aka Zerologon) affects all supported Windows Server versions, but the danger is highest for servers that function as Active Directory domain controllers in enterprise networks.

The vulnerability stems from a flaw in the cryptographic authentication scheme used by the Netlogon Remote Protocol: the client credential is computed with AES in CFB8 mode using a fixed, all-zero initialization vector.

“By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password,” Secura researchers explained.

“This attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials.”
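The following toy model shows why those all-zero messages work. It is an added example, not code from Secura or Microsoft. MS-NRPC computes the credential by encrypting an 8-byte challenge with AES-CFB8 under the session key, with the IV fixed at sixteen zero bytes. The block below implements the CFB8 mode itself faithfully, but swaps AES for a keyed SHA-256 block function so that it runs with the standard library only (assumption: CFB only ever calls the block function in the forward direction, so any unpredictable 16-byte block function reproduces the effect). The session keys and the seeds are constructed sample data. `sample_key`, `acceptance_rate` and `attempts_until_accepted` are names chosen for this example.

```python
# Toy model of the Zerologon (CVE-2020-1472) root cause.
# Added example, not code from Secura or Microsoft. The CFB8 mode is the
# real construction used by MS-NRPC; AES is replaced by a keyed SHA-256
# block function (assumption: the effect depends on the mode and the
# fixed zero IV, not on the particular block cipher).
import hashlib

BLOCK = 16                 # 128-bit block, as for AES
ZERO_IV = bytes(BLOCK)     # MS-NRPC fixes the IV to sixteen zero bytes
ZERO_CHALLENGE = bytes(8)  # the attacker's all-zero client challenge


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 encryption of one block (a keyed PRF)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB with an 8-bit feedback segment: each plaintext byte is XORed
    with the first byte of E(key, shift_register), and the resulting
    ciphertext byte is shifted into the register."""
    assert len(iv) == BLOCK
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream = toy_block_encrypt(key, bytes(shift))[0]
        c = p ^ keystream
        out.append(c)
        del shift[0]        # drop the oldest byte ...
        shift.append(c)     # ... and feed the ciphertext byte back
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes,
                                iv: bytes = ZERO_IV) -> bytes:
    """Mirrors ComputeNetlogonCredential: CFB8 with the IV fixed to zero."""
    return cfb8_encrypt(session_key, iv, challenge)


def zero_credential_accepted(session_key: bytes, iv: bytes = ZERO_IV) -> bool:
    """The attacker sends an all-zero client challenge and an all-zero
    client credential. The server accepts iff its own credential over the
    zero challenge is also eight zero bytes."""
    return compute_netlogon_credential(session_key, ZERO_CHALLENGE, iv) == bytes(8)


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """With IV = 0 and plaintext = 0 the first ciphertext byte is 0 iff
    E(key, 0^16)[0] == 0. The register then contains all zeros again, so
    every later byte repeats the same computation and is 0 as well: the
    whole credential is zero with probability 1/256 over the key."""
    return toy_block_encrypt(session_key, ZERO_IV)[0] == 0


def sample_key(i: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic 16-byte session key number i (constructed data)."""
    return hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:BLOCK]


def acceptance_rate(trials: int, iv: bytes = ZERO_IV) -> float:
    """Fraction of session keys for which the zero credential is accepted.
    Every real handshake attempt gets a fresh server challenge and hence a
    fresh session key, so sampling keys models repeated attempts."""
    hits = sum(zero_credential_accepted(sample_key(i), iv) for i in range(trials))
    return hits / trials


def attempts_until_accepted(seed: bytes = b"constructed-attack",
                            limit: int = 100_000) -> int:
    """Handshake attempts an attacker needs before the server accepts the
    all-zero credential (expected about 256)."""
    for n in range(1, limit + 1):
        if zero_credential_accepted(sample_key(n, seed)):
            return n
    raise RuntimeError("no acceptance within limit")


if __name__ == "__main__":
    print("zero IV    :", acceptance_rate(8192))                    # about 1/256
    print("nonzero IV :", acceptance_rate(8192, iv=sample_key(0)))  # about 2**-64
    print("attempts   :", attempts_until_accepted())
```

The contrast with a nonzero IV shows what the fixed zero IV does: after one zero ciphertext byte the register is back at the all-zero state, so the remaining seven bytes are not independent trials at 1/256 each (2^-64 overall) but a repeat of the first one. Microsoft's fix does not change the IV; it requires signed and sealed (secure RPC) Netlogon channels, which the zero-credential attacker cannot produce.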

“In a hypothetical attack, one could use this vulnerability to deploy ransomware throughout an organization and maintain a persistent presence if cleanup and restoration efforts miss any additional malicious scripts,” Tenable security response manager Ryan Seguin noted.

“Organizations with network-accessible backups could end up with a perfect storm if a ransomware group destroys backups to increase their likelihood of payout from the victim organization.”

Exploitation

Several PoC exploits have been released by security researchers in the past day (1, 2, 3, 4), and the effectiveness of some of them has been confirmed.

Secura researchers published a Python script organizations can use to check whether a domain controller is vulnerable. The script only tests whether the DC accepts the zero-credential handshake; it does not change the DC's machine account password.

Remediation

Domain controllers that have received the patch released in August are protected from the attack, as it makes them require secure NRPC (signed and sealed Netlogon channels) from all Windows servers and clients in the domain. All Active Directory domain controllers should be updated, including read-only domain controllers.

“The updates will enable the Domain Controllers (DCs) to protect Windows devices by default, log events for non-compliant device discovery, and have the option to enable protection for all domain-joined devices with explicit exceptions,” Microsoft explained.

But complete remediation will only happen once organizations deploy Domain Controller (DC) enforcement mode, which requires all Windows and non-Windows devices to use secure NRPC, or requires administrators to explicitly allow any non-compliant device by adding an exception for its account.

While organizations can deploy DC enforcement mode immediately by setting a specific registry value on their DCs (FullSecureChannelProtection under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters), DCs will be placed in enforcement mode automatically on February 9, 2021. In the meantime, patched DCs log event ID 5829 for each vulnerable Netlogon connection they still allow, which identifies the devices that must be updated or granted an exception before enforcement.

This phased rollout is due to the fact that there are many non-Windows implementations of the Netlogon Remote Protocol, and vendors of non-compliant implementations are being given time to provide customers with the needed updates.

Attackers are exploiting two zero-day flaws in Cisco enterprise-grade routers

A technical support case has revealed two zero-day vulnerabilities in the OS running on Cisco enterprise-grade routers that attackers are actively trying to exploit.

Cisco plans to release software updates to plug these security holes, but in the meantime administrators are advised to implement one or more of the provided mitigations.

About the vulnerabilities

The two zero-day flaws – CVE-2020-3566 and CVE-2020-3569 – affect the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software, running on Cisco enterprise-grade routers for service providers, data centers, enterprises, and critical infrastructure.

They can be exploited by an unauthenticated, remote attacker by sending crafted IGMP (Internet Group Management Protocol) traffic to an affected device.

“A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols,” Cisco explained.

Proposed mitigations include:

  • Implementing a rate limiter for IGMP traffic
  • Adding an access control entry (ACE) to an existing interface access control list (ACL) that denies DVMRP traffic. “Alternatively, the customer can create a new ACL for a specific interface that denies DVMRP traffic inbound on that interface,” the company noted.

The company has also provided indicators of compromise, i.e., messages that appear in the system logs if a device is experiencing memory exhaustion due to exploitation of these vulnerabilities.

“These vulnerabilities affect any Cisco device that is running any release of Cisco IOS XR Software if an active interface is configured under multicast routing,” they added.

ERP security: Dispelling common misconceptions

Enterprise resource planning (ERP) systems are an indispensable tool for most businesses. They allow organizations to track business resources and commitments in real time and to manage day-to-day business processes (e.g., procurement, project management, manufacturing, supply chain, human resources, sales, accounting).

The various applications integrated in ERP systems collect, store, manage, and interpret sensitive data from the many business activities, which allows organizations to improve their efficiency in the long run.

Needless to say, the security of such a crucial system and all the data it stores should be paramount for every organization.

Common misconceptions about ERP security

“Since ERP systems have a lot of moving parts, one of the biggest misconceptions is that the built-in security is enough. In reality, while you may not have given access to your company’s HR data to a technologist on your team, they may still be able to access the underlying database that stores this data,” Mike Rulf, CTO of Americas Region, Syntax, told Help Net Security.

“Another misconception is that your ERP system’s access security is robust enough that you can allow people to access their ERP from the internet.”

In fact, the technical complexity of ERP systems means that security researchers are constantly finding vulnerabilities in them, and businesses that make them internet-facing without thinking through or prioritizing their protection create risks they may not be aware of.

When securing your ERP systems you must think through all the different ways someone could potentially access sensitive data and deploy business policies and controls that address these potential vulnerabilities, Rulf says. Patching security flaws promptly is extremely important, as each unpatched, known flaw is an avenue into company data.

Advice for CISOs

While patching is necessary, it’s true that business leaders can’t disrupt day-to-day business activity for every new patch.

“Businesses need some way to mitigate any threats between when patches are released and when they can be fully tested and deployed. An application firewall can act as a buffer to allow a secure way to access your proprietary technology and information during this gap. Additionally, an application firewall allows you to separate security and compliance management from ERP system management enabling the checks and balances required by most audit standards,” he advises.

He also urges CISOs to integrate the login process with their corporate directory service, such as Active Directory, so that disabling an employee's directory account on departure revokes their ERP access too, instead of administrators having to remember to turn off credentials in multiple systems.

To make mobile access to ERP systems safer for a remote workforce, CISOs should definitely leverage multi-factor authentication (MFA), which forces employees to prove their identity before accessing sensitive company information.

“For example, Duo sends a text to an employee’s phone when logging in outside the office. This form of security ensures that only the people granted access can utilize those credentials,” he explained.

VPN technology should also be used to protect ERP data when employees access it from new devices and unfamiliar Wi-Fi networks.

“VPNs today can enable organizations to validate these new/unfamiliar devices adhere to a minimum security posture: for example, allowing only devices with a firewall configured and appropriate malware detection tools installed can access the network. In general, businesses can’t really ever know where their employees are working and what network they’re on. So, using VPNs to encrypt that data being sent back and forth is crucial.”

On-premises vs. cloud ERP security

The various SaaS applications in your ERP, such as Salesforce and Oracle Cloud Apps, leave you beholden to those service providers to manage your applications’ security.

“You need to ask your service providers about their audit compliance and documentation. Because they are providing services critical to your business, you will be asked about these third parties by auditors during a SOC audit. You’ll thus need to expand your audit and compliance process (and the time it takes) to include an audit of your external partners,” Rulf pointed out.

“Also, when you move to AWS or Azure, you’re essentially building a new virtual data center, which requires you to build and invest in new security and management tools. So, while the cloud has a lot of great savings, you need to think about the added and unexpected costs of things like expanded audit and compliance.”

Save-to-transform as a catalyst for embracing digital disruption

Organizations that invest in key capabilities today to navigate a post COVID-19 business environment can position themselves to thrive in the “next normal”, according to a Deloitte survey.

The survey also found that expectations for positive revenue growth have declined significantly since the 2019 edition of the study, and two-thirds of respondents expect at least one more wave of COVID-19 relapses to occur. As a result, 66% of companies globally now expect to pursue cost reduction over the next 12 months, compared to 38% before the pandemic.

In addition, the percentage of respondents pursuing cost reduction targets greater than 10% increased by 61% (25 percentage points) compared to pre-COVID-19 levels.

The report, conducted between June and July 2020, aims to understand the short- and long-term impacts of the COVID-19 crisis on global cost management, performance improvement practices and transformation trends.

Survey results include responses from 1,089 global executives from 14 countries across the U.S., Latin America, Europe and Asia Pacific regions who have direct involvement in their companies' cost management and enterprise transformation efforts.

Shifting cost management strategy from “Save-to-Transform”

The 2019 survey, conducted prior to the COVID-19 pandemic, found that the prevailing mindset for strategic cost management and enterprise transformation was “Save-to-Transform.”

In this approach, businesses evolve through infrastructure investments in digital technologies. In turn, these technologies can deliver dramatic improvements in competitiveness, performance and operating efficiency.

In response to the pandemic, the survey shows that organizations are evolving into a “Save-to-Thrive” mindset, in which they are accelerating strategic transformation actions specifically in response to challenges posed by COVID-19 to make shifts to their operating models, products and services and customer engagement capabilities.

“The Save-to-Thrive framework will be essential to success in the next normal as companies rely on technology and digital enablement — with a renewed emphasis on talent — to improve their plans for strategic cost transformation and overall enterprise performance improvement,” said Omar Aguilar, principal and global strategic cost transformation leader, Deloitte Consulting.

“Companies that react quickly and invest in technology and digital capabilities as they pursue the strategic levers of cost, growth, liquidity and talent will be best-positioned to succeed.”

Business challenges in a COVID-19 world

As countries responded to the pandemic by implementing restrictions such as stay-at-home orders and mandatory shutdowns, organizations began to experience demand-driven financial impacts.

According to the study, the top external challenge reported globally is a drop in consumer demand (74%), followed by a related shift in consumer behavior (67%). Cybersecurity vulnerabilities (65%) and supply chain challenges (65%) were also reported by survey respondents as top issues impacting their organizations.

In addition, industry-specific impacts are posing challenges — though they vary significantly by sector. A decline in revenue is expected by 61% of transportation sector and 60% of hospitality sector respondents, many of whose operations have been significantly curtailed by consumer demand and public health measures.

On the positive side, revenue growth is expected by 63% in the medical technology sector followed closely by telecom (58%), pharmaceuticals (58%) and software and information technology services (57%).

Finally, inability to adjust cost structure to meet demand is the top internal challenge globally and across all regions. Inability to meet employee safeguards and satisfy increased demand round out the top three internal challenges globally.

Coping with COVID-19: respond, recover, thrive

Current actions to address the COVID-19 crisis can be divided into three major stages: “respond” (immediate actions to respond to the crisis), “recover” (stabilize operations), and “thrive” (defined strategy with structural changes to thrive).

These stages culminate in a long-term operating environment Deloitte calls the “next normal,” which represents the new business conditions established as a result of the societal, commercial and technological changes caused by public and private reactions to COVID-19.

Today, survey respondents report that they are mostly in the “recover” phase as they respond to the immediate crisis and turn to recovery actions. The study also shows, as organizations move through these phases, that expectations for revenue growth, although down from pre-COVID-19 levels, remain somewhat positive in the respond stage (55%) and “recover” stage (58%).

In the “thrive” stage, the vast majority of companies globally (74%) and in all regions have a positive outlook for revenue growth, with only 24% globally expecting flat or declining revenue.

Lastly, automation has emerged as the top transformation action with about 2 in 3 companies expecting to pursue automation in all three stages of the respond-recover-thrive framework.

Succeeding in the next normal: New business conditions after COVID-19

When mapping out strategies to respond, recover and thrive, organizations should have informed insights about the future business environment. The 2020 Cost and Transformation Survey reports several trends that are shaping the next normal, including:

  • Revenue sources will be fundamentally different: According to the survey, the fastest growing revenue sources will be: digital channels; new products and services; and domestic operations.
  • IT infrastructure, remote work, and digital channels will be the top operating model priorities: The survey reports the top priorities as: enhance IT infrastructure (78%); enable remote work (76%); and enable pre-sale, sale and post-sale activities through digital channels (72%).
  • Top product strategies for the next normal focus on innovation, health and safety measures and customization: Globally, the top product strategies include: adjust, redesign or innovate your product/service offering to expand to adjacent and/or new markets (74%); leverage new health and safety measures by redesigning your current product/service offering (73%); and customize products or services to meet new customer and/or government requirements (74%).
  • Next normal customer engagement strategies will be driven by digital channels and flexible customer experiences: Globally, the most popular strategy for customer engagement will be to shift most transactions to digital channels (75%).
  • Cybersecurity and cloud will be the key technologies: Respondents report the most relevant technologies in the next normal will be cybersecurity solutions (80%) and cloud computing (80%).

“Our 2020 Global Cost and Enterprise Transformation survey shows how organizations that strategically pursue cost reduction in the wake of COVID-19, while concurrently reimagining the enterprise and transforming work and business models, can be more successful in the next normal,” said Sam Balaji, Deloitte global consulting leader.

“Investing in critical technology capabilities such as cloud and digital can increase business agility, improve competitiveness and better prepare organizations to persevere, and position them well for the post-COVID environment.”

3 tips to increase speed and minimize risk when making IT decisions

There is nothing like a crisis to create a sense of urgency and spawn actions. This is especially true for enterprise IT teams, who are tasked with new responsibilities and critical decisions. Speed matters in the heat of the moment and many leaders may not take the necessary steps to assess the risk of their decisions in order to mitigate the crisis quickly. When processes are rushed, security concerns and other gaps in the system … More

The post 3 tips to increase speed and minimize risk when making IT decisions appeared first on Help Net Security.