Earlier this week SonicWall patched 11 vulnerabilities affecting its Network Security Appliance (NSA). Among those is CVE-2020-5135, a critical stack-based buffer overflow vulnerability in the appliances’ VPN Portal that could be exploited to cause denial of service and possibly remote code execution.
The SonicWall NSAs are next-generation firewall appliances, with a sandbox, an intrusion prevention system, SSL/TLS decryption and inspection capabilities, network-based malware protection, and VPN capabilities.
CVE-2020-5135 was discovered by Nikita Abramov of Positive Technologies and Craig Young of Tripwire’s Vulnerability and Exposures Research Team (VERT), and has been confirmed to affect:
- SonicOS 220.127.116.11-79n and earlier
- SonicOS 18.104.22.168-4n and earlier
- SonicOS 22.214.171.124-93o and earlier
- SonicOSv 126.96.36.199-44v-21-794 and earlier
- SonicOS 188.8.131.52-1
“The flaw can be triggered by an unauthenticated HTTP request involving a custom protocol handler. The vulnerability exists within the HTTP/HTTPS service used for product management as well as SSL VPN remote access,” Tripwire VERT explained.
“This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet.”
By using Shodan, both Tripwire and Tenable researchers discovered nearly 800,000 SonicWall NSA devices with the affected HTTP server banner exposed on the internet. Though, as the latter noted, it is impossible to determine the actual number of vulnerable devices because their respective versions could not be determined (i.e., some may already have been patched).
A persistent DoS condition is apparently easy for attackers to achieve, as it requires no prior authentication and can be triggered by sending a specially crafted request to the vulnerable service/SSL VPN portal.
VERT says that a code execution exploit is “likely feasible,” though it’s a bit more difficult to pull off.
Mitigation and remediation
There is currently no evidence that the flaw is being actively exploited nor is there public PoC exploitation code available, so admins have a window of opportunity to upgrade affected devices.
Aside from implementing the offered update, they can alternatively disconnect the SSL VPN portal from the internet, though this action does not mitigate the risk of exploitation of some of the other flaws fixed by the latest updates.
A number of organizations face shortcomings in monitoring and securing their cloud environments, according to a Tripwire survey of 310 security professionals.
76% of security professionals state they have difficulty maintaining security configurations in the cloud, and 37% said their risk management capabilities in the cloud are worse compared with other parts of their environment. 93% are concerned about human error accidentally exposing their cloud data.
Few orgs assessing overall cloud security posture in real time
Attackers are known to run automated searches to find sensitive data exposed in the cloud, making it critical for organizations to monitor their cloud security posture on a recurring basis and fix issues immediately.
However, the report found that only 21% of organizations assess their overall cloud security posture in real time or near real time. While 21% said they conduct weekly evaluations, 58% do so only monthly or less frequently. Despite widespread worry about human errors, 22% still assess their cloud security posture manually.
“Security teams are dealing with much more complex environments, and it can be extremely difficult to stay on top of the growing cloud footprint without having the right strategy and resources in place,” said Tim Erlin, VP of product management and strategy at Tripwire.
“Fortunately, there are well-established frameworks, such as CIS benchmarks, which provide prioritized recommendations for securing the cloud. However, the ongoing work of maintaining proper security controls often goes undone or puts too much strain on resources, leading to human error.”
Utilizing a framework to secure the cloud
Most organizations utilize a framework for securing their cloud environments – CIS and NIST being two of the most popular – but only 22% said they are able to maintain continuous cloud security compliance over time.
While 91% of organizations have implemented some level of automated enforcement in the cloud, 92% still want to increase their level of automated enforcement.
Additional survey findings show that automation levels varied across cloud security best practices:
- Only 51% have automated solutions that ensure proper encryption settings are enabled for databases or storage buckets.
- 45% automatically assess new cloud assets as they are added to the environment.
- 51% have automated alerts with context for suspicious behavior.
The Open Cybersecurity Alliance (OCA) today announced the availability of OpenDXL Ontology, the first open source language for connecting cybersecurity tools through a common messaging framework.
With open source code freely available to the security community, OpenDXL Ontology enables any tool to automatically gain the ability to communicate and interoperate with all other technologies using this language. By eliminating the need for custom integrations between individual products, this release marks a major milestone in the OCA’s mission to drive greater interoperability across the security industry.
Automatically connecting cybersecurity tools
The Open Data Exchange Layer (OpenDXL) is an open messaging framework that over 4,100 vendors and enterprises already utilize to develop and share integrations with other tools. The release of the OpenDXL Ontology now offers a single, common language for these notifications, information and actions across security products that any vendor can adopt in order to communicate in a standard way with all other tools under this umbrella. This provides companies with a set of tooling that can be applied once and automatically reused everywhere across all product categories, while also eliminating the need to update integrations as product versions and functionalities change.
For example, if a certain tool detects a compromised device, it could automatically notify all other tools and even quarantine that device using a standard message format readable by all. While previously this was only possible with custom integrations between individual products, it will now be automatically enabled between all tools that adopt OpenDXL Ontology. Through continued development by the community, this common language will facilitate a wide variety of interoperability uses case, from sharing threat intelligence to triggering remediation between tools, such as isolating a device or updating a policy.
The adoption of OpenDXL Ontology will help create a stronger, united front to defend and protect across all types of security tools, while reducing the burden of point integrations between individual products.
The Open Cybersecurity Alliance and its projects
The Open Cybersecurity Alliance was launched in October 2019 to connect the fragmented cybersecurity landscape with common, open source code and practices that allow companies to “integrate once, reuse everywhere.”
Since the launch, the OCA has expanded to include more than 25 partner organizations, with the following new members joining: Armis, Center for Internet Security, CyberNB, Cydarm, Gigamon, Raytheon, Recorded Future, sFractal Consulting, and Tripwire.
The OCA community is currently collaborating on GitHub and Slack to further new open-source code and use-cases for cybersecurity industry interoperability. In addition to the development of OpenDXL Ontology for a common, open-source language between tools, the OCA is also continuing to build out capabilities for STIX-Shifter, a universal, out-of-the box search capability for security products of all types. Since bringing STIX Shifter to the open-source community, hundreds of visitors have accessed this technology on GitHub, with dozens of users initiating new project forks for development on top of the primary STIX Shifter code.
The OCA will continue development for both STIX Shifter and OpenDXL Ontology, and is actively seeking additional contributors from across the security industry to help guide and drive innovative new use-cases for these open source projects.
In addition to the availability of OpenDXL Ontology, the OCA is also announcing the formation of its Technical Steering Committee, who will drive the technical direction and development of the organization.
83% of IT security professionals feel more overworked going into 2020 than they were at the beginning of 2019, and 82% said their teams were understaffed, according to a Tripwire survey.
Hard to find skilled security staff
The strain on cybersecurity teams is exacerbated by the inability to find experienced staff, and 85% acknowledged it has become more difficult over the past few years to hire skilled security professionals.
“It’s getting harder and harder for organizations to fill open positions on their security teams,” said Tim Erlin, vice president of product management and strategy at Tripwire.
“Larger organizations, which you might assume have more resources, are experiencing the skills gap issue even more acutely than smaller organizations. It’s a challenge to hire the right skill sets – they keep changing along with security, which is always evolving.
“Nearly all of those we surveyed said the skills required to be a great security professional have changed over the past few years.”
In recent years, cybersecurity conferences and online communities have been emphasizing the need to manage work stress and increase focus on mental health. While 93% expressed interest in understanding wellness issues, only 19% of companies provide resources for managing the stress associated with the specific issues of IT security.
Addressing the skills gap
In assessing the various ways organizations address the skills gap and strain on their teams, the survey found the following:
- A large majority (85%) believe managed services are a good option for addressing security skills gaps.
- Nearly half (46%) said they plan to use more managed services in 2020.
- Half (50%) said they will invest more heavily in training existing staff.
The survey also explored views on chief information security officer (CISO) involvement. Of the 85% that said they have CISOs in their organizations, 40% said their CISOs are not involved enough in day-to-day operations, while 10% believed their CISOs are already too involved.
Erlin added: “CISOs should be focusing on high-level strategy, but because their teams are understaffed and have an overwhelming volume of work on their desks, they may have to get involved in daily operations, if they haven’t already. To solve the problems caused by skills gap issues, training and managed services are both good approaches.
“By partnering with providers, organizations can free themselves from operational work and gain insights that will help inform decisions. And because recruiting and training isn’t always possible, managed services provide businesses a way to augment their teams.”
With this partnership, Tripwire and Eaton are making it easier and faster for U.S. utilities to comply with evolving cybersecurity requirements, including North American Electric Reliability Corporation critical infrastructure protection (NERC CIP).
“Tripwire’s partnership with Eaton allows utility companies to run their cybersecurity programs more efficiently and operate with confidence,” said Kristen Poulos, VP and general manager of industrial cybersecurity at Tripwire.
“Integrating our complementary technologies enhances the security of critical substation environments by streamlining tools and processes, without risking interruptions to their operations.”
The Eaton and Tripwire technology partnership eliminates the manual process of entering data across disparate risk and compliance tools. The technology integration will allow Tripwire Enterprise for Industrial Devices to automate data collection and analysis from Eaton’s IED Manager Software that monitors intelligent electronic devices (IEDs), such as relays, remote terminal units (RTUs), and connected input/output (I/O).
“Eaton grid automation solutions yield powerful data for a smarter grid, while our enterprise-wide cybersecurity approach enables our customers to meet stringent specifications and expectations for secure power,” said Ken Polarek, global marketing director of Energy Automation Solutions at Eaton.
“Eaton is creating strong industry partnerships, including with Tripwire, that help customers simplify and save time when assessing the NERC-CIP compliance of their substations.”
Eaton’s structured database of IED configuration settings can consist of thousands of valuable attributes for understanding security posture and compliance status, such as password changes, firmware versions, and protection settings.
The integration with Tripwire Enterprise provides consolidated reports against NERC CIP and custom policies in a single user interface.
Tripwire, a leading global provider of security and compliance solutions for enterprises and industrial organizations, has announced the launch of the Tripwire Industrial Appliance line of hardware for securing industrial environments.
In addition, Tripwire has announced that it has joined the ISA Global Cybersecurity Alliance as a founding member. As a Belden company, Tripwire continues to build on the significant growth in industrial cybersecurity achieved over the past year.
Expanding industrial cybersecurity capabilities
Tripwire’s Industrial Appliance provides industrial organizations a one-box solution for gaining visibility into their operational technology (OT) networks through a passive asset discovery approach.
The solution, embedded with Tripwire Industrial Visibility software, offers industrial and enterprise grade hardware, and will soon come with an option for bump-in-the-wire deployment capability designed for sensitive and large industrial environments without network disruption.
Tripwire is also expanding its Tripwire Industrial Visibility capabilities. Tripwire expects to release a new version of this software, featuring secure cloud capabilities, an improved user interface, and automatic threat intelligence updates, soon.
The solution will also feature policies and zones management capabilities that allow users to set, control and edit firewall-like rules to determine allowable communications, and enhanced discovery and classification capabilities for gathering important device information such as vendor, model and operating system versions from a broad range of IoT devices.
Tripwire joins ISA Global Security Alliance as founding member
In becoming a founding member of ISA Global Cybersecurity Alliance (ISAGCA), Tripwire will participate in creating initiatives to increase industry awareness, creating education and certification programs, and advocating for sensible cybersecurity approaches with regulatory bodies and world governments.
“Our founding members are united in their belief that security is a journey, not a destination, and they’re committed to developing the resources that asset owners need to make progress,” said ISA Executive Director Mary Ramsey. “We are proud to call Tripwire one of our founding members and we are excited to collaborate with their experts to deliver these solutions.”
Tripwire’s continued focus on industrial cybersecurity
“We’re excited to introduce these new capabilities and deployment options for critical infrastructure operators and industrial organizations to strengthen the security, safety and productivity of their operations,” said Kristen Poulos, VP and general manager of industrial cybersecurity at Tripwire.
“We’re also proud to partner across the industry in bringing more cybersecurity to the industrial space by joining the ISA Global Cybersecurity Alliance. Tripwire has made great strides in industrial cybersecurity over the past year and we’ll continue that focus throughout 2020 and beyond.”
Tripwire’s industrial cybersecurity 2019 highlights include a partnership with Baker Hughes. Under the agreement, Nexus Controls, a Baker Hughes business, will integrate Tripwire’s industrial cybersecurity capabilities into their SecurityST solution aimed at achieving safe, reliable, and predictable plant and process operations in critical infrastructure environments.
Earlier in the year, Tripwire launched Industrial Cybersecurity Assessment services, which provide specialized evaluation of vulnerabilities in industrial control system (ICS) environments, taking into account the OT requirements.
In 2019, Tripwire also continued to work closely with the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST), contributing to the NIST Special Publication 1800-23, Energy Sector Asset Management, a new guide to help energy utilities and the oil & gas industry develop an automated solution to better manage their ICS assets.