61% of organizations perform attack surface discovery to keep pace with frequently changing assets and an expanding attack surface, yet only 40% of companies perform continuous attack surface management, a Bugcrowd survey reveals.
Only one out of five organizations surveyed qualified as a “leader” in how they execute attack surface and vulnerability management, while 49% ranked in the second tier as “fast-followers” and 39% ranked in the bottom tier as “emerging organizations.”
The survey discovered several key differences between leaders and other respondents in their strategy for attack surface and vulnerability management. Of note, 72% of leaders perform continuous attack surface management, suggesting that the frequency of attack surface discovery is a marker of maturity.
Augmenting security efforts with crowdsourced cybersecurity solutions
Organizations that qualify as leaders recognize their own limitations and are much more likely to supplement their security efforts with crowdsourced penetration testing and bug bounty programs than the fast-followers and emerging organizations.
In fact, 59% of leaders use bug bounty programs to discover previously unknown or undiscovered attack surface, compared to 43% of fast followers and 34% of emerging organizations.
Furthermore, 41% of leaders plan to use crowdsourced security platforms for penetration testing over the next 24 to 36 months compared to just 19% of fast followers and 27% of emerging organizations.
“This research demonstrates how COVID-19 spurred many organizations to accelerate their digital transformation efforts, thus increasing the size and complexity associated with managing their attack surface,” said Ashish Gupta, CEO, Bugcrowd.
“One factor really separated the more successful organizations from the rest of the pack: the leaders clearly lean more heavily on crowdsourced security solutions to augment their security efforts. This layered approach to security has significantly strengthened their ability to protect their attack surface and mitigate vulnerabilities.”
Distinguishing leaders from less mature organizations
Fast-followers and emerging organizations are far less proactive in performing attack surface and vulnerability discovery compared to leaders. For example, 72% of leaders conduct attack surface discovery on a continual basis, compared to just 52% of fast-followers and 3% of emerging organizations.
Additionally, 59% of leaders perform penetration testing for vulnerability discovery more often than once per month, while only 23% of fast-followers and 3% of emerging organizations do on the same frequency.
However, the less mature companies report higher confidence in their attack surface and vulnerability discovery tooling and technologies, demonstrating a lack of awareness of potential risk.
“There is a stark contrast between what the leaders are doing and what everyone else is doing, and the latter group should take note of the difference,” said Jon Oltsik, Senior Principal Analyst and Fellow, ESG.
“Leading organizations use a diverse combination of tools, automated processes, and integrated workflows to constantly look for problems in their attack surface and vulnerability management. They unify efforts across their organization and are proactive in taking necessary actions to mitigate any risks they discover.
“Perhaps most important, leaders are aware of their limitations and are much more likely to use bug bounties, crowdsourced penetration testing and other external services.”
To uncover security blind spots and stay ahead of rapidly evolving cybersecurity threats, organizations across all security maturity levels can embrace crowdsourced cybersecurity to protect their attack surface and remedy vulnerabilities before they can be exploited.
Zoom Video Communications, the maker of the popular Zoom video conferencing solution, has agreed to settle allegations made by the US Federal Trade Commission (FTC) that it “engaged in a series of deceptive and unfair practices that undermined the security of its users.”
The settlement requires Zoom to – among other things – establish and implement a comprehensive security program and to not engage in further privacy and security misrepresentations.
The conditions put forth by the settlement
The FTC complaint said that:
- Since at least 2016, the company misled users by touting that it offered “end-to-end, 256-bit encryption” to secure users’ communications, when in fact it provided a lower level of security: communications were encrypted, but Zoom held the encryption keys on its own servers, so the company itself could access meeting content
- The company misled users by saying that recorded meetings that were stored on the company’s cloud storage were encrypted immediately after the meeting ended, which was untrue in some cases
- In July 2018, the company compromised the security of some users when it secretly installed a hidden web server on Macs to make installation of the Zoom application frictionless; the server bypassed a Safari safeguard and remained on the machine even after users uninstalled the Zoom app
The settlement does not oblige Zoom to admit fault or pay a fine, but obligates it to:
- Refrain from misrepresenting privacy and security practices, including about how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information
- Implement a comprehensive information security program and obtain biennial assessments of its security program by an independent third party and notify the FTC if it experiences a data breach
- Implement a vulnerability management program
- Assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks
- Deploy safeguards such as MFA to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials
- Review any software updates for security flaws and ensure the updates will not hamper third-party security features
Two of the FTC commissioners disagreed with the settlement
FTC commissioner Rohit Chopra pointed out that it provides no help for affected users, does nothing for small businesses that relied on Zoom’s data protection claims, and does not require Zoom to pay a fine. He also argued that Zoom’s misrepresentation of its security practices allowed it to take users from competing players in the video conferencing market and to “cash in” on the pandemic.
“Zoom stands ready to emerge as a tech titan. But we should all be questioning whether Zoom and other tech titans expanded their empires through deception,” he added.
FTC Commissioner Rebecca Kelly Slaughter also stressed that many Zoom customers were left stranded.
“Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false. This failure of the proposed settlement does a disservice to Zoom’s customers, and substantially limits the deterrence value of the case,” she said.
She also noted that Zoom should have been ordered to regularly “engage in a review of the risks to consumer privacy presented by its products and services, to implement procedures to routinely review such risks, and to build in privacy-risk mitigation before implementing any new or modified product, service, or practice.”
It remains to be seen if Zoom will fulfill and continue to fulfill the conditions of the settlement. Each violation of an FTC order may result in a civil penalty of up to $43,280, which is a negligible sum for a company that’s worth $35 billion.
UPDATE (November 10, 2020, 4:10 a.m. PT):
“The security of our users is a top priority for Zoom. We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs,” a Zoom spokesperson told Help Net Security.
“We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC. Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.”
Vulnerability management (VM) technology addresses a threat landscape that is in a constant state of flux. The wider dispersal of endpoints across private and public cloud environments multiplies the potential points of compromise in an enterprise network, intensifying the demand for VM solutions that make endpoints easier to track, verify, and secure.
To prevent attacks and damage to a business, VM providers employ various means of identifying, prioritizing, communicating, and suggesting possible responses to the risks companies face in their networked business environments.
The leading VM platforms provide a complete picture of a client’s security posture: they inventory the organization’s assets, correlate them with the vulnerabilities identified by scans, rank the findings by the importance of the affected assets, and offer remediation guidance.
A multilayered defense
Frost & Sullivan’s latest thought leadership paper analyzes the threat landscape and the role of VM in addressing the security concerns of the entire enterprise. It analyzes end-user willingness to invest in VM platforms that help provide a holistic cybersecurity approach in various areas, including vulnerability prioritization, automated workflows, and third-party integration.
“This aids a multilayered defense, which has proven to be superior to discrete technologies working separately in network defense. VM platforms that allow IT departments to conduct continual vulnerability assessments are emerging as one of the top five solutions for organizations concerned about system vulnerabilities as part of their security maturity improvement initiatives.”
According to the research, two out of every three cyberattacks in the United States and three out of every four in Europe are categorized as severe by the organizations affected by them.
Azure Defender for IoT – Microsoft’s new security solution for discovering unmanaged IoT/OT assets and IoT/OT vulnerabilities – is now in public preview and can be put to the test free of charge.
The solution can alert administrators about unauthorized devices connected to the network and unauthorized connections to the internet, changes to firmware versions, potentially malicious commands, illegal DNP3 operations, known malware, unauthorized SMB logins, and more.
About Azure Defender for IoT
“As industrial and critical infrastructure organizations implement digital transformation, the number of networked IoT and Operational Technology (OT) devices has greatly proliferated. Many of these devices lack visibility by IT teams and are often unpatched and misconfigured, making them soft targets for adversaries looking to pivot deeper into corporate networks,” Phil Neray, Director of Azure IoT Security Strategy at Microsoft, explained.
Azure Defender for IoT enables agentless IoT/OT asset discovery, vulnerability management, and continuous threat monitoring.
The solution can be deployed on-premises and can be integrated with (i.e., send data/alerts to) Azure Sentinel, Microsoft’s cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution. It can also be deployed without sending any data to Azure.
After being connected to the existing network, the solution uses IoT/OT-aware behavioral analytics and machine learning to eliminate the need to configure any rules, signatures, or other static IOCs, says Neray.
“To capture the traffic, it uses an on-premises network sensor deployed as a virtual or physical appliance connected to a SPAN port or tap. The sensor implements non-invasive passive monitoring with Network Traffic Analysis (NTA) and Layer 7 Deep Packet Inspection (DPI) to extract detailed IoT/OT information in real-time.”
Out-of-the-box integration with third-party IT security tools (e.g., Splunk, IBM QRadar, and ServiceNow) is available, and the solution works seamlessly with diverse automation equipment by Rockwell Automation, Schneider Electric, GE, Emerson, Siemens, Honeywell, ABB, Yokogawa, and so on.
Andrew Magnusson started his information security career 20 years ago, and in this book he shares the knowledge he has accumulated to help readers eliminate security weaknesses and threats within their systems.
As he points out in the introduction, bugs are everywhere, but there are actions and processes the reader can apply to eliminate or at least mitigate the associated risks.
The author starts off by explaining vulnerability management basics, the importance of knowing your network and the process of collecting and analyzing data.
He explains the importance of a vulnerability scanner and why it is essential to configure and deploy it correctly, since it supplies the information needed to successfully complete the vulnerability management process.
The next step is to automate these processes, which helps prioritize vulnerabilities and frees up time to work on the most severe issues, consequently boosting an organization’s security posture.
Finally, it is time to decide what to do with the vulnerabilities you have detected, which means choosing the appropriate security measures, whether it’s patching, mitigation or systemic measures. When the risk has a low impact, there’s also the option of accepting it, but this still needs to be documented and agreed upon.
The important part of this process, and perhaps also the hardest, is building relationships within the organization. The reader needs to respect office politics and make sure all the decisions and changes they make are approved by the superiors.
The second part of the book is practical, with the author guiding the reader through the process of building their own vulnerability management system with a detailed analysis of the open source tools they need to use such as Nmap, OpenVAS, and cve-search, everything supported by coding examples.
The reader will learn how to build an asset and vulnerability database and how to keep it accurate and up to date. This is especially important when generating reports, as those need to be based on recent vulnerability findings.
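As an added illustration of the asset-database step (this is not code from the book; it uses Python’s standard-library sqlite3 and xml.etree rather than whatever storage the book chooses, and the Nmap XML fragment is constructed for the demo, not a real scan), the following script loads `nmap -oX` output into an asset and service inventory, preserves first-seen dates across re-imports, and flags hosts that no scan has seen recently:

```python
"""Load Nmap -oX output into a small asset/service inventory and keep it current.

Added example, not the book's code. Assumptions: SQLite (in memory here) as the
store, and a constructed Nmap XML fragment below instead of a real scan.
"""
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape Nmap writes with -oX; not a real scan result.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.9" addrtype="ipv4"/></host>
</nmaprun>"""

SCHEMA = """
CREATE TABLE IF NOT EXISTS asset (
  ip TEXT PRIMARY KEY, hostname TEXT, first_seen TEXT NOT NULL, last_seen TEXT NOT NULL);
CREATE TABLE IF NOT EXISTS service (
  ip TEXT NOT NULL REFERENCES asset(ip), proto TEXT NOT NULL, port INTEGER NOT NULL,
  name TEXT, product TEXT, version TEXT, last_seen TEXT NOT NULL,
  PRIMARY KEY (ip, proto, port));
"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def parse_nmap_xml(xml_text):
    """Yield (ip, hostname, [(proto, port, name, product, version), ...]) for live hosts."""
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue                      # down hosts carry nothing worth recording
        hn = host.find("hostnames/hostname")
        services = []
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                  # closed/filtered ports are not exposure
            svc = port.find("service")
            attr = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            services.append((port.get("protocol"), int(port.get("portid")),
                             attr("name"), attr("product"), attr("version")))
        yield addr.get("addr"), (hn.get("name") if hn is not None else None), services

def import_scan(conn, xml_text, seen_at):
    """Upsert live hosts and their open services; returns the number of hosts imported."""
    ts = seen_at.isoformat()
    n = 0
    for ip, hostname, services in parse_nmap_xml(xml_text):
        # UPDATE first so first_seen survives re-imports; INSERT only for new assets.
        cur = conn.execute("UPDATE asset SET hostname=COALESCE(?, hostname), last_seen=? WHERE ip=?",
                           (hostname, ts, ip))
        if cur.rowcount == 0:
            conn.execute("INSERT INTO asset VALUES (?, ?, ?, ?)", (ip, hostname, ts, ts))
        for proto, port, name, product, version in services:
            conn.execute("INSERT OR REPLACE INTO service VALUES (?, ?, ?, ?, ?, ?, ?)",
                         (ip, proto, port, name, product, version, ts))
        n += 1
    conn.commit()
    return n

def open_services(conn, ip):
    return conn.execute("SELECT proto, port, product, version FROM service WHERE ip=? ORDER BY port",
                        (ip,)).fetchall()

def asset_row(conn, ip):
    return conn.execute("SELECT hostname, first_seen, last_seen FROM asset WHERE ip=?", (ip,)).fetchone()

def stale_assets(conn, now, max_age_days=30):
    """IPs no scan has seen within max_age_days: review them, do not silently delete them."""
    cutoff = (now - timedelta(days=max_age_days)).isoformat()
    return [r[0] for r in conn.execute("SELECT ip FROM asset WHERE last_seen < ? ORDER BY ip",
                                       (cutoff,))]

def run_demo():
    """Two imports 45 days apart, checking what changes and what is preserved."""
    db = open_db()
    t0 = datetime(2020, 9, 1, tzinfo=timezone.utc)
    t1 = t0 + timedelta(days=45)
    out = {"imported": import_scan(db, SAMPLE_NMAP_XML, t0),
           "services": open_services(db, "10.0.0.5"),
           "stale_at_t1_before_rescan": stale_assets(db, t1)}
    import_scan(db, SAMPLE_NMAP_XML, t1)          # re-scan: last_seen moves, first_seen does not
    out["stale_at_t1_after_rescan"] = stale_assets(db, t1)
    out["asset"] = asset_row(db, "10.0.0.5")
    return out

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "=", v)
```

The stale list is deliberately a review queue rather than an automatic purge: a host that drops out of a scan may have been decommissioned, but it may also sit behind a firewall change or a scanner outage, and deleting it would hide exactly the asset a report should be asking about.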
Who is it for?
Practical Vulnerability Management is aimed at security practitioners who are responsible for protecting their organization and tasked with boosting its security posture. It is assumed they are familiar with Linux and Python.
Despite the technical content, the book is an easy read and offers comprehensive solutions to keeping an organization secure and always prepared for possible attacks.
Government and financial service sectors globally are the most hack-resistant industries in 2020, according to Synack.
Government and financial services scored 15 percent and 11 percent higher, respectively, than all other industries in 2020. Government agencies earned the top spot in part due to reducing the time it takes to remediate exploitable vulnerabilities by 73 percent.
Throughout the year, both sectors faced unprecedented challenges due to the global pandemic, but still maintained a commitment to thorough and continuous security testing that lessened the risk from cyberattacks.
“It’s a tremendously tough time for all organizations amidst today’s uncertainties. Data breaches are the last thing they need right now. That’s why it’s more crucial than ever to quickly find and fix potentially devastating vulnerabilities before they cause irreparable harm,” said Jay Kaplan, CEO at Synack. “If security isn’t a priority, trust can evaporate in an instant.”
The government sector earned 61 — the highest rating
The chaos of 2020 added new hardship to many government bodies, but security hasn’t necessarily suffered as many agencies have become more innovative and agile. Their ability to quickly remediate vulnerabilities drove this year’s top ranking.
Financial services scored 59 amidst massive COVID-19 disruptions
Financial services adapted quickly through the pandemic to help employees adjust to their new remote work realities and ensure customers could continue doing business. Continuous security testing played a significant role in the sector’s Attacker Resistance Score (ARS).
Healthcare and life sciences scored 56 despite pandemic challenges
The rush to deploy apps to help with the COVID-19 recovery led to serious cybersecurity challenges for healthcare and life sciences. Despite those issues, the sector had the third highest average score as research and manufacturing organizations stayed vigilant and continuously tested digital assets.
ARS scores increase 23 percent from continuous testing
For organizations that regularly release updated code or deploy new apps, point-in-time security analysis will not pick up potentially catastrophic vulnerabilities. A continuous approach to testing helps ensure vulnerabilities are found and fixed quickly, resulting in a higher ARS metric.
On this September 2020 Patch Tuesday:
- Microsoft has plugged 129 security holes, including a critical RCE flaw that could be triggered by sending a specially crafted email to an affected Exchange Server installation
- Adobe has delivered security updates for Adobe Experience Manager, AEM Forms, Framemaker and InDesign
- Intel has released four security advisories
- SAP has released 10 security notes and updates to six previously released notes
Microsoft has released patches for 129 CVEs, 23 of which are “critical”, 105 “important”, and one “medium”-risk (a security feature bypass flaw in SQL Server Reporting Services). None of them are publicly known or being actively exploited.
Trend Micro Zero Day Initiative’s Dustin Childs says that patching CVE-2020-16875, a memory corruption vulnerability in Microsoft Exchange, should be top priority for organizations using the popular mail server.
“This patch corrects a vulnerability that allows an attacker to execute code at SYSTEM by sending a specially crafted email to an affected Exchange Server. That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers,” he explained. “We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon.”
Another interesting patch released this month is that for CVE-2020-0951, a security feature bypass flaw in Windows Defender Application Control (WDAC). Patches are available for Windows 10 and Windows Server 2016 and above.
“This patch is interesting for reasons beyond just the bug being fixed. An attacker with administrative privileges on a local machine could connect to a PowerShell session and send commands to execute arbitrary code. This behavior should be blocked by WDAC, which does make this an interesting bypass. However, what’s really interesting is that this is getting patched at all,” Childs explained.
“Vulnerabilities that require administrative access to exploit typically do not get patches. I’m curious about what makes this one different.”
Many of the critical and important flaws fixed this time affect various editions of Microsoft SharePoint (Server, Enterprise, Foundation). Some require authentication, but many do not, so if you don’t want to fall prey to exploits hidden in specially crafted web requests, pages or SharePoint application packages, see that you install the required updates soon.
Satnam Narang, staff research engineer at Tenable, pointed out that one of them – CVE-2020-1210 – is reminiscent of a similar SharePoint remote code execution flaw, CVE-2019-0604, that has been exploited in the wild by threat actors since at least April 2019.
CVE-2020-0922, an RCE in Microsoft COM (Component Object Model), should also be patched quickly on all Windows and Windows Server systems.
He also advised organizations in the financial industry who use Microsoft Dynamics 365 for Finance and Operations (on-premises) and Microsoft Dynamics 365 (on-premises) to quickly patch CVE-2020-16857 and CVE-2020-16862.
“Impacting the on-premise servers with this finance and operations focused service installed, both exploits require a specifically created file to exploit the security vulnerability, allowing the attacker to gain remote code execution capability. More concerning with these vulnerabilities is that both flaws, if exploited, would allow an attacker to steal documents and data deemed critical. Due to the nature and use of Microsoft Dynamics in the financial industry, a theft like this could spell trouble for any company of any size,” he added.
Jimmy Graham, Sr. Director of Product Management, Qualys, says that Windows Codecs, GDI+, Browser, COM, and Text Service Module vulnerabilities should be prioritized for workstation-type devices.
Adobe has released security updates for Adobe Experience Manager (AEM) – a web-based client-server system for building, managing and deploying commercial websites and related services – and the AEM Forms add-on package for all platforms, Adobe Framemaker for Windows and Adobe InDesign for macOS.
The AEM and AEM Forms updates are more important than the rest.
The Adobe Framemaker update fixes two critical flaws that could lead to code execution, and the Adobe InDesign update five of them, but as vulnerabilities in these two offerings are not often targeted by attackers, admins are advised to implement them after more critical updates are secured.
None of the fixed vulnerabilities are being currently exploited in the wild.
Intel took advantage of the September 2020 Patch Tuesday to release four advisories, accompanying fixes for the Intel Driver & Support Assistant, BIOS firmware for multiple Intel Platforms, and Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM).
The latter fixes are the most important, as they fix a privilege escalation flaw that has been deemed to be “critical” for provisioned systems.
SAP marked the September 2020 Patch Tuesday by releasing 10 security notes and updates to six previously released ones (for SAP Solution Manager, SAP NetWeaver, SAPUI5 and SAP NetWeaver AS JAVA).
Patches have been provided for newly fixed flaws in a variety of offerings, including SAP Marketing, SAP NetWeaver, SAP Bank Analyzer, SAP S/4HANA Financial Products, SAP Business Objects Business Intelligence Platform, and others.
84% of security and IT leaders feel their enterprise programs are mature, but a deeper dive reveals a major disconnect between perception and reality, Vulcan Cyber reveals.
“We already know most enterprise programs are immature – we see it every day in the field. What caught us off guard was that the vast majority of respondents felt otherwise,” said Yaniv Bar Dayan, CEO of Vulcan Cyber.
“Given the amount of breaches caused by known, unpatched vulnerabilities, that reveals a surprising disconnect that merits a closer look. So we mapped the survey data to our maturity model – the only way to raise the bar for vulnerability management is to show IT leaders how to transition their programs from managing vulnerabilities to remediating them.”
Key research findings
- The most mature elements of enterprise vulnerability management programs are vulnerability scanning (72%), followed by the effective use of vulnerability remediation tools (49%) and vulnerability prioritization (44%).
- The three least-mature elements are orchestrated, collaborative remediation (48%), continuous, automated remediation (48%) and business alignment around cyber hygiene objectives (31%). This indicates that vulnerability management processes are siloed, ad-hoc, and inefficient, calling into question their ability to produce outcomes that actually remediate vulnerabilities and secure IT.
- 89% of security and IT teams say they spend at least some time collaborating with cross-functional teams to remediate vulnerabilities, with 42% reporting they spend “a lot” or “too much” (7%) time every week working with other teams. A notable 83% of companies that said they spend too much time collaborating with other teams have 500-1,000 employees.
- Roughly 50% of IT and security teams share responsibility for key remediation functions (identifying vulnerabilities, prioritization, crafting remediation strategies, deploying patches and remedies, etc.), revealing an opportunity to facilitate more effective and efficient collaboration by clearly defining the division of labor.
“Vulnerability scanning and prioritization are essential functions, but they are the bare minimum – not what constitutes a mature program,” Bar-Dayan continues.
“In our experience, program bottlenecks are further along in the remediation lifecycle, stemming from inefficient cross team collaboration. Changing that requires organizations to update and automate their remediation processes. It’s a serious undertaking, but one that transforms vulnerability management programs into a powerful lever for shrinking security debt and strengthening the company’s security posture.”
Too many organizations have yet to find a good formula for prioritizing which vulnerabilities should be remediated immediately and which can wait.
According to the results of recent Tenable research into why some flaws go unpatched for months or years, vulnerabilities for which exploits exist persist for roughly as long as those with no available exploit.
“Defenders are still operating as though all vulnerabilities have the same likelihood of exploitation,” says Lamine Aouad, Staff Research Engineer at Tenable.
The research has also revealed that:
- In organizations that have remediated at least one instance of a vulnerability, nearly one-third of all detected vulnerabilities remain open after a year, and over one-quarter are never remediated – and the percentages are similar for vulnerabilities with exploits
- It takes organizations a median of 29 days to assess the existence of a vulnerability in their environment and a median of 40 days to remediate all instances of it
- The most persistent vulnerabilities are:
- Client-side vulnerabilities
- Vulnerabilities in difficult-to-update/upgrade software
- Vulnerabilities with larger affected software lists
“The more operating systems and product versions a vulnerability affects, the harder it is to fix, leading to persistence. A larger list of CPEs would also reflect a bigger volume of assets in many cases and consequently a higher difficulty to remediate comprehensively by just sheer volume,” Aouad told Help Net Security.
“CVE-2018-8353, CVE-2018-8355 and CVE-2018-8373 are remote memory-corruption vulnerabilities, affecting multiple versions of Internet Explorer, which could allow remote attackers to execute arbitrary code. Their persistence is most likely related to the list of CPEs or affected software configurations.”
Only 5.5 percent of organizations remediate more vulnerabilities than they discover during a given timeframe, Tenable found.
Whether for lack of resources or effective remediation processes, or simply because of the staggering number of newly disclosed vulnerabilities, most organizations cannot keep up with the flow of vulnerabilities they find in their environment.
Finding the right approach to vulnerability remediation prioritization
Effective vulnerability remediation prioritization is important, but using CVSS scores as the basis for decisions is a poor choice: the CVSS base score measures the technical severity of a flaw in the abstract and says nothing about whether anyone is exploiting it or what it would cost the organization if they did.
CVSS scores can be one element of an effective prioritization formula, but organizations must also take into consideration factors such as whether a vulnerability:
- Is actively exploited
- Is prevalent in their environment and widely present in other organizations’ environments
- Affects critical assets within their environment
- Is targeted via existing attacker toolkits, etc.
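As an added worked example (not Tenable’s model or code; the weights, the score bands and the four findings are constructed assumptions), the following Python ranks findings by exploitation evidence, asset criticality and prevalence in the environment, and shows how the resulting queue differs from a plain CVSS sort:

```python
"""Risk-based prioritisation that treats CVSS as one input, not the verdict.

Added example, not Tenable's method. The weights, SLA thresholds and the four
sample findings are constructed assumptions chosen to show how the ranking
differs from a plain CVSS sort.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    name: str
    cvss: float                 # CVSS base score, 0..10
    exploited_in_wild: bool     # seen in active attacks
    in_attack_toolkit: bool     # public exploit module / attacker tooling exists
    instances: int              # affected assets in our own environment
    max_asset_criticality: int  # 1 (lab) .. 5 (crown jewel) of the most important affected asset

def likelihood(f):
    """Driven by exploitation evidence; a high CVSS alone does not raise it."""
    if f.exploited_in_wild:
        return 1.0
    if f.in_attack_toolkit:
        return 0.7
    return 0.2

def impact(f):
    """Technical severity scaled by what the most important affected asset is worth."""
    return (f.cvss / 10.0) * (f.max_asset_criticality / 5.0)

def exposure(f):
    """Prevalence in our estate, saturating at 100 instances."""
    return min(1.0, f.instances / 100.0)

def risk_score(f):
    """0..100; the 0.7 impact / 0.3 exposure weights are illustrative assumptions."""
    return round(100.0 * likelihood(f) * (0.7 * impact(f) + 0.3 * exposure(f)), 1)

def sla_days(score):
    """Remediation deadline per score band; None means track and accept with documented sign-off."""
    if score >= 60:
        return 7
    if score >= 30:
        return 30
    if score >= 10:
        return 90
    return None

def prioritize(findings):
    """Highest risk first: list of (name, score, sla_days)."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.name, risk_score(f), sla_days(risk_score(f))) for f in ranked]

def cvss_order(findings):
    """What a CVSS-only queue would look like, for comparison."""
    return [f.name for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

# Constructed sample findings (not real CVE data).
SAMPLE = [
    Finding("critical-cvss-lab-only", 9.8, False, False, 3, 2),
    Finding("exploited-on-crown-jewels", 7.5, True, True, 40, 5),
    Finding("toolkit-widespread", 6.5, False, True, 250, 3),
    Finding("exploited-single-host", 9.0, True, False, 1, 4),
]

if __name__ == "__main__":
    print("CVSS-only order:", cvss_order(SAMPLE))
    for name, score, sla in prioritize(SAMPLE):
        print(f"{score:5.1f}  fix within {sla} days  {name}")
```

A 9.8 on an unexposed lab box lands at the bottom of the queue with no hard deadline, while a 7.5 that is being exploited and sits on a crown-jewel system goes to the front with a one-week SLA; replacing the sample weights and asset tiers with the organization’s own is the point of the exercise.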
Total vulnerabilities in OSS more than doubled in 2019 from 421 Common Vulnerabilities and Exposures (CVEs) in 2018 to 968 last year, according to the RiskSense report.
Top 10 weaponized CWEs
The study also revealed that it takes a very long time for OSS vulnerabilities to be added to the National Vulnerability Database (NVD), averaging 54 days between public disclosure and inclusion in the NVD. This delay can cause organizations to remain exposed to serious application security risks for almost two months.
These very long lags were seen across all severities including vulnerabilities rated as ‘Critical’ and those that were weaponized, meaning those where an exploit is present in the wild.
“While open source code is often considered more secure than commercial software since it undergoes crowdsourced reviews to find problems, this study illustrates that OSS vulnerabilities are on the rise and may be a blindspot for many organizations,” said Srinivas Mukkamala, CEO of RiskSense.
“Since open source is used and reused everywhere today, when vulnerabilities are found, they can have incredibly far-reaching consequences.”
OSS vulnerabilities doubled in 2019
The number of published open source CVEs more than doubled compared to any previous year. Vulnerabilities increased 130% between 2018 and 2019 (from 421 to 968 CVEs), and the 2019 total was also more than double the 2017 figure (435). This increase does not appear to be a flash in the pan, since the number of new CVEs remained at historically high levels through the first three months of 2020.
NVD disclosure latency is dangerously long
Vulnerabilities in open source software are taking an extremely long time to be added to the U.S. NVD. The average time between the first public disclosure of a vulnerability and its addition to the NVD was 54 days.
The longest observed lag was 1,817 days for a critical PostgreSQL vulnerability. 119 CVEs had lags of more than 1 year, and almost a quarter (24%) had lags of more than a month. These lags were consistent across all severities of vulnerabilities, with critical severity vulnerabilities having some of the longest average lag times.
Jenkins & MySQL have the most vulnerabilities
The Jenkins automation server had the most CVEs overall with 646 and was closely followed by MySQL with 624. These two OSS projects also tied for the most weaponized vulnerabilities (those for which exploit code exists) with 15 each.
By contrast, HashiCorp’s Vagrant only had 9 total CVEs, but 6 of them were weaponized, making it one of the most weaponized open source projects in terms of percentage. Meanwhile, Apache Tomcat, Magento, Kubernetes, Elasticsearch, and JBoss all had vulnerabilities that were trending or popular in real-world attacks.
XSS and Input Validation
Cross-Site Scripting (XSS) and Input Validation weaknesses were both some of the most common and most weaponized types of weaknesses in the study. XSS issues were the second most common type of weakness, but were the most weaponized.
Likewise Input Validation issues were the third most common and second most weaponized. Input Validation and Access Control issues were both common and were seen trending in real-world attacks.
Projects by percent of weaponized CVEs
Rare does not equal less dangerous
Some weaknesses were far less common, yet remained very popular in active attack campaigns. Deserialization Issue (28 CVEs), Code Injection (16 CVEs), Error Handling Issues (2 CVEs), and Container Errors (1 CVE) were all seen trending in the wild.
The fact that these issues are rare in OSS is a positive sign for the security of open source code, but also serves as a reminder that when problems do arise they can be attacked quite broadly.
Providing real-world context
Open source software now represents a significant percentage of the average organization’s attack surface. And while open source has many benefits, managing vulnerabilities can pose unique challenges.
Greenbone Networks revealed the findings of research assessing critical infrastructure providers’ ability to operate during or in the wake of a cyberattack.
The cyber resilience of critical infrastructures
The research investigated the cyber resilience of organizations operating in the energy, finance, health, telecommunications, transport and water industries, located in the world’s five largest economies: UK, US, Germany, France and Japan. Of the 370 companies surveyed, only 36 percent had achieved a high level of cyber resilience.
To benchmark the cyber resilience of these critical infrastructures, the researchers assessed a number of criteria. These included their ability to manage a major cyberattack, their ability to mitigate the impact of an attack, whether they had the necessary skills to recover after an incident, as well as their best practices, policies and corporate culture.
Infrastructure providers in the US were the most likely to score highly, with 50 percent of companies considered highly resilient. In Europe, the figure was lower at 36 percent. In Japan, it was just 22 percent.
There were also marked differences between industry sectors, with highly-regulated organizations, such as finance and telecoms, most likely to be cyber resilient (both at 46 percent). Transport providers were the least likely to be considered highly resilient (22 percent), while energy providers (32 percent), health providers (34 percent) and water utilities (36 percent) were all close to the average.
Characteristics of a highly-resilient infrastructure provider
They are able to identify critical business processes, related assets and their vulnerabilities: Highly-resilient organizations thoroughly analyse their critical business processes and know which digital assets underpin these processes. They continuously check for vulnerabilities, taking appropriate measures to mitigate or close them.
They deploy cybersecurity architectures that are tailored to their business processes: This focus places them in a strong position to mitigate damage caused by an attack.
They have well-established and well-communicated best practices: The highest performing organizations have well-defined policies and best practices. For example, in 95 percent of highly-resilient organizations, the person responsible for managing a digital asset is also responsible for securing it. This level of expertise and responsibility allows organizations to close gaps and repair damage quickly.
They are more likely to seek third-party support: These companies are more likely to engage with specialist providers, not only to manage security technologies, but also to obtain advice.
For example, they might employ consultants to help develop a security strategy for the company, select suitable technology, implement managed security services, establish metrics for success or calculate the business case for a security project.
They place greater importance on the ability to respond to cyber incidents and mitigate the impact on critical business processes: The ability to prevent cyber incidents is of secondary importance to highly-resilient organizations as they recognize attacks are inevitable.
They are more likely to focus on procedures that lessen the impact of an attack or accelerate their ability to bounce back after an incident.
They prepare for attacks through simulation: They simulate various what-if scenarios in training sessions and also involve stakeholders outside the IT department. They also apply the same cybersecurity rules to all digital assets.
“Cyberattacks are inevitable so being able to firstly withstand them and then recover from them is vital. Nowhere is this more important than in the critical infrastructure industries where any loss or reduction in service could be devastating both socially and economically, so it’s a concern that only just over a third of providers are what we consider to be highly-resilient,” said Dirk Schrader, cyber resilience architect at Greenbone Networks.
“Being cyber resilient involves much more than having enough IT security budget or deploying the right technologies. We hope that – by highlighting the key characteristics of highly-resilient organizations – this research will provide a blueprint for others.”
The US Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to patch a slew of old and new software vulnerabilities that are routinely exploited by foreign cyber actors and cyber criminals.
“Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available,” the agency noted.
“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.”
The most often exploited CVE-numbered vulnerabilities
The list of the ten most often exploited flaws between 2016 and 2019 includes seven affecting Microsoft offerings (Office, Windows, SharePoint, .NET Framework), one affecting Apache Struts, one Adobe Flash Player, and one Drupal.
They are as follows:
IT security professionals are advised to use this list alongside a similar one recently compiled by Recorded Future, which focuses on the ten most exploited vulnerabilities by cybercriminals in 2019.
In addition to all these flaws, CISA points to several others that have been under heavy exploitation in 2020:
Additional warnings and help
CISA has also warned organizations to check for oversights in their Microsoft O365 security configurations, to implement these recommendations, and to start fixing organizational cybersecurity weaknesses they might have.
“March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365. Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and vulnerable to attack,” they noted.
Organizations can apply for CISA’s help in scanning internet-facing systems and web applications for vulnerabilities and misconfigurations – the agency offers free scanning and testing services (more info in the alert).
In this podcast, Prateek Bhajanka, VP of Product Management, Vulnerability Management, Detection and Response at Qualys, discusses how you can significantly accelerate an organization’s ability to respond to threats.
Qualys VMDR enables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets. VMDR continuously assesses these assets for the latest vulnerabilities and applies the latest threat intel analysis to prioritize actively exploitable vulnerabilities.
Here’s a transcript of the podcast for your convenience.
Hi everyone. This is Prateek Bhajanka, VP of Product Management, Vulnerability Management, Detection and Response at Qualys. Today I’m going to talk about the new concept that Qualys has introduced in the market. That is vulnerability management detection and response, which talks about the entire lifecycle of vulnerability management using a single integrated workflow in the same platform altogether.
Security is only as strong as the weakest link that you have in your organization. There could be so many assets and devices which are on the network, which are connected to the enterprise network, which are consuming your enterprise resources, which you may not even know of. You will not be able to secure anything that you do not know of. That’s the reason the VMDR concept picks up the problem of vulnerability management right from the bottom itself where it is helping you discover the assets which are connected, or which are getting connected to your enterprise network.
No matter whether it is getting connected using VPN, or locally, or through a network, as soon as a device is getting connected, it will be discovered by the sensors that are located in the network, which can tell you that these are the new assets which are connected and then you can go about inventorying them. You can maintain the asset inventory of those devices. Then the next step is that if you look at performing vulnerability management, then you go ahead and perform vulnerability assessment, vulnerability management of those devices, the existing ones, the ones which are already discovered and the ones which are now getting discovered. Then identify all the vulnerabilities which are existing in those assets, and then as it is perceived in the market, that vulnerability is a number game, but vulnerability management is no longer a number game.
The reason is, if you look at the statistics over the last 10 years, you would see that the total number of vulnerabilities which get discovered in a year, maybe let’s say 15,000 to 16,000 vulnerabilities that are getting discovered, out of those vulnerabilities, only a handful, like 1000 vulnerabilities get exploited. That means the fraction of vulnerabilities which are getting exploited is not more than 10 to 12%. Let’s say that you have a thousand vulnerabilities in your organization, and even if you fixed 900 vulnerabilities, you cannot say that you have implemented vulnerability management effectively because the remaining hundred vulnerabilities could be all the way riskier than the 900 vulnerabilities that you fixed, and the remaining hundred vulnerabilities that you left could be the vulnerabilities which are getting exploited in the wild.
Now we are bridging the gap and with the concept of VMDR, we are not just calculating these thousand vulnerabilities for you, but we are also helping you understand what hundred vulnerabilities are getting exploited in the wild using various formats. It could be malware, it could be ransomware, it could be nation-state attacks, it could be a remote code execution. So, what are the vulnerabilities that you should pay immediate attention to, so that you can prioritize your efforts because you have a limited amount of remediation effort, a limited number of personnel, a limited number of resources to work on vulnerability management, so that you would be able to focus on the areas which would be all the way more impactful than what it is today. So, right from asset discovery to asset inventory to vulnerability management, and then prioritizing those vulnerabilities on the basis of the threats which are active in the wild.
Right now, so far what we are doing is problem identification, but we may not be actually solving the problem. How to solve that problem? With the concept of VMDR, we are also adding response capabilities in the same platform, so that it is not just about identifying the problem and leaving it on the table, but it is also about going and implementing the fixes. If you see a particular vulnerability, you would also be able to see which particular patch can be implemented in order to remediate this particular vulnerability.
That kind of correlation from CVE to the missing patch, it tells you the exact patches that you need to deploy so that this particular vulnerability can be remediated. It also tells you the list of prioritized assets on the basis of various real-time threat indicators, on the basis of various attack surfaces.
Once you have the vulnerability data, while we are doing the scanning, you have a lot of asset context that you can use to filter the number of vulnerabilities. When I say that you divide the context into two parts: internal and external. Your external context would be your threat intelligence feed that is coming from so many different sources or which may be inbuilt in the platform itself. And this threat intelligence is an external context because this is not taking into account your asset context or your internal organization context. So this will help you identify the vulnerabilities which are getting exploited in the wild today, which are expected to get exploited in the wild, for which there are some kind of chatter going around in the dark web, and that these are the vulnerabilities for which the exploits have been developed, the proof of concept is available, and so many things. This is very external.
Now, the internal context. Out of 1000 vulnerabilities, let’s say, on the basis of external context, you are able to prioritize or filter out, 800 vulnerabilities and now you’re left with 200 vulnerabilities. But how to go down further, how to streamline your efforts and prioritize your efforts.
Now comes the internal context. Whether this particular vulnerability is on a running kernel or a non-running kernel. Of course, I would like to focus my efforts on the running kernel first, because those are the kernels which would be exposed to any outsider. This is the asset context I would be putting in. What are the vulnerabilities which are already mitigated by the existing configuration? Let’s say, the BlueKeep vulnerability. BlueKeep vulnerability is a vulnerability which is on port 3389. If the network devices or if the network level authentication is already enabled on the network, that means I do not need to worry about the BlueKeep vulnerability.
If that is already enabled, I can also filter out those vulnerabilities on which the assets have been tagged as BlueKeep vulnerabilities existing. On the basis of all these many factors, whether this is remotely discoverable or not, because you will have to see the vulnerabilities which are getting remotely discoverable, they can be remotely discovered by the attackers also. That means it’s a priority that you should go ahead and fix those vulnerabilities first. On the basis of so many other internal context filters that are available with the VMDR concept and VMDR platform, you would be able to identify those vulnerabilities, those hundred vulnerabilities out of a thousand vulnerabilities, which you should pay immediate attention to.
With the click of a button which is available on the console, you would be able to go ahead and deploy the remediation measures from the console itself so that the time to remediation is reduced to the minimum possible. And the ideal time to remediation, as our Chief Product Officer likes to call it, is zero; the ideal time to remediation is zero because the average number of days before the vulnerability gets exploited in the wild is getting reduced. And now the average number of days has come down to seven.
You cannot have a significant delay before the vulnerability gets discovered and a vulnerability gets patched. This all, putting right from asset discovery to asset inventory, to vulnerability management, then prioritizing on the basis of the threats which are active, and then go about remediating and fixing those problems. This is the concept of vulnerability management, detection and response.
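The two-stage triage described in the transcript (an external threat-intelligence pass, then internal asset context such as running kernel, mitigating configuration and remote discoverability, followed by the vulnerability-to-patch correlation), written out as an added Python example; it is not Qualys code, and the Finding fields, vulnerability ids, patch placeholders and sample findings are constructed for illustration.

```python
"""Two-stage, context-driven vulnerability triage (added illustration, not
Qualys code). Stage 1 keeps only what the threat feed says is being exploited
or has a public exploit; stage 2 ranks survivors by asset context and drops
anything an existing control already mitigates."""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    vuln_id: str                     # constructed label, not a real CVE number
    cvss: float
    # External (threat-intelligence) context, constructed for the example.
    exploited_in_wild: bool = False
    exploit_public: bool = False     # proof of concept or weaponized exploit exists
    # Internal (asset) context.
    remotely_discoverable: bool = False
    running_kernel: bool = True      # False: only an inactive, not-booted kernel is affected
    mitigated_by_config: bool = False  # e.g. network level authentication in front of RDP
    patch_available: bool = True


def external_filter(findings):
    """Stage 1: keep findings with active threat context; park the rest."""
    return [f for f in findings if f.exploited_in_wild or f.exploit_public]


def internal_score(f):
    """Stage 2: score by asset context. 0 means no immediate action is needed."""
    if f.mitigated_by_config or not f.running_kernel:
        return 0.0                   # existing control or inactive code path
    score = f.cvss
    if f.exploited_in_wild:
        score += 4                   # active in the wild outranks a bare PoC
    elif f.exploit_public:
        score += 2
    if f.remotely_discoverable:
        score += 3                   # reachable by an outsider, not just an insider
    if not f.patch_available:
        score += 1                   # needs a mitigating control, which takes longer
    return score


def prioritize(findings):
    """Return (finding, score) pairs that still need attention, most urgent first."""
    ranked = [(f, internal_score(f)) for f in external_filter(findings)]
    return sorted(((f, s) for f, s in ranked if s > 0), key=lambda t: -t[1])


def remediation_plan(prioritized, patch_map):
    """Correlate each prioritized finding to its missing patch (or flag the lack of one)."""
    plan = {}
    for f, _ in prioritized:
        patch = patch_map.get(f.vuln_id, "mitigating control required (no patch)")
        plan.setdefault(patch, []).append(f.asset)
    return plan


# Constructed sample inventory: six findings across five assets.
SAMPLE_FINDINGS = [
    Finding("web01", "rdp-bluekeep-like", 9.8, True, True, True, mitigated_by_config=True),
    Finding("db01", "rdp-bluekeep-like", 9.8, True, True, True),
    Finding("app02", "kernel-lpe", 7.8, exploit_public=True, running_kernel=False),
    Finding("app03", "kernel-lpe", 7.8, exploit_public=True),
    Finding("lab01", "legacy-lib", 9.1),              # high CVSS, no threat context
    Finding("web02", "old-cms-rce", 8.5, True, True, True, patch_available=False),
]

# Constructed vulnerability-to-patch map; the ids are placeholders.
PATCH_MAP = {
    "rdp-bluekeep-like": "PATCH-PLACEHOLDER-RDP",
    "kernel-lpe": "PATCH-PLACEHOLDER-KERNEL",
}

if __name__ == "__main__":
    ranked = prioritize(SAMPLE_FINDINGS)
    for f, s in ranked:
        print(f"{f.asset:6} {f.vuln_id:18} {s:5.1f}")
    print(remediation_plan(ranked, PATCH_MAP))
```

Of the six constructed findings only three survive both passes: the mitigated RDP host and the inactive kernel drop out despite their CVSS scores, and the high-CVSS library with no threat context is parked in stage 1.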
vFeed is a truly exciting company and we had to include them in our list of the 10 hot industry newcomers to watch at RSA Conference 2020. In this podcast, Rachid Harrando, Advisory Board Member at vFeed, talks about how their correlation algorithm analyzes a large plethora of scattered advisories and third-party sources, and then standardizes the content with respect to security industry open standards.
Here’s a transcript of the podcast for your convenience.
Hello, my name is Rachid Harrando. I’m in the Office of the CISO at ServiceNow and partner and advisor for vFeed.io that I will introduce today.
What is vFeed? We would like to tagline vFeed with vulnerability intelligence as a service. That’s our tagline. Of course, we have to explain what it is, right? What we found out is there are more and more systems that have more and more vulnerabilities. And it’s difficult for any security team to maintain a good repository of all the different indicators and information related to those vulnerabilities.
The founders of vFeed have spent many years doing that tracking to do their security job. That’s where the idea comes from, to maintain an accurate and complete database that you can quickly refer to when you do your security investigation, to find security issues and remediate and prioritize. What happened after so many years is, this database became automated, and now provided to customers such as large SOC teams who have many areas going on. But they need information data to be able to pinpoint a rapid remediation or prioritization to know what to look for.
And vFeed is helping large SOC teams doing exactly that, because large SOC teams need to focus on their infrastructure. We don’t want to spend our time going looking for all the sources that would help them to fix it. They can rely on vFeed to maintain the most comprehensive and accurate database, to help large or even small SOC teams focus on the issues we have at hand, which is already a big task.
They don’t need to go and maintain these databases. We do it for them, we are part of their team, they can trust us. And we only do that, we only maintain the database. We are a pure player in that space, we don’t want to do anything else. We were doing other things in the past, but to be the best at what we do, we need to stay focused. So, a small team at vFeed is doing that and only that.
Like I said before – who can use it are the SOC team, or security team, who already are doing the job of looking for threats, looking for incidents. And of course, once they’ve found the incident, they need to have information to help them remediate as soon as possible, and make sure they are working on the most important issues. That’s what vFeed is helping them to do, by providing them the best data that exists.
When you don’t have a SOC team and you don’t have solutions, it’s going to be difficult to ingest vFeed data. You need to have that, since we provide only this database, which is, we are hiding the complexity of going and fetching these data sources and putting them in aggregate form, with all the correlation that you need to do to make it a nice format for you to consume.
You can find more information on our website – vfeed.io. You will find different use cases, the names of our customers as well, some of them have agreed to put the names on, and you can understand what type of data we are. We also give a free trial, people can of course try before they buy, it’s clear.
Every day there are new vulnerabilities, and every day we have a new update, new information, and that’s what we provide.
Cybersecurity is one of the most daunting challenges enterprises will face in 2020. According to IBM’s 2019 Cost of a Data Breach report, the average cost of a data breach in the U.S. is $8.19 million, with companies averaging 206 days to identify breaches before even attempting to address them (a task that averages another 38 days).
These stats and hundreds of others on cybercrime are quite sobering. Cyberattacks are beginning to seem like an inevitability, another cost of doing business. Yet, a lot can be done to reduce risk, particularly when it comes to vulnerability management.
Top vulnerability management myths
The importance of vulnerability management is often discounted or overlooked. Let’s look at and debunk the top vulnerability management myths, so that enterprises may opt to change their practices in ways that make fortifying cyber defenses and reducing risks significantly easier.
Myth 1: Periodic scanning is enough
One common and dangerous myth to dispel is that periodic vulnerability scans are good enough. Not true. Even once a day is no longer enough. New apps and endpoints are added to corporate networks each day — and this does not happen in unison at 8 am. Changes are made throughout the day, which means network compromise can happen at any time. And it can take a mere 18 minutes for hackers to go from foothold to a full-on breach.
Companies can’t just scan once per day, even if they fix a number of vulnerabilities every day. The rate at which new vulnerabilities appear is simply too high. Enterprises must scan continuously to be protected. Fortunately, new vulnerability management solutions make scanning at scale significantly faster and easier without impacting network performance, so there is really no good reason why enterprises should put networks at risk unnecessarily.
Myth 2: Vulnerabilities = patching
Many people equate vulnerabilities with patching. In reality, vulnerability management can be much more detailed and complex. For example, a configuration change might solve an issue, or if a company is running an old piece of software, a patch or configuration update might not be available. In this case, teams might need to put in a mitigating control, such as a firewall or routing change, to prevent certain types of traffic from getting to a port or application. In fact, sometimes mitigating controls work better than patches.
The bottom line is this: to think solely in terms of patching is short-sighted. Taking a broader view of vulnerability management will serve organizations better.
Myth 3: Fixing critical vulnerabilities ensures safety
The view that organizations have to fix Level 5 vulnerabilities first is outdated. Conventional logic goes that the most serious vulnerabilities demand immediate attention. The problem is that cybercriminals are aware of this mentality. As a result, they’ve begun attacking lower hanging fruit in middle-layer vulnerabilities. These are not as attention grabbing; they don’t have people playing beat-the-clock to remediate them, which gives hackers longer to figure out a way in, and they can ultimately cause tremendous damage as they go undetected for long periods of time.
When it comes to vulnerability management, companies need to adjust their approach. They either need to adopt new considerations and ranking systems for how they address vulnerabilities or they should opt for a two-pronged strategy, leveraging automated vulnerability management solutions to immediately remediate lower level vulnerabilities while freeing up team members to fix higher level vulnerabilities simultaneously.
Myth 4: Vulnerability management is no big deal
There is a distinct lack of respect for vulnerability management. Whether it is from teams that adopt a certain arrogance about their abilities — a “my guys can fix anything manually” attitude — or those that operate under the assumption that vulnerability management is a low priority background task, the result is the same: vulnerability management has taken a back seat.
The problem is that there are simply too many vulnerabilities popping up too quickly. Even the most talented, best staffed teams are not equipped to deal with all of them. By viewing them as a lower priority or letting vulnerability management fall by the wayside due to a lack of time or resources, companies open the door to cyberattacks, ultimately making their jobs exponentially more difficult in the long run — not to mention potentially costing their companies millions of dollars if/when a breach occurs.
Some companies that hold cyber insurance policies may feel a false sense of safety. I would urge these organizations to take a look at Merck or Mondelēz, which held policies they perceived would protect them financially in the event of an attack. They were wrong. After NotPetya, their claims were denied through a loophole that declared NotPetya an act of war. Today, these companies are hundreds of millions of dollars out of pocket and are tied up in legal battles with their insurance companies – battles that are expected to take years to resolve.
I would encourage all IT teams to prioritize vulnerability management, throw out their preconceived notions and myths. It may not be the sexiest task IT teams deal with but vulnerability management very well could be the biggest factor in preventing a serious malicious attack.
Only half of the vulnerabilities in cloud containers ever posed a threat, according to a Rezilion study.
The top 20 most popular container images on DockerHub were analyzed to discover that 50% of vulnerabilities were never loaded into memory and therefore did not pose a threat, regardless of Common Vulnerability Scoring System (CVSS) scores and despite vast resources in budget and manpower spent on patching or mitigation.
By triaging vulnerabilities using a continuous adaptive risk and trust assessment (CARTA) approach and then prioritizing treatment of those that are commonly targeted, companies can significantly reduce their security budgets or free up manpower to focus on other critical issues.
Firms with good security posture are equally breached
According to IDC, enterprises are spending 7-10% of their security budget on vulnerability management as daily operations become increasingly dependent on cloud services. Vulnerability scanners overload and confuse security teams with mountainous results that would be impossible to patch all at once.
The existing prioritization practices such as CVSS provide no notable reduction of breaches in organizations with mature vulnerability management programs. Firms with good security posture are equally breached by known vulnerabilities as those with poor security posture.
A risk-based approach to vulnerability management
Gartner recommends that “security and risk management leaders should rate vulnerabilities on the basis of risk in order to improve vulnerability management program effectiveness”.
Gartner also predicts that “by 2022, approximately 30% of enterprises will adopt a risk-based approach to vulnerability management” and “by 2022, organizations that use the risk-based vulnerability management method will suffer 80% fewer breaches.”
“A vulnerability is only as dangerous as the threat exploiting it and in some instances during our research, we found the figure dropped to as low as 2%. By focusing on actual vs. perceived risk, we found the security industry has been unnecessarily exaggerating the number of vulnerabilities security teams must address, which has dangerous ramifications to the cloud security landscape,” said Shlomi Boutnaru, CTO at Rezilion.
“A continuous adaptive risk and trust assessment-based approach reduces friction and overhead by identifying vulnerabilities running in memory and then prioritizing treatment to those vulnerabilities commonly targeted by hackers as well as any that don’t have mitigations.”
Which ten software vulnerabilities should you patch as soon as possible (if you haven’t already)?
Table of top exploited CVEs between 2016 and 2019 (repeats are noted by color)
Recorded Future researchers have analyzed code repositories, underground forum postings, dark web sites, closed source reports and data sets comprising submissions to popular malware repositories to compile a list of the ten most exploited vulnerabilities by cybercriminals in 2019.
The list comprises two vulnerabilities in Adobe Flash Player, four vulnerabilities affecting Microsoft’s Internet Explorer browser, three MS Office flaws and one WinRAR bug:
Most have been flagged and patched in the last few years – as can be seen by their CVE numbers – but one of them dates as far back as 2012.
The researchers put the popularity of Microsoft vulnerabilities (as compared to Flash bugs) down to a combination of better patching and Flash Player’s impending demise in 2020, and noted the importance of patching Microsoft products in a timely manner.
Among other, more recently patched flaws that made the top 20 list are CVE-2019-0841, a privilege escalation vulnerability in the Windows AppX Deployment Service and CVE-2019-3396, a server-side template injection vulnerability in the Atlassian Confluence Server and Data Center Widget Connector that could be used for remote code execution.
With all of this in mind, they advise admins to prioritize the patching of Microsoft products (and all the aforementioned vulnerabilities), automatically disable Flash Player wherever possible, remove affected software if it’s not needed, and install browser ad-blockers to prevent exploitation via malvertising.