MSP White Labeling Guide


Beyond Security’s MSP Vulnerability Scanner

Our MSP vulnerability scanner delivers website scanning and network vulnerability assessment services to your customers through our easy-to-use MSP platform. Our focus: high accuracy, easy management, low cost and integration with your existing systems. With our SaaS platform, automation simplifies the scanning process, with deployment options that cover a range of servers, data centers, or an organization’s own network. You get all of the features and options with none of the complication; MSPs find our vulnerability scanner easy and effective.

Test our managed security service platform today, and you’ll want to add website scanning and network vulnerability assessment to your service menu.

Why Would Managed Service Providers Choose a White Label Solution?

Beyond Security’s white label MSP services deliver the five benefits a white labeled managed security service offers, augmented by two additional pieces of the cybersecurity puzzle:

Vulnerability Assessment 

White labeled vulnerability assessment services provide a way to test IT systems and find vulnerabilities before they become a security incident. Vulnerability assessments give an organization an in-depth view of where systems are most vulnerable to a cybersecurity attack. White label vulnerability assessments provide application testing tools including static application security testing (SAST), dynamic application security testing (DAST), and mobile application security testing (MAST). These specialist tools are used to look for security vulnerabilities across the entire organization’s IT resources, including mobile devices.

Compliance with Regulations 

Data protection and privacy regulations such as the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and industry-specific regulations such as PCI-DSS and HIPAA are becoming increasingly stringent in an effort to tackle increased cyber-threats. White label managed security services can provide the experts needed to evaluate the compliance posture of an organization and determine the right tools to ensure regulatory compliance.

Full Branding, Marketing, and Sales Simplicity

Make your MSP unique and different from competitors. Easily promote and sell your brand with:

  • Easy account setup and maintenance
  • Services priced by number of IPs scanned each month
  • Low cost allows you to bundle scanning into any service plan
  • Full branding is available

Efficient Platform

  • Simple, automated platform sets up fast, requires little maintenance
  • Wide range of deployment options: we’ll host on our servers, run from your own data center, or install a fully managed VA/VM system in your customer’s network
  • Integrates with your billing, CRM and ticketing systems using APIs to automate deployment
  • Monitor and centrally manage your scanning services across all customers from a single interface
  • Deliver security services that are usually available only to the largest corporations
  • Step up to delivering Vulnerability Assessment and scanning services as anti-virus and firewalls become commodities with thin margins and declining effectiveness
  • Use differential reporting to document network changes and the appearance of new vulnerabilities in client networks or websites

Robust Integrations

Seamless integrations allow our vulnerability scanner to fit into your tech stack without any hassle. Some of the other features are flexibility, compliance adherence, and scalability.

  • Deploy VA/VM with no installation of clients required
  • Deliver network and website testing (including website security seals) from one control panel
  • New equipment, operating systems, ports and applications are automatically identified and tested
  • Scale from testing 1 IP or domain up to the largest, complex corporate network
  • Replace multiple security testing tools that produce conflicting reports and high false positives with one service that has the lowest false positive level in the industry
  • Scan time and bandwidth are completely controllable, so production equipment can be tested without fear of reduced availability
  • Catch security problems as they occur instead of leaving holes open for months while waiting for the next annual or semi-annual penetration test.

Schedule a demo and see how easy it is to add MSP scanning solutions to your services.

How Automated Detection and Network Access Control Work Together to Improve Incident Response


When a network or device is compromised, it is critical to respond as quickly as possible in order to minimize the risk to your business. To have an almost instantaneous incident response, you have to do two things: you have to detect the incident immediately and you have to respond immediately. 

Here we’ll show how combining automated detection with network access control (NAC) can improve incident response.

Networks are becoming increasingly difficult to protect

Networks have morphed into heterogeneous, hybrid-cloud infrastructures populated with multi-vendor devices. Making matters worse is the proliferation of IoT devices which come with very little built-in visibility or security. And on top of this, at the start of 2020, countless companies were suddenly put in a position where large segments of their workforce started working remotely.

With remote work came increased use of personal devices. And with this increase in BYOD, came a corresponding increase in endpoint security risks that were both difficult to track and difficult to manage.

As the adage goes, if you can’t see it and you can’t assess it, how can you protect it? More importantly, how do you protect a network with such a diverse number of endpoints? How do you keep up with them all? That’s the challenge facing IT departments today. 

As things turn out, there’s a solution. A potent mix of vulnerability detection and network access control technology can be used to deliver almost instantaneous incident response.

Start with automated threat detection

As we’ve said in a previous article, the technology to detect weak or infected devices and the technology to quarantine them has long existed – but until now, the missing link has been the integration between the two.

You can’t respond to an incident you don’t know about. So it goes without saying, you must start with detection. Using a combination of agentless and agent-based vulnerability scanning and monitoring, you can identify vulnerable devices as soon as they appear on your network.

Both solutions offer automated detection, but some devices lend themselves to agentless discovery and detection, while others, like IoT devices, will need agents placed on the device. If you have a large number of devices in your network, you’re likely going to need both of these to stay ahead of the threats in your environment.

Agentless scanning can be used to find unmanaged devices and perform regular scans of everything on your networks without having to install additional software. But there’s a catch: you won’t be able to detect devices not connected to the network at the time of the scan, nor devices that are turned off at the time of the scan. 

Agent-based scanning increases the visibility and security of all devices on the network – including IT, IoT and BYOD devices. These lightweight programs work in the background to continuously monitor network activity generated by endpoints and instantly detect signs of suspicious activity – but you have to obtain the user’s permission to install these agents.

Both solutions can be used to enact custom security policies and detect a range of threats from outdated software and missing patches to vulnerabilities, bugs and hijacked devices. Whenever a weak or vulnerable device is identified on your network, it is evaluated to determine the level of risk – and registered as an event. But what action should be triggered? 

Continue with proactive analysis and prioritization 

The flood of incidents can overwhelm an organization. According to an IDC study, “firms experience an average of 40 actionable incidents per week. Some of these will translate into genuine attacks but others require investigation in order to determine that they are benign.” 

Over two thirds of these investigations take between 1 and 4 hours. You don’t have to do much math to realize that’s one or more full-time resources just responding to incidents. The bottom line is that you cannot just scan your network for incidents; you also have to analyze and prioritize them.

You must leverage technology to contextualize threats in real time so you can take intelligent action. Most vulnerability assessment solutions use a combination of CVSS (Common Vulnerability Scoring System) scores, insights gathered from CVE (Common Vulnerabilities and Exposures) databases, and real-time threat intelligence feeds to prioritize the risk each incident poses to the organization.

Everything you monitor and detect must be evaluated for its relative risk, otherwise you run the risk of trying to “drink water from a fire hose.”

Finish the job with automatic quarantine

What do you do once you have analyzed and prioritized incidents? You use network access control (NAC) to initiate automatic and immediate quarantine. When you synchronize your NAC service with your security scanning solution, as soon as a threat is detected, your NAC solution kicks into action – suspending access and preventing a security risk from expanding. You have almost instantaneous incident resolution by combining these two technologies.
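The analysis-then-quarantine chain described in this section and the one before it, in miniature. This is an added illustration, not the article’s code and not any scanner or NAC vendor’s API: scanner findings are re-scored with context (the CVSS base score, an exploited-in-the-wild flag from a threat feed, and asset criticality), ranked for the analyst queue, and anything at or above a policy threshold is handed to a stand-in NAC object for automatic quarantine. The weights, the threshold, the hostnames and the CVE-style identifiers are constructed placeholders.

```python
"""Added example (not Beyond Security's code): contextual risk scoring of scanner
findings followed by an automatic quarantine hand-off to a NAC. The weights, the
threshold, the CVE-style placeholders and the sample findings are all constructed."""
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    host: str          # endpoint the scanner flagged
    cve: str           # placeholder identifier, not a real CVE
    cvss: float        # CVSS base score, 0.0-10.0
    exploited: bool    # threat-intel feed reports active exploitation in the wild
    asset_tier: int    # 1 = business critical ... 3 = low-value endpoint


def risk_score(f: Finding) -> float:
    """Contextualise the raw CVSS score: active exploitation and asset criticality
    raise it, low-value assets lower it; the result is clamped to 0-10."""
    score = f.cvss
    if f.exploited:
        score += 2.0
    score += {1: 1.0, 2: 0.0, 3: -1.5}[f.asset_tier]
    return max(0.0, min(10.0, score))


QUARANTINE_THRESHOLD = 8.5    # constructed policy value: at or above this, act without a human


class FakeNAC:
    """Stand-in for a NAC API; a real integration would call the vendor's endpoint."""

    def __init__(self) -> None:
        self.quarantined: List[str] = []

    def quarantine(self, host: str) -> None:
        if host not in self.quarantined:
            self.quarantined.append(host)    # i.e. move the host to the quarantine VLAN


def triage(findings: List[Finding], nac: FakeNAC) -> List[Finding]:
    """Rank findings by contextual risk and quarantine hosts above the threshold.
    Everything else stays in the analyst queue, already ordered for them."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    for f in ranked:
        if risk_score(f) >= QUARANTINE_THRESHOLD:
            nac.quarantine(f.host)
    return ranked


SAMPLE_FINDINGS = [   # constructed scanner output
    Finding("printer-3", "CVE-0000-0001", 6.1, False, 3),
    Finding("laptop-17", "CVE-0000-0002", 9.8, True, 3),
    Finding("hr-pc-4", "CVE-0000-0003", 7.2, False, 2),
    Finding("db-01", "CVE-0000-0004", 7.5, False, 1),
]


def demo():
    """Run triage on the sample findings; returns (ranked hosts, quarantined hosts)."""
    nac = FakeNAC()
    ranked = triage(SAMPLE_FINDINGS, nac)
    return [f.host for f in ranked], nac.quarantined


if __name__ == "__main__":
    print(demo())
```

Note how the low-value laptop with an actively exploited 9.8 and the critical database server with a non-exploited 7.5 both cross the line, while the same 7.2 on an ordinary workstation stays in the queue: the raw CVSS number alone would have ordered these differently.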

With the user’s device now quarantined, the technology team can reach out to the user to safely address the security concern without leaving company networks open to ongoing threats.

Companies that don’t have a NAC solution in place should consider one of the vendors that now offer NAC in the cloud. It doesn’t require additional on-premises equipment and can quietly work in the background – jumping into action once the security software identifies a threat.

Detection, analysis and instant action – the key to improving incident response

A combination of automated detection with incident analysis, alongside the ability to automatically quarantine devices, delivers quick protection when an unknown system-wide threat emerges. It rapidly protects your network, giving you time to eradicate the threat.

Of course, the method we outlined is just one part of a broader cybersecurity strategy, but we are confident that automated detection and analysis, plus instant NAC-driven quarantine will deliver the incident response times CISOs demand.

Black Box Fuzzing Uncovers Known and Unknown Vulnerabilities

Black box fuzzer tools can find both your known and your unknown vulnerabilities. This cybersecurity guide, How Black Box Fuzzers Protect Against The Unknown, can help you build layered security that finds the unknown vulnerabilities and covers the known ones as well.

Start Using Fuzzing to Improve Autonomous Vehicle Security


This article was originally published on Techaeris on August 07, 2020.

For centuries, the automotive industry has benefited from the rapid development of technology. From the introduction of Ford’s Model A back in 1903 to recent times, when cars are equipped with assistive sensors that help the driver park safely, evolving multimedia systems, and computerized engine systems that can alert the driver to technical issues, we have come a long way since the horse-drawn buggy. What we were not counting on is that innovation brought vulnerabilities with it: fully computerized, IoT-connected automobiles are exposed to the same type of security threats as your laptop. But there is a simple way to take the necessary precautions, and it is called fuzzing.

What is fuzzing?

Fuzzing is an automated process used to find 0-day vulnerabilities in software and devices. Fuzzers feed permutations of data, generated randomly or in a defined order, into the DUT (device under test). As a result, a fuzzing tool is capable of finding vulnerabilities that were not found before and would otherwise be announced as zero-days. Fuzzers will normally target the buffers within the protocol and send sequences of bytes, letters, or integers.

Connecting cars to the Internet

Nowadays cars are equipped with much more sophisticated technology than just an engine. With that comes connectivity to the IoT (Internet of Things), which is the main avenue for attacking the car’s control systems. Every new technology introduced comes with benefits to society in general, but also with security loopholes that bad actors can take advantage of.

New vehicle technology can introduce new security loopholes for hackers.

Even though cars today are fully equipped with computers and computerized control systems, they still require a human operator. As we know from research by Fagnant and Kockelman in 2015, humans are responsible for 90% of all road accidents. But a recent study by Bertoncello et al. predicted that road accidents would be reduced by 80% by 2040 due to the increasing use of automated cars.

Security implications for automated cars

Researchers worldwide have considered the benefits and risks of the usage of automated cars. Dino Causevic has even suggested the use of machine learning for improving the security aspects of automated cars in an article published at toptal.com. It is great to see the rising awareness of the security issues in automated cars, but here we would like to suggest a new way of looking at the problem.

Machine learning and artificial intelligence require “training sets” to enhance the system’s ability to operate: one needs to feed the machine enough scenarios for it to develop enough intelligence to operate adequately. This training might not be enough to prevent new security issues.

What complicates things even more is the fact that car manufacturers typically developed their own security protocols on top of proprietary platforms and standards such as CAN bus, OBD-II, and CAN FD. Therefore, training the computer on all those unique protocols and situations becomes an expensive and extensive process.

Fully automated cars are not yet widely used, and therefore security holes are not yet properly researched and documented. For example, the National Institute of Standards and Technology (NIST) has very few documented issues in its CVE (Common Vulnerabilities and Exposures) database for automated car systems and components. Therefore, I would like to introduce to you today the concept of fuzzing and how it could assist in ensuring the security of automated cars.

Fuzz testing autonomous and connected cars

Imagine the following situation: you are driving your automated car, the engine communicates with its sensors, and thousands of packets are being sent and received by the engine. Suddenly another node starts sending thousands more packets to your engine. This node is not playing by the rules and does not send the accepted number of bytes as defined in the protocol. Your engine has been tested, so it has the ability to resist those packets; however, as the node keeps sending more and more packets, containing integer or hexadecimal combinations that are not usually processed by the engine, a buffer overflow is suddenly created, causing your engine to shut down while you are on the freeway. It is a terrifying scenario, yet very simple to carry out. To prevent such situations, it is recommended to use fuzzers that test each specified region and buffer in the protocol, that can suggest a fix to the engineers, and that give assurance that the automated car is safe against attackers trying to crash the DUT, bypass login, or achieve remote code execution.

An attack as simple as a buffer overflow could potentially shutdown your engine without notice.

There are several well-known fuzzing methods known in the industry today:

  1. Mutation: samples of valid input are mutated randomly in order to create malformed inputs. Mutation may not provide a clear indication of which buffer caused the DUT to crash, and it is difficult to replay the scripts and find the exact loopholes.
  2. Replay: the fuzzer takes saved sample inputs, mutates them and then replays them to create an attack. It is not a recommended or effective way to fuzz automotive systems, as it requires a robust set of recorded information and does not work well with the dynamic, bidirectional protocols used in automotive communication.
  3. Grammar and generation based: in this method the fuzzer learns the RFC and understands its grammar, so it knows which fields may not be mutated and which fields can be tested. This gives a more in-depth ability to communicate with the DUT, since the packets are generated based on the grammatical structure of the RFC. Unlike mutation, the fuzzer is able to create an attack and replay it against a specific field later. The generation-based fuzzer constructs valid sequences of inputs and applies fuzzing to specific parts of that communication. It is more time effective because it ensures that packets are not immediately blocked by the DUT, unlike mutation, where the first sequence of packets will normally be indigestible and will not test the protocol at all, since those packets are blocked immediately.

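The contrast between methods 1 and 3 above, and the replay property of method 3, worked through in code. This is an added example, not from the article and not any Beyond Security tool: a toy CAN-style frame parser standing in for the DUT, with a constructed length-handling defect of the kind the freeway scenario describes (it trusts the sender’s byte count); a blind mutation fuzzer that flips bytes of a valid seed frame; and a grammar-aware generator that keeps the ID and the data length consistent with the protocol while walking only the DLC field through boundary values. The frame layout, the accepted ID range and the defect are all constructed for this illustration.

```python
"""Added example (not from the article or any Beyond Security product): a toy
CAN-style frame parser with a constructed length-handling bug, fuzzed two ways
to contrast mutation and grammar/generation-based fuzzing. Frame layout,
accepted ID range and the bug are all constructed for this illustration."""
import random

BUF_SIZE = 8                          # classic CAN payload limit
ACCEPTED_IDS = range(0x100, 0x200)    # IDs this toy node listens to (constructed)


class Rejected(Exception):
    """Frame dropped by input validation; it never reaches the buffer copy."""


class Crash(Exception):
    """Simulated memory-safety failure: the copy ran past the 8-byte buffer."""


def toy_dut(frame: bytes) -> bytes:
    """Parse [id_hi, id_lo, dlc, data...]. Checks the ID and that the data
    length matches DLC, but (the constructed bug) never checks DLC <= 8."""
    if len(frame) < 3:
        raise Rejected("short frame")
    can_id = (frame[0] << 8) | frame[1]
    dlc, data = frame[2], frame[3:]
    if can_id not in ACCEPTED_IDS:
        raise Rejected("not our ID")
    if len(data) != dlc:
        raise Rejected("DLC/data length mismatch")
    buf = bytearray(BUF_SIZE)
    for i in range(dlc):               # trusts the sender's byte count
        if i >= BUF_SIZE:
            raise Crash(f"write past buffer at dlc={dlc}")
        buf[i] = data[i]
    return bytes(buf)


def encode(can_id: int, data: bytes) -> bytes:
    """Build a well-formed frame for the toy layout."""
    return bytes([can_id >> 8, can_id & 0xFF, len(data)]) + data


SEED_FRAME = encode(0x123, bytes(range(8)))   # valid seed for mutation (constructed)


def replay(frame: bytes) -> str:
    """Re-send one saved frame and classify the outcome: a saved frame is what
    makes a finding reproducible for the engineers."""
    try:
        toy_dut(frame)
        return "ok"
    except Rejected:
        return "rejected"
    except Crash:
        return "crash"


def mutation_fuzz(rounds: int, rng: random.Random):
    """Blind mutation: flip 1-3 bytes of the seed, sometimes append junk.
    Returns (frames that passed validation, first crashing frame or None)."""
    passed, crash = 0, None
    for _ in range(rounds):
        frame = bytearray(SEED_FRAME)
        for _ in range(rng.randint(1, 3)):
            frame[rng.randrange(len(frame))] = rng.randrange(256)
        if rng.random() < 0.3:
            frame += bytes(rng.randrange(256) for _ in range(rng.randint(1, 2)))
        outcome = replay(bytes(frame))
        if outcome != "rejected":
            passed += 1
        if outcome == "crash" and crash is None:
            crash = bytes(frame)
    return passed, crash


def generation_fuzz():
    """Grammar-aware: keep ID and data length consistent with the protocol and
    walk the DLC field through boundary values, so every frame reaches the parser.
    Returns (frames sent, frames that passed validation, first crashing frame)."""
    sent = passed = 0
    for dlc in range(0, 16):           # 0-8 legal, 9-15 out of spec
        for fill in (0x00, 0xFF):      # two data patterns per length
            frame = encode(0x100, bytes([fill]) * dlc)
            sent += 1
            outcome = replay(frame)
            if outcome != "rejected":
                passed += 1
            if outcome == "crash":
                return sent, passed, frame
    return sent, passed, None


if __name__ == "__main__":
    print("mutation :", mutation_fuzz(500, random.Random(7)))
    print("generation:", generation_fuzz())
```

Run it and compare the two tallies: most mutated frames die at input validation (wrong ID, or DLC no longer matching the data length), so they never exercise the buffer copy, whereas every generated frame passes validation and the out-of-spec DLC of 9 crashes the parser on the nineteenth frame. Feeding the returned frame back through `replay` reproduces the crash on demand, which is exactly the field-level reproducibility the text attributes to generation-based fuzzing.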
While fuzzing is not the only solution out there, it is indeed the best fit for the automated car industry. Static analysis tools require source code access to detect potential vulnerabilities; fuzzing does not. The source code is not being fuzzed at all; rather, it is the protocol and communication method that are being fuzzed.

Additionally, static analysis requires information about the DUT: what language the source code was written in and what the entire stack looks like. Fuzzing, on the other hand, operates as a black box test. It does not require any information about the DUT, it does not require special access for testing, and it finds vulnerabilities in the post-development and pre-release stages.

Nowadays vehicles use several protocols such as CAN and OBD-II, described above, in addition to the Bluetooth stack and even in-car Wi-Fi using the IEEE 802.11 protocol. Machine learning cannot provide an extensive solution to all of those potential points of entering and taking over car control: it tests the car in endless scenarios as one operating unit, whereas fuzzing tests endless scenarios for each protocol and for each unique situation.

Another key advantage of fuzzing is the ability to communicate over protocols that require a serial connection. Unlike vulnerability assessment, which finds vulnerabilities using IP communication, fuzzing can provide robust testing for products that do not have TCP/IP communication.

We understand that the security implications of automation should be addressed and that there might be other solutions that give adequate security coverage, but there is still no solution like fuzzing that gives full, extensive and exhaustive testing and can assure the safety of automated cars while they are in the verification stage. If you use the right type of fuzzer, you will benefit from the ability to recreate the attack and understand the structure of your protocol, and thus understand which parts of your protocols are more vulnerable and what the methods and causes are. So next time you are on the open road, driving your smart car, keep in mind that fuzzing can be the smart way to avoid unnecessary and often critical unseen danger.

ABOUT THE AUTHOR

Joel Sivan is a Senior Engineer and Support team leader at Beyond Security (www.beyondsecurity.com), a US-based company that specializes in vulnerability scanning, source code analysis, and black-box testing. He has extensive experience in the field of IT security, which started at the age of 19 when he became a communication sergeant in the IDF responsible for radio communication systems and proprietary.

Joel has specialized in these unique tools, which led him to understand the importance of protecting OT equipment and protocols that are not covered by regular IT vulnerability testing. While serving in the IDF, Joel also worked at Magic Software, where he handled projects involving interconnecting IT systems and supporting sales and R&D by ensuring that the servers and environment were secure and scalable.

At Beyond Security, he oversees vulnerability scanning and fuzzing of unique protocols. He has seen hundreds of test cases as part of his role as Senior Sales Engineer and his work with high caliber clientele within North America, Europe, and Africa. He is currently pursuing a degree in Business Administration and Psychology. He is an assistant researcher at the Research Center for Internet Psychology.


Black Box Fuzzers: A Tool Against the Unknown

Black box fuzzing tools like beSTORM protect against both known and unknown vulnerabilities. This guide, How Black Box Fuzzers Protect Against The Unknown has more information about protecting against the unknown.

To Fuzz or Not to Fuzz: 8 Reasons to Include Fuzz Testing in Your SDLC


Developing software today requires a keen sensitivity to creating secure code. Even NIST admits that “Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model to ensure the software being developed is well secured.”

This is why NIST developed the Secure Software Development Framework (SSDF) to be part of the SDLC: software should be tested while it is being developed, not afterwards. But the question that always arises is, what is the best way to test software during the SDLC? One possibility is fuzz testing. Fuzzing has proven effective in detecting critical vulnerabilities during the SDLC. Fuzzing allows you to stay one step ahead of hackers by helping to discover coding errors and security loopholes in your software while it is being developed.

As hackers continue to evolve in the way they exploit critical systems and software vulnerabilities, the importance of including fuzz testing as a core part of your SDLC becomes obvious. 

8 Reasons to Include Fuzz Testing in Your SDLC

Your SDLC defines the steps or tasks your development team should follow in the creation of applications for your organization. As a result, it’s important to ensure that the right tasks or processes, like fuzzing, are included in this framework.


1. Test your application with real-world attacks

Cyberattacks are evolving by the day and it’s nearly impossible to determine how hackers will attack. As a result, your software development team will need to constantly think about all the possible modes of attack that can be launched at your enterprise. Integrating fuzz testing into the different stages of your SDLC allows you to think like a hacker and stop potential attacks in advance.

While hacker sophistication will ultimately vary among cyberattackers, they all typically launch attacks by probing your network or program to find vulnerabilities. Fuzz testing is centered around this concept, and by including it as part of your SDLC you will be giving your enterprise its best shot at remaining one step ahead of these hackers.

2. Eliminate zero-day attacks

Zero-day attacks continue to grow in size and impact every year. With 37% of cyberattacks on enterprises reportedly leveraging zero-day exploits, enterprises must recognize the problem at hand.

Whether you include fuzzing at the implementation or verification phase of your SDLC, you can be sure that it’ll help you uncover security vulnerabilities in your code long before hackers are able to. As zero-day attacks continue to rise, fuzz testing offers an innovative way of ensuring you’re not a part of this statistic by finding zero-day vulnerabilities that may exist in your enterprise’s software or network.

3. Create more efficient code

Since fuzz testing at any stage of your SDLC can generally uncover bugs that were missed in a manual audit, in the long run it will help your development team create code with fewer weaknesses and loopholes. As hackers continue to improve their sophistication, enterprises will need to ensure that they get their coding right from the development stage.

4. Detect software vulnerabilities before deployment

By integrating fuzz testing into the SDLC, either before or as part of your implementation phase, you can easily detect software vulnerabilities before deployment. This should help you uncover loopholes that hackers may likely exploit when the software is eventually deployed. This is even more necessary as zero-day attacks show no signs of slowing down in the cybersecurity landscape today.

Considering that smart fuzzing also covers more attack entry points than many other appsec solutions, it should certainly be included as an essential component of your SDLC rather than an optional activity.

5. Save time and money

One of the most notable reasons why you should include fuzzing in your SDLC is that it takes little effort to get results once you have it up and running. Once you’ve set up your fuzzer, you can leave it running for days or months to discover security weaknesses without any additional interaction (or expense).

Although the duration of a fuzz test will vary from one network, program or enterprise to another, the entire process is usually automated, saving you time and effort. The emergence of smart fuzzers, with auto-learn capabilities that can seamlessly test over 250,000 attacks per second, means that automated fuzzing will become even faster in the future.

6. Test applications without knowing the source code

Black box fuzzers are able to test applications without access to the source code. This is essential for uncovering zero-day vulnerabilities in commercial applications where there is no access to the source code. By including black box fuzzing in your SDLC, you’re able to test completely closed systems, like VoIP, and close loopholes before implementation.

Since hackers will most likely have little or no information about your network or application, black box fuzzing offers a more reliable simulation of what you can expect hackers to find when they probe your enterprise. Bear in mind that if you use open source software, hackers may already have access to key components of your code for scrutiny.

7. Test all protocols

Fuzzers can be portable in the way they allow you to test a wide range of protocols and applications. For instance, a basic protocol fuzzer may allow you to test multiple web browsers across different vendors. Some smart fuzzers also support bring-your-own-device (BYOD) scanning which is a growing necessity in today’s evolving digital world.

The benefit of being able to test or adapt to different protocols also means your developers and network administrators can create more secure applications and defend your network more effectively without having to rely on disparate testing tools.

8. Reduce false alerts

False positive threat alerts can be overwhelming and are a major cause of analyst fatigue. Fuzz testing exercises the actual code of your software and reports bugs that actually exist, thereby resulting in fewer false positives than static code scanning.

Smart fuzzers allow you to create enterprise-oriented rules based on your in-house frameworks. These rules ultimately help your analysts identify simple issues and reduce the time spent triaging and filtering out false positives. Similarly, fuzz testing also results in fewer false negatives as it mostly seeks out real vulnerabilities that can crash your network or program.

The Bottom Line

The rise of zero-day exploits means that your enterprise will need to do more to discover security weaknesses in a timely fashion. That means only one thing: discovering vulnerabilities while the software is being developed—as part of the SDLC. And one very effective way of doing that is with fuzz testing.

Fuzz testing helps detect zero-day exploits of your software using real-world attacks so you can detect vulnerabilities before deployment. Fuzzing can save time and money by automating testing, which not only results in safer code, but more efficient code too. And it does it all without having to know the source code.

If you’d like to incorporate fuzz testing into your SDLC, you can request a demo to gain first hand experience on how fuzz testing using beSTORM can help your organization detect vulnerabilities long before hackers can exploit them.

Playing the Long Game for Secure Remote Access With Complete Visibility and Controlled Access


Now more than ever, businesses are adapting to long-term remote work policies. This causes staff to rely heavily on personal devices to access corporate networks, which often contain sensitive data. But being away from the office and its in-house security infrastructure presents new opportunities for malicious actors to breach your network.

Furthermore, newer technologies, such as the IoT, present complex security challenges for businesses to protect company and client data from exploitation. This dynamic environment also increases the complexity associated with data regulations and policy compliance. 

With a myriad of devices entering the scene, this article explores how business owners and CISOs can implement new strategies and tools to protect against this evolving threat landscape while employees are working remotely.


1. Take advantage of cloud-based IT systems

Adopting a cloud-based IT strategy is advantageous for many businesses. It’s a particularly favorable solution for businesses with remote workers who would otherwise be using disparate browsers, email clients, video conferencing tools or general data handling apps.

Cloud-based systems can integrate all necessary business applications into one single computing environment. Within this secure platform, users can be verified, devices authorized, and all data processed and stored in the cloud. Cloud solutions eliminate the need for third-party software and eradicate pathways for malicious actors who would otherwise take advantage of software which is either outdated or unvetted by security teams.

Of course, data held within the cloud can also be compromised. Many cloud solutions incorporate AI-based tools to detect unusual activity and protect against unauthorized access, such as behavioral analytics and device authentication practices.

Cloud solutions are frequently paired with a professional VPN which provides remote workers with an extra layer of security while away from the office. A VPN will encrypt and tunnel all internet traffic to a remote server, which is a safer way to connect to the internet. Transmitted data will remain unreadable to snoopers and hackers as they’re unlikely to break through the wall of encryption.

Overall, cloud-based systems are more cost effective as they eliminate much of the physical IT infrastructure that would require on-going maintenance and upgrades. They also provide greater scalability for businesses who anticipate future growth, offering nearly unlimited data storage without investing in physical storage.

2. Use available security for IoT devices 

IoT devices continue to gain popularity in both personal and business environments. Unfortunately, this new technology adds additional risk and opportunity for hackers looking to circumvent security parameters. IoT devices may improve data management and increase profits, but they pose a whole new level of cybersecurity challenges.

There are a number of vulnerabilities that exist within IoT devices. For example, failing to update a device’s firmware, or devices that lack adequate encryption when receiving updates, provide pathways for malware and ransomware to enter a network. Insufficient monitoring of how each device is configured, such as leaving ports open, neglecting to use a firewall, or not disabling file sharing, can weaken the overall network. Even human errors such as creating weak, easily guessed passwords are still a common way attackers exploit networks.

The world of IoT is rapidly evolving and security has to keep up. Thankfully, there are tools available now to address IoT security such as AI-based behavioral analytics, vulnerability scanning and endpoint detection and response (EDR). These technologies are being increasingly adopted to tackle the challenges that IoT networks present.

3. Implement NAC and MDM solutions

Network access control (NAC) is a type of cyber security technology that allows an organization to define and implement policies that control the access of endpoints to a network – while at the same time providing visibility of each device trying to gain access. NAC provides security posture assessments for the endpoints, highlighting the risks, and can control access based on the level of risk tolerated by the organization.

An important element of NAC is controlling risk associated with mobile devices. Many organizations allow or provide mobile device usage on a corporate network. These devices are often used for both business and personal use and introduce additional risk to the organization. Implementing a mobile device management (MDM) system is a risk mitigation control which gives companies more centralized control over employees’ devices to ensure they remain compliant with BYOD policies.

MDM solutions work on smartphones, laptops, tablets and also IoT devices. They provide companies with the ability to manage apps remotely, troubleshoot devices, and obtain location and usage data.

This solution boosts security, as any device that could be deemed compromised, such as a lost or stolen device, can be located via location tracking or remotely wiped if necessary.

Of course, because MDM solutions give greater control and deeper insight into how devices are being used, it’s important to respect employee privacy and ensure trust is maintained.

4. Don’t forget PAM and 2FA

As important as access control is when employees are in house, that urgency really gets ramped up with remote workers. It’s essential that you implement available access control technologies like privileged account management (PAM) and two-factor authentication (2FA) for all your remote workers.

PAM enables you to tailor access to specific roles and adhere to the doctrine of least privilege. Whether it’s service, application, root or administrative access that’s required, a PAM system will keep your remote workers where they’re supposed to be.

No company should let their remote workers log in without two-factor authentication. Phishing and email compromise are growing rapidly with the increase in remote work. One easy and inexpensive way to protect against these threats is with 2FA. In the event the bad guys get the login credentials, it won’t do them any good if you use 2FA.

Final Words

As the operating environment and threat landscape evolve, it is critical that organizations implement a layered security approach to mitigate risk. No one security appliance or approach is foolproof. Instead, organizations must implement multiple technologies throughout the network to help identify, detect and respond to threats. In addition to the technologies mentioned here, organizations should also incorporate external vulnerability assessments and scans to mitigate risks into which they normally wouldn’t have visibility.

The way people work is changing and remote and mobile work is increasing in popularity. This new normal is presenting additional risks with heightened attention by both adversaries and network defense professionals. The good news is your security partners can help you understand your risks and choose the best risk mitigation, network access control and mobile device security solutions for your needs. 

Looking for a vulnerability scanner? Contact us to schedule a free demo of our products in action.

Fuzzing: An Important Tool in Your Penetration Testing Toolbox


While fuzzing may sound like just another buzzword in the cybersec landscape, it has continued to gain popularity over the last several years and shows no signs of going away. 

Development teams know that unless their developers all just came down from Mount Olympus, there are likely to be security holes in their applications – and they need tools that can be used by anyone to simulate real attacks. 

So they turned to fuzz testing, or fuzzing – a new approach to security testing that gives users the ability to think like a hacker.

Is fuzzing a new tool? Yes and no. 

With several popular fuzzers on the market, fuzzing may have become a buzzword in the AppSec and DevOps communities in recent years, but the concept is not new.

The term “fuzzing” has been widely used for the better part of three decades after getting its name from Barton Miller during a 1988 University of Wisconsin class project. However, the concept, originally known as random testing and monkey testing, has been around since at least the 1950s.

What is fuzzing? And is it really random? 

What is fuzz testing?

Simply put, fuzzing is a “black box testing” method in which the application is tested from the outside in – as in a hacker trying to break in without having access to the source code. 

Today, fuzz testing refers to the automated process of uncovering software security bugs by feeding permutated inputs into a program and analyzing the results until one of those inputs uncovers a vulnerability. It is a black box testing and quality assurance (QA) technique that relies on feeding massive amounts of data, called fuzz, into target software in a bid to crash it.

Fuzzing has been around for a while but has recently gained prominence as organizations are starting to understand the importance of thinking like a hacker in the fight against cyber attacks. 

In your quest to discover zero day vulnerabilities, fuzz testing is one of the most effective processes you can engage in to improve your cybersecurity resilience. Developers are able to use fuzzing to create more secure code through testing during development and QA stages. 

How does fuzz testing work?

Although it may seem that hackers spend a great deal of time studying different software or systems for security vulnerabilities, that isn’t always the case. They usually just poke around until they find a weakness to exploit. When this process of poking around is carefully recreated into a well defined testing process, it’s called fuzzing. 

Fuzz testing works by poking into software, firmware, networks and even hardware, in an effort to uncover bugs that can be exploited by hackers. Specialized tools, called fuzzers, are used to detect these vulnerabilities as quickly as possible. 

While other application security (appsec) testing tools focus on detecting known vulnerabilities, which requires access to source code, fuzzers rely on using as many inputs as possible to uncover new and unknown bugs. Fuzzers can function with or without access to the software’s source code.

Smart fuzzers and dumb fuzzers

While most fuzzers use strictly random inputs to probe software (i.e., dumb fuzzers), there is a new breed of fuzzers, smart fuzzers, that are programmed with some knowledge of the inputs and file types required.

Rather than throw lots of random fuzz at software, smart fuzzers use algorithms to determine which attacks are most likely to succeed. Smart fuzzers can test all internet protocols, even complex ones such as SIP. And smart fuzzers test the binary application, and are therefore programming language independent. All of these capabilities mean smart fuzzers are more likely to find a vulnerability and in less time.

The 5 benefits of fuzzing

As hacker mentality continues to evolve, so too will the need for more effective security testing tools. If your organization is going to stay ahead of cyber criminals in today’s world, it will need a cybersecurity strategy that actively promotes fuzzing at every stage of the software development life cycle. Here are five benefits of adding fuzzing to your penetration testing toolbox.

A cost effective security test

The benefits-to-cost ratio of fuzz testing, when compared with other security testing techniques, makes it ideally suited for businesses on a budget. By allowing cost-conscious companies to discover software bugs exploitable by hackers, fuzzing delivers a cost effective security testing solution.

Guards against zero-day vulnerabilities

Zero-day vulnerabilities are the nightmares of every CISO. However, when executed successfully as part of your organization’s black box testing, fuzzing can effectively help you reduce the possibility of zero-day vulnerabilities.

Discovers coding errors at early stages of your SDLC

By incorporating fuzz testing in different stages of your software development life cycle (SDLC), you’re able to discover most coding errors during the development or quality assurance (QA) stages, which is much cheaper than discovering them in production.

Improves security testing results

While fuzz testing may not be a comprehensive security testing solution on its own, when deployed as part of your black box security testing strategy, it certainly enhances your security testing results.

Ensures that all potential security vulnerabilities are explored

The concept of fuzzing works in such a way that all potential loopholes are explored or tested, and unknown vulnerabilities are discovered.

How to choose a fuzzing tool

Different providers offer fuzzers with a wide range of features and capabilities. However, there are some essential features you should look for in a fuzzing tool.

Support for multiple protocols

With more than 250 fuzzers in the market, there’s a great deal of variation among them. While some fuzzers offer support for vendor and self developed protocols which can be extended, others may not. Fuzzers should support your existing protocols as well as future ones.

Speed

When it comes to detecting vulnerabilities, time is everything. A reliable fuzzer should be able to support load tests of as many attacks as possible per second. Whether it’s dumb fuzzing that requires random inputs or smart fuzzing that utilizes intelligent inputs, getting a fuzzer that can run as many test cases as possible per second is crucial to discovering your application security (appsec) vulnerabilities. 

Code coverage

Code coverage refers to how much of a software’s code has been executed by a fuzzer. The more code covered, the more thorough the test. However, just testing a lot of code is not the answer. Unless you know which parts of the source code are executed, you don’t really know how thorough the test is. Ideally you have a fuzzer that lets you know which sections of the source code have been tested.

Crash categorization

The role of fuzz testing does not end with discovering potential crashes. Once you find a crash, the next step will usually be to correct the code. However, with potentially hundreds of thousands of test cases being run per second, treating each crash on an individual basis is impossible. A fuzz tester that categorizes crashes will allow you to prioritize them and identify those with similar bugs for more efficient problem resolution.
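The mechanics described in “How does fuzz testing work?” and in the two sections above (mutated inputs fed to a target, coverage tracked to judge thoroughness, and crashes grouped so that thousands of failures collapse into a handful of bugs) fit in a few dozen lines. This is an added example written for this article, not code from the original post or from any fuzzing product. The record parser it targets, the seed input and the bucket naming are constructed for illustration, and coverage is measured with Python’s own trace hook rather than the compile-time instrumentation a production fuzzer would use.

```python
"""Mutation-based fuzzer with coverage tracking and crash bucketing.

Added example, not code from the original article. parse_record is a
constructed target whose unchecked assumptions stand in for real bugs.
"""
import random
import sys
import traceback


def parse_record(data: bytes) -> dict:
    """Constructed fuzz target: parses 'key=value;key=value;' records.

    Each unchecked assumption below surfaces as a distinct crash signature.
    """
    text = data.decode("utf-8")            # assumes valid UTF-8
    fields = {}
    buffer = bytearray(8)                  # fixed-size scratch buffer
    for item in text.split(";"):
        if not item:
            continue
        key, value = item.split("=", 1)    # assumes every item contains '='
        if key == "len":
            n = int(value)                 # assumes a numeric value
            buffer[n] = 1                  # assumes n < 8: out-of-bounds index
        fields[key] = value
    return fields


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random byte-level edits (a 'dumb' mutation strategy)."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(3)
        if op == 0 and data:                           # overwrite a byte
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 1:                                  # insert a byte
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif op == 2 and data:                         # delete a byte
            del data[rng.randrange(len(data))]
    return bytes(data)


def run_with_coverage(target, data: bytes):
    """Run target on data; return (line numbers of target executed, exception or None)."""
    lines = set()

    def tracer(frame, event, arg):
        if frame.f_code is target.__code__ and event == "line":
            lines.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        target(data)
        return lines, None
    except Exception as exc:                  # a crash is exactly the signal we want
        return lines, exc
    finally:
        sys.settrace(previous)


def crash_bucket(exc: BaseException) -> str:
    """Signature used to group crashes: exception type plus the innermost frame."""
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    return f"{type(exc).__name__}@{frame.name}:{frame.lineno}"


def fuzz(target, seeds, iterations: int = 3000, rng_seed: int = 1):
    """Coverage-guided loop: inputs that reach new lines join the corpus,
    crashes are recorded once per bucket with the first input that hit them."""
    rng = random.Random(rng_seed)
    corpus = list(seeds)
    covered = set()
    buckets = {}
    for _ in range(iterations):
        data = mutate(rng.choice(corpus), rng)
        lines, exc = run_with_coverage(target, data)
        if not lines <= covered:              # new coverage: keep this input
            covered |= lines
            corpus.append(data)
        if exc is not None:
            buckets.setdefault(crash_bucket(exc), data)
    return covered, buckets


if __name__ == "__main__":
    covered, buckets = fuzz(parse_record, [b"user=alice;len=3;"])
    print("lines of parse_record executed:", sorted(covered))
    for key, sample in buckets.items():
        print(f"{key}: first triggered by {sample!r}")
```

Running it prints the lines of parse_record that were reached and one representative input per crash bucket. Each bucket maps to one unchecked assumption in the parser, which is what lets a triage team fix a root cause once instead of examining every crashing input; the out-of-bounds index on the fixed-size buffer is the Python-level analogue of the memory-safety bugs fuzzers are best known for finding in native code.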

The future of fuzz testing

As artificial intelligence (AI) and machine learning (ML) continue to evolve, their impact will eventually be felt in fuzz testing. The future will see more fuzzers integrate AI and ML in a bid to make the tools simpler to use and more intelligent. While this is generally a good idea, there are concerns that hackers will also find it easier to use these tools in discovering security weaknesses on a large scale. In addition, businesses will require faster and deeper tools that perform exhaustive tests in the shortest time frames.

Closing thoughts on Fuzzing

The cybersecurity landscape is rapidly evolving and for businesses to stay ahead, proven solutions like fuzz testing have become a necessity. The financial and reputational costs of zero-day vulnerabilities can be devastating. CISOs must take proactive steps to discover these vulnerabilities ahead of hackers if their organizations are to survive these rapidly evolving times. And fuzz testing is one of the tools to make sure that happens.

Looking for fuzzing or other application security testing methods? Contact us to schedule a free demo of our application security testing and vulnerability assessment solutions.

BeSECURE Provides a Quick and Easy Way to Assess Your Risk of a CCPA Violation


The California Consumer Privacy Act (CCPA) is as much about process administration as it is about data security. Systems must be compliant, for both data security and administration, and offer a reasonable verification method such as audit trails.

Often described as a mini-GDPR, CCPA is the State of California’s effort to tighten laws around information sharing and the privacy of personal data. And just like GDPR, violating CCPA can cost you in fines and legal fees. Now, there’s an easy way to avoid that.

Our vulnerability assessment and management platform, BeSECURE, now includes a CCPA report specific to CCPA standards. If you’re a CIO, CISO or compliance auditor, you can use this detailed vulnerability report to identify risks and quickly understand which specific remediation steps you need to take to address them.

What is CCPA?

CCPA was signed into law on June 28, 2018, came into effect at the start of 2020 – and last month, the Office of the California Attorney General submitted the final text for the proposed CCPA regulations.

It broadly applies to companies with revenue of over USD 25m and to some smaller businesses too.

Similar to GDPR, any company affected by the law must declare what information it collects, what it does with it and whether it is sent to third parties. Furthermore, companies must comply if a customer formally requests that their data be deleted, and must allow customers to opt out of the resale of their data.

While it is a law of California, CCPA affects companies across the U.S. and the globe because CCPA covers all California residents. In other words, if your business deals with the personal details of anyone who lives in California, you’re affected by CCPA – no matter where your business is registered or located.

California authorities have the power to fine companies that violate CCPA laws. These fines are nothing to sniff at: GDPR has proven to have teeth, with British Airways subject to a massive USD 240m fine in 2018, while Marriott was fined USD 130m under GDPR. Simply put, companies can’t afford to ignore CCPA.

CCPA impacts your cybersecurity responsibilities

The main tenets of CCPA appear to center around data collection and data sharing, but the practical implications are more complex. In fact, it is an extensive law, and the one clause companies should be most concerned about is this one:

Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

Unfortunately for businesses, the phrase “reasonable security practices” is very open-ended.

One point that is not up for debate is that a security-related data breach may fall under the CCPA remit. With 48% of data breaches the result of a malicious or criminal attack, there is without a doubt a link between potentially expensive CCPA fines and a security vulnerability.

Providing a detailed situational awareness of system vulnerabilities like that available from the BeSECURE report, and acting on that information to mitigate the risks, would certainly be considered a reasonable security practice.

What does the CCPA mandate?

A mandate for security best practice is arguably the only clear conclusion one can draw from the CCPA law. Consequently, it can be argued that any company that does not make use of cybersecurity best practices will risk falling foul of CCPA.

CCPA does not explicitly require companies to use security techniques and assessments such as fuzzing, website vulnerability scanning and network vulnerability assessment. Instead, by implication, companies who ignore essential security techniques and assessments such as these will be at risk of a data breach and, as a result, a heavy fine – never mind the costs of clearing up after the breach.

Outlining a comprehensive approach to cybersecurity is beyond the scope of this article, but we can propose that, in order to minimise exposure to CCPA-related fines, companies should consider these five steps:

  • Catalogue data held and processed. Companies can only effectively secure customer data if they know what data is held, at what risk it is and how it is processed. The nature of data matters too – a database of pet names is a far lower risk than intimate healthcare records.
  • Get certified or employ a partner. Whether it is an ISO standard or PCI DSS, make sure your company complies with a security standard that is widely recognised, or get a security partner to get you up to speed.
  • Put in place good practice. From vulnerability assessment and penetration testing through to multi-factor authentication and comprehensive encryption, ensure your company applies cybersecurity good practice.
  • Monitor and react. The severity of fines is often related to the severity of the breach, and the response to a breach. Companies that catch intrusions quickly and mitigate damage while notifying immediately are less likely to be fined heavily. A basic process for security helps too.
  • Map out third-party sharing. You’re only as safe as your most vulnerable technology partner, so make sure you know who you are sharing customer data with. In fact, this aspect alone warrants a regular, thorough audit.

Conclusion

If you want to avoid the wrath of CCPA violations, at the very least you must be able to demonstrate you’ve done due diligence to understand your organization’s security posture, your vulnerabilities and what you’ve done to address them. 

Reach out to Beyond Security to learn more about how BeSECURE can help you reduce your risk of a CCPA violation.


Ping Identity PingID SSH before 4.0.14 Out-of-bounds Write Vulnerability

Details

Ping Identity PingID SSH before 4.0.14 contains a heap buffer overflow in PingID-enrolled servers. This condition can be potentially exploited into a Remote Code Execution vector on the authenticating endpoint.

Vulnerable Systems:

Ping Identity PingID SSH before 4.0.14

CVE Information:

CVE-2020-10654

Disclosure Timeline:
Published Date: 5/13/2020


OpenShift Container Platform Cleartext Storage of Sensitive Information Vulnerability


Published on June 29th, 2020

Summary

A flaw was found in OpenShift Container Platform where OAuth tokens are not encrypted when the encryption of data at rest is enabled.

Credit:

The information has been provided by Stefan Schimanski.

The original article can be found at: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10706

Details

This flaw allows an attacker with access to a backup to obtain OAuth tokens and then use them to log into the cluster as any user who logged into the cluster via the WebUI or via the command line in the last 24 hours. Once the backup is older than 24 hours the OAuth tokens are no longer valid.

Vulnerable Systems:

OpenShift Container Platform

CVE Information:

CVE-2020-10706

Disclosure Timeline:
Published Date: 5/12/2020


How to Use SAST and DAST to Meet ISA/IEC 62443 Compliance


In a recent cyber-attack, a metallurgy company became infected with ransomware. The firm shut down for a week to deal with the infection; the final costs for the system backup and production downtime came to over 50 million euros ($54 million). 

This follows a Kaspersky report, “The State of Industrial Cybersecurity” that shows 70% of companies expect an attack on their Operational Technology/ Industrial Control Systems (OT/ICS) infrastructure.

The connectivity required for Industry 4.0 has meant that the once tightly controlled, closed perimeter of manufacturing is now hyper-connected. The Industrial IoT (IIoT), the convergence of OT and IT, connected Industrial Control Systems (ICS), etc., mean that the cyber-attack surface has opened up to increasing cyber-threats.

To reflect increasingly sophisticated cyber-threats in the sector, regulations controlling the manufacturing industry offer a framework for cybersecurity controls and measures. The main regulation covering the sector is ISA/IEC 62443 compliance regulation. This sets out a series of standards that provide advisories and procedures that help manufacturing companies prevent cyber-attacks. 


ISA, IEC, and the ISA / IEC 62443 compliance regulation

The International Society of Automation (ISA) 99 Committee, a global team of industrial cybersecurity experts, is behind ISA/IEC 62443. The scope developed for the regulation covers many situations including:

  • hardware and software systems such as DCS, PLC, SCADA, networked electronic sensing, and monitoring and diagnostic systems
  • associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes.

The work carried out by the ISA99 Committee on ISA/IEC 62443 compliance regulation has been adopted by the International Electrotechnical Commission (IEC) giving the standard global reach.

ISA/IEC 62443 compliance regulation is a series of standards that focus on security for industrial automation and control systems. The different parts of the series work together to create a holistic framework used to mitigate security vulnerabilities in Industrial Automation and Control Systems (IACS).

ISA/IEC 62443 has five security levels (SLs):

  • SL 0 – no security
  • SL 1 – protects against casual or accidental security violations
  • SL 2 – protects against simple, intentional attacks
  • SL 3 – protects against more sophisticated attacks with moderate resources and knowledge
  • SL 4 – protects against highly sophisticated attacks, e.g., nation-state attacks

The levels set out the types of security measures needed to meet those requirements. For example:

  • Levels 3 or 4 require hardware, e.g., certified hardware security chips
  • Security levels 1-4 all require user authentication. 
  • Security levels 2-4 require device authentication (in addition to the hardware requirements at levels 3 and 4)

ISA/IEC 62443 part 4-1

ISA/IEC 62443 Part 4-1 “Product Security Development Life-Cycle Requirements”, was published on March 28, 2018, and is part of the standard series. ISA/IEC 62443 Part 4-1 focuses on requirements for achieving a secure product development lifecycle (SDL). Specifically, it sets out the process requirements for the secure development of products used in industrial automation and control systems. The SDL security requirements, which apply to the developer and maintainer of the product, include details on:

  • definition
  • secure design
  • secure implementation (including coding guidelines)
  • verification and validation
  • defect management
  • patch management
  • product end-of-life

The various requirements apply to both new and existing processes within a given product development lifecycle and apply to software, firmware, and hardware.

Where does security testing fit with ISA / IEC 62443

A Deloitte survey of advanced manufacturing companies found that less than half of manufacturing industry executives felt their facility was protected. One of the top concerns was the increasing sophistication of cyberthreats against connected Industrial Control Systems (ICS). This issue was exacerbated by the fact that only half of those surveyed carried out regular ICS vulnerability testing.

The publication of ISA/IEC 62443 Part 4-1 covers the development lifecycle of products. By referring to the standard, manufacturing companies can design security into their development processes, helping to prevent flaws from propagating downstream to systems and processes.

ISA/IEC 62443 Part 4-1 includes the following in the requirements:

  • Static code analysis (tools to check and debug source code)
  • Software composition analysis (tools that generate an inventory of open source code components) 
  • Malformed input testing (e.g., fuzz testing)

Tools for testing 

Vulnerability testing is included in “Practice 5 – Security verification and validation testing” of the standard. Vulnerability testing is a process that uses a number of tools and procedures to locate flaws in a system, service, product, component or similar. The process is multi-part and includes the use of automation tools to locate vulnerabilities.

The types of tools that can be used to perform vulnerability testing include:

Static code analyzers: Source code is run through a code analysis engine to look for weaknesses and vulnerabilities. 

Fuzzing and blackbox fuzzing: These tools cover the requirement for malformed input testing. Fuzz testing is a type of automated testing that feeds ‘fuzz’, i.e., random or invalid data, to a given system to provoke unusual behavior, system crashes, etc. Any API-driven system can use multi-protocol fuzz testing, as this works systematically across the entire API surface.

Static Application Security Testing (SAST): Used during development and can be part of ongoing code analysis. SAST is part of a developer’s toolkit to spot issues before integration into a wider component ecosystem. 

Dynamic Application Security Testing (DAST): Used to look for vulnerabilities in areas such as exposed APIs or open network services. 

Attack Surface Analysis: Looks at the entire system, including software, physical, and network vulnerabilities. Utilizes multiple tools and processes.
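To show what “source code is run through a code analysis engine to look for weaknesses” means in practice, here is a minimal static analyzer built on Python’s ast module. It is an added example written for this article, not code from the original post or from any SAST product; SAMPLE_SOURCE is constructed input, and the four rules (dangerous interpreter and deserialization calls, shell=True on subprocess calls, and string literals assigned to credential-like names) are a small illustration of the pattern matching a real engine performs across many more rules.

```python
"""Minimal static code analyzer built on Python's ast module.

Added example, not code from the original article. SAMPLE_SOURCE is a
constructed input; the rule set is illustrative, not a complete SAST engine.
"""
import ast

SAMPLE_SOURCE = '''\
import os, pickle, subprocess

DB_PASSWORD = "hunter2"

def run(cmd):
    subprocess.call(cmd, shell=True)

def load(blob):
    return pickle.loads(blob)

def calc(expr):
    return eval(expr)

def safe(items):
    return sorted(items)
'''

# Calls that hand their argument to an interpreter or deserializer.
DANGEROUS_CALLS = {
    "eval": "CWE-95: eval() executes arbitrary code from its argument",
    "exec": "CWE-95: exec() executes arbitrary code from its argument",
    "os.system": "CWE-78: command string passed to a shell",
    "pickle.loads": "CWE-502: deserialization of untrusted data",
}
# subprocess entry points that are only dangerous when shell=True is set.
SHELL_CALLS = {"subprocess.call", "subprocess.run", "subprocess.Popen",
               "subprocess.check_output", "subprocess.check_call"}
SECRET_HINTS = ("password", "passwd", "secret", "token", "api_key")


def call_name(node: ast.Call) -> str:
    """Dotted name being called, e.g. 'subprocess.call'; '' if it is dynamic."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if not isinstance(func, ast.Name):
        return ""
    parts.append(func.id)
    return ".".join(reversed(parts))


def has_shell_true(node: ast.Call) -> bool:
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords)


def is_string_literal(node) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def analyze(source: str):
    """Walk the syntax tree and return sorted (line, identifier, message) findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = call_name(node)
            if name in DANGEROUS_CALLS:
                findings.append((node.lineno, name, DANGEROUS_CALLS[name]))
            elif name in SHELL_CALLS and has_shell_true(node):
                findings.append((node.lineno, name,
                                 "CWE-78: shell=True enables command injection"))
        elif isinstance(node, ast.Assign) and is_string_literal(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(h in target.id.lower() for h in SECRET_HINTS):
                    findings.append((target.lineno, target.id, "CWE-798: hard-coded credential"))
    return sorted(findings)


if __name__ == "__main__":
    for line, ident, message in analyze(SAMPLE_SOURCE):
        print(f"line {line}: {ident}: {message}")
```

Because the analysis works on the syntax tree rather than on text, it reports the call on line 6 only because shell=True is literally present, and stays silent on the harmless sorted() call; that precision, and the line-level location of each finding, is what lets SAST run in a developer’s toolkit before code is integrated into a wider component ecosystem.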

Conclusion

ISA/IEC 62443 has been designed to offer a framework to protect Industrial Control Systems (ICS), Programmable Logic Controllers (PLC), and SCADA, as well as general OT/IT systems from cyber-attacks. The use of appropriate testing tools within the context of the guidance offered by ISA/IEC 62443 Part 4-1 can ensure that during the development of industrial systems, vulnerabilities are spotted early. As manufacturing industries embrace the Industrial IoT (IIoT) they come under increasing pressure from cyber-attacks; applying ISA/IEC 62443 standards, developed by industry experts, is vital in protecting our manufacturing systems and infrastructures.

Need to get ISA/IEC 62443 compliant? Contact us to schedule a free demo of our network and application vulnerability assessment products.