Better Enterprise Security Through Forced Quarantine


This article was originally published on TechAeris on May 08, 2020.

What do you do if a small infected minority threatens to infect the rest? By now there is probably no one on the planet who does not know the answer: you place the infected in quarantine, separating them from the healthy. Throughout the world we are distancing ourselves from the threat of infection and hoping for the best possible outcome from the great pandemic. Quarantine is not unique to mankind; it is also a vital security practice in our technological world.

In the enterprise security world we face a similar problem. Most of the machines on the enterprise network are healthy and safe, but some are weak, and if as little as a single machine gets infected it can affect the entire network. We used to post guards, in the form of firewalls, between the secure enterprise machines and the insecure devices. But as people work from home or bring their own devices to work, the chance that a single machine compromises the entire enterprise network rises significantly. Most of the security concepts we grapple with today date back to the 70s: passwords and access control; malicious code; software bugs leading to privilege escalation. These seemingly remain the chessboard on which the permanent arms race between the “white hats” and the “black hats” is played.

The solution, as mentioned, is isolation, or in today’s terminology, forced quarantine. Fortunately we do not need to reinvent the wheel. The technology already exists, although it may need minor repurposing, and most enterprises will not need to buy new products; they just need to ask their current vendors to work together and integrate. Testing tools already exist in the form of Vulnerability Assessment and Management. Isolation tools also exist and are widely deployed: Network Access Control devices.

The process works as follows: as soon as a problematic device is identified, the Network Access Control product cuts that device off the network and places it in quarantine (in practice a restricted remediation VLAN from which the device can reach only patch and management servers, so that the quarantine itself does not become an outage). The key, as we know from the physical world, is testing, and we already have that: Vulnerability Assessment products detect weak, unpatched or misconfigured devices on the network, and some can also spot the symptoms of an infected one. The missing piece is the integration between the two technologies, which often exists but is overlooked; many Vulnerability Assessment tools and Network Access Control products are happy to work together. That gives the outcome we were looking for: identify weak or infected devices using Vulnerability Assessment, and through the integration with the Network Access Control product get prompt detection and automatic quarantine.

The IT security world has borrowed concepts and ideas from the physical world since the days of the first computer virus through to today’s ransomware. Let us learn from the common-sense defense mechanisms of the real world: we cannot teach computers to socially distance, but we can teach them to test, detect and automatically quarantine. Having Vulnerability Assessment vendors collaborate with Network Access Control products is a must for testing and forced quarantine in the enterprise environment, and all of it can be done automatically, promptly and with little or no additional spending, using technologies already prevalent in the enterprise.

Information Security Goes Non-Binary


This article was originally published on HelpNetSecurity on April 16, 2020.

Finding security holes in information systems is as old as the first commercially available computer. Back when a “computer” was something that sat in a computer room, users would try to bypass restrictions, sometimes simply by trying to guess the administrator’s password.

Later, when Bulletin Board Systems (the primitive precursor of the Internet) became popular, BBS users searched for ways to gain further access in order to view private files and invented the first phishing attacks, a method familiar to many 21st century computer users as the one used to hack into the DNC’s computers just before the 2016 elections.

The origin of the network virus

Back in 1988, when the entire “Internet” was merely 60,000 computers, the first network virus, the Morris worm, was unleashed. Of course, computer viruses themselves date back to the early days of the personal computer: the first IBM PC virus, Brain, was written in 1986 by an IT shop in Pakistan that wanted to earn money fixing computers, which possibly makes the Farooq Alvi brothers the very first black-hat IT security vendor.

Most of the security concepts we grapple with today date back to the 70s: passwords and access control; malicious code; software bugs leading to privilege escalation attacks.

That would make you think that “nothing is new under the sun” when it comes to Internet security. But just the contrary: while the game stayed the same, the rules have changed.

Information security in the 2010s

From the first security bugs until the recent past, security was a game with a clear winner and loser. If the attacker gets in, the bad guy wins, and the good guy loses.

Our job as information security experts and presumed good guys was to find those security vulnerabilities and help fix them. The premise was that security could be achieved, i.e., that there was a process you could follow to be reasonably secure and safe from most attackers. This also meant that a successful attack was a failure, and a catastrophic one.

But the 2010s changed all that: security breaches are still a failure, but no longer catastrophic. A security breach is now one of those bad things that happen in corporate life that you try to prevent but also accept as a possibility. In other words: information security is a part of a mature corporate life.

Hacking contests and The Matrix

It wasn’t always so. Back in the 1980s, I had a notebook where I wrote the details of all the viruses in existence (yes) with instructions on how to remove them. It wasn’t a thick notebook.

Around that same time, John McAfee, who later founded the company that still bears his name, would drive around in a van and manually scan computers for viruses (I guess he must have had a notebook similar to mine).

In those days, a computer was either infected by a virus or it wasn’t; if it was, there were a series of steps you could take to make the computer clean again. Like every other aspect of computing, security was a binary state.

We had a similar view with access control (some passwords were safe, some weren’t), encryption, network services, network protocols and more. Some things were “safe” and some were not. Either one or zero.

When viruses gave way to security vulnerabilities as the main worry for IT staff, we started along a similar route – a set of predefined tests that would indicate if a computer was vulnerable.

When vulnerability scanners were first introduced, there were hundreds of security vulnerabilities you needed to check for. It was too many to write in a notebook, but it stood to reason that if you ran a vulnerability scanner and did not find any security vulnerabilities, you were safe.

As recently as the early 2000s, my company ran public “hacking contests” that were a sucker’s bet: we challenged attackers to try to break into a public system on the Internet that had been checked for security vulnerabilities and found clean.

We knew that unless they had access to NSA-level tools, a potential attacker wouldn’t be able to break in. Life was still pretty binary and we didn’t expect it to change. The Matrix sequel movie showed Trinity, the brilliant hacker from the future, attacking the villains back in 2003 using a security hole that was known and easily fixable; we all chuckled at how hapless the futuristic Matrix villains were for falling in this easily avoidable trap.

A game we can win

The 2010s came and changed the way we security professionals see the world. First, the speed at which security holes were discovered increased rapidly: while some 1,000 security holes were discovered and made public in the year 2000, in 2018 that number was over 16,000 (more than 40 new security holes per day).

Our definition of “computer” also changed: phones, smart TVs, thermostats, light bulbs and cars are all computers with potential security vulnerabilities. The explosion happened on both axes: the number of vulnerabilities multiplied by the number of computer assets means that an average organization no longer hopes to fix all security holes but merely to manage them. In other words: the best we can do is limit our exposure.

This may sound like we’ve hit the tipping point: did we lose the arms race to the black hats? If every organization has a security hole, we are all vulnerable, all the time. Why even play the game if you’re destined to lose? Some self-proclaimed high priests of information security, usually remnants of the 20th century or echoing its old wisdom, will tell you “no system is secure”. But that’s only true if your world is binary, and ours isn’t.

In fact, for the exact reason that a security breach is now a real possibility, it is also no longer the apocalyptic scenario it was back in the early 2000s. The development of information security testing and protection systems also helps us cope with breaches: multiple layers of security and the ability to alert, log and block attacks mean that both sides carry costs, for attacking and for defending. Instead of a chess game with a winning and a losing side, this is more like a perpetual tug-of-war where, as long as constant effort is applied by both sides, it is quite possible that no one will score a definite win.

And that’s a good thing.

The high priests of security

Good and bad as definite concepts belong in the religious realm. Back in the old days security advocates were, in many ways, priests of an evangelistic religion.

We spent our days trying to convince agnostic managers to believe in something they couldn’t always see: the need for security in computing systems. There were many apocalyptic prophecies about what the non-believers would suffer if the proper rituals weren’t followed; many of us believed that computer breaches happened to those who “deserved” to be punished. Those non-believers were not committed enough, or they didn’t follow the recipe for salvation.

But that was then. In this day and age no half-competent manager really believes information security is not important – our evangelism is no longer necessary. Information security is now in the corporate mainstream.

In the corporate mainstream, risk is ever-present. It was famously said that “The Limited Liability Company is the most important invention since the wheel” – and this is because companies take risks all the time.

Apple is worth over a trillion dollars but can go bankrupt tomorrow at a non-zero probability; all Apple can do is limit their corporate risk and keep doing business.

Finally, decades after the first computer virus, information security reached a similar maturity: we can no longer guarantee a zero-risk, but we don’t have to.

Information security is no longer an external component that is measured by its budget or headcount. It is finally a component in the entire corporate governance structure like finance, legal and HR.

In the age of technology and data, information security is certainly a critical component, but still just a component. Managers should pay attention and mindshare to securing their infrastructure and data, but knowing that not every mistake warrants capital punishment, we moved away from the binary “safe or unsafe” to a more nuanced model of risk management and reduction. In that, we are less the religious priests and more corporate professionals, and just in time for the new roaring 20s.

Data Privacy in the Age of Regulations


This past year was a big year for data breaches, new privacy laws and crackdowns under existing regulations. British Airways faces a £183m fine after hackers stole credit card details from nearly 400,000 customers. Many other big names were hit too: Facebook, Equifax, Twitter, Marriott, Google. They’ve all been hacked.

The reason? Sometimes it was due to outdated security systems and other times it was the funny idea that big corporations can only fall victim to attacks from Mission Impossible-type massive spy operations.

Let me tell you something: ALL companies are susceptible to attacks, and the attacks don’t have to be very sophisticated in order to work. With the tools now freely available, attackers with only basic skills can get past expensive security measures that were never configured or tested properly. So it’s no longer a question of “if I’m attacked” but “when”.

The world is changing, your network is changing and hackers are on a winning streak. But enterprises can limit the effects of these attacks through awareness and preparation.

To provide guidance on what businesses should be doing to protect themselves and their customers from data theft, several compliance mandates have sprung up in recent years. Compliance with these standards includes strict cybersecurity measures, software and sometimes hardware requirements, together with regular vulnerability testing, storage policies, access management, data breach notification, installation of security patches and more.

It would be impossible to cover all privacy regulations here, but I’d like to point out some of the important ones below. These include PCI DSS, GDPR, CCPA, HIPAA, ECPA, CDSA and NERC CIP. This may sound a bit like alphabet soup, but if you manage an enterprise or you are responsible for its IT security, at least one of these regulations probably applies to you.

PCI DSS

Since Beyond Security was one of the first to achieve an Approved Scanning Vendor (ASV) status for the PCI DSS, let’s start with that.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements created by the major credit card companies to protect both consumers and businesses from credit card fraud. 

The PCI DSS has no legal authority of its own, but if your business wants to process credit card transactions you must abide by it. If you don’t, you could be fined by the card brands or lose your right to accept credit cards.

The 12 requirements can be boiled down to six goals:

  • Building and maintaining a secure network
  • Protecting cardholder data
  • Maintaining a vulnerability management program
  • Implementing strong access control measures
  • Regularly monitoring and testing networks
  • Maintaining an information security policy

GDPR

The General Data Protection Regulation (GDPR), an especially hot topic these days, was adopted in 2016 and has been enforceable since May 2018, reforming data protection for European consumers.

GDPR compliance includes:

  • Appointing a Data Protection Officer (DPO), where the regulation requires one
  • Training staff on GDPR compliance
  • Informing your customers how you intend to store, process and share data
  • Conducting a Data Protection Impact Assessment (DPIA)
  • Notifying authorities within 72 hours of a breach

Much like PCI DSS, non-compliance with the GDPR can mean a large financial hit: infringements can result in fines of up to €20m or 4% of the firm’s worldwide annual turnover, whichever is higher.

CCPA

Signed into law in 2018 and in effect from January 1, 2020, the California Consumer Privacy Act (CCPA) is California’s answer to the GDPR. The law, meant to protect consumer data, will likely spread its effect to the rest of the United States because of the impact it has on California’s many nationwide industries.

In order to be CCPA compliant, businesses must:

  • Comply with consumer requests regarding the handling of their personal data
  • Disclose data collection policies
  • Restrict how much personal data can be collected
  • Offer the same level of service to customers who exercise their right to privacy
  • Ensure third-party data sharing meets CCPA compliance

The CCPA is not a set of guidelines; it is the law. The California Attorney General can fine you up to $2,500 per violation of the CCPA’s rules, and up to $7,500 per intentional violation.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was created to protect health insurance coverage in the event of a job loss or change as well as health data privacy, integrity and availability.

All businesses that have access to patient information must abide by administrative, physical and technical requirements including:

  • Training staff on HIPAA compliance
  • Choosing a HIPAA compliance officer
  • Assigning unique identifiers for providers, patients and employees
  • Conducting regular vulnerability scans
  • Defining clear processes for handling data breaches

Non-compliance can cost businesses from $100 to $50,000 per violation (or per record), with an annual cap of $1.5 million per violated provision, and imprisonment in severe cases.

ECPA

The Electronic Communications Privacy Act (ECPA) was passed in 1986 in an effort to protect citizens from unnecessary surveillance and data theft by law enforcement and the government. There have been many provisions since, including the Wiretap Act, the Stored Communications Act, the Pen Register Act, the USA Patriot Act and the Email Privacy Act.

The ECPA and its amendments require government authorities to obtain a subpoena, warrant or court order (which one depends on the type of data sought) before a provider must hand over user data; that’s right: companies can and should tell government authorities “no” if they do not follow the proper procedures. This follows the basic American right not to have property seized without a proper warrant. Businesses that do not honor that right are subject to fines up to $500,000, and those held responsible for non-compliance may face lawsuits and imprisonment.

The ECPA protects wire, oral and electronic communications including:

  • Email
  • Telephone conversations
  • Data stored electronically
  • Browsing history
  • Radio transmissions

CDSA

The Content Delivery and Security Association (CDSA) was founded in 1970 as a non-profit to protect entertainment, software and information content. Earlier in the year, the CDSA updated its guidelines to include TV and film cybersecurity.

The CDSA’s Production Security Working Group (PSWG) published 5 documents detailing industry security standards for the TV and film industry.

These guidelines include:

  • Security training
  • Access management
  • Defining assets and the perimeter
  • Data monitoring
  • Cyberdefense
  • Vulnerability assessment

It’s unclear what penalties will be incurred if productions or individuals on these productions are found to be non-compliant, but these standards are a great step in this evolving industry that suddenly found itself dealing with the same types of threats as software companies.

NERC CIP

The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards are a set of mandatory security standards meant to protect the cyber systems that operate the North American bulk electric system from cyber threats.

Compliance with CIP standards includes:

  • Cybersecurity training
  • Asset identification
  • Security management controls
  • Systems security management
  • Vulnerability assessment and management
  • Critical infrastructure penetration testing
  • Malware prevention
  • Incident reporting and recovery

Non-compliance with NERC CIP may include fines, sanctions and penalties.

Summary

Data privacy and protection regulations provide businesses with checklists to manage the risks from both known and unknown vulnerabilities, and a way to make sure they conform with the regulations. The end goal is security improvement and awareness.

Most businesses will be attacked at some point, but if you comply with these data privacy standards and perform regular security testing, you greatly reduce the likelihood and the impact of data loss for your business and your customers. Then, even in the event of an attack, you can show that you did everything you reasonably could, which is what protects your business from fines, legal action and reputational damage.

5 Simple and Effective Tips to Protect from Cyber Attacks for Cyber Security Awareness Month


This article was originally published on EIN Presswire on October 07, 2019.

SACRAMENTO, CALIFORNIA, UNITED STATES, October 7, 2019 /EINPresswire/ — To mark October being Cyber Security Awareness Month, Beyond Security, a leading provider of automated security testing solutions, is providing 5 effective and easy-to-follow tips for protecting against Internet security threats that can cause both financial and emotional damage. While the future remains uncertain when it comes to sophisticated cyber-attacks, it’s important to be prepared and to safeguard vital and confidential data against any kind of security breach.

1. Update Your Software

Security is an arms-race, but thankfully the good guys aren’t resting. Make sure to use an up-to-date and supported operating system, browser and other software. Windows 10 has built-in protective measures that obstruct many forms of ransomware, and all leading browsers are continuously updated to combat the latest threats and attacks. The update is often simple and automated but the responsibility is on the user to make sure the updates are taking place. Don’t wait – check and make sure today that all software you are using is the latest version.

2. Deploy Preventative Tools

Don’t be reactive, be proactive. Deploy preventive tools like vulnerability assessment tools, which identify the large majority of known vulnerabilities that attackers actually exploit. A simple, regular vulnerability assessment of your systems will identify potential weak points and suggest remediation actions, such as patch management, that stop a would-be attacker in their tracks.

3. Test Your Software

Most companies are unable to develop all the software they need in-house and use independent software vendors (ISVs) to build it. The problem is that these applications are not always built with security in mind. Make sure your ISVs follow accepted standards for security testing, including static code analysis (white box testing) and dynamic analysis (black box testing, including fuzzing), which drastically reduce the attack surface of an application. Having the ISV perform these tests during development saves money in the long run compared to fixing a security hole after the software is deployed.

4. Backup Critical Data

Make sure you have redundancy. Backing up your critical data regularly reduces the impact of a successful ransomware attack, provided at least one copy is kept offline or otherwise isolated from the production network so that the ransomware cannot encrypt the backup as well. It goes without saying that backup storage must be coupled with other hardening measures such as encryption and strong authentication, and that restores should be tested before they are needed.

5. Buy Security Insurance

Buy insurance. Even with taking all the above measures, there is a chance that an attacker may get through since full security is never guaranteed. No one can achieve perfect security, and security risk needs to be managed just like every other business risk. There are options to buy cybersecurity insurance policies that will protect you in rare cases that an attack is successful.

CVSS Explained


What Is CVSS?

The Common Vulnerability Scoring System (CVSS) is an open, free industry standard for rating the severity of software security vulnerabilities, and it is used throughout vulnerability management software. CVSS assigns each vulnerability a score according to the seriousness of the threat, computed from several metrics. Scores range from 0 to 10, with 10 being the most severe.

First and CVSS

FIRST.Org, Inc. (FIRST) is a US-based non-profit organization that owns and manages CVSS. Membership of FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization using CVSS give appropriate attribution. FIRST also asks that anyone who publishes scores follow the specification’s guidelines, so that anyone can understand how the score was calculated.

CVE vs CVSS

Common Vulnerability Scoring System (CVSS) is a universal metric that measures the severity of a security vulnerability, which makes it an integral part of vulnerability scanning tools. Common Vulnerabilities and Exposures (CVE) is a catalogue of publicly known vulnerabilities, each with a unique identifier; a CVSS score describes how severe one of those entries is.

What is CVSS Used For?

Organizations used to adopt their own ways of scoring security vulnerabilities. These rarely included details of how each score was measured and weighted, and the lack of a common baseline made one organization’s scores incomparable with another’s.

The US National Infrastructure Advisory Council (NIAC) developed CVSS and its standards for measuring the severity of a vulnerability’s impact in an IT environment; FIRST has been its custodian since 2005. CVSS is an open framework, so organizations have access to the criteria used to create the scores, giving everyone a clear understanding of what a score means. The metrics described below are those of CVSS version 3.

Organizations use this system to gauge the impact of the vulnerabilities they discover. They use the scale to meet security requirements, regulations, standards and compliance obligations, and to rank discovered vulnerabilities so that the most severe are tested and remediated first.

Do All Vulnerabilities have a CVSS?

Any vulnerability can be scored with CVSS; in practice the National Vulnerability Database publishes a base score for nearly every CVE entry, and vendors and scanners publish their own. The scores range from 0.0 to 10.0 and are calculated from a number of grouped metrics.

What Are the Three Metrics Groups of CVSS?

Base metric group

The base metric group captures the intrinsic qualities of a vulnerability that are constant over time and across user environments. It is made up of two sets of metrics, exploitability and impact, plus the Scope metric that links them.

Exploitability metrics

They show how easily a vulnerability can be exploited and are scored against the vulnerable component. They have four components: attack vector, attack complexity, privileges required, and user interaction.

Impact metrics

Impact metrics show the result of a successful exploitation and are scored against the impacted component, which is the vulnerable component itself unless Scope is Changed.

Temporal metric group

The temporal metric group captures the characteristics of a vulnerability that change over time but not across user environments, such as the availability of exploit code and of fixes.

Environmental metric group

The environmental metric group captures the characteristics of a vulnerability that are specific to a particular user’s environment, such as mitigating controls already in place or the importance of the affected asset. Affected users calculate this group themselves.

Below each metric is discussed in detail.

Understanding the CVSS Score:  Base Metrics

Base metrics represent the vulnerability itself. They do not change over time, and they do not depend on whether a working exploit exists or on the security program an organization has implemented. The scores listed in the National Vulnerability Database are base scores only.

The base score provides an easy starting point for patching and remediation, but it is also limited, because it doesn’t account for real-world exploitation, patch availability, or mitigating organizational controls in place.

What are CVSS Metrics Based Off Of?

Exploitability – Exploitability metrics are based on the characteristics of the vulnerable component, with four sub-sections: attack vector, attack complexity, privileges required, and user interaction.

Attack Vector – this metric is based on the level of access required to exploit a vulnerability.  A higher score represents an exploit that can be executed remotely from outside the organization, whereas a lower score means the attacker must be physically present at the device.

Attack Complexity – this metric is based on conditions outside the attacker’s control that must hold for the attack to succeed, such as first stealing a key or obtaining a man-in-the-middle position.  Low complexity (no such conditions) gives the higher score; the extra effort the attacker needs beyond the attack itself lowers it.

Privileges Required – this metric is based on the privileges the attacker must already hold to exploit the vulnerability.  None gives the highest score, ordinary user privileges give a lower score, and a vulnerability that requires administrative privileges scores lowest.

User Interaction – this metric is based on whether the attacker needs to recruit a willing or unknowing person in order to complete the attack.  A higher score represents no additional participation needed.

Scope – this metric records whether a successful exploit affects only the vulnerable component (Unchanged) or crosses a security boundary to affect resources governed by a different security authority (Changed), for example a guest-to-host escape in a hypervisor, or cross-site scripting that executes in the victim’s browser rather than on the vulnerable web server.  A Changed scope gives the higher score.

Impact – Impact metrics are based on the actual outcome of a successful attack.  There are three sub-sections that weigh into this metric: confidentiality, integrity, and availability.

Confidentiality – this metric is based on the amount of data the attacker gains access to.  The highest score means all data, or the most critical data, can be read; the lowest means no data can be reached.

Integrity – this metric is based on the ability of the attacker to alter data on the exploited system.  The score is high if the attacker can completely or severely modify the data.

Availability – this metric is based on the loss of availability of the impacted component once it’s exploited.  A higher score means the component will no longer be accessible to authorized users because of the attack.

1. Exploitability metric

1.1 Attack vector (AV) – shows the context in which the vulnerability can be exploited; the more remote the attacker can be, the higher the score.

  • Network (N): exploitable at the network (OSI layer 3) level, one or more hops away from the target; such vulnerabilities are called “remotely exploitable”.
  • Adjacent (A): exploitable only from the same shared physical or logical network, e.g. Bluetooth, Wi-Fi or the local IP subnet.
  • Local (L): not exploitable via the network stack; the attacker needs local access (keyboard, console or a remote session such as SSH) or relies on the user to open a malicious file.
  • Physical (P): the vulnerable component must be physically touched or manipulated by the attacker.

1.2 Attack complexity (AC) – this metric describes the conditions outside the attacker’s control that must exist in order to exploit the vulnerability.

  • Low (L): no specialized access conditions or extenuating circumstances exist; the attacker can expect repeatable success against the vulnerable component.
  • High (H): success depends on conditions beyond the attacker’s control, so a measurable amount of preparation or effort is needed, for example winning a race condition or first obtaining a man-in-the-middle position.

1.3 Privileges required (PR) – shows the level of privileges the attacker must already hold to exploit the vulnerability successfully.

  • None (N): the attacker is unauthorized before the attack and needs no access to settings or files.
  • Low (L): the attacker needs basic user privileges, which would normally affect only the settings and files owned by a user.
  • High (H): the attacker needs significant (e.g. administrative) privileges that give control over component-wide settings and files.

1.4 User interaction (UI) – a user-oriented metric. It captures whether a separate user must participate, or whether the attacker can exploit the vulnerability alone.

  • None (N): the vulnerability can be exploited without any interaction from any user.
  • Required (R): a user other than the attacker must take some action, such as opening a file or clicking a link, before the vulnerability can be exploited.

1.5 Scope (S) – scope refers to the collection of privileges defined by a computing authority (for example an application, an operating system or a sandbox) when it grants access to computing resources. These privileges are assigned based on some method of identification and authorization.

  • Unchanged (U): the impacted component and the vulnerable component are the same, so the affected resources are controlled by the same security authority.
  • Changed (C): the impacted component and the vulnerable component are different, so the affected resources are not controlled by the same security authority.

2. Impact Metrics

2.1 Confidentiality impact (C) – measures the impact on the confidentiality of the information managed by the impacted component. Confidentiality means limiting access to information to authorized users and preventing its disclosure to unauthorized ones.

  • High (H): total loss of confidentiality; all resources within the impacted component are disclosed to the attacker, or the disclosed information (for example an administrator password or a private key) has a direct, serious impact.
  • Low (L): some loss of confidentiality; some restricted information is obtained, but the attacker does not control what is obtained, or the amount is limited.
  • None (N): no loss of confidentiality.

2.2 Integrity Impact (I) – Integrity refers to the trustworthiness and veracity of information. This metric measures the impact on integrity of a successfully exploited vulnerability.

Integrity Impact
High (H): Total loss of integrity, or a complete loss of protection; the attacker can modify any or all files protected by the impacted component.
Low (L): Modification of data is possible, but the attacker does not control the consequence of the modification, or the amount of modification is limited.
None (N): No loss of integrity within the impacted component.

2.3 Availability Impact (A) – Availability refers to the accessibility of information resources. This metric measures the impact on the availability of the impacted component itself (the network service, processor cycles or disk space it provides), as opposed to the data it holds.

Availability Impact
High (H): Total loss of availability; the attacker can fully deny access to resources in the impacted component, either sustained or repeatedly.
Low (L): Reduced performance or interruptions in resource availability; resources are partially available all of the time, or fully available only some of the time, but the attacker cannot completely deny service.
None (N): No impact on availability within the impacted component.

Temporal Metrics

1. Exploit Code Maturity (E) – This metric measures the likelihood of the vulnerability being attacked, based on the current state of exploit techniques. Exploit code that is publicly available and easy to use gives a potential attacker an advantage.

Exploit Code Maturity
Not Defined (X): Assigning this value does not influence the score.
High (H): Functional autonomous code exists, or no exploit is required and details are widely available; the exploit works in every situation or is actively being delivered by an autonomous agent such as a worm.
Functional (F): Functional exploit code is available and works in most situations where the vulnerability exists.
Proof-of-Concept (P): Proof-of-concept code is available, or an attack demonstration is not practical for most systems; the code is not functional in all situations and may require substantial modification by a skilled attacker.
Unproven (U): No exploit code is available, or the exploit is theoretical.

2. Remediation Level (RL) – The remediation level of a vulnerability is an important factor for prioritization. The typical vulnerability is unpatched when initially published; workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued.

Remediation Level
Not Defined (X): Assigning this value does not influence the score.
Unavailable (U): There is no solution available, or it is impossible to apply.
Workaround (W): An unofficial, non-vendor solution is available, such as a user-created patch or a mitigating configuration change.
Temporary Fix (T): An official but temporary fix is available, such as a vendor hotfix or tool.
Official Fix (O): A complete vendor solution is available, either an official patch or an upgrade.

3. Report Confidence (RC) – This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes only the existence of a vulnerability is publicized, without specific details.

Report Confidence
Not Defined (X): Assigning this value does not influence the score.
Confirmed (C): Detailed reports exist or functional reproduction is possible; source code is available to independently verify the research, or the vendor has confirmed the vulnerability.
Reasonable (R): Significant details are published, but researchers do not have full confidence in the root cause or access to source code to independently verify the research.
Unknown (U): Reports indicate that a vulnerability is present, but the cause is unknown or the reports disagree; there is little confidence in the validity of the available reports.

Environmental metrics

1. Security Requirements (CR, IR, AR) – These metrics let the analyst customize the CVSS score according to the importance of the affected IT asset to the user's organization, measured in terms of Confidentiality, Integrity and Availability. They are characterized as follows:

  • Confidentiality (CR)
  • Integrity (IR)
  • Availability (AR)

Security Requirements
Not Defined (X): Assigning this value does not influence the score.
High (H): Loss of confidentiality, integrity or availability is likely to have a catastrophic adverse effect on the organization or its associates.
Medium (M): Loss of confidentiality, integrity or availability is likely to have a serious adverse effect on the organization or its associates.
Low (L): Loss of confidentiality, integrity or availability is likely to have only a limited adverse effect on the organization or its associates.

2. Modified Base Metrics – These metrics let the analyst override individual Base metrics to reflect mitigations or configurations present in the analyst's own environment, for example a compensating control that changes the effective Attack Vector or Privileges Required.

Modified Base Metrics
Each modified metric takes the same values as the corresponding Base metric above, plus Not Defined (X), which is the default and leaves the Base value in effect:

  • Modified Attack Vector (MAV)
  • Modified Attack Complexity (MAC)
  • Modified Privileges Required (MPR)
  • Modified User Interaction (MUI)
  • Modified Scope (MS)
  • Modified Confidentiality (MC)
  • Modified Integrity (MI)
  • Modified Availability (MA)

Company Profile

Fortra’s Beyond Security’s testing solutions accurately assess and manage security weaknesses in networks, applications, industrial systems and networked software. We help businesses and governments simplify the management of their network and application security, thus reducing their vulnerability to attack and data loss. We specialize in DAST; our product, beSTORM, will help you secure your network and applications, comply with your NERC CIP policy requirements and exceed industry and government standards.

CVE Explained

About CVE (Common Vulnerabilities and Exposures)

Common Vulnerabilities and Exposures (CVE) gives common names to publicly known security issues or vulnerabilities. The objective of CVE is to make it simpler to share information across different vulnerability databases and tools, and to provide a common baseline for evaluating security tools.

What is a CVE scan?

CVE depends on publicly available information. Throughout the life of the CVE List, the MITRE Corporation has relied on external information sources to identify vulnerabilities. CVE entries reference vendor patches and fix information, some of which may originate from unverified third parties.

AVDS actively checks for these patches and fixes and notifies the user about the updates. AVDS also tests whether the patches and fixes compromise or harm the user's system in any way. AVDS tests a user's system against every applicable CVE listed in its database (provided by SecuriTeam), which is updated every day. AVDS maintains a consistent standard of accuracy, which helps reduce false positives.

With the help of CVE, AVDS provides vulnerability details, risk level, impact on the system, and solutions. Assigning a CVE number does not guarantee that it will end up as an official CVE entry; there may be duplicate CVE numbers or even false entries, which are later marked as rejected. The AVDS team independently validates each CVE for its unique features and authenticity.

The CVE Identifier process starts with the identification of a potential security vulnerability. The information is then assigned a CVE Identifier by a CVE Numbering Authority (CNA) and published by the CVE Editor (the MITRE Corporation) on the CVE website under the CVE List.

CVE Identifier

MITRE's documentation describes CVE Identifiers as unique, common identifiers for publicly known information security vulnerabilities in publicly released software packages. CVE Identifiers are also referred to as:

  • CVE names
  • CVE numbers
  • CVE-IDs
  • CVEs

Difference between Vulnerabilities and Exposures

Vulnerabilities
  • Allow the attacker to intrude into a system or network by exploiting an error in the software code.
  • Allow the attacker to execute commands with unauthorized permissions.
  • Allow the attacker to obtain restricted information.
  • Allow the attacker to pose as another entity.
  • Allow the attacker to deny a service.

Exposures
  • Provide the attacker with access to data that can be sold or misused.
  • Allow the attacker to carry out data-gathering activities.
  • Allow the attacker to conceal activities.
  • Are used by attackers as a primary entry point to a system and its information.
  • Are considered a problem under a reasonable security policy.

CVE community

Following are the major contributors to the CVE community

  • CVE Board – The CVE Board includes members from cyber security-related organizations worldwide, such as government agencies, research institutions and other security experts. Through open discussion, the Board guides the content of the CVE List.
  • CVE Sponsor – CVE is sponsored by US-CERT at the U.S. Department of Homeland Security. The Sponsors page lists all past sponsors.
  • CVE Numbering Authorities – CNAs assign CVE Identifiers to newly discovered issues without directly involving MITRE in each assignment.
  • CVE-Compatible Products and Services – Organizations worldwide have incorporated CVE Identifiers into their cyber security products and services to make them “CVE-compatible”.

CVE Vulnerability Scanner

Beyond Security’s testing solutions accurately assess and manage security weaknesses in networks, applications, industrial systems and networked software. We help businesses and governments simplify the management of their network and application security, thus reducing their vulnerability to attack and data loss. Our product lines, AVDS (network and SCADA vulnerability management) and beSTORM (software security testing), will help you secure your network and applications, comply with your security policy requirements and exceed industry and government standards.

SQL Injection Scanner Tools

What is SQL Injection?

SQL injection is one of the most common forms of website attack: web forms are everywhere, they are often coded incorrectly, and the tools used to find and exploit such weaknesses are freely available online. The exploit is easy enough that even inexperienced attackers can cause mischief. In the hands of a skilled attacker, however, a web code weakness can lead to root-level access on the web server, and from there to attacks on other networked servers.

What is SQL?

Structured Query Language (SQL) is the nearly universal language of databases, used to store, manipulate and retrieve data. Databases that use SQL include Microsoft SQL Server, MySQL, Oracle, Access and FileMaker Pro, and all of them are subject to SQL injection when the application in front of them builds queries from untrusted input.

Web-based forms must have some access to your database in order to record input and return a response, so this kind of attack passes straight through firewalls and endpoint defenses. Any web form, even a simple login form or search box, can expose your data through SQL injection if it is coded incorrectly.

How SQL Injection Works

Prospects, customers, employees and business partners may all have the right to store or retrieve information from your database, and your site probably allows any visitor to submit and retrieve data. Legitimate access for visitors includes site search, sign-up forms, contact forms and login forms, and all of these provide windows into your database. These points of access may be part of ‘off-the-shelf’ applications or custom applications built just for your site. The forms and their supporting code have likely come from many sources, were acquired at different times and were possibly installed by different people.

SQL injection is the use of these publicly available fields to gain entry to your database. It is done by entering SQL fragments into form fields instead of the expected data. An improperly coded form concatenates that input into the query it sends, so the attacker's text is executed as part of the command. At that point the data in the database may become visible, and access to other databases on the same server, or to other servers on the network, may be possible.

Website features such as contact forms, login pages, support requests, search functions, feedback fields, shopping carts and even the functions that deliver dynamic web page content are all susceptible to SQL injection, because the data entered into those fields is used to build the queries sent to the database. Whenever that input is pasted into the query text rather than passed as a separate parameter, SQL in the input becomes part of the command.

SQL Injection Risk

Because databases drive many website functions, nearly all websites invite input from visitors, and many web forms are vulnerable, SQL injection has for years remained one of the most common website attacks. In addition, because so many criminals use SQL injection, new server, application and code weaknesses are being discovered almost daily.

How Common are SQL Injection Attacks?

Our own records indicate that most (over half) of the websites we have been asked to scan had SQL injection risks rated High or Medium. A High risk is effectively an unlocked, unguarded door. A Medium risk is one that, combined with one or more other factors, could mean trouble. An even larger number of sites had Low risk issues. What you need to know: the percentage of sites with at least one major risk is actually increasing.

Even though SQL injection has been a known issue for years, several factors are causing the rate of risk to increase. First, more companies are offering more website interaction with visitors, and this trend is accelerating. Second, as more attackers gain SQL injection skills, they are discovering more applications and services that are susceptible and developing new attacks on old applications. The result is a rapid increase in the opportunities to use this attack method.

Am I at Risk for an SQL Injection Attack?

Your risk of being successfully attacked through SQL injection depends on these factors: the size of your business; the age and patch status of your applications; and the skill and number of your technical staff. It boils down to whether you are an interesting target and whether your web server, the applications on it and your website code are well designed, well integrated and fully patched.

Your site is in immediate danger if your company stores data of high value, if it operates in a highly contested field of business, or if your site has political or social importance. Naturally, if you have something of monetary value you are a target, but you are also a target if your site is an opinion leader in a contentious environment. We have been asked by bloggers for help because the subject matter they covered had drawn SQL injection attacks.

SQL injection attacks are now solicited online. An upset customer, a competitor or even an ex-spouse can easily hire a ‘script kiddie’, or worse, a talented attacker, to attack a site. The chance of the attacker getting caught is low, and the chance that the upset party can damage your site without being identified as the responsible party is high.

You are at risk of SQL injection if you have any equipment or applications that have not been routinely updated and patched, or if you have code on your site that was not written correctly. The age of the equipment, applications and code is a rough indicator of risk; another is the number of servers, applications and website access points involved. If you use hosted servers or outsourced technical resources, a third-party review of your site security is important. Even in-house staff can be so pressed for time and short on resources that updates and patches get delayed or old legacy code gets reused without proper review.

SQL Injection Example

Every time a website visitor submits a form on your site, a SQL query is typically generated and sent to your database. In the case of a simple login form, the username and password are presented to the database; if they are valid, the database responds and the user is allowed access (or not). So no matter how simple the form or web process, database access is required and a response is expected.

Using SQL injection, an attacker enters specially crafted SQL fragments into a form field instead of the expected information. The first goal is to get a response from the database that reveals its structure, such as table names. The next step is to read data from important tables or to add data to them, such as creating new accounts or user names and passwords. The third step, roughly, is to use database access to discover and change security settings on the server that would give the attacker administrative access.

Applications written in any dynamic scripting language, including ASP, ASP.NET, PHP, JSP and CGI, are vulnerable if they build queries from user input. The only equipment needed is a web browser. Tools widely available online semi-automate the search for weaknesses, and there are many forums in which attackers share exploits and help each other overcome obstacles.

SQL Injection Outcomes

As you can imagine, an attacker gaining administrative access to your server means you have effectively lost all the data on that server to the intruder. Worse, there is now a beachhead behind your firewall from which attacks on other servers and services can be launched. In this way SQL injection can provide access to all company or personal data.

From an attacker's point of view, a part of the hack almost as important as the break-in is staying undetected. Setting off an ‘alarm’ of some sort is the last thing they want. Their infiltration takes time, and the value of stolen data often drops once the theft is discovered (information useful for identity or credit card theft, for example). Thus SQL injection intrusions are often discovered months, and in some cases years, after they began.

Alternatively, if outright damage is the intent, there is no shortage of bad things that can be done to a database once one can run commands against it. An entire table can be permanently deleted with a single SQL command. A more sophisticated attack could involve massive corruption of large databases and even destruction of backup copies.

Defense Against SQL Injection

Because websites require constant access to the database, firewalls provide little or no defense against SQL injection attacks. Your website is public, so the firewall must admit every visitor to the web application, usually over port 80/443, and the application in turn talks to the database; the injected SQL rides inside that legitimate traffic.

Antivirus programs are equally ineffective at blocking SQL injection attacks; they are designed to spot and stop an entirely different kind of incoming data.

The most commonly used defense against SQL injection has two components. First, routine updating and patching of all servers, services and applications, which has many other advantages and is common practice. Second, writing and testing website code so that user input can never be interpreted as SQL: building every query with parameterized statements (prepared statements) rather than string concatenation, validating input, and giving the application's database account only the privileges it needs.

In principle these two defenses are enough to halt any SQL injection attack. So why are website vulnerabilities and risks on the rise, and why are successful attacks occurring more often? The answers are each simple, and combine into a daunting list:
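The login example in the previous section and the "well written code" defense above are easiest to see side by side. The following is an added example (not code from the original page) using Python's built-in sqlite3 module: the concatenated query that lets a visitor's input become SQL, the two payloads the text describes (schema discovery, then authentication bypass), and the parameterized query that neutralizes both. The in-memory database, its two user rows and the payload strings are constructed for the demo; passwords are stored in the clear only to keep the injection visible, which a real application would never do.

```python
"""SQL injection in a login form: the concatenated query beside its parameterized
replacement. Added example, not code from the original page; the in-memory SQLite
database and its rows are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a site's user table (plaintext passwords only
    so the demo stays short; real systems store salted hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse battery staple", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The broken pattern: visitor input is pasted into the SQL text, so a quote in
    the input ends the string literal and everything after it is parsed as SQL."""
    query = ("SELECT username, role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def login_safe(conn, username: str, password: str):
    """The fix: a parameterized query. The SQL text is a constant; the driver binds the
    values separately, so quotes, comments and keywords in the input are only data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


# Payload 1: schema discovery, the first step the text describes. A UNION pulls table
# names and their CREATE statements out of SQLite's catalogue through the login query;
# the trailing "-- " comments out the rest of the original WHERE clause.
SCHEMA_DUMP_USERNAME = "' UNION SELECT name, sql FROM sqlite_master -- "

# Payload 2: authentication bypass. The WHERE clause becomes
#   username = 'alice' AND password = '' OR '1'='1'
# which is true for every row, so the query returns users without a valid password.
BYPASS_PASSWORD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, schema dump:", login_vulnerable(db, SCHEMA_DUMP_USERNAME, "x"))
    print("vulnerable, bypass:     ", login_vulnerable(db, "alice", BYPASS_PASSWORD))
    print("parameterized, bypass:  ", login_safe(db, "alice", BYPASS_PASSWORD))  # no rows
    print("parameterized, real:    ", login_safe(db, "bob", "hunter2"))
```

Run against the same database, the parameterized version returns no rows for either payload because the driver looks for a user literally named `' UNION SELECT ...` or a password literally equal to `' OR '1'='1`. Note that escaping quotes by hand is not an equivalent fix; the parameterized form is what makes the query text independent of the input.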

  • The number of servers, applications and volume of code on web sites is increasing
  • These servers, applications and code languages interact with each other in sometimes unpredictable ways
  • The number and frequency of updates and patches is increasing
  • IT departments are doing more work with fewer staff and some activities such as updates get postponed
  • IT staff turnover and layoffs sometimes leave camouflaged holes in security routines
  • Automatically installing every patch and update that comes along often produces unwanted side effects
  • Legacy code is often re-used when sites are updated, sometimes keeping code written to old standards in use long after it was obsolete
  • The number of people attempting hacks and the number of tools that simplify hacking are both rising rapidly

More and more companies with huge risk factors and large web ‘footprints’ are coming to conclude that patching everything and hiring more staff to watch the work of existing staff is no longer viable.

Web Site SQL Injection Scanner Tool Solution

The new solution to SQL injection attacks (and all other web-based attacks) is to focus limited and valuable IT time on the serious risks that are actually present, rather than take a shotgun approach and apply every possible fix to every server, application and page of code whether it is needed or not. This approach is like having a doctor evaluate a patient and prescribe the ONE medicine needed to produce a cure, rather than having the patient go straight to the pharmacy, buy every possible medicine and take them all at once.

Thus greater security is achieved by using web application testing tools, such as beSECURE, as a SQL injection scanner to examine (scan) a website against a list of thousands of known attacks and then report on the relatively few (usually fewer than a dozen) serious issues.

Website scanning works by spotting and reporting KNOWN risks. Common hacking is a very ‘public’ activity: the tools are widely promoted, techniques are broadly disseminated in public forums, and even new methods become public within hours or days of their first use, thanks to groups who watch for them and warn others.

beSECURE, the automated vulnerability detection system, is a web-based service built on a compilation of all known risks, grouped into families, in a single database that has taken many years to compile and many hours a day to maintain. Using this database, beSECURE can evaluate any website and produce a report of REAL and PRESENT risks rated by relative importance, often within hours and without disturbing ongoing site activity.

Now you can take your valuable IT hours and directly address real risks such as SQL injection, rather than spend hundreds of hours installing patches and updates, most of which you do not need or which handle risks so small as to be negligible.

Microsoft is Right, Mandatory Password Changes are Obsolete


This article was originally published on Help Net Security on August 1, 2019.

Microsoft has recently come out and said that mandatory password changing is ancient and obsolete. This goes directly against everything we were trained to think for the last couple of decades, and against most compliance directives including some of the most dominant security standards. And it is correct.

If anything, Microsoft hasn’t gone far enough: password changing is the visible tip of the iceberg. There are many other major inconveniences for our users that make for bad security policy and should be done away with.

One of the most destructive notions in practical IT security is the supposed axiom that security is the opposite of simplicity. It shows up in the popular “Dilbert” comics, whose depiction of the typical office IT environment includes a recurring character called “Mordac the Preventer of Information Services”, who captures the common belief that the IT security team exists to obstruct, and ideally block, every usable function.

Like many things in life, the relationship between security and usability isn’t straightforward. In the very extremes that axiom seems to hold: if I can block all access to a machine (for example: bury a computer under 30 feet of concrete) that would probably make it as secure as it can ever be, and completely useless at the same time.

The other extreme is mostly correct too: if I give free and unfiltered access to a certain computer, it will be as insecure as can be: any wannabe hacker will be able to access any information on that machine (not to mention anyone passing by the server will be able to physically pick it up and take it) while anyone who wanted to use it for anything proper will have open and unfiltered access to it. Perfect usability with zero security, achieved.

Tempting as it may be to draw a straight line between the “full security, no usability” and “no security, full usability” data points, the middle of that line is grossly wrong. In most cases reducing convenience does not make something more secure, and vice versa. No security feature shows this better than passwords.

Passwords were necessary to control access from the time humans started using non-human devices. Door keys are passwords that control who can access a house. Speakeasies used passwords to allow patrons to visit an illegal bar while blocking uninvited people from nosing around.

While with other humans we have a range of options, machines are not as flexible; it’s unlikely that a liquor store owner will card my grandfather, for example, but it’s near certain that the self-checkout machine will ask him for his ID every single time he buys a six-pack of beer. As we interact more and more with machines, passwords become a way we identify ourselves. In classic security theory we call this granting access based on “something I know”. That something is the secret password.

Playing the password game was reasonably fine while it was humans trying to prevent other humans from breaking into our systems: I choose a secret password and don’t tell you. The only way you can break into my system is to guess the password I used, and not knowing what I know means you’ll have a very hard time guessing. There are more than 170,000 words in the English language. Good luck guessing the word I used as a password (assuming it is even in the dictionary in the first place).

The problem with passwords surfaced once computers got involved in attacking other computers. Passwords are asymmetrical: humans are not good at remembering, while machines have perfect memory; humans take time to recall and type things, while computers do it in milliseconds. So, as soon as human attackers started getting assistance from computers, the game was skewed against us, like teenagers playing casual neighborhood basketball when one team asks their NBA-player uncle to join. A computer that tries 1,000 passwords per second will get through the entire Oxford dictionary in about 3 minutes. It isn’t fun to play this game against computers.

This is where things took a bad turn. Applying the false maxim that “security is the opposite of usability”, security experts decided that making passwords harder for users would enhance security. They opted for more complex passwords: if dictionary words produce hundreds of thousands of combinations, adding digits (and then uppercase characters, and then symbols) adds orders of magnitude of complexity. Suddenly computers need days, or weeks, or months to go through all the combinations. Aha, thinks Mordac the Preventer, I may be making it somewhat difficult for my users, but I’m also blocking would-be attackers. What other choice do I have; after all, security is the opposite of usability!

What an unfortunate turn of events. Not only has this proven to not be true, but it also derailed the security world from finding a good solution to the problem (there are several). Let’s first see why it didn’t work.

The human brain likes simple patterns; the password ‘12345’ is easy to remember, and so is the word ‘password’ (both were the world’s single most used password at one time or another). Team Preventer decided to force users to use complex passwords, but humans adapt well. If ‘12345’ is not allowed, and ‘abcde’ is not allowed, I can use ‘abc123’ instead. Anyone who has worked at a large IT company knows dozens of clever ways to construct an amazingly simple password that still passes the restrictions set by the password policy makers. In other words, an arms race started between users and their IT security people, and both lost. The IT security staff were busy implementing advanced password policies, the users were busy finding ways around them (not to mention posting secret passwords on sticky notes around the office), and attackers using computers were still able to crack these simple passwords in a variety of ways. In short: low security coupled with low usability.

Next came the single complex password era: as a user, I can come up with one very complex password and remember it. The problem is that I use dozens, maybe hundreds, of online services and they all want a password. And so this single (but very secure) password is used across hundreds of sites, and everything seems fine for a while.

Until attackers compromise one of those online services. It doesn’t seem alarming at first: who cares if a cat meme generator site gets compromised by some hacking group? The problem, of course, is that my password is now exposed, the same complex password I use for my bank account and my main server at work. Computers can try my leaked password against thousands of online services almost immediately (credential stuffing), so before I even hear that my password was compromised, dozens of my online accounts are already hacked. But what could I, as a user, do? I can remember a few simple passwords, or I can remember one complex password. How can I remember many complex passwords? There is an obvious asymmetry between the attacker (using a computer) and the user (using a human brain). It’s not a fair match.

It took us more than 30 years to realize that passwords are the wrong direction. It could have been an instant conclusion if we just had gotten rid of the ‘security is the opposite of usability” false narrative. What if we come up with something that is easy for users to do but difficult for computers? Eureka.

As soon as we change the definition, solutions pop up everywhere. The Bank of America allows me to choose any 4-digit PIN that I want and then use it to withdraw real cash. They do that in a way that I can remember it and will not need to write it down; why is a simple 4-digit PIN (only 10,000 combinations) secure? Because it requires “something I have” (a debit card) in addition to “something I know” (the PIN code). Gmail and Facebook use the same method when they send you an SMS to confirm that it’s really you who is logging into the account – a mobile phone is “something you have”.

We also know how to block computers while minimizing disturbance for humans. ‘CAPTCHA’ tests use abilities humans have naturally (like finding all the stop signs in a set of pictures) and computers struggle with. Another behind-the-scenes protection is a temporary account lock-out after a few failed attempts. If you can’t enter your password in 3 tries, you probably need a long time-out to quietly figure out what it is before you continue. Why let a computer try millions of combinations an hour when we can limit it to 3 per hour, blocking brute-force attacks at a very minor inconvenience to legitimate users? (The limit should be tracked per account and, ideally, per source as well, so that an attacker cannot simply spread guesses across many accounts or deliberately lock legitimate users out.)

We are just starting to move away from passwords, and unfortunately their inconvenience will be with us for a while. But realizing you have a problem is a necessary step towards a solution. The security world is just now realizing that inconveniencing users is not the right way to enhance security.

Our job as security professionals is to find those security solutions that provide maximum security with minimal inconvenience to humans; in a few decades it will be common knowledge that user convenience provides the best security. Let getting rid of passwords be the first step in that seemingly utopian direction.

What Is the One Thing We Can Do Right Now to Improve Our Cybersecurity?

This article was originally published on U.S. Chamber of Commerce on April 08, 2019.

If you could create your own fantasy Board of Directors, who would be on it? CO— connects you with thought leaders from across the business spectrum and asks them to help solve your biggest business challenges. In this edition, a CO— reader asks how to improve a business’s cybersecurity when expert help isn’t affordable.

Aviram Jenik, founder and CEO of network security company Beyond Security, answers…

The first, and arguably most important thing a small company can do is realize that improving security, no matter how small of an improvement, is a good thing.

It is a logical fallacy to think, “A determined hacker can get in anyway, so why bother with more IT security?” Security is a continuous process; so, instead, a small business should try and say, “How can I be more secure today than I was yesterday?” The goal shouldn’t be perfect security; it should be improved security.

Next, small businesses should realize that the security solutions market is large and quite competitive. There are security solutions at almost infinite quality levels and budgets; and, with some legwork, any small business should be able to find a solution that fits its budget.

You will probably want to start with things you are required to do, due to regulations or requirements by third parties:

  • Setting up perimeter defenses.
  • Performing regular security assessments or penetration tests.
  • Installing reasonable end-point protection.

All of these can be found at variable pricing points to fit almost any budget. Coupled with the first point above, it’s important to realize that if you can’t afford a product or service, your choice should not be to do nothing, but find an intermediate solution to marginally improve your security with the budget you have.

I’m regularly asked by businesses small and large — if they could only do one thing, what should it be? I invariably give the same answer I’ve been giving for over two decades as a security professional: if you aren’t already, you should be doing regular security checkups.

These go by many names: vulnerability scans, penetration tests, security assessments. But they all essentially mean the same thing: getting a clear and concise report about your network and internet-based assets, along with security issues they have and simple recommendations on how to fix them.

Getting an analysis of your security posture is probably what will get you the most bang for your buck and can help you plan the next steps. At a minimum, you’ll know which areas need improvement and which don’t, which can help you plan the next steps in the continuous security process.

CO— aims to bring you inspiration from leading respected experts. However, before making any business decision, you should consult a professional who can advise you based on your individual situation.
