9 Vulnerability Management Pitfalls to Avoid


Vulnerability management (VM) can seem unmanageable at times. But the key to successful VM is working smarter rather than harder. If you approach VM intelligently and prioritize appropriately, you can keep the number of resulting tasks from spiraling out of control.

As with any on-going security practice, there are countless ways you can botch VM. Often the devil is in the details as well as the larger processes. That’s why it’s a good practice to step back and evaluate your vulnerability management program from end to end.

Below we list a few common pitfalls organizations need to avoid when it comes to vulnerability management.

Limited Scanning

Are you limiting your scanning to server-only or external-only scans? If so, you are missing the big picture. External scans look for vulnerabilities in your firewalls which attackers could exploit to access your network. These can include weak security configurations or unpatched protection software. Internal scans look for weaknesses within your network, such as poor configurations or even malware that has been downloaded. Both internal and external assets are vital to examine. You cannot make sound remediation decisions based on incomplete information, so don’t limit your scans to one or the other. 

Incomplete Scanning

Are you using an up-to-date Configuration Management Database (CMDB) to inform your scanning? If not, your scans could be inadvertently skipping vital assets. Be sure your CMDB is a complete and accurate representation of your assets and their interdependencies. This will help prevent the creation of scanning blind spots.

Wasted Scanning

Are you running scans and ignoring the results? If so, you are wasting time and resources, not to mention squandering an opportunity. We all know it can be tempting to just run required scans to “check a box”. However, if you do not have a plan for reviewing results and developing remediation actions, you are missing a chance to make your systems more secure. That’s not a sound business practice.

Perhaps you are hesitant to address scan results because your team is small with limited bandwidth. In these instances you must heavily prioritize your scan results. You can make a long list more manageable with several layers of prioritization, including the use of vital risk context and threat intelligence. These help you highlight which vulnerabilities are the most critical to your organization and which actions are absolutely necessary. By addressing the right critical vulnerabilities immediately, you avoid wasting resources on tasks that don’t move the needle and avoid the damage caused by an exploited vulnerability.

Improper Scanning Cadence

Are you running scans too infrequently? Or are you running them so often that they are more of a monitoring tool? If you are doing either, you are undermining your own VM efforts. It’s crucial to identify the scanning frequency that works for your organization. If you misuse scanning, you could potentially be placing unnecessary strain on bandwidth and target assets. If you run scans too infrequently, you could miss vulnerabilities and increase the likelihood that a flaw will be exploited against your system. The longer a flaw exists undiscovered, the more exposed to a breach your network becomes. To ensure you keep VM effective and manageable, assess your team’s capabilities and strike the right balance with your scanning cadence.

Restricted Scanning Results

Are you refusing to whitelist your vulnerability scanner? If so, you are not getting an accurate read on the vulnerabilities that exist behind your firewall. A firewall is set up to deny malicious traffic, and scanner traffic can look malicious to it because of what it probes for. If you don’t whitelist your scanner, the firewall will drop the scanner’s traffic, which produces artificially clean scan results and a false sense of security.

Mismanaged Scanning Results

Have you been tossing giant lists of unprioritized, unvetted vulnerabilities to your team? If so, you are most likely “helping” them become less effective and less efficient. Don’t overwhelm your team with a horde of vulnerabilities that haven’t been ranked and then ask them to create order out of chaos. Use agreed upon criteria in conjunction with risk-based vulnerability management tools to sort, filter, and prioritize lists before they are handed over. The right vulnerability management solution will offer features that enable effective ranking, as well as the ability to monitor progress.

Mitigation without Remediation

When you address vulnerabilities, are you just performing fixes or stop-gap measures without any cause analysis? If so, your team will likely run up against similar issues again and again. You must identify how vulnerabilities occur or you won’t be able to avoid recurrence in the future. Fixes alone address the “symptoms”, but not the “disease” that is causing them. Be sure your team is prepared to uncover and address the root of vulnerabilities as well as provide a remedy.

Endless Exceptions

Do you have a list of exceptions that don’t have an expiration date? If so, you could be permanently ignoring some vulnerabilities that still require remediation. In VM, exceptions are made for a variety of reasons. Some are false positives that represent vulnerabilities that have already been addressed, but that some automated scans cannot distinguish as patched. Others are delayed actions, which are usually vulnerabilities that cannot be addressed within the Service Level Agreement’s (SLA’s) specified time period. This type of exception must be given an expiration date to ensure it gets addressed in the future. If you do not assign expiration dates, you run the risk of creating an ever-growing list of vulnerability exceptions with endless shelf lives. And the longer they persist, the more vulnerable your organization becomes.

Needless VM Complications

Are you using a complex vulnerability management (VM) solution because you think complexity = effectiveness? If so, you are not operating as efficiently and as effectively as you could be. Once upon a time, complicated vulnerability management was the only way to go. Large, unreadable, unactionable lists of vulnerabilities were just an accepted part of IT. But no more. There are much better options available today.

You need a VM solution designed to empower IT teams with powerful technology that is easy to use. Additionally, you should look for a SaaS-based vulnerability management tool that provides an easily deployed, flexible solution that can grow and change with your business. The right VM solution will provide filtering, sorting, and ranking features that can prioritize your vulnerabilities and help you maximize your IT team’s productivity.

Life in IT is challenging enough without adding needless complexity. Your organization will need easy-to-use, powerful technology with a user-friendly interface to simplify and streamline your VM efforts.


Patch Tuesday Update - July 2023


Today’s Microsoft Security Update addressed 130 vulnerabilities, including 9 rated as Critical. This is double the number fixed last month, June 2023.

Microsoft included two security advisories this month, ADV230001 and ADV230002. ADV230001 addresses drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) that have been used maliciously in post-exploitation activity. Microsoft has suspended the developer accounts associated with the affected drivers, marked the drivers as untrusted, and revoked the affected driver-signing certificates.

Multiple vulnerabilities in this month’s Patch Tuesday are currently being exploited in the wild, including one that does not yet have a patch, CVE-2023-36884.

  • CVE-2023-32046 requires a specially crafted file to exploit and grants the attacker the same privileges as the user who executed it.
  • CVE-2023-32049 could allow an attacker to bypass the Open File – Security Warning prompt. User interaction is required: the attacker must convince a user to click a malicious URL.
  • CVE-2023-36874 can be leveraged by an attacker to escalate privileges to those of an administrator.
  • CVE-2023-36884: Microsoft is aware of targeted attacks attempting to exploit this vulnerability via a crafted Microsoft Office document to achieve remote code execution. The attack succeeds only if the attacker tricks the victim into opening the malicious file. This vulnerability does not yet have a patch; Microsoft has provided multiple mitigations until one is available. More information on the mitigations can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884.
  • CVE-2023-35311 would allow an attacker to bypass the Microsoft Outlook Security Notice prompt, but requires user interaction.

CVE/Advisory | Title | Tag | Microsoft Severity Rating | Base Score | Microsoft Impact | Exploited | Publicly Disclosed
CVE-2023-21756 | Windows Win32k Elevation of Privilege Vulnerability | Microsoft Graphics Component | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-33148 | Microsoft Office Elevation of Privilege Vulnerability | Microsoft Office | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-33149 | Microsoft Office Graphics Remote Code Execution Vulnerability | Microsoft Graphics Component | Important | 7.8 | Remote Code Execution | No | No
CVE-2023-33150 | Microsoft Office Security Feature Bypass Vulnerability | Microsoft Office | Important | 9.6 | Security Feature Bypass | No | No
CVE-2023-33151 | Microsoft Outlook Spoofing Vulnerability | Microsoft Office Outlook | Important | 6.5 | Spoofing | No | No
CVE-2023-33152 | Microsoft ActiveX Remote Code Execution Vulnerability | Microsoft Office Access | Important | 7 | Remote Code Execution | No | No
CVE-2023-33153 | Microsoft Outlook Remote Code Execution Vulnerability | Microsoft Office Outlook | Important | 6.8 | Remote Code Execution | No | No
CVE-2023-33165 | Microsoft SharePoint Server Security Feature Bypass Vulnerability | Microsoft Office SharePoint | Important | 4.3 | Security Feature Bypass | No | No
CVE-2023-33166 | Remote Procedure Call Runtime Denial of Service Vulnerability | Windows Remote Procedure Call | Important | 6.5 | Denial of Service | No | No
CVE-2023-33167 | Remote Procedure Call Runtime Denial of Service Vulnerability | Windows Remote Procedure Call | Important | 6.5 | Denial of Service | No | No
CVE-2023-33168 | Remote Procedure Call Runtime Denial of Service Vulnerability | Windows Remote Procedure Call | Important | 6.5 | Denial of Service | No | No
CVE-2023-33169 | Remote Procedure Call Runtime Denial of Service Vulnerability | Windows Remote Procedure Call | Important | 6.5 | Denial of Service | No | No
CVE-2023-33172 | Remote Procedure Call Runtime Denial of Service Vulnerability | Windows Remote Procedure Call | Important | 6.5 | Denial of Service | No | No
CVE-2023-33173 | Remote Procedure Call Runtime Denial of Service Vulnerability | Windows Remote Procedure Call | Important | 6.5 | Denial of Service | No | No
CVE-2023-33174 | Windows Cryptographic Information Disclosure Vulnerability | Windows Cryptographic Services | Important | 5.5 | Information Disclosure | No | No
CVE-2023-32033 | Microsoft Failover Cluster Remote Code Execution Vulnerability | Windows Cluster Server | Important | 6.6 | Remote Code Execution | No | No
CVE-2023-32034 | Remote Procedure Call Runtime Denial of Service Vulnerability | Windows Remote Procedure Call | Important | 6.5 | Denial of Service | No | No
CVE-2023-32035 | Remote Procedure Call Runtime Denial of Service Vulnerability | Windows Remote Procedure Call | Important | 6.5 | Denial of Service | No | No
CVE-2023-32037 | Windows Layer-2 Bridge Network Driver Information Disclosure Vulnerability | Windows Layer 2 Tunneling Protocol | Important | 6.5 | Information Disclosure | No | No
CVE-2023-32038 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Windows ODBC Driver | Important | 8.8 | Remote Code Execution | No | No
CVE-2023-32039 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Microsoft Printer Drivers | Important | 5.5 | Information Disclosure | No | No
CVE-2023-32040 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Microsoft Printer Drivers | Important | 5.5 | Information Disclosure | No | No
CVE-2023-32041 | Windows Update Orchestrator Service Information Disclosure Vulnerability | Windows Update Orchestrator Service | Important | 5.5 | Information Disclosure | No | No
CVE-2023-32042 | OLE Automation Information Disclosure Vulnerability | Windows OLE | Important | 6.5 | Information Disclosure | No | No
CVE-2023-32043 | Windows Remote Desktop Security Feature Bypass Vulnerability | Windows Remote Desktop | Important | 6.8 | Security Feature Bypass | No | No
CVE-2023-32044 | Microsoft Message Queuing Denial of Service Vulnerability | Windows Message Queuing | Important | 7.5 | Denial of Service | No | No
CVE-2023-32045 | Microsoft Message Queuing Denial of Service Vulnerability | Windows Message Queuing | Important | 7.5 | Denial of Service | No | No
CVE-2023-32046 | Windows MSHTML Platform Elevation of Privilege Vulnerability | Windows MSHTML Platform | Important | 7.8 | Elevation of Privilege | Yes | No
CVE-2023-32047 | Paint 3D Remote Code Execution Vulnerability | Paint 3D | Important | 7.8 | Remote Code Execution | No | No
ADV230002 | Microsoft Guidance for Addressing Security Feature Bypass in Trend Micro EFI Modules | Windows EFI Partition | Important | N/A | Security Feature Bypass | No | No
CVE-2023-32049 | Windows SmartScreen Security Feature Bypass Vulnerability | Windows SmartScreen | Important | 8.8 | Security Feature Bypass | Yes | No
CVE-2023-32050 | Windows Installer Elevation of Privilege Vulnerability | Windows Installer | Important | 7 | Elevation of Privilege | No | No
CVE-2023-32051 | Raw Image Extension Remote Code Execution Vulnerability | Microsoft Windows Codecs Library | Important | 7.8 | Remote Code Execution | No | No
CVE-2023-35313 | Windows Online Certificate Status Protocol (OCSP) SnapIn Remote Code Execution Vulnerability | Windows Online Certificate Status Protocol (OCSP) SnapIn | Important | 7.8 | Remote Code Execution | No | No
CVE-2023-35314 | Remote Procedure Call Runtime Denial of Service Vulnerability | Windows Remote Procedure Call | Important | 6.5 | Denial of Service | No | No
CVE-2023-35315 | Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability | Windows Layer-2 Bridge Network Driver | Critical | 8.8 | Remote Code Execution | No | No
CVE-2023-35316 | Remote Procedure Call Runtime Information Disclosure Vulnerability | Windows Remote Procedure Call | Important | 6.5 | Information Disclosure | No | No
CVE-2023-35317 | Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability | Windows Server Update Service | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-35318 | Remote Procedure Call Runtime Denial of Service Vulnerability | Windows Remote Procedure Call | Important | 6.5 | Denial of Service | No | No
CVE-2023-35319 | Remote Procedure Call Runtime Denial of Service Vulnerability | Windows Remote Procedure Call | Important | 6.5 | Denial of Service | No | No
CVE-2023-35320 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | Windows Connected User Experiences and Telemetry | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-35321 | Windows Deployment Services Denial of Service Vulnerability | Windows Deployment Services | Important | 6.5 | Denial of Service | No | No
CVE-2023-35322 | Windows Deployment Services Remote Code Execution Vulnerability | Windows Deployment Services | Important | 8.8 | Remote Code Execution | No | No
CVE-2023-35323 | Windows OLE Remote Code Execution Vulnerability | Windows Online Certificate Status Protocol (OCSP) SnapIn | Important | 7.8 | Remote Code Execution | No | No
CVE-2023-35324 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Microsoft Printer Drivers | Important | 5.5 | Information Disclosure | No | No
CVE-2023-35325 | Windows Print Spooler Information Disclosure Vulnerability | Windows Print Spooler Components | Important | 7.5 | Information Disclosure | No | No
CVE-2023-35326 | Windows CDP User Components Information Disclosure Vulnerability | Windows CDP User Components | Important | 5.5 | Information Disclosure | No | No
CVE-2023-35328 | Windows Transaction Manager Elevation of Privilege Vulnerability | Windows Transaction Manager | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-35329 | Windows Authentication Denial of Service Vulnerability | Windows Authentication Methods | Important | 6.5 | Denial of Service | No | No
CVE-2023-35330 | Windows Extended Negotiation Denial of Service Vulnerability | Windows SPNEGO Extended Negotiation | Important | 7.5 | Denial of Service | No | No
CVE-2023-35331 | Windows Local Security Authority (LSA) Denial of Service Vulnerability | Windows Local Security Authority (LSA) | Important | 6.5 | Denial of Service | No | No
CVE-2023-35332 | Windows Remote Desktop Protocol Security Feature Bypass | Windows Remote Desktop | Important | 6.8 | Security Feature Bypass | No | No
CVE-2023-35333 | MediaWiki PandocUpload Extension Remote Code Execution Vulnerability | Microsoft Media-Wiki Extensions | Important | 8.8 | Remote Code Execution | No | No
CVE-2023-35336 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Windows MSHTML Platform | Important | 6.5 | Security Feature Bypass | No | No
CVE-2023-35337 | Win32k Elevation of Privilege Vulnerability | Windows Win32K | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-35338 | Windows Peer Name Resolution Protocol Denial of Service Vulnerability | Windows Peer Name Resolution Protocol | Important | 7.5 | Denial of Service | No | No
CVE-2023-35339 | Windows CryptoAPI Denial of Service Vulnerability | Windows CryptoAPI | Important | 7.5 | Denial of Service | No | No
CVE-2023-35340 | Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | Windows CNG Key Isolation Service | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-35341 | Microsoft DirectMusic Information Disclosure Vulnerability | Windows Media | Important | 6.2 | Information Disclosure | No | No
CVE-2023-35342 | Windows Image Acquisition Elevation of Privilege Vulnerability | Windows Image Acquisition | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-35343 | Windows Geolocation Service Remote Code Execution Vulnerability | Windows Geolocation Service | Important | 7.8 | Remote Code Execution | No | No
CVE-2023-35344 | Windows DNS Server Remote Code Execution Vulnerability | Role: DNS Server | Important | 6.6 | Remote Code Execution | No | No
CVE-2023-35345 | Windows DNS Server Remote Code Execution Vulnerability | Role: DNS Server | Important | 6.6 | Remote Code Execution | No | No
CVE-2023-35346 | Windows DNS Server Remote Code Execution Vulnerability | Role: DNS Server | Important | 6.6 | Remote Code Execution | No | No
CVE-2023-35347 | Microsoft Install Service Elevation of Privilege Vulnerability | Windows App Store | Important | 7.1 | Elevation of Privilege | No | No
CVE-2023-35348 | Active Directory Federation Service Security Feature Bypass Vulnerability | Azure Active Directory | Important | 7.5 | Security Feature Bypass | No | No
CVE-2023-35350 | Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability | Windows Active Directory Certificate Services | Important | 7.2 | Remote Code Execution | No | No
CVE-2023-35351 | Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability | Windows Active Directory Certificate Services | Important | 6.6 | Remote Code Execution | No | No
CVE-2023-35352 | Windows Remote Desktop Security Feature Bypass Vulnerability | Windows Remote Desktop | Critical | 7.5 | Security Feature Bypass | No | No
CVE-2023-35353 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | Windows Connected User Experiences and Telemetry | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-35356 | Windows Kernel Elevation of Privilege Vulnerability | Windows Kernel | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-35357 | Windows Kernel Elevation of Privilege Vulnerability | Windows Kernel | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-35358 | Windows Kernel Elevation of Privilege Vulnerability | Windows Kernel | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-35360 | Windows Kernel Elevation of Privilege Vulnerability | Windows NT OS Kernel | Important | 7 | Elevation of Privilege | No | No
CVE-2023-35361 | Windows Kernel Elevation of Privilege Vulnerability | Windows NT OS Kernel | Important | 7 | Elevation of Privilege | No | No
CVE-2023-35362 | Windows Clip Service Elevation of Privilege Vulnerability | Windows Clip Service | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-35363 | Windows Kernel Elevation of Privilege Vulnerability | Windows Kernel | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-35364 | Windows Kernel Elevation of Privilege Vulnerability | Windows NT OS Kernel | Important | 8.8 | Elevation of Privilege | No | No
CVE-2023-35365 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Windows Routing and Remote Access Service (RRAS) | Critical | 9.8 | Remote Code Execution | No | No
CVE-2023-35366 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Windows Routing and Remote Access Service (RRAS) | Critical | 9.8 | Remote Code Execution | No | No
CVE-2023-35367 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Windows Routing and Remote Access Service (RRAS) | Critical | 9.8 | Remote Code Execution | No | No
CVE-2023-36872 | VP9 Video Extensions Information Disclosure Vulnerability | Microsoft Windows Codecs Library | Important | 5.5 | Information Disclosure | No | No
CVE-2023-36874 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Windows Error Reporting | Important | 7.8 | Elevation of Privilege | Yes | No
CVE-2023-36884 | Office and Windows HTML Remote Code Execution Vulnerability | Microsoft Office | Important | 8.3 | Remote Code Execution | Yes | Yes
CVE-2023-21526 | Windows Netlogon Information Disclosure Vulnerability | Windows Netlogon | Important | 7.4 | Information Disclosure | No | No
ADV230001 | Guidance on Microsoft Signed Drivers Being Used Maliciously | Windows Certificates | None | N/A | Defense in Depth | Yes | No
CVE-2023-29347 | Windows Admin Center Spoofing Vulnerability | Windows Admin Center | Important | 8.7 | Spoofing | No | No
CVE-2023-33127 | .NET and Visual Studio Elevation of Privilege Vulnerability | .NET and Visual Studio | Important | 8.1 | Elevation of Privilege | No | No
CVE-2023-33134 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Microsoft Office SharePoint | Important | 8.8 | Remote Code Execution | No | No
CVE-2023-33154 | Windows Partition Management Driver Elevation of Privilege Vulnerability | Windows Partition Management Driver | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-33155 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Windows Cloud Files Mini Filter Driver | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-33156 | Microsoft Defender Elevation of Privilege Vulnerability | Windows Defender | Important | 6.3 | Elevation of Privilege | No | No
CVE-2023-33157 | Microsoft SharePoint Remote Code Execution Vulnerability | Microsoft Office SharePoint | Critical | 8.8 | Remote Code Execution | No | No
CVE-2023-33158 | Microsoft Excel Remote Code Execution Vulnerability | Microsoft Office Excel | Important | 7.8 | Remote Code Execution | No | No
CVE-2023-33159 | Microsoft SharePoint Server Spoofing Vulnerability | Microsoft Office SharePoint | Important | 8.8 | Spoofing | No | No
CVE-2023-33160 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Microsoft Office SharePoint | Critical | 8.8 | Remote Code Execution | No | No
CVE-2023-33161 | Microsoft Excel Remote Code Execution Vulnerability | Microsoft Office Excel | Important | 7.8 | Remote Code Execution | No | No
CVE-2023-33162 | Microsoft Excel Information Disclosure Vulnerability | Microsoft Office Excel | Important | 5.5 | Information Disclosure | No | No
CVE-2023-33163 | Windows Network Load Balancing Remote Code Execution Vulnerability | Windows Network Load Balancing | Important | 7.5 | Remote Code Execution | No | No
CVE-2023-33164 | Remote Procedure Call Runtime Denial of Service Vulnerability | Windows Remote Procedure Call | Important | 6.5 | Denial of Service | No | No
CVE-2023-33170 | ASP.NET and Visual Studio Security Feature Bypass Vulnerability | ASP.NET and Visual Studio | Important | 8.1 | Security Feature Bypass | No | No
CVE-2023-33171 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Microsoft Dynamics | Important | 8.2 | Spoofing | No | No
CVE-2023-32052 | Microsoft Power Apps Spoofing Vulnerability | Microsoft Power Apps | Important | 5.4 | Spoofing | No | No
CVE-2023-32053 | Windows Installer Elevation of Privilege Vulnerability | Windows Installer | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-32054 | Volume Shadow Copy Elevation of Privilege Vulnerability | Windows Volume Shadow Copy | Important | 7.3 | Elevation of Privilege | No | No
CVE-2023-32055 | Active Template Library Elevation of Privilege Vulnerability | Windows Active Template Library | Important | 6.7 | Elevation of Privilege | No | No
CVE-2023-32056 | Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability | Windows Server Update Service | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-32057 | Microsoft Message Queuing Remote Code Execution Vulnerability | Windows Message Queuing | Critical | 9.8 | Remote Code Execution | No | No
CVE-2023-32083 | Microsoft Failover Cluster Information Disclosure Vulnerability | Windows Failover Cluster | Important | 6.5 | Information Disclosure | No | No
CVE-2023-32084 | HTTP.sys Denial of Service Vulnerability | Windows HTTP.sys | Important | 7.5 | Denial of Service | No | No
CVE-2023-32085 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Microsoft Printer Drivers | Important | 5.5 | Information Disclosure | No | No
CVE-2023-35296 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Microsoft Printer Drivers | Important | 6.5 | Information Disclosure | No | No
CVE-2023-35297 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Windows PGM | Critical | 7.5 | Remote Code Execution | No | No
CVE-2023-35298 | HTTP.sys Denial of Service Vulnerability | Windows HTTP.sys | Important | 7.5 | Denial of Service | No | No
CVE-2023-35299 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Windows Common Log File System Driver | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-35300 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Windows Remote Procedure Call | Important | 8.8 | Remote Code Execution | No | No
CVE-2023-35302 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Microsoft Printer Drivers | Important | 8.8 | Remote Code Execution | No | No
CVE-2023-35303 | USB Audio Class System Driver Remote Code Execution Vulnerability | Microsoft Windows Codecs Library | Important | 8.8 | Remote Code Execution | No | No
CVE-2023-35304 | Windows Kernel Elevation of Privilege Vulnerability | Windows Kernel | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-35305 | Windows Kernel Elevation of Privilege Vulnerability | Windows Kernel | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-35306 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Microsoft Printer Drivers | Important | 5.5 | Information Disclosure | No | No
CVE-2023-35308 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Windows MSHTML Platform | Important | 6.5 | Security Feature Bypass | No | No
CVE-2023-35309 | Microsoft Message Queuing Remote Code Execution Vulnerability | Windows Message Queuing | Important | 7.5 | Remote Code Execution | No | No
CVE-2023-35310 | Windows DNS Server Remote Code Execution Vulnerability | Role: DNS Server | Important | 6.6 | Remote Code Execution | No | No
CVE-2023-35311 | Microsoft Outlook Security Feature Bypass Vulnerability | Microsoft Office Outlook | Important | 8.8 | Security Feature Bypass | Yes | No
CVE-2023-35312 | Microsoft VOLSNAP.SYS Elevation of Privilege Vulnerability | Windows VOLSNAP.SYS | Important | 7.8 | Elevation of Privilege | No | No
CVE-2023-35335 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Microsoft Dynamics | Important | 8.2 | Spoofing | No | No
CVE-2023-35373 | Mono Authenticode Validation Spoofing Vulnerability | Mono Authenticode | Important | 5.3 | Spoofing | No | No
CVE-2023-35374 | Paint 3D Remote Code Execution Vulnerability | Paint 3D | Important | 7.8 | Remote Code Execution | No | No
CVE-2023-36867 | Visual Studio Code GitHub Pull Requests and Issues Extension Remote Code Execution Vulnerability | Visual Studio Code | Important | 7.8 | Remote Code Execution | No | No
CVE-2023-36868 | Azure Service Fabric on Windows Information Disclosure Vulnerability | Service Fabric | Important | 6.5 | Information Disclosure | No | No
CVE-2023-36871 | Azure Active Directory Security Feature Bypass Vulnerability | Azure Active Directory | Important | 6.5 | Security Feature Bypass | |
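The following is an added example (not Beyond Security's or Frontline VM's code) that ties the prioritization advice from the "Wasted Scanning" and "Endless Exceptions" sections above to this table: it parses a few rows re-typed from the table, scores each with the base score, threat-intelligence bonuses and a constructed asset-criticality weight, then drops findings whose exception is still valid while flagging delayed-action exceptions that have expired or were never given an expiry date. The scoring weights, the asset criticality table, the exception register and the "today" date are all assumptions, not values from the page.

```python
"""Risk-based triage of Patch Tuesday rows with expiring exceptions. Added example,
not Beyond Security's code; weights, asset values and exceptions are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample: six rows re-typed from the July 2023 table on this page,
# pipe-delimited in the table's column order (id, title, tag, severity,
# base score, impact, exploited, publicly disclosed).
SAMPLE_ROWS = """\
CVE-2023-32046|Windows MSHTML Platform Elevation of Privilege Vulnerability|Windows MSHTML Platform|Important|7.8|Elevation of Privilege|Yes|No
CVE-2023-35365|Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability|Windows Routing and Remote Access Service (RRAS)|Critical|9.8|Remote Code Execution|No|No
CVE-2023-36884|Office and Windows HTML Remote Code Execution Vulnerability|Microsoft Office|Important|8.3|Remote Code Execution|Yes|Yes
CVE-2023-33166|Remote Procedure Call Runtime Denial of Service Vulnerability|Windows Remote Procedure Call|Important|6.5|Denial of Service|No|No
CVE-2023-32049|Windows SmartScreen Security Feature Bypass Vulnerability|Windows SmartScreen|Important|8.8|Security Feature Bypass|Yes|No
ADV230001|Guidance on Microsoft Signed Drivers Being Used Maliciously|Windows Certificates|None|N/A|Defense in Depth|Yes|No
"""

# Constructed risk context (assumption): per-tag weight for how much of the
# estate carries the product and how exposed it is (1.0 = every workstation,
# 0.2 = a few internal-only servers).
ASSET_CRITICALITY = {
    "Microsoft Office": 1.0, "Windows MSHTML Platform": 1.0,
    "Windows SmartScreen": 1.0, "Windows Remote Procedure Call": 1.0,
    "Windows Certificates": 1.0,
    "Windows Routing and Remote Access Service (RRAS)": 0.2,
}

@dataclass
class Finding:
    id: str
    tag: str
    severity: str
    base_score: Optional[float]  # None where the table says N/A (advisories)
    exploited: bool
    disclosed: bool

@dataclass
class VmException:
    finding_id: str
    kind: str                # "false_positive" or "delayed_action"
    expires: Optional[date]  # mandatory for delayed actions

def parse_rows(text):
    """Parse pipe-delimited rows in the table's column order into Findings."""
    findings = []
    for line in filter(str.strip, text.splitlines()):
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 8:
            raise ValueError(f"expected 8 columns, got {len(cols)}: {line!r}")
        fid, _title, tag, sev, score, _impact, expl, disc = cols
        base = None if score.upper() == "N/A" else float(score)
        findings.append(Finding(fid, tag, sev, base, expl == "Yes", disc == "Yes"))
    return findings

def risk_score(f, criticality=ASSET_CRITICALITY):
    """CVSS base score plus threat-intel bonuses, scaled by asset context; an
    exploited 'Important' bug on every workstation outranks an internal 9.8."""
    score = f.base_score or 0.0
    if f.exploited:
        score += 3.0   # active exploitation is the strongest signal
    if f.disclosed:
        score += 1.0   # public details lower the bar for attackers
    if f.severity == "Critical":
        score += 1.0
    return round(score * criticality.get(f.tag, 0.5), 2)  # 0.5: unknown tag

def apply_exceptions(findings, exceptions, today):
    """Return (suppressed ids, policy problems): false positives stand, delayed
    actions need an expiry, and an expired exception stops suppressing."""
    by_id = {e.finding_id: e for e in exceptions}
    suppressed, problems = set(), []
    for f in findings:
        e = by_id.get(f.id)
        if e is None:
            continue
        if e.kind == "false_positive":
            suppressed.add(f.id)
        elif e.expires is None:
            problems.append((f.id, "delayed_action exception has no expiry date"))
        elif e.expires < today:
            problems.append((f.id, f"exception expired {e.expires.isoformat()}"))
        else:
            suppressed.add(f.id)
    return suppressed, problems

def triage(rows, exceptions, today):
    """Ranked open work list [(id, score)] plus exception policy problems."""
    findings = parse_rows(rows)
    suppressed, problems = apply_exceptions(findings, exceptions, today)
    open_items = [(f.id, risk_score(f)) for f in findings if f.id not in suppressed]
    return sorted(open_items, key=lambda p: p[1], reverse=True), problems

# Constructed exception register for the sample rows (assumption).
SAMPLE_EXCEPTIONS = [
    VmException("CVE-2023-33166", "false_positive", None),
    VmException("CVE-2023-32046", "delayed_action", date(2023, 7, 1)),
    VmException("CVE-2023-35365", "delayed_action", None),
]

def demo(today=date(2023, 7, 20)):
    return triage(SAMPLE_ROWS, SAMPLE_EXCEPTIONS, today)
```

Calling demo() puts the exploited-in-the-wild CVE-2023-36884 at the top and the CVSS 9.8 RRAS bug at the bottom, because under the constructed weights only a few internal-only servers carry RRAS; it also reports the expired exception on CVE-2023-32046 and the missing expiry on CVE-2023-35365.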


How Enterprise VM Keeps Up with Modern Threats


Vulnerability management is a foundational cybersecurity practice. Open-source VM solutions may have provided an introduction to the benefits of VM, but the modern threat landscape means organizations need more advanced and reliable tools to stay secure. Here’s why enterprise-grade VM solutions are more essential now than ever.

Beating complexity with technology 

Enterprise vulnerability management tools feature a variety of technologies that enable them to keep pace with the complexities of modern organizations.

Because these tools need to be immediately available for enterprise-level consumption, they are updated more frequently by developers focused on the tool. Open-source platforms may or may not receive the same scrutiny or consistent attention.

Additionally, enterprise VM offers more sophisticated scanning options, reaching across on-premises, cloud, and hybrid architectures. Coupled with better data manipulation and API availability, this results in more robust capabilities that can match today’s complicated threat onslaught. Enterprise VM can:

  • Scan local systems 
  • Scan the entire global network 
  • Correlate data on dynamic assets 
  • Integrate with other enterprise-level tools 
  • Cut resource costs by being user-friendly and easy to deploy 
  • Infuse risk context for accurate, personalized remediation prioritization 

Additional technical considerations of an enterprise VM solution include: 

  1. Automated and On-Demand Scanning | Automated scanning relieves the everyday security burden for busy teams and allows companies to respond immediately to developing issues.
  2. Data Management | After scans are run, the best enterprise VM will make sense of the data, not leave teams to distill it themselves. From customized reports to being able to query against all scanned assets, data management capabilities increase the value of scanned data. 
  3. Asset Correlation | Enterprise VM solutions ensure scan results are accurate and actionable by reducing false positives. In the best systems, built-in technology automatically tracks a device through the network and any changes, reducing confusion and inefficiencies as part of asset data correlation.  
  4. Intuitive Platform Interface | A pre-built, intuitive interface takes the load off new employees and creates reliability in scan creation, even with turnover, staff shortages, and internal changes. 
  5. API Availability | Solutions that are available via API can spread their benefit throughout the broader ecosystem. Through APIs, VM data can enrich SOAR, SIEM, NAC and more.  

Superior documentation 

Advanced documentation enables organizations to sidestep inefficiencies, pass compliance audits, and avoid wasted time. 

As companies continue to grapple with the cybersecurity skills gap, it becomes essential to have thorough documentation to bring users up to speed quickly. As vulnerabilities are patched and controls are put in place, enterprise-level documentation can save companies months of effort and re-work.  

Better reporting also means better audits. Vulnerability management solutions are essential to compliance audits, and enterprise-grade scanners typically come with detailed reporting capabilities built in. The best VM solutions offer segmented and customized reporting so companies can tailor them to their specific vulnerability, configuration, and compliance needs.

Additionally, interactive and visual reporting platforms enable organizations to get the most out of their data. With the help of a central dashboard, users can search, visualize, and analyze their data via interactive, non-static reports.  

Ultimately, the C-suite needs to be made aware of the results of vulnerability management scans. Superior documentation leads to cleaner communication. If an executive has a specific question, practitioners who use enterprise VM can draw specific answers out of a customized, malleable report.

Continuous support 

Organizations today are too busy for constant questions and troubleshooting. Enterprise VM solutions come with continuous support for teams that want to spend more time on critical security issues.  

Expert support keeps things moving. Teams can offload the burden of the learning curve, platform problems, and administrative tasks to enterprise VM experts who can provide simple ways forward. Leverage the expertise of practitioners who know the product, understand your vulnerability management needs, and can help you meet them with minimal downtime. 

Enterprise VM solutions like Frontline Vulnerability Manager can provide 24/7 live US-based customer support. A Personal Security Analyst is available to provide personalized on-demand support, and a team of platform experts can offer unparalleled expertise to help companies get the most out of their enterprise VM. 

Conclusion 

Enterprise vulnerability management enables organizations to overcome the security challenges native to shifting and expanding environments.  

Frequently updated technologies make possible the advanced scanning, data management, and analysis capabilities needed to combat modern threat complexity. Better documentation saves time and resources while delivering streamlined reporting to executives and practitioners who need it most. And the constant level of support guaranteed with the best enterprise VM platforms pays for itself in time saved, overhead, and the cost of training. 

While all vulnerability management programs are a step in the right direction, not all can keep up. Digital ecosystems are expanding, and as data volumes explode, open-source tools managed by in-house teams struggle to maintain the staffing or the up-to-date technology needed to fight threats at scale. Frontline VM makes small teams more effective and reduces inefficiencies, saving resources and enabling organizations to keep up, not catch up, with vulnerability management demands. 

See how Beyond Security can help with future threats.

We can help with any security vulnerability questions.

BeSTORM Release 13.1.0

 

Enhancements

At Beyond Security, we continually strive to improve our products with updates and enhancements that are often customer driven. Below are the enhancements from our latest beSTORM release:

  • Support for Windows 11 has been added.
  • The following modules were updated to be compatible with Windows 10 or later:
    • IEEE802.11 (AP)
    • IEEE802.11 (AP – Simple)
    • IEEE802.11 (Subscriber)
    • IEEE802.11 (Subscriber – Simple)
  • Support for using Kali Linux for Wi-Fi testing in place of dedicated hardware.
  • Simplified error messaging for invalid hostname or IP address on the Basic Configuration window.
  • Confirmation dialog prompt added when deleting a module’s default buffer types.
  • Removed the following modules*:
    • IEEE802.11 (Subscriber – Simple – UDP)
    • CG4579 (Over PCAN) – Custom
    • Running Speed and Cadence (Custom)

*NOTE: If your projects use these modules, substitute them with the IEEE802.11 (Subscriber – Simple), CG4579 (Over PCAN), and Running Speed and Cadence modules.


Frontline VM Release 6.5.4

 

As part of the Infrastructure Protection Fortra family, Frontline VM and BeSECURE are a tandem solution. Each release updates one and paves the way for additional vulnerability management features and improvements in both. Based on user feedback, here are the recent updates for Frontline VM.

Linux Agent

Scan Linux assets that are not always on the network when a scheduled network-based scan runs. Install the agent and configure a check-in schedule; after the initial baseline scan completes, agents report at the designated interval and insert results for any changes to the asset. If nothing has changed since the last report, the agent does not report in, so unchanged assets add no load.

Initial release of Linux Agent supports the following distros:

  • Amazon Linux (2) – x86_64
  • Ubuntu Server (20, 22) – x86_64
  • Debian (11) – x86_64
  • Red Hat Enterprise Linux (7, 8, and 9) – x86_64
  • Oracle Enterprise Linux (7, 8, and 9) – x86_64

SUSE coming soon.  Agent scanning does not include ATS or CIS.

Security Seal

Add a badge to your website that shows its current security status. Set up recurring web application scans against the target and configure Security Seal to display a pass or fail status, with custom images, based on compliance with your security criteria. The seal shows when the last scan ran, who ran it, what was found, and the site's current security status.

Scan Groups

Users can now create Scan Groups to schedule assessments against VM and WAS targets at the same time. Automated reporting from scan groups is supported to generate the following reports: executive, detailed, vulnerability executive summary, asset CSV, and vulnerability CSV. Scan Groups is supported for PCI and non-PCI scanning.

Language Localization

Frontline now supports account-wide system emails and report generation in multiple languages.  This setting will enable reports and system generated emails to be created in English, Japanese, Spanish, Dutch, French, German, Italian, and Portuguese. Chinese and Korean will be supported in a future release.


Vintage Vulnerabilities: New Attacks Can Exploit Old Weaknesses

 

Popular entertainment would have us believe that hackers are all sophisticated attackers ready to strike the latest vulnerabilities. That is sometimes true, but it’s become increasingly apparent that whether it’s the latest zero-day bug or something that was discovered the same year Apple released the iPad, hackers are equal-opportunity offenders.    

“Classic” Vulnerabilities

Cybersecurity professionals know the list of Common Vulnerabilities and Exposures (CVEs) seems never ending. While conscientious organizations work to stay on top of the latest vulnerabilities, it is easy to forget that some of the biggest threats have been around for a long time, and attackers are not above going back to the classics. Companies that haven't always addressed CVEs in a timely manner may be surprised to learn that they have left older issues unaddressed even though fixes are known and readily available. In fact, of the most exploited CVEs identified by the US Cybersecurity and Infrastructure Security Agency (CISA), seven are from 2019 or earlier. Here are a few examples:

CVE-2019-11510

Pulse Connect Secure VPN appliances (now owned by Ivanti) contain a pre-authentication arbitrary file read that lets a remote, unauthenticated attacker retrieve files, including cached credentials, from an exposed system. It has been used in high-profile ransomware attacks, including those deploying Sodinokibi (aka Sodin or REvil) malware.   

Learn more about CVE-2019-11510.

Common Vulnerability Scoring System (CVSS) rating – 10, critical  

CVE-2018-13379

Fortinet FortiOS and FortiProxy SSL VPN web portals contain a path traversal flaw that lets a remote, unauthenticated attacker download system files, including a session file holding plaintext user credentials. Attackers used the harvested credentials of domain administrators where multi-factor authentication wasn't in use and gained full access to the SSL VPN. Because complete remediation required resetting the exposed credentials, which many end users neglected, organizations remained exposed even after IT teams applied the patch. It also highlights the importance of an accurate asset inventory and of enforcing the post-patch steps, such as credential resets and reboots, that a fix depends on.

Learn more about CVE-2018-13379.

CVSS rating – 9.8, critical 

CVE-2019-19781

A path traversal vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, allows an unauthenticated attacker to execute arbitrary code on the appliance. Exposed appliances are easy to find by scanning, and attackers have used the flaw to read configuration and other sensitive files. 

Learn more about CVE-2019-19781.

CVSS rating – 9.8, critical

CVE-2019-18935

Telerik UI for ASP.NET AJAX, a set of components for building web apps, contains an insecure deserialization vulnerability in its RadAsyncUpload handler. Exploitation requires the handler's encryption keys; attackers obtain them by exploiting the earlier CVE-2017-11317 and CVE-2017-11357, then use this bug for remote code execution. 

Learn more about CVE-2019-18935.

CVSS rating – 9.8, critical

CVE-2018-0171

A bug in the Smart Install feature of Cisco IOS and IOS XE software could allow a remote, unauthenticated attacker to execute arbitrary code or force a reload and, consequently, a denial of service. Reloads of affected switches cause network outages.   

Learn more about CVE-2018-0171.

CVSS rating – 9.8, critical

CVE-2017-11882

Known as the Microsoft Office Memory Corruption Vulnerability, this CVE affects Microsoft Office 2007 Service Pack 3, 2010 Service Pack 2, 2013 Service Pack 1, and Microsoft Office 2016. It is a memory corruption flaw in the legacy Equation Editor, an object linking and embedding (OLE) component of Office whose vulnerable binary dates to 2000. Once a user opens a malicious document, the attacker can execute code on the machine. The Department of Homeland Security and the FBI report that this vulnerability is still among those most frequently used by attackers from China, Russia, and North Korea. 

Learn more about CVE-2017-11882.

CVSS rating – 7.8, high

CVE-2017-0199

Another Microsoft bug, affecting Office 2007 SP3, 2010 SP2, 2013 SP1 and 2016, as well as Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1 and Windows 8.1, allows attackers to take control of an affected system when a user opens a specially crafted file. The vulnerability lies in the way Microsoft Office and WordPad parse such files. 

Learn more about CVE-2017-0199.

CVSS rating – 7.8, high

Not on the list of most exploited CVEs, but still worth a mention because it illustrates how long some problems can remain unaddressed, is CVE-2014-0160, aka Heartbleed. This OpenSSL flaw was disclosed in 2014 and is still being exploited today. It has a CVSS rating of 7.5, high.   

Potential Risks

All of these CVEs are at least three years old yet they are still among the currently exploited vulnerabilities cataloged by CISA and private cybersecurity firms. That illustrates the fact that, old or not, these CVEs are still threats to the security of systems large and small. Many of the vulnerabilities listed here can result in compromised accounts that are offered by criminals in access-as-a-service schemes. 

In its 2023 Threat Report, cybersecurity firm Sophos noted that ransomware no longer focuses almost exclusively on Windows. Mac, Linux, and mobile platforms are increasingly in the crosshairs. Attackers are also using new methods of exploitation, including leveraging data from leak sites.  

The number of CVEs cataloged each year has grown steadily since 2010, and that trend is likely to continue, along with the financial consequences. One of the primary motivations for attacking a system is financial gain, usually through ransomware, with payment demanded for decryption or in exchange for not selling exfiltrated data. Many of the CVEs listed above are used for exactly this. Ransomware costs American businesses $1.4 million on average per incident, with 90% of organizations saying the attack affected their ability to operate, according to Sophos. And Forbes reports that even after paying the ransom, businesses recovered only 65% of their data on average. Furthermore, paying a ransom can itself be unlawful, for example where the recipient is a sanctioned entity, so even with 100% data recovery companies can still face legal problems and lawsuits from customers and other affected parties. 

Why Old Vulnerabilities Persist

The reason these CVEs, old and new, are still exploitable is simply because systems haven’t been patched. But the why behind that can vary. In some organizations, IT staff is overwhelmed with an ever increasing workload and not enough people. Sometimes the vulnerability is so old, the staff isn’t even aware of it or may think it’s already been addressed. And as newer issues come along, grabbing headlines and attention, they may be prioritized over older CVEs that don’t seem to pose as much of a threat. Unfortunately, attackers are aware of all this. With all the attention on newer vulnerabilities, it’s often easier for hackers to slip through by exploiting older CVEs that cybersecurity teams have forgotten about or assigned a low priority. 

The bottom line is that IT teams need to be given the resources to conduct thorough assessment, testing, and remediation for the most critical threats. Additionally, cooperation of other parts of the business will make or break successful patching efforts. Employees need to follow reboot, password reset, and other instructions from security teams. Even C-level personnel, who may feel too busy to reboot, must be persuaded to take steps necessary to secure the company’s systems. In fact, IT teams may want to prioritize those machines, with their extremely sensitive data, for security audits. 

What to Do About It

While it can seem overwhelming to contend with new threats as well as old ones, it doesn't have to be. What matters is not a vulnerability's age but its risk. Teams that prioritize on that basis can shorten time-to-remediation for the vulnerabilities most likely to be exploited.

Risk-based vulnerability management (VM) lets each company determine which CVEs are most likely to affect the business and handle those first. Penetration testing not only identifies weaknesses but also verifies whether the vulnerabilities found during scans are actually exploitable in your environment. Combining proactive measures like VM and penetration testing helps security teams pinpoint high-risk weaknesses before attackers can exploit them.
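As an added illustration of risk-based prioritization (not code from this article or from any product), the following Python scores findings so that known exploitation dominates, with CVSS, exposure and asset value refining the order and the CVE's age playing no part. The CVE identifiers are the ones discussed above; the exploited flag follows what the article says about CISA's list, while the exposed and asset_value attributes and the EXAMPLE-NEW placeholder are constructed assumptions.

```python
"""Risk-based ordering of scan findings.  Added example: the scoring
weights are assumptions, not a vendor's or CISA's formula."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    year: int
    cvss: float
    exploited: bool     # exploited in the wild (e.g. on CISA's KEV list)
    exposed: bool       # reachable from the internet (assumed per-asset attribute)
    asset_value: int    # 1 = low-value host .. 3 = crown jewel (assumed, from the CMDB)


def risk_score(f: Finding) -> float:
    """Urgency score, higher first.  Known exploitation adds a flat bonus so
    any exploited finding outranks an unexploited one of similar CVSS;
    exposure and asset value scale the result.  Age is deliberately absent."""
    score = f.cvss + (10.0 if f.exploited else 0.0)
    if f.exposed:
        score *= 1.5
    return round(score * f.asset_value, 2)


def prioritize(findings):
    """CVE identifiers in the order they should be remediated."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]


def newest_first(findings):
    """The ordering the article warns against: chase the latest CVEs."""
    return [f.cve for f in sorted(findings, key=lambda f: f.year, reverse=True)]


# Constructed sample.  EXAMPLE-NEW is a placeholder for a recent, high-CVSS
# finding with no known exploitation on a low-value, internal host.
SAMPLE = [
    Finding("CVE-2019-11510", 2019, 10.0, True,  True,  3),
    Finding("CVE-2018-13379", 2018, 9.8,  True,  True,  3),
    Finding("CVE-2017-11882", 2017, 7.8,  True,  False, 2),
    Finding("CVE-2014-0160",  2014, 7.5,  False, True,  3),
    Finding("EXAMPLE-NEW",    2023, 9.8,  False, False, 1),
]

if __name__ == "__main__":
    for f in sorted(SAMPLE, key=risk_score, reverse=True):
        print(f"{risk_score(f):6.2f}  {f.cve}")
    print("newest first:", newest_first(SAMPLE))
```

With these weights the 2017 Office bug, exploited and sitting on a mid-value host, lands ahead of the unexploited 9.8 placeholder, which a newest-first or CVSS-only queue would put near the top. Tune the constants to your environment; the point is that the exploited flag and the asset context, not the disclosure year, drive the queue.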


A Beginner’s Guide to the ISO/SAE 21434 Cybersecurity Standard for Road Vehicles

 

According to Juniper Research, 206 million vehicles will have embedded connectivity by 2025 — with 30 million vehicles utilizing 5G connectivity. The connected car now contains units for communication, in-voice assistant, geolocation sensors and cloud-platforms that connect vehicles to mobility services. 

To keep these hyper-connected vehicles secure, a standard known as ISO/SAE 21434 was developed. It guides automotive product developers and OEMs in applying effective cybersecurity processes and measures to connected vehicles. Published in August 2021 after several years as a draft, it is becoming part of compliance requirements across the industry.

An ISO/SAE 21434 Summary

ISO/SAE 21434 is a standard co-developed by the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE). ISO/SAE 21434 “Road vehicles — Cybersecurity engineering” focuses on cybersecurity risk in the design and development of vehicle electronics. The standard covers cybersecurity governance and organization, secure engineering throughout the life cycle of the vehicle, and post-production security processes. 

The standard covers the security of any connected vehicle from design through deployment. Its aim is to ensure that, from the very first stage of vehicle development, every connected component and all software in the vehicle is engineered to resist cyberattack. Suppliers must test security regularly throughout development to keep the attack surface small. The earlier testing starts in design, the more time there is to uncover and remediate risks before vehicles are on the road. 

Why is ISO/SAE 21434 necessary for the automotive industry?

The automotive industry saw a 605% increase in cybersecurity incidents involving connected cars between 2016 and 2019. In 2022, the biggest targets were telematics and application servers, keyless entry systems, and electric vehicle charging systems. Those increases are striking, but attacks on automotive computers are a relatively new phenomenon. Not only have more exploits appeared in recent years, but some successful attacks can threaten the lives of drivers. Now that the industry has a framework for its cybersecurity, vulnerability testing throughout a vehicle's lifecycle will become the norm. Standards also build on other frameworks: ISO/SAE 21434 can draw on NIST SP 800-30 and ISO/IEC 31010 to establish risk assessment using tried and tested methodologies.

Improving your cybersecurity with testing

Good cybersecurity practice is proactive, and automotive developers and manufacturers can be proactive by integrating testing into their development lifecycle. Fuzzing an automotive computer is much like fuzzing any other: the fuzzer sends malformed and unexpected inputs to the ECU's interfaces, trying to trigger a fault that an attacker could exploit. It mirrors how an attacker probes a target, but because it runs while the product is being developed, the findings improve the design instead of being patched reactively through recalls.

Imagine an attacker fuzzing a connected car's systems for a buffer overflow. Specially crafted data is sent to the engine controller, which acts on feedback from components across the car. A buffer overflow there could shut down the engine. An engine shutdown on the freeway would be terrifying for the driver, and this type of scenario is exactly what ISO/SAE 21434 is meant to prevent. By fuzzing the automotive computer during development, the manufacturer avoids putting drivers in danger through a lack of cybersecurity testing.
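To make the fuzzing loop concrete, here is an added Python example (not beSTORM and not code from the standard) of a mutation-based black-box fuzzer run against a constructed toy telemetry-frame parser that trusts a count byte in its header. In C that is exactly the pattern that becomes an out-of-bounds read or a stack overflow; in Python it surfaces as an unexpected exception, which the fuzzer records as a crash while treating the parser's declared ValueError as a normal rejection. The frame format, both parsers and the seed frame are assumptions made for the example.

```python
"""Mutation-based black-box fuzzing of a length-trusting parser.
Added example; the frame format and parsers are constructed for it."""
import random
import struct

HEADER = struct.Struct(">BB")    # message type, number of 16-bit samples


def parse_telemetry(frame: bytes) -> dict:
    """Toy ECU message parser.  BUG: trusts the count byte and reads that
    many samples even when the frame is shorter.  In C this is an
    out-of-bounds read, or an overflow when copying into a fixed buffer."""
    if len(frame) < HEADER.size:
        raise ValueError("short header")          # declared error path
    mtype, count = HEADER.unpack_from(frame)
    body = frame[HEADER.size:HEADER.size + 2 * count]
    samples = struct.unpack(">" + "H" * count, body)   # struct.error if body is short
    return {"type": mtype, "samples": samples}


def parse_telemetry_fixed(frame: bytes) -> dict:
    """Same parser with the length check the fuzzer shows is missing."""
    if len(frame) < HEADER.size:
        raise ValueError("short header")
    mtype, count = HEADER.unpack_from(frame)
    if len(frame) != HEADER.size + 2 * count:
        raise ValueError("count does not match frame length")
    samples = struct.unpack(">" + "H" * count, frame[HEADER.size:])
    return {"type": mtype, "samples": samples}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to three mutations typical of a dumb black-box fuzzer."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(4)
        if op == 0 and data:                       # overwrite a byte
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 1 and data:                     # truncate
            del data[rng.randrange(len(data)):]
        elif op == 2:                              # insert junk
            pos = rng.randrange(len(data) + 1)
            data[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
        elif len(data) > 1:                        # boundary value in the count field
            data[1] = rng.choice([0, 1, 0x7F, 0x80, 0xFF])
    return bytes(data)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Feed mutated inputs to `target`; return {exception type: first input}.
    ValueError is the parser's declared rejection and is not a finding."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:                   # anything else is a crash
            name = f"{type(exc).__module__}.{type(exc).__name__}"
            crashes.setdefault(name, case)         # keep the first reproducer
    return crashes


SEED = HEADER.pack(0x10, 3) + struct.pack(">HHH", 1200, 85, 42)   # one valid frame

if __name__ == "__main__":
    print("vulnerable:", fuzz(parse_telemetry, SEED))
    print("fixed:     ", fuzz(parse_telemetry_fixed, SEED))
```

Run against the buggy parser, the loop quickly records a struct.error with the frame that caused it, which is the reproducer a developer needs; against the fixed parser every malformed frame is rejected through the declared path and nothing is recorded. A real ECU fuzzer does the same thing over CAN, Ethernet or a wireless link and watches for resets, watchdog trips and bus errors instead of exceptions.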

The Ramifications of Not Implementing ISO SAE 21434 Standards 

Since ISO/SAE 21434 focuses on the security of connected automotive electronics, the biggest penalty for a company would be an actual security breach. A company whose vehicles are attacked could harm its customers and the general public. It would lose credibility instantly and could face fines under whatever regulation applies in the jurisdiction concerned and for the type of attack that succeeded; ISO/SAE 21434 itself is an international standard rather than a regulation, but compliance requirements increasingly reference it. 

Is ISO 21434 Released? 

As of August 31, 2021, ISO/SAE 21434 has been released. The published version is referred to as ISO/SAE 21434:2021 Road Vehicles – Cybersecurity Engineering and supersedes the draft from February 2020. There are no major changes from the draft; the standard requires organizations to: 

  • Scan for and assess cybersecurity risk 
  • Identify cybersecurity vulnerabilities 
  • Build safeguards into development to find and correct vulnerabilities 
  • Continuously test applications, software, and hardware to confirm that risks have been mitigated 

The Future of ISO/SAE

The automotive industry is at an important juncture in its history. The connected car is offering drivers an exciting new era in car ownership. But this expanded capability introduces cybersecurity risks that could threaten the safety of drivers. The ISO/SAE 21434 standard was introduced by automotive stakeholders to address the security issues that connectivity brings. The standard provides a framework for hardened security to build safer vehicles using better fuzzing and testing methodologies.

Need to get ISO/SAE 21434 compliant? Learn more about Black Box Fuzzing with beSTORM and how it can be used as an automotive security testing tool.

What Role Does ISO Play in Cybersecurity? 

ISO is an independent, non-governmental international organization whose members are national standards bodies, some governmental and some not. Its technical committees develop standards, including those for cybersecurity engineering. ISO works closely with the International Electrotechnical Commission (IEC) on everything that involves electrotechnical standardization. 

How Did Automotive Cybersecurity Standards Start?

The precursor to ISO/SAE 21434 is ISO 26262 “Road vehicles – Functional safety”. That standard addresses the functional safety of a vehicle's electrical and electronic systems, including their software, but it does not address cybersecurity or how to deal with cybersecurity incidents.

ISO/SAE 21434 covers every aspect of cybersecurity — from initial design to end-of-life decommissioning of a vehicle. The supply chain is also included to cover each step in automotive production. 

All phases of a connected vehicle’s lifecycle covering electrical and electronic systems, including their components and interfaces, are covered in ISO/SAE 21434 including:

  • Design and engineering
  • Production
  • Operation by customer
  • Maintenance and service
  • Decommissioning

This lifecycle approach to cybersecurity management makes ISO/SAE 21434 one of the most comprehensive approaches to connected vehicle cybersecurity.

The Impact of Automotive Cybersecurity ISO Standards for OEMs and Developers

Now that the standard is published, any manufacturer, developer, or OEM should proactively integrate ISO/SAE 21434 into its current production process. Its primary concern is cybersecurity: the standard improves safety for automotive consumers by setting expectations for how manufacturers test their products.

ISO/SAE 21434 requires manufacturers and developers to perform a risk assessment. Before you can quantify risk, you need to know what causes it: the assessment identifies every component, API, or software function that could be attacked. With the assessment done, you then look for vulnerabilities. Black-box fuzzing probes the system for flaws the same way an attacker would, without needing the source code. With the right fuzzing tools, development proceeds with security as a priority.

The impact to automotive developers and manufacturers is that they have the benefit of producing applications and components that are tested before being launched, which benefits drivers and their safety. Fuzzing applications and finding vulnerabilities before they cause harm to drivers safeguards them and your organization’s reputation. 

Black Box Fuzzers Can Protect Against Unknown Vulnerabilities

See how black box fuzzers like beSTORM can protect against known and unknown vulnerabilities prior to product launch. Read the guide, How Black Box Fuzzers Protect Against The Unknown to learn more.

Better Enterprise Security Through Forced Quarantine

 

This article was originally published on TechAeris on May 08, 2020.

What do you do if a small infected minority is threatening to infect the rest? By now, there probably isn’t a human being on the planet that doesn’t know the answer to this question: you place the infected in quarantine, separating them from the healthy. Collectively, throughout the world, we are distancing ourselves from the threat of the infected and hoping for the best possible outcome to survive the great pandemic. This concept of quarantine is not unique just to mankind but is also a vital security practice within our technological world as well.

In the enterprise security world, we face a similar problem. Most of the machines in the enterprise network are healthy and safe, but some are weak and if as little as a single machine gets infected, this may affect the entire network. We used to put guards – in the form of firewalls – to separate the network between secure enterprise machines and insecure devices. But as people work from home or bring their own devices to work, the chances of a single machine compromising the entire enterprise network rise significantly. Most of the security concepts we grapple with today date back to the 70s: passwords and access control; malicious code; software bugs leading to privilege escalation attacks – those seemingly remain the chessboard that is used to play the permanent arms-race game between the “white hats” and the “black hats”.

The solution, as mentioned, is isolation – or to use today’s terminology: forced-quarantine. Fortunately, we do not need to re-invent the wheel. The technology to do all of this already exists, although it may need minor re-purposing. Also, most enterprises will not need to buy any new products to get this done, they just need to ask their current vendors to work together and integrate. Testing tools already exist in the form of Vulnerability Assessment and Management. Isolation tools also exist and are widely popular – Network Access Control devices.

Here is how the process needs to work. As soon as a problematic device is identified, the Network Access Control product can cut that device off the network and place it in quarantine. The key, as we know from the physical world, is testing, and we already have that: vulnerability scanning products can quickly detect a weak or infected device on the network. The missing piece is the integration between the two, which often exists but is overlooked: many Vulnerability Assessment tools and Network Access Control products already work together. That gives the outcome we are after: identify weak or infected devices with Vulnerability Assessment, and, through the integration with the NAC product, get prompt detection and quarantine.
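One way the vulnerability assessment to NAC hand-off can be wired up, as an added Python example that is not any vendor's integration: the scan export format, the NAC client interface and the policy thresholds are all assumptions, and the export itself is constructed. Beyond the quarantine decision, it shows three things a practitioner wants before switching such automation on: an exemption list so a domain controller is ticketed rather than cut off automatically, idempotence so a device is not re-quarantined on every scan, and release once a rescan comes back clean.

```python
"""Vulnerability-assessment to NAC quarantine glue.  Added example; the
export format, NAC interface and thresholds are assumptions."""
import json
from dataclasses import dataclass

# Constructed scan export in an assumed format; real scanners have their own.
SCAN_EXPORT = json.dumps({
    "scan_id": "example-scan-1",
    "hosts": [
        {"mac": "00:11:22:33:44:01", "ip": "10.0.1.10", "role": "workstation",
         "malware_detected": False,
         "findings": [{"cve": "CVE-2019-18935", "cvss": 9.8}]},
        {"mac": "00:11:22:33:44:02", "ip": "10.0.1.11", "role": "workstation",
         "malware_detected": True,
         "findings": [{"cve": "CVE-2014-0160", "cvss": 7.5}]},
        {"mac": "00:11:22:33:44:03", "ip": "10.0.2.5", "role": "domain-controller",
         "malware_detected": False,
         "findings": [{"cve": "CVE-2019-18935", "cvss": 9.8}]},
        {"mac": "00:11:22:33:44:04", "ip": "10.0.1.12", "role": "workstation",
         "malware_detected": False, "findings": []},
        {"mac": "00:11:22:33:44:05", "ip": "10.0.1.13", "role": "workstation",
         "malware_detected": False,
         "findings": [{"cve": "CVE-2017-0199", "cvss": 7.8}]},
    ],
})


@dataclass(frozen=True)
class Policy:
    cvss_threshold: float = 9.0                 # isolate at or above this score
    isolate_on_malware: bool = True
    exempt_roles: frozenset = frozenset({"domain-controller"})  # ticket, never auto-isolate


class InMemoryNac:
    """Stand-in for a NAC product's API (assumed interface, not a real product's)."""

    def __init__(self, already_quarantined=()):
        self.quarantined = set(already_quarantined)
        self.audit = []                          # every action taken, for review

    def quarantine(self, mac: str, reason: str) -> None:
        self.audit.append(("quarantine", mac, reason))
        self.quarantined.add(mac)

    def release(self, mac: str) -> None:
        self.audit.append(("release", mac, "clean on rescan"))
        self.quarantined.discard(mac)


def isolation_reason(host: dict, policy: Policy):
    """Return why a host should be isolated, or None if it is acceptable."""
    if policy.isolate_on_malware and host.get("malware_detected"):
        return "malware detected"
    worst = max((f["cvss"] for f in host["findings"]), default=0.0)
    if worst >= policy.cvss_threshold:
        return f"finding with CVSS {worst}"
    return None


def enforce(scan_export: str, nac: InMemoryNac, policy: Policy = Policy()) -> dict:
    """Apply the policy to every host in the export; return {mac: action}."""
    actions = {}
    for host in json.loads(scan_export)["hosts"]:
        mac = host["mac"]
        reason = isolation_reason(host, policy)
        if reason is None:
            if mac in nac.quarantined:           # clean again: let it back on
                nac.release(mac)
                actions[mac] = "release"
            else:
                actions[mac] = "ok"
        elif host["role"] in policy.exempt_roles:
            actions[mac] = "ticket"              # human decision for critical infrastructure
        elif mac in nac.quarantined:
            actions[mac] = "already-quarantined" # idempotent: do not re-issue the call
        else:
            nac.quarantine(mac, reason)
            actions[mac] = "quarantine"
    return actions


if __name__ == "__main__":
    nac = InMemoryNac(already_quarantined={"00:11:22:33:44:04"})
    for mac, action in enforce(SCAN_EXPORT, nac).items():
        print(mac, action)
    print(nac.audit)
```

A real integration replaces InMemoryNac with calls to the NAC product's API, keyed on whatever identifier it uses (MAC, switch port or session), keeps the audit list somewhere durable, and starts with a generous exemption list that is narrowed as confidence in the scan data grows.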

The IT security world has borrowed concepts and ideas from the physical world since the days of the first computer virus through the recent days of ransomware. Let us borrow some more from common-sense defense mechanisms in the real world: we cannot teach computers to socially distance, but we can teach them to test, detect, and automatically quarantine. Vulnerability Assessment vendors collaborating with Network Access Control products is a must for testing and forced quarantine in the enterprise environment, and all of it can be done automatically, quickly, and with zero additional spending, using technologies already prevalent in the enterprise.

See How Vulnerability Management, SAST, and DAST
Can Protect Your Company

Schedule a demo to see which cybersecurity solution is essential for your company’s security portfolio.

Information Security Goes Non-Binary

 

This article was originally published on HelpNetSecurity on April 16, 2020.

Finding security holes in information systems is as old as the first commercially available computer. Back when a “computer” was something that sat in a computer room, users would try to bypass restrictions, sometimes simply by trying to guess the administrator’s password.

Later when Bulletin Board Systems (the primitive version of the Internet) became popular, BBS users searched for ways to gain further access in order to view private files and invented the first phishing attack – familiar to many 21st century computer users as the method that was successfully used to hack into the DNC’s computers just before the 2016 elections.

The origin of the network virus

Back in 1988, when the entire “Internet” was merely 60,000 computers, the first network worm (the Morris worm) was unleashed. Computer viruses themselves date back to the early days of the personal computer; the first PC virus was written by an IT shop in Pakistan that wanted to earn money fixing computers, which possibly makes the Farooq Alvi brothers the very first black-hat IT security vendor.

Most of the security concepts we grapple with today date back to the 70s: passwords and access control; malicious code; software bugs leading to privilege escalation attacks.

That would make you think that “nothing is new under the sun” when it comes to Internet security. But just the contrary: while the game stayed the same, the rules have changed.

Information security in the 2010s

From the first security bugs until the recent past, security was a game with a clear winner and loser. If the attacker gets in, the bad guy wins, and the good guy loses.

Our job as information security experts and presumed good guys was to find those security vulnerabilities and help fix them. The premise being that security could be achieved – i.e., that there was a process you could follow to be reasonably secure and be safe from most attackers. This also meant that a security attack was a failure – a catastrophic one.

But the 2010s changed all that: security breaches are still a failure, but no longer catastrophic. A security breach is now one of those bad things that happen in corporate life that you try to prevent but also accept as a possibility. In other words: information security is a part of a mature corporate life.

Hacking contests and The Matrix

It wasn’t always so. Back in the 1980s, I had a notebook where I wrote the details of all the viruses in existence with instructions on how to remove them. It wasn’t a thick notebook.

Around that same time, John McAfee, who later founded the company that still bears his name, would drive around in a van and manually scan computers for viruses (I guess he must have had a notebook similar to mine).

In those days, a computer was either infected by a virus or it wasn’t; if it was, there were a series of steps you could take to make the computer clean again. Like every other aspect of computing, security was a binary state.

We had a similar view with access control (some passwords were safe, some weren’t), encryption, network services, network protocols and more. Some things were “safe” and some were not. Either one or zero.

When viruses gave way to security vulnerabilities as the main worry for IT staff, we started along a similar route – a set of predefined tests that would indicate if a computer was vulnerable.

When vulnerability scanners were first introduced, there were hundreds of security vulnerabilities you needed to check for. It was too many to write in a notebook, but it stood to reason that if you ran a vulnerability scanner and did not find any security vulnerabilities, you were safe.

As recently as the early 2000s, my company ran public “hacking contests” that were a sucker’s bet: we challenged attackers to try and attack a public system on the Internet that had been checked for security vulnerabilities and found clean.

We knew that unless they had access to NSA-level tools, a potential attacker wouldn’t be able to break in. Life was still pretty binary and we didn’t expect it to change. The Matrix Reloaded (2003) showed Trinity, the brilliant hacker from the future, attacking the villains using a security hole that was known and easily fixable; we all chuckled at how hapless the futuristic Matrix villains were for falling into this easily avoidable trap.

A game we can win

The 2010s came and changed the way we security professionals see the world. First the speed at which security holes were discovered rapidly increased: while some 1,000 security holes were discovered and made public in the year 2000; in 2018 that number was over 16,000 (more than 40 new security holes discovered per day).

Our definition of “computer” also changed: phones, smart TVs, thermostats, light bulbs and cars are all computers with potential security vulnerabilities. The explosion happened on both axes: the number of vulnerabilities multiplied by the number of computer assets means that an average organization no longer hopes to fix all security holes but merely to manage them. In other words: the best we can do is limit our exposure.

This may sound like we’ve hit the tipping point: did we lose the arms race to the black hats? If every organization has a security hole, we are all vulnerable, all the time. Why even play the game if you’re destined to lose? Some self-proclaimed high priests of information security, usually remnants of the 20th century or echoing its old wisdom, will tell you “no system is secure”. But that’s only true if your world is binary, and ours isn’t.

In fact, for the exact reason that a security breach is now a real possibility, it is also no longer the apocalyptic scenario it was back in the early 2000s. The development of information security testing and protection systems also helps us cope with breaches: multiple layers of security and the ability to alert, log and block attacks mean that both the attacking and the defending side carry costs. Instead of a chess game with a winning and a losing side, this is more like a perpetual tug-of-war where, as long as both sides keep applying constant effort, it’s quite possible no one will score a definite win.

And that’s a good thing.

The high priests of security

Good and bad as definite concepts belong in the religious realm. Back in the old days security advocates were, in many ways, priests of an evangelistic religion.

We spent our days trying to convince agnostic managers to believe in something they couldn’t always see: the need for security in computing systems. There were many apocalyptic prophecies of what the non-believers would suffer if the proper rituals weren’t followed; many of us believed that computer breaches happened to those who “deserved” to be punished. Those non-believers were not committed enough, or they didn’t follow the recipe for salvation.

But that was then. In this day and age no half-competent manager really believes information security is not important – our evangelism is no longer necessary. Information security is now in the corporate mainstream.

In the corporate mainstream, risk is ever-present. It was famously said that “The Limited Liability Company is the most important invention since the wheel” – and this is because companies take risks all the time.

Apple is worth over a trillion dollars but has a non-zero probability of going bankrupt tomorrow; all Apple can do is limit its corporate risk and keep doing business.

Finally, decades after the first computer virus, information security has reached a similar maturity: we can no longer guarantee zero risk, but we don’t have to.

Information security is no longer an external component that is measured by its budget or headcount. It is finally a component in the entire corporate governance structure like finance, legal and HR.

In the age of technology and data, information security is certainly a critical component, but still just a component. Managers should devote attention and mindshare to securing their infrastructure and data, but knowing that not every mistake warrants capital punishment, we have moved away from the binary “safe or unsafe” to a more nuanced model of risk management and reduction. In that, we are less the religious priests and more corporate professionals, and just in time for the new roaring 20s.

Data Privacy in the Age of Regulations

This past year was a big year for data breaches, new privacy laws and crackdowns under existing regulations. British Airways faces a £183m fine after attackers stole the payment card details of nearly 400,000 customers. Many other big names were hit too: Facebook, Equifax, Twitter, Marriott and Google all suffered breaches.

The reason? Sometimes it was outdated security systems, and other times it was the mistaken belief that big corporations only fall victim to Mission Impossible-style spy operations.

Let me tell you something: ALL companies are susceptible to attacks, and the attacks don’t have to be very sophisticated in order to work. Commonly available tools let attackers with only basic skills get past even expensive security measures, so it’s no longer a question of “if I’m attacked” but “when”.

The world is changing, your network is changing and hackers are on a winning streak. But enterprises can limit the effects of these attacks through awareness and preparation.

To provide guidance on what businesses should be doing to protect themselves and their customers from data theft, several compliance mandates have sprung up in recent years. Compliance with these standards involves strict cybersecurity measures, software and sometimes hardware requirements, together with regular vulnerability testing, storage policies, access management, data breach notification, installation of security patches and more.

It would be impossible to cover all privacy regulations and standards here, but I’d like to point out some of the important ones below: PCI DSS, GDPR, CCPA, HIPAA, ECPA, CDSA and NERC CIP. This may sound a bit like alphabet soup, but if you manage an enterprise or are responsible for its IT security, at least one of these probably applies to you.

PCI DSS

Since Beyond Security was one of the first to achieve an Approved Scanning Vendor (ASV) status for the PCI DSS, let’s start with that.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements created by the major card brands to protect both consumers and businesses from payment card fraud. 

The PCI DSS is not a law and has no legal authority of its own, but if your business wants to process credit card transactions, you must abide by it. If you don’t, you could be fined or lose the right to accept credit cards.  

The 12 requirements are grouped under six control objectives:

  • Building and maintaining a secure network
  • Protecting cardholder data
  • Maintaining a vulnerability management program
  • Implementing strong access control measures
  • Regularly monitoring and testing networks
  • Maintaining an information security policy

GDPR

The General Data Protection Regulation (GDPR), which is an especially hot topic these days, was adopted in 2016 and has been enforceable since May 2018, in an effort to reform data protection for European consumers. 

GDPR compliance includes:

  • Appointing a Data Protection Officer (DPO) where the regulation requires one
  • Training staff on GDPR compliance
  • Informing your customers how you intend to store, process and share their data
  • Conducting a Data Protection Impact Assessment (DPIA) for high-risk processing
  • Notifying the supervisory authority within 72 hours of becoming aware of a breach

Much like PCI DSS, if you do not comply with the GDPR, your company could take a large financial hit. Infringements can result in fines of up to €20m or 4% of the firm’s worldwide annual turnover, whichever is higher. 

CCPA

Signed into law two years ago and taking effect on New Year’s Day, the California Consumer Privacy Act (CCPA) is California’s answer to the GDPR. Although the law is meant to protect California consumers, its effects will likely spread across the United States because so many nation-wide industries operate in California.

In order to be CCPA compliant, businesses must:

  • Comply with consumer requests regarding the handling of their personal data
  • Disclose data collection policies
  • Restrict how much personal data can be collected
  • Offer the same level of service to customers who exercise their right to privacy
  • Ensure third-party data sharing meets CCPA compliance

The CCPA is not a set of guidelines; it is the law. The California Attorney General can fine you up to $2,500 per violation, and up to $7,500 per intentional violation. 

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was created to protect health insurance coverage in the event of a job loss or change as well as health data privacy, integrity and availability.

Covered entities and their business associates, that is, every organization with access to protected health information, must meet administrative, physical and technical safeguard requirements, including:

  • Training staff on HIPAA compliance
  • Designating a HIPAA compliance officer
  • Assigning unique identifiers to providers and to every user who accesses health data
  • Conducting regular vulnerability scans
  • Defining clear processes for handling data breaches

Non-compliance can cost businesses $100 to $50,000 per violation (or per record), with penalties of up to $1.5 million per year for repeated violations of the same provision, and imprisonment in severe cases.

ECPA

The Electronic Communications Privacy Act (ECPA) was passed in 1986 in an effort to protect citizens from unnecessary surveillance and data seizure by law enforcement and the government. It comprises three titles: the Wiretap Act, the Stored Communications Act and the Pen Register Act. It has been amended since, notably by the USA PATRIOT Act, and further reform has been proposed in the Email Privacy Act.

Under the ECPA, providers must see a subpoena, warrant or court order, depending on the type of data requested, before honoring government requests for user data. That’s right: companies can and should tell government authorities “no” if they do not follow the proper procedures. This reflects a basic American right not to have property seized without a proper warrant. Businesses that do not honor that right are subject to fines of up to $500,000, and those held responsible for non-compliance may face lawsuits and imprisonment. 

The ECPA protects wire, oral and electronic communications including:

  • Email
  • Telephone conversations
  • Data stored electronically
  • Browsing history
  • Radio transmissions

CDSA

The Content Delivery and Security Association (CDSA) was founded in 1970 as a non-profit to protect entertainment, software and information content. Earlier this year, the CDSA updated its guidelines to cover cybersecurity for TV and film production.

The CDSA’s Production Security Working Group (PSWG) published 5 documents detailing industry security standards for the TV and film industry.

These guidelines include:

  • Security training
  • Access management
  • Defining assets and the perimeter
  • Data monitoring
  • Cyberdefense
  • Vulnerability assessment

It’s unclear what penalties productions or the individuals working on them will incur if they are found to be non-compliant, but these standards are a great step for an evolving industry that suddenly finds itself facing the same types of threats as software companies.

NERC CIP

The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards are a set of security standards meant to protect the cyber systems that operate the bulk electric system from cyber threats.

Compliance with CIP standards includes:

  • Cybersecurity training
  • Asset identification
  • Security management controls
  • Systems security management
  • Vulnerability assessment and management
  • Critical infrastructure penetration testing
  • Malware prevention
  • Incident reporting and recovery

Non-compliance with NERC CIP can result in fines, sanctions and other penalties.

Summary

Data privacy and protection regulations give businesses checklists for managing the risks from both known and unknown vulnerabilities, and a way to verify that they conform with the regulations. The end goal is security improvement and awareness.

Most businesses will be attacked, but if you comply with these data privacy standards and perform regular security testing, you greatly reduce the chance that your business and your customers lose data. Even in the event of an attack, you will know you did what you could to protect your business from fines, legal action and reputational damage.
