Data from a recently released Security Navigator report shows that companies still need 215 days to fix a reported vulnerability. Even critical vulnerabilities usually take more than 6 months to fix.
Good vulnerability management does not mean that every vulnerability that could lead to a data breach is fixed quickly enough. The goal is to focus on real risk: prioritize vulnerabilities so that the most critical bugs are fixed first and the company's attack surface is reduced as much as possible.
Business data and threat intelligence must be interconnected and automated so that internal teams can focus on resolution. One appropriate approach is a global vulnerability intelligence platform, which can prioritize vulnerabilities using risk scores and allow companies to focus on their true organizational risk.
Get started
Three facts to consider before building an effective vulnerability management program:
1. The number of discovered vulnerabilities increases every year. On average, 50 new security holes are discovered every day, so it is clearly impossible to fix all of them.
2. Only a few vulnerabilities are actively exploited and pose a very high risk to all organizations. About 6 percent of all vulnerabilities are exploited in the wild. We need to reduce the burden and focus on the real risks.
3. The same vulnerability can have completely different effects on the business operations and infrastructure of two separate companies, so both business exposure and vulnerability severity must be considered.
Based on these facts, we understand that there is no point in patching all the security holes. Instead, we should focus on those that pose a real threat based on the threat landscape and organizational context.
Risk-Based Vulnerability Management Concept
The goal is to focus on the most critical and higher-risk assets that are targeted by threat actors. To approach a risk-based vulnerability program, we need to look at two environments.
Internal environment: The customer landscape represents the internal environment. As corporate networks grow and diversify, so does their attack surface. The attack surface represents all the components of the information system that attackers can reach. A clear and up-to-date overview of your information system and attack surface is the first step. It is also important to consider the business environment. Companies can be a bigger target depending on their industry because of the proprietary information and documents they hold (intellectual property, classified or protected information, etc.). A final important factor to consider is the unique context of the business itself. The goal is to categorize assets according to their criticality and highlight the most important ones. For example: assets whose unavailability would cause significant disruption to business continuity, or highly confidential assets whose exposure could involve the organization in multiple lawsuits.
External environment: The threat landscape represents the external environment. This information is not available from the intranet; organizations must have the human and financial resources to find and manage it, or outsource this activity to specialists who monitor the threat landscape on their behalf. Knowing which security holes are actively exploited is important because they pose a greater threat to the enterprise. Actively exploited security holes can be tracked with threat intelligence and vulnerability intelligence feeds; better still, connect and correlate several threat intelligence sources for the most effective results. Understanding what attackers are doing is also valuable because it helps prevent potential threats. For example, intelligence about a new zero-day or a new ransomware attack can be acted on in time to prevent a security incident.
Combining and understanding both environments helps organizations define their true risks and more effectively determine where preventive and remedial actions should be implemented. It is not necessary to install hundreds of patches, but perhaps ten of them, selected to significantly reduce the organization's attack surface.
Five Key Steps to Implementing a Risk-Based Vulnerability Management Program
1. Detection: Identify all your assets to map the attack surface. Exploratory scanning can provide initial insight. Then regularly scan your internal and external environment and share the results with a vulnerability intelligence platform.
2. Contextualization: Determine the criticality of your business context and assets in the vulnerability intelligence platform. The scan results are then put into context with an asset-based risk score.
3. Enrichment: To prioritize against the threat landscape, scan results must be enriched with additional sources provided by the vulnerability intelligence platform, such as threat intelligence and attacker activity.
4. Fix: A vulnerability-specific risk score that can be filtered on threat intelligence criteria such as "easily exploited", "exploitable in the wild" or "widely used" makes it much easier to prioritize effective remediation.
5. Evaluation: Track and measure the progress of your vulnerability management program using KPIs and custom dashboards and reports. It is a continuous process of improvement!
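The five steps above can be expressed as a small scoring model. The following Python example is added here and is not code from the article or from any vendor's vulnerability intelligence platform; the assets, the placeholder CVE ids, and the weights given to asset criticality, Internet exposure and the threat intelligence flags are all constructed assumptions.

```python
"""Risk-based prioritization of scan findings, combining the two environments
described above: asset criticality from the business context (internal) and
threat intelligence flags (external). All weights, assets and CVE ids here are
constructed illustrations, not values from any vendor platform."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1 (low) .. 5 (business-critical), set during contextualization
    internet_facing: bool   # part of the externally reachable attack surface


@dataclass(frozen=True)
class ThreatIntel:
    exploited_in_wild: bool = False   # "exploitable in the wild"
    easily_exploited: bool = False    # "easily exploited"
    widely_used: bool = False         # "widely used" affected component


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: Asset
    cvss: float             # base severity as reported by the scanner
    intel: ThreatIntel = ThreatIntel()


def exposure_factor(asset: Asset) -> float:
    """Internal environment: how hard the business would be hit if this asset falls."""
    return asset.criticality * (1.5 if asset.internet_facing else 1.0)


def threat_multiplier(intel: ThreatIntel) -> float:
    """External environment: evidence that attackers actually care about this bug."""
    m = 1.0
    if intel.exploited_in_wild:
        m *= 2.0
    if intel.easily_exploited:
        m *= 1.5
    if intel.widely_used:
        m *= 1.25
    return m


def risk_score(f: Finding) -> float:
    """Step 3 (enrichment): severity x business exposure x threat activity."""
    return f.cvss * exposure_factor(f.asset) * threat_multiplier(f.intel)


def prioritize(findings: Iterable[Finding], budget: Optional[int] = None) -> List[Finding]:
    """Step 4 (fix): rank by risk, optionally keeping only the top N the team can patch now."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f.cve))
    return ranked[:budget] if budget is not None else ranked


def by_cvss(findings: Iterable[Finding]) -> List[Finding]:
    """Severity-only ordering, for comparison with the risk-based one."""
    return sorted(findings, key=lambda f: (-f.cvss, f.cve))


def risk_coverage(findings: List[Finding], selected: List[Finding]) -> float:
    """Step 5 (evaluation) KPI: share of total risk removed by the selected fixes."""
    total = sum(risk_score(f) for f in findings)
    return sum(risk_score(f) for f in selected) / total if total else 0.0


# Constructed sample inventory and scan output (placeholder CVE ids, not real advisories).
CI_RUNNER = Asset("ci-runner", criticality=2, internet_facing=False)
PORTAL = Asset("customer-portal", criticality=5, internet_facing=True)
MAIL = Asset("mail-gateway", criticality=4, internet_facing=True)
WIKI = Asset("internal-wiki", criticality=3, internet_facing=False)

SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", CI_RUNNER, 9.8),   # critical CVSS, isolated box, no known exploitation
    Finding("CVE-0000-0002", PORTAL, 7.4, ThreatIntel(exploited_in_wild=True, easily_exploited=True)),
    Finding("CVE-0000-0003", MAIL, 8.1, ThreatIntel(widely_used=True)),
    Finding("CVE-0000-0004", WIKI, 5.3, ThreatIntel(exploited_in_wild=True)),
]


if __name__ == "__main__":
    print("CVSS-only order:", [f.cve for f in by_cvss(SAMPLE_FINDINGS)])
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.cve} on {f.asset.name:16} cvss={f.cvss:4} risk={risk_score(f):6.1f}")
    top = prioritize(SAMPLE_FINDINGS, budget=2)
    print(f"Fixing the top 2 removes {risk_coverage(SAMPLE_FINDINGS, top):.0%} of total risk")
```

The CVSS 9.8 finding on the isolated CI runner drops to last place once exposure and exploitation evidence are folded in, which is the point of the risk-based approach.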
Common Enterprise Network Security Vulnerabilities That Need Attention
A few years ago, corporate network security was viewed differently than it is today. As companies began to apply modern technologies to their businesses, they opened the door to digital attacks, exposing additional network vulnerabilities that attackers could easily exploit. As such, "enterprise web security" has become one of the key considerations for companies as they grow their digital business. Web security at companies must effectively control network threats to avoid the financial or reputational damage normally associated with data breaches. Prioritizing web security as an active part of an enterprise risk management solution can therefore help organizations protect their sensitive digital assets.
Before we delve into the vulnerable areas of corporate web security, let's understand what corporate security is: it includes the systems, processes and controls that protect IT systems and critical data in an organized manner.
Privacy and compliance regulations are tightening around the world as organizations continue to rely on cloud-based infrastructure. Therefore, appropriate measures should be taken to protect critical assets.
Let's take a look at the common cyber vulnerabilities faced by organizations. They have become one of the biggest concerns for companies across industries. Review these common vulnerabilities and stay alert.
Missing or Weak Data Encryption
Missing or weak encryption coverage makes it easier for attackers to access communication data between end users and central servers. Unencrypted data exchange makes it very easy for attackers to access sensitive data and inject malicious files into your server.
Malware files can seriously undermine an organization's cybersecurity compliance efforts and result in fines from regulators. Organizations typically have multiple subdomains, so using a multi-domain SSL certificate is ideal: an organization can protect the main domain and multiple additional domains with a single certificate.
Software vulnerabilities that are known to an attacker but have not yet been discovered by the organization are called zero-day vulnerabilities. For a zero-day vulnerability there is no resolution or fix available, as the vulnerability has not yet been reported to or detected by the system vendor. There is no targeted protection against such vulnerabilities until an attack takes place, so of course they are very dangerous.
The least an organization can do is to stay vigilant and regularly scan systems for vulnerabilities to minimize, if not stop, zero-day attacks. Apart from that, businesses can be armed with a comprehensive endpoint security solution to prepare for malicious events.
Social Engineering Attacks
Malicious actors launch social engineering attacks to bypass verification and authorization security controls. This is a widely used method for gaining access to networks.
“Social engineering” can be defined as any malicious activity carried out through human interaction. It relies on psychological manipulation that tricks users into making security mistakes or accidentally sharing sensitive data.
Over the past five years, network vulnerabilities have increased significantly, making them a lucrative business for attackers. Internet users are not fully aware of Internet security and may (unintentionally) pose a security risk to your organization, for example by accidentally downloading malicious files and thereby causing severe damage.
Common social engineering attacks include:
Phishing Email
Spear Phishing
Whaling
Vishing
Smishing
Spam
Pharming
Tailgating
Shoulder Surfing
Trash Diving
Accidentally exposing an organization's network to the Internet is one of the biggest threats to an organization. If an attacker detects such an exposure, they can snoop on corporate web traffic, compromise the network, or steal data for malicious purposes.
Network resources with weak settings or conflicting security controls lead to system misconfiguration. Cybercriminals typically scan networks for misconfigurations and use them to misuse data. As digital transformation progresses, network misconfigurations are also increasing.
To mitigate this, an organization often uses a firewall in its DMZ. It acts as a buffer between the internal network and the Internet and serves as the first line of defense: it inspects all outgoing and incoming traffic and decides whether to limit or allow it based on a set of rules.
Outdated or Unpatched Software
Software vendors typically release updated versions of their applications to patch known critical vulnerabilities or to add new features. Outdated or unpatched software is an easy target for sophisticated cybercriminals, since its known vulnerabilities can be easily exploited.
Software updates may contain important and valuable security fixes, so organizations should keep their network and every endpoint up to date. However, updates for the various software applications in use may be released daily.
This puts a heavy burden on the IT team and can delay patching and updating. This situation paves the way for ransomware attacks, malware, and many other security threats.
These are some of the most common vulnerabilities in enterprise web security, so take appropriate measures to counter them.
There is always a risk of network vulnerabilities being exploited, as malicious actors keep looking for ways to gain access to systems. And as networks become more complex, proactively managing cyber vulnerabilities becomes imperative.
Vulnerability management is the consistent practice of identifying, classifying, remediating, and mitigating security vulnerabilities within organizational assets such as endpoints, workloads, and systems.
Summary: An organization's IT environment can have multiple cybersecurity vulnerabilities, so a robust vulnerability management program is required. Use threat intelligence and knowledge of IT and business operations to identify risks and detect all cybersecurity vulnerabilities in the shortest possible time.
Test to Find the Exploitable Vulnerabilities and Their Root Causes
Vulnerability Management in Your Cybersecurity Program
Today’s complex software systems often include code that leaves them vulnerable to attack by hackers who are always looking for a way to break in. And even in a system with no inherent vulnerabilities, a misconfiguration or careless credential handling can afford hackers an opportunity for infiltration. A record 26,448 software security flaws were reported in 2022, with the number of critical vulnerabilities up 59% on 2021. So a good cybersecurity program should include a program for vulnerability management.
Tactical vs. Strategic Penetration Testing in Vulnerability Management
Vulnerability management is the process of identifying and remediating weaknesses in your systems, including your applications, infrastructure and security processes. And a key component of that program should be penetration testing, actively probing your system to identify vulnerabilities so they can be analyzed, prioritized and remediated.
As companies move to agile models for software development, the release of new features or products becomes more frequent. And that code can introduce vulnerabilities. Similarly, more systems are being deployed in the cloud. And cloud assets can fall out of compliance or become susceptible to attacks after a single update.
Traditionally, pentesting has been performed on a tactical, one-time basis. But the most thorough penetration test, even if repeated periodically, is only a snapshot in time. While one-time pentesting can be an essential part of any vulnerability management program, this tactical approach is most appropriate for obtaining a picture of your security posture. Identify your vulnerabilities and address them as needed. It is also useful in testing for and proving compliance in regard to security standards such as OWASP, PCI and NIST.
Comprehensive cybersecurity requires more strategic thinking, going beyond the concept of a snapshot. You need to leverage test results for operational purposes, track changes over time, understand performance across the organization, analyze root cause, and communicate your security posture. And to accomplish this you need to have a program of continuous pentesting like those available through Synack. Synack can pentest agile development output at multiple stages of development and assist developer and QA teams with quick remediation through real-time reporting and patch verification. Continuous testing is also best for cloud assets. To facilitate cloud security testing, Synack has integrations with AWS, Azure and GCP that enable detection of changes that could cause problems.
For strategic vulnerability management Synack provides continuous pentesting in 90- and 365-day increments (Synack90 and Synack365) to address a wide range of use cases. Both programs help you catch vulnerabilities as they are introduced, and track your security posture across the organization and over time.
Automated Scanning and Pentesting: A One-Two Punch For Identifying and Remediating Vulnerabilities
Two of the tools in the Synack platform, whether they are deployed tactically or strategically, that provide an effective one-two punch for identifying and remediating exploitable vulnerabilities are Synack SmartScan and Synack’s transformational penetration testing. Deploying these two tools can help you cut through the noise, taking automated vulnerability testing results and applying human intelligence to improve the vulnerability management workflow. You can address the problems that really matter.
Deploy SmartScan for Low-Importance Assets
Vulnerability scanning is most appropriate for low-importance assets. Traditional vulnerability scanners are good at identifying known vulnerabilities. But they typically treat all assets the same and are not able to distinguish exploitable vulnerabilities from the noise. They require expert reviews and triage. Synack SmartScan takes the scanning idea to another level. SmartScan is an automated set of scanning tools that continuously watch for changes in your environment to identify and triage security vulnerabilities. SmartScan identifies potential vulnerabilities and engages the Synack Red Team (SRT) to evaluate the results. The SRT along with Synack Operations generates a vulnerability report, including steps to reproduce and remediate the vulnerability. SmartScan enables rather than burdening your security and operations teams.
Deploy Pentesting for High-Importance Assets
Pentesting gives you the more accurate and complete vulnerability information that high-importance assets require. To pentest your organization Synack calls on a vetted community of security researchers to actively probe your assets for exploitable vulnerabilities, much like a hacker would. You get top-tier talent to find and fix exploitable vulnerabilities, and confirm remediation efforts across your external attack surface.
Deploy Synack Stand-Alone or in Partnership with Other Security Platforms
With Synack’s flexibility, you can integrate automated scanning and pentesting into your existing workflow, or deploy them as a new process. Either way you get comprehensive end-to-end offensive testing, taking you from discovery through to remediation. And Synack tools can be deployed as an add-on to larger security systems such as Splunk’s data platform or Microsoft’s Sentinel security information and event manager (SIEM).
Learn How Synack Can Help Protect Your Organization
For the most comprehensive vulnerability management, deploy continuous scanning and pentesting to help you identify and remediate vulnerabilities across your entire asset base.
With the anniversary of Log4j looming, it is a good time to reflect on the wider significance of the vulnerability that had security teams scrambling in December 2021. What can the response to the flaw in a widely used Apache Software Foundation logging tool tell us about the state of global IT security? Most importantly, how should we respond to similar vulnerabilities that are bound to emerge in the future?
The reason for the heightened concern surrounding Log4j stemmed not only from the scale of the exposure, but also the difficulty in quantifying that exposure. People knew or suspected they were using Log4j but did not necessarily know to what extent and on which devices. It’s like a fire alarm going off: You suddenly know you may have a problem, but you don’t know exactly how big a problem or where in the house it might be.
Log4j also speaks to the well-documented challenge of relying on open source software. We cannot live without it, but in doing so we introduce dependency and risk in ways we had not always anticipated or prepared for. Events like Log4j won’t deter organizations from using open source software. The cost and pain of building tech stacks from scratch is simply too great for the vast majority of organizations.
Much of the media coverage of Log4j highlighted the panicked response. Security teams reacted swiftly and decisively as they sought to contain the risk, with much of the work happening over the festive holiday period to the chagrin of those affected.
That was the right course of action, but it is unsustainable to react in crisis mode all the time. This will burn out your hard-working security team, not least the experts on your networks and systems—key people you don’t want to lose. Vulnerabilities like Log4j are a fact of life, so a different pattern of response is needed. One that allows business operations to continue and risk to be continuously managed.
That calls for first understanding the information security risks you are trying to manage. It sounds obvious, but can you articulate this for your organization? Does your leadership fully understand? Is this something you review with your board periodically? Your security response should flow from a set of priorities articulated by your experts and endorsed by your leadership, or else you are destined for infosec busywork rather than purposeful risk management.
It follows closely that you also need to understand your assets. What data, information and systems do you have? How do you rely on them and what happens if they go away?
With these foundations in place, you can start to build what you need to take all sorts of security challenges in stride, including the next Log4j, whatever that may be.
Training is a key aspect of a measured response. Your whole organization should be trained on the basics of cybersecurity and how to improve cyber hygiene. The security, engineering and infrastructure teams need a plan of action to manage your organization’s response to a new, major vulnerability. Plan your incident response and consider simulating how you would respond as part of a table-top exercise. Revisit this plan from time to time—don’t let it gather dust in a ring-binder in an office no one goes to any more!
These suggestions aren’t easy to implement, but they’re an investment in the longevity of your organization and your security teams. Synack can help augment your security team’s efforts by leading one-off missions to assess assets, going through security checklists or performing continuous pentesting on your entire organization. Contact us to learn more.
Security is too often an afterthought in the software development process. It’s easy to understand why: Application and software developers are tasked with getting rid of bugs and adding in new features in updates that must meet a grueling release schedule.
Asking to include security testing before an update is deployed can bring up problems needing to be fixed. In an already tight timeline, that creates tension between developers and the security team.
If you’re using traditional pentesting methods, the delays and disruption are too great to burden the development team, who are likely working a continuous integration and continuous delivery process (CI/CD). Or if you’re using an automatic scanner to detect potential vulnerabilities, you’re receiving a long list of low-level vulns that obscures the most critical issues to address first.
Instead, continuous pentesting, or even scanning for a particular CVE, can harmonize development and security teams. And it’s increasingly important. A shocking 85% of commercial apps contain at least one critical vulnerability, according to a 2021 report, while 100% use open-source software, such as the now infamous Log4j. That’s not to knock on open-source software, but rather to say that a critical vulnerability can pop up at any time and it’s more likely to happen than not.
If a critical vulnerability is found–or worse, exploited–the potential fines or settlement from a data breach could be astronomical. In the latest data breach settlement, T-Mobile agreed to pay $350 million to customers in a class action lawsuit and invest an additional $150 million in their data security operations.
This is why many companies are hiring for development security operations (DevSecOps). The people in these roles work in concert with the development team to build a secure software development process into the existing deployment schedule. But with 700,000 infosec positions sitting open in the United States, it might be hard to find the right candidate.
If you want to improve the security of your software and app development, here are some tips from Synack customers:
Highlight only the most critical vulns to the dev team. The development team has time only to address what’s most important. Sorting through an endless list of vulns that might never be exploited won’t work. Synack delivers vulnerabilities that matter by incentivizing our researchers to focus on finding severe vulnerabilities.
Don’t shame, celebrate. Mistakes are inevitable. Instead of shaming or blaming the development team for a security flaw, cheer on the wins. Finding and fixing vulnerabilities before an update is released is a cause for celebration. Working together to protect the company’s reputation and your customers’ data is the shared goal.
Embrace the pace. CI/CD isn’t going away and the key to deploying more secure apps and software is to find ways to work with developers. When vulns are found to be fixed, document the process for next time. And if there’s enough time, try testing for specific, relevant CVEs. Synack Red Team (SRT) members document their path to finding and exploiting vulnerabilities and can verify patches were implemented successfully. SRT security researchers can also test as narrow or broad a scope as you’d like with Synack’s testing offerings and catalog of specific checks, such as CVE and zero day checks.
Security is a vital component to all companies’ IT infrastructure, but it can’t stand in the way of the business. For more information about how Synack can help you integrate security checkpoints in your dev process, request a demo.
Of course, data breaches remain one of the biggest problems in cybersecurity. Many of the worst breaches expose financial data, authentication credentials, and sensitive legal and medical information. In the wrong hands, this data can help cybercriminals access organizations’ and individuals’ most sensitive data and valuable networks.
Ransomware that targets enterprises is also growing. In fact, ransomware incidents are up 13 percent from the previous year, a larger increase than the previous five years combined. Another data breach vulnerability trend is an increase in human exploitation, whether by phishing, stolen credentials or user errors.
The DBIR is a massive report that resulted from Verizon analyzing a large number of data breaches, which they’ve also verified directly for authenticity. Here’s how Verizon determines which breaches to include:
“The incident must have at least seven enumerations (e.g., threat actor variety, threat action category, variety of integrity loss, et al.) across 34 fields or be a DDoS attack. Exceptions are given to confirmed data breaches with less than seven enumerations. The incident must have at least one known VERIS threat action category (hacking, malware, etc.).”
Verizon acknowledges that many data breaches still go undetected. Nonetheless, as organizations improve their systems for detecting indicators of compromise (IoCs), there’s a lot of useful data to be analyzed.
Here are five key findings:
Web application “hacking” and denial of service attacks are the most common actions that threat actors perform in order to unlawfully access sensitive data in networks. For the sake of the report, hacking is defined as “attempts to intentionally access or harm information assets without (or exceeding) authorization by circumventing or thwarting logical security mechanisms.”
Seventy percent of breaches involve web application hacking, 45 percent involve denial of service, 15 percent involve backdoor malware, 15 percent involve ransomware and 10 percent involve email.
Malicious access to credentials led to just under 50 percent of breaches, phishing in a bit under 20 percent and vulnerability exploits about 10 percent.
Data breaches are mainly caused by external threat actors, but internal threat actors are still a significant risk, too. About 80 percent of threat actors are external to the targeted organization, and 20 percent are internal—an organization’s own employees, contractors and other insiders.
Even though internal threat actors conduct fewer attacks, internal attacks expose the most records and therefore lead to more destructive data breaches. External threat actor breaches expose a median of 30,000 records, internal threat actor breaches expose a median of 375,000 records, and threat actors with a partnership relationship (often in the supply chain) expose a median of 187,500 records.
Whenever organizations are testing to see how vulnerable they are to a data breach, it’s important to simulate internal, external and supply chain attacks. Web application pentesting is also more important than ever. As DBIR makes clear, it’s critical that every organization test for unauthorized credential exploitation and phishing attacks, too.
Thank you Verizon for helping our industry better understand data breach threats! For more information about how Synack can help organizations prevent data breaches, get in touch here.
The exploit that Kaspersky researchers uncovered is unnamed, so we’re calling it “ThrowShell”
By Kim Crawley
The key to cyberattacks evading detection by antivirus software and intrusion detection systems is often to exploit operating system processes. That’s a feature of a fileless Windows exploit recently discovered by Kaspersky researchers.
Fileless malware attacks computer systems without writing new files to a computer’s data storage. If antivirus software scans a hard drive for malware, it won’t find any files related to a fileless attack. It’s a popular obfuscation technique with cyber threat actors.
Kaspersky hasn’t given this new exploit any particular name. Kaspersky’s Denis Legezo explained that some DLLs (Windows Dynamic Link Libraries) involved in the exploit resemble tools in commercial pentesting platforms:
“Regarding the commercial tools, traces of SilentBreak and Cobalt Strike toolset usage in this campaign are quite visible. Trojans named ThrowbackDLL.dll and SlingshotDLL.dll remind us of Throwback and Slingshot, which are both tools in SilentBreak’s framework, while the ‘sb’ associated with the dropper (sb.dll) could be an abbreviation of the vendor’s name.
Here we want to mention that several .pdb paths inside binaries contain the project’s directory C:\Users\admin\source\repos\drx\ and other modules not named after Throwback or Slingshot, such as drxDLL.dll. However, encryption functions are the same as in the publicly available Throwback code.”
The new exploit puts malicious shellcode into Windows event logs. Cyberattacks that use fundamental code libraries such as “Log4Shell” and “Spring4Shell” are recent concerns in the cybersecurity community. So, I’ll call this attack “ThrowShell.” Maybe it’ll stick.
How “ThrowShell” works
The ThrowShell attack starts by persuading a user to download a file with a Cobalt Strike module. Kaspersky researchers have observed this as a RAR archive file with a Cobalt Strike certificate distributed through file.io, a file sharing site the researchers consider to be legitimate. Yes, “ThrowShell” starts as a Trojan. But interestingly, when I tried to visit file.io in Firefox, my Malwarebytes Browser Guard extension blocked the site as a suspected phishing domain. I’ve personally never visited file.io.
Anti-detection wrappers are used with the Trojans. MSVC, Go compiler 1.17.2 and GCC under MinGW are the compilers researchers have seen.
Once the RAR file has been extracted and its contents executed, it’s then much easier for the attacker to send additional malicious DLLs to the targeted device.
Werfault.exe is the initial Windows executable file that’s targeted for code injection by ThrowShell. It’s Microsoft Windows Error Reporting Fault Reporter in Windows 10 and Windows 11. The important role that the process serves in Windows assures that the file is whitelisted in endpoint security applications. It’s almost as sneaky as exploiting svchost.exe, in my opinion.
The malicious executed code is signed with a certificate for an application called “Fast Invest,” which the researchers have not seen used to sign any legitimate code. Once extracted, decrypted and signed, ThrowShell’s malicious code spreads within Windows through dropper injection with Cobalt Strike pentesting software. Explorer.exe, the main file manager for all supported versions of Windows, is one of the processes that ThrowShell targets for code injection. That’s the way fileless malware typically works: inject malicious code into ordinary OS processes and execute it that way.
As the malware moves through a variety of ordinary Windows DLLs and processes, it eventually writes its shellcode into the Windows event log. Researchers have seen ThrowShell fingerprint targets for MachineGUID, computer name, local IP addresses, OS version, CPU architecture, and whether the process it is running in holds SeDebugPrivilege.
This is a remarkably stealthy way to infect Windows clients: get into memory, evade detection, establish persistence, and maintain a backdoor with a path right into the Windows shell. Such an implant could sit on a Windows client for months or longer, giving the attacker an easy way to carry out all kinds of malicious activity, potentially with administrative privileges.
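A hunt for this technique, added here as an example and not code from the original post or from Kaspersky's research: it scores each event-log record's payload on size, byte entropy and printable ratio, checks for the cld / and rsp,-16 prologue that common x64 stagers start with, and then counts hits per event provider, because a dropper that chunks its shellcode across several records stands out from a lone high-entropy blob such as a certificate. The records, provider names and thresholds are constructed for the example; on a real host you would export records with Get-WinEvent or an .evtx parser and feed each record's binary data in.

```python
"""Hunt for shellcode-like payloads hidden in Windows event log records.

Added example, not code from the original post or from Kaspersky's research.
The records below are constructed; on a real host export them with
Get-WinEvent (or an .evtx parser) and pass each record's binary payload in.
"""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class EventRecord:
    provider: str   # event source / provider name (constructed names below)
    event_id: int
    data: bytes     # raw record payload: message text or binary event data


# cld; and rsp,-16: the prologue common x64 stagers begin with. A heuristic
# hint chosen for this example, not a signature given in the write-up.
X64_STAGER_PROLOGUE = bytes.fromhex("fc4883e4f0")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated byte, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in printable ASCII; log message text is close to 1.0."""
    if not data:
        return 1.0
    return sum(32 <= b < 127 for b in data) / len(data)


def shellcode_indicators(data: bytes, min_len: int = 512, min_entropy: float = 6.5,
                         max_printable: float = 0.6) -> list[str]:
    """Reasons a payload looks like embedded machine code (empty list = clean).

    A large, high-entropy, mostly non-printable blob is the core indicator; a
    known stager prologue strengthens it. Compressed data and certificates also
    have high entropy, so a hit is a hunt lead, not a verdict.
    """
    reasons = []
    if (len(data) >= min_len and shannon_entropy(data) >= min_entropy
            and printable_ratio(data) < max_printable):
        reasons.append("high_entropy_binary")
    if data.startswith(X64_STAGER_PROLOGUE):
        reasons.append("x64_stager_prologue")
    return reasons


def suspicious_providers(records: list[EventRecord], min_hits: int = 2) -> dict[str, int]:
    """Count flagged records per provider. A dropper that chunks its payload
    writes several binary records under one source; a lone hit is usually noise."""
    hits = Counter(r.provider for r in records
                   if "high_entropy_binary" in shellcode_indicators(r.data))
    return {provider: n for provider, n in hits.items() if n >= min_hits}


# Constructed samples. SHELLCODE_LIKE is not real shellcode: a uniform byte
# spread behind the stager prologue reproduces the statistical shape of one.
BENIGN_TEXT = b"The Example Service entered the running state."
SHELLCODE_LIKE = X64_STAGER_PROLOGUE + bytes(range(256)) * 16
CERT_LIKE = bytes(range(256)) * 4          # stands in for a legitimate DER blob
SAMPLE_RECORDS = [
    EventRecord("Example-Benign-Provider", 100, BENIGN_TEXT),
    EventRecord("Example-Benign-Provider", 100, BENIGN_TEXT),
    EventRecord("Example-Cert-Provider", 200, CERT_LIKE),
    EventRecord("Example-Suspect-Provider", 300, SHELLCODE_LIKE),         # chunk 1
    EventRecord("Example-Suspect-Provider", 300, SHELLCODE_LIKE[1024:]),  # chunk 2
    EventRecord("Example-Suspect-Provider", 300, SHELLCODE_LIKE[2048:]),  # chunk 3
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.provider, rec.event_id, len(rec.data), shellcode_indicators(rec.data))
    print("providers to investigate:", suspicious_providers(SAMPLE_RECORDS))
```

Tune min_hits and the thresholds against your own logs. Encrypted or compressed data written by legitimate software also scores high on entropy, so the output is a short list of providers and event IDs to pull and inspect, not a verdict; the single certificate-like record above is deliberately left below the reporting bar.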
Vulnerability testing, whether via an automated scanner or human-led penetration testing, can surface an overwhelming number of vulnerabilities, and recent trends suggest that number will keep growing. Since 2017, record numbers of Common Vulnerabilities and Exposures (CVEs) have been reported each year, with 2022 on track to set a new high.
Sorting through a record number of vulnerabilities to keep your organization secure is a daunting task without additional support and distillation.
The good news is that of all the vulnerabilities that might show up on a traditional vulnerability report, only around 5% are ever exploited in the wild, and most of those carry the highest CVSS (Common Vulnerability Scoring System) severity scores of 9 or 10.
So how do you know which vulnerabilities in your system need to be addressed right now, and which can be put on the back burner? Some vulnerabilities are an immediate risk to the business, while others are highly unlikely to be exploited. Prioritizing critical vulnerabilities can mean the difference between preventing an attack and responding to one.
Finding and triaging critical vulnerabilities is where Synack’s pentesting outperforms traditional models. We continuously prioritize impactful vulns for your organization, surfacing only vulnerabilities that are reproducible and show exploitability.
The Synack Difference—The Vulnerability Operations Team
The Synack Platform is the only solution to harness the best in augmented intelligence for more effective, continuous pentesting. First, the Synack Red Team (SRT), a group of vetted researchers, conducts open vulnerability discovery, while our automated SmartScan provides broad attack surface coverage. Together, they find vulnerabilities across your attack surface.
Next, the Synack Vulnerability Operations team assesses the vulnerabilities found by the SRT and SmartScan using a rigorous vetting process. Noise, such as duplicate SRT submissions, non-reproducible exploits and low-impact vulns, is filtered out, so you are ultimately served only the vulnerabilities that present a clear risk.
This additional step to triaging is key to faster remediation and minimizing business risk.
The Vulnerability Operations team is a group of seasoned security professionals with hacking expertise. They are full-time Synack employees with extensive vulnerability knowledge; they’ve seen tens of thousands of them. For the most accurate triaging, high-impact vulnerabilities are often reviewed by multiple team members. So, when you get a vulnerability report from Synack, you know that it matters.
Remediating Exploitable Vulnerabilities with True Business Impact
The Vulnerability Ops team works alongside the SRT 365 days a year to bring order to the thousands of CVEs. When the team receives an initial vulnerability report, they will first validate the vulnerability by replicating it based on details provided in the report. When the vulnerability is confirmed, the Ops team proofreads and formats the report for utility and readability by a development team. Everything needed to reproduce the vulnerability is provided in each report.
After vulnerabilities are deemed exploitable and impactful, and the report has been detailed with steps to reproduce and suggestions on remediation, it will be published to the Synack Platform.
From there, the Synack Platform provides real-time details on each finding: its CVSS score, steps to remediate and the researcher’s evidence. With this information you can address the vulnerabilities that matter most to your organization in a systematic and thorough manner.
Through the Synack Platform, teams are also able to check if their remediation efforts were successful with Patch Verification. Patch Verification can be requested on-demand, and the researcher will provide further communications on the patch efficacy.
The Synack Platform facilitates delivery of vulnerabilities and actions like submitting patch verification requests.
2021 Vulnerability Highlights
The six most common types of vulnerabilities delivered to organizations were:
Cross-site Request Forgery (XSRF)
Authentication Permission
Information Disclosure
SQL Injection (SQLi)
Functional Business Logic
Authentication Session
Making the Most of Vulnerability Testing
Most organizations don’t have the resources to chase every vulnerability reported from initial testing. To safeguard the organization, someone needs to determine which findings are true vulnerabilities, which of those are exploitable, and at what level of criticality. That process is noise reduction, and every security operation should aim for the highest level of noise reduction before proceeding to remediation. Synack, through the Vulnerability Operations team, can take on this task for you.
Using Synack’s unique approach to continuous pentesting, your team will be able to proceed with confidence that their remediation efforts are critical to keeping the organization secure. Get started with Synack penetration testing today.
The impact of some software vulnerabilities is so far-reaching and affects so many applications that the potential damage is near impossible to measure. The series of vulnerabilities known as Spring4Shell is a perfect example.
The vulnerability is found in the Spring Framework, which underpins more Java applications than anyone could name. The framework’s modules include data access and authentication features, so an attacker who can exploit it has a potential disaster in hand.
Vx-underground shared news of the discovery of Spring4Shell and linked to a proof-of-concept exploit via Twitter on March 30. The vulnerability enables remote code execution and affects Spring Core applications running on JDK (Java Development Kit) 9 through 18. Frustratingly, Spring4Shell is a bypass of the fix for another remote code execution vulnerability that researchers discovered in 2010. That a 12-year-old fix could be bypassed emphasizes how critical Spring4Shell is, and how difficult this class of bug is to patch or otherwise mitigate for good.
Because Spring Framework’s modules have so many functions and because of how Spring Framework is used in so many different types of networking applications, there are many ways to exploit Spring4Shell.
One worrisome example is how Spring4Shell has been used to deploy Mirai malware and gain root access on the target remotely.
First surfacing in 2016, the Mirai botnet malware has been used by attackers to carry out crippling assaults, and now it is back. It works by infecting routers, other internet-connected devices and servers, and giving attackers control of massive botnets. One of the most damaging Mirai attacks hit the Dyn DNS service in October 2016 and knocked many major websites offline for much of a day.
Now, Spring4Shell is aiding Mirai’s return. The bug has been used to write a JSP web shell into a web server with a carefully crafted request. Remote attackers then use the shell to execute commands, with root privileges where the application server runs as root. Mirai is downloaded to the web server’s “/tmp” folder and executed from there.
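Two checks that would catch the post-exploitation traces just described, added here as an example and not code from the original post: scanning a web root for JSP files that both execute commands and take them from the request, and scanning /tmp for ELF binaries. The directory layout, file names and the minimal JSP samples are constructed for the example; the one-line “web shell” exists only so the detector has something to match and is not an exploit of Spring4Shell.

```python
"""Spot the post-exploitation traces described above: a JSP web shell dropped
into a web root and an ELF payload staged in /tmp.

Added example, not code from the original post. Paths and samples are
constructed; on a real host point scan_webroot at the application's document
root and scan_staging_dir at /tmp.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Java calls a web shell needs in order to run attacker commands. Requiring
# both command execution and request-controlled input keeps ordinary JSPs quiet.
EXEC_PATTERN = re.compile(rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder")
INPUT_PATTERN = re.compile(rb"request\.getParameter|request\.getHeader")
ELF_MAGIC = b"\x7fELF"


def is_jsp_webshell(content: bytes) -> bool:
    """True when the JSP both executes commands and reads them from the request."""
    return bool(EXEC_PATTERN.search(content) and INPUT_PATTERN.search(content))


def scan_webroot(root: Path) -> list[Path]:
    """JSP files under root whose source looks like a web shell."""
    return sorted(p for p in root.rglob("*.jsp") if is_jsp_webshell(p.read_bytes()))


def scan_staging_dir(directory: Path) -> list[Path]:
    """ELF binaries sitting in a scratch directory such as /tmp. Legitimate
    software rarely leaves executables there; Mirai-style droppers do."""
    hits = []
    for path in directory.iterdir():
        if path.is_file():
            with path.open("rb") as fh:
                if fh.read(4) == ELF_MAGIC:
                    hits.append(path)
    return sorted(hits)


def build_demo_tree(base: Path) -> None:
    """Write constructed samples: a benign JSP, a minimal web shell (a detection
    sample only, not a working exploit), a fake ELF header and a text file."""
    webroot = base / "webapps" / "ROOT"
    webroot.mkdir(parents=True)
    (webroot / "index.jsp").write_bytes(
        b'<%@ page %><html>Hello <%= request.getParameter("name") %></html>')
    (webroot / "shell.jsp").write_bytes(
        b'<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>')
    tmp = base / "tmp"
    tmp.mkdir()
    (tmp / "x86_64").write_bytes(ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 61)
    (tmp / "notes.txt").write_bytes(b"just a text file")


def run_demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir, scan it and return relative hit paths."""
    with tempfile.TemporaryDirectory() as td:
        base = Path(td)
        build_demo_tree(base)
        return {
            "webshells": [p.relative_to(base).as_posix() for p in scan_webroot(base / "webapps")],
            "tmp_elf": [p.relative_to(base).as_posix() for p in scan_staging_dir(base / "tmp")],
        }


if __name__ == "__main__":
    print(run_demo())
```

Neither check needs root and both are cheap enough to run on a schedule. Pair them with the web server’s access log: the crafted request arrives before the file does, so a JSP whose modification time follows a burst of unusual requests is the one to pull first.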
Spring4Shell is similar in many ways to Log4Shell, which was initially discovered in November 2021. Log4j is Apache’s Java logging library, built into a plethora of applications and services from 2001 to today. It’s a small piece of useful code that runs in a wide variety of internet servers and services. Exploiting Log4Shell lets attackers run arbitrary code on all kinds of internet-facing targets. Ars Technica’s Dan Goodin called it “arguably the most severe vulnerability ever,” and Apache started shipping patches on Dec. 6. It has not been an easy job because there are multiple CVEs and they aren’t simple to fix.
Spring4Shell and Log4Shell both pertain to Java’s vast libraries and resources. Java is one of the most commonly used application development technologies on internet servers and on a variety of types of endpoints, especially Android devices. The downside to a technology being so popular and useful is that it’ll also be a prime target for attackers. Inevitably, there will be many more devastating Java library vulnerabilities discovered in the years to come.
Businesses should quickly work to patch Spring4Shell and Log4Shell vulnerabilities across their entire networks.
Rigorous, continuous pentesting can help organizations spot these vulnerabilities quickly. The more traditional approach to pentesting just isn’t robust enough to help organizations find and fix the latest complex vulnerabilities.
Part 1: Getting rid of the noise and focusing on the vulnerabilities that matter most
In this blog series, Tim Lawrence, a Synack solutions architect and former chief security officer, breaks down the essentials for a more effective and powerful cybersecurity strategy.
By Tim Lawrence
Building a stronger cybersecurity strategy starts with a solid foundation. That means looking first at the vulnerability management process to ensure it’s fine-tuned, so your organization can quickly find and remediate the threats that put businesses at risk. Fine-tuning reduces the noise so teams know where and how to focus their efforts—on the vulnerabilities that matter most.
During my 22-year career in cybersecurity, I’ve been guilty of bombarding the vulnerability management team with too much noise. As security professionals, we tend to rely too heavily on vulnerability scanners for our vulnerability results. We take those findings and send them to the remediation side of our team without really verifying whether those results are actually exploitable or represent a serious risk.
To address this problem we need to move to a scan, validate, remediate and test mentality.
Scanners are great because they get us going in a general direction. We need to be able to take that scan data and turn it into something actionable for the team. To do that we validate the scan findings to make sure they are truly exploitable and a risk to our business. Once there is tangible data proving that a vulnerability is exploitable and poses a risk, we pass that information to the remediation experts. Once the remediation team has finished, we verify the issue is no longer a risk to the business, which means testing that the remediation did the job.
The reality is that security teams never grow as fast as the companies they support. This is one of the key reasons that teams are overworked and have trouble keeping up with increased risk as businesses’ overall threat surface expands. I saw this first hand having spent 16 years in an extremely fast-growing company, with six of those years as the chief information security officer.
Now as a solutions architect at Synack, I talk with IT and security leaders every day, and they echo these same problems. It’s from these experiences that I’ve developed five steps for building a better security strategy.
1. Evaluate the current vulnerability management process
We need an understanding of the current process: how the vulnerability inputs get generated and what the remediation output looks like. Are we tracking all the assets that matter to the business? We need to rank those assets by criticality to the business. How is a vulnerability proven exploitable before it is passed to the remediation team? How is risk to the business determined? These are some of the questions we should start with.
2. Establish a baseline for measurement
The famous business consultant Peter Drucker said, “If you can’t measure it, you can’t improve it.” For security leaders, this means establishing key performance indicators (KPIs): vulnerability count by severity over a given period, remediation time by severity, first-time patch quality or patch efficacy by severity, and the vulnerability categories that account for the highest share of findings.
3. Eliminate noisy inputs
Noisy inputs are noncritical vulnerabilities and vulnerabilities that haven’t been proven exploitable. They create overhead without reducing the organization’s overall risk. To reduce noise, first look at the volume of vulnerabilities the remediation team is working on and the time it takes to remediate them, then ask the team whether they know if each flaw is exploitable. If the answer is no, noise is getting in the way of more important work.
4. Look for clear signs of improvement
Once you’ve established a baseline for key measurements such as vulnerability count and remediation time, consistently track and evaluate both the threats to the business and the performance of the security team. You’ll also begin to notice whether there’s a need for more headcount, training or tools (or, sometimes, fewer tools). The quantitative data is the basis for reporting to the CEO or the board of directors, showing the security team’s success and providing better insight into business risk.
5. Iterate. Tweak. Measure again.
Keep adjusting the process and try to understand where teams fall short or start making real strides on the established KPIs. If teams are struggling, tweak the process or add resources.
Overall, the goal is to approach vulnerability management with a shift-left mentality and build efficiencies into the process for security teams to maximize their results, build trust across their organization and demonstrate their value.
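The scan, validate, remediate, test loop and the step 2 KPIs expressed as data, added here as an example rather than code from the original post or from Synack. It also illustrates the earlier point that only a small share of reported vulnerabilities are ever exploited: unvalidated scanner findings score zero and go to a backlog, while validated findings are ranked by CVSS, asset criticality and whether they are known to be exploited in the wild. The Finding fields, the weights and the sample findings are assumptions; tune them against your own asset ranking.

```python
"""Scan -> validate -> remediate -> test, as data: triage validated findings and
compute the baseline KPIs from steps 2 and 3.

Added example, not code from the original post or from Synack's platform. The
Finding fields, the weights and the sample findings are assumptions to tune
against your own asset ranking.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class Finding:
    id: str
    cvss: float
    asset_criticality: int            # 1 (low) .. 3 (crown jewel), from step 1's asset ranking
    validated: bool                   # exploitability proven by a human or a working PoC
    known_exploited: bool = False     # observed exploited in the wild
    reported: date = date(2022, 1, 1)
    remediated: Optional[date] = None
    retests_failed: int = 0           # patch verifications that failed before the fix held


SEVERITY_ORDER = ("critical", "high", "medium", "low")


def severity(cvss: float) -> str:
    """CVSS v3 qualitative rating buckets."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def priority_score(f: Finding) -> float:
    """Rank by proven risk, not by scanner output: an unvalidated finding scores
    zero until someone shows it is exploitable, and a bug exploited in the wild on
    a critical asset outranks a theoretical critical on a lab box."""
    if not f.validated:
        return 0.0
    score = f.cvss * f.asset_criticality
    if f.known_exploited:
        score *= 2
    return score


def triage(findings: list[Finding]) -> tuple[list[Finding], list[Finding]]:
    """Split into a remediation queue (validated, highest risk first) and a noise backlog."""
    queue = sorted((f for f in findings if f.validated), key=priority_score, reverse=True)
    noise = [f for f in findings if not f.validated]
    return queue, noise


def kpis(findings: list[Finding], as_of: date) -> dict[str, dict]:
    """Step 2 baseline per severity: open count, median days to remediate,
    first-time patch efficacy and the age of the oldest open finding."""
    out = {}
    for bucket in SEVERITY_ORDER:
        group = [f for f in findings if severity(f.cvss) == bucket]
        fixed = [f for f in group if f.remediated is not None]
        days = [(f.remediated - f.reported).days for f in fixed]
        open_ages = [(as_of - f.reported).days for f in group if f.remediated is None]
        out[bucket] = {
            "open": len(group) - len(fixed),
            "median_days_to_fix": median(days) if days else None,
            "first_time_fix_rate": sum(f.retests_failed == 0 for f in fixed) / len(fixed) if fixed else None,
            "oldest_open_days": max(open_ages, default=0),
        }
    return out


# Constructed findings: F-4 is a scanner-only result nobody has validated.
SAMPLE_FINDINGS = [
    Finding("F-1", 9.8, 3, True, known_exploited=True, reported=date(2022, 3, 1)),
    Finding("F-2", 9.1, 1, True, reported=date(2022, 2, 1), remediated=date(2022, 2, 20), retests_failed=1),
    Finding("F-3", 7.5, 3, True, reported=date(2022, 1, 10), remediated=date(2022, 1, 25)),
    Finding("F-4", 8.8, 2, False, reported=date(2022, 3, 5)),
    Finding("F-5", 5.3, 2, True, reported=date(2022, 1, 15), remediated=date(2022, 3, 1)),
    Finding("F-6", 9.6, 2, True, reported=date(2022, 1, 5), remediated=date(2022, 3, 1)),
]
AS_OF = date(2022, 4, 1)


def baseline() -> dict[str, dict]:
    """KPIs for the sample set as of AS_OF."""
    return kpis(SAMPLE_FINDINGS, AS_OF)


if __name__ == "__main__":
    queue, noise = triage(SAMPLE_FINDINGS)
    print("remediate:", [(f.id, round(priority_score(f), 1)) for f in queue])
    print("backlog (unvalidated):", [f.id for f in noise])
    for bucket, stats in baseline().items():
        print(bucket, stats)
```

Note how the ranking differs from a plain CVSS sort: the 7.5 on a crown-jewel asset (F-3) is queued ahead of two criticals, and the 8.8 that no one has validated (F-4) is not queued at all until someone proves it. The first-time fix rate is the patch efficacy KPI from step 2; a low value there usually means the remediation team is working from findings that were never reproduced.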
For more information about how Synack can help your organization build a better security strategy, get in touch today.
NVIDIA. Samsung. Microsoft. Okta. Globant. At least one of these Lapsus$ targets could be in your company’s tech supply chain. Regardless, these high-profile attacks highlight how interconnected and dependent IT systems become as companies grow and innovate, and the need to secure your supply chain.
Lapsus$, a global cybercrime group, has a tendency to go deep into a major tech vendor’s networks, find sensitive data and leak it. The breached data so far has included authentication credentials and encryption keys.
In the case of Lapsus$, the group used a smaller vendor as a way into a bigger target, such as Okta, which then created a domino effect: access to hundreds or thousands more credentials belonging to the companies that contract with the bigger one. We saw a similar strategy with SolarWinds, where SolarWinds itself was breached and a backdoor was pushed to its customers inside a legitimate, signed software update, leading to further breaches. The risk of a breach runs in both directions: which of your vendors might lead to a breach within your network, and which of your customers might then be breached through you?
The City of London police arrested several individuals who are alleged to be members of Lapsus$. But Lapsus$ struck Globant after the arrests, which indicates there may be many members who are continuing to execute cyber attacks.
Lapsus$ isn’t the first cybercrime group to wreak havoc on vendor supply chains, and it definitely won’t be the last. Unfortunately, security researchers know that the number of disclosed vulnerabilities, critical ones included, is growing rapidly, and so is the number of attackers exploiting them. According to the CVE database, 18,325 vulnerabilities were added in 2020 and 20,149 in 2021. More than 6,000 have been added in the first quarter of 2022 alone. If the year continues at that rate, we’ll end 2022 with over 24,000 new vulnerabilities.
Traditional, point-in-time pentesting can’t keep up with the pace. When you add the complexity of cloud networks and diverse supply chains to the mix, it’s inevitable to lose visibility into your network’s security.
Cloud networks have been a boon for business, allowing companies to scale IT systems quickly and efficiently. But this also means that companies can add publicly accessible cloud services at will, with little oversight from the security team. Then factor in all of your vendors that provide services and infrastructure beyond security. Their vulnerabilities are also your company’s vulnerabilities. When cybercrime groups like Lapsus$ attack them, they’re also attacking your business up the chain.
You need a solution that will empower your security team to quickly find vulnerabilities wherever they emerge in your supply chain and remediate them with ease.
Synack combines an automated scanner, SmartScan, with the human intelligence of more than 1,500 carefully vetted security researchers from the Synack Red Team to find critical vulnerabilities across your network and tech supply chain. That combination of automation and human intelligence is at the core of the Synack Platform’s ability to bring you a better way to pentest. Within the Synack Platform, you can also request on-demand checks for specific vulns, like the OWASP Top 10, or for new critical CVEs as they appear, such as Log4Shell.
It’s the most efficient and thorough way to conduct on-demand pentests in today’s complex computing environments. A few point-in-time pentests a year, conducted by just a few people simply to meet compliance, don’t cut it anymore. With densely networked supply chains and rapidly multiplying cloud services, new vulnerabilities are introduced faster than ever before. Whether it is Lapsus$ that strikes one of your vendors, or one of the many cybercrime groups that will inevitably follow, your organization will be ready to defend against the evolving cyber threat landscape.
If your organization is pentesting like it’s 2004, you’re missing most of the ways attackers are attempting to exploit your network in 2022.
Stale, outdated pentesting practices are putting enterprises, in all industries and of all sizes, at considerable risk. In today’s rapidly evolving cyber threat landscape, malicious hackers are breaching companies and cyber criminals are infecting them with ransomware at an unprecedented rate that even the most seasoned security teams haven’t experienced.
In the words of Roman Medina, CISO at Jefferson Bank in Texas, “I do think we may miss critical issues or vulnerabilities if we stick to the same annual pentest year after year. The way we pentest has to evolve. I am looking at starting a continuous pentest service next year.”
Let’s examine the issues with traditional pentesting.
It’s slow and static
Traditional pentesting methodologies and procedures were designed for the computer networks of 15 to 20 years ago. That’s when organizations typically hosted networks on premise. Those networks changed gradually. IT teams updated operating systems and applications infrequently and added new data assets only every so often. For a deeper dive on traditional pentesting flaws check out our white paper: Traditional Pentesting: a Turtle Chasing a Cheetah
Today, cloud providers have made it much easier for enterprises to build fully scalable and flexible networks. Containerization and virtualization make it possible for data assets to be added or removed on a dime. According to research from Palo Alto Networks, organizations can, and did, add as many as 693 cloud services in a single day.
Unfortunately, the new paradigm of enterprise computing means the old ways to pentest won’t cut it anymore.
Pentesting annually or according to compliance requirements is too slow and too infrequent to get an accurate understanding of your organization’s vulnerabilities day to day. In 2017, the number of CVEs (common vulnerabilities and exposures) spiked significantly. Since then, each year has been a record year for the number of CVEs discovered and reported. The pace is unrelenting.
It’s disruptive
Once a traditional pentest is conducted, which can be disruptive in its own way, a static report is delivered with the results. That report doesn’t plug into the ticketing tools your team already uses, and it doesn’t give you clear steps for remediation. The pentest results become the elephant in the room: when is your overworked, overburdened security team going to be able to act on them?
Let’s say your team does begin to tackle the issues presented by the pentest. They’re making headway through the results, but some issues need to be retested. Patches or other fixes issued need to be verified that they were an effective remediation measure.
Leaders in charge of approving pentests likely won’t be keen on the idea of having the two guys, two laptops, two weeks repeated again. Without verification that the issues were resolved, was the original pentest of much use?
Security teams should be searching for a pentesting solution that a) provides immediate value with actionable results and b) is easy to implement so retesting and remediation verification are easy to do.
It’s ineffective
Scanners used in traditional pentests surface noisy results, distracting from critical vulnerabilities.
Network and application vulnerability scanners can spit out massive amounts of vulnerability data but without much triaging or prioritization. Much like a doctor walking into a hospital and being told every single patient is a top priority, a vulnerability manager or other security practitioner needs additional context to know which vulnerabilities to tackle first. No amount of medical schooling, or security chops, can help you decide which issues to prioritize without going back to review every case. It’s not feasible.
In short, traditional pentesting has hardly grown with the needs of the industry. It’s time to start looking for new, innovative solutions to testing your digital environment for vulnerabilities. To learn more about the burgeoning list of issues with traditional pentesting, download our white paper.
Start With Pentesting to Harden Your Site Against Cyberattacks
Cybersecurity for web apps has never been more important than it is today. Websites and online applications are under constant attack by people and groups looking to penetrate systems to cause damage or steal vital information. And it’s not just criminals and mischief-makers; government-sponsored attackers are at work as well. Consider these cybersecurity statistics compiled by Patchstack:
A 2019 report found that security breaches had increased by 67% over the last five years.
73% of black hat hackers said traditional firewall and antivirus security is irrelevant or obsolete.
A 2019 study found that hackers could attack users in 9 out of 10 web applications they analyzed.
Another 2019 study found that 46% of web applications have critical vulnerabilities, and a whopping 87% had “medium” security vulnerabilities.
Even more telling is a 2019 report that found that 47% of all hacked websites contained at least one backdoor, giving attackers continued access to the site. And the costs associated with data breaches continue to climb. The average cost of a data breach among companies surveyed in a 2021 IBM report reached $4.24 million per incident, the highest in 17 years.
Security personnel have a number of tools at their disposal to thwart cyberattacks. One of the most valuable is pentesting: checking for vulnerabilities that could give an attacker access to the system. But although not as reactive as remediating a breach that has already occurred, traditional pentesting is still somewhat reactive in nature. You’re being proactive in checking for vulnerabilities that an attacker could use, but those vulnerabilities already exist. It’s like calling in a plumber to check for leaks in your pipes that could cause water damage: the leaks are expected to be there already and to be found, just as the vulnerabilities are in a pentest. So, although a valuable tool, pentesting only takes you part of the way to a truly security-hardened organization.
How ASVS Benchmarks Go Beyond Pentesting
What you need is a way to check your security posture for conditions that might lead to a future vulnerability and remediate those issues as well. Only then can you consider your site truly security-hardened. It’s like that plumber fixing all the leaks in your pipes, then going back and making a systematic check of your pipes for conditions that could lead to a leak, such as rusting, pipes located in places where they are likely to freeze or improperly connected pipes.
ASVS provides for this by listing security conditions analogous to those that might lead to leaky pipes. This is how ASVS benchmarks enable proactive security.
Enhance Your Security Posture Further With ASVS Benchmark Tests
The Application Security Verification Standard (ASVS) was developed by the Open Web Application Security Project (OWASP) to help organizations examine the state of their cybersecurity. The primary aim of the ASVS Project was to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls and technical security controls in the environment that protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection.
The ASVS benchmark provides a compilation of security controls that are expected to be in place in a well-secured application, and it gives developers a list of requirements for secure development. The ASVS is not a framework for finding vulnerabilities. Rather, it is a framework for checking the controls that prevent exploitable vulnerabilities, and for spotting the conditions that could lead to them. Synack recommends performing ASVS benchmark testing as part of an ongoing security process. OWASP describes three intended uses for the standard:
Use as a metric — Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications
Use as guidance — Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements
Use during procurement — Provide a basis for specifying application security verification requirements in contracts.
When to Run ASVS Benchmark Tests
The ASVS framework is best suited for organizations that are relatively mature in their security posture. Since the tests don’t actually check for vulnerabilities, it is most appropriate to run ASVS tests after you have examined your system for existing vulnerabilities and remediated them through continuous and effective penetration testing. Once existing vulnerabilities have been discovered and remediated or resolved, then it is time to check your security controls for best practice implementations. Running the ASVS benchmark can then help the organization create a better defense in depth posture.
Proactive Vulnerability Testing With Synack’s ASVS Benchmark Product
There are three levels of ASVS benchmarks available in the Synack Catalog – Basic, Standard, and Advanced. You choose the Synack ASVS Campaign to run based on the level that is appropriate for the organization. Across levels, an ASVS Campaign can ensure that an application follows best practices to protect user data and prevent exploitation by adversaries. An ASVS Campaign does this while respecting the appropriate level of security for an application, one that thoroughly protects the application, while not hampering user experience or business needs.
Engaging Synack to prevent vulnerabilities before they occur is a unique process. Testing against the ASVS framework lets us look for, and proactively address, the systemic issues that let vulnerabilities reach an exploitable state and unlock the door for an attacker.
With an ASVS benchmark test, you will receive a detailed report from a researcher on the Synack Red Team, our community of global ethical hackers, regarding their findings on the security posture of your assets. Their mission is to evaluate your assets relative to the ASVS framework. The goal of this assessment is to determine if your security controls are adequate for the application use case your organization has.
This report offers guidance on where effort is best applied to further harden and future-proof your assets. It can also show year-over-year improvement in asset hardening, and it can help quantify effectiveness through both the ASVS metrics and a reduction in vulnerability findings. Long term, the ASVS campaign can support a multi-year effort to reduce the attack surface and improve the controls that protect assets against flaws.
Complete an ASVS Assessment With Synack ASVS Campaigns for Maximum Security Posture
Completing an ASVS assessment for your organization is easy with Synack Campaigns. The ASVS campaigns are listed in the Security Benchmark section of the Catalog. Once credits are purchased, you can activate your campaign on-demand any time in the Synack Platform.
Synack researchers complete the missions specified by the ASVS benchmark tests. After they finish, your team can use Synack’s Custom Report feature to produce audit-ready reports giving a view of the security issues discovered by the testing.
When you are comfortable that pentesting and resulting remediation has moved your site to a sufficiently secure security posture, evidenced by pentesting not finding a significant number of new vulnerabilities, then you can move on to running the Synack ASVS Campaign. After completing the ASVS Campaign and remediating any discovered issues, it’s time to set up a plan for periodic testing going forward. Then you can be assured that you have applied the most comprehensive security testing to protect your assets.
Learn What Synack ASVS Benchmarks Can do for You
To learn more about Synack ASVS Campaigns and how it can expose conditions that could lead to exploitable vulnerabilities, contact Synack at sales@synack.com.
Keep your trenchcoat in your closet. The only magnifying glass you’ll need is that icon on your PC monitor or smartphone touchscreen. In the world of cybersecurity, you can become a detective by learning open-source intelligence, or OSINT for short.
OSINT is all about how to use publicly available information sources to better understand cyberthreats, attacks and targets. Occasionally, OSINT work can be done by looking through old books, newspapers or paper documents like property or court records, but most relevant open-source intelligence sources can be found on the internet. All of that means you can become a master detective without ever leaving home.
OSINT isn’t accessing information that’s legally protected or requires hacking or other illicit actions to acquire. Doxxing isn’t OSINT. Spyware isn’t OSINT. It doesn’t involve bypassing encryption. Also, OSINT is passive research. If you need to communicate with the subjects of your research, that’s not OSINT. But exploring publicly available information sources, both digital and analog, is what OSINT is all about. And, more and more, it’s an important skill that’s used by both offensive and defensive security professionals.
In Episode 14 of WE’RE IN!, Micah Hoffman, principal investigator and owner of Spotlight Infosec and founder of MyOSINT.Training, discusses how he honed his OSINT skills and how those abilities help offensive and defensive cybersecurity practitioners.
“OSINT is a reconnaissance skill. It’s all about that preparation work that needs to be done before you do anything in cyber, whether it’s attacking or defending,” he told WE’RE IN! co-hosts Bella DeShantz-Cook and Jeremiah Roe.
[You can listen to this episode of WE’RE IN! on Apple, Spotify, Simplecast or wherever you get your podcasts.]
Hoffman also discussed how often just really clever Googling can help security researchers who are hunting for vulnerabilities in customers’ websites. “Part of our process was just to Google the name of the website. I pulled back a PDF help document that said, ‘Hey, if you want to log into this website, use a username like this and a password like that.’ And wouldn’t you know it, I just typed those exact credentials in … and logged right in.”
He remembered thinking: “Wow, this is so powerful. Who needs hacking when I can just log right in?”
While OSINT researchers take advantage of just how much personal information is available on the open web, they also understand the privacy risks of social media platforms better than most. “People don’t realize what is online and being revealed about their organizations, themselves, their activities and their families,” said Hoffman. “The reality is that we give up our privacy every single time we use an app, every single time we choose to purchase something.”
The full transcript of the interview is available here.