
Battling the Next Log4j: How to Prepare Your Security Team While Avoiding Burnout

With the anniversary of Log4j looming, it is a good time to reflect on the wider significance of the vulnerability that had security teams scrambling in December 2021. What can the response to the flaw in a widely used Apache Software Foundation logging tool tell us about the state of global IT security? Most importantly, how should we respond to similar vulnerabilities that are bound to emerge in the future?

The reason for the heightened concern surrounding Log4j stemmed not only from the scale of the exposure, but also from the difficulty in quantifying that exposure. People knew or suspected they were using Log4j but did not necessarily know to what extent and on which devices. It’s like a fire alarm going off: You suddenly know you may have a problem, but you don’t know exactly how big a problem or where in the house it might be.

Log4j also speaks to the well-documented challenge of relying on open source software. We cannot live without it, but in doing so we introduce dependency and risk in ways we had not always anticipated or prepared for. Events like Log4j won’t deter organizations from using open source software. The cost and pain of building tech stacks from scratch is simply too great for the vast majority of organizations.

Much of the media coverage of Log4j highlighted the panicked response. Security teams reacted swiftly and decisively as they sought to contain the risk, with much of the work happening over the festive holiday period to the chagrin of those affected.

That was the right course of action, but it is unsustainable to react in crisis mode all the time. This will burn out your hard-working security team, not least the experts on your networks and systems: key people you don’t want to lose. Vulnerabilities like Log4j are a fact of life, so a different pattern of response is needed, one that allows business operations to continue and risk to be managed continuously.

That calls for first understanding the information security risks you are trying to manage. It sounds obvious, but can you articulate this for your organization? Does your leadership fully understand? Is this something you review with your board periodically? Your security response should flow from a set of priorities articulated by your experts and endorsed by your leadership, or else you are destined for infosec busywork rather than purposeful risk management.

It follows closely that you also need to understand your assets. What data, information and systems do you have? How do you rely on them and what happens if they go away?

With these foundations in place, you can start to build what you need to take all sorts of security challenges in stride, including the next Log4j, whatever that may be.

Training is a key aspect of a measured response. Your whole organization should be trained on the basics of cybersecurity and how to improve cyber hygiene. The security, engineering and infrastructure teams need a plan of action to manage your organization’s response to a new, major vulnerability. Plan your incident response and consider simulating how you would respond as part of a table-top exercise. Revisit this plan from time to time; don’t let it gather dust in a ring-binder in an office no one goes to any more!

These suggestions aren’t easy to implement, but they’re an investment in the longevity of your organization and your security teams. Synack can help augment your security team’s efforts by leading one-off missions to assess assets, going through security checklists or performing continuous pentesting on your entire organization. Contact us to learn more.

The post Battling the Next Log4j: How to Prepare Your Security Team While Avoiding Burnout appeared first on Synack.

Pentesting and Asset Discovery & Management: Symbiotic Benefit of Complementary Cybersecurity Tools

By: Synack

Working Together to Provide Comprehensive Cybersecurity

Protecting Your Organization from Cybercrime

You already know that you need to be proactive regarding cybersecurity to protect your organization’s information and your resources. In 2020 cybercrime cost organizations an average of $4.35 million, and it took 277 days to find and contain the attack. But what’s the best way to reduce the chance of your organization falling prey to an attack? There are a number of different types of cybersecurity tools available, with more being announced seemingly every day. VC funding for cybersecurity startups reached a record high of $29.5 billion in 2021, and there have been 300+ new startups every year. With this assortment of tools at your disposal, which ones should you deploy?

One way to proceed is to select tools that complement each other. For example, deploying pentesting for breadth of vulnerability test coverage works hand in hand with red teaming for more targeted testing of specific assets or problem areas. Another complementary pairing is pentesting with asset discovery and management. In this article, we’ll take a look at how penetration testing can use the information from asset discovery and management tools to make sure you are testing everything you need to test and provide you with comprehensive cybersecurity protection.

Asset Discovery and Management

Pentesting will provide you with actionable knowledge of how a cyber attacker can hack into your organization and what damage that attack can cause. But before diving into pentesting it’s important to have a picture of your organization’s external attack surface and an assessment of its known vulnerabilities.

Determining Potential Attack Points with External Attack Surface Management (EASM)

EASM is at the forefront of Gartner’s Top Security and Risk Management Trends for 2022. Broadly defined, EASM is the process of identifying, inventorying and assessing your organization’s IT assets, including all external-facing internet assets and systems. And with the increasing use of cloud resources, your attack surface is expanding rapidly. Forty-three percent of IT and business leaders state that the attack surface is spiraling out of control, and nearly three-quarters are concerned with the size of their digital attack surface. Having a good EASM process will provide your pentesters with a map of where all of your assets are, whether they are internal or external, so they can better determine how to mount as comprehensive a test as possible.

Identifying and Managing Your Vulnerabilities

A vulnerability scan can identify gaps in your security controls and find security loopholes in your software infrastructure. These scans are optimized for breadth and completeness of coverage, with the goal of ensuring that no vulnerabilities are missed. A vulnerability assessment will check for security issues such as misconfigurations, unchecked or incorrect privileges, excessive services and missing operating system updates. You can then prioritize the exposed vulnerabilities according to how likely they are to be exploited in your organization and how much damage can be caused by a hacker exploiting them.

Putting It All Together

EASM, vulnerability management and penetration tests complement each other but have different goals. The first step in determining your organization’s vulnerability to cyberattack is to do an EASM study. EASM results help you see what all of your potential attack points are. It’s not uncommon for an EASM study to expose assets and points of potential attack an organization didn’t even know it had.

Using the EASM results you can perform a vulnerability assessment to expose any known vulnerabilities associated with those assets. The vulnerability scan and prioritization will tell you what your known vulnerabilities are. Usually these vulnerabilities are already known to the security community, hackers, and software vendors. These scans normally don’t uncover unknown vulnerabilities.

With EASM and vulnerability results in hand you can then perform a penetration test. Where vulnerability scans are optimized for breadth and completeness, penetration tests are optimized for depth and thoroughness. Pentests will search for all potential attack points and actively exploit all detected known and as yet unknown vulnerabilities to determine if unauthorized access or malicious activity is possible. Then a good pentesting operation will prioritize its results and assist in remediation or mitigation of detected problems.

Using these three cybersecurity tools and processes will help you answer these important questions:

  • What do we have that might be attacked? (EASM)
  • Could an attack happen on things we own and how likely is it that something will happen to us? (Vulnerability Assessment and Management)
  • What can happen if an attacker gets into our system? (Pentesting)
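The workflow above, as an added example that is not Synack's code: a constructed EASM inventory and constructed scan findings are combined to rank known vulnerabilities by likelihood and business impact (as described under "Identifying and Managing Your Vulnerabilities") and to derive a pentest scope. The asset names, placeholder CVE identifiers, scores and the external-exposure weighting are all assumptions made for illustration.

```python
"""Rank scan findings and derive a pentest scope from an EASM inventory.

Added example, not Synack's code. All data below is constructed: the asset
list stands in for EASM output, the findings for a vulnerability scan.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    exposure: str          # "external" or "internal", as reported by EASM
    business_impact: int   # 1 (low) .. 5 (critical), set by the asset owner


@dataclass
class Finding:
    asset: str
    cve: str                   # placeholder identifiers, not real CVEs
    exploit_likelihood: float  # 0..1, e.g. from exploit availability data


# Constructed EASM inventory; "legacy-ftp" is an asset nobody remembered owning.
ASSETS = [
    Asset("www", "external", 4),
    Asset("vpn-gw", "external", 5),
    Asset("legacy-ftp", "external", 2),
    Asset("hr-db", "internal", 5),
]

# Constructed scan output. The scan reports nothing for vpn-gw.
FINDINGS = [
    Finding("www", "CVE-PLACEHOLDER-1", 0.8),
    Finding("hr-db", "CVE-PLACEHOLDER-2", 0.9),
    Finding("legacy-ftp", "CVE-PLACEHOLDER-3", 0.3),
]


def prioritise(assets, findings):
    """Rank findings by likelihood x impact; external exposure weighs more (assumed 1.5x)."""
    by_name = {a.name: a for a in assets}
    scored = []
    for f in findings:
        a = by_name[f.asset]
        weight = 1.5 if a.exposure == "external" else 1.0
        scored.append((round(f.exploit_likelihood * a.business_impact * weight, 2), f.asset, f.cve))
    return sorted(scored, reverse=True)


def pentest_scope(assets, findings):
    """Every external asset is in scope even with no findings: a clean scan only
    means no *known* vulnerabilities were detected, which is where pentesting adds depth."""
    found = {f.asset for f in findings}
    return sorted(a.name for a in assets if a.exposure == "external" or a.name in found)
```

Note that vpn-gw lands in scope despite a clean scan, which is the point the section makes about scans not uncovering unknown vulnerabilities.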
