- Vulnerability Scanning being added as a regulatory or compliance issue.
- A recent breach where vulnerability scanning, part of a vulnerability management program, would have prevented or minimized the impact of.
- Recent strategies, such as new vulnerability scanning techniques.
Remember to include the URL of the article being referenced.
Jerry Butler says
Vulnerability scanning is a huge part of keeping hardware and software safe from threat actors. As a part of vulnerability scans, companies also look at their whitelisted applications, email, and URLs. SendGrid is a trusted resource whose negligence is going to cost their reputation. SendGrid is ignoring the issues that will have many companies opting not to whitelist or trust them.
https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/
Nicholas Fabrizio says
Hi Jerry,
That was an interesting article. I wonder if Sendgrid will make two factor authentication mandatory for all their customers if the major email providers threaten to begin filtering their emails.
Zhuofu Wang says
Hi Jerry,
Thanks for your sharing.
Multi-factor authentication is always an effective way. But many people don’t like it because they find it inconvenient. But as Laurent said in the comments, the company wasn’t actively filtering those emails at all. Most spam/phishing emails would be easy to block.
Candace T Nelson says
Interesting article, Jerry. I always find it interesting when a company such as Twilio Inc. (the parent company of SendGrid) that provides technology services is slow to respond to ever-increasing cyber security risks. Neal Schwartzman, Executive Director of anti-spam group CAUCE echoed my sentiments in his statement: “Single-factor authentication for a company like this in 2020 is just ludicrous given the potential damage and malicious content we’re seeing” after noting that Twilio acquired Authy in 2015 with the intention of implementing multi-factor authentication for its customer accounts.
I visited the Twilio Inc. Investor Relations page and looked at the company’s Stock Chart, noting common stock TWLO – that was trading at $273.24 on September 1st –dropped to $245.02 as of September 25th. While it is difficult to pin this greater than 10% drop in value entirely on the impacted reputation of SendGrid, this has undoubtedly been a factor in the sharp market decline.
Nicholas Fabrizio says
Title: A Patient Dies After Ransomware Attack Paralyzes German Hospital Systems
URL: https://thehackernews.com/2020/09/a-patient-dies-after-ransomware-attack.html
On September 10 a ransomware attack occurred at the University Hospital of Dusseldorf in Germany which caused their IT systems to fail. The result of this attack caused the hospital to have to send patients to other hospitals, which led to the death of a woman. This attack exploited a Citrix Application Delivery Controller (ADC) vulnerability, CVE-2019-19781, which has a base score of 9.8 critical in the National Vulnerability Database. Citrix released a patch for this vulnerability in January 2020, but the hospital did not install the patch. This attack is believed to have been directed at another university based on the extortion note left, and when law enforcement contacted the attackers informing them it was a hospital the attackers gave them the decryption key. This hospital could have avoided this situation if they had a better security assessment plan and patched known vulnerabilities quicker.
Anthony Wong says
It’s horrible to hear that someone lost their life due to this attack. The industry as a whole seems to be extremely slow in staying up to date with the latest and greatest technologies. I would assume a vulnerability with almost a max critical score would have been patched almost immediately, but unfortunately not… definitely lessons learned.
Nicholas Fabrizio says
Hi Anthony,
It is sad to hear a life was lost over this ransomware attack, and hopefully other hospitals will learn from this situation by beginning to scan/patch their systems for any found vulnerabilities, as well as looking into creating a business continuity plan so they can try to keep the hospital running if a cyberattack were ever to occur again.
Anthony Wong says
And to complement the business continuity plan, develop a disaster recovery plan as well.
Amelia Safirstein says
Exactly. It’s troubling that practices were not in place to ensure that this system was updated in a timely manner but it’s even more troubling that there was not a strong disaster recovery plan in place for such an essential system.
Anthony Wong says
Agreed… This would prevent the need to transport the patients, which would decrease the chance of any deaths.
Candace T Nelson says
My revulsion of this intrusion and its consequences is beyond words – especially since the University Hospital of Düsseldorf and the poor woman who died, her family and friends – were all unintended victims. I truly hope the perpetrators are identified and that justice is served.
I noted that the article highlighted an increase in ransomware incidents on UK educational institutions and that the most common infection vectors have been remote desktop protocol (no doubt due to the increase in distance learning brought about by COVID ), vulnerable hardware/software, and email phishing. I found it interesting that the UK National Cyber Security Centre recommended that organizations “maintain up-to-date offline backups, adopt endpoint malware protection, secure RDP services using multi-factor authentication, and have an effective patch management strategy in place.”
I wonder if any of my classmates noticed that these recommendations do not address the risk of social engineering tactics such as email phishing. In my experience, the best way to prevent such attacks is to provide security awareness training accompanied by phishing simulations to continually reinforce the need for users to remain vigilant about the threat of attack.
Humbert Amiani says
CISA Joins MITRE to Issue Vulnerability Identifiers
Due to a planned expansion in the number of organizations managing vulnerability information, the Cybersecurity and Infrastructure Security Agency (CISA) – a branch within the U.S. Department of Homeland Security – has joined MITRE in assigning Common Vulnerability Enumeration identifiers. This assignment is for software vulnerabilities in the Medical and Industrial Control Systems industries.
Both entities will maintain root-level CVE Numbering Authority and will report to the board managing the CVE program. The entry of CISA in assigning CVE identifiers assists MITRE in efforts to decongest the process and avoid delays as seen between 2014 and 2016. This addition is expected to result in more coverage of software in the respective industries (Medical and ICS) and, as a result, more vulnerabilities will be named and addressed appropriately.
https://www.darkreading.com/vulnerabilities—threats/vulnerability-management/cisa-joins-mitre-to-issue-vulnerability-identifiers/d/d-id/1338930?&web_view=true
Kelly Sharadin says
Hi,
I don’t think there is any industry more resistant to implementing patches than the medical sector. While this is certainly a necessary expansion of resources (CISA + MITRE), I would be curious to know what plans exist to improve/enforce these updates. Otherwise it feels like a fairly empty endeavor if there’s no way to ensure any of these systems actually get patched. Possibly because healthcare is part of critical infrastructure, hospitals that are operating in the public sector might have to prove proper security measures as a mandatory requirement for funding. Interesting article and thought provoking.
Humbert Amiani says
Hi Kelly,
The medical industry has much to do in terms of catching up on patching the different systems in use. It does not help that there are so many systems that need to be integrated to work as one major system. The addition of CISA to CVE assignments can help them identify more vulnerabilities, but it is up to the industry players to patch them before they get exploited.
Anthony Wong says
I agree Kelly, I would be interested in seeing their mitigation plans and strategies for all the vulnerabilities that arise for their system(s). Furthermore, the healthcare industry collects an abundance of PII and confidential medical data for all their patients that needs to be protected. I would think applying patches regularly would help their overall cyber security objectives, but I understand the criticality if a system is offline due to issues.
Amelia Safirstein says
I agree that this may be an empty endeavour without any enforcement of updates. I’m sure the creation of any regulations on this would be incredibly complicated given the critical infrastructure involved.
Candace T Nelson says
I agree, Kelly. When one considers the level of risk associated with the personally identifiable, sensitive, confidential, etc. information that the medical sector routinely maintains, processes, stores and communicates, it is hard to understand why there haven’t been more regulations imposed. HIPAA only goes so far.
Perhaps one of the reasons this industry is resistant to implementing patches is because their systems have been customized and/or converged over time (due to mergers and acquisitions) in such a manner that complicates the deployment of standard patches. We recently encountered a situation at my place of business whereby a small portion of a routine upgrade did not affect all records that were expected, and it is believed that this is due to a portion of the software that was customized and, therefore, the changes were not fully applied.
Anthony Wong says
On New Year’s Eve, Travelex was the victim of a ransomware attack that affected its websites in 30 countries and had 5GB of customer data stolen. The cybercriminals were able to execute the hack due to two vulnerabilities in Travelex’s network. The first vulnerability was from the Pulse Connect Secure VPN (CVE-2019-11510) and the other was a Windows vulnerability (CVE-2018-8453). The VPN vulnerability was announced in May, meaning Travelex failed to patch their VPN for over seven months, and the Windows vulnerability was left unpatched for a little over a year. Failure to patch these vulnerabilities cost Travelex $2.3 million in ransom and, additionally, the hackers demanded another $6 million to not leak the customer data. Furthermore, the organization could face fines for not notifying the Information Commissioner’s Office about the breach because it believed data was not stolen.
URL:
https://threataware.com/travelex-hacked/
https://riskonnect.com/cyber-security/industry-news-cost-and-consequences-of-travelex-hack-could-run-and-run/
Kelly Sharadin says
Most of you have probably heard of ‘tech debt’ before, well now we have ‘security debt.’ In this article from Dark Reading, the average firm “fails to patch 28% of vulnerabilities, leading to a backlog of more than 57,000 unfixed security issues every six months” (Lemos, 2020). The statistics in this article are pretty staggering regarding how ill-equipped businesses are when it comes to effective vulnerability management. The article quotes the head of IBM’s X-Force Red, saying while firms are good at finding flaws, they do the bare minimum to fix them, thus contributing to an endless security debt. Furthermore, businesses struggle to prioritize vulnerabilities based on business impact. To that end, in terms of this week’s discussion prompt – it seems that vulnerability scans can do little to prevent breaches if no one in the organization is applying the remediation. Is it possible we will see remediation as a service soon – if it doesn’t already exist?
https://www.darkreading.com/vulnerabilities—threats/vulnerability-management/firms-still-struggle-to-prioritize-security-vulnerabilities/d/d-id/1338687
Zhuofu Wang says
Hi Kelly,
Thank you for sharing.
Once a product has been developed, the security vulnerabilities discovered at that point are often difficult or costly to repair. This is the reason why security management begins to intervene in the early stages of product development and continues until product development is completed. Even so, there may still be unexpected security vulnerabilities. Therefore, the company can only address high risks first, and the rest may be overlooked as the product version is iterated, eventually becoming ‘security debt’.
Kelly Sharadin says
Hi,
This article is speaking to a firm’s overall security posture and the subsequent backlog of unpatched/non-remediated incidents that leave a business exposed, rather than appsec alone. However, you do share an interesting perspective on how to prioritize fixing vulnerabilities in the development phase!
Nicholas Fabrizio says
Hi Kelly,
Thank you for sharing the article it was interesting. What stood out to me was the Ponemon Institute study which said “42% of those respondents blame the breach on known but unpatched security vulnerabilities”. This percentage seems unnecessarily high for preventable breaches and organizations need to be more diligent in their risk assessments of found vulnerabilities and how it will impact them.
Amelia Safirstein says
Nick,
I agree. It sounds like in many cases, decision makers are not conducting or not presented with risk assessments. In turn, they are only focused on avoiding immediate losses from downtime and don’t put efforts toward patching. In some cases, it may make sense for a business to accept the risk but the “only a quarter of firms are prioritizing vulnerabilities based on business impact” shows that this likely isn’t the case.
Kelly Sharadin says
Hi,
To me it seems that firms are more concerned with just meeting bare minimum requirements for compliance (not sure if this is what you’re referring to as immediate losses). Failure to conceptualize the financial consequences of neglected vulnerabilities is a total absence of IT/IS governance for organizations.
Nicholas Fabrizio says
Amelia,
I agree. The immediate losses from the downtime of patching a vulnerability would be far less than the costly repercussions of responding to a preventable breach.
Amelia Safirstein says
Kelly,
Great/shocking read! This article also brings up an interesting point when it mentions a quote from Henderson “Organizations are focused on meeting compliance requirements with vulnerability management rather than actually eliminating the vulnerabilities,”. It highlights the importance of regulation because, who knows how many more vulnerabilities would be overlooked or ignored if these organizations weren’t forced to deal with them. It also shows how important it is for decision makers to gain a full understanding of the potential losses due to security failures.
Kelly Sharadin says
Amy,
I just read your above comment before reading this response. Exactly, we’re in total agreement there. I’m sure if you were to survey these firms you would see that IT/IS is probably fairly segregated from the overall business governance.
Candace T Nelson says
This was a great article, Kelly. As an Accountant, when I hear the term debt I automatically associate it with a dollar impact. I noted that Amelia mentioned “it may make sense for a business to accept the risk…” which is entirely true. However, management generally needs to understand the qualitative and quantitative likelihood and impact of risks before they can perform a cost benefit analysis (weighing the sum of the benefits of an action [patching vulnerabilities] against the negatives/costs of that action [downtime]).
I was surprised to read that 38% of companies utilize the Common Vulnerability Scoring System (CVSS) to prioritize which vulnerabilities to patch, even though CVSS has proven to be less than reliable. Then, the fact that another 37% of companies prioritize based on which vulnerabilities have been weaponized seems short sighted and only partially effective. My initial thought was that prioritization should be based on the assets that are most important to the business (in accordance with a Business Impact Analysis), and this is consistent with 25% of the companies that were surveyed. In actuality, a hybrid method is probably the best approach – one that utilizes a weighted version of each of the aforementioned approaches, as well as others that may be more specific to industries, infrastructure, etc.
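The hybrid prioritization described in the comment above, worked through as an added example (not code from the article or from any commenter): each finding gets a score that weights its CVSS base score, whether it is known to be weaponized, and the criticality of the asset it sits on from a Business Impact Analysis. The weights, the asset tiers and the sample backlog are all assumptions constructed for illustration, and the finding identifiers are placeholders rather than real CVE numbers. The point it makes is that the hybrid order differs from a pure CVSS order: a 7.5 on the payments database with a public exploit outranks a 9.8 on the marketing site.

```python
"""Hybrid vulnerability prioritization: CVSS x exploitation status x asset criticality.

Added illustration, not the article's or a vendor's algorithm. Weights, asset
tiers and the sample backlog are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed weights; an organization would tune these from its own BIA and history.
W_CVSS = 0.4        # severity as reported by the scanner
W_EXPLOITED = 0.3   # evidence that the flaw is weaponized / exploited in the wild
W_ASSET = 0.3       # business criticality of the affected asset

# Constructed asset criticality (0..1) from a notional Business Impact Analysis.
ASSET_CRITICALITY = {
    "payments-db": 1.0,
    "hr-portal": 0.6,
    "dev-jenkins": 0.5,
    "marketing-site": 0.2,
}


@dataclass(frozen=True)
class Finding:
    fid: str           # placeholder finding id (would be a CVE or scanner plugin id)
    asset: str         # host/application the finding was observed on
    cvss: float        # CVSS base score, 0.0-10.0
    weaponized: bool   # public exploit available / known exploitation


def priority(f: Finding) -> float:
    """Weighted score in 0..1 combining the three methods the comment describes."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range for {f.fid}: {f.cvss}")
    # An asset missing from the BIA is treated as mid-tier rather than ignored,
    # so an incomplete inventory cannot silently push findings to the bottom.
    criticality = ASSET_CRITICALITY.get(f.asset, 0.5)
    score = (W_CVSS * (f.cvss / 10.0)
             + W_EXPLOITED * (1.0 if f.weaponized else 0.0)
             + W_ASSET * criticality)
    return round(score, 3)


def rank(findings):
    """Hybrid order: highest priority first; ties broken by CVSS, then id."""
    return sorted(findings, key=lambda f: (-priority(f), -f.cvss, f.fid))


def rank_by_cvss(findings):
    """The 'CVSS only' order that 38% of surveyed firms reportedly use."""
    return sorted(findings, key=lambda f: (-f.cvss, f.fid))


# Constructed sample backlog (ids are placeholders, not real CVEs).
SAMPLE = [
    Finding("F1", "marketing-site", 9.8, False),
    Finding("F2", "payments-db", 7.5, True),
    Finding("F3", "hr-portal", 8.1, False),
    Finding("F4", "dev-jenkins", 6.5, True),
]

if __name__ == "__main__":
    print("hybrid order:")
    for f in rank(SAMPLE):
        print(f"  {priority(f):.3f}  {f.fid}  {f.asset:15}  cvss={f.cvss}  weaponized={f.weaponized}")
    print("cvss-only order:", [f.fid for f in rank_by_cvss(SAMPLE)])
```

The two orderings disagree on three of four positions for this backlog, which is the practical argument for the hybrid approach: a scanner's severity column alone cannot tell an analyst that the lower-scored finding is the one an attacker can actually use against the asset that matters.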
Zhuofu Wang says
Google makes Tsunami vulnerability scanner open-source
Tsunami is Google’s internal vulnerability scanner. Google said it has been designed to be extremely adaptable. It supports scanning for a wide variety of device types. There is a two-step process for Tsunami to scan a system. The first step is reconnaissance: it scans the network for open ports and the protocols and services running on those ports. The second step is vulnerability verification: it uses the collected information to analyze whether there are any vulnerabilities. Also, Tsunami supports extensions for its vulnerability verification module. (Anthony, 2020)
With the increase of users and the support of the open source community, Tsunami’s functions will become more and more complete. This may be good news for small companies and startups, because open source tools like Tsunami can help them save costs.
URL: https://www.techradar.com/news/google-open-sources-tsunami-vulnerability-scanner
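The two-phase design the post describes (reconnaissance to find open ports and services, then vulnerability verification by plugins that only run against the services they apply to) as an added example. This is not Tsunami’s code, and the service fingerprints, the two plugins and the target “network” are constructed assumptions: the network is an in-memory fixture so the scan runs offline and deterministically, and the `tcp_probe` function shows where a real banner grab would plug in for hosts you are authorized to scan.

```python
"""Two-phase scanner skeleton: recon (ports -> services) then plugin verification.

Added illustration, not Tsunami's code. FIXTURE, the identify() heuristics,
"ExampleHTTPd" and both plugins are constructed for the example.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    name: str      # "ssh", "ftp", "http" or "unknown"
    banner: str


@dataclass(frozen=True)
class Vulnerability:
    plugin: str
    service: Service
    detail: str


# ---- phase 1: reconnaissance ------------------------------------------------

# Constructed fixture standing in for the network: host -> {open port: banner}.
FIXTURE = {
    "10.0.0.5": {22: "SSH-2.0-OpenSSH_7.4", 80: "Server: ExampleHTTPd/1.2"},
    "10.0.0.9": {21: "220 FTP server ready (anonymous allowed)",
                 8080: "Server: ExampleHTTPd/2.0"},
}


def fixture_probe(host, port, timeout=1.0):
    """Banner for host:port from the fixture, or None when the port is closed."""
    return FIXTURE.get(host, {}).get(port)


def tcp_probe(host, port, timeout=1.0):
    """Real probe with the same contract: connect, read a banner, None if closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256).decode(errors="replace").strip()
            except socket.timeout:
                return ""  # open but silent (HTTP waits for a request)
    except OSError:
        return None


PORT_HINTS = {21: "ftp", 22: "ssh", 80: "http", 443: "https", 8080: "http"}


def identify(port, banner):
    """Banner-first service identification; port number is only a fallback."""
    b = banner.lower()
    if b.startswith("ssh-"):
        return "ssh"
    if b.startswith("220") and "ftp" in b:
        return "ftp"
    if b.startswith("server:") or "http" in b:
        return "http"
    return PORT_HINTS.get(port, "unknown")


def reconnaissance(hosts, ports, probe=fixture_probe):
    found = []
    for host in hosts:
        for port in ports:
            banner = probe(host, port)
            if banner is not None:
                found.append(Service(host, port, identify(port, banner), banner))
    return found


# ---- phase 2: vulnerability verification plugins ----------------------------

class Plugin:
    name = "base"
    targets = ()           # service names the plugin knows how to verify

    def verify(self, svc):
        return None        # a Vulnerability, or None when the check does not fire


class OutdatedExampleHttpd(Plugin):
    """Constructed check: flags the fictional ExampleHTTPd below version 2.0."""
    name = "outdated-examplehttpd"
    targets = ("http",)
    FIXED = (2, 0)

    def verify(self, svc):
        marker = "ExampleHTTPd/"
        if marker not in svc.banner:
            return None
        ver = tuple(int(x) for x in svc.banner.split(marker, 1)[1].split()[0].split("."))
        if ver < self.FIXED:
            return Vulnerability(self.name, svc, f"version {ver} is below fixed {self.FIXED}")
        return None


class AnonymousFtp(Plugin):
    """Constructed check: the banner advertises anonymous login."""
    name = "anonymous-ftp"
    targets = ("ftp",)

    def verify(self, svc):
        if "anonymous" in svc.banner.lower():
            return Vulnerability(self.name, svc, "server advertises anonymous login")
        return None


PLUGINS = [OutdatedExampleHttpd(), AnonymousFtp()]


def verify(services, plugins=PLUGINS):
    results = []
    for svc in services:
        for p in plugins:
            if svc.name in p.targets:        # recon output gates which plugins run
                v = p.verify(svc)
                if v is not None:
                    results.append(v)
    return results


def scan(hosts, ports, probe=fixture_probe, plugins=PLUGINS):
    return verify(reconnaissance(hosts, ports, probe), plugins)


if __name__ == "__main__":
    for v in scan(list(FIXTURE), [21, 22, 80, 443, 8080]):
        print(f"{v.plugin}: {v.service.host}:{v.service.port} ({v.service.banner}) - {v.detail}")
```

Adding a detector means adding a `Plugin` subclass and listing it in `PLUGINS`; the recon phase is untouched, which is what makes the verification module extensible in the sense the post describes.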
Humbert Amiani says
Hi Zhuofu,
This is definitely good news for most organizations, especially smaller ones. Tsunami is a good vulnerability scanning tool and I have to wait and see how making it open source will turn out. Hopefully we get to see more improvements. However standardization of versions will no longer exist with different releases coming out randomly.
Zhuofu Wang says
Hi Humbert,
Yeah, that’s true. This is determined by the nature of open-source software. Using device types with a larger base will have better support, while other smaller ones will not have frequent updates and upgrades.
Anthony Wong says
Hi Humbert,
Do you have experience using Tsunami? If so, how would you compare it to Nessus, which we are playing around with this week?
Hi Zhuofu,
I think one thing to consider with open source software is that you won’t necessarily get better support because there is not a designated group of experts to support user’s needs. You may be able to find help within the community, but that could take time.
Amelia Safirstein says
IBM found a vulnerability in a group of IoT connectivity chips. IoT device manufacturers often purchase and embed these chips in their products for connectivity. The chips were used in critical machinery including medical devices, manufacturing and energy/utility machinery. If bad actors take advantage of the vulnerability, they could endanger the lives of patients or damage a power grid. A patch for the vulnerability has been released, but historically IoT devices have been overlooked as a security concern. One infamous example of IoT devices being overlooked in security is the “smart” fish tank that was used in an otherwise locked-down casino network. You can read more on the fish tank incident here: https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino/
Article on the vulnerability found in EHS8 chips: https://techhq.com/2020/08/billions-of-industrial-iot-devices-could-be-flawed/
Candace T Nelson says
The Payment Card Industry (PCI) Security Standards Council (SSC) is a global forum of payments industry stakeholders who jointly develop and drive the adoption of Data Security Standards (DSS, or the Standards) and resources for safe payments worldwide. The Standards were developed to protect payment account data and enable technology solutions that devalue the data, thereby eliminating the incentive for hackers to steal it.
The Standards consist of the following six broad goals and 12 underlying requirements that:
1. Cultivate security best practices for merchants, service providers and financial institutions with regard to their technologies and processes, and
2. Guide developers and vendors in the creation of secure payment products and solutions.
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update antivirus software or programs.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.
The link below will bring you to the PCI DSS Quick Reference Guide (Guide) that was last updated in July 2018. The purpose of the Guide is to inform and educate merchants/other entities that process, store or transmit cardholder and/or sensitive authentication data. On pages 23 and 24, Requirement 11 – Regularly test security systems and processes (which relates specifically to internal and external vulnerability scanning) – is broken down into the following six steps:
11.1 Identify all authorized/unauthorized wireless access points (WAPs) quarterly; maintain an inventory of authorized WAPs; and implement incident response procedures for when unauthorized WAPs are detected.
11.2 Perform internal and external network vulnerability scans at least quarterly {1} and after significant changes {2}; address vulnerabilities; and perform rescans until they pass, after which an entity must subsequently complete four consecutive quarters of passing scans.
11.3 Develop and implement a penetration testing methodology that includes external and internal testing at least annually and after significant upgrades/modifications.
11.4 Use up-to-date IDS/IPS techniques to detect and/or prevent network intrusions; monitor all traffic at the perimeter of – and critical points inside – the cardholder data environment; and alert personnel to suspected compromises.
11.5 Deploy change detection mechanisms to alert personnel to unauthorized modification of critical system files, configuration files or content files; implement a process to respond to alerts generated by these mechanisms; and configure the software to perform critical file comparisons at least weekly.
11.6 Ensure related security policies/operational procedures are documented, known to all affected parties, and in use.
{1} Quarterly external scans must be performed by an Approved Scanning Vendor.
{2} Scans conducted after network changes and internal scans may be performed by internal staff.
https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf?agreement=true&time=1601231978296
Bryan Garrahan says
https://kirkpatrickprice.com/blog/best-practices-vulnerability-scanning/?utm_campaign=coschedule&utm_source=facebook_page&utm_medium=KirkpatrickPrice&utm_content=Best+Practices+for+Vulnerability+Scanning
This article discusses the different levels and frequencies of vulnerability scanning for organizations that are subject to regulatory compliance. Additionally, the article points out that the frequency of vulnerability scanning is dependent on a few things such as organizational changes, compliance standards, and security program goals. You can expect to see requirements for vulnerability scanning from these industry compliance and regulatory standards:
– ISO 27001: Requires quarterly external and internal vulnerability scans
– HIPAA: Requires a thorough risk assessment and vulnerability process, which can be identified with vulnerability scanning
– PCI DSS: Requires quarterly external and internal scans conducted by an ASV (Approved Scanning Vendor)
– FISMA: Requires documentation and implementation of a vulnerability program to protect the availability, confidentiality, and integrity of IT systems
- NIST: Requires either quarterly or monthly vulnerability scans depending on the particular NIST framework (800-171, 800-53, etc.)
For me personally, I know my company (insurance services) is subject to both HIPAA and PCI DSS requirements. We actually have an upcoming penetration test engagement in which I am assigned to work on so I am very interested to see what kind of vulnerability scanning tools and techniques we utilize.
Bryan Garrahan says
https://searchitoperations.techtarget.com/news/252489043/DevSecOps-strategy-mimics-cloud-shared-responsibility-model
This article outlines how the term DevSecOps came to be through security automation tools included in DevOps pipelines, and how to explain what those tools do to auditors. Additionally, the article reveals how DevSecOps mimics the shared responsibility model employed by hyperscale cloud providers. The article outlines how Mettle, a UK-based startup, has adopted DevSecOps and deployed it across their IT enterprise. The article notes, “Similarly, DevSecOps organizations delegate specific, manageable areas of responsibility to developers, security and IT ops pros, respectively, within a set of shared tools. Some even emulate the customer-provider relationship among teams as well.” Within this framework, the responsibility around managing vulnerabilities falls on Mettle’s developers. The article states, “Meanwhile, developers ensure application security through a set of continuous integration tests pre-deployment, using open source tools such as Aqua’s Trivy vulnerability scanner, Conftest for configuration testing and kubeval, which scans Kubernetes YAML and JSON files.”
Jerry Butler says
https://www.darkreading.com/vulnerabilities—threats/vulnerability-management/cisa-joins-mitre-to-issue-vulnerability-identifiers/d/d-id/1338930?&web_view=true
The US Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) has taken over responsibility for assigning Common Vulnerability Enumeration (CVE) identifiers for software vulnerabilities in two specific industries — medical devices and industrial control systems — as part of a planned expansion in the number of organizations managing vulnerability information, according to CISA and government contractor MITRE.