DevSecOps plan process

In the DevOps and DevSecOps Introduction, What is DevOps, we reviewed how our security teams overlay onto DevOps for visibility and increased security throughout the software lifecycle. This article explores DevSecOps during the planning phase of the project and why it’s important for developers to be trained on how to help protect the software they are writing from Free Open-Source Software “FOSS” risks and supply chain attacks.

Development’s role in DevSecOps

Development teams that have an Agile culture will be familiar with DevOps frameworks and the ability to deal with rapid change effectively. As developers work through user stories, they may search for available FOSS that is useful and speeds up the user story delivery. DevSecOps collaboration with developers during this process helps protect user stories from the risks associated with using FOSS and supply chain attacks.

Free Open-Source Software “FOSS” risks

Arguably the most popular FOSS is the Linux operating system released in 1991 by Linus Torvalds. It is free to use, and the source code is publicly available. The copyleft license type that covers Linux requires a developer who modifies certain parts of the Linux operating system to share the source code they created. The two main categories of FOSS licenses are copyleft and permissive.

A copyleft license means that the software author retains the copyright on their work, and anyone who uses, modifies, or shares the work must make their code publicly available. A developer in a private company who adds to or modifies copyleft-licensed software could be forced to expose proprietary code or trade secrets. An example of a copyleft license is the GNU GPL v2, created by Richard Stallman.

A permissive license gives the developer much more freedom when adding to or modifying the software and generally requires nothing in return. Some permissive licenses attach more requirements than others, but in general they are less risky for a business to combine with proprietary software. An example of a permissive license is the MIT License, created at the Massachusetts Institute of Technology.

US courts have set a precedent in favor of the FOSS author when there is a dispute. This is why the organization's security and compliance teams should create a policy that provides an authorized list of FOSS licenses for use within the organization. Developers should consult the security and compliance teams with any additional questions or requests for FOSS exceptions.

This collaboration protects the company from potentially having to share proprietary software, pay fines, or defend itself in litigation. More importantly, protecting proprietary software from a FOSS license violation can also limit the risk of a supply chain attack.
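The license allow-list policy described above can be enforced mechanically at planning or build time. The following is an added example (not code from the original article): it checks a constructed dependency manifest against a constructed allow-list of permissive licenses and an exceptions register, evaluating simple SPDX-style "OR" / "AND" expressions so that a dual-licensed package with a permissive option passes while a copyleft-only package is blocked unless an exception has been granted. Package names, the ticket reference and the policy sets are all hypothetical.

```python
"""Check a dependency manifest against an organization's FOSS license allow-list."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed policy: permissive licenses approved for use alongside proprietary code.
ALLOWED_LICENSES: Set[str] = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

# Constructed exceptions register: package -> approval reference from security/compliance.
EXCEPTIONS: Dict[str, str] = {"gplreader": "COMPLIANCE-123 (hypothetical ticket)"}


@dataclass
class Finding:
    package: str
    license_expr: str
    status: str      # "allowed", "exception" or "blocked"
    reason: str


def license_permitted(expr: str, allowed: Set[str]) -> bool:
    """Evaluate a flat SPDX-style expression (no nested parentheses).

    'A OR B' is permitted if any choice is permitted, because the business may
    elect the permissive option; 'A AND B' requires every component to be permitted.
    """
    for option in expr.split(" OR "):
        components = [p.strip() for p in option.strip().strip("()").split(" AND ")]
        if all(p in allowed for p in components):
            return True
    return False


def evaluate(manifest: List[Tuple[str, str]],
             allowed: Set[str] = ALLOWED_LICENSES,
             exceptions: Dict[str, str] = EXCEPTIONS) -> List[Finding]:
    """Classify each (package, license expression) pair under the policy."""
    findings = []
    for name, expr in manifest:
        if license_permitted(expr, allowed):
            findings.append(Finding(name, expr, "allowed", "license on allow-list"))
        elif name in exceptions:
            findings.append(Finding(name, expr, "exception", exceptions[name]))
        else:
            findings.append(Finding(name, expr, "blocked",
                                    "copyleft or unreviewed; consult security/compliance"))
    return findings


# Constructed sample manifest: (package, SPDX license expression).
SAMPLE_MANIFEST = [
    ("fastjson-lite", "MIT"),
    ("netutils", "Apache-2.0 AND BSD-3-Clause"),
    ("dualcore", "GPL-2.0-only OR MIT"),      # dual-licensed: the MIT option is usable
    ("gplreader", "GPL-2.0-only"),            # copyleft, but has an approved exception
    ("mysterylib", "LGPL-3.0-only"),          # copyleft, no exception: blocked
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_MANIFEST):
        print(f"{f.status:9} {f.package:14} {f.license_expr:28} {f.reason}")
```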

Supply chain attacks

In 2020, the network monitoring company SolarWinds unknowingly distributed malicious software to their customers. It was a huge event that went unnoticed for months and exposed many well-known technology companies to hackers. Evidence of the incident showed that malicious software was injected into the SolarWinds Orion software during the build process. When the new version of software was released to customers, hackers were unknowingly granted access to systems.

Supply chain attacks occur when developers include (accidentally or intentionally) FOSS that is malicious or contains vulnerabilities in their own software during the build process. Embedded in the developer's software release, the malicious software acts like a Trojan horse. Once it has been installed by a user, the malicious software activates and either waits for commands from its controller or starts performing pre-defined actions such as a ransomware attack, harvesting login credentials, or scanning the network for other systems it can move to. Below are some of the common ways supply chain attacks happen, along with how DevSecOps can work with developer teams during the planning process to prevent them.

Compromised software updates – Software developers release patches and updates to their software on a regular cadence. DevSecOps helps protect users by making sure developers only use software updates that come from a valid and protected source.
Inherent defects in FOSS – FOSS is not immune to bugs, security flaws, and malicious actors. DevSecOps advises software developers to pull FOSS from reputable public repositories. Developers should also search the version history for security issues or concerns before implementing FOSS into their software builds.
FOSS download limitations – Public repositories and registries allow only a limited number of free downloads per day. Large development organizations can quickly exceed these limits, which can result in failed software builds or delay a planned production deployment. DevSecOps can provide private repositories and registries, under the control of the business and without download limits, where developers store the FOSS they depend on.
Manual steps in a build and release process – Developers should plan their projects around the use of automated build and release pipelines. Pipelines allow DevSecOps to use security scanning tools to identify malicious software.
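The first two items above (updates only from a valid, protected source; reviewed FOSS served from a private registry) come down to one build-time check: an artifact is installed only if it is pinned in a reviewed lockfile, is served from the organization's own mirror, and still hashes to the value recorded when it was approved. The following is an added example, not code from the original article; the mirror, lockfile and artifact contents are constructed in-line, and the "tampered" netlib archive simulates a mirror copy that was replaced after review.

```python
"""Build-time integrity gate for third-party artifacts (constructed example)."""
import hashlib
import hmac
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts as they sit on the private mirror (archive name -> bytes).
GOOD_LIB = b"def parse(x):\n    return x.strip()\n"
TAMPERED_LIB = GOOD_LIB + b"\nimport os; os.system('echo injected')\n"  # simulated injected code
PRIVATE_MIRROR: Dict[str, bytes] = {
    "textutils-1.4.2.tar.gz": GOOD_LIB,
    "netlib-0.9.0.tar.gz": TAMPERED_LIB,
    "unpinned-2.0.0.tar.gz": b"never reviewed",
}

# Constructed lockfile: pins recorded when each dependency was reviewed and approved.
LOCKFILE = (
    "# archive sha256:<hex digest>\n"
    "textutils-1.4.2.tar.gz sha256:" + sha256_hex(GOOD_LIB) + "\n"
    "netlib-0.9.0.tar.gz sha256:" + sha256_hex(b"original netlib 0.9.0 contents") + "\n"
    "ghost-1.0.0.tar.gz sha256:" + sha256_hex(b"approved but never mirrored") + "\n"
)


def parse_lockfile(text: str) -> Dict[str, str]:
    """Return {archive name: expected hex digest}; reject unsupported hash algorithms."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, digest = line.split()
        algo, hexdigest = digest.split(":", 1)
        if algo != "sha256":
            raise ValueError(f"unsupported hash algorithm for {name}: {algo}")
        pins[name] = hexdigest.lower()
    return pins


def gate_build(requested: List[str], mirror: Dict[str, bytes],
               lockfile_text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (approved archives, [(rejected archive, reason), ...]) for a build request."""
    pins = parse_lockfile(lockfile_text)
    approved: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for name in requested:
        if name not in pins:
            rejected.append((name, "not pinned in lockfile"))
        elif name not in mirror:
            rejected.append((name, "not present on private mirror"))
        elif not hmac.compare_digest(sha256_hex(mirror[name]), pins[name]):
            rejected.append((name, "hash mismatch: artifact differs from reviewed version"))
        else:
            approved.append(name)
    return approved, rejected
```

A real pipeline would fail the build whenever the rejected list is non-empty and log the reasons for the security team.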

Licensing and supply chain attacks can expose business systems to serious risks and be very difficult to eliminate when embedded in a software release. Planning with DevSecOps helps software developers navigate the risks associated with FOSS and supply chain attacks.

Next steps

When planning is complete and developers begin coding their software, they need a secure place to store and protect their work. The next article will cover how we secure repositories to protect the company's proprietary code.

QNAP: Act Now to Mitigate DeadBolt Ransomware

A leading maker of network-attached storage (NAS) devices is urging customers to upgrade to the latest software version and reconfigure their systems in order to thwart a new ransomware campaign.

Taiwan vendor QNAP released a statement yesterday in response to the mounting threat from a new variant known as “DeadBolt.”

It advised customers to ensure their devices are not exposed to the internet, by opening the Security Counselor and checking if the dashboard displays the following message: “The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP.”

If it does, organizations should check the Virtual Server, NAT or port forwarding settings and disable the port forwarding setting for the NAS management service port, which by default means ports 8080 and 443.

Next, they should disable UPnP by going to “myQNAPcloud” on the QTS menu, clicking “Auto Router Configuration,” and de-selecting “Enable UPnP port forwarding,” the vendor explained.

“DeadBolt has been widely targeting all NAS exposed to the internet without any protection and encrypting users’ data for Bitcoin ransom,” it warned.

“QNAP urges all QNAP NAS users to follow the security setting instructions below to ensure the security of QNAP NAS and routers, and immediately update QTS to the latest available version.”

The threat actors behind DeadBolt are purportedly claiming to leverage a zero-day exploit in their attacks, which would presumably work even on updated QTS versions. However, disconnecting from the internet would keep organizations safe.

“Organizations right now should have critical insight into the use of SSH and Telnet into their QNAP devices as well as connections on port 8080 and 443 emanating from their QNAPs and historic levels of UPnP traffic,” advised Armis cyber risk officer, Andy Norton.

“There are threads surfacing on some of the support forums, where the decryption key did not work after payment, but it is also possible to remove DeadBolt using other utilities on the QNAP device.”

A report out yesterday warned that vulnerability exploits are an increasingly popular initial access vector for ransomware gangs, with the number of bugs associated with such attacks jumping 29% year-on-year in 2021.

This is far from the first time QNAP customers have been targeted by ransomware. Over the past year, AgeLocker and eCh0raix variants prompted warnings from the vendor.

Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution.

iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.
iPadOS is the successor to iOS 12 and is a mobile operating system for iPads.
macOS Monterey is the 18th and current major release of macOS.
macOS Big Sur is the 17th release of macOS.
macOS Catalina is the 16th major release of macOS.
watchOS is the mobile operating system for Apple Watch and is based on the iOS operating system.
tvOS is an operating system for fourth-generation Apple TV digital media player.
Safari is a graphical web browser developed by Apple.

12 steps to take when there’s an active adversary on your network

CISOs know they must respond quickly and effectively to an incident, yet surveys point to continuing challenges to deliver on that goal.

The State of Incident Response 2021 report, from tech companies Kroll, Red Canary and VMware, surveyed more than 400 IS professionals and 100 legal and compliance leaders and found that 45% of them identified inadequacies in detection and response resources. Additionally, 55% wanted to improve time to containment and incident response automation.

There are compelling reasons for investing in improved incident response.

IT and DevOps Staff More Likely to Click on Phishing Links

IT staff are more likely to click on phishing links and are often worse at reporting threats than their peers elsewhere in the organization, according to new research from F-Secure.

The security vendor tested over 82,000 participants from four organizations to compile its study, To Click or Not to Click: What We Learned from Phishing 80,000 People. They were exposed to several tactics commonly used by cyber-criminals to steal data, deploy malware and conduct business email compromise (BEC).

Worryingly, in the two organizations studied where technical staff were tested, they showed a greater propensity to click.

In one of the companies, 30% of DevOps and 21% of IT staff clicked on test phishing emails, compared to an average of just 11% for all departments. In the other organization, the rate for DevOps was 26%, slightly higher than the average of 25% overall.

That’s despite more technical staff than the average claiming to be alert to the problem of phishing. In one organization, 17% of respondents said they had noticed a phishing email in their inbox in the past, versus 27% of IT and 29% of DevOps respondents.

In the other, the average for spotting phishing was 44% but shot up to 60% for those working in DevOps.

Technical staff members are also poor at flagging phishing attacks. In one organization, IT and DevOps came third and sixth out of nine departments in terms of reporting. In the other, DevOps was the twelfth best at reporting out of 17 departments, while IT came down in fifteenth place.

Matthew Connor, F-Secure service delivery manager and lead author of the report, claimed that over-confidence might be partly to blame for the results.

“I don’t believe you reduce susceptibility by teaching people about phishing. I believe you reduce susceptibility by making sure staff know the basics and by motivating them to want to spend the time and effort identifying and reporting phishing attacks,” he told Infosecurity.

“It is possible that the technical staff know what phishing is but have too much confidence in the technical protective measures in place and in their own ability to spot attacks. This leads them to be relaxed and susceptible, rather than alert and secure.”

Connor argued that reporting is a crucial link in the corporate security chain to help detect and prevent attacks and build resilience.

“Either technical staff in these organizations genuinely did not spot the phishing attempts and are not as adept as they may think, or they are not following the best practices to support the business,” he concluded.

“Ultimately for me, this study shows that technical staff need just as much support as the rest of the organization in combatting phishing.”

North Korea Loses Internet in Suspected Cyber-Attack

North Korea has experienced an internet outage that may have been caused by a cyber-attack.

The country lost internet access for approximately six hours on Wednesday morning local time. The incident was the second outage to hit North Korea in the past two weeks.

Junade Ali, a cybersecurity researcher who monitors various North Korean web and email servers from a location in Britain, told Reuters that the latest outage could have resulted from a distributed denial-of-service (DDoS) attack.

Describing the recent incident, Ali said: “When someone would try to connect to an IP address in North Korea, the internet would literally be unable to route their data into the country.”

Within a few hours of the suspected DDoS attack, servers supporting email were back up and running. However, disruption and downtime continued to impact individual web servers of institutions, including North Korea’s ministry of foreign affairs, the Air Koryo airline, and Naenara – the official portal for the North Korean government.

Seoul-based news site NK Pro, which monitors events in North Korea, reported that log files and network records indicated that websites ending in .kp and hosted on North Korean web domains were mostly unreachable. The reason given for this was that North Korea’s Domain Name System (DNS) had ceased to communicate the routes that data packets are meant to take.

The news site observed that a similar incident had occurred in North Korea on January 14, 2022.

Ali said that the way the outage unfolded indicated it was “the result of some form of network stress rather than something like a power cut.”

He said that no traffic was being sent to or from North Korea at the apex of the recent attack.

“It’s common for one server to go offline for some periods of time, but these incidents have seen all web properties go offline concurrently. It isn’t common to see their entire internet dropped offline,” said Ali.

He added: “During the incidents, operational degradation would build up first with network timeouts, then individual servers going offline and then their key routers dropping off the internet.”

Mac webcam hijack flaw wins man $100,500 from Apple

An independent researcher has received a $100,500 bug bounty from Apple after discovering a security hole in the company’s Safari browser for macOS that could allow a malicious website to hijack accounts and seize control of users’ webcams.

Read more in my article on the Hot for Security blog.

2022 Cybersecurity Predictions to Watch Out For

As eventful as 2020 was, 2021 was equal to its predecessor. It was a year that bounced from hope to cautious optimism, then back to disquiet. While some of our cybersecurity predictions for 2021 were accurate, the year came to a close as organizations are forced to address the significant challenges of dealing with the Log4j vulnerability. As we enter 2022, we’ve asked a few of the experts on the CIS team to share their 2022 cybersecurity predictions. Some, you’ll notice, are similar to last year’s, as we work hard to stay steps ahead of threats and bad actors. But there are also a few new predictions we’ll be sure to keep an eye on as we step into 2022. […]

Critical VMware vCenter Server vulnerability (CVE-2021-22005) being exploited in the wild

FortiGuard Labs is aware that VMware disclosed a critical vulnerability (CVE-2021-22005) on September 21st, 2021 that affects vCenter Server versions 6.7 and 7.0. A malicious attacker with network access to port 443 on vCenter Server can exploit the vulnerability and execute code on vCenter Server upon successful exploitation. The VMware advisory was updated on September 24th to state that the vulnerability is being exploited in the wild. In addition, exploit code is publicly available.

Why is this Significant?

VMware has one of the highest market shares in the server virtualization market, so the vulnerability can have a widespread effect. Also, some public reports indicate that CVE-2021-22005 is being exploited in the wild. With exploit code publicly available, more attackers are expected to leverage the security bug. Because of the potential impact the vulnerability has in the field, CISA released an advisory on September 24th, 2021.

What are the Details of the Vulnerability?

Details of the vulnerability have not been disclosed by VMware.

Has VMware Released an Advisory for CVE-2021-22005?

Yes, the vendor released a cumulative advisory on September 21st, 2021. See the Appendix for a link to VMSA-2021-0020.1. The vendor also released a supplemental blog post and an advisory. See the Appendix for links to “VMSA-2021-0020: What You Need to Know” and “VMSA-2021-0020: Questions & Answers”.

Has the Vendor Released a Patch?

Yes. VMware released a patch on September 21st, 2021.

Any Mitigations or Workarounds?

VMware provided workarounds in a blog post. See the Appendix for a link to “Workaround Instructions for CVE-2021-22005 (85717)”.

What is the Status of Coverage?

FortiGuard Labs is investigating IPS protection. This Threat Signal will be updated with protection information as it becomes available.
