In the Deloitte poll, 50.2% of respondents said their organization is at risk of ‘harvest now, decrypt later’ attacks

Read More

CISOs dread the “unknown unknowns” – the assets, vulnerabilities, misconfigurations and system weaknesses that the security team hasn’t detected and thus hasn’t secured. These blind spots represent a golden opportunity for attackers – and a major security risk for organizations.

“Unknown unknowns.” It’s the answer I’ve heard most consistently from CISOs and other security leaders throughout my career when they’re asked: “What keeps you awake at night?” Most security programs are built to create broad visibility into the environment and identify where the organization is most at risk. With that insight, decisions can be made on how and where to best mitigate risk to reduce potential impact of loss to the business. In many ways, being a driving force within a risk management program is the core mission of any security effort. And while there are a number of tools and techniques that contribute to providing visibility, there is still a great deal of challenge around discovering and understanding the “unknown unknowns” and shifting them into the realm of what’s known. Once they’re visible and accounted for, security teams can leverage their risk decision-making engine and mitigate those risks like all the other known ones.

In recent years, we’ve seen two techniques in particular that are helping security teams close the gap on those “unknown unknowns”: External Attack Surface Management (EASM) and Attack Path Analysis (APA). Let’s discuss what these techniques are, why they’re becoming a critical part of a mature security program and how they help security organizations get their arms around their environment’s attack surface.

Attack surface management

One area that often hides “unknown unknowns” and that is particularly difficult to understand and manage is the externally-facing part of an organization’s infrastructure. Assets which are publicly and continuously accessible from the Internet are going to be the first things that an attacker will see and attempt to compromise, as they are expected to be connected to and even probed. Where this becomes a problem for defenders, though, is when there are assets out in the public space that they don’t know about. For example, there could be a leftover DNS entry, which could be hijacked by an attacker who intends to commit fraud with it, or a poorly secured server or web application that a well-intentioned developer has spun up as a test, but with the organization’s domain information. Typically, organizations have dozens of assets and services out there that security teams are not aware of – but attackers very likely are.

EASM technology specifically addresses this problem by continuously scanning and monitoring public-facing assets. These tools provide easy-to-digest searchability into whatever is found that is associated with an organization’s public assets (i.e., domain name, IP address space, etc.). Done right, EASM provides consistent, constant visibility into those public-facing assets, wherever and whatever they are. Anecdotally, when I have worked with organizations in my previous life as a consultant, EASM tools identify an order of magnitude more public-facing assets than most security teams believe they have. And with the rise of cloud infrastructure and environments, it’s easier than ever for developers, IT staff and yes, even the security team, to spin up new assets that may not be recorded or identified consistently. Leveraging EASM, though, means those potential attack vectors become known and steps can be taken to either bring them within the purview of the risk mitigation efforts or remove them outright from existence so they can no longer be maliciously utilized. It’s a powerful tool to shine a light into an area that’s very difficult to address without an automated toolset that can find, identify and organize Internet-exposed assets.

Attack path analysis

Now, if EASM can help identify the potential entry points for an attacker, then APA can identify which vulnerabilities, misconfigurations and other system weaknesses will likely be used to reach critical datasets and assets. At the most basic level, APA creates relationships between disparate types of security findings to pinpoint places that, unbeknownst to the security team, could be compromised, or areas where security controls can be circumvented to reach critical targets. Some SIEM tools and breach attack simulation (BAS) products attempt to identify these relationships between vulnerabilities , but their capabilities are either limited in scope or only replicate known attacks in static ways against a single vulnerability. However, APA technology approaches this from the bottom up, leveraging vulnerability assessment and exposure management efforts, which provide a more complete understanding of the configuration, vulnerability state and risk context for each asset. That way, APA tools can create a far better picture of the security posture of each asset and thus offer a more comprehensive view of the relationships between all of the data.

Think of it like this. If a nail puncture can cause a flat tire, then we know that there is a threat (nails) and a vulnerability (rubber is not impervious to punctures). We could use this information to test the other tires and confirm that there is a potential they’re also at risk from a nail puncture. But, if we tried to apply that same threat to other parts of the car, the analysis falls apart. The body of the car won’t suffer the same impact if a nail punctures the metal. The engine block might not even be damaged at all. Using a single threat and vulnerability type over and over again to assess the risk to the whole of the car doesn’t really provide meaningful information about what’s at risk and what could go wrong. 

But, what if we related different types of threats that related to each other? A nail puncture could cause a flat tire, and if the tire blows out completely, the car may ride on the rim long enough to cause structural damage to the suspension or braking system. If the car is old or hasn’t been properly maintained, the domino effect could continue unfolding, causing damage to the engine or cooling systems. In this case, we’re seeing different types of threats and weaknesses, but we’re able to relate them to each other to see how there could be a broader, systemic failure that stems from a single, initial threat.

This holds true in exactly the same way for the modern attack surface within our organizations. A public-facing asset might be compromised because of a misconfigured port, which then allows the attacker to launch a SQL Injection attack from that host against a corporate web application. The breached application in turn exposes data that allows the attackers to obtain a username and password that provides access to another host. From there, they can launch a broader attack against a known exploitable Windows vulnerability that gives them elevated administrative access, which can then be used to traverse the internal network to reach whatever critical assets the attackers might want. This is a truer picture of how attacks unfold. , To successfully defend against attacks, we must be able to understand the entire path and where one vulnerability type can lead to exploiting another, often completely different type of vulnerability. This is the key for deciding where to implement security controls that are quick to deploy and cost effective, so that we can close the holes in our defenses we didn’t previously know about. 

Defense-in-depth strategies have always been about layering security controls in a way that protects the assets and pathways we know about. APA surfaces the “unknown unknowns” of where an attacker is likely to strike and traverse through the environment, making those particular attack vectors “known knowns” and allowing teams to extend their controls to close those gaps. 

No more “unknown unknowns”

As environments get more and more complex, the potential for attack vectors that are “unknown unknowns” goes up exponentially. Leveraging our existing best practices for vulnerability assessment, configuration assessment and risk management to serve as the foundation for an analysis of the relationships between all of those findings arms security teams with an invaluable tool to protect their infrastructure, reduce the number of “unknown unknowns” and, hopefully, sleep a bit better at night.

Want more guidance about your security strategy? Check out Tenable’s 2021 Threat Landscape Retrospective, which provides a comprehensive analysis of last year’s threat landscape that security professionals can use to improve their security right now, and view the webinar “Exposure Management for the Modern Attack Surface: Identify & Communicate What’s Most at Risk in Your Environment and Vital to Fix First.”

Read More

Palo Alto Networks has added a new software composition analysis (SCA) solution to Prisma Cloud to help developers safely use open-source software components. The vendor has also introduced a software bill of materials (SBOM) for developers to maintain and reference a codebase inventory of application components used across cloud environments. The updates come as open-source software risks persist with attention steadily turning toward raising the security bar surrounding open-source components.

To read this article in full, please click here

Read More

Organizations can use security best practices to achieve compliance, ensure the protection of data assets, and scale their cybersecurity efforts.[…]

Read More

Someone in the UK is stealing smartphones and credit cards from people who have stored them in gym lockers, and is using the two items in combination to commit fraud:

Phones, of course, can be made inaccessible with the use of passwords and face or fingerprint unlocking. And bank cards can be stopped.

But the thief has a method which circumnavigates those basic safety protocols.

Once they have the phone and the card, they register the card on the relevant bank’s app on their own phone or computer. Since it is the first time that card will have been used on the new device, a one-off security passcode is demanded.

That verification passcode is sent by the bank to the stolen phone. The code flashes up on the locked screen of the stolen phone, leaving the thief to tap it into their own device. Once accepted, they have control of the bank account. They can transfer money or buy goods, or change access to the account.

Read More

Uber has linked its recent cyberattack to an actor (or actors) affiliated with the notorious LAPSUS$ threat group, responsible for breaching the likes of Microsoft, Cisco, Samsung, Nvidia and Okta this year. The announcement came as the ride-hailing giant continues to investigate a network data breach that occurred on Thursday, September 15.

Attacker gained elevated permissions to tools including G-Suite and Slack

In a security update published on Monday, September 19, Uber wrote, “An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account.” Each time, the contractor received a two-factor login approval request, which initially blocked access, it added.

To read this article in full, please click here

Read More

Risk is one of those standard terms within cybersecurity that, when asked to define, many struggle to explain what risk is and how it applies to cybersecurity. To start, we need to understand risk as it applies to security. Risk, like mathematics, is an artificial construct that humans use to understand and describe their environment. 

In a fundamental sense, risk can be defined as the likelihood of an adverse or unwanted event occurring and the Impact should that event be realized. A simple calculation to express risk is that risk is the function (f) of the likelihood as expressed as a probability (P) and the Impact should the event occur. Often expressed in monetary terms. (I). The calculation appears as R=f(PI). (Quantifying CyberRisk- Solving the riddle | AT&T Cybersecurity (att.com)

Consider a house that is worth $100,000. Suppose that an insurance agency calculates a 1% likelihood of the house burning to the ground each year, resulting in a total loss of the house. The Annualized Loss Expectancy (ALE) can be calculated as R=f(PI) or R = f(.01 • $100,000) or $1,000 per year.  The insurance company would then calculate the premium based on the ALE and add a margin.

In much the same way, risk can be used within the safety and all security domains to identify the most significant risks to address in a prioritized fashion. Using another simple example, consider two examples. According to NASA, people are struck by meteorites approximately every nine years on Earth. There are at least seven recorded fatalities from people being struck by meteorites. (Death From Above: Seven Unlucky Tales of People Killed by Meteorites | Discover Magazine) 

While being struck by a meteorite is certainly not a fun thing to consider, compare that to the number of car accidents that result in fatality in a given year. According to the National Safety Council, there are approximately 35,000 deaths annually caused by automobile accidents and over 2 million accidents annually. ( NSC Statement on NHTSA Motor Vehicle Fatality Estimates for 2019 – National Safety Council). 

Suppose you leave your house and are only allowed to consider a single control to manage risk. You can buy a Titanium helmet to reduce the risk of a meteorite strike or buckle your seatbelt when you get into your car. Which of the controls is most likely going to mitigate the most significant amount of risk? The risk of being struck by a meteorite is infinitesimally small, whereas the likelihood of being in a car accident is much greater. In this scenario, wearing the seatbelt and forgoing meteorite protection would be wise.

In much the same way, risk analysis can help companies prioritize and mitigate their cyber risk effectively and efficiently. All companies face infinite risks, from meteorites (as demonstrated), hackers, and malicious insiders to natural events such as floods. All organizations have finite budgets and resources to address infinite risks. The question becomes: “how does a company most effectively allocate those resources to address the greatest risks?” 

By applying a risk-based approach, organizations can quickly identify and prioritize their risks based on a number of factors. While not a complete listing, aspects such as the type of data being protected (intellectual property, PII, NPI, etc.), the industry in which the organization works (national defense, retail, manufacturing, etc.), and the types of technologies employed all play a factor in identifying the risk profile and strategies to reduce the identified risks to an acceptable level. 

Many companies have chosen to use cyber insurance as their primary source of risk mitigation. This is a flawed approach. There are four different means of risk mitigation. Each should be considered for a comprehensive risk management strategy. They include 1) Risk Reduction/Control (by implementing controls as discussed), 2) Risk Transference (such as with cyber insurance) 3) Risk Acceptance (accepting the de minimus risk that is not worth addressing) 4) Risk Avoidance (avoid the risk by not engaging in the business or actions that expose one to risk).

While each of the strategies above has value, choosing one without considering the others does not allow for a comprehensive risk management strategy. By applying a risk-based approach to security, companies can most efficiently and effectively address risks and threats cost-effectively.

Read More

An undisclosed number of people have been impacted

Read More