Finally Finding the ‘Unknown Unknowns’ Across Your Entire Attack Surface


CISOs dread the “unknown unknowns” – the assets, vulnerabilities, misconfigurations and system weaknesses that the security team hasn’t detected and thus hasn’t secured. These blind spots represent a golden opportunity for attackers – and a major security risk for organizations.

“Unknown unknowns.” It’s the answer I’ve heard most consistently from CISOs and other security leaders throughout my career when they’re asked: “What keeps you awake at night?” Most security programs are built to create broad visibility into the environment and identify where the organization is most at risk. With that insight, decisions can be made on how and where to best mitigate risk to reduce potential impact of loss to the business. In many ways, being a driving force within a risk management program is the core mission of any security effort. And while there are a number of tools and techniques that contribute to providing visibility, there is still a great deal of challenge around discovering and understanding the “unknown unknowns” and shifting them into the realm of what’s known. Once they’re visible and accounted for, security teams can leverage their risk decision-making engine and mitigate those risks like all the other known ones.

In recent years, we’ve seen two techniques in particular that are helping security teams close the gap on those “unknown unknowns”: External Attack Surface Management (EASM) and Attack Path Analysis (APA). Let’s discuss what these techniques are, why they’re becoming a critical part of a mature security program and how they help security organizations get their arms around their environment’s attack surface.

Attack surface management

One area that often hides “unknown unknowns” and that is particularly difficult to understand and manage is the externally-facing part of an organization’s infrastructure. Assets which are publicly and continuously accessible from the Internet are going to be the first things that an attacker will see and attempt to compromise, as they are expected to be connected to and even probed. Where this becomes a problem for defenders, though, is when there are assets out in the public space that they don’t know about. For example, there could be a leftover DNS entry, which could be hijacked by an attacker who intends to commit fraud with it, or a poorly secured server or web application that a well-intentioned developer has spun up as a test, but with the organization’s domain information. Typically, organizations have dozens of assets and services out there that security teams are not aware of – but attackers very likely are.

EASM technology specifically addresses this problem by continuously scanning and monitoring public-facing assets. These tools provide easy-to-digest searchability into whatever is found that is associated with an organization’s public assets (i.e., domain name, IP address space, etc.). Done right, EASM provides consistent, constant visibility into those public-facing assets, wherever and whatever they are. Anecdotally, when I have worked with organizations in my previous life as a consultant, EASM tools identify an order of magnitude more public-facing assets than most security teams believe they have. And with the rise of cloud infrastructure and environments, it’s easier than ever for developers, IT staff and yes, even the security team, to spin up new assets that may not be recorded or identified consistently. Leveraging EASM, though, means those potential attack vectors become known and steps can be taken to either bring them within the purview of the risk mitigation efforts or remove them outright from existence so they can no longer be maliciously utilized. It’s a powerful tool to shine a light into an area that’s very difficult to address without an automated toolset that can find, identify and organize Internet-exposed assets.

Attack path analysis

Now, if EASM can help identify the potential entry points for an attacker, then APA can identify which vulnerabilities, misconfigurations and other system weaknesses will likely be used to reach critical datasets and assets. At the most basic level, APA creates relationships between disparate types of security findings to pinpoint places that, unbeknownst to the security team, could be compromised, or areas where security controls can be circumvented to reach critical targets. Some SIEM tools and breach and attack simulation (BAS) products attempt to identify these relationships between vulnerabilities, but their capabilities are either limited in scope or only replicate known attacks in static ways against a single vulnerability. APA technology, however, approaches this from the bottom up, leveraging vulnerability assessment and exposure management efforts, which provide a more complete understanding of the configuration, vulnerability state and risk context for each asset. That way, APA tools can create a far better picture of the security posture of each asset and thus offer a more comprehensive view of the relationships between all of the data.

Think of it like this. If a nail puncture can cause a flat tire, then we know that there is a threat (nails) and a vulnerability (rubber is not impervious to punctures). We could use this information to test the other tires and confirm that there is a potential they’re also at risk from a nail puncture. But, if we tried to apply that same threat to other parts of the car, the analysis falls apart. The body of the car won’t suffer the same impact if a nail punctures the metal. The engine block might not even be damaged at all. Using a single threat and vulnerability type over and over again to assess the risk to the whole of the car doesn’t really provide meaningful information about what’s at risk and what could go wrong. 

But, what if we related different types of threats that related to each other? A nail puncture could cause a flat tire, and if the tire blows out completely, the car may ride on the rim long enough to cause structural damage to the suspension or braking system. If the car is old or hasn’t been properly maintained, the domino effect could continue unfolding, causing damage to the engine or cooling systems. In this case, we’re seeing different types of threats and weaknesses, but we’re able to relate them to each other to see how there could be a broader, systemic failure that stems from a single, initial threat.

This holds true in exactly the same way for the modern attack surface within our organizations. A public-facing asset might be compromised because of a misconfigured port, which then allows the attacker to launch a SQL Injection attack from that host against a corporate web application. The breached application in turn exposes data that allows the attackers to obtain a username and password that provides access to another host. From there, they can launch a broader attack against a known exploitable Windows vulnerability that gives them elevated administrative access, which can then be used to traverse the internal network to reach whatever critical assets the attackers might want. This is a truer picture of how attacks unfold. To successfully defend against attacks, we must be able to understand the entire path and where one vulnerability type can lead to exploiting another, often completely different type of vulnerability. This is the key for deciding where to implement security controls that are quick to deploy and cost effective, so that we can close the holes in our defenses we didn’t previously know about.

Defense-in-depth strategies have always been about layering security controls in a way that protects the assets and pathways we know about. APA surfaces the “unknown unknowns” of where an attacker is likely to strike and traverse through the environment, making those particular attack vectors “known knowns” and allowing teams to extend their controls to close those gaps. 
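As an added illustration of the path-linking idea above (example code written for this page, not from the article or any APA product), the following builds a small constructed graph of assets and findings, enumerates the paths from the Internet to a critical asset, and ranks the findings by how many paths each one sits on, which is where a single control closes the most gaps. All asset names, finding labels and edges are constructed:

```python
"""Toy attack-path analysis over a constructed asset/finding graph.

An edge (src, dst, finding) means: a finding on `dst` lets whoever already
controls `src` reach `dst`. Assets, findings and edges are constructed for
this example; nothing here comes from a real environment or APA product.
"""
from collections import Counter
from typing import Dict, List, Tuple

Edge = Tuple[str, str, str]

# Constructed findings, loosely following the chain described in the article:
# misconfigured port -> SQL injection -> leaked credentials -> Windows CVE.
EDGES: List[Edge] = [
    ("internet", "public-host", "misconfigured-port"),
    ("public-host", "web-app", "sql-injection"),
    ("web-app", "file-server", "exposed-credentials"),
    ("file-server", "domain-controller", "unpatched-windows-cve"),
    ("domain-controller", "customer-db", "admin-access"),
    # A second, forgotten entry point of the kind EASM tends to surface.
    ("internet", "test-server", "default-credentials"),
    ("test-server", "file-server", "shared-service-account"),
]
CRITICAL = {"customer-db"}


def build_adjacency(edges: List[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    adj: Dict[str, List[Tuple[str, str]]] = {}
    for src, dst, finding in edges:
        adj.setdefault(src, []).append((dst, finding))
    return adj


def attack_paths(edges: List[Edge], start: str = "internet",
                 critical=CRITICAL) -> List[List[Tuple[str, str]]]:
    """Enumerate every simple path from `start` to a critical asset.
    Each path is a list of (asset reached, finding that enabled the hop)."""
    adj = build_adjacency(edges)
    paths: List[List[Tuple[str, str]]] = []

    def walk(node: str, visited: set, hops: List[Tuple[str, str]]) -> None:
        if node in critical:
            paths.append(list(hops))
            return
        for dst, finding in adj.get(node, []):
            if dst in visited:          # no cycles: simple paths only
                continue
            hops.append((dst, finding))
            walk(dst, visited | {dst}, hops)
            hops.pop()

    walk(start, {start}, [])
    return paths


def chokepoints(paths: List[List[Tuple[str, str]]]) -> List[Tuple[str, int]]:
    """Rank findings by the number of attack paths they sit on. Fixing the
    top-ranked finding closes the most paths for one remediation."""
    counts = Counter(finding for path in paths for _, finding in path)
    return counts.most_common()


def paths_after_fix(edges: List[Edge], finding: str) -> List[List[Tuple[str, str]]]:
    """Residual attack paths once every instance of `finding` is remediated."""
    return attack_paths([e for e in edges if e[2] != finding])


if __name__ == "__main__":
    found = attack_paths(EDGES)
    for p in found:
        print(" -> ".join(f"{asset} [{finding}]" for asset, finding in p))
    for finding, n in chokepoints(found):
        print(f"{finding}: on {n} of {len(found)} paths")
```

On this graph both paths converge on the unpatched Windows host, so patching it removes every route to the database, whereas fixing the SQL injection alone leaves the forgotten test server's route open.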

No more “unknown unknowns”

As environments get more and more complex, the potential for attack vectors that are “unknown unknowns” goes up exponentially. Leveraging our existing best practices for vulnerability assessment, configuration assessment and risk management to serve as the foundation for an analysis of the relationships between all of those findings arms security teams with an invaluable tool to protect their infrastructure, reduce the number of “unknown unknowns” and, hopefully, sleep a bit better at night.

Want more guidance about your security strategy? Check out Tenable’s 2021 Threat Landscape Retrospective, which provides a comprehensive analysis of last year’s threat landscape that security professionals can use to improve their security right now, and view the webinar “Exposure Management for the Modern Attack Surface: Identify & Communicate What’s Most at Risk in Your Environment and Vital to Fix First.”


Palo Alto adds software composition analysis to Prisma Cloud to boost open-source security


Palo Alto Networks has added a new software composition analysis (SCA) solution to Prisma Cloud to help developers safely use open-source software components. The vendor has also introduced a software bill of materials (SBOM) for developers to maintain and reference a codebase inventory of application components used across cloud environments. The updates come as open-source software risks persist with attention steadily turning toward raising the security bar surrounding open-source components.


Credit Card Fraud That Bypasses 2FA


Someone in the UK is stealing smartphones and credit cards from people who have stored them in gym lockers, and is using the two items in combination to commit fraud:

Phones, of course, can be made inaccessible with the use of passwords and face or fingerprint unlocking. And bank cards can be stopped.

But the thief has a method which circumnavigates those basic safety protocols.

Once they have the phone and the card, they register the card on the relevant bank’s app on their own phone or computer. Since it is the first time that card will have been used on the new device, a one-off security passcode is demanded.

That verification passcode is sent by the bank to the stolen phone. The code flashes up on the locked screen of the stolen phone, leaving the thief to tap it into their own device. Once accepted, they have control of the bank account. They can transfer money or buy goods, or change access to the account.


Uber links cyberattack to LAPSUS$, says sensitive user data remains protected


Uber has linked its recent cyberattack to an actor (or actors) affiliated with the notorious LAPSUS$ threat group, responsible for breaching the likes of Microsoft, Cisco, Samsung, Nvidia and Okta this year. The announcement came as the ride-hailing giant continues to investigate a network data breach that occurred on Thursday, September 15.

Attacker gained elevated permissions to tools including G-Suite and Slack

In a security update published on Monday, September 19, Uber wrote, “An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account.” Each time, the contractor received a two-factor login approval request, which initially blocked access, it added.


Risk counts for Cyber and here is why


Risk is one of those standard terms within cybersecurity that many struggle to define when asked what risk is and how it applies to cybersecurity. To start, we need to understand risk as it applies to security. Risk, like mathematics, is an artificial construct that humans use to understand and describe their environment.

In a fundamental sense, risk can be defined as the likelihood of an adverse or unwanted event occurring and the Impact should that event be realized. A simple calculation to express risk is that risk is a function (f) of the likelihood, expressed as a probability (P), and the Impact (I) should the event occur, often expressed in monetary terms. The calculation appears as R=f(PI). (Quantifying Cyber Risk: Solving the Riddle | AT&T Cybersecurity, att.com)

Consider a house that is worth $100,000. Suppose that an insurance agency calculates a 1% likelihood of the house burning to the ground each year, resulting in a total loss of the house. The Annualized Loss Expectancy (ALE) can be calculated as R=f(PI) or R = f(.01 • $100,000) or $1,000 per year.  The insurance company would then calculate the premium based on the ALE and add a margin.

In much the same way, risk can be used within the safety and all security domains to identify the most significant risks to address in a prioritized fashion. Consider another simple comparison. According to NASA, people are struck by meteorites approximately every nine years on Earth. There are at least seven recorded fatalities from people being struck by meteorites. (Death From Above: Seven Unlucky Tales of People Killed by Meteorites | Discover Magazine)

While being struck by a meteorite is certainly not a fun thing to consider, compare that to the number of car accidents that result in fatality in a given year. According to the National Safety Council, there are approximately 35,000 deaths annually caused by automobile accidents and over 2 million accidents annually. (NSC Statement on NHTSA Motor Vehicle Fatality Estimates for 2019 – National Safety Council)

Suppose you leave your house and are only allowed to consider a single control to manage risk. You can buy a Titanium helmet to reduce the risk of a meteorite strike or buckle your seatbelt when you get into your car. Which of the controls is most likely going to mitigate the most significant amount of risk? The risk of being struck by a meteorite is infinitesimally small, whereas the likelihood of being in a car accident is much greater. In this scenario, wearing the seatbelt and forgoing meteorite protection would be wise.
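As an added example (written for this page, not from the article), the ALE arithmetic above generalised to a list of risks and a choice of one control: each control is scored by the ALE it removes minus what it costs to run. The $100,000 house at 1% is the article's figure; the meteorite, car accident and control numbers are constructed:

```python
"""Annualized loss expectancy (ALE) and choosing a single risk control.

R = f(P, I) with the simplest f: ALE = P * I. The $100,000 house at 1%
annual fire probability is the article's figure; the meteorite, car
accident and control numbers below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # P: annual likelihood of the event, 0..1
    impact: float        # I: loss if the event occurs, in dollars

    def ale(self) -> float:
        return self.probability * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: str       # name of the risk this control acts on
    reduction: float     # fraction of that risk's ALE removed, 0..1
    annual_cost: float   # cost of running the control for a year


def total_ale(risks: List[Risk]) -> float:
    return sum(r.ale() for r in risks)


def residual_ale(risks: List[Risk], control: Control) -> float:
    """Total ALE across all risks after applying exactly one control."""
    total = 0.0
    for r in risks:
        ale = r.ale()
        if r.name == control.mitigates:
            ale *= 1.0 - control.reduction
        total += ale
    return total


def best_single_control(risks: List[Risk],
                        controls: List[Control]) -> Tuple[str, Dict[str, float]]:
    """Score each control by net benefit (ALE removed minus its cost) and
    return the winner plus the full scoreboard."""
    baseline = total_ale(risks)
    scores = {c.name: baseline - residual_ale(risks, c) - c.annual_cost
              for c in controls}
    return max(scores, key=scores.get), scores


HOUSE = Risk("house fire", 0.01, 100_000)   # article's example: ALE $1,000

RISKS = [                                   # constructed figures
    Risk("meteorite strike", 1e-9, 1_000_000),
    Risk("car accident", 0.02, 50_000),
]
CONTROLS = [
    Control("titanium helmet", "meteorite strike", 0.9, 500),
    Control("seatbelt", "car accident", 0.5, 0),
]

if __name__ == "__main__":
    print(f"house ALE: ${HOUSE.ale():,.0f}/year")
    winner, board = best_single_control(RISKS, CONTROLS)
    for name, net in board.items():
        print(f"{name}: net benefit ${net:,.2f}/year")
    print("choose:", winner)
```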

In much the same way, risk analysis can help companies prioritize and mitigate their cyber risk effectively and efficiently. All companies face infinite risks, from meteorites (as demonstrated), hackers, and malicious insiders to natural events such as floods. All organizations have finite budgets and resources to address infinite risks. The question becomes: “how does a company most effectively allocate those resources to address the greatest risks?” 

By applying a risk-based approach, organizations can quickly identify and prioritize their risks based on a number of factors. While not a complete listing, aspects such as the type of data being protected (intellectual property, PII, NPI, etc.), the industry in which the organization works (national defense, retail, manufacturing, etc.), and the types of technologies employed all play a factor in identifying the risk profile and strategies to reduce the identified risks to an acceptable level. 

Many companies have chosen to use cyber insurance as their primary source of risk mitigation. This is a flawed approach. There are four different means of risk mitigation, and each should be considered for a comprehensive risk management strategy: 1) Risk Reduction/Control (implementing controls, as discussed); 2) Risk Transference (such as cyber insurance); 3) Risk Acceptance (accepting the de minimis risk that is not worth addressing); 4) Risk Avoidance (avoiding the risk by not engaging in the business or actions that expose one to it).

While each of the strategies above has value, choosing one without considering the others does not allow for a comprehensive risk management strategy. By applying a risk-based approach to security, companies can address risks and threats in the most efficient, effective and cost-conscious way.


Watch Out for These 3 Online Job Scams


If you recently found yourself looking for a new job, you are far from alone. According to the Institute of Labor Economics, more Canadians were seeking new employment opportunities at the height of the pandemic than during the previous three recessions combined. Job hunters only used to have to worry about the clarity of their cover letters and impressing interviewers. Now, however, a new hurdle is in the mix in the race for a new job: online job scams. 

Here are three online job scams that you may encounter, plus a few tips on how to avoid and report them. 

1. Fake Job Ads

Fake job ads trick employment seekers into giving up their financial information. Fake job ads are more likely to appear on free sites, such as Craigslist, but they could be listed anywhere. So, no matter where you are searching, be wary that not everyone is looking for a talented individual such as yourself. They are on the hunt for sensitive personal details. 

When you are interviewing for jobs, legitimate employers are careful and intentioned about evaluating your fit for the job. For this reason, employers want to make sure they are not interviewing fake candidates, so they are likely going to want to meet you face-to-face or through a video chat. If an employer extends a job offer after a few email exchanges or an instant messenger job interview, request a more formal meeting. If they say that they would like to move fast and hire quickly, be concerned as no real employer would act that quickly. 

Guard your personal and financial information until you are 100% sure of the legitimacy of a job offer. Be on high alert if the “human resources representative” asks for your credit card or banking information to pay for training. Fake employers may also ask for your Social Insurance Number before extending a job offer letter. A great rule of thumb is to never share your SIN with anyone over the phone or over email. 

2. Phishing Emails

Between March and September 2020, 34% of Canadian respondents reported receiving a phishing message, according to a survey by Statistics Canada. Phishing emails often include malicious links that, when clicked, download malware to your device. Online job scams may not only attempt to steal your sensitive information, but they may also be phishing attempts to take over your personal devices.

Some scammers using job offers as a guise might email people who never applied for a new opportunity. Be careful around these types of messages, urges the University of Calgary. Recruiters will most likely reach out and offer unsolicited interviews through social networking channels rather than email. Also, when you receive emails from people looking to hire you, take note of their email domain name. Is the email domain customized to the company’s name or is it a generic @gmail or @yahoo? Check the spelling of the email domain carefully too. Phishers are notoriously bad spellers and sometimes they use incorrect spelling of domain names to trick people into thinking they are the real company. 

3. Immigration Scams

Immigrating anywhere is a massive and stressful undertaking. Cybercriminals prey upon this stressful, major life event and target immigrants with enticing, but fake, job offers. The Government of Canada advises to never trust someone who says they can guarantee you a job in Canada. Also, keep an eye on the salary. Is it very high? Do your skills not completely align with the job description? Does the job seem very easy? Unfortunately, that may mean that the offer is too good to be true.  

How to Cover Your Bases

The best way to avoid falling for job scams is to know what you are looking for and to take your time when considering a new job. Check out these tips to outsmart scammers and keep your personal information and devices safe. 

1. Verify employers

Most job applications are submitted online, but if an employer is impressed by your resume, they will likely offer a screening call. When a human resources representative calls, make sure to note their name and ask for the website address of the company. Afterwards, search for the company online and the human resources representative who called you. They should show up together on a professional-looking website or a professional networking site. 

2. Read carefully

Inspect all correspondences you get from potential employers. Phishers often use language that inspires strong emotions and urges a speedy response. Strong emotions could include excitement or fear. If the email says you only have a few hours to respond or else the job will go to someone else, be skeptical. Accepting a job is a huge decision that you should be able to take at least a few days to think about. Read carefully, always hover over links to see where they redirect, and keep a level head when making decisions about your next career move. 

3. Report fraudulent activity

When you come across fraudulent activity, it is important that you report it to the correct authorities to stop it from happening to someone else. For immigration and online job scams, contact the Canadian Anti-Fraud Centre. 

4. Install security tools 

Phishers and job scammers may have gotten in contact with you with the aim of downloading malicious software on your computer. A comprehensive suite of security tools will protect you from viruses and malware that may have slipped past your eagle eye. McAfee Total Protection offers premium antivirus software, safe web browsing, and PC optimization. 

The post Watch Out for These 3 Online Job Scams appeared first on McAfee Blog.


Most common SAP vulnerabilities attackers try to exploit


Unpatched vulnerabilities, common misconfigurations and hidden flaws in custom code continue to make enterprise SAP applications a target-rich environment for attackers at a time when threats like ransomware and credential theft have emerged as major concerns for organizations.

A study that Onapsis conducted last year, in collaboration with SAP, found attackers are continuously targeting vulnerabilities in a wide range of SAP applications including ERP, supply chain management, product life cycle management and customer relationship management. Active scanning for SAP ports has increased since 2020 among attackers looking to exploit known vulnerabilities, particularly a handful of highly critical CVEs.
