The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Where do vulnerabilities fit with respect to security standards and guidelines? Was it a coverage issue or an interpretation and implementation issue? Where does a product, environment, organization, or business vertical fail the most in terms of standards requirements? These questions are usually left unanswered because of the gap between standards or regulations on the one hand, and requirements interpretation and implementation, on the other. Certified products and environments often suffer from security issues that were supposed to be covered by the requirements of the standard.

In [1], for instance, the authors give examples of vulnerable products that were IEC 62443 certified. In [2], SANS discusses the case of PCI-certified companies and why they are still being breached. This “interpretation gap,” whether it manifests in the implementation of requirements or in the assessment process, hinders security and leads to the fact that being compliant is not necessarily the same as being secure.

Admittedly, the interpretation of guidelines and requirements in standards, which have a descriptive approach in general, is not an easy task. Requirements can be rather generic and wide open to interpretation depending on the context, resources, the current threat landscape, the underlying technologies, etc. Specific requirements might also lead to conflicting interpretations depending on the type of stakeholder, which will inevitably affect the implementation side.

Threat modeling is one way to avoid shortcomings (or even possible shortcuts) in the implementation of standards, and the organization’s own security policies. Think of threat modeling as an enforcement mechanism for the proper implementation of requirements. The reason this is the case is simple; threat modeling thinks of the requirements in terms of relevant threats to the system, and determines mitigations to reduce or completely avoid the associated risks. Consequently, each requirement is mapped to a set of threats and mitigations that covers relevant use cases under specific conditions or context, e.g., what are the trust boundaries, protocols and technologies under use or consideration, third-party interactions, dataflows, data storage, etc.

This is becoming a must-have nowadays since, when it comes to technical requirements, the concern about their interpretation still persists even when companies have been audited against them. In the following, the presented data analysis makes the link between disclosed vulnerabilities in Industrial Control Systems (ICS) and the technical requirements reported in the ‘gold standard’ of standards in this area, namely the IEC 62443. It shows the difficulty of satisfying the requirements in broad terms and the need for more specific context and processes.

CISA ICS advisories’ mapping

The analysis of CISA ICS advisories data, representing close to 2,5K advisories released between 2010 and mid-2023 [3], reveals the extent of the challenge an implementer or an assessor is faced with. Table 1 presents the top weaknesses and the associated count of advisories as well as IEC 62443 requirements’ mapping. Affected sectors, the CVSS severity distribution, and top weaknesses per sector are also reported; in Figures 1 and 2, and Table 2.

Table 1. Top weaknesses in CISA’s ICS advisories and their IEC 62443 mapping.

Weakness

Name

Number of advisories

IEC 62443 technical requirement

CWE-20

Improper Input Validation

266

SR/CR 3.5 – Input validation

CWE-121

Stack-based Buffer Overflow

257

CWE-79

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

205

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

185

CWE-284

Improper Access Control

159

FR1 – Identification and authentication control (IAC)

 

FR2 – Use control (UC)

CWE-125

Out-of-bounds Read

158

SR/CR 3.5 – Input validation

CWE-22

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

149

CWE-400

Uncontrolled Resource Consumption

145

SR/CR 7.1 – Denial of service protection

 

SR/CR 7.2 – Resource management

CWE-787

Out-of-bounds Write

139

SR/CR 3.5 – Input validation

CWE-287

Improper Authentication

137

SR/CR 1.1 – Human user identification and authentication

 

SR/CR 1.2 – Software process and device identification and authentication

CWE-122

Heap-based Buffer Overflow

128

SR/CR 3.5 – Input validation

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

115

FR4 – Data confidentiality (DC)

 

SR/CR 3.7 – Error handling

CWE-798

Use of Hard-coded Credentials

101

SR/CR 1.5 – Authenticator management

CWE-306

Missing Authentication for Critical Function

98

SR/CR 1.1 – Human user identification and authentication

 

SR/CR 1.2 – Software process and device identification and authentication

 

SR/CR 2.1 – Authorization enforcement

CWE-352

Cross-Site Request Forgery (CSRF)

84

SR/CR 1.4 – Identifier management

CWE-89

Improper Neutralization of Special Elements Used in an SQL Command (‘SQL Injection’)

81

SR/CR 3.5 – Input validation

CWE-319

Cleartext Transmission of Sensitive Information

75

SR/CR 4.1 – Information confidentiality

CWE-427

Uncontrolled Search Path Element

64

SR/CR 3.5 – Input validation

 

CR 3.4 – Software and information integrity

CWE-120

Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

62

SR/CR 3.5 – Input validation

CWE-522

Insufficiently Protected Credentials

62

SR/CR 1.5 – Authenticator management

 

Figure 1. Number of vulnerabilities per sector

 

Figure 2. CVSS severity distribution.

 

Table 2. Top weaknesses per sector.

Sector

Top Weakness

Name

Number of advisories

Critical Manufacturing

CWE-121

Stack-based Buffer Overflow

175

Energy

 

CWE-20

Improper Input Validation

147

Water and Wastewater

CWE-20

Improper Input Validation

87

Commercial Facilities

CWE-79

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

42

Food and Agriculture

CWE-20

Improper Input Validation

55

Chemical

CWE-20

Improper Input Validation

54

Healthcare and Public Health

CWE-284

Improper Access Control

32

Transportation

CWE-121

Stack-based Buffer Overflow

31

Oil and gas

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

18

Government Facilities

CWE-121

Stack-based Buffer Overflow

18

 

Guiding requirements’ interpretation

Table 1 shows the varied levels of abstraction the vulnerabilities map to. This is one of the main issues leading to the increased complexity associated with the interpretation of requirements; for both the implementation and the assessment. While a high level of granularity allows for the definition of needed security mechanisms, a low level of granularity during the interpretation and implementation is necessary as it allows for a better understanding of all the types of threats or failures that a specific system might be subject to, e.g., given a deployment model or an underlying technology.

The case of the “Input validation” requirement is revealing, with eleven of the top twenty weaknesses in Table 1 falling under it. On the surface, input validation is rather straightforward; analyze inputs and disallow anything that can be considered unsuitable. In practice, however, the number of properties of the data and input use cases to potentially validate can be daunting. It might also be hard, or even impossible, to flush out all possible corner cases. The IEC 62443 “input validation” requirement is quite generic and encapsulates two CWE categories; “Validate Inputs” [4] and “Memory Buffer Errors” [5]. It is then essential to have a clear understanding of the target application or system to be able to identify relevant threats under each requirement and how to prevent them, i.e., achieve the said requirement.

On the other hand, the “Improper access control” weakness [6] is also an interesting use case. It is extremely high-level and maps to two foundational requirements of the IEC 62443. This highlights an issue in vulnerability reports, where high-level abstraction weaknesses are being misused in disclosure reports. More specific weaknesses related to the kind of access control involved would have been more appropriate, e.g., missing or weak authentication, missing or incorrect authorization, etc. This is not useful for trend analysis, especially on how real-world vulnerabilities relate to technical requirements in standards and regulations.

Threat modeling is helpful in both cases. Software developers, system architects, and security professionals can understand the requirements and address the predictable security issues that fall under them, given specific assumptions about the application or the system setup. In addition, current threat modeling tools can speed up the process by generating the relevant threats and their mitigations automatically, including based on threat intelligence data. The set of mitigations can also be tailored to meet different needs; for instance, the strength of a potential adversary, as is the case in the IEC 62443 standard, where four security levels are defined. These security levels (1 to 4) define technical requirements, along with requirement enhancements, in order to counter different levels of risk.

I believe that by using threat modeling as a framework, the interpretation and mapping of requirements into implementation and deployment measures become more predictable. It will also give developers and system architects a better chance of more complete coverage and accurate description of what the requirements ought to be, given the target system context, its dependencies, and the current threat landscape.

The guest author of this blog is a security researcher at iriusrisk.com.

References

[1] https://arxiv.org/pdf/2303.12340.pdf

[2] https://www.sans.org/white-papers/36497/

[3] https://www.cisa.gov/news-events/cybersecurity-advisories

[4] https://cwe.mitre.org/data/definitions/1019.html

[5] https://cwe.mitre.org/data/definitions/1218.html

[6] https://cwe.mitre.org/data/definitions/284.html 

Read More

It’s that time of year again: election season! You already know what to expect when you flip on the TV. Get ready for a barrage of commercials, each candidate saying enough to get you to like them but nothing specific enough to which they must stay beholden should they win.  

What you might not expect is for sensationalist election “news” to barge in uninvited on your screens. Fake news – or exaggerated or completely falsified articles claiming to be unbiased and factual journalism, often spread via social media – can pop up anytime and anywhere. This election season’s fake news machine will be different than previous years because of the emergence of mainstream artificial intelligence tools. 

AI’s Role in Fake News Generation 

Here are a few ways desperate zealots may use various AI tools to stir unease and spread misinformation around the upcoming election. 

Deepfake 

We’ve had time to learn and operate by the adage of “Don’t believe everything you read on the internet.” But now, thanks to deepfake, that lesson must extend to “Don’t believe everything you SEE on the internet.” Deepfake is the digital manipulation of a video or photo. The result often depicts a scene that never happened. At a quick glance, deepfakes can look very real! Some still look real after studying them for a few minutes. 

People may use deepfake to paint a candidate in a bad light or to spread sensationalized false news reports. For example, a deepfake could make it look like a candidate flashed a rude hand gesture or show a candidate partying with controversial public figures.  

AI Voice Synthesizers 

According to McAfee’s Beware the Artificial Imposter report, it only takes three seconds of authentic audio and minimal effort to create a mimicked voice with 85% accuracy. When someone puts their mind to it and takes the time to hone the voice clone, they can achieve a 95% voice match to the real deal. 

Well-known politicians have thousands of seconds’ worth of audio clips available to anyone on the internet, giving voice cloners plenty of samples to choose from. Fake news spreaders could employ AI voice generators to add an authentic-sounding talk track to a deepfake video or to fabricate a snappy and sleazy “hot mike” clip to share far and wide online. 

AI Text Generators 

Programs like ChatGPT and Bard can make anyone sound intelligent and eloquent. In the hands of rabble-rousers, AI text generation tools can create articles that sound almost professional enough to be real. Plus, AI allows people to churn out content quickly, meaning that people could spread dozens of fake news reports daily. The number of fake articles is only limited by the slight imagination necessary to write a short prompt. 

How to Spot AI-assisted Fake News

Before you get tricked by a fake news report, here are some ways to spot a malicious use of AI intended to mislead your political leanings: 

Distorted images. Fabricated images and videos aren’t perfect. If you look closely, you can often spot the difference between real and fake. For example, AI-created art often adds extra fingers or creates faces that look blurry.  
Robotic voices. When someone claims an audio clip is legitimate, listen closely to the voice as it could be AI-generated. AI voice synthesizers give themselves away not when you listen to the recording as a whole, but when you break it down syllable by syllable. A lot of editing is usually involved in fine tuning a voice clone. AI voices often make awkward pauses, clip words short, or put unnatural emphasis in the wrong places. Remember, most politicians are expert public speakers, so genuine speeches are likely to sound professional and rehearsed.  
Strong emotions. No doubt about it, politics touch some sensitive nerves; however, if you see a post or “news report” that makes you incredibly angry or very sad, step away. Similar to phishing emails that urge readers to act without thinking, fake news reports stir up a frenzy – manipulating your emotions instead of using facts – to sway your way of thinking. 

Share Responsibly and Question Everything  

Is what you’re reading or seeing or hearing too bizarre to be true? That means it probably isn’t. If you’re interested in learning more about a political topic you came across on social media, do a quick search to corroborate a story. Have a list of respected news establishments bookmarked to make it quick and easy to ensure the authenticity of a report. 

If you encounter fake news, the best way you can interact with it is to ignore it. Or, in cases where the content is offensive or incendiary, you should report it. Even if the fake news is laughably off-base, it’s still best not to share it with your network, because that’s exactly what the original poster wants: For as many people as possible to see their fabricated stories. All it takes is for someone within your network to look at it too quickly, believe it, and then perpetuate the lies. 

It’s great if you’re passionate about politics and the various issues on the ballot. Passion is a powerful driver of change. But this election season, try to focus on what unites us, not what divides us. 

The post This Election Season, Be on the Lookout for AI-generated Fake News appeared first on McAfee Blog.

Read More

Suspected Indonesian admin arrested in multi-national operation

Read More

UK financial regulator in new consumer awareness campaign

Read More

Another busy Patch Tuesday for sysadmins

Read More