CDM-CYBER-DEFENSE-eMAGAZINE-March-2019

More documents

Recommendations

Info

kind. Many of them require some kind of privileged access already and as I alluded to earlier, remote code execution is exceedingly rare. This brings us to Schrodinger’s vulnerability, a play on the oft used trope of Schrodinger’s cat, which to paraphrase implies that until you look in the box, the cat is both alive and dead. A more contemporary reference would be the response that former Secretary of Defense Donald Rumsfeld once blurted out in reference to ‘known knowns’, ‘known unknowns’ and ‘unknown unknowns’ with the latter being the riskiest. Let’s map this to an information asset today and call-back the alarmist reference I started this article with on. This information asset that is out of date but might have a vulnerability even there are none publicly available is going into the region of ‘unknown unknowns’. We know there are no publicly available vulnerabilities but there may be a vulnerability that exists that we just don’t know about. So how probable is this. Fortunately there’s no need to speculate since there’s plenty of research to draw conclusions from. ‘Zero days, Thousands of Nights: The Life and Times of Zero-Day vulnerabilities and their Exploits’ is a piece of research by Lillian Ablon and Andy Bogart that focuses on this very issue. They found that if a zero-day existed and was hoarded by an entity but kept from public view, it would stay that way for an average of 7 years. What this means for us is that regardless of what version of software you are on, there may be a zero-day that exist (however improbable) but no one will know about it and it will stay that way for an average of 7 years. What's worse is that if you update your software to the latest version, then that version too may also contain this zero-day, even though you are ‘fully patched’, simply because the code refactoring in the new version has not taken into the account the zero-day by virtue of the fact that it’s still an unknown. The research does make a distinction for end of life software, since this will never be patched again, so if a new zero-day is discovered then it effectively becomes ‘immortal’ since the vendor will never release a new patch to cover this. Using exploitability for defense Combining a few approaches can stave off junk risk and avoid you chasing contrived scenarios that will never materialize: • Switch from pentesting to crowdsourced security for external assets: Pentesting methodology is starting to be considered a legacy approach to offensive security testing. It does not emulate a hacker in any way – it only gives you a frozen snapshot of security posture at a specific point in time, nothing more. Crucially, crowdsourced also gives you actionable threats with proof of concept and their methodology maps more realistically to how attackers behave (for example, no time limit on testing), while pentesting focuses on theoretical threats. • Having out of date software doesn’t mean you’re automatically vulnerable! While this may shock some individuals, if the specific threat vector that your version of software is vulnerable to isn’t exposed in its current configuration, then you are safe. • Practically all attacks focus on known vulnerabilities so updating your software to the latest version to protect against ‘zero-day’ attacks is irrelevant. The new version is as likely to be vulnerable since no code has been refactored to account for the zero-day, hence its unknown status. Updating software is for known threats, not unknown ones.
• Even if you are exposed to a vulnerability, what are the steps needed for it to materialize. The likelihood of many vulnerabilities drops to almost zero once you factor in the first two variables required: Someone has to want to hurt you and someone has the skill level to exploit that vulnerability. The former is more common than the latter, as an offensive security skillset is still so rare nowadays even in professionals who work within information security. • Examine your threat model and know who your bad actors are. Are you protecting against nation-state attackers or script kiddies with slap? Many vulnerabilities that focused on a contrived chain of attacks or any kind of physical proximity (think Bluetooth and Wi-Fi vulnerabilities for example) will never materialize unless you are subjected to a specific targeted attack that requires the physical deployment of malicious attackers to your geographical location. Aside from nation state attackers this has never occurred so chase things that are likely to occur (remote attacks on your assets exposed to the internet) rather than those that won’t (Someone taking over your Alexa with a Bluetooth vulnerability to pivot into your network). Naturally I’m not advocating not updating your systems. It’s a good practice to get into but for many operational and human reasons many systems are just left behind in the scrum. When you have limited resources a view on ‘exploitability’ rather than ‘vulnerability’ can help manage risk far better than chasing down every single vulnerability that exists on your assets. If you take into consideration your threat model, and then sift through your external assets first viewing vulnerabilities through the lens of ‘exploitability’ you will be able to make your infrastructure far safer than chasing Schrodinger’s vulnerability. About the Author Alex Haynes is CISO at CDL. He has a background in offensive security and is credited for discovering vulnerabilities in products by Microsoft, Adobe, Pinterest, Amazon Web Services, IBM and many more. He is a former top 10 ranked researcher on Bugcrowd - a vulnerability disclosure platform with over 400 vulnerabilities to his name.
Page 1 and 2:
Data Breaches: Beyond Exposing Iden
Page 3 and 4:
CONTENTS (cont') Prioritizing Secur
Page 5:
@CYBERDEFENSEMAG CYBER DEFENSE eMAG
Page 22 and 23: Data Breaches: Beyond Exposing Iden
Page 24 and 25: About the Author Kem Gay is an Inte
Page 26 and 27: Rip Off the Band-Aid This leaves us
Page 28 and 29: Why Biometric Data Use Poses Unique
Page 30 and 31: • DNA Kits: If you purchased or u
Page 32 and 33: How to be Workforce Ready and Stand
Page 34 and 35: Maximiliano Gigli, a third-year cyb
Page 36 and 37: Interestingly, the two groups diffe
Page 38 and 39: Cross-site Scripting Is an Underrat
Page 40 and 41: Stealing HTML5 web storage data: HT
Page 42 and 43: Cybersecurity in New York City, the
Page 44 and 45: A boom in cybersecurity startups se
Page 46 and 47: illion risks and threats among its
Page 48 and 49: Some Important Developments in the
Page 50 and 51: About the Author Sharmistha Sarkar
Page 52 and 53: employees to contractors and sub-co
Page 54 and 55: The Internet of Things Engineering
Page 56 and 57: About The Author Milica D. Djekic i
Page 60 and 61: 2019 Risks in Focus: Cyber Incident
Page 62 and 63: However, the past year has also wit
Page 64 and 65: Why Insider Threats Are One of the
Page 66 and 67: Unlike with outside security threat
Page 68 and 69: Organizations will also frequently
Page 70 and 71: The US Must Catch Up to Other Promi
Page 72 and 73: The fact is, the wider internationa
Page 74 and 75: Integrate Compliance and Regulation
Page 76 and 77: Security have and have-nots How org
Page 78 and 79: 1. People Having the right people c
Page 80 and 81: sources (such as syslog’s, Net Fl
Page 82 and 83: Limitations of Current Endpoint Sec
Page 84 and 85: For effective detection, most EDR s
Page 86 and 87: Why Wi-Fi Hacking Will Persist Desp
Page 88 and 89: About the Author Ryan Orsi is Direc
Page 90 and 91: questions such as, “Who added a w
Page 92 and 93: About the Author Josh Paape is an O
Page 94 and 95: for well-known, repeatable needs fi
Page 96 and 97: Overcoming Software Security Issues
Page 98 and 99: Implementing Security Checks at Str
Page 100 and 101: Phishing in the Dark: Employee Secu
Page 102 and 103: phishing threats. Furthermore, almo
Page 104 and 105: Unfortunately, once an application
Page 106 and 107: Software Should Come with a “Nutr
Page 108 and 109:
vulnerabilities. If they find vulne
Page 110 and 111:
I can't get no satisfaction, I can'
Page 112 and 113:
How Organizations Should Choose a L
Page 114 and 115:
load balancers capable of integrati
Page 116 and 117:
SaaS DNS Security: Are you Protecte
Page 118 and 119:
associated with any security event
Page 120 and 121:
120
Page 122 and 123:
122
Page 124 and 125:
124
Page 126 and 127:
126
Page 128 and 129:
128
Page 130 and 131:
130
Page 132 and 133:
132
Page 134 and 135:
134
Page 136 and 137:
136
Page 138 and 139:
138
Page 140 and 141:
140
Page 142 and 143:
142
Page 144 and 145:
144
Page 146 and 147:
146
Page 148 and 149:
148
Page 150 and 151:
We’ve launched http://www.CyberDe
Page 152 and 153:
Marketing and Partnership Opportuni
Page 154 and 155:
Regent University’s Institute for
Page 156 and 157:
156
show all

CDM-CYBER-DEFENSE-eMAGAZINE-March-2019

Create successful ePaper yourself

Delete template?

Save as template?