Archive for ‘Web Application Vulnerabilities’

August 19, 2013

How to find the most updated list of network vulnerabilities and exposures

There has been a lot of discussion recently about which is the most up-to-date and definitive list of network vulnerabilities. We have decided to list the industry-standard vulnerability sources below; the order is not a ranking:

NIST NVD

National Vulnerability Database Version 2.2 (http://nvd.nist.gov/): The U.S. government repository of standards-based vulnerability management data, represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement and compliance. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names and impact metrics. NVD entries are keyed by CVE identifier, so it is the usual place to look up severity scores and affected products for a given CVE.

CVE

The Common Vulnerabilities and Exposures (http://www.cve.mitre.org/):  Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools. If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.

SANS 

SANS (Sys Admin, Audit, Network, Security) Top 20 (www.sans.org/top20):

The Critical Security Controls effort focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on “What Works” – security controls where products, processes, architectures and services are in use that have demonstrated real world effectiveness.

CERT

CERT Coordination Center (CERT/CC, run by Carnegie Mellon University’s Software Engineering Institute) Vulnerability Notes Database (www.kb.cert.org/vuls/):

The Vulnerability Notes Database provides timely information about software vulnerabilities. Vulnerability notes include summaries, technical details, remediation information, and lists of affected vendors. Many vulnerability notes are the result of private coordination and disclosure efforts.

July 1, 2013

Note to CSO: why companies don’t remediate vulnerabilities

A recent report from WhiteHat Security (the vendor of the Sentinel scanning service) contains industry data on the factors that stop companies from remediating vulnerabilities. Here is a summary of the findings:

1) Lack of understanding of, and/or responsibility for, maintaining the code

2) Lack of knowledge, understanding or respect for the vulnerability

3) A third-party vendor is responsible for the affected code and that vendor is unresponsive

4) Insufficient budget to address the vulnerability

5) The risk of exploitation is acceptable and/or it is not a priority based on compliance

6) The solution conflicts with the business use case

 The full report is available here.

 

June 27, 2013

Most websites have at least one vulnerability

WhiteHat Security’s latest website security statistics report indicates that 86% of all websites tested had at least one serious vulnerability, defined as one that lets an attacker take control of at least part of the website, access sensitive information or compromise user accounts. A significant finding was that only 61% of these vulnerabilities were resolved at all, and resolution took an average of 193 days.

Other findings include:

  • 57% of organizations said they provide some amount of instructor-led or distance cyber security training for their programmers.
  • Companies that institute mandatory cyber security training for their programmers have 40% fewer vulnerabilities and resolve them 59% faster than companies without such training.
  • 23% of organizations’ websites had a data or system breach as a result of an application-layer vulnerability. These organizations experienced 51% fewer vulnerabilities, resolved them 18% faster and had a 4% higher remediation rate.

 

The full report is available here.

June 25, 2013

Alert: SMBs Vulnerable to the Risks of Default Passwords on the Internet

US-CERT (the United States Computer Emergency Readiness Team) has issued an alert warning that attackers can easily identify and use factory-default passwords, thereby gaining access to networks and critical systems. In many cases the default passwords are provided in publicly available documentation or in compiled lists available online, and the same default is often shared by every system from a particular vendor or within a product line. Vendors typically recommend changing the password before a system is deployed in a production environment.

US-CERT highlights that attackers can locate exposed systems using search engines such as Shodan. An attacker who knows the default password and has network access to the system can log in, usually with root or administrative privilege. The alert lists the following examples of damage caused by attacks involving unchanged default passwords:

  • Internet Census 2012 Carna Botnet distributed scanning
  • Fake Emergency Alert System (EAS) warnings about  zombies
  • Stuxnet and Siemens SIMATIC WinCC software
  • Kaiten malware and older versions of Microsoft SQL  Server
  • SSH access to jailbroken Apple iPhones
  • Cisco router default Telnet and enable passwords
  • SNMP community strings

US-CERT offers the following prescriptive guidance:

  • Change Default Passwords and Use Unique Default Passwords
  • Use Alternative Authentication Mechanisms
  • Force Default Password Changes
  • Restrict Network Access
  • Identify Affected Products

Finally, both free and commercially available vulnerability scanners can identify systems that still accept default passwords.

The full bulletin is available here.
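As an added example (not part of the US-CERT alert or this post), the following Python script shows how a defender can audit an inventory for unchanged default credentials the way the alert recommends. It tries only the credentials documented for each product, stops at the first success and caps attempts per host so the audit does not trigger account lockouts. The inventory, the default-credential table and the simulated devices are all constructed for the example; in real use `try_login` would be replaced by an SSH, Telnet or HTTP login routine, and the audit run only against systems you are authorized to test.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Cred = Tuple[str, str]

# Constructed default-credential table keyed by product name. Real lists are
# published per vendor and product line; these entries are illustrative only.
DEFAULT_CREDS: Dict[str, List[Cred]] = {
    "example-router": [("admin", "admin"), ("admin", "password"), ("admin", "")],
    "example-plc":    [("Administrator", "100")],
    "example-db":     [("sa", "")],
}


@dataclass
class Device:
    host: str
    product: str   # as identified from banners, SNMP sysDescr or an asset inventory
    service: str   # protocol the login is attempted over, e.g. "ssh", "telnet", "http"


@dataclass
class Result:
    host: str
    attempted: int = 0
    working: Optional[Cred] = None        # the default credential that still works, if any
    skipped_reason: Optional[str] = None


def audit(devices: List[Device],
          creds_by_product: Dict[str, List[Cred]],
          try_login: Callable[[Device, str, str], bool],
          max_attempts: int = 3) -> List[Result]:
    """Try the documented defaults for each device's product, stop at the first
    success, and never exceed max_attempts per host (lockout-safe)."""
    results: List[Result] = []
    for dev in devices:
        candidates = creds_by_product.get(dev.product)
        if not candidates:
            results.append(Result(dev.host, skipped_reason=f"no default list for {dev.product!r}"))
            continue
        res = Result(dev.host)
        for user, password in candidates[:max_attempts]:
            res.attempted += 1
            if try_login(dev, user, password):
                res.working = (user, password)
                break
        results.append(res)
    return results


def exposed_hosts(results: List[Result]) -> List[Result]:
    """Hosts where a default credential still works: these need a password change
    and, better, network access restrictions and an alternative auth mechanism."""
    return [r for r in results if r.working is not None]


# --- constructed fleet used in place of real network logins -----------------
SIMULATED_FLEET: Dict[str, Cred] = {
    "10.0.0.1": ("admin", "admin"),      # router still on the factory default
    "10.0.0.2": ("admin", "S3cure!Pw"),  # router whose default was changed
    "10.0.0.3": ("sa", ""),              # database with a blank sa password
}


def simulated_login(dev: Device, user: str, password: str) -> bool:
    """Stand-in for a real login attempt; answers from the constructed fleet above."""
    return SIMULATED_FLEET.get(dev.host) == (user, password)


INVENTORY = [
    Device("10.0.0.1", "example-router", "ssh"),
    Device("10.0.0.2", "example-router", "ssh"),
    Device("10.0.0.3", "example-db", "tds"),
    Device("10.0.0.4", "unknown-appliance", "http"),  # no default list known for it
]

if __name__ == "__main__":
    for r in audit(INVENTORY, DEFAULT_CREDS, simulated_login):
        status = f"DEFAULT CREDENTIAL WORKS: {r.working}" if r.working else (r.skipped_reason or "ok")
        print(f"{r.host}: {status} (attempts: {r.attempted})")
```

The per-host cap matters more than it looks: many appliances lock the account after a handful of failures, and an audit that locks out every router in the fleet is its own outage. Hosts with no known default list are reported rather than skipped silently, which covers the alert’s "identify affected products" step.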

June 24, 2013

Detecting Application Vulnerabilities Is Important to Your Business

There is some interesting data in the 2013 Global Information Security Workforce Study that merits a closer look. When asked which outcomes their organization most wants to avoid, respondents’ top five answers were damage to the organization’s reputation (83%), breach of laws and regulations (75%), service downtime (74%), customer privacy violations (71%) and customer identity theft or fraud (61%).

Looking beyond the raw numbers, it is clear that the organizational priorities are aligned to the priorities of IT security professionals whose job it is to counter cyber-attack.

Here is a link to the study.

June 21, 2013

How vulnerable is your WordPress site to attack?

Checkmarx has released a report on the security of WordPress plugins. Some of the data should concern companies that rely on WordPress to host their websites or blogs. Here is a summary of the findings:

• 40% of the 50 most popular plugins are vulnerable to common web attacks such as SQL Injection, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF) and Path Traversal.
• 70% of the most popular e-commerce plugins are vulnerable.

The report authors provide the following prescriptive guidance for web administrators:

1. Download plugins only from reputable sources. For WordPress, this means WordPress.org

2. Verify the security posture of the plugin by scanning it for security issues

3. Ensure all your plugins are up to date

4. Remove any unused plugins

The full report is available here: http://www.checkmarx.com/wp-content/uploads/2013/06/The-Security-State-of-WordPress-Top-50-Plugins.pdf
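As an added example of step 2 (not from the Checkmarx report or this post), the following Python script runs a small pattern-based check for the four vulnerability classes the report names over a constructed plugin snippet. It tracks variables assigned directly from request superglobals so it can follow input into a database query, and it checks each function that acts on `$_POST` for a WordPress nonce check. The plugin source, rule set and function names in the sample are constructed for the example; a grep-level tool like this will miss taint that flows through function calls or across files and will not catch `$wpdb->prepare()` misused with string interpolation, so it is a first pass, not a substitute for a real static analyzer.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed plugin snippet (not a real plugin). It mixes vulnerable lines
# with their fixed counterparts so the scanner's suppression rules are exercised.
SAMPLE_PLUGIN_PHP = r'''<?php
function demo_lookup() {
    global $wpdb;
    $id = $_GET['id'];
    $row = $wpdb->get_row("SELECT * FROM {$wpdb->prefix}demo WHERE id = $id");
    echo "Name: " . $_GET['name'];
    $safe = $wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->prefix}demo WHERE id = %d", $id));
    echo esc_html($_GET['name']);
}
function demo_delete() {
    if (!current_user_can('manage_options')) { return; }
    delete_option($_POST['opt']);
}
function demo_download() {
    readfile(dirname(__FILE__) . '/files/' . $_GET['file']);
}
'''


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    detail: str


SUPERGLOBAL  = re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE)\b')
TAINT_ASSIGN = re.compile(r'\$(\w+)\s*=\s*\$_(?:GET|POST|REQUEST|COOKIE)\[')
SQL_CALL     = re.compile(r'\$wpdb->(?:query|get_row|get_results|get_var|get_col)\s*\(')
PREPARED     = re.compile(r'\$wpdb->prepare\s*\(')
OUTPUT       = re.compile(r'^\s*(?:echo|print)\b')
ESCAPED      = re.compile(r'\b(?:esc_html|esc_attr|esc_url|esc_js|wp_kses)\w*\s*\(')
FILE_CALL    = re.compile(r'\b(?:readfile|include|include_once|require|require_once|fopen|file_get_contents|unlink)\b')
PATH_SAFE    = re.compile(r'\b(?:basename|sanitize_file_name|realpath)\s*\(')
FUNC_START   = re.compile(r'\bfunction\s+(\w+)\s*\(')
NONCE_CHECK  = re.compile(r'\b(?:check_admin_referer|wp_verify_nonce|check_ajax_referer)\s*\(')


def tainted_vars(src: str) -> Set[str]:
    """Names assigned straight from a request superglobal, e.g. $id = $_GET['id'].
    Assignments that wrap the input in a function (intval(...)) are not collected."""
    return {m.group(1) for m in TAINT_ASSIGN.finditer(src)}


def uses_taint(line: str, tainted: Set[str]) -> bool:
    if SUPERGLOBAL.search(line):
        return True
    return any(re.search(r'\$' + re.escape(v) + r'\b', line) for v in tainted)


def scan_plugin(src: str) -> List[Finding]:
    findings: List[Finding] = []
    tainted = tainted_vars(src)
    for n, line in enumerate(src.splitlines(), start=1):
        if not uses_taint(line, tainted):
            continue
        if SQL_CALL.search(line) and not PREPARED.search(line):
            findings.append(Finding(n, "SQL Injection", line.strip()))
        if OUTPUT.search(line) and not ESCAPED.search(line):
            findings.append(Finding(n, "Cross Site Scripting", line.strip()))
        if FILE_CALL.search(line) and not PATH_SAFE.search(line):
            findings.append(Finding(n, "Path Traversal", line.strip()))
    # CSRF is a per-function property: a handler that acts on $_POST must verify a nonce.
    # A capability check (current_user_can) is not a CSRF defence; the victim is logged in.
    starts = list(FUNC_START.finditer(src))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(src)
        body = src[m.start():end]
        if "$_POST" in body and not NONCE_CHECK.search(body):
            line_no = src.count("\n", 0, m.start()) + 1
            findings.append(Finding(line_no, "Cross Site Request Forgery", m.group(1) + "()"))
    return sorted(findings, key=lambda f: (f.line, f.kind))


if __name__ == "__main__":
    for f in scan_plugin(SAMPLE_PLUGIN_PHP):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Run against the sample it reports four findings, one per class, and stays quiet on the prepared query and the escaped echo. The `demo_delete()` case is the one worth remembering: it checks the caller’s capability and still gets flagged, because a logged-in administrator can be made to submit that request from an attacker’s page unless a nonce is verified.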

June 20, 2013

OWASP Releases 2013 Top 10 Risks: Mostly Unchanged from the 2010 Edition

The Open Web Application Security Project has just released its Top 10 application security risks for 2013. OWASP is an open community whose Top 10 has become the industry benchmark for application security; the list has been published since 2003 and is revised every few years, most recently in 2010.

Because of the widespread use of OWASP as an industry benchmark, cyber-security analysts offer some cautionary advice when evaluating OWASP.

Fellow blogger Vincent Liu stresses the need to prioritize the risks an organization is actually facing: just “because a threat is new doesn’t mean it’s always worth your time to go chasing after it. And just because something shows up at the top of the OWASP Top 10 doesn’t mean it’s the most important problem facing your organization.”

Rohit Sethi, writing in SD Times, reminds us that the Top 10 list is not meant to be a prescriptive guide for software development, though many treat it that way. He states that the OWASP Top 10 is “simply too broad to be used for specific requirements” and cites the Sensitive Data Exposure category, which “is much more open-ended and could mean several things.”

Below is the complete list:
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards

More details are available on the OWASP site:
https://www.owasp.org/index.php/Top_10_2013-Top_10

June 18, 2013

Application Vulnerability Is the Top Concern for Information Security Professionals

The 2013 Global Information Security Workforce Study highlights security professionals’ concern about application vulnerabilities. Out of a choice of 12 vulnerabilities and threats, the top three selected by security professionals were application vulnerabilities (69% of respondents), malware (67%) and mobile devices (66%).
Here is a summary of other interesting findings from the report:
•    Concern about cloud-based services has jumped. In the 2011 survey, 43% of respondents reported high concern about cloud-based services; in 2013 it was 49%, reflecting increased adoption.
•    C-level executives tend to be more concerned about every vulnerability category than respondents with other job titles: 72% of C-level respondents picked application vulnerabilities and 70% picked mobile devices, somewhat higher than other job categories.
•    Respondents in developing countries report more concern than those in developed countries, which the report attributes to less mature cyber security defenses there.
•    Smaller companies tend to rate every threat and vulnerability category lower than larger companies do. The authors hypothesize that larger companies have more resources to examine threats (penetration testing, web application vulnerability scanners) and may therefore be more aware of potential risks.
•    Responses varied by industry. Financial companies and government entities report higher concern than other industries, largely because they are higher-value targets for hackers and organized criminals.

Here is a link to the study: https://www.isc2.org/uploadedFiles/(ISC)2_Public_Content/2013%20Global%20Information%20Security%20Workforce%20Study%20Feb%202013.pdf

June 17, 2013

How companies get hacked: the human factor

As we’ve stated before, hacking is about exploiting vulnerabilities, whether they are system, technical or people related. Much of the publicly available research points to human error as a major contributor to data breaches. According to the Symantec/Ponemon study, at least a third of serious data breaches were connected to human error or negligence.

In some cases, disgruntled employees with access to confidential information cooperate directly with hackers. Although there have been some high-profile cases of this, negligence and social engineering are the more significant factors in most breaches.

What can be done to reduce the hacking that results from human error?
To change behavior you will need to train your employees in how to handle information in the age of cyber-crime. Training can be both formal and informal and should vary by role: frontline employees who handle credit cards need very different training than back-office accounting and finance staff.

Here are some of the areas that need to be covered:

•  The dangers of posting personal information on social media: an attacker can use details such as your date of birth to answer password-reset questions and take over an account (Sarah Palin’s Yahoo email account was hijacked this way in 2008).

•  How to handle sensitive company information such as passwords and customer data. Employees need to understand the dangers of malware and social engineering; one rule that should be reinforced is never to give out passwords or confidential information over the phone or by email.

•  Other measures that reduce cyber-crime resulting from human error include:

  • Security policies covering access to data, encryption of files and confidentiality of information.
  • Limit access to confidential information and put mechanisms in place
June 11, 2013

Choosing a Malware Scanner: What is Heuristic Analysis?

The basic form of malware scanning is signature-based. When a new strain of malware is identified, a unique signature (a file hash or a characteristic byte sequence) is created and added to the scanner’s dictionary; during a scan the engine compares each file against the signatures of all known viruses and exploits.

The drawback of signature-based scanning is that it is only effective if the scanner is updated frequently and the malware can still be recognized by its signature. To bypass traditional scanners, malware authors produce variants that mutate, append extra code and/or encrypt themselves so that they no longer match any known signature.

The heuristic approach instead applies rule-based logic built from accumulated experience of what malicious code looks like, in a rough analogy to how an analyst recognizes suspicious code. A heuristic scanner assigns each file a numeric score reflecting the probability that it is malicious; once the score meets a pre-set threshold, the file is flagged as suspicious. The trade-off is false positives: legitimate code that happens to share traits with malware can cross the threshold, so rule weights and the threshold have to be tuned against known-clean files.