Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.
Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.
Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat: it's a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.
Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks, cyber criminals will likely learn from this year's successful tactics, retool, and pivot them into next year's campaigns to wreak even more havoc in all lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research development and investments. Advanced 5G and wireless networks will bring higher traffic capacities, lower latency, increased reliability, and enable processing and analytics in real time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated, searching for vulnerabilities and infiltrating malware by adapting and automating machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.
Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).
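A dependency check for the Log4j versions named above, added here as an example (not code from the articles cited): it parses constructed `mvn dependency:tree -Dverbose` output, finds every `log4j-core` coordinate including transitive and conflict-omitted ones, and reports which of the four log4j-core CVEs each version is still affected by. It assumes the mainline 2.x fix releases (2.15.0, 2.16.0, 2.17.0, 2.17.1), does not model the 2.12.x/2.3.x backport branches or Log4j 1.x, and leaves out CVE-2021-42550, which concerns a different logging library (Logback).

```python
import re

# Minimum log4j-core 2.x release that fixes each CVE (mainline branch only;
# the 2.12.x and 2.3.x backports for older Java runtimes are not modelled here).
FIXED_IN = {
    "CVE-2021-44228": "2.15.0",  # Log4Shell: JNDI lookup remote code execution
    "CVE-2021-45046": "2.16.0",  # incomplete fix of 44228 in some configurations
    "CVE-2021-45105": "2.17.0",  # infinite recursion DoS in lookups
    "CVE-2021-44832": "2.17.1",  # JDBC appender JNDI data source
}

# A Maven coordinate as printed by `mvn dependency:tree`:
#   groupId:artifactId:type:version[:scope]
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?P<version>[\w.\-]+)(?::(?P<scope>\w+))?"
)

# Constructed sample tree: the direct 2.14.1 dependency wins Maven's
# nearest-wins resolution, so the 2.16.0 pulled in by an internal library
# is omitted and the application still ships the defective version.
SAMPLE_TREE = r"""
[INFO] com.example:orders-service:jar:1.4.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.5.6:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter:jar:2.5.6:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- com.example.internal:telemetry-client:jar:3.2.0:compile
[INFO] |  \- (org.apache.logging.log4j:log4j-core:jar:2.16.0:compile - omitted for conflict with 2.14.1)
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.17.1:test
"""


def parse_version(v):
    """Map '2.14.1' or '2.0-beta9' to a tuple that orders pre-releases before finals."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v}")
    major, minor, patch, pre, pre_n = m.groups()
    pre_rank = {"alpha": 0, "beta": 1, "rc": 2}.get(pre, 3)  # 3 = final release
    return (int(major), int(minor or 0), int(patch or 0), pre_rank, int(pre_n or 0))


def affected_cves(version):
    """CVEs from FIXED_IN that still apply to this log4j-core 2.x version."""
    v = parse_version(version)
    if v[0] != 2:
        raise ValueError("only Log4j 2.x is modelled; 1.x is end-of-life with its own CVEs")
    return [cve for cve, fixed in FIXED_IN.items() if v < parse_version(fixed)]


def scan_dependency_tree(tree_text):
    """Return one finding per log4j-core coordinate in the tree, in order of appearance."""
    findings = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m or m.group("artifact") != "log4j-core":
            continue
        version = m.group("version")
        findings.append({
            "group": m.group("group"),
            "version": version,
            "scope": m.group("scope"),
            # Maven prints conflict/duplicate losers as "(... - omitted for ...)"
            "resolved": "omitted" not in line,
            "cves": affected_cves(version),
        })
    return findings


if __name__ == "__main__":
    for f in scan_dependency_tree(SAMPLE_TREE):
        state = "RESOLVED" if f["resolved"] else "omitted"
        cves = ", ".join(f["cves"]) or "none of the four"
        print(f"log4j-core {f['version']:8} {f['scope'] or '-':8} {state:8} {cves}")
```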
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.
Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.
Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they've successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.
In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It's what all the clouds, even Microsoft Azure, run. It's what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn't so much with open-source itself. There's nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus's law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I'm now calling Schneier's law, "Security is a process, not a product," points out, constant vigilance is needed to secure all software.
The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development: operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who's going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We've covered five main topics: 1 Malware, 2 Mobile, 3 Machine Learning and AI, 4 Ransomware (because we simply couldn't not give it a section of its own), and 5 Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities. While descriptive analytics provided by network surveillance and threat detection tools can answer the question "what happened," incident diagnosis analytics address the question of "why and how it happened." To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities.
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence (CTI) reports. Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect cyber threats more rapidly.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.
Mobile phone security is being redone
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still uses TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei's HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension commands added to the CPU chip. In this solution, TEE type protections are provided by a secure enclave. The use of this type of security enclave needs less code than the traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. This differs significantly from the TEE structure, where another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solutions will also come to smartphones. The Armv9-A architecture, announced last year, offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an infinite number of secured environments will be available in principle.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.
Cyber attacks already threaten deliveries of goods too
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime from technically savvy individuals and criminal organizations to all. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf
Jarno Limnéll warns of a "cyber pandemic": an internet disruption could throw the world into chaos again
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. "The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security," Limnéll says. So even with technology, the world will not be completed. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler's rise to power, the shots in Sarajevo. "In light of history, we're always surprised. And if you think about it, technology only adds to the complexity and surprise of crises."
Cyber attacks are accelerating, but companies can respond to them
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. These include:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks
Trend Micro report: in the future, everything is at risk
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.
3,062 Comments
Tomi Engdahl says:
https://blog.adobe.com/en/publish/2022/05/24/adobe-microsoft-announce-new-deeper-integrations-to-turbocharge-modern-workplace
Tomi Engdahl says:
https://www.politico.com/news/2022/06/13/how-doj-took-the-malware-fight-into-your-computer-00038932
Tomi Engdahl says:
https://techcrunch.com/2022/06/14/firefox-gets-a-privacy-boost-as-total-cookie-protection-becomes-the-default-for-all-users/
Tomi Engdahl says:
https://digitalinvestigator.blogspot.com/2022/06/windows-powershell-commands-for.html
Tomi Engdahl says:
https://hackaday.com/2022/06/12/yes-we-have-random-bananas/
Tomi Engdahl says:
https://www.dna.fi/yrityksille/blogi/-/blogs/tietoturva-on-alati-muuttuva-seka-vaikeasti-hahmotettava-runsaudensarvi-ja-yrittajien-suojaus-voi-helposti-jaada-riittamattomalle-tasolle
Tomi Engdahl says:
The endless number of passwords infuriates users and makes cybercriminals' work easy – a replacement for passwords is being developed in Jyväskylä
A University of Jyväskylä project is trying to replace passwords with a more secure authentication method. Alternatives have been sought for a long time, but so far no solution has managed to replace passwords completely.
https://yle.fi/uutiset/3-12484896
Tomi Engdahl says:
Cybersecurity M&A Activity Shows No Signs of Slowdown
But valuations have dropped — and investors are paying closer attention to revenues and profitability, industry analysts say.
https://www.darkreading.com/cloud/no-slowdown-in-cybersecurity-m-a-activity
Tomi Engdahl says:
Is your password here? Change it immediately: 24 billion credentials have leaked to the dark web https://www.tivi.fi/uutiset/tv/9d54b8fc-89fa-4d05-bf01-f6d2772f708e
A new report by security company Digital Shadows reveals that at least 24 billion stolen passwords and usernames are freely available on the dark web. There are 65 percent more passwords in free circulation than two years ago, writes Silicon Angle.
Tomi Engdahl says:
Use of the personal identity code is set to change significantly: new laws could take effect as early as next year
https://www.tivi.fi/uutiset/tv/771759ad-5b87-4b1e-aa8b-1435ca87f1d8
Finland wants to ban the use of the personal identity code alone for identification. The draft law prepared by the Ministry of Justice is part of the government's proposal to amend the act on the population information system and the certificate services of the Digital and Population Data Services Agency.
The intention is not to ban the use of the personal identity code as such; rather, in future the personal identity code alone, or the combination of the code and a name, will no longer be sufficient for identification.
Tomi Engdahl says:
New cloud-based Microsoft Defender for home now generally available https://www.bleepingcomputer.com/news/microsoft/new-cloud-based-microsoft-defender-for-home-now-generally-available/
Microsoft has announced today the general availability of Microsoft Defender for Individuals, the company's new security solution for personal phones and computers. This new cross-device security solution is available for all Microsoft 365 customers with Personal ($6.99/month) or Family ($9.99/month) subscriptions starting today.
Tomi Engdahl says:
How Emotet is changing tactics in response to Microsoft’s tightening of Office macro security https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/
Emotet malware is back with ferocious vigor, according to ESET telemetry in the first four months of 2022. Will it survive the ever-tightening controls on macro-enabled documents?
Tomi Engdahl says:
Take care of your software robot's security: remember these 5 things https://www.tivi.fi/uutiset/tv/7006b8ad-df08-4648-b07f-d08a83ef0d1c
The broad permissions granted to a software robot can be a security risk. Especially in process automation, the robot requires properly defined access rights, accounts and passwords.
Tomi Engdahl says:
Police Linked to Hacking Campaign to Frame Indian Activists https://www.wired.com/story/modified-elephant-planted-evidence-hacking-police/
Police forces around the world have increasingly used hacking tools to identify and track protesters, expose political dissidents' secrets, and turn activists' computers and phones into inescapable eavesdropping bugs. Now, new clues in a case in India connect law enforcement to a hacking campaign that used those tools to go an appalling step further: planting false incriminating files on targets' computers that the same police then used as grounds to arrest and jail them.
Tomi Engdahl says:
Intel offers ‘server on a card’ security reference design • The Register
https://www.theregister.com/2022/06/08/intel_security_reference_design/
RSA Conference: Intel has released a reference design for a plug-in security card aimed at delivering improved network and security processing without requiring the additional rackspace a discrete appliance would need.
The NetSec Accelerator Reference Design [PDF] is effectively a fully functional x86 compute node delivered as a PCIe card that can be fitted into an existing server. It combines an Intel Atom processor, Intel Ethernet E810 network interface, and up to 32GB of memory to offload network security functions.
According to Intel, the new reference design is intended to enable a secure access service edge (SASE) model, a combination of software-defined security and wide-area network (WAN) functions implemented as a cloud-native service.
This includes cloud access security broker (CASB), secure web gateway (SWG), data loss prevention (DLP), and firewall capabilities.
All of this would typically be delivered as virtualized or containerized services running on a standard server instead of a dedicated network appliance, but the NetSec Accelerator Reference Design offers an alternative approach that reduces the infrastructure footprint by effectively putting that server onto a plug-in card, Intel claims.
https://www.intel.com/content/www/us/en/products/docs/processors/atom/netsec-accelerator-reference-design-solution-brief.html
Tomi Engdahl says:
Using the Defense Readiness Index to Improve Security Team Skills
https://www.securityweek.com/using-defense-readiness-index-improve-security-team-skills
Tomi Engdahl says:
Difference Between Agent-Based and Network-Based Internal Vulnerability Scanning
https://thehackernews.com/2022/06/difference-between-agent-based-and.html
For years, the two most popular methods for internal scanning, agent-based and network-based, were considered to be about equal in value, each bringing its own strengths to bear. However, with remote working now the norm in most if not all workplaces, it feels a lot more like agent-based scanning is a must, while network-based scanning is an optional extra.
This article will go in-depth on the strengths and weaknesses of each approach, but let’s wind it back a second for those who aren’t sure why they should even do internal scanning in the first place.
Why should you perform internal vulnerability scanning?
While external vulnerability scanning can give a great overview of what you look like to a hacker, the information that can be gleaned without access to your systems can be limited. Some serious vulnerabilities can be discovered at this stage, so it’s a must for many organizations, but that’s not where hackers stop.
Techniques like phishing, targeted malware, and watering-hole attacks all contribute to the risk that even if your externally facing systems are secure, you may still be compromised by a cyber-criminal. Furthermore, an externally facing system that looks secure from a black-box perspective may have severe vulnerabilities that would be revealed by a deeper inspection of the system and software being run.
The different types of internal scanner
Generally, when it comes to identifying and fixing vulnerabilities on your internal network, there are two competing (but not mutually exclusive) approaches: network-based internal vulnerability scanning and agent-based internal vulnerability scanning. Let’s go through each one.
Network-based scanning explained
Network-based internal vulnerability scanning is the more traditional approach, running internal network scans on a box known as a scanning ‘appliance’ that sits on your infrastructure (or, more recently, on a Virtual Machine in your internal cloud).
Agent-based scanning explained
Agent-based internal vulnerability scanning is considered the more modern approach, running ‘agents’ on your devices that report back to a central server.
While “authenticated scanning” allows network-based scans to gather similar levels of information to an agent-based scan, there are still benefits and drawbacks to each approach.
Implementing this badly can cause headaches for years to come. So for organizations looking to implement internal vulnerability scans for the first time, here’s some helpful insight.
Which internal scanner is better for your business?
Coverage
It almost goes without saying, but agents can’t be installed on everything.
Devices like printers; routers and switches; and any other specialized hardware you may have on your network, such as HP Integrated Lights-Out, which is common to many large organizations who manage their own servers, may not have an operating system that’s supported by an agent. However, they will have an IP address, which means you can scan them via a network-based scanner.
This is a double-edged sword in disguise, though. Yes, you are scanning everything, which immediately sounds better. But how much value do those extra results bring to your breach prevention efforts? Those printers and HP iLO devices may infrequently have vulnerabilities, and only some of these may be serious. They may assist an attacker who is already inside your network, but will they help one break into your network to begin with? Probably not.
Meanwhile, will the noise that gets added to your results in the way of additional SSL cipher warnings, self-signed certificates, and the extra management overheads of including them to the whole process be worthwhile?
Clearly, the desirable answer over time is yes, you would want to scan these assets; defence in depth is a core concept in cyber security. But security is equally never about the perfect scenario. Some organizations don’t have the same resources that others do, and have to make effective decisions based on their team size and budgets available. Trying to go from scanning nothing to scanning everything could easily overwhelm a security team trying to implement internal scanning for the first time, not to mention the engineering departments responsible for the remediation effort.
Overall, it makes sense to consider the benefits of scanning everything vs. the workload it might entail when deciding whether it’s right for your organization or, more importantly, right for your organization at this point in time.
Some company laptops get handed out and then rarely make it back into the office, especially in organizations with heavy field sales or consultancy operations. Or what about companies for whom remote working is the norm rather than the exception? Network-based scans won’t see it if it’s not on the network, but with agent-based vulnerability scanning, you can include assets in monitoring even when they are offsite.
The winner: Agent-based scanning, because it will allow you broader coverage and include assets not on your network – key while the world adjusts to a hybrid of office and remote working.
Attribution
On fixed-IP networks such as an internal server or external-facing environments, identifying where to apply fixes for vulnerabilities on a particular IP address is relatively straightforward.
In environments where IP addresses are assigned dynamically, though (usually, end-user environments are configured like this to support laptops, desktops, and other devices), this can become a problem. This also leads to inconsistencies between monthly reports and makes it difficult to track metrics in the remediation process.
Reporting is a key component of most vulnerability management programs, and senior stakeholders will want you to demonstrate that vulnerabilities are being managed effectively.
Discovery
Depending on how archaic or extensive your environments are or what gets brought to the table by a new acquisition, your visibility of what’s actually in your network in the first place may be very good or very poor.
One key advantage to network-based vulnerability scanning is that you can discover assets you didn’t know you had. Not to be overlooked, asset management is a precursor to effective vulnerability management. You can’t secure it if you don’t know you have it!
Similar to the discussion around coverage, though, if you’re willing to discover assets on your network, you must also be willing to commit resources to investigating what they are and tracking down their owners. This can lead to ownership tennis, where nobody is willing to take responsibility for the asset, and require a lot of follow-up activity from the security team. Again, it simply comes down to priorities.
The winner: Network-based scanning, but only if you have the time and resources to manage what is uncovered!
Deployment
Depending on your environment, the effort of implementation and ongoing management for properly authenticated network-based scans will be greater than that of an agent-based scan. However, this heavily depends on how many operating systems you have vs. how complex your network architecture is.
Simple Windows networks allow for the easy rollout of agents through Group Policy installs. Similarly, a well-managed server environment shouldn’t pose too much of a challenge.
The difficulties of installing agents occur where there’s a great variety of operating systems under management, as this will require a heavily tailored rollout process. Modifications to provisioning procedures will also need to be taken into account to ensure that new assets are deployed with the agents already installed or quickly get installed after being brought online. Modern server orchestration technologies like Puppet, Chef, and Ansible can really help here.
Deploying network-based appliances on the other hand requires analysis of network visibility, i.e. from “this” position in the network, can we “see” everything else in the network, so the scanner can scan everything?
It sounds simple enough, but as with many things in technology, it’s often harder in practice than it is on paper, especially when dealing with legacy networks or those resulting from merger activity.
For this reason, designing a network-based scanning architecture relies on accurate network documentation and understanding, which is often a challenge, even for well-resourced organizations.
The winner: It depends on your environment and the infrastructure team’s availability.
Maintenance
Due to the situation explained in the previous section, practical considerations often mean you end up with multiple scanners on the network in a variety of physical or logical positions. This means that when new assets are provisioned or changes are made to the network, you have to make decisions on which scanner will be responsible and make changes to that scanner. This can place an extra burden on an otherwise busy security team. As a rule of thumb, complexity, wherever not necessary, should be avoided.
The winner: Agent-based scanners are much easier to maintain once installed.
Concurrency and scalability
While the concept of sticking a box on your network and running everything from a central point can sound alluringly simple, if you are so lucky to have such a simple network (many aren’t), there are still some very real practicalities to consider around how that scales.
Take, for example, the recent vulnerability Log4shell, which impacted Log4j – a logging tool used by millions of computers worldwide. With such wide exposure, it’s safe to say almost every security team faced a scramble to determine whether they were affected or not.
Even with the ideal scenario of having one centralized scanning appliance, the reality is this box cannot concurrently scan a huge number of machines. It may run a number of threads, but realistically processing power and network-level limitations mean you could be waiting a number of hours before it comes back with the full picture (or, in some cases, a lot longer).
Agent-based vulnerability scanning, on the other hand, spreads the load to individual machines, meaning there’s less of a bottleneck on the network, and results can be gained much more quickly.
There’s also the reality that your network infrastructure may be ground to a halt by concurrently scanning all of your assets across the network. For this reason, some network engineering teams limit scanning windows to after-hours when laptops are at home and desktops are turned off. Test environments may even be powered down to save resources.
Intruder automatically scans your internal systems as soon as new vulnerabilities are released, allowing you to discover and eliminate security holes in your most exposed systems promptly and effectively.
The winner: Agent-based scanning can overcome common problems that are not always obvious in advance, while relying on network scanning alone can lead to major gaps in coverage.
Summary
With the adoption of any new system or approach, it pays to do things incrementally and get the basics right before moving on to the next challenge. This is a view that the NCSC, the UK’s leading authority on cyber security, shares as it frequently publishes guidance around getting the basics right.
This is because, broadly speaking, having the basic 20% of defences implemented effectively will stop 80% of the attackers out there. In contrast, advancing into 80% of the available defences but implementing them badly will likely mean you struggle to keep out the classic kid-in-bedroom scenario we’ve seen too much of in recent years.
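As an added example (not code from the article above or from any scanner vendor), the script below reconciles two months of constructed scan findings, once keyed by IP address and once by a stable per-asset identifier, to show how dynamic addressing corrupts IP-keyed remediation metrics; all hostnames, addresses and vulnerability IDs are made up.

```python
"""Month-over-month reconciliation of internal scan findings.

Added illustration (not the article's or any vendor's code): in a DHCP
environment, keying findings by IP address makes a laptop that changed
address look like one fixed vulnerability plus one new one.  A stable
per-asset identifier (what an agent reports) keeps the metrics honest.
All data below is constructed; vulnerability IDs are placeholders.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "agent_id hostname ip vuln_id")

# Constructed month 1: two laptops with agents, one agentless printer.
MONTH_1 = [
    Finding("agent-0001", "lap-alice", "10.1.0.10", "VULN-A"),
    Finding("agent-0002", "lap-bob", "10.1.0.11", "VULN-B"),
    Finding(None, "printer-3f", "10.1.0.50", "VULN-C"),
]

# Constructed month 2: DHCP handed lap-alice the address lap-bob had.
# lap-bob's VULN-B was really fixed; lap-alice's VULN-A was not.
MONTH_2 = [
    Finding("agent-0001", "lap-alice", "10.1.0.11", "VULN-A"),
    Finding(None, "printer-3f", "10.1.0.50", "VULN-C"),
]


def key_by_ip(finding):
    """What a plain network-based report gives you: the address scanned."""
    return finding.ip


def key_by_identity(finding):
    """Prefer the agent's stable identifier; agentless devices (printers,
    switches, iLO) usually have fixed addresses, so fall back to the IP."""
    return finding.agent_id if finding.agent_id else "ip:" + finding.ip


def remediation_delta(previous, current, key):
    """Classify (asset, vuln) pairs as fixed, new or persisting between runs."""
    prev = {(key(f), f.vuln_id) for f in previous}
    curr = {(key(f), f.vuln_id) for f in current}
    return {"fixed": prev - curr, "new": curr - prev, "persisting": prev & curr}


def summarize(delta):
    """Counts per category: the numbers that end up in the monthly report."""
    return {name: len(pairs) for name, pairs in delta.items()}


if __name__ == "__main__":
    for label, key in (("keyed by IP", key_by_ip), ("keyed by identity", key_by_identity)):
        delta = remediation_delta(MONTH_1, MONTH_2, key)
        print(label, summarize(delta))
        for name in ("fixed", "new", "persisting"):
            for asset, vuln in sorted(delta[name]):
                print(f"  {name:10s} {asset:16s} {vuln}")
```

Keyed by IP the report claims two fixes and one new finding; keyed by identity it correctly shows one fix and VULN-A still open on lap-alice.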
Tomi Engdahl says:
https://www.pcworld.com/article/704687/why-quit-chrome-and-switch-to-mozilla-firefox.html
Tomi Engdahl says:
Red Line Through HTTPS
https://m.xkcd.com/2634/
Tomi Engdahl says:
https://noblesapien.com/mind/how-to-browse-the-dark-web-safely/
Tomi Engdahl says:
Russia’s attack made event organizers prepare for hybrid threats – the probability is not high, but the threat is possible https://yle.fi/uutiset/3-12499327?origin=rss
Event organizers are increasingly interested in hybrid threats targeting events. Preparing for hybrid influence operations has come to the fore especially since Russia began its war of aggression in Ukraine.
Kalle Marttinen, vice chair of Tapahtumateollisuus ry (the Finnish event industry association), says that training on hybrid influence operations and their prevention is available to event organizers.
Training on hybrid influence operations and their prevention is available to event organizers. Preparedness is important, even if the threat is not very great.
– We have always prepared for things like internet connections being cut, but preparing for hybrid threats has surfaced this spring because of the world political situation. It makes sense to prepare, so that we are more ready if something happens.
Marttinen knows of one case in which pro-Russian texts began to be distributed to the participants of a virtual event.
He is not aware of any other similar cases in Finland. On a global scale, however, various influence attempts are more common, and they have been prepared for for a long time.
Information security and planning
Organizers of live events have always prepared for thunderstorms or heavy rain, but now they are also preparing for other kinds of things.
– At virtual events, the broadcast will probably be disrupted or hijacked. At large mass events, disruption could mean interfering with payment traffic, or someone could, for example, put their own messages on the big screen at a stadium, Kalle Marttinen says.
The most important preparation is maintaining good information security, and everyone is now doing that more strictly than usual.
The other thing is that if something happens, you must be able to react. If messages start being fed onto the screen at a football match, you need to know how to stop it.
– You need to know where to pull the plug, so to speak, if the control systems have been hijacked.
Marttinen does not consider a hybrid threat targeting events very likely, but not impossible either. According to him, Finnish events are nevertheless safe.
– And if someone does hijack a display board, Finns are aware and understand what is going on. It does not cause any other security threat.
Tomi Engdahl says:
Jessikka Aro was the target of Russia’s information war for years, but came through – now she advises how to protect yourself from the dangers of the grey period
https://yle.fi/uutiset/3-12441012
The grey period related to Finland’s NATO membership may be a heavy ordeal for some. We asked three experts in their fields how to protect your resilience, i.e. mental endurance, in the new situation.
– It has felt powerless. It has been distressing and frightening. It has felt like this will never end. Or if it does end, the ending looks unpleasant for me.
That is how journalist and non-fiction author Jessikka Aro describes her experiences. She knows what it is like to be the target of influence attempts by Russia and the distributors of its propaganda.
Those experiences now offer lessons more broadly.
Aro, who works for Yle, began investigating Russian information influence operations, the so-called troll army, about eight years ago, in 2014.
Aro says that Russian media claimed she was “Finland’s worst persecutor” and was working in cooperation with the intelligence services of the United States, the NATO defense alliance and the Baltic countries.
On Finnish fake news sites she was constantly targeted, which caused a flood of hate messages and threats.
There were other consequences too. Even some of Aro’s former friends began to believe the articles.
She describes what she experienced as a typical form of Russian information warfare.
– Conspiracy theories about one person are spread enough times, and in that way the aim is to shut down that person’s work. In my case, reporting on Russian trolls.
In the end, Aro did not give in to the intimidation. Nor should other Finns give in if they encounter Russia’s anticipated malice in their everyday lives, she says.
Because that is precisely the goal of influence attempts: creating fear and anxiety.
The period has been characterized as uncertain, among other things in terms of security, and Russia has been assessed as capable of directing various hybrid attacks at Finland.
There is no reason for widespread concern, however, says Teija Tiilikainen, director of Hybridikeskus (the Hybrid CoE), which specializes in hybrid threats. Influence attempts are already a familiar phenomenon to Finns, and that in itself provides protection.
– One should not think that some new era is now beginning and that we will see strange things, Tiilikainen states.
– We have seen various hybrid threat operations in recent years. Many kinds of unconventional influence on another state’s politics, civil society, political debate, and citizens’ trust in those in power.
Even statements that if Finland joins NATO, countermeasures will follow (link to another service) are influence attempts.
Even if the phenomenon is familiar, living in uncertainty can test the resilience (link to another service), a kind of mental endurance, of at least some people.
That too can be protected, however.
The most important advice: be aware of the situation
According to Teija Tiilikainen, the best preparation in the grey period is situational awareness. That means understanding that influence attempts may be seen in increasing numbers, and being aware of where their roots lead.
– If some completely strange information about Finland and Finnish conditions starts to appear, it is worth thinking twice before believing it.
Tiilikainen also urges preparing for various everyday outages and disruptions, but above all she would pay attention precisely to the information environment and its manipulation.
– This is a sensitive and quite usable tool for destabilizing another state’s internal conditions. It is always worth remembering situational awareness, source criticism, and checking the origin and truth value of strange information.
Being aware of the situation also helped Jessikka Aro, who was personally targeted by influence attempts.
– I understood that causing fear and anxiety is the express purpose of the architects of information warfare. They would like to remote-control me, as it were, and make me back away from my profession. To cause these negative feelings.
We are living in a historic time – and it is hard
For some, the new social situation may be a heavy ordeal, even if they know how to prepare for influence attempts.
That is the view of research professor Anna-Maria Teperi of the Finnish Institute of Occupational Health (Työterveyslaitos). Her research area is human factors in safety, including resilience.
Two exceptional COVID years are behind us. The current situation comes on top of that, Teperi sums up.
– Enormous movements are happening here. We are living in a historic time, and it is interesting but at the same time also hard. History books will be written about these years. We are in a truly unusual time, and all kinds of searching for resources, things that work and solutions is important so that we get through this.
Amid the uncertainty, the research professor encourages taking care of the basic pillars of well-being: rest, nutrition and exercise, as well as recovery.
Resilience is also strengthened by telling others about your thoughts and possibly your worries.
Tomi Engdahl says:
What you need to know about PCI 4.0: Requirements 1, 2, 3 and 4 https://www.tripwire.com/state-of-security/regulatory-compliance/pci/what-you-need-to-know-about-pci-requirements-1-2-3-4/
The Payment Card Industry Security Standards Council has released its first update to their Data Security Standard (PCI DSS) since 2018. The new standard, version 4.0, is set to generally go into effect by 2024, but there are suggested updates that are not going to be required until a year after that. This, of course, creates a couple of problems for those who want to phase in the new standard.
Tomi Engdahl says:
Chinese Officials Are Weaponizing COVID Health Tracker to Block Protests https://www.vice.com/en/article/93a53v/china-covid-health-code-protest-henan
Chinese bank depositors planning a protest about their frozen funds saw their health code mysteriously turn red and were stopped from traveling to the site of a rally, confirming fears that China’s vast COVID-tracking system could be weaponized as a powerful tool to stifle dissent. A red health code designated the would-be protesters as suspected or confirmed COVID-19 patients, limiting their movement and access to public transportation. Their rallies in the central Henan province this week were thwarted as some were forced into quarantine and others detained by police.
Tomi Engdahl says:
Microsoft Dismisses False Reports About End of Patch Tuesday
https://www.securityweek.com/microsoft-dismisses-false-reports-about-end-patch-tuesday
Microsoft has dismissed reports about June 14 being the last Patch Tuesday, as the upcoming rollout of the Windows Autopatch service seems to be causing some confusion.
In April, Microsoft unveiled Windows Autopatch, an automatic update service for some Windows 10 and 11 enterprise customers. The service, designed to make it easier for administrators to manage and roll out updates for Windows and Microsoft 365 apps, aims to make Patch Tuesday “just another Tuesday” for enterprises, Microsoft representatives said at the time.
Windows Autopatch is currently in public preview and is set to become generally available in early July 2022 for Microsoft customers that have a Windows Enterprise E3 license or greater. Admins will be able to continue using their current tools and processes for deploying updates, or they can let the Autopatch service do it for them.
However, several major cybersecurity companies and prominent security news publications caused confusion this week when they reported that June 14 was the final Patch Tuesday, describing it as “the last ever Patch Tuesday,” “the end of Patch Tuesday” and “the end of an era.”
That is not accurate. The rollout of Windows Autopatch does not mean there will no longer be Patch Tuesday updates.
https://www.securityweek.com/windows-autopatch-aims-make-patch-tuesday-just-another-tuesday-enterprises
Tomi Engdahl says:
Cybersecurity M&A Deals Surge in First Half of June 2022
https://www.securityweek.com/cybersecurity-ma-deals-surge-first-half-june-2022
Tomi Engdahl says:
Using the Defense Readiness Index to Improve Security Team Skills
https://www.securityweek.com/using-defense-readiness-index-improve-security-team-skills
The challenges organizations face in developing cyber skills have never been more acute. Too often, security teams find themselves locked into reactive modes, continuously responding to immediate threats without being afforded the time to learn from them, so the opportunity to cross-train and upskill is missed.
In many cases, organizations simply don’t take the time, or have the background, to craft a roadmap that allows them to measure and improve cyber competencies. Developing this roadmap can be time-consuming and expensive but, fortunately, there is a better option — a framework called the Defense Readiness Index (DRI).
What is DRI?
DRI is inspired by the Cybersecurity Maturity Model Certification, a program initiated by the United States Department of Defense in order to measure defense contractors’ capabilities, readiness, and cyber security sophistication.
DRI has five levels of controls and practices. The first level covers basic cyber hygiene. At this level there are no defined differences in security practitioner roles (such as security management, engineering, and analysis). Higher indexes add more controls and practices, rising from Intermediate Cyber Hygiene to Good Cyber Hygiene, to Proactive, to Advanced/Progressive.
Tomi Engdahl says:
Hybrid Networks Require an Integrated On-prem and Cloud Security Strategy
https://www.securityweek.com/hybrid-networks-require-integrated-prem-and-cloud-security-strategy
Today’s dynamic networks change so fast that traditional point security solutions fail to keep up
A constantly evolving network is the new reality that today’s IT teams must learn to live with. Rather than everyone transitioning to the cloud (leading to the ridiculous claim that “the network is dead”), what we are actually seeing is the near-universal adoption of a hybrid network strategy. Digital acceleration, user demand, and shifting business strategies add new edges to the network, making it increasingly difficult to manage and even harder to secure.
One of the primary issues organizations face is ensuring consistent policy enforcement and maintaining broad visibility across a network where users, devices, edge platforms, applications, and disparate compute and networking platforms – many of them temporary – are constantly churning. On average, organizations have deployed 45 cybersecurity tools in their networks, according to a 2020 report from IBM. Most of these are isolated point solutions that impede the ability of IT teams to centralize management and configurations, orchestrate policy, or even see and control their security infrastructure. And those organizations that build an overlay system to get their sprawling security under control end up spending a third of their time simply troubleshooting those workarounds, according to a separate report (PDF).
https://www.ibm.com/downloads/cas/VR9E8AKM
https://content.cdntwrk.com/files/aT0xNDI2MzgyJnY9MSZpc3N1ZU5hbWU9YXZvaWRpbmctY29tcGxleGl0eS1pbi1zbWImY21kPWQmc2lnPTAxZmZjZTc2MDk0YTdiNzhhMjlmYTFiNzcyODZiNDZj
Tomi Engdahl says:
Now On Demand: SecurityWeek Cloud Security Summit, Presented by Palo Alto Networks
https://www.securityweek.com/now-demand-securityweek-cloud-security-summit-presented-palo-alto-networks
Tomi Engdahl says:
https://hackaday.com/2022/06/17/this-week-in-security-pacman-hetzbleed-and-the-death-of-internet-explorer/
PING
The lowly ping command. How much can a single pair of packets tell us about a network and remote host? According to [HD Moore], quite a bit. For example, take the time given for a ping response, and calculate a distance based on 186 miles per millisecond. That’s the absolute maximum distance away that host is, though a quarter and half of that amount are reasonable lower and upper limits for a distance estimate. TTL very likely started at 64, 128, or 255, and you can take a really good guess at the hops encountered along the way. Oh, and if that response started at 64, it’s likely a Linux machine, 128 for Windows, and 255 usually indicates a BSD-derived OS.
Receiving a “destination host unreachable” message is interesting in itself, and tells you about the router that should be able to reach the given IP. Then there’s the broadcast IP, which sends the message to every IP in the subnet. Using something like Wireshark for packet capture is enlightening here. The command itself may only show one response, even though multiple devices may have responded. Each of those responses has a MAC address that can be looked up to figure out the vendor. Another interesting trick is to spoof the source IP address of a ping packet, using a machine you control with a public IP address. Ping every device on the network, and many of them will send the response via their default gateway. You might find an Internet connection or VPN that isn’t supposed to be there. Who knew you could learn so much from the humble ping.
One ping to find them: lean network discovery
https://www.rumble.run/blog/lean-network-discovery-icmp/
Playing with ping
The standard “ping” utility is one of the most commonly used network troubleshooting tools. This utility sends an ICMP Echo Request to a specific address and reports any replies it receives. This protocol is simple: the sender creates an IP header, appends an ICMP header, sets the Type and Code fields, and then adds the Echo Request data, consisting of an identifier, sequence number, and some data to echo. Finally, this protocol is written to the network, often with an Ethernet header.
In summary
ICMP as a protocol is simple, but the amount of data that can be gleaned through a few creative packets is extensive. Systems that respond to ICMP Echo Requests are effectively providing a remote API: you give them a request, and depending on the configuration, they take various actions, which provides useful data. This “API” has limitations, including default rate limits, but it is available on nearly every networked device on the planet.
Rumble uses ICMP responses for latency measurement, subnet identification, multihomed asset discovery, operating system fingerprinting, topology mapping, and more.
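An added example, not code from the Hackaday post or from Rumble: a Python parser that applies the TTL and timing heuristics described above to constructed, iputils-style (Linux) ping output lines, so the inferences can be checked against an asset inventory; the initial-TTL table and the 186 miles/ms figure come from the text, and every sample line is made up.

```python
"""Read the hints a single ping reply carries, as the post describes.

Added example, not code from the Hackaday post or from Rumble.  It parses
iputils-style (Linux) ping output lines; the initial-TTL table and the
186 miles/ms figure are taken from the text above, and every sample line
below is constructed (documentation address ranges, invented timings).
"""
import re

# Conventional starting TTLs the post cites and the OS family they hint at.
INITIAL_TTLS = {64: "Linux (likely)", 128: "Windows (likely)", 255: "BSD-derived (likely)"}
MILES_PER_MS = 186  # speed-of-light bound used in the post

REPLY_RE = re.compile(
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+).*?ttl=(?P<ttl>\d+).*?time=(?P<rtt>[\d.]+) ms"
)
UNREACHABLE_RE = re.compile(
    r"^From (?P<ip>\d+\.\d+\.\d+\.\d+).*Destination (Host|Net) Unreachable"
)


def infer_initial_ttl(ttl):
    """Smallest conventional start value the observed TTL could have decayed from.
    This is a guess: a host with a tuned TTL or an odd path will mislead it."""
    for start in sorted(INITIAL_TTLS):
        if ttl <= start:
            return start
    raise ValueError(f"TTL {ttl} exceeds every known starting value")


def analyze_reply(line):
    """Return a dict of inferences for one ping output line, or None."""
    m = UNREACHABLE_RE.match(line)
    if m:
        # The router that answered is the one that should reach the target.
        return {"kind": "unreachable", "reported_by": m.group("ip")}
    m = REPLY_RE.search(line)
    if not m:
        return None
    ttl, rtt = int(m.group("ttl")), float(m.group("rtt"))
    start = infer_initial_ttl(ttl)
    max_miles = rtt * MILES_PER_MS  # absolute upper bound on distance
    return {
        "kind": "reply",
        "ip": m.group("ip"),
        "ttl": ttl,
        "initial_ttl": start,
        "hops": start - ttl,
        "os_guess": INITIAL_TTLS[start],
        "max_miles": max_miles,
        # the post's practical range: a quarter to a half of the bound
        "likely_miles": (max_miles / 4, max_miles / 2),
    }


def analyze_ping_output(text):
    """Analyze every line of a captured ping session; skip non-matching lines."""
    results = [analyze_reply(line) for line in text.splitlines()]
    return [r for r in results if r is not None]


# Constructed sample session (not real output).
SAMPLE_OUTPUT = """\
PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=117 time=22.5 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 198.51.100.7: icmp_seq=1 ttl=245 time=9.0 ms
From 10.0.0.254 icmp_seq=1 Destination Host Unreachable
"""

if __name__ == "__main__":
    for r in analyze_ping_output(SAMPLE_OUTPUT):
        print(r)
```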
Tomi Engdahl says:
Your Building’s RFID Access Tags Might Be Really Insecure
https://hackaday.com/2022/06/17/your-buildings-rfid-access-tags-might-be-really-insecure/
[Gabe Schuyler] had a frustrating problem when it came to getting into his building’s garage. The RFID access system meant he had to remove his gloves while sitting on his motorcycle to fish out the keytag for entry. He decided to whip up a better solution with less fuss.
His initial plan was to duplicate the keytag and to sew one into his gloves. Purchasing a 125 KHz RFID tag duplicator off eBay, he was able to quickly copy the tag, and create one that worked with his garage’s entry system. While the duplicate tags worked well, they were still too big to easily fit into a glove. Attempts to create a duplicate with a smaller tag failed, too. Eventually, [Gabe] turned up a ring complete with a compatible RFID chip, and was able to duplicate his entry tag onto that. Now, by wearing the ring, he can enter his garage and building with a simple wave of the hand, gloves on or off.
Of course, duplicating an RFID tag is no major hack. As per [Gabe]’s Shmoocon talk on the topic, however, it shows that many buildings are using completely insecure RFID access methods with little to no security whatsoever.
Opening the Garage with a Wave of My Hand
http://blog.fnaard.com/2021/09/opening-garage-with-wave-of-my-hand.html
So here’s the story. To get into my building’s garage, I need to wave an rf-enabled key at a reader. Problem is that I ride, so I have gloves on. I have to stop just before the gate, take a glove off, fish the key out of my pocket, stuff it into my other glove, put the first glove back on, then ride up to the gate, scan, and ride in with it still in my glove, fully expecting it to fall out on the way.
So, I know that people are getting teeny-tiny RFID chips crammed into their hands. What if I could glue/sew one of those onto my gloves?
Step one was to try to duplicate the key at all. So I popped over to eBay and looked for a duplicator. The popular match (a blue thing from China) says it’s for 125 KHz and a quick search on the interwebs indicated that my keyfob likely is one. They all come with a few blanks included, even. I found a US shipper and committed twelve dollars to the experiment.
It arrived, I tried it out (beep boop!) and the duplicate fob it made worked just fine on the garage.
Alright, now to duplicate my key onto a teeny-tiny chip. That did not go so well. I mean, I completely got the wrong type of chip, had no idea what I needed, and utterly failed.
There’s something really magical about showing people how easy it is to clone these things. Particularly because there’s something really magical about how your apartment building wants to charge you a hundred bucks if you ask them for a spare copy. These things cost fifty cents, dudes!
Back to the project though. During my research I discovered that you can actually get a ring with a chip in it! Add to cart! Ship it!
And … success! Now when I ride, I put on my ring, and opening the garage is just a wave of my hand. Total cost of the parts (that worked) is under fifty bucks. And my friends love me because I can make them spares, too. This was a good project!
Epilogue:
I couldn’t let it rest until I knew everything there is to know. I’m now using the amazing Proxmark3 with iceman’s firmware. Also, if you find you can’t rewrite tags that the silly blue cloner wrote to, it’s because they now have a password. The password is 51243648 and you can wipe the tag, removing the password in the process, with lf t5 wipe -p 51243648 on the pm3 command line.
https://www.slideshare.net/GabrielSchuyler/shmoocon-2022-rfid-key-cloning-for-angry-bikers
https://dangerousthings.com/product/proxmark3-easy/
https://github.com/RfidResearchGroup/proxmark3
RFID Reader Snoops Cards From 3 Feet Away
https://hackaday.com/2013/11/03/rfid-reader-snoops-cards-from-3-feet-away/
Tomi Engdahl says:
Build Your Own Two-Factor Authenticator With Good USB
https://hackaday.com/2022/06/18/build-your-own-two-factor-authenticator-with-good-usb/
Two-factor authentication is becoming the norm for many applications and services, and security concerns around phone porting hacks are leading to a phaseout of SMS-based systems. Amidst that backdrop, [Josh] developed his own authentication device by the name of Good USB.
The device can be built using an Arduino Leonardo, SS Micro, or even a BadUSB device. It’s the latter which [Josh] most liked, and since the nefarious device is being repurposed for good, it led to the name Good USB. Basically any Atmega32U4-based device will work, as the key functionality is the ability to emulate a USB keyboard to a host PC.
Good USB
A DIY hardware two-factor authenticator.
http://optimumunknown.com/goodusb.html
Tomi Engdahl says:
GoodUSB aka DIY YubiKey
http://optimumunknown.com/goodusb.html
An Arduino-based 2-factor-authentication key. This project consists of two parts: the Arduino, which types in 2FA codes by emulating a keyboard, and a companion computer app for instructing the Arduino on which service’s 2FA code you want to type. The secret codes for generating the 2FA codes only live inside the Arduino instead of within an authenticator app on your computer like Authy. Using a GoodUSB saves time since it types the 2FA code for you, it is a lot cheaper than a YubiKey, and it could be more secure than using an authenticator app with secrets stored on your computer. This is a proof of concept project. Do not use for protecting any important account.
Why is it called GoodUSB?
There are a number of small microcontrollers for sale labeled as BadUSB. Basically they look like innocent USB sticks, but once plugged in they pretend to be a keyboard and start typing commands to take control of a computer. This project takes the same hardware used for BadUSBs and uses it to increase security. Therefore, by doing something good instead of bad it becomes a GoodUSB.
Tomi Engdahl says:
Newspaper: TikTok did not keep its word to US authorities about the security of user data; worrying information has come to light https://www.is.fi/digitoday/art-2000008897304.html
The EXTREMELY popular video service TikTok has not kept all American user data outside China, even though the service has stressed year after year that this data is stored in the United States and not in China. So writes BuzzFeed News, which went through numerous recordings of internal meetings at TikTok's Chinese parent company ByteDance. Based on the recordings, Chinese employees had access to non-public data of American users. Such data can include, for example, birthdays, phone numbers and other information that is collected but not shown in users' profiles.
In many cases the Chinese employees handled the data because they were asked to by their American colleagues, who were working out how user data flows through the service.
Tomi Engdahl says:
Security manager's blog: the contest between a company and a cybercriminal is unfair, which is why staff must be trained https://www.epressi.com/tiedotteet/energia/tietoturvapaallikon-blogi-asetelma-yrityksen-ja-kyberrikollisen-valilla-on-epareilu-siksi-henkilostoa-on-koulutettava.html
Your own staff are the strongest link in information security. Emails sent by criminals and the dangerous links in them pose a threat that must be reacted to correctly. More than 90 percent of all data breaches begin with phishing. The security competence of staff and partners is a key security factor for a company in today's digital operating environment.
Regular training and continually bringing security matters to the fore ensure sufficient security awareness among all stakeholders.
Tomi Engdahl says:
The culprit behind the data breach that hurt more than 100 million people is being identified: “She wanted data and money”
https://www.tivi.fi/uutiset/tv/98ec63c8-1cf2-44c2-b65c-58cf1dccde77
A jury in a Seattle court has convicted a woman who worked as a software engineer at Amazon of a massive data breach targeting the financial institution Capital One and other companies. In the 2019 breach, the personal data of more than 100 million people was stolen.
Tomi Engdahl says:
Hacker stole nude photos from hundreds of women's iCloud accounts: 9 years in prison
https://www.tivi.fi/uutiset/tv/079dd9ee-45bb-4261-9ce6-a6a1bde82302
A 41-year-old California man has received a nine-year prison sentence for hacking thousands of iCloud accounts. The man had stolen nude photos, especially from female users' accounts, and sold them on online. Original source:
https://www.bleepingcomputer.com/news/security/icloud-hacker-gets-9-years-in-prison-for-stealing-nude-photos/
Tomi Engdahl says:
DDoS-for-hire service provider jailed
https://blog.malwarebytes.com/cybercrime/2022/06/ddos-for-hire-service-provider-jailed/
Matthew Gatrel, a 33-year-old man from St. Charles, Illinois, has been sentenced to two years in prison for running websites that provide powerful distributed denial-of-service (DDoS) attacks against internet users and websites. This sentencing resulted in the seizure of his websites, making the internet a little safer from DDoS attacks. Gatrel was the administrator and owner of DownThem.org and AmpNode.com, two DDoS-for-hire websites with thousands of clients which launched attacks against more than 200,000 targets. He was convicted of three charges, including conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer.
Tomi Engdahl says:
Nuclear-armed state published confidential security instructions for its employees; the embarrassing document was immediately leaked online
https://www.tivi.fi/uutiset/tv/7535f0b3-721b-405e-a077-2c9ff374e836
Last week the Indian government published confidential information security instructions for 30 million government employees. The aim was to improve working practices, but the document was quickly leaked onto the government's website, reports The Register. The document reveals that information security is at a fairly weak level in the country's public administration.
The first pages describe how the increased use of ICT has raised the risk of attacks and other threats, since cybersecurity is not taken care of at the grassroots level. The security instructions given to government employees are otherwise very basic. Among other things, the instructions remind staff not to share sensitive information with outside persons by phone or through other channels.
Tomi Engdahl says:
Foreign Ministry opened up about cyber espionage: “it reveals what a person does and how they can be influenced”
https://www.tivi.fi/uutiset/tv/ef01bf78-6f1a-4b7c-9736-3325877e2435
The Pegasus malware was found on the phones of Foreign Ministry officials last autumn. Ari Uusikartano, the ministry's chief information officer, described the background of the case in mid-February at the Digital and Population Data Services Agency's digital security review. According to Uusikartano, the ministry wanted to be proactive in the matter. The work travel phones of Foreign Ministry staff are wiped when people return home from trips, but weak points remain in the worldwide network of ninety offices. Such weak points surfaced when the notorious Pegasus software of Israel's NSO Group was found on the phones of ministry officials. The espionage targeted Finnish posted staff working abroad. The ministry investigated the case and stated in mid-February that it did not consider the Pegasus case an active threat.
How to recognise Pegasus spyware on a phone?
https://www.tivi.fi/uutiset/tv/a3adb075-5041-46bc-bb5a-64e867a06136
Because Pegasus digs straight into the operating system, it can hide itself completely and is almost impossible to detect with antivirus software. Researchers at the human rights organisation Amnesty have developed the open-source Mobile Verification Toolkit.
It looks for traces of Pegasus on the phone by comparing browsing and message history against the known addresses of NSO's servers.
For the examination, the entire contents of the phone must first be copied to a computer, where the analysis program can access it. iMazing (www.imazing.com), which runs on Windows and Mac, uses Amnesty's code and can check both iPhone and Android phones.
The program is commercial, but the Pegasus check can be done with the trial version.
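The indicator comparison described above, reduced to its core, as an added example that is not MVT's own code: history records and the indicator domains are constructed placeholders (MVT itself loads Amnesty's published STIX2 indicator files), and the match is done on the host and its parent domains so that lookalike subdomains of a listed server are caught while unrelated hosts that merely contain the string are not.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed placeholder indicators (NOT real NSO infrastructure). A real
# check would load the maintained indicator set instead of this literal.
INDICATOR_DOMAINS = {"spyware-delivery.example", "lure-links.invalid"}


@dataclass
class Record:
    source: str     # which extracted artefact it came from (browser history, SMS, ...)
    timestamp: str  # kept as the backup stores it
    url: str        # full URL from a browser row, or bare link text from a message


def domain_of(url: str):
    """Normalise a URL or bare 'host/path' string to a lowercase hostname.
    Message bodies often carry links without a scheme, so one is supplied."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def matches_indicator(domain, indicators=INDICATOR_DOMAINS) -> bool:
    """True if the host itself or any parent domain is an indicator, so
    cdn1.spyware-delivery.example matches but notlure-links.invalid does not."""
    if not domain:
        return False
    labels = domain.split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels)))


def scan(records, indicators=INDICATOR_DOMAINS):
    """Return the history and message records that point at indicator hosts."""
    return [r for r in records if matches_indicator(domain_of(r.url), indicators)]


# Constructed sample records, mimicking rows pulled from a phone backup.
SAMPLE_RECORDS = [
    Record("safari_history", "2021-10-03T08:12:44", "https://news.example.org/article/1"),
    Record("safari_history", "2021-10-03T08:13:02", "https://cdn1.spyware-delivery.example/x/y"),
    Record("sms", "2021-10-02T19:40:11", "lure-links.invalid/track?id=42"),
    Record("sms", "2021-10-02T19:41:00", "https://notlure-links.invalid/"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(f"{hit.timestamp} {hit.source}: {hit.url}")
```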
Tomi Engdahl says:
Android-wiping BRATA malware is evolving into a persistent threat https://www.bleepingcomputer.com/news/security/android-wiping-brata-malware-is-evolving-into-a-persistent-threat/
The threat actor behind BRATA banking trojan has evolved their tactics and improved the malware with information-stealing capabilities.
Italian mobile security company Cleafy has been tracking BRATA activity and noticed in the most recent campaigns changes that lead to longer persistence on the device. “The modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern,” explains Cleafy in a report this week.
Tomi Engdahl says:
Flagstar Bank discloses data breach impacting 1.5 million customers https://www.bleepingcomputer.com/news/security/flagstar-bank-discloses-data-breach-impacting-15-million-customers/
Flagstar Bank is notifying 1.5 million customers of a data breach where hackers accessed personal data during a December cyberattack.
Flagstar is a Michigan-based financial services provider and one of the largest banks in the United States, having total assets of over $30 billion.
Tomi Engdahl says:
ALPHV Ransomware Operators Pressure Victim With Dedicated Leak Site
https://www.securityweek.com/alphv-ransomware-operators-pressure-victim-dedicated-leak-site
Cybercriminals who are using the ALPHV ransomware created a dedicated leak website in an apparent attempt to pressure one of their victims into paying the ransom.
First observed in November 2021 and also known as BlackCat and Noberus, ALPHV is the first ransomware family to have been developed using the Rust programming language.
ALPHV, which is believed to have ties with the cybercrime group behind the Darkside/Blackmatter ransomware, has compromised at least 100 organizations to date, based on the list of victims published on their Tor website.
The threat operates under the Ransomware-as-a-Service (RaaS) business model, with affiliates compromising organizations (via stolen credentials or by exploiting unpatched Microsoft Exchange servers) and stealing and encrypting data.
https://www.securityweek.com/fbi-shares-information-blackcat-ransomware-attacks
Tomi Engdahl says:
Jury Convicts Seattle Woman in Massive Capital One Hack
https://www.securityweek.com/jury-convicts-seattle-woman-massive-capital-one-hack
A federal jury on Friday convicted a former Seattle tech worker of several charges related to a massive hack of Capital One bank and other companies in 2019.
Paige Thompson, 36, a former Amazon software engineer who used the online handle “erratic,” obtained the personal information of more than 100 million people — a data breach that prompted Capital One to reach a tentative $190 million settlement with affected customers. The Treasury Department also fined the company $80 million for failing to protect the data.
Following a seven-day trial, the Seattle jury found her guilty of wire fraud, unauthorized access to a protected computer and damaging a protected computer. The jury acquitted her of other charges, including access device fraud and aggravated identity theft.
Thompson’s attorneys argued that she struggled with mental health issues, never intended to profit from the data she obtained, and said in court papers “there is no credible or direct evidence that a single person’s identity was misused.”
Federal prosecutors said she didn’t just steal the data, but also planted software on servers she unlawfully accessed to steal computing power to mine cryptocurrency.
“Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself,” Seattle U.S. Attorney Nick Brown said in a news release.
Wire fraud is punishable by up to 20 years in prison, while the other charges can bring a five-year maximum. U.S. District Judge Robert Lasnik is scheduled to sentence Thompson in September.
Tomi Engdahl says:
Hybrid Networks Require an Integrated On-prem and Cloud Security Strategy
https://www.securityweek.com/hybrid-networks-require-integrated-prem-and-cloud-security-strategy
Tomi Engdahl says:
Breach at Eye Care Software Vendor Hits Millions of Patients
https://www.securityweek.com/breach-eye-care-software-vendor-hits-millions-patients
The personal information of millions of individuals may have been stolen by threat actors as a result of a data breach at Eye Care Leaders, a firm that provides electronic health record and practice management solutions.
The Durham, North Carolina-based company, which sells eye care management software solutions, claims to work with more than 9,000 ophthalmologists and optometrists. At least 23 of these eye care providers have been impacted by a data breach that Eye Care Leaders disclosed in December 2021.
Tomi Engdahl says:
Many OT Security Incidents Result in Outages Posing Physical Safety Risk: Fortinet
https://www.securityweek.com/many-ot-security-incidents-result-outages-posing-physical-safety-risk-fortinet
A survey conducted in March by Fortinet shows that over 40% of global cybersecurity incidents affecting organizations with operational technology (OT) systems resulted in outages that put physical safety at risk.
The results of the survey are found in Fortinet’s 2022 State of Operational Technology and Cybersecurity report. More than 500 OT professionals across 28 countries in the Americas, Western Europe, the APAC region, and a handful of African and Middle Eastern countries took part in the survey.
The report shows that 93% of OT organizations had experienced at least one cybersecurity incident in the past 12 months, and more than three-quarters admitted suffering at least three intrusions.
The most common types of attacks involved malware and phishing, but Fortinet pointed out that these types of incidents have significantly declined in North America — along with insider breaches — compared to the previous year.
Globally, 61% of respondents said incidents impacted only OT systems or both OT and IT systems. In addition, nearly half of respondents said their organization suffered an operational outage that affected productivity. Forty-two percent of incidents resulted in an operational outage that put physical safety at risk, and the percentage exceeds 50% in Latin America.
Operational outages impacting revenue, loss of business-critical data, failure to meet compliance requirements, and a negative impact on the brand were reported by roughly 30% of respondents, for each category.
Half of respondents said it took them hours to restore impacted systems and 31% said it took them days. In some cases, it took organizations weeks and even months to restore services, but it took some of the more mature organizations only minutes to get systems back online.
Of the respondents in North America, roughly a quarter reported being hit by ransomware in the past year, but three-quarters said they were concerned about ransomware more than other types of threats.
When it comes to security posture, Fortinet’s survey saw an improvement compared to the previous year, but more still needs to be done.
https://content.cdntwrk.com/files/aT0xNDY5ODY2JnY9MSZpc3N1ZU5hbWU9MjAyMi10aGUtc3RhdGUtb2Ytb3BlcmF0aW9uYWwtdGVjaG5vbG9neS1hbmQtY3liZXJzZWN1cml0eSZjbWQ9ZCZzaWc9MzZkYjI4ODExODcxZTYyYWM5NDIzNDE5OWYxOGRjNGM%253D
Tomi Engdahl says:
Finns are not afraid of mobile threats
https://etn.fi/index.php/13-news/13741-suomalaiset-eivaet-pelkaeae-mobiiliuhkia
Tomi Engdahl says:
A great day for non-robots: iOS 16 will bypass CAPTCHAs https://www.theregister.com/2022/06/21/believe_it_or_not_apple/
Apple has introduced a game-changer into its upcoming iOS 16 for those who hate CAPTCHAs, in the form of a feature called Automatic Verification. The feature does exactly what its name alludes to: automatically verifies devices and Apple ID accounts without any action from the user. When iOS 16 ships later this year, it will eliminate the frustrating requirement to select all the stop signs in a photo or decipher a string of characters.
Tomi Engdahl says:
OT:Icefall: 56 vulnerabilities plague OT devices from 10 different major industrial manufacturers
https://www.securityweek.com/basecamp-icefall-secure-design-ot-makes-little-headway
Ten years ago, Project Basecamp introduced SCADA exploits into Metasploit. The hope was that it would encourage a ‘Firesheep Moment’ (that is, the rapid solution to a long-known security issue following publication of an exploit); and more specifically, persuade manufacturers to introduce ‘security by design’. Ten years on, researchers have examined whether it worked – and it hasn’t.
In 2013, Dale Peterson, founder and CEO at Digital Bond and contributor to Project Basecamp wrote, “We coined the term of Insecure By Design as part of Project Basecamp… Most ICS vulnerabilities matter little because most ICS protocols and controllers are Insecure By Design.”
Ten years after Basecamp, Vedere researchers at Forescout have conducted their own project, dubbed OT:Icefall, so named because Icefall is the second stop on the Everest route after Basecamp, to see if anything has changed. The conclusions are not reassuring.
“Typically, we focus our research on program error vulnerabilities,” Daniel dos Santos, head of security research at Forescout, told SecurityWeek. But most OT malware – Industroyer, Triton, Incontroller – doesn’t use programming error vulnerabilities. Instead, they use flaws in the protocols, the authorization, certifications: in fact, they use the weaknesses that shouldn’t be there if the products were not insecure by design.
Forescout found 56 insecure by design problems in ten manufacturers, including Baker Hughes (Bentley Nevada), Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.
“We wanted to see how much has changed over the last decade since Project Basecamp – and unfortunately it’s not much.” It’s as if there is a conspiracy of silence over insecure OT design. These flaws are rarely assigned CVEs and are often effectively ignored by both the vendors and the users.
The issues are not new. Many of the products were designed long ago and are still operational and still being manufactured. Vendors are trying to improve them; but a wholesale switch to new products is not a viable solution for users. Even patching products where continuity of operation is essential is a heavy lift for OT operators.
Discovered flaws are often not given CVEs, are often not patched by vendors, and can be ignored by users. After all, some of them are deep in products that are supposedly isolated from the internet in products not accessible by attackers.
But security by obscurity does not work. The motivation for attacks against OT is growing – both for geopolitical nation state reasons and for criminal extortion attacks. Criminals can use the same vulnerability research methods used by researchers such as Forescout’s Vedere.
“Criminals can buy these products secondhand on Ebay and can then go through the same process of reverse engineering that we use. It’s not as difficult as people tend to think,” he added. “For the simplest types of protocols, it took us from one day to two weeks to understand the protocol and be able to interact and exploit things. For more complicated systems, with multiple devices and multiple types of protocols, it takes more like six man-months to understand the product family – so a group could do it in just a couple of months.”
The result is that attacks against critical industries and infrastructure are less difficult than we might assume – from disruption to ransomware and even wipers.
Dos Santos raised an additional problem with SecurityWeek; poor product certifications. “There has been a push for security certification of products – but the effect could lead to a false sense of security. Around 70% of the devices that we analyzed had some sort of security label on them, but still they had basic issues. Part of the cause has been the unwillingness to assign CVEs in the past, but other causes are limited evaluations and imprecise security definitions.”
He also noted a supply chain issue. “We didn’t focus on the supply chain, we focused on specific devices. But we found some vulnerabilities that were assigned previously to a PLC runtime – assigned by the original vendor of the software – that didn’t make it downstream to all the other vendors that were using that software. That speaks to the problem of not having software bills of materials (SBOM), not understanding precisely what components are in each device, and having vulnerable things that are not always identified. They are known to be vulnerable at the source but never make it down to other vendors.”
The overriding message from this research is that easy-to-find vulnerabilities are rife in OT devices. The problems are partly historical, but not easy to solve.