Channel: Tenable Blog

DOUBLEPULSAR Backdoor Detection with Nessus and PVS


Last week many of us in the industry were busy investigating a large cache of weaponized software exploits and payloads released by the ShadowBrokers group. One particular payload that received much attention was the DOUBLEPULSAR implant.

DOUBLEPULSAR is a covert command and control channel that can be used to control a compromised target. While many of the exploits that were released by the Shadow Brokers dump allow attackers to compromise a target, DOUBLEPULSAR can be used to maintain control of that compromised target in a covert manner. Attackers communicate with compromised targets using the Transaction 2 Subcommand Extension SMB feature, a feature that has not officially been used in SMB so far. If a system is compromised, an attacker can gather sensitive data, execute commands, or use the system to launch attacks against other systems in your network.

Systems that are compromised by DOUBLEPULSAR will respond to a trans2 SESSION_SETUP with a Not Implemented message that contains a Multiplex ID of 81, while a system that is not compromised will respond with the same message and a Multiplex ID of 65.

DOUBLEPULSAR response
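The Multiplex ID check described above, written out as a passive classifier for the trans2 reply; this is an added example, not Tenable's plugin code. It uses the well-known SMB1 header layout (MS-CIFS) and constructs its own sample replies, so the packets below are constructed test data, not captures.

```python
import struct
from typing import Dict, Optional

# Well-known SMB1 protocol constants (MS-CIFS); not taken from the post.
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
SMB_FLAGS_REPLY = 0x80
STATUS_NOT_IMPLEMENTED = 0xC0000002
# Multiplex IDs from the post: 81 (0x51) = implant answering, 65 (0x41) = clean host.
MID_IMPLANT = 81
MID_CLEAN = 65


def parse_smb1_header(packet: bytes) -> dict:
    """Parse a NetBIOS-framed SMB1 message and return its header fields.

    Layout: 4-byte NetBIOS session header, then the 32-byte SMB header:
    magic(4) command(1) status(4) flags(1) flags2(2) pid_high(2)
    security_features(8) reserved(2) tid(2) pid_low(2) uid(2) mid(2).
    """
    if len(packet) < 36:
        raise ValueError("too short for a NetBIOS + SMB1 header")
    if packet[0] != 0x00 or int.from_bytes(packet[1:4], "big") != len(packet) - 4:
        raise ValueError("bad NetBIOS session header")
    hdr = packet[4:36]
    if hdr[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    (command, status, flags, flags2, pid_high, _sig, _rsvd,
     tid, pid_low, uid, mid) = struct.unpack("<BIBHH8sHHHHH", hdr[4:])
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid}


def doublepulsar_indicator(reply: bytes) -> Optional[bool]:
    """Classify a server's answer to the trans2 SESSION_SETUP probe.

    True  -> STATUS_NOT_IMPLEMENTED with MID 81: the implant signature.
    False -> STATUS_NOT_IMPLEMENTED with MID 65: the host answered normally.
    None  -> not a trans2 error reply, or an MID this check does not recognise.
    """
    h = parse_smb1_header(reply)
    if not (h["flags"] & SMB_FLAGS_REPLY) or h["command"] != SMB_COM_TRANSACTION2:
        return None
    if h["status"] != STATUS_NOT_IMPLEMENTED:
        return None
    return {MID_IMPLANT: True, MID_CLEAN: False}.get(h["mid"])


def build_trans2_error_reply(mid: int) -> bytes:
    """Constructed sample reply (not a captured packet): an SMB1 error response
    to a trans2 request, WordCount=0 / ByteCount=0, carrying the given MID."""
    hdr = SMB_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_TRANSACTION2, STATUS_NOT_IMPLEMENTED,
        SMB_FLAGS_REPLY | 0x18,   # reply, canonical paths, case-insensitive
        0xC801,                   # unicode, NT status codes, long names
        0, b"\x00" * 8, 0,
        0x0800, 0xFEFF, 0x0800, mid)
    body = bytes([0]) + (0).to_bytes(2, "little")   # WordCount, ByteCount
    payload = hdr + body
    return bytes([0]) + len(payload).to_bytes(3, "big") + payload


def triage_replies(replies: Dict[str, bytes]) -> Dict[str, Optional[bool]]:
    """Map host -> verdict for a batch of replies keyed by host address;
    anything that is not parseable SMB1 is reported as inconclusive (None)."""
    verdicts = {}
    for host, pkt in replies.items():
        try:
            verdicts[host] = doublepulsar_indicator(pkt)
        except ValueError:
            verdicts[host] = None
    return verdicts


if __name__ == "__main__":
    # Constructed sample: one implanted host, one clean host, one non-SMB answer.
    sample = {
        "10.0.0.5": build_trans2_error_reply(MID_IMPLANT),
        "10.0.0.6": build_trans2_error_reply(MID_CLEAN),
        "10.0.0.7": b"HTTP/1.1 200 OK\r\n\r\n",
    }
    labels = {True: "DOUBLEPULSAR indicator", False: "clean", None: "inconclusive"}
    for host, verdict in triage_replies(sample).items():
        print(f"{host}: {labels[verdict]}")
```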

DOUBLEPULSAR can be identified by both Nessus® and PVS™. Tenable customers can use Nessus plugin ID 99439 to actively scan their networks for any hosts that are compromised.

DOUBLEPULSAR output

In addition to actively scanning for DOUBLEPULSAR, PVS customers can leverage Plugin 700059 to listen for connections to compromised targets.

DOUBLEPULSAR in PVS

SecurityCenter® users can quickly identify all hosts compromised by DOUBLEPULSAR by leveraging the Shadow Brokers Vulnerability Detection dashboard. This dashboard has been updated to include DOUBLEPULSAR; please re-download the dashboard to get the updated matrix.

DOUBLEPULSAR Dashboard

The presence of DOUBLEPULSAR is not just a potential vulnerability on a system in your network. It means that the target is compromised and can be potentially used to exfiltrate highly sensitive data or run arbitrary commands on the system. There have been reports of scripts actively scanning the internet looking for the existence of this backdoor. By using Nessus and PVS, you can identify any compromised hosts and cut off access.


Many thanks to Andrew Orr and Ian Parker for their contributions to this blog.


Canada’s Information Technology Security Guidance Publication 33 (ITSG-33)


Safeguarding a network in today’s dynamic threat environment is a formidable task. Mobile devices and an increasing dependence on the internet make the job of maintaining control of network systems and data seem nearly insurmountable. The continual discovery of product vulnerabilities and the advent of malware toolkits ensure that networks are continuously bombarded by increasingly sophisticated attacks. Poor asset management, weak configurations, inadequate user access controls, and insufficient network monitoring increase the risk that critical systems and sensitive data will be compromised.

The Communications Security Establishment Canada (CSEC) developed a series of guidelines for security practitioners to manage information technology (IT) security risks for Government of Canada (GC) information systems. The Information Technology Security Guidance Publication 33 (ITSG-33), IT Security Risk Management: A Lifecycle Approach, provides a comprehensive set of security controls that can be used to support a wide variety of business requirements. To support interoperability needs, the ITSG-33 guide is consistent with controls published in the U.S. National Institute of Standards and Technology (NIST) Special Publication 800-53.

Tenable™ has created a series of ITSG-33 dashboards and a report that align with ITSG-33 security controls in the following families:

  • AC (ACCESS CONTROL)
  • AU (AUDIT AND ACCOUNTABILITY)
  • CA (SECURITY ASSESSMENT AND AUTHORIZATION)
  • CM (CONFIGURATION MANAGEMENT)
  • IA (IDENTIFICATION AND AUTHENTICATION)
  • MP (MEDIA PROTECTION)
  • RA (RISK ASSESSMENT)
  • SC (SYSTEM AND COMMUNICATION PROTECTION)
  • SI (SYSTEM AND INFORMATION INTEGRITY)

The goal of ITSG-33 – and of any information security framework – is to provide guidance and direction to help organizations manage risk and protect systems from compromise of confidentiality, integrity, and availability. Failure to effectively manage risk can be costly and damaging to an organization’s business and reputation.

Asset inventory and configuration management

ITSG-33 Configuration Management Dashboard

For successful network protection, good asset inventory monitoring and configuration management are required. You can’t protect what you don’t know. If you don’t notice the three servers in a back room that haven’t been patched in two years and that are running end-of-life applications on your network, then your network is at risk.

Tenable SecurityCenter Continuous View® (SecurityCenter CV™) has the ability to actively and passively detect systems on a network. The functions of those systems, as well as what operating systems and other software are running on them, are identified. SecurityCenter CV can collect logs and detect changes such as new machines on the network and software being installed. In addition, SecurityCenter CV supports running compliance or audit scans against systems to assess their configuration security.

This inventory and security configuration information can assist your organization in protecting the network and evaluating your compliance with ITSG-33 security controls, including:

  • Configuration Change Control (CM-3)
  • Least Functionality (CM-7)
  • Information Systems Component Inventory (CM-8)
  • User-Installed Software (CM-11)

I find the Tenable ITSG-33: Configuration Management dashboard very helpful to get an overview of configuration management information. Using this dashboard, you can monitor counts of systems, such as wireless access points and web servers, and see the software detected on the network, such as which browsers are in use. The compliance summary information on the dashboard helps you know where to focus security hardening efforts. Detected changes alert you to possible unexpected or unauthorized modifications. To get specifics on hosts or change events, you can drill down into the results. This ability to drill down for further investigation is a particularly useful feature of SecurityCenter CV dashboards.

Vulnerability management

ITSG-33 Vulnerability Management Dashboard

Once an accurate inventory is determined and properly configured, an important next step in securing the network is finding and fixing vulnerabilities. Vulnerable devices can be exploited, putting your network and your data at risk. Vulnerability management involves detecting vulnerabilities on network systems, prioritizing which vulnerabilities to deal with first, patching or updating to remediate the vulnerabilities, and monitoring to confirm that the vulnerabilities are fixed.

Effectively managing vulnerabilities is often a challenge due to a lack of time and resources. Fortunately, a core competency of SecurityCenter CV is vulnerability detection. SecurityCenter CV also tracks vulnerabilities, noting vulnerabilities that are not detected on rescans and marking those vulnerabilities as mitigated. SecurityCenter CV can determine the most vulnerable systems, highlight vulnerabilities known to be exploitable, and present top remediation opportunities, all to assist in prioritizing remediation efforts.

This vulnerability detection and management information can assist your organization in securing the network and evaluating your compliance with ITSG-33 security controls, including:

  • Flaw Remediation (SI-2)
  • Risk Assessment (RA-3)
  • Vulnerability Scanning (RA-5)

What I consider most useful about the Tenable ITSG-33: Vulnerability Management dashboard is that the dashboard makes vulnerability management more measurable, such as by tracking mitigation progress and monitoring vulnerability scanning coverage and recent activity. This dashboard also assists in identifying the top at-risk systems on your network and motivating you to ensure that the necessary organizational resources are applied to best address the vulnerabilities. The exploitable vulnerability indicators are particularly important, to identify known exploitable vulnerabilities that are a high priority to remediate before they can be taken advantage of – this is particularly useful information to act on before a red team assessment! Data from patch management solutions such as SCCM, WSUS, and Symantec Altiris is also included on the dashboard.

Authentication and access control

ITSG-33 Authentication and Access Control Dashboard

Controlling access to systems and data is another vital step in securing a network. Poor authentication and access control opens the door for network intrusion and data theft. Authentication mechanisms must be secure, users must not have more access than they require for their jobs, and suspicious access activity must be detected and investigated.

SecurityCenter CV can assist in this area as well. Authentication vulnerabilities and access control compliance concerns can be detected. User account logins and other user activity can be tracked. Using credentialed scans, SecurityCenter CV can obtain lists of accounts, such as disabled accounts, accounts that have never changed their password, Mac OS X admin group user accounts, and more. In addition, SecurityCenter CV can detect account and group changes, such as new users and privilege changes.

As before, this information can assist your organization in controlling access to your network and evaluating your compliance with ITSG-33 security controls, including:

  • Access Enforcement (AC-3)
  • Account Management (AC-2)
  • Identification And Authentication (IA-Family)
  • Least Privilege (AC-6)
  • Separation Of Duties (AC-5)
  • Session Lock (AC-11)
  • Session Termination (AC-12)
  • System Use Notification (AC-8)
  • Unsuccessful Logon Attempts (AC-7)

The Tenable ITSG-33: Authentication and Access Control dashboard presents useful information to monitor and improve authentication and access control on your network. Knowing the top subnets with authentication and access control vulnerabilities helps you to better understand where the weak points are on your network and focus attention on these areas. You can drill down and see the vulnerability information by IP address or asset list as well. Of course, the ability to monitor account activity is very important to access control. The dashboard lists users who have performed or attempted to perform administrative actions, enabling you to identify any unexpected users who may have too much privilege. New users and access change information alert you to potential suspicious changes that you may need to further investigate.

Additional ITSG-33 resources

Tenable has additional dashboards to support ITSG-33, including Workforce Mobility, Data Protection, Audit and Monitoring, and Audit Details. The Audit Details dashboard in particular presents the results of an ITSG-33 compliance audit by individual security controls. An ITSG-33 Report is available that combines much of the information from the various dashboards into a single report. A related dashboard, Canadian Top 10 Security Actions, based on ITSB-89, is also available.

The information presented in the ITSG-33 dashboards and report can help your organization to better secure and monitor the network, enabling better defenses against attacks and responses to malicious activity, and ultimately safeguarding your critical assets and sensitive data. The dashboards mentioned here are presented in the context of ITSG-33, but many of these dashboards and the security concerns they highlight are generally applicable to any network.

Vulnerability Management has Changed Dramatically: Forrester Report

Vendor Landscape: Vulnerability Management, 2017

According to Forrester [1], software vulnerabilities are the leading method of external intrusion in a breach. This problem will continue to grow, as the sheer number and types of IT assets increase, including cloud, IoT, mobile, and containers. Organizations must deploy security solutions that have the ability to protect the full asset landscape if they are seeking an accurate understanding of their cyber exposure.

With that in mind, last week Forrester released its Vendor Landscape: Vulnerability Management, 2017 report, by Senior Analyst Josh Zelonis. The report provides security and risk professionals an overview of the vulnerability management vendor landscape and information on trends that directly affect and enable business operations.


Tenable is pleased to be recognized as the only vendor that provides 100% of the seven essential features of vulnerability management solutions listed in the report, including the ability to identify vulnerabilities in container images.

The expanding asset landscape

The report notes that, “Vulnerability management has changed dramatically over the past 20-plus years.” For example, when application scanning emerged to identify critical app vulnerabilities, the threat landscape expanded to focus on application security.

This shift toward application security has continued with the rising adoption of containers. In the past, security teams have generally used vulnerability management solutions to monitor assets running in production. Now however, Zelonis writes that “Containers offer a tectonic shift to this dynamic, as developers now are responsible for specifying the runtime environments where their applications will live, at build definition, allowing security to integrate very early in the development life cycle.”

Tenable is innovating to protect emerging assets


The report further notes that, “Tenable has as much brand equity as a company could have with Nessus, yet it strives to be one of the most forward-thinking companies in the vulnerability management space. With its acquisition of FlawCheck in October 2016, Tenable is the first, and so far the only, traditional vulnerability management vendor to add container registry scanning capabilities.”

Now available for free trial, Tenable.io™ Container Security provides comprehensive visibility into the security posture of container images as they are developed, enabling vulnerability assessment, malware detection, policy enforcement, and remediation prior to container deployment.

With Tenable.io, organizations get access to the first vulnerability management platform built for today’s dynamic assets, including cloud, containers and web applications. Built on the leading Nessus® technology from Tenable, Tenable.io brings clarity to your security and compliance posture through a fresh asset-based approach that accurately tracks resources and vulnerabilities while accommodating dynamic assets that can otherwise cause blind spots.

For additional information, please download the full Vulnerability Management: Vendor Landscape, 2017 report.

[1] Forrester Data Global Business Technographics Security Survey, 2016

Money, Hackers and Spies: Quick Bytes from Verizon's 2017 DBIR Report


Before diving into some initial findings of this year’s Verizon Data Breach Investigations Report (DBIR), here are a few things to remember. First, the report is a subset of all incident and breach data, not a comprehensive study. It consists only of data from Verizon customers and their partners, and should be weighted as such. Second, the DBIR data sources change and diversify every year. This needs to be taken into account when making comparisons from one year to the next. Third, while the DBIR can be extremely useful, it is not gospel. Treat it as a tool, as one of many data points to help you make better security decisions for your environment.

With that, let’s take a look at some high-level findings from this year’s report.

  • Money and cyber espionage are still the two most popular motivations for attackers.
  • This year, 62 percent of breaches were hacking-related, meaning attackers used methods like backdoors, stolen credentials, brute force, desktop sharing, web applications — all things that the industry has been dealing with for years.
  • Phishing is the most common social tactic in the report dataset, accounting for 93 percent of all social engineering incidents. This reinforces the importance of organizational policies that provide employee education and awareness.
  • Top breach targets are financial organizations (24 percent), healthcare organizations (15 percent) and the public sector (12 percent) — three industries that handle sensitive information and have critical devices and infrastructure that can’t be taken offline.
  • While insider threats are potentially more damaging and easy to overlook, outsider threats are still the most common form of attack.
  • Nation-state actors made up 18 percent of breaches.

Weak passwords and stolen credentials (81 percent) are still the biggest entry method used by attackers. It’s easier than starting from scratch and finding an exploit.

It is up to the organization to enforce strong password policies and limit user credentials and access to only that level required for users to perform their jobs. Organizations should also look at their network design, and ensure the proper controls are in place to limit lateral movement once an attacker gains entry.

At some point an attacker will inevitably compromise even a well-designed and secured network. When that happens, you need to be able to spot that intrusion quickly, close off the attacker’s access and reconstitute the network defenses. Organizations need to set the bar high and at the same time make sure they are covering the basics: know what is on your network at all times, keep up with and prioritize patches, actively look for indicators of compromise, and then prioritize your actions to understand your exposure and reduce your risk.

Download a free copy of the full Verizon 2017 Data Breach Investigations Report for all the details.

How To Run an External Asset Scan with Tenable.io in Just Four Lines of Python


The new Python SDK for Tenable.io™ was designed to easily enable powerful integrations with the Tenable.io API. The aim of this blog is to demonstrate how to get the SDK up and running, launch an external network scan against one of your publicly exposed assets, then export the results in a convenient PDF file in only four lines of Python.


Tenable.io account setup

If you don’t already have an account, the first thing you’ll need to do is create an account on Tenable.io. Tenable offers a free 60 day evaluation of the platform. Once you’ve completed the form, you’ll receive an email that will allow you to finish setting up your evaluation account.

Generating API keys

Once you have an account on Tenable.io, you need to generate API keys for your account.

  1. Log into your Tenable.io account.
  2. On the top menu bar, click Settings.

Tenable.io/Settings

  3. From the Settings page, click My Account from the menu on the left side of the page.

Tenable.io/My Account

  4. Click the API Keys tab.

Tenable.io/API Keys

  5. Click the Generate button.

Generate the API keys

  6. Store these keys somewhere safe; you’ll need them to access the API using the SDK.

Setting up a development environment (optional)

This step is not strictly required, but it is highly recommended. A virtual environment will keep your development work with the Tenable.io SDK in its own separate environment and free from any other Python packages or dependencies. For this blog, Python 3 is used, but Python version 2.7+ is also supported.

  1. On Unix/MacOS (Windows blog coming soon), open a new Bash shell.
  2. Create a new directory for your development work: $ mkdir tio
  3. Navigate into your new directory: $ cd tio
  4. Install virtualenv if you have not already done so: $ pip3 install virtualenv
  5. Create a new virtual environment: $ virtualenv -p $(which python3) .
  6. Activate your virtual environment: $ source bin/activate
  7. Installing the SDK itself can be done with a single command: $ pip install tenable_io


The code

from tenable_io.client import TenableIOClient

client = TenableIOClient(access_key='{YOUR ACCESS KEY}', secret_key='{YOUR SECRET KEY}')
scan = client.scan_helper.create(name='{MY TEST SCAN}', text_targets='{YOUR TARGET}', template='basic')
scan.launch().download('{SCAN NAME}.pdf', scan.histories()[0].history_id) 

NOTE: Be sure to fill in the variables wrapped in curly brackets above with your own information.

Here is an explanation of what is happening line by line.

from tenable_io.client import TenableIOClient

Line 1 imports the TenableIOClient class from the tenable_io client module. The client is the simplest way to interact with the Tenable.io API and provides methods for doing anything you can do via the Tenable.io Web Application interface, and much more.

client = TenableIOClient(access_key='{YOUR ACCESS KEY}', secret_key='{YOUR SECRET KEY}')

Line 2 instantiates a TenableIOClient object with your API keys, giving it access to your Tenable.io account. Note that the SDK will only operate fully and correctly if an Admin-level account is used for authorization.

scan = client.scan_helper.create(name='{MY TEST SCAN}', text_targets='{YOUR TARGET}', template='basic')

Line 3 creates a new Tenable Basic Network Nessus® scan against the domain name or IP supplied in the text_targets field. You may also supply a comma-delimited list as a string in this field to scan multiple targets.

NOTE: Per the EULA, you are only permitted to scan targets that you own and are authorized to scan.

scan.launch().download('{SCAN NAME}.pdf', scan.histories()[0].history_id)

Line 4 is where the magic happens:

  • scan.launch() launches the scan you created on line 3 using the Tenable.io US Cloud Scanners, which can be utilized for scanning your public facing assets.
  • histories()[0].history_id is being passed as a parameter to the download() function. This will resolve to the history id of the scan you just launched; because the scan has only been run once, it will grab the only history id.
  • The download() function takes as parameters the history id mentioned above as well as the name you give to the scan result that will be downloaded. Make sure you give the file a name that ends in .pdf as the default format for downloading scan results.
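Two things a practitioner would add before handing a text_targets string to the four-line script: keep the API keys out of the source file, and check that every target in the comma-delimited list lies inside networks or domains you own (the EULA point above). This is an added pre-flight helper, not part of the SDK or the post; the TIO_ACCESS_KEY/TIO_SECRET_KEY environment variable names and the sample networks are assumptions.

```python
import ipaddress
import os
from typing import Iterable, List, Tuple


def parse_text_targets(text_targets: str) -> List[str]:
    """Split the comma-delimited text_targets string the SDK accepts."""
    return [t.strip() for t in text_targets.split(",") if t.strip()]


def is_authorized(target: str, owned_networks, owned_domains) -> bool:
    """True if an IP/CIDR target sits entirely inside an owned network, or a
    hostname target equals or is a subdomain of an owned domain."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        host = target.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in owned_domains)
    return any(net.version == o.version and net.subnet_of(o) for o in owned_networks)


def check_targets(text_targets: str, owned_networks: Iterable[str],
                  owned_domains: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Partition the target list into (authorized, rejected)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in owned_networks]
    doms = [d.lower().rstrip(".") for d in owned_domains]
    ok, rejected = [], []
    for t in parse_text_targets(text_targets):
        (ok if is_authorized(t, nets, doms) else rejected).append(t)
    return ok, rejected


def load_api_keys() -> Tuple[str, str]:
    """Read the keys from the environment instead of embedding them in the script
    (assumed variable names, not SDK convention)."""
    access = os.environ.get("TIO_ACCESS_KEY")
    secret = os.environ.get("TIO_SECRET_KEY")
    if not access or not secret:
        raise RuntimeError("set TIO_ACCESS_KEY and TIO_SECRET_KEY before running")
    return access, secret


if __name__ == "__main__":
    # Constructed sample: documentation ranges standing in for your own assets.
    ok, rejected = check_targets(
        "203.0.113.10, 203.0.113.0/28, www.example.com, 198.51.100.7",
        owned_networks=["203.0.113.0/24"], owned_domains=["example.com"])
    print("authorized:", ok)
    print("rejected:", rejected)
    # Only the authorized list would be joined with ", " and passed as
    # text_targets to client.scan_helper.create(...) from the post.
```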

Running the script

Copy the code along with your alterations to a file named public_scan_tutorial.py and save it in the tio/ directory. Then, to run your scan:

$ python public_scan_tutorial.py

This command should take a few minutes to run as it creates your scan, scans your target, and exports the results. After it finishes, you should see a new pdf file in the tio/ directory. 

Wrapping up

Not only is the Tenable.io SDK incredibly powerful and concise, but it’s also extremely easy to use while giving you greater control and flexibility over your company’s threat and vulnerability management. This article is only the tip of the iceberg; check out the SDK documentation and subscribe to The Tenable Blog for additional tips and articles in the future.


Intel AMT Vulnerability Detection with Nessus and PVS (INTEL-SA-00075)


Intel recently announced an escalation of privilege vulnerability in the Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware, versions 6 through 11.6. This vulnerability has the potential of being a proverbial big one. The vulnerability has been part of the Intel chipsets for years, specifically the Management Engine (ME). The ME runs things like DRM (Digital Rights Management) and does TPM (Trusted Platform Module) checks as well as AMT. AMT enables systems administrators to re-image bare metal machines over a remote connection. To accomplish that, the AMT requires many privileges, from network access to writing to memory and disk. The AMT is hardware and operates separately from any operating system installed on a system. Obviously, with this much power there is some protection: in this case, access to AMT is protected by a password. The vulnerability in AMT is that the password can be bypassed.

About AMT

The vulnerability is not in all Intel chipsets, but it does heavily impact servers (not consumer PCs). If you have explicitly enabled AMT at any point, you are at risk.

There have been very few technical details published on the vulnerability itself, other than it allows unauthenticated access to AMT. Currently, it is not known whether this vulnerability impacts all AMT installations or just those in Small Business Mode or Enterprise Mode. If it is Enterprise Mode only, then the impact to regular end users will be minimal. Enterprise Mode can be challenging to set up, and few if any home or even small business users would bother. However, if this vulnerability impacts all installations of AMT or even Small Business Mode, things will be much, much worse.

AMT listens to TCP ports 16992 and 16993 to accept incoming network connections. There are already reports of people (from researchers to attackers) mass scanning the entire Internet looking for systems with these ports open.

Detection methods

Nessus

Tenable provides several detection tools to identify vulnerable servers. The credentialed Nessus® plugin #97997 detects systems that are affected by the Intel vulnerability and provides remediation guidance:

Nessus plugin #97997

Another Nessus plugin, #97998, detects vulnerable versions based on the banner of the service listening on port 16992. Note, though, that banner versions are not always granular enough, so in some cases this check could result in false negatives. But it accurately identifies systems that are vulnerable, so the risk of false positives is very low.
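The banner-based approach, with its granularity caveat built in, as an added example (not plugin #97998's code): an in-range banner only earns a "suspected" verdict because the version string alone cannot tell a patched build from an unpatched one. The Server header format and the sample responses are assumptions constructed for the example; the affected range is the 6 through 11.6 stated above.

```python
import re
from typing import Dict, Optional, Tuple

# AMT's web server on TCP 16992 identifies itself in an HTTP Server header.
# The header text is assumed for this example, e.g.
#   Server: Intel(R) Active Management Technology 9.1.35
BANNER_RE = re.compile(
    r"Intel\(R\) (?:Active Management Technology|Standard Manageability)\s+"
    r"(\d+(?:\.\d+)*)", re.IGNORECASE)

# Affected range given in the advisory summary: firmware versions 6 through 11.6.
AFFECTED_MIN: Tuple[int, int] = (6, 0)
AFFECTED_MAX: Tuple[int, int] = (11, 6)


def extract_version(http_response: str) -> Optional[Tuple[int, ...]]:
    """Pull the AMT firmware version out of a raw HTTP response's Server header."""
    for line in http_response.splitlines():
        if line.lower().startswith("server:"):
            m = BANNER_RE.search(line)
            if m:
                return tuple(int(p) for p in m.group(1).split("."))
    return None


def classify_banner(http_response: str) -> str:
    """Return 'suspected', 'not-affected' or 'unknown'.

    A banner can place a host inside the affected range but cannot distinguish a
    patched build from an unpatched one (the granularity caveat), so an in-range
    banner is only 'suspected' until an active check confirms it.
    """
    v = extract_version(http_response)
    if v is None:
        return "unknown"          # no AMT banner seen: nothing to conclude
    major_minor = (v[0], v[1] if len(v) > 1 else 0)
    if AFFECTED_MIN <= major_minor <= AFFECTED_MAX:
        return "suspected"
    return "not-affected"


def triage_banners(responses: Dict[str, str]) -> Dict[str, str]:
    """Host address -> verdict for a batch of responses collected from port 16992."""
    return {host: classify_banner(resp) for host, resp in responses.items()}


if __name__ == "__main__":
    # Constructed sample responses from three hosts (not real captures).
    samples = {
        "192.0.2.10": "HTTP/1.1 200 OK\r\nServer: Intel(R) Active Management Technology 9.1.35\r\n\r\n",
        "192.0.2.11": "HTTP/1.1 200 OK\r\nServer: Intel(R) Active Management Technology 11.8.50.3425\r\n\r\n",
        "192.0.2.12": "HTTP/1.1 200 OK\r\nServer: nginx/1.10.3\r\n\r\n",
    }
    for host, verdict in triage_banners(samples).items():
        print(f"{host}: {verdict}")
```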

Also, plugin #97999 tests for the vulnerability reported in CVE-2017-5689 by performing the authentication bypass against a provisioned AMT service to confirm that it is vulnerable.

Nessus plugin #97999

Nessus plugin #97999 output

PVS

The Tenable Passive Vulnerability Scanner® (PVS™) can also detect hosts that have AMT running via plugin #6955:

PVS plugin #6955

SecurityCenter

SecurityCenter® users can start assessing the risk that this vulnerability presents without having to rescan the network. SecurityCenter collects many other plugins filled with service detections, banner detection, and installed software programs. The new INTEL-SA-00075 Detection dashboard uses all these options and previously collected data to identify potentially vulnerable systems, and then uses the CVE to identify systems that are confirmed vulnerable.

SecurityCenter INTEL-SA-00075 Detection dashboard

The matrix in the upper left of the dashboard identifies both current and remediated vulnerabilities. As you scan your network, find the vulnerabilities, and apply patches, the numbers will move from the Cumulative row into the Mitigated row. The dashboard also shows you if the vulnerabilities are only Suspected or if they are Confirmed, using active and passive detection methods.

The INTEL-SA-00075 Detection dashboard quickly helps you understand where the most immediate risk is in your environment.

Manual

To check if you have the supported CPU, chipset, network hardware and AMT you can either use the Tenable.io plugins described above or check your BIOS. (For most systems, use CTRL-P during boot.) If you see AMT listed there, you should disable it. Determine if you have an Intel AMT, Intel SBA, or Intel ISM capable system by reviewing this document.

Mitigation

AMT has been around for about the last seven years and most machines made with AMT since then could be at risk. Once you have identified the servers that are impacted by the Intel vulnerability, you should check with your vendor(s) for a patch release – firmware updates are not automatic and are specific to each manufacturer. Older systems obviously stopped receiving firmware updates years ago and most likely won't receive a patch for this vulnerability. If your vendor does not issue a patch, you may want to follow mitigation steps recommended by Intel.

We recommend you follow these steps immediately to secure your infrastructure; otherwise, this vulnerability could result in a remotely controlled exploit and serious consequences.

Rediscovering the Intel AMT Vulnerability

No PoC, No Patch, No Problem!

On May 1, 2017 Intel disclosed the AMT vulnerability (INTEL-SA-00075), but details of that vulnerability were not made public. However, Tenable researchers were able to overcome this challenge and make Tenable the first to deliver Intel AMT vulnerability detection capabilities to customers, just minutes after Intel’s announcement yesterday. This is the story of how we did it.

The hunt

The first thing our research team tried was to set up a known vulnerable target. After some searching, we found a Dell computer that had Intel AMT support but there was a problem. It was not configured/provisioned for what we needed.

The Intel Management Engine Interface (MEI) driver was installed but the Local Management Service (LMS) was not. Intel AMT documentation says the AMT configuration tool ACUWizard.exe requires LMS to be running.

So we searched and found a software package for installing LMS on the vendor's website. After LMS was installed, we were able to configure/provision AMT on the computer, giving us access to AMT via the web interface.

AMT login screen

Next, we logged in to the web interface and browsed the menu items:

AMT web interface

A logical vulnerability

During this process, we found out that the HTTP Digest authentication method was used to access the web interface. In a blog post written by Embedi (the company of the researcher who discovered the vulnerability) a bullet point stood out:

With 100 percent certainty it is not an RCE but rather a logical vulnerability.

One hypothesis we had was that this logical vulnerability may be related to authentication. After all, a logical vulnerability that seems to involve decision-making and authentication certainly falls into this category (i.e., deciding whether a login credential is right or wrong). If correct, this would give a remote attacker access, as suggested by the Intel advisory.

Drawing on past experience when we reported an authentication-related vulnerability in which the length of credential comparison is controlled by the attacker (memcmp(attacker_passwd, correct_passwd, attacker_pwd_len)), we tested out a case in which only a portion of the correct response hash is sent to the AMT web server. To our surprise, authentication succeeded!

Next, we reduced the response hash to one hex digit and authentication still worked. Continuing to dig, we used a NULL/empty response hash (response="" in the HTTP Authorization header).

Authentication still worked. We had discovered a complete bypass of the authentication scheme.

With a simple find_and_replace regex (find: response\s*="[0-9a-f]+", replace: response="") in Burp Suite, we could fire up a web browser configured to use the proxy, and log in to the AMT web interface with the user admin and any password.
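From the defender's side, the same pattern is what you would hunt for in traffic to the AMT ports: a Digest Authorization header whose response= value is empty or shorter than a full MD5 digest. This is an added detection example, not Tenable's plugin logic; the tab-separated log records and the host addresses are constructed for the example.

```python
import re
from typing import Dict, List

# Digest fields as quoted in an HTTP Authorization header (RFC 2617 syntax).
RESPONSE_RE = re.compile(r'response\s*=\s*"([0-9a-fA-F]*)"')
USERNAME_RE = re.compile(r'username\s*=\s*"([^"]*)"')
MD5_HEX_LEN = 32            # a genuine Digest response is a full 32-hex-digit MD5
AMT_PORTS = {"16992", "16993"}


def inspect_digest(authorization: str) -> Dict[str, str]:
    """Report whether one Authorization header value matches the bypass pattern.

    The bypass described above sends a truncated or empty response= value, so
    anything shorter than a full MD5 digest is flagged. Returns verdict and reason.
    """
    scheme = authorization.split(None, 1)[0] if authorization.strip() else ""
    if scheme.lower() != "digest":
        return {"verdict": "ignore", "reason": f"scheme {scheme or '<none>'} is not Digest", "user": ""}
    user_m = USERNAME_RE.search(authorization)
    user = user_m.group(1) if user_m else ""
    resp_m = RESPONSE_RE.search(authorization)
    if resp_m is None:
        return {"verdict": "alert", "reason": "response= missing or not hex", "user": user}
    digest = resp_m.group(1)
    if len(digest) == 0:
        return {"verdict": "alert", "reason": "empty response= (full bypass pattern)", "user": user}
    if len(digest) < MD5_HEX_LEN:
        return {"verdict": "alert",
                "reason": f"truncated response= ({len(digest)} of {MD5_HEX_LEN} hex digits)",
                "user": user}
    return {"verdict": "ok", "reason": "well-formed digest", "user": user}


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run inspect_digest over constructed tab-separated records
    (src, dst:port, request line, Authorization value) and return the alerts
    for traffic aimed at the AMT ports."""
    alerts = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4:
            continue
        src, dst, request, auth = parts
        if dst.rsplit(":", 1)[-1] not in AMT_PORTS:
            continue
        result = inspect_digest(auth)
        if result["verdict"] == "alert":
            alerts.append({"src": src, "dst": dst, "request": request, **result})
    return alerts


# Constructed sample records (documentation addresses, made-up nonces).
SAMPLE_LOG = [
    '203.0.113.9\t192.0.2.10:16992\tGET /index.htm\tDigest username="admin", realm="Digest:AMT", '
    'nonce="constructed", uri="/index.htm", response=""',
    '198.51.100.4\t192.0.2.10:16992\tGET /index.htm\tDigest username="admin", realm="Digest:AMT", '
    'nonce="constructed", uri="/index.htm", response="a"',
    '192.0.2.50\t192.0.2.10:16992\tGET /index.htm\tDigest username="admin", realm="Digest:AMT", '
    'nonce="constructed", uri="/index.htm", response="0123456789abcdef0123456789abcdef"',
    '192.0.2.51\t192.0.2.10:443\tGET /\tDigest username="bob", response=""',
    '192.0.2.52\t192.0.2.10:16992\tGET /index.htm\tBasic [constructed]',
]


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"ALERT {a['src']} -> {a['dst']} {a['request']} user={a['user']}: {a['reason']}")
```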

Null response

Coordinated disclosure

With our findings confirmed, the next question was whether the authentication bypass vulnerability that the Tenable Research team had just discovered was the same one described in the Intel AMT advisory, or if it was in fact another critical vulnerability.

As any good researcher knows, it is important to get this disclosure part right – the discovery of a possible zero-day in widely distributed firmware isn’t something you take lightly.

Tenable reached out to Intel on May 3 with our proof-of-concept, asking if this was the same vulnerability previously disclosed by Intel on May 1. On May 4, Intel responded confirming that it was the same vulnerability and requested we wait to share our findings until 12:00 p.m. Pacific time that day.

That meant that within minutes of the Intel deadline, Tenable was able to give customers a detection plugin (Nessus plugin 97999) to help them know exactly where they are exposed to the Intel AMT vulnerability so they can continue to confidently manage cyber risk to the business.

Master Your Security Foundation: Know Your Software


Inventorying and managing the software on your network is foundational to your security. Unmanaged and unauthorized software is a blind spot that increases risk and IT support costs. What you don’t know will hurt you.

According to the Center for Internet Security (CIS) Critical Security Controls, conducting an Inventory of Authorized and Unauthorized Software is a foundational cyber hygiene control that should be implemented immediately after you Inventory Authorized and Unauthorized Devices. In explaining this second most important control, the CIS instructs organizations to:

Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

The CIS is not alone in this recommendation. Other security frameworks and compliance standards echo the importance of knowing your software, sharing a common thread that recommends identifying all of your software so you can manage it. Knowing your software enables you to identify and manage high risk or vulnerable software, block malware and audit license compliance.

Standard                      "Know Your Software" Control Objective
PCI DSS                       2.4: Maintain an inventory of systems that are in scope for PCI DSS.
NIST Cybersecurity Framework  ID.AM-2: Software platforms and applications within the organization are inventoried
ISO/IEC 27002:2013            A.12.5.1: Installation of software on operational systems
                              A.12.6.2: Restrictions on software installation
NIST 800-53 rev 4             CM-8: Information system component inventory
                              CM-11: User installed software

Knowing and controlling your software is certainly a control that increases security – detecting and blocking malware and high risk applications reduces your attack surface and can prevent incidents. However, the benefits of knowing and controlling your software extend beyond security. For example, identifying and updating unsupported software versions reduces IT support costs, and can even increase user productivity and license compliance.

Tenable knows your software

SecurityCenter Continuous View® inventories the software that is installed and running on your network and can identify unsupported software that should be upgraded or removed. I created the custom dashboard shown below using components from two dashboard templates: CIS CSC: Software and Applications and CSF Asset Management - Software. These templates are published by the Tenable research team, and you can use them as is or tailor them, as I have done.

Authorized and Unauthorized Software Dashboard

The dashboard contains the following components:

CSF - Top Operating Systems: The list of discovered operating systems shows the most frequently discovered operating system at the top. Unfortunately for me, Windows XP is my most common OS. Obviously I need to upgrade! My demo environment doesn’t include mobile devices, but if it did, they would be listed here.

Software Summary - Browser and Plugin Vulnerabilities: This component helps me determine which browsers and plugins have the most vulnerabilities. Java stands out as having the most critical vulnerabilities and as being the most exploitable. If this happened in your organization, it could indicate you need a stronger policy limiting Java’s use or at least limiting the use of old versions.

CSF - Software Applications and Database Servers: When a software application or database server is detected on the network, the indicator will be highlighted in purple, along with the total number of installations by count. This component can assist you in tracking software licenses for inventory and compliance purposes. Because the range of software applications and database servers can vary among organizations, you can modify this matrix to fit your specific business requirements.

Unsupported Product Summary - Application by Type and Percentage: This bar chart shows the percentage of unsupported applications and operating systems in my demo environment sorted by product type, such as database servers, web servers, operating systems or applications. Again, those pesky Windows XP systems stand out.

CSC - Inventory of Authorized and Unauthorized Software: This table displays software installs, unsupported applications and missing patches within the last 24 hours, 72 hours and 7 days.

CSF - Software Installed (Last 7 Days): This chart presents a trend of software installations within Windows, Linux and Mac OS X operating systems. It reports the number of installations on an OS by count over the last seven days.

Whitelist your applications

The CIS control, Inventory of Authorized and Unauthorized Software, includes a subcontrol (2.2):

...deploy application whitelisting, that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system.

Whitelisting is definitely an important control and is described in an excellent publication, NIST SP 800-167: Guide to Application Whitelisting.

Although Tenable does not offer application whitelisting software, we can audit the presence of two popular whitelisting applications:

SecurityCenter Continuous View can inform you about systems that are expected to have one of these whitelisting applications installed, but do not.

Learn more

The CIS Critical Security Controls include four sub-controls that support Inventory of Authorized and Unauthorized Software. A detailed discussion of these sub-controls is beyond the scope of this blog – but we can help you learn more. Tenable is hosting a webinar on May 24th, when we will dive into the control details, show you how Tenable can help and answer your questions. This webinar is the second of a five-part series that will explore each of the CIS Foundational Cyber Hygiene controls. Brian Ventura, a SANS community instructor, will be our expert guest presenter. Brian teaches a 2-day course, Critical Security Controls: Planning, Implementing and Auditing. He has also taught a 5-day course, Implementing and Auditing the Critical Security Controls – in Depth. In addition to presenting valuable content, we will reserve time for questions and answers.

Look for future blogs where I will discuss the remaining Foundational Cyber Hygiene controls:

  • Secure configurations for hardware and software
  • Continuous vulnerability assessment and remediation
  • Controlled use of administrative privileges

Back to Basics with the 2017 Verizon DBIR

Those who don’t know (cyber) history are destined to repeat it

For anyone who has followed the Verizon Data Breach Investigations Report (DBIR) through its many iterations, the findings for 2017 come as no surprise. Credentials theft, phishing and ransomware remain the top attack vectors, and the best defense is still to focus on the basics of cyber hygiene with the goal of achieving cyber operational excellence across the organization.

Now in its tenth year, the DBIR is an annual glimpse into the murky world of cybercrime and its impact on the enterprise. The data-driven report still carries significant influence within the information security industry, but has earned criticism for not having anything new to say in recent years. But you can’t shoot the messenger just because you don’t like the message. If the DBIR findings are starting to sound repetitive, it’s because most organizations are still making the same mistakes with cybersecurity that they have been making for over a decade, by failing to prioritize security at the board level and not investing the time and resources to do security right.

Guard your credentials

Weak, stolen or compromised credentials remain the leading cause of breaches. With more than one billion credentials stolen in 2016 (page 7), relying on passwords alone without augmenting them with two-factor authentication is throwing caution to the wind. Since users like to reuse credentials from one site to another, you not only have to worry about protecting your own credentials from being stolen, but you also have to worry every time someone else’s database of passwords gets leaked online. This is why two-factor authentication is so important.

Teach and be vigilant

Links were made to be clicked on – that is their sole purpose. Users must click on links to do their jobs, but clicking on links in phishing emails is also one of the top ways attackers can gain entry into your networks. According to the DBIR, security-awareness training exercises, while somewhat effective, will never get you to zero links clicked, and no industry stands out as one where users click links significantly more frequently than in others (page 11).

Verizon 2017 DBIR: Phishing occurrences by industry
Source: Verizon 2017 Data Breach Investigations Report, page 11

Regardless of the amount of security-awareness training you provide, your users are human and they will make mistakes, sometimes clicking on the wrong things. The key then becomes detection, containment and rapid remediation so that an incident doesn’t turn into a breach.

Don’t pay, remember to backup

When looking at ransomware figures in this year’s report, keep in mind that ransomware attacks seldom result in data disclosure. That means that ransomware numbers do not fall under Verizon's definition of a breach, so the report’s charts and graphs may not include ransomware attacks. But there is an interesting ransomware statistic on page 23: ransomware accounts for 72% of malware incidents in the healthcare industry as reported by DHHS. That seems like an absurdly high number. While it could be that healthcare has been disproportionately targeted due to their predilection to pay the ransom, it could be that the U.S. Department of Health and Human Services has stricter reporting requirements. Either way, the message is clear that ransomware should be considered a significant threat. The really sad thing about these numbers is that ransomware is easily defeated by proper backups. Make sure you not only do proper backups but you also test restores to assess the integrity of your data before a crisis occurs.

You can think of ransomware as the monetization of poor cyber hygiene, because when you come right down to it, ransomware is simply an exploitation of the most well-known vulnerabilities to gain entry into enterprise networks. This is especially true of the healthcare industry, where overall cyber readiness lags behind other industries such as financial services. Keeping all your assets patched and up to date – not just servers, but mobile devices, virtual machines, cloud apps – goes a long way towards preventing ransomware attacks. Patching works, as Verizon reported in Appendix B (read on).

Patching works

Verizon takes a deeper dive into the patching process in Appendix B (page 64) of the report. The good news is that:

Only a single-digit percentage of breaches in the DBIR involved exploiting a vulnerability.

Patching vulnerabilities and configuration weaknesses is still a highly effective deterrent to attacks. But there is still more patching to be done.

Verizon found that organizations tend to patch everything that they are going to patch rather quickly, and everything else tends to stay unpatched for a very long time:

Verizon 2017 DBIR: Patching Time
Source: Verizon 2017 Data Breach Investigations Report, page 64

Verizon also breaks its patching data out by device type (page 65) with User and Server devices receiving the most patches, followed by Network patches and Embedded devices:

Verizon 2017 DBIR: Patching progress by asset
Source: Verizon 2017 Data Breach Investigations Report, page 65

This is something that information security professionals have known for a long time: that routers, switches and other “closet” devices seldom see any patch love. It is nice to see data to back this up.

Back to basics

With data collected and collated from over sixty different organizations, the DBIR is a valuable tool to help CISOs determine how to allocate security resources to best defend their networks, such as how best to improve your threat response time, or how to make things more difficult for attackers.

A common theme throughout the report is that proper cyber hygiene, or simply following infosec best practices, will go a long way to protect your organization. Conduct a proper inventory of your hardware and software, patch systems in a prioritized manner, verify that your network equipment is properly configured and deployed, stay on top of inactive user credentials and enable two-factor authentication. Oh, and don’t forget your backups.

WannaCry? Three Actions You Can Take Right Now to Prevent Ransomware


By now everyone has heard about the ransomware called Wanna, WannaCry or WCry spreading across the globe and locking down the data of some of the world’s largest companies. The malware appears to exploit an SMB flaw that Microsoft provided a patch for in March 2017. You may have heard that the worm has been successfully stopped and you have nothing to worry about, but the vulnerability still exists on millions of systems and can be used again. Now is not the time for complacency; it is time for action. Tenable has several ways to help you know where your business is exposed so you can make informed decisions about what to do first to detect WannaCry and protect your business.

Take action now

If you are a Tenable SecurityCenter® customer, here are three things you can do now before the next variant of WCry appears and before it encrypts the files on your machines.

1. Hunt for infected machines: Check for DNS queries and Scan for Malware.

The first version of WCry that spread across the globe performs a DNS lookup when it initializes; luckily, the Passive Vulnerability Scanner® (PVS™) can record DNS queries on your network. You can apply the following filters in Event Analysis view to hunt for hosts that send queries to this domain:

Type: dns
Syslog Text: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea
Timeframe: Last 7 Days

Event Analysis filter

After you apply the filter, change the view tools to Source IP Summary. If you have any host that sends queries to this domain, it has most likely been compromised. You should disconnect that machine from the network and take appropriate action.

Note: There are reports of some organizations attempting to block this domain at their firewalls, assuming this is a CnC domain. Don’t do that! The domain has been sinkholed and is actually a kill switch for the malware. If the malware can successfully reach that domain, it terminates - so don’t block access.

If you already have credentialed scans or Nessus Agents in place, detection is even easier; just use the Malware Scan Policy; machines infected with WCry will be reported under plugin 59275.

Malware Scan Policy

2. Hunt for infected machines by lateral movement.

The WannaCry ransomware spread so quickly because once it infects one machine, it scans for any other machine with port 445 open, and then infects that target. With SecurityCenter, you can search for any hosts that are scanning for port 445, by applying this filter:

Destination Port = 445
Timeframe = Last 7 Days

Event Analysis filters

Using the Connection Summary tool you can identify hosts that are connecting to other hosts using port 445. For example, in the image below, one host has 1650 events using port 445 with another host. You may need to investigate a situation when the same host is talking to several other hosts. You can enhance these results by using Assets or subnets as additional filters.

Event Connection Summary
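The two hunts above, as an added Python example (not SecurityCenter or PVS code) run over constructed sample events: it lists sources that sent DNS queries containing the kill-switch label from step 1, and sources fanning out to several hosts on port 445 from step 2. The event format and the IP addresses are made up for the example.

```python
from collections import Counter, defaultdict

# Kill-switch label from the post: an infected host resolves it when it starts.
KILLSWITCH_LABEL = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"

# Constructed sample events, not real PVS or SecurityCenter output. One event
# per line: type, source IP, destination IP, then a single key=value detail.
SAMPLE_EVENTS = """\
dns 10.0.0.5 10.0.0.1 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
dns 10.0.0.7 10.0.0.1 query=www.example.com
dns 10.0.0.5 10.0.0.1 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
conn 10.0.0.5 10.0.0.21 dport=445
conn 10.0.0.5 10.0.0.22 dport=445
conn 10.0.0.5 10.0.0.23 dport=445
conn 10.0.0.5 10.0.0.24 dport=445
conn 10.0.0.9 10.0.0.30 dport=445
conn 10.0.0.9 10.0.0.30 dport=445
conn 10.0.0.7 10.0.0.40 dport=443
"""


def parse_events(text: str) -> list:
    """Turn the sample text into dicts with type, src, dst and the detail key."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        etype, src, dst, detail = line.split(maxsplit=3)
        key, _, value = detail.partition("=")
        events.append({"type": etype, "src": src, "dst": dst, key: value})
    return events


def killswitch_queries(events: list) -> Counter:
    """Step 1, Source IP Summary: DNS events whose query text contains the
    kill-switch label, counted per source. Any host listed is most likely
    infected (remember the domain itself must stay reachable)."""
    return Counter(e["src"] for e in events
                   if e["type"] == "dns" and KILLSWITCH_LABEL in e.get("query", ""))


def connection_summary(events: list, dport: str = "445") -> Counter:
    """Step 2, Connection Summary: event count per (source, destination) pair
    on the given destination port."""
    return Counter((e["src"], e["dst"]) for e in events
                   if e["type"] == "conn" and e.get("dport") == dport)


def smb_fanout(events: list, min_targets: int = 3, dport: str = "445") -> dict:
    """Sources that reached at least min_targets distinct hosts on the port:
    the 'same host talking to several other hosts' pattern worth investigating."""
    targets = defaultdict(set)
    for src, dst in connection_summary(events, dport):
        targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print("kill-switch lookups by source:", dict(killswitch_queries(ev)))
    print("port 445 fan-out:", smb_fanout(ev))
```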

3. Once your systems are clean, patch and scan.

If your environment is now clean, the best way to prevent a WCry infection is to apply patches and disable SMBv1. Tenable has several plugins that can detect if a machine is vulnerable to MS17-010:

Plugin ID, plugin name and description:

  • 96982, Server Message Block (SMB) Protocol Version 1 Enabled (uncredentialed check): The system has been found to be vulnerable to SMBv1 attacks using uncredentialed checks. The Shadow Brokers group reportedly has an exploit that affects SMB, and the current WannaCry ransomware is using this exploit.
  • 97086, Server Message Block (SMB) Protocol Version 1 Enabled: This plugin is similar to 96982, but the vulnerability is detected using credentials. The system has been confirmed vulnerable to SMBv1 attacks used by WannaCry and vulnerabilities described by Shadow Brokers. Credentialed checks are more accurate and provide more details.
  • 97737, MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY): Credentialed plugin to detect MS17-010 (detects that the patch is missing).
  • 97833, MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (uncredentialed check): Remote plugin to detect the MS17-010 vulnerability.
  • 700099, Ransomware Traffic Detected (WannaCry): This plugin uses passive techniques to determine if the remote system may be affected by ransomware that encrypts most or all of the files on a user’s computer. This attack is related to the WannaCry ransomware.

We have developed a SecurityCenter dashboard tailored to identify hosts that may be susceptible to the WannaCry ransomware exploitation. The WannaCry Vulnerability Detection dashboard is available through the SecurityCenter Feed to provide insight into the vulnerability of your network and the progress made toward upgrading outdated hosts.

The dashboard takes all the methods of detection described in this blog and places them into an easy to use and understand location. The matrix in the upper left hand corner uses CVEs and DNS events to identify possible at-risk hosts, vs. confirmed vulnerable hosts. The dashboard also uses many of the same components used in the Shadow Brokers Vulnerability Detection dashboard, and provides an overview of patching across all operating systems, to help you understand the current progress in patch deployments.

WannaCry Dashboard

We also suggest patching other vulnerabilities disclosed by the Shadow Brokers group with the SecurityCenter Shadow Brokers Vulnerability Detection dashboard.

Tenable.io solutions

Tenable.io™ customers can easily create a scan to find hosts that are susceptible to the WannaCry malware. Take a look at this video which walks you through a few simple steps to detect potentially vulnerable hosts. To scan internal hosts, download a Nessus scanner and link it to your Tenable.io account.

If you aren’t a Tenable.io customer, you can sign up for a free 60 day evaluation.

An ounce of prevention

Most ransomware attacks are caused by exploits of known vulnerabilities that remain unpatched on systems. This is especially true for systems running outdated and unsupported operating systems. By patching all your assets regularly and creating regular backups of your data, you can help prevent ransomware attacks.

For more information


Many thanks to Gavin Millard, Anthony Bettini, Cris Thomas, Cody Dumont and the entire Tenable research team for their contributions to this blog.

Credentialed Scan Failures Report

Tenable.io Vulnerability Management

I am often asked, “How can I be more productive and get better results from my vulnerability scans?” This question could be the result of a failed audit, network outage or breach that was previously undetected. Traditionally, vulnerability scanning may consume a large amount of resources. Vulnerability scanning is also often perceived as being disruptive and intrusive to the environment. The Tenable.io Credentialed Scan Failures report can assist you and your organization in making better, more informed decisions on how to improve your vulnerability management program.

Identify vulnerability or prove exploitability?

Credentialed Scan Failures Reports

Non-credentialed scanning

There are two philosophies of vulnerability scanning. The first philosophy believes that a system needs to be penetrated to prove that the system is, in fact, vulnerable. This non-credentialed type of intrusive scanning methodology is based on attacking a system in the same manner that a malicious actor would. There is merit to this type of scanning, as successful attacks prove that devices are vulnerable to exploits.

Tenable.io uses advanced technologies to try to avoid any unnecessary disruption to services, but there is the risk of having the non-credentialed scan leave fragile systems and some network devices in an unstable state. This instability may lead to a loss of data and revenue, and has the potential for significant legal or financial impact. All too often, when using non-credentialed scanning, more questions than answers are created.

Credentialed scanning

The second philosophy is credentialed scanning. Credentialed scanning is a less disruptive scanning technique that is performed with valid credentials. Operations from OS identification to port scanning are performed locally on the host. For example, devices can be queried locally to see if a patch has been applied.

By looking directly at the installed software, including version numbers, the scanner can easily identify vulnerabilities. Password policies can be read, USB devices can be enumerated and anti-virus software configurations can be checked, all with minimal to no impact on the device. This consumes far less system and network resources than the previous method. Credentialed scanning also presents less risk to the environment, and the results are far more accurate.

The Tenable.io solution

The benefits of credentialed scanning are significant. To ensure that you are reaping those benefits, you need to be certain that credentialed scanning is working. When I want to know how many credentialed scan failures have occurred, I look to the Credentialed Scan Failures report in Tenable.io.

The Credentialed Scan Failures report delivers an organized list of failed credentialed scans that you can use to quickly identify and remediate scanning issues on a network. The report covers a 25-day scanning history and provides a breakdown of various Windows scan issues and SSH failures, as well as general credential failures. You can use this report to present information on the success (or failures) of your credentialed vulnerability scanning program.

Key elements in this report, such as the Scan Failure Metrics element, provide an overview into many issues that may be attributed to credentialed scan failures. This summary is useful for executives who want a complete overview of the status of credentialed scanning within the organization. For those who want a deeper dive, failures identified on this element are expanded in detail in other chapters of the report.

Scan Failure Metrics element

For example, you see in the above image that there is one SMB invalid credential failure, five SSH failures and thirty hosts scanned without credentials. Referencing the report sections specific for those failures, you can identify why those failures occurred and remediate the issues. You can also identify each and every host by IP and DNS that was scanned without credentials.

Failure details

Benefits of credentialed scanning

Vulnerability scanning on a regular basis, audits and penetration tests should all be part of your ongoing risk management program. Scanning without credentials is valid for some attack vectors and identifying what is visible. But credentialed scanning looks under the hood and beyond the surface to provide a very accurate snapshot of your environment. Credentialed scans are quick, easy and safe, resulting in a better picture of your overall vulnerability state and enabling you to identify and analyze potential security issues before the hackers do.

Try Tenable.io

Tenable.io provides accurate information on how well your organization is addressing security risks and helps track improvements over time. Get a free trial of Tenable.io Vulnerability Management for 60 days.

WannaCry? Patch or Protect


WannaCry and the vulnerability it targeted has dominated the global news all week, including technical details, prevention advice, attribution speculation and even personal details of the researcher who discovered the kill switch that stopped the aggressive ransomware. With the panic around WannaCry slowing and a clearer picture of what happened emerging, now is a good time to take stock of its global impact and see what can be done to prevent future attacks.

Ransomware attack methodologies

Ransomware is the monetization of an organization’s failure to do the fundamentals of cybersecurity well. As most ransomware targets a handful of well-known vulnerabilities, keeping systems patched and up to date goes a long way towards preventing a ransomware attack. Since the re-emergence of ransomware over the last few years, the predictable attack method is typically one of two possibilities:

  1. An email enticing users to either download a file or, more effectively, visit a website that hosts an exploit kit to take advantage of an existing browser-based vulnerability on the target’s computer.
  2. The cyber criminals hijacking an advertising network that serves high profile websites, again taking advantage of browser-based vulnerabilities.

Experts have theorised that a ransomware attack inspired by old internet worms like Conficker, CodeRed and Slammer could automatically hunt down the next target without any user interaction, resulting in a massive global attack. But until last Friday, this type of attack was not broadly observed. Then WannaCry burst onto the scene, ripping through networks and causing significant disruption to organisations worldwide. WannaCry exploits a flaw in the ubiquitous SMB protocol used to access shared files and printers, and once a system is infected, it leverages the infected host to find the next victim.

The vulnerability that WannaCry targeted is, like most other ransomware, quite well-known, and a fix has been available for two months. Still, the WannaCry malware targeted those systems that didn’t have the patch applied.

Patching

Patching is difficult. IT and security teams can't control everything, and the things that they can control can't always update quickly. It has become increasingly easy to deploy changes into environments, but there are systems that can’t just be updated with a click of a mouse button or a simple script. Fragile artifacts exist in many environments; taking down a manufacturer’s production system — or even reducing efficiency due to scanning or maintenance-induced latency — is rarely greeted with smiles.

Protection

Inability to patch in a timely manner shouldn’t be an excuse for poor cyber hygiene. WannaCry could have been stopped in two different ways:

  1. Deploying the MS17-010 update, or
  2. Firewalling off SMB to vulnerable systems

If patching critical issues like MS17-010 could cause disruption to the business, then compensating controls must be put in place and proper, risk-based decisions must be made. Put simply, if you can’t patch it, protect it.

If the system that controls an MRI machine is exposed due to an attack vector like MS17-010, then perhaps the main hospital network can operate without SMB access. If Windows XP is required by a factory automation manufacturer, the vulnerable systems must be treated like the security threats that they are — ring-fenced and monitored for unusual activity.

To do this effectively though, organisations have to understand their environments and exposures, which in itself is a significant hurdle many struggle to conquer. Continuous visibility into the vulnerability status of every asset in the modern computing environment is critical in understanding the business impact of ransomware attacks like WannaCry and to fundamentally improving how your organization thinks about cybersecurity.

Tenable solutions

For information on how Tenable can help address WannaCry, we’ve posted a detailed blog on using our products to identify issues before they become problems.

To understand more about ransomware attacks and protection, read Back to Basics with the 2017 Verizon DBIR.

Improving India's Digital Economy with the RBI Security Framework


In 2016, due to the increasing use of information technology by banks and their customers, and the increase in cyber attacks against the financial sector, the Reserve Bank of India (RBI) provided cybersecurity guidelines to the country’s banks. Cyber Security Framework in Banks includes an Annex detailing minimum baseline requirements for network security and resilience. These requirements cover such areas as inventory management, secure configuration, patch management, access control, and advanced real-time threat defense. Tenable offers several SecurityCenter® dashboards to help monitor conformance with the RBI guidelines.

Implications of the RBI Framework

Guidelines have been published by the RBI in the past, but they have not been widely embraced by the various financial service institutions (FSIs). The ramifications of these new guidelines are significant; the Framework elevates security to a Board/C-level problem rather than just something that’s pushed to the technology organization. This means that the priority of security operations will be elevated, that the most senior levels of management will be aware of and involved in risk management and security related decisions, and that this level of management will be monitoring the situation regularly.

The guidelines also mandate the need for continuous real-time monitoring of the security situation, so breaches will be detected and mitigated early rather than later in the attack lifecycle. This is especially important as India moves to a digital economy. Additional emphasis focuses on customer protection, cyber resilience and sharing of information between banks through reporting.

SecurityCenter dashboards

Tenable SecurityCenter Continuous View® (SecurityCenter CV™) offers several specialized dashboards that can help you comply with the requirements specified in the RBI Framework.

SecurityCenter RBI Dashboards

Without proper inventory management, unauthorized software and rogue devices could infiltrate your network, bringing new vulnerabilities and increasing the risk of dangerous network attacks and compromises of sensitive data. The RBI Framework covers good inventory management in baseline controls 1 (Inventory Management) and 2 (Prevent Execution of Unauthorised Software), as well as in other baseline controls that mention identifying mobile devices and controlling software installation. The RBI: Inventory Management dashboard provides an overview of system counts, mobile devices, new MAC addresses, installed software, cloud service use and changes detected throughout your network. This information will enable you to gain control over your inventory and better secure your network.

Network vulnerabilities can lead to critical failures of devices, dangerous network attacks, and compromise of sensitive data

Network vulnerabilities can lead to critical failures of devices, dangerous network attacks, and compromise of sensitive data. The RBI Framework covers vulnerability and patch management in paragraph 6 ("Testing for vulnerabilities at reasonable intervals…") and baseline controls 7 (Patch/Vulnerability and Change Management) and 18 (Vulnerability Assessment). The RBI: Vulnerability Management dashboard provides clear information about detected vulnerabilities and helps you to identify where vulnerability remediation efforts can best pay off. Having accurate information to confidently address vulnerabilities and track remediation progress will enable you to reduce risk to a manageable level in a timely manner.

Without continuously monitoring network activity, unusual activity that could be dangerous or malicious in nature might never be seen

Of course, optimal network security requires more than just preventive measures. Without monitoring configuration compliance, misconfigured devices could facilitate actions that put critical systems and sensitive data at risk. Without continuously monitoring network activity, unusual activity that could be dangerous or malicious in nature might never be seen. The RBI Framework covers continuous network monitoring in paragraph 12 ("Banks need to take effective measures … to promptly detect any cyber-intrusions…") and several baseline controls, including 5 (Secure Configuration) and 13 (Advanced Real-time Threat Defence and Management). The RBI: Compliance and Monitoring dashboard helps you lock down and monitor configurations, and detect potentially malicious activity. Continuous monitoring catches cyber attacks early, before serious damage to systems and data can be done.

Other dashboards are available in the Tenable SecurityCenter feed that can assist you in securing your network and thwarting cyber attacks. Some dashboards focus on specific threats or products; find these in the feed by searching for keywords such as “Cisco”, “database”, or “Shellshock”. These dashboards focus attention on specific systems and may be called for in response to specific threats. Other dashboards, like the RBI dashboards discussed above, cover general cyber security concepts and support drilling down into the data to obtain more detailed information. For example:

The RBI Framework is a powerful tool to help banks conform with cybersecurity best practices. Tenable SecurityCenter dashboards help monitor and measure progress against the RBI controls.


Many thanks to David Schwalenberg for his contributions to this article.

Patch or Risk Being Breached: Tenable.io and the Verizon 2017 DBIR


According to the 2017 Verizon Data Breach Investigations Report (DBIR), time to patch plays a critical role in the risk exposure to your network. The DBIR states (page 13) “research has shown that vulnerabilities are either patched during that initial cycle or tend to hang around for a long time,” meaning that if you don’t patch early and often, then patches don’t get applied and you are at risk of a breach or ransomware attack. Have you implemented the right mitigating controls or has your organization ignored the possible impact of not patching a system? Tenable.io™ can help you understand your current risk exposure by monitoring the time taken to patch vulnerabilities.

If you don’t patch early and often, you are at risk of a breach or ransomware attack

Attackers continue to be successful due to unpatched applications

When discussing risk mitigation strategies I often hear, “The patching process is just one part of our overall security strategy.” In some cases, organizations allow patching to take a backseat to focus on other efforts. The DBIR offers potential justifications (page 13) for organizations failing to patch, “that other controls are in place, or the vulnerabilities may not be exploitable.” Security operation teams may tend to focus more on managing devices that restrict access, including firewalls, intrusion prevention and detection systems. While keeping an unwanted visitor out of your environment is important, patching is critical. Breaches occur when an attacker is given the opportunity to exploit existing vulnerabilities and gain a greater foothold within your organization.

Practicing good patch management is critical in maintaining a secure environment

Today’s environments are no longer defined by clear boundaries, and access to information is harder to control using traditional methods. Patching applications such as web browsers remains a critical effort. The DBIR (page 41) advises to “Prioritize patching vulnerabilities associated with browser exploitation. This includes the browser software, but also plug-ins.” Likewise, remote devices and/or mobile employees potentially increase risk to your network, as they can leave the protective confines of the network and should be patched appropriately.

Poor security results in organizational cost increases

Since 2008, the Verizon DBIR has provided organizations with insight into managing their risk and avoiding cybersecurity pitfalls. Over the years, we have seen a disturbing trend, where exploits enabled by vulnerabilities that have had patches for at least six months prior to the attacks have skyrocketed. This pattern can easily be broken by timely patch management programs.

For example, according to the DBIR (page 68), “In September, Yahoo announced a data breach from 2014 that compromised the accounts of 500 million.” The Yahoo data breach was made possible by exploiting an unpatched vulnerability in an Account Management Tool. The exploit eventually led to executive resignations and a loss of $350 million of revenue in a buyout offer. These types of attacks can also result in a tarnished reputation. All these consequences are the result of patch management not being practiced on a regular and timely basis.

Tenable.io solutions

Your organization’s patching process should focus on coverage and consistency. Patching efforts should also be aligned with other important parts of your cybersecurity program, such as firewalls, IDS and other defenses. Tenable.io offers several options to support your patch management program.

At the center of Tenable.io is the Vulnerability Workbench. You can view the cumulative vulnerability data here. You can also use the Advanced Search filters to quickly and easily display details of currently missing patches and other vulnerabilities.

Tenable.io Vulnerability Workbench

From the vulnerability workbench, select Advanced on the top navigation bar to access the Advanced Search window.

Vulnerability Workbench Advanced Search

Set the filter to Patch Publication Date and select a time, such as earlier than today’s date.

Vulnerability Workbench Patch Filters

Applying this filter will change the workbench data results (see the next image). You can use this display as a discussion point with administrators and executives. You can also quickly identify the number and severities of the missing patches and available exploits. The trend graph indicates if missing patch counts are increasing or decreasing, and reports how many patches are over 30 days old.

Vulnerability Workbench data results

You are not limited to viewing vulnerability data by Plugin on the Workbench. When asked what types of assets are missing patches, click on the By Assets tab.

Vulnerability Workbench By Assets tab

This Workbench tab displays ring charts that indicate which operating systems and device types are missing patches.

Vulnerability Workbench with missing patches

The Outstanding Patch Tracking dashboard and corresponding report provide easy to understand metrics that can be communicated to anyone in your organization.

Outstanding Patch Tracking dashboard

Tenable.io uses these visual tools to provide insight into the risk exposure of your organization. The vulnerability data enables you to calculate projected costs per vulnerability associated with missing patches, and assists in managing risk. Use this information to effectively discuss the risk potential of delayed patch deployment and its impact on the business with executives.
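The steps above filter the Workbench down to findings whose patch was published before today and then read off counts by severity, exploit availability and patch age. As an added illustration (not Tenable code and not a call to any Tenable.io API), the script below computes the same metrics from a constructed list of findings; the field names, host names and the placeholder plugin identifiers are assumptions, while 97737 and 100388 are the plugin IDs named elsewhere on this page.

```python
"""Outstanding-patch metrics of the kind the Vulnerability Workbench shows
after the 'Patch Publication Date earlier than today' filter is applied.

Added example, not Tenable code. Findings and field names are constructed.
"""
from collections import Counter
from datetime import date

# Constructed reference date used as "today" by the examples below.
TODAY = date(2017, 6, 15)

# Constructed findings. 'patch_pub' is the date the vendor published a fix;
# None means no patch exists yet, so the Workbench filter excludes it.
# Plugin IDs marked PLACEHOLDER-* are not real Nessus plugin IDs.
FINDINGS = [
    {"host": "srv-01", "plugin": "97737", "severity": "Critical",
     "patch_pub": date(2017, 3, 14), "exploit": True},
    {"host": "srv-02", "plugin": "97737", "severity": "Critical",
     "patch_pub": date(2017, 3, 14), "exploit": True},
    {"host": "ws-10", "plugin": "100388", "severity": "High",
     "patch_pub": date(2017, 5, 24), "exploit": True},
    {"host": "ws-11", "plugin": "PLACEHOLDER-1", "severity": "Medium",
     "patch_pub": date(2017, 6, 1), "exploit": False},
    {"host": "ws-11", "plugin": "PLACEHOLDER-2", "severity": "Low",
     "patch_pub": None, "exploit": False},
]

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def missing_patches(findings, today):
    """Apply the filter: keep findings whose patch was published before today."""
    return [f for f in findings
            if f["patch_pub"] is not None and f["patch_pub"] < today]


def patch_metrics(findings, today, stale_days=30):
    """Counts by severity, exploitable findings, and findings whose patch
    has been available for more than `stale_days` (the Workbench's 30-day trend)."""
    missing = missing_patches(findings, today)
    ages = [(today - f["patch_pub"]).days for f in missing]
    return {
        "missing": len(missing),
        "by_severity": dict(Counter(f["severity"] for f in missing)),
        "exploitable": sum(1 for f in missing if f["exploit"]),
        "older_than_stale_days": sum(1 for a in ages if a > stale_days),
        "oldest_days": max(ages, default=0),
    }


def remediation_order(findings, today):
    """Order findings for the remediation discussion: exploitable first,
    then by severity, then by how long the patch has been outstanding."""
    missing = missing_patches(findings, today)
    return sorted(
        missing,
        key=lambda f: (f["exploit"], SEVERITY_RANK.get(f["severity"], 0),
                       (today - f["patch_pub"]).days),
        reverse=True,
    )


if __name__ == "__main__":
    print(patch_metrics(FINDINGS, TODAY))
    for f in remediation_order(FINDINGS, TODAY):
        print(f["host"], f["plugin"], f["severity"],
              (TODAY - f["patch_pub"]).days, "days outstanding")
```

The `older_than_stale_days` figure is the one that usually drives the executive conversation: it separates patches that are simply in the current cycle from those the DBIR warns "tend to hang around for a long time".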

Use this information to discuss the risk potential of delayed patch deployment and its impact on the business

For more information

Whether you are communicating up the chain, to peers or to your team, Tenable.io provides key analytics to help you address your risk mitigation tasks and to track progress.

Interested in learning more about Tenable.io?

WannaCry 2.0: Detect and Patch EternalRocks Vulnerabilities Now


A new network worm dubbed EternalRocks is making the news this week as the successor to the WannaCry ransomware. EternalRocks leverages some of the same vulnerabilities and exploit tools as WannaCry but is potentially more dangerous because it exploits seven NSA tools that were released as part of the ShadowBrokers dump for infection instead of two used by WannaCry. So EternalRocks has the potential to spread faster and infect more systems. EternalRocks is currently dormant and isn’t doing anything nefarious such as encrypting hard drives. But EternalRocks could be easily weaponized in an instant, making the need for preventive action urgent.

Why EternalRocks may be bigger than WannaCry

WannaCry used only two of the SMB exploit tools: ETERNALBLUE and DOUBLEPULSAR. EternalRocks leverages seven NSA SMB exploit tools to locate vulnerable systems:

  • ETERNALBLUE
  • DOUBLEPULSAR
  • ETERNALCHAMPION
  • ETERNALROMANCE
  • ETERNALSYNERGY
  • SMBTOUCH
  • ARCHITOUCH

EternalRocks does not have a kill-switch, the feature that helped curtail WannaCry and mitigate the ransomware damage.

The clock is ticking with EternalRocks; take advantage of the Tenable detection tools now before any damage is inflicted on your systems.

Tenable solutions

Nessus plugins for SMBv1 and MS17-010

All of the vulnerabilities exploited by the EternalRocks worm were patched by Microsoft earlier this year as part of MS17-010. Tenable released several Nessus plugins to look for unpatched systems or systems that could be vulnerable by having SMBv1 running.

Plugin ID | Nessus Plugin | Description
96982 | Server Message Block (SMB) Protocol Version 1 Enabled (uncredentialed check) | The system has been found to be vulnerable to SMBv1 attacks using uncredentialed checks. The Shadow Brokers group reportedly has an exploit that affects SMB, and the current WannaCry ransomware is using this exploit.
97086 | Server Message Block (SMB) Protocol Version 1 Enabled | This plugin is similar to 96982, but the vulnerability is detected using credentials. The system has been confirmed vulnerable to SMBv1 attacks used by WannaCry and vulnerabilities described by Shadow Brokers. Credentialed checks are more accurate and provide more details.
97737 | MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) | Credentialed plugin to detect MS17-010 (detects that the patch is missing)
97833 | MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (uncredentialed check) | Remote plugin to detect the MS17-010 vulnerability
99439 | SMB Server DOUBLEPULSAR Backdoor / Implant Detection | This uncredentialed plugin detects if the DOUBLEPULSAR implant exists on the remote Windows host

Malware detection plugin

Tenable can also detect if the remote host is infected by the EternalRocks worm through its malware detection plugin.

Here’s an example of an EternalRocks hash detected with the Malicious Process Detection plugin ID 59275:

EternalRocks hash detected with plugin #59275

Yara Detection

Tenable customers can also use YARA rules to identify infected systems through the Malicious File Detection Using Yara Nessus plugin.

Here’s a sample rule which can be used with Nessus to detect the EternalRocks worm:

Sample YARA rule for EternalRocks

SecurityCenter dashboard

The WannaCry Vulnerability Detection dashboard has been updated to include information about EternalRocks. The filters did not require updating, so if you have the WannaCry Vulnerability Detection dashboard, you are all set. If you have not installed the previous dashboard, you can now download the Detecting WannaCry and EternalRocks dashboard.

Detecting WannaCry and EternalRocks dashboard

Patch, don’t panic

We are fortunate to have some time to detect and patch EternalRocks vulnerabilities before they are exploited. There’s no need for a panic attack, but take time today to protect your systems.

If you don’t patch soon, there might be reason to panic later. EternalRocks leaves the DOUBLEPULSAR implant unprotected, which means other threat actors could leverage EternalRocks-infected machines for their own intents and purposes.

Make it a habit to patch regularly and often. The single best thing you can do to protect your networks against malware attacks, worms and ransomware is to patch the known vulnerabilities; this is low-hanging fruit with a big return.

For more information

Many thanks to Tyler Coumbes, Cody Dumont and the Tenable research team for their contributions to this blog.


NIST SP 800-171: The Compliance Window is Closing Fast


Does your company do business with the Department of Defense? Do you want that business to continue after 2017? If you answered yes to both of these questions, you need to know about Defense Federal Acquisition Regulation Supplement (DFARS) clause 225.204-7012 and its potential impact on your business. As of December 2015, DFARS 225.204-7012 requires contractors to implement NIST Special Publication (SP) 800-171 standards “as soon as practical, but not later than December 31, 2017.” The title of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, should give you a sense of what is behind this directive. In practical terms, the Department of Defense (DoD) is telling its contractor community that if you want to be allowed to receive information determined by DoD to be of a sensitive nature, you must provide assurance to DoD that your own IT systems will provide an acceptable level of security for that information. Failing to do so after 2017 will preclude you from contracting with DoD.

DFARS 225.204-7012 requires contractors to implement NIST SP 800-171 standards, not later than December 31, 2017

DFARS 225.204-7012 is now included in all solicitations issued and contracts awarded by the DoD (except solicitations/contracts strictly for commercial off-the-shelf items). Subcontracting does not exempt you – the clause is flowed down in cases where covered defense information is to be passed to the subcontractor. As its title implies, the clause relates to Safeguarding Covered Defense Information. The clause also lays out cyber incident reporting requirements which, although highly relevant, are beyond the scope of this blog. You can read the full clause here.

So what, you may ask, is “covered defense information”? In short, it is the DoD version of “Controlled Unclassified Information” which is the focus of NIST SP 800-171. Here is how DFARS 225.204-7012 defines it:

“Covered defense information” means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is—

(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

While achieving compliance may at first seem like a daunting task, keep in mind that the NIST standards are generally best practice standards that, in some instances, your company may already have implemented. Rest assured, however, that achieving compliance will take an organized and disciplined effort (there is a reason that DoD is not requiring immediate compliance). So if you have not started to implement a program to achieve compliance, time is of the essence.

The good news is that there are numerous resources available to help you achieve compliance. You might consider bringing in a third-party security auditor, well versed in the NIST 800-171 standards, to assess your situation and recommend an action plan. You might also want to assess your current contract portfolio – what security and reporting standards apply to your company right now. Establishing an accurate baseline is an essential first step to achieving compliance.

Monitoring and documenting continuing compliance

NIST SP 800-171 compliance is a dynamic process. Your IT systems, as well as government security standards, are always changing. Achieving compliance is only the start; maintaining compliance is an ongoing process. Automating your company’s monitoring program is the ideal way to ensure ongoing success in maintaining and documenting compliance on a continuous basis.

Achieving compliance is only the start; maintaining compliance is an ongoing process

SecurityCenter Continuous View® (SecurityCenter CV™) from Tenable automates the monitoring and assessment of NIST SP 800-171 technical security controls, helping you to measure, visualize and graphically communicate adherence to the standards. SecurityCenter CV offers several reports, dashboards, and Assurance Reports Cards® (ARCs) that are both ready-to-use for NIST SP 800-171 compliance and customizable to your business needs.

The Audit and Monitoring Dashboard is the best example of a SecurityCenter CV tool that aligns with NIST SP 800-171. The dashboard monitors the Audit and Accountability (section 3.3) and System and Information Integrity (section 3.14) sections, known as “families” in SP 800-171. These two families require the monitoring, analysis and reporting of unlawful, unauthorized or inappropriate system activity to detect potential attacks. For example, inbound and outbound communications traffic could be indicators of suspicious activity. Such behavior could trigger your immediate investigation and responsive actions to thwart an attack. Security Center CV, with its passive monitoring capability, delivers the continuous visibility required to detect the suspicious activity. Once detected, the enabling dashboard also helps you correlate your audit reviews, assessment and reporting processes, facilitating compliance with 800-171.

NIST SP 800-171 Audit and Monitoring Dashboard

You can read more about SecurityCenter CV SP 800-171 dashboards and ARCs on the Tenable website.

The DFARS deadline is closer than you think

If you work with DoD, now is the time to implement NIST SP 800-171 and to automate the controls with SecurityCenter CV

After a two-year compliance period, the DFARS deadline is fast approaching. If you work with DoD, now is the time to implement NIST SP 800-171 and to automate the controls with SecurityCenter CV. Don’t let non-compliance compromise your ability to win new contracts.

Detecting SambaCry CVE-2017-7494


We’ve seen several critical vulnerabilities lately. First there was WannaCry, and then WannaCry 2.0 (EternalRocks), and now do we have WannaCry 3.0? Well, not really. But a new seven-year-old remote code execution vulnerability (CVE-2017-7494) that is affecting Samba versions 3.5.0 and higher is making news this week. The vulnerability is billed as the WannaCry equivalent for Linux, and some are even calling it SambaCry since it affects the SMB protocol implementation in Linux and is potentially wormable. To be clear, this new vulnerability is unrelated to the SMB exploits that were released by the Shadow Brokers group and used by WannaCry ransomware to infect a large number of systems. SambaCry is similar only because the vulnerability affects the SMB protocol in Linux. The Tenable research team is always on top of these news-worthy vulnerabilities, and this latest Samba weakness is no different. You’ll find multiple detection tools in your Tenable feed, ready to use in your scan program.

What’s the attack surface?

Samba is an open source re-implementation of the SMB/CIFS networking protocol, which provides file and print services for various Microsoft Windows clients. It runs on most Unix, OpenVMS and Unix-like systems, such as Linux, Solaris, and AIX and is standard in most Linux distributions. As a result, it's available on a large variety of Unix-like systems.

A quick Shodan search shows over 475,000 Samba-enabled hosts are accessible over the internet. However, it isn’t clear how many of them are running vulnerable versions of Samba.

Shodan search

The vulnerability itself can be exploited with a single line of code. A malicious client can upload and cause the smbd server to execute a shared library from a writable share. Exploit modules are already available from Metasploit to exploit this issue.

What steps can you take?

The first step is to patch vulnerable versions of Samba right away. Tenable has several tools to help you detect affected Samba versions.

Nessus

Tenable has released multiple credentialed Nessus® plugins to check for vulnerable Samba versions, and will continue to release more plugins as patches become available for other Linux distributions.

Plugin ID | Nessus Plugin
100388 | Samba 4.4.x < 4.4.14 / 4.5.x < 4.5.10 / 4.6.x < 4.6.4 Shared Library RCE
100389 | Slackware 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : samba (SSA:2017-144-01)
100390 | Debian DLA-951-1 : samba security update
100391 | Debian DSA-3860-1 : samba - security update
100393 | FreeBSD : samba -- remote code execution vulnerability (6f4d96c0-4062-11e7-b291-b499baebfeaf)
100394 | openSUSE Security Update : samba (openSUSE-2017-613)
100396 | Oracle Linux 6 / 7 : samba (ELSA-2017-1270)
100397 | Oracle Linux 6 : samba4 (ELSA-2017-1271)
100400 | RHEL 6 / 7 : samba (RHSA-2017:1270)
100401 | RHEL 6 : samba4 (RHSA-2017:1271)
100402 | Scientific Linux Security Update : samba4 on SL6.x i386/x86_64
100403 | Scientific Linux Security Update : samba on SL6.x, SL7.x i386/x86_64
100404 | SUSE SLES11 Security Update : samba (SUSE-SU-2017:1391-1)
100405 | SUSE SLED12 / SLES12 Security Update : samba (SUSE-SU-2017:1392-1)
100406 | SUSE SLED12 / SLES12 Security Update : samba (SUSE-SU-2017:1393-1)
100407 | SUSE SLES12 Security Update : samba (SUSE-SU-2017:1396-1)
100411 | Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : samba vulnerability (USN-3296-1)
100412 | Ubuntu 12.04 LTS : samba vulnerability (USN-3296-2)

For example, here are results similar to what you might see after running plugin #100388 to detect vulnerable Samba versions:

Nessus SambaCry plugin

Tenable has also released a remote banner check to identify vulnerable Samba versions. The check only runs in paranoid mode because vendors have historically backported Samba patches without changing the version string, so a version-based check can produce false positives. Make sure that the following setting is checked when you create a new scan:

Settings > Assessment > General > Show Potential False Alarms

Next, check results for Nessus plugin 42411 to determine if there are any SMB shares which provide access to unprivileged users. If you find any instances, fix the permissions on those shares.

PVS

The Passive Vulnerability Scanner® (PVS™) is also capable of detecting vulnerable versions of SMB affected by SambaCry with plugin #700127.

PVS SambaCry plugin

SecurityCenter 

The SecurityCenter® SambaCry Vulnerability Detection dashboard is developed and tailored to identify Linux hosts that may be susceptible to the SambaCry vulnerability. The dashboard uses the methods of detection described in this blog and places them into an easy-to-use and easy-to-understand location. The matrix in the upper left hand corner uses CVEs and plugin name strings to identify possible at-risk hosts vs. confirmed vulnerable hosts. The dashboard also uses many of the components found in the Detecting WannaCry and EternalRocks dashboard, and provides an overview of patching across all operating systems, to help you understand the current progress in patch deployments.

SecurityCenter SambaCry dashboard

What if you can’t patch?

And finally, if it's not possible to apply the patches, update smb.conf as a workaround. Add the parameter:

nt pipe support = no

to the [global] section of your smb.conf and restart smbd. This prevents clients from accessing any named pipe endpoints.

Note: This can disable some expected functionality for Windows clients.
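The exposure described in this post comes down to three things a defender can check on a host: whether the Samba version falls below the fixed releases named in the plugin 100388 title (4.4.14, 4.5.10, 4.6.4), whether any share allows writes (the condition the attack needs, and what the plugin 42411 share check is looking for), and whether the `nt pipe support = no` workaround is present in `[global]`. The script below is an added example, not Tenable or Samba project code; it parses a constructed smb.conf, applies those three checks and combines them into one verdict. The sample configuration, share names and the `assess` function are assumptions, and because distributions backport fixes the version check can only say "potentially vulnerable", the same caveat that keeps the Nessus banner check in paranoid mode.

```python
"""Check an smb.conf and Samba version for CVE-2017-7494 (SambaCry) exposure.

Added example, not Tenable or Samba code. Parses smb.conf, lists shares a
client could write to, checks for the 'nt pipe support = no' workaround in
[global], and compares a version string with the fixed releases from the
plugin 100388 title (4.4.14, 4.5.10, 4.6.4). Distro packages often backport
fixes, so the version check only means 'potentially vulnerable'.
"""
import re

# Constructed sample smb.conf; not taken from any real host.
SAMPLE_SMB_CONF = """
[global]
   security = user
   map to guest = Bad User

[homes]
   read only = no

[public]
   path = /srv/public
   guest ok = yes
   writable = yes

[docs]
   path = /srv/docs
   read only = yes
"""

# First fixed release per supported branch (from the plugin 100388 title).
FIXED = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}. Names and values are
    lower-cased because Samba treats parameter names case-insensitively."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip().lower()
    return sections


def _yes(value):
    return value in ("yes", "true", "1")


def writable_shares(conf):
    """Return (share, guest_ok) for shares that allow writes. Samba's default
    is 'read only = yes'; 'writable'/'writeable'/'write ok' are its inverse,
    and the last one written in a section wins."""
    found = []
    for name, opts in conf.items():
        if name == "global":
            continue
        writable = False
        for key, value in opts.items():
            if key == "read only":
                writable = not _yes(value)
            elif key in ("writable", "writeable", "write ok"):
                writable = _yes(value)
        if writable:
            found.append((name, _yes(opts.get("guest ok", "no"))))
    return found


def workaround_applied(conf):
    """True when [global] carries the documented 'nt pipe support = no'."""
    return conf.get("global", {}).get("nt pipe support") == "no"


def is_vulnerable_version(version):
    """Potentially vulnerable: 3.5.0 or later and below the branch's fix.
    Assumption: branches newer than 4.6 shipped after the fix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Samba version: %r" % version)
    ver = tuple(int(p) for p in m.groups())
    if ver < (3, 5, 0):
        return False
    if ver[:2] in FIXED:
        return ver < FIXED[ver[:2]]
    return ver < (4, 4, 0)  # older branches have no fixed release listed


def assess(conf_text, version):
    """Combine the three checks into one verdict (assumed helper)."""
    conf = parse_smb_conf(conf_text)
    shares = writable_shares(conf)
    vulnerable = is_vulnerable_version(version)
    mitigated = workaround_applied(conf)
    return {
        "vulnerable_version": vulnerable,
        "workaround_applied": mitigated,
        "writable_shares": [s for s, _ in shares],
        "guest_writable_shares": [s for s, guest in shares if guest],
        "at_risk": vulnerable and not mitigated and bool(shares),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SMB_CONF, "4.5.9"))
```

A host is reported `at_risk` only when all three conditions line up: an unfixed version, no workaround, and at least one writable share. Guest-writable shares are listed separately because they remove even the need for valid credentials, which is why the share permissions check after plugin 42411 matters as much as the version check.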

Follow Tenable

Tenable strives to enhance visibility into your network systems and potential vulnerabilities, helping you proactively manage risk on a regular basis. Subscribe to the Tenable Blog as we share more tips and tools to add to your cyber arsenal.

Thanks to the Tenable research team for their contributions to this blog.

Blocking and Tackling Unauthorized Access: Tenable.io and the 2017 Verizon DBIR


According to the 2017 Verizon Data Breach Investigations Report (DBIR), privilege misuse accounts for approximately 15% of breaches and 18% of incidents among the organizations surveyed (page 38). Monitoring your network for unauthorized insider access and privilege misuse is essential to keeping your valuable data secure and meeting many regulatory requirements. Verizon estimates that as much as 60% of this threat pattern is the result of average users “absconding with data in the hope of converting it to cash somewhere down the line” (page 48). How can you block privilege misuse and tackle malicious insiders in your organization? Tenable.io™ can help you detect misconfigured accounts and unauthorized usage through credentialed compliance audit scanning.

What data is being accessed or stolen?

The Verizon DBIR tells us that personal information and medical records are the most common targets for financially-motivated actors, making up about 71% of the data targeted. Unauthorized database access (57%) and employee email access (9%) contribute to approximately 66% of these types of breaches (page 48). According to Verizon:

The practice of limiting, logging and monitoring internal account usage extends beyond rogue employees. One of the main goals of external adversaries is to gain access to legitimate internal credentials to advance their assault (page 49)

Verizon also notes:

The discovery timeline for this pattern … shows that these breaches are more likely to take months and years to detect rather than weeks or less (page 49)

DBIR Discovery Timeline graph

Source: Verizon 2017 Data Breach Investigations Report, page 49

This is where Tenable.io can help.

What can be done?

Blocking the impact of these incidents requires a two-fold approach: preventing unprivileged access and detecting anomalous or unauthorized behavior. There are many best practices to these ends, including monitoring system configurations, account usage, and password policies. Tenable.io supports configuration monitoring using several standards such as the CIS benchmarks, which can provide you with helpful guidelines that are known to promote operational excellence in network security. In addition to a variety of compliance check options, other common settings such as password policies, group assignments, and dormant user accounts can also be easily monitored using Tenable.io.

Configuration scanning in Tenable.io

Performing configuration and vulnerability scans is key to detecting insufficient passwords, misassigned user groups, and dormant user accounts. Luckily, setting up a compliance scan in Tenable.io is simple. Log into Tenable.io and navigate to Scans > My Scans. Click New Scan for a variety of scan templates to choose from. There are multiple templates that involve compliance auditing, but we are going to focus on the Policy Compliance Auditing and Advanced Network Scan templates.

Tenable.io scan templates

Policy Compliance Auditing template

Once you create a new scan and choose the Policy Compliance Auditing template, you can configure the rest of the scan settings. In the first tab, fill in the settings you want to use and the targets you wish to scan. Use the second tab to enable credentialed scanning, which is required for compliance checks. On the last tab, choose Tenable audit files to use as baselines against the target hosts. Use the search field at the top of the page to filter the audit files by keyword, or simply browse through them manually. Once all the settings are chosen, save and run the scan to gather policy compliance data from hosts in your organization.

Policy Compliance Auditing

Advanced Network Scan template

If you want more control over the settings used in your policy compliance scan or want to merge a vulnerability and compliance scan, you can also use the Advanced Network Scan template. Customizing an advanced scan can be especially useful because many vulnerability plugins can aid in identifying privilege misuse or unusual user behavior. Simply configure the settings in each tab, then save and run your custom scan.

Sifting through results

Once scans have been run and data has been gathered, you can start reviewing the results to understand potential weaknesses in your network. Analyzing the results from the vulnerability and compliance scans can easily be done using the scan results page.

Scan results

Click on a scan in the My Scans list to view a page of details. If the scan is currently running, the History tab will be the first displayed. Once a scan has been run multiple times, use the Diff feature to compare the results of two runs. Note that choosing the more recent scan as the primary result will give you everything that disappeared between scans, and choosing the earlier scan as the primary result will give you everything new. The Hosts tab lists all the hosts scanned, the Vulnerabilities tab lists any vulnerabilities that were detected, and the Compliance tab lists the results of the policy compliance audit. Drill into the results in all three tabs for more detailed information. Advanced filters will apply to all tabs and be sustained until cleared. Filters will not apply if the scan being viewed is still running.

Scan results

Compliance results

Results under the Compliance tab of a scan are related to the audit file(s) you chose during the scan configuration. Compliance results use three severity levels to indicate the outcome of that particular check:

  • Failed severity checks are indicated in red.
  • Warning severity uses orange and indicates that manual verification is needed to determine whether the check passed or failed.
  • Passed severity results are in green, indicating that the check passed.

Clicking on any of the results will provide you with detailed information about that check, including a description, solution, and output that includes a list of impacted hosts.

Scan results - compliance

Advanced filters

In the scan results, advanced filters identify results of particular concern. To focus on failed compliance checks, apply an advanced filter using Severity is equal to High. To filter for compliance checks requiring manual verification, set the severity filter to Medium. Set the severity filter to None to filter for passed compliance checks.

Advance filters

Scoring a win

The 2017 Verizon Data Breach Investigations Report details how privilege misuse and unauthorized access is a growing problem for all organizations, and such compromises can lay dormant for months. In order to dominate the line of scrimmage and not be blind-sided, defending your network is the name of the game. Hardening your access and authorization policies and systems can help block rogue insiders and protect your most valuable data. With Tenable.io on your team, you can carry the ball and defend your endzone.

For more information

Interested in learning more about Tenable.io?

More about the 2017 Verizon DBIR:

How Vulnerable Are We?

Tenable.io Vulnerability Management Reports

CISOs often ask “How vulnerable are we?” when presented with vulnerability metrics and reports. As the head of a security team, are you prepared to answer that question? The answer often lies in the relationship between vulnerability and exploitability. Every exploitable vulnerability is, of course, a vulnerability. But when a vulnerability isn’t marked “exploitable,” what does that mean? Only that no public exploit is known for it yet: the vulnerability can still be exploited, and an attacker may already hold an exploit that has not been published.


Tenable.io™ helps you better understand the vulnerability of your network and your risk exposure with the data presented in the Critical and Exploitable Vulnerabilities report.


First, let’s clear up some terminology.

Vulnerabilities

In computer security, a "vulnerability" is a weakness in a system, its configuration, or the procedures used to secure it that an attacker can use to gain unauthorized access to data or functionality. In the simplest form, a misconfiguration of file-level permissions can grant unauthorized users access to a file, folder, application, or service. In a more complex example, unpatched SMBv1 on Windows hosts (MS17-010) allowed unauthenticated remote code execution, as the WannaCry ransomware demonstrated. Regardless of how simple or complex the vulnerability, the question quickly becomes: can the vulnerability be exploited? Tenable.io leverages your scan data to provide accurate insight into all the vulnerabilities detected in your organization.

Exploits

The term "exploit" is commonly used to describe software that has been developed to attack an asset by taking advantage of a vulnerability. The objective of many exploits is to gain control of an asset. For example, a successful exploit of a database vulnerability can provide an attacker with the means to collect or exfiltrate all the records from that database, resulting in a data breach. Exploits are also developed to attack a vulnerability in order to gain remote administrative privileges on a host. With Tenable.io, you can identify which hosts in your network have exploitable vulnerabilities, and prioritize remediation efforts accordingly.

Exploit frameworks

Security researchers know that to truly test and understand the nature of exploiting a vulnerability, an exploit framework is needed. An exploit framework is an abstraction in which the foundation of the software provides the generic functionality (payload delivery, encoding, session handling) and users write modules to perform specific tasks. For example, the developers of Metasploit, Core Impact and several others built frameworks that implement common attack techniques and delivery methods, while users write the actual exploit modules. Because the framework has already done most of the difficult work, an inexperienced attacker can mount an attack that looks sophisticated: once you understand how to drive the framework against one buffer overflow, repeating the attack against another is largely mechanical. The industry is seeing a rise in malware that appears to have been developed with these frameworks as they grow in popularity. Tenable.io enables you to search your network for vulnerabilities that have modules in specific exploit frameworks, so you can find the hosts exposed to attacks that require the least skill to launch.

The Tenable.io solution

Tenable.io can easily identify systems that are more vulnerable and exploitable than other systems. The Critical and Exploitable Vulnerabilities report provides detailed information on these hosts.

Tenable.io Critical and Exploitable Vulnerabilities report

The chapters in the Critical and Exploitable Vulnerabilities report give you a comprehensive list of the hosts on your network with critical or exploitable vulnerabilities identified during vulnerability scanning. Also included are the top ports being leveraged and lists of the most critical or exploitable vulnerabilities. All of this detailed information can be used to prioritize hosts and vulnerabilities for remediation.

The Critical Vulnerabilities tables in two of the chapters list the most pervasive exploitable and critical vulnerabilities. The vulnerabilities in these lists should be targeted for efficient remediation to effectively reduce the overall vulnerability and risk exposure of the network.
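The three views the report is built from (hosts carrying critical or exploitable findings, the ports those findings sit on, and the most pervasive plugins) can also be produced directly from a .nessus export. The following Python is an added example written for this article, not Tenable code. The XML it parses is constructed; the element and attribute names (ReportHost, ReportItem, severity, pluginID, port, exploit_available) follow the .nessus v2 format, plugin IDs 97833, 11213 and 19506 are real Nessus plugins, and 100000 is a placeholder.

```python
"""Summarise a .nessus export into the tables behind the Critical and
Exploitable Vulnerabilities report.  Added example, not Tenable code."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed .nessus fragment: two hosts, five findings.  pluginID 100000 is a placeholder.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="example">
  <ReportHost name="10.0.0.5">
   <ReportItem port="445" protocol="tcp" severity="4" pluginID="97833"
               pluginName="MS17-010: Security Update for Microsoft Windows SMB Server">
    <exploit_available>true</exploit_available>
   </ReportItem>
   <ReportItem port="80" protocol="tcp" severity="2" pluginID="11213"
               pluginName="HTTP TRACE / TRACK Methods Allowed">
    <exploit_available>false</exploit_available>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.9">
   <ReportItem port="445" protocol="tcp" severity="4" pluginID="97833"
               pluginName="MS17-010: Security Update for Microsoft Windows SMB Server">
    <exploit_available>true</exploit_available>
   </ReportItem>
   <ReportItem port="3306" protocol="tcp" severity="4" pluginID="100000"
               pluginName="Constructed critical finding without a public exploit">
    <exploit_available>false</exploit_available>
   </ReportItem>
   <ReportItem port="0" protocol="tcp" severity="0" pluginID="19506"
               pluginName="Nessus Scan Information"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

CRITICAL = 4  # .nessus severity scale: 0 info, 1 low, 2 medium, 3 high, 4 critical


def parse_findings(xml_text):
    """Flatten every ReportItem into a dict with host, port, severity and exploit flag."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            # exploit_available is a child element with text "true"/"false"; absent means unknown
            exploit = item.findtext("exploit_available", default="false")
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName", ""),
                "exploitable": exploit.strip().lower() == "true",
            })
    return findings


def of_interest(finding):
    """A finding makes the report if it is critical, exploitable, or both."""
    return finding["severity"] >= CRITICAL or finding["exploitable"]


def hosts_of_interest(findings):
    """host -> (critical count, exploitable count), only for hosts with at least one."""
    table = defaultdict(lambda: [0, 0])
    for f in findings:
        if not of_interest(f):
            continue
        if f["severity"] >= CRITICAL:
            table[f["host"]][0] += 1
        if f["exploitable"]:
            table[f["host"]][1] += 1
    return {host: tuple(counts) for host, counts in table.items()}


def top_ports(findings, n=5):
    """Most common (protocol, port) among interesting findings; port 0 is host-level, skip it."""
    counter = Counter((f["protocol"], f["port"])
                      for f in findings if of_interest(f) and f["port"] != 0)
    return counter.most_common(n)


def top_plugins(findings, n=5):
    """Plugins ranked by number of distinct affected hosts: the 'most pervasive' list."""
    hosts_by_plugin = defaultdict(set)
    names = {}
    for f in findings:
        if of_interest(f):
            hosts_by_plugin[f["plugin_id"]].add(f["host"])
            names[f["plugin_id"]] = f["plugin_name"]
    ranked = sorted(hosts_by_plugin.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(pid, names[pid], len(hosts)) for pid, hosts in ranked[:n]]


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_NESSUS)
    print("hosts:", hosts_of_interest(findings))
    print("ports:", top_ports(findings))
    print("plugins:", top_plugins(findings))
```

Ranking plugins by distinct hosts rather than raw finding count is what makes the list useful for remediation: one patch for a plugin that appears on many hosts removes more exposure than several patches for single-host findings.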

Critical Vulnerabilities table list

Regardless of your approach to mitigating risks identified by Tenable.io – by applying patches, configuring mitigation controls, or hardening operating systems – the first step is to clearly qualify the risks into actionable tasks and deliverables. Tenable.io provides information security professionals with the tools and resources needed to perform a detailed qualitative analysis of the risk that threatens business assets. The Critical and Exploitable Vulnerabilities report provides insight into your current risk exposure. Armed with Tenable.io, you’ll be prepared to provide an accurate answer the next time the CISO asks you how vulnerable your organization is.


Try Tenable.io

Tenable.io provides accurate information on how well your organization is addressing security risks, and helps track improvements over time. Get a free trial of Tenable.io Vulnerability Management for 60 days.

Web Applications Under Attack: Tenable.io and the 2017 Verizon DBIR


According to the 2017 Verizon Data Breach Investigations Report (DBIR), web applications are under attack even more so than last year (page 57), especially in the financial sector. Primary targets are personal data and credentials: in over half of the reported non-botnet breaches resulting from web application attacks, personal data was compromised. Use of stolen credentials is the top method of hacking web applications, but SQL injection (SQLi) continues to be a dangerous vector (page 58). With enterprises moving more software services to the web, safeguarding the sensitive data handled by web applications is critically important.


Tenable.io™ now incorporates Web Application Scanning (WAS) to help you discover web application vulnerabilities and better protect your data. Tenable.io WAS is a new solution from Tenable that offers significant improvements over the existing web application tests provided by the Nessus® scanner. Tenable.io WAS is compatible with modern web applications that make heavy use of JavaScript and are built on HTML5 and AJAX, enabling you to have a more complete picture of the state of your web application security posture. Tenable.io WAS offers safe external scanning that ensures production web applications are not disrupted or delayed. The results from a Tenable.io WAS scan highlight potential web application problems, offer solution advice, and provide links for more information, including links to the Open Web Application Security Project (OWASP) and the Common Weakness Enumeration (CWE) list of common software security weaknesses.


Tenable.io Web Application Scanning (WAS)

Stolen information

Attackers can leverage stolen credentials to install software, steal information, and do other nefarious things on your network. While phishing attacks are the most common way for attackers to obtain credentials, attackers can also obtain credentials and other sensitive information from vulnerable web applications. The DBIR recommends limiting the amount of personal information and credentials stored on web applications and in backend databases (page 58, Areas of focus). This recommendation corresponds to security weaknesses A6 (Sensitive Data Exposure) and A5 (Security Misconfiguration) in the OWASP Top Ten, and also to various CWEs, including CWE-200 (Information Exposure).

Tenable.io WAS can help you find where sensitive data might be exposed by a web application. While some of the exposed data may not seem particularly sensitive, attackers may be able to make use of the data in subsequent attacks, such as using the information to make phishing attacks seem more genuine. The following is a partial list of the plugins whose results indicate exposed data. You should investigate the results from these and related plugins to determine if any sensitive data is being put at risk, and to take appropriate action.

  • Common Directory (plugin 98072)
  • Private IP Address Disclosure (plugin 98077)
  • Email Address Disclosure (plugin 98078)

Several plugins also highlight website weaknesses that have the potential to expose sensitive data. For example, Missing ‘X-Frame-Options’ header (plugin 98060) detects when a page can be framed by another site, leaving users open to clickjacking: the victim is tricked into clicking on something other than what they think they are clicking on, potentially revealing confidential information or triggering an unintended action. Unencrypted password form (plugin 98082) detects when credentials are not transmitted over an encrypted connection, exposing them to anyone able to observe the network traffic.
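The two weaknesses above can be checked passively from a single response. The Python below is an added example written for this article, not the logic of Tenable plugins 98060 or 98082; the headers, page URL and HTML are constructed. It also covers the caveat a practitioner would want: a Content-Security-Policy frame-ancestors directive supersedes X-Frame-Options, so a page with `frame-ancestors 'none'` is protected even without the older header, while `frame-ancestors *` is not.

```python
"""Passive checks for clickjacking exposure and unencrypted password forms.
Added example, not Tenable plugin code."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed response: no framing defence, one form posting credentials over http.
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Server": "constructed"}
SAMPLE_URL = "https://www.example.test/account"
SAMPLE_HTML = """<html><body>
<form action="http://www.example.test/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="https://accounts.example.test/reset" method="post">
  <input type="password" name="new">
</form>
<form action="/search"><input name="q"></form>
</body></html>"""


def frameable(headers):
    """True if nothing in the headers stops another site framing this page."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # CSP wins over X-Frame-Options; only a wildcard source leaves the page frameable
            return "*" in (p.lower() for p in parts[1:])
    return h.get("x-frame-options", "").strip().upper() not in {"DENY", "SAMEORIGIN"}


class _FormScanner(HTMLParser):
    """Collect password forms whose page or action is not delivered over HTTPS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_is_https = urlparse(page_url).scheme == "https"
        self._action = None
        self._has_password = False
        self.insecure_forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action submits back to the page itself
            self._action = urljoin(self.page_url, a.get("action") or "")
            self._has_password = False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            action_is_https = urlparse(self._action).scheme == "https"
            # An HTTP-delivered page can have its form action rewritten by an on-path
            # attacker, so both the page and the action must be HTTPS to pass.
            if self._has_password and not (self.page_is_https and action_is_https):
                self.insecure_forms.append(self._action)
            self._action = None


def unencrypted_password_forms(page_url, html):
    """Return the absolute action URLs of password forms that put credentials on the wire unencrypted."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.insecure_forms


if __name__ == "__main__":
    print("frameable:", frameable(SAMPLE_HEADERS))
    print("insecure password forms:", unencrypted_password_forms(SAMPLE_URL, SAMPLE_HTML))
```

Run against a real site, the same two functions would take the response headers and body from the HTTP client you already use; the checks themselves need no network access, which is what makes them cheap to run on every crawled page.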

SQL injection

The DBIR notes (pages 57 and 58) that SQLi is still around, and recommends performing web application scanning and testing to find potential input validation weaknesses. SQLi can be used to dump confidential information from backend databases, and even to modify or delete information within a database. The DBIR recommendation corresponds to the OWASP Top Ten security weakness A1 (Injection) and to CWE-89 (SQL Injection).

Tenable.io WAS has several plugins in the injection plugin family that can help you discover SQLi weaknesses in an application, including:

  • SQL Injection (plugin 98115)
  • NoSQL Injection (plugin 98116)
  • Blind SQL Injection (timing attack) (plugin 98118)

The plugin output contains the requests and responses exchanged with the web application, verifying that one or more web pages were vulnerable to SQLi. The fix for SQLi is what it has always been: parameterized queries, also known as prepared statements, so that user input reaches the database only as bound values and never as part of the query text. Note that parameters can only carry values; a table or column name taken from user input (a sort column, for example) must be checked against an allowlist instead. If you are using third-party web applications that are vulnerable to SQLi, upgrade them as soon as possible.
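The difference between a string-built query and a prepared statement, together with the identifier caveat, is shown below against an in-memory SQLite database. This is an added example written for this article, not Tenable code or code from any scanned application; the schema, rows and the plaintext passwords (kept plain only to make the query visible) are constructed.

```python
"""CWE-89 side by side with its fix: string-built SQL vs. bound parameters,
plus an allowlist for the one thing parameters cannot protect (identifiers).
Added example; schema and data are constructed."""
import sqlite3


def make_db():
    """Tiny user table.  Real applications store password hashes, not plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """User input is pasted into the query text: a password of  ' OR '1'='1  turns the
    WHERE clause into (username='' AND password='') OR '1'='1', matching every row."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Prepared statement: the driver sends the same query text every time and the
    inputs only ever travel as bound values, so quotes in them are just data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Identifiers cannot be bound with '?', so user-chosen sort columns go through an allowlist.
ALLOWED_SORT_COLUMNS = {"username", "role"}


def list_users_sorted(conn, column):
    """Safe dynamic ORDER BY: the column name is interpolated only after it has been
    matched against a fixed set of known-good identifiers."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {column}")]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable login with payload:", login_vulnerable(db, "", payload))
    print("safe login with payload:      ", login_safe(db, "", payload))
    print("sorted:", list_users_sorted(db, "role"))
```

A scanner such as the SQL Injection plugin works from the outside: it sends inputs like the payload above and watches for database errors, changed result sets or, for blind injection, timing differences. The code-level fix is the same in every case, which is why the parameterized form is the one to ship.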

Web application vulnerabilities

This leads to another DBIR recommendation (page 58): consistent patching of content management systems such as WordPress and Drupal, and all their related plugins. This recommendation corresponds to the OWASP Top Ten security weakness A9 (Using Components with Known Vulnerabilities). As with any vulnerabilities, web application and web server vulnerabilities could be – and very likely will be – exploited by attackers to wreak havoc on your network.

Web server vulnerabilities such as outdated versions of Apache or IBM WebSphere can be discovered with Nessus scans of your web servers. Monitoring these hosts with the Nessus Network Monitor (formerly PVS™) may also reveal vulnerabilities, and a detected vulnerable version of a web server or framework component can in turn point to vulnerabilities in the web applications running on it.

Web application and web server vulnerabilities can also be detected by Tenable.io WAS. Various plugins detect misconfigurations and potential vulnerability to attacks such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and code execution. In addition, Backdoor Detection (plugin 98097) identifies URLs that contain potential backdoor scripts.

Informational plugins in Tenable.io WAS gather additional information about web applications that may be helpful. For example, Scan Information (plugin 98000) presents summary information about the scan, such as scan duration, number of requests, and protocols and authentication detected. Web Application Sitemap (plugin 98009) provides a hierarchy of all URLs discovered during the scan, along with the response code and other information for each. Interesting response (plugin 98050) notes when a response status code other than 200 (OK) or 404 (Not Found) is returned, which may provide useful insights into the behavior of the web application.


Tenable.io WAS is an important addition to the arsenal of Tenable tools to protect your network. Tenable.io WAS helps you find and fix the top web application attacks noted in the 2017 DBIR, enabling you to better secure your web-facing assets, your data and your overall network.

For more information

Tenable.io

2017 Verizon DBIR
