Channel: Tenable Blog

Uncovering the Business Costs of Cyber Risk: Ponemon Study


<p>Study finds organizations are not accurately measuring the business costs of cyber risk, and are unable to quantify the damage cyber attacks could have on their businesses, leaving them without the critical information needed to make decisions about resource allocation, technology investments and threat prioritization.</p>

<p>Unlike other business disciplines (CRM, ERP, HR), cybersecurity lacks the kind of clear business metrics which can help executives frame decision-making in a language the c-suite and board easily understand. When we commissioned Ponemon Research to study the effects of cyber risk on business operations, our goal was to explore how four common KPIs associated with cyber exposure translate to specific types of business risk. We wanted to go beyond assessing pure dollar impact, exploring how cyber risk influences business strategy, products, supply chain, revenue streams, operations, business technology, customer experience and regulatory compliance.</p>

<p>What we discovered -- after surveying 2,410 IT and infosec decision-makers in six countries -- is that traditional KPIs or metrics for evaluating business risks cannot be used to understand cyber risks. Organizations are not accurately measuring the business costs of cyber risk, and are unable to quantify the damage cyber attacks could have on their businesses. Thus, decisions about the allocation of resources, investments in technologies and the prioritization of threats are being made without critical intelligence. Moreover, organizations are unable to correlate the cyber risk KPIs they are using to the mitigation of a data breach or security exploit.</p>

<p>At a time when boards of directors are taking more interest in cybersecurity than ever before, the study <a href="https://www.tenable.com/cyber-exposure/ponemon-cyber-risk-report">Measuring &amp; Managing the Cyber Risks to Business Operations</a>, conducted by Ponemon Institute on behalf of Tenable, reveals a lack of faith among cybersecurity professionals in the accuracy of their metrics. This makes CISOs and other security technology executives reluctant to share critical information about the business costs of cyber risks with their boards.</p>

<h2>Exploring common KPIs</h2>
<p>For the study, we identified four common KPIs used to measure cyber risk:</p>
<ul><li>time to assess;</li>
<li>time to remediate; </li>
<li>effectiveness of prioritizing cyber risk; and </li>
<li>identification of assets vulnerable to cyber risk -- including Operational Technology (OT) and Internet of Things (IoT) devices.</li></ul>

<p>In addition, we explored three KPIs most often used to measure the financial consequences of a cyber attack: </p>
<ul><li>loss of revenue; </li>
<li>loss of productivity; and</li>
<li>drop in stock price.</li></ul>

<p>The vast majority of respondents (91%) admitted they’ve experienced at least one business-disrupting cyber incident in the past 24 months; 60% have experienced two or more incidents in the same time frame. These attacks have resulted in data breaches and/or significant disruption and downtime to business operations, plants and operational equipment.</p>

<p>The majority of respondents (58%) say traditional KPIs or metrics for evaluating business risks cannot be used to understand cyber risks. When it comes to quantifying the damage cyber events could have on their businesses, only 41% of respondents (988) say their organizations make any attempt to do so. Further, only 30% of respondents say their organizations are able to correlate information from cyber risk KPIs to taking action on reducing the risk of a data breach or security exploit. </p>

<p>Of the 988 respondents who said their organizations attempt to quantify the damage security incidents could have on their businesses:</p>
<ul><li>54% say they quantify what the theft of intellectual property would cost;</li>
<li>43% say they calculate the potential financial loss; and </li>
<li>42% consider the impact of the loss of employee productivity following a data breach or security exploit. </li></ul>

<h3>What factors are used to quantify the potential risk of a cyber attack?</h3>
<img src="/sites/drupal.dmz.tenablesecurity.com/files/images/blog/quantifying%20the%20potential%20risk%20of%20a%20cyber%20attack.png" width="2266" height="1110" alt="quantifying the business risk of a cyber attack" />
<p><i>Source: Measuring & Managing the Cyber Risks to Business Operations, Ponemon Institute & Tenable, December 2018.</i></p>

<p>We asked respondents to rate the accuracy of the information gathered using the above KPIs, measured on a scale of 1 = not accurate to 10 = very accurate. Only 38% of respondents believe their measures are very accurate, while 44% believe their measures are not very accurate.</p>

<p>The report also reveals organizations are not using the KPIs they consider most important to assessing and understanding cyber threats. For example, nearly two-thirds of respondents (64%) identified “time to assess” as an important KPI for evaluating cyber risk, yet only 49% of respondents are currently using this metric. We see similar gaps when we look at the three other KPIs discussed in the report (see below).</p>

<h3>Gaps in use and importance of KPIs</h3>
<table><tbody>
<tr>
<th>KPI</th>
<th>Used by (% respondents)</th>
<th>Considered essential (% respondents)</th>
</tr>
<tr>
<td>Time to assess cyber risk</td>
<td>49%</td>
<td>64%</td>
</tr>
<tr>
<td>Time to remediate cyber risk</td>
<td>46%</td>
<td>70%</td>
</tr>
<tr>
<td>Identifying OT and IoT assets</td>
<td>34%</td>
<td>62%</td>
</tr>
<tr>
<td>Prioritization effectiveness</td>
<td>38%</td>
<td>57%</td>
</tr>
</tbody></table>
<p><i>Source: Measuring & Managing the Cyber Risks to Business Operations, Ponemon Institute & Tenable, December 2018.</i></p>

<h2>Measuring cyber risk: Nobody said it was easy</h2>

<p>Respondents identified seven key reasons why their organizations continue to face cybersecurity challenges, including:</p>
<ul><li>An understaffed IT security function.</li>
<li>Lack of resources to manage vulnerabilities.</li>
<li>The proliferation of IoT devices in the workplace.</li>
<li>The complexity of the IT security infrastructure.</li>
<li>Lack of controls over third-party access to sensitive and confidential data.</li>
<li>Dependency on manual processes to respond to vulnerabilities. </li>
<li>Insufficient visibility into their organization’s attack surface.</li></ul>

<p>While there are no quick-and-easy fixes to any of these issues, we believe focusing on the following five steps will help put your organization on the right path to building a business-first cybersecurity strategy.</p>

<ol><li>Identify and map every asset across any computing environment.</li>
<li>Understand the cyber exposure of all assets, including vulnerabilities, misconfigurations and other security health indicators.</li>
<li>Understand exposures in context, to prioritize remediation based on asset criticality, threat context and vulnerability severity.</li>
<li>Prioritize which exposures to fix first, if at all, and apply the appropriate remediation technique.</li>
<li>Measure and benchmark cyber exposure to make better business and technology decisions.</li></ol>

<p>In addition to the above guidance, the report, <a href="https://www.tenable.com/cyber-exposure/ponemon-cyber-risk-report">Measuring &amp; Managing the Cyber Risks to Business Operations</a>, concludes with a five-step process for measuring and managing cyber risk you can put into action in your own organization today. Download your free copy here.</p>

<h2>About this study</h2>

<p>The report Measuring &amp; Managing the Cyber Risks to Business Operations is based on a survey of 2,410 IT and IT security decision-makers in the United States, United Kingdom, Germany, Australia, Mexico and Japan. All respondents have involvement in the evaluation and/or management of investments in cybersecurity solutions within their organizations. The consolidated global findings are presented in this report. Download your free copy <a href="https://www.tenable.com/cyber-exposure/ponemon-cyber-risk-report">here</a>.</p>


Securing Medical Records: Exploring US Certification Standards


<p>Tenable Research investigates compliance standards for EHR applications in the US healthcare industry and discusses possible gaps in the coverage of these standards. Real world examples are provided to demonstrate potential security impact.</p>

<p>Politics and legislation aside, it&rsquo;s no secret that the US healthcare industry is a mess. Hospital networks and small-time medical practices alike are known <a href="https://www.healthcare-informatics.com/news-item/cybersecurity/report-15... run outdated and vulnerable software</a>. Compounded by the fact that vendors are jumping on the &ldquo;smart-things&rdquo; bandwagon like groupies to a Dave Matthews Band show, the world of healthcare technology is a scary place. From <a href="https://www.wired.com/story/pacemaker-hack-malware-black-hat/">pacemaker malware</a> to <a href="https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-02">compromised insulin pumps</a> and from <a href="https://www.healthcareitnews.com/projects/biggest-healthcare-data-breach... scale breaches</a> to ransomware attacks, all facets of the healthcare industry have serious issues with clear and direct impact on consumers and end users.</p>

<p>Given how common large scale breaches are, it&rsquo;s generally accepted that most people&rsquo;s data, such as <a href="https://www.fraud.org/myfitnesspal_breach">login credentials</a>, <a href="https://www.washingtonpost.com/business/2018/11/30/marriott-discloses-ma... information</a>, and <a href="https://finance.yahoo.com/news/protect-yourself-massive-equifax-breach-2... information</a>, has already been stolen. Privacy breaches of this nature are simply a fact of life we all must deal with. Perhaps one of the most notable industries affected by this trend is indeed the healthcare industry, but these breaches go beyond usernames and credit card numbers and include personal health information. These compromises are happening at organizations of all sizes, ranging from small clinics in rural suburbs to large hospitals in major metropolitan areas. While these breaches make for spectacular headlines, we don&rsquo;t often see much more beyond a surface-level analysis of the attack vectors involved. In other words, we rarely get to see all the gory details of how attackers are compromising these health-related applications. That&rsquo;s what we&rsquo;re here to talk about today.</p>

<h3>Creating a Standard</h3>

<p>An Electronic Health Record or Electronic Medical Record (EHR / EMR) is a digital record of a patient&rsquo;s medical history. Applications managing these records typically serve other purposes as well, such as ordering prescriptions electronically, scheduling appointments, providing interfaces for medical imaging devices, handling payment and insurance information, and a variety of other practice management functions. It&rsquo;s likely anyone who&rsquo;s visited a doctor sometime in the last decade has seen one or more of these types of applications.</p>

<p>What most people may not be familiar with, however, are the <a href="https://www.healthit.gov/topic/certification-ehrs/about-onc-health-it-ce... standards</a> governing these applications.* To be brief, <a href="https://ehrintelligence.com/news/brief-history-of-ehr-incentive-payments... 2009 the US government</a> decided to incentivize medical practitioners to begin using certified health applications in order to achieve interoperable patient records and standardized metrics throughout the industry with regards to a provided set of <em>Meaningful Use</em> and <em>Clinical Quality</em> measurements. These standards are periodically reviewed and re-evaluated, but they exist today in much the same form as they did in 2009. While medical practices still have some freedom of choice, they&rsquo;re likely to stick to a certified product in order to receive the incentive bonuses (read: money).</p>

<p>As with any compliance standard, such as PCI, a big part of the game is simply figuring out how to get the guy with the clipboard to check each box and give a stamp of approval. While obviously not perfect, these certifications are necessary and at least ensure some base level of compliance. As a security professional with a background in dealing with health-related software and the EHR certification process, I am primarily concerned with the certification standards regarding the security and privacy of patient information. To note, while HIPAA - an overarching policy intended to protect communication of patient information - is obviously involved to some degree, discussion about that particular bit of legislation is best left for another time.</p>

<p>Within the Office of the National Coordinator for Health Information Technology (ONC Health IT) certification standard, there are only a handful of criteria that even mention security or privacy-related matters. Most of these criteria fall under <a href="https://www.healthit.gov/topic/certification-ehrs/2015-edition-test-meth... (d)</a>. In general, the standards listed involve user authentication, user permissions, audit logs, secure transmission to a third party, and other basic security features. While these standards are mostly sane, citing NIST as the primary source for proper hashing algorithms and secure transport protocols, they&rsquo;re often vague and the testing methodology appears to be flawed.</p>
<p>Take <a href="https://www.healthit.gov/test-method/authentication-access-control-autho... (d)(1)</a> for example. This criterion exists to ensure that the EHR allows individual logins with a varied set of permissions between users. For example, front desk staff may only be allowed to schedule appointments and print visit summaries; nurses may have the power to view prescriptions, but not order new ones; and doctors likely have the full gamut of privileges. While this is expected functionality for an application of this nature, none of the other criteria in the certification standard specifies how these users and privileges should be managed or stored. While standards and criteria do exist that govern acceptable hashing algorithms or secure transport protocols, they don&rsquo;t apply to this criterion. This trend of vague descriptions and misplaced requirements can be seen throughout the certification standard, which allows vendors and developers to make mistakes or take shortcuts in areas where they shouldn&rsquo;t. This leaves major security gaps and holes in many applications that may otherwise meet all certification criteria.</p>

<h3>Following Standards Still Leaves Gaps</h3>

<p>To further illustrate this point, take a look at some of the recent vulnerability research done in this area. Back in August, Project Insecurity looked into OpenEMR. Their <a href="https://insecurity.sh/assets/reports/openemr.pdf">findings</a> detailed over 20 vulnerabilities in the application - ranging from simple SQL injection to remote code execution, which could lead to the breach of potentially hundreds of thousands of patient records.</p>

<p>Even more recently, Tenable <a href="https://www.tenable.com/security/research/tra-2018-44">disclosed a number of vulnerabilities</a> in another popular open-source medical application, Open Dental, which is geared towards dental professionals. Open Dental Software advertises the &ldquo;ONC Certified HIT&rdquo; badge on its product <a href="http://opendental.com/">homepage</a>. The company&rsquo;s official certification status and testing results can be found on <a href="https://chpl.healthit.gov/#/product/9714">HealthIT.gov</a>. As can be seen under the <em>Certification Criterion</em> section, Open Dental does indeed meet the standards required for certification - including the standards regarding reasonable privacy and security of patient data. It was most recently evaluated on October 31, 2018.</p>

<p>From Tenable&rsquo;s research advisory, we can see the clear gaps in certification standards as they relate to the security of a given application. Open Dental implements separate authentication and authorization mechanisms with varied permissions between user types, but the application makes no effort to securely transmit this information. There is no use of parameterized queries, potentially allowing an attacker to modify requests once access to the application is granted. While some form of local network access is required for these attacks, the attacks themselves are relatively trivial. Additionally, the fundamental design of the application (which is similar to the design seen in so many other EHR systems) contains both server- and client-side logic all in a single package, meaning most security features could be easily bypassed by a local attacker. And I&rsquo;m sure we&rsquo;ve all encountered a situation where a doctor or nurse has left patients alone in the exam room without first locking the computer.</p>
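<p>The parameterization gap described above, shown as an added example that is not Open Dental&rsquo;s code or Tenable&rsquo;s: the same patient lookup written by splicing caller input into the SQL text, beside the parameterized form. The patient table is constructed in memory with Python&rsquo;s sqlite3 module, and the crafted input is a constructed value chosen only to show why the two forms behave differently.</p>

```python
"""String-built query beside its parameterized form (added example, constructed data)."""
import sqlite3


def make_db():
    """Build an in-memory table with three constructed patient rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patient (id INTEGER PRIMARY KEY, last_name TEXT, record TEXT)"
    )
    conn.executemany(
        "INSERT INTO patient (last_name, record) VALUES (?, ?)",
        [
            ("Doe", "constructed record A"),
            ("Roe", "constructed record B"),
            ("Smith", "constructed record C"),
        ],
    )
    conn.commit()
    return conn


def find_patients_unsafe(conn, last_name):
    """The pattern the advisory criticises: caller input becomes part of the SQL text,
    so quote characters in the input change the query's structure."""
    sql = "SELECT id, last_name FROM patient WHERE last_name = '%s'" % last_name
    return conn.execute(sql).fetchall()


def find_patients_safe(conn, last_name):
    """Parameterized form: the value travels separately from the statement and is
    only ever compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT id, last_name FROM patient WHERE last_name = ?", (last_name,)
    ).fetchall()


# Constructed input containing a quote; it is a value, not a real patient name.
CRAFTED_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("safe, real name:   ", find_patients_safe(db, "Doe"))
    print("safe, crafted:     ", find_patients_safe(db, CRAFTED_INPUT))
    print("unsafe, crafted:   ", find_patients_unsafe(db, CRAFTED_INPUT))
```

<p>With the parameterized form the crafted value simply matches no row; with the string-built form the same value returns every patient, which is the shape of the record-exposure risk the advisory describes. The fix is the same in any language or driver: bind values as parameters and never concatenate them into statement text.</p>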

<p>To be clear: Tenable is not aiming to shame vendors, developers, medical professionals, legislators, or anyone else related to the medical field. In fact, we&rsquo;d like to take a moment to compliment Open Dental on its responsiveness to its community. While the disclosure process was admittedly complicated, a peek at the company&rsquo;s community forums, blog, and public issue tracker makes it obvious the company cares about its users and community. With so many moving parts, though, it isn&rsquo;t surprising that these flaws exist. If doctors weren&rsquo;t incentivized to use a product that adheres to a given standard, they may be inclined to use cheaper options with potentially worse issues. If vendors didn&rsquo;t have a reason to get their products certified, their developers may implement features or accept risks in areas where they otherwise wouldn&rsquo;t. If legislators didn&rsquo;t create policies to emphasize the need for a standard in the first place, medical practices might be stuck using procedure codes or diagnostic codes that weren&rsquo;t transferable from one practice to another, which leads to a whole different slew of problems.</p>

<h3>Raising Awareness</h3>

<p>In short, no single entity is to blame for the issues that have arisen in this industry. In fact, many of these smaller EHR companies are so far removed from the security industry that it&rsquo;s possible they aren&rsquo;t even aware these types of flaws are problems at all. Nothing in this article is new, groundbreaking, or innovative. We see these same old problems crop up again and again in the form of data leaks, breaches, ransomware attacks and other serious incidents. The medical industry has always been slow to adopt new technology, and government regulations and legislation lag even further behind. As an outsider who recognizes these issues, it&rsquo;s difficult to stand by and watch the slow bureaucratic process chug along. In my opinion, the best way a security practitioner can effect change in this field is by researching these applications and coordinating the disclosure of findings with the appropriate vendors. By pointing out these flaws to vendors, we can hopefully bring awareness to these issues and point the industry in a more positive direction.</p>

<p>In the medical industry, the barrier to entry is high for security researchers due to <a href="https://www.ehrinpractice.com/ehr-cost-and-budget-guide.html">cost and availability</a> of software and devices to test. Trials are restricted to potential customers and open source alternatives are few and far between. Tenable&rsquo;s Zero Day Research team has an ongoing initiative to periodically review medical-related products, both hardware and software. If you make use of such products and are able to share resources or information, please feel free to reach out to jsebree@tenable.com to collaborate.</p>

<p><em>* This article primarily deals with the standards and issues mentioned as they exist in the US. While other countries and jurisdictions may experience similar issues, the regulations may differ.</em></p>

Patched Elasticsearch Vulnerabilities Used to Spread Cryptocurrency Miner (CVE-2014-3120, CVE-2015-1427)


<p>Attackers are actively scanning for vulnerable Elasticsearch systems in order to implant cryptocurrency mining scripts.</p>
<h3>Background</h3>
<p>In recent weeks, attackers have been <a href="https://isc.sans.edu/diary/rss/24364">observed scanning for vulnerabilities in Elasticsearch</a>, a distributed, RESTful search and analytics engine. According to <a href="https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurren... from Trend Micro</a>, the attackers are targeting unpatched Elasticsearch systems using vulnerabilities from 2014 and 2015 to break into systems in order to implant cryptocurrency mining (also known as “coinminer”) scripts. These scripts are designed to hijack a system’s computing resources in a race to solve complex mathematical problems (“mining”) first in order to receive a reward of cryptocurrency.</p>
<h3>Vulnerability details</h3>
<p>The Elasticsearch vulnerabilities used in these attacks include <a href="https://nvd.nist.gov/vuln/detail/CVE-2014-3120">CVE-2014-3120</a>, a remote code execution vulnerability in the 'source' parameter of the '/_search' endpoint as part of the Elasticsearch default configuration, and <a href="https://nvd.nist.gov/vuln/detail/CVE-2015-1427">CVE-2015-1427</a>, a remote code execution vulnerability in the Groovy scripting engine, part of the default configuration in Elasticsearch up to version 5.0.0. Successful exploitation of these vulnerabilities can allow an attacker to execute arbitrary code, gain a remote shell or manipulate files on the remote system.</p>
<h3>Urgently required actions</h3>
<p>Upgrading to Elasticsearch version 1.2.0 or later resolves CVE-2014-3120 while upgrading to version 1.3.8 / 1.4.3 or later resolves CVE-2015-1427. Disabling scripting altogether will also mitigate these vulnerabilities. It is also extremely important to ensure your <a href="https://www.elastic.co/guide/en/elastic-stack-overview/current/elasticse... is properly secured</a>.</p>
<h3>Identifying affected systems</h3>
<p>A list of Nessus plugins to identify these vulnerabilities can be found <a href="https://www.tenable.com/plugins/search?q=cves%3A(%22CVE-2015-1427%22%20OR%20%20%22CVE-2014-3120%22)&sort=newest&page=1">here</a>.</p>
<h3>Get more information</h3>
<ul>
<li><a href="https://isc.sans.edu/diary/rss/24364">CoinMiners searching for hosts</a></li>
<li><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurren... Miner Spreads via Old Vulnerabilities on Elasticsearch</a></li>
<li><a href="https://www.elastic.co/guide/en/elastic-stack-overview/current/elasticse... the Elastic Stack</a></li>
</ul>

<p><b><i>Learn more about <a href="https://www.tenable.com/products">Tenable</a>, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a <a href="https://www.tenable.com/products/tenable-io/vulnerability-management/eva... 60-day trial</a> of Tenable.io Vulnerability Management. </i></b></p>

Magellan: Remote Code Execution Vulnerability in SQLite Disclosed


<p>Researchers disclosed a remote code execution vulnerability in SQLite affecting Google Chromium-based browsers as well as the Google Home smart speaker.</p>
<h2>Background</h2>
<p>On December 14, researchers from Tencent’s Blade Team published <a href="https://blade.tencent.com/magellan/index_en.html">an advisory regarding their discovery of “Magellan,”</a> a remote code execution vulnerability in SQLite. </p>
<h2>Vulnerability details</h2>
<p>Details surrounding the Magellan vulnerability remain sparse at this time. However, the Blade Team specifies that the impact of this vulnerability includes code execution, memory leak or denial of service (DoS). Additionally, Chromium, Google’s open source codebase that powers Google Chrome, is affected by this vulnerability. There are several other browser implementations that utilize the Chromium codebase, including <a href="https://brave.com/">Brave</a>, <a href="https://www.opera.com/">Opera</a>, <a href="https://vivaldi.com/">Vivaldi</a> and <a href="https://browser.yandex.com/">Yandex</a>.</p>
<p>According to the Blade Team, they were able to use the Magellan vulnerability to exploit the <a href="https://store.google.com/us/product/google_home?">Google Home</a> smart speaker, but have stated they have no plans to release any proof-of-concept (PoC) code for Magellan. However, several hours after the Blade Team released their advisory, an app developer published a PoC that crashes Chrome 70.</p>
<h2>Urgently required actions</h2>
<p>Tenable strongly advises organizations and individuals to upgrade to patched versions as soon as possible.</p>
<p>SQLite released <a href="https://sqlite.org/releaselog/3_26_0.html">version 3.26.0</a> on December 1, 2018, while Google released <a href="https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-... 71.0.3578.80</a> on December 4, 2018. Google Chrome version 71 contains the patches provided in Chromium 71.0.3578.80. Additionally, Linux distributions such as <a href="https://access.redhat.com/errata/RHSA-2018:3803">Red Hat Enterprise Linux</a>, <a href="https://www.debian.org/security/2018/dsa-4352">Debian</a> and <a href="https://lwn.net/Articles/774463/">openSUSE</a> have released security advisories that include the Chromium patch. </p>
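<p>Both this post and the Elasticsearch post above reduce to the same operational check: is a deployed version at or beyond the stated fix level? The following added example (not Tenable&rsquo;s, Elastic&rsquo;s or Google&rsquo;s code) encodes the fix levels exactly as the two posts state them, including the branch-specific 1.3.8 / 1.4.3 fix for CVE-2015-1427, and pulls the version from the JSON an Elasticsearch node returns for <code>GET /</code>. The sample response is constructed; product names are labels chosen here.</p>

```python
"""Version gate for the fix levels stated in the Elasticsearch and Magellan posts (added example)."""
import json

# "Fixed in" ranges, taken from the blog text. A version is fixed for an advisory
# when it falls inside any [lower, upper) range; upper=None means open-ended.
FIXED_RANGES = {
    "elasticsearch": {
        "CVE-2014-3120": [((1, 2, 0), None)],
        # 1.3.8 fixes the 1.3 branch; 1.4.3 fixes 1.4 and everything after it.
        # Anything older than 1.3.8 is simply reported as below the stated fix level.
        "CVE-2015-1427": [((1, 3, 8), (1, 4, 0)), ((1, 4, 3), None)],
    },
    "chromium": {"Magellan": [((71, 0, 3578, 80), None)]},
    "sqlite": {"Magellan": [((3, 26, 0), None)]},
}


def parse_version(text):
    """'1.4.2' -> (1, 4, 2); a '-beta1' or '+build' suffix is ignored."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_fixed(version, ranges):
    """True if the version tuple lies inside any of the fixed ranges."""
    return any(
        version >= low and (high is None or version < high) for low, high in ranges
    )


def outstanding_advisories(product, version_text):
    """Advisories this product version is still exposed to, per the stated fix levels."""
    version = parse_version(version_text)
    return sorted(
        advisory
        for advisory, ranges in FIXED_RANGES[product].items()
        if not is_fixed(version, ranges)
    )


def elasticsearch_version(root_json):
    """Extract version.number from the JSON an Elasticsearch node returns for GET /."""
    return json.loads(root_json)["version"]["number"]


# Constructed sample of a node's GET / response, reduced to the fields used here.
SAMPLE_ROOT = json.dumps({"name": "lab-node", "version": {"number": "1.4.2"}})

if __name__ == "__main__":
    es_version = elasticsearch_version(SAMPLE_ROOT)
    print("elasticsearch", es_version, outstanding_advisories("elasticsearch", es_version))
    print("chromium 70.0.3538.110", outstanding_advisories("chromium", "70.0.3538.110"))
    print("sqlite 3.26.0", outstanding_advisories("sqlite", "3.26.0"))
```

<p>Comparing version tuples rather than strings is the point: "1.10.0" sorts after "1.4.3" numerically but before it lexically. For Elasticsearch the version check is necessary but not sufficient, since the posts also recommend disabling scripting and restricting network access to the node; those settings need a separate configuration review.</p>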
<h2>Identifying affected systems</h2>
<p>A list of Nessus plugins to identify this vulnerability can be found <a href="https://www.tenable.com/plugins/search?q=%2271.0.3578.80%22&sort=&page=1...
<h2>Get more information</h2>
<ul><li><a href="https://blade.tencent.com/magellan/index_en.html">Tencent Blade Team: Magellan</a></li>
<li><a href="https://sqlite.org/releaselog/3_26_0.html">SQLite Release 3.26.0 On 2018-12-01</a></li>
<li><a href="https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-... Releases: Stable Channel Update for Desktop</a></li>
<li><a href="https://access.redhat.com/errata/RHSA-2018:3803">RHSA-2018:3803 - Security Advisory</a></li>
<li><a href="https://www.debian.org/security/2018/dsa-4352">Debian Security Advisory DSA-4352-1</a></li>
<li><a href="https://lwn.net/Articles/774463/">openSUSE alert SU-2018:4056-1</a></li></ul>

Privilege Escalation Flaw Discovered in the Cisco Adaptive Security Appliance


Tenable has discovered a privilege escalation flaw in the Cisco Adaptive Security Appliance that allows low-level users to run higher-level commands when certain configuration settings are set.

  • What you need to know: An authenticated remote unprivileged user can change or download the running configuration or replace the appliance firmware where they shouldn’t.
  • What’s the attack vector? HTTP Requests
  • What’s the business impact? Attackers could read or write files on the system, overwrite firmware and create new users.
  • What’s the solution? Update to the latest version of Cisco IOS.

Background

Tenable has discovered privilege escalation flaws in the Cisco Adaptive Security Appliance (ASAv) 9.9.2. Cisco has assigned this issue CVE-2018-15465. This flaw would allow users with the lowest privilege level of 1 to potentially overwrite the system's firmware, request the full configuration file, and create new users with privilege level 15. It requires the HTTP interface for IOS to be enabled, and the “aaa” authentication scheme needs to be set, which is not part of the ASAv default configuration.

Cisco’s ASAv is a virtual machine (VM) with nearly identical features to the company’s physical ASA, which are network security devices that provide firewall, intrusion prevention and virtual private network (VPN) capabilities. The ASAv has additional features for clustering and multiple contexts. The ASAv is primarily deployed to manage VPN and network switching in cloud or other environments.

Analysis

When command authorization is not enabled, an authenticated remote unprivileged (level 0 or 1) user can change or download the running configuration as well as upload or replace the appliance firmware. Downgrading appliance firmware to an older version would allow an attacker to leverage known vulnerabilities that have been well researched or have publicly available exploit modules.

A simple proof of concept for downloading the running configuration follows:

curl --basic -u notadmin -p -k "http://<ip>/admin/system/running-config"

The following proof of concept allows an unprivileged user to add a new privileged user to the running configuration:

curl --basic -u notadmin -p -k -X "POST" --data-binary "username fourthuser password backdoor privilege 15" "http://<ip>/admin/config"

According to Cisco “This vulnerability affects Cisco ASA Software that is running on any Cisco product that has web management access enabled.”

Vendor response

Cisco released an advisory, “Cisco Adaptive Security Appliance Software Privilege Escalation Vulnerability,” with details on the vulnerability and patch information. Customers can download the update here.

Solution

Cisco has released an advisory and patches. You can find full details linked below. Cisco also notes “for the fix to be effective, customers who have web management access enabled must ensure that the AAA configuration is accurate and complete. In particular, the aaa authentication http console {LOCAL | <aaa-server>} command must be present.”
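The preconditions named in this post are all visible in a running configuration: web management enabled, command authorization absent, and (for Cisco's fix to take effect) the aaa authentication http console line present. The following added example, which is not Tenable's or Cisco's code, audits a saved running-config for exactly those lines and reports the local accounts below privilege 15 that the flaw concerns. The sample configuration is constructed for the example and the password fields are placeholders.

```python
"""Audit an ASA running-config for the CVE-2018-15465 preconditions (added example)."""
import re

# Constructed sample (not taken from any real appliance): web management is
# enabled and AAA is configured, but command authorization is not.
SAMPLE_CONFIG = """\
hostname asa-lab
username auditor password <placeholder-hash> privilege 1
username admin password <placeholder-hash> privilege 15
http server enable
http 192.0.2.0 255.255.255.0 management
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
"""


def audit_asa_config(config_text):
    """Return the relevant settings plus a list of findings for one config."""
    lines = [line.strip() for line in config_text.splitlines()]
    http_enabled = "http server enable" in lines
    # Cisco's advisory: the fix is only effective when this line is present.
    http_console_aaa = any(
        re.fullmatch(r"aaa authentication http console \S+", line) for line in lines
    )
    # The flaw is reachable when command authorization is not enabled.
    command_authorization = any(
        line.startswith("aaa authorization command ") for line in lines
    )
    # Local accounts below privilege 15: the users the escalation path concerns.
    low_privilege_users = []
    for line in lines:
        match = re.match(r"username (\S+) .*privilege (\d+)$", line)
        if match and int(match.group(2)) < 15:
            low_privilege_users.append(match.group(1))

    findings = []
    if http_enabled and not command_authorization:
        findings.append(
            "web management enabled without 'aaa authorization command': "
            "HTTP requests from unprivileged users are not authorized per command"
        )
    if http_enabled and not http_console_aaa:
        findings.append(
            "web management enabled without 'aaa authentication http console': "
            "Cisco notes the fix is not effective until this is configured"
        )
    return {
        "http_enabled": http_enabled,
        "http_console_aaa": http_console_aaa,
        "command_authorization": command_authorization,
        "low_privilege_users": low_privilege_users,
        "findings": findings,
    }


if __name__ == "__main__":
    result = audit_asa_config(SAMPLE_CONFIG)
    for finding in result["findings"]:
        print("FINDING:", finding)
    print("low-privilege local users:", result["low_privilege_users"])
```

Run it over the output of "show running-config" saved to a file; a clean result requires both the patch and a configuration in which command authorization and the http console AAA line are present, which is why the script reports them separately rather than as a single pass/fail.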


Microsoft Releases Out-of-Band Patch for Internet Explorer Remote Code Execution Vulnerability (CVE-2018-8653)


<p>Clement Lecigne of Google’s Threat Analysis Group has reported exploitation of an Internet Explorer vulnerability, CVE-2018-8653, prompting an out-of-band patch from Microsoft.</p>

<h2>Background</h2>

<p>On December 19, Microsoft released a critical out-of-band (OOB) patch for a remote code execution (RCE) vulnerability in Internet Explorer (IE). This vulnerability affects all supported versions of IE, on Windows 7, Windows 8.1, Windows 10, Windows Server 2008 (Internet Explorer 9), Windows Server 2012 (Internet Explorer 10), Windows Server 2016 and Windows Server 2019.</p>

<h2>Vulnerability details</h2>

<p>A remote code execution vulnerability was found in IE’s memory handling in Jscript.dll. An attacker could corrupt IE’s memory in a way that allows code execution on the affected system. The attacker would have the same rights as the active user, including administrators.</p>

<p>An attacker would have to convince a user to visit a malicious website, which could then exploit this vulnerability, executing code on the user’s local machine. Email- or social media-based spear phishing attempts are the most likely methods for exploitation.</p>

<p>Microsoft hasn’t given any specific details, but the advisory does show that the vulnerability has already been publicly exploited. This increases the likelihood of additional exploitation against unpatched systems in the future.</p>

<h2>Urgently required actions</h2>

<p>Organizations and individual users are strongly encouraged to apply the available patches, or relevant workaround, provided by Microsoft from its advisory page <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2...

<h2>Identifying affected systems</h2>

<p>A list of Nessus plugins to identify this vulnerability will appear <a href="https://www.tenable.com/plugins/search?q=cves%3A(%22CVE-2018-8653%22)&sort=&page=1">here</a> as they’re released.</p>

<h2>Get more information</h2>

<ul><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2... Advisory for CVE-2018-8653</a></li></ul>

<p><b><i>Learn more about <a href="https://www.tenable.com/products">Tenable</a>, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a <a href="https://www.tenable.com/products/tenable-io/vulnerability-management/eva... 60-day trial</a> of Tenable.io Vulnerability Management. </i></b></p>

3 Tips for Identifying Your Organization’s Cyber Exposure Gaps


<p>In part two of our six-part blog series on improving your cybersecurity strategy, we discuss the need for a holistic approach and provide three tips to help you answer the question “where are we exposed?”</p>

<p>Piecemeal security efforts often result in overlapping alarms and gaping security holes. Taking a holistic approach to a security strategy is a far more successful way of covering the entirety of your company’s attack surface.</p>

<p>In <a href="https://www.tenable.com/blog/four-cybersecurity-questions-every-ciso-sho... 1</a> of our six-part series, we explained the four key questions that must be addressed for any security strategy to be truly holistic. The first of those questions is “where are we exposed?” It is the crucial question, and the most challenging to answer, as vulnerabilities are often hidden and hard to find.</p>

<h2>Finding where the danger lies</h2>

<p>Networks are continuously expanding in terms of numbers and types of internet-connected things and devices. The challenges in securing and monitoring the entire network are also growing at unprecedented speed. However, IoT devices are not the only hidden corners that provide opportunities for attackers. Cloud services and cloud environments, containers, industrial control devices, points of sale, HVAC, and anything not typically handled by the IT/SecOps teams contain significant openings for increasingly sophisticated threats to exploit.</p>

<p>According to our recent <a href="https://www.tenable.com/cyber-exposure/vulnerability-intelligence">Vulne... Intelligence Report</a>, published vulnerabilities grew by 53% in 2017 over the year before, from 9,837 in 2016 to 15,038. Fortunately, only 7% of them had publicly available exploits, and less than 1% pose a significant threat. Knowing where to focus efforts and resources generally delivers better outcomes than trying to blanket all vulnerabilities with equal vigor.</p>

<p>With 2018 on track to close with 18,000-19,000 new vulnerabilities, the smart action to take is to find your total attack surface, so you can identify the individual risks your organization faces. Mapping and finding your cyber exposure gaps is a much bigger challenge than many realize. It requires a deep understanding of the precise nature of the risk for each vulnerability. Having the right tools to make such detailed assessments is essential.</p>

<p>Conversely, simply knowing everything is vulnerable can be overwhelming when there is no clear way to stem the tide. That can lead to desperate measures and false assumptions.</p>

<p>However, getting and maintaining a handle on where the highest risks are is necessary to protecting your company’s brand and assets. It’s also vital to mitigating liability. Ultimately, liability rests with your company: even when a third-party cloud provider says you’re not liable, the judge will invariably say that you are.</p>

<h2>Three tips for understanding the full attack surface</h2>

<p>We have three tips to help you answer the question “where are we exposed” in your own organization:</p>

<ol><li><b>Check all devices and services not typically handled by IT/SecOps teams</b>. This includes BYOD (bring your own device) and BYOC (bring your own cloud). It also includes any device connected to the internet, such as printers, smart environmental control systems, industrial control devices, breakroom televisions and aquarium control systems.</li>
<li><b>Trust but verify</b>. Ask all providers, including cloud services, for the results of third-party tests and other proof of the security they offer. Then verify those findings. Also, deliberately look for the security holes you can find and layer security measures to address them.</li>
<li><b>Map your total exposures and update regularly</b>. Odds are that your total exposure map will be expansive, especially if your organization is large. Use visualizations to make this data more easily understandable. Only by knowing exactly where your exposures are can you begin to mitigate your total risks.</li></ol>

<p>In part one of our six-part blog series on improving your cybersecurity strategy, we explored <a href="https://www.tenable.com/blog/four-cybersecurity-questions-every-ciso-sho... Cybersecurity Questions Every CISO Should Be Ready to Answer</a>. In part three we’ll explore in more detail how to prepare your organization to answer the question “What should we prioritize?”</p>

<h2>Learn more:</h2>
<ul><li>Read the blog <a href="https://www.tenable.com/blog/four-cybersecurity-questions-every-ciso-sho... Cybersecurity Questions Every CISO Should Be Ready to Answer</a></li>
<li>Download the <a href="https://www.tenable.com/cyber-exposure/vulnerability-intelligence">Vulne... Intelligence Report</a> from Tenable Research</li>
<li>Read the eBook <a href="https://www.tenable.com/whitepapers/how-to-prioritize-cybersecurity-risk... to Prioritize Cybersecurity Risk: A Primer for CISOs</a></li></ul>

Top 5 Cybersecurity Priorities for 2019: Ponemon Study


<p>We asked 2,410 IT and cybersecurity decision-makers in six countries to identify their top cybersecurity and governance priorities for the New Year. Here’s what we learned.</p>

<p>What are your top cybersecurity concerns for 2019? Tenable commissioned Ponemon Institute to conduct a survey of 2,410 IT and cybersecurity professionals in six countries to find out.</p>

<p>The results are included in our December 2018 report, <a href="https://www.tenable.com/cyber-exposure/ponemon-cyber-risk-report">Measuring & Managing the Cyber Risks to Business Operations</a>. The report is based on a survey fielded in fall 2018 to respondents in the United States, United Kingdom, Germany, Australia, Mexico and Japan. Respondents identified the five threats they’re most concerned about, and shared their cybersecurity and governance priorities for the year ahead.</p>

<h2>5 Top Cybersecurity Threats in 2019</h2>

<p>When we asked respondents to identify the threats they’re most worried about in the new year, their highest-rated cybersecurity concerns were third-party risks, data breaches and attacks on Internet of Things (IoT) or Operational Technology (OT) assets.</p>

<h4>Top 5 threats organizations are most worried about in 2019</h4>
<table><tbody>
<tr>
<td><b>Threat</b></td>
<td><b>Percent respondents</b></td>
</tr>
<tr>
<td>1. Third-party misuses or shares our confidential data</td>
<td>64%</td>
</tr>
<tr>
<td>2. An attack involving IoT or OT assets</td>
<td>56%</td>
</tr>
<tr>
<td>3. A significant disruption to business processes caused by malware</td>
<td>54%</td>
</tr>
<tr>
<td>4. A data breach involving 10,000 or more customer or employee records</td>
<td>52%</td>
</tr>
<tr>
<td>5. An attack against the company’s OT infrastructure resulting in downtime to plant and/or operational equipment</td>
<td>48%</td>
</tr>
</tbody>
</table>
<p><i>Source: Measuring & Managing the Cyber Risks to Business Operations, Ponemon Institute & Tenable, December 2018.</i></p>

<p>In this survey, past experience does not appear to be the driving factor for future worries. For example, although 56% of respondents said they are worried about the prospect of an attack involving IoT or OT assets in 2019, less than a quarter of respondents (23%) said they have experienced such an attack in the past 24 months. </p>

<h4>Top 5 attacks experienced in the past 24 months</h4>
<table><tbody>
<tr>
<td><b>Attack</b></td>
<td><b>Percent respondents</b></td>
</tr>
<tr>
<td>1. A careless employee fell for a phishing scam that resulted in credential theft</td>
<td>67%</td>
</tr>
<tr>
<td>2. A significant disruption to business processes caused by malware</td>
<td>48%</td>
</tr>
<tr>
<td>3. A third party misused or shared confidential information with other third parties</td>
<td>41%</td>
</tr>
<tr>
<td>4. A cyber attack that caused significant downtime</td>
<td>35%</td>
</tr>
<tr>
<td>5. A data breach involving 10,000 or more customer or employee records</td>
<td>41%</td>
</tr>
</tbody>
</table>
<p><i>Source: Measuring & Managing the Cyber Risks to Business Operations, Ponemon Institute & Tenable, December 2018.</i></p>

<p>Despite their experiences and concerns, the majority of respondents (59%) said their organization does not attempt to quantify the damage any of these events could have on their business. </p>

<h2>2019 Cybersecurity and Governance Priorities</h2>

<p>In our view, the activities involved in keeping corporate data safe and secure span multiple parts of an organization, including not only the IT and infosec teams but also the governance, risk, and compliance team. For that reason, we asked respondents to identify their cybersecurity priorities as well as their governance priorities.</p>

<p>When it comes to cybersecurity, keeping ahead of attackers and reducing complexity in the IT security infrastructure were the top two priorities for 2019. Nearly two thirds of respondents (61%) identified improving the ability to keep up with the sophistication and stealth of the attackers as a top priority. Six in 10 (60%) cited reducing complexity as important for their organization in the year ahead.</p>

<h4>Top 5 cybersecurity priorities for 2019</h4>
<table><tbody>
<tr>
<td><b>Cybersecurity priority</b></td>
<td><b>Percent respondents</b></td>
</tr>
<tr>
<td>1. Improve our ability to keep up with the sophistication and stealth of the attackers</td>
<td>61% </td>
</tr>
<tr>
<td>2. Reduce complexity in our IT security infrastructure</td>
<td>60%</td>
</tr>
<tr>
<td>3. Improve protection of sensitive and confidential data from unauthorized access</td>
<td>46%</td>
</tr>
<tr>
<td>4. Improve controls over third-party access to our sensitive and confidential data</td>
<td>42%</td>
</tr>
<tr>
<td>5. Reduce the risk of attack to the OT infrastructure</td>
<td>40%</td>
</tr>
</tbody>
</table>
<p><i>Source: Measuring & Managing the Cyber Risks to Business Operations, Ponemon Institute & Tenable, December 2018.</i></p>

<p>When it comes to governance, reducing third-party risk is the top priority for 2019. Some two thirds of respondents (67%) said they will focus on ensuring that third parties have appropriate security practices to protect sensitive and confidential data.</p>

<h4>Top 5 governance priorities for 2019</h4>
<table><tbody>
<tr>
<td><b>Governance priority</b></td>
<td><b>Percent respondents</b></td>
</tr>
<tr>
<td>1. Ensure third parties have appropriate security practices to protect sensitive and confidential data</td>
<td>67%</td>
</tr>
<tr>
<td>2. Increase communication with C-level and board of directors about the cyber threats facing our organization</td>
<td>64%</td>
</tr>
<tr>
<td>3. Increase staff training to prevent careless behavior such as falling for a phishing scam or sharing passwords</td>
<td>53%</td>
</tr>
<tr>
<td>4. Increase the number of full-time employees in our IT security function</td>
<td>48%</td>
</tr>
<tr>
<td>5. Allocate more resources to vulnerability management</td>
<td>47%</td>
</tr>
</tbody>
</table>
<p><i>Source: Measuring & Managing the Cyber Risks to Business Operations, Ponemon Institute & Tenable, December 2018.</i></p>

<p>In addition to identifying top cybersecurity priorities, the report also explores <a href="https://www.tenable.com/blog/uncovering-the-business-costs-of-cyber-risk... business cost of cyber risk</a>. We discovered most organizations are not accurately measuring the business costs of cyber risk, and are unable to quantify the damage cyber attacks could have on their businesses. Thus, decisions about the allocation of resources, investments in technologies and the prioritization of threats are being made without critical intelligence. Moreover, organizations are unable to correlate the cyber risk KPIs they are using to the mitigation of a data breach or security exploit.</p>

<h2>About this study</h2>
<p>The report Measuring & Managing the Cyber Risks to Business Operations is based on a survey of 2,410 IT and IT security decision-makers in the United States, United Kingdom, Germany, Australia, Mexico and Japan. All respondents have involvement in the evaluation and/or management of investments in cybersecurity solutions within their organizations. The consolidated global findings are presented in this report. Download your free copy <a href="https://www.tenable.com/cyber-exposure/ponemon-cyber-risk-report">here</...


Adobe Releases Out-of-Band Security Bulletin for Adobe Acrobat and Reader (APSB19-02)


<p>Adobe issued an out-of-band security bulletin which addresses two critical vulnerabilities (CVE-2018-16011, CVE-2018-16018) in Adobe Acrobat and Reader.</p>

<h2>Background</h2>
<p>On January 3, Adobe released <a href="https://helpx.adobe.com/security/products/acrobat/apsb19-02.html">a security bulletin</a> to address two critical vulnerabilities in Adobe Acrobat and Reader for both Windows and macOS. Adobe published a prenotification for this bulletin on December 27 to give users advance warning.</p>

<h2>Vulnerability details</h2>
<p>The security bulletin addresses two critical vulnerabilities. The first, CVE-2018-16011, is a <a href="https://cwe.mitre.org/data/definitions/416.html">use after free</a> vulnerability that could lead to arbitrary code execution. CVE-2018-16018 is a security bypass vulnerability that could allow an attacker to elevate privileges. An attacker could create and deliver a specially crafted PDF file to a vulnerable target in order to exploit these vulnerabilities. Adobe hasn’t provided any additional details about these vulnerabilities, including whether or not they have been observed in attacks in the wild.</p>

<p>Tenable’s Security Response Team observed that both of the CVEs listed in APSB19-02 were initially included as part of <a href="https://helpx.adobe.com/security/products/acrobat/apsb18-41.html">APSB18..., Adobe’s monthly security bulletin from December 2018. However, both CVEs were removed on or before December 20, according to the last revision date in the bulletin. Additionally, Adobe revised APSB19-02 to include CVE-2018-16018 in place of the previously listed CVE-2018-19725.</p>

<h2>Urgently required actions</h2>
<p>Adobe has <a href="https://helpx.adobe.com/security/products/acrobat/apsb19-02.html#Solutio... updated versions</a> of Adobe Acrobat DC, Adobe Acrobat Reader DC, Acrobat 2017 and Acrobat Reader DC 2017 that address these vulnerabilities. End users and IT administrators are encouraged to upgrade to these patched versions as soon as possible.</p>

<h2>Identifying affected systems</h2>
<p>Tenable’s plugins for APSB18-41 will be updated to reflect Adobe’s revised bulletin. Once updated, the following list of Nessus plugins to identify these specific vulnerabilities will appear <a href="https://www.tenable.com/plugins/search?q=cves%3A(%22CVE-2018-16011%22%20AND%20%20%22CVE-2018-16018%22)&sort=&page=1">here</a> as they’re released.</p>

<h2>Get more information</h2>
<ul><li><a href="https://helpx.adobe.com/security/products/acrobat/apsb19-02.html#Solutio... Bulletin for Adobe Acrobat and Reader | APSB19-02</a></li>
<li><a href="https://helpx.adobe.com/security/products/acrobat/apsb18-41.html">Security Bulletin for Adobe Acrobat and Reader | APSB18-41</a></li></ul>

<p><b><i>Learn more about <a href="https://www.tenable.com/products">Tenable</a>, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a <a href="https://www.tenable.com/products/tenable-io/vulnerability-management/eva... 60-day trial</a> of Tenable.io Vulnerability Management. </i></b></p>

Critical Vulnerability Fixes Available For Juniper Devices


Juniper has addressed multiple critical vulnerabilities in Junos, Junos Space, and JATP devices. Administrators are advised to update to the latest OS version on any affected Juniper device.

Background

Juniper has released a number of security advisories this week which include critical vulnerabilities across many of its devices. The Juniper Advanced Threat Prevention Appliance (JATP) update removes hardcoded admin credentials, while the Junos updates include patches for remote code execution (RCE) and denial of service (DoS) vulnerabilities. Junos Space network management devices are also vulnerable to a memory allocation vulnerability which could lead to DoS and RCE attacks as well.

Analysis

JSA10918 addresses 13 vulnerabilities, including CVE-2017-11610, CVE-2018-0020, and CVE-2019-0022 for Juniper’s ATP, a malware defense appliance designed to detect and prevent malicious activity on a network. An attacker could gain access to this device with hardcoded administrator credentials and disable a core defense against malware.


Among the many Junos updates, CVE-2017-7375 and CVE-2016-4448, addressed in JSA10916, could allow a remote unauthenticated attacker to send specially crafted Extensible Markup Language (XML) packets that lead to privilege escalation or format string manipulation. A format string vulnerability arises when the device interprets user-supplied input as a format string instead of treating it as plain text, which can let an attacker execute commands on the device.

JSA10917 for Junos Space addresses CVE-2018-1126, which relates to similar Junos vulnerabilities mentioned above. Attackers could take control of network management devices such as a Junos Space Appliance and redirect traffic to malicious sources, further infecting more vulnerable assets.


Solution

Juniper recommends updating to the latest OS version of any of the affected devices or appliances you may have. Manual updates and appliance images can be found on Juniper’s download site here.

Identifying affected systems

A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Tenable Bolsters Government Affairs Team with New Hire


Jamie Brown joins Tenable as Director of Global Government Affairs. In this newly created role, Jamie will work with government officials worldwide to promote effective cybersecurity policies, which enhance security while enabling continued digital transformation and innovation.

Just last year, the Council of Economic Advisers reported that “malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.” With a record number of new faces sworn into key offices on Capitol Hill last week, it’s clear cybersecurity remains at the forefront for members on both sides of the aisle. New and returning members of Congress continue to develop policies to help secure IT networks, promote good cyber hygiene and protect constituent data in 2019.

Tenable’s Government Affairs team advocates for cybersecurity solutions, programs, and policies that promote best practices and enable organizations to protect their networks against ongoing cyber threats. In 2018, our Government Affairs team worked with the Cybersecurity Coalition to successfully add language to the United States-Mexico-Canada Agreement, or USMCA, that encourages the countries to collaborate in tackling cybersecurity challenges; promoted best practices for cyber hygiene and assessing cyber vulnerabilities with government officials; and highlighted the need for additional cybersecurity funding for federal, state, and local governments. As we continue our momentum in 2019, I’m thrilled today to announce that Jamie Brown has joined Tenable’s government affairs team in the newly created role of Director of Global Government Affairs.


Jamie joins us from CA Technologies, where he was Director of Global Cybersecurity Policy and Strategy. While there, Jamie managed global cybersecurity issues and drove the company’s participation in technology trade associations, including the Software Assurance Forum for Excellence in Code (SAFECode) and the IT Sector Coordinating Council. He previously spent time on Capitol Hill as a Professional Staff Member on the House Science, Space and Technology Committee’s Subcommittee on Research and Technology.

At Tenable, Jamie will work with global government officials on promoting cybersecurity policies which help promote stronger security while enabling continued digital transformation and innovation. Tenable believes policies which recognize the critical importance of Cyber Exposure can help businesses and governments gain stronger visibility into their unique threat environments and enable them to pursue appropriate strategies to mitigate these risks.

Today’s cyber threat environment impacts a full range of businesses, governments and organizations. Effective cybersecurity requires a strong partnership between the private sector and policy makers. Tenable’s Public Affairs team looks forward to continuing our work with lawmakers and regulators on Capitol Hill and in state and local governments to help government and commercial entities understand the modern cyber attack surface, prioritize cybersecurity resources and close their respective cyber exposure gaps.

We are excited to continue bolstering our policy expertise on global, federal, state and local levels. Jamie is a welcome addition to the Tenable Global Government Affairs team that includes myself and Jill Shapiro.

Multiple Zero-Days in PremiSys IDenticard Access Control System


Tenable Research discovered multiple zero-day vulnerabilities in the PremiSys access control system developed by IDenticard. As of January 9, IDenticard has not released a patch for these vulnerabilities.

Background

Tenable Research has discovered four vulnerabilities in the PremiSys access control system from IDenticard. The PremiSys system can be used to manage door controls and access cards, collect detailed facility data and integrate with video monitoring systems.

According to Tenable’s disclosure timeline, multiple attempts were made to contact the vendor to address these vulnerabilities. The Computer Emergency Response Team (CERT) was notified of these vulnerabilities. As of January 9, the vendor hasn’t responded. The 90-day disclosure period ended on January 3, 2019.

Analysis

The following vulnerabilities have been confirmed in version 3.1.190 of PremiSys IDenticard. Tenable Research requested access to the latest version to verify the vulnerabilities but received no response.

CVE-2019-3906: Hardcoded Credentials (Admin Access to Service)

The service contains hardcoded credentials (CWE-798) that provide administrator access to the entire service via the PremiSys Windows Communication Foundation (WCF) Service endpoint.

Users are not permitted to change these credentials. The only mitigation appears to be to limit traffic to this endpoint, which may or may not have further impact on the availability of the application itself.

These credentials can be used by an attacker to dump contents of the badge system database, modify contents, or other various tasks with unfettered access.

CVE-2019-3907: Weak Hashing/Encryption

User credentials and other sensitive information are stored with a known-weak scheme: Base64-encoded MD5 hashes of the salt concatenated with the password.

CVE-2019-3908: Hardcoded Password

IDenticard backups are stored in the idbak format, which appears to be simply a password-protected zip file. The password to unzip the contents is hardcoded into the application ("ID3nt1card").

CVE-2019-3909: Default Database Credentials (Full Access to Service Databases)

The IDenticard service installs with a default database username and password of "PremisysUsr" / "ID3nt1card." There are also instructions for meeting longer password standards by using "ID3nt1cardID3nt1card." Users cannot change this password without sending custom passwords to the vendor directly in order to receive an encrypted variant to use in their configurations. These known credentials can be used by attackers to access the sensitive contents of the databases.
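Added example (not code from the advisory, from Tenable or from IDenticard): the weak storage scheme CVE-2019-3907 describes, Base64-encoded MD5 of salt + password, beside a PBKDF2-based scheme, with an audit function that flags stored values still in the weak form. The byte order and text encoding of the weak scheme, the PBKDF2 parameters, the storage string format and the sample credential table are all assumptions.

```python
"""
Credential-storage audit for the weak scheme described in CVE-2019-3907.

weak_store() reconstructs the advisory's outline, Base64(MD5(salt + password));
hardened_store()/verify_hardened() show PBKDF2-HMAC-SHA256 with a random salt
and a work factor; classify_stored_credential() and audit_weak_users() spot
values that still use the weak form so they can be re-hashed on next login.
"""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 600_000        # assumed work factor (OWASP floor for SHA-256)
PBKDF2_PREFIX = "pbkdf2_sha256"    # assumed on-disk tag for the hardened format


def weak_store(password: str, salt: str) -> str:
    """The scheme the advisory describes: Base64(MD5(salt + password)).

    Byte order and UTF-8 encoding are assumptions. One MD5 round with a salt
    stored next to the hash and no work factor: anyone holding the database
    can test guesses offline at hardware speed. Kept only so the audit can
    recognise the shape of such values.
    """
    digest = hashlib.md5((salt + password).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def hardened_store(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt and a real work factor."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "$".join((PBKDF2_PREFIX, str(PBKDF2_ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")))


def verify_hardened(stored: str, password: str) -> bool:
    """Constant-time check of a password against a hardened_store() value."""
    try:
        prefix, iters, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        iterations = int(iters)
    except (ValueError, binascii.Error):
        return False
    if prefix != PBKDF2_PREFIX:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def classify_stored_credential(value: str) -> str:
    """Label a stored credential by the scheme its shape reveals."""
    if value.startswith(PBKDF2_PREFIX + "$") and value.count("$") == 3:
        return "pbkdf2-sha256"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    # A bare Base64 string that decodes to exactly 16 bytes is MD5-sized.
    if len(raw) == hashlib.md5().digest_size:
        return "weak-md5-b64"
    return "unknown"


def audit_weak_users(store: Dict[str, str]) -> List[str]:
    """Return the account names whose stored credential uses the weak scheme."""
    return sorted(user for user, value in store.items()
                  if classify_stored_credential(value) == "weak-md5-b64")


# Constructed sample credential table; none of these values come from the advisory.
SAMPLE_STORE = {
    "svc_badge_reader": weak_store("Winter2018!", "svc_badge_reader"),
    "operator": hardened_store("correct horse battery staple"),
    "legacy_export": "bm90LWEtaGFzaA==",  # Base64 of 10 bytes, not an MD5 digest
}

if __name__ == "__main__":
    for user, value in SAMPLE_STORE.items():
        print(f"{user:18} {classify_stored_credential(value)}")
    print("needs re-hash:", audit_weak_users(SAMPLE_STORE))
```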

Solution

Because there is no vendor patch, affected users will have to attempt to mitigate these vulnerabilities. Systems like this should never be open to the internet and users should ensure proper network segmentation is in place to isolate this critical system.

Additional information

Visit the Tenable Tech Blog on Medium to read researcher Jimi Sebree’s in-depth story about his work uncovering these vulnerabilities.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Election Systems as Critical Infrastructure: Understanding Help America Vote Act Funding


In today's edition of Tenable's State and Local Government Video Blog Series, we discuss how to utilize grant funding to address the top cybersecurity concerns of state CISOs.

In 2017, the profile of elections security was substantially raised when the US Department of Homeland Security (DHS) added Election Infrastructure as a cyber-resiliency Critical Infrastructure Subsector under the Presidential Policy Directive/PPD 21 (2013). The addition allowed states to integrate elections security into their existing critical infrastructure resiliency plans and to apply resources accordingly. In fact, DHS was empowered to engage in cross-sector collaboration and resource sharing as a best practice.

In today’s video blog, Steve Smith, SLG Business Development Executive for Tenable, and Kent Dyer, Tenable SLG Sales Engineer and former state agency CISO, discuss how to protect critical infrastructure containing sensitive data, and how to leverage Help America Vote Act (HAVA) funding to protect state and local government computing environments.


Learn more

Download the whitepaper to learn more about how Tenable can help state and local government agencies address cybersecurity challenges as part of critical government infrastructure. 

Oracle’s January Critical Patch Update Addresses Nearly 300 Fixes


Oracle addresses nearly 300 vulnerabilities in the first Critical Patch Update of 2019.

Background

On January 15, Oracle released its Critical Patch Update, a quarterly publication of fixes for vulnerabilities. This month’s update contains nearly 300 fixes across a number of Oracle products.

Analysis

The Critical Patch Update for January 2019 addresses a variety of vulnerabilities. For instance, Oracle published 30 fixes for MySQL, including a fix for MySQL Workbench to address the libssh vulnerability (CVE-2018-10933). There are also several fixes for CVE-2017-5645, a deserialization vulnerability in Apache Log4j, as well as CVE-2016-1000031, the Apache Commons FileUpload Remote Code Execution vulnerability discovered by Tenable Research.

The following is the full list of products with vulnerabilities addressed in this month’s release:

  • Oracle Database Server
  • Oracle Communications Applications
  • Oracle Construction and Engineering Suite
  • Oracle E-Business Suite
  • Oracle Enterprise Manager Products Suite
  • Oracle Financial Services Applications
  • Oracle Food and Beverage Applications
  • Oracle Fusion Middleware
  • Oracle Health Sciences Applications
  • Oracle Hospitality Applications
  • Oracle Hyperion
  • Oracle Insurance Applications
  • Oracle Java SE
  • Oracle JD Edwards Products
  • Oracle MySQL
  • Oracle PeopleSoft Products
  • Oracle Retail Applications
  • Oracle Siebel CRM
  • Oracle Sun Systems Products Suite
  • Oracle Supply Chain Products Suite
  • Oracle Support Tools
  • Oracle Utilities Applications
  • Oracle Virtualization 

Solution

Customers are advised to apply all relevant patches provided by Oracle in this Critical Patch Update.

Identifying affected systems

A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Cyber Risk Management in Transition: Key Findings from ESG’s Cyber Risk Management Survey


A recent ESG report shows the traditional approach to cyber risk management isn’t working anymore, if in fact it ever did. Here, we share four highlights from the report and offer two steps to help improve your organization’s strategy.

To gain insight into how cyber risk management is changing to support organizational missions and initiatives, the Enterprise Strategy Group (ESG) surveyed 340 information security professionals in organizations with over 1,000 employees.

The results show the traditional approach to cyber risk management isn’t working anymore, if in fact it ever did. The vast majority of respondents (72%) state that cyber risk management is more difficult than it was two years ago. Only 5% say it’s significantly easier than it used to be. It’s clear a new way to deal with the flood of vulnerabilities is required.

Top 4 findings from ESG’s Cyber Risk Management Survey

Here are four highlights from the survey results:

  • This was never easy and it keeps getting worse. Cyber risk management is becoming increasingly important – as it tracks to a growing attack surface and an overwhelming number of vulnerabilities.
  • What we have here is a failure to communicate. Organizations are finding it difficult to align cyber risk management with business goals. What the C-suite needs and what security can provide are not in sync. There’s a real language barrier. Security must translate technical jargon into terms everyone can understand and utilize for their own decision processes.
  • It’s time for a change. All too often, vulnerability management is dependent upon antiquated processes and practices. Spreadsheets and intuition aren’t cutting it.
  • What you can’t see CAN hurt you. Clear visibility and knowledge across the entire attack surface is essential. But business pressures are causing organizations to have an ever-expanding attack surface as cloud technologies gain ground and operational technology (OT) devices are integrated with the IT infrastructure.


Why cyber risk management is getting harder – and what you can do about it

As for what’s making things more difficult, the challenges are coming from all sides. There’s a daunting combination of more vulnerabilities, greater business pressure and, last but not least, more advanced adversaries.

Here’s what ESG survey respondents say they are facing in their environments:

  • 43%: More workloads to public cloud infrastructure services
  • 42%: More software vulnerabilities
  • 42%: More advanced adversaries
  • 41%: More sensitive data
  • 30%: More exec-level analysis and reporting requirements

So, what can a beleaguered infosec professional do?

Step 1: Continuous visibility

Only 38% of ESG survey respondents continuously scan their environments. This results in blind spots and gives attackers a leg up on discovering your vulnerabilities. Instituting continuous visibility is your first line of defense.

Step 2: Prioritization of vulnerabilities

The volume of vulnerabilities is overwhelming for 70% of respondents. But only a small fraction of vulnerabilities are ever exploited. The key is finding the dangerous needles in your ever-growing haystack of vulnerabilities. And to do that you need insight into threat intelligence and a model that can help predict which of your vulnerabilities are most likely to be attacked. Prioritizing vulnerabilities based on a predictive model will improve your team’s ability to respond quickly and efficiently to the most critical threats to your business.

Learn more


Data Security is a Global Economic Imperative


It’s time for government and industry to define and follow a cybersecurity-first approach to protecting the precious data driving global commerce.

Data makes the world go round. It’s the grease keeping the machinery of modern global commerce moving quickly and efficiently. Without it, global supply chains would grind to a halt, stock markets would cease trading, and the simplest of consumer transactions would become untenable.

According to a 2017 McKinsey study, the volume of data flows, measured in terabits per second, has multiplied by a factor of 45 since 2005, to reach an estimated 400 terabits per second by the end of 2016. The McKinsey researchers find “the global flows of goods, services, finance, people, and data have raised world GDP by at least 10% in the past decade, adding US$8 trillion of GDP by 2015.”

An IDC White Paper, sponsored by Seagate, Data Age 2025: The Digitization of the World from Edge to Core (November 2018), defines three primary locations where digitization is happening and where digital content is created: the core (traditional and cloud datacenters), the edge (enterprise-hardened infrastructure like cell towers and branch offices), and the endpoints (PCs, smart phones, and IoT devices). The research firm calls the summation of all this data -- whether it is created, captured, or replicated -- “the Global Datasphere,” and predicts it will grow from 33 Zettabytes (ZB) in 2018 to 175 ZB by 2025.

You’d be hard-pressed to find any business or government leaders who would argue against the value of data in driving today’s global economy. When crucial data is rendered inaccessible -- as was the case in the 2017 ransomware attacks involving NotPetya and WannaCry -- the financial and human consequences are undeniable. This Wired article puts the total damages due to NotPetya at more than $10 billion, while WannaCry is estimated to have cost between $4 billion and $8 billion.

Yet, we continue to see organizations in the public and private sectors alike taking a cursory, and often misguided, approach to addressing the cybersecurity risks inherent in our digital supply chain. We see this manifesting in three key ways:

  1. Magical thinking. Organizations continue to invest in a vast array of tools in pursuit of a technical silver bullet, yet they continue getting hacked because they’re overlooking the basics of cyber hygiene. According to the 2018 Attacker’s Advantage report from Tenable Research, cybercriminals have a median seven-day window of opportunity during which they can exploit a vulnerability to attack their victims, potentially siphoning sensitive data, launching ransomware attacks and causing extensive financial damage before organizations even take the first step to determine their cyber exposure and whether they are at risk. In the case of some major headline hacks of recent years, attackers were lurking undetected in data systems for as long as two years. This tells us organizations are failing to do the most basic blocking and tackling.
  2. Asymmetrical responses. In most cases, a cyber attack -- whether by a nation-state or an individual hacker looking for financial gain -- is akin to a mouse chewing on a cable to bring down the electric grid. Sure, you can use heavy artillery to kill that mouse, but at what cost to your infrastructure? The most mature organizations use a highly strategic approach to assessing vulnerabilities. They conduct frequent vulnerability assessments with comprehensive asset coverage, as well as targeted, customized assessments for different asset groups and business units. In other words: they’re hunting the hacker mouse with sharpshooters not bombers. Yet, the 2018 Cyber Defender report from Tenable Research finds only 5% of organizations follow the most mature, “diligent” style of vulnerability assessment.
  3. Poor prioritization. Cybersecurity teams face an avalanche of alerts every day, yet current methods of assessment make it difficult to understand and, therefore, prioritize the CVEs which present the greatest business risk. The 2018 Vulnerability Intelligence report from Tenable Research reveals 15,038 new CVEs were published in 2017 in total, versus 9,837 in 2016, an increase of 53%. The count of 2018 CVEs is still underway and likely to continue for a few months. We estimate 2018 to be on track for just under 18,000 new CVEs, an increase of approximately 15% over the prior year. Almost two thirds (61%) of the CVEs enterprises are finding in their environments have a CVSSv2 severity of High (7.0-10.0). Yet, public exploits are available for only 7% of all CVEs. The reality is that, for most CVEs, a working exploit is never developed. Of those, an even smaller subset is actively weaponized and employed by threat actors. Finding and fixing the 7% is critical to improving an organization’s cyber exposure -- and still difficult to accomplish.

The 2018 Global Business Risks report from the World Economic Forum ranks cyber attacks as the No. 3 global risk in terms of likelihood, behind extreme weather events and natural disasters. However, cyber is still under-resourced in comparison to the potential scale of the threat. Indeed, the 2018 Cyber Risk Report, conducted by Ponemon Research on behalf of Tenable, reveals that 58% of more than 2,400 survey respondents lack adequate staffing to scan vulnerabilities in a timely manner. More than half (51%) say their cybersecurity teams are further hindered by a reliance on manual processes.

A recent Harvard Business Review article notes: “As the digital economy continues to develop, cybersecurity will play a critical role in international trade. Instead of considering security only a regulation issue, governments need to consider ways to avoid unnecessary confrontations, and organizations should become proactively involved to address concerns and influence policy to improve outcomes for everyone.” Along these lines, Tenable joined with other industry partners to advocate for more effective cybersecurity language in the recently announced US-Mexico-Canada trade agreement, which updates the NAFTA agreement. This language recognizes the critical importance of cybersecurity in enabling modern international trade and inhibits signatories from using cybersecurity policy to unfairly restrict trade.

We believe an even stronger approach is needed, one which starts at the board level and incorporates the business discipline of Cyber Exposure across all organizational activities. It’s time for government and industry to define a cybersecurity-first approach to protecting the precious data driving global commerce. We believe this approach requires organizational leaders to commit to a strategy that ranks cybersecurity as a top economic risk, alongside natural and manmade disasters. As stated in the World Economic Forum’s December 2018 report, Our Shared Digital Future: “Even beyond the economic implications (e.g. on intellectual property or financial stability), better security is necessary in order to protect the integrity of a wide range of societal values, such as basic rights, privacy and democratic processes.” We couldn’t agree more.

I’ll be discussing these and other cybersecurity concerns with global leaders from the public and private sectors on January 22 during the Cyber Future Dialogue 2019 conference in Davos, Switzerland. I’m looking forward to sharing insights and highlights from the event with you here and on social media.

Learn more:

WEF Report Offers Global Context for Understanding the Importance of Cyber Risk


The World Economic Forum’s Global Risks Report 2019 ranks data fraud/theft and cyber attack as two of the top five global risks in terms of likelihood. The big question now is how will organizations respond?

Reading the World Economic Forum’s annual Global Risks Report is not an exercise for the faint of heart. Now in its 14th edition, the report catalogs a litany of existential threats, such as extreme weather events and natural disasters, which would cause significant disruptions to global economies.

This year, the top five risks in terms of likelihood are: extreme weather events; failure of climate-change mitigation and adaptation; natural disasters; data fraud or theft; and cyber attack.

Yes, you read that correctly. Data fraud/theft and cyber attacks are two of the likeliest top five global risks. In fact, this is the third year in a row data fraud/theft makes it into the top five, and the second year cyber attack makes the list.

The WEF Global Risks Report 2019, created in partnership with Marsh & McLennan Companies and The Zurich Group, is based on the results of the Global Risks Perceptions Survey, which is completed by 1,000 members of the WEF community -- made up of leaders in government, private sector and academia -- along with input from the organization’s network of experts around the world.

Cybersecurity also made its way to the top 10 global risks in terms of impact. Cyber attacks and the breakdown of critical information infrastructure and networks were ranked seventh and eighth for the potential damage they could cause. This indicates survey respondents not only understand the sheer frequency of cyber attacks, they also appreciate the risk these incidents pose to our digital economy and our very way of life. These rankings reflect the global impact on our collective psyche of incidents such as WannaCry, Equifax and hundreds of other successful cyber attacks.

In fact, cyber space itself is listed among what the report calls “global commons” which need extra protection, alongside climate change, outer space, and the polar regions.

If, after reviewing all this, you’re still able to sleep at night, the report features a fun section called "Future Shocks," which considers the long term effects of things like quantum computing, weather manipulation tools, and food supply disruption. The section on quantum computing includes this comforting observation: "When the huge resources being devoted to quantum research lead to large-scale quantum computing, many of the tools that form the basis of current digital cryptography will be rendered obsolete."

While much of this won’t come as a surprise to cybersecurity professionals, it’s worth considering the significance of our quotidian work in this broader global context. When we’re caught up in the day-to-day churn of our jobs, it’s easy to lose sight of how important cybersecurity really is to the global economy. This kind of context is also helpful to keep in mind when trying to communicate the value of your work to others in your organization.

The big question is how will organizations respond? Acceptance of the problems we face is the first step. The next step must be action.

We must hold global leaders and executives accountable for managing cyber risk responsibly. We, as a society, must demand it. As customers, we deserve it. We must shift our thinking away from whom can we blame — from nation-states to 15-year-old hackers in their parents’ basement — to how we stop them. We must collectively come to terms with the reality of a digital economy.

Everything is connected, which means every aspect of today’s business opens us up to a potential attack. We must develop security strategies to address the new risks created by digital transformation. Failure to do so will lead to a watershed moment that might have irreparable consequences.

I’ll be discussing these and other cybersecurity concerns with global leaders from the public and private sectors on January 22 during the Cyber Future Dialogue 2019 conference in Davos, Switzerland. I’m looking forward to sharing insights and highlights from the event with you here and on social media.

Learn more:

Proof-of-Concept Code gives standard Microsoft Exchange users Domain Administrator Privileges


Publicly released and newly named “PrivExchange” proof-of-concept (POC) privilege escalation code exploits protocol flaws and default configurations to give standard Exchange users Domain Administrator access.

Background

Previously documented protocol weaknesses and vulnerabilities in fully patched Microsoft Exchange are now in the spotlight due to publicly released POC code. According to security researcher Dirk-Jan Mollema, this vulnerability: “Probably affects the majority of orgs using AD and Exchange.”

The POC code submitted to GitHub allows a standard Exchange user to gain Domain Administrator access to a fully patched Microsoft Exchange 2016 server and dump domain credentials from the Domain Controller.

Vulnerability Details

This issue is not a single vulnerability, but rather a collection of previously disclosed protocol weaknesses affecting NT LAN Manager (NTLM) authentication and Exchange Server vulnerabilities. Per the researcher’s blog:

  • Exchange Servers have (too) high privileges by default
  • NTLM authentication is vulnerable to relay attacks
  • Exchange has a feature which makes it authenticate to an attacker with the computer account of the Exchange server

Mollema also included a script that reportedly allows for unauthenticated attacks where one could relay the authentication of a user in the same network segment to Exchange Web Services (EWS) and use their credentials to perform the exploit.

Urgently required actions

This issue reportedly affects fully patched Microsoft Exchange servers; however, the security researcher lists the following mitigations, including one recommended by Microsoft:

  • Remove the unnecessary high privileges that Exchange has on the Domain object (references included below).
  • Enable Lightweight Directory Access Protocol (LDAP) signing and enable LDAP channel binding to prevent relaying to LDAP and LDAPS respectively.
  • Block Exchange servers from making connections to workstations on arbitrary ports.
  • Enable Extended Protection for Authentication on the Exchange endpoints in IIS (but not the Exchange Back End ones; doing so will break Exchange). This verifies the channel binding parameters in the NTLM authentication, which ties NTLM authentication to a TLS connection and prevents relaying to Exchange web services.
  • Remove the registry key which makes relaying back to the Exchange server possible, as discussed in Microsoft’s mitigation for CVE-2018-8518. (Tenable provides coverage for this mitigation.)
  • Enforce SMB signing on Exchange servers (and preferably all other servers and workstations in the domain) to prevent cross-protocol relay attacks to SMB.
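As an added example (not code from Tenable’s post, Microsoft’s guidance or the researcher), the following read-only PowerShell audit reports whether the registry- and IIS-backed mitigations in the list above are actually in place on a host. It assumes the IIS site is named “Default Web Site” and that the front-end virtual directories are the ones in `$VirtualDirectories`; the registry locations are the standard Windows settings for LDAP signing, LDAP channel binding, SMB signing and the loopback check.

```powershell
# Added audit (not from Tenable, Microsoft or the researcher): read-only checks for
# the mitigations listed above. Run elevated. LDAP checks matter on Domain
# Controllers; the loopback, SMB and EPA checks on the Exchange server itself.
# ASSUMPTIONS: the site is named "Default Web Site" and the front-end virtual
# directories are those in $VirtualDirectories below; adjust for your deployment.

function Test-RegistryMitigation {
    param(
        [string]$Check, [string]$Path, [string]$Name,
        [int[]]$Expected,       # values that count as mitigated
        [switch]$PassIfAbsent,  # for a value whose *removal* is the mitigation
        [string]$Advice
    )
    $item   = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { [int]$item.$Name } else { $null }
    $ok     = if ($null -eq $actual) { $PassIfAbsent.IsPresent } else { $Expected -contains $actual }
    [pscustomobject]@{
        Check  = $Check
        Actual = if ($null -eq $actual) { '<not set>' } else { $actual }
        Status = if ($ok) { 'Pass' } else { 'Fail' }
        Advice = $Advice
    }
}

function Test-ExchangeFrontEndEpa {
    param([string[]]$VirtualDirectories = @('EWS', 'Autodiscover', 'MAPI', 'OAB', 'OWA', 'ECP'))
    Import-Module WebAdministration -ErrorAction Stop
    $filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    foreach ($vdir in $VirtualDirectories) {
        $raw = Get-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\$vdir" `
            -Filter $filter -Name tokenChecking -ErrorAction SilentlyContinue
        # The attribute may come back bare or wrapped in an object with .Value
        $actual = if ($null -ne $raw.Value) { "$($raw.Value)" } elseif ($null -ne $raw) { "$raw" } else { '<not set>' }
        [pscustomobject]@{
            Check  = "EPA tokenChecking on Default Web Site/$vdir"
            Actual = $actual
            Status = if ($actual -eq 'Require') { 'Pass' } else { 'Fail' }
            Advice = 'Set Extended Protection to Require; relayed NTLM then lacks the TLS channel binding'
        }
    }
}

function Get-PrivExchangeMitigationReport {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $smbS = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smbC = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    Test-RegistryMitigation -Check 'LDAP signing required (DC)' -Path $ntds -Name LDAPServerIntegrity `
        -Expected 2 -Advice 'LDAPServerIntegrity=2 (Require signing) blocks relay to LDAP'
    Test-RegistryMitigation -Check 'LDAP channel binding (DC)' -Path $ntds -Name LdapEnforceChannelBinding `
        -Expected 2 -Advice 'LdapEnforceChannelBinding=2 (Always) blocks relay to LDAPS'
    Test-RegistryMitigation -Check 'SMB signing required (server)' -Path $smbS -Name RequireSecuritySignature `
        -Expected 1 -Advice 'Require SMB signing to block cross-protocol relay to SMB'
    Test-RegistryMitigation -Check 'SMB signing required (client)' -Path $smbC -Name RequireSecuritySignature `
        -Expected 1 -Advice 'Require SMB signing on the client side as well'
    Test-RegistryMitigation -Check 'Loopback check enabled (Exchange)' -Path $lsa -Name DisableLoopbackCheck `
        -Expected 0 -PassIfAbsent -Advice 'Remove DisableLoopbackCheck so NTLM cannot be relayed back to Exchange'
    Test-ExchangeFrontEndEpa
}

Get-PrivExchangeMitigationReport | Format-Table Check, Actual, Status -AutoSize
```

A `Fail` row only reports the current setting; apply the corresponding change through your normal change-control process, since LDAP signing and SMB signing requirements can break legacy clients that do not support them.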

Identifying affected systems

A list of Nessus plugins to identify this vulnerability can be found here.

Tenable also provides the mitigation-specific configuration audit checks below for Server Message Block (SMB) signing and NTLM v2 at https://www.tenable.com/downloads/audit using these audit files:

  • CIS_DC_SERVER_2012_Level_1_v2.0.1.audit
  • CIS_DC_SERVER_2012_R2_Level_1_v2.3.0.audit
  • CIS_DC_SERVER_2016_Level_1_v1.0.0.audit
  • CIS_MS_2008_Server_Enterprise_v1.2.0.audit
  • CIS_MS_2008_Server_SSLF_v1.2.0.audit
  • CIS_MS_SERVER_2012_Level_1_v2.0.1.audit
  • CIS_MS_SERVER_2012_R2_Level_1_v2.3.0.audit
  • CIS_MS_SERVER_2016_Level_1_v1.0.0.audit
  • CIS_MS_Windows_10_Enterprise_Level_1_Bitlocker_v1.3.0.audit
  • CIS_MS_Windows_10_Enterprise_Level_1_v1.3.0.audit
  • CIS_MS_Windows_Server_2008_DC_Level_1_v3.0.1.audit
  • CIS_MS_Windows_Server_2008_MS_Level_1_v3.0.1.audit
  • CIS_MS_Windows_Server_2008_R2_DC_Level_1_v3.1.0.audit
  • CIS_MS_Windows_Server_2008_R2_MS_Level_1_v3.1.0.audit
  • DISA_STIG_Server_2008_DC_v6r40.audit
  • DISA_STIG_Server_2008_MS_v6r40.audit
  • DISA_STIG_Server_2012_and_2012_R2_DC_v2r12.audit
  • DISA_STIG_Server_2012_and_2012_R2_MS_v2r12.audit
  • DISA_STIG_Windows_10_v1r13.audit
  • DISA_STIG_Windows_Server_2016_v1r4.audit

Get more information

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Apple iOS 12.1.3 Security Updates Address Multiple Vulnerabilities


Apple has released iOS 12.1.3 to fix 31 CVEs, including a FaceTime remote code execution vulnerability.

Background

On January 22, Apple released iOS 12.1.3, which includes fixes for 31 different CVEs across multiple apps and services. This update also includes fixes for CVE-2019-6227 and CVE-2019-6225, which security researcher Qixun Zhao of Qihoo 360 Vulcan Team reportedly used in a code execution attack through FaceTime. The attack requires a user to tap on a malicious link, which could be achieved through social engineering.

Analysis

An attacker could craft a malicious FaceTime link that, when clicked, exploits a kernel bug in iOS allowing the attacker to jailbreak the targeted iOS device. The attacker can then make use of the jailbroken device to remotely take control as a root user.

Social engineering attacks increased in 2018, and with smartphones playing a major part in business, device security is paramount to organizational security. If employees in your organization connect to the corporate network over Wi-Fi, or charge personal devices from the USB ports of their work devices, we recommend encouraging them to be as diligent about personal device updates as the CISO is about corporate assets.

Proof of concept

Qihoo 360 created a proof of concept (PoC) video demonstrating the attack.

Solution

Upgrade iOS devices to version 12.1.3.

Identifying affected systems

Tenable Mobile Device Management (MDM) integration can identify mobile devices that are missing vendor updates. A list of our MDM plugins for this update can be found here as they’re released.

Get more information

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Multiple Vulnerabilities Found in LabKey Server Community Edition


Tenable Research has discovered multiple vulnerabilities, including cross site scripting, open redirects and drive mapping, in LabKey Server Community Edition 18.2-60106.64. LabKey has released patches.

Background

LabKey Server, an open source medical data collaboration tool, is vulnerable to multiple cross site scripting (XSS) attacks. The flaws allow a remote unauthenticated attacker to run arbitrary code through their browser, create open redirects to push users to malicious URLs, and map malicious network drives after gaining administrative access.

Analysis

CVE-2019-3911: Cross Site Scripting vulnerabilities

Query parameters are not validated or sanitized properly. Because the parameter is reflected in the output to the user and interpreted by the browser, a cross site scripting attack becomes possible. This allows an attacker to run arbitrary code within the context of the user’s browser. The XSS attacks are possible either authenticated or unauthenticated due to extra “__r#” paths that are available in a default installation.

CVE-2019-3912: Open Redirects

The returnUrl handling is also unsanitized in a way that allows certain return paths to be edited. An attacker may utilize these to redirect users to a location controlled by the attacker.

CVE-2019-3913: Logic Flaw in Network Drive Mapping Functionality

When mapping a network drive from the command line, a lack of sanitization in the mount() function would allow an attacker to mount their own malicious drives to the server. Note that admin access to the web interface is required for this vulnerability.

Solution

LabKey Server version 18.3.0-61806.763, released on January 16, fixes all of these issues.

Additional information

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
