
Building Resilient IT Systems: Why Federal and Enterprise Leaders Should Consider NSTAC Recommendations


As remote work expands the enterprise attack surface, a federal advisory committee highlights the key challenges in securing critical IT infrastructure and building more resilient organizations.

On October 6, the President’s National Security Telecommunications Advisory Committee (NSTAC) voted to approve a letter to the President recommending ways to strengthen the resiliency of our nation’s information and communications technology (ICT) infrastructure as the U.S. government continues to consider the effects of the COVID-19 pandemic.

The country pivoted to remote work almost overnight – and with it, the attack landscape changed, too. The rapid transition to remote work left employees connecting to enterprise networks from personal and potentially unsecured and unmanaged environments, which also host any number of personal devices and applications. The blended and expanded enterprise attack landscape poses ongoing challenges to security teams in keeping critical infrastructure and data secure.

The letter recommends that the federal government, and in particular the Executive Office of the President (EOP) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), “should communicate and reinforce the responsibilities of enterprise leaders to ensure their employee home-points and—by extension—enterprise networks, systems, and cloud-based services, are secure, thereby upholding the national security imperative and delivering broad economic benefits."

This is spot-on – ensuring that organizations understand these threats is the first step towards mitigating them, and CISA and the federal government should take this recommendation seriously. As we know, attackers go where the money is and where they expect to have the most success.

As remote work continues, organizations and governments must take these threats seriously and work to adapt their security programs accordingly. This trend isn’t going away once a vaccine hits – remote work is likely here to stay, and enterprise leaders have significant responsibility in securing their own networks and information.

And it does not have to be complicated. Earlier this year, Tenable CSO Bob Huber laid out several important ways to secure a work-from-home organization’s network. The basics include securing cloud-based applications, adding IT systems management platforms to company laptops and running local vulnerability detection agents on those laptops so they are assessed even when they never touch the corporate network. These are simple steps that go a long way toward securing enterprise networks in the work-from-home environment.

CISA has also developed important telework guidance to help enterprises and organizations improve their security posture, with a strong focus on cyber hygiene practices. As the letter points out, CISA and the entire federal government must continue publicly communicating these recommendations across the public and private sectors.

NSTAC has listed several areas for improvement that should be taken to heart, but critically important is the fact that the attack landscape is changing. It is expanding more rapidly than ever before and should serve as an important reminder that enterprises must continue to adapt their risk management practices to account for these changes.

Cyber hygiene is at the heart of what we do at Tenable because we know it is effective. Patching vulnerabilities and keeping systems updated are basic, preventive steps that can dramatically decrease the frequency of successful attacks, like what we have continued to see throughout the pandemic. These are simple steps, but they have to happen, and it’s on enterprise leaders to ensure they do. We must stay on top of the threat landscape to keep the nation’s cyber exposure in check. 

Learn more:


CVE-2020-1472: Advanced Persistent Threat Actors Use Zerologon Vulnerability In Exploit Chain with Unpatched Vulnerabilities


U.S. Government agencies issue joint cybersecurity advisory cautioning that advanced threat groups are chaining vulnerabilities together to gain entry into government networks and elevate privileges.

Background

On October 9, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint cybersecurity advisory. The advisory, identified as Alert AA20-283A, provides insight into advanced persistent threat (APT) actors’ activity against networks associated with federal and state, local, tribal, and territorial (SLTT) governments. The alert details how APT actors are chaining vulnerabilities (exploit chaining), incorporating a recently disclosed elevation of privilege vulnerability into their attacks.

The following is a list of vulnerabilities referenced in the CISA/FBI joint cybersecurity alert:

CVE             Vendor/Product                 CVSSv3   Tenable VPR*   Disclosed
CVE-2019-11510  Pulse Connect Secure SSL VPN   10.0     10.0           Apr 2019
CVE-2018-13379  Fortinet FortiOS SSL VPN       9.8      9.8            May 2019
CVE-2019-19781  Citrix NetScaler               9.8      9.9            Dec 2019
CVE-2020-1631   Juniper Junos OS               9.8      6.7            Apr 2020
CVE-2020-2021   Palo Alto Networks PAN-OS      10.0     10.0           Jun 2020
CVE-2020-5902   F5 BIG-IP                      9.8      9.9            Jul 2020
CVE-2020-15505  MobileIron                     9.8      9.5            Jul 2020
CVE-2020-1472   Microsoft Netlogon             10.0     10.0           Aug 2020

*Please note Tenable VPR scores are calculated nightly. This blog post was published on October 12 and reflects VPR at that time.

Analysis

Initial access gained through SSL VPN vulnerability

According to the CISA/FBI alert, the APT actors are “predominantly” using CVE-2018-13379 to gain initial access to target environments.

CVE-2018-13379 is a path traversal vulnerability in the Secure Sockets Layer (SSL) virtual private network (VPN) web portal of Fortinet’s FortiOS. Fortinet patched it in April 2019, but it was not until exploitation details were made public in August 2019 that reports emerged of attackers exploiting it in the wild. The flaw is pre-authentication: an unauthenticated request can read files from the appliance, including session data that lets an attacker log in as a legitimate VPN user.

In addition to the Fortinet vulnerability being used to gain initial access, CISA/FBI have also observed “to a lesser extent,” APT actors using CVE-2020-15505, a remote code execution vulnerability in MobileIron’s Core and Connector.

Post exploitation elevation of privilege using Zerologon

Once the APT actors have gained an initial foothold in their target environments, they elevate privileges using CVE-2020-1472, a critical elevation of privilege vulnerability in Microsoft’s Netlogon Remote Protocol. Dubbed “Zerologon,” the vulnerability has gained notoriety since it was patched in Microsoft’s August 2020 Patch Tuesday release; an attacker with network access to a domain controller can use it to take over the domain.

On September 18, CISA issued Emergency Directive 20-04 in an effort to ensure Federal Civilian Executive Branch systems were patched against the vulnerability.

Zerologon observed as part of attacks in the wild

On September 23, Microsoft’s Security Intelligence team tweeted that they had observed the Zerologon exploits being “incorporated into attacker playbooks” as part of threat actor activity.

In a follow-up tweet on October 6, Microsoft’s Security Intelligence team noted a new campaign leveraging CVE-2020-1472 by the threat actor it tracks as CHIMBORAZO, also known as TA505, a financially motivated cybercrime group.

CISA/FBI warn of additional vulnerabilities being targeted for initial access

In addition to the Fortinet and MobileIron vulnerabilities identified in recent campaigns, the CISA/FBI alert also warns that these APT actors may leverage any of the other initial-access vulnerabilities listed in the table above (Pulse Connect Secure, Citrix NetScaler, Juniper Junos OS, Palo Alto Networks PAN-OS and F5 BIG-IP) to gain entry into their targeted networks.

Evergreen vulnerabilities remain popular amongst threat actors

Many of the vulnerabilities referenced in this joint alert from CISA/FBI have become evergreen flaws for threat actors. CISA’s Top 10 Routinely Exploited Vulnerabilities alert also references both the Pulse Secure and Citrix ADC vulnerabilities.

In September, CISA issued two separate alerts (AA20-258A, AA20-259A) that highlight how APT actors from China and Iran are targeting unpatched vulnerabilities in Pulse Connect Secure, Citrix ADC, and F5’s BIG-IP.

Elections support systems accessed, yet elections data integrity intact

In Alert AA20-283A, CISA mentions that they observed activity that “resulted in unauthorized access to elections support systems.” However, they also mention that despite said unauthorized access, they have no evidence to support that the “integrity of elections data has been compromised.”

Zerologon needs to be patched immediately

With the latest alert from CISA and the FBI, coupled with reporting from other vendors, it seems clear that Zerologon is becoming one of the most critical vulnerabilities of 2020.
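Applying the August 2020 update is only the first step: a patched domain controller still accepts vulnerable Netlogon secure channels until enforcement mode is on, and it logs which devices are still using them. The following PowerShell function is an added example, not part of the CISA/FBI advisory or of Tenable’s plugins. It relies on the registry value and NETLOGON event IDs documented in Microsoft’s deployment guidance for the CVE-2020-1472 fix (KB4557222); the function name and its output fields are the example’s own.

```powershell
#Requires -RunAsAdministrator
# Added example: assess a domain controller's Zerologon (CVE-2020-1472) posture.
# Facts used (Microsoft deployment guidance for the fix, KB4557222):
#  - HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection
#    DWORD 1 = enforcement mode: vulnerable Netlogon secure channels are refused.
#  - NETLOGON events in the System log: 5827/5828 = vulnerable connection denied,
#    5829 = vulnerable connection allowed (enforcement not yet on),
#    5830/5831 = vulnerable connection allowed by an explicit exception policy.
# These events only exist once the August 2020 (or later) update is installed,
# so "no events" on an unpatched DC means nothing.

function Test-ZerologonPosture {
    param([int]$LookbackDays = 7)

    # Only meaningful on a domain controller (Win32_ComputerSystem.DomainRole 4 or 5).
    $isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $enforce = (Get-ItemProperty -Path $paramsKey -Name 'FullSecureChannelProtection' `
                -ErrorAction SilentlyContinue).FullSecureChannelProtection

    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829, 5830, 5831
        StartTime    = (Get-Date).AddDays(-$LookbackDays)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as zero events.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $counts = @{}
    foreach ($id in $filter.Id) {
        $counts[$id] = @($events | Where-Object Id -eq $id).Count
    }

    # Event 5829 names the device that negotiated a vulnerable channel. Those are the
    # machines to patch (or cover with an exception policy) before enforcement is
    # switched on; otherwise they will fail to authenticate once it is.
    $stillVulnerable = $events | Where-Object Id -eq 5829 |
        ForEach-Object { $_.Message } | Sort-Object -Unique

    [pscustomobject]@{
        IsDomainController = $isDC
        EnforcementMode    = ($enforce -eq 1)
        DeniedVulnerable   = $counts[5827] + $counts[5828]
        AllowedVulnerable  = $counts[5829]
        AllowedByPolicy    = $counts[5830] + $counts[5831]
        Event5829Messages  = $stillVulnerable
    }
}

$posture = Test-ZerologonPosture
$posture | Format-List
if ($posture.IsDomainController -and -not $posture.EnforcementMode) {
    Write-Warning 'Zerologon enforcement is off: vulnerable Netlogon connections are still accepted.'
}
```

Run it on every domain controller, not just one: the events are logged by whichever DC the vulnerable client talked to. A clean run is one where EnforcementMode is true and AllowedVulnerable stays at zero over the look-back window; a non-zero AllowedVulnerable with enforcement off is the state the advisory’s attackers count on.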

Proof of concept

A number of proofs-of-concept (PoC) and exploit scripts were made available soon after these vulnerabilities were publicly disclosed. The following is a subset of some of the PoCs and exploit scripts:

CVE             Source
CVE-2018-13379  GitHub (three PoC/exploit repositories)
CVE-2019-11510  GitHub (three PoC/exploit repositories)
CVE-2019-19781  GitHub (three PoC/exploit repositories)
CVE-2020-5902   GitHub (three PoC/exploit repositories)
CVE-2020-15505  GitHub (one PoC/exploit repository)
CVE-2020-1472   GitHub (three PoC/exploit repositories)

Solution

Patches are available for all of the vulnerabilities referenced in the joint cybersecurity advisory from CISA and the FBI. Most of them had patches available at the time of disclosure; the exception is CVE-2019-19781, for which Citrix released patches roughly a month after the vulnerability was originally disclosed, leaving only mitigations in the interim.

Please refer to the individual advisories below for further details.

CVE             Patch information
CVE-2019-11510  SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX
CVE-2018-13379  FG-IR-18-384: FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests
CVE-2019-19781  Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance
CVE-2020-1631   2020-04 Out of Cycle Security Advisory: Junos OS: Security vulnerability in J-Web and web based (HTTP/HTTPS) services
CVE-2020-2021   PAN-OS: Authentication Bypass in SAML Authentication
CVE-2020-5902   K52145254: TMUI RCE vulnerability CVE-2020-5902
CVE-2020-15505  July 2020: MobileIron Security Updates Available
CVE-2020-1472   Netlogon Elevation of Privilege Vulnerability

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here:

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Deploying Your Industrial Cybersecurity: 4 Tips For Success


Securing industrial environments requires a form factor that is optimal for your business. The latest Tenable.ot product updates provide greater freedom to deploy your security and manage threats the way you want to see them.

Every modern industrial organization needs a plan for securing their operational technology (OT) environments. If that wasn’t already clear, the latest alerts from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) offer clear evidence that OT cyberattacks have occurred and are ongoing. The continued rise of emerging technologies like IT/OT convergence and Industry 4.0 only further expose industrial environments to cyber risk.

OT security is essential to protecting critical infrastructure and capitalizing on new innovations. But the optimal way of deploying that security can differ based on your organization’s unique mission, goals and requirements. Like any other technology, OT security should be agile enough to operate around the business with minimal disruption, rather than the other way around. This is especially true during the COVID-19 response, as organizations seek greater agility in equipping their teams – both on-prem and remote – with the visibility, security and control they need to keep essential systems running. 

We’re excited to announce a few updates to Tenable.ot™ that can help any industrial or critical infrastructure organization solve for the most urgent cyberthreats, in a way that maximizes uptime, safety and efficiency. 

‘OT Anywhere’: Gain remote visibility into your OT infrastructure

We built Tenable.ot to support a variety of options for achieving visibility across your converged IT/OT operations. Building on our traditional appliance- and OS-based deployments, Tenable.ot is now fully integrated with Tenable.io. For the first time ever, you can leverage the power of the cloud to gain visibility into your OT infrastructure - from anywhere in the world with an internet connection.

As modern OT infrastructure converges with IT systems and connected devices, the cloud becomes a much more attractive, efficient and cost-effective way of managing and securing industrial environments. This is especially true if your organization is: 

  • Adopting data-rich Industry 4.0 workflows
  • Deploying industrial IoT devices such as smart sensors, monitors and alarms
  • Distributed across multiple locations
  • Not able to accommodate additional gear

Rather than shipping staff members to remote locations to collect data or make adjustments, you can now pipe all of that OT information into the cloud and manage your controls from anywhere. This versatility is key to supporting more agile collaboration and innovating without introducing additional cyber exposure.

Achieve a single view of all your IT and OT vulnerability data

Visibility is the first part of the OT security equation; you also need a solution capable of managing the vast number of vulnerabilities that might exist across your converged IT/OT environment. Siloed views of one side or the other will inevitably create blind spots and lead to inefficient workflows. 

Security teams can maximize their impact by finding a solution that prioritizes vulnerabilities based on the latest threat intelligence and recommends clear actions to reduce the greatest amount of risk with your limited resources. By harnessing the combined power of Tenable.ot and Tenable.sc, we’re proud that our platform is the first on the market to provide converged IT/OT vulnerability management, including

Streamline your traditional OT security deployments 

In addition to equipping your team with the latest capabilities, you also want to make sure you’re getting the basics right. For traditional deployments, Tenable.ot offers a dedicated appliance with optional sensors, or you can deploy it on your own hardware that meets our tested minimum requirements using Tenable Core.

By packaging the application with a supported version of CentOS, Tenable Core further streamlines the deployment and management of multiple products, including Nessus, Tenable.sc, and the Nessus Network Monitor (NNM). This expedites your time to deploy and eliminates the disruption of a production environment. 

The freedom to choose

The rising tide of industrial cyberattacks shows no signs of letting up anytime soon. Defending your critical infrastructure requires a solution capable of providing comprehensive security across your converged environment. With Tenable’s “OT Anywhere” initiative, you can now choose the optimal form factor for your organization to most efficiently guard your OT infrastructure against unacceptable threats.

To choose the right OT security technology that suits your needs, check out our industrial cybersecurity checklist for an overview of key criteria and capabilities your team should consider. When you’re ready to learn more, you can send us a note to schedule a demo.

Microsoft’s October 2020 Patch Tuesday Addresses 87 CVEs including “Bad Neighbor” Windows TCP/IP Vulnerability (CVE-2020-16898)


For the first time in seven months, Microsoft patches fewer than 100 CVEs, addressing 87 CVEs in its October release.

Microsoft patched 87 CVEs in the October 2020 Patch Tuesday release, including 11 CVEs rated critical. This release follows seven consecutive months of over 100 CVEs patched, in what has been an unusually busy year for Microsoft Patch Tuesday updates. This month's release includes fixes for Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft JET Database Engine, Azure Functions, Azure Sphere, Open Source Software, Microsoft Exchange Server, Visual Studio, PowerShellGet, Microsoft .NET Framework, Microsoft Dynamics, Adobe Flash Player, and Microsoft Windows Codecs Library.

CVE-2020-16898 | Windows TCP/IP Remote Code Execution Vulnerability

CVE-2020-16898, dubbed “Bad Neighbor,” is a critical remote code execution (RCE) vulnerability in the Windows TCP/IP stack. It stems from improper handling of ICMPv6 Router Advertisement packets carrying a Recursive DNS Server (RDNSS) option (Option Type 25) whose length field is even. According to a blog post from McAfee, Microsoft Active Protections Program (MAPP) members were provided with a test script that triggers the flaw to cause a denial of service (DoS). That test scenario does not pivot to RCE, and McAfee notes an additional bug would be needed to turn the crash into code execution; an exploit that did achieve RCE would be wormable, since no authentication or user interaction is required. We expect proof-of-concept (PoC) code to be released in the near future, so the DoS outcome alone is reason enough to prioritize this patch.

CVE-2020-16899 | Windows TCP/IP Denial of Service Vulnerability

Similar to CVE-2020-16898, CVE-2020-16899 is a DoS vulnerability in the Windows TCP/IP stack that also results from improper handling of ICMPv6 Router Advertisement packets. An attacker on the same link as the target sends crafted Router Advertisement packets, which can cause the system to stop responding. Microsoft recommends applying the security update; if the patch cannot be applied immediately, the documented workaround is to disable ICMPv6 RDNSS (Recursive DNS Server) processing on each interface with a netsh command, run from an elevated PowerShell or Command Prompt.
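The interim workaround above, as an added example that is neither Microsoft’s advisory text nor Tenable’s code: a PowerShell wrapper around the documented setting (`netsh int ipv6 set int <ifIndex> rabaseddnsconfig=disable`) plus a function that reads the state back so the change can be verified and later reverted. Assumptions: interfaces are enumerated with Get-NetIPInterface (Windows 8 / Server 2012 and later), the verification parses the “RA Based DNS Config (RFC 6106)” line of `netsh interface ipv6 show interface` output, whose exact label is an assumption about that output, and the function names are the example’s own.

```powershell
#Requires -RunAsAdministrator
# Added example: apply, verify and revert the RDNSS workaround for the ICMPv6
# Router Advertisement flaws (CVE-2020-16898 / CVE-2020-16899) on hosts that
# cannot take the October 2020 update yet. The setting itself is Microsoft's
# documented one: netsh int ipv6 set int <ifIndex> rabaseddnsconfig=disable
# Caveat: hosts that learn their DNS servers only from Router Advertisements
# (RFC 6106 RDNSS) lose name resolution while this is disabled. DHCPv6 and
# static DNS configuration are unaffected.

function Set-RaDnsConfig {
    param([switch]$Enable)   # default is to disable (the workaround)
    $state = if ($Enable) { 'enable' } else { 'disable' }

    foreach ($if in Get-NetIPInterface -AddressFamily IPv6) {
        # netsh works per interface index; a failure (e.g. on loopback) is
        # captured and reported rather than stopping the loop.
        $out = netsh interface ipv6 set interface $($if.ifIndex) rabaseddnsconfig=$state 2>&1
        [pscustomobject]@{
            ifIndex = $if.ifIndex
            Alias   = $if.InterfaceAlias
            Applied = $state
            Result  = ($out -join ' ').Trim()
        }
    }
}

function Get-RaDnsConfigState {
    foreach ($if in Get-NetIPInterface -AddressFamily IPv6) {
        $text = netsh interface ipv6 show interface $($if.ifIndex) | Out-String
        # Assumption: the per-interface output contains a line such as
        #   RA Based DNS Config (RFC 6106)      : disabled
        $m = [regex]::Match($text, 'RA Based DNS Config \(RFC 6106\)\s*:\s*(\w+)')
        [pscustomobject]@{
            ifIndex          = $if.ifIndex
            Alias            = $if.InterfaceAlias
            RaBasedDnsConfig = if ($m.Success) { $m.Groups[1].Value } else { 'unknown' }
        }
    }
}

# Apply the workaround, then confirm every interface reports "disabled".
Set-RaDnsConfig | Format-Table -AutoSize
Get-RaDnsConfigState | Format-Table -AutoSize

# After the October 2020 update is installed, restore the default:
# Set-RaDnsConfig -Enable
```

The setting is per interface and persists across reboots, so run the verification on all IPv6 interfaces, including ones that are currently disconnected; a laptop that roams onto an untrusted network will otherwise expose the unpatched interface.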

CVE-2020-16951, CVE-2020-16952 | Microsoft SharePoint Remote Code Execution Vulnerability

CVE-2020-16951 and CVE-2020-16952 are RCE vulnerabilities in Microsoft SharePoint resulting from a failure to validate an application package’s source markup. To exploit the vulnerability, an attacker would need to be able to upload a specially crafted SharePoint application package to a vulnerable SharePoint server. Successful exploitation could allow an attacker to execute arbitrary code under the context of the SharePoint application pool and the SharePoint server farm account.

Steven Seeley, a security researcher on Qihoo 360’s Vulcan Team, is credited with discovering CVE-2020-16952. Seeley published an advisory on his website, which includes a PoC exploit script for the vulnerability.

CVE-2020-16947 | Microsoft Outlook Remote Code Execution Vulnerability

CVE-2020-16947 is an RCE flaw in Microsoft Outlook due to the improper handling of objects in memory. An attacker can exploit this vulnerability using a crafted email file sent to a user of a vulnerable version of Microsoft Outlook. Because Outlook’s Preview Pane is affected by this flaw, a user does not have to open the message in order for the vulnerability to be exploited. As Outlook is widely used for enterprise email, we highly recommend prioritizing the patching of this CVE.

CVE-2020-16929, CVE-2020-16930, CVE-2020-16931, CVE-2020-16932 | Microsoft Excel Remote Code Execution Vulnerability

CVE-2020-16929, CVE-2020-16930, CVE-2020-16931 and CVE-2020-16932 are RCE vulnerabilities in Microsoft Excel caused by the software improperly handling objects in memory. To exploit these vulnerabilities, an attacker must create a malicious Excel file and convince their target to open it using a vulnerable version of Microsoft Excel, either by attaching the file to an email or by hosting it on a website and enticing the user to visit. Successful exploitation would allow the attacker to execute arbitrary code on the vulnerable system with the rights of the current user. The impact is significantly worse if that user has administrative privileges, which would give the attacker complete control of the system.

CVE-2020-16918, CVE-2020-17003 | Base3D Remote Code Execution Vulnerability

CVE-2020-16918 and CVE-2020-17003 are RCE vulnerabilities in Base3D because its rendering engine handles memory improperly. Successful exploitation of these vulnerabilities would allow an attacker to gain arbitrary code execution on a vulnerable system.

CVE-2020-1167, CVE-2020-16923 | Microsoft Graphics Components Remote Code Execution Vulnerability

CVE-2020-1167 and CVE-2020-16923 are RCE vulnerabilities in Microsoft Graphics Components because of the way objects are handled in memory. To exploit these vulnerabilities, an attacker must create a specially crafted file and convince their target to open the file. This could be achieved through targeted social engineering. Successful exploitation would allow an attacker to gain arbitrary code execution on the vulnerable system.

CVE-2020-16891 | Windows Hyper-V Remote Code Execution Vulnerability

CVE-2020-16891 is an RCE vulnerability on the host server of Windows Hyper-V when inputs from an authenticated user on the guest operating system (OS) are not properly validated. To exploit this vulnerability, an attacker would need to run a malicious application on the guest OS, which could result in arbitrary code execution on the host OS.

Tenable solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name contains October 2020.

With that filter set, click the plugin families to the left and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example using March 2019 from Tenable.io:

A list of all the plugins released for Tenable’s October 2020 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.


A Day in the Life of a Business-Aligned Cybersecurity Leader


The future belongs to cybersecurity leaders who can align their objectives with an understanding of business risk. Here are eight daily actions you can take to get there.

I've been working in cybersecurity for 20 years. I've been on the technical end performing penetration tests and malware analysis. I've run intrusion detection programs and security operations centers and was responsible for policy and compliance of all those components. In my current role at Tenable, I manage vendor relationships for 40 security tools and can tell you, with a fair degree of granularity, what each of those tools is doing on a daily basis and how it's performing. I can give you a list of all the vulnerabilities we patched on which systems in the past 30 days. But whenever I've talked to C-level business executives and the board — in my current role or in previous organizations — none of that matters.

At the end of the day, I always get asked one simple question: "How secure, or at risk, are we?" And, for 20 years, arriving at a meaningful answer to that question has remained a struggle. 

Earlier this year, Tenable commissioned Forrester Consulting to conduct a study of more than 800 business and cybersecurity leaders globally to find out why. What it boils down to is this: There is a chronic disconnect between cybersecurity and business that is compounded by limitations in the technology, processes and data available to security leaders.

But we would be misguided if we do not also consider the human factors that lie at the core of the disconnect.

Business as a Second Language

CISOs and other cybersecurity leaders are unique participants in the executive suite. We have to be equally fluent in the languages of technology and business. Yet, unlike our colleagues in finance or sales — who may hold master's degrees in business or have other similar educational backgrounds — many cybersecurity leaders have technical backgrounds such as computer science. We typically rise up through the technical ranks of an organization. This puts us at an immediate disadvantage when we finally arrive at a senior managerial or C-level role. 

Technology is our first, native language. And the tools and processes we use are all based on the language of technology, giving us results we can clearly articulate in our native tongue. Most of us have learned to passably speak "business as a second language" but a disconnect remains, in part, because the tools and frameworks we need to do our jobs don't lend themselves to easy translation.

"It's knowing how to translate a bunch of the things we find from a security perspective and making that relatable to the business," said Rick Vadgama, VP and CISO at a global online travel platform, in an interview with Tenable. "There are many InfoSec professionals who certainly understand what the vulnerabilities or exploits are, but they don't know how to translate that so that a regular business person can understand. They don't know how to make it relatable."

Vadgama, who majored in finance and accounting in college and held business roles early in his career before realizing it wasn't his calling and switching to IT, said his diverse background helps him in his current role. "I understand the business aspect. I understand the financials. And then, because I've come up through the ranks of IT and I've worked in various functions — including being a director of IT, owning networks, and owning developing groups — I also have context about those functions. So, as I've gone into security, I already had that context and awareness, I know how to cross the chasm between the technical people and the business people."

For cybersecurity leaders who have advanced through the technical ranks, Vadgama has this advice: "Leave the security space and go work in some other functions for a time, so that you have context as to how to run a business or group, and then come back to infosec."

It's all in a day's work

A SANS Institute paper from way back in 2003 articulated the challenges, which remain current to this day: "[CISO] responsibilities are unlike any other in the C-suite, not even CIOs have this scope."

The SANS paper details the following as being among the most important responsibilities carried out by most CISOs: 

  • Act as the organization's representative with respect to inquiries from customers, partners, and the general public regarding the organization's security strategy.
  • Act as the organization's representative when dealing with law enforcement agencies while pursuing the sources of network attacks and information theft by employees.
  • Balance security needs with the organization's strategic business plan, identify risk factors, and determine solutions to both.
  • Develop security policies and procedures that provide adequate business application protection without interfering with core business requirements.
  • Plan and test responses to security breaches, including the possibility for discussion of the event with customers, partners, or the general public.
  • Oversee the selection, testing, deployment, and maintenance of security hardware and software products as well as outsourced arrangements.
  • Oversee a staff of employees responsible for the organization's security, ranging from network technicians managing firewall devices to security guards.

Given the sheer scope of the role, it can be difficult to figure out where to prioritize your time on a typical day. Most of us would prefer to live in the technical comfort zone represented by the last three bullets above, spending our days planning for incidents and overseeing operations designed to minimize their likelihood. 

But staying in our comfort zone is not making any of us safer. According to the Forrester study, The Rise of the Business-Aligned Security Executive, 94% of organizations have experienced a business-impacting cyberattack in the past 12 months that resulted in at least one of the following: a loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property. And the vast majority of respondents (77%) expect cyberattacks to increase in the next two years.

The study also finds that 66% of business leaders are — at most — only somewhat confident in their security team's ability to quantify their organization's level of risk or security. 

Becoming a business-aligned security leader: 8 steps

It's clear that something needs to change. As security leaders we need to find ways to improve our alignment with the business. And that requires effort every single day. You need to be mindful of how you're prioritizing your time to make sure you've structured your operations in a way that allows you ample time to focus on business alignment.

"The most important thing to become a business-aligned cybersecurity leader is to deliver value to business and create a co-ownership engagement cycle," said Jose Maria Labernia Salvador, head of IT security and internal control for LafargeHolcim IT EMEA in Madrid, in an interview with Tenable. "Mission and vision are also very important to agree with business, and a trusting, partner relationship needs to be established to make sure a direct channel is in place."

Making the effort to build trusting relationships throughout the organization is key, according to Vadgama. At his current company, the chance to participate in the organization's privacy committee gave him the opportunity to collaborate with leaders from the legal team as well as product management and engineering, among others. But even without a formal committee it's possible to reach out and connect across the organization.

"It's not just meeting with the IT team," Vadgama said. "It's also meeting with engineering and marketing and sales, and so on and so forth, and building those relationships. That way, when we do find something these teams need to address and I show up at their doorstep, they're like, ‘Okay. Yeah, we know we need to take care of this.' " 

Here are eight practices you can incorporate into your days that will set you on the path toward a business-aligned future:

  1. Spend time each day reviewing your company's external-facing documents. Pay attention to what your organization's executives are communicating via financial statements, press releases, news articles, social media sites and industry forums.
  2. Schedule time with line-of-business executives to develop an understanding of their day-to-day challenges and build rapport. Learn how their performance is measured. Help them to see security as an enabler of their business needs rather than an impediment. This way they'll be more likely to involve you earlier in their strategic plans.
  3. Cultivate a working knowledge of the priorities and challenges facing organizations in your industry sector. Join trade associations or other professional organizations, read business-to-business articles in trade journals, attend webinars and other industry events. By doing so, you'll gain a working vocabulary and important perspectives to help you better align your security initiatives to your organization's unique business needs.
  4. Schedule regular check-ins with your fellow C-suite executives and use the time to learn what keeps them up at night. It's only by understanding broader business pain points that you can begin to develop a holistic understanding of what "risk" really means to your organization.
  5. Use quarterly business reviews as a prime learning opportunity. Listen closely to the strategic priorities and pain points articulated by your peers and consider the external business factors influencing them. Pay attention to how each executive demonstrates the return on their business investments and find ways to tailor your own security ROI metrics accordingly.
  6. Build a network of trusted business advisors. Engage mentors from across the business spectrum to provide guidance and offer a sounding board to help you refine your communications to become more business-friendly.
  7. Build relationships with the risk professionals in your organization. Cybersecurity is both a risk unto itself and a factor in all other business risk conversations. Find out how you can effectively participate in developing enterprise risk management strategies that keep cyber front-and-center.
  8. Pay attention to the third-party relationships happening across the organization. You may have a working knowledge of key relationships, such as your payroll processing or enterprise resource planning vendors. But how much visibility do you have into the tools and platforms used by your web team or the service and support contractors who maintain and service your organization's operational technology?


Finding time for all of the above, in addition to effectively performing all the other aspects of your role, may seem like a daunting proposition. You won't be able to do all of them all at once. Choose the one or two that resonate most for you, and start there.

One approach, said Labernia, is to "start at the top. Business leaders tend to be very open to discussion once they understand the complexity and risks of today's cybersecurity situation. Then you can extend progressively to other key areas of the organization. Try to shift from the common approach of saying ‘NO' to saying ‘KNOW.' You can always find a way to run the business securely once you understand the goals."

By making the active choice to break out of your technology comfort zone and become more business-aligned, you will not only benefit your organization, you will also enhance your career, setting yourself up to take that coveted "seat at the table" in driving business risk strategies.

Read the blog series

Additional blogs in this series focused on the challenges of aligning cybersecurity and business and why cybersecurity leaders struggle to answer the question “how secure, or at risk, are we?”. We also examined what COVID-19 response strategies reveal about the business-cyber disconnect, discussed why existing cybersecurity metrics fall short when communicating cyber risk and explored five steps for achieving alignment with the business.

CVE-2020-5135: Critical SonicWall VPN Portal Stack-based Buffer Overflow Vulnerability

Researchers disclose a critical pre-authentication vulnerability in the SonicWall VPN Portal that is easily exploitable.

Background

On October 12, SonicWall published a security advisory (SNWLID-2020-0010) to address a critical vulnerability in SonicOS that could lead to remote code execution (RCE). The vulnerability was discovered by security researchers at Tripwire’s Vulnerability and Exposure Research Team (VERT).

Analysis

CVE-2020-5135 is a stack-based buffer overflow vulnerability in the VPN Portal of SonicWall’s Network Security Appliance. A remote, unauthenticated attacker could exploit the vulnerability by sending a specially crafted HTTP request with a custom protocol handler to a vulnerable device. At a minimum, successful exploitation would result in a denial of service condition against the exploited device, exhausting its resources.

Remote code execution “likely feasible” but not without additional footwork

The researchers added that they were able to “divert execution flow through stack corruption” which means achieving RCE is “likely feasible.” In an interview with Threatpost, Craig Young of VERT noted that to gain RCE, an attacker would also need “an information leak and a bit of analysis.”

Hundreds of thousands of devices may be impacted

According to VERT, nearly 800,000 hosts may be affected. This figure is based on a Shodan search for the HTTP server banner, though the exact query was not provided.

Our own Shodan search for vulnerable SonicWall devices led us to two specific search queries:

The combined results from Shodan using these search queries led to a total of 795,674 hosts. In the VERT advisory, they specified that 795,357 hosts were vulnerable.

Example output from two Shodan search results for SonicWall firewall and VPNs

The Tenable Security Response Team was not able to independently confirm that the hosts found on Shodan were affected by this particular vulnerability. The hosts returned by our Shodan queries indicate only that they are internet-facing SonicWall servers; their versions could not be determined, so it is unclear whether they are vulnerable.

SSL VPN vulnerabilities: the gift that keeps on giving

Over the last year, cybercriminals and threat actors have been steadily leveraging vulnerabilities in a variety of SSL VPN solutions. As VPNs are found at the edge of a network and in most cases, publicly accessible, they are an enticing target for attackers. Exploitation of these devices can allow an attacker to pivot to an internal network and begin targeting additional hosts. Some notable vulnerabilities in VPN devices over the past year include:

| CVE | Vendor/Product | CVSSv3 | Tenable VPR* |
|---|---|---|---|
| CVE-2018-13379 | Fortinet FortiOS SSL VPN | 9.8 | 9.8 |
| CVE-2019-11510 | Pulse Connect Secure SSL VPN | 10.0 | 10.0 |
| CVE-2019-19781 | Citrix NetScaler ADC | 9.8 | 9.9 |
| CVE-2019-1579 | Palo Alto Networks Global Protect SSL VPN | 9.8 | 9.7 |

*Please note Tenable VPR scores are calculated nightly. This blog post was published on October 15 and reflects VPR at that time.

In the Cybersecurity and Infrastructure Security Agency (CISA) alert AA20-133A, “Top 10 Routinely Exploited Vulnerabilities,” both CVE-2019-11510 and CVE-2019-19781 are featured as two of the most routinely exploited vulnerabilities in 2020.

In subsequent alerts, CISA has reported observing foreign threat actors utilizing several SSL VPN vulnerabilities as part of their attacks. On October 9, CISA issued a joint cybersecurity advisory with the Federal Bureau of Investigation regarding advanced persistent threat (APT) group activity, which highlighted the use of CVE-2018-13379, CVE-2019-11510 and CVE-2019-19781 as part of APT toolkits to gain initial access into their targeted environments.

With CVE-2020-5135, attackers potentially have another SSL VPN vulnerability in their respective toolboxes to target vulnerable systems.

SonicWall patched 10 additional vulnerabilities

In total, SonicWall patched 11 vulnerabilities on October 12. The following table lists the remaining 10 vulnerabilities that were patched:

| CVE | Advisory ID | Type | CVSSv3 |
|---|---|---|---|
| CVE-2020-5133 | SNWLID-2020-0008 | Unauthenticated Buffer Overflow | 8.2 |
| CVE-2020-5134 | SNWLID-2020-0009 | Out-of-Bound Invalid File Reference | 6.5 |
| CVE-2020-5136 | SNWLID-2020-0011 | Authenticated Buffer Overflow | 6.5 |
| CVE-2020-5137 | SNWLID-2020-0012 | Unauthenticated Buffer Overflow | 7.5 |
| CVE-2020-5138 | SNWLID-2020-0013 | Unauthenticated Heap Overflow | 7.5 |
| CVE-2020-5139 | SNWLID-2020-0014 | Unauthenticated Release of Invalid Pointer | 7.5 |
| CVE-2020-5140 | SNWLID-2020-0015 | Unauthenticated Malicious HTTP Request | 7.5 |
| CVE-2020-5141 | SNWLID-2020-0016 | Unauthenticated Brute Force | 6.5 |
| CVE-2020-5142 | SNWLID-2020-0017 | Stored Cross-Site Scripting (XSS) | 6.5 |
| CVE-2020-5143 | SNWLID-2020-0018 | Administrator Username Enumeration | 5.3 |

All of these vulnerabilities were discovered by security researcher Nikita Abramov of Positive Technologies Offensive Team. Abramov is credited with discovering CVE-2020-5135 along with Craig Young of VERT.

Proof of concept

At the time this blog post was published, no PoC code was available for any of the vulnerabilities, including CVE-2020-5135.

Solution

SonicWall published patches for all 11 vulnerabilities. The following table lists the affected versions along with their associated fixed version. Organizations are strongly encouraged to upgrade to a fixed version as soon as possible.

| Affected Versions | Fixed Versions |
|---|---|
| SonicOS 6.5.4.7-79n and below | SonicOS 6.5.4.7-83n |
| SonicOS 6.5.1.11 and below | SonicOS 6.5.1.12-1n |
| SonicOS 6.0.5.3-93o and below | SonicOS 6.0.5.3-94o |
| SonicOSv 6.5.4.4-44v-21-794 and below | SonicOS 6.5.4.v-21s-987 |
| SonicOS 7.0.0.0-1 | SonicOS 7.0.0.0-2 and above |

If upgrading is not feasible at this time, a temporary workaround, while inconvenient, would be to ensure the SonicWall SSL VPN portal has been disabled.
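As an added example (not SonicWall's or Tenable's code) of turning the fixed-version table above into a check, the following Python parses SonicOS version strings and reports whether each host in a constructed inventory is below the first fixed build for its branch. The SonicOSv virtual-appliance row is left out because its version scheme differs, and the hostnames and versions in the inventory are made up.

```python
"""Compare SonicOS firmware versions against the fixed versions in the advisory
table. Added example, not SonicWall or Tenable code. The physical-appliance rows
are copied from the table above; the SonicOSv row is omitted because the
virtual-appliance version scheme differs from the 'x.y.z.w-NNs' one."""
import re
from typing import Dict, List, Optional, Tuple

# (branch prefix, first fixed version) for each physical-appliance row in the table.
FIXED_VERSIONS = [
    ("6.5.4", "6.5.4.7-83n"),
    ("6.5.1", "6.5.1.12-1n"),
    ("6.0.5", "6.0.5.3-94o"),
    ("7.0.0", "7.0.0.0-2"),
]

# Dotted release plus optional '-<build><letter>' suffix, e.g. 6.5.4.7-79n or 6.5.1.11.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+)[a-z]*)?$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split '6.5.4.7-79n' into ((6, 5, 4, 7), 79).

    A missing build number sorts below every real build, which matches how the
    advisory phrases rows such as '6.5.1.11 and below'.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised SonicOS version string: {version!r}")
    dotted = tuple(int(part) for part in match.group(1).split("."))
    build = int(match.group(2)) if match.group(2) else -1
    return dotted, build


def is_vulnerable(version: str) -> Optional[bool]:
    """True if below the fix for its branch, False if at or above it,
    None if the branch is not covered by the table (needs manual review)."""
    parsed = parse_version(version)
    for prefix, fixed in FIXED_VERSIONS:
        branch = tuple(int(part) for part in prefix.split("."))
        if parsed[0][:len(branch)] == branch:
            return parsed < parse_version(fixed)
    return None


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Sort (hostname, version) pairs into a patching worklist."""
    report: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in inventory:
        status = is_vulnerable(version)
        bucket = "unknown" if status is None else ("vulnerable" if status else "fixed")
        report[bucket].append(host)
    return report


# Constructed inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("fw-hq-1", "6.5.4.7-79n"),    # below 6.5.4.7-83n -> vulnerable
    ("fw-hq-2", "6.5.4.7-83n"),    # exactly the fixed build -> fixed
    ("fw-branch-1", "6.5.1.11"),   # '6.5.1.11 and below' -> vulnerable
    ("fw-lab-1", "7.0.0.0-1"),     # 7.0.0.0-1 -> vulnerable, 7.0.0.0-2 fixes it
    ("fw-legacy", "6.2.7.1-23n"),  # branch not in the table -> unknown
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the "unknown" bucket are not cleared; they simply run a branch the table does not cover and need a manual check against the vendor advisory.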

Identifying affected systems

A list of Tenable plugins to identify CVE-2020-5135 will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Writing Security Advisories: 5 Best Practices For Vendors

To maximize the impact of your security advisories, here are some key steps vendors can take to support automated workflows and timely remediation efforts.

Over the years we’ve seen every variation of security advisory imaginable: plain text, good HTML, bad HTML, machine readable, machine readable with giant blobs of embedded text (which potentially negates the value of the machine readable parts). Regardless of the format in which they are delivered, security advisories are a critical mechanism for providing customers as well as infosec vendors and practitioners the necessary knowledge to ensure vulnerabilities are identified, reviewed and remediated as quickly as possible. 

What makes a good security advisory? There are three core data points: vulnerability information, affected versions and potential remediations.

Within each of these is a subset of data that helps communicate clearly the impact and risk, how to know if you are vulnerable, and what specific actions you can take to remediate or mitigate the relevant threats. It’s critical that vendors provide all the necessary information and follow best practices to ensure that their advisories can support automated workflows and timely discovery and remediation of new vulnerabilities.

1. Disclose specific vulnerability details

First off, each vulnerability should be clearly associated with a unique identifier. Ideally this would be a Common Vulnerabilities and Exposures (CVE) identifier issued by a CVE Numbering Authority (CNA). When that is not possible, a vendor should provide an internally unique identifier such as a Bugtraq ID. This makes it possible for multiple parties to communicate about the vulnerability without wondering whether everyone is talking about the same issue.

For each vulnerability disclosure, the security advisory should also include a detailed description of the issue and the CVSSv3 metrics. This ensures that customers and security vendors are able to clearly understand the impact of the vulnerability and communicate that with others using the industry-standard CVSS metrics, such as Attack Vector (AV) or Exploit Code Maturity (E). Two common pitfalls we see with severity metrics are vendors not including any metrics or developing their own. Both of those force customers to invest additional time in translating these security advisories into usable information. 

Ideally, vendors will also include data on the vulnerability disclosure timeline, as well as who disclosed the vulnerability.

2. Identify affected versions and devices

In addition to benchmarking technical severity, customers need to know which versions of a product are impacted by a particular vulnerability to understand whether or not they need to take action. For example, a vulnerability may only exist in a newer version of an impacted product that the customer is not currently running. 

It is also critical to communicate any special conditions that must be met for the software to be affected, as well as how customers can determine if that special condition is met. This is particularly true with hardware vulnerabilities. For example, many vulnerabilities in Cisco and Juniper devices are only present if the device is running with a particular feature enabled. Advisories from these vendors will typically include an example of the command users should run to determine if the device has the impacted feature enabled.

3. Clearly explain the remediation options

Unless no fix is available, each affected branch or version should have a clear link to the minimum required version to which a customer needs to upgrade to remediate the vulnerability. If a particular branch does not have a fix, it is equally important to communicate that no fix is available and that customers need to upgrade to a more recent release. 

We have encountered many situations where a security advisory is vague about whether a branch has a fix or not, and that leads to many back-and-forth discussions between our support teams and customers. In many cases, the customer is also working with the vendor support team, leading to a significant amount of email and phone tag to untangle what should be a simple and easily available answer.

4. Format your information for both humans and machines 

Nearly as important as the content within a security advisory is how that information is communicated. It is important to format security advisories in a way that is useful for humans as well as automation processes. Many vendors succeed at providing the former, but despite several standardized industry reporting frameworks, few provide security advisories in a machine-readable format. (Popular standards include the Open Vulnerability and Assessment Language (OVAL), Common Vulnerability Reporting Framework (CVRF), and Common Security Advisory Framework (CSAF).)

Machine-readable formats allow security providers and customers to build automated processes around those security advisories. These automated processes can reduce the time to remediate or, at a minimum, reduce the overhead of reviewing and prioritizing newly published advisories. The reductions typically come in the form of automatic prioritization based on the severity of the vulnerability, the impacted versions and the availability of a fix. Any steps that we as an industry can take to reduce the effort required to review and remediate newly published vulnerabilities allow customers to better reduce their overall exposure.
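To show the automation this section describes, and the CVSS metrics and fix-availability points from sections 1 and 3, here is an added Python example (not Tenable's code) that triages a constructed advisory feed against an installed-product list: it orders actions by base score and remote/unauthenticated exploitability, picks the fixed release for each affected branch, and flags advisories that ship without CVSS metrics. The feed's shape is loosely modelled on CSAF's product_status and CVSS fields but is not a schema-valid CSAF document; "ExampleVPN" and the CVE ids are placeholders.

```python
"""Automated prioritisation driven by a machine-readable advisory feed.
Added example, not Tenable code. The feed below is constructed in a simplified
JSON-like shape loosely modelled on CSAF fields (product_status with
known_affected / fixed lists, a cvss_v3 block); it is not a schema-valid CSAF
document, 'ExampleVPN' is hypothetical and the CVE ids are placeholders."""
from typing import Any, Dict, List, Optional, Tuple

ADVISORIES: List[Dict[str, Any]] = [
    {
        "cve": "CVE-0000-00001",
        "cvss_v3": {"base_score": 9.8,
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
        "product_status": {
            "known_affected": ["ExampleVPN 6.5.4.7", "ExampleVPN 6.5.1.11"],
            "fixed": ["ExampleVPN 6.5.4.8", "ExampleVPN 6.5.1.12"],
        },
    },
    {
        "cve": "CVE-0000-00002",
        "cvss_v3": {"base_score": 6.5,
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},
        "product_status": {"known_affected": ["ExampleVPN 6.5.4.7"],
                           "fixed": ["ExampleVPN 6.5.4.8"]},
    },
    {   # Branch with no fix: the advisory must still say so explicitly.
        "cve": "CVE-0000-00003",
        "cvss_v3": {"base_score": 7.5,
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
        "product_status": {"known_affected": ["ExampleVPN 6.0.5.3"], "fixed": []},
    },
    {   # The pitfall from section 1: the vendor supplied no severity metrics.
        "cve": "CVE-0000-00004",
        "cvss_v3": None,
        "product_status": {"known_affected": ["ExampleVPN 6.5.4.7"],
                           "fixed": ["ExampleVPN 6.5.4.8"]},
    },
]


def parse_vector(vector: str) -> Dict[str, str]:
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    metrics = vector.split("/")
    if not metrics[0].startswith("CVSS:3"):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    return dict(item.split(":", 1) for item in metrics[1:])


def fixed_for(affected: str, fixed: List[str]) -> Optional[str]:
    """Pick the fixed release on the same branch (all but the last version component)."""
    branch = affected.split()[-1].rsplit(".", 1)[0]
    for candidate in fixed:
        if candidate.split()[-1].startswith(branch + "."):
            return candidate
    return None


def triage(advisories: List[Dict[str, Any]],
           installed: List[str]) -> Tuple[List[Dict[str, Any]], List[Tuple[str, str]]]:
    """Return (actions sorted highest priority first, items needing manual review)."""
    actions: List[Dict[str, Any]] = []
    needs_review: List[Tuple[str, str]] = []
    for adv in advisories:
        status = adv["product_status"]
        hits = [p for p in status["known_affected"] if p in installed]
        if not hits:
            continue  # nothing we run is listed as affected
        if not adv.get("cvss_v3"):
            needs_review.append((adv["cve"], "no CVSS metrics supplied; score manually"))
            continue
        vec = parse_vector(adv["cvss_v3"]["vector"])
        remote_unauth = vec.get("AV") == "N" and vec.get("PR") == "N"
        for product in hits:
            fix = fixed_for(product, status["fixed"])
            actions.append({
                "cve": adv["cve"], "product": product,
                "score": adv["cvss_v3"]["base_score"], "remote_unauth": remote_unauth,
                "fix_available": fix is not None,
                "action": f"upgrade to {fix}" if fix
                          else "no fix on this branch: migrate to a supported release",
            })
    # Highest base score first; among equals, remotely exploitable without auth first.
    actions.sort(key=lambda a: (a["score"], a["remote_unauth"]), reverse=True)
    return actions, needs_review


# Constructed inventory of installed product versions.
INSTALLED = ["ExampleVPN 6.5.4.7", "ExampleVPN 6.0.5.3"]

if __name__ == "__main__":
    todo, review = triage(ADVISORIES, INSTALLED)
    for item in todo:
        print(f"{item['score']:>4} {item['cve']} {item['product']}: {item['action']}")
    for cve, why in review:
        print(f"REVIEW {cve}: {why}")
```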

5. Improve accessibility with a centrally indexed dataset

Another component in which we have seen varying levels of maturity is how and where security advisories are hosted. Common channels include mailing lists, forum posts, blog posts, indexed HTML pages and APIs. 

While mailing lists are useful for pushing the advisory out to subscribers, any archive of those notifications tends to be plain text, which is challenging for automation and human readers alike. Forum posts suffer from this same limitation, and also tend to get lost in the noise of other forum posts. Blog posts and indexed HTML pages are great, particularly when they are served up from a page that contains an index of previous and new security advisories that users can subscribe to with an RSS feed. From an automation perspective, APIs are extremely useful as they allow us to build targeted queries. 

In all of these cases, it is critical to have an easy-to-find location that centralizes access for past and present security advisories. Without a centralized index, it can be a challenging search for customers, which in turn increases the amount of effort required to review and remediate newly published vulnerabilities.

Stronger advisory practices narrow the attacker’s advantage

Providing detailed, well-formatted and easily accessible security advisories makes a significant difference in the customer experience and their ability to quickly identify and remediate new vulnerabilities. When vendors fall short on any of the aspects discussed here, it increases the level of effort for a customer to become aware of new security advisories, understand their associated risks and make informed decisions regarding remediation. 

A bad security advisory can make the difference between quick coverage and no coverage. Every delay increases the customer’s exposure time, which in turn increases the risk that the vulnerability in question is exploited by an attacker. Good security advisories empower customers with the information they need to close these critical exposure gaps and reduce risk across their attack surface.

Oracle Critical Patch Update for October 2020 Addresses 402 Security Updates

Oracle’s latest Critical Patch Update surpasses the 400 mark for the second time this year with 402 security patches addressing 230 CVEs, including numerous critical vulnerabilities in Oracle Fusion Middleware products.

Background

On October 20, Oracle released the Critical Patch Update (CPU) Advisory for October 2020, its final quarterly release of security patches for the year. This update contains fixes for 230 CVEs in 402 security patches across 27 Oracle product families. This quarter’s update marks the second-highest count in Oracle CPUs, surpassed only by the July 2020 update which holds the record with over 440 patches.

* Chart is accurate as of October 21, 2020

Analysis

This quarter’s CPU includes 35 critically rated CVEs across a wide range of Oracle products. The table below lists the product families with vulnerabilities addressed in this month’s release along with the number of vulnerabilities that are remotely exploitable without authentication.

| Oracle Product Family | Number of Patches | Remote Exploit without Auth |
|---|---|---|
| Oracle Financial Services Applications | 53 | 49 |
| Oracle MySQL | 53 | 4 |
| Oracle Communications | 52 | 41 |
| Oracle Fusion Middleware | 46 | 36 |
| Oracle Retail Applications | 28 | 25 |
| Oracle E-Business Suite | 27 | 25 |
| Oracle Database Server | 18 | 4 |
| Oracle PeopleSoft | 15 | 12 |
| Oracle Enterprise Manager | 11 | 10 |
| Oracle Communications Applications | 9 | 8 |
| Oracle Construction and Engineering | 9 | 7 |
| Oracle Hyperion | 9 | 1 |
| Oracle Java SE | 8 | 8 |
| Oracle Systems | 8 | 3 |
| Oracle Virtualization | 7 | 0 |
| Oracle Hospitality Applications | 6 | 3 |
| Oracle Insurance Applications | 6 | 6 |
| Oracle Policy Automation | 6 | 6 |
| Oracle REST Data Services | 5 | 2 |
| Oracle Utilities Applications | 5 | 3 |
| Oracle TimesTen In-Memory Database | 4 | 4 |
| Oracle Food and Beverage Applications | 4 | 3 |
| Oracle Health Sciences Applications | 4 | 4 |
| Oracle Supply Chain | 4 | 3 |
| Oracle Siebel CRM | 3 | 3 |
| Oracle Big Data Graph | 1 | 1 |
| Oracle GraalVM | 1 | 1 |

* Table is accurate as of October 21, 2020

Notable Vulnerabilities

Considering the large number of patches released in this CPU, it may be hard to digest, filter and prioritize these vulnerabilities. However, a few Oracle WebLogic Server vulnerabilities are of note due to their criticality and potential for being targeted by attackers.

CVE-2020-14825, CVE-2020-14841, CVE-2020-14859 | Oracle WebLogic Server - Component: Core

CVE-2020-14825, CVE-2020-14841 and CVE-2020-14859 are vulnerabilities in the Core component of Oracle WebLogic Server. Oracle has classified these vulnerabilities as “easily exploitable” as they would allow an unauthenticated attacker with network access via Oracle’s T3 or Internet Inter-ORB Protocol (IIOP) to compromise the server. All three vulnerabilities affect versions 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. CVE-2020-14841 and CVE-2020-14859 also affect versions 10.3.6.0.0 and 12.1.3.0.0.

CVE-2020-14841 Proof of Concept

On October 21, security researcher Hamid Kashfi shared a proof of concept (PoC) for CVE-2020-14841 in a tweet stating “Another Oracle Tomcat JNDI bypass: CVE-2020-14841.”

CVE-2020-14882 | Oracle WebLogic Server - Component: Console

CVE-2020-14882 is a vulnerability in the Console component of Oracle WebLogic Server. Oracle has highlighted this vulnerability as “easily exploitable” as it would allow an unauthenticated attacker to compromise the Oracle WebLogic server over HTTP resulting in the takeover of the targeted server. This vulnerability affects versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.

CVE-2019-17267 | Oracle WebLogic Server - Component: Centralized Thirdparty Jars (jackson-databind)

CVE-2019-17267 is a vulnerability in the Centralized Thirdparty Jars (jackson-databind) component of Oracle WebLogic Server. Oracle notes that this vulnerability is “easily exploitable” and would allow an unauthenticated attacker with network access over HTTP to compromise and take over a targeted server. Version 12.2.1.3.0 is the only version affected by this vulnerability.

Oracle has assigned all five of the vulnerabilities discussed in this section a CVSSv3.1 score of 9.8 due to their impact and ease of exploitation. Oracle WebLogic Server vulnerabilities have appeared in every Oracle CPU this year.

Oracle WebLogic Servers have always been a prime target for threat actors. On April 30, Oracle published a blog post warning of in-the-wild exploitation of CVE-2020-2883, a deserialization vulnerability in the Oracle Coherence library of Oracle WebLogic Server that was patched in the April 2020 Oracle CPU. CVE-2020-2883 is a patch bypass of CVE-2020-2555, another deserialization vulnerability in Oracle Web Server, which was included in the January 2020 CPU.

Less than a week after the July 2020 Oracle CPU, a PoC was released for CVE-2020-14645, another vulnerability affecting the Core component of Oracle WebLogic Server. Based on this consistent interest in WebLogic Server from threat actors and researchers, we expect to see additional patches and perhaps PoCs for this product in the future.

Solution

Customers are advised to apply all relevant patches in this CPU. Please refer to the October 2020 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.



CVE-2020-27615: SQL Injection Vulnerability in WordPress Loginizer Plugin Affected Over One Million Sites

In a rare move, the WordPress Security Team forced a plugin update to over one million sites to address a vulnerability in a popular WordPress plugin used for brute force protection.

Background

On October 21, the developers of Loginizer, a popular WordPress plugin that offers protection against brute force attacks, published a blog post about a recent update to their plugin that addresses a severe vulnerability. The vulnerability was discovered and disclosed by a vulnerability researcher at WP Deeply, Slavco Mihajloski.

Analysis

CVE-2020-27615 is a SQL injection (SQLi) vulnerability in the WordPress Loginizer plugin due to a lack of input sanitization. According to a blog post from Mihajloski, the vulnerability exists in two parts of the Loginizer plugin: the loginizer_login_failed function, which contains unsanitized database requests, and the lz_valid_ip function. Mihajloski notes the potential for a stored cross-site scripting (XSS) vulnerability as well.

An unauthenticated, remote attacker could exploit the vulnerability by crafting a malicious SQL query and including it in the username field of the WordPress site’s login page. Successful exploitation could lead to remote code execution.

Loginizer plugin has a history of vulnerabilities

This vulnerability isn’t the first to be reported in the Loginizer plugin. In 2017, researchers at WPSec published a blog post detailing their discovery of an SQLi and cross-site request forgery (CSRF) vulnerability, identified as CVE-2017-12650 and CVE-2017-12651 respectively.

In 2018, researcher and CEO of WPScan, Ryan Dewhurst, discovered and disclosed a stored XSS vulnerability in Loginizer. The vulnerability is identified as CVE-2018-11366.

WordPress Security team takes an unprecedented step to secure WordPress sites

It is not uncommon for researchers to uncover and disclose hundreds of vulnerabilities in WordPress plugins each year. However, according to a thread on the Loginizer Support Page, the WordPress Security team took an unprecedented step, swiftly addressing CVE-2020-27615 by using a “forced update” functionality in WordPress to migrate Loginizer users over to the patched version of the software. Apparently, this functionality has been present in WordPress for nearly seven years; it was introduced in WordPress version 3.7. According to Samuel Wood, a WordPress.org administrator, they have used this feature “many times.”


Image Source: WordPress Loginizer Plugin Statistics Page

On October 15 and 16, the Loginizer plugin saw a significant spike in downloads, being downloaded 1,127,855 times. This appears to be when the WordPress Security Team issued the forced update to the Loginizer plugin.

Proof of concept

Mihajloski published a proof of concept (PoC) for this vulnerability as part of his blog post.

Solution

The Loginizer developers patched this vulnerability in Loginizer version 1.6.4. Because WordPress has proactively forced updates to sites using the plugin, we expect many sites have already been patched. However, there still may be some sites out there that have not yet patched.


Image Source: WordPress Loginizer Plugin Statistics Page

The Loginizer statistics page on WordPress.org shows that 89% of sites running the plugin are on the 1.6.x branch. However, it’s unclear whether all of those sites on that branch are running 1.6.4. Almost 11% of Loginizer sites are using the 1.4.x branch or an unreported version of the branch. If your site has not been patched yet, we strongly advise you to upgrade to 1.6.4 immediately.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released. Additionally, vulnerable versions of Loginizer can be identified using our WordPress Outdated Plugin Detection plugin.


Government Agencies Warn of State-Sponsored Actors Exploiting Publicly Known Vulnerabilities

State-sponsored actors from Russia and China are leveraging several of the same publicly known vulnerabilities in their attacks, all of which have patches available.

On October 20, the National Security Agency (NSA) published a detailed security advisory to inform defenders about Chinese state-sponsored "cyber actors" exploiting known vulnerabilities. The advisory is meant to help network defenders prioritize patching and mitigation efforts and further specifies that internet-facing assets like remote access tools and external web services are key targets for threat actors.

Two days later, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint cybersecurity advisory with the Federal Bureau of Investigation (FBI) about Russian state-sponsored advanced persistent threat (APT) actors leveraging five publicly known vulnerabilities in attacks. Three of the five vulnerabilities listed in this advisory were also in the NSA alert.

While the NSA alert focused primarily on National Security Systems, it ends with a broader warning, "Due to the various systems and networks that could be impacted by the information in this product [the NSA alert] outside of these sectors, NSA recommends that the CVEs above be prioritized for action by all network defenders."

Many of the vulnerabilities in these advisories align with similar alerts that have been published by CISA over the last year and all of the vulnerabilities listed have patches available.

Prior Advisories

This is the latest in a series of alerts this year from government agencies warning about threat actors leveraging known vulnerabilities with patches available. Two of the vulnerabilities listed in the NSA alert, CVE-2019-19781 and CVE-2019-11510, were identified as some of the most exploited vulnerabilities in 2020 in the CISA Top 10 Routinely Exploited Vulnerabilities alert. Earlier in October, CISA partnered with the FBI on a joint advisory regarding APT activity leveraging several known vulnerabilities, including CVE-2020-1472 "Zerologon." Several of the vulnerabilities listed in that joint advisory are also included in the latest NSA alert.

Patching and Mitigation

The NSA lists six steps for general mitigation in its alert. First on the list is timely patching and updating:

  • Keep systems and products updated and patched as soon as possible after patches are released.
  • Expect that data stolen or modified (including credentials, accounts, and software) before the device was patched will not be alleviated by patching, making password changes and reviews of accounts a good practice.
  • Disable external management capabilities and set up an out-of-band management network.
  • Block obsolete or unused protocols at the network edge and disable them in device configurations.
  • Isolate internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network.
  • Enable robust logging of internet-facing services and monitor the logs for signs of compromise.

This series of warnings from government agencies should sufficiently underscore the importance of quickly and completely patching these vulnerabilities. Threat actors of various skill levels are actively exploiting these flaws in attacks against diverse targets and will continue to do so as long as targets have not applied the available patches for their respective devices.

Tenable Coverage

Tenable has product coverage for all 27 vulnerabilities listed in both the NSA and CISA/FBI alerts. The table below includes links to the relevant plugins for each vulnerability as well as Tenable Research analysis.

Vulnerabilities in the NSA alert

| CVE | Product | Disclosure Date | Plugins & Additional Info |
|---|---|---|---|
| CVE-2015-4852 | Oracle WebLogic Server | November 2015 | Plugins |
| CVE-2017-6327 | Symantec Messaging Gateway | August 2017 | Plugins |
| CVE-2018-6789 | Exim Message Transfer Agent | February 2018 | Plugins |
| CVE-2018-4939 | Adobe ColdFusion | May 2018 | Plugins |
| CVE-2019-3396 | Atlassian Confluence | March 2019 | Plugins; Blog Post |
| CVE-2019-0708 | Windows Remote Desktop Protocol | April 2019 | Plugins; Blog Posts: 1, 2, 3 |
| CVE-2019-0803 | Windows Win32k | April 2019 | Plugins |
| CVE-2019-11510 | Pulse Connect Secure | April 2019 | Plugins; Blog Posts: 1, 2, 3, 4 |
| CVE-2019-11580 | Atlassian Crowd | June 2019 | Plugins; Blog Post |
| CVE-2019-1040 | Windows NTLM | June 2019 | Plugins |
| CVE-2019-18935 | Telerik UI for ASP.NET | December 2019 | Plugins; Blog Post |
| CVE-2019-19781 | Citrix Application Delivery Controller (ADC), Gateway and SDWAN WAN-OP | December 2019 | Plugins; Blog Posts: 1, 2, 3, 4, 5, 6 |
| CVE-2020-0601 | Windows CryptoAPI | January 2020 | Plugins; Blog Posts: 1, 2 |
| CVE-2020-2555 | Oracle Coherence | January 2020 | Plugins; Blog Post |
| CVE-2020-3118 | Cisco Discovery Protocol | February 2020 | Plugins; Blog Post |
| CVE-2020-0688 | Microsoft Exchange Server | February 2020 | Plugins; Blog Posts: 1, 2, 3 |
| CVE-2020-8515 | DrayTek Vigor | February 2020 | Plugins |
| CVE-2020-10189 | Zoho ManageEngine | March 2020 | Plugins; Blog Post |
| CVE-2020-5902 | F5 BIG-IP | July 2020 | Plugins; Blog Posts: 1, 2, 3 |
| CVE-2020-15505 | MobileIron MDM | July 2020 | Plugins; Blog Post |
| CVE-2020-1350 | Windows DNS Server | July 2020 | Plugins; Blog Post |
| CVE-2020-8193 | Citrix ADC, Gateway and SDWAN WAN-OP | July 2020 | Plugins; Blog Post |
| CVE-2020-8195 | Citrix ADC, Gateway and SDWAN WAN-OP | July 2020 | Plugins; Blog Post |
| CVE-2020-8196 | Citrix ADC, Gateway and SDWAN WAN-OP | July 2020 | Plugins; Blog Post |
| CVE-2020-1472 | Microsoft Netlogon | August 2020 | Plugins; Blog Posts: 1, 2, 3 |

Vulnerabilities in CISA/FBI alert (AA20-296A)

| CVE | Product | Disclosure Date | Plugins & Additional Info |
|---|---|---|---|
| CVE-2018-13379 | Fortinet VPN | May 2019 | Plugins; Blog Posts: 1, 2, 3 |
| CVE-2019-10149 | Exim | June 2019 | Plugins; Blog Post |

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

How to Leverage Nessus Scan Reports for Better Vulnerability Assessment

Turning your Nessus scan results into actionable reports helps you dynamically visualize the vulnerability assessment process.

Vulnerability scanning is typically a multi-step process, one that doesn't simply begin and end with the scan itself. This is certainly true of a comprehensive assessment tool like Nessus Professional. Whether you're using it as part of an internal information security team or as a third-party consultant, one of the essential steps is to report the results of your scan and explain the details of what you've found to key stakeholders.

Nessus offers a great deal of flexibility for your reporting needs. In this post, we'll explore those options, guide you through generating a report in four easy steps and cover some best practices for reporting in specific contexts and drawing actionable conclusions from your scans' findings.

Nessus reporting options: Reports vs. exports and customization concerns 

When the time comes to present the results of Nessus scans, you must first choose between reports and exports (although, strictly speaking, all of the options below involve exporting files):

  • Reports: You have the most versatility with the presentation of your vulnerability scan findings if you decide to turn them into reports. Reports can be PDFs or HTML-based and are easily customizable in terms of what information you include, how it is presented and their overall visual aesthetic.
  • Exports: Scans themselves can be exported as files in .XML, .CSV or Nessus's proprietary DB format. .CSV is especially useful for importing into external databases, and .XML files can be imported into other tools, kept as a historical reference for auditing purposes or also later used as a policy template for future Nessus scans. 

Nessus Professional - Exploitable Vulnerabilities Report

So you have to decide what you want most out of the report: Do you need to distribute and present it to a client team for remediation or put it into practice as a policy template for future efforts? Or are you building a historical record of scanning practices? Nessus has you covered for both of these reporting needs and many more.

Nessus scan reporting step by step

In some ways, the reports you end up with are only as strong as the policy you use to establish the parameters of your vulnerability scan. First, you need a clear understanding of the scan scope so that you're looking through the network areas you (or your client, if you're scanning as a consultant) are most concerned about and seeking out priority targets. To get started quickly, you can choose the proper template from among the pre-built options available in Nessus, or use any custom policies you may have added to the library. 

Scan Templates - Nessus Professional

Once the scan is complete and you've taken the time to look at your results, it's time to create your report:

  1. If exporting in the .XML, or .CSV formats for future importation into a policy library or other database, simply click Export in the upper right-hand corner of the scan's results page and choose the desired format from a drop-down menu.
  2. For PDF and HTML reports that display the scan results without any alterations, select the Executive Summary option, choose a file format and then click Export. (PDF generation requires Oracle Java or OpenJDK to be installed on the Nessus host.)
  3. To put together customized reports in either of those styles, select the Custom option on the scan results page. Then choose which scan results you want to include - Vulnerabilities, Remediations, Hosts, Notes, History and Dashboard view can all be shown or hidden depending on your needs (and those of your client.)
  4. Last but not least, determine whether you want to group any vulnerabilities you've discovered by hosts or plugins affected, and then click Export.

You can generate detailed Nessus scan reports in 4 easy steps

Report reading pointers

How you look at reports depends largely on your position and responsibilities within your organization - or, if you're consulting, what the client expects to learn from the vulnerability scanning, assessment and reporting processes.

If you're part of the infosec or IT team, you'll certainly want to read your scan reports as thoroughly as possible. It's on you and your colleagues to review system vulnerabilities, project the levels of risk these issues create and determine the best strategy for ridding the network, servers and hosts of the most critical threats. Given how meticulously you need to understand your vulnerabilities, it may be best to create reports in multiple formats, and with different configurations: Specifically looking at ERP tech stack vulnerabilities and nothing else, for example, might help you really dig into those problems, and then you'd switch back to a full-scan report or one displaying flaws in another asset type. Nessus makes this simple, and also allows you to easily compare results of different scans.

Things are a bit different from the consultant's perspective. You still need to understand scan details front to back, but consider your audience - how much of that information does the client need immediately? You can start by presenting a succinct version of the report that covers essential details – especially when creating .HTML reports, which have an Executive Summary template – while including links to additional content for those who want more information. 

Nessus Professional includes many predefined reports which are configured to provide useful summaries of scan results. Some of the reports you can create include:

  • Unsupported software: provides insight into unsupported software found in your environment
  • Exploitable vulnerabilities: details all detected vulnerabilities which have known exploits
  • Operating system detections: lists all operating systems found on the scanned targets
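The .nessus file produced by the Export step above is plain XML, so the same host-or-plugin grouping and the Exploitable Vulnerabilities summary can be reproduced in a script when findings need to feed a ticketing system or a second tool. The following Python is an added example, not code from this post or from Tenable. It assumes the documented .nessus v2 layout (ReportHost, HostProperties/tag, ReportItem with severity and pluginID attributes and cve/exploit_available children); the XML sample, the 9000xx plugin IDs, plugin names and hosts are constructed for illustration.

```python
"""Added example: summarize a Nessus .nessus (v2 XML) export offline,
mirroring the GUI's group-by-host / group-by-plugin choice and the
Exploitable Vulnerabilities report. Not Tenable's code."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Nessus severity attribute values and the labels the UI shows for them.
SEVERITY = {"0": "Info", "1": "Low", "2": "Medium", "3": "High", "4": "Critical"}
SEVERITY_ORDER = list(SEVERITY.values())

# Constructed sample export. Element and attribute names follow the .nessus
# v2 layout; the 9000xx plugin IDs, plugin names and hosts are invented.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="constructed-scan">
  <ReportHost name="10.0.0.5">
   <HostProperties>
    <tag name="host-ip">10.0.0.5</tag>
    <tag name="operating-system">Microsoft Windows Server 2016</tag>
   </HostProperties>
   <ReportItem port="3389" protocol="tcp" svc_name="msrdp" severity="4"
               pluginID="900001" pluginName="RDP RCE (constructed)" pluginFamily="Windows">
    <cve>CVE-2019-0708</cve>
    <exploit_available>true</exploit_available>
   </ReportItem>
   <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="4"
               pluginID="900002" pluginName="Netlogon EoP (constructed)" pluginFamily="Windows">
    <cve>CVE-2020-1472</cve>
    <exploit_available>true</exploit_available>
   </ReportItem>
   <ReportItem port="0" protocol="tcp" svc_name="general" severity="0"
               pluginID="900003" pluginName="OS Identification (constructed)" pluginFamily="General"/>
  </ReportHost>
  <ReportHost name="10.0.0.9">
   <HostProperties><tag name="host-ip">10.0.0.9</tag></HostProperties>
   <ReportItem port="3389" protocol="tcp" svc_name="msrdp" severity="4"
               pluginID="900001" pluginName="RDP RCE (constructed)" pluginFamily="Windows">
    <cve>CVE-2019-0708</cve>
    <exploit_available>true</exploit_available>
   </ReportItem>
   <ReportItem port="443" protocol="tcp" svc_name="www" severity="2"
               pluginID="900004" pluginName="Weak TLS cipher (constructed)" pluginFamily="General">
    <exploit_available>false</exploit_available>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def _rank(severity_label):
    """Position in SEVERITY_ORDER; unknown labels sort below Info."""
    return SEVERITY_ORDER.index(severity_label) if severity_label in SEVERITY_ORDER else -1


def parse_nessus(xml_text):
    """Flatten every ReportItem into a dict: one finding per host/plugin/port."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        for item in host.findall("ReportItem"):
            findings.append({
                "host": props.get("host-ip", host.get("name")),
                "os": props.get("operating-system", "unknown"),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "port": f"{item.get('port')}/{item.get('protocol')}",
                "severity": SEVERITY.get(item.get("severity"), "Unknown"),
                "cves": [c.text for c in item.findall("cve")],
                # Missing element means Nessus did not flag a public exploit.
                "exploitable": (item.findtext("exploit_available") or "false").lower() == "true",
            })
    return findings


def group_by(findings, key):
    """key is 'host' or 'plugin_id', the two groupings the export dialog offers."""
    groups = defaultdict(list)
    for f in findings:
        groups[f[key]].append(f)
    return dict(groups)


def exploitable(findings, min_severity="Info"):
    """Findings with a public exploit at or above min_severity, worst first."""
    floor = _rank(min_severity)
    hits = [f for f in findings if f["exploitable"] and _rank(f["severity"]) >= floor]
    return sorted(hits, key=lambda f: -_rank(f["severity"]))


def severity_counts(findings):
    """Counter of severity labels, the numbers the summary bar shows."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    print("Severity:", dict(severity_counts(found)))
    for plugin_id, items in group_by(found, "plugin_id").items():
        hosts = sorted({f["host"] for f in items})
        print(f"{plugin_id} {items[0]['plugin_name']}: {len(hosts)} host(s) {hosts}")
    for f in exploitable(found, "High"):
        print("EXPLOITABLE", f["host"], f["port"], f["severity"], ",".join(f["cves"]))
```

Severity values 0 to 4 map to Info through Critical as in the Nessus UI, and exploit_available is the flag the Exploitable Vulnerabilities report keys on. Run the file directly to print the summary for the embedded sample, or pass the contents of a real export to parse_nessus.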

However you need to configure your reports for optimal effectiveness, Nessus Professional can accommodate you. 

Start Your Free Nessus Trial

CVE-2020-14882: Oracle WebLogic Remote Code Execution Vulnerability Exploited in the Wild

A remote code execution vulnerability in Oracle WebLogic Server has been actively exploited in the wild just one week after a patch was released and one day after a proof of concept was published.

Background

On October 29, Dr. Johannes Ullrich, Dean of Research at the SANS Internet Storm Center (ISC), published a post disclosing active exploitation of a critical vulnerability in Oracle WebLogic Server, just over a week after a patch was released in Oracle’s October 2020 Critical Patch Update (CPU). Ullrich observed the attacks against one of his honeypots within a day of a proof of concept (PoC) becoming publicly available. The post notes that the exploitation attempts against the honeypot were only probing to determine whether the device was vulnerable; follow-up requests could not be analyzed because the honeypot was configured to respond with an “incorrect” response. Ullrich assumes that the entire IPv4 address space has already been scanned for this vulnerability, as he has seen the scanning slow down. He also warns that if your server is vulnerable, “assume it has been compromised.”


Image Source: SANS ISC Post

Analysis

CVE-2020-14882 is a remote code execution (RCE) flaw in the Console component of Oracle WebLogic Server. Oracle rates the pre-authentication flaw as “easily exploitable” with low attack complexity, and it carries a critical CVSSv3 score of 9.8. Successful exploitation would allow an unauthenticated attacker to compromise the Oracle WebLogic server over HTTP and take complete control of the host.

On October 28, a security researcher known as Jang published a blog post (in Vietnamese) about CVE-2020-14882, including partial details that could be used for a PoC. Jang is no stranger to WebLogic flaws, being credited with discovering and reporting CVE-2020-2555 to Oracle, which patched the vulnerability in its January 2020 CPU. In March, Jang confirmed that CVE-2020-2555 was not completely fixed. The bypass for CVE-2020-2555 was disclosed by another researcher, Quynh Le of VNPT Information Security Center (ISC). Both Le and Jang are credited with reporting this bypass, which is identified as CVE-2020-2883.

According to the SANS post, Ullrich found that the exploits he observed appear to be based on the content of Jang's blog post.

This is the second occurrence this year of an Oracle WebLogic vulnerability being actively targeted soon after a patch release. The CPU for April 2020 addressed CVE-2020-2883, a critical deserialization vulnerability in Oracle WebLogic Server. Less than a month after the patch was released, Oracle published a blog post strongly encouraging customers to patch “without delay” as they had received reports of exploitation in the wild. WebLogic patches have become a recurring trend in the quarterly Oracle CPUs and have continued to be a keen target for threat actors.

Proof of concept

A PoC for this vulnerability was published to GitHub by a security researcher that goes by the handle Jas502n. Jas502n has a history of producing PoCs for vulnerabilities soon after their disclosure, including CVE-2019-12409 and CVE-2019-17558, a pair of vulnerabilities in Apache Solr. Additionally, a Python-based PoC bearing Jang's name was found on Packet Storm, a site providing tools and information on the latest vulnerabilities and exploits.

Solution

Oracle released patches for CVE-2020-14882 as part of the Oracle CPU for October 2020. We strongly recommend applying those patches as soon as possible. The following versions of WebLogic Server are affected:

Oracle WebLogic Server affected versions:

  • 10.3.6.0.0
  • 12.1.3.0.0
  • 12.2.1.3.0
  • 12.2.1.4.0
  • 14.1.1.0.0

Identifying affected systems

A list of Tenable plugins to identify this vulnerability can be found here.

CVE-2020-15999, CVE-2020-17087: Google Chrome FreeType and Microsoft Windows Kernel Zero Days Exploited in the Wild

A pair of zero-day vulnerabilities in Google Chrome (CVE-2020-15999) and Microsoft Windows (CVE-2020-17087) were chained together and exploited in the wild in targeted attacks. A separate Chrome vulnerability (CVE-2020-16009) has also been exploited in the wild.

Background

On October 20, Google released a stable channel update for Chrome for Desktop to address five security fixes, one of which (CVE-2020-15999) had been discovered by a member of its Project Zero research team and exploited in the wild.

On October 30, Ben Hawkes, a founding member and technical lead on Project Zero tweeted that the team had “detected and reported” a kernel vulnerability in Microsoft Windows (CVE-2020-17087) that was exploited alongside the Chrome vulnerability.

Analysis

CVE-2020-15999 is a heap buffer overflow vulnerability in the “Load_SBit_Png” function of the FreeType 2 library, which is used for font rendering by a variety of applications, including Google Chrome. The vulnerability was discovered by Sergei Glazunov, a security researcher on the Project Zero team. An attacker could exploit it by using social engineering to lure a user to a malicious website that serves a specially crafted font file; the bug is triggered when Chrome loads and renders that font.

CVE-2020-17087 is a “pool-based” buffer overflow vulnerability in the Windows Kernel Cryptography Driver, cng.sys, according to the Project Zero team. In the team’s issue tracker entry, Mateusz Jurczyk, a Project Zero security researcher, says the flaw exists in the cng!CfgAdtpFormatPropertyBlock function as a result of a 16-bit integer truncation.

Chaining together CVE-2020-15999 and CVE-2020-17087 would allow an attacker to break out of Google Chrome’s sandbox. Exploiting a vulnerability in a browser on its own is of limited use, because the attacker remains confined by the sandbox. A viable sandbox escape is therefore a valuable asset for attackers, as they can use it to elevate privileges on the system or execute code outside the browser, depending on the nature of the chained vulnerabilities.

Second chained vulnerability used to escape Chrome sandbox in the last year

This isn’t the first time two vulnerabilities have been exploited together as part of targeted attacks in Chrome and Windows. On October 31, 2019, Google patched CVE-2019-13720, a use-after-free zero-day vulnerability that was exploited in the wild. Researchers at Kaspersky were credited with discovering the vulnerability as part of a targeted attack operation known as Operation WizardOpium. One month later, Kaspersky disclosed that CVE-2019-13720 was used in the Operation WizardOpium attacks in conjunction with CVE-2019-1458, an elevation of privilege vulnerability in Microsoft Windows in order to escape Google Chrome’s sandbox.

Patch for CVE-2020-17087 expected in November Patch Tuesday

In a tweet, Hawkes says a fix for the Windows Kernel vulnerability is expected to be released on November 10 as part of Microsoft’s Patch Tuesday release. In his tweet, Hawkes preemptively stated that these vulnerabilities were not associated with recent attacks against U.S. election-related infrastructure.

CVE-2020-16009: Google discloses additional vulnerability exploited in the wild

On November 2, as we were preparing to publish this blog post, Google released a new stable channel update for Chrome to address 10 vulnerabilities, including CVE-2020-16009, a vulnerability in Google Chrome’s V8 JavaScript engine due to “inappropriate implementation.” The vulnerability was discovered by security researchers Clement Lecigne of Google's Threat Analysis Group and Samuel Groß of the Project Zero team. The vulnerability has reportedly been exploited in the wild, but no further details were available at the time this blog post was published.

Proof of concept

Glazunov has published a proof-of-concept (PoC) font file for CVE-2020-15999, and Marcin Kozlowski also published an in-progress PoC.

For CVE-2020-17087, a PoC was included as an attachment to the Google Project Zero issue tracker entry.

Details for CVE-2020-16009 were restricted at the time this blog post was published and no PoC was publicly available.

Solution

Google has addressed CVE-2020-15999 and CVE-2020-16009 in Google Chrome for Desktop for Windows, macOS and Linux.

CVE | Fixed Version
CVE-2020-15999 | 86.0.4240.111
CVE-2020-16009 | 86.0.4240.183

Users are strongly recommended to upgrade as soon as possible.

CVE-2020-17087 will reportedly be fixed as part of Microsoft’s November 2020 Patch Tuesday release. We will update this blog post once that fix becomes available.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. Additionally, customers can use our OS Identification plugin to identify Windows assets that will need to be patched once a patch becomes available.

CVE-2020-16846, CVE-2020-25592: Critical Vulnerabilities in Salt Framework Disclosed

SaltStack recommends immediate patching after its disclosure of three new vulnerabilities, two of which are rated critical and can be remotely exploited without authentication.

Background

On October 30, SaltStack published a pre-announcement advisory regarding three new vulnerabilities which had been discovered in Salt versions 3002 and earlier. The pre-announcement advisory stated that two of the vulnerabilities were likely to be rated high or critical severity and that updates would be released on November 3. In the November 3 advisory, SaltStack provided additional details about these CVEs and included a strong recommendation to prioritize these updates.

Analysis

CVE-2020-16846 is a critical shell injection vulnerability in the netapi Salt SSH client. According to the advisory, an unauthenticated attacker could use shell injection to execute arbitrary code on the Salt-API via the Salt SSH client. Interestingly, the patch was pushed to SaltStack’s GitHub repository on August 18, though it is not clear why the update and details were only recently disclosed. Based on the patch details, the fix removes the use of Popen with shell=True in the Salt SSH client.


Image Source: SaltStack Github Repository

CVE-2020-25592 is an improper authentication vulnerability affecting users running the Salt API. Due to a validation issue when calling Salt SSH via the salt-api, an attacker could bypass authentication by simply supplying any value for “eauth” or “token” which would grant them the ability to run commands using Salt SSH.

CVE-2020-17490 is a low severity vulnerability in the SaltStack TLS module affecting any minions or masters which have used the create_ca, create_csr, and create_self_signed_cert functions. According to the information provided, private keys were created with world-readable permissions when these functions were used. The patch corrects this to ensure that private keys are not created with world-readable permissions.
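The two coding defects behind CVE-2020-16846 and CVE-2020-17490 are common enough to be worth seeing beside their fixes. The Python below is an added illustration, not Salt's code: the echo stand-in, the ssh argv builder and the key-writing helper are invented for this example. It shows how a string passed to Popen with shell=True lets metacharacters in the input run as extra commands while an argv list does not, and how creating a key file with mode 0600 at open time avoids the world-readable private key the TLS module fix addresses.

```python
"""Added illustration of the two defects the advisory describes: a command
string handed to subprocess with shell=True, and a private key created with
default permissions. This is not Salt's code; every function here is invented."""
import os
import shlex
import stat
import subprocess
import tempfile


def run_vulnerable(untrusted):
    """Pattern the fix removes: untrusted text interpolated into one string
    that /bin/sh parses, so ';', '&&' or '$(..)' in the input run as commands."""
    return subprocess.run(f"echo {untrusted}", shell=True,
                          capture_output=True, text=True).stdout


def run_safe(untrusted):
    """Hardened form: an argv list and no shell, so the input reaches the
    program as one literal argument however many metacharacters it contains."""
    return subprocess.run(["echo", untrusted], capture_output=True, text=True).stdout


def shell_injection_demo(untrusted):
    """Return (vulnerable_stdout, safe_stdout) for the same input."""
    return run_vulnerable(untrusted), run_safe(untrusted)


def build_ssh_argv(host, remote_argv, user="root", port=22):
    """argv for an ssh hop without a local shell. The remote sshd still hands
    the command to a shell, so each remote word is quoted for it with shlex.quote."""
    remote = " ".join(shlex.quote(a) for a in remote_argv)
    return ["ssh", "-p", str(port), f"{user}@{host}", remote]


def write_private_key(path, pem_bytes):
    """Create the key with mode 0600 at creation time. O_EXCL also refuses a
    pre-existing path or symlink. A chmod after a default-umask open would
    leave the key world-readable for a moment. Returns the resulting mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(pem_bytes)
    return stat.S_IMODE(os.stat(path).st_mode)


def key_permission_demo():
    """Write a constructed key the sloppy way and the strict way in a temp dir.
    Returns (sloppy_key_is_world_readable, strict_key_mode)."""
    with tempfile.TemporaryDirectory() as d:
        sloppy = os.path.join(d, "sloppy.key")
        with open(sloppy, "wb") as f:          # mode = 0666 & ~umask, usually 0644
            f.write(b"-----BEGIN PRIVATE KEY----- constructed -----END PRIVATE KEY-----\n")
        sloppy_mode = stat.S_IMODE(os.stat(sloppy).st_mode)
        strict_mode = write_private_key(os.path.join(d, "strict.key"), b"constructed\n")
        return bool(sloppy_mode & stat.S_IROTH), strict_mode


if __name__ == "__main__":
    vuln, safe = shell_injection_demo("host1; echo INJECTED")
    print("shell=True output:", vuln.split())
    print("argv output:      ", safe.strip())
    print("ssh argv:", build_ssh_argv("db1", ["cat", "/etc/passwd; id"]))
    print("sloppy key world-readable? %s, strict key mode %o" % key_permission_demo())
```

The echo command stands in for whatever the Salt SSH client would have run; the point is the difference between the shell parsing the whole string and the program receiving one argument. Whether the sloppy key ends up world-readable depends on the process umask, which is exactly why the strict writer does not rely on it.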

Both CVE-2020-16846 and CVE-2020-17490 are credited to a researcher going by the nickname KPC, who reported these vulnerabilities through Trend Micro’s Zero Day Initiative (ZDI). KPC is also credited with four ZDI IDs which are listed in the upcoming advisories page, though we cannot confirm if those IDs are related to the recently disclosed vulnerabilities.


Image Source: Zero Day Initiative Upcoming Advisories

Ghosts of Vulnerabilities Past

The announcement of these critical vulnerabilities is reminiscent of flaws in the Salt framework disclosed earlier in the year. CVE-2020-11651, an authentication bypass vulnerability, and CVE-2020-11652, a directory traversal vulnerability, were both seen actively exploited just days after their patches were released by SaltStack. With a pre-announcement and advisory from SaltStack both encouraging users to apply these updates quickly, we anticipate attackers will be targeting these flaws and releasing exploits soon.

Over 6,000 publicly accessible Salt Master Nodes

According to data from Shodan, there are over 6,000 Salt master nodes publicly accessible, with a majority found in the United States.


Image Source: Shodan

We anticipate that attackers will likely target these systems in the near future. Therefore, we highly recommend ensuring that these updates are applied as soon as possible.

Proof of concept

At the time this blog post was published, no proof-of-concept (PoC) code was available for any of the vulnerabilities.

Solution

SaltStack has published updates addressing all three of these CVEs. Updated releases are available for the following release lines:

  • 3002.x
  • 3001.x
  • 3000.x
  • 2019.x

Patches have also been released for the following specific versions:

  • 3002
  • 3001.1, 3001.2
  • 3000.3, 3000.4
  • 2019.2.5, 2019.2.6
  • 2018.3.5
  • 2017.7.4, 2017.7.8
  • 2016.11.3, 2016.11.6, 2016.11.10
  • 2016.3.4, 2016.3.6, 2016.3.8
  • 2015.8.10, 2015.8.13

SaltStack encourages users running older versions of Salt to update to one of the versions listed above prior to applying available patches.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

CVE-2020-14871: Critical Buffer Overflow in Oracle Solaris Exploited in the Wild as Zero-Day

Researchers disclose critical zero-day vulnerability in Oracle Solaris that was exploited in the wild by an uncategorized threat actor.

Background

On November 2, researchers at FireEye published a blog post detailing findings from a Mandiant incident response investigation that led to the discovery of an uncategorized (UNC) group they refer to as UNC1945. As part of this investigation, they discovered that UNC1945 was leveraging a critical Oracle Solaris zero-day vulnerability to install a backdoor as part of their attacks.


Image Source: Twitter

On November 4, FireEye published a follow-up blog post providing additional details about the vulnerability.

Analysis

CVE-2020-14871 is a critical pre-authentication stack-based buffer overflow vulnerability in the Pluggable Authentication Module (PAM) in Oracle Solaris. PAM is a dynamic authentication component that was integrated into Solaris back in 1997 as part of Solaris 2.6. The vulnerability received a CVSSv3 score of 10.0, the maximum possible score. The Tenable VPR score for this vulnerability is also 10.0 at the time of publication.

The vulnerability exists in the PAM library’s parse_user_name function due to the improper input validation of a username that exceeds a certain length (512 bytes). An unauthenticated, remote attacker could exploit the vulnerability by attempting to log in to a vulnerable Solaris server via Secure Shell (SSH) keyboard-interactive authentication, a passthrough authentication method that has support for PAM. Using a specially crafted request containing a username that exceeds 512 bytes, the attacker could pass limitless input to the PAM parse_user_name function after forcing the keyboard-interactive authentication to prompt for a username.

Determining whether the remote server is vulnerable is as simple as examining the server’s response to such a request. If the server returns an “Authentication failed” message, it is vulnerable; if it simply prompts for the username again, it is not.

Exploitation via SSH not possible on Oracle Solaris 11.1 and higher

The researchers note that in Oracle Solaris versions 11.1 and higher, the vulnerability still persists in the parse_user_name function. However, they determined that an unintentional change made to the PAM library negates the exploitation vector via SSH, because the username is truncated before it is passed to the parse_user_name function.

Zero-day exploit reportedly acquired for $3,000

In their initial blog post regarding UNC1945, the researchers say they identified an advertisement for an “Oracle Solaris SSHD Remote Root Exploit” in the underground market that was being sold for $3,000. They believe that this is likely where the UNC1945 attackers obtained the exploit tool, which they refer to as EVILSUN.

Vulnerability has persisted in PAM library for many years

The researchers also point out that this vulnerability has likely persisted in PAM “for decades” because most applications already validate the username before passing it to the PAM library. SSH is not one of them, which is how the attackers managed to exploit this flaw.

On October 22, a commit was pushed to the Illumos PAM library to address the parse_user_name function, which was called “sloppy” as part of the commit message. This means that other technologies implementing PAM are also likely to be vulnerable and this issue may not be unique to Solaris.

Attackers used BlueKeep vulnerability for additional reconnaissance

While CVE-2020-14871 was used to gain initial access to victim networks, the researchers also discovered the use of a variety of tools, including the use of the BKScan toolkit, which contains an exploit for CVE-2019-0708, a critical remote code execution vulnerability in Microsoft’s Remote Desktop Protocol. Dubbed "BlueKeep” by security researcher Kevin Beaumont, the vulnerability was patched in May 2019 as part of Microsoft’s Patch Tuesday.

Proof of concept

A security researcher that goes by the pseudonym Hacker Fantastic has published a proof-of-concept (PoC) exploit for CVE-2020-14871 to their GitHub page.

Solution

CVE-2020-14871 was addressed in Oracle’s quarterly Critical Patch Update (CPU) in October. The following table lists the affected versions and availability of security updates.

Affected Version | Availability of Security Updates
Oracle Solaris 11 | Yes
Oracle Solaris 10 | Yes
Oracle Solaris 9 | No

Oracle Solaris 9 has not received extended support since October 2014. Oracle Solaris 9 customers are encouraged to upgrade to a supported version as soon as possible.

If upgrading is not feasible at this time, FireEye recommends modifying the sshd_config file and configuring the ChallengeResponseAuthentication and KbdInteractiveAuthentication options to no. This will limit the current attack vector that UNC1945 and others have attempted to exploit, but there may be other ways to trigger the exploit. This mitigation should only be applied on a temporary basis until upgrading is feasible.
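Because the mitigation depends on both keywords being set to no in the global part of sshd_config, and a later Match block can re-enable them for some clients, it is worth checking the file rather than trusting that someone edited it. The Python below is an added example, not FireEye's or Tenable's code, and the two sshd_config samples are constructed. It models the sshd parsing rules that matter here: the first occurrence of a keyword wins, keywords are case-insensitive, '#' starts a comment, and directives after a Match line are conditional.

```python
"""Added example: audit an sshd_config for the temporary mitigation described
above (ChallengeResponseAuthentication and KbdInteractiveAuthentication set to
no). Not FireEye's or Tenable's code; the sample configs are constructed."""

MITIGATION_KEYS = ("challengeresponseauthentication", "kbdinteractiveauthentication")
SSHD_DEFAULTS = {k: "yes" for k in MITIGATION_KEYS}   # sshd's value when the keyword is absent

# Constructed sshd_config with stock-style commented defaults: NOT mitigated,
# because a commented keyword leaves sshd's default of "yes" in force.
WEAK_CONFIG = """\
Port 22
#ChallengeResponseAuthentication yes
#KbdInteractiveAuthentication yes
UsePAM yes
"""

# Constructed sshd_config with the mitigation applied globally but re-enabled
# for one address range; the Match block is what the audit must flag.
HARDENED_CONFIG = """\
Port 22
ChallengeResponseAuthentication no
KbdInteractiveAuthentication = no
UsePAM yes
Match Address 10.0.0.0/8
    KbdInteractiveAuthentication yes
"""


def _split_directive(line):
    """sshd accepts 'Key value', 'Key=value' and 'Key = value'."""
    head, eq, tail = line.partition("=")
    if eq and " " not in head.strip():
        return head.strip().lower(), tail.strip().strip('"')
    parts = line.split(None, 1)
    return parts[0].lower(), (parts[1].strip().strip('"') if len(parts) > 1 else "")


def parse_sshd_config(text):
    """Return (global_options, conditional_directives). Only the first
    occurrence of a keyword counts in the global section, as in sshd."""
    global_opts, conditional, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        key, value = _split_directive(line)
        if key == "match":
            in_match = True                      # everything after this is conditional
            continue
        if in_match:
            conditional.append((key, value))
        else:
            global_opts.setdefault(key, value)  # first occurrence wins
    return global_opts, conditional


def audit_mitigation(text):
    """True only when both keywords are explicitly 'no' in the global section.
    The details dict lists the effective global values and any Match overrides."""
    global_opts, conditional = parse_sshd_config(text)
    effective = {k: global_opts.get(k, SSHD_DEFAULTS[k]).lower() for k in MITIGATION_KEYS}
    overrides = sorted({k for k, _ in conditional if k in MITIGATION_KEYS})
    applied = all(v == "no" for v in effective.values())
    return applied, {"global": effective, "match_overrides": overrides}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        ok, details = audit_mitigation(cfg)
        print(f"{name}: mitigated={ok} {details}")
```

A non-empty match_overrides list means the global setting is not the whole story: clients matching that block still get keyboard-interactive authentication, so the mitigation does not cover them. Pass the contents of /etc/ssh/sshd_config to audit_mitigation to check a real host.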

Identifying affected systems

A list of Tenable plugins to identify this vulnerability can be found here.

Additionally, a compliance audit file, available here, can be used to ensure that the ChallengeResponseAuthentication and KbdInteractiveAuthentication configuration options are set to no.


Spotlight on Mexico: It's Time for Cyber and Business Leaders to Align

With cyberattacks on the rise, a new study shows how a disconnect between cyber and business executives is putting organizations in Mexico at risk. 

The vast majority of organizations in Mexico (95%) suffered at least one business-impacting[1] cyberattack over the past year and nearly three quarters (74%) expect cyberattacks to increase over the next 24 months. 

The data is drawn from The Rise of the Business-Aligned Security Executive — a Spotlight on Mexican Organizations. The commissioned study derives data from a survey of 104 business and security executives in Mexico conducted by Forrester Consulting on behalf of Tenable.

The study points to an alarming disconnect between security and business leaders which is challenging organizations in Mexico to effectively manage their cyber risk. For example, while nearly all of the security leaders surveyed (97%) had been asked by their organization's top executives or board to present on cyber risk, just five out of 10 said they could answer the question "how secure, or at risk, are we?" with a high degree of confidence. And fewer than half of security leaders in Mexico are framing the impact of cyberthreats within the context of a specific business risk.

Even more concerning: as organizations scrambled to adopt new remote working practices in response to the COVID-19 pandemic, cybercriminals seized the opportunity. Three out of 10 Mexican business and security leaders report having experienced COVID-19-related malware or phishing attacks; an unlucky 4% were victims of both. In fact, 75% of security leaders are very or extremely concerned that COVID-19-related workforce changes will increase their organizations' level of risk.

Yet, even when confronting a global pandemic, the study shows business and cybersecurity leaders failed to connect: 79% of respondents said their COVID-19 response strategies are, at best, only "somewhat" aligned. This misalignment has significant effects on organizations in Mexico, with respondents experiencing one or more of the following as a result of a cyberattack in the past two years:

  • Lost productivity (47%)
  • Identity theft (29%)
  • Loss of employee data (28%)
  • Financial loss or theft (27%)
  • Loss of customer data (25%)

Technological challenges contribute to the disconnect

Numerous organizational, operational and technological challenges contribute to the lack of business and cybersecurity alignment for organizations in Mexico. For example, over half of security leaders (53%) say their teams do not have good visibility into the state of security for their organization's most critical assets and only 51% report having a holistic understanding and assessment of the organization's entire attack surface. 

Yet, there are actions security leaders can take today to help improve alignment with the business, including establishing a regular cadence of communication with business colleagues and working together to identify the organization's most business-critical assets. Once security leaders establish a clear understanding of which assets matter most to the business they're better equipped to assess risk and communicate using metrics that business executives can understand.  

When business and security teams are aligned, the results are significant. For example, the study reveals:

  • Business-aligned security leaders are eight times as likely as their more siloed peers to be highly confident in their ability to report on their organizations' level of security or risk.
  • 85% of business-aligned security leaders have metrics to track cybersecurity ROI and impact on business performance versus just 25% of their more reactive and siloed peers.
  • Business-aligned security leaders outpace their more reactive and siloed counterparts in automating key vulnerability assessment processes by margins of +49 to +66 percentage points.

With threats on the rise and workforce dynamics changing rapidly, it's clear that cybersecurity needs to evolve as a business strategy. Security leaders who understand their organization's current risk posture and are able to predict the greatest threats to the business are much better equipped to speak the language of business risk. These business-aligned security leaders are 8x as likely as their more siloed peers to be highly confident in their ability to answer the question, "How secure, or at risk, are we?" 

Learn more

[1] "Business-impacting" relates to a cyberattack or compromise that results in a loss of customer, employee or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.

Spotlight on Australia: Security Leaders Struggle to Communicate Cyber Risk in Business Terms

As Australian business leaders prepare for incoming cyber regulation as part of the government's Cyber Security Strategy 2020 initiative, an independent study finds security executives are struggling to quantify their level of risk.

Ninety-four percent of Australian cybersecurity leaders have been asked by top executives to report on their organisation's level of exposure to a specific threat or publicised vulnerability in the past 12 months. Yet a whopping 81% of business leaders are, at most, only somewhat confident in their security teams' ability to quantify their organisations' level of risk or security. 

Security teams, meanwhile, say they're hamstrung by a lack of data, technology and processes, preventing them from effectively communicating about cyber risk in a language the business can understand. 

The data are drawn from The Rise of the Business-Aligned Security Executive: a Spotlight on Australian Organisations, a commissioned study of 105 business and cybersecurity leaders in Australia conducted by Forrester Consulting on behalf of Tenable. 

Despite increased focus and investment in cybersecurity, the study found that 92% of Australian organisations experienced a business-impacting¹ cyberattack in the past 12 months. Roughly three quarters of these attacks (73%) involved operational technology (OT). Even more concerning: 76% expect to see an increase in cyberattacks over the next two years.

These attacks came in the form of fraud (45%), COVID-19 phishing incidents (44%), data breaches (43%), ransomware (39%) and software vulnerabilities (36%). Their business impact included: financial loss or theft; loss of customer and employee data; and lost productivity.

The study also found that 67% of business leaders think their security counterparts are, at best, only "somewhat effective" in communicating threats that pose the greatest risk to the organisation. This finding, coupled with the onslaught of business-impacting cyberattacks, raises questions about the level of visibility organisations have into their most critical assets to make risk reduction decisions.

Coinciding with Australia's Cyber Security Strategy 2020 — which states that the government will invest $1.67 billion over 10 years to achieve the vision of "a secure online world for Australians, their businesses and the essential services on which we all depend" — the Forrester study highlights the need for business and infosec leaders to improve the way they're measuring and communicating cyber risks.

Cyber Security Strategy 2020 initiatives include:

  • Protecting and actively defending the critical infrastructure that all Australians rely on, including cybersecurity obligations for owners and operators.
  • Clear guidance for businesses and consumers about securing Internet of Things devices.
  • Stronger defences for Government networks and data. 
  • Increased situational awareness and improved sharing of threat information. 
  • Stronger partnerships with industry through the Joint Cyber Security Centre program. 
  • Advice for small and medium enterprises to increase their cyber resilience. 

Enhancing the existing regulatory framework for organisations involved in critical infrastructure and introducing new laws to set a minimum cybersecurity baseline across the entire economy are among the measures the government will take to achieve these goals. The efforts serve as a clarion call for business and security leaders in Australia to align on cyber imperatives. 

In order for executives to make appropriate risk-informed decisions, security leaders must be able to communicate cyber risk in business terms. But, the Forrester study reveals that a lack of visibility into their entire attack surface makes it challenging for security leaders to even analyse and combat cyber risks, let alone communicate them effectively to the business. 

Before they can improve alignment with the business, the study finds security organisations need the following:

Holistic visibility of business-critical assets: Security leaders reported that they have limited visibility over important company assets. Only six out of 10 security leaders say they have "high or complete visibility" into their organisations' IoT and operational technology (OT); 47% are across the risk posed to employees who are remote or working from home; and only 30% have visibility over third-party vendors. As a result, few security leaders have a holistic understanding of their organisations' modern attack surface.

Security metrics that speak to business risk: Just four out of 10 Australian security leaders say they work with business stakeholders to align cost, performance, and risk reduction objectives with business needs. Fewer than 50% state that they use contextual threat metrics to measure their organisations' cyber risk. 

Predictive business risk context for incoming threats: Forty percent of Australian security leaders aren't confident that they have the technology, processes or data to predict cybersecurity threats. This could, in part, be due to a lack of automation technologies since three out of 10 security leaders say their organisations still manually review spreadsheets to track cybersecurity performance.

As the Forrester study notes: "Today's digital business requires a new way to measure and manage cybersecurity as a strategic business risk. This new approach needs to be focused on both understanding the current risk posture and predicting the greatest threats to the business. These insights empower more informed risk-based decisions and focus security on what matters to the business." The study found that security leaders who excel in these areas are much better equipped to speak the language of business risk. 

Learn more

¹ "Business-impacting" relates to a cyberattack or compromise that results in a loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.

Spotlight on France: COVID-19 Response Reveals a Disconnect Between Cybersecurity and the Business


A lack of alignment on COVID-19 response plans exemplifies how a chronic disconnect between cybersecurity and business leaders increases organizational risk. 

As organizations in France grapple with yet another wave of COVID-19 infections, driving a further push toward remote work, a lack of alignment between business and cybersecurity leaders is proving detrimental. The vast majority of business and security leaders in France (88%) acknowledge that their pandemic response strategies are only somewhat aligned, at best. And two thirds said they are very or extremely concerned that COVID-19-related workforce changes would increase their organizations' level of risk. 

The self-reported data is drawn from a commissioned study of 104 business and cybersecurity leaders in France. The study, The Rise of the Business-Aligned Security Executive - a Spotlight on French Organizations, was conducted by Forrester Consulting on behalf of Tenable. 

The effects of the disconnect are readily apparent: 30% of respondents said their organization had already experienced at least one business-impacting cyberattack related to COVID-19 by April 2020.

The pandemic brings to light a lack of alignment that is chronic and potentially harmful to business operations even in the best of times. In fact, 34% of business executives said that they rarely consult with security leaders when developing their organization's business strategies. Almost half (42%) of French security leaders said they don't work with business stakeholders to align cost, performance and risk reduction objectives with the needs and priorities of the business.

Meanwhile, 90% of French organizations have experienced at least one business-impacting¹ cyberattack in the past 24 months and 40% have experienced five or more. The business fallout as a result of these attacks includes:

  • Loss of productivity (38%)
  • Loss of customer data (33%)
  • Financial loss or theft (31%)

The misalignment between security and business leaders is exacerbated by the challenges infosec professionals face in communicating risk in a language the business understands. A lack of visibility is compounding the issue, particularly in light of the newly distributed and dynamic environments made necessary by COVID-19. The study found that:  

  • 40% of French security leaders said they had limited visibility into the risk posed by employees - whether on-premises or working from home.
  • Roughly a third reported a similar lack of visibility into their IT, operational technology (OT) and internet of things (IoT) devices.
  • More than half of respondents had limited visibility into mobile devices.

With cyber risk now an integral part of business risk, direct, consistent and effective communication is the only way to develop strategies that further organizational goals while prioritizing risk reduction around the most business-critical assets. The study shows that when business and cybersecurity leaders are aligned, the results are significant. In fact, 72% of business-aligned security leaders are very or completely confident in their ability to report on their organizations' level of risk versus just 9% of their more siloed peers. And, in a time of global economic uncertainty, it's worth noting that 85% of business-aligned security leaders have metrics to track cybersecurity ROI and impact on business performance versus just 25% of their more reactive and siloed peers.

When cybersecurity strategy is aligned with business needs, security teams are equipped to deliver an informed, risk-based approach that prioritizes what matters most to the business, making the organization more resilient in times of crisis and more productive when circumstances improve.

Learn more:

¹ "Business-impacting" relates to a cyberattack or compromise that results in a loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.

Spotlight on Germany: A Business-Cyber Disconnect Puts Organizations at Risk


A chronic lack of collaboration between German business and security executives was exacerbated during the global COVID-19 pandemic.

The disconnect between business and cybersecurity leaders in Germany is a chasm. Nearly half of business executives in Germany rarely consult with security leaders when developing their organization's business strategy. Likewise, 66% of German security leaders fail to work with business stakeholders to align cost, performance, and risk reduction objectives with the needs and priorities of the business.

The global COVID-19 pandemic served to bring this disconnect into stark relief. Even as organizations across Germany scrambled to accommodate the needs of a newly remote workforce, the vast majority of business and security leaders (75%) said their COVID-19 response strategies were, at best, only somewhat aligned. 

The self-reported data is drawn from The Rise of the Business-Aligned Security Executive — a Spotlight on German Organizations. The commissioned study of 103 business and cybersecurity leaders in Germany was conducted by Forrester Consulting on behalf of Tenable. 

With approximately 25% of German employees now estimated to be working from home — an increase from 12% before the pandemic, according to Hubertus Heil, Germany's labor minister — the lack of business-cyber alignment is particularly troubling. Indeed, 42% of respondents in the Forrester study said their organization had already experienced at least one business-impacting¹ cyberattack related to COVID-19. And more than half (55%) are very or extremely concerned that COVID-19-related workforce changes would increase their organizations' level of risk.

These concerns are not surprising, given that only 50% of German security leaders reported having high or complete visibility into the risk posed by remote employees. The study shows that German security leaders are challenged to find the right mix of technology, processes and data to predict the business impact of cyberthreats. And the concerns extend beyond remote employees. According to the study:

  • Sixty-one percent of German security leaders report that they lack a holistic understanding and assessment of the organization's entire attack surface.
  • Nearly two thirds (63%) say they lack good visibility into the state of security of their most critical assets.

The lack of alignment and visibility has tangible effects on organizations in Germany, where half of the respondents confirmed their organization had experienced five or more business-impacting¹ cyberattacks over the past two years. The business fallout from these attacks included:

  • Loss of productivity (45%)
  • Loss of customer data (37%)
  • Financial loss or theft (35%)

So, what's the good news? The study shows that when business and cybersecurity are aligned, the results are significant. For example, business-aligned security leaders are eight times as likely as their more siloed peers to be highly confident in their ability to report on their organizations' level of security or risk. By locking arms with business leaders, security teams are empowered to deliver an informed, risk-based strategy that focuses on what matters most to the business. Rather than work in silos, security and business leaders must partner together to take an offensive view of cybersecurity risk that ensures the business, and its most critical functions, are secure.

Learn more:

¹ "Business-impacting" relates to a cyberattack or compromise that results in a loss of customer, employee or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.

Tenable Celebrates Veterans Day, Launches New Resource for Careers in Cybersecurity


For over 100 years, Veterans Day has been celebrated by nations across the globe. Tenable supports and honors the international military community, and today announces the launch of a new Veterans@Tenable resource group.

November 11th is the date when many countries celebrate those who have served in the armed forces. In the United States, it is called Veterans Day, but other countries celebrate Remembrance Day and Armistice Day. The date is significant because at 11 a.m. (Paris time) on November 11, 1918, the Armistice was signed with Germany, ending World War I. Here at Tenable, we are privileged to work with a diverse team from all over the world. Many of us have served in our countries’ militaries, and though many countries celebrate their veterans on a different date, we honor you now. It is also today that Tenable officially launches the Veterans@Tenable Employee Resource Group (ERG).

Making the transition from the military to cybersecurity 

It can be difficult for those who have not served to understand what it means to be a veteran. Even among vets, that meaning can be personal and deep-seated. There is a common saying in the U.S. military that “all gave some; some gave all.” Our ERG is here to support those at Tenable who have served with honor, as well as their families, providing a place for veterans to gather, share and ask for help when it’s needed. We’ll be attending recruiting events, volunteering for service projects, hosting webinars, and sponsoring initiatives like the University of Louisville’s C4 Project, which strives to bring more veterans, active duty and military family members into the cybersecurity industry.

Veterans@Tenable leadership will also generally be available to help veterans shoulder the unseen burdens they may face in transitioning to the private sector and civilian life. Not everyone understands these struggles, both physical as well as mental, which is why the ERG exists. The camaraderie that exists between veterans is unique. We joke with one another, roast each other and get into heated discussions about who was worse off when deployed. At the end of the day, though, there is a feeling of family and belonging. Shared hardships and a common devotion to honor and duty bring us together in a way that few other groups can. As our mission evolves to address our new lives as civilians, we still carry with us the memories both good and bad from our military service.

Celebrating the spirit of those who serve around the world 

Veterans Day, and other celebrations across the world, allow our home countries to reflect and show their continued support towards all who have served both past and present. Veterans have never looked for prestige or glory in the sacrifices made by themselves and their families. We do not demand parades, free meals, or even that simple “thank you for your service.” As veterans, we each answered the call from our great nations and took up the oath to defend and preserve our ways of life with a grateful and highly patriotic heart. Our honor comes not from praise or discounts, but from our ability to serve our respective countries.

To all of our veterans at Tenable, we extend our most sincere gratitude for your commitment and sacrifice and are proud to stand together with you to salute all veterans and active military team members. Thank you for your service and sacrifice.

Learn more 

Chris Banta, contributing author
