Tag: vulnerability

The importance of the Vulnerability Operations Centre for cybersecurity

Post author By lisa nichols
Post date April 19, 2024
No Comments on The importance of the Vulnerability Operations Centre for cybersecurity

[ad_1]

Traditional cybersecurity is laser-focused on incident detection and response. In other words, it’s built around a Security Operations Centre (SOC). That’s no bad thing in itself. Read between the lines, however, and that assumes we’re waiting on the threats to come to us. With cyber adversaries evolving their tactics through AI, automated ransomware campaigns, and other advanced persistent threats (APTs), adopting advanced, proactive measures has never been more critical. Except that your SOC team is already drowning in vulnerabilities and knee-jerk remediations. How can they even begin to manage this?

Today’s ever worsening threat landscape calls for a strategic pivot towards the establishment of a Vulnerability Operations Centre (VOC) to rethink the foundational challenges of vulnerability management and cyber resilience.

The Strategic Imperative of the VOC

Traditional strategies are necessary but painfully insufficient. As an industry, we’ve predominantly been reactive, focusing on the detection and mitigation of immediate threats. This short-term perspective overlooks the underlying, ongoing challenge posed by a vast backlog of vulnerabilities, many of which have been known but unaddressed for years. Alarmingly, over 76% of vulnerabilities currently exploited by ransomware gangs were discovered more than three years ago. Either SOC teams don’t care – which we know is not true – or they can’t keep up on their own. It’s time to admit that the main problem they face is knowing which handful of threats to focus on amidst the tidal wave.

Sylvain Cortes

VP of Strategy, Hackuity.

The VOC provides a new approach to this challenge, offering a centralized, automated, and risk-based approach to vulnerability management. Unlike the SOC, whose primary objective is to manage incidents and alerts, the VOC is designed to predict and prevent these incidents from occurring in the first place. It focuses exclusively on the prevention, detection, analysis, prioritization, and remediation of security flaws that affect an organization’s unique IT environment. By doing so, VOCs enable organizations to address the far narrower, infinitely more manageable list of vulnerabilities that pose a significant, actual threat to their operations and sensitive data.

Linking SOC to VOC: A synergistic approach

The synergy between the SOC and VOC is essential to creating a comprehensive security framework that not only responds to threats but proactively works to prevent them.

The process of linking SOCs to VOCs begins with CISOs recognizing that patch management is not a standalone task but a core component of the broader security strategy. A dedicated team or unit, ideally under the guidance of the Chief Information Security Officer (CISO) or another appointed security leader, should spearhead the establishment of the VOC. This approach underscores the importance of a clear directive from the highest levels of cybersecurity leadership, ensuring that the VOC is not just an operational unit, but a strategic endeavor aimed at enhancing the organization’s overall cyber resilience.

Establishing a VOC involves leveraging existing vulnerability assessment tools to create a baseline of the current security posture. This initial step is crucial for understanding the scope and scale of vulnerabilities across the organization’s assets. From this baseline, the team can aggregate, deduplicate, and normalize vulnerability data to produce a clear, actionable dataset. Integrating this dataset into the SOC’s security information and event management (SIEM) systems enhances visibility and context for security events, enabling a more nuanced and informed response to potential threats.

The transition from technical vulnerability assessment to risk-based prioritization is a pivotal aspect of the VOC’s function. This involves evaluating how each identified vulnerability impacts the business, then prioritising remediation efforts based on this impact. Such a shift allows for a more strategic allocation of resources to focus on vulnerabilities that pose the highest risk to the organization.

Automation must play a key role in this process, enabling routine vulnerability scans, alert prioritization, and patch deployment to be conducted with minimal human intervention. This not only streamlines operations but also allows analysts to concentrate on complex tasks that require intricate human judgment and expertise.

The VOC empowers cybersecurity teams with a comprehensive and systematic approach to vulnerability management, significantly simplifying the process of handling an exponentially increasing number of CVEs. The immediate benefits include:

Centralization of Vulnerability Data: By aggregating and analyzing vulnerability information, the VOC provides a unified view that makes life easier for teams identifying and prioritizing critical vulnerabilities.

Automation and Streamlining Processes: The use of automation tools within the VOC framework accelerates the detection, analysis, and remediation processes. This not only reduces the manual workload but also minimizes the likelihood of human error, enhancing the overall efficiency of vulnerability management.

Risk-Based Prioritization: Implementing a risk-based approach allows teams to focus their efforts on vulnerabilities that pose the highest risk to the organization, ensuring that resources are allocated effectively and that critical threats are addressed ASAP.

Enhanced Collaboration and Communication: The VOC fosters better collaboration across different teams by breaking down silos and ensuring that all relevant stakeholders are informed about the vulnerability management process. This shared understanding improves the organization’s ability to respond to vulnerabilities swiftly and effectively.

Ownership and Accountability: Centralizing operations for vulnerability management within the VOC framework ensures clear accountability and ownership across teams. This organizational clarity is vital to removing siloes and reducing risk, as it establishes well-defined roles and responsibilities for vulnerability management, ensuring that all team members understand their part in safeguarding systems and networks.

That’s a lot to digest but, put simply, it’s time to rethink how we approach vulnerability management. Check the news – or better yet, check in with the rest of your cybersecurity team. A VOC reduces the crushing burden of vulnerability management on SOCs and makes the lives of all security teams that much easier. By centralizing operations, automating routine tasks, and emphasizing risk-based prioritization, the VOC enhances the organization’s security posture. Linking your SOC to your future VOC creates a seamless flow of actionable intelligence directly into the threat response mechanism.

The endgame? Ensuring that your organization’s defense mechanisms are both proactive and responsive for a far more secure and resilient digital environment.

We feature the best cloud antivirus.

This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

[ad_2]

Source Article Link

Tags Centre, Cybersecurity, Importance, Operations, vulnerability

Featured

Hackers are already attacking this Microsoft SharePoint vulnerability, so patch now

Post author By lisa nichols
Post date March 29, 2024
No Comments on Hackers are already attacking this Microsoft SharePoint vulnerability, so patch now

[ad_1]

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new Microsoft Sharepoint Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling that hackers have begun exploiting it in the wild.

The vulnerability is tracked as CVE-2023-24955, and carries a severity score of 7.2. It is described as a critical remote code execution (RCE) flaw, that allows an authenticated threat actor, with Site Owner privileges, to execute arbitrary code on the vulnerable endpoints.

Such a vulnerability could be used for a number of things, from malware deployment, to information stealing.

FCEBs on a deadline

“In a network-based attack, an authenticated attacker as a Site Owner could execute code remotely on the SharePoint Server,” Microsoft said in an advisory.

The fix was released with the May 2023 Patch Tuesday cumulative update, so in case you skipped that one, you might want to reconsider. Those who have automatic updates enabled are most likely already protected, though.

Two months ago, CISA added a separate flaw, CVE-2023-29357, to KEV. This flaw was chained together with the newly-added RCE last year, at the Pwn2Own Vancouver hacking contest. StarLabs SG, who demonstrated how the two vulnerabilities could be combined for devastating effects, won $100,000 for their efforts.

While threat actors currently might be abusing these two, there is no evidence that anyone chained them together yet.

Federal Civilian Executive Branch (FCEB) agencies have until April 16 this year to apply the patch.

Microsoft SharePoint is a web-based collaborative platform, available through the Microsoft 365 productivity suite. It was first launched in 2001 as a document management and storage system. It was also used to share information via intranet. According to Microsoft’s 2020 figures, SharePoint had more than 200 million active monthly users, with Gitnux adding that 80% of Fortune 500 companies use the tool.

Via TheHackerNews

Apple Silicon Vulnerability Allows Hackers to Extract Encryption Keys

Post author By miranda cosgrove
Post date March 22, 2024
No Comments on Apple Silicon Vulnerability Allows Hackers to Extract Encryption Keys

[ad_1]

An unpatchable vulnerability has been discovered in Apple’s M-series chips that allows attackers to extract secret encryption keys from Macs under certain conditions, according to a newly published academic research paper.

m1 vs m2 air feature toned down
Named “GoFetch,” the type of cyber attack described involves Data Memory-Dependent Prefetchers (DMPs), which try to predict what data the computer will need next and retrieve it in advance. This is meant to make processing faster, but it can unintentionally reveal information about what the computer is doing.

The paper finds that DMPs, especially the ones in Apple’s processors, pose a significant threat to the security provided by constant-time programming models, which are used to write programs so that they take the same amount of time to run, no matter what data they’re dealing with.

The constant-time programming model is meant to protect against side-channel attacks, or types of attacks where someone can gain sensitive information from a computer system without directly accessing it (by observing certain patterns, for example). The idea is that if all operations take the same amount of time, there’s less for an attacker to observe and exploit.

However, the paper finds that DMPs, particularly in Apple silicon, can leak information even if the program is designed not to reveal any patterns in how it accesses memory. The new research finds that the DMPs can sometimes confuse memory content, which causes it to treat the data as an address to perform memory access, which goes against the constant-time model.

The authors present GoFetch as a new type of attack that can exploit this vulnerability in DMPs to extract encryption keys from secure software. The attack works against some popular encryption algorithms that are thought to be resistant to side-channel attacks, including both traditional (e.g. OpenSSL Diffie-Hellman Key Exchange, Go RSA decryption) and post-quantum (e.g. CRYSTALS-Kyber and CRYSTALS-Dilithium) cryptographic methods.

In an email to ArsTechnica, the authors explained:

Prefetchers usually look at addresses of accessed data (ignoring values of accessed data) and try to guess future addresses that might be useful. The DMP is different in this sense as in addition to addresses it also uses the data values in order to make predictions (predict addresses to go to and prefetch). In particular, if a data value “looks like” a pointer, it will be treated as an “address” (where in fact it’s actually not!) and the data from this “address” will be brought to the cache. The arrival of this address into the cache is visible, leaking over cache side channels.

Our attack exploits this fact. We cannot leak encryption keys directly, but what we can do is manipulate intermediate data inside the encryption algorithm to look like a pointer via a chosen input attack. The DMP then sees that the data value “looks like” an address, and brings the data from this “address” into the cache, which leaks the “address.” We don’t care about the data value being prefetched, but the fact that the intermediate data looked like an address is visible via a cache channel and is sufficient to reveal the secret key over time.

In summary, the paper shows that the DMP feature in Apple silicon CPUs could be used to bypass security measures in cryptography software that were thought to protect against such leaks, potentially allowing attackers to access sensitive information, such as a 2048-bit RSA key, in some cases in less than an hour.

According to the authors, the flaw in Apple’s chips cannot be patched directly. Instead, the attack vector can only be reduced by building defenses into third-party cryptographic software that could result in an extreme performance degradation when executing the cryptographic operations, particularly on the earlier M1 and M2 chips. The DMP on the M3, Apple’s latest chip, has a special bit that developers can invoke to disable it, but the researchers aren’t yet sure what kind of penalty will occur when this performance optimization is turned off.

As ArsTechnica notes, this isn’t the first time researchers have identified threats in Apple DMPs. Research documented in 2022 discovered one such threat in both the ‌M1‌ and Apple’s A14 Bionic chip for iPhones, which resulted in the “Augury” attack. However, this attack was ultimately unable to extract the sensitive data when constant-time practices were used.

“GoFetch shows that the DMP is significantly more aggressive than previously thought and thus poses a much greater security risk,” the researchers claim on their website. “Specifically, we find that any value loaded from memory is a candidate for being dereferenced (literally!). This allows us to sidestep many of Augury’s limitations and demonstrate end-to-end attacks on real constant-time code.”

Users concerned about the vulnerability are advised to check for GoFetch mitigation updates that become available in future macOS updates for any of the encryption protocols known to be vulnerable. Apple representatives declined to comment on the record when ArsTechnica asked about the research.

[ad_2]

Source Article Link

Tags Apple, encryption, extract, hackers, Keys, silicon, vulnerability

Featured

Another Microsoft vulnerability is being used to spread malware

Post author By lisa nichols
Post date March 19, 2024
No Comments on Another Microsoft vulnerability is being used to spread malware

[ad_1]

Hackers are using a novel phishing technique to deliver remote access trojans (RAT) to unsuspecting victims.

According to the report, published this Monday, threat actors are using a technique called Object Linking and Embedding (OLE).

This is a Windows feature that allows users to embed and link documents within documents, resulting in compound files with elements from different programs.

New phishing methods

This is according to cybersecurity experts Perception Point, who recently detailed a campaign they dubbed Operation PhantomBlu.

The campaign starts with the usual phishing email, seemingly coming from the victim’s company accounting department. The emails are being sent from a legitimate marketing platform called Brevo, suggesting the platform was most likely compromised in some way.

Attached with the email is a Word “monthly salary report” document. The victims that download the file are first asked to enter a password to open it, and then double-click a printer icon embedded in the doc.

By doing that, the victim runs a ZIP archive file holding a Windows shortcut file, which runs a PowerShell dropper which deploys the NetSupport RAT from a remote server.

“By using encrypted .docs to deliver the NetSupport RAT via OLE template and template injection, PhantomBlu marks a departure from the conventional TTPs commonly associated with NetSupport RAT deployments,” said Ariel Davidpur, the report’s author, adding the updated technique “showcases PhantomBlu’s innovation in blending sophisticated evasion tactics with social engineering.”

NetSupport RAT is a weaponized version of NetSupport Manager, a legitimate remote control software, first released in 1989. For years now, NetSupport RAT was one of the most commonly used remote access trojans, allowing attackers unabated access to compromised devices. They can then use that access to deploy even more dangerous malware, including infostealers and ransomware.

The best way to protect against these attacks is to be vigilant when receiving emails and only downloading attachments from verified sources.

ASUSTOR Severe Vulnerability Detected – update Surveillance Center now

Post author By miranda cosgrove
Post date February 8, 2024
No Comments on ASUSTOR Severe Vulnerability Detected – update Surveillance Center now

ASUSTOR Severe Vulnerability Detected - update Surveillance Center now

ASUSTOR has released an emergency update for its Surveillance Center software after discovering a severe vulnerability that could allow attackers to gain elevated privileges and execute malicious code on the ADM platform. The company has released an urgent security update for its Surveillance Center software, which is a critical move to address a serious vulnerability that could potentially allow cyber attackers to gain unauthorized access and control.

This vulnerability is particularly alarming because it could enable attackers to gain elevated privileges within the ADM platform, which is the core of ASUSTOR’s network storage systems. If this security gap were to be exploited, it could lead to the introduction of harmful code, resulting in malware infections that could compromise the integrity and security of the system.

The risk posed by this vulnerability cannot be overstated. It could allow for unauthorized manipulation of surveillance systems, leading to significant security breaches. ASUSTOR’s proactive release of the emergency update is a clear indication of the company’s commitment to protecting its users’ data from such threats.

ASUSTOR Severe Vulnerability Detected

To further enhance the security of your system, ASUSTOR recommends that users take several additional steps. First and foremost, it is crucial to update your passwords. Passwords should be strong and unique, avoiding simple combinations that can be easily guessed. A good password typically includes a mix of letters, numbers, and symbols, making it much harder for attackers to crack. ASUSTOR strongly recommends taking the following actions to ensure your data is secure:

Change your password.
Use a strong password.
Change default HTTP and HTTPS ports. Default ports are 8000 and 8001 respectively.
Turn off Terminal/SSH and SFTP services and other services you do not use.
Make regular backups and ensure backups are up to date.
Turn on and update snapshots if available.
Enable the AbuseIPDB risk detection greylist.

Another important security measure is to change the default HTTP and HTTPS ports. These ports, which are often set to 8000 and 8001, should be changed to less common numbers. This simple change can significantly reduce the risk of unauthorized access attempts, as it makes it more difficult for attackers to target your system.

Users should also consider disabling services that are not regularly used, such as Terminal/SSH and SFTP. These services can act as potential entry points for attackers if they are left enabled without proper security monitoring. By disabling them, you can close off these vulnerabilities and make your system more secure.

Update Surveillance Center

Regular backups are a cornerstone of data protection. It is essential to perform backups consistently and verify that they are up to date. In the event that your system is compromised, having a recent backup is invaluable for restoring your data quickly and efficiently.

Adding another layer of protection, ASUSTOR suggests implementing snapshots. Snapshots can capture the state of your system at specific intervals, which can be incredibly helpful for a speedy recovery process if your system encounters any issues.

Lastly, enabling the AbuseIPDB risk detection greylist can provide an additional layer of defense. This service helps to identify and block potential threats by cross-referencing a database of known malicious IP addresses. By using this service, you can prevent many known threats from ever reaching your system.

The emergency update from ASUSTOR is a critical response to a significant security threat. By following the company’s guidance on password security, port adjustments, service management, backup practices, snapshot maintenance, and risk detection, users can significantly enhance the security of their ADM platform. It is imperative for users to take immediate action to ensure the continued safety and reliability of their surveillance systems.

Filed Under: Technology News, Top News

Latest timeswonderful Deals

Disclosure: Some of our articles include affiliate links. If you buy something through one of these links, timeswonderful may earn an affiliate commission. Learn about our Disclosure Policy.

Tags ASUSTOR, center, Detected, Severe, Surveillance, update, vulnerability

News

ZOOM VISS vulnerability impact scoring system announced

Post author By miranda cosgrove
Post date December 19, 2023
No Comments on ZOOM VISS vulnerability impact scoring system announced

ZOOM VISS vulnerability impact scoring system announced

The digital landscape, ever expanding and evolving, has given rise to an increasing number of security vulnerabilities. To address this issue, a new open-source project called the Vulnerability Impact Scoring System (VISS) has been introduced. VISS is designed to enhance security measures by providing a unique assessment tool that measures the impact of vulnerabilities from a defender’s perspective. This innovative approach focuses on the actual impact of potential threats, rather than on their theoretical existence.

Since March 2023, Zoom, a leading video conferencing platform, has been utilizing VISS to assess reward disbursements within its Bug Bounty Program. This program encourages security researchers and product users to uncover and disclose security vulnerabilities, providing them with legal protection. The incorporation of VISS into this program has been instrumental in helping Zoom prioritize vulnerabilities that are most likely to impact them, thus allowing for more efficient use of resources.

The Vulnerability Impact Scoring System analyzes vulnerabilities based on 13 impact aspects. These aspects are categorized into three groups: platform, infrastructure, and data. The resulting score, ranging from 0 to 100, reflects the severity of the impact within a specific environment. This scoring system provides an objective measure of the potential damage a vulnerability could inflict, enabling organizations to prioritize their response efforts accordingly.

ZOOM VISS vulnerability impact scoring

VISS was put to the test during the HackerOne H1-4420 live-hacking event in London in 2023. The event demonstrated the effectiveness of VISS in improving resource allocation and focusing on addressing Critical and High severity vulnerabilities. The implementation of VISS led to a shift in vulnerability report submissions towards these higher severity categories, with a significant reduction observed in medium severity submissions.

This shift towards targeting higher severity vulnerabilities is a testament to the efficacy of VISS. By providing a clear, objective measure of the potential impact of a vulnerability, VISS enables organizations to focus their resources where they are most needed. This, in turn, leads to a more robust and secure digital environment.

VISS is not just a tool for individual organizations, but a global mission to enhance security measures. By providing a comprehensive and objective measure of vulnerability impact, VISS aims to enhance the capabilities of incident response and security teams across the globe. The open-source nature of the project invites contributions to its development, fostering a collaborative approach to improving digital security.

The development and implementation of the Vulnerability Impact Scoring System is a significant stride forward in the realm of digital security. By focusing on the actual impact of vulnerabilities, VISS offers a more realistic and effective approach to managing digital threats. The system’s successful use in Zoom’s Bug Bounty Program and the HackerOne H1-4420 live-hacking event highlights its potential to transform the way organizations respond to security vulnerabilities.

The VISS project is open for exploration and contribution under the GPL 3.0 license at https://github.com/zoom/viss. This open-source project is a testament to the collaborative spirit of the digital community, inviting all to contribute to the ongoing development and enhancement of this innovative security tool. With the continued development and implementation of VISS, the future of digital security looks promising.

Filed Under: Technology News, Top News

Latest timeswonderful Deals

Disclosure: Some of our articles include affiliate links. If you buy something through one of these links, timeswonderful may earn an affiliate commission. Learn about our Disclosure Policy.

Tags announced, Impact, scoring, system, VISS, vulnerability, Zoom