Why Vulnerability Management is Better as a Service

Why Vulnerability Management is Better as a Service

Many things in IT are set and forget, you install a new application, you implement a new network or roll out  new visibility system. Sure, these things need to be maintained over time, but the main effort is at implementation time after which point you (hopefully) enjoy the benefits of the initial work.

By contrast, cyber security is an ongoing discipline – you can’t be ‘done’ with cyber security, hackers and hacking techniques are continually evolving, probing for vulnerabilities. A quick look at the growth of identified vulnerabilities from the Mitre Corporation CVE (Common Vulnerability and Exposure) system shows a continual nonlinear growth curve with a clear acceleration around 2017.

As an aside,  for thos interested in the growth of identified vulnerabilities over the last decade or so, Rapid7 have an excellent blog post on this very topic here https://blog.rapid7.com/2018/04/30/cve-100k-by-the-numbers/ (from which I ave borrowed the graph shown below).

Keeping  pace with this ever increasing deluge of vulnerabilities requires constant vigilance.  We often hear of organisations that implement Microsoft SCCM to keep their Windows desktops and servers up to date with the latest patch releases. There is no question that this is an excellent start, but deploying SCCM does not mean that you are ‘done’ with patch management.

What is missing here are the vulnerabilities outside of the base Microsoft ecosystem, third party applications, non-Microsoft machines,  network infrastructure and IoT devices such as cameras and access control systems all present potential points of vulnerability in your IT environment.

The ability to identify vulnerabilities and available software patches across the diverse range of systems in your environment is challenging, and not only that, you need to continually monitor these devices to ensure they are secure as the myriad of new vulnerabilities emerge daily.

This is where vulnerability management kicks in. A good vulnerability management (VM) solution will not only identify existing vulnerabilities across your complete IT environment, it will also identify the recommended patches to install to keep your systems safe (in fact a good VM solution like Qualys can do a whole lot more than just this … but perhaps the subject for another blog).

Vulnerability management should be considered an absolute must as part of any cyber security strategy, just like implementing firewalls or anti-virus, vulnerability management is key component in securing your organisation. But we shouldn’t consider vulnerability management as a ‘thing’ to deploy – vulnerability management is an ongoing discipline. At Counterhack, we often see organisations implement a vulnerability management system with the best of intentions, only to sit idle gathering dust with no one tasked with the critical job of actually running scans and keeping track of patch levels across the organisation.

By it’s very nature as an ongoing discipline, vulnerability management lends itself to being offered as a service. A discipline best outsourced to a specialist third party that understands the threat landscape and can identify weaknesses and help you to maintain patch levels. A service that helps you keep secure. This is the very reason that Counterhack offer a turnkey Vulnerability Management Service.

Speak to Counterhack today about your cyber security needs

Central West Man Inherits Fortune from Nigerian Prince

Central West Man Inherits Fortune from Nigerian Prince

(A Light Hearted Look at Phishing)

West Wyalong man Wazza Whiting is in a celebratory mood tonight after announcing the inheritance of $10 million dollars from a recently deceased member of the Nigerian Royal Family.  It was cold VB’s all round at the Crooked Mile RSL as Wazza shouted the bar stating, “I’m rich now, so when we’re done with the V-Bangers, we might even have some of those fancy inner city craft beers”.

When asked how it came about that an unemployed self proclaimed entrepeneur  from country NSW was the beneficiary of a West African fortune, Wazza was remarkable upfront. “It’s was easy”, he said, “I simply responded to an email asking for my bank account details and it just developed from there – the Nigerians have been very helpful in guiding me through the whole process”.

“What can I say, I’m a “clicker”, I just love to click on links in emails or websites, pretty much anywhere really. You never know what you will find, but there is definitely opportunity” said Wazza. Of course there have been setbacks along the way, not every click turned out for the best. Wazza has been married 7 times to Eastern European women he has never actually met and he has had to pay his fair share of ransomware demands to keep his computer working, but he believes it all worthwhile now that he has finally landed the ‘big one’.

But despite the celebrations, it seems that Wazza is actually still yet to receive any money. According to Wazza, the Nigerian legal system is very complex. It seems there are many checks and balances and hurdles to be negotiated. But the local team on the ground in Lagos has been very helpful. So far Wazza has sent around $10,000 to the Nigerian lawyers to facilitate the inheritance, and he is assured that it will only be a few more thousand before the full inheritance is released. According to Wazza, this is a small price to pay for such a large reward!

We will await further developments and keep you posted on progress to see how Wazza gets on with the delicate task of extracting money from the Nigerian Royals. In the meantime, we are happy to avail ourselves of the hospitality of the Crooked Mile RSL and enjoy another cold VB.

On a serious note though, clicking on phishing links presents a serious risk to business. And whilst (we hope at least) that most people will not fall for the old fashioned Nigerian inheritance scam, there are certainly many more sophisticated phishing attacks that are much more difficult to detect.  User awareness training is a complete field in itself and certainly worth considering to keep your envionrment and users safe. At the very least, consider these two simple strategies for helping to not get caught:

  • If it sounds too good to be true, then it probably is – just don’t click.
  • Take a second to pause, perhaps ask a colleague and think before you click.

Counterhack  offer a range of comprehensive cyber security services to ensure your business is secure. From user awareness training and penetration testing right through to vulnerability management, security event management and consulting, Counterhack have a range of services to meet your business requirements irrespective of size.

Speak to Counterhack today to see how we can meet you cyber security needs.

Speak to Counterhack today about your cyber security needs

Cyber security company stuns industry with advertisement that doesn’t feature a hacker in a hoodie.

Cyber security company stuns industry with advertisement that doesn’t feature a hacker in a hoodie.

Industry pundits are astounded with an advertisement placed by a top flight cyber security company that doesn’t feature a hacker in a hoodie in a dark room. Even more surprising is the total break from traditional techniques with no pad locks, no screens of code, no anonymous face masks, not even a space age blue graphic with latticework of connected dots.

Earl Counterthwack, the marketing manager of Sydney based We Be Number One Best Cyber Security Company,  speaking from his Covid safe remote office in a Kuta backstreet said he drew inspiration for the advertisement after downing 17 Bintangs in a particularly florid session last Friday afternoon. The Eureka moment came for Earl after waking up more than a little dusty in a beachside hammock surrounded by empty drinking coconuts, he knew that a change of direction for the cyber security campaign was perfect.

In fact, the advertisement is a compete departure from tradition, it plays on confidence rather than fear. When asked if this approach ran the risk of confusing potential customers by not trying to scare the ‘beejezuz’ out of them with an image that was, well, somewhat comforting. Earl responded by saying that it was either a guy in a hammock or a good looking swimsuit model. The final decision came down to the hammock after Earl’s last run in with HR relating to bikini image downloads which saw his work Internet privileges restricted.

It remains to be seen how effective this new advertisement will be, but the industry is certainly abuzz with chatter about this revolutionary approach. Earl has promised to keep us across developments as the campaign progresses.

On a serious note though, Counterhack  offer a range of comprehensive cyber security services to ensure your business is secure. From penetration testing right through to vulnerability management, security event management and consulting, Counterhack have a range of services to meet your business requirements irrespective of size.

Speak to Counterhack today to see how we can meet you cyber security needs.

Speak to Counterhack today about your cyber security needs

TLSv1.3 – The Good, The Bad and The Ugly

TLSv1.3 – The Good, The Bad and The Ugly

A new version of Transport Layer Security (TLS) is coming… welcome TLS1.3!

Well to be fair it is already here and has been for over 12 months, but as is the case with many Internet standards, adoption is taking some time. And for those not fully across exactly what TLS is, it is a security protocol designed to allow secure communication of data over the Internet. Even if you don’t know what it is, you are probably familiar with the small padlock symbol on your browser address bar signifying a ‘secure’ connection … that’s TLS.

Ok, so what’s new in TLSv1.3 and why do I care? Well, it turns out there is a whole heap of new stuff, most of which is outside the scope of a short blog post like this, but essentially it is faster and more secure. So, what’s not to like, surely faster and more secure is a good thing … right?

Well yes, it is most certainly a good thing. Internet security is increasingly issue for both personal and business communications. We are all aware that cyber security issues are increasing daily and has spawned a huge industry to combat and mitigate all aspects of networking and IT infrastructure security (think organisations like Counterhack – experts in keeping your busines cyber-safe … sorry , couldn’t resist a quick plug!) 

So the introduction of TLSv1.3 can only help in maintaining security. The issue is that, along with TLSv1.3 comes ESNI (encrypted server name identification). Web connections using older TLS versions exchange some information in the clear, such as the server certificate name allowing for the origin of the traffic to be determined, even though the communication itself is encrypted. Using ESNI, connections using TLSv1.3 can now encrypt the server name identification field resulting in the origin of the traffic being masked. Put simply, we can no longer identify the origin of the traffic by looking at the certificate name as it is no longer in the clear.  

This is great for privacy …. not so good for surveillance. 

This is a particular concern for countries that are big on surveillance. Since the end of July, China has upgraded it’s ‘Great Firewall’ to block connections using TLSv1.3 and ESNI. Russia are also in the process of adopting legislation that will ban companies or websites that hide the website identifier in encrypted traffic. And whilst China and Russia are obvious examples of jurisdictions that are ‘heavy’ on surveillance, there are plenty of other countries (some pretty close to home) that are just as interested in monitoring Internet usage.

The ultimate result of these moves by China and Russia (and no doubt other jurisdictions) is to make the Internet potentially less secure. It forces companies doing business in these jurisdictions to ‘downgrade’ (or at the very least not ‘upgrade’) making their Internet connections less secure. There are those that also argue that a less secure Internet in these countries may have more serious flow on effects for economic development and foreign investment, as well as leaving citizens of such countries more vulnerable to external privacy threats.

Whilst the jury may be out on how wide ranging the ramifications of TLSv1.3 and ESNI are, one thing is for sure – the introduction of TLSv1.3 does have the potential to fragment the Internet into those that are “secure” and those that are “less secure”. What this means long term remains to be seen, but it will certainly be an interesting space to watch over the next 12 months.

The Truth About Passwords

The Truth About Passwords

 

Anyone who hasn’t been living off the grid for the last 30 years will know the pain of having to manage numerous complex passwords every day in order to work, shop and socialise in our online world. Most of us take it for granted that this is part of the price we pay – along with our privacy – in order to be a member of modern society. But have you ever stopped to think why it has come to this? The truth is, we are paying the price for failures of IT operations teams in securing this information in the first place.

First, let’s examine the different techniques that an attacker can use in an attempt to obtain your password.

One technique is to try to brute force your credentials online. This entails knowing only the format of your login username, and trying a number of potential passwords one by one until they hit paydirt. With current computing power that can try up to 100 billion passwords per second, this seems like an unstoppable attack. However, this technique is easy to thwart simply by restricting the number of attempts that a user has to get their password right, and locking the account once this is exceeded. So even a relatively simple password (say 6 characters) is safe from this attack, as the time to try every possible combination is blown out by this account lockout feature.

Another technique is social engineering – for example phishing attacks – where a user is tricked into revealing their password. This technique’s effectiveness is completely unrelated to the length or complexity of a password. In other words, having 12-character passwords with symbols and numbers won’t offer any protection.

Apart from these, there are about a dozen other ways to steal passwords, but here’s the thing: they all exploit weaknesses in the way your IT operations teams manage their systems. As an example, let’s look at a technique called credential dumping. This involves a hacker getting their hands on the password database at the heart of your network. This may be on a domain controller, an SQL database, or some other platform.

Once a hacker has an offline copy of this password database (which shouldn’t be storing the actual passwords in cleartext, but hashing them instead), they can attempt brute force attacks like the one described earlier. The difference is that there is no rate limiting mechanism to lock them out after a few unsuccessful attempts. And because the database contains the credentials of all users on the system, this is like shooting fish in a barrel.

So, it comes down to this: system administrators force us to use ever longer and more complex passwords only because they aren’t confident that they can adequately protect their crown jewels – the password database. You could charitably view this as an example of defence in depth. Or you could view it as IT teams mitigating their risks by transferring some of the responsibility to end users, and making their life harder in the process.

What’s your view?