Continuous Vulnerability Management Service, Continuous Monitoring, Secure VPN Vulnerabilities, Secure Virtual Private Network
The traditional security assessment formula has become stale and obsolete. Some companies perform vulnerability assessments or Penetration Tests (“PenTests”) only once a year. This isn’t sufficient: as technology advances, modern society is more interconnected and software driven, and new technology typically ships with undiscovered security issues that remain unknown until security researchers find them and either disclose them publicly or seek legitimate compensation through the software company’s “Bug Bounty” program.
But the threat landscape is evolving, and hackers are quick to weaponize high profile vulnerabilities. Attackers (the bad guys) now weaponize vulnerabilities disclosed by researchers faster than ever. By “weaponize” we mean they take a vulnerability or technical issue and create proof-of-concept code or scripts that make it easier to attack your information systems; in essence they build a weapon out of the vulnerability. Here are two examples of such high profile issues:
Examples of Recent High Profile Vulnerabilities
- The first example is the Salt stack authentication bypass.
- Salt is an open source configuration management framework typically used to manage large fleets of servers. The Salt master server sends commands to minion servers, which execute those instructions on demand, automating administration across the fleet.
- Two specific vulnerabilities disclosed in late April 2020 – CVE-2020-11651 (an authentication bypass flaw) and CVE-2020-11652 (a directory traversal flaw) – combined to allow unauthenticated remote attackers to execute code on the affected system.
- The second example is the Citrix Application Delivery Controller (ADC), otherwise known as NetScaler ADC, and Citrix Gateway. Around the beginning of 2020 these network appliances had a serious issue that could allow an attacker to gain remote control of the affected systems. It was a two-stage attack: the first stage uploaded a malicious payload into the filesystem of the NetScaler, and the second stage executed that payload in the context of the system.
- So, what is NetScaler in layman’s terms? It is an application load balancer that also has VPN functionality. It is installed at the perimeter of the network as a security device, often to allow employees to access sensitive applications remotely from home. Think about that for a moment: the VPN that was supposed to keep you safe is now putting your company in danger.
- F5 TMUI authentication bypass (similar to the Citrix example).
- The benefits of a continuous approach, in contrast to the periodic or once-a-year assessment approach:
- The biggest benefit is that we reduce the time to discovery and speed up the response time to fix serious issues.
- Instead of a snapshot once a year, we continuously assess for any new vulnerabilities that could affect the organization.
- How do we define the term “Continuous” in this context? There are two primary aspects:
- The first aspect is continuous monitoring: threat intelligence gathering of events and attacker activity in the wild, along with security researcher or vendor disclosures. This needs to happen continuously because these issues can become known at any time throughout the year.
- The second aspect is the technical testing, or scanning for vulnerabilities. These scans are scheduled in accordance with your unique environment. Depending on the complexity of your networks, we may elect to do this weekly or daily to make sure that we have full coverage of your systems.
- Question: If a client had the Salt Stack, Citrix and F5 vulnerabilities we discuss here, and had hired a penetration test firm (cybersecurity consultant), wouldn’t the firm find all these issues?
The answer is, maybe.
- Penetration tests (a/k/a “PenTests”) have a strict scope and duration. The focus is to find out, in a short timeline, whether there are any vulnerabilities or issues in the environment at that moment in time that could be leveraged by attackers to cause a breach. In other words, it may not be feasible to cover a huge environment with such limiting factors. The goal of the PenTest, then, is to find the quickest or easiest ways to achieve a data breach. In some cases a PenTest may come across serious vulnerabilities that are then disclosed to the entire security community, but that isn’t the primary focus.
- Another factor is that security researchers may have elevated positions or privileges with software companies, including direct access to source code, which makes it easier for them to find issues.
- Question: What types of clients, business industries, or characteristics will benefit most from a continuous approach?
- All business organizations benefit. There is no “one size fits all” in data security. Each business organization has unique characteristics: assets and operations are unique, and so are staff size and capabilities.
- Example: an e-commerce business with little or no internal network needs little internal scanning, but more focus on web application issues.
- Example: a larger internal network with limited public presence means that internal scans need to prioritize not just servers but also workstations that may go on and off the network.
- Question: What if a company uses cloud infrastructure? Do they still need to be concerned with Continuous Vulnerability Management?
- IT operations can be outsourced to a cloud provider, but the responsibility for protecting your data cannot.
- Amazon AWS S3 is an example. Amazon will allow clients to store information without regard to security; the default setting is open/unsecure.
- Q: How can KLC Consulting help?
- We have “red team” (attack simulation) and “blue team” (defender, incident response investigation) expertise.
- We perform Continuous Vulnerability Management services for client information and IT systems, on a case-by-case basis tailored to each client.
- We coordinate vulnerability scanning and validation of identified vulnerabilities, and prioritize issues based on criticality.
- We provide advance notification of potential threats, based on proactive threat intelligence assessment reports that cover the technologies deployed for each client.
- Question: How would a customer know if a vulnerability would impact them?
- We perform the intake and triage to weed out any false positives.
- Take Citrix as an example: if you don’t have this technology in place, you don’t need to get a call in the middle of the night. But if you do, then we will absolutely call you in the middle of the night to fix the issue.
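The intake and triage step described above, as an added illustration that is not KLC Consulting’s own tooling: each disclosed advisory is matched against the client’s asset inventory, a hit requires both the product and a version older than the fix, and true hits are ranked by severity, weaponization and internet exposure so that only real issues trigger the call. The CVE ids are from this post; the fix threshold, CVSS scores, product keys and hostnames are constructed for the example.

```python
"""Advisory-to-inventory triage: keep only disclosures that hit deployed
technology and rank the resulting alerts. Added illustration, not KLC
Consulting's tooling. CVE ids are from the post; fix thresholds, CVSS
scores, product keys and hosts below are constructed sample data."""
import itertools
from dataclasses import dataclass
from typing import List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """'2019.2.3' -> (2019, 2, 3); suffixes such as '3000.2rc1' are ignored."""
    out = []
    for part in v.split("."):
        digits = "".join(itertools.takewhile(str.isdigit, part))
        out.append(int(digits) if digits else 0)
    return tuple(out)

@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str      # normalized product key matched against the inventory
    fixed_in: str     # first version no longer affected (constructed threshold)
    cvss: float       # constructed base score used for ranking
    weaponized: bool  # public exploit code observed

@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool

def is_affected(adv: Advisory, asset: Asset) -> bool:
    """A hit needs the same product AND a deployed version older than the fix."""
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.fixed_in))

def priority(adv: Advisory, asset: Asset) -> float:
    """CVSS, boosted when exploit code exists and when the host is exposed."""
    return adv.cvss + (2.0 if adv.weaponized else 0.0) + (1.0 if asset.internet_facing else 0.0)

def triage(advisories: List[Advisory], inventory: List[Asset]):
    """Return (host, cve, priority) for true hits only, most urgent first."""
    hits = [(a.host, adv.cve, priority(adv, a))
            for adv in advisories for a in inventory if is_affected(adv, a)]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))

ADVISORIES = [Advisory("CVE-2020-11651", "saltstack", "3000.2", 9.8, True),
              Advisory("CVE-2020-11652", "saltstack", "3000.2", 6.5, True)]
INVENTORY = [Asset("salt-master-01", "saltstack", "3000.1", True),   # unpatched
             Asset("salt-master-02", "saltstack", "3000.2", False),  # patched
             Asset("vpn-gw-01", "citrix-adc", "13.0", True)]         # no Salt

if __name__ == "__main__":
    for host, cve, score in triage(ADVISORIES, INVENTORY):
        print(f"{score:4.1f} {host:16} {cve}")
```

Only salt-master-01 produces alerts; the patched master and the Citrix appliance are filtered out before anyone is paged.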
- We’re cybersecurity consultants who help clients resolve the issues we talk about in these blog posts and videos. To learn more about the services we offer, please click here: https://klcconsulting.net/services/secure-it-network-cloud-network-and-wireless-network-design-cloud-migration/
- To contact us directly, please call Paul Casassa at (617) 314-9721×158 or email email@example.com. Please visit our YouTube channel for more cybersecurity discussion videos at https://www.youtube.com/channel/UC7YHBN8MC2T2sVB411jC79Q
- and our LinkedIn profile at https://www.linkedin.com/company/klc-consulting-inc-
- Thank you!