Threat Brief: Information on Critical Apache Struts Vulnerability CVE-2018-11776

Situation Overview

On August 22, 2018, the Apache Foundation released a critical security update for CVE-2018-11776, a remote code execution vulnerability affecting Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16. The Apache Foundation has urged everyone to apply the security updates as soon as possible.

This blog is to provide information to help organizations assess their risk of the vulnerability and to inform Palo Alto Networks customers of protections in place that can help mitigate their risk until they can apply the security updates. Palo Alto Networks customers who have deployed the latest vulnerability signatures released on August 24, 2018, are protected.

Vulnerability Information

According to both the Apache Foundation and security researcher Man Yue Mo, this vulnerability can enable remote code execution on a server running a vulnerable version of Apache Struts. The method of attack would be through a specially crafted URL sent to the vulnerable system. In most cases, this means no authentication is required to exploit the vulnerability.

A successful attack would run code in the security context that Struts is using. In some cases, this could effectively lead to a total compromise of the system.

It’s important to note, however, that the vulnerability is not exploitable in default configurations. The following two conditions must both be met for a system to be vulnerable to attack:

  1. The alwaysSelectFullNamespace flag is set to “true” in the Struts configuration. (Note: If your application uses the popular Struts Convention plugin, this is set to “true” by default by the plugin.)
  2. The Struts application uses “actions” that are configured without specifying a namespace, or with a wildcard namespace. This condition applies to actions and namespaces specified in the Struts configuration file. (Note: If your application uses the popular Struts Convention plugin, this condition also applies to actions and namespaces specified in Java code.)

If your Struts application does not meet both of these conditions, your application may still be vulnerable but not (currently) exploitable via CVE-2018-11776.

In particular, if your application uses the popular Struts Convention plugin, it appears to potentially increase your risk of exploitability vis-à-vis other Struts implementations that do not use that plugin.


Threat Environment Information

The vulnerability was disclosed on August 22 in conjunction with security updates that address it. There is detailed information about the vulnerability and how to exploit it available currently. There is also proof of concept (PoC) code available already. As noted above, the PoC works only against systems that are vulnerable and meet both conditions for exploitability.

Some have noted that a previous critical Struts vulnerability was actively attacked last year only three days after the release of the security update and vulnerability information.

There are no known active attacks at this time, and the current requirement that two non-default conditions be met for the vulnerability to be exploitable makes for a different threat environment.

However, with a working PoC available, we can expect at a minimum probing, if not active exploitation, of this vulnerability in the near term.

Organizations should focus their risk assessments for possible attack until they can patch on four things:

  1. Are they using the Struts Convention plugin?
  2. Do they meet both of the required conditions for exploitation?
  3. Is there any weaponization of, or indication of attacks using, the current PoC?
  4. Are there developments of new PoC or attacks that render moot the two conditions required for exploitability?
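To turn the two exploitability conditions above and checklist items 1 and 2 into something an application owner can actually run, here is an added example (not part of the original brief, and not Palo Alto Networks or Apache code) that inspects a struts.xml for both conditions. It assumes the Struts 2 constant name struts.mapper.alwaysSelectFullNamespace, inspects only the one file it is given (included files and Convention plugin Java annotations are out of scope), and uses constructed sample configurations.

```python
"""Check a struts.xml against the two CVE-2018-11776 pre-conditions."""
import xml.etree.ElementTree as ET

# Struts 2 constant behind the "alwaysSelectFullNamespace" flag named in the brief.
FULL_NS_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"


def assess_struts_xml(xml_text: str, convention_plugin: bool = False) -> dict:
    """Report which of the two pre-conditions a struts.xml configuration meets.

    convention_plugin: True if the app ships the Struts Convention plugin, which
    defaults the flag to true even when struts.xml never sets it.
    Only this file is inspected; <include> files and Java annotations are not.
    """
    root = ET.fromstring(xml_text)

    # Condition 1: flag true in config (last definition wins), or defaulted by the plugin.
    full_ns = convention_plugin
    for const in root.iter("constant"):
        if const.get("name") == FULL_NS_CONSTANT:
            full_ns = const.get("value", "").strip().lower() == "true"

    # Condition 2: actions inside a package with no namespace (missing or "") or a
    # wildcard namespace. In struts.xml the namespace lives on <package>, so every
    # action declared in such a package is affected.
    risky = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns is None or ns.strip() == "" or "*" in ns:
            shown = "<missing>" if ns is None else ns
            for action in pkg.iter("action"):
                risky.append((pkg.get("name", "?"), shown, action.get("name", "?")))

    return {
        "always_select_full_namespace": full_ns,
        "risky_actions": risky,
        "both_conditions_met": full_ns and bool(risky),
    }


# Constructed sample: flag on, and one package declares no namespace at all.
VULNERABLE_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="com.example.IndexAction"/>
  </package>
  <package name="admin" extends="struts-default" namespace="/admin">
    <action name="list" class="com.example.ListAction"/>
  </package>
</struts>"""

# Constructed sample: same flag, but every package now has an explicit, non-wildcard
# namespace, so only one of the two conditions holds and the brief's criteria are not met.
HARDENED_XML = VULNERABLE_XML.replace(
    '<package name="default" extends="struts-default">',
    '<package name="default" extends="struts-default" namespace="/">',
)

if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE_XML), ("hardened", HARDENED_XML)):
        print(label, assess_struts_xml(xml))
```

A "both_conditions_met" result of False is not a clean bill of health: the brief's conditions only decide whether the known PoC applies, and patching remains the fix.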


Guidance and Protections for Palo Alto Networks Customers

All organizations running vulnerable versions of Apache Struts should deploy the security updates as soon as possible.

Organizations can and should prioritize scheduling and deployment of the security updates based on their security policy and risk assessment, and on currently available information.

Palo Alto Networks customers who have deployed the vulnerability signatures in content release version 8057, released on August 24, 2018, which include ID 33948 (Apache Struts 2 Remote Code Execution Vulnerability), are protected against currently known exploits of that vulnerability.

Our customers should still deploy the security update as recommended above, but can and should deploy the latest vulnerability signature immediately for additional protection. With this additional protection available, our customers can and should include it as part of their decisions around the scheduling and deployment of the security updates and their risk assessment of the vulnerability and threat environment.

As always, we are monitoring the situation closely and will provide additional details as they become available.

[Palo Alto Networks Research Center]

Traits of a Successful Threat Hunter

Threat hunting is all about being proactive and looking for signs of compromise that other systems may have missed. As defenders, we want to cut down the time it takes to detect attackers. To accomplish this, we assume the bad guys have penetrated our defenses, and then proceed to look for traces that their activities have left behind.

Putting aside the technical details, it is extremely important to consider the person, or perhaps the team, who is doing the hunting. I describe a good threat hunter as a person with a wide skill set who has “been there and done that” in multiple areas of IT and security. There are four main dimensions that help shape a good hunter:

Curiosity
A threat hunter needs to be patient, highly motivated, and driven by a desire to know more. The person needs to start asking questions such as “why” in order to understand whatever activity may be under analysis. In order to be able to answer the why, the drive to go deep down the rabbit hole is essential.

Critical thinking
Being able to analyze and solve problems is also important. The hunter must always keep an open mind and be able to consider alternative solutions to the problem. Thinking like an attacker usually helps frame an investigation from a different angle and could be the key to uncovering evil within your systems.

Technical expertise
A wide array of technical knowledge is essential. A person who is an expert in networking and knows very little about other disciplines such as forensics, applications, databases, etc., may not be able to see the big picture. Ideally, the hunter has cross-discipline knowledge and knows who to reach out to when more in-depth analysis is required.

Ability to connect the dots
This is one of the most important aspects. Many analysts struggle when presented with multiple sets of information and therefore are unable to connect the dots and put together the puzzle. An efficient hunter should be able to understand the data and its business context, perform the appropriate correlations, and reach conclusions.

Professionals with this sort of talent and skill are scarce. Remember that in many cases it makes perfect sense to develop hunting talent in-house. An employee who has worked in a few IT or information security disciplines who knows your business brings great value to the table. Look around and see who is up to the challenge.

Editor’s note: Roger O’Farril will be presenting further insights on this topic at ISACA’s CSX North America conference, to take place 15-17 October in Las Vegas, Nevada, USA.

Roger O’Farril, Information Security Team Lead, Federal Reserve Bank of Chicago

[ISACA Now Blog]

What CISOs Can Do Today

In part three of our series, we laid out the five top priorities for CISOs as they shift their focus to the executive aspects of their roles and build out their teams. In this final part of our series, I join my colleagues Aileen Alexander from Korn Ferry and Paul Calatayud from Palo Alto Networks to look at those priorities in greater depth. Specifically, we focus on what CISOs can do today to empower their organizations.

No. 1: Addressing the cybersecurity skills gap and increasing cyber awareness

  • Be creative. Think differently about the teams you have today, how their skills match to the latest trends and train them as needed.
  • Work with HR to develop university outreach programs that focus on acquiring young talent early into the organization.
  • Focus on making it easier to consume security technology. If you can make it easier for others to approach your team and understand what your team does, then you have a higher likelihood of attracting a different type of talent that can bring a unique set of skills to your team.

No. 2: Incorporating regional laws and regulations into cyber strategy

  • Familiarize yourself with the impact of these regulations. Bring in a third-party expert to explain the intricacies and considerations.
  • Consider introducing the role of a business information security officer (or BISO) in certain key regions. While they may not be focused on cybersecurity, they should focus on the risks, regulatory impact and privacy laws in their respective countries.
  • Align closely with legal and policy teams to advise on the impact of these laws on your organization.

No. 3: Embracing the DevOps philosophy

  • Forge strong relationships with these teams and become more involved in their development processes.
  • In meetings and conversations, focus on risk guidance and why security is important to every application deployment.
  • Define and share security requirements in a way that they become a natural part of the development process.

No. 4: Tackling IoT security (corporate and personal)

  • Get involved in the process of IoT purchases at your company.
  • Expand cybersecurity awareness training to include education about personal IoT devices and the far-reaching impact these devices can have on the organization.
  • Advise employees on how to adjust device and app settings, such as location and data access, to protect employees and the company.

No. 5: Aligning with product and physical security

  • Proactively get involved and forge relationships with product and physical security teams.
  • Highlight the unique security risks and considerations for new products during early development stages.
  • Develop steering councils or security review committees with the teams responsible for product or physical security.

Conclusion

This is a very challenging time to be in cybersecurity. At the same time, it can be very exciting. The threat environment is becoming more sophisticated and the impact of cybercrime and data breaches is becoming more high profile and potentially disruptive. It is not unfair to say that the future of the organizations often rests in the hands of our CISOs and their teams.

As we’ve seen in this four-part series The Evolution of the Chief Information Security Officer, the increased profile, visibility and accountability of the CISO is causing significant changes in who will succeed in these positions and how they will operate. Being the most technically astute individual in the organization is not a bad thing, but it’s not the only attribute that will define a successful CISO, now and in the future.

Instead, CISOs will need to fit comfortably in the executive suite, speak the language of business and recognize that one of the most important roles they have to play is as a change agent. As we said at the outset, cybersecurity has expanded well beyond the confines of IT and is now a concern at the highest enterprise level. That reality will continue to determine how the role of the CISO continues to evolve in the future.

Editor’s note: thank you for reading part IV of our Korn Ferry CISO series. To catch up, you can view all of the articles in the series here.

Source: https://www.securityroundtable.org/what-cisos-can-do-today/

Top 5 Priorities of the CISO of Tomorrow

As the role of the CISO continues to evolve, areas that were once the personal responsibility of the CISO will shift to other members of their team.

What does that mean for the CISOs of tomorrow? How will they shift their focus to the “executive” aspects of their roles and build out their teams? How will they prioritize their roles and responsibilities? How will they interact with and communicate to the rest of the organization, whether it is the board, the C-suite, their own teams or the rank and file?

Working with my colleague Jamey Cummings at Korn Ferry and Paul Calatayud from Palo Alto Networks, we have identified the top five things CISOs will need to prioritize as they shift their focus to a role of business enablement, higher visibility, and greater accountability. They are:

No. 1: Addressing the cybersecurity skills gap and increasing cyber awareness.

This is a current challenge that is only growing. Addressing these needs sets the foundation for everything else the CISO must do in the coming years. Since the cybersecurity landscape is constantly changing, in addition to attracting new talent to the industry, continuous training and skills development for existing teams are essential. As different business units move data and services to the cloud, the CISO must develop programs and personnel to train the entire organization on proper cyber hygiene and cybersecurity awareness.

No. 2: Incorporating regional laws and regulations into cyber strategy

For multinational companies, larger strategic regional teams will be needed to address the complexity of data and privacy laws. GDPR, for example, is a regulation that is global in nature because of the number of companies around the world it impacts. When thinking about regulations like this, the question for companies becomes: how do you create capabilities that address something like GDPR in the context of European stakeholders while still considering Canadian or U.S. privacy laws?

No. 3: Embracing the DevOps philosophy

DevOps is a movement to reduce the technical inefficiencies between IT, developers and security teams. It is about automating the deployment, maintenance and security tasks that these teams have traditionally done manually and separately. What DevOps means for CISOs and security teams is that cybersecurity is starting to be prioritized at the outset of any IT-related project. CISOs who embrace the DevOps concept and prioritize DevOps roles on their teams will be better aligned to the rest of the organization in the coming years.

No. 4: Tackling IoT Security (Corporate and Personal)

According to Gartner Research, the projected number of connected devices is expected to reach 20 billion by 2020. With this comes more security risks. CISOs will need to start thinking about how to not only protect the IoT devices that are corporate property, but also the personal devices that are coming in and out of their networks. Oftentimes, IoT devices connect to company laptops or mobile phones that have legitimate access to the corporate network. It’s reasonable to assume that, if a personal IoT device is compromised, the corporate network might be vulnerable as well. Progressive CISOs will need to think about how to guard against threats posed by personal devices and figure out which members of their team are best-suited to manage that.

No. 5: Aligning with Product and Physical Security

While product and physical security teams might not fall under the CISO’s umbrella today, they will become increasingly intertwined as cybercriminals become more creative. CISOs should be thinking about how they will better align with the groups responsible for these disciplines to make sure that cybersecurity is consistent across all areas of the business.

Conclusion

Cyber risk touches every area of a modern business and the importance of the CISO and InfoSec Team is growing. Regardless of how these roles evolve in one organization versus another, CISOs will always have to go back to the same basic question: what do we need to prioritize to help keep our particular business secure and thriving? To learn more about what CISOs can do today to keep their businesses secure and thriving, see part four of our series: What CISOs Can Do Today, coming next week.

View the full report that outlines what’s ahead for CISO leaders.

Source: https://www.securityroundtable.org/top-5-priorities-of-the-ciso-of-tomorrow/

Archetypes of the Modern CISO

As described in part one of this series, the role of the modern CISO has changed significantly over the past few years. CISOs have higher visibility and accountability than ever before, which has moved them from back-of-the-house operations into a key public-facing role.

This changing dynamic requires new attributes for successful CISOs in terms of competencies, experience, traits, and drivers. Among other things, CISOs need to be strategic outside-the-box thinkers with deep technical experiences who are also flexible, learning agile, intellectually curious, action-oriented, agents of change and seekers of roles that have high levels of visibility and accountability.

Whew!

My colleague at Korn Ferry, Aileen Alexander, and Paul Calatayud from Palo Alto Networks have both used the word “Herculean” to characterize the complete slate of tasks required to succeed as a CISO today, and that is certainly an apt description. We have also defined three emerging archetypes of backgrounds for today’s—and tomorrow’s—cybersecurity leaders:

1. The techie-turned-executive. This is the most common background, with about half of information security leaders fitting into this category. Korn Ferry describes this individual as a technical master who works with the CIO, has a hands-on approach during a crisis and is a driver of enterprise security architecture. Increasingly, even if these individuals come up through the traditional technology ranks, they are required to broaden their approach and look beyond technology and more closely at the corporation, its people, customers and suppliers.

2. The enterprise security and risk-focused leader. This individual is a “big picture” leader who aligns information security with corporate business strategy and transforms the security function to meet the environment. These leaders are emerging in the financial services industry, where issues around sensitive information and compliance have forced cybersecurity functions to be more highly focused on risk management. In fact, Korn Ferry has also found that the financial services sector is where there is a more frequent shift in CISOs reporting to the chief risk officer instead of the CIO.

3. The Washington/cyber and physical security blend leader. This is a mission-driven leader who understands macro geopolitical and threat trends. This person has access to intelligence due to relationships and credibility. While less technical, he or she is able to “connect the dots” across security silos and is “Washington” savvy on a regulatory front. Again, these leaders are emerging in financial services, for much the same reasons those organizations are also turning to leaders focused on enterprise security and risk.

While these archetypes will continue to define most CISOs, because of digitization and evolving cyber risks, new responsibilities and priorities are emerging that impact the scope of the CISO role, regardless of their background. The CISO is inevitably becoming a crucial part of the executive team, and the roles and responsibilities of the information security team are growing as well. What does that mean for the next generation of CISOs? See part three of our series next week, the Top 5 Priorities of The CISO of Tomorrow.

View the full report that outlines what’s ahead for CISO leaders.

Source: https://www.securityroundtable.org/ciso-archetypes/
