Palo Alto Networks Unit 42 is proud to announce that four of our researchers were named to the Microsoft Security Response Center (MSRC) “Top 100 Security Researchers List” for 2018. This is the third year Unit 42 researchers have been included in this prestigious list, which is announced every year at Black Hat. This year’s Unit 42 winners are:
Rank  Name
10    Gal De Leon
13    Hui Gao
73    Tao Yan
79    Jin Chen
Palo Alto Networks is a regular contributor to vulnerability research in Microsoft, Adobe, Apple, Android and other ecosystems. By proactively identifying vulnerabilities, developing protections for our customers, and sharing them with Microsoft for patching, we are removing weapons used by attackers that compromise enterprise, government and service provider networks.
Below is the full list of this year’s top 100. To better understand how this recognition is both important and an honor, this posting by Phillip Misner of the MSRC gives you an idea of what’s behind the program.
The dream of a cloud-enabled operational technology, or OT, environment is becoming a reality thanks to daily innovations in technology, which have the potential of turning legacy control systems into integrated IIoT instances. These changes are happening at a fast pace, and are often extraordinary in scale. Large-scale ICS and SCADA systems, such as those found in oil and gas, are evolving; however, one thing remains constant: poor security.
Why Security Is a Challenge
As IT security professionals know, security must adapt to an ever-changing threat landscape. A fluid model does not play well with most current ICS and SCADA systems. These systems depend on availability first, making security measures challenging to implement and even harder to maintain. For OT operators, security must support a model that allows technicians to connect devices first to configure and fine-tune them, and then later lock them down. There must be enough security in place to protect both the business and the process control environment from attacks, but with just enough protection that it neither overcomplicates the automation group's workflows nor stops, blocks or disrupts production.
Purpose-built and expensive to update or replace, these systems and networks do not conform to the equipment lifecycle of an IT network. The majority of oil and gas field networks and remote process control networks are archaic, but also happen to be the systems we take for granted on a daily basis. Attackers know that, when and if these systems fail, they can affect our daily lives.
What’s Next?
It is time we change our beliefs about what a secure network looks like and how it should work. As organizations adopt cloud-based infrastructures and other IIoT technologies, security does not have to be an afterthought. Our Security Operating Platform secures control system networks in several ways, including automatically preventing new and unknown threats, providing virtual network segmentation and offering role-based network access.
In recent research, Palo Alto Networks found attackers were targeting home routers to take control and use them for attacks against other websites that can bring them down. Here we explain this type of attack and what you should do.
Why should I care, what can it do to me?
These attacks could affect you in two ways:
They can slow down or disrupt your internet connection,
They can also make you an unwitting participant in attacks against other websites.
What causes this kind of attack?
Weak passwords and out-of-date software can both enable attackers to take complete control of your home router.
How can I prevent it?
Attackers take over home routers like this by exploiting default passwords and out-of-date software on the routers. An easy thing you can do is restart your router once a week (typically by unplugging it).
You can also stay safe by changing the password on your router and updating the software. If you’re not sure how to do this, contact your Internet Service Provider (ISP) that gave you the router for help.
How does it work?
When devices (in this case, the routers) are under someone else’s control like this, the collection is referred to as a “botnet”, a network (-net) of remotely controlled systems or devices (bot-).
When attackers have complete control of your home router, they can install attack software that they control, turning the device into a “bot”. Attackers can make all the controlled routers in a botnet do anything they want, including sending huge amounts of data to try and bring websites down.
These kinds of attacks are called “Distributed Denial of Service” or “DDoS” attacks. Attackers use them to take down websites for several reasons:
Personal or political reasons
To blackmail websites to pay money or face attack
To act as a diversion for other more serious attacks
Simply to create mischief
About
Threat Briefs are meant to help busy people understand real-world threats and how they can prevent them in their lives.
They’re put together by the Palo Alto Networks Unit 42 threat research team and are meant for you to read and share with your family, friends, and coworkers so you can all be safer and get on with the business of your digital life.
Got a topic you want us to write about for you, your friends, or your family? Email us at u42comms@paloaltonetworks.com.
The vulnerability management process has traditionally been supported by a finely balanced ecosystem, which includes such stakeholders as security researchers, enterprises, and vendors. At the crux of this ecosystem is the Common Vulnerabilities and Exposures (CVE) identification system. In order to be assigned an ID, vulnerabilities have to fulfill certain criteria. In recent times, these criteria have become problematic as they exclude vulnerabilities in certain categories of IT services that are becoming more and more common.
This is the first in a series of blogposts that will explore the challenges and opportunities in enterprise vulnerability management in relation to the increasing adoption of cloud services.
Common Vulnerabilities and Exposures
CVE® is a list of entries, each containing an identification number, a description, and at least one public reference for publicly known cybersecurity vulnerabilities[1].
CVEs are identifiers for security vulnerabilities that are—or are expected to become—public. Traditionally, they are assigned by one of two entities: the CNA (CVE Numbering Authority) that exists specifically for that piece of software (e.g. Microsoft, which covers Microsoft software) or a CNA that has been given coverage of said software (e.g. The Debian Project, Distributed Weakness Filing Project, and Red Hat all cover Open Source software to varying degrees). These CVEs are then published in the MITRE CVE database. Finally, they are consumed and republished by other organizations, often with additional information such as workarounds or fixes, which makes tracking and remediating those vulnerabilities possible.
Customers of companies or organizations that are CNAs for their own products can be reasonably assured that CVE IDs are assigned to historical, current and future vulnerabilities found in those products.
CVE and Vulnerability Management
The CVE system is the linchpin of the vulnerability management process, as its widespread use and adoption allows different services and business processes to interoperate. The system provides a way for specific vulnerabilities to be tracked via the assignment of IDs. Enterprises, security researchers, penetration testers, software providers and even vulnerability scanning tools all use CVE IDs to track vulnerabilities in products. These IDs also allow important information regarding a vulnerability to be associated with it such as workarounds, vulnerable software versions, and Common Vulnerability Scoring System (CVSS) scores. Without the CVE system, it becomes difficult to track vulnerabilities in a way that allows the different stakeholders and their tools to interoperate.
The decision to assign an ID to a vulnerability is governed by the Inclusion Rules. In order to assign a CVE ID to a vulnerability, the assigner has to take the vulnerability through the Inclusion Rules. Generally, only a vulnerability that fulfills all five criteria will be assigned an ID. For example, one of the Inclusion Rules, INC3, states that a vulnerability should only be assigned a CVE ID if it is customer-controlled or customer-installable. A vulnerability in Customer Relationship Management (CRM) software that is installed on a server owned and managed by an enterprise fulfills that requirement.
INC3, as it is currently worded, is problematic for a world that is increasingly dominated by cloud services. In the past, this inclusion rule has worked well for the IT industry, as most enterprise IT services have generally been provisioned on infrastructure owned by the enterprise. However, with the proliferation of cloud services, this particular rule has created a growing gap in enterprise vulnerability management. This is because cloud services, as we currently understand them, are not customer-controlled. As a result, vulnerabilities in cloud services are generally not assigned CVE IDs. Information such as workarounds, affected software or hardware versions, proofs of concept, references and patches is not available, because this information is normally associated with a CVE ID. Without the support of the CVE system, it becomes difficult, if not impossible, to track and manage vulnerabilities.
Conclusion
The Cloud Security Alliance and the CVE board are currently exploring solutions to this problem.
One of the first tasks is to obtain industry feedback regarding a possible modification of INC3 to take into account vulnerabilities that are not customer-controlled. Such a change would officially put cloud service vulnerabilities in the scope of the CVE system. This would not only allow vulnerabilities to be properly tracked, it would also enable important information to be associated with a service vulnerability.
Please let us know what you think about a change to INC3 and the resulting impact on the vulnerability management ecosystem in the comment section below or you can also email us.
Stay tuned for our next blog post where we will explore the impacts that the current Inclusion Rules have on enterprise vulnerability management.
When the general public thinks about today’s exciting technological breakthroughs, the imagery that springs to mind is unlikely to be a crowded pigpen in China or yam fields in the farmland of Nigeria. Yet, rural areas are the frontlines for some of the most important gains technology is enabling in modern society. The growing imprint of technology-driven advancements on the agriculture industry and in rural areas, generally, is one of the tech field’s most promising success stories.
Digital transformation is making its mark on the agriculture industry, with the Internet of Things, blockchain, robotics and drones among the technological forces that are helping to offset modern obstacles that previous generations of farmers did not have to overcome. In the not-so-distant past, farmers fretted about the weather, pests and their equipment – and that was about it. Today’s farmers must contend with a range of more sophisticated challenges, such as market volatility, international trade friction, serious labor shortages, borrowing costs and capital availability, and an increasingly complex regulatory environment.
Amid these challenges, in an industry known for razor-thin margins between success and failure, enabling even a 5% increase in yield can make a dramatic difference. Technological innovation increasingly is the path to swinging that equation in farmers’ favor by equipping them with an expanded set of solutions to their challenges. At the same time, for these innovations to serve their important purpose, it is imperative for security professionals to support suppliers’ and distributors’ assurance that these technologies are being deployed safely and securely throughout the supply chain.
Technology enabling a global bounty
The recent Forbes AgTech Summit underscored how key industry advancements – such as more reliable pathogen detection, autonomous wheelbarrows and analytics software that allows farmers to more accurately predict crop conditions – are capable of improving profitability for farmers and providing a more robust global bounty that will be increasingly critical as population growth, climate change and soil degradation put strain on the world’s food supply.
Much of the technological progress that is recalibrating the way food is being grown and distributed is attributable to automation. The implications of automation can cut in both directions, often driving improved business outcomes while, in some cases, imperiling job security for current workers. The net impact of automation, though, tilts heavily in a favorable direction when it comes to the agriculture industry. In many countries, including the United States, agriculture workers are in short supply, not because automation has put them out of work, but because of a range of factors that include urbanization and more stringent enforcement of immigration laws. Automation is a potent force in counteracting that labor shortage, producing driver-less tractors and more efficiently planting and harvesting to maintain productivity and prevent wasting crops while people around the world go hungry.
It is not just automation that is serving as a new catalyst for farmers and food producers; a variety of emerging technologies are modernizing business models in rural areas around the world. From a Chinese tech giant deploying AI-powered pig-tracking systems, to a growing number of blockchain implementations that will allow food to be tracked globally throughout the supply chain, more efficiently addressing customer risk, it is encouraging to see technology deployed so creatively in an industry that affects all of us on a daily basis.
The ability to more effectively address food security is especially notable, with blockchain and IoT technology allowing inspectors and consumers to become aware of potential hazards in more timely fashion and avert potential health crises. Dubai has shown leadership in this regard, moving to put in place a food monitoring system that will make its reported $200 billion of annual food imports safer and more secure for its residents.
Life-saving health measures
Agriculture is not the only cornerstone of rural life that is being enhanced by technological innovation. Medical drones in Africa deliver life-saving supplies that are not readily available in local clinics, such as blood, medicine and emergency vaccines. In China this year, a logistics firm initiated delivery of goods to sparsely populated areas that will rely on larger drones transporting products to warehouses and smaller drones connecting rural residents with final deliveries. As with all technological innovations, organizations must deploy the needed safeguards and controls to keep pace with the deployment of these new technologies, with drones in particular posing several legal and security considerations. Organizations must determine their appetite for added risks and liabilities introduced by a drone program, as well as how to meet the related compliance requirements on an ongoing basis.
Undeniably, however, these are significant opportunities for residents of rural areas that would not have been possible as recently as five years ago. Even as global population trends reflect increasing urbanization, the capabilities that are being developed will ensure farmers and rural residents stand to benefit from technological innovations that are taking root every bit as much as city-dwellers. As digital transformation spreads beyond our urban hubs to rural fields throughout the globe, it is up to the security community to perform the due diligence necessary to enable these advancements to truly blossom.
Editor’s note: This article originally published in CSO.
Matt Loeb, CGEIT, CAE, FASAE, Chief Executive Officer, ISACA