How do we patch the right things? - Josh Bressers - PSW #840
Aug 22, 2024
Josh Bressers, a knowledgeable figure in vulnerabilities and exploits, dives into the complexities of patch management. He discusses the limitations of tools like MITRE ATT&CK and CVSS in accurately prioritizing vulnerabilities. The conversation emphasizes the importance of context in patching decisions and addresses the challenges of tracking incidents that lack CVEs. Bressers shares insights on the balance between urgent patches and asset criticality, highlighting personal anecdotes that shed light on navigating the evolving cybersecurity landscape.
Organizations must prioritize patches based on nuanced risk assessments, going beyond CVSS scores alone, which may not reflect the true risk a vulnerability poses in a given environment.
The ransomware attack in Flint, Michigan showcases the vulnerability of municipal infrastructures to cyber threats amid existing crises.
Research on MIFARE Classic chips reveals critical vulnerabilities, highlighting the importance of securing widely used access control systems.
Effective vulnerability management necessitates prioritizing by impact and accessibility, especially for critical systems like OpenBMC that manage server operations.
Robust password management practices are essential, particularly regarding .env files to prevent credential leaks and exploitation.
The growing reliance on cloud-native applications increases the urgency for effective secrets management to mitigate risks associated with embedded credentials.
Deep dives
Prioritizing Patching and Remediation
The discussion emphasizes the importance of prioritizing patches and remediation efforts in cybersecurity. It draws on various frameworks and tools that assist in determining which vulnerabilities need immediate attention, including MITRE ATT&CK, CVSS, EPSS, and CISA KEV. The conversation reveals that simply relying on a CVSS score may not be sufficient, as environmental and organizational factors play a significant role in assessing the true risk posed by a vulnerability. There is a call for organizations to develop a more nuanced understanding of risk, beyond just the metrics provided by these tools.
Ransomware Attack in Flint, Michigan
Flint, Michigan faced a ransomware attack amidst ongoing struggles with its water supply issues, resulting in significant challenges for its residents. The attack has rendered many services inoperable, forcing the city to revert to cash and checks for transactions, impacting daily life and operations. This incident highlights the vulnerability of municipal infrastructures to cyber threats, especially in areas already facing hardships. The situation demonstrates that even cities grappling with a fundamental crisis can be overwhelmed by cyber attacks, compounding their troubles.
Security Vulnerabilities in MIFARE Classic Chips
Recent research has uncovered critical vulnerabilities in MIFARE Classic chips, particularly affecting knockoff versions in use. These vulnerabilities allow attackers to potentially recover all user-defined keys simply by obtaining one card for a short duration. The implications of this research raise questions about the security of widely used identification systems, particularly in contexts such as hotels and public venues where access control is crucial. The research has led to tools being integrated into Proxmark3 that exercise these vulnerabilities, highlighting the need for heightened awareness regarding card security.
Challenges of Managing OpenBMC Security
A critical vulnerability has been discovered in OpenBMC, which manages server baseboard operations. Exploiting this vulnerability could grant attackers the highest level of privilege within the system, elevating risks significantly. The article discusses how effective vulnerability management requires organizations to prioritize scenarios based on impact and accessibility. It raises concerns that vulnerabilities in this essential management layer are not as widely recognized as they should be, potentially putting many systems at risk.
Flaws in Popular Password Management Practices
The discussion underscores the significance of adopting robust password management practices, emphasizing that .env files, often used for storing credentials, can lead to leaks if not properly secured. Attackers are increasingly exploiting these oversights by enumerating accessible URLs for sensitive data, ultimately holding organizations hostage. It illustrates the necessity of shifting towards more secure models such as a secrets vault, which entails additional architectural considerations but ultimately improves security posture. Organizations are urged to act preemptively to mitigate the risks associated with credential leaks and subsequent exploits.
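As an added illustration of the enumeration described above (example code, not from the episode or the show), the following scans web-server access-log lines for requests to secret-bearing paths such as /.env and flags any that returned 200, meaning the file was actually served. The log lines and IP addresses are constructed samples in Combined Log Format.

```python
"""Detect probing for exposed secret files (e.g. /.env) in access logs.
Added example with constructed sample data; not the podcast's own tooling."""
import re
from collections import Counter

# Paths that commonly carry credentials when accidentally published.
SECRET_PATHS = ("/.env", "/.git/config", "/config.php.bak", "/.aws/credentials")

# Combined Log Format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(line):
    """Return the fields we need, or None for lines that are not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return (probe count per source IP, list of (ip, path) where a secret file was served)."""
    probes = Counter()
    served = []
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string
        # Match the bare path and nested copies such as /app/.env
        if any(path == p or path.endswith(p) for p in SECRET_PATHS):
            probes[rec["ip"]] += 1
            if rec["status"] == "200":  # 200 means the secret file was exposed
                served.append((rec["ip"], path))
    return probes, served


# Constructed sample log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = [
    '203.0.113.9 - - [22/Aug/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '203.0.113.9 - - [22/Aug/2024:10:01:03 +0000] "GET /app/.env HTTP/1.1" 200 412 "-" "python-requests/2.31"',
    '203.0.113.9 - - [22/Aug/2024:10:01:04 +0000] "GET /.git/config HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '198.51.100.4 - - [22/Aug/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    counts, exposed = scan(SAMPLE_LOG)
    print("probes by IP:", dict(counts))
    print("secret files actually served:", exposed)
```

A served entry is the one to act on first: rotate every credential in that file, then block the path at the web server.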
Understanding the Implications of Multi-Factor Authentication
Microsoft's enforcement of multi-factor authentication (MFA) is part of a broader trend aimed at enhancing user security across platforms. The article outlines how MFA can prevent unauthorized access, yet highlights the inconvenience it presents in scenarios like travel where network connectivity may be limited. The conversation also indicates that while MFA, disruptive as it can be, increases security, reliance solely on traditional methods like SMS verification can perpetuate vulnerabilities. Organizations are encouraged to adopt more robust and convenient MFA solutions, such as authentication apps, to safeguard user data effectively.
The Future of Secrets Management
The increasing prevalence of cloud-native applications and microservices emphasizes the need for effective secrets management. The need for secret management systems has become more urgent as organizations recognize the risks associated with embedded credentials in application code. Various options exist for managing secrets securely, including commercial solutions and open-source tools. Organizations must balance the convenience of using environment files against the security risks of doing so as they look to tighten access across their varied digital environments.
Breach Data's Role in Cybersecurity
The alarming number of organizations facing data breaches reveals the ongoing threat landscape, with ransomware attacks being the most common form of exploit. The article draws attention to the lasting repercussions of breaches, including financial losses and damage to reputation. Organizations are encouraged to bolster their cybersecurity posture through proactive measures and incident response planning. Ultimately, knowledge of breaches should drive security policy and investment in resilience measures as a core component of organizational strategy.
The Complexity of Mainframe Security
Mainframes continue to play a significant role in processing data for many organizations, despite being overlooked in modern cybersecurity conversations. The article presents insights into the vulnerabilities associated with mainframes, including outdated access control mechanisms and weak security practices. Readers are cautioned about the threats posed by ineffective security implementations, especially as older technologies persist in organizations. A renewed focus on mainframe security is warranted as businesses seek to safeguard these critical infrastructures from emerging vulnerabilities.
Radical Changes in Wireless Security Practices
The evolution of wireless technologies has, unfortunately, outpaced corresponding security measures, leading to various vulnerabilities. The article highlights the need for organizations to reevaluate their approach to wireless networks, specifically using tools like Kismet for security assessments. Kismet serves as a comprehensive wireless analysis tool, enabling security professionals to identify potential risks associated with their networks. With wireless networks being integral to operations, it becomes imperative for organizations to adopt proactive security strategies to mitigate risks effectively.
Innovations in User Experience for Security Solutions
With the growing reliance on digital platforms, improving the user experience for security solutions is essential for enhancing compliance and protection. The article discusses how security vendors are innovating user experiences to facilitate better interactions with their tools. As cybersecurity solutions become increasingly complex, usability remains paramount in ensuring that organizations effectively address and manage threats. Organizations should prioritize tools that offer seamless user experiences while maintaining robust security features to foster an environment of proactive cybersecurity.
Every week here on the show we talk about vulnerabilities and exploits. Typically we recommend that organizations remediate these vulnerabilities in some way. But how? And more importantly, which ones? Some tools we have to help us are actually not all that helpful at times, such as:
MITRE ATT&CK - Don't get me wrong, this is a great project and Adam and team are doing a great job. However, it's not a complete picture as we can't possibly know about every attack vector (or can we?). People seem to think if they cover everything in the framework they will be secure. You can't cover everything in the framework because each technique can be utilized by an attacker in a hundred different ways.
CVSS - Anyone can apply a score, but who is correct? Good that we have a way to score things, but then people will just use this as a basis for what they patch and what they do not. Also, chaining vulnerabilities is a thing, but we seem to lack any way to assign a score to multiple vulnerabilities at once (different from a technique). Also, some things don't get a CVE; how are you tracking, assessing risk, and patching these?
CISA KEV - Again, love the project and Tod is doing amazing work. However, what about things that do not get a CVE? Also, how do you track every incident of an attacker doing something in the wild? Also, there is frequency: just because something got exploited once, does that mean you need to patch it right away? How are we tracking how often something is exploited, as it is not just a binary "yes, it's exploited" or "no, it is not"?
EPSS - I do like the concept and Wade and Jay are doing amazing work. However, there seems to be a "gut reaction" thing going on where we do see things being exploited, but the EPSS score is low. How can we get better at predicting? We certainly have enough data, but are we collecting the right data to support a model that can tell us what the attackers will do next?
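To make the point above concrete, here is an added example (not from the show or its guest) of a small prioritization model that combines the CVSS base score with the context the list says CVSS lacks: EPSS, whether the issue is on CISA KEV, whether the asset is internet-facing, and how critical the asset is. The weights are an assumption for illustration, not a published standard, and every finding below is constructed sample data with placeholder CVE ids.

```python
"""Context-aware patch prioritization: CVSS x likelihood x exposure x criticality.
Added example with assumed weights and constructed findings; not a standard scoring method."""
from dataclasses import dataclass


@dataclass
class Finding:
    ident: str               # CVE id, or a local id for issues that never got a CVE
    cvss: float              # CVSS base score, 0.0-10.0
    epss: float              # EPSS probability of exploitation, 0.0-1.0
    in_kev: bool             # listed in CISA Known Exploited Vulnerabilities
    internet_facing: bool    # reachable from outside the network
    asset_criticality: int   # 1 (lab box) .. 5 (production crown jewels)


def priority(f: Finding) -> float:
    """Assumed weighting: severity scaled by how likely exploitation is and
    by how reachable and important the affected asset is. KEV listing sets a
    high likelihood floor even when the EPSS score happens to be low."""
    likelihood = max(f.epss, 0.9 if f.in_kev else 0.0)
    exposure = 1.0 if f.internet_facing else 0.4
    return round(f.cvss * (0.2 + likelihood) * exposure * f.asset_criticality, 3)


def rank(findings):
    """Highest priority first."""
    return sorted(findings, key=priority, reverse=True)


# Constructed sample findings; CVE ids are placeholders, not real vulnerabilities.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.02, False, False, 2),  # critical CVSS, but an internal lab box
    Finding("CVE-0000-0002", 7.5, 0.91, True, True, 5),    # KEV-listed, internet-facing production
    Finding("LOCAL-0003", 6.5, 0.40, False, True, 4),      # no CVE assigned; tracked under a local id
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{f.ident:<14} cvss={f.cvss:<4} priority={priority(f)}")
```

Note that the CVSS 9.8 finding lands last: the model is only as good as its inputs, so asset inventory and exposure data matter as much as the scores.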
This week: YAVD: Yet Another Vulnerable Driver, why bring your own when one already exists, backdoors in MIFARE Classic, wireless hacking tips, the AMD Sinkclose vulnerability will keep running, you down with SLDP yea you know me, Phrack!, IoTGoats, Pixel vulnerabilities, leaking variables, a DEF CON talk that was not cancelled, Telnet is still a thing, more CNAs, and the last thing Flint, Michigan needed was a ransomware attack!