Nat Shere

Covering Your Assets

Updated: Sep 14, 2021

Security professionals dislike surprises.


With a recent client, we were helping the security team identify Internet-accessible hosts and servers. At the last minute, we added a subnet that the security manager didn’t think was necessary. This subnet only had a single host, he assured us. As it turned out, it had more than one. A lot more. Surprise!


In an ideal world, IT teams work seamlessly with security. When a new server is commissioned or an existing server is migrated, an appropriate ticket is submitted to security, who validates security software, verifies network and data flows, and updates their asset lists and risk registers accordingly. Sometimes, though, reality intervenes. Tickets get lost in the shuffle. Servers are configured and forgotten. Asset lists become outdated. The coffee maker breaks. And then… Surprise!


Asset management is the foundation for everything else, which is one reason why nearly every compliance standard lists it near the beginning. Cybersecurity Insiders details how strong asset management enables vulnerability management, security controls gap analysis, network data flows, and risk management. Without asset management, the rest of the security program is guesswork at best.


On the other hand, weak asset management often leads to breaches as hackers target unprotected hosts and devices that are not properly secured or segmented. We saw this when hackers exfiltrated data from a casino by first breaching the Internet-connected fish tank in the casino lobby. Moreover, with the move towards more remote work as a result of the pandemic, as discussed by Dark Reading, users are relying on their own Wi-Fi-connected printers, fax machines, and other home devices for office work, causing a massive asset and data management headache.


Finally, if we as security professionals don’t perform robust asset management, then the attackers will do it for us. In a white-hat example, FireEye documented one of their recent Red Team assessments, in which, after getting initial access to the internal network through a phishing attack, they proceeded to enumerate the entire internal network architecture, allowing subsequent exploits and data exfiltration.


Fortunately, asset management doesn’t have to be hard. It just has to be planned. While there are advanced software and tools that can be utilized, the simplest method is a ping scan across network subnets on a regular basis. After that, incorporate port scanning for new services and even vulnerability scanning for a full picture.
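
One way to put the regular ping scan to work, as an added example that is not from the original post: compare the hosts that answered an `nmap -sn -oG -` ping scan against the asset list, subnet by subnet. The scan output, inventory CSV, addresses and function names below are constructed for illustration.

```python
import csv
import io
import ipaddress
import re

# Constructed sample: grepable output of a ping scan (nmap -sn -oG -).
SCAN = """\
# header line (constructed)
Host: 192.0.2.1 (gw.example.test)\tStatus: Up
Host: 192.0.2.5 ()\tStatus: Up
Host: 198.51.100.2 ()\tStatus: Up
Host: 198.51.100.3 ()\tStatus: Up
Host: 198.51.100.4 (printer.example.test)\tStatus: Up
"""
# Constructed asset list; the second subnet "only has a single host".
INVENTORY = """\
ip,owner
192.0.2.1,network
192.0.2.5,web
192.0.2.9,legacy-db
198.51.100.2,facilities
"""
SUBNETS = ["192.0.2.0/28", "198.51.100.0/29"]
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+Up\b")

def live_hosts(scan_text):
    """Map each address reported Up to its reverse-DNS name ('' if none)."""
    matches = (HOST_RE.match(line) for line in scan_text.splitlines())
    return {ipaddress.ip_address(m.group(1)): m.group(2) for m in matches if m}

def load_inventory(csv_text):
    """Map each inventoried address to its recorded owner."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {ipaddress.ip_address(r["ip"]): r["owner"] for r in rows}

def reconcile(scan_text, csv_text, subnets):
    """Per subnet: live hosts missing from the asset list, and listed hosts
    that did not answer (possibly retired, or simply dropping ICMP)."""
    live, known = live_hosts(scan_text), load_inventory(csv_text)
    report = {}
    for net in map(ipaddress.ip_network, subnets):
        seen = {ip for ip in live if ip in net}
        listed = {ip for ip in known if ip in net}
        report[str(net)] = {
            "unknown": [str(ip) for ip in sorted(seen - listed)],
            "not_responding": [str(ip) for ip in sorted(listed - seen)],
        }
    return report

if __name__ == "__main__":
    for subnet, diff in reconcile(SCAN, INVENTORY, SUBNETS).items():
        print(subnet, diff)
```

Entries under `unknown` need an owner and a ticket; entries under `not_responding` need a follow-up check before they are removed from the asset list, since a host that filters ping is still an asset.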


Hopefully then, the only surprise for the security team will be their new coffee maker. Surprise!



Security News


With the pandemic and more remote workers come increased attacks against the software and networks that make that remote work possible. The latest examples include:


  • Three known vulnerabilities and a 0-day are being targeted on Pulse Secure VPNs. The 0-day is a new issue discovered this past month that allows an unauthenticated attacker to perform arbitrary file execution. A patch to fix the issue is expected in May 2021.

  • Three 0-day issues were exploited in SonicWall’s email security tool. Patches have been released for the issues identified, but researchers have already found evidence of hackers exploiting these vulnerabilities to install malicious code, access files and emails, and move laterally within internal networks.

  • Dark Reading reports additional attacks against Oracle WebLogic (targeting the remote code execution vulnerability CVE-2020-14882), Microsoft Exchange Servers, and other VPN solutions.

  • Moreover, with all the news about ransomware attacks, it is easy to forget that the FBI’s report on Internet crime detailed that the financial cost of ransomware is easily dwarfed by business email compromises.

Finally, as if Microsoft Exchange hasn’t been hammered enough this year, the NSA discovered four additional vulnerabilities affecting the software. All of the flaws allow remote code execution and customers are encouraged to patch immediately. As of this report, there aren’t any indications that these issues are being actively exploited yet.
