tag:blogger.com,1999:blog-72476743906310559042024-03-28T04:16:59.015-07:00Eoin & The SecuritySecAppDev-DevAppSecEoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.comBlogger50125tag:blogger.com,1999:blog-7247674390631055904.post-68350413689759749442022-08-04T06:32:00.001-07:002022-08-04T06:32:46.952-07:0020 years of Vulnerability Management - Why we've failed and continue to do so.<h2 style="text-align: left;"><b><span style="font-family: arial; font-size: small;"><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://www.edgescan.com/platform/" imageanchor="1" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" data-original-height="1000" data-original-width="3200" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXEDxz8arGgRjraHQoAVNVgg-LX3X0feSINkPZsm5UITdn6fJ5xsgkCsotxQlW8jOvYCGuSXpK88p5yDvulsZhLXwn4DezvtgSc6YOqo3wKMy_QE-upEp-SeAdfHsRjTuEODPxwTDH87tYjyUhzRvdFgJoD75eGDCQOf-VmZ9RBguuljrgTgIglyUAbA/s320/edgescan%20logo_left_used%20for%20labels.jpg" width="320" /></a></div><br /><div style="text-align: center;"><b><span style="font-family: arial; font-size: small;">Cyber Security: Keeping Pace with Change.</span></b></div></span></b></h2>
<p class="MsoNormal"><span style="font-family: arial;">Getting breached can really ruin your day. Actually it normally happens on a friday evening as you are about chill for the weekend. The cause of must breaches is not rocket science, its more to do with the poor approach we have accepted because we underestimate the threat actor. - An attacker does not scan your website/network once a quarter with a commercial or open source scanner or perform an annual penetration test against your systems to see if there is any low hanging fruit, so how do we expect to defend against such an advisory using that approach?</span></p><p class="MsoNormal"><span style="font-family: arial;">Systems change now more frequently than ever due to the ease of cloud deployments and the speed of software deployments due to iterative development techniques. The rate of change increase results in exposures quickly manifesting and the organisation not even being aware of the exposure in the first place. Many organisations dont know what they have exposed on the public Internet.</span></p><p class="MsoNormal"><span style="font-family: arial;">We need to keep pace with change be it in a cloud
environment, software deployed, new feature, network architecture change etc etc.<o:p></o:p></span></p><p class="MsoNormal"><span style="font-family: arial;"><i>The below applies across the full stack. From network and cloud environments to API's, Web applications and mobile apps.- it's all software!</i></span></p><p class="MsoNormal"><span style="font-family: arial;"><i>Lets talk about the root of all risk - Change. Risk is the probability of loss or injury. If the world was static and nothing changed we would not need to continuously assss risk. Change gives rise to risk.....</i></span></p>
<h2 style="text-align: center;"><span style="font-family: arial; font-size: small;"><b>Change occurs when</b>: </span></h2><p class="MsoNormal"><b style="font-family: arial; text-indent: -18pt;">A system does <u>not </u>change</b><span style="font-family: arial; text-indent: -18pt;">: </span><i style="font-family: arial; text-indent: -18pt;">Over time
critical vulnerabilities are discovered & p</i><i style="font-family: arial; text-indent: -18pt;">atches are released. "Yesterday I was secure,
Today I’ve a Critical Risk." - </i><i style="font-family: arial; text-indent: -18pt;">I did not change anything the world around me did.</i></p><p class="MsoNormal"><b style="font-family: arial; text-indent: -18pt;">A system changes: </b><i style="font-family: arial; text-indent: -18pt;">New features
deployed, new services exposed, larger attack surface, more exposed, more to
attack, more headaches. (obviously).</i></p><h2 style="text-align: center;"><span style="font-family: arial; font-size: small; text-indent: -18pt;"><span style="font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">We need to </span><b>Keep pace with change. (Keeping pace with potential risks).</b></span></h2><p class="MsoNormal"><span style="font-family: arial; text-indent: -18pt;">Traditional tool based/consultant based
approaches have failed to keep pace due to a lack in depth/coverage or frequency
of change detection. Scanners alone suffer from coverage, accuracy issues and some "poor sod" spending their days in validation </span><span style="font-family: arial;">purgatory. False positives are the "white noise" of vulnerability management.</span></p><p class="MsoNormal"></p><ul style="text-align: left;"><li><span style="font-family: arial;">Validation of severity and prioritization needs to be tasked somwhere in the management cycle. If not by the solution you are using, somwhere else. </span></li><li><span style="font-family: arial;"><a href="https://www.edgescan.com/platform/features-services/threat-intelligence-risk-based-prioritization/" target="_blank">Risk based vulnerabilty Intel </a>is key for priortization. Focus on what is activley exploited in the wild not all the vulnerabilities. All vulnerabilities are not created equal.</span><span style="font-family: arial;"> </span></li></ul><p></p>
<p class="MsoNormal"><i><span style="font-family: arial;">So what’s wrong? Why are up the creek without a paddle?
Systems still being breached by advanced attackers (AKA Finding exposed remote
login services with default credentials or unpatched systems or insecure code!!💀💀😀😎).<span style="mso-spacerun: yes;"> </span></span></i></p><p class="MsoNormal"><i><span style="font-family: arial;">Let’s look at current ways to dynamically
assess systems for cyber security.</span></i></p><h3 style="margin: 0cm; text-align: left;"><b><span style="font-family: Arial, sans-serif;">Penetration Test</span></b></h3><p style="margin: 0cm;"><u><span style="font-family: Arial, sans-serif;">Manual assessment of a system. Coupling of usage of automated tools,
scripts and expertise.</span></u><o:p></o:p></p><p style="margin: 0cm;"><br />
<b><span style="font-family: Arial, sans-serif;">Strengths</span></b><span style="font-family: Arial, sans-serif;">: Logical issues. Accurate / (should be) False
positive free. Complex exploits, Support.</span></p><p style="margin: 0cm;"><b><span style="font-family: Arial, sans-serif;">Weaknesses</span></b><span style="font-family: Arial, sans-serif;">: Not scalable, Expensive, Not on-demand, Does
not fit with DevOps etc. Point-in-time scan. No Metrics??<o:p></o:p></span></p><p style="margin: 0cm;"> </p><h3 style="margin: 0cm; text-align: left;"><b><span style="font-family: Arial, sans-serif;">Vulnerability Management</span></b></h3><p style="margin: 0cm;"><o:p></o:p></p><p style="margin: 0cm;"><u><span style="font-family: Arial, sans-serif;">Automation/Software testing software – scanners</span></u><o:p></o:p></p><p style="margin: 0cm;"><b><span style="font-family: Arial, sans-serif;"> </span></b></p><p style="margin: 0cm;"><b><span style="font-family: Arial, sans-serif;">Strengths</span></b><span style="font-family: Arial, sans-serif;">: Scale/Volume,
On-demand, DevOps<br />
<!--[endif]--><b><o:p></o:p></b></span></p><p style="margin: 0cm;"><b><span style="font-family: Arial, sans-serif;">Weaknesses</span></b><span style="font-family: Arial, sans-serif;">: Accuracy, Risk
Rating, Coverage, Depth (Logical vulnerabilities). Requires Expertise to
validate output. Metrics are poor, require multiple tools.</span></p><p style="margin: 0cm;"><b><span style="font-family: Arial, sans-serif;"> </span></b></p><h3 style="margin: 0cm; text-align: left;"><b><span style="font-family: Arial, sans-serif;">Hybrid /<a href="https://www.edgescan.com/platform/features-services/penetration-testing-as-a-service-ptaas/" target="_blank">PTaaS </a>(Penetration Testing as a Service)</span></b></h3><p style="margin: 0cm;"><u><span style="font-family: Arial, sans-serif;">Automation augmented with Expertise coupled with <a href="https://www.edgescan.com/platform/features-services/attack-surface-management/" target="_blank">Attack Surface Management</a></span></u><o:p></o:p></p><p style="margin: 0cm;"><span style="font-family: Arial, sans-serif;"><br />
<b>Strengths</b>: Complex issues, Logical exploits, False positive Free,
Scale/Volume, On-demand, DevOps, Accuracy, Coverage, Metrics, Support. Scale
via automation. Depth via expertise.</span></p><p style="margin: 0cm;"><b><span style="font-family: Arial, sans-serif;">Weaknesses: </span></b><span style="font-family: Arial, sans-serif;">Potentially more costly up front
than automation (but return on investment is high due to validated
vulnerability data being received, less false positives and better coverage.)</span><span style="font-size: 10pt;"><o:p></o:p></span></p><p><br /></p><div style="text-align: center;"> <b><span style="font-family: arial;">Why is traditional Vulnerability Management Failing – The
basics.</span></b></div><p></p><div><ul style="text-align: left;"><li><span style="font-family: arial;">Reliance on software to test software (scanners) alone is folly! – <i>Scanners alone don't work.</i></span></li><li><span style="font-family: arial;">Automation accuracy is not as strong as human accuracy – <i>Our attackers are humans.</i></span></li><li><span style="font-family: arial;">Scale vs depth – Scanners do scale, humans "do" depth. – <i>Our enemies do depth every time and are focused.</i></span></li><li><span style="font-family: arial;">Change is constant – Consultant-based security does not keep pace with change. – <i>Our enemies love change.</i></span></li></ul>
<p style="text-align: center;"><span style="font-family: arial;"><b>What vulnerability management should look like…</b></span></p><p style="text-align: left;"></p><ul style="text-align: left;"><li><b style="font-family: arial; text-indent: -18pt;">On-demand</b><span style="font-family: arial; text-indent: -18pt;">: Assurance of coverage &
depth of testing on demand. – DevOps, Security Team, Deployment process</span></li></ul><ul style="text-align: left;"><li><b style="font-family: arial; text-indent: -18pt;">Continuous & Accurate</b><span style="font-family: arial; text-indent: -18pt;">: Continuous
assessments detecting and validating new vulnerabilities all the time.</span></li></ul><ul style="text-align: left;"><li><b style="font-family: arial; text-indent: -18pt;">Good for</b><span style="font-family: arial; text-indent: -18pt;">: Metrics, Risk lifecycle
tracking, TTR Metrics, Root Cause etc etc</span></li></ul><ul style="text-align: left;"><li><b style="font-family: arial; text-indent: -18pt;">Integration</b><span style="font-family: arial; text-indent: -18pt;">: Continuous flow of
validated</span><span style="font-family: arial; text-indent: -18pt;"> </span><span style="font-family: arial; text-indent: -18pt;">vulnerability intelligence
into your SoC/Bug Tracker/GRC systems – Situational awareness. Cloud <a href="https://www.edgescan.com/technology-integrations/" target="_blank">integrations </a>to keep pace with systems spinning up and flux.</span></li></ul><ul style="text-align: left;"><li><b style="font-family: arial; text-indent: -18pt;">Full stack</b><span style="font-family: arial; text-indent: -18pt;">: “Hackers don’t give a S*#t”.
Risk can be in web or hosting infrastructure, internal or external systems. Multiple
tools for the same purpose? Multiple data sets? No complete picture of risk. We
need risk convergence.</span></li></ul><ul style="text-align: left;"><li><span style="font-family: arial; text-indent: -18pt;"><b>Risk based</b>: We dont need to focus on all vulnerabilities. Even ordering by severity may not yield efficinet results. <a href="https://www.edgescan.com/platform/features-services/threat-intelligence-risk-based-prioritization/" target="_blank">Focus on what matters, focus on vulnerabilities activley known to be exploited in the wild.</a></span></li></ul>
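<p class="MsoNormal"><span style="font-family: arial;">To make the two kinds of change described above concrete, here is a small worked example. It is added for this edit and is not code from the original post or from edgescan; the hosts, products, versions and CVE-style identifiers in it are constructed placeholders, not real systems or advisories. It shows (1) an unchanged inventory becoming vulnerable the day a new advisory lands, (2) a diff of two exposure snapshots surfacing new hosts and newly listening services, and (3) the risk-based ordering argued for in the bullets above and in the earlier list, where "exploited in the wild" and Internet exposure outrank raw CVSS.</span></p>

```python
# Added example for this post, not code from the original article or from edgescan.
# All hosts, products, versions and CVE-style IDs below are constructed
# placeholders for illustration; none refers to a real advisory.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str            # dotted numeric version, e.g. "2.4.49"
    internet_facing: bool


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    fixed_in: str           # first version that is no longer affected
    cvss: float


@dataclass(frozen=True)
class Finding:
    asset: Asset
    cve: str
    cvss: float


def version_key(v: str) -> Tuple[int, ...]:
    """'2.4.49' -> (2, 4, 49): compare versions numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def world_changed(inventory: List[Asset], advisories: List[Advisory]) -> List[Finding]:
    """The system did not change, the world did: every asset running a version
    strictly below an advisory's fixed_in becomes a finding the day it is published."""
    return [
        Finding(asset=a, cve=adv.cve, cvss=adv.cvss)
        for a in inventory
        for adv in advisories
        if adv.product == a.product and version_key(a.version) < version_key(adv.fixed_in)
    ]


def system_changed(before: Dict[str, Set[str]], after: Dict[str, Set[str]]) -> List[str]:
    """The system changed: diff two exposure snapshots (host -> {'port/proto'}).
    New hosts and newly listening ports are the larger attack surface; removed
    hosts are reported too (decommissioning, or something fell over)."""
    events = []
    for host in sorted(set(before) | set(after)):
        old, new = before.get(host, set()), after.get(host, set())
        if host not in before:
            events.append(f"NEW_HOST {host} {sorted(new)}")
        elif host not in after:
            events.append(f"REMOVED_HOST {host}")
        else:
            events += [f"NEW_SERVICE {host} {p}" for p in sorted(new - old)]
            events += [f"CLOSED_SERVICE {host} {p}" for p in sorted(old - new)]
    return events


def prioritise(findings: List[Finding], known_exploited: Set[str]) -> List[Finding]:
    """Risk-based order: known-exploited first, then internet-facing, then CVSS.
    Severity-only ordering would be sorted(findings, key=lambda f: -f.cvss)."""
    return sorted(
        findings,
        key=lambda f: (f.cve not in known_exploited, not f.asset.internet_facing, -f.cvss),
    )


# ---- constructed sample data (placeholders, not real systems or CVEs) ----
INVENTORY = [
    Asset("www-1", "webfw", "2.4.49", internet_facing=True),
    Asset("build-7", "webfw", "2.4.49", internet_facing=False),
    Asset("vpn-1", "vpngw", "9.1.0", internet_facing=True),
    Asset("www-1", "libjson", "1.2.0", internet_facing=True),
]
ADVISORIES = [
    Advisory("CVE-0000-0001", "webfw", fixed_in="2.4.50", cvss=7.5),   # exploited in the wild
    Advisory("CVE-0000-0002", "libjson", fixed_in="1.3.0", cvss=9.8),  # no known exploitation
    Advisory("CVE-0000-0003", "vpngw", fixed_in="9.0.0", cvss=9.1),    # vpn-1 already on a fixed version
]
KNOWN_EXPLOITED = {"CVE-0000-0001"}          # a KEV-style "exploited in the wild" list
SNAPSHOT_MON = {"www-1": {"443/tcp"}, "vpn-1": {"443/tcp", "500/udp"}}
SNAPSHOT_TUE = {
    "www-1": {"443/tcp", "8080/tcp"},        # a new service appeared on an existing host
    "vpn-1": {"443/tcp", "500/udp"},
    "staging-3": {"22/tcp", "3306/tcp"},     # a whole new host, database port exposed
}

if __name__ == "__main__":
    for event in system_changed(SNAPSHOT_MON, SNAPSHOT_TUE):
        print(event)
    for f in prioritise(world_changed(INVENTORY, ADVISORIES), KNOWN_EXPLOITED):
        flag = "EXPLOITED" if f.cve in KNOWN_EXPLOITED else "         "
        where = "external" if f.asset.internet_facing else "internal"
        print(f"{flag} cvss={f.cvss:.1f} {f.cve} {f.asset.host} ({where})")
```

<p class="MsoNormal"><span style="font-family: arial;">Run it directly to print the change events and the ranked findings. Note that the highest-CVSS finding does not come first: an actively exploited, externally reachable 7.5 outranks an unexploited 9.8, which is the whole point of risk-based prioritization over plain severity sorting. In a real program the advisory list and the exploited-in-the-wild set would come from a feed and the snapshots from discovery, but the comparison logic is the same.</span></p>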
<h3 style="text-align: center;"><b><span style="font-family: arial;">Shift Left?</span></b></h3><div><span style="font-family: arial; text-indent: -24px;">We talk alot about Shift Left, moving security practices closer to the developer which helps us catch vulnerabilities earlier in the lifecycle. This paradigm is designed to result in quicker bug detection, more efficiency, less potential impact to deployed live systems.</span></div><p class="MsoListParagraphCxSpFirst"><br /><span style="font-family: arial;"><b>Shift Left</b>: Enable & Assist developers build and deploy secure code & systems. Prevention. Catch Early, Dont deploy vulnerable systems. <br /><br /><b>Shift Right</b>: Detection, Vigilance, Detect currently unknown vulnerabilities. Detect “the next CVE” or "Log4shell"/Framework vulnerability and also mop-up anything that we missed in pre-prod.</span></p>
<p class="MsoNormal" style="text-align: center;"><i><span style="font-family: arial;">Even the Risk profile of a static system can change.
Today’s secure environment is at risk tomorrow via a vulnerability were not
aware of yet. - Fight the future.<o:p></o:p></span></i></p>
<p class="MsoNormal"><br /></p>
<p class="MsoNormal"><b><o:p><span style="font-family: arial;"> </span></o:p></b></p><div class="separator" style="clear: both; text-align: center;"><b><span style="font-family: arial;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0ETR2fhbL7Vyd-p0cfHztFghUqwSythHkFnLGslCHsEIERDS_AXg1gNYbZnkz6bniFmFmj80x2s4_KlGogYEB9b05A-RjC5uwBjnM4GI29Iir6N9aoAA2_x8Bbm42SpWVYn7GM_yBKqTt52sdxgPgpUKzL0Uk5QiqrdqrcUXAT-nJvan6rU8-2GiDQQ/s1629/lineout.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="312" data-original-width="1629" height="76" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0ETR2fhbL7Vyd-p0cfHztFghUqwSythHkFnLGslCHsEIERDS_AXg1gNYbZnkz6bniFmFmj80x2s4_KlGogYEB9b05A-RjC5uwBjnM4GI29Iir6N9aoAA2_x8Bbm42SpWVYn7GM_yBKqTt52sdxgPgpUKzL0Uk5QiqrdqrcUXAT-nJvan6rU8-2GiDQQ/w400-h76/lineout.png" width="400" /></a></span></b></div><b><span style="font-family: arial;"><br /></span></b><p></p>
<p class="MsoNormal"><b><o:p><span style="font-family: arial;"> </span></o:p></b></p>
<p class="MsoNormal"><o:p><span style="font-family: arial;"> </span></o:p></p>
<p class="MsoNormal"><o:p><span style="font-family: arial;"> </span></o:p></p></div>Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com0tag:blogger.com,1999:blog-7247674390631055904.post-74432820035352779402022-05-12T06:30:00.002-07:002022-05-12T09:29:19.021-07:00Five Ways You Can Make Your Vulnerability Management (VM) Program Smart Now<p> </p><h1><span lang="EN-US">Five Ways You Can Make Your Vulnerability Management (VM)
Program Smart Now<o:p></o:p></span></h1><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtZ1iDLwy7O87KtSmSlF7cHgujKh4jEUA-_JfOlLznha5nxxAgIl4uV2Dpra50fRZ3qt-583MFDx68HjRSBCasVV7MwZ-Fxbx9kEyv1doryQZ06m-egnwdG_I_7JAdZeqbBtftrgs4EwT6Ps-hBWKPL00rt1YMN3WuHfagAlRNerAIvL2Q_SqeNEODHA/s1240/SMARTframework.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="626" data-original-width="1240" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtZ1iDLwy7O87KtSmSlF7cHgujKh4jEUA-_JfOlLznha5nxxAgIl4uV2Dpra50fRZ3qt-583MFDx68HjRSBCasVV7MwZ-Fxbx9kEyv1doryQZ06m-egnwdG_I_7JAdZeqbBtftrgs4EwT6Ps-hBWKPL00rt1YMN3WuHfagAlRNerAIvL2Q_SqeNEODHA/s320/SMARTframework.png" width="320" /></a></div><br /><span lang="EN-US"><br /></span></div>
<p class="MsoNormal"><span lang="EN-US">So you are convinced that your need to
adopt a “Smart” Vulnerability Management (VM) approach but you are not quite
sure how to get started or even what to shoot for. Here are Five Very Important
Steps you need to take to bring on the <i style="mso-bidi-font-style: normal;">“Smart”.</i><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<h2><span lang="EN-US">Number 1 - Understand Business Goals and Then Automate
Ranked Alerts<o:p></o:p></span></h2>
<p class="MsoNormal"><span lang="EN-US">Yes, take a step back and think
holistically how your business runs and what business processes are most
critical to achieving your enterprise goals. Talk to your business line leaders
and operational staff. Hit the whiteboard and talk through “what if” scenarios.
Rank all of your business concerns as it pertains to any potential exposures to
your attack surface. Then take on a Smart VM Platform that enables you to rank
and automate each alert type across each IT layer so you receive automated
business-ranked alerts. This is all done in the set-up stage. This is
necessary. This is not sufficient – read on.<i style="mso-bidi-font-style: normal;"><o:p></o:p></i></span></p>
<h2><span color="windowtext" face=""Calibri",sans-serif" lang="EN-US" style="font-size: 12pt; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><o:p> </o:p></span></h2>
<h2><span lang="EN-US">Number 2 - Make Sure its 100% Accurate<o:p></o:p></span></h2>
<p class="MsoNormal"><span lang="EN-US">Want to ensure your get zero confidence
from your support team when you present alerts – send them the automated alerts
with no validation and let them spend days chasing false positives. You need to
get Smart about the burden of noise generated by automated alerts. You need to
adopt a Platform that integrates security specialists that rule our false
positives BEFORE they are presented. In 2022, running your VM program virtually
false-positive free is doable. VM with virtual 100% accuracy IS smart.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><span style="mso-tab-count: 1;"> </span><o:p></o:p></span></p>
<h2><span lang="EN-US">Number 3 - Don’t Waste Anyone’s Time – Give them the Whole
Snapshot and Show Them Clearly What Matters Most<o:p></o:p></span></h2>
<p class="MsoNormal"><span lang="EN-US">It’s easy to follow the typical IT stack
layered specialist approach. One automated scanning tool for web applications. One
tool for API scanning, One tool for network and devices. One ad hoc request for
a pen test. For the past 10 years, most global enterprises have taken on the
layered point-solution approach and then spent mountains of times hobbling
together fractured intelligence reports across the attack surface. In 2022,
that is no longer acceptable, nor is it Smart VM. There are full stack VM
platforms that present your security posture in one snapshot. <span style="mso-spacerun: yes;"> </span>They are pre-built to provide one single
touchstone of truth that shows your security team AND your operational support
team what issues need resolving now. Can we agree to buck the point solution
tradition and take on Smart Full Stack VM now?<o:p></o:p></span></p>
<h3><span lang="EN-US"><o:p> </o:p></span></h3>
<h2><span lang="EN-US">Number 4 - Understand Your Operational Support’s Daily
Workflow (DO NOT INTERUPT IT) and Become a Part of It<o:p></o:p></span></h2>
<p class="MsoNormal"><span lang="EN-US">The vernacular of “Smart” typically places
a high emphasis on the Intelligence it produces but when we run a VM Program –
we have a higher standard. We have to make the enterprise resilient itself. We
have to continuously ensure that the important vulnerabilities are remediated
in a timely manner. And the way we do that is take Smart approaches when
integrating with support staff’s daily workflow. And this can be as simple as
asking the support team how they like to take in their ticket information for
seamless resolution. To achieve that seamless workflow integration in 2022
there are Smart VM platforms that integrate with whatever system your support
team uses. And like the alert engine – it’s all automated. It’s all Smart.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<h2><span lang="EN-US">Number 5 - Don’t Be An Alert Engine – Be a Remediation
Engine<o:p></o:p></span></h2>
<p class="MsoNormal"><span lang="EN-US">Congrats if you have completed <span style="mso-spacerun: yes;"> </span>the above Four Steps. Now here’s a challenge.
On the one side you have continuous, ranked business-intelligent alerts and on
the other side you have IT Operational Support staff that are not security
experts but who are required to remediate the issue. So how to you get Security
Specialist Remediation guidance into the hands of the IT Support staff? Good
news once again is that there are Smart VM Platforms that can integrate
Security Specialist Validation not only to rule out false positives but to
provide timely, contextualized guidance on how to resolve that pressing issue
at hand. With a Smart approach, that guidance and be integrated into the
ticketing system for easy access or can be just a phone call away for verbal
step-by-step specific remediation guidance. And you get bonus Smart points when
you adopt <i style="mso-bidi-font-style: normal;">proactive</i> security
specialist guidance when bad programming patterns are noted and best practice
guidance is deployed before a vulnerability is actually picked up.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family: "Times New Roman",serif; mso-fareast-font-family: "Times New Roman";"><o:p> </o:p></span></p>
<h2><span lang="EN-US" style="mso-fareast-font-family: "Times New Roman";">Be
Smart, Be Bold<o:p></o:p></span></h2>
<p class="MsoNormal"><span lang="EN-US" style="font-family: "Times New Roman",serif; mso-fareast-font-family: "Times New Roman";">If you take these Five Significant
Steps to Smart VM, we allow you to walk with a bit of swagger. For if you now
have delivered to your company a proactive, continuous and business-intelligent
remediation machine and you have a resilient enterprise to show for it – your
Smart VM Program entitles you to bragging rights. If you don’t have your Smart
VM swagger yet, let's talk.</span></p>Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com0tag:blogger.com,1999:blog-7247674390631055904.post-81634479334520997432021-09-02T08:23:00.005-07:002021-09-02T08:25:20.134-07:00Edgescan and Huawei - Cybersecurity - Irish Times Article and Panel Discussion<div><span style="font-family: arial;"><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-RWbZxGHGqe4/YTDsYSzzL7I/AAAAAAAACrk/TG1xOIsXy_Y4zMAkpA1XSVl4GaVbozAhgCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="704" data-original-width="1251" height="225" src="https://lh3.googleusercontent.com/-RWbZxGHGqe4/YTDsYSzzL7I/AAAAAAAACrk/TG1xOIsXy_Y4zMAkpA1XSVl4GaVbozAhgCLcBGAsYHQ/w400-h225/image.png" width="400" /></a></div><br /><br /></span></div><span style="font-family: arial;">I was recently interviewed by the Irish Times on why everything is getting hacked and how we can change the game....</span><div><span style="font-family: arial;"><br /></span></div><div><a href="https://www.irishtimes.com/special-reports/cybersecurity-focus/criminals-have-an-inbuilt-advantage-in-the-great-cyber-arms-race-1.4651078" target="_blank"><span style="font-family: arial;">https://www.irishtimes.com/special-reports/cybersecurity-focus/criminals-have-an-inbuilt-advantage-in-the-great-cyber-arms-race-1.4651078</span></a></div><div><span style="font-family: arial;"><br /></span></div><div><span style="font-family: arial;">A recording of the panel with Andy Purdy, CSO of Huawei North America.</span></div><div><span style="font-family: arial;"><br /></span></div><div><a href="https://www.youtube.com/watch?v=cQJ1uSQ4IEk&t=33s" 
target="_blank"><span style="font-family: arial;">https://www.youtube.com/watch?v=cQJ1uSQ4IEk&t=33s</span></a></div><div><span style="font-family: arial;"><br /></span></div><div><span style="font-family: arial;"><br /></span></div><div><span style="font-family: arial;"><br /></span></div><div><span style="font-family: arial;"><br /></span></div><div><span style="font-family: arial;">Both are decent and worth a listen.</span></div><div><span style="font-family: arial;"><br /></span></div>Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com0tag:blogger.com,1999:blog-7247674390631055904.post-6710609872014682182021-08-25T05:41:00.002-07:002021-08-25T05:48:46.142-07:00Attack Surface Management - What's old is new again!!<p><span style="font-family: arial;"> </span></p><p><span style="font-family: arial;"><br /></span></p><p><span style="font-family: arial;"></span></p><div class="separator" style="clear: both; text-align: center;"><span style="font-family: arial;"><a href="https://1.bp.blogspot.com/-XFDaVhzxlCA/YSY575k0HGI/AAAAAAAACrE/ziXL42xZyLwQuIR5RXdMvXy65z-fYi8jQCLcBGAsYHQ/s1323/ASM-Capture.PNG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="343" data-original-width="1323" height="104" src="https://1.bp.blogspot.com/-XFDaVhzxlCA/YSY575k0HGI/AAAAAAAACrE/ziXL42xZyLwQuIR5RXdMvXy65z-fYi8jQCLcBGAsYHQ/w400-h104/ASM-Capture.PNG" width="400" /></a></span></div><span style="font-family: arial;"><br /><br /></span><p></p><p><span style="font-family: arial;"><br /></span></p><p><span style="font-family: arial;"><br /></span></p><p><span style="font-family: arial;">Attack Surface Management (ASM), a new sexy approach to cyber security visibility. 
</span></p><blockquote><span style="font-family: arial;">"How about we try to see what systems are exposed to the public Internet so we can make sure they are being secured."</span></blockquote><p><span style="font-family: arial;">ASM is not vulnerability management (the detection of cyber security weaknesses); rather it takes a step back to answer the question, "What do I need to secure?" It can also help identify the SBoM (Software Bill of Materials) across deployed systems.</span></p><p><span style="font-family: arial;">Attack Surface Management (ASM) provides you with the ability to see all services exposed to the public Internet across your global estate. As new systems are deployed or decommissioned, or a system changes, ASM can inform you of the event. In most cases this is done in real time and on a continuous basis.</span></p><p><span style="font-family: arial;">I wrote a blog in <a href="https://ekeary.blogspot.com/2018/03/visibility-is-key-when-defending.html" target="_blank">2018</a> when we first introduced Edgescan's ASM solution, which has evolved since by including both API discovery and multi-region monitoring.</span></p><p><span style="font-family: arial;"><a href="https://www.edgescan.com/services/api-security-testing/" target="_blank">API discovery</a> locates exposed API endpoints using multilayered probing techniques. In many cases organizations simply don't know what APIs they have exposed; this can be due to poor asset management or to the fact that some web application frameworks deploy an API by default.</span></p><p><span style="font-family: arial;"><a href="https://info.edgescan.com/hubfs/Datasheets/Attack%20Surface%20Management%20Datasheet.pdf" target="_blank">Multi-region monitoring</a>: performs ASM from different source IPs globally, to help you understand whether there are any geo-related traffic controls you would not see by scanning from a single geo-IP.</span></p><p><span style="font-family: arial;">The value of ASM is to provide real-time information as systems change and to identify and alert you to items which may require attention, such as exposed services, insecure protocols, rogue deployments, outdated software and so on.</span></p><p><span style="font-family: arial;"><b>Features we employ in edgescan ASM are as follows:</b></span></p><ul style="text-align: left;"><li><span style="font-family: arial;"><b>Fast </b>network host discovery and asynchronous port scanning across the whole global perimeter, allowing the identification of networking devices, platforms, operating systems, databases and applications.</span></li><li><span style="font-family: arial;"><b>Mapping </b>and indexable results which help determine which service ports are present and listening. This can detect exposed ports, vulnerable services or misconfigured firewalls.</span></li><li><span style="font-family: arial;"><b>Customizable </b>scan profiling – to be specific about the services and systems you care about, say a random high port or a specific service in a specific region.</span></li><li><span style="font-family: arial;"><b>Service detection</b> – Discovery of exposed services based on response fingerprints and identifiers, resulting in the discovery of older or deprecated exposed systems. Coupled with continuous vulnerability management this is very effective for rapid detection of weaknesses due to vulnerable and outdated software.</span></li><li><span style="font-family: arial;"><b>On-demand</b> live retests on exposed ports. As you close off exposures you may want on-demand probing to confirm you have actually fixed the exposure.</span></li><li><span style="font-family: arial;"><b>Historical </b>host information for point-in-time reads of endpoints. A history of past discoveries can assist with incident reporting and root cause analysis.</span></li><li><span style="font-family: arial;"><b>Detection </b>of misconfigured ACLs or firewall rules leading to service exposure and resulting weakness.</span></li><li><span style="font-family: arial;"><b>Customizable </b>targeted alerting, which notifies you automatically of any potential exposures (e-mail, webhook, SMS) in real time.</span></li><li><span style="font-family: arial;"><b>IoT detection; </b>as we know there is a lot of vulnerable IoT deployed out there, much of it connected to corporate networks and much of it with little or no security controls enabled.</span></li><li><span style="font-family: arial;"><b>API discovery</b>: Continuous <a href="https://info.edgescan.com/apitestingjourney" target="_blank">API detection</a> to ensure you know what APIs are exposed to the public Internet. This can detect rogue or legacy deployments, or <a href="https://www.edgescan.com/wp-content/uploads/2020/01/Edgescan-API-Discovery-2020.pdf" target="_blank">shadow, lost, forgotten and legacy assets</a>, as they occur.</span></li></ul><blockquote><blockquote><span style="font-family: arial;">...We have observed very effective cyber security programs when ASM is coupled with continuous full stack vulnerability management, in particular when the assets newly discovered via ASM are automatically assessed for vulnerabilities. In effect, ASM and vulnerability management working together...resulting in rapid vulnerability detection and response....</span></blockquote></blockquote><p><span style="font-family: arial;">For real precision and fidelity, ASM combined with full stack vulnerability coverage is required. ASM is not an application security or a network security solution but <b>full stack visibility</b>.....</span></p><p><span style="font-family: arial;">Edgescan ASM is in many cases included as a feature and is available with Edgescan's Vulnerability Intelligence Service. 
More at <a href="https://www.edgescan.com">www.edgescan.com</a></span></p><p><span style="font-family: arial;"><br /></span></p>Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com0tag:blogger.com,1999:blog-7247674390631055904.post-54036266219799250062021-06-15T02:48:00.001-07:002021-06-15T02:50:07.074-07:00Edgescan, why we do what we do.....<p><span style="font-family: arial;"> </span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-_5PljmpLJ4c/YLigrULHKlI/AAAAAAAACng/PtCxjttHnacJgB-SYPLVOiJH4sQ_Tx-pQCLcBGAsYHQ/s1629/lineout.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: arial;"><img border="0" data-original-height="312" data-original-width="1629" height="122" src="https://1.bp.blogspot.com/-_5PljmpLJ4c/YLigrULHKlI/AAAAAAAACng/PtCxjttHnacJgB-SYPLVOiJH4sQ_Tx-pQCLcBGAsYHQ/w640-h122/lineout.png" width="640" /></span></a></div><span style="font-family: arial;"><br />The cyber security industry is full of solutions to make you more secure. Some are unproven; other approaches work if deployed properly. Our industry is very fragmented: for example, a recent "Cyber Defense" award I noticed has 195 categories! </span><p></p><p><span style="font-family: arial;"><i>I suppose we need to ask ourselves as companies from time to time why we do what we do? 
</i></span></p><p><span style="font-family: arial;">So, the following post is, I guess, the reason we developed Edgescan and why we believe it's a decent solution to help organizations improve and be more resilient in relation to cyber security and system protection....</span></p><p><br /></p><p><span style="font-family: arial;"><b>Vulnerability scanning alone did not work.</b></span></p><p><span style="font-family: arial;">The idea of software testing software for vulnerabilities is a good one, but both sides of the equation may have bugs. Bugs on one side (the target) may result in vulnerabilities, whilst bugs on the other side (the scanner) may result in false negatives and false positives. </span></p><p><span style="font-family: arial;"><b>Accuracy</b>: To that end we built Edgescan as a combination of automation to discover vulnerabilities at scale, but when certain types of potential vulnerability are discovered it informs a human to validate and triage the issue. The result of this is to ensure we have no false positives and the discovered issues are risk-rated appropriately.</span></p><p><span style="font-family: arial;"><b>Coverage</b>: The human element of Edgescan makes sure the assessments are getting the coverage they need to be successful. Even in functional unit or system testing when developing software, 100% coverage is extremely hard to achieve. It requires following every logical flow of code in an application, which could be hundreds or thousands of permutations. To make this challenge even more complex, different technologies require different types of automation, be they APIs, JavaScript-heavy frameworks or generic n-tier applications.</span></p><p><br /></p><p><b style="font-family: arial;">Splitting vulnerability management into silos of network and application vulnerability intelligence is not intelligent.</b></p><p><span style="font-family: arial;">When defending the enterprise we need full stack visibility. Why? "<b>Hackers don't give a S*it</b>". 
We need to understand what risks and blind spots are present and make sure we have nothing exposed which can be used against us.</span></p><p><span style="font-family: arial;">Combining network, host and web application vulnerabilities in a single view provides this. Even better, it is validated and provides a <b>single source of truth</b>. Full stack visibility provides the ability to <b>prioritize mitigation</b> across the entire tech stack rather than using different sources of vulnerability data from different providers.</span></p><p><span style="font-family: arial;"><br /></span></p><p><span style="font-family: arial;"><b>Accuracy and "noise suppression" would help people move more efficiently and quickly</b></span></p><p><span style="font-family: arial;">Most folks would agree that receiving a feed of accurate and triaged vulnerability intel helps make decisions very quickly. It helps with priority and with answering the question "<b>Which vulns should we fix today</b>?" Removing false positives and applying appropriate or custom risk ratings is what we call "<b>Noise suppression</b>": it cuts through the noise to help organizations be more effective. Also, when vulnerability data is used to kick off an automated process it had better be accurate!!!</span></p><h4 style="text-align: left;"><span style="font-family: arial;"><b>Traditional penetration testing was not scalable and "clunky"</b></span></h4><p><span style="font-family: arial;">Traditional penetration testing requires contracts, is not immediate and results in a PDF as the output. It is slow, clunky and expensive. Delivering penetration testing via the same portal as vulnerability management allows you to go deep and get a complete picture. Having penetration testing via the portal also provides the ability to retest mitigated vulnerabilities <b>on demand</b>, rather than waiting for a consultant, and it can be <b>invoked via automation</b>. 
</span></p><h4><span style="font-family: arial;">Metrics and trending data are required for measuring improvement.</span></h4><div><span style="font-family: arial;">The idea of having an extensible platform with the ability to extract and view validated/accurate vulnerability data on demand and integrate with any other ticketing or GRC system was important. This helps with vulnerability lifecycle management and development pipeline integration.</span></div><h4 style="text-align: left;"><span style="font-family: arial;"><b>Bug bounties are good but are a compliance and GDPR risk and not very controllable.</b></span></h4><p><span style="background-color: white; color: #16161d; font-family: arial; letter-spacing: 0.25px;">Bug bounty platforms use NDAs to trade bounty hunter silence for the possibility of a payout. If this NDA is broken there is no real recourse. Suing a bounty hunter in a third world country won't pay your GDPR fine!!</span></p><p><span style="background-color: white;"><span style="color: #16161d; font-family: arial;"><span style="letter-spacing: 0.25px;">Bug bounty platforms may violate California and federal labor law, and the EU’s General Data Protection Regulation (GDPR). Your vulnerability data (and possibly client PII) is on random laptops of bounty hunters globally: no governance, possibly no encryption. 
Do your clients understand their data could be on a random hunter's laptop in, say, Pakistan?</span></span></span></p><p><span style="font-size: x-small;"><span style="background-color: white;"><span style="color: #16161d; font-family: arial;"><span style="letter-spacing: 0.25px;">Good article here: </span></span></span><span style="font-family: arial;"><a href="https://www.csoonline.com/article/3535888/bug-bounty-platforms-buy-researcher-silence-violate-labor-laws-critics-say.html" target="_blank">https://www.csoonline.com/article/3535888/bug-bounty-platforms-buy-researcher-silence-violate-labor-laws-critics-say.html</a></span></span></p><p><b style="font-family: arial;">Attack Surface Management (ASM) & API discovery is important</b></p><p><span style="font-family: arial;">We built ASM and API discovery in 2017 believing visibility is super important. Being informed in real time of exposures from rogue deployments as they happen is key to continuous resilience. We can't secure what we can't see.</span></p><p><span style="font-family: arial; font-size: small;">More here: </span></p><p><a href="https://info.edgescan.com/hubfs/Datasheets/Attack%20Surface%20Management%20Datasheet.pdf" style="font-family: arial;" target="_blank"><span style="font-size: x-small;">https://info.edgescan.com/hubfs/Datasheets/Attack%20Surface%20Management%20Datasheet.pdf</span></a></p><p><a href="https://www.edgescan.com/services/api-security-testing/" target="_blank"><span style="font-family: arial; font-size: x-small;">https://www.edgescan.com/services/api-security-testing/</span></a></p><h4 style="text-align: left;"><span style="font-family: arial;"><b>Support for technical staff is important</b></span></h4><p><span style="font-family: arial;">We decided to deliver support to our clients. 
<b>We don't expect our clients to be cyber security experts.</b> Everyone in the Edgescan team is a seasoned penetration tester, due to our <b>internal rotation</b> of teams on a monthly basis between Edgescan support, consultancy, SAST, software security and work not suitable for a SaaS which our clients require.</span></p><h4 style="text-align: left;"><br /></h4><p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-UnqXXbGufls/YMh2g28T1RI/AAAAAAAACns/SWd1RgdTMH8W0DJwDV9QuupvsVC36W6-ACLcBGAsYHQ/s1965/validator%2Bvs%2Bfalse%2Bpositive.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1965" data-original-width="1384" height="400" src="https://1.bp.blogspot.com/-UnqXXbGufls/YMh2g28T1RI/AAAAAAAACns/SWd1RgdTMH8W0DJwDV9QuupvsVC36W6-ACLcBGAsYHQ/w281-h400/validator%2Bvs%2Bfalse%2Bpositive.jpg" width="281" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><i><span style="font-family: arial;">Validator v False Positive</span></i></td></tr></tbody></table><br /><span style="font-family: arial;"><br /></span></p><p><span style="font-family: arial;"><b>Be Safe,</b></span></p><p><span style="font-family: arial;"><b>- ek</b></span></p><p><span style="font-family: arial;"> </span></p>Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com0tag:blogger.com,1999:blog-7247674390631055904.post-49031550567543611872021-05-25T02:35:00.019-07:002021-05-26T02:15:20.398-07:00HSE Hack - What should we do now......personal opinion<h3 style="text-align: left;"><span style="font-family: arial;">What I would do to make the HSE a more resilient organization from a cyber standpoint......</span></h3><h3 style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-avSKD5Se2AI/YKzFL9m8xHI/AAAAAAAACnU/9EGCeE4vNMUmS_RipHu0uk0xQG-p9wELgCLcBGAsYHQ/s2243/edgescan-logo-1-hi-res.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1039" data-original-width="2243" src="https://1.bp.blogspot.com/-avSKD5Se2AI/YKzFL9m8xHI/AAAAAAAACnU/9EGCeE4vNMUmS_RipHu0uk0xQG-p9wELgCLcBGAsYHQ/s320/edgescan-logo-1-hi-res.png" width="320" /></a></div><br /><span style="font-family: arial;"><br /></span></h3><h4 style="text-align: left;"><span style="font-family: arial;">This is somewhat of an open letter to my government on how to secure *our* data. I do not cover compliance or certification but rather the more practical "must-have" items.</span></h4><h3 style="text-align: left;"><span style="font-family: arial;">Awareness & Resilience (and budget)</span></h3><div><span style="font-family: arial;">Folks who write the cheques need to understand the value and importance of cyber security. It's not a "Tax" or an "Insurance"; it's a process through which we try to ensure we are somewhat resilient to breach. Breach is 9 times out of 10 more expensive than multiple years of cyber spend.</span></div><div><span style="font-family: arial;"><br /></span></div><div><span style="font-family: arial;">Embrace cyber security! "Hackers don't give a shit" and if you are weak you will be hit. Cyber-resilience and awareness may not prevent breach but they may limit the extent of the breach and enable us to act in a timely manner before the genie is out of the bottle. </span></div><div><span style="font-family: arial;"><br /></span></div><div><span style="font-family: arial;">Investment in cyber security is paramount given the potential losses from fraud and breach recovery. 
Compliance is not security; the focus needs to be on practical technical controls and a technical framework.</span></div><div><span style="font-family: arial;"><br /></span></div><div><span style="font-family: arial;"><h3 style="font-family: 'Times New Roman';"><span style="font-family: arial;">Asset Management and Attack Surface Management - Identify and prioritize - Risk</span></h3><p style="font-family: 'Times New Roman';"><span style="font-family: arial;">Maintain a list of what assets you have (data and systems). What's the bill of materials for your network or system? </span></p><p style="font-family: 'Times New Roman';"><span style="font-family: arial;"><i><b>We can't secure what we can't measure</b></i>. Tracking of system resilience is of key importance. Deploy continuous monitoring and management of your external, Internet-facing estate. This will help detect weaknesses and exposures as they arise. Real-time attack surface management is a simple but very effective way to understand what can be hacked at any point in time.</span></p><p style="font-family: 'Times New Roman';"><span style="font-family: arial;">Establish an asset register and an IT BOM (bill of materials). <b>Identify critical assets</b> (systems and data). Layer <b>stronger controls</b> around such systems. Perform threat modeling exercises around critical systems to <b>identify cyber chokepoints and audit points</b> to detect malice.</span></p></span></div><h3 style="text-align: left;"><span style="font-family: arial;">Threat Awareness - Intelligence</span></h3><p><span style="font-family: arial;">Deploy a solution to monitor lateral movement, brute forcing and typical indicators of compromise (IoC) traffic and artefacts. Threat awareness is important both to help detect post-breach activities and to surface internal threats and weakness. 
<b>Early detection</b> is important in terms of limiting breach.</span></p><h3 style="text-align: left;"><span style="font-family: arial;">Processing of logs. Maintaining of logs. Tracking what's important.</span></h3><p><span style="font-family: arial;">Ensure we are auditing transactions, traffic and events on core systems. Such audit logs need to be consolidated and monitored for anomalies. Log scraping looking for errors and non-standard events would be a great start. Log non-idempotent transactions and authentication, both between users and systems and between systems themselves.</span></p><h3 style="text-align: left;"><span style="font-family: arial;">Vulnerability Management</span></h3><p><span style="font-family: arial;"><b>Detect weaknesses as they occur</b>: missing patches, web application and API weaknesses. Exposed remote access services, administration consoles and weak cryptography all need to be tracked continuously. Key to making this effective is accuracy. Solutions with guaranteed accuracy are preferred, resulting in a reduction of "white noise" so we can focus on real issues. The majority of ransomware leverages CVEs to exploit target systems. Full stack <b>vulnerability management makes systems more resilient to such attacks.</b></span></p><p><span style="font-family: arial;"><b>Focus on a risk-based approach </b>to patching and addressing weakness. "<i>All vulnerabilities are not created equal</i>." <b>Focus on what matters: </b>critical systems and data first, moving down the list.</span></p><h3 style="text-align: left;"><span style="font-family: arial;">Penetration testing</span></h3><div><span style="font-family: arial;">Hackers manually probe systems and they are expert operators. Using software alone to assess security is never going to work. To level the playing field we need to fight fire with fire. Today's cybercrime consists of working professionals and industrialized capability. We need to be the same. 
Penetration testing consists of manual "deep dive" assessments using human intelligence to simulate a determined attacker. It is generally more effective in uncovering weakness, but it is expensive and not as scalable.</span></div><h3 style="text-align: left;"><span style="font-family: arial;">Metrics & Measure improvement</span></h3><p><span style="font-family: arial;">Record improvement: what's difficult, what's taking a long time. Which cyber security activities are taking a long time and are challenging? Which systems cause the most cyber security effort? Which systems are historically more problematic and require the most attention?</span></p><p><span style="font-family: arial;">Which layer (network or application) has the highest risk density, and where do we focus our efforts? Examine vulnerability types, be they patching, developer or architecture related. Figure out the root cause in order to focus training and awareness on preventing such bugs and errors, which manifest as weaknesses.</span></p><h3 style="text-align: left;"><span style="font-family: arial;">Patch</span></h3><p><span style="font-family: arial;">Every year thousands of <a href="https://cve.mitre.org/" target="_blank">CVEs </a>(Common Vulnerabilities and Exposures) are discovered. Systems thought secure today suffer from a critical risk tomorrow. Constant tracking is required: constant vulnerability management to detect, and risk-based patching to fix. Establish a patching programme. Use automation if possible.</span></p><h3 style="text-align: left;"><span style="font-family: arial;">Email and Internet Browsing Security</span></h3><p><span style="font-family: arial;">Lock down email systems and deploy an email security service to help minimize exposure. 
Lock down users' browsing access to a whitelist of legitimate sites.</span></p><h3 style="text-align: left;"><span style="font-family: arial;">Data Encryption and Secure Storage</span></h3><div><span style="font-family: arial;">Data which is critical to the business, sensitive in nature or contains PII needs to be encrypted, with a suitable key management solution in place. Passwords should be stored in an unrecoverable way (salted and hashed).</span></div><h3 style="text-align: left;"><span style="font-family: arial;">Backup Frequently</span></h3><p><span style="font-family: arial;">Backing up data and systems is undervalued and paramount to restoring after a breach. The frequency of backup has a bearing on loss: more frequent backups mean a smaller window of exposure. Try to deploy a real-time backup solution if possible. The backups should be stored in a secure part of the network which requires authentication etc. to limit the chance of malware affecting backup repositories.</span></p><h3 style="text-align: left;"><span style="font-family: arial;">Authentication and Limitation & Zero Trust</span></h3><p><span style="font-family: arial;">Enable multifactor authentication (MFA) for critical systems, be it certificate-based combined with a password, or other means. Ensure system-to-system authentication is also enabled; adopt a "Zero trust model". IP-limit traffic between systems from an architectural standpoint in order to make the network more hierarchical and less "flat". This can limit the spread of infection.</span></p><p><span style="font-family: arial;"><br /></span></p><p><span style="font-family: arial;">The extent of this problem is only growing based on the statistics we produce every year alongside other organizations. 
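The "Threat Awareness" and "Processing of logs" sections above ask for consolidated authentication logs that are scraped for brute forcing, lateral movement and non-standard events. The following is an added example of that kind of triage, not code from the HSE or from Edgescan: the sshd-style log lines are constructed (fictional hostnames, RFC 5737 test addresses) and the thresholds are illustrative.

```python
"""Authentication-log triage for brute forcing and lateral movement.

Added example for the log-processing and threat-awareness sections; not HSE or
Edgescan code. The log lines are constructed (fictional hosts, RFC 5737 test
addresses) and the thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# ISO timestamp, host, sshd pid, result, optional "invalid user", account, source IP.
LOG_RE = re.compile(
    r"^(\S+) (\S+) sshd\[\d+\]: (Accepted|Failed) password for "
    r"(?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample: a password-guessing burst that eventually succeeds, a
# service account hopping across workstations, and a normal user login with
# one typo. The pam_unix line does not match the pattern and is set aside.
SAMPLE_LOG = """\
2021-05-14T02:13:01 hr-db-01 sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
2021-05-14T02:13:03 hr-db-01 sshd[811]: Failed password for invalid user oracle from 203.0.113.5 port 50124 ssh2
2021-05-14T02:13:04 hr-db-01 sshd[811]: Failed password for root from 203.0.113.5 port 50126 ssh2
2021-05-14T02:13:06 hr-db-01 sshd[811]: Failed password for root from 203.0.113.5 port 50128 ssh2
2021-05-14T02:13:09 hr-db-01 sshd[811]: Failed password for root from 203.0.113.5 port 50130 ssh2
2021-05-14T02:13:15 hr-db-01 sshd[811]: Accepted password for root from 203.0.113.5 port 50132 ssh2
2021-05-14T02:20:00 ward-pc-22 sshd[402]: Accepted password for svc_backup from 10.0.0.9 port 41000 ssh2
2021-05-14T02:20:40 ward-pc-23 sshd[403]: Accepted password for svc_backup from 10.0.0.9 port 41002 ssh2
2021-05-14T02:21:10 ward-pc-24 sshd[404]: Accepted password for svc_backup from 10.0.0.9 port 41004 ssh2
2021-05-14T02:21:50 fileserver-03 sshd[77]: Accepted password for svc_backup from 10.0.0.9 port 41006 ssh2
2021-05-14T09:00:00 web-01 sshd[1201]: Failed password for jsmith from 192.0.2.10 port 60000 ssh2
2021-05-14T09:00:05 web-01 sshd[1201]: Accepted password for jsmith from 192.0.2.10 port 60002 ssh2
2021-05-14T09:00:07 web-01 sshd[1201]: pam_unix(sshd:session): session opened for user jsmith
"""

FAIL_THRESHOLD = 5          # failures from one source inside WINDOW (illustrative)
HOST_SPREAD_THRESHOLD = 3   # distinct hosts one account logs into inside WINDOW
WINDOW = timedelta(minutes=5)


def parse(log: str):
    """Return (events, unparsed). Events are (ts, host, result, user, src) tuples."""
    events, unparsed = [], []
    for line in log.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            unparsed.append(line)   # "non-standard" lines go to a review queue
            continue
        ts, host, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), host, result, user, src))
    return events, unparsed


def _in_window(items, now, ts_of=lambda item: item):
    """Keep the items whose timestamp falls inside the sliding window ending at now."""
    return [item for item in items if ts_of(item) >= now - WINDOW]


def detect(log: str) -> List[Dict]:
    events, _ = parse(log)
    findings: List[Dict] = []
    fails = defaultdict(list)       # source ip -> failure timestamps in window
    logins = defaultdict(list)      # account -> (ts, host) successes in window
    spread_reported = set()
    for ts, host, result, user, src in events:
        if result == "Failed":
            fails[src] = _in_window(fails[src], ts) + [ts]
            if len(fails[src]) == FAIL_THRESHOLD:   # fire when the burst crosses the line
                findings.append({"rule": "brute_force", "src": src, "host": host,
                                 "at": ts.isoformat()})
            continue
        # A success right after a burst of failures from the same source is the
        # indicator worth paging on, not the failures alone.
        if len(_in_window(fails[src], ts)) >= FAIL_THRESHOLD:
            findings.append({"rule": "success_after_brute_force", "src": src,
                             "user": user, "host": host, "at": ts.isoformat()})
        logins[user] = _in_window(logins[user], ts, ts_of=lambda p: p[0]) + [(ts, host)]
        hosts = sorted({h for _, h in logins[user]})
        if len(hosts) >= HOST_SPREAD_THRESHOLD and user not in spread_reported:
            spread_reported.add(user)   # report each account once per burst
            findings.append({"rule": "account_host_spread", "user": user, "src": src,
                             "hosts": hosts, "at": ts.isoformat()})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
    print("unparsed lines:", len(parse(SAMPLE_LOG)[1]))
```

Run as-is it reports the brute-force burst against hr-db-01, the root login that followed it, and svc_backup reaching three hosts inside five minutes, while the single mistyped password from jsmith stays below threshold. The unparsed pam_unix line is the "non-standard event" the section says should be kept for review rather than silently dropped.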
</span></p><p><span style="font-family: arial;">More statistics can be found here, including the Verizon DBIR and Edgescan Vulnerability Stats Report 2021.....</span></p><p><a href="https://www.edgescan.com/company/blog/" target="_blank"><span style="font-family: arial;">https://www.edgescan.com/company/blog/</span></a></p><p><span style="font-family: arial;"><br /></span></p>Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com0tag:blogger.com,1999:blog-7247674390631055904.post-71617092685033792492021-05-18T07:11:00.008-07:002021-05-19T02:44:43.604-07:00<h1 style="text-align: left;"><span style="font-family: arial;">The HSE Data Breach and the State of Irish Cyber Security</span></h1><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-1RTMFHIrOeo/YKPMi2XgaKI/AAAAAAAACnA/B3sJMjm6i9cSR24L08S1rafNDATiLnRJgCLcBGAsYHQ/s1920/http---hitwallpaper.com-wp-content-uploads-2013-07-Futurescape.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1920" height="225" src="https://1.bp.blogspot.com/-1RTMFHIrOeo/YKPMi2XgaKI/AAAAAAAACnA/B3sJMjm6i9cSR24L08S1rafNDATiLnRJgCLcBGAsYHQ/w400-h225/http---hitwallpaper.com-wp-content-uploads-2013-07-Futurescape.jpg" width="400" /></a></div><br /><p style="text-align: left;"><span style="font-family: arial;"><span color="rgba(0, 0, 0, 0.9)" face='-apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", "Fira Sans", Ubuntu, Oxygen, "Oxygen Sans", Cantarell, "Droid Sans", "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Lucida Grande", Helvetica, Arial, sans-serif' style="background-color: white; font-size: 16px; white-space: pre-wrap;">Many years ago, shortly after I founded the Irish chapter of OWASP ( 
</span><a href="http://www.owasp.org" style="font-size: 16px; white-space: pre-wrap;">http://www.owasp.org</a><span color="rgba(0, 0, 0, 0.9)" face='-apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", "Fira Sans", Ubuntu, Oxygen, "Oxygen Sans", Cantarell, "Droid Sans", "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Lucida Grande", Helvetica, Arial, sans-serif' style="background-color: white; font-size: 16px; white-space: pre-wrap;"> ) (in 2007??) we were delivering free application and software development classes to anyone who wanted them. It was a local, low-key affair, but every class we delivered was "sold out". We had 60-80 folks, mostly developers, willing to spend 4-5 hours on learning the fundamentals of secure application development and testing.</span></span></p><p style='background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", "Fira Sans", Ubuntu, Oxygen, "Oxygen Sans", Cantarell, "Droid Sans", "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Lucida Grande", Helvetica, Arial, sans-serif; font-size: 16px; line-height: 1.5; margin: 0px; padding: 0px; vertical-align: baseline; white-space: pre-wrap;'><br /></p><p style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; font-size: 16px; line-height: 1.5; margin: 0px; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><span face='-apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", "Fira Sans", Ubuntu, Oxygen, "Oxygen Sans", Cantarell, "Droid Sans", "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Lucida Grande", Helvetica, Arial, sans-serif'>I</span><span style="font-family: arial;"> suppose we felt cyber security was an important issue because that's what we did. At the time many folks in business felt cyber security was an overhead or a "tax" and did not give it much time.</span></p><p style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; font-size: 16px; line-height: 1.5; margin: 0px; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: arial;"><br style="box-sizing: inherit;" /></span></p><p style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; font-size: 16px; line-height: 1.5; margin: 0px; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: arial;">A few years later (late 2010), when the foundation of the NCSC (National Cyber Security Centre) was announced, a few of us (local OWASP Ireland leaders) wrote a number of emails to the Irish government offering free cyber security training. As we were working for a non-profit (501(c)(3)) charity (OWASP) we thought we could do this locally and "move the dial". The result was.....nothing. 
<i><b>We got no response</b></i>.</span></p><p style='background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", "Fira Sans", Ubuntu, Oxygen, "Oxygen Sans", Cantarell, "Droid Sans", "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Lucida Grande", Helvetica, Arial, sans-serif; font-size: 16px; line-height: 1.5; margin: 0px; padding: 0px; vertical-align: baseline; white-space: pre-wrap;'><br style="box-sizing: inherit;" /></p><p style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; font-size: 16px; line-height: 1.5; margin: 0px; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: arial;">Since then I've always wanted Ireland to have a "Kite mark" regarding cyber security and secure application development. This is something I've proposed to many "talking heads" in government and industry over the years, but everyone likes to talk and few actually do. </span></p><p style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; font-size: 16px; line-height: 1.5; margin: 0px; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: arial;"><br /></span></p><p style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; font-size: 16px; line-height: 1.5; margin: 0px; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: arial;">This could be free or tax deductible for employers and be of massive benefit.</span></p><p style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; font-size: 16px; line-height: 1.5; margin: 0px; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: arial;"><br /></span></p><p style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; font-size: 16px; line-height: 1.5; margin: 0px; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: arial;">In 2018 Tony Clarke (CISO Marken), David Cahill (AIB) and I had the idea of reigniting this...<i><b>again no response</b></i>. We also wrote an open letter to the government discussing the partnership model....as follows...</span></p><span><a name='more'></a></span><p style='background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", "Fira Sans", Ubuntu, Oxygen, "Oxygen Sans", Cantarell, "Droid Sans", "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Lucida Grande", Helvetica, Arial, sans-serif; font-size: 16px; line-height: 1.5; margin: 0px; padding: 0px; vertical-align: baseline; white-space: pre-wrap;'><br /></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm;"><b><u><span style="font-family: Arial, sans-serif;">Ireland as a Cybersecurity
“Powerhouse”:</span></u></b></p><p class="MsoNormal" style="background: white; line-height: normal; margin-bottom: 0cm; vertical-align: baseline;"><span style="font-family: 'Segoe UI', sans-serif; font-size: 12.0pt;"> </span></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm;"><b><span style="font-family: Arial, sans-serif;">Local advantage:</span></b></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm;"><span style="font-family: Arial, sans-serif;">Cybersecurity is a large commercial opportunity for “Ireland Inc.” given the indigenous companies established in the republic which have significant intellectual property and export capability. </span></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm;"><span style="font-family: Arial, sans-serif;">The start-up community, coupled with established exporting cyber security companies such as Daon, PixAlert, NetFort, Adaptive Mobile and edgescan, to name but a few, has been very successful in exporting and delivering solutions in the cyber security space for a number of years. This highlights Ireland’s commitment to a culture of cyber security, similar to the Israel and Estonia models.</span></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm;"><b><span style="font-family: Arial, sans-serif;">FDI Advantage:</span></b></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm;"><span style="font-family: Arial, sans-serif;">Having a skilled technical
community is part of the attraction of foreign direct investment. </span><span style="font-family: Arial, sans-serif;">Having a technical community that is
well versed in the issues of cyber security is an additional advantage.
Software developers, architects and DevOps staff who are trained in, and “get”,
security and compliance requirements are a valuable resource in the global tech
market and make Ireland a more attractive place in terms of the modern
“knowledge economy”.</span></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm;"><span style="font-family: "Times New Roman", serif; font-size: 13.5pt;"> </span></p><p class="MsoNormal" style="background: white; line-height: normal; margin-bottom: 0cm; vertical-align: baseline;"><span style="font-family: "Segoe UI",sans-serif; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-IE;"> </span></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm;"><b><span style="font-family: Arial, sans-serif;">Leveraging Local Talent.</span></b><span style="font-family: "Times New Roman", serif; font-size: 13.5pt;"><o:p></o:p></span></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm;"><span style="font-family: Arial, sans-serif;">Ireland has a number of significant
groups and individuals in the cyber security space. </span><span style="font-family: Arial, sans-serif;">Some are globally recognized and respected.
Groups such as the IISF, OWASP and ISACA have thriving communities in which active
knowledge sharing and networking activities </span><span style="font-family: Arial, sans-serif;">occur on a regular basis. It is our
belief that such community members, most of whom are </span><span style="font-family: Arial, sans-serif;">volunteers, are willing, available and
able to work with the government in advancing the </span><span style="font-family: Arial, sans-serif;">cyber security agenda in the republic.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span></p><p style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", "Fira Sans", Ubuntu, Oxygen, "Oxygen Sans", Cantarell, "Droid Sans", "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Lucida Grande", Helvetica, Arial, sans-serif; font-size: 16px; line-height: 1.5; margin: 0px; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><b style="font-weight: normal;"><br /><br /></b></p><p style="margin: 0cm;"><b><span style="font-family: Arial, sans-serif; font-size: 11pt;">Suggested Ideas for partnership:</span></b><span style="font-size: 13.5pt;"><o:p></o:p></span></p><p style="background: white; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; margin: 0cm; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "Segoe UI",sans-serif;"> </span></p><p role="presentation" style="margin-bottom: 0cm; margin-left: 36.0pt; margin-right: 0cm; margin-top: 0cm; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt; text-indent: -18.0pt; vertical-align: baseline;"><!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10pt;">·<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; 
font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="font-family: Arial, sans-serif; font-size: 11pt;">Tax-deductible security awareness training (free / non-profit), covering both technical and executive awareness.<o:p></o:p></span></p>
</span></span><!--[endif]--><span style="font-family: Arial, sans-serif; font-size: 11pt;">National Cyber Security Strategy review and maintenance.<o:p></o:p></span></p><p role="presentation" style="margin-bottom: 0cm; margin-left: 36.0pt; margin-right: 0cm; margin-top: 0cm; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt; text-indent: -18.0pt; vertical-align: baseline;"><!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10pt;">·<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="font-family: Arial, sans-serif; font-size: 11pt;">National Cyber Security “Quality Mark / Kite-mark”.<o:p></o:p></span></p><p role="presentation" style="margin-bottom: 0cm; margin-left: 36.0pt; margin-right: 0cm; margin-top: 0cm; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt; text-indent: -18.0pt; vertical-align: baseline;"><!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10pt;">·<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="font-family: Arial, sans-serif; font-size: 11pt;">Liaison with FDI organizations & indigenous companies in
relation to upskilling and support of Cyber Security Strategy.<o:p></o:p></span></p><p role="presentation" style="margin-bottom: 0cm; margin-left: 36.0pt; margin-right: 0cm; margin-top: 0cm; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt; text-indent: -18.0pt; vertical-align: baseline;"><!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10pt;">·<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="font-family: Arial, sans-serif; font-size: 11pt;">Establishing a Government-Private sector cybersecurity working
group.<o:p></o:p></span></p><p role="presentation" style="margin-bottom: 0cm; margin-left: 36.0pt; margin-right: 0cm; margin-top: 0cm; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt; text-indent: -18.0pt; vertical-align: baseline;"><!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10pt;">·<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="font-family: Arial, sans-serif; font-size: 11pt;">Tax-deductible vulnerability management services programme for
businesses.<o:p></o:p></span></p>
<p role="presentation" style="margin-bottom: 0cm; margin-left: 36.0pt; margin-right: 0cm; margin-top: 0cm; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt; text-indent: -18.0pt; vertical-align: baseline;"><!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10pt;">·<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="font-family: Arial, sans-serif; font-size: 11pt;">An Irish “Cyber Essentials” programme (modelled on <a href="https://www.cyberessentials.ncsc.gov.uk/"><span style="color: #1155cc;">https://www.cyberessentials.ncsc.gov.uk/</span></a>) and setting
up a database of “Certified” companies.<o:p></o:p></span></p><div><span style="font-family: Arial;"><span><!--more--></span><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div><div><span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div><div><span style="font-size: 14.6667px; white-space: pre-wrap;"><span style="font-family: arial;">Anyways, looking back at this, there is still a chance to push this agenda ahead. The writing is on the wall; maybe it can move from an idea to a reality. </span></span></div><div><span style="font-family: arial;"><br /></span></div><div><span style="font-family: arial;"><b>What do y'all think? Is it time?</b></span></div><div><br /></div><div><span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div><div><span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com4tag:blogger.com,1999:blog-7247674390631055904.post-59624476042283296782021-03-30T12:44:00.009-07:002021-03-31T03:40:55.067-07:00BBQ Cyber Security Thoughts......<h1 style="text-align: left;"><span style="font-family: arial;">BBQ Cyber Security Thoughts......</span></h1><p>During lockdown, I've taken to standing over the BBQ staring at the temperature gauge, lifting the lid occasionally and slow-cooking various meats. Given the lockdown situation, this provided a focal point for the day; something to attend to for the afternoon. 
</p><p>When standing there in a mindful stasis things go through your head; these are some of mine...</p><p><br /></p><p></p><ul style="text-align: left;"><li>"Software testing Software, who thought that would work?"</li></ul><ul style="text-align: left;"><li>"Using systems with potential vulnerabilities to discover potential vulnerabilities in systems"</li></ul><ul style="text-align: left;"><li>"Shift Left would make more sense if development was linear"</li></ul><ul style="text-align: left;"><li>"The reliance on automation to defend against a human adversary, sounds fair.....💀"</li></ul><ul style="text-align: left;"><li>"We can't improve what we can't measure; we can't secure what we can't see."</li></ul><ul style="text-align: left;"><li>"We accept false positives in scanners (Software getting it wrong) but we don't accept vulnerabilities (Software getting it wrong)." - Software testing software.</li></ul><ul style="text-align: left;"><li>"The DevSecOps elephant in the room is 'Validation'"</li><li><p class="MsoNormal"><span lang="EN-GB">"Change
gives rise to Risk. </span>Change
occurs when a system does <b>not </b>change & When a system changes (duh!!)….Over
time critical vulnerabilities are discovered. Patches are released. Yesterday I
was secure, Today I’ve a Critical Risk. Need to patch/Redeploy. Also....when a
system changes: New features deployed, new services exposed, larger attack
surface, more exposed, more to attack, more headaches; this also gives rise to risk."</p></li><li><p class="MsoNormal">"Scale vs Depth – Scanners do scale, Humans “do” depth. – Our enemies "do" depth every time and are focused."</p></li><li><div><div>"Automation accuracy is not as strong as human accuracy – Our attackers are humans."</div></div></li></ul><ul style="text-align: left;"><li>"Shift Left, Shift Right: not just pushing left, we need to push in both directions. E.g. a system is live, nothing changes, but it might be vulnerable tomorrow." </li></ul><ul style="text-align: left;"><li>Shift Left: Prevention. Catch early. Shift Right: Detection, vigilance.</li></ul><ul style="text-align: left;"><li>Shift Left: Enable and assist developers to build and deploy secure code and systems. Shift Right: Detect “the next CVE” and also mop up anything that we missed in pre-prod.</li></ul><ul style="text-align: left;"><li>We’re protecting our systems against breach by humans, not scanners, right!!</li></ul><br /><br /><p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-FEhYItjMNVg/YGN-4HQnmMI/AAAAAAAAClc/yR82QQmEDAUJs3lZUJ7am_lB5ANLFg6NwCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="900" data-original-width="675" height="400" src="https://lh3.googleusercontent.com/-FEhYItjMNVg/YGN-4HQnmMI/AAAAAAAAClc/yR82QQmEDAUJs3lZUJ7am_lB5ANLFg6NwCLcBGAsYHQ/w300-h400/image.png" width="300" /></a></div><br /><br /><p></p><p><br /></p><p><br /></p><p><br /></p>Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com0Timbuktu, Mali16.7665887 -3.0025615-11.543645136178846 -38.1588115 45.076822536178845 32.1536885tag:blogger.com,1999:blog-7247674390631055904.post-6663716988050005132021-03-10T01:46:00.002-08:002021-09-02T08:27:54.571-07:00Edgescan Weasel - Our new Web Security Scanning Tech <p><span style="font-family: arial;"> </span></p><h1 style="text-align: 
left;"><span style="font-family: arial;">Web Application Scanning...Evolution</span></h1><p class="MsoPlainText"><span style="font-family: arial;">For the past 24 months <a href="https://www.edgescan.com/" target="_blank">Edgescan </a>has been developing a new Web Scanning engine, namely "<i>Weasel</i>". It's the core component of the web security side of the edgescan SaaS. We built it for many reasons:</span></p><p class="MsoPlainText"></p><ul style="text-align: left;"><li><span style="font-family: arial;">Faster assessment speed.</span></li><li><span style="font-family: arial;">Increased coverage.</span></li><li><span style="font-family: arial;">Better accuracy.</span></li><li><span style="font-family: arial;">More user control and configuration.</span></li><li><span style="font-family: arial;">Improved API support and navigation.</span></li><li><span style="font-family: arial;">More metrics.</span></li><li><span style="font-family: arial;">JavaScript/Single-Page-Application (SPA) improvement.</span></li><li><span style="font-family: arial;">Improved content discovery.</span></li><li><span style="font-family: arial;">Dynamic learning.</span></li></ul><p></p><p class="MsoPlainText"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-RcQrpZCG-dk/YEiU565SeKI/AAAAAAAACj0/TuH4LZgb7hYFkPHTT-a6PoM6TjA_WX5AgCLcBGAsYHQ/s1109/The%2Breal%2BGhostbusters.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1109" data-original-width="801" height="320" src="https://1.bp.blogspot.com/-RcQrpZCG-dk/YEiU565SeKI/AAAAAAAACj0/TuH4LZgb7hYFkPHTT-a6PoM6TjA_WX5AgCLcBGAsYHQ/s320/The%2Breal%2BGhostbusters.jpg" /></a></div><span style="font-family: arial;">A cool thing about Weasel is that it has a dedicated team
consisting not only of developers but also of analysts and researchers. This was exciting: some of our penetration testers trained and pushed the engine, and our developers implemented the resulting changes on an ongoing basis. Developing a web scanning engine is certainly a treadmill and a never-ending process. Change is good, and to change often is to live well.</span><p></p>
<p class="MsoPlainText"><span style="font-family: arial;"><b>Dynamic Learning</b> - One aspect that is exciting for us is the idea of continuously integrated test cases, ensuring that as new
vulnerabilities are discovered they are included in our scanning without the
need for client interaction or lengthy delays between version releases, while
also ensuring that the test cases for known vulnerabilities are kept up to date as proofs of concept
as new research emerges. - Keeping pace with change.</span></p>
<p class="MsoPlainText"><span style="font-family: arial;"><b>Scalability </b>- In some cases clients have hundreds or thousands of web-layer targets. Weasel provides the ability to deliver a policy-based service per
application, covering bandwidth throttling and scheduled scan windows, while also
delivering the finesse and precision needed for high-quality, advanced proofs of
concept, which is reflected in cleaner intel delivered to the client.<o:p></o:p></span></p><p class="MsoPlainText"><span style="font-family: arial;"><b>Advanced automated content discovery</b> - SPA indexing, plus discovery of
development, configuration and backup file endpoints. Time after time in internal and external testing we
have discovered sensitive content leading to critical-risk vulnerabilities;
such content is continuously added to our checks, resulting in automated detection.</span></p><p class="MsoPlainText"><span style="font-family: arial;"><b>Better Accuracy</b> - Our engine uses both dynamic and static vectors to find vulnerabilities. We've worked hard on defining powerful testing vectors in order to test for vulnerabilities more efficiently, and also to deliver coverage in a shorter timeframe. Of course, as ever, all findings are validated via the Edgescan core technology, with expert validation in addition where required.</span></p><p class="MsoPlainText"><span style="font-family: arial;"><b>API discovery and assessment</b> - Weasel automatically searches for API manifest/Swagger files in order to detect unknown APIs. API detection is a little more involved than just Swagger file detection, as discussed <a href="https://www.edgescan.com/services/api-security-testing/" target="_blank">here</a>, but once a manifest is discovered edgescan parses the file to understand how to use and navigate the API, and hence how to test it.</span></p><p class="MsoPlainText"><span style="font-family: arial;">With the introduction of our new Weasel scanning engine coupled with Edgescan's full-stack coverage, we're pretty excited that we are leading the market in relation to continuous vulnerability intelligence. 
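</span></p><p class="MsoPlainText"><span style="font-family: arial;">The manifest discovery and parsing step described above, as an added example; this is not Weasel or edgescan code. It probes a short list of common manifest locations (an assumed list, not an exhaustive one), ignores a 200 response whose body is not a JSON spec, and turns the first OpenAPI document it finds into a list of operations with their parameters, whether they carry a request body and whether they require authentication. The HTTP layer is a stand-in (<i>fake_fetch</i>) so the example runs offline, and the spec it finds is constructed for the example.</span></p>

```python
"""Find an API manifest and turn it into a test plan.

Added example for this post; not Weasel or edgescan code. MANIFEST_PATHS is an
assumed list of common locations, and SAMPLE_SPEC_JSON is a constructed spec.
"""
import json
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Common places an OpenAPI / Swagger document gets published (assumed, not exhaustive).
MANIFEST_PATHS = [
    "/openapi.json", "/swagger.json", "/v2/api-docs", "/v3/api-docs",
    "/api-docs", "/swagger/v1/swagger.json", "/api/swagger.json",
]

# Constructed sample: a document-wide bearer-token requirement that two
# operations switch off with an empty "security" list.
SAMPLE_SPEC_JSON = """
{
  "openapi": "3.0.3",
  "info": {"title": "Orders API (constructed sample)", "version": "1.0"},
  "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
  "security": [{"bearerAuth": []}],
  "paths": {
    "/users/{id}": {
      "parameters": [{"name": "id", "in": "path", "required": true, "schema": {"type": "integer"}}],
      "get": {"summary": "Fetch a user"}
    },
    "/orders": {
      "post": {"summary": "Create an order",
               "requestBody": {"required": true, "content": {"application/json": {"schema": {"type": "object"}}}}},
      "get": {"parameters": [{"name": "status", "in": "query", "schema": {"type": "string"}}]}
    },
    "/health": {"get": {"security": []}},
    "/internal/debug": {"get": {"security": [],
                                "parameters": [{"name": "cmd", "in": "query", "schema": {"type": "string"}}]}}
  }
}
"""


@dataclass(frozen=True)
class Operation:
    method: str
    path: str
    params: Tuple[str, ...]   # "name(location)" for every declared parameter
    has_body: bool
    requires_auth: bool


Fetch = Callable[[str], Tuple[int, str]]   # url -> (status code, body text)


def find_manifest(fetch: Fetch, base_url: str) -> Optional[Tuple[str, dict]]:
    """Probe the usual manifest locations; return (url, parsed spec) for the first real hit."""
    for path in MANIFEST_PATHS:
        url = base_url.rstrip("/") + path
        status, body = fetch(url)
        if status != 200:
            continue
        try:
            doc = json.loads(body)
        except ValueError:
            continue   # a 200 that is really an error page or SPA shell, not a spec
        if isinstance(doc, dict) and ("openapi" in doc or "swagger" in doc):
            return url, doc
    return None


def enumerate_operations(spec: dict) -> List[Operation]:
    """Flatten paths x methods into operations, merging path-level parameters."""
    global_auth = bool(spec.get("security"))
    ops: List[Operation] = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            own = op.get("parameters", [])
            params = tuple(f"{p['name']}({p['in']})" for p in shared + own)
            # OpenAPI 3 uses requestBody; Swagger 2 declares the body as an "in: body" parameter.
            has_body = "requestBody" in op or any(p.get("in") == "body" for p in own)
            # An operation-level "security" overrides the document default; an empty
            # list means no credentials are required even when a global scheme exists.
            requires_auth = bool(op["security"]) if "security" in op else global_auth
            ops.append(Operation(method.upper(), path, params, has_body, requires_auth))
    return ops


def unauthenticated(ops: List[Operation]) -> List[Operation]:
    """Endpoints reachable without credentials: the first targets of an unauthenticated pass."""
    return [o for o in ops if not o.requires_auth]


def fake_fetch(url: str) -> Tuple[int, str]:
    """Stand-in for HTTP GET: the constructed server publishes its spec only at /v3/api-docs."""
    if url.endswith("/v3/api-docs"):
        return 200, SAMPLE_SPEC_JSON
    if url.endswith("/swagger.json"):
        return 200, "Not Found (an HTML error page served with status 200, not a spec)"
    return 404, ""


if __name__ == "__main__":
    hit = find_manifest(fake_fetch, "https://api.example.test")
    if hit is None:
        raise SystemExit("no manifest found")
    url, spec = hit
    print("manifest:", url)
    for op in enumerate_operations(spec):
        flag = "" if op.requires_auth else "  [no auth]"
        print(f"{op.method:6} {op.path:18} params={op.params} body={op.has_body}{flag}")
```

<p class="MsoPlainText"><span style="font-family: arial;">Two points the code makes explicit. First, an operation-level <i>security: []</i> overrides the document-wide scheme, so those endpoints are where an unauthenticated scan pass should start. Second, a manifest only describes what the developers chose to document; endpoints missing from it still have to be found by the content discovery described above, which is why manifest detection on its own is not the whole of API detection.</span></p><p class="MsoPlainText"><span style="font-family: arial;">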
</span></p><p class="MsoPlainText"><span style="font-family: arial;">There is lots more to discuss at a later date.....</span></p><p class="MsoPlainText"><span style="font-family: arial;">Edgescan Review:</span></p><p class="MsoPlainText"><span style="font-family: arial;"><a href="https://www.itsecurityguru.org/2021/04/21/product-review-edgescan-makes-fullstack-vulnerability-management-easy/">https://www.itsecurityguru.org/2021/04/21/product-review-edgescan-makes-fullstack-vulnerability-management-easy/</a></span></p><p class="MsoPlainText"><span style="font-family: arial;"><br /></span></p><p class="MsoPlainText"><span style="font-family: arial;"><br /><br /></span></p><p class="MsoPlainText"><span style="font-family: arial;"><br /></span></p><p class="MsoPlainText"><o:p></o:p></p>Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com0tag:blogger.com,1999:blog-7247674390631055904.post-177218301877312392020-09-09T05:56:00.006-07:002020-09-09T05:57:33.978-07:00Application Security Validation Pitfalls, False Positives and Misconceptions<p><span style="font-family: arial;">I recently did a webinar with one of our senior security warriors, James Mullen discussing where automated validation works and where it doesn't. </span></p><p><span style="font-family: arial;">We also discussed false positives in both technical and logical vulnerabilities. 
</span></p><p><span style="font-family: arial;">This is worth tuning into if you want to understand the constraints of automation, where it falls down, and why we think reliance on automation alone for vulnerability management is a poor idea: we currently still need "the Human Element".</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://www.bigmarker.com/edgescan/VALIDATION-Mr-Vulnerability-False-Positive-Validator" target="_blank"><span style="font-family: arial;"><img border="0" data-original-height="993" data-original-width="1965" src="https://1.bp.blogspot.com/-3yDclWt0y-o/X1jQiNB8-rI/AAAAAAAACdM/RZzXsiVeUto2kA8ku_w6YsCdGsNtl-mHQCLcBGAsYHQ/s320/webinar-validation-sept2020.PNG" width="320" /></span></a></div><span style="font-family: arial;"><br /></span><p><span style="font-family: arial;">Check it out if you want to learn more.</span></p>Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com0tag:blogger.com,1999:blog-7247674390631055904.post-74947956089794295972020-09-01T03:18:00.001-07:002020-09-01T03:59:02.699-07:00<p><span style="font-family: arial;"> </span></p><p class="MsoNormal"><b><span style="font-family: arial;"></span></b></p><div class="separator" style="clear: both; text-align: center;"><b><span style="font-family: arial;"><a href="https://1.bp.blogspot.com/-YtOQsz83HlA/X04exltN7jI/AAAAAAAACdA/0VphWPU61dAqbpRrYaaaugzzqsjKOLZSQCPcBGAYYCw/s600/IMG_3694.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="400" data-original-width="600" height="205" src="https://1.bp.blogspot.com/-YtOQsz83HlA/X04exltN7jI/AAAAAAAACdA/0VphWPU61dAqbpRrYaaaugzzqsjKOLZSQCPcBGAYYCw/w307-h205/IMG_3694.JPG" width="307" /></a></span></b></div><b><span style="font-family: arial;"><br /></span></b><h1 style="text-align: left;"><b><span style="font-family: arial;">What’s the worst that can happen…..An Ode to Risk</span></b></h1><p></p>
<p class="MsoNormal"><span style="background: white; color: #222222;"><span style="font-family: arial;">Risk is a widely used word in many walks of life, but do we
understand what it means?<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="font-family: arial;">“<b><i><span style="background: white; color: #222222;">Risk</span></i></b><i><span style="background: white; color: #222222;"> involves uncertainty
about the effects/implications of an activity with respect to something that humans
value (such as health, well-being, wealth, property or the environment), often
focusing on negative, undesirable consequences</span></i><span style="background: white; color: #222222;">.”<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="background: white; color: #222222;"><span style="font-family: arial;">Cyber security often talks about risk.... </span></span></p><p class="MsoNormal"><span style="background: white; color: #222222;"><span style="font-family: arial;">A high-risk
vulnerability, or the risk of an event occurring. </span></span><span style="background-color: white; color: #222222; font-family: arial;">So risk relates to the statistical likelihood of an event and
its negative outcome. </span><span style="background-color: white; color: #222222; font-family: arial;">We often talk about likelihood and impact: the chance of
something happening and the effect of it happening.</span></p>
<p class="MsoNormal"><span style="background: white;"><span style="font-family: arial;"><span style="color: #222222;">As CISOs or cyber security professionals we try to address first the
items with the highest risk, that is, the highest combination of likelihood and impact. We
call this prioritization. <o:p></o:p></span></span></span></p>
<p class="MsoNormal"><span style="background: white;"><span style="font-family: arial;"><span style="color: #222222;">The reason we need to prioritize is that we can’t fix all
the issues, and </span><i style="color: #222222;"><b>not every vulnerability is created equal</b></i><span style="color: #222222;"><b>.</b> We all have
limited capacity, budget and resources; we need to do the best we can with what
we have.<o:p></o:p></span></span></span></p>
<p class="MsoNormal"><span style="background: white; color: #222222;"><span style="font-family: arial;">We try to discover risks via reviews of designs and procedures,
technical system reviews and testing. Some of these activities are up-front and
others are recurring, in order to keep pace with change in the environments we
control and the environments we don’t.<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="background: white; color: #222222;"><span style="font-family: arial;">Keeping pace with risk is hard; we simply don’t have the
manpower or budget to focus deeply on every risk to the business. Again, we
need to focus on the risks which are impactful or have a high chance of occurring. <o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="background: white; color: #222222;"><span style="font-family: arial;">Automation is good for scale and frequency (keeping pace); we
can use automation to detect vulnerabilities, but it is weak at determining actual
risk (and on its own is prone to false positives). The determination of risk is
contextual: it depends on the likelihood, the impact on the systems in
question and ultimately the business impact. <o:p></o:p></span></span></p>
<p class="MsoNormal"><i><span style="background: white; color: #222222;"><span style="font-family: arial;"></span></span></i></p><blockquote><i><span style="font-family: arial;">Automation is not good at context. Risk is all about context.
Without context we can’t determine priority. Without priority we can’t focus on
what matters to the business.</span></i></blockquote><i><span style="font-family: arial;"><o:p></o:p></span></i><p></p>
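<p class="MsoNormal"><span style="font-family: arial;">A worked example of the prioritization described above, added here and not edgescan's own scoring: the 1.5x multipliers for exposure and exploit availability, the five-point business criticality scale and the sample findings are all assumptions chosen for illustration. It takes scanner output plus two pieces of context the scanner does not have, whether the asset is internet-facing and how critical it is to the business, and re-ranks the findings. The scanner's only 9.8 "Critical" sits on an isolated lab box and ends up last, a validated SQL injection on the payments API ends up first, and the one unvalidated finding goes to a separate queue rather than consuming fix capacity.</span></p>

```python
"""Context-aware prioritisation of scanner findings.

Added illustration for this post; it is not edgescan code. The weights, the
criticality scale and the sample estate are assumptions made to show the effect
of context, not a recommended scoring standard.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool        # exposure feeds likelihood
    business_criticality: int    # 1 (lab box) .. 5 (revenue or regulated data); feeds impact


@dataclass(frozen=True)
class Finding:
    asset: Asset
    title: str
    scanner_score: float         # CVSS-style 0.0 .. 10.0 as reported by the automated tool
    exploit_available: bool      # public exploit or known exploited in the wild
    validated: bool              # confirmed by a human or a working PoC, i.e. not a false positive


def likelihood(f: Finding) -> float:
    """0..1: chance of exploitation, from the scanner score adjusted for context.

    The 1.5x multipliers are assumed weights: an internet-facing asset and a
    public exploit each make exploitation materially more likely.
    """
    score = f.scanner_score / 10.0
    if f.asset.internet_facing:
        score *= 1.5
    if f.exploit_available:
        score *= 1.5
    return min(score, 1.0)


def impact(f: Finding) -> float:
    """0..1: what it costs the business if exploitation succeeds."""
    return f.asset.business_criticality / 5.0


def risk(f: Finding) -> float:
    """Likelihood x impact on a 0..1 scale."""
    return round(likelihood(f) * impact(f), 3)


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Validated findings only, highest contextual risk first."""
    return sorted((f for f in findings if f.validated), key=risk, reverse=True)


def needs_validation(findings: List[Finding]) -> List[Finding]:
    """Scanner output nobody has confirmed yet: triage it before it consumes fix capacity."""
    return [f for f in findings if not f.validated]


# Constructed sample estate: two exposed systems and two internal ones.
PAYMENTS = Asset("payments-api", internet_facing=True, business_criticality=5)
MARKETING = Asset("marketing-site", internet_facing=True, business_criticality=3)
WIKI = Asset("intranet-wiki", internet_facing=False, business_criticality=2)
LAB = Asset("dev-jenkins-lab", internet_facing=False, business_criticality=1)

# Constructed findings; the scanner severities are what an automated tool would report.
SAMPLE_FINDINGS = [
    Finding(LAB, "Unauthenticated RCE in build agent", 9.8, exploit_available=False, validated=True),
    Finding(PAYMENTS, "SQL injection in /orders", 7.5, exploit_available=True, validated=True),
    Finding(WIKI, "Outdated jQuery with known XSS", 6.1, exploit_available=False, validated=True),
    Finding(MARKETING, "Missing HSTS header", 3.1, exploit_available=False, validated=True),
    Finding(PAYMENTS, "Reflected XSS in /search", 6.1, exploit_available=False, validated=False),
]


if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{risk(f):.3f}  scanner={f.scanner_score:>4}  {f.asset.name:16} {f.title}")
    for f in needs_validation(SAMPLE_FINDINGS):
        print(f"  ?    scanner={f.scanner_score:>4}  {f.asset.name:16} {f.title}  (unvalidated)")
```

<p class="MsoNormal"><span style="font-family: arial;">Run it and the ranked list prints highest contextual risk first. The shape matters more than the numbers: exposure and exploit maturity belong on the likelihood side, business criticality belongs on the impact side, and neither is in the scanner output by default, which is exactly the context the automation is missing.</span></p>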
<p class="MsoNormal"><span style="background: white; color: #222222;"><span style="font-family: arial;">In order to move the cybersecurity dial, improve resilience,
detect threats and weaknesses, I believe a combination of automation and human
intelligence is required. </span></span></p><p class="MsoNormal"><span style="background: white; color: #222222;"><span style="font-family: arial;"></span></span></p><blockquote><span style="font-family: arial;">At edgescan our mantra is “<i>let’s automate like
crazy, but never at the cost of accuracy”</i>.</span></blockquote><span style="font-family: arial;"><o:p></o:p></span><p></p>
<p class="MsoNormal"><span style="background: white; color: #222222;"><span style="font-family: arial;">Accuracy is the combination of a few things: 1. no false
positives, 2. appropriate risk rating and 3. depth of coverage.<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="background: white;"><span style="font-family: arial;"><span style="color: #222222;">Combining automation with human intelligence in this way results in reliable </span><i style="color: #222222;">vulnerability
intelligence</i></span></span></p><p class="MsoNormal"><span style="background-color: white; color: #222222; font-family: arial; font-style: italic;">Vulnerability intelligence is actionable, </span><span style="background-color: white; color: #222222; font-family: arial; font-style: italic;">prioritized</span><span style="background-color: white; color: #222222; font-family: arial; font-style: italic;"> and
helps focus on what matters: a core aspect of the edgescan approach.</span></p>
<p class="MsoNormal"><o:p><span style="font-family: arial;"> </span></o:p></p>Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com0tag:blogger.com,1999:blog-7247674390631055904.post-74521784050117364582020-05-28T04:26:00.002-07:002020-05-28T04:38:57.885-07:00Edgescan inclusion in the Verizon DBiR<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span> </span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-ImMBLXnZ7Hk/Xs-UsUF8nrI/AAAAAAAACZ8/ClryrouRMY8PMdk7bseh15kvOHlRzi1OgCLcBGAsYHQ/s1600/DBIR2020.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: left;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><img border="0" data-original-height="1415" data-original-width="1600" height="281" src="https://1.bp.blogspot.com/-ImMBLXnZ7Hk/Xs-UsUF8nrI/AAAAAAAACZ8/ClryrouRMY8PMdk7bseh15kvOHlRzi1OgCLcBGAsYHQ/s320/DBIR2020.PNG" width="320" /></span></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">For the third year running </span><a href="http://www.edgescan.com/" target="_blank">Edgescan </a><span style="font-family: "arial" , "helvetica" , sans-serif;">contributed to the </span><a href="https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf" target="_blank">Verizon DBiR</a><span style="font-family: "arial" , "helvetica" , sans-serif;">. The DBiR is recognized as the de facto cyber report; it casts a wide net across all types of cyber security incidents and breaches, and this includes vulnerability management in both infrastructure and applications.</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span> <span style="font-family: "arial" , "helvetica" , sans-serif;">Edgescan vulnerability data is curated, validated and sanitized, and reflects tens of thousands of assessments we deliver globally across the full stack to our clients.</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span> <span lang="EN-US"><span style="font-family: "arial" , "helvetica" , sans-serif;">As stated by Gabriel Bassett of Verizon: "<i>I think there’s a positive story around how vulnerability scanning, patching, and filtering are preventing exploiting vulns from being the easiest way to cause a breach but that asset management is needed to identify and patch unpatched systems...</i>"</span></span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span lang="EN-US"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span> <span lang="EN-US"><span style="font-family: "arial" , "helvetica" , sans-serif;">A few things that stand out to me in the report are as follows:</span></span><a href="https://1.bp.blogspot.com/-7GT2ktBwRIc/Xs-VQVidj_I/AAAAAAAACaM/Fxo9rkmcIE8ZE1F5QOouqksUN9Kzk2mXACLcBGAsYHQ/s1600/Summary-DBiR2020.PNG" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="813" data-original-width="1541" height="336" src="https://1.bp.blogspot.com/-7GT2ktBwRIc/Xs-VQVidj_I/AAAAAAAACaM/Fxo9rkmcIE8ZE1F5QOouqksUN9Kzk2mXACLcBGAsYHQ/s640/Summary-DBiR2020.PNG" width="640" /></a></span><br />
<span lang="EN-US"><span style="font-family: "arial" , "helvetica" , sans-serif;">Nearly half of breaches involved Hacking and 70% of breaches were external threat actors. To me this makes sense as in our experience most large enterprises have at lease one critical vulnerability living in their estate and the majority of risk (<a href="https://www.edgescan.com/edgescans-2020-vulnerability-stats-report-released/" target="_blank">as per our research</a>) is in the web layer/Layer 7 - Web sites, Applications and API's.</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span> <span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span> <span style="font-family: "arial" , "helvetica" , sans-serif;">Of a 977-breach sample space, the majority of threat actors were associated with organized crime. These folks are professional, determined hackers. It's how they make their living. They don't care where the vulnerability resides in the stack. An automated approach to vulnerability management alone won't ensure your defense.</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span> </span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-KyaF9eHOg-s/Xs-V6vi6xiI/AAAAAAAACaY/R8LEypMyw0oAPyy3ZrFLcKJa_mzlg3IDwCLcBGAsYHQ/s1600/Threat-Actors-DBiR2020.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: left;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><img border="0" data-original-height="834" data-original-width="1258" height="422" src="https://1.bp.blogspot.com/-KyaF9eHOg-s/Xs-V6vi6xiI/AAAAAAAACaY/R8LEypMyw0oAPyy3ZrFLcKJa_mzlg3IDwCLcBGAsYHQ/s640/Threat-Actors-DBiR2020.PNG" width="640" /></span></a><span style="clear: left; color: black; float: left; font-family: "arial" , "helvetica" , sans-serif; margin-bottom: 1em; margin-right: 1em; text-align: left;"><b>Using software/tools alone to defend against experienced humans wont result in robust security. </b><br /><br />This is the case in particular when the people we are trying to defend against actors who are very skilled and determined, professional blackhat folks, if you will.<br /><br />Human Error was cited to be a significant contribution to system insecurity and breach in the 2020 DBiR report.<br /><br />Misconfiguration taking the prize for main contributor;</span><span style="clear: left; color: black; float: left; font-family: "arial" , "helvetica" , sans-serif; margin-bottom: 1em; margin-right: 1em; text-align: left;"> "<i>They are now equally as common as Social breaches and more common than Malware, and are truly ubiquitous across all industries.</i>" according to the report authors.</span></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span> </span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-GCzueMTlXvI/Xs-fDlp-jBI/AAAAAAAACak/2WJu1Y9m-XInK7WTYYYcS254DV9yxYNyQCLcBGAsYHQ/s1600/error-DBiR-2020.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"></a></div>
<div style="text-align: left;">
<a href="https://1.bp.blogspot.com/-GCzueMTlXvI/Xs-fDlp-jBI/AAAAAAAACak/2WJu1Y9m-XInK7WTYYYcS254DV9yxYNyQCLcBGAsYHQ/s1600/error-DBiR-2020.PNG" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><img border="0" data-original-height="726" data-original-width="1011" height="458" src="https://1.bp.blogspot.com/-GCzueMTlXvI/Xs-fDlp-jBI/AAAAAAAACak/2WJu1Y9m-XInK7WTYYYcS254DV9yxYNyQCLcBGAsYHQ/s640/error-DBiR-2020.PNG" width="640" /></span></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">What we see in Edgescan is pretty much aligned with this metric. Misconfigurations are a common vulnerability and not going away anytime soon. Insecure deployments, misconfigured frameworks, directory listing, data exposure via errors all cousins and steadily increasing over the past number of years.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span> <span style="font-family: "arial" , "helvetica" , sans-serif;">The concept of continuous assessment, profiling and validation is key to detecting such issues. Generally they are not difficult to detect or fix, but if we don't know about them we're leaving the door open for someone else to walk through.</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
</span> <span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></div>
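<p>As an added example (my own code, not edgescan's), here is the kind of passive check the paragraphs above describe: given recorded HTTP responses from your own estate, it flags directory listings, stack traces leaking through error pages, and version banners in response headers. The responses are constructed, and the regular expressions encode my assumptions about what such pages typically contain; a real scanner would carry a much larger pattern set.</p>

```python
"""Passive misconfiguration checks over recorded HTTP responses.

Added example, not edgescan's code. The sample responses are constructed and the
patterns are assumptions about what directory listings and error pages contain.
"""
import re
from dataclasses import dataclass


@dataclass
class HttpResponse:
    url: str
    status: int
    headers: dict   # header name -> value, in whatever case the server sent it
    body: str


def header(resp, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value
    return ""


# Autoindex pages from Apache, nginx and IIS all carry an "Index of /..." title.
DIRECTORY_LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)

# Framework stack traces leaking into responses: Python, Java, ASP.NET, PHP.
STACK_TRACE_RES = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r"^\s*at [\w$.]+\([\w$]+\.java:\d+\)", re.MULTILINE),
    re.compile(r"Stack Trace:|Unhandled Exception", re.IGNORECASE),
    re.compile(r"(Fatal error|Warning):.* in /\S+\.php on line \d+"),
]

# A product/version pair such as "Apache/2.4.29" in a banner header.
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(\.\d+)+")


def check_response(resp):
    """Return the misconfiguration labels observed in a single response."""
    findings = []
    if DIRECTORY_LISTING_RE.search(resp.body):
        findings.append("directory-listing")
    # Checked at every status code: some frameworks return the trace with a 200.
    if any(p.search(resp.body) for p in STACK_TRACE_RES):
        findings.append("error-disclosure")
    for name in ("Server", "X-Powered-By"):
        if VERSION_RE.search(header(resp, name)):
            findings.append("version-disclosure:" + name.lower())
    return findings


def triage(responses):
    """Map each URL with at least one finding to its findings; clean URLs are dropped."""
    result = {}
    for resp in responses:
        findings = check_response(resp)
        if findings:
            result[resp.url] = findings
    return result


# Constructed sample responses; example.test is a reserved, non-routable domain.
SAMPLES = [
    HttpResponse("https://app.example.test/static/", 200,
                 {"Server": "Apache/2.4.29 (Ubuntu)", "Content-Type": "text/html"},
                 "<html><head><title>Index of /static/</title></head>"
                 "<body><a href='config.bak'>config.bak</a></body></html>"),
    HttpResponse("https://app.example.test/api/orders?id=abc", 500,
                 {"Server": "nginx", "Content-Type": "text/html"},
                 "<h1>Server Error</h1><pre>Traceback (most recent call last):\n"
                 "  File \"/srv/app/orders.py\", line 42, in get_order\n"
                 "ValueError: invalid literal for int()</pre>"),
    HttpResponse("https://app.example.test/", 200,
                 {"Server": "nginx", "Content-Type": "text/html"},
                 "<html><head><title>Welcome</title></head><body>Hello</body></html>"),
]

if __name__ == "__main__":
    for url, findings in triage(SAMPLES).items():
        print(url, "->", ", ".join(findings))
```

<p>Running the block reports the directory listing plus the Apache version banner on the first URL and the leaked Python traceback on the second; the clean home page is dropped by <code>triage()</code>. The same functions can be pointed at responses captured by a crawler on a schedule, which is the "continuous" part.</p>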
<p>Eoin Keary, 2020-04-08</p>
<h2>API Detection and Assessment: What they don't tell you in class...</h2>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>API’s</b><span style="mso-spacerun: yes;"> </span>(<b>Application
Programming Interfaces</b>) are backend services<span style="mso-spacerun: yes;"> </span>which expose an interface which can be used
to connect to and transact or read/write information to and from a backend
system. The are super useful and a great architecture decision delivering
flexibility and extensibility of a service.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">API’s deliver functionality once the client service knows
how to “talk” to the API. API’s generally sit behind a HTTP port and can’t be
“seen” unlike a website but they may deliver an equal level of value and
functionality to the requesting client.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Many websites may use an API but the User does not invoke
the API directly but rather the Website /App is a proxy for the API. API’s are not
built to be human readable, like a website, but rather machine readable.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">There are two challenges relating to API security
assessment:<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">1. <b>API Discovery</b>: Do we have an inventory of all
API’s deployed on the public Internet.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">You may have API’s hosted on systems behind HTTP ports but
are undiscovered. They may be well known but they may also be old or
development deployments which are forgotten about. We can’t secure what we don’t
know about. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Adequate assessment</b> involves coverage of entire
corporate ranges (CIDR ranges), large lists of IP’s, domain names (FQDN’s) and
using a multi-layer probing methodology detailed below:<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<i><span style="font-family: "arial" , "helvetica" , sans-serif;">API discovery is a combination of both host layer and web layer investigation. Some are easier to discover than others.</span></i></div>
<div class="MsoNormal">
<i><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></i></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Discovering API artifacts</b>: </span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Discovery of API’s may
require multiple layers of probing. If we don’t know how to invoke a given API.
API identification across may levels is required to accurately provide a confidence
interval of if an API is present or not.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div style="border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-element: para-border-div; padding: 1.0pt 4.0pt 1.0pt 4.0pt;">
<div class="MsoNormal" style="border: none; mso-border-alt: solid windowtext .5pt; mso-padding-alt: 1.0pt 4.0pt 1.0pt 4.0pt; padding: 0cm;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Detection probes (in
edgescan) include</b>: • Known API format requests • HTTP status type checks •
TLS Certificate checks • API format Requests (SOAP/JSON etc) • Standard and
Non-Standard API indicators • Manifest file detection • Hostname checks • Cert
common name checks • Common API routes detection • API description files
(Swagger/WADL) • SOAP protocol detection • JSON/XML response analysis • API
endpoints Metadata detection • API routes in HTTP attributes • Cookie based API
detection<o:p></o:p></span></div>
</div>
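<p>To make the layered approach concrete, here is an added example (my own code, not edgescan's probes) that turns recorded probe results for a host into named indicators and a confidence figure. It covers several of the checks in the list above: description files, WSDL/SOAP detection, JSON response analysis, structured error responses, common routes, and hostname and certificate common-name hints. The host observations are constructed, and the indicator weights are an assumption, not edgescan's scoring.</p>

```python
"""Multi-layer API detection over recorded probe results.

Added example, not edgescan's detection code. The host observations are
constructed and the indicator weights are an assumption.
"""
import json
import re
from dataclasses import dataclass, field


@dataclass
class Probe:
    """One HTTP request sent to a host and what came back."""
    path: str
    status: int
    content_type: str
    body: str


@dataclass
class HostObservation:
    hostname: str
    cert_cn: str               # TLS certificate common name, "" if no TLS
    probes: list = field(default_factory=list)


# Well-known locations of API description files (Swagger/OpenAPI, WADL).
DESCRIPTOR_PATHS = ("/swagger.json", "/openapi.json", "/v2/api-docs",
                    "/swagger/v1/swagger.json", "/application.wadl")
COMMON_ROUTE_RE = re.compile(r"^/(api|rest|v\d+|graphql)(/|$)")
HOST_HINT_RE = re.compile(r"(^|[.-])(api|ws|services?)([.-]|$)")
WSDL_RE = re.compile(r"<(wsdl:)?definitions\b")
SOAP_RE = re.compile(r"<(soap|soapenv|soap12):Envelope\b", re.IGNORECASE)

# Weight per indicator; the capped sum is the detection confidence (assumed values).
WEIGHTS = {
    "descriptor-file": 0.6, "wsdl": 0.5, "soap-envelope": 0.5,
    "json-response": 0.3, "structured-error": 0.2,
    "hostname": 0.15, "cert-cn": 0.1, "common-route": 0.1,
}


def parses_as_json(body):
    try:
        return isinstance(json.loads(body), (dict, list))
    except ValueError:
        return False


def indicators(obs):
    """Map each indicator name to the evidence (paths or names) that triggered it."""
    found = {}
    if HOST_HINT_RE.search(obs.hostname):
        found["hostname"] = [obs.hostname]
    if obs.cert_cn and HOST_HINT_RE.search(obs.cert_cn):
        found["cert-cn"] = [obs.cert_cn]
    for p in obs.probes:
        is_json = "json" in p.content_type.lower() and parses_as_json(p.body)
        if p.status == 200 and p.path in DESCRIPTOR_PATHS and (is_json or p.path.endswith(".wadl")):
            found.setdefault("descriptor-file", []).append(p.path)
        if WSDL_RE.search(p.body):
            found.setdefault("wsdl", []).append(p.path)
        if SOAP_RE.search(p.body):
            found.setdefault("soap-envelope", []).append(p.path)
        if is_json and p.status == 200:
            found.setdefault("json-response", []).append(p.path)
        # APIs tend to answer unauthenticated or wrong-method requests with a
        # structured JSON error rather than redirecting to an HTML login page.
        if is_json and p.status in (400, 401, 403, 405):
            found.setdefault("structured-error", []).append(p.path)
        if p.status != 404 and COMMON_ROUTE_RE.match(p.path):
            found.setdefault("common-route", []).append(p.path)
    return found


def confidence(found):
    """Confidence in [0, 1] that the host exposes an API."""
    return round(min(1.0, sum(WEIGHTS[name] for name in found)), 2)


def discover(observations):
    """(hostname, confidence, indicator names) per host, most confident first."""
    rows = [(o.hostname, confidence(indicators(o)), sorted(indicators(o))) for o in observations]
    return sorted(rows, key=lambda r: -r[1])


# Constructed observations for three hosts on a reserved, non-routable domain.
SAMPLES = [
    HostObservation("api.shop.example.test", "api.shop.example.test", [
        Probe("/openapi.json", 200, "application/json",
              json.dumps({"openapi": "3.0.0", "paths": {"/orders": {}}})),
        Probe("/v1/orders", 401, "application/json", '{"error": "missing bearer token"}'),
    ]),
    HostObservation("www.shop.example.test", "www.shop.example.test", [
        Probe("/", 200, "text/html", "<html><body>Welcome to our shop</body></html>"),
        Probe("/openapi.json", 404, "text/html", "<html>Not Found</html>"),
        Probe("/api/", 404, "text/html", "<html>Not Found</html>"),
    ]),
    HostObservation("legacy.shop.example.test", "*.shop.example.test", [
        Probe("/StockService.asmx?wsdl", 200, "text/xml",
              '<?xml version="1.0"?><wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"></wsdl:definitions>'),
    ]),
]

if __name__ == "__main__":
    for hostname, score, names in discover(SAMPLES):
        print(f"{hostname:28s} {score:.2f} {', '.join(names)}")
```

<p>The point of keeping the evidence per indicator, rather than just a score, is that the inventory entry can say why a host was classified as an API (the description file path, the WSDL endpoint) and that is what the assessment step needs next. The legacy SOAP host scores on the WSDL alone, which is exactly the "old, forgotten deployment" case.</p>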
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>2</b>. <b>API Assessment:</b> Keeping pace with change
and development.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Assessment of API’s can be difficult as the assessment
methodology requires knowledge of how to communicate and invoke the API. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><i>Running a simple web scanner against an API simply does not
work</i>. A scanner would just hit an initial URL and not know how to invoke or
traverse the various API calls. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Good API assessment</b> should have the ability to read/ingest
descriptor files in order to understand how to communicate and invoke the API. </span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Once this is done a scanner can assess the API method calls. </span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">As the development
team alter and change the API the assessment technology can read the newly
updated descriptor file and assess the API including new changes. – Keeping pace
with change.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Assessment of vulnerabilities specific to API’s is also
important. <b>Items discussed in the OWASP API Top 10 are an important aspect
to true API specific testing.</b></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Devops</b>: In a DevOps environment the descriptor file
can be used to determine change/deltas since the last deployment of the API and
only assess the changes saving valuable time in a fast DevOps environment - Iterative testing when frequent change occurs.</span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://landing.edgescan.com/hubfs/BCC032%20API%20Journey%20Brochure_ceWEB2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="800" data-original-width="566" height="320" src="https://landing.edgescan.com/hubfs/BCC032%20API%20Journey%20Brochure_ceWEB2.png" width="226" /></a></div>
<div class="MsoNormal" style="text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">For more on edgescan's API services see:</span></div>
<div class="MsoNormal" style="text-align: center;">
<a href="https://landing.edgescan.com/apitestingjourney"><span style="font-family: "arial" , "helvetica" , sans-serif;">https://landing.edgescan.com/apitestingjourney</span></a></div>
<div class="MsoNormal">
<br /></div>
<p>Eoin Keary, 2019-10-09</p>
<h2>Vulnerability Management in 3 weeks</h2>
<h2>
<span style="font-family: Arial, Helvetica, sans-serif;">Making a "dent" in the Universe....</span></h2>
<span style="font-family: Arial, Helvetica, sans-serif;">We like to think we "move the dial" and have a positive impact for our clients at edgescan. Our combination of technology and expertise helps our clients very quickly prioritize and focus on vulnerabilities which matter. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Realistically as a managed vulnerability intelligence service we do the "heavy lifting" so our partners and clients can work on remediation and improvement coupled with on-going situational awareness.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">We put together a short video to explain this a little better, Hope you like it.</span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe width="320" height="266" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/WlNI-osFaAA/0.jpg" src="https://www.youtube.com/embed/WlNI-osFaAA?feature=player_embedded" frameborder="0" allowfullscreen></iframe></div>
<p>Eoin Keary, 2019-09-03</p>
<h2>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Vulnerability Management Automation = Good or Bad and for Whom?</span></h2>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Do we believe "highly automated security services" are a good thing? Where does automation work and where does it fall short?</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div>
<h3>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">The Good:</span></h3>
</div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b>Scale</b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Security Automation can deliver thousands of assessments, on-demand and scale to extremely large estates which require vulnerability management on a regular basis.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">"Low hanging fruit" can be easily detected but at times Risk can be inaccurate which affects prioritization. </span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Automation still needs to be tuned such that its production safe and does not negatively affect the asset being assessed. </span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Automation can be challenging in relation to authenticated assessments and even more so when multi-factor authentication is used by the asset.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b>Metrics</b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Frequent or on-demand assessments via automation can assist in the provision of ongoing metrics. </span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">We can measure TTR (Time To Remediation), Identify most common vulnerabilities, Assist with Root-cause analysis to help focus on prevention. </span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">The caveat is that is automation delivers inaccurate results metrics will suffer and prioritization will also be less effective (More on this below).</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b>Visibility</b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Automation used for asset profiling on a continuous basis is very effective. </span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Detection of change on an on-going basis delivers visibility, assuming you are profiling an organisations entire estate with no blind-spots. </span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Asset visibility is still a simple but undervalued aspect of cyber security and vulnerability management; If its not on the "Radar" we don't know about it.</span><br />
<br /></div>
<div>
<h3>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">The Bad:</span></h3>
</div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b>Accuracy</b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Automation is still not very good at delivering accurate results. This can be via false positives, False negatives or Risk Context which does not help with vulnerability prioritization or time wasted in validating issues highlighted by the automated system.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">When I say "Risk Context" were talking about the fact that a vulnerability does exist but is it truly exploitable? and what is the business risk of the discovered issue?</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Risk Context is core to vulnerability prioritization which affects effort spent which affects focus on what matters and ultimately the effectiveness of a vulnerability management program.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">We did a <a href="https://www.surveymonkey.com/stories/SM-ZFKRYMCV/" target="_blank">survey </a>over the summer at Information Security Europe where we got 300 people to respond (Thanks!). 60% of respondents said they spend on average over 3 hours per day validating vulnerabilities. Lets consider this for a minute:</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">On a 7.5 hour day that 40% (3 hours) of a staff members time validating false positives!</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">On a salary of €50K per year that's €20K per year making sure the tools used by the organisation used to detect vulnerabilities are real!!</span><br />
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"> - <i>I'm sure the 40% could be better spent training technical staff on preventative measures, secure coding, SDLC security improvement etc?</i></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b>Asymmetric Warfare: Using Automation Alone</b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Its got to be considered that reliance on tools/automation alone to defend against experienced skilled attackers is a loosing battle. Automation just wont win. Humans are by nature curious and can find the most obscure issue which could result in a vulnerability. Many exploitable vulnerabilities are in relation to issues automation just cant detect very well. </span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Issues such as Business Logic and Authorization issues are not suited for detection via automation because automation does not have intelligence or is context-aware.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Automation may find *some* issues quickly but humans are capable of detecting and exploiting complex attacks based on breaking a systems logic albeit more slowly.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Human speed is not conducive to keeping pace with software development and its expensive (but less expensive than a breach). We can't rely on humans to defend our systems anymore. Penetration testing/Bug</span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">bounty alone wont secure the internet, its too slow (but coverage is deep) and too expensive (consultants and bug bounty's cost $$$).</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">To keep pace with change we need a combination of both. Technology which augments human expertise, removes the boring & repetitive tasks, provides us with scale but expertise is used when required. (sound familiar? *cough* edgescan *cough*).....</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b>Business logic / Complex logic:</b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Automation for speed, Humans for depth. We need to combine both to effectively provide adequate assessment coverage. Automation is great a discovering "Technical Issues" but woeful at "Logical" vulnerability detection. Attackers take time to do both and that's why we see a continuous increase in breaches in the news on a daily basis.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">So the bottom line is "</span><i style="font-family: Arial, Helvetica, sans-serif;"><b>When using Automation alone to defend against a human adversary the human will always win</b></i><span style="font-family: "arial" , "helvetica" , sans-serif;"> ", did you ever see the Terminator movies, yes the human folks prevail in the end....</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="margin-left: 1em; margin-right: 1em;">
<img alt="Image result for terminator crushed" height="119" src="https://thumbs.gfycat.com/MiniatureDeterminedAsiaticlesserfreshwaterclam-size_restricted.gif" width="200" /></div>
<br />
<p>Eoin Keary, 2019-02-13</p>
<h2>2019 edgescan vulnerability Stats report</h2>
<h2>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Measure, so we can improve.</span></h2>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Its been a while since I've blogged anything due to lack of anything meaningful to say or the fact that few people actually want to listen :) but anyways... I've been working on the 2019 edgescan Vulnerability Stats report which always gives me joy as I find it very interesting to see a real picture of the vulnerability landscape based on the clients we humbly serve via our edgescan SaaS.</span></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Currently we assess thousands of web applications and hundreds of thousands of endpoints, all under continuous/on-demand cyber security assessment. </span></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Industries such as finance, government, media, pharma, retail, energy, legal all served by our SaaS but the result makes for some good reading when you look into the statistics of vulnerability.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
</span><br />
<h3>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">App layer is where the risk lives:</span></span></h3>
<h3>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">In 2018 we discovered that on average, 19% of all vulnerabilities
were associated with (Layer 7) web applications, API’s, etc., and
81% were network vulnerabilities.</span></h3>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">The Risk Density is still high and has not changed significantly from
last years report. </span></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Even though we find more vulnerabilities in the Infrastructure layer the
risk is certainly living in the application layer. This is due to the “snowflake
effect”; every application is unique, developed in a stand alone fashion
and serves a unique purpose as opposed to infrastructure which is
commoditised and much more uniform.</span></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Change and uniqueness certainly introduces additional risk.
Internal, non public application layer security is worse; 24.9% of all
discovered vulnerabilities are High or Critical Risk.</span></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-mocsqVB65jg/XGP8ovWvvwI/AAAAAAAACP4/Y-idHAUf6iMjVCY1fbFI395WYgp9IJx7QCLcBGAs/s1600/2019vulnstats-density.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><img border="0" data-original-height="1006" data-original-width="1600" height="401" src="https://1.bp.blogspot.com/-mocsqVB65jg/XGP8ovWvvwI/AAAAAAAACP4/Y-idHAUf6iMjVCY1fbFI395WYgp9IJx7QCLcBGAs/s640/2019vulnstats-density.PNG" width="640" /></span></a></div>
<h3>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
"Zero-day" vulnerabilities are a myth for the most part:</span></h3>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Most of the vulnerabilities discovered date from between 2011 and 2015. Believe it or not, the majority of vulnerabilities discovered out there are between four and seven years old. According to the Verizon DBIR (2018), the majority of breaches are also the result of exploiting old, known vulnerabilities!</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-nMWcGiOpSaA/XGP93A9gSUI/AAAAAAAACQE/HXHp2jSUKnkLa4Z0ykQoQpUezAzwsDn6wCLcBGAs/s1600/2018vulnstats-CVE-external.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="337" data-original-width="1195" height="179" src="https://1.bp.blogspot.com/-nMWcGiOpSaA/XGP93A9gSUI/AAAAAAAACQE/HXHp2jSUKnkLa4Z0ykQoQpUezAzwsDn6wCLcBGAs/s640/2018vulnstats-CVE-external.PNG" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-XSHswbb8Mfg/XGP944Hlz2I/AAAAAAAACQI/BsafhICDAyU_z_Uu3k_-6pIj6hcS1VM2gCLcBGAs/s1600/2019vulnstats-cve-chart.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="625" data-original-width="1245" height="320" src="https://4.bp.blogspot.com/-XSHswbb8Mfg/XGP944Hlz2I/AAAAAAAACQI/BsafhICDAyU_z_Uu3k_-6pIj6hcS1VM2gCLcBGAs/s640/2019vulnstats-cve-chart.PNG" width="640" /></a></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<br />
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<h3>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Vulnerability Taxonomy</span></h3>
</div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">The most common issues relate to client-side security, such as XSS and JavaScript injection attacks. Vulnerable components also rank high at 12.35%, followed by weak authentication at 9.25% of all discovered vulnerabilities.</span></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-ni_qU26Fsm0/XGQvI8XyQjI/AAAAAAAACQU/zAOqzBwgTBQCTwPM38SQPFxDMW4EC_p3ACLcBGAs/s1600/2019vulnstats-webapp.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1214" height="640" src="https://2.bp.blogspot.com/-ni_qU26Fsm0/XGQvI8XyQjI/AAAAAAAACQU/zAOqzBwgTBQCTwPM38SQPFxDMW4EC_p3ACLcBGAs/s640/2019vulnstats-webapp.PNG" width="485" /></a></div>
<h3>
<br /><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">2018's most common Infrastructure Vulnerabilities</span></h3>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">No surprise: SSL/TLS issues top the chart as the most common vulnerability discovered in 2018. In recent years SSL/TLS has taken a battering, with many implementation and design weaknesses exposed. SMB security issues were also very common. What is worrisome here is that a decent proportion of the SMB issues discovered related to CVE-2017-0144 and CVE-2017-0145 (EternalBlue, the SMB exploit used by the WannaCry and NotPetya malware).</span></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-_nyca36OABs/XGQvLygidII/AAAAAAAACQY/Ls2JnRm-Kj8p8IfwVggLz23AMZXI6bz4wCLcBGAs/s1600/2019vulnstats-infra.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1544" data-original-width="1479" height="640" src="https://2.bp.blogspot.com/-_nyca36OABs/XGQvLygidII/AAAAAAAACQY/Ls2JnRm-Kj8p8IfwVggLz23AMZXI6bz4wCLcBGAs/s640/2019vulnstats-infra.PNG" width="612" /></a></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b>More detailed discussion of the above and other issues will appear in the forthcoming 2019 Vulnerability Stats Report. Coming soon!</b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b>Update: you can download the report here:</b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><a href="https://www.edgescan.com/company/vulnerability-stats/">https://www.edgescan.com/company/vulnerability-stats/</a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b><br /></b></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b>Media Coverage:</b></span><br />
<span style="font-family: helvetica neue, arial, helvetica, sans-serif;"><a href="https://www.infosecurity-magazine.com/news/web-application-security/">https://www.infosecurity-magazine.com/news/web-application-security/</a></span><br />
<span style="font-family: helvetica neue, arial, helvetica, sans-serif;"><a href="https://www.scmagazineuk.com/80-enterprise-systems-feature-unpatched-cve-vulnerabilities/article/1526226">https://www.scmagazineuk.com/80-enterprise-systems-feature-unpatched-cve-vulnerabilities/article/1526226</a></span><br />
<span style="font-family: helvetica neue, arial, helvetica, sans-serif;"><br /></span>
<span style="font-family: helvetica neue, arial, helvetica, sans-serif;"><br /></span>
<span style="font-family: helvetica neue, arial, helvetica, sans-serif;"><b><br /></b></span></div>
Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com0tag:blogger.com,1999:blog-7247674390631055904.post-13115433347069505262018-07-23T03:00:00.000-07:002018-07-23T03:10:32.218-07:0010 Rules for Vulnerability Management<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div style="text-align: center;">
<b><span style="font-family: "arial" , "helvetica" , sans-serif;">Rules for Vulnerability Management</span></b></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<b><span style="font-family: "arial" , "helvetica" , sans-serif;">Below is a list of items and requirements, based on client discussions, for delivering decent vulnerability management to clients both big and small. </span></b><br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b>
<b><span style="font-family: "arial" , "helvetica" , sans-serif;">From visibility to API integration, from validation to developer support, the items below are what you should consider when deploying a vulnerability management program.</span></b><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">1. Coverage is king: depth, breadth and frequency, both authenticated and public.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">2. Full stack vulnerability intelligence is key, as "hackers don't give a shit" where your vulnerability is.</span><br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">3. Keeping pace with development. As change occurs, vulnerability management should detect and assess the changes. DevSecOps / development pipeline integration is required.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">4. False positives are an evil waste of time, even if handled by automation. Validation is important.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">5. False negatives are evil-er. Scanner tuning is important so we don't miss anything.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">6. Situational awareness is required. Alerting and custom events are key to knowing what matters and when.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">7. APIs are expected and required so we can automate, invoke, integrate and consume.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">8. Visibility is key: asset profiling is paramount. What's my attack surface?</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">9. Developer support is paramount. Vulnerability management is as much about mitigation as it is about discovery.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">10. Vulnerability metrics are required to drive improvement: peer relativity, time-to-fix, and vulnerabilities by type, layer and risk are all important.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">11. Asset categorisation, tagging, vulnerability risk acceptance and retesting on demand are required.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-TGcSv_jWiiU/VscxOGKogTI/AAAAAAAAB3M/FyoEJMlSc6sMZsI9MKIyNfdLKI0Ix-yfACPcBGAYYCw/s1600/edgescan-banner.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="64" data-original-width="512" height="40" src="https://1.bp.blogspot.com/-TGcSv_jWiiU/VscxOGKogTI/AAAAAAAAB3M/FyoEJMlSc6sMZsI9MKIyNfdLKI0Ix-yfACPcBGAYYCw/s320/edgescan-banner.png" width="320" /></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div style="text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://youtu.be/am3jfXyTmGI" target="_blank">edgescan in 30 seconds</a></span></div>
Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com0tag:blogger.com,1999:blog-7247674390631055904.post-43673192560240447402018-05-03T04:46:00.000-07:002018-05-03T04:46:38.440-07:00Coupling Breadth with Depth - Bugbounty and edgescan<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<div style="line-height: 16.5pt; margin-bottom: 11.25pt; margin-left: 0cm; margin-right: 0cm; margin-top: 11.25pt;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-1wCks9UFJ4Y/Wur2Z7NLL3I/AAAAAAAACNs/um8UwymO8xswmm-kvDGKIpAHrC5komW4ACLcBGAs/s1600/Bounty-Hunters-Featured-Image.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="545" data-original-width="1280" height="170" src="https://2.bp.blogspot.com/-1wCks9UFJ4Y/Wur2Z7NLL3I/AAAAAAAACNs/um8UwymO8xswmm-kvDGKIpAHrC5komW4ACLcBGAs/s400/Bounty-Hunters-Featured-Image.jpeg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif;">Some edgescan clients, large and small, use bug bounties
and our fullstack vulnerability SaaS service in combination: </span></div>
<div style="line-height: 16.5pt; margin-bottom: 11.25pt; margin-left: 0cm; margin-right: 0cm; margin-top: 11.25pt;">
<span style="font-family: Arial, Helvetica, sans-serif;">The big players in the bug bounty market are Bugcrowd, HackerOne and Synack, and many larger enterprises run their own programs.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Breadth and Depth</b>:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Bug bounty for depth, <a href="https://www.edgescan.com/" target="_blank">edgescan </a>for breadth and
continuous assessment where an <a href="https://edgescan.com/index.php#solutions" target="_blank">edgescan Advanced license </a>is not used.</span></div>
<div style="line-height: 16.5pt; margin-bottom: 11.25pt; margin-left: 0cm; margin-right: 0cm; margin-top: 11.25pt;">
<span style="background-color: rgba(255, 255, 255, 0);"><b><span style="font-family: Arial, Helvetica, sans-serif;">Budget and Cost:</span></b></span><br />
<span style="background-color: rgba(255, 255, 255, 0);"><span style="font-family: Arial, Helvetica, sans-serif;">To
reduce the escalating cost and effort of implementing multiple tools or
programs for our clients, a joint integration between Bugbounty dashboards and edgescan’s
fullstack SaaS may bring together the scale and efficiency of vulnerability
management web & host application scanning with the expertise of the
penetration-testing community via a bugbounty in one simple solution.</span></span></div>
<div style="line-height: 16.5pt; margin-bottom: 11.25pt; margin-left: 0cm; margin-right: 0cm; margin-top: 11.25pt;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="background-color: rgba(255, 255, 255, 0);"><b>Reducing duplication, validation and payouts:</b></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="background-color: rgba(255, 255, 255, 0);">Joint
customers of bug bounty programs and edgescan will be able to exclude
vulnerabilities already discovered and validated by edgescan from the scope of their
bug bounty, and focus bounty programs on critical vulnerabilities that require
manual testing, effectively reducing the cost of vulnerability discovery and
penetration testing.</span></span></div>
<div style="line-height: 16.5pt; margin-bottom: 11.25pt; margin-left: 0cm; margin-right: 0cm; margin-top: 11.25pt;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="background-color: rgba(255, 255, 255, 0);"><b>Integration and Correlation:</b></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="background-color: rgba(255, 255, 255, 0);"><br /></span></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="background-color: rgba(255, 255, 255, 0);">We
have a strong API platform that makes it easy to consolidate bounty program findings
with validated vulnerabilities discovered by the edgescan SaaS.</span></span><br />
<span style="background-color: rgba(255, 255, 255, 0); font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="background-color: rgba(255, 255, 255, 0); font-family: Arial, Helvetica, sans-serif;"><b>Check out our Rich API documentation here:</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<a href="https://s3-eu-west-1.amazonaws.com/live-cdn-content/docs/advanced-api-guide-latest.pdf" target="_blank"><span style="font-family: Arial, Helvetica, sans-serif;">Advanced API Guide</span></a><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<a href="https://s3-eu-west-1.amazonaws.com/live-cdn-content/docs/api-guide-latest.pdf" target="_blank"><span style="font-family: Arial, Helvetica, sans-serif;">API Guide</span></a><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="background-color: rgba(255, 255, 255, 0); font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="https://s3-eu-west-1.amazonaws.com/live-cdn-content/docs/events-api-guide-latest.pdf" target="_blank">edgescan "Events" Configuration Guide</a></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">FYI: See how we stand up to other testing services via <a href="https://www.gartner.com/reviews/market/application-security-testing/compare/edgescan-vs-whitehat-security-vs-qualys" target="_blank">Gartner's Peer insights portal</a> of moderated reviews.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">-Till next time, -ek</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<br />Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com0tag:blogger.com,1999:blog-7247674390631055904.post-71612203047443029182018-04-11T05:03:00.000-07:002018-04-11T05:03:17.573-07:00Client-Side Runtime Application Security Defence<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-R1y6Ajp0CVE/Ws33ABQF8MI/AAAAAAAACNI/ijjDqRRCkQ45ultB3vBej9KfdrW-Ik_uQCLcBGAs/s1600/knight.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="edgescan vulnerability management" border="0" data-original-height="1165" data-original-width="1585" height="235" src="https://2.bp.blogspot.com/-R1y6Ajp0CVE/Ws33ABQF8MI/AAAAAAAACNI/ijjDqRRCkQ45ultB3vBej9KfdrW-Ik_uQCLcBGAs/s320/knight.png" title="edgescan vulnerability management" width="320" /></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">At <a href="https://www.edgescan.com/" target="_blank">edgescan</a> we have built a <a href="https://www.gartner.com/reviews/market/application-security-testing/vendor/edgescan" target="_blank">pretty good</a> continuous fullstack vulnerability management platform and have a list of very interesting clients across many verticals such as media, gaming, medical sciences, finance, cloud etc.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">We do a good job of finding, validating and risk assessing vulnerabilities across the full stack and helping our clients manage and protect their systems from a security breach and reduce Bugbounty costs...</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">More Here: <a href="http://www.edgescan.com/">www.edgescan.com</a></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span><b><span style="font-family: "arial" , "helvetica" , sans-serif;">An elephant in the room:</span></b><br />
<div class="separator" style="clear: both; text-align: right;">
<b><span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://1.bp.blogspot.com/-iFivKf36cK8/Ws34PoiJP8I/AAAAAAAACNY/1JFVyJ69kqQXtFnYSSJrUHEmV7ZTh9A-wCLcBGAs/s1600/elephant-pic.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="edgescan elephant" border="0" data-original-height="361" data-original-width="630" height="183" src="https://1.bp.blogspot.com/-iFivKf36cK8/Ws34PoiJP8I/AAAAAAAACNY/1JFVyJ69kqQXtFnYSSJrUHEmV7ZTh9A-wCLcBGAs/s320/elephant-pic.jpg" title="edgescan elephant" width="320" /></a></span></b></div>
<br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b>
<b><span style="font-family: "arial" , "helvetica" , sans-serif;">Client Security</span></b><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">One important part of security that is a difficult "nut to crack" is client-side security: </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">We don't know </span><br />
<ul>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">if a user is patched;</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">if they are using an old, insecure browser;</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">if they are infected or compromised.</span></li>
</ul>
<div style="text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><i><b>We have no way of knowing the "health" of the users who use our web applications. </b></i></span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">A common vector of attack is not to attack a system or service but to attack users given they are generally less secure.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">To that end, the product development team have built "edge-guard", which in effect detects client-side threats and anomalies.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Many variants of malware use HTML rewriting / webinjects to redirect and steal credentials or other data by rewriting the browser pages displayed to a client.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Examples include:</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blog.sucuri.net/2015/11/jquery-min-php-malware-affects-thousands-of-websites.html" target="_blank">JQuery Rewriting</a></span><br />
<a href="http://news.softpedia.com/news/mosquito-exploit-stealing-legitimate-traffic-from-wordpress-and-joomla-websites-503647.shtml" target="_blank"><span style="font-family: "arial" , "helvetica" , sans-serif;">Mosquito</span></a><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">edge-guard detects client-side attacks within the browser or DOM and can inform you if your client is infected and a possible risk to your business. </span><span style="font-family: "arial" , "helvetica" , sans-serif;">Attacks such as</span><br />
<br />
<ul>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">HTML rewriting,</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">Form re-direction,</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">Link spoofing,</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">XHR DOM exfiltration, and</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">DOM/Reflected XSS</span></li>
</ul>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">can be detected, and the monitoring service and its users notified with intelligence such as</span><br />
<ul>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">type of infection, </span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">IP of client, </span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">timestamp, </span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">location of the incident in the application (page in application).</span></li>
</ul>
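<div><span style="font-family: "arial" , "helvetica" , sans-serif;">The kind of detection described above, as an added example written for this post (it is not the edgeguard reference implementation): pure check functions for form re-direction, link spoofing and off-origin XHR targets, a scan that builds the type/timestamp/page telemetry, and optional browser wiring. Hosts such as bank.example, collector.invalid and phish.invalid, the allow list and the report endpoint are constructed sample values.</span></div>

```javascript
// Added example, not the edgeguard project's code: a minimal client-side integrity
// monitor for the attack classes the post lists. The check functions are pure so they
// run (and can be tested) outside a browser; install() adds the browser wiring.

// Resolve a URL-ish attribute against the page origin. Returns null when the value
// cannot be parsed or has an opaque origin (javascript:, data:, ...).
function resolveOrigin(value, pageOrigin) {
  try {
    const origin = new URL(value, pageOrigin).origin;
    return origin === "null" ? null : origin;
  } catch (e) {
    return null;
  }
}

const normHost = (host) => host.toLowerCase().replace(/^www\./, "");

// Form re-direction: a webinject typically rewrites a login form's action so that
// credentials post to an attacker-controlled host. Anything that is not the page
// origin or on the allow list is reported.
function checkForm(form, pageOrigin, allowedOrigins) {
  const target = resolveOrigin(form.action || "", pageOrigin);
  if (target === null) return { type: "form-redirection", detail: "non-http(s) form action" };
  if (target === pageOrigin || allowedOrigins.includes(target)) return null;
  return { type: "form-redirection", detail: "form posts to " + target };
}

// Link spoofing: the visible link text names one host but the href leads to another.
function checkLink(link, pageOrigin) {
  const shown = (link.text || "").trim().match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})/i);
  const hrefOrigin = resolveOrigin(link.href || "", pageOrigin);
  if (!shown || hrefOrigin === null) return null;
  const shownHost = normHost(shown[1]);
  const realHost = normHost(new URL(hrefOrigin).hostname);
  if (shownHost === realHost) return null;
  return { type: "link-spoofing", detail: "text shows " + shownHost + ", href goes to " + realHost };
}

// XHR DOM exfiltration: injected script sends harvested DOM content to an off-origin
// collector. Legitimate third-party endpoints (CDN, analytics) belong on the allow list.
function checkXhrTarget(url, pageOrigin, allowedOrigins) {
  const target = resolveOrigin(url, pageOrigin);
  if (target === null || target === pageOrigin || allowedOrigins.includes(target)) return null;
  return { type: "xhr-exfiltration", detail: "request to " + target };
}

// Scan a DOM snapshot ({forms, links} as plain objects) and build the telemetry the post
// lists: type of incident, timestamp and page. The client IP is taken from the connection
// by the receiving service, so it is deliberately not collected in the browser.
function scan(snapshot, pageUrl, allowedOrigins, now) {
  const pageOrigin = new URL(pageUrl).origin;
  const stamp = now || (() => new Date().toISOString());
  const events = [];
  const record = (e) => { if (e) events.push({ ...e, timestamp: stamp(), page: pageUrl }); };
  (snapshot.forms || []).forEach((f) => record(checkForm(f, pageOrigin, allowedOrigins)));
  (snapshot.links || []).forEach((a) => record(checkLink(a, pageOrigin)));
  return events;
}

// Browser wiring: rescan on DOM mutations, hook XMLHttpRequest.open and post events to
// the monitoring endpoint with sendBeacon. Returns null outside a browser (e.g. Node).
function install(reportUrl, allowedOrigins) {
  if (typeof document === "undefined" || typeof MutationObserver === "undefined") return null;
  const allowed = allowedOrigins.concat([new URL(reportUrl, location.href).origin]);
  const send = (events) => {
    if (events.length && navigator.sendBeacon) navigator.sendBeacon(reportUrl, JSON.stringify(events));
  };
  const snapshotFromDom = () => ({
    forms: Array.from(document.forms).map((f) => ({ action: f.getAttribute("action") || "" })),
    links: Array.from(document.links).map((a) => ({ href: a.getAttribute("href") || "", text: a.textContent })),
  });
  const rescan = () => send(scan(snapshotFromDom(), location.href, allowed));
  const origOpen = XMLHttpRequest.prototype.open;
  XMLHttpRequest.prototype.open = function (method, url, ...rest) {
    const e = checkXhrTarget(String(url), location.origin, allowed);
    if (e) send([{ ...e, timestamp: new Date().toISOString(), page: location.href }]);
    return origOpen.call(this, method, url, ...rest);
  };
  const observer = new MutationObserver(rescan);
  observer.observe(document.documentElement, {
    childList: true, subtree: true, attributes: true, attributeFilter: ["action", "href"],
  });
  rescan();
  return observer;
}

// Constructed sample snapshot (hypothetical hosts): a legitimate login form, a form
// rewritten to post to an off-origin collector, a normal link and a spoofed link.
const SAMPLE_SNAPSHOT = {
  forms: [{ action: "/login" }, { action: "https://collector.invalid/harvest" }],
  links: [
    { href: "/help", text: "Help" },
    { href: "https://phish.invalid/login", text: "https://bank.example/login" },
  ],
};

// Run the checks over the sample with a fixed clock so the output is deterministic.
function demo() {
  return scan(SAMPLE_SNAPSHOT, "https://bank.example/account", ["https://cdn.example"],
    () => "2018-04-11T12:00:00Z");
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real deployment the allow list needs to cover every legitimate third-party origin the page talks to, otherwise the XHR check reports the site's own CDN and analytics calls as exfiltration.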
<div>
<span style="font-family: arial, helvetica, sans-serif;"><b>You can get a reference implementation here:</b></span></div>
<div>
<span style="font-family: arial, helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: arial, helvetica, sans-serif;"><a href="https://github.com/BCCRiskAdvisory/edgeguard">https://github.com/BCCRiskAdvisory/edgeguard</a></span></div>
<div>
<br /></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>A video explaining the overall solution is here:</b></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<iframe width="320" height="266" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/GkpIsSxPpp0/0.jpg" src="https://www.youtube.com/embed/GkpIsSxPpp0?feature=player_embedded" frameborder="0" allowfullscreen></iframe></div>
<div>
<br /></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span></div>
<div style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><a href="https://www.rsaconference.com/events/us18/expo-sponsors/exhibitor-list/4977-edgescan%E2%84%A2" target="_blank">Meet us at RSA 2018 in San Francisco </a></b></span></div>
<div style="text-align: center;">
<span style="color: #0000ee; font-family: Arial, Helvetica, sans-serif;"><b><u><br /></u></b></span><span style="font-family: Arial, Helvetica, sans-serif;"><b><a href="https://www.rsaconference.com/events/us18/expo-sponsors/exhibitor-list/4977-edgescan%E2%84%A2" target="_blank"></a></b></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><a href="https://2.bp.blogspot.com/-ibR8F9CTrPE/Ws330ny1c-I/AAAAAAAACNQ/TBJst0NMdmYke-x6kcHgvBMT8MxXkY19gCLcBGAs/s1600/RSA-Conference-2018-San-Francisco-horizontal-small.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="edgescan RSA" border="0" data-original-height="13" data-original-width="273" src="https://2.bp.blogspot.com/-ibR8F9CTrPE/Ws330ny1c-I/AAAAAAAACNQ/TBJst0NMdmYke-x6kcHgvBMT8MxXkY19gCLcBGAs/s1600/RSA-Conference-2018-San-Francisco-horizontal-small.jpg" title="edgescan RSA" /></a></b></span></div>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com0tag:blogger.com,1999:blog-7247674390631055904.post-26514670652042464752018-04-05T03:43:00.000-07:002018-06-08T04:53:23.774-07:00RSA San Francisco 2018 - What to expect (from edgescan)<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-8itqtPgVnlA/WsXmPcI2qUI/AAAAAAAACMA/MKbZppcprJkb600HwG2zoEMHK6N6OdrwwCLcBGAs/s1600/RSA-2018.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><img border="0" data-original-height="281" data-original-width="500" height="223" src="https://4.bp.blogspot.com/-8itqtPgVnlA/WsXmPcI2qUI/AAAAAAAACMA/MKbZppcprJkb600HwG2zoEMHK6N6OdrwwCLcBGAs/s400/RSA-2018.png" width="400" /></span></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">So here we are again, RSA 2018 in San Francisco, but to be honest it's edgescan's first time attending as a vendor. The last time I was there was in 2014, teaching 400 developers about secure application development with <a href="https://twitter.com/manicode" target="_blank">Jim Manico</a>. Funnily enough, things have not changed so much; the slides are <a href="https://www.slideshare.net/eoinkeary/owasp-free-training-sf2014-keary-and-manico" target="_blank">here</a>.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">So what will the <a href="https://www.rsaconference.com/events/us18/expo-sponsors/exhibitor-list/4977-edgescan%E2%84%A2" target="_blank">edgescan </a>team be doing on our first foray into RSA as a <a href="https://www.rsaconference.com/events/us18/expo-sponsors/exhibitor-list/4977-edgescan%E2%84%A2" target="_blank">vendor</a>?</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Apart from numerous meetings with clients, partners and media, we are also flying the Irish flag and attending an "<a href="http://emergebizactivities.idaireland.com/RSA2018" target="_blank">Irish Night</a>" hosted by Enterprise Ireland and the IDA. Feel free to pop along for a pint and to meet some of the edgescan senior team.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Personally I have a slight reservation regarding the event and industry as a whole....</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>The problems have not changed since 2014: vulnerabilities are similar or the same, and the most common vulnerabilities <a href="https://www.edgescan.com/wp-content/uploads/2018/05/edgescan-stats-report-2018.pdf" target="_blank">discovered</a> by our edgescan SaaS are still older variants.</b></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Many of the solutions being proposed are not solving the issue and not making even a dent in the metrics we see every day.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">We seem to continue to propose new types of solutions for the same problem, but none of them appear to make a large impact. Can anyone disagree that cyber security issues are now more commonplace and destructive than ever? </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>What's old is new.... </b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><a href="https://4.bp.blogspot.com/-a8zssBFi0CY/WszoOFHe8XI/AAAAAAAACM4/g-c08Y1qI3cvETHdIEBpReIyV_v4sXXngCLcBGAs/s1600/1462742258%2B%25281%2529.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="1200" data-original-width="1600" height="150" src="https://4.bp.blogspot.com/-a8zssBFi0CY/WszoOFHe8XI/AAAAAAAACM4/g-c08Y1qI3cvETHdIEBpReIyV_v4sXXngCLcBGAs/s200/1462742258%2B%25281%2529.jpg" width="200" /></a></b></span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b></b></span></div>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">At RSA, we hope to get the opportunity to explain how we can "put a dent" in the problem with fullstack vulnerability management. We've been talking about the items below since <a href="http://ekeary.blogspot.ie/2016/04/web-application-security-for-cisos-6.html" target="_blank">2016 or before </a></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://www.edgescan.com/" target="_blank">edgescan </a>has focused on tried and trusted techniques: automation combined with human expertise, orchestrated to scale without sacrificing accuracy or coverage.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Simple things like <a href="http://ekeary.blogspot.ie/2018/03/visibility-is-key-when-defending.html" target="_blank">visibility of a user's cyber-estate</a> are now "cool", even though we have had the technology for years in some form or another.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Metrics and measurement are another weakness where, again, we have the technology but it is only being addressed now. - "<i>We can't improve what we can't measure</i>".</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Delivering penetration test reports to clients is an old tradition but needs to be replaced with API integration, vulnerability feeds and connectivity into an organisation's bug and risk tracking platforms. - New idea? I don't think so.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">So given that as an industry we have not embraced the basics (above), why do we gravitate to other unproven solutions? I understand it keeps the industry buoyant and innovation is great, believe me we innovate and spend hundreds of thousands on innovation every year, but let's focus on solutions that actually move the dial a little in favour of cyber security resilience and robustness.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://edgescan.com/assets/docs/reports/edgescan-stats-report-2018.pdf" target="_blank"><img alt="edgescan Vulnerability Statistics Report" border="0" data-original-height="267" data-original-width="708" height="120" src="https://4.bp.blogspot.com/-3tpZj3rbRkU/WsX7i_5CFTI/AAAAAAAACMU/jZQSUWnyn8UckYsc_uFp0SetDUOGvkLZQCLcBGAs/s320/edgescan%2BAdvert-2018.png" title="edgescan Vulnerability Statistics Report" width="320" /></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.gartner.com/reviews/market/application-security-testing/vendor/edgescan" target="_blank"><img alt="edgescan gartner" border="0" data-original-height="117" data-original-width="779" height="48" src="https://2.bp.blogspot.com/-wyythmbKVio/WsX7T6VUwMI/AAAAAAAACMQ/QGtdY37aytAaPvFf-wLGu6FegS8sGRuygCLcBGAs/s320/5-star.png" title="edgescan gartner" width="320" /></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com0tag:blogger.com,1999:blog-7247674390631055904.post-8008525841342464162018-03-28T03:38:00.001-07:002018-03-28T03:38:38.911-07:00Visibility is Key when defending the enterprise - HIDE & Seek<br />
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Enterprise cyber security can be daunting with so many systems to consider both internally and public Internet facing.</b></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Something which on the surface seems simple is asset profiling and system visibility. - Knowing what we have to secure is a good step in the right direction.</b></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><b style="mso-bidi-font-weight: normal;">Visibility</b> is of
paramount importance. It helps us understand what we have to secure. </span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">In our
experience, as an organization grows towards enterprise level, visibility reduces. - More systems to secure, both physical and virtual, and more change/flux occurring more frequently.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">The ability to understand what systems and services (assets) are enabled and
exposed to both internal users and the public Internet is key given we cannot
secure assets we are not aware of. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Having visibility of your estate is important
given that many such assets contain sensitive organizational data or are ingress points to such data and systems, and require an
adequate level of security management applied to them.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">A common challenge when organizations grow is the ability to
maintain an asset register and asset inventory, a bill of components and a categorization of the assets used by the organization.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Understanding the purpose and criticality of an organization's assets drives
the level of security which must be applied to a given asset; <i style="mso-bidi-font-style: normal;">a risk based approach</i>. </span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><i style="mso-bidi-font-style: normal;"><br /></i></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><i style="mso-bidi-font-style: normal;">Without visibility of one’s estate applying adequate cyber security measures can
be an impossible task</i>.</b><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="color: blue; font-family: Arial, Helvetica, sans-serif;"><b>6 Key requirements for continuous asset profiling:</b></span></div>
<div class="MsoNormal">
<span style="color: blue; font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span></div>
<div class="MsoNormal">
</div>
<ol>
<li><span style="color: blue; font-family: Arial, Helvetica, sans-serif;"><b>Live intelligence delivered to the correct locations in a timely manner is a requirement for continuous asset profiling.</b></span></li>
<li><span style="color: blue; font-family: Arial, Helvetica, sans-serif;"><b>Custom event alerting when something of interest is discovered</b></span></li>
<li><span style="color: blue; font-family: Arial, Helvetica, sans-serif;"><b>Frequent updates to information</b></span></li>
<li><span style="color: blue; font-family: Arial, Helvetica, sans-serif;"><b>Continuous profiling across individual systems and CIDR ranges</b></span></li>
<li><span style="color: blue; font-family: Arial, Helvetica, sans-serif;"><b>Ability to Search and filter for specific attributes</b></span></li>
<li><span style="color: blue; font-family: Arial, Helvetica, sans-serif;"><b>Ability to automatically add and profile new hosts as they are deployed</b></span></li>
</ol>
<br />
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Let's look into each of these requirements in more detail:</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>At edgescan we have been delivering and evolving HIDE (Host Index Discovery and Enumeration) since 2015 to address such requirements.</b></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">1. <b>Live feeds</b> are important such that you have operational intelligence as changes occur. Once an event occurs we care about who we need to inform. Sending event information via email, SMS, Slack, WebHook or API is important as we need to post the information to the correct dashboard so we are made aware of the event in a timely manner.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">2. <b>Custom Alerting</b> is important such that your enterprise may have particular event types which are deemed worth reporting. Examples of such could be:</span></div>
<div class="MsoNormal">
</div>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">A new server / IP goes live since the last profile cycle.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">A service or IP appears to be non responsive.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">A new service or firewall change has occurred on any asset profiled.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">An asset tagged with a specific profile undergoes a defined profile change.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">A specific port is exposed to the public Internet which should not be exposed.</span></li>
</ul>
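<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">The alerting rules above can be expressed as a diff between two consecutive profile cycles. The following is an added example written for this post, not HIDE's own code or any edgescan API: the snapshot layout (IP to open ports and tags, with "t:22" meaning TCP 22), the event names, the forbidden-port list and the two snapshots for a hypothetical 198.51.100.0/24 range are all assumptions and constructed sample data.</span></div>

```python
"""Change detection between two asset-profile cycles.

Added example, not part of the original post and not edgescan's HIDE code.
The snapshot layout (ip -> open ports and tags, "t:22" meaning TCP 22) and the
event names are assumptions; the two snapshots at the bottom are constructed
sample data for a hypothetical 198.51.100.0/24 range.
"""
from dataclasses import dataclass, field

# Ports that must never be exposed on this (hypothetical) Internet-facing range.
FORBIDDEN_PORTS = {"t:23", "t:445", "t:3389", "u:161"}


@dataclass(frozen=True)
class Event:
    kind: str   # new_host, host_down, new_service, service_removed, tagged_asset_changed, forbidden_port
    host: str
    detail: str = ""


@dataclass
class Snapshot:
    """One profile cycle: every responsive host in the range with its open ports and tags."""
    hosts: dict = field(default_factory=dict)  # ip -> {"ports": set[str], "tags": set[str]}


def diff_snapshots(previous: Snapshot, current: Snapshot, watched_tags=frozenset()) -> list:
    """Apply the alerting rules from the post to two consecutive profile cycles."""
    prev, cur = previous.hosts, current.hosts
    events = []

    # Rule: a new server / IP went live since the last cycle.
    for ip in sorted(set(cur) - set(prev)):
        events.append(Event("new_host", ip, ",".join(sorted(cur[ip]["ports"]))))

    # Rule: a host that answered last cycle is now non-responsive.
    for ip in sorted(set(prev) - set(cur)):
        events.append(Event("host_down", ip))

    # Rule: a service or firewall change on a host present in both cycles.
    for ip in sorted(set(cur) & set(prev)):
        added = cur[ip]["ports"] - prev[ip]["ports"]
        removed = prev[ip]["ports"] - cur[ip]["ports"]
        for port in sorted(added):
            events.append(Event("new_service", ip, port))
        for port in sorted(removed):
            events.append(Event("service_removed", ip, port))
        # Rule: an asset carrying a watched tag underwent a profile change.
        if (added or removed) and cur[ip]["tags"] & set(watched_tags):
            events.append(Event("tagged_asset_changed", ip, f"+{sorted(added)} -{sorted(removed)}"))

    # Rule: a forbidden port is exposed. Checked every cycle, not only on change,
    # so an exposure that was already present keeps alerting until it is closed.
    for ip in sorted(cur):
        for port in sorted(cur[ip]["ports"] & FORBIDDEN_PORTS):
            events.append(Event("forbidden_port", ip, port))
    return events


def webhook_payload(events: list, source: str = "asset-profiler") -> dict:
    """Shape the events for a generic JSON webhook consumer (chat, ticketing, SIEM)."""
    return {"source": source, "count": len(events),
            "events": [{"kind": e.kind, "host": e.host, "detail": e.detail} for e in events]}


# Constructed sample data: cycle N and cycle N+1.
PREVIOUS = Snapshot({
    "198.51.100.10": {"ports": {"t:22", "t:443"}, "tags": {"Critical-asset"}},
    "198.51.100.11": {"ports": {"t:80"}, "tags": set()},
    "198.51.100.12": {"ports": {"t:443"}, "tags": set()},
})
CURRENT = Snapshot({
    "198.51.100.10": {"ports": {"t:22", "t:443", "t:3389"}, "tags": {"Critical-asset"}},
    "198.51.100.11": {"ports": {"t:80"}, "tags": set()},
    "198.51.100.13": {"ports": {"t:22"}, "tags": set()},
})


def demo() -> list:
    """Compare the two sample cycles; yields five events for the data above."""
    return diff_snapshots(PREVIOUS, CURRENT, watched_tags={"Critical-asset"})


if __name__ == "__main__":
    for e in demo():
        print(f"{e.kind:22} {e.host:16} {e.detail}")
```

<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Note that the forbidden-port rule is evaluated on every cycle rather than only on change: a port that was already exposed before profiling started would otherwise never raise an alert, which is exactly the exposure an organisation that has just gained visibility most needs to hear about.</span></div>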
<br />
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">3. </span><span style="font-family: Arial, Helvetica, sans-serif;"><b>Frequent updates</b> to the asset profile are important. This in effect translates to the frequency your assets are being profiled and across which protocols. The more frequent the better. </span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">4. </span><b style="font-family: Arial, Helvetica, sans-serif;">Continuous profiling across individual systems and CIDR ranges </b></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Continuous profiling to constantly detect change, coupled with CIDR (IP range) assessment, detects any change to any IP within an enterprise IP range. This approach (as opposed to only assessing specific IP addresses) helps with discovery of new hosts, rogue deployments and possibly data exfiltration points, as the profiling covers both live IPs and unused IPs which may become live over time.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">5. </span><b style="font-family: Arial, Helvetica, sans-serif;">Ability to Search and filter for specific attributes</b></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">The ability to search profiling results via an API or console in seconds. Searching and filtering by protocol/port, operating system, IP address, DNS name, tag, status etc. provides operational intelligence in seconds. We've encountered many valuable use cases where organizations need to understand quickly whether a specific attribute is present across an enterprise estate in order to determine if they have to react.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">6. </span><b style="font-family: Arial, Helvetica, sans-serif;">Ability to automatically add and profile new hosts as they are deployed</b></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">If continuous asset profiling is across IP ranges/CIDR blocks we want newly deployed systems to be automatically included in the profile assessment. This feature is also very effective in the case of Cloud deployments where systems are spun-up and torn-down on a frequent basis. </span><span style="font-family: Arial, Helvetica, sans-serif;">This keeps pace with change and constant dynamic flux.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="https://www.edgescan.com/" target="_blank">edgescan.com</a> clients enjoy all of the above features via the edgescan vulnerability management portal and also via the edgescan API.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-7RA21hg4E1w/WrttXg4VUwI/AAAAAAAACLw/aqwg7_jgcgYOM5g4jcOmFJPFgyGzhOj-gCLcBGAs/s1600/HIDE-2018.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="626" data-original-width="1267" height="197" src="https://1.bp.blogspot.com/-7RA21hg4E1w/WrttXg4VUwI/AAAAAAAACLw/aqwg7_jgcgYOM5g4jcOmFJPFgyGzhOj-gCLcBGAs/s400/HIDE-2018.png" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<br />
<br />
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Example API calls such as:</b></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: center;">
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">List all systems which are "Alive" and have ports 22,80 & 443 open</span></b></div>
<div class="MsoNormal" style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> /#/hosts?c%5Bstatus%5D=alive&c%5Bopen_port_any%5D=t:22,t:80,t:443&s%5Blocation%5D=desc</span></div>
<div class="MsoNormal" style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span></div>
<div class="MsoNormal" style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><b>List all systems which are "Alive" and have a DNS name like "edge"</b></span></div>
<div class="MsoNormal" style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">/#/hosts?c%5Bstatus%5D=alive&c%5Bhostname_like%5D=edge&s%5Blocation%5D=desc</span></div>
<div class="MsoNormal" style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span></div>
<div class="MsoNormal" style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><b>List all systems which are tagged with the tag "Critical-asset"</b></span></div>
<div class="MsoNormal" style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span></div>
<div class="MsoNormal" style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">/#/hosts?c%5Basset_tagged_any%5D=Critical-Asset&s%5Blocation%5D=desc</span></div>
<div class="MsoNormal" style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Providing the ability to consume this information via a Restful API gives one the ability to develop automation, reporting and integration to other systems on an ongoing basis.</span></div>
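<div class="MsoNormal" style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">To make the three queries above concrete, here is an added example (written for this post, not edgescan portal or API code) that decodes the URL-encoded <i>c[...]</i> and <i>s[...]</i> parameters with the Python standard library and evaluates them against a small, constructed inventory. How each filter is interpreted is an assumption drawn from the parameter names: <i>open_port_any</i> matches a host with at least one of the listed ports open, <i>hostname_like</i> is a substring match, and <i>asset_tagged_any</i> matches at least one listed tag. Because the heading in the post says "Critical-asset" while the URL says "Critical-Asset", tags are compared case-insensitively; the inventory has no location field, so sorting falls back to the IP address.</span></div>

```python
"""Evaluate the portal-style host filters from the post against a local inventory.

Added example, not edgescan's code. Filter semantics (open_port_any = at least one
listed port open, hostname_like = substring, asset_tagged_any = at least one tag,
compared case-insensitively) are assumptions drawn from the parameter names; the
inventory is constructed sample data.
"""
from urllib.parse import parse_qs, urlsplit

INVENTORY = [  # constructed sample hosts
    {"ip": "198.51.100.10", "hostname": "edge-api.example.com", "status": "alive",
     "ports": {"t:22", "t:443"}, "tags": {"Critical-asset"}},
    {"ip": "198.51.100.11", "hostname": "www.example.com", "status": "alive",
     "ports": {"t:80", "t:443"}, "tags": set()},
    {"ip": "198.51.100.12", "hostname": "edge-old.example.com", "status": "dead",
     "ports": set(), "tags": {"Critical-asset"}},
    {"ip": "198.51.100.13", "hostname": "vpn.example.com", "status": "alive",
     "ports": {"u:500", "t:443"}, "tags": set()},
]


def parse_filter_url(url: str) -> tuple:
    """Split '/#/hosts?c[status]=alive&s[location]=desc' into (criteria, sort) dicts."""
    # The query string sits inside the '#' fragment (a client-side route),
    # so take the fragment first and only then split off the '?'.
    fragment = urlsplit(url).fragment
    query = fragment.split("?", 1)[1] if "?" in fragment else ""
    criteria, sort = {}, {}
    for key, values in parse_qs(query).items():  # parse_qs %-decodes c%5B...%5D -> c[...]
        if key.startswith("c[") and key.endswith("]"):
            criteria[key[2:-1]] = values[0]
        elif key.startswith("s[") and key.endswith("]"):
            sort[key[2:-1]] = values[0]
    return criteria, sort


def matches(host: dict, criteria: dict) -> bool:
    """True when the host satisfies every criterion (criteria are ANDed together)."""
    for name, value in criteria.items():
        if name == "status":
            ok = host["status"] == value
        elif name == "open_port_any":
            ok = bool(set(value.split(",")) & host["ports"])
        elif name == "hostname_like":
            ok = value.lower() in host["hostname"].lower()
        elif name == "asset_tagged_any":
            wanted = {t.lower() for t in value.split(",")}
            ok = bool(wanted & {t.lower() for t in host["tags"]})
        else:
            raise ValueError(f"unsupported filter: {name}")
        if not ok:
            return False
    return True


def query(url: str, inventory=INVENTORY) -> list:
    """Return the IPs matching a portal-style filter URL, in the requested sort order."""
    criteria, sort = parse_filter_url(url)
    hits = [h for h in inventory if matches(h, criteria)]
    # The post sorts on s[location]; this inventory has none, so IP stands in for it.
    reverse = sort.get("location", "asc") == "desc"
    return [h["ip"] for h in sorted(hits, key=lambda h: h["ip"], reverse=reverse)]


if __name__ == "__main__":
    for u in (
        "/#/hosts?c%5Bstatus%5D=alive&c%5Bopen_port_any%5D=t:22,t:80,t:443&s%5Blocation%5D=desc",
        "/#/hosts?c%5Bstatus%5D=alive&c%5Bhostname_like%5D=edge&s%5Blocation%5D=desc",
        "/#/hosts?c%5Basset_tagged_any%5D=Critical-Asset&s%5Blocation%5D=desc",
    ):
        print(u, "->", query(u))
```

<div class="MsoNormal" style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Raising on an unknown filter name rather than silently ignoring it matters in practice: a mistyped criterion that is dropped would return a superset of hosts, and an alert built on that result would be wrong without anyone noticing.</span></div>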
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">We think our HIDE feature in edgescan is pretty cool. Let me know if you would like to see a live version or trial edgescan!!</span></div>
<div class="MsoNormal" style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<br />Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com0tag:blogger.com,1999:blog-7247674390631055904.post-65373704162937482362018-01-30T08:29:00.000-08:002018-06-08T04:49:37.653-07:002018 Vulnerability Stats Report - Simple things make the difference.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-rQYYlFWf3qQ/WmjUl8PJ9dI/AAAAAAAACIY/cNpwFd1Z1G46dCQcVfZ3pw1GjseH5HNBgCLcBGAs/s1600/Vuln-stats-2018-cover.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="574" data-original-width="882" height="260" src="https://4.bp.blogspot.com/-rQYYlFWf3qQ/WmjUl8PJ9dI/AAAAAAAACIY/cNpwFd1Z1G46dCQcVfZ3pw1GjseH5HNBgCLcBGAs/s400/Vuln-stats-2018-cover.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
We finally finished off the 2018 edgescan Vulnerability Stats report this week.<br />
Overall things have not changed too much but we did a little more digging into the vulnerability data we harvested over the 12 months to December 2017.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
To that end we also did some PCI compliance comparison, given that edgescan is a certified PCI ASV service in addition to the full stack vulnerability intelligence solution it has always been.<br />
<b><br /></b>
<b>How to improve security in a dramatic fashion? What's the biggest quick win to improve your security posture, you ask?</b><br />
<b><br /></b>
<b>All vulnerabilities are not created equal.</b><br />
We need to look at vulnerability management in a pragmatic way. It's not possible to be vulnerability-free and 100% secure, but we can aim to remove any issues which may give rise to a breach of client or organisational data. So, let's mitigate the highest risks first and not sweat the small stuff.<br />
<blockquote class="tr_bq">
Risk is not linear and reducing vulnerability count does not necessarily translate to significant risk reduction.</blockquote>
<br />
If we look at vulnerabilities from a risk-based pragmatic approach the following items should be examined (assuming you wish to keep your estate secure):<br />
<br />
<b>APPLICATION LAYER RISK DENSITY</b><br />
In 2017 we discovered that on average, 27% of all vulnerabilities
were associated with web applications and 73% were network
vulnerabilities....<b>BUT</b><br />
<b>The majority of critical and high risk issues were situated on the application layer.</b><br />
<br />
So...<br />
<br />
<ul>
<li><b>Network</b>: More noise, more vulnerabilities, less risk.</li>
<li><b>Web/<a href="https://en.wikipedia.org/wiki/OSI_model#Layer_7:_Application_Layer" target="_blank">Layer 7</a></b>: Fewer overall vulnerabilities, higher risk. Most of the weaknesses which could result in a breach are living here.</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-9KhacIS3zOc/Wmm3lgn_-vI/AAAAAAAACIo/_NM8RgQyPOQ_2MFjidm4l8ef2F4Lo3iEQCLcBGAs/s1600/Risk-Density-Stats-2018.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="367" data-original-width="537" height="218" src="https://1.bp.blogspot.com/-9KhacIS3zOc/Wmm3lgn_-vI/AAAAAAAACIo/_NM8RgQyPOQ_2MFjidm4l8ef2F4Lo3iEQCLcBGAs/s320/Risk-Density-Stats-2018.png" width="320" /></a></div>
<span style="color: red;"><br /></span>
This is due to each application being uniquely
developed (hosting environments are homogeneous in comparison) and apparent
difficulties in managing component version
control and patching of third party libraries.<br />
<br />
<b>COMPLIANCE AND PCI DSS</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-iDqdC8-TxRU/Wmm4Ty_FpJI/AAAAAAAACIw/L7qmJtu6LsUr1ZJeZxy9KfO4z-PlRbA2gCLcBGAs/s1600/PCI-View-Stats-2018.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="245" data-original-width="548" height="178" src="https://1.bp.blogspot.com/-iDqdC8-TxRU/Wmm4Ty_FpJI/AAAAAAAACIw/L7qmJtu6LsUr1ZJeZxy9KfO4z-PlRbA2gCLcBGAs/s400/PCI-View-Stats-2018.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Fullstack Cyber Security View:</b></div>
18% of all vulnerabilities discovered by edgescan had a CVSS v2 base score of 4.0 or more. Under the PCI DSS ASV programme that is a failing scan.<br />
<b>Host/Network View:</b><br />
13% of all vulnerabilities in the network layer had a CVSS v2 base score of 4.0 or more. Also a PCI DSS fail.<br />
<b>Web Application View:</b><br />
32% of all vulnerabilities in the web application layer (Layer 7) had a CVSS v2 base score of 4.0 or more. Also a PCI DSS fail.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-WE-vsoVOlVc/Wmm7J0KLEeI/AAAAAAAACJI/K8xMdBzd3nwtH72mejMQ-0JHcV3ciKuXgCLcBGAs/s1600/patches.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="219" data-original-width="230" height="190" src="https://4.bp.blogspot.com/-WE-vsoVOlVc/Wmm7J0KLEeI/AAAAAAAACJI/K8xMdBzd3nwtH72mejMQ-0JHcV3ciKuXgCLcBGAs/s200/patches.jpg" width="200" /></a></div>
<b>CVE LANDSCAPE</b><br />
<b><br /></b>
Finally we are still finding a non trivial amount of old vulnerabilities on live Internet facing systems.<br />
People discuss the importance of <a href="https://en.wikipedia.org/wiki/Zero-day_(computing)" target="_blank">zero-days</a>, but the root cause of many breaches is exploitation of unpatched systems. Don't worry about zero-days; focus on patching your current stuff.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-zfwlu4iDjHE/Wmm6K6V09hI/AAAAAAAACI8/UHi2Hs-lrFELqcDa5cSr3iuD7t7X49B7wCLcBGAs/s1600/CVE-Age-2018.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="326" data-original-width="568" height="227" src="https://3.bp.blogspot.com/-zfwlu4iDjHE/Wmm6K6V09hI/AAAAAAAACI8/UHi2Hs-lrFELqcDa5cSr3iuD7t7X49B7wCLcBGAs/s400/CVE-Age-2018.png" width="400" /></a></div>
<br />
In 2017 edgescan found systems without patches for vulnerabilities dating back to 1999.<br />
The most common CVE was from 2004. To see more read the edgescan report <a href="https://www.edgescan.com/company/resources/" target="_blank">here</a><br />
<br />
<br />
<br />
<br />
<br />
<br />Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com0tag:blogger.com,1999:blog-7247674390631055904.post-25054036011278403972018-01-24T04:00:00.001-08:002018-01-24T04:00:44.125-08:00<h2>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Vulnerability Management: False Positives, False Negatives, Technical, Logical Vulnerabilities and Human Error</span></h2>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">At edgescan, we have delivered thousands of assessments over the past years, and one topic which is both a commonly known weakness and a source of concern is <i>accuracy of assessment</i>.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">The challenge is both human and technical:</span><br />
<br />
<ul>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">Can the technology detect security weaknesses and report accurate findings?</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">Can the technology avoid reporting issues that are not real? - "False Positives"</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">Can the technology miss critical issues and simply not report the weakness? - "False Negatives"</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">In addition, once an issue is reported, will the human dismiss it as a "False Positive" because they misunderstand or cannot reproduce it, turning a real finding into a "False Negative"?</span></li>
</ul>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">The majority of commercial and open source vulnerability scanning tools can not provide reliable results and require significant human validation which can also fail (as above).</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Simple Vectors:</span></h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Most tools can accurately discover simple vulnerabilities by sending a tainted request and analysing the response. If the response matches one of a number of expected patterns signifying a vulnerability, the scanner marks it as a vulnerable issue. - <i>This assumes the scanner actually gets to scan the vulnerable parameter, by virtue of knowing it exists in the first place......</i></span><br />
<h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Crawling/Coverage Challenge:</span></h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;">A scanner discovers an application's layout by crawling/spidering the site, looking for <i>href</i> links to other pages and invocations of <i>HTTP</i> methods. Many scanners don't crawl applications very well and don't map the entire site. This is more and more the case now that we have heavily front-loaded, JavaScript-driven web applications / single-page apps. Poor crawling results in less than optimal coverage. <i>This results in parts of a web application not being tested properly, if at all, leading us into the territory of "False Negatives".</i></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Example issues:</span><br />
<div style="direction: ltr; margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; unicode-bidi: embed; word-break: normal;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>CSRF Tokens Preventing Crawling</b>: </span><span style="font-size: 10pt;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Cross-Site-Request Forgery tokens need to
be resent with every request. If the token is not valid the application may
invalidate the session. Tokens can be embedded in the HTML and not
automatically used by the scanner. This results in the scanner not crawling or
testing the site adequately.</span></span></div>
<div style="direction: ltr; margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; unicode-bidi: embed; word-break: normal;">
<span style="font-size: 10pt;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div style="direction: ltr; margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; unicode-bidi: embed; word-break: normal;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>DOM Security Vulnerabilities</b>: </span><span style="font-size: 10pt;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Client-Side security issues which do not
generate HTTP requests may go undiscovered due to tools only testing the
application via sending and receiving HTTP requests. DOM (Document Object
Model) vulnerabilities may go undiscovered as the tool does not process client
side scripts.</span></span></div>
<div style="direction: ltr; margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; unicode-bidi: embed; word-break: normal;">
<span style="font-size: 10pt;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div style="direction: ltr; margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; unicode-bidi: embed; word-break: normal;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Dynamically Generated Requests</b>: </span><span style="font-size: 10pt;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Contemporary applications may dynamically
generate HTTP requests via JavaScript functions and tools which crawl
applications to establish site maps may not detect such dynamic links and
requests.</span></span></div>
<div style="direction: ltr; margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; unicode-bidi: embed; word-break: normal;">
<span style="font-size: 10pt;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div style="direction: ltr; margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; unicode-bidi: embed; word-break: normal;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Recursive Links - Limiting Repetitive Functionality</b>: </span><span style="font-size: 10pt;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Applications with recursive links may
cause a tool to send 1000s of unnecessary requests. Examples include a
calendar control or a search result function, where crawling every link sends
1000s of extra requests to the application that yield little additional value.</span></span></div>
<div style="direction: ltr; margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; unicode-bidi: embed; word-break: normal;">
<span style="font-size: 10pt; font-style: italic;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Example:</span></span></div>
<div style="direction: ltr; margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; unicode-bidi: embed; word-break: normal;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: 10pt; font-style: italic;">/Item/5/view, /Item/6/view, /Item/7/view, ...</span></span></div>
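<div style="direction: ltr; margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; unicode-bidi: embed; word-break: normal;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 10pt;">One way a crawler can limit the repetitive functionality described above, shown as an added example that is not code from the original post or from the edgescan service: URLs that differ only in numeric or date-like path segments, or in query-string values, are collapsed into one template, and only a capped number of concrete URLs per template are requested. The template rules, the cap of three per template, the host app.example and the constructed sample URLs are all assumptions.</span></div>

```python
"""Crawl-budget helper for repetitive functionality.

Added example (not edgescan code): collapses URLs that differ only in
numeric or date-like path segments, or in query-string values, into one
template and caps how many concrete URLs per template a crawler requests.
Template rules, the default cap and the sample URLs below are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Path segments treated as "variable": pure integers (/Item/5/view) and
# ISO-style months or dates (/calendar/2017-02 or /calendar/2017-02-01).
NUMERIC = re.compile(r"^\d+$")
DATE_LIKE = re.compile(r"^\d{4}-\d{2}(-\d{2})?$")


def url_template(url: str) -> str:
    """Return a template key for url with its variable parts replaced.

    Variable path segments become {n}; query values become {v} and query
    keys are sorted so that ?a=1&b=2 and ?b=9&a=0 share one template.
    """
    parts = urlsplit(url)
    segments = [
        "{n}" if NUMERIC.match(seg) or DATE_LIKE.match(seg) else seg
        for seg in parts.path.split("/")
    ]
    path = "/".join(segments)
    keys = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    query = "&".join(f"{k}={{v}}" for k in keys)
    template = f"{parts.scheme}://{parts.netloc}{path}"
    return f"{template}?{query}" if query else template


class CrawlBudget:
    """Decides whether a discovered URL is worth requesting.

    Each template gets at most per_template distinct concrete URLs; the
    rest are counted as skipped so the scan report can show what was not
    exercised (a calendar control or paginated search is still tested,
    just not thousands of times).
    """

    def __init__(self, per_template: int = 3) -> None:
        self.per_template = per_template
        self.requested = defaultdict(list)  # template -> URLs requested
        self.skipped = defaultdict(int)     # template -> URLs skipped

    def should_request(self, url: str) -> bool:
        template = url_template(url)
        if url in self.requested[template]:
            return False  # exact duplicate, never re-request
        if len(self.requested[template]) >= self.per_template:
            self.skipped[template] += 1
            return False
        self.requested[template].append(url)
        return True


def plan_crawl(urls, per_template: int = 3):
    """Filter discovered URLs down to the ones worth requesting.

    Returns (urls_to_request, {template: skipped_count}).
    """
    budget = CrawlBudget(per_template)
    keep = [u for u in urls if budget.should_request(u)]
    return keep, dict(budget.skipped)


# Constructed sample input (assumed host): a listing with 500 items, a
# month-by-month calendar control, a paginated search and two one-off pages.
SAMPLE_URLS = (
    [f"https://app.example/Item/{i}/view" for i in range(1, 501)]
    + [f"https://app.example/calendar/2017-{m:02d}" for m in range(1, 13)]
    + [f"https://app.example/search?q=test&page={p}" for p in range(1, 41)]
    + ["https://app.example/login", "https://app.example/account/settings"]
)

if __name__ == "__main__":
    kept, skipped = plan_crawl(SAMPLE_URLS)
    print(f"{len(SAMPLE_URLS)} discovered, {len(kept)} requested")
    for template, count in skipped.items():
        print(f"  skipped {count:4d} under {template}")
```

Running the block reports that only 11 of the 554 constructed URLs are requested, with the remainder counted per template so the reduced coverage is visible rather than silent.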
<br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif;">Interpretation of results:</span></b><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">This challenge can arise from either human error or automation. Tools can misinterpret results by reporting a security issue where none exists (false positive) or by not sending the request needed to detect a vulnerability (false negative). Humans can get it wrong too (as above).</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div style="direction: ltr; margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; unicode-bidi: embed; word-break: normal;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div style="direction: ltr; margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; unicode-bidi: embed; word-break: normal;">
<br /></div>
<div style="direction: ltr; margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; unicode-bidi: embed; word-break: normal;">
<span style="font-size: 10pt;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div style="direction: ltr; margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; unicode-bidi: embed; word-break: normal;">
<span style="font-family: "calibri"; font-size: 10pt;"><br /></span></div>
Eoin Keary | http://www.blogger.com/profile/17946046587245366946 | noreply@blogger.com | 0 | tag:blogger.com,1999:blog-7247674390631055904.post-7957128036348224723 | 2017-02-01T03:45:00.001-08:00 | 2017-09-06T04:52:24.267-07:00 | edgescan & GDPR: Improving compliance and reducing the cost of cybersecurity<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif; margin-left: 1em; margin-right: 1em;"></span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-5rFaq63vv2s/WJDAbJ1udxI/AAAAAAAAB88/xk5SenFcS4MYvbh2thmpsginrJUFfwrRwCLcB/s1600/Knight-EU.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="172" src="https://2.bp.blogspot.com/-5rFaq63vv2s/WJDAbJ1udxI/AAAAAAAAB88/xk5SenFcS4MYvbh2thmpsginrJUFfwrRwCLcB/s320/Knight-EU.png" width="320" /></a></div>
<div class="MsoNormal">
<b><span lang="EN-IE"><span style="font-family: "arial" , "helvetica" , sans-serif;">Navigating
GDPR from a cyber security perspective...</span></span></b></div>
<div class="MsoNormal">
<span lang="EN-IE"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<br />
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Update - September 2017</span></div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.7); font-stretch: inherit; font-variant-numeric: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;">
<strong style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.85); font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">Some people still don't know where to start with GDPR. Here are some simple key points to kick you off...</span></strong></div>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Identify the personal data you collect and where it is stored. Is it stored appropriately, and how are you protecting the data from a cyber standpoint? Are your applications secure, regularly tested, and designed with security in mind? Can you prove this?</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Review your internal policies, including your security breach response policy: incident response, DR and BCP. What happens if something goes badly wrong? What happens in the event of a breach? Do I have mitigation controls and notification procedures in place?</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Review the type of data processing carried out, identify the legal basis for the processing and document it. Do you need all the client data you possess, and do you have a legal basis for storing it?</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Review how you handle all applicable clients' rights, including the deletion of personal data and the right to be forgotten (RTBF).</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Review if and how you seek, obtain and record client consent, and whether any changes are needed. Do clients know you are storing their data and what you are using it for? Have they consented to what you are doing? Can you prove this?</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Review your external privacy policies and EULAs, and refresh them with the changes necessary for transparency and relevance.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Review and update your processor/sub-processor and third-party agreements. Third-party risk covers upstream and downstream processors of your clients' data. <em style="border: 0px; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">You can outsource the service but not the risk. </em><span style="font-style: inherit; font-variant-caps: inherit; font-variant-ligatures: inherit; font-weight: inherit;">Do you know whether your B2B partners are secure, store your clients' data properly and don't use it for any reason other than what is agreed? Do they have a policy to reflect this, and how is it policed? How often do they get technical security assessments of the systems used to process your clients' data? How do they demonstrate this?</span></span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Review the lawful basis for the transfer of personal data outside the EU. If you transfer data outside the EU, are you permitted to do so by the data owner (client)?</span></li>
</ul>
</div>
<div class="MsoNormal">
<h3>
<span lang="EN-IE"><span style="font-family: "arial" , "helvetica" , sans-serif;">Cyber-security, GDPR, Articles and Controls:</span></span></h3>
<span lang="EN-IE"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span lang="EN-IE"><span style="font-family: "arial" , "helvetica" , sans-serif;">The new General Data Protection Regulation (GDPR), enforceable as of May
25, 2018, is set to replace the Data Protection Directive 95/46/EC. The GDPR is directly applicable in each member state and will lead to
a greater degree of data protection harmonisation across EU member states.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-IE"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-IE"><span style="font-family: "arial" , "helvetica" , sans-serif;">The GDPR does suggest actions to take in order to be compliant, such as a process
for regularly testing, assessing and evaluating the effectiveness of technical
and organisational measures for ensuring the security of the processing. <o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-IE"><span style="font-family: "arial" , "helvetica" , sans-serif;">From a cybersecurity standpoint this covers aspects such as technical assessment,
patching and maintenance, vulnerability management, threat detection
and prevention, asset and service profiling and visibility, and overall better
governance of an organisation's digital estate and technical controls.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://3.bp.blogspot.com/-1CslIrU49LA/WJHIOtMu97I/AAAAAAAAB-A/8p4WFDscypc4zR-Ep6AcYbAXDsmwJYXYACLcB/s1600/edgescan-icon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://3.bp.blogspot.com/-1CslIrU49LA/WJHIOtMu97I/AAAAAAAAB-A/8p4WFDscypc4zR-Ep6AcYbAXDsmwJYXYACLcB/s1600/edgescan-icon.png" /></a></span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><o:p></o:p></span><br />
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: 36.0pt; mso-list: l2 level1 lfo1; tab-stops: list 36.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span style="font-family: "arial" , "helvetica" , sans-serif;">•<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;">
</span><!--[endif]--><b><span lang="EN-IE">EU GDPR – </span></b><span lang="EN-IE">Article
32, Security of Processing</span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: 72.0pt; mso-list: l2 level2 lfo1; tab-stops: list 72.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span style="font-family: "arial" , "helvetica" , sans-serif;">•<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;">
</span><!--[endif]--><span lang="EN-IE">Taking
into account the state of the art, the costs of implementation and the nature,
scope, context and purposes of processing as well as the risk of varying
likelihood and severity for the rights and freedoms of natural persons, <b>the controller and the processor shall implement appropriate technical
and organisational measures to ensure a level of security appropriate to the
risk</b>, including inter alia as appropriate:</span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<br /></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;">In effect, GDPR mandates that
appropriate technical security controls are required, amongst other equally
important controls (citizen access to and control of their data), to ensure a level
of security based on the data held and the risk/impact of disclosure of such
information. <o:p></o:p></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;">“</span></i><b><span lang="EN-IE">to ensure a level of
security appropriate to the risk” </span></b><i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;">is an important aspect which should
be considered. Given that a firm may be custodian of a user's financial or
Personally Identifiable Information (PII), there is a duty of care to protect the data and
to ensure proper authorisation and security controls surround it. </span></i></span></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><br /></span></i></span></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;">From a technical
standpoint, security assessments and vulnerability management are some of the
tools used to help maintain that level of assurance.<o:p></o:p></span></i></span></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><br /></span></i></span></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;">edgescan provides continuous
assessment of technical systems in order to help discover vulnerabilities which
may lead to a breach. <b>The “win” in using edgescan is an auditable
history of all assessments, and of each individual vulnerability, which shows
the vulnerability lifecycle and makes it easy to demonstrate compliance and continuous
improvement.</b></span></i><span lang="EN-IE"> </span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><br /></span></i></span></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;">The idea of a single annual or bi-annual
assessment is becoming unsustainable given the rate of change of systems,
particularly cloud-based deployments. </span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: grey;">The ability to continually assess
security posture on an ongoing basis, using a combination of automation
and human intelligence, is gaining traction globally, resulting in cost reduction
and increased rigour depending on the vendor used.<o:p></o:p></span></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;">There is a trend in the industry to
move towards Managed Security Service Providers (MSSPs) and to leverage experts
who deliver services such as vulnerability management on a full-time basis. <b>An
MSSP should address requirements where you don’t have in-house expertise.</b><o:p></o:p></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span></span></i></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-1CslIrU49LA/WJHIOtMu97I/AAAAAAAAB-A/GERoPCqGMD0OIOZ8fqiZaKuCDyldFyz0gCEw/s1600/edgescan-icon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-1CslIrU49LA/WJHIOtMu97I/AAAAAAAAB-A/GERoPCqGMD0OIOZ8fqiZaKuCDyldFyz0gCEw/s1600/edgescan-icon.png" /></a></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><span lang="EN-IE">EU </span></b><b><span lang="EN-IE">GDPR - Recitals of Interest<o:p></o:p></span></b></span></div>
<div class="MsoNormal" style="margin-left: 54.0pt; mso-list: l0 level1 lfo2; tab-stops: list 54.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span style="font-family: "arial" , "helvetica" , sans-serif;">•<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;"> <b>
</b></span><!--[endif]--><span lang="EN-IE"><b>Recital
(78)</b> The protection of the rights and freedoms of natural persons with regard
to the processing of personal data require that <b>appropriate technical and
organisational measures</b> be taken to ensure that the requirements of this regulation are met. </span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: 54.0pt; mso-list: l0 level1 lfo2; tab-stops: list 54.0pt; text-indent: -18.0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span lang="EN-IE"><br /></span></span></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Appropriate technical measures are
easily confirmed and identified using edgescan, as a complete security history
can be reviewed for any period of time on an ongoing basis.<o:p></o:p></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;">In a reasonably fast-moving
technical environment which undergoes change on a frequent basis (e.g. a
cloud environment, or Agile system development methodologies), an annual or
bi-annual security assessment to help ensure the security of the systems in scope
may seem like a reasonable approach, but the risk is the rate of change of the
environment and the resulting window of exposure due to the infrequency of technical
security assessment. <o:p></o:p></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i style="font-family: Arial, Helvetica, sans-serif;"><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><br /></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i style="font-family: Arial, Helvetica, sans-serif;"><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;">Continuous assessment as per the
edgescan service helps you maintain constant vigilance in order to assist with
GDPR compliance.</span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i style="font-family: Arial, Helvetica, sans-serif;"><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><br /></span></i></div>
<div class="MsoNormal" style="margin-left: 54.0pt; mso-list: l0 level1 lfo2; tab-stops: list 54.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span style="font-family: "arial" , "helvetica" , sans-serif;">•<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;">
</span><!--[endif]--><span lang="EN-IE">In
order to be able to <b>demonstrate compliance </b>with this Regulation, the
controller should adopt internal policies <b>and implement measures</b> which meet in
particular the <b>principles of data protection by design and data protection
by default</b>...</span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Demonstrating compliance in relation to cyber
security is straightforward, as the edgescan portal delivers a complete history
of all vulnerabilities (web & infrastructure) discovered and closed over the entire licensing period. </span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Many of our clients in highly regulated industries use edgescan to demonstrate
to external auditors the constant assessment approach they have adopted to cyber
security.<o:p></o:p></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Data Protection by default can be assessed in both pre-production environments and deployed production systems. Using edgescan to detect and mitigate vulnerabilities (via WAF integration) is core to being able to demonstrate compliance.</span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<br /></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></i></div>
<div class="MsoNormal" style="margin-left: 54.0pt; mso-list: l0 level1 lfo2; tab-stops: list 54.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span style="font-family: "arial" , "helvetica" , sans-serif;">•<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;">
</span><!--[endif]--><span lang="EN-IE">Such
measures could consist, inter alia, of <b>minimising</b> the processing of
personal data, <b>pseudonymising</b> personal data as soon as possible, <b>transparency</b>
with regard to the functions and processing of personal data, enabling the <b>data
subject to monitor</b> the data processing, enabling the controller to <b>create
and improve security features</b>. </span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;">“<b>You can’t improve what you can’t
measure</b>”; edgescan gives our clients the ability to continuously improve by
tracking security posture at any point in time. The metrics supplied by
edgescan let our clients easily see which vulnerability is most common and its
root cause, and identify quick wins in a clear and easy fashion.<o:p></o:p></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<br /></div>
<div class="MsoNormal" style="margin-left: 54.0pt; mso-list: l0 level1 lfo2; tab-stops: list 54.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span style="font-family: "arial" , "helvetica" , sans-serif;">•<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;">
</span><!--[endif]--><span lang="EN-IE">When
developing, designing, selecting and using applications, services and products
that are based on the processing of personal data or process personal data to
fulfil their task, <b>producers of the products, services and applications</b>
should be encouraged to take into account the right to data protection when
developing and designing such products, services and applications and, with due
regard to the state of the art, to make sure that controllers and processors
are able to fulfil their data protection obligations. <b>The principles of data
protection by design and by default should also be taken into consideration in
the context of public tenders</b>.</span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: 54.0pt; mso-list: l0 level1 lfo2; tab-stops: list 54.0pt; text-indent: -18.0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span lang="EN-IE"><br /></span></span></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;">In pre-production environments
edgescan gives our clients the ability to assess the security of a solution
quickly and on-demand. This assists with detection of cyber security issues
before a system is deployed to production, resulting in a “secure by default”
posture. <o:p></o:p></span></span></i></div>
<div class="MsoNormal" style="margin-left: 54.0pt;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://2.bp.blogspot.com/-1CslIrU49LA/WJHIOtMu97I/AAAAAAAAB-A/GERoPCqGMD0OIOZ8fqiZaKuCDyldFyz0gCEw/s1600/edgescan-icon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-1CslIrU49LA/WJHIOtMu97I/AAAAAAAAB-A/GERoPCqGMD0OIOZ8fqiZaKuCDyldFyz0gCEw/s1600/edgescan-icon.png" /></a></span></div>
<br />
<div class="MsoNormal" style="margin-left: 54.0pt; mso-list: l0 level1 lfo2; tab-stops: list 54.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span style="font-family: "arial" , "helvetica" , sans-serif;">•<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;"> <b>
</b></span><!--[endif]--><span lang="EN-IE"><b>Recital
(49) </b>The processing of personal data to the <b>extent strictly necessary </b>and
<b>proportionate</b> for the purposes of <b>ensuring network and information
security</b>, i.e. the ability of a network or an information system to resist,
at a given level of confidence, accidental events or unlawful or malicious
actions that compromise the availability, authenticity, integrity and
confidentiality of stored or transmitted personal data, and the security of the
related services offered by, or accessible via, those networks and systems, by
public authorities, by computer emergency response teams (CERTs), computer security
incident response teams (CSIRTs), by providers of electronic communications
networks and services and by providers of security technologies and services,
constitutes a legitimate interest of the data controller concerned. </span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: 54.0pt; mso-list: l0 level1 lfo2; tab-stops: list 54.0pt; text-indent: -18.0pt;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span lang="EN-IE"><br /></span></span></div>
<div class="MsoNormal" style="margin-left: 54.0pt; mso-list: l0 level1 lfo2; tab-stops: list 54.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span style="font-family: "arial" , "helvetica" , sans-serif;">•<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;">
</span><!--[endif]--><span lang="EN-IE">This
could, for example, include preventing unauthorised access to electronic
communications networks and malicious code distribution and stopping ‘denial of
service’ attacks and damage to computer and electronic communication systems.</span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Detecting weaknesses in the
security posture in an ever-changing environment is core to what edgescan
provides. Our full-stack approach to security gives our users visibility of both
web application and supporting host/cloud security.<o:p></o:p></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;">As new deployments and features are
delivered edgescan automatically assesses the security posture of the deployment and associated subsystems.<o:p></o:p></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;">This approach, which includes validation
of every discovered vulnerability by our experts, removes the need for
expensive point-in-time consulting engagements and improves security resilience on an ongoing
basis.<o:p></o:p></span></span></i></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-1CslIrU49LA/WJHIOtMu97I/AAAAAAAAB-A/GERoPCqGMD0OIOZ8fqiZaKuCDyldFyz0gCEw/s1600/edgescan-icon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-1CslIrU49LA/WJHIOtMu97I/AAAAAAAAB-A/GERoPCqGMD0OIOZ8fqiZaKuCDyldFyz0gCEw/s1600/edgescan-icon.png" /></a></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<br /></div>
<div class="MsoNormal" style="margin-left: 36.0pt; mso-list: l3 level1 lfo3; tab-stops: list 36.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span style="font-family: "arial" , "helvetica" , sans-serif;">•<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;"> </span></span><b><span style="font-family: "arial" , "helvetica" , sans-serif;">Recital</span><span style="font-family: "arial" , "helvetica" , sans-serif;"> </span></b><span style="font-family: "arial" , "helvetica" , sans-serif; text-indent: -18pt;"><b>(81)</b>
To ensure compliance with the requirements of this Regulation in respect of the
processing to be carried out by the processor on behalf of the controller, when
entrusting a processor with processing activities, the </span><b style="font-family: Arial, Helvetica, sans-serif; text-indent: -18pt;">controller should use
only processors providing sufficient guarantees</b><span style="font-family: "arial" , "helvetica" , sans-serif; text-indent: -18pt;">, in particular in terms of
expert knowledge, reliability and resources, to implement technical and
organisational measures which will meet the requirements of this Regulation,
including for the </span><b style="font-family: Arial, Helvetica, sans-serif; text-indent: -18pt;">security of processing</b><span style="font-family: "arial" , "helvetica" , sans-serif; text-indent: -18pt;">. The adherence of the processor
to an </span><b style="font-family: Arial, Helvetica, sans-serif; text-indent: -18pt;">approved code of conduct or an approved certification</b><span style="font-family: "arial" , "helvetica" , sans-serif; text-indent: -18pt;"> mechanism
may be used as an element to </span><b style="font-family: Arial, Helvetica, sans-serif; text-indent: -18pt;">demonstrate compliance</b><span style="font-family: "arial" , "helvetica" , sans-serif; text-indent: -18pt;"> with the obligations
of the controller.</span></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;">edgescan’s continuous and on-demand
fullstack approach gives you evidence that your systems are
constantly being assessed for security weaknesses. A record of historical
assessment frequency, vulnerability data and proof of continuous improvement
and vigilance is exactly the kind of evidence a controller needs when it must show that a processor provides
"sufficient guarantees". Note that an assessment history is supporting evidence, not in itself the approved code of conduct or certification mechanism that Recital 81 refers to. You can easily
demonstrate compliance with</span></span></i></div>
<div class="MsoNormal" style="margin-left: 54.0pt;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://2.bp.blogspot.com/-1CslIrU49LA/WJHIOtMu97I/AAAAAAAAB-A/GERoPCqGMD0OIOZ8fqiZaKuCDyldFyz0gCEw/s1600/edgescan-icon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-1CslIrU49LA/WJHIOtMu97I/AAAAAAAAB-A/GERoPCqGMD0OIOZ8fqiZaKuCDyldFyz0gCEw/s1600/edgescan-icon.png" /></a></span></div>
<br />
<div class="MsoNormal" style="margin-left: 36.0pt; mso-list: l1 level1 lfo4; tab-stops: list 36.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span style="font-family: "arial" , "helvetica" , sans-serif;">•<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;"> <b> </b></span></span><b><span style="font-family: "arial" , "helvetica" , sans-serif;">Recital</span><span style="font-family: "arial" , "helvetica" , sans-serif;"> </span></b><span style="font-family: "arial" , "helvetica" , sans-serif; text-indent: -18pt;"><b>(83)</b>
In order to maintain security and to prevent processing in infringement of this
Regulation, the controller or processor should </span><b style="font-family: Arial, Helvetica, sans-serif; text-indent: -18pt;">evaluate the risks</b><span style="font-family: "arial" , "helvetica" , sans-serif; text-indent: -18pt;">
inherent in the processing and implement measures to mitigate those risks, </span><b style="font-family: Arial, Helvetica, sans-serif; text-indent: -18pt;">such
as encryption</b><span style="font-family: "arial" , "helvetica" , sans-serif; text-indent: -18pt;">.</span></div>
<div class="MsoNormal" style="margin-left: 36.0pt; mso-list: l1 level1 lfo4; tab-stops: list 36.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span style="font-family: "arial" , "helvetica" , sans-serif;">•<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;">
</span><!--[endif]--><span lang="EN-IE">Those
measures should ensure an appropriate level of security, including
confidentiality, taking into account the state of the art and the costs of
implementation in relation to the risks and the nature of the personal data to
be protected. </span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: 36.0pt; mso-list: l1 level1 lfo4; tab-stops: list 36.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span style="font-family: "arial" , "helvetica" , sans-serif;">•<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;">
</span><!--[endif]--><span lang="EN-IE">In
<b>assessing data security risk</b>, consideration should be given to the risks
that are presented by personal data processing, such as <b>accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access
to, personal data transmitted, stored or otherwise processed which may in
particular lead to physical, material or non-material damage</b>.</span><o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: grey;">edgescan detects weaknesses in your cyber security posture so you can address issues as soon as they are found. Via
our API, alerting or integrations you can quickly understand risks by
priority, evaluate the potential impact of each finding, and reduce both the likelihood
of being hacked and the exposure to fines for non-compliance with GDPR.<o:p></o:p></span></span></span></i></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<i><span lang="EN-IE" style="color: grey; mso-ansi-language: EN-IE; mso-themecolor: background1; mso-themeshade: 128;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></i></div>
<div class="MsoNormal" style="text-align: center;">
<o:p><span style="font-family: "arial" , "helvetica" , sans-serif;">Want to know more:</span></o:p></div>
<div class="MsoNormal" style="text-align: center;">
<o:p><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></o:p></div>
<div class="MsoNormal" style="text-align: center;">
<o:p><span style="font-family: "arial" , "helvetica" , sans-serif;">edgescan: <a href="http://www.edgescan.com/">edgescan.com</a></span></o:p></div>
<div class="MsoNormal" style="text-align: center;">
<o:p><span style="font-family: "arial" , "helvetica" , sans-serif;">Client reviews: <a href="https://www.gartner.com/reviews/market/application-security-testing/vendor/edgescan" target="_blank">Gartner Peer Insights</a></span></o:p></div>
<div class="MsoNormal" style="text-align: center;">
<o:p><span style="font-family: "arial" , "helvetica" , sans-serif;">GDPR Document: <a href="http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf" target="_blank">EU GDPR</a></span></o:p></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://3.bp.blogspot.com/-4Z562_HVFtw/WJHF6WWPj1I/AAAAAAAAB9o/tdMaE79VSRcj2aGYF83Qttme3RvJD_MJACLcB/s1600/Licenses.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="352" src="https://3.bp.blogspot.com/-4Z562_HVFtw/WJHF6WWPj1I/AAAAAAAAB9o/tdMaE79VSRcj2aGYF83Qttme3RvJD_MJACLcB/s640/Licenses.png" width="640" /></a></span></div>
</div>
Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com0tag:blogger.com,1999:blog-7247674390631055904.post-61706045588143001112016-09-19T12:36:00.001-07:002016-09-19T12:36:18.483-07:00Examiner ArticleA short article by <span style="background-color: white; font-family: "PT Sans", sans-serif; font-size: 14px; font-weight: 700;">Trish Dromey </span><span style="background-color: white; font-family: "PT Sans", sans-serif; font-size: 14px;">on the how and why of edgescan, and what comes next</span><br />
<span style="background-color: white; font-family: "PT Sans", sans-serif; font-size: 14px;"><br /></span>
<span style="background-color: white; font-family: "PT Sans", sans-serif; font-size: 14px;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-TGcSv_jWiiU/VscxOGKogTI/AAAAAAAAB3M/FyoEJMlSc6sEUgv9bdBx8uBxP3bxfnsFACPcB/s1600/edgescan-banner.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="40" src="https://3.bp.blogspot.com/-TGcSv_jWiiU/VscxOGKogTI/AAAAAAAAB3M/FyoEJMlSc6sEUgv9bdBx8uBxP3bxfnsFACPcB/s320/edgescan-banner.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.irishexaminer.com/business/edgescan-on-the-hunt-for-cyber-crooks-247-421686.html" target="_blank">24/7 Security</a></div>
<span style="background-color: white; font-family: "PT Sans", sans-serif; font-size: 14px;"><br /></span>Eoin Kearyhttp://www.blogger.com/profile/17946046587245366946noreply@blogger.com0