Professional Documents
Culture Documents
issue 67
Reducing risk
Table of contents
page 04 Cooking up secure code: A page 41 Review: ThreadFix 3.0
foolproof recipe for open source
page 53 Which cybersecurity failures
page 07 Hardware security: Emerging cost companies the most
attacks and protection and which defenses have the
mechanisms highest ROI?
page 35 Three places for early warning page 79 State-backed hacking, cyber
of ransomware and breaches deterrence, and the need for
that aren’t the dark web international norms
page 38 The lifecycle of a eureka page 83 DaaS, BYOD, leasing and buying:
moment in cybersecurity Which is better for cybersecurity?
code: A foolproof
recipe for open Open source code is distinct from custom
code, however, in that its vulnerabilities –
source and many exploits for them – are published
online, making it a particularly attractive
author_ StevenZimmerman, Open target for malicious actors.
Source Strategist, Checkmarx
05 steven zimmerman insecuremag.com | issue 67
But the widespread use of open source code has them, or the various iterations and forks which they
consequences. As with custom or home-grown code, have experienced. While they might share similar
open source libraries can contain vulnerabilities, purpose or functionality, these components might
and those vulnerabilities may be exploited by contain slight changes that reflect the needs or
cybercriminals as attack vectors to gain access to preferences of the people who influenced their
networks, intercept sensitive data, and influence or evolution. A good example of this is the difference
impede an application’s functionality. Open source between Red Hat Enterprise Linux and Ubuntu. In
code is distinct from custom code, however, in that practice, these slight differences can add up to create
its vulnerabilities – and many exploits for them – are a significant impact on functionality, compatibility,
published online, making it a particularly attractive and security, and thus must be considered when
target for malicious actors. researching which “recipe” to follow.
the responsibility to identify and fix vulnerabilities within the same software project.
falls on the developers. This is much easier said
than done, as it is one thing to bear the burden SCA solutions help developers by detecting open
of identifying and resolving these vulnerabilities source components, giving insights into any
by developing a new component version, and it is associated vulnerabilities, and providing actionable
another to communicate the need to address the information around risk and remediation.
vulnerabilities to everyone using the vulnerable
component version. Getting this done efficiently They also need to work well with other
ultimately comes down to having the right “appliances,” such as other security, development,
equipment on hand. and issue management tools. With the right SCA
tool on hand, developers leveraging open source
code can be sure that the software they ship will be
Applications must be reviewed, then much more secure.
reviewed again to ensure that nothing has
been missed. Cooking up a masterpiece
The equipment in a developer’s software “kitchen” Even if a developer follows all best practices,
is a key factor in whether or not the code they vulnerabilities can persist, or new vulnerabilities
produce is secure and of high quality. When may emerge for previously released software.
open source code is in use, software composition
analysis (SCA) tools are preferred for this. By following the advice laid out above, developers
using open source code have a greater chance
SCA refers to the process of analyzing software, to be able to approach the challenge with a
detecting the open source components within fresh perspective and understanding, increasing
and identifying associated risks, including their open source security and serving software
security risks and license risks. Security risk masterpieces in no time.
refers to vulnerabilities that can be tracked in
publicly available databases such as the National
Vulnerability Database (NVD) or discovered by
private security research teams. License risk can
be a function of unfavorable license requirements
associated with a particular component, the failure
to comply with license requirements, or conflicts
between unique licenses for different components
07 mirko zorz insecuremag.com | issue 67
Jauregui says she’s always been interested “Hardware can sometimes be considered its own
in hardware. She started out as an electrical level of security because it often requires physical
engineering major but switched to computer presence in order to access or modify specific fuses,
science halfway through university, and ultimately jumpers, locks, etc.,” Jauregui explained. This is
applied to be an Intel intern in Mexico. why hardware is also used as a root of trust.
“After attending my first hackathon — where I actually She advises IT security specialists to be aware
met my husband — I’ve continued to explore my of firmware’s importance as an asset to their
love for all things hardware, firmware, and security organization’s threat model, to make sure that
to this day, and have been a part of various research the firmware on company devices is consistently
teams at Intel ever since,” she added. She’s currently updated, and to set up automated security
a security researcher for Intel’s PSG (Programmable validation tools that can scan for configuration
Solutions Group) organization. anomalies within their platform and evaluate
security-sensitive bits within their firmware.
What do we talk about when we talk about
hardware security?
Every hardware device has firmware – a
Computer systems – a category that these days tempting attack vector for many hackers.
includes everything from phones and laptops to
wireless thermostats and other “smart” home
appliances – are a combination of many hardware “Additionally, Confidential Computing has emerged
components (a processor, memory, i/o peripherals, as a key strategy for helping to secure data in use,”
etc.) that together with firmware and software are she noted. “It uses hardware memory protections
capable of delivering services and enabling the to better isolate sensitive data payloads. This
connected data-centric world we live in. represents a fundamental shift in how computation
is done at the hardware level and will change how
Hardware-based security typically refers to the vendors can structure their application programs.”
defenses that help protect against vulnerabilities
targeting these devices, and its main focus it to Finally, the COVID-19 pandemic has somewhat
make sure that the different hardware components disrupted the hardware supply chain and has
working together are architected, implemented, brought to the fore another challenge.
and configured correctly.
“Because a computing system is typically
composed of multiple components from different
09 mirko zorz insecuremag.com | issue 67
manufacturers, each with its own level of scrutiny depth look at the threat model, secure boot, chain
in relation to potential supply chain attacks, it’s of trust, and the SW stack leading up to defense-in-
challenging to verify the integrity across all stages depth for embedded systems. It also examines the
of its lifecycle,” Jauregui explained. different security building blocks available in Intel
Architecture (IA) based IoT platforms and breaks
“This is why it is critical for companies to work down some the misconceptions of the Internet of
together on a validation and attestation solution Things,” she added.
for hardware and firmware that can be conducted
prior to integration into a larger system. If the “This book explores the challenges to secure these
industry as a whole comes together, we can create devices and provides suggestions to make them
more measures to help protect a product through more immune to different threats originating from
its entire lifecycle.” within and outside the network.”
The proliferation of Internet of Things devices “Learn by doing. And if you want someone to
and embedded systems and our reliance on lead you through it, go take a class! I recommend
them should make the security of these systems hardware security classes by Joe FitzPatrick
extremely important. and Joe Grand, as they are brilliant hardware
researchers and excellent teachers,” she concluded.
As they commonly rely on systems on chips
(SoCs) – integrated circuits that consolidate the
components of a computer or other electronic
system on a single microchip – securing these
devices is a different proposition than securing
“classic” computer systems, especially if they rely
on low-end SoCs.
The shared responsibility in security is closely Today, CISOs are also focused on protecting a highly
tied to how employees at all levels perceive the distributed workforce and customers - in offices,
importance of security. If this is ingrained within at home or a mix of both – and meeting the new
the culture, they will have the abilities and tools to security challenges and threats that come along
protect themselves. This is, of course, easier said with this hybrid environment. That’s why it’s more
than done. important than ever for other C-suite executives to
help promote and drive the organization’s security
Creating and maintaining a security culture is a culture, especially through communications, training
never-ending and constantly evolving mission and enforcement of best practices.
and influencing people’s behavior is often the
most challenging part of the effort. People have While CISOs continue to spearhead the
become numb to the security threats they face, development of the organization’s security program
and although they understand the potential risks, and define the security mission and culture, other
they don’t do anything about it. For example, C-suite executives can vocally support these
recent research revealed that 92 percent of UK programs to ensure their integrity throughout the
workers know that using the same password over whole process, from vision and development to
and over is risky, but 64 percent of the respondents implementation and ongoing enforcement.
do it anyway. So, how do we get through that
dissonance and get people engaged in security? The participation of the C-suite can also help
CISOs focus on the most important security issues
and adjust the program to ensure it is aligned
with broader business plans and strategies,
thereby helping to get broader support without
compromising security.
12 gerald beuchelt insecuremag.com | issue 67
One likely companion for this type of cross- Security-conscious C-suite executives will be
department alignment is the Chief Operating Officer able to step in to support the CISO’s mission that
(COO). As this role typically reports directly to the security needs to be a top priority.
CEO and is considered to be second in the chain
of command, the COO will be able to provide the Think security-first
authority needed to advocate for security and how
it can impact employees, customers, products and Having model behavior fed from the very top
ultimately the business. This means a good COO will help to underline an organization’s collective
today needs to encourage a business culture that commitment to cybersecurity. In doing so,
supports security efforts thoroughly, while also employees are empowered by a sense of shared
ensuring security is prioritized at a tactical level. responsibility around their role in keeping a
company’s corporate data secure.
The COO can better incorporate input from To this end, it’s crucial that the C-suite of modern
the board, which is vital to ensuring the CISO companies are trailblazers of security, particularly
understands the company’s risk tolerance which in the current landscape.
will directly impact innovation and revenue.
The techniques employed by cybercriminals are
becoming more and more sophisticated, and the
However, the COO is not the only one that needs to risk of data breaches and stolen information being
serve as a security advocate. All C-level executives offered for sale on the dark web has never been
have a critical role to play in establishing a strong higher.
security culture. Because of their connections to
different stakeholders, they will be able to share As the pandemic continues to influence
diverse insights. developments in information security, senior
leadership, middle management and junior
For example, the COO can better incorporate input staff members must all work together towards a
from the board, which is vital to ensuring the CISO collective aim of securing their workplace.
understands the company’s risk tolerance which
will directly impact innovation and revenue. Fostering a culture of security awareness is by
no means an easy feat, but the long-term gains
The Chief Financial Officer (CFO) could share outweigh any teething issues and will serve to
insights into the spending priorities and various make businesses watertight in the midst of a
obligations needed to protect financial systems growing threat landscape.
and the Chief Human Resources Manager (CHRM)
could get valuable data from employees. The CHRM
is instrumental when driving the development of
the security culture; their level of engagement often
determines the overall success of developing a
successful security-conscious culture.
13 tonimir kisasondi insecuremag.com | issue 67
Scanning targets can be added manually or New websites or assets for scanning can be added
through a discovery feature that will try to find directly or imported via a CSV or a TXT file. Sites can
them by matching the domain from your email, be organized in Groups, which helps with internal
websites, reverse IP lookups and other methods. organization or per project / per department
This is a useful feature if other methods of asset organization.
management are not used in your organization and
you can’t find your assets.
adding websites
for scanning
One feature we quite liked is the support for Scan policies can be customized and tuned in a
uploading the “sitemap” or specific request variety of ways, from the languages that are used in
information into Netsparker before scanning. This the application (ASP/ASP.NET, PHP, Ruby, Java, Perl,
feature can be used to import a Postman collection Python, Node.js and Other) , to database servers
or an OpenAPI file to facilitate scanning and improve (Microsoft SQL server, MySQL, Oracle, PostgreSQL,
detection capabilities for complex applications or Microsoft Access and Others), to the standard choice
APIs. Other formats such as CSV, JSON, WADL, WSDL of Windows or Linux based OSes. Scan optimizations
and others are also supported. should improve the detection capability of the tool,
shorten scanning times, and give us a glimpse where
For the red team, loading links and information the tool should perform best.
from Fiddler, Burp or ZAP session files is supported,
which is useful if you want to expand your automated
scanning toolbox. One limitation we encountered is Scan policies can be customized and tuned in a
the inability to point to an URL containing an OpenAPI variety of ways, from the languages that are used
definition – a capability that would be extremely in the application, to database servers, to the
useful for automated and scheduled scanning standard choice of Windows or Linux based OSes.
workflows for APIs that have Swagger web UIs.
17 tonimir kisasondi insecuremag.com | issue 67
integration options
18 tonimir kisasondi insecuremag.com | issue 67
One really well-implemented feature is the Netsparker has the support for classic form-based
support for logging into the testing application, login, but 2FA-based login flows that require TOTP or
as the inability to hold a session and scan from an HOTP are also supported. This is a great feature, as
authenticated context in the application can lead to you can add the OTP seed and define the period in
a bad scanning performance. Netsparker, and you are all set to scan OTP protected
logins. No more shimming and adding code to bypass
the 2FA method in order to scan the application.
authentication
methods
custom scripting
workflow for
authentication
If we had to nitpick, we might point out that it Certificate and OAuth2-based authentication is also
would be great if Netsparker also supported U2F / supported, which makes it easy to authenticate
FIDO2 implementations (by software emulating the to almost any enterprise application. The login /
CTAP1 / CTAP2 protocol), since that would cover the logout flow is also verified and supported through
most secure 2FA implementations. a custom dialog, where you can verify that the
supplied credentials work, and you can configure
In addition to form-based authentication, Basic how to retain the session.
NTLM/Kerberos, Header based (for JWTs), Client
login verification
helper
20 tonimir kisasondi insecuremag.com | issue 67
One interesting point for vulnerability detection On the negative side, no vulnerabilities in
is that Netsparker uses an engine that tries to WebSocket-based communications were
verify if the vulnerability is exploitable and will found, and neither was the API endpoint that
try to create a “proof” of vulnerability, which implemented insecure YAML deserialization with
reduces false positives. pyYAML. By reviewing the Netsparker knowledge
base, we also found that there is no support for
websockets and deserialization vulnerabilities.
In short, everything from DVWA was detected,
except broken client-side security, which by That’s certainly not a dealbreaker, but something
definition is almost impossible to detect with that needs to be taken into account. This also
security scanning if custom rules aren’t written. reinforces the need to use a SAST-based scanner
So, from a “classic” application point of view, the (even if just a free, open-source one) in the
coverage is excellent, even the out-of-date software application security scanning stack, to improve
versions were flagged correctly. Therefore, for test coverage in addition to other, manual based
normal, classic stateful applications, written in a security review processes.
relatively new language, it works great.
Reporting capability
From a modern JavaScript-heavy single page
application point of view, Netsparker correctly Multiple levels of detail (from extensive, executive
discovered the backend API interface from the user summary, to PCI-DSS level) are supported, both in
interface, and detected a decently complex SQL a PDF or HTML export option. One nice feature we
injection vulnerability, where it was not enough to found is the ability to create F5 and ModSecurity
trigger a ‘ or 1=1 type of vector but to adjust the rules for virtual patching. Also, scanned and
vector to properly escape the initial query. crawled URLs can be exported from the reporting
section, so it’s easy to review if your scanner hit any
Netsparker correctly detected a stored XSS specific endpoints.
vulnerability in the reviews section of the Juice
Shop product screen. The vulnerable application Instead of describing the reports, we decided to
section is a JavaScript-heavy frontend, with a export a few and attach them to this review for your
RESTful API in the backend that facilitates the enjoyment and assessment. All of them have been
vulnerability. Even the DOM-based XSS vulnerability submitted to VirusTotal for our more cautious readers.
was detected, although the specific vulnerable
endpoint was marked as the search API and not
the sink that is the entry point for DOM XSS. On
the positive side, the vulnerability was marked as
“Possible” and a manual security review would
find the vulnerable sink.
21 tonimir kisasondi insecuremag.com | issue 67
scan results
dashboard
Netsparker’s reporting capabilities satisfy our Taking into account the fact that this is an
requirements: the reports contain everything a automated scanner that relies on “black
security or AppSec engineer or a developer needs. boxing” a deployed application without any
instrumentalization on the deployed environment
Since Netsparker integrates with JIRA and other or source code scanning, we think it is very
ticketing systems, the general vulnerability accurate, though it could be improved (e.g., by
management workflow for most teams will be adding the capability of detecting deserialization
supported. For lone security teams, or where modern vulnerabilities). Following the review, Netsparker
workflows aren’t integrated, Netsparker also has an has confirmed that adding the capability of
internal issue tracking system that will let the user detecting deserialization vulnerabilities is included
track the status of each found issue and run rescans in the product development plans.
against specific findings to see if mitigations were
properly implemented. So even if you don’t have other Nevertheless, we can highly recommend
methods of triage or processes set up as part of a Netsparker.
SDLC, you can manage everything through Netsparker.
Verdict
Security
world
malicious attack and up to $871k for one involving This is another threat that is likely higher risk in the
credential theft. current environment. The coronavirus pandemic
has placed millions of people under financial
Unlike many other common attacks, insider attacks pressure, with many furloughed or facing job
are rarely a smash-and-grab. The longer a threat insecurity. What once seemed an unimaginable
goes undetected, the more damage it can do to decision, may now feel like a quick solution.
your organization. The better you understand your
people – their motivations, and their relationship Negligence
with your data and networks – the earlier you can
detect and contain potential threats. Negligence is the most common cause of insider
threats, costing organizations an average of $4.58
Insiders’ drivers million per year.
Insider threats can be loosely split into two Such a threat usually results from poor security
categories – negligent and malicious. Within those hygiene – a failure to properly log in/out of corporate
categories are a range of potential drivers. systems, writing down or reusing passwords, using
unauthorized devices or applications, and a failure
As the mechanics of an attack can differ to protect company data.
significantly depending on its motives, gaining a
thorough understanding of these drivers can be Negligent insiders are often repeat offenders
the difference between a potential threat and a who may skirt round security for greater speed,
successful breach. increased productivity or just convenience.
Financial gain is perhaps the most common driver A distracted employee could fall into the
for the malicious insider. Employees across all “negligent” category. However, it is worth
levels are aware that corporate data and sensitive highlighting separately as this type of threat can be
information has value. harder to spot.
To an employee with access to your data, allowing Where negligent employees may raise red flags
it to fall into the wrong hands can seem like by regularly ignoring security best practices, the
minimal risk for significant reward. distracted insider may be a model employee until
the moment they make a mistake.
Negligence is the most common cause of The risk of distraction is potentially higher right
insider threats, costing organizations an now, with most employees working remotely, many
average of $4.58 million per year. for the first time, often interchanging between work
and personal applications. Outside of the formal
office environment and distracted by home life,
they may have different work patterns, be more
relaxed and inclined to click on malicious links or
bypass formal security conventions.
33 adenike cosgrove insecuremag.com | issue 67
Some malicious insiders have no interest in personal Just as they affect method, motives also dictate
gain. Their sole driver is harming your organization. the appropriate response. An effective deterrent
against negligence is unlikely to deter a committed
The headlines are full of stories about the and sophisticated insider intent on causing harm to
devastating impact of data breaches. For anyone your organization.
wishing to damage an organization’s reputation or
revenues, there is no better way in the digital world That said, the foundation for any defense is
than by leaking sensitive customer data. comprehensive controls. You must have total
visibility of your networks – who is using them
and what data they are accessing. These controls
Just as they affect method, motives also should be leveraged to limit sensitive information
dictate the appropriate response. to only the most privileged users and to strictly
limit the transfer of data from company systems.
Insiders with this motivation will usually have a With this broad base in place, you can now
grievance against your business. They may have add further layers to counter specific threats.
been looked over for a pay rise or promotion, or To protect against disgruntled employees, for
recently subject to disciplinary action. example, additional protections could include
filters on company communications to flag high-
Espionage and sabotage risk vocabulary, and specific controls applied to
high-risk individuals, such as those who have been
Malicious insiders do not always work alone. In disciplined or are soon to be leaving the company.
some cases, they may be passing information to a
third-party such as a competitor or a nation-state. Finally, any successful defense against insider
threats should have your people at its heart.
Such cases tend to fall under espionage or
sabotage. This could mean a competitor recruiting You must create a strong security culture. This
a plant in your organization to syphon out means all users must be aware of how their behavior
intellectual property, R&D, or customer information can unintentionally put your organization at risk.
to gain an edge, or a nation-state looking for All must know how to spot early signs of potential
government secrets or classified information to threats, whatever the cause. And all must be aware
destabilize another. of the severe consequences of intentionally putting
your organization in harm’s way.
Cases like these are on the increase in recent years.
Hackers and plants from Russia, China, and North
Korea are regularly implicated in cases of corporate
and state-sponsored insider attacks against
Western organizations.
34 insecuremag.com | issue 67
35 max henderson insecuremag.com | issue 67
For better or worse, a lot of cybercrime sleuthing 1_Public sources and Good Samaritans
and forecasting tends to focus on various
underground sites and forums across the deep Sometimes the biggest risks and clues are hiding in
and dark web corners. Whenever a report cites plain sight, making it crucial not to overlook less-
passwords, contraband or fraud kits trafficked notorious places and people bringing important
in these underground dens, it makes elusive things to light. Today the forces of social media
fraudsters and extortion players sound tangible. and cloud sync-and-share everywhere mean
People instinctively want to infiltrate these spaces confidential slide decks, C-level cell phone
to see if their own company and data are up for numbers and sensitive databases can hit the public
sale. For time-strapped security professionals, web far too easily. A few configuration swipes on a
however, the underground’s rapidly multiplying smartphone can be all that stands between sharing
corridors are difficult to navigate and correlate at something with a work colleague or with anyone
36 max henderson insecuremag.com | issue 67
with a search engine. In Verizon’s latest Data Breach At the same time, layered product fatigue promotes
Investigations Report (DBIR), “misconfiguration” and reliance on security tools’ pre-configured alert
“misdelivery” errors jumped dramatically as breach categories and arbitrary contextualizing, subtly
factors, now second only to phishing and credential tipping time-strapped administrators to look
theft on the leader board. for reassuring “green light” indicators, before
darting to the next dashboard. “What”, exactly was
Fortunately, the security community is full of Good detected? Even if it was labeled “low” severity or
Samaritans reaching out when they see personal or nuisance activity, does that label change based
customer data in harm’s way. But are you making it on what else is being seen on the network? Driving
easy for them to find you and are you prepared to interoperability between tools often trades depth
act on these discoveries? Many companies do not of analysis for speed, burying clues in the process.
have clear, publicly-available contact information
and processes for handing security issues and Ransomware attacks are a great example: A
vulnerabilities, which hobbles good faith actors trying company typically calls in incident response once
to make secure, responsible contact – sometimes an attacker has detonated their ransomware
until it is too late. Get ahead of any gaps here by payload and taken infected machines hostage. Yet,
establishing dedicated, continuously monitored the scrambling of data and locking of screens often
channels for you to collect and vet inbound tips and happens only after a seasoned ransomware gang
concerns. has gained a foothold in networks for a while and
first spent time mapping the size and composition
2_Subtle notes in the 24x7 concert of deployed of devices to make sure they hijack every visible
security tools device and back-up mechanism.
number of privileged accounts changing? Who uses the highest associated risk (e.g., close proximity
the accounts? Do their logins and behavior match to “crown jewel” data or everyday applications
to their role, time zones and workday routines? All offering wide lateral movement if compromised).
things being equal, anomalies with privileged users Confirm norms and roles for these third-party
demand urgent attention. services and accounts, so logging and monitoring
tools can flag deviations immediately, which are
often crucial early signs that a third-party might be
Pinpointing the specific roads business employed in an attack.
partners have into your environment yields
invaluable awareness. In addition to serving as a practical early warning
outpost, monitoring of third parties yields
awareness and influence cybersecurity leaders
3_Intersections of third-party risk can use to force wider, strategic conversations in
business about risk tolerance and the criticality
The rise and dynamism of third-party developers, of these relationships. In addition to weighing the
resellers, smart building owners and other partners criticality versus risk aspects of these relationships,
dramatically affects security and compliance inside those watching the third-party touch points are
and outside a company’s walls. According to recent well positioned to advocate for security terms in
Deloitte enterprise risk management research, partner relationships, such as requiring partners to
“information security” and “cyber risk” topped meet thresholds like multi-factor authentication for
respondents’ lists of issues driving budget for accounts touching their customers.
greater third-party oversight.
Conclusion
A company may integrate third-party code in its
web site or business applications – meaning when Cybersecurity is a constant struggle of measure-
that code is compromised, intruders have an versus-countermeasure and the desire to peer
express lane into the network. Network and cloud into attackers’ next move is relentless. While
access granted to remote contractors could be exotic malware and infamous crime rings
compromised, giving criminals the camouflage of capture attention and deserve recognition, these
previously approved devices and usernames for threats must still discover and exploit the same
entry. vulnerabilities, business churn and network blind
spots others have to.
Pinpointing the specific roads business partners
have into your environment yields invaluable Taking stock of a few underutilized, high-yield data
awareness. Take stock of the partners your sources already in your environment is a powerful
organization relies on, concentrating on those with way to keep perspective and view all risks on the
same plane. This helps keep things in perspective
and frame effective decisions about where and
Taking stock of a few underutilized, high-yield how to prioritize finite resources and test incident
data sources already in your environment is response readiness.
a powerful way to keep perspective and view
all risks on the same plane.
38 lior yaari insecuremag.com | issue 67
The lifecycle of a
eureka moment in
cybersecurity
It takes more than a single eureka moment to attract with them. To do this well, I’ve had to develop an
investor backing, especially in a notoriously high- internal seismometer for industry pain points and
stakes and competitive industry like cybersecurity. potential competitors, play matchmaker between
tech geniuses and industry decision-makers, and peer
While every seed-stage investor has their respective down complex roadmaps to find the optimal point of
strategies for vetting raw ideas, my experience of convergence for good tech and good business.
the investment due diligence process involves a
veritable ringer of rapid-fire, back-to-back meetings Along the way, I’ve gained a unique perspective
with cybersecurity specialists and potential on the set of necessary qualities for a good idea
customers, as well as rigorous market scoping by to turn into a successful startup with significant
analysts and researchers. market traction.
Do I have a strong core value proposition? reduced margins. Moreover, it’s critical to factor in
the maintenance cost and “tech debt” of solutions
The cybersecurity industry is saturated with features that are environment-dependent on account of
passing themselves off as platforms. While the integrations with other tools or difficult deployments.
accumulated value of a solution’s features may be
high, its core value must resonate with customers I’ve come across many pitches that fail to do this,
above all else. More pitches than I wish to count and entrepreneurs who forget that such an omission
have left me scratching my head over a proposed can both limit their customer pool and eventually
solution’s ultimate purpose. Product pitches must incur tremendous costs for integrations that are
lead with and focus on the solution’s core value destined to lose value over time.
proposition, and this proposition must be able to
hold its own and sell itself. What is my product experience like for
customers?
It’s critical to factor in the maintenance cost and A solution’s viability and success lie in so much
“tech debt” of solutions that are environment- more than its outcome. Both investors and
dependent on account of integrations with customers require complete transparency over
other tools or difficult deployments. the ease-of use of a product in order for it to move
forward in the pipeline. Frictionless and resource-
light deployments are absolutely key and should
Consider a browser security plugin with extensive always mind the realities of inter-departmental
features that include XSS mitigation, malicious politics. Remember, the requirement of additional
website blocking, employee activity logging and hires for a company to use your product is a hidden
download inspections. This product proposition cost that will ultimately reduce your margins.
may be built on many nice-to-have features but,
without a strong core feature, it doesn’t add up to a Moreover, it can be very difficult for companies to
strong product that customers will be willing to buy. rope in the necessary stakeholders across their
Add-on features, should they need to be discussed, organization to help your solution succeed. Finally,
ought to be mentioned as secondary or additional requiring hard-to-come-by resources for a POC,
points of value. such as sensitive data, may set up your solution for
failure if customers are reluctant to relinquish the
necessary assets.
From the moment your idea raises funds, your
solution will be running against the clock What is my solution’s time-to-value?
to provide its promised value, successfully
interact with the market and adapt itself Successfully discussing a core value must
where necessary. eventually give way to achieving it. Satisfaction
with a solution will always ultimately boil down
to deliverables. From the moment your idea raises
What is my solution’s path to scalability? funds, your solution will be running against the
clock to provide its promised value, successfully
Solutions must be scalable in order to reach as many interact with the market and adapt itself where
customers as possible and avoid price hikes with necessary.
40 lior yaari insecuremag.com | issue 67
The ability to demonstrate strong initial performance Unless an idea breaks completely new ground
will draw in sought-after design partners and allow or looks to secure new tech, it’s likely to be an
you to begin selling earlier. Not only are these sales improvement to an already existing solution. In
necessary bolsters to your follow-on rounds, they order to succeed at this, however, it’s critical to
also pave the way for future upsells to customers. understand the failures and drawbacks of existing
It’s critical, where POCs are involved, that the beta solutions before embarking on building your own.
news about negligent secure practices that led have an established vulnerability management
to breaches in high-profile organizations, have program and have identified challenges in data
pushed organizations to take security practices management and collaboration between teams.
more seriously and to adopt a continuous
vulnerability management process, which moves ThreadFix enables organizations to:
security tests and controls into earlier stages of
the software development lifecycle and becomes a ❒ Consolidate test results by de-duplicating and
default prerequisite in the product requirements. merging imported results from more than 40
commercial and open source dynamic (DAST),
Security teams have a wide choice of vulnerability static (SAST), Software Composition Analysis (SCA)
assessment tools, from static code analyzers (SAST) tools, and interactive (IAST) application scanning
to dynamic ones (DAST). Most of these tools can be tools. ThreadFix can track manual findings and
used to complement each other and give a wider observations from code-reviews, threat modelling
view on the potential vulnerabilities found in the and penetration tests. Normalization and merging
tested applications and infrastructure. of test results between various types of tools is
done by a patented technology called Hybrid
How to prioritize and follow up on findings of Analysis Mapping. It also enables the correlation of
complementary vulnerability scanners? A lot found vulnerabilities at the network infrastructure
of data is generated during the vulnerability and application level.
assessment process and most of it should be ❒ Improve vulnerability management by
double-checked to pinpoint only meaningful integrating ThreadFix with various defect/bug
findings. Viewing a 100+ page PDF report or trackers (Jira, Azure DevOps Server, IBM Rational
tracking the remediation status in a spreadsheet ClearQuest, etc.) and developer tools. This
that takes an eternity to load can only result in removes the friction between software developers,
headaches. A manual vulnerability management system operations and security teams, and
process also prevents us from tracking defined helps decrease the time spent on coordinating
performance indicators and from achieving and fixing prioritized vulnerabilities. As software
efficient collaboration. development and system operations teams
resolve found deficiencies, ThreadFix detects
This is a review of ThreadFix 3.0, a vulnerability these changes, enabling the security team to
management platform that helps organizations perform follow-up testing to confirm that these
overcome these challenges and manage risky security holes have been closed.
applications and infrastructure efficiently and in ❒ Schedule orchestrated scans with remote
alignment with the agile development processes. scanners. After the scan is finished the report is
merged and becomes visible in ThreadFix.
ThreadFix vulnerability resolution platform ❒ Prioritize risk decisions. ThreadFix reporting
and analytics capabilities enable organizations
ThreadFix is a software vulnerability aggregation to quickly identify vulnerability trends and make
and management system that can schedule informed remediation decisions based on current
vulnerability scans, organize and merge aggregated vulnerability data. It gives visibility into how
vulnerability reports, and integrate with popular quickly the found vulnerabilities are resolved
security and software development tools. It and supports reporting functions that provide
addresses the problems of organizations that security managers with up-to-date metrics
43 toni grzinic insecuremag.com | issue 67
figure 2. using
infrastructure filters
can come handy when
prioritizing specific
remediation actions
By clicking on a host you can view vulnerabilities user friendly, and the vulnerability mappings
details and audit them (Figure 3), and you can filter work pretty well. Filters are well covered in
vulnerabilities by their severity and status (Open, every infrastructure page, and we can stack
Closed, Mitigated, Accepted risk, False Positive). vulnerabilities or inspect recurring ones.
This workflow for auditing infrastructure is very
figure 4. applications
portfolio
Applications can be connected with a Git repository, you need a re-scan or a manual check after fixing
which can be used for static code analysis. an issue in the application. ThreadFix also allows
you to define the penetration testing team that
The uploading and parsing of vulnerability scans can collaborate on findings within the chosen
reports went without a hiccup. You can request a application. After the pen test is done, you can see
service engagement, which comes handy when the results under Assessments (Figure 5).
figure 5. summary of
a manual penetration
test
ThreadFix offers unlimited search, filter and pivot vulnerabilities. Another interesting policy is the
options for application vulnerability reports. Pivot time-to-remediate policy. The concept is simple:
options allow you to narrow down interesting you define a desired fix deadline for a severity level
vulnerabilities but also hunt for potential false and ThreadFix sets a custom reminder that notifies
positives when comparing various tools (e.g., when your team about it.
you pivot by severity and scanner type). You can
search reports by vulnerabilities, scanner, tags, CVE, A nice feature that improves collaboration
paths affected, status, date range of scan, and more. between users is commenting and tagging
ThreadFix also offers to save and export complex vulnerabilities in the remediation process. You
filters, which can be handy when you get back to a can filter vulnerabilities that have a comment
specific application report after some time. and continue tracking their progress. This
feature can be used during penetration testing
Saved filters can be also used as a baseline for engagements when multiple people work on the
custom policies in ThreadFix. Policies are calls same application and record their progress but is
to action for your team, they usually compare also useful in the remediation phase (see Figure
the current remediation status against a desired 7). While commenting, you can attach various
baseline. Filter policy is a simple rule-based files to the comment to clarify the vulnerability.
filter that shows a Pass or Fail indicator in the Mature security teams that have established roles
application dashboard if the application meets and a vulnerability management procedure will
or fails to meet the defined requirements. For find tagging and commenting useful for pushing
example, filter policy defines that, to pass, an collaboration efforts while prioritizing next actions
application should have no critical or high and tracking current actions.
ThreadFix maintains a link to the issue created status of associated defects and updates that status
in the external defect tracking system, allowing in ThreadFix so that when development teams fix
security analysts to see developers’ progress in defects, security analysts can see their action and
solving the reported vulnerabilities (see Figure later check if the fix is working.
10). In addition, ThreadFix periodically checks the
51 toni grzinic insecuremag.com | issue 67
figure 10.
vulnerability contains
the issue status
that is monitored
regularly
On specific events, you can schedule remote tool that helps you to track and drive changes to
scanning and report found vulnerabilities back meet the compliance or certification requirements.
to the security team. Using the API you can also
administer and provision ThreadFix more easily. CISOs will find ThreadFix analytics options useful
because they enable identifying risk patterns in
Conclusion the scanned applications and infrastructure and a
better estimate of risk levels and activities related
to reducing risk. ThreadFix gives CISOs and other
After adopting ThreadFix, you will say managers a valuable perspective into their
goodbye to tracking scan results and software development lifecycle process and
managing vulnerabilities via spreadsheets. enables them to identify and measure segments
that can be improved.
ThreadFix is a helpful and mature tool for ThreadFix “humanizes” the security process with
vulnerability management. It bridges a lot of its collaboration features. Finding vulnerabilities
gaps between various teams, including those is only one piece of the puzzle: remediation
between the security and application developer efforts are always the hardest and the most time-
team(s). Application management enables users to consuming piece. ThreadFix is not only used as a
merge and manage vulnerabilities and track their vulnerability unification and analytics platform but
remediation actions. also as a collaboration platform where different
teams and perspectives meet and engage in
After adopting ThreadFix, you will say goodbye solving organizations deficiencies faster and better
to tracking scan results and managing than before.
vulnerabilities via spreadsheets. ThreadFix
supports industry standard vulnerability scanners
with vulnerability merging technology that works
well. In addition to that, most vulnerability
scanners can be directly orchestrated through
ThreadFix, and it also allows you to automate a lot
of workflows with the API functionalities. ThreadFix
enables you to drill down in every vulnerable
aspect of your application without losing sight
of the big picture that is delivered by the useful
analytic charts and trendlines.
“In the past, the only way to aggregate and share “The security of the system comes from the
information about cyber attacks was through requirement that the keys from all the participants
a trusted third party,” explained the students, are needed in order to unlock any of the data.
economists, cryptography and internet policy Participants guarantee their own security by
experts who worked on this project under the agreeing to unlock only the result using their
auspices of MIT’s Computer Science and Artificial privately held key.”
Intelligence Lab (CSAIL).
The cost of cybersecurity failures
But that third party could be breached, the data
stolen and disclosed. The data could also be The researchers recruited seven large companies
accidentally disclosed. For these reasons, companies that had a high level of security sophistication and
often refused to participate in such schemes and a CISO to test out the platform, i.e., to contribute
share information about their losses. encrypted information about their network defenses
and a list of all monetary losses from cyber attacks
SCRAM (Secure Cyber Risk Aggregation and and their associated defensive failures over a two-
Measurement) has, according to its creators, solved year period.
that longstanding cyber-security problem.
average percent
adoption by security
control
55 zeljka zorz insecuremag.com | issue 67
“Firms of this size would have the technological Plans for the future
expertise and resources to nominate people on
their team to work with us to design the appropriate “These results provide a compelling proof-of-
questions and to perform the internal data concept for how cyber intrusion data can be
collection,” the scientists explained the rationale shared. Our next step will be to increase the
behind their decision to focus on larger companies. number of incidents in future rounds to produce
more robust estimates, more complex analyses,
SCRAM returned information about adopted and more generalizable results,” the scientists
defenses and pointed out which security failures noted.
cost companies the most money:
“With a larger data sample, we will also be able
❒ Failure to prevent malware (and especially to explore loss distribution approaches that cover
ransomware) attacks by relying mostly on anti- both the frequency and severity of losses. A larger
malware software, regular backups and reminding sample size will also reduce the chance of outliers
employees not to click on suspicious emails or single incidents leaking the magnitude of an
❒ Despite all of the companies saying that they individual event.”
blocked access to unauthorized ports, attacks
involving attackers accessing and communicating In the meantime, though, they’ve been able to
over these ports brought about high losses, demonstrate to companies that sensitive cyber
meaning those defenses weren’t air-tight or were attack data can be shared and used without being
being neglected actually being disclosed.
❒ Failure to perform inventory and control of
hardware assets “What this effectively means is that new
❒ Failure to perform effective log management and cryptographic platforms such as SCRAM can gain
implement ML/AI-powered automated analysis access to previously ‘untouchable’ data that can
to identify security incidents as they happen (or then be used to inform market participants and
even to predict and prevent them) meet important challenges,” they added.
Industry
news
The Fox Shield suite is designed to help platforms AutoSec arrives at a critical time for the industry:
detect, respond, and recover from cyber attacks in modern vehicle architecture is more vulnerable
real time. The system’s cyber resilience capabilities than ever before. OEMs and Tier 1s are grappling
can be integrated into ground, air, and space with the new ISO/ SAE 21434 standard as well
vehicles to protect our warfighters and platforms as UNECE WP.29 regulation and cybersecurity
from cyber attacks designed to access and degrade teams are struggling to coordinate and effectively
mission capabilities. communicate responsibility.
“Cyber protection was not necessarily a mission- This cybersecurity hub is the first of its kind and
critical capability when some of these platforms gives users unparalleled transparency into the
were first developed. That’s why we designed the Fox entire cybersecurity lifecycle, enabling streamlined
Shield cyber resilience system to be easily integrated management of each phase–risk assessment,
into new and legacy platforms,” said Michael Weber, planning, policy creation and enforcement–with
technical manager for FAST Labs’ Cyber Technology just a few clicks.
group at BAE Systems.
Raytheon Intelligence & Space provides development, testing and security via its advanced
a virtualized environment to evaluate analysis features.
and reduce cyber threats
“The complexity of cyber threats that organizations
DejaVM enables system-level cyber testing without face continues to escalate, demanding more
requiring access to the limited number of highly sophisticated solutions to evaluate and reduce
specialized physical hardware assets. The tool threats to those missions,” said John DeSimone,
creates an emulation environment that virtualizes vice president of Cybersecurity, Training and
complex systems to support automated cyber Services at RI&S. “This robust virtual environment
testing. DejaVM focuses on improving software helps our customers do exactly that.”
57 industry news insecuremag.com | issue 67
Cyborg Security’s HUNTR platform has been Equipped with cloud-based APIs, Sigma systems
developed by a world class team of threat hunting bring issuance to the cloud without additional
experts to deliver advanced threat hunting and hardware — enabling instant printing for both
detection content, empowering organizations to move physical IDs, badges and payment cards.
beyond reactive security, to proactive threat hunting.
Sigma systems are trusted IoT devices that help
The platform provides advanced and contextualized ensure organizations and their data are safe with
threat hunting and detection packages containing an intelligent network and building connectivity
behaviorally based threat hunting content, threat for ultimate enterprise protection.
emulation, and detailed runbooks, supplying
organizations what they need to evolve their security
analysts into skilled hunters.
The digital identity is also matched to the recent By unifying the security lifecycle into a single
behavior of the device and the known behavior of solution, SnapAttack enables red and blue
the account. teams to work together, emulating attacks
from intelligence data, sharing insights of
malicious behavior, and developing vendor-
agnostic behavioral detection analytics to stop
advanced adversaries.
Masergy extends the value of Masergy dual-link redundancy, load balancing, and
SD-WAN Secure to home and mobile users dynamic traffic steering capabilities.
Masergy announced SD-WAN Work From Businesses of all sizes use Masergy’s SD-WAN to
Anywhere solutions. The new offerings extend provide secure and reliable cloud application
the value of Masergy’s Managed SD-WAN Secure performance to office employees, and now their
solutions to the remote workforce, supporting users at home or on the go have access to the
their network connections with built-in security, same level of security and performance.
60 industry news insecuremag.com | issue 67
Splunk helps security teams modernize Led by new, cloud-centric updates to Splunk
and unify their security operations in Enterprise Security, Splunk Mission Control and
the cloud the newly announced Splunk Mission Control Plug-
In Framework, Splunk’s security operations suite
Splunk announced a series of new product enables Splunk customers to secure their cloud
innovations designed to help security teams journey and solve their toughest cloud security
around the world modernize and unify their challenges with data.
security operations in the cloud.
61 industry news insecuremag.com | issue 67
Checkmarx provides
automated security scans
within GitHub repositories
Checkmarx announced a
new GitHub Action to bring
comprehensive, automated static
and open source security testing
to developers. Checkmarx’s
new GitHub Action integrates
the company’s application
security testing (AST) solutions
– Checkmarx SAST (CxSAST)
and Checkmarx SCA (CxSCA)
– directly with GitHub code
scanning, giving developers more
flexibility and power to work with
their preferred tools of choice
to secure proprietary and open
Shujinko AuditX: source code.
Sitting in the midst of an unstable economy, a internally designed tools, create security challenges
continued public health emergency, and facing for organizations of all sizes.
an uptick in successful cyber attacks, CISOs find
themselves needing to enhance their cybersecurity The first step to determining the “quick wins”
posture while remaining within increasingly for 2021 lies in reviewing the current IT stack for
scrutinized budgets. areas that have become too costly to support.
For example, as workforce members moved off-
Senior leadership recognizes the value of premises during the current public health crisis,
cybersecurity but understanding how to best many organizations found that their technology
allocate financial resources poses an issue for debt made this shift difficult. With workers no
IT professionals and executive teams. As part longer accessing resources from inside the
of justifying a 2021 cybersecurity budget, CISOs organization’s network, organizations with rigid
need to focus on quick wins, cost-effective SaaS technology stacks struggled to pivot their work
solutions, and effective ROI predictions. models.
Finding the “quick wins” for your Going forward, remote work appears to be one way
2021 cybersecurity budget through the current health and economic crises.
Even major technology leaders who traditionally
Cybersecurity, particularly with organizations relied on in-person workforces have moved to
suffering from technology debt, can be time- remote models through mid-2021, with Salesforce
consuming. Legacy technologies, including the most recent to announce this decision.
64 karen walsh insecuremag.com | issue 67
Looking for gaps in security, therefore, should be the cybersecurity budget plan needs to include the fast
first step in any budget analysis. As part of this gap wins that SaaS-delivered solutions provide.
analysis, CISOs can look in the following areas:
SaaS security solutions offer two distinct budget
❒ VPN and data encryption wins for CISOs. First, they offer rapid integration into
❒ Data and user access the organization’s IT stack. In some cases, CISOs
❒ Cloud infrastructure security can get a SaaS tool deployed within a few weeks, in
other cases within a few months. Deployment time
Each of these areas can provide quick wins if done depends on the complexity of the problem being
correctly because as organizations accelerate their solved, the type of integrations necessary, and the
digital transformation strategies to match these new enterprise’s size. However, in the same way that
workplace situations, they can now leverage cloud- agile organizations leverage cloud-based business
native security solutions. applications, security teams can leverage rapid
deployment of cloud-based security solutions.
Adopting SaaS security solutions for
accelerating security and year-over-year value The second value that SaaS security solutions
offer is YoY savings. Subscription models offer
The SaaS-delivered security solution market budget conscious organizations several distinct
exploded over the last five to ten years. As value propositions. First, the organization can
organizations moved their mission-critical business reduce hardware maintenance costs, including
operations to the cloud, cybercriminals focused their operational costs, upgrade costs, software costs, and
activities on these resources. servicing costs. Second, SaaS solutions often enable
companies to focus on their highest risk assets
and then increase their usage in the future. Third,
SaaS security solutions offer two distinct budget they allow organizations to pivot more effectively
wins for CISOs. because the reduced up-front capital outlay reduces
the commitment to the project.
Interestingly, a CNBC article from July 14, 2020 Applying a dollar value to these during the budget
noted that for the first half of 2020, the number justification process might feel difficult, but the right
of reported data breaches dropped by 33%. key performance indicators (KPIs) can help establish
Meanwhile, another CNBC article from July 29, baseline cost savings estimates.
2020 notes that during the first quarter, large scale
data breaches increased by 273% compared to Choosing the KPIs for effective ROI predictions
the same time period in 2019. Although the data
appears conflicting, the Identity Theft Research During an economic downturn, justifying the
Center research that informed the July 14th article cybersecurity budget requests might be increasingly
specifically notes, “This is not expected to be a difficult. Most cybersecurity ROI predictions rely
long-term trend as threat actors are likely to return on risk evaluations and applying probability of a
to more traditional attack patterns to replace and data breach to projected cost of a data breach.
update identity information needed to commit As organizations look to reduce costs to maintain
future identity and financial crimes.” In short, financially viable, a “what if” approach may not be as
rapidly closing security gaps as part of a 2021 appealing.
65 karen walsh insecuremag.com | issue 67
Although CISOs may not want to reduce their As organizations start looking toward their 2021
number of team members, they may not want to roadmap, CISOs will increasingly need to be specific
add additional ones, or they may be seeking to about not only the costs associated with purchases
optimize the team they have. but also the cost savings that those purchases
provide from both data incident risk and operational
cost perspective.
Bringing this data together shows the value of SaaS-
based solutions that reduce the number of false
positives:
66 interview: shailesh athalye insecuremag.com | issue 67
network were utterly ineffective in protecting these 2_Assesses vulnerabilities, malware and security
remote endpoints, due to the sheer volume of configurations on remote hosts such as Microsoft
remote hosts connecting over VPNs. What would Office, the Google Suite of products, VPN software
happen when those remote computers needed and conferencing solutions such as Zoom or
to be updated? It would be impractical to deliver Webex.
thousands of security updates, malware updates
via the VPN, over limited bandwidth. 3_Detects malicious files and processes often
missed because a company’s anti-virus tools are
Architecturally superior cloud security solutions only pushed to remote computers connected to the
like Qualys are well positioned to address the VPN.
need for protecting remote computers as we could
connect directly to the cloud over the internet 4_Prioritizes patches by correlating them with
without the need to route a large volume of traffic vulnerabilities as well as applying patches directly
through the VPN gateways. from the solution vendor’s content delivery
networks via the internet, without putting pressure
We’re pleased with the reception the offer has on the VPN and available bandwidth due to the size
garnered, and we have had more than 700 of the patches.
companies registering for the offer. And we didn’t
stop there – as we realized we could give customers Not only does Qualys address remote endpoint
additional protections by adding the ability to issues, but we do so with one solution providing a
detect malware – and that is the piece that we’ve continuous and integrated view of remote endpoint
recently announced. inventory, critical vulnerabilities, misconfigurations
and now malware to speed remediation while
Powered by the Qualys Platform and Cloud Agent, enabling remote patching. This functionality is
malware detection uses file reputation and threat seamlessly integrated into one solution.
classification to detect known malicious files on
endpoints, servers, and cloud workloads. As a
result, security practitioners can respond more The Qualys Remote Endpoint Protection
quickly to malware on employees’ systems. service is extremely easy to enable for
customers who already have deployed the
_ What makes Qualys Remote Endpoint lightweight Qualys Cloud Agents.
Protection unique?
In general, cloud-based security services have an This approach is a first in the industry as previously
advantage as they connect directly to the cloud over companies would cobble together a solution for
the internet without routing a large volume of traffic detecting vulnerabilities, one for patching and
through the VPN gateways for assessing vulnerabilities another for malware detection. While it did the job,
and for applying patches. What’s unique about the it was complicated, clunky and the data was not
Remote Endpoint Protection Offering is that it: consolidated for a true picture of the risk.
_ What does the process of integrating Qualys _ How can security teams leverage the features of
Remote Endpoint Protection into an existing Qualys Remote Endpoint Protection?
security architecture look like?
The Qualys Remote Endpoint Protection service is
Remote Endpoint Protection is easily enabled through extremely easy to enable for customers who already
the Qualys Cloud Platform and Cloud Agent. And like have deployed the lightweight Qualys Cloud Agents.
all Qualys Apps, it is self-updating, centrally managed Once the customer signs up for the service, their existing
and tightly integrated with other apps in the platform. subscription will have workflows and capabilities
The Cloud Agent continuously communicates and enabled for remote endpoint security assessment and
syncs-up collected data with the Qualys platform patching. The free, updated, Qualys Remote Endpoint
including pushing the latest vulnerability signatures Protection offer allows security teams to leverage the
and vendor patches. All of which, it does without the lightweight Qualys Cloud Agent to:
need for a VPN and or internal network bandwidth.
❒ Identify and inventory all remote endpoints
Qualys applications cover a broad swath of including hardware and the applications they are
functionality in areas such as IT asset management, running in real time
IT security, web app security and compliance ❒ Ensure remote systems are secure with a real-time
monitoring. All apps are based on the same platform, view of all critical vulnerabilities, malware and
share a common UI, feed off of the same scanners misconfigurations impacting the OS and applications
and agents, access the same collected data, and ❒ Decrease remediation response time by
leverage the same user permissions. This lowers the automatically correlating required patches with
complexity of usage while maintaining a high level of identified vulnerabilities, and prioritizing detected
access control throughout the organization. malware
❒ Deliver patches and respond to malware from the
cloud within hours with one click, and all without
using the limited bandwidth available on VPN
gateways
inventory of
collaboration tools
across remote
endpoints
69 interview: shailesh athalye insecuremag.com | issue 67
collaborationtools
asset tag
vulnerability
management
70 interview: shailesh athalye insecuremag.com | issue 67
security hygiene
Qualys Malware Detection, integrated with the known malicious files on remote endpoints. As a
Remote Endpoint Protection offering and powered result, organizations can respond more quickly to
by the Qualys Platform and Cloud Agent, uses malware ultimately increasing their overall security
file reputation and threat classification to detect posture.
71 interview: shailesh athalye insecuremag.com | issue 67
detection
In summary, with recent remote endpoint surge, The patches are delivered securely and directly
attack surface of the organizations has expanded from vendors’ websites and content delivery
beyond just “crown jewels”, as weak remote hosts networks to ensure there is little to no impact
can compromise the security of the organizations on internet connectivity or the bandwidth of the
and could result in a data breach. organization.
Qualys Remote Endpoint Protection allows security The Malware Detection capability integrated in
teams to gain instant and continuous visibility remote endpoint protection detects malware
of remote hosts in terms of their vulnerabilities, missed by anti-virus and classifies malware into
correlated patches, malware, security hygiene threat categories and malware families to prioritize
issues. Security teams will be able to prioritize incident response.
missing patches for critical vulnerabilities and
deploy them directly from the cloud.
72 interview: christopher gates insecuremag.com | issue 67
“For someone like myself who has been focused Also, there is a large, hundreds-of-millions-of-dollars
on cybersecurity at MDMs for over 12 years, this industry of companies who “re-enable” consumed
is excellent progress as it will force MDMs to take medical disposables. This usually requires some
security seriously or be pushed out of the market fairly sophisticated reverse-engineering to return the
by competitors who do take it seriously. Positive device to its factory default condition.
pressure from MDMs is driving cybersecurity forward
more than any other activity,” he told (IN)SECURE Lastly, the medical device industry, when grouped
Magazine. together with the healthcare delivery organizations,
constitutes part of critical national infrastructure.
Gates is a principal security architect at Velentium Other industries in that class (such as nuclear
and one of the authors of the recently released power plants) have experienced very directed and
Medical Device Cybersecurity for Engineers and sophisticated attacks targeting safety backups
Manufacturers, a comprehensive guide to medical in their facilities. These attacks seem to be initial
device secure lifecycle management, aimed at testing of a cyber weapon that may be used later.
engineers, managers, and regulatory specialists.
While these are clearly nation-state level attacks,
In this interview, he shares his knowledge regarding you have to wonder if these same actors have been
the cybersecurity mistakes most often made by exploring medical devices as a way to inhibit our
manufacturers, on who is targeting medical devices medical response in an emergency. I’m speculating:
(and why), his view on medical device cybersecurity we have no evidence that this has happened. But
standards and initiatives, and more. then again, if it has happened there likely wouldn’t
be any evidence, as we haven’t been designing
[Answers have been edited for clarity.] medical devices and infrastructure with the ability
to detect potential cybersecurity events until very
_ Are attackers targeting medical devices with a recently.
purpose other than to use them as a way into a
healthcare organization’s network? _ What are the most often exploited vulnerabilities
in medical devices?
The easy answer to this is “yes,” since many MDMs
in the medical device industry perform “competitive It won’t come as a surprise to anyone in security
analysis” on their competitors’ products. It is much when I say “the easiest vulnerabilities to exploit.” An
easier and cheaper for them to have a security attacker is going to start with the obvious ones, and
researcher spend a few hours extracting an then increasingly get more sophisticated. Mistakes
algorithm from a device for analysis than to spend made by developers include:
months or even years of R&D work to pioneer a new
algorithm from scratch. Unsecured firmware updating
(e.g., one impacting every device in the world). All or end-user expects it to be. No communications
firmware update methods have at least three very medium is inherently secure; it’s what you do at the
common potential design vulnerabilities. They are: application level that makes it secure.
❒ Exposure of the binary executable (i.e., it isn’t Bluetooth Low Energy (BLE) is an excellent example
encrypted) of this. Immediately following a pairing (or re-
❒ Corrupting the binary executable with added code pairing), a device should always, always perform
(i.e., there isn’t an integrity check) a challenge-response process (which utilizes
❒ A rollback attack which downgrades the version cryptographic primitives) to confirm it has paired
of firmware to a version with known exploitable with the correct device.
vulnerabilities (there isn’t metadata conveying the
version information). I remember attending an on-stage presentation of
a new class II medical device with a BLE interface.
Overlooking physical attacks From the audience, I immediately started to explore
the device with my smartphone. This device had
Physical attack can be mounted: no authentication (or authorization), so I was able
to perform all operations exposed on the BLE
❒ Through an unsecured JTAG/SWD debugging port connection. I was engrossed in this interface when
❒ Via side-channel (power monitoring, timing, etc.) I suddenly realized there was some commotion
exploits to expose the values of cryptographic keys on stage as they couldn’t get their demonstration
❒ By sniffing internal busses, such as SPI and I2C to work: I had accidentally taken over the only
❒ Exploiting flash memory external to the connection the device supported. (I then quickly
microcontroller (a $20 cable can get it to dump all terminated the connection to let them continue with
of its contents) the presentation.)
of MDMs need to understand and accept is that devices in the field, up through and after end-of-
their developers have probably never been trained life
in cybersecurity. Most developers have limited ❒ Create and maintain Software Bills of Materials
knowledge of how to incorporate cybersecurity into (SBOMs) for all products, including legacy
the development lifecycle, where to invest time products. Doing this work now will help them stay
and effort into securing a device, what artifacts ahead of regulation and save them money in the
are needed for premarket submission, and how long run.
to proper utilize cryptography. Without knowing
the details, many managers assume that security
is being adequately included somewhere in their Until very recently, cybersecurity was not
company’s development lifecycle; most are wrong. part of traditional engineering or software
development curriculum. Most developers
To produce secure products, MDMs must follow a need additional training in cybersecurity.
secure “total product life cycle,” which starts on the
first day of development and ends years after the
product’s end of life or end of support. They must avoid mistakes like:
_ What about the developers? Any advice on skills _ What cybersecurity legislation/regulation
they should acquire or brush up on? must companies manufacturing medical devices
abide by?
First, I’d like to take some pressure off developers
by saying that it’s unreasonable to expect that they It depends on the markets you intend to sell
have some intrinsic knowledge of how to implement into. While the US has had the Food and Drug
cybersecurity in a product. Until very recently, Administration (FDA) refining its medical device
cybersecurity was not part of traditional engineering cybersecurity position since 2005, others are more
or software development curriculum. Most recent entrants into this type of regulation, including
developers need additional training in cybersecurity. Japan, China, Germany, Singapore, South Korea,
Australia, Canada, France, Saudi Arabia, and the
And it’s not only the developers. More than likely, greater EU.
project management has done them a huge
disservice by creating a system-level security While all of these regulations have the same goal
requirement that says something like, “Prevent of securing medical devices, how they get there is
ransomware attacks.” What is the development team anything but harmonized among them. Even the
supposed to do with that requirement? How is it level of abstraction varies, with some focused on
actionable? processes while others on technical activities.
_ What are some good standards for mandate from Congress to enforce security in
manufacturers to follow if they want to get medical devices.
cybersecurity right?
Also, many working groups of highly talented
The Association for the Advancement of Medical people are working on ways to improve the security
Instrumentation’s standards are excellent. posture of devices, such as the NTIA SBOM effort to
I recommend AAMI TIR57: 2016 and AAMI TIR97: 2019. improve the transparency of software “ingredients”
in a medical device, allowing end-users to quickly
Also very good is the Healthcare & Public Health assess their risk level when new vulnerabilities are
Sector Coordinating Council’s (HPH SCC) Joint discovered.
Security Plan. And, to a lesser extent, the NIST Cyber
Security Framework. Semiconductor manufacturers continue to give
us great mitigation tools in hardware, such as side-
The work being done at the US Department of channel protections, cryptographic accelerators,
Commerce / NTIA on SBOM definition for vulnerability virtualized security cores. Trustzone is a great
management and postmarket surveillance is very example.
good as well, and worth following.
And at the application level, we’ll continue to
_ What initiatives exist to promote medical device see more and better packaged tools, such as
cybersecurity? cryptographic libraries and processes, to help
developers avoid cryptography mistakes. Also, we’ll
Notable initiatives I’m familiar with include, first, the see more and better process tools to automate the
aforementioned NTIA work on SBOMs, now in its application of security controls to a design.
second year. There are also several excellent working HDOs and other medical device purchasers are
groups at HSCC, including the Legacy Medical better informed than ever before about embedded
Device group and the Security Contract Language cybersecurity features and best practices. That
for Healthcare Delivery Organizations group. I’d also trend will continue and will further accelerate
point to numerous working groups in the H-ISAC demand for better-secured products.
Information Sharing and Analysis Organization
(ISAO), including the Securing the Medical Device I hope to see some effort at harmonization between
Lifecycle group. all the federal, state, and foreign regulations that
have been recently released with those currently
And I have to include the FDA itself here, which is under consideration.
in the process of revising its 2018 premarket draft
guidance; we hope to see the results of that effort in One thing is certain: legacy medical devices that
early 2021. can’t be secured will only go away when we can
replace them with new medical devices that are
_ What changes do you expect to see in the secure by design. Bringing new devices to market
medical devices cybersecurity field in the next 3-5 takes a long time. There’s lots of great innovation
years? underway, but really, we’re just getting started!
contested by Russia and China, so it is not global “First, they send a clear signal to China and the
and only applies to the signatories. world on where the United States stands in terms
of how governmental resources in cyberspace
should be used by responsible state actors. That is,
States are left to their own devices when it in order to maintain fair and free trade in a global
comes to devising a cyber deterrence strategy. competitive environment, a nation’s intelligence
services should not be engaged in stealing
corporate secrets and then handing those secrets
Dr. Yannakogeorgos, who’s a professor and faculty over to companies for their competitive advantage
lead for a graduate degree program in Global in global trade,” he explained.
Security, Conflict, and Cybercrime at the NYU
School of Professional Studies Center for Global “Second, making clear attribution statements helps
Affairs, believes this treaty could be both a good build a framework within which the United States
model text on which nations around the world can can work with our partners and allies on countering
harmonize their own domestic criminal codes, as threats. This includes joint declarations with allies
well as the means to begin the lengthy diplomatic or multilateral declarations where the sources of
negotiations with Russia and China to develop an threats and the technical nature of the infrastructure
international criminal law for cyber. used in cyber espionage are declared.”
The problem of attack attribution and various researchers proposed the creation of
an independent, global organization that would
The issue of how cyber attack attribution should be investigate and publicly attribute major cyber
handled and confirmed also deserves to be addressed. attacks – though they admitted that, in some cases,
decisive attribution may be impossible.
Dr. Yannakogeorgos says that, while attribution
of cyber attacks is definitely not as clear-cut as More recently, Kristen Eichensehr, a Professor
seeing smoke coming out of a gun in the real world, of Law at the University of Virginia School of
with the robust law enforcement, public private Law with expertise in cybersecurity issues and
partnerships, cyber threat intelligence firms, and cyber law, argued that “states should establish
information sharing via ISACs, the US has come an international law requirement that public
a long way in terms of not only figuring out who attributions must include sufficient evidence to
conducted criminal activity in cyberspace, but enable crosschecking or corroboration of the
arresting global networks of cyber criminals as well. accusations” – and not just by allies.
Granted, things get trickier when these actors are “In the realm of nation-state use of cyber, there
working for or on behalf of a nation-state. have been dialogues within the United Nations for
“If these activities are part of a covert operation, nearly two decades. The most recent manifestation
is the UN Group of Governmental Experts that have
discussed norms of responsible state behavior
In the realm of nation-state use of cyber, and issued non-binding statements to guide
there have been dialogues within the United nations as they develop cyber capabilities,” Dr.
Nations for nearly two decades. Yannakogeorgos pointed out.
“However, at least within the United States, we’ve And while articulating and agreeing to specific norms
developed a very robust analytic framework for will no doubt be a difficult task, he says that their
attribution that can eliminate reasonable doubt implementation by signatories will be even harder.
amongst friends and allies and can send a clear signal
to planners on the opposing side. Such analytic “It’s one thing to say that ‘states will not target each
frameworks could become norms themselves to help other’s critical infrastructure in cyberspace during
raise the evidentiary standard for attribution of cyber peacetime’ and another to not have a public reaction
activities to specific nation states.” to states that are alleged to have not only targeted
critical infrastructure but actually caused digital
A few years ago, Paul Nicholas (at the time the damage as a result of that targeting,” he concluded.
director of Microsoft’s Global Security Strategy)
82 insecuremag.com | issue 67
83 apu pavithran insecuremag.com | issue 67
As more businesses are forced to operate at a approved apps, and accessing sensitive data.
distance, hackers are taking advantage of weak
links in their networks. At the same time, the crisis Another bonus is that DaaS can offer analytical
has meant many enterprises have had to cut their insights about hardware, such as device location
budgets, and so risk compromising cybersecurity and condition. With this information, enterprises
when opting for more cost-effective measures. can be alerted if tech is stolen, missing or
outdated and a threat to overall cybersecurity.
Not to mention, a smart way to boost the level of
For many enterprises, DaaS is attractive protection given by DaaS models is to integrate it
because it allows them to acquire technology with Unified Endpoint Management (UEM). UEM
without having to outright buy, set up, and helps businesses organize and control internet-
manage it enabled devices from a single interface and uses
mobile threat detection to identify and thwart
vulnerabilities or attacks among devices.
Currently, Device-as-Service (DaaS), Bring-Your-Own-
Device (BYOD) and leasing/buying are some of the Nonetheless, to effectively utilize DaaS, enterprises
most popular hardware options. To determine which have to determine their own relevant security
is most appropriate for your business cybersecurity principles before adopting the model. They
needs, here are the pros and cons of each: then need to have an in-depth understanding
of how these principles are applied throughout
Device-as-a-Service (DaaS) DaaS services and how the level of assurance
enacts them. Assuming that DaaS completely
DaaS models are when an organization distributes removes enterprises from being involved in device
hardware like computers, tablets, and phones to cybersecurity would be unwise.
employees with preconfigured and customized
services and software. For many enterprises, DaaS
is attractive because it allows them to acquire Although BYOD is favorable among
technology without having to outright buy, set up, employees – who can use devices that
and manage it – therefore saving time and money in they are more familiar with – enterprises
the long run. Because of DaaS’ growing popularity, essentially lose control and visibility of how
65 percent of major PC manufacturers now offer data is transmitted, stored, and processed.
DaaS capabilities, including Apple and HP.
That said, buying hardware has a noticeable end of contracts or when disposing of them, so
downside where equipment becomes obsolete enterprises don’t have to be concerned about
once new versions are released. 73 percent of unauthorized access.
senior leaders from enterprises actually agree
that an abundance of outdated equipment leaves Putting cybersecurity front-and-center
companies vulnerable to data security breaches.
Considering that, on average, a product cycle takes DaaS, BYOD, and leasing/buying all have their own
only 12 to 24 months, and there are thousands unique benefits when it comes to cybersecurity.
of hardware manufacturers at work, devices can Despite all the perks, it has to be acknowledged
swiftly become outdated. that BYOD and leasing pose the biggest obstacles
for enterprises because they take cybersecurity
monitoring and control out of companies’ hands.
Despite all the perks, it has to be
acknowledged that BYOD and leasing pose Nevertheless, for all the options mentioned, UEM
the biggest obstacles for enterprises because is a valuable way to bridge gaps and empower
they take cybersecurity monitoring and businesses to be in control of cybersecurity, while
control out of companies’ hands. still being agile.