Processing performance for foreign asset data has been improved.
A bug that could prevent the generation of some asset attribute reports has been resolved.
Fingerprint updates, including AIX OS and vCenter, Avaya, and Proofpoint appliances.
About Version 2 Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
Email is one of the most valuable IT systems: it is where organizations share their plans, sensitive documents, chats, and even passwords.
UnderDefense, in cooperation with the Computer Emergency Response Team of Ukraine (CERT-UA), participated in a series of Incident Response cases in H1’2022 and noticed that Russian hackers and ransomware groups shifted their focus to breaking into email systems (primarily Exchange and Zimbra).
In this specific case, CrowdStrike EDR was in place and spotted the initial foothold but missed other critical backdoors and TTPs, which were later disarmed by the UnderDefense 24×7 MDR/SOC Team, and the attacker was eventually kicked out of the network.
What You Will Learn
Risks for the email system as a document exchange and an integral part of the business workflow
Data theft via business email compromise in a targeted attack scenario
Recent technical vulnerabilities and risks
What data APT groups are hunting for in their targeted attacks
Arsenal used in this case
Tools vs PPT
Case Details
BEC incident response playbook
Recommendations and takeaways
About UnderDefense
UnderDefense, a globally top-ranked firm by Gartner and Clutch, provides cyber resiliency consulting and technology-enabled services to anticipate, manage and defend against cyber threats. We empower clients to predict, prevent, detect, and respond to threats.
A bug that could prevent CrowdStrike tasks from processing has been resolved.
Amid the chaos on the world stage, the macroeconomic backdrop is full of uncertainties. But there is one thing we’re absolutely certain of: cybersecurity solutions will become much more prominent over the next few months and years as global cyberwarfare sets the stage for cybersecurity’s permanent elevation at both the national and corporate levels.
Companies and governments are being hacked mercilessly in 2022. Even cybersecurity giants such as Entrust are being breached. The firm revealed that parts of its system were hacked on June 18. Before that, Okta was hit, impacting more than 366 of its corporate customers.
That’s just scratching the surface amid a sea change where cybersecurity solutions go from “optional” to “necessary.” This shift is starting today, but it will play out over the next several years. As it does, global cybersecurity spending will substantially accelerate. So will the need to understand the Common Vulnerability Scoring System (CVSS).
Let’s explore how the scoring system works and even how it doesn’t work.
What Is CVSS
The Common Vulnerability Scoring System is a scoring system for vulnerabilities created by FIRST.org. CVSS communicates the severity of vulnerabilities through three top-level metrics: base, temporal, and environmental:
Base Metrics
On the base level, you’ll see a score that ranges from 0 to 10 (but it can be modified by scores in the other categories). Base factors, in a nutshell, represent the intrinsic characteristics of the vulnerability. Base CVSS scores are readily available, and enterprises can use them as a starting point to prioritize threats.
CVSS can create a pathway to accurate and consistent vulnerability scoring, which is why it’s used as the standard of measurement. Right now, CVSSv3.1 is used the most, although not everyone has kind things to say about it (we’ll get to that in a bit).
For now, let’s focus on how CVSS works, starting with its scoring methodology which runs from 0.0 to 10.0 in 0.1 increments.
As a system, the two most prevalent use cases are in 1) calculating and ranking threats based on severity of impact to your system environment, and 2) prioritizing which vulnerabilities to remediate first.
This is where it gets complex. For instance, CVSSv3.1 uses an “Access Vector” to represent vuln severity as a function of how difficult it is to connect to a system in a targeted environment.
Let’s unpack that by considering two situations: one in which many thousands are running that system through a network, and a second in which very few are running a system that requires physical adjacency to exploit. The second situation would score as less severe than the situation reliant on network access.
But there are many variables to consider. For example, the Access Vector variables include network, adjacent, local, and physical. And there are many more levels, which we will explore in future CVSS articles.
The important part to focus on is the permutations of scores. That is, is there a unique score for every possible variable combination? In short, no. There are roughly 101 possible scores to map variable levels onto, and more than 2,000 possible variable combinations.
Further, CVSS base metrics comprise three subscores: exploitability, scope, and impact. Within these subscores are several more sub-components, which differ depending on the subscore. For instance, the “impact” score focuses on what outcome could be achieved by a successful exploit, and leverages confidentiality (how much data the attacker has access to), integrity (the ability of the attacker to edit data), and availability (whether it impacts use of systems for a large or small number of users).
Temporal Metrics
There are also “temporal” metrics that can change over time. They’re intended to measure how exploitable a vulnerability is right now and how available remediating factors are. CVSS temporal metrics contain several sub-levels, including the following:
Exploit code maturity: how stable/mature is the code used to exploit a particular vulnerability.
Remediation level: how widely available are patches and other workarounds over time.
Report confidence: the validity of the vulnerability and its exploit.
Environmental Metrics
With environmental metrics, the score essentially modifies the base group depending on a particular enterprise’s characteristics that may increase or decrease the severity of a particular vulnerability. The sub-levels that make up the environmental group are as follows:
Modified base metrics: Organizations with compensating or mitigating controls are taken into consideration here. For example, is the vuln within a firewall-protected server? Is it within an unused, unconnected server? Or is it within an internet-connected server with public exposure? The latter is of the most severe consequence relative to the former two.
Security requirements: These measure an asset’s “business criticality” in terms such as “confidentiality,” “integrity,” and “availability.” Confidentiality refers to whether information can be hidden from unauthorized users. Integrity refers to an ability to protect information from being altered. Availability means how accessible information is to authorized users.
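The base-metric arithmetic described above (exploitability, scope, and the C/I/A impact sub-score) and the environmental modification just outlined, as an added example that is not part of the article: a Python implementation of the CVSS v3.1 base and environmental formulas from the FIRST.org specification. It assumes temporal metrics are Not Defined (weight 1.0), and the sample vectors used in the test (a network-reachable flaw, then the same flaw re-scored as reachable only from an adjacent network on a low-criticality asset) are constructed for illustration.

```python
"""CVSS v3.1 base/environmental scoring per the FIRST.org v3.1 spec formulas (added example)."""
import math

# Metric weights from the CVSS v3.1 specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR_U = {"N": 0.85, "L": 0.62, "H": 0.27}  # Privileges Required, scope unchanged
PR_C = {"N": 0.85, "L": 0.68, "H": 0.5}   # Privileges Required, scope changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0}  # CR/IR/AR security requirements

def roundup(x):
    """Spec Roundup(): smallest one-decimal value >= x, done on integers so FP noise cannot flip a score."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse_vector(vector):
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.split("/")
    if parts[0] != "CVSS:3.1":
        raise ValueError("only CVSS:3.1 vectors are supported")
    return dict(p.split(":") for p in parts[1:])

def _score(m, get, environmental):
    """Shared arithmetic; `get` resolves a metric, environmental=True applies CR/IR/AR and the 0.915 cap."""
    changed = get("S") == "C"
    w = [CIA[get(k)] * (REQ[m.get(k + "R", "X")] if environmental else 1.0)
         for k in ("C", "I", "A")]
    iss = 1 - (1 - w[0]) * (1 - w[1]) * (1 - w[2])   # impact sub-score
    if environmental:
        iss = min(iss, 0.915)
    if not changed:
        impact = 6.42 * iss
    elif environmental:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    pr = (PR_C if changed else PR_U)[get("PR")]
    expl = 8.22 * AV[get("AV")] * AC[get("AC")] * pr * UI[get("UI")]  # exploitability
    if impact <= 0:
        return 0.0
    total = 1.08 * (impact + expl) if changed else impact + expl
    return roundup(min(total, 10))

def base_score(vector):
    m = parse_vector(vector)
    return _score(m, lambda k: m[k], environmental=False)

def environmental_score(vector):
    """Modified metrics (MAV, MAC, ..., MS) override their base counterparts; temporal
    metrics are assumed Not Defined, so the spec's outer Roundup over E x RL x RC is a no-op."""
    m = parse_vector(vector)
    get = lambda k: m[k] if m.get("M" + k, "X") == "X" else m["M" + k]
    return roundup(_score(m, get, environmental=True) * 1.0)
```

Re-scoring the same flaw with MAV:A and low CR/IR/AR drops a 9.8 base score to 6.9, which is the kind of context the article argues a raw base score cannot carry.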
Acknowledging that we’re only scratching the surface of what CVSS is and how it’s used to prioritize exploits, we’d be remiss not to mention how limited the base score is in accounting for real-world exploits and other mitigating factors.
CVSS Criticisms
Criticisms of the Common Vulnerability Scoring System generally fall into two groups: criticisms of CVSS as a risk-identifying method, and criticisms of CVSS as a scoring system. Let’s get into some specific complaints:
The Attack Vector is not well-defined. For example, paradoxes arise when you consider the vulnerability state of a PDF, as it shows up as “local” if downloaded and opened in a browser, but shows up as “network” if it immediately opens in a browser.
The Attack Complexity criteria overlaps with the Temporal score. Changes over time are meant to be isolated by the Temporal score; however, the base score tends to evolve as an exploit moves from hypothesis to the real world. That’s only supposed to happen in the Temporal score.
The concept of “Scope” is confusing. This is because different equations are used depending on which Scope level is at risk.
“High” and “low” levels of granularity for Attack Complexity are insufficient. Compare that to CVSSv2, which had three levels of “Access Complexity.”
CVSSv3.1 consistently scores higher than version 2. This inflates the workload for admins.
These are just some of the many criticisms of CVSS; there are others to be found.
Perhaps the most important criticism is that a scoring system should be one input to how you prioritize threats, but not the only one.
Many enterprises misuse CVSS as a ranking of risk, even though CVSS fails to account for much of the context around vulnerabilities, such as how they can be chained, and does not assess impact in a way that reflects how people might actually be affected by a vulnerability.
The Future of CVSS
Criticisms or not, dissent is what leads to improvements down the line, which we’ll very likely see in the next iteration of CVSS. However, from what I’ve been able to glean from my readings, CVSSv4 will likely not depart from predecessors in a meaningful way. That is, its core construction will remain in place, and many of its proposed changes mostly comprise the tweaking/adding of variables and their values.
As we head into the future, and as every datapoint and workflow in the world exists on a computer somewhere, securing those systems via cybersecurity solutions will become increasingly vital. In other words, a once-niche industry has blossomed into a burgeoning, $150-plus billion business comprising dozens of multi-billion-dollar companies.
To date, this industry has experienced astonishing growth. But it is nothing compared to what will come over the next decade.
The COVID-19 pandemic accelerated the global digital adoption. Such an acceleration sparked a surge in the volume of digital data and workflows in need of security. And in response to that surge, countries and companies alike significantly upped their spending on cybersecurity systems in 2021.
But the conflict in Eastern Europe has added a ton more fuel to the fire.
The reality is that the war between Russia and Ukraine (or, perhaps increasingly more accurately, the rest of the world) has emphasized that modern warfare is cyberwarfare.
And it will only escalate from here.
As it does, so will the need for education around scoring systems, and how to best use them in context with your enterprise’s specific environment. For instance, we use several scoring systems to set a baseline for criticality, but it’s important to consider how that score may change depending on your enterprise.
A lot of vulnerability management companies do not consider such context, and that’s a huge mistake. We’re hopeful that the next iteration of CVSS addresses such limitations… but even so, it will always remain important to a degree to consider specific contexts and adjust how your threats should be prioritized.
About Topia TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.
August 16th 2022, Ghent (Belgium) – Today, Awingu (now part of Corel, home of Parallels) launches its new product release, Awingu version 5.3. As with every version, Awingu 5.3 brings enhancements in various domains:
Security: HTTP headers updates
Scaling: Installing against existing external database
Various UX enhancements
Security: HTTP headers updates
Awingu is a solution that helps customers enable Zero Trust secure remote access, and we therefore care deeply about our customers’ security. In line with security best practices, we’ve made improvements to the HTTP headers Awingu sends:
Firstly, administrators can enable HTTP Strict Transport Security (HSTS) headers. This way, Awingu ensures that its users are always connecting over HTTPS. By enabling HSTS, administrators no longer need to redirect users from http:// to https:// URLs.
Secondly, the Content-Security-Policy (CSP) header is applied. By using this response header, administrators can control which resources the user agent is allowed to load.
Installing against an existing external database
To make the work of Awingu admins easier and to expand the database options, Awingu 5.3 introduces innovations with regards to using external databases.
Already before version 5.3, Awingu created a backup of the internal database on a daily basis and stored that backup on the appliance. As an admin, you can retrieve this backup and save it on another system via SFTP. Awingu enhances the use of external databases for this functionality: the existing ‘database backup and restore’ functionality has been updated to ‘environment backup and restore’. This means that it’s now also possible to install Awingu against an existing external database or install (new) Awingu environments from an existing backup.
This enhancement not only enables additional disaster recovery scenarios but also allows moving your Awingu environment to a different network or hypervisor. Furthermore, this enables you to duplicate environments for testing or validation.
Various UX enhancements
Awingu 5.3 adds capabilities to improve the user experience in the workspace.
Improved clipboard functionality
Many customers use the clipboard in Awingu daily during their working hours. Awingu allows copying and pasting content between applications; however, users often experienced limitations (copy/paste between a streamed app and the local device, not being able to use system copy/paste actions, etc.). We heard the requests for improving the clipboard functionality, and we listened to your feedback.
In Awingu 5.3, the clipboard functionality for Chromium-based browsers (such as Chrome and Edge) is refined:
Copy/paste actions from the context menu work as expected
Copy/paste actions from all formats between streamed apps are possible
Copy/pasting between a streamed app and the local device now works with more formats.
File page improvements
We’ve extended the selection capabilities in the workspace. More specifically, two new actions have been added as file page improvements:
You can now select all files, bookmarks, shares, or applications.
You can now clear the whole selection.
The selection can also be modified using the Control and Shift keyboard keys, as is the default in e.g. Windows Explorer.
Support for mouse buttons 4 and 5
Several users have more than 3 mouse buttons, and use these to navigate (e.g. page forward/backward in browsers). The mouse buttons 4 and 5 (side buttons) can now be used within remote applications.
Mouse buttons 4 and 5 are often found on the left side of the mouse.
New Remote Application Helper
In Awingu 4.1, Awingu introduced the Remote Application Helper (RAH) to support the use of smartcards. In version 5.3, a new version of the Remote Application Helper is available which contains important bug fixes. If your users work with smartcards and thus need the RAH, it is recommended to uninstall the previous version of the RAH before installing the new one, so that they keep working smoothly in the workspace.
For more information about Awingu 5.3, please consult the latest admin guide.
About Awingu Awingu produces a browser-based Unified Workspace solution. It allows users to work and collaborate from virtually anywhere using any device compatible with HTML5 browsers. As a turnkey solution, Awingu offers businesses the ease and convenience of platform-independent mobility and offers everything you need to stay productive: legacy and cloud applications, documents and data. Awingu requires zero configuration and zero client software installation, making IT administration extremely simple.