In response to the vulnerability tagged as CVE-2021-44228, known as “Log4Shell”, from Artica PFMS we confirm that Pandora FMS does not use this Apache log component and therefore it is not affected.
Discovered by the Alibaba security team, the problem refers to a case of remote execution of unauthenticated code (RCE) in any application that uses this open source utility and affects unpatched versions, from Apache Log4j 2.0-beta9 up to 2.14. 1.
It is true that if we used it, we would be compromised, but fortunately it is a dependency that is not necessary for the operation of our product.
In turn, we must also state that the Elasticsearch component for the log collection feature is potentially affected by CVE-2021-44228.
Recommended solution
There is, however, a solution recommended by the Elasticsearch developers:
1) You can upgrade to a JDK later than 8 to achieve at least partial mitigation.
2) Follow the Elasticsearch instructions from the developer and upgrade to Elasticsearch 6.8.21. or 7,16,1 superior.
Additional solution
In case you can’t update your version here we show you an additional method to solve the same problem:
Disable formatMessageLookup as follows:
Stop the Elasticsearch service.
Add -Dlog4j2.formatMsgNoLookups = true to the log4j part of /etc/elasticsearch/jvm.options
Restart the Elasticsearch service.
In the event of any other eventuality we will keep you informed.
About Version 2 Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About PandoraFMS
Pandora FMS is a flexible monitoring system, capable of monitoring devices, infrastructures, applications, services and business processes.
Of course, one of the things that Pandora FMS can control is the hard disks of your computers.
In recent years, the technological dependence of companies and society has only increased. Companies have increasingly invested in digitizing their processes and providing the best experience for customers, partners, suppliers, and employees.
The digital transformation process and new technologies such as Cloud, Big Data, Internet of Things, and 5G have brought an increase in cyber threats with them. And the migration to remote work models driven by the Covid-19 pandemic has made people and businesses even more vulnerable to malicious attacks. This makes the cybersecurity issue remain on the rise and the protection of this entire infrastructure is increasingly essential in organizations’ strategies.
Thus, as the end of the year approaches, security leaders are looking for the main information security market trends and the challenges that await them for 2022 to be prepared for this threat scenario. According to a Flexera study, cybersecurity will be the top IT initiative for half of the organizations surveyed.
Therefore, in times when data is considered the new oil, it is essential that organizations know the market trends and then outline their cybersecurity strategies to protect this very valuable asset and ensure the continuity of their business.
Next, we present 9 information security topics that will be highlighted in 2022, which should be considered by organizational leaders in their cybersecurity strategies.
1.Greater Coverage of Data Protection Laws
With the exponential growth of data volume, news on data leaks will become more and more frequent. Consequently, the demand for data security and privacy is sure to grow. To respond to this trend, governments tend to increase regulatory pressures through the publication of personal data protection laws. So much so that Gartner estimates the personal information of 75% of the world’s population will be covered by specific data protection laws by 2023. In 2021, China, Saudi Arabia, and Brazil were some of the countries that put specific data protection laws in force. Europe already regulated the transfer of personal data from European Union countries to non-member countries. On the other hand, the United States remains on the list of countries without a specific federal law to guarantee the protection of personal data, depending only on states like California, Colorado, and Virginia to legislate on the subject.
2.Remote Work Protection
Work environments have undergone the greatest transformation in recent decades. Dining rooms were adapted so that we could share workstations and accommodate a remote workforce. According to research by Tenable and Forrester, 74% of security leaders recognize that the remote work measures implemented as a result of the pandemic have left their infrastructure vulnerable to malicious attacks. And even with the end of the pandemic and the return to face-to-face work, the expectation is that there will be a hybrid work adoption. Also, according to the survey, 70% of organizations plan to have their employees work from home at least one day a week.
3.Cyber Awareness
It is jargon in the cybersecurity market that “it is impossible to invest in state-of-the-art security solutions without addressing the weakest link in this chain: people”. Furthermore, as security vendors develop new technologies to protect infrastructure, attackers devise methods to bypass them and carry out their malicious actions. According to Verizon’s Data Breach Investigations Report 2021, 85% of data leaks surveyed involved the human factor, with social engineering accounting for more than a third of those leaks. Phishing was present in 36% of data leaks surveyed by Verizon.
4.Talents Wanted
In recent years, we have seen an increase in the number of projects related to digital transformation and connected devices, as well as a migration to cloud-based environments. Additionally, the risk landscape includes cyberwars and attacks such as ransomware, which increasingly affect business continuity. However, security budgets have not kept up with this escalation. To adequately respond to these risks and ensure infrastructure protection, there is an increased demand for cybersecurity professionals. According to an Information Systems Security Association (ISSA) study, 57% of professionals surveyed said that the lack of cybersecurity talents had impacted their organizations in some way, while 10% recognized this impact as significant.
5.It is All About Connection
The development of 5G and the Internet of Things has led to a growth in the number of connected devices. These devices have enabled connectivity and have become increasingly essential in the daily lives of people and businesses. According to a Cisco report, the number of connected devices is expected to surpass 29 billion by 2023, resulting in a larger attack surface to be exploited by malicious attackers through vulnerabilities and malicious software. According to Gartner, by 2025, cyberattackers will turn Operational Technology (OT) environments into weapons to cause even human deaths. In this way, attacks on the so-called critical infrastructure, such as the generation and distribution of energy, water, and gas, can have serious impacts not only on organizations but also on governments and society.
6.Mobile Attacks
The spread of smartphones has made our personal and professional life easier, stimulating the development of a series of applications for communication, shopping, finance, and travel. In addition, the shift to remote work has led to increased use of mobile devices by employees, bringing benefits such as faster speed and productivity improvements. In 2020, the percentage of internet traffic through these devices surpassed that of desktop computers and laptops for the first time. Cybercriminals have taken advantage of these facts to increasingly use mobile devices as an attack vector.
7.(Even) More Ransomware
Each year, we have seen new records in ransomware-related numbers. And in 2021, that was no different. SonicWall recorded a 148% increase in attacks involving ransomware in 2021, reaching the number of 495 million attacks with this type of malicious software, which is expected to exceed 700 million by the end of the year. It is worth remembering that the techniques used in these pieces of software have also become more sophisticated, showing an evolution in cybercriminals’ planning and execution of this type of attack. Moreover, the Ransomware-as-a-Service models have allowed scaling the development of this type of malicious software, allowing criminals without programming knowledge to develop their own ransomware. In September 2021 alone, SonicWall’s malicious software detection tools discovered more than 370,000 new malware variants, with governments and critical infrastructure being a top target.
8.Social Freedom
In recent years, we have seen social media influencing important events in some way, such as Brexit and the Brazilian and American elections via the Cambridge Analytica scandal. And with new occurrences involving Facebook and its employees, we will continue to see increasing pressure on social media to perform proper controls on their users’ posts. These posts include the dissemination of fake news and crimes such as selling illegal items, financial scams, and child pornography. This will undoubtedly influence governments to regulate and establish better-defined controls on how content is published, including the verification of facts posted on social media and facilitating access by authorities to the respective sources.
9.Artificial Intelligence and Machine Learning for Cybersecurity
The elimination of the security perimeter and the migration to distributed work models, driven by the Covid-19 pandemic, made devices even more vulnerable to cyber threats. And with the increase in these threats, boosted by the lack of specialized security staff, it is essential to use tools based on Artificial Intelligence and Machine Learning to detect cybersecurity risks. Through the use of these technologies, one can analyze and recognize patterns for the prevention and adequate response to these threats. In this way, the cybersecurity process becomes much more proactive and effective.
You can see that 2022 will not be easy in terms of cybersecurity. With the trend of increasing attacks and scarce resources, security teams will have a tough mission to detect and adequately respond to the growing demands in the industry. Now, the question is not whether, but when organizations will suffer a cyberattack. Thus, adequately responding to cyber threats not only must be considered by the security teams but also be part of the business strategies.
About Version 2 Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Senhasegura Senhasegura strive to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.
Similar to how software bugs are triaged for a severity level, so too are security vulnerabilities as they need to be assessed for impact and risk, which aids in vulnerability management. The forum of Incident Response and Security Teams (FIRST) is an international organization of trusted security scientists and computer researchers that have received the task of creating best practices and tools for incident responses teams, as well as standardizing security methodologies and policies. One of FIRST’s initiatives is the Special Interest Group (SIG) that is responsible for developing and maintaining the Common Vulnerability Scoring System (CVSS) specification to assist the security team to understand and prioritize the severity of a security vulnerability.
Scoring Vulnerabilities
CVSS is known as a standard measurement system for organizations, industries and governments that need consistent and accurate vulnerability impact scores. The quantitative model of CVSS ensures accurate and repeatable measurement while allowing users to see the core vulnerability features that were used to generate the scores. CVSS is normally used to prioritize vulnerability remediation activities and to calculate vulnerabilities discovered on one’s systems.
Challenges with CVSS
Missing Applicability Context
Vulnerability scores do not always count for the right context in which a vulnerable component is used by an organization. A Common Vulnerabilities and Exposures (CVE) system can factor in different variables when determining the score of an organization. However, in some cases others can affect the way in which a vulnerability is handled in spite of the score given to it by a CVE.
For instance, a high severity vulnerability that’s classified by the CVSS which was found in a component used for testing purposes, such as a test harness, might end up receiving little or no attention from security experts. One reason this can happen is that this component is used as a tool and is not in any way exposed in an interface accessible to the public.
Additionally, vulnerability scores do not extend their context to account for material consequences such as when a vulnerability applies to cars, utility grids and medical devices. Each firm would need to triage and account for specific implications based on relevance to the prevalence in the specific vulnerable components for their products.
Incorrect Scoring
A vulnerability score includes a wide range of major characteristics and without supporting information, proper guidance and experience, mistakes can easily be made. It’s not rare to find false positives in a CVE or inaccuracies in scores that are assigned to any of the metrics groups that introduces a risk of losing trust in a CVE or creating panic for organizations.
CVSS has a score range of 0-10 that ranks severity levels starting from low to high. Inaccuracies of variables may lead to a score that maps to an inaccurate CVSS level. CVSS v3.0 can be used for evaluating and communicating security vulnerability features and their impact. The security research team takes part in discovering new vulnerabilities across ecosystems. Additionally, they work to triage CVE scores to properly showcase severities to balance the scoring inaccuracy that’s made by other authorities that issue CVEs.
An organization database provides supporting metadata beyond the CVE details for each vulnerability. The security experts curate each vulnerability with information like details about the type of vulnerability or overview of the vulnerable components that are enriched with reference links and examples to commits, fixes or other matter related to vulnerability.
How CVSS Works
There are three versions in CVSS’s history, beginning from its first release in 2004 to the widespread adoption of CVSS v2.0 and to the present working specification of CVSS v3.0. The specification offers a structure that standardizes the way vulnerabilities are scored in a way that’s grouped to showcase individual areas of concerns.
The Metrics For A CVSS Score Are Allocated In Different Groups:
Base: Impact assessment and exploitability metrics that are not dependent on the times of a vulnerability or a user environment, such as the ease at which the vulnerability can be exploited. For instance, if a vulnerability component is denied total access because of a vulnerability, it will score a high availability impact.
CVSS base metrics are composed of exploitability and impact metric sub-groups and assess their applicability to a software component, which may impact other components (hardware, software or networking devices).
Temporal: This metric accounts for situations that affect a vulnerability score. For instance, if there is a known exploit for a vulnerability the score will increase. However, if there is a patch or fix available, the score will decrease.
The main purpose of the temporal score is to offer context according to the timing of a CVE severity. For example, if there are known public exploits for a security vulnerability, this raises the severity and criticality for the CVE because of the considerably easy access to resources for employing such attacks.
A complete CVSS score is calculated which includes the temporal score part based on the highest risk for a value and will only be included if there is temporal risk. Consequently, any temporal score values that are assigned will keep the overall CVSS score at the lease or lower than the overall score.
Environmental: This metric enables customizing the score to the impact for a user or company’s environment. For instance, if the organization values the availability that’s related to a vulnerable component, it may set a high level of availability requirement and increase the whole CVSS score.
In conclusion, the base metrics form the bases of a CVSS vector. If temporal or environmental metrics are available, they are incorporated into the whole CVSS score.
About Version 2 Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About VRX VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.
Most of us have visited a hotel at some point in our lives. We arrive at reception, if we request a room, they give us a key; if we are going to visit a guest, they lead us to the waiting room as a visitor; if we are going to have dinner at their restaurant, they label us as a customer; or if we attend a conference on technology, we go to their conference room. It would not be the case that we would end up in the pool or enter the laundry room for a very important reason: we were assigned a role upon arrival.
Do you know what Role-Based Access Control or RBAC is?
In the field of computing too, since its inception, all this has been taken into account, but remember that the first machines were extremely expensive and limited, so we had to settle for simpler resources before Role-Based Access Control (RBAC) arrived.
Access Control List
In 1965, there was a timeshare operating system called Multics (created by Bell Laboratories and the Massachusetts Institute of Technology) which was the first to use access control lists (ACL). I wasn’t even born at that time so I will trust what Wikipedia has to say about this topic. What I do know, first-hand, is the filesystem access control list (filesystem ACL) that Netware Novell® used in the early 1990s and that I already told you about in a previous article on this blog.
But let’s go back to the access control list: What is an access control? This is the easiest thing to explain, it is nothing more and nothing less than a simple restriction on a user regarding a resource. Either by means of a password, a physical key or even your biometric values, such as a fingerprint, for example.
An access control list then is to write down each of the users who can access (explicitly allowed) or not (explicitly prohibited, under no circumstances) something. As you may imagine, this becomes tedious, constantly staying aware of noting the users one by one and also the processes of the operating system or the programs that run on it… You see, what a mess to write down all the entries, known as access control entries (ACEs).
Following the example of rights on files, directories and beyond (such as full resources: optical disks or entire “hard drives”), I came to work, last century, with Netware Novell®. This is a Filesystem ACL (Network File System access control list). Then came the millennium shock, the NFS ACL version 4 that picked up and expanded, in a standardized way, everything we had used since 1989 when RFC 1094 established the Network File System Protocol Specification. I think I have summarized a lot and should name, at least, the use that MS Windows® gives to ACLs through its Active Directory (AD), the Networking ACLs for the cases of network hardware (routers, hubs, etc.) and the implementations that some databases make.
All these technologies, and more, make use of the concept of access control lists, and as everything in life evolves, the concept of groups sharing some similarities emerged, and thus it was possible to save work by keeping the lists of access. Now imagine that you have one, or more access control lists, that only support groups. Well, in 1997 a man named John Barkley demonstrated that this type of list is equivalent to a minimum Role-Based Access Control, but RBAC at the end of the day, which brings us to the core of the issue…
Role-based access control RBAC
The concept of role in RBAC goes beyond permissions, it can also be well-defined skills. In addition, you may have several assigned roles, depending on the needs of the protagonist (user, software, hardware…). Going back to the billing department example. A salesperson, who already has a corresponding role as such, could also have a collection role to analyze customer payments and focus their sales on solvents. With roles this is relatively easy to do.
Benefits of RBAC
• First of all, RBAC dramatically reduces the risks of breaches and data leaks. If the roles were created and assigned rigorously, the return on investment of the work done in RBAC is guaranteed.
• Reduce costs by assigning more than one role to a user. It is unnecessary to buy new virtual computers if they can be shared with groups already created. Let Pandora FMS monitor and provide you with information to make decisions about redistributing the hourly load or, if necessary and only if necessary, acquire more resources.
• Federal, state, or local regulations on privacy or confidentiality can be required of companies, and RBACs can be a great help in meeting and enforcing those requirements.
• RBACs not only help efficiency in companies when new employees are hired, they also help when third parties perform security work, audits, etc. because beforehand, and without really knowing who will come, they will already have their work space well defined in one or more combined roles.
Disadvantages of RBAC
• The number of roles can grow dramatically. If a company has 5 departments and 20 functions, we can have up to a maximum of 100 roles.
• Complexity.Perhaps this is the most difficult part: identifying and assigning all the mechanisms established in the company and translating them into RBAC. This requires a lot of work.
• When someone needs to temporarily extend their permissions, RABCs can become a difficult chain to break. For this, Pandora FMS proposes an alternative that I explain in the next section.
RBAC Rules
To take full advantage of the RBAC model, developing the concept of roles and authorizations always comes first. It is important that identity management to be able to assign these roles is also done in a standardized way, for this the ISO/IEC 24760-1 standard of 2011 tries to deal with it.
There are three golden rules for RBACs that must be displayed according to their order in time and enforced in due course:
1. Role assignment:Someone may exercise a permission only if they have been assigned a role.
2. Role authorization:The active role of a person must be authorized for that person. Along with rule number one, this rule ensures that users can only assume the roles for which they are authorized.
3. Permission authorization:Someone can exercise a permission only if the permission is authorized for the person’s active role. Along with rules one and two, this rule ensures that users can only exercise the permissions for which they are authorized.
The Enterprise version of Pandora FMS has an ultra complete RBAC and authentication mechanisms such as LDAP or AD, as well as double authentication mechanisms with Google® Auth. In addition, with the tag system that Pandora FMS handles, you may combine RBAC with ABAC. The attribute-based access control is similar to RBAC but instead of roles, it is based on user attributes. In this case, assigned labels, although they could be other values such as location or years of experience within the company, for example.
But we leave that for another article…
Before finishing this article, remember Pandora FMS is a flexible monitoring software, capable of monitoring devices, infrastructures, applications, services and business processes.
Would you like to find out more about what Pandora FMS can offer you? Find out clicking here: https://pandorafms.com/
Also, remember that if your monitoring needs are more limited, you have Pandora FMS OpenSource version available. Learn more information here:
https://pandorafms.org/
Do not hesitate to send us your questions. Pandora FMS team will be happy to help you!
About Version 2 Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About PandoraFMS
Pandora FMS is a flexible monitoring system, capable of monitoring devices, infrastructures, applications, services and business processes.
Of course, one of the things that Pandora FMS can control is the hard disks of your computers.
