<?xml version="1.0" encoding="utf-8"?><rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ivanti Blog: Posts by James Ley</title><description /><language>en</language><atom:link rel="self" href="https://www.ivanti.com/blog/authors/james-ley/rss" /><link>https://www.ivanti.com/blog/authors/james-ley</link><item><guid isPermaLink="false">f875a88d-0152-428b-b354-522f3ec5b064</guid><link>https://www.ivanti.com/blog/managing-security-threats-using-a-risk-based-approach</link><atom:author><atom:name>James Ley</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-ley</atom:uri></atom:author><category>Security</category><title>Managing Security Threats Using a Risk-Based Approach</title><description>&lt;p&gt;Since the pandemic began, it’s felt like life has been viewed through the lens of continual risk management: “Should I go to the store/pub/shops/cinema?” What’s the risk? What’s the value of taking the risk, and how do I mitigate as much of the risk as possible?&lt;/p&gt;

&lt;p&gt;With the COVID rules relaxing in Australia, live in-person conferences are rolling out again, so it was with excited anticipation that I recently attended the CISO Sydney event to talk about risk!&lt;/p&gt;

&lt;p&gt;The topic, unsurprisingly, was not COVID risk but rather: ‘Gain Compliance Using a Risk-Based Approach with Less Effort’. In this blog I’m going to detail how you can achieve this.&lt;/p&gt;

&lt;h2&gt;Addressing the Skills Shortage with Automation&lt;/h2&gt;

&lt;p&gt;We have a massive shortage of cyber security professionals in Australia; it’s estimated &lt;a href="https://www.austcyber.com/resources/sector-competitiveness-plan-2019/chapter3" rel="noopener" target="_blank"&gt;&lt;u&gt;we need 18,000 in the next four years&lt;/u&gt;&lt;/a&gt;! For those looking, it’s tough to find new hires. It’s also a competitive market, so holding onto the skills you have is a challenge, and these are expensive resources, so most organisations can’t afford nearly as many as they need.&lt;/p&gt;

&lt;p&gt;So, the logical approach is to &lt;strong&gt;&lt;em&gt;do more with less&lt;/em&gt;&lt;/strong&gt;, a topic that really resonated with the conference attendees as we discussed how to prioritise their vulnerability management (VM) programs.&lt;/p&gt;

&lt;p&gt;Most of the CISOs in the audience advised that they used one or more VM scanners to identify all the weaknesses in their environment; the challenge came in trying to respond to what was found. The common story is that the list gets longer every month, the team can’t keep up, and the work is not that rewarding. It’s a common theme resulting from the impact of COVID on the workforce: unhappy workers tend to find interesting work elsewhere if you can’t satisfy their needs.&lt;/p&gt;

&lt;h2&gt;What’s the Vulnerability Challenge?&lt;/h2&gt;

&lt;p&gt;There are 250k vulnerabilities in the National Vulnerability Database (NVD). What’s actually important is how these can be exploited:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Less than 20% of those are actually weaponised and could be used to breach your organisation.&lt;/li&gt;
	&lt;li&gt;Less than 3% have&amp;nbsp;remote code execution&amp;nbsp;(RCE) or&amp;nbsp;privilege escalation&amp;nbsp;(PE) exploits, which are the really dangerous ones: 80% of all breaches use these types of attacks.&lt;/li&gt;
	&lt;li&gt;If ransomware is your biggest fear, only 255 CVEs relate to its use. Are you sure you know which they are?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;So what’s the takeaway from all these facts and figures?&lt;/p&gt;

&lt;p&gt;Well, the problem is that if you don’t focus on the right area, you can spend a lot of time, resources and money remediating vulnerabilities that your organisation is very unlikely to be breached by, and you &lt;a href="https://www.ivanti.com/blog/the-8-best-practices-for-reducing-your-organization-s-attack-surface"&gt;won’t reduce your attack surface significantly&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img alt="" src="https://static.ivanti.com/sites/marketing/media/images/blog/2022/05/risk-based-approach-1.png" /&gt;&lt;/p&gt;

&lt;h2&gt;Apply a Risk-Based Lens to the Problem&lt;/h2&gt;

&lt;p&gt;Risk Based Vulnerability Management (RBVM) was the number two security project for 2021 based on &lt;a href="https://www.gartner.com/smarterwithgartner/gartner-top-security-projects-for-2020-2021" rel="noopener" target="_blank"&gt;&lt;u&gt;Gartner insights&lt;/u&gt;&lt;/a&gt;, with the point being to “focus on vulnerabilities that are actually exploitable”.&lt;/p&gt;

&lt;p&gt;Below I have included some data from a customer we’ve recently worked with.&lt;/p&gt;

&lt;p&gt;The top analysis shows data that comes from their VM scanner. It illustrates that they had over 27,000 &lt;em&gt;Critical&lt;/em&gt; and &lt;em&gt;High&lt;/em&gt; severity items to resolve, an insurmountable task for their security team; the reports to the Senior Executives were worse every month, and people were burnt out with no progress being made.&lt;/p&gt;

&lt;p&gt;Compare this to the results when they used a risk-based approach to prioritise based on those that were weaponised, had RCE/PE exploits, were trending, or had ransomware exposure. The customer could focus on the 6,240 &lt;em&gt;Critical&lt;/em&gt; and &lt;em&gt;High&lt;/em&gt; items that were their biggest risk. This meant a huge 75% reduction in their workload, so they could focus on reducing the actual attack surface of the organisation, which made a significant impact.&lt;/p&gt;

&lt;p&gt;&lt;img alt="" src="https://static.ivanti.com/sites/marketing/media/images/blog/2022/05/risk-based-approach-2.png" /&gt;&lt;/p&gt;

&lt;h2&gt;Is Ransomware our Biggest Threat?&lt;/h2&gt;

&lt;p&gt;At the CISO conference one of the topics spoken about by the Minister for Home Affairs Karen Andrews and the head of the Australian Cyber Security Centre (ACSC) was the threat ransomware poses. This was detailed in a report available on the ACSC website: &lt;a href="https://www.cyber.gov.au/sites/default/files/2022-02/Advisory_2021_Trends_Show_Increased_Globalized_Threat_of_Ransomware.pdf" rel="noopener" target="_blank" title="2021 Trends show increased globalised threat of Ransomware"&gt;&lt;u&gt;2021 Trends show increased globalised threat of Ransomware&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;If you look at your VM data through this risk-based lens and prioritise based on threat, you gain visibility into exactly where you are vulnerable to ransomware attacks and where you should focus effort to improve your security posture.&lt;/p&gt;

&lt;p&gt;In this example the security team can provide visibility to their executive team to illustrate the limited exposure they have to ransomware attacks. Of the 10,000 vulnerabilities in the environment across 7,000 devices, only 206 devices and 21 vulnerabilities need attention. The stats shown in green are what the team achieved to improve protection against ransomware.&lt;/p&gt;

&lt;p&gt;&lt;img alt="" src="https://static.ivanti.com/sites/marketing/media/images/blog/2022/05/risk-based-approach-3.png" /&gt;&lt;/p&gt;

&lt;h2&gt;Our Prioritisation Offer to You&lt;/h2&gt;

&lt;p&gt;If you are struggling with too many vulnerabilities, your current prioritisation (with its ability to automate workflows, assignment and service ticket integration) doesn’t meet your requirements, and your attack surface continues to expand, then please get in touch. Increasing the size of your security team isn’t the only solution.&lt;/p&gt;

&lt;p&gt;Ivanti has proven with customers worldwide that we can help reduce cyber risks with less manual effort.&lt;/p&gt;

&lt;p&gt;Provide the Ivanti team an output from any vulnerability management tool and within a few hours we can show you how we can prioritise it, giving you three key outcomes:&lt;/p&gt;

&lt;ol&gt;
	&lt;li&gt;Reduce your workload by up to 80% by focusing on risk&lt;/li&gt;
	&lt;li&gt;Reduce the cost to deliver your vulnerability management program through risk-based prioritisation&lt;/li&gt;
	&lt;li&gt;Reduce your attack surface faster to reduce the risk of breaches and ransomware infections&lt;/li&gt;
&lt;/ol&gt;
</description><pubDate>Thu, 19 May 2022 09:23:07 Z</pubDate></item><item><guid isPermaLink="false">de71208f-51d5-4913-80b9-8b1fabc544ca</guid><link>https://www.ivanti.com/blog/securing-end-of-life-windows-platforms</link><atom:author><atom:name>James Ley</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-ley</atom:uri></atom:author><category>Security</category><title>Securing End-of-Life Windows Platforms</title><description>&lt;p&gt;&lt;a href="https://www.ivanti.com/" target="_blank"&gt;&lt;img alt="Get expert insights you can't find anywhere else - watch now" src="https://static.ivanti.com/sites/marketing/media/images/blog/2019/10/cta-experts.png"&gt;&lt;/a&gt;In the ever-evolving world of technology, Windows platforms are released, heavily adopted, and customized. Business is built around them—and then they go end of life (EOL).&amp;nbsp;&lt;/p&gt;

&lt;p&gt;We witnessed it with Windows XP and 2003 in 2014, and as the merry-go-round continues, Windows 7 and 2008 will reach EOL in January 2020.&lt;/p&gt;

&lt;p&gt;When support ends, cyber adversaries will target these platforms. As with Windows XP, &lt;a href="https://nakedsecurity.sophos.com/2019/03/22/microsoft-windows-7-patch-warns-of-coming-patchocalypse/" target="_blank" rel="noopener"&gt;there is buzz in the security media&lt;/a&gt; that attackers are already storing their zero-day attacks and getting malware ready. Attackers will target Windows 7 betting that organizations have unpatched vulnerabilities they can take advantage of.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;What does end of life mean?&lt;/h3&gt;

&lt;p&gt;In three simple statements it means:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;No technical support&lt;/strong&gt;&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;No software updates&lt;/strong&gt;&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;No security updates&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;To avoid security risks, Microsoft recommends customers upgrade to Windows 10 and Server 2016.&lt;/p&gt;

&lt;h3&gt;“I need to keep Windows 7 / Server 2008. What can I do?”&lt;/h3&gt;

&lt;p&gt;If you are using Windows 7 Professional or Enterprise or a Server 2008 platform, you can purchase extended support from Microsoft through January 2023. &lt;a href="https://www.thurrott.com/windows/199062/microsoft-reveals-windows-7-paid-support-prices" target="_blank" rel="noopener"&gt;This will get you security updates&lt;/a&gt;, but at a cost of between $25 and $50 per device in year 1, doubling each year until 2023.&lt;/p&gt;

&lt;h3&gt;There is no substitute for patching&lt;/h3&gt;

&lt;p&gt;The reality is there is no substitute for patching operating systems. It’s listed in the &lt;a href="https://www.cyber.gov.au/publications/strategies-to-mitigate-cyber-security-incidents" target="_blank" rel="noopener"&gt;Australian Cyber Security Centre (ACSC) top 4 cyber threat mitigation strategies&lt;/a&gt; for a reason. No cyber security professional would recommend forgoing extended support and those key security patches. However, for some organizations it’s just not financially viable.&lt;/p&gt;

&lt;h3&gt;Alternatives or additions to extended support&lt;/h3&gt;

&lt;p&gt;Because an out-of-support platform brings significant risk and draws the focus of attackers, many organizations will look to bolster the security around these devices.&lt;/p&gt;

&lt;p&gt;Delivering a defense-in-depth set of controls to these devices will allow an organization to increase the security posture of these devices and reduce the risk they pose to the wider enterprise.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Ivanti is in a unique position to assist our customers with this, delivering the remaining three of the ACSC top 4 controls from the ‘&lt;a href="https://www.ivanti.com/products/security-controls" target="_blank"&gt;Security Controls&lt;/a&gt;’ platform.&lt;/p&gt;

&lt;h3&gt;Application whitelisting&lt;/h3&gt;

&lt;p&gt;Ivanti® &lt;a href="https://products/application-control" target="_blank" rel="noopener"&gt;Application Control&lt;/a&gt; provides a simple-to-deploy, low-management-overhead approach to application whitelisting, enabling organizations to ensure that only IT-approved software and content is ever allowed to run, thus thwarting file-based attacks and many fileless attacks.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;This is achieved using Trusted Ownership—a unique approach to application whitelisting employed only by Ivanti. The basic premise is that the Microsoft NTFS owner of a file is checked at run time. If the file was placed on the disk by a trusted user then the file can execute, otherwise it’s blocked by default. This means any software delivered as part of the SOE/Gold build or delivered by SCCM / Ivanti Endpoint Manager can run by default, with no lists to manage.&lt;/p&gt;

&lt;p&gt;This approach provides such a low cost of ownership that customers with fewer than 2,500 managed endpoints tell us they can manage it with a quarter of an FTE. (References available upon request.)&lt;/p&gt;

&lt;h3&gt;Third-party application patching&lt;/h3&gt;

&lt;p&gt;All endpoints have third-party applications installed—some as middleware, some as applications in their own right. These applications contain most of &lt;a href="https://www.ivanti.com/use-cases/extend-configmgr-with-third-party-patching" target="_blank"&gt;the vulnerabilities identified in software&lt;/a&gt;: reports show that’s up to 86%.&lt;/p&gt;

&lt;p&gt;Ivanti’s patching is market-leading and mature, and it features the largest catalog, covering more than 100 vendors, whose patches you can simply click and deploy from our &lt;a href="https://www.ivanti.com/use-cases/manage-my-os-and-third-party-application-patches" target="_blank"&gt;agentless patch platform&lt;/a&gt;. Deploy patches regardless of whether machines are inside the network or outside it. Automate the deployment and reporting of critical patches within the ACSC-specified guideline of 48 hours.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Removing administrator privileges&lt;/h3&gt;

&lt;p&gt;There are many reasons why users have administrator privileges. For many organizations, end-of-support platforms have likely been whittled down to only those machines that are stuck there. Ensuring that users only have the minimum privileges they need on these devices—and no more—is key.&lt;/p&gt;

&lt;p&gt;Using Application Control, IT can elevate individual applications, control panel applets, or services as required. By leaving the logged-on session running as a standard user, the lowest level of privileges is available to the exploit in the event the machine is compromised.&lt;/p&gt;

&lt;h3&gt;How Ivanti helped a customer succeed&lt;/h3&gt;

&lt;p&gt;Over the years, Ivanti has assisted many customers who find themselves in the difficult position of needing to manage out-of-support platforms. For example, one customer in the ANZ region was a large government department with a highly sensitive application that ran on Windows XP only.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;There was no way to migrate the application off XP prior to the end of support, and the customer wasn’t able to invest in the extended support. Using Ivanti Application Control, they were able to roll out whitelisting to the devices in days, on their own, and secure the devices, with confidence that users couldn’t run any software other than the solitary line-of-business application left on the platform.&lt;/p&gt;

&lt;p&gt;After this project, the customer saw so much value and simplicity in the solution that they rolled it out to the supported production fleet to improve their security and ACSC compliance.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/resources/v/doc/ivi/1828/5cf156bee025"&gt;Read the data sheet&lt;/a&gt; on Ivanti Application Control for Windows Servers. You can also &lt;a href="https://www.ivanti.com/lp/security/demos/app-control?from=blog" target="_blank"&gt;request a demo&lt;/a&gt; on our application control capabilities.&amp;nbsp;&lt;/p&gt;</description><pubDate>Tue, 15 Oct 2019 19:38:52 Z</pubDate></item><item><guid isPermaLink="false">454b6f82-c078-41ae-abd3-343d48188670</guid><link>https://www.ivanti.com/blog/are-you-ready-for-the-new-wannacry</link><atom:author><atom:name>James Ley</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-ley</atom:uri></atom:author><category>Security</category><category>Ivanti News</category><title>Are You Ready for the New WannaCry? You Better Be!</title><description>&lt;p&gt;After the carnage and financial damage caused by &lt;a href="https://www.ivanti.com/blog/breaking-large-scale-cyber-attack" target="_blank"&gt;WannaCry in 2017&lt;/a&gt;, here we go again, and the threat's name is BlueKeep. &lt;a href="https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/" target="_blank" rel="noopener"&gt;Krebs on Security documented BlueKeep here&lt;/a&gt;. On May 14th,&amp;nbsp;Microsoft released fixes for a critical Remote Code Execution vulnerability, &lt;a href="https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708" target="_blank" rel="noopener"&gt;CVE-2019-0708&lt;/a&gt;, identified and reported to Microsoft by the UK’s National Cyber Security Centre.&lt;/p&gt;

&lt;p&gt;This vulnerability is wormable, meaning it is exploitable pre-authentication, requires no user interaction, and can jump from vulnerable machine to vulnerable machine. It is inherent in the RDP (terminal services) protocol and only affects Windows XP, 7, 2003, 2008 and 2008 R2. Modern operating systems are unaffected.&lt;/p&gt;

&lt;p&gt;This vulnerability was seen as so severe that Microsoft took the uncommon step of releasing patches for unsupported operating systems.&lt;/p&gt;

&lt;p&gt;Unlike&amp;nbsp;WannaCry, this threat is seen as extremely easy to exploit.&amp;nbsp;It took a leaked NSA tool to exploit the WannaCry vulnerability, whereas the fear with&amp;nbsp;this one is that it will be much easier to take advantage of.&lt;/p&gt;

&lt;p&gt;With a patch now available you can bet there are cyber adversaries out there reverse engineering the patch while I write this blog, getting ready to exploit organizations and individuals alike.&lt;/p&gt;

&lt;p&gt;Globally, around 35% of Windows workstations are running affected operating systems.&lt;/p&gt;

&lt;p&gt;&lt;img alt="desktop windows market share worldwide - april 2019" src="https://static.ivanti.com/sites/marketing/media/images/blog/2019/05/screen-shot-2019-05-17-at-1.33.16-pm.png"&gt;&lt;/p&gt;

&lt;p&gt;It’s much harder to ascertain the size of the exposure from a server OS standpoint, as most servers are not internet-facing and so don’t show up in these stats. If the customers I speak to on a daily basis&amp;nbsp;are anything to go by, there are still many pockets of these 2003 and 2008/R2 servers around.&lt;/p&gt;

&lt;p&gt;Many of these older servers are Citrix server-based computing environments, which will all be running RDS. I was listening to my favorite cyber security podcast last week (&lt;a href="https://darknetdiaries.com/" target="_blank" rel="noopener"&gt;Darknet Diaries&lt;/a&gt;), and the host was talking to a penetration tester who did internal pen tests. He said that when he is in an environment and finds Citrix, that becomes his primary target: it’s a hub of applications, tools and privileges. If you have one of these legacy environments, make sure it’s patched!&lt;/p&gt;

&lt;p&gt;A &lt;a href="https://www.rapid7.com/blog/post/2017/08/09/remote-desktop-protocol-exposure/" target="_blank" rel="noopener"&gt;Rapid7&lt;/a&gt; blog showed how the internet scanning engine &lt;a href="https://www.binaryedge.io/" target="_blank" rel="noopener"&gt;Binary Edge&lt;/a&gt; identified 16 million endpoints publicly reachable on ports 3389 and 3388, which are typically reserved for RDP, with 67,338 endpoints internet-facing for RDP as of July 2017. It’s not clear what OS these exposed servers were running.&lt;/p&gt;

&lt;p&gt;So what’s the answer? You better get patching, ASAP!&lt;/p&gt;

&lt;p&gt;With the latest versions of MS SCCM not supporting Windows XP and Server 2003, the job is going to be more difficult.&amp;nbsp;Does this mean manual patching? Not necessarily.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/products/security-controls" target="_blank"&gt;Ivanti Security Controls&lt;/a&gt; provides our customers the ability to patch both XP and Server 2003, in an automated approach with complete visibility to status. Know if you are exposed rather than waiting on manual analysis and reports you don’t trust 100%.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/network-security" target="_blank"&gt;&lt;img alt="Protect yourself from the next wannacry" src="https://static.ivanti.com/sites/marketing/media/images/blog/2019/05/wannacryfinal.png"&gt;&lt;/a&gt;&lt;/p&gt;
</description><pubDate>Wed, 15 May 2019 18:30:01 Z</pubDate></item></channel></rss>