How can your organization become more Cyber Resilient? 

Image of skyscrapers in the city with people on the top of each building. Represents the infrastructure of a company and the need to keep it cyber resilient.
Image from Free Vectors via Vecteezy.com

Cyber Resilience is demonstrating to be a very important concept within organizations’ strategies. Keeping up with the increasing investment in security is demanding investment in new technologies that can defend organizations faster. Meterian is one of them. But what really is Cyber Resilience? What does it entail? And why is it so important?

What is Cyber Resilience?

Cyber Resilience is the ability to prepare for, respond to, and recover from cyber attacks. It involves a strategic view, addressing the life cycle of data when it is created, dispersed and stored. More importantly, a cyber resilient approach will incorporate the collaboration of people, processes and technology. Careful not to confuse this concept with cyber security, which is the action of preventing an attack from happening. On the other hand, Cyber resilience is more about being persistent in your defensive strategies, to produce a preventive and reactive defense against threats and vulnerabilities.

Cyber attacks are only on the rise! According to Forbes Insights survey more than 50% of surveyed organizations have experienced at least one cyber incident in the last three years and only 27% believe that their top management understands the difference between mitigating cyber risk and working towards a more organised cyber resilient strategy. Normally, hacked victims have a better idea of how to prevent attacks as they have learnt from previous incidents. But this is no excuse for organizations to wait until the worst! Here are some steps which can boost your cyber resilience!

Identify, Protect, Detect, Respond, Recovery 

  1. Identify

The first stage in adopting a cyber resilient strategy begins with the preparation and identification of the potential security risks within the framework of your organization. This involves spotting vital information and conducting assessments on vulnerabilities. Prioritising your most urgent issues will make you less appealing to attackers! Urgent issues might include securing your customers’ data such as financial credentials, passwords or emails.  Also, check how well do you understand the risks of each of the devices and digital assets identified in my company. 

What is sometimes overlooked, is the diversity needed within a team when understanding your organizations’ potential vulnerabilities. Accenture made a study which demonstrates how the immediate cybersecurity team only identified 64% of the breaches.  So involving groups beyond the cybersecurity team is vital to create a united front between IT and business. This will increase an organization’s resilience at all levels. Industry research supports this, highlighting how due to the variety of software services and devices used by users or staff, users must take responsibility to identify and act on risks. We need to make sure strong defence is across all user levels. After all, ‘Many Eyes Make All Bugs Shallow’

With identification, comes attention to detail. It is not enough to list ‘hacking’ as a risk, for this action could range from phishing to exploited databases. Without this attention to detail, organizations are vulnerable to more acute attacks. Checklists are useful practical tools to help identify the people, processes and technology within the organization needed to form an effective defense.  If you can identify these entities, then it’s easier to talk about the risks and do something about them. Review the NCSC Cloud Security Guidance which provides a framework of 14 cloud security principles for enterprises to evaluate the security of any cloud service.  The UK ICO provides a useful self-assessment checklist for SMEs to evaluate their data protection assurance. Discuss these lists with your teams to get visibility on what could be vulnerable to attacks and what the team can do to build an effective defense. 

2. Protect

Protection will help minimise chances of breaches succeeding. It will contain the impact of the attack. Develop safeguards for critical infrastructure and make sure to enforce regular checks to understand the strength of the organization’s cyber resilience. This will help keep good cyber hygiene within your organization.

People, process and technology are essential for this step. In particular, new technology solutions are important to protect infrastructure and assets. Continuously investing in upgrading and refining protective systems should become a normal cost of business. However, experts feel that these technologies are not being bought or implemented to the fullest extent. Maybe this is because cybersecurity technologies need to make business sense; they cannot work in isolation. Yet, there are many tools in place to help with the five NIST framework categories, meaning you don’t have to waste time with a platform that has things you don’t need. You can simply choose cyber security products customized to your business needs. 

Protection of the mobile workforce is also a crucial factor within cyber resilience. By controlling mobile access to the network, employees are restricted to sensitive corporate information. This ties in with monitoring and enforcing policy adherence, seeming as malicious insiders are one of the most frequent sources of cyber security breaches! There should also be regular staff training to avoid any human factors leading to an attack.

3.  Detect 

A rapid response to a cyber attack is crucial! The longer it takes the more cyber criminals can exploit your organization. For example, according to the 2019 Verizon Data Breach Investigations Report, the time of discovery tends to be months. Of course, it does depend on the type of attack in question. There is a difference between payment card compromises where discovery is based on the fraudulent use of the stolen data (taking weeks or months), and a stolen laptop. So be aware, slower detection will only make your systems more vulnerable. 

To avoid this time lag, there needs to be detection and response policies in place. These must be evaluated and updated frequently. New technologies and software are essential as we have to adapt to attackers becoming more advanced. Surprisingly, only 40% of companies are investing in areas such as AI, machine learning and automation to become more cyber resilient. Yet, we understand adopting new technology takes time. An organization will have to make sure new technology is implemented, setup and allocated accordingly to their employees. Then they can use it through training and the adoption of new policy definitions.

It might seem daunting, but if you find tools that are easy to use and set up, this will increase your organization’s agility to detect and mitigate risks faster.

4. Respond 

Create a response plan. This will help contain the impact of the attack once it has been detected. There should be a specific focus on: 

  • Who will be the single point of contact that takes on responsibility for the plan and for integrating incident-response efforts? This may be required across teams, business units and geographies, depending on the organization size and structure as well as the nature and consequence of the attack.
  • What will the incident response team look like? Which individuals are critical to involve and are there reasonable backup plans if an individual is unavailable?
  • How will relationships with key external stakeholders, such as law enforcement be maintained?
  • How will the organization work with external breach-remediation providers and experts?

These are all questions which should be coordinated amongst a Response Team, where roles should be assigned to competent members of your organization.

5. Recover 

Returning your organization back to normal after an attack can be tough. However, thinking ahead to these what-if incidents can make it easier to recover and get back to business as usual.  This is a good planning exercise for both organizations who have and haven’t suffered a cyber attack.

If your organization has suffered an attack: Was there anything missing that could have prevented the attack? What did you learn from the breach? What will you do differently next time? Or what is the organization in need of to resist a future attack? 

Having pre-defined strategies in place can help the recovery process.  For example, developing and implementing systems and plans to restore any lost data or disrupted services affected by the attack would help organizations recover systems as quickly as possible. This can be done through the use of backups, cloud storage and off-site archives. It is worrying that while most organizations perform regular backups, very few know exactly what it is they are backing up. Again, there is a need for prioritisation. What information being backed up is of most importance? And if a cyber attack occurs what information and services need to be restored first in order to return to normalcy? More importantly, this recovery plan needs to be re-evaluated and updated regularly. This will help meet any risk related aspects of an attack that an organization might encounter in the future. 

Image of work colleagues giving themselves a high five. Represents team work.
Image from Pexels.com

Put into Practice

Following these steps will help boost your cyber resilience. The combination of people, systems and technology collaborating together is vital to emphasize, as it shows a united IT and business front against cyber attacks. Yet, cyber resilience requires adaptability, so make sure complacency does not get in the way. 

  • Develop easily accessible quick-response guides for likely scenarios.
  • Establish processes for making major decisions, such as when to isolate compromised areas of the network.
  • Document response plans, update them regularly and make them available to the entire organization. 
  • Make sure all staff members understand their roles and responsibilities in the event of a cyber incident.
  • Train, practice, and run simulated breaches to develop response “muscle memory”, increase individuals’ awareness and fine-tune the organization’s response capabilities.

Be flexible, be proactive and cultivate cyber resilience.

How can your organization become more Cyber Resilient? 

Treasure your Ruby apps? Protect from unauthorised access immediately

5min read

Image of thief climbing out of laptop shining flashlight on Ruby icon, titled Vulnerability Focus: Ruby.

It’s that time of the week people. Meterian is back with information on a brand new set of vulnerabilities! We once again turn our heads to focus on two Ruby vulnerabilities. The first being found within the Ruby makandra consul gem, and the second being located within the Airbrake Ruby notifier 4.2.3. Both these open-source vulnerabilities are given a 9.8 severity score on NVD, so don’t waste any time –  read up, you could be affected!

  • CVE-2019-16377 The Ruby makandra consul gem for all versions prior to and including 1.0.2 has an Incorrect Access Control vulnerability. This can lead to unauthenticated access to certain controller actions.
  • CVE-2019-16060 The Airbrake Ruby notifier version 4.2.3 mishandles the blacklist_keys configuration option and may therefore may therefore disclose passwords to unauthorized actors.

CVE-2019-16377

Vulnerability Score: 9.8

Platform: Ruby

Component: consul gem

Affected Versions: <= 1.0.2

Yes, you heard right. A vulnerability has indeed been detected within the Ruby makandra consul gem for all versions prior to and including 1.0.2. It was discovered by Toby Craze (github id:kratob) on 23/09/19. We are afraid to be the bearer of bad news, but this serious security flaw will affect an unknown function of the component Access Control.

A little context: makandra has been working exclusively with Ruby on Rails since 2007. They are a team of Ruby developers and Linux system engineers based in Germany. Makandra are constantly using open-source software and security patches are applied to the systems they use on a weekly basis. During this time, it has successfully delivered more than 100 Rails projects on more than 90 servers, indicating the amount of users that are at risk of this security flaw. This security issue is located within the consul. For those who don’t know, the consul gem is an authorisation solution for Ruby on Rails and it uses scopes to control what a user can see or edit.

So what is the problem? When a controller has multiple power directives, the ‘:only’ and ‘:except’ of the last directive is applied to all directives. By sending a specially-crafted request, this can lead to an attacker gaining unauthorized access to certain controller actions. With the manipulation of an unknown input, comes a privilege escalation vulnerability. Unfortunately, the impact is negative on confidentiality, integrity and availability. Below is what the affected code would look like.

https://github.com/makandra/consul/issues/49

In this example of code, the powers ‘:foo’ and ‘:bar’ are only checked for the #index action. The other actions were left unprotected by powers checks.

The solution is simple. Upgrade to the latest version of the makandra consul gem (1.0.3. or later), which is available from the consul GIT Repository. or via rubygems. Act fast to get rid of this security bug from your codebases and apps! You could be affected!

CVE-2019-16060

Vulnerability Score: 9.8

Platform: Ruby

Component: airbrake-ruby gem

Affected Versions: 4.2.3

Attention Ruby users! The Airbrake Ruby notifier 4.2.3 has mishandled the blacklist_keys configuration option which could result in a very real threat of sensitive data being disclosed to unauthorized actors (e.g password or credentials dumping). What are blacklist_keys? This specifies which keys in the payload should be filtered. Before sending an error, filtered keys will be substituted with the [Filtered] label.

Image of computer, displaying a undisclosed User Name and Password credentials. They are being fished with by a hook. This symbolises the access to sensitive data.
Image from https://www.howtogeek.com/343947/how-to-check-if-your-password-has-been-stolen/

Airbrake is a plain Ruby notifier gem that is used for integrating apps with Airbrake; it is the leading exception reporting service which provides minimalist API, enabling the notifier to send any Ruby exception to the Airbrake dashboard.  An exception is an event occurring during the execution of a program that disrupts the normal flow of the program’s instructions.  When an uncaught exception occurs, Airbrake could potentially release data to the Airbrake server.

The Airbrake dashboard provides easy categorization, searching, and prioritization of exceptions so that when errors occur, your team can quickly determine the root cause – this allows users to easily review errors, tie an error to an individual piece of code, and trace the cause back to recent changes.

So, what is the problem you say? A data-breach vulnerability–this is due to the mishandling of the blacklist_keys configuration option–within Airbrake Ruby 4.2.3 prevents user data from being filtered prior to sending to Airbrake. In other words, the vulnerability allows a remote attacker to access sensitive information on a targeted system. This compromised data could be user passwords or card payment details, which means an app could leak them  unknowingly; if left untreated, this could very well be the fatal zero-day vulnerability for a business or organization. 

To fix this vulnerability, users must upgrade to 4.2.4 or after. But hurry, as you might be at risk of attackers leaking important confidential data!

That is it for this round folks! Make sure to spread the word on these critically-rated Ruby vulnerabilities in order to help the app sec community defend against unwanted exploits. But as you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously. Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Treasure your Ruby apps? Protect from unauthorised access immediately

Vulnerability Focus: PHP

5min read

Image of thief climbing out of laptop shining flashlight on PHP icon, titled Vulnerability Focus: PHP.

Listen up, app sec community – Meterian has an exciting update! We have a new addition to our family of languages for which our vulnerability scanning solution operates on. Drumroll please… it’s PHP. This means another layer of defense for your apps’ open-source dependencies to  shield them against malicious exploits. To commemorate this special day, we have written on 2 high-priority PHP vulnerabilities which will undoubtedly make an interesting read!

  • CVE-2019-9081 A vulnerability in the Illuminate component of Laravel Framework 5.7.x. could result in a remote cyber attack impacting confidentiality, integrity and availability in the process of web development.
  • CVE-2019-14933 A CSRF vulnerability in the Bagisto framework v0.1.5 could lead to attackers removing or manipulating important functionalities which will cause mass denial of services within an application.

CVE-2019-9081 

Vulnerability Score: Critical––9.8 (CVSS v3.0)

Platform: PHP

Component: laravel/laravel

Affected versions: 5.7.0 – 5.7.27

Attention to all PHP programmers! Read up, this is important stuff. On the 24/02/19, a vulnerability was found in the Illuminate component of Laravel Framework 5.7.x., a PHP development framework based on PHP 7.1.3. The severity of the threat is understood when seeing that 107,933 live websites use Laravel. It is also said to be the most popular web app category in the United Kingdom. This demonstrates the scale of potentially affected users, and why action needs to be taken quickly to avoid security flaws. 

A graph depicting the rise in Laravel Usage Statistics. The statistics range from the years 2013-2019.
Laravel Usage Statistics: https://trends.builtwith.com/framework/Laravel

The vulnerability is related to the __destruct method of the PendingCommand class in PendingCommand.php. It is a deserialization RCE (Remote Code Execution) vulnerability originating from a laravel core package and has shown to be triggered as long as the deserialized content is controllable. The access vector was through the network.

So what is the threat? In regards to CWE-502, when developers place restrictions on ‘gadget chains’ and method invocations that can self-execute during the deserialization process, this can allow attackers to leverage them to make unauthorized actions. For example, generating a shell. Manipulation with an unknown input leads to a privilege escalation vulnerability (code execution). Therefore, this vulnerability could have a negative impact on confidentiality, integrity and availability. Even worse, an attack can be initiated remotely with no form of authentication needed for exploitation. 

It is suggested to upgrade the laravel framework to version 5.7.27 or higher as soon as possible. So don’t waste any time! Or risk being vulnerable to potential cyber attacks!

CVE-2019-14933

Vulnerability Score: High — 8.8 (CVSS v3.0)

Platform: PHP

Component: bagisto

Affected versions: 0.1.5

Bagisto is a tailored e-commerce framework designed on some of the hottest open-source technologies such as Laravel, a PHP framework.  It cuts down on the resources needed to deploy an e-commerce platform (i.e. building online stores or migrating from physical stores). 

Alas, we regret to be the bearer of bad news. Version 0.1.5 of Bagisto has been found to contain a cross-site request forgery (CSRF) vulnerability which could result in client side manipulation that forces end users to execute unwarranted commands on a web application for which they are currently authenticated.  It should be noted that this compromised version allows for CSRF attacks under certain conditions, such as admin Uniform Resource Identifiers (URIs).  This CSRF vulnerability manipulates authenticated users’ browsers to send forged HTTP requests, including cookie sessions to exposed web applications. 

Here is some background information on the nature of CSRF attacks. Unlike remote code execution or command injection attacks, CSRF attacks specifically target state-changing requests as opposed to misappropriation of restricted data. Nonetheless, unauthorised state-changing requests can be equally bad; with the help of social engineering tactics (i.e. sending unwarranted links via email or chat support), attackers may trick end users into executing unsanctioned commands of the attackers’ choice. A successful CSRF attack could lead to vexing situations whereby attackers coerce end users into performing fund transfers, email address changes, and so forth. Furthermore, CSRF attacks can go as far as compromising entire web application systems upon gaining access to an administrator account.

In this context, hackers can trick end users by sending requests (i.e phishing emails) to lure them to open and display some apparently innocuous content in a new tab on the browser, which in turn, prompts it to execute the hidden malicious script, than can operate on behalf of the user.

This is a graphic illustrating the play-by-plat on how attackers can exploit the vulnerability to perform CSRF and remove important functionalities, which could lead to denial of services and loss of data on an e-commerce platform.
How attackers can exploit Bagisto open-source vulnerability

 The graphic above illustrates the play-by-play on how attackers can exploit this vulnerability to perform CSRF and remove important functionalities, which could lead to denial of services and loss of data on an e-commerce platform. 

In Step 1, the user first logs into the Bagisto admin page panel and subsequently  accesses a seemingly innocuous website on another tab in the user’s browser. This website contains a malignant script (placed by the hacker), and the action of accessing this tab will lead to Step 3 where the script will be executed; the browser is instructed by said script to perform any possible harmful action on behalf of the user in Step 3. This course of user action culminates in Step 4 with the server executing the requested malicious actions, such as deleting data on the admin panel.

Nonetheless, affected users will be glad to know that all versions of Bagisto following v0.1.5 are untouched by this CSRF vulnerability. So, there you have it – update your application to the latest version of the Bagisto framework at the soonest to avoid further exposure!

Spread the word on these vulnerabilities and their fixes to help us improve application security all-around. In any case, you can certainly expect more engaging reads on PHP in the near future. Until then!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Vulnerability Focus: PHP