Remembering the Vulnerabilities of 2014

With the New Year celebrations safely behind us, it’s time to look forward and plan for 2015. Before we can do that, however, we need to spend a few minutes to remember the vulnerabilities of 2014 and what we can take away from these.
Every year there are several zero-days and tons of undisclosed vulnerabilities fixed by software vendors. This year was a little different:
- The total number of disclosed vulnerabilities per year almost hit 10,000. Because of this, the maintainers of the CVE database announced that the CVE syntax would be modified, which now allows up to 10 million vulnerabilities to be assigned identifiers annually.
- Major “named” vulnerabilities like Heartbleed, Shellshock, Poodle, and WinShock were disclosed and became widely known within the security industry. These vulnerabilities were notable for their severe impact, widespread attack surface, and difficulty in patching.
- There was an increase in amplification distributed denial-of-service (DDoS) attacks. These attacks exploit weaknesses in network protocols to “elicit” large volumes of response packets from small requests, and those responses are “redirected” to a victim, producing the high traffic volumes used to deny service.
- Some good news – there were no Java zero-days in 2014! However, that doesn’t mean that Java vulnerabilities weren’t exploited. They are still being actively exploited by exploit kits. Users still running older versions of Java should upgrade.
- For Adobe products, it was a mixed story. Overall, the number of vulnerabilities in Adobe products declined from 2013. However, the number of vulnerabilities in Adobe Flash went up from 56 to 76. Vulnerabilities in Acrobat/Reader went down by almost 30%.
- There were a lot of vulnerabilities found in OpenSSL, not just Heartbleed. In 2014, 24 vulnerabilities were found – which equaled the number from the previous three years combined.
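The asymmetry that makes amplification attacks work also makes them visible from the reflector's side: a spoofed victim "sends" a few small requests to one of your UDP services and receives far more response bytes than it ever sent. The following is an added example, not code from the original post, that flags such peers in flow records. It assumes a constructed one-line-per-flow text format (`src_ip:src_port -> dst_ip:dst_port bytes`) and constructed addresses; the thresholds are assumptions to tune for your environment.

```python
"""Spot peers that receive far more response traffic from one of our UDP
services than they send to it (a sign we are being used as a reflector).

Added example, not from the original post. Flow format, addresses and
thresholds are constructed assumptions.
"""
from collections import defaultdict

# UDP services commonly abused for amplification: DNS, NTP, SSDP, chargen, QOTD.
OUR_SERVICE_PORTS = {53, 123, 1900, 19, 17}


def parse_flow(line):
    """Parse 'src_ip:src_port -> dst_ip:dst_port bytes' into a tuple."""
    src, _, dst, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return src_ip, int(src_port), dst_ip, int(dst_port), int(nbytes)


def find_reflection_victims(flow_lines, our_hosts, min_ratio=10.0, min_out_bytes=10_000):
    """Return {(server, service_port, peer): (bytes_in, bytes_out, ratio)} for
    peers whose response volume from one of our services exceeds what they sent
    by at least min_ratio. A genuine client roughly balances; a spoofed victim
    address sends almost nothing and receives a flood."""
    bytes_in = defaultdict(int)   # requests from peer to our service
    bytes_out = defaultdict(int)  # responses from our service to peer
    for line in flow_lines:
        src_ip, src_port, dst_ip, dst_port, nbytes = parse_flow(line)
        if dst_ip in our_hosts and dst_port in OUR_SERVICE_PORTS:
            bytes_in[(dst_ip, dst_port, src_ip)] += nbytes
        elif src_ip in our_hosts and src_port in OUR_SERVICE_PORTS:
            bytes_out[(src_ip, src_port, dst_ip)] += nbytes

    suspects = {}
    for key, out in bytes_out.items():
        inbound = bytes_in.get(key, 0)
        ratio = out / inbound if inbound else float("inf")
        if out >= min_out_bytes and ratio >= min_ratio:
            suspects[key] = (inbound, out, ratio)
    return suspects


def constructed_flows():
    """Constructed sample: 198.51.100.10 is our NTP server. 203.0.113.7 appears
    as the source of 30 tiny requests, each answered with three large replies
    (amplification); 192.0.2.44 is an ordinary client with balanced traffic."""
    flows = []
    for _ in range(30):
        flows.append("203.0.113.7:51000 -> 198.51.100.10:123 40")
        flows.extend(["198.51.100.10:123 -> 203.0.113.7:51000 482"] * 3)
    for _ in range(20):
        flows.append("192.0.2.44:40001 -> 198.51.100.10:123 48")
        flows.append("198.51.100.10:123 -> 192.0.2.44:40001 48")
    flows.append("192.0.2.44:40002 -> 198.51.100.10:80 300")  # unrelated web hit
    return flows


if __name__ == "__main__":
    for (server, port, peer), (inb, out, ratio) in find_reflection_victims(
            constructed_flows(), {"198.51.100.10"}).items():
        print(f"{server}:{port} -> {peer}: in={inb} out={out} ratio={ratio:.1f}x")
```

Running the block reports only the spoofed peer, with about 36x more bytes leaving the NTP service toward it than arriving from it. Disabling or rate-limiting the abusable query types (for example NTP's monlist) removes the amplification at the source; this check is for noticing that you have become part of someone else's attack.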
With the above events in mind, what should be some of our key takeaways from all this?
- Even old applications can still have uncovered vulnerabilities, as we saw with Heartbleed and Shellshock.
- Open source software is said to be inherently more secure, as it goes through more reviewers (and thus, more opportunities for any vulnerabilities to be spotted). However, that is not necessarily the case, as OpenSSL and Bash showed.
- The CVSS score is not the be-all and end-all of vulnerability severity. After all, Heartbleed only received a CVSS score of 5.0! Assess the impact of vulnerabilities depending on your organization’s situation and applications. Take the CVSS score with a grain of salt!
- Upgrade older versions as soon as possible. Patch as soon as your situation allows it.
- Continuously review your security posture and plan your investments in information security tools and practices accordingly. Employee coaching is a key part in securing a company’s information. At the same time, ensure that you make the best use of your security solutions – e.g. by configuring them properly, tuning them to your requirements etc.
- Implement a least-privilege access policy. Many exploits today obtain the privileges of the logged-in user; a least-privilege access policy would help mitigate the damage from these exploits.
There were some other things in 2014 that were not unexpected, but still significant.
- There were eight zero-days in Internet Explorer and four in Adobe Acrobat/Reader. There are alternative browsers and PDF readers available; consider your options.
- For web servers, zero-days were found in both Apache Struts and WordPress (as well as WordPress plugins). What’s clear is that, aside from the server software itself, added plugins have to be considered a possible source of risk as well.
No matter how many zero-days or Heartbleed/Shellshock-type vulnerabilities we may see, we should never forget that the fundamental vulnerabilities in web applications such as SQL Injection, Cross Site Scripting (XSS), broken authentication etc. are still very prevalent. They are, quite often, the reason behind the big data breaches that occur.
Also, we should never forget the best practices: controlling access to data, encrypting it as much as we can, and ensuring the right security products are in place to shield against vulnerabilities quickly.

All the best,
Frederick
Technical Lead Nordics
https://www.linkedin.com/profile/view?id=203862061

Frederick Wennmark - Trend Micro

Four steps

In today’s world of frequent targeted attacks – when breaches are a matter of when and not if – a carefully crafted strategy to respond to targeted attacks must be part and parcel of the larger defense strategy. This can be the difference between a minor nuisance and a major breach that could spell the demise of an organization.
The SANS Institute provides some guidelines to organizations on how they should react to incidents. Broadly speaking, however, the response can be divided into four steps:

  • Prepare
  • Respond
  • Restore
  • Learn


2015 Predictions: The Invisible Becomes Visible

These are the trends that we think will shape 2015:

– More cybercriminals will turn to darknets and exclusive-access forums to share and sell crime ware.
– Increased cyber activity will translate to better, bigger, and more successful hacking tools and attempts.
– Exploit kits will target Android, as mobile vulnerabilities play a bigger role in device infection.
– Targeted attacks will become as prevalent as cybercrime.
– New mobile payment methods will introduce new threats.
– We will see more attempts to exploit vulnerabilities in open source apps.
– Technological diversity will save IoE/IoT devices from mass attacks but the same won’t be true for the data they process.
– More severe online banking and other financially motivated threats will surface.

More details about these predictions can be found at Trend Micro Security Predictions for 2015 and Beyond.


Server admins, start your Windows Update….Now!

Microsoft may have a massive problem on its hands with a critical patch issued via Windows Update today.

The patch in question is MS14-066, otherwise known by the cryptic name “Vulnerability in Schannel Could Allow Remote Code Execution,” which affects Windows Server 2003/2008/2012, Vista, 7, 8, 8.1 and Windows RT.

You know what’s really a pain? It affects everything running a modern version of Windows, meaning we all need to patch a lot of machines as soon as possible. Microsoft also says that there is no workaround or other way to mitigate the attack; only the patch helps.

Trend Micro Deep Security customers with Virtual Patching are of course protected. If you can’t run Windows Update right now, you can use our DPI rules, which were released even before Microsoft announced the vulnerability publicly.


Attackers Exploit Drupal Vulnerability

Problem:

A mass, automated attack has potentially compromised a large share of the websites running the popular Drupal content management system, by way of a vulnerability present in the majority of them.

More than 1 million websites use Drupal. The risk now is that attackers have likely already exploited hundreds of thousands of sites that still have the Drupal flaw, which allows attackers to inject SQL code into a site and seize control of it.

Solution:
Organizations with Trend Micro Deep Security installed and using the IPS module are safe. The General SQL Injection rule stops this attack.
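An IPS rule buys time, but the Drupal flaw above and the "fundamental vulnerabilities" named in the earlier post share one root cause: user input spliced into SQL text. The following is an added example, not Drupal's code and not from the original posts, showing a lookup written both ways against an in-memory SQLite table with constructed rows. The probe string is the textbook tautology, included only to make the difference between the two versions observable.

```python
"""A string-built query beside its parameterized form.

Added example, not code from Drupal or from the original posts. Uses an
in-memory SQLite database with constructed rows.
"""
import sqlite3


def make_db():
    """Constructed sample table of users and roles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "editor"), ("carol", "author")])
    return conn


def lookup_vulnerable(conn, name):
    """The caller-supplied value becomes part of the SQL text, so the database
    cannot tell where the statement ends and the data begins."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The value is bound separately from the statement; whatever it contains,
    it is only ever compared against the name column, never parsed as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Constructed probe: a quote that closes the literal plus an always-true clause.
PROBE = "nobody' OR '1'='1"


def rows_returned(lookup, name):
    """Number of rows a lookup function hands back for the given input."""
    return len(lookup(make_db(), name))


if __name__ == "__main__":
    print("vulnerable, normal input :", rows_returned(lookup_vulnerable, "alice"))
    print("vulnerable, probe input  :", rows_returned(lookup_vulnerable, PROBE))
    print("parameterized, probe     :", rows_returned(lookup_parameterized, PROBE))
```

With the probe, the string-built query returns every row in the table while the parameterized one returns none, because no user is literally named `nobody' OR '1'='1`. Parameter binding is the fix; a network-level signature such as the General SQL Injection rule is the shield you hold up until the code is changed.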
