🚨Incoming: Key Insights from CISA's FY23 Risk and Vulnerability Assessment: Strengthening Critical Infrastructure Security🚨

As America's Cyber Defense Agency, CISA's FY23 Risk and Vulnerability Assessment (RVA) report, based on over 100 RVAs, provides essential insights into the cyber threats facing federal agencies and critical infrastructure.

🔑 Key Attack Vectors:
🔹Phishing & Default Credentials: "Assessors completed their most successful attacks via common methods, such as phishing, valid accounts, and default credentials," demonstrating the ongoing risk of fundamental cyber hygiene failures.
🔹Valid Accounts: "The number of valid accounts used in privilege escalation and lateral movement increased significantly," highlighting how attackers exploit identity mismanagement to gain deeper network access.
🔹Misconfigurations: "CISA assessment personnel used common vulnerabilities facilitated by shortcomings in secure-by-design and default principles and other misconfigurations to compromise systems."

🔐 Entities should implement mitigations-centered intrusion prevention, such as:
🔹Deploying a centralized cyber threat intelligence platform to monitor and log critical data and use the platform to detect and remediate abnormal behavior promptly.
🔹Implementing a secure network security architecture with multiple layers of protection—using next-generation firewalls, granular access controls, network segmentation, SIEM/SOAR, robust encryption, and secure communication.
🔹Enhanced protection mechanisms alongside strong credential policies, such as phishing-resistant MFA, to safeguard sensitive accounts.

📊 This report, based on over 100 assessments, closely aligns with NIST SP 800-207 on Zero Trust Architecture and CISA's Zero Trust Maturity Model. The insights emphasize the importance of identity-centric security, segmentation, and least-privilege access—vital information for any cyber defender seeking to safeguard their environment against sophisticated threats.
#cybersecurity #criticalInfrastructure #zerotrust #CISA #RiskManagement
Vulnerability Intelligence Assessments
Summary
Vulnerability intelligence assessments help organizations identify, understand, and prioritize weaknesses in their digital systems by combining technical analysis with real-world threat information. These assessments highlight which vulnerabilities are actively exploited or most likely to be targeted, supporting smarter decisions to reduce cybersecurity risks.
- Prioritize action: Focus on vulnerabilities that pose a real risk by using up-to-date threat intelligence, rather than trying to fix everything at once.
- Monitor exposures: Regularly scan your network for outdated software, weak passwords, and unpatched systems to catch common entry points for attackers.
- Strengthen defenses: Adopt practices like using multi-factor authentication and segmenting networks to limit how much damage an attacker can do if they gain access.
-
Interesting new framework for vulnerability impact from Zoom, called VISS (Vulnerability Impact Scoring System). VISS departs from CVSS by focusing on demonstrated impact, not worst-case theoretical impact. VISS is also designed for use in bug bounty programs, where it can be used to score reported vulnerabilities in services as well as software itself, making it much more appropriate for cloud-based or SaaS software. At first glance, it's much simpler to parse than CVSS, with a focus on the typical CIA triad (Confidentiality, Integrity, Availability) mapped over a few dimensions like Platform and Data. Then aspects of SaaS systems like multi-tenancy and infrastructure layering are added into the mix so you can describe vulnerabilities like: "The attacker was able to compromise one sandbox layer but not manipulate underlying infrastructure", or "The attacker was able to read data from other tenants, but not manipulate it". I feel like I was able to understand the basic formula in a few minutes, so I really love the simplicity, because that's key to these numbers remaining meaningful. #viss #zoom #cybersecurity #infosec #vulnerabilitymanagement https://lnkd.in/e3q-BVJJ
-
Last week, I also had the opportunity to present new work on valuing cyber vulnerabilities using asset pricing at University of Arizona's finance department, providing a new quantification of cyber costs.

Cybersecurity threats continue to dominate the agendas of CEOs and global risk reports, yet many firms fail to adequately address their vulnerabilities. High-profile incidents, such as the 2024 breaches at CDK Global and AT&T, demonstrate the staggering impact cybersecurity failures can have. But what are the costs? We actually know very little about the costs because estimates are all over the place.

In this new paper with Tim Liu and Erick Galinkin, we introduce a novel measure of cybersecurity exposures, leveraging data from Rapid7 to provide a *direct* assessment of vulnerabilities in the network infrastructure of Fortune 500 firms. Unlike traditional methods that rely on text analysis of financial statements or disclosures, this measure simulates port scan attacks to identify high-risk network ports exposed to the public internet. The new measure focuses on identifying accessible ports that are particularly vulnerable, such as Telnet, SMB, SSH, and RDP, using publicly available IP data. This approach mirrors hacker behavior by pinpointing weaknesses without breaching confidentiality. It offers a more granular, supply-side view of vulnerabilities, capturing risks that text-based analyses or breach disclosures might overlook.

Key Findings
1) Financial Costs of Exposure: Firms with greater cybersecurity vulnerabilities underperform their low-exposure peers by 0.42% monthly in equal-weighted returns, translating to an $87 million monthly market value loss for the median firm.
2) Correlation with Breaches: High-exposure firms are significantly more likely to experience cybersecurity breaches, underscoring the real-world implications of these vulnerabilities.
3) Impact of Labor Shortages: Tight markets for cybersecurity talent exacerbate the financial and operational consequences of exposures, as firms struggle to address vulnerabilities effectively (e.g., see years of writing by Will Markow on this matter).
4) Managerial Inattention: Firms often address cybersecurity reactively, with breaches prompting improvements in board composition and reduced exposures.

Firms that neglect vulnerabilities not only face operational risks, but also significant declines in shareholder value. Moreover, the findings suggest that a lack of specialized knowledge among investors and labor shortages allow cybersecurity weaknesses to persist unpriced. By offering a direct and scalable method to assess vulnerabilities, our paper sets a new standard for measuring cybersecurity risk and highlights the economic impact of neglecting this critical aspect of modern business. #Cybersecurity #RiskManagement #CorporateGovernance #AssetPricing #TechEconomics #CyberResilience
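The exposure measure described in the post above counts high-risk services (Telnet, SMB, SSH, RDP) reachable from the public internet and attributes them to the firm that owns the address space. The script below is an added illustration of that attribution and counting step, not the paper's code or Rapid7 data: it takes scan output you already hold (here a constructed block of `ip port/proto state` lines using RFC 5737 documentation addresses) and a constructed firm-to-CIDR mapping, filters to open TCP ports on the high-risk list, de-duplicates repeated observations of the same service, and reports a per-firm count plus a rate normalised by the size of the firm's address space. It performs no scanning itself.

```python
"""Attribute exposed high-risk services to firms and compute an exposure rate.

Added example, not the paper's or Rapid7's code. SCAN_SAMPLE and RANGES_SAMPLE
are constructed: the addresses are documentation ranges, not real allocations.
"""
import ipaddress
from collections import defaultdict

# Services the post singles out as high risk when reachable from the internet.
HIGH_RISK_PORTS = {23: "telnet", 22: "ssh", 445: "smb", 3389: "rdp"}

# Constructed firm -> public IP ranges (RFC 5737 documentation prefixes).
RANGES_SAMPLE = {
    "Firm A": ["203.0.113.0/25"],
    "Firm B": ["198.51.100.0/24"],
    "Firm C": ["192.0.2.0/26"],
}

# Constructed scan output: one "ip port/proto state" record per line.
SCAN_SAMPLE = """\
203.0.113.5 23/tcp open
203.0.113.5 443/tcp open
203.0.113.9 3389/tcp open
203.0.113.12 445/tcp filtered
198.51.100.7 22/tcp open
198.51.100.7 22/tcp open
198.51.100.20 80/tcp open
192.0.2.3 8080/tcp open
"""


def parse_scan(text):
    """Yield (ip, port, proto, state) tuples from the simple line format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, port_proto, state = line.split()
        port, proto = port_proto.split("/")
        yield ipaddress.ip_address(ip), int(port), proto, state


def attribute(ip, ranges):
    """Return the firm whose address space contains ip, or None if unassigned."""
    for firm, cidrs in ranges.items():
        if any(ip in ipaddress.ip_network(cidr) for cidr in cidrs):
            return firm
    return None


def exposure_by_firm(scan_text, ranges):
    """Count distinct open high-risk (ip, port) pairs per firm.

    Only 'open' TCP ports on the high-risk list count; 'filtered' results and
    ordinary web ports are ignored, and repeated observations of the same
    service are collapsed so a rescanned host is not counted twice."""
    exposed = defaultdict(set)
    for ip, port, proto, state in parse_scan(scan_text):
        if proto != "tcp" or state != "open" or port not in HIGH_RISK_PORTS:
            continue
        firm = attribute(ip, ranges)
        if firm is not None:
            exposed[firm].add((str(ip), port))

    report = {}
    for firm, cidrs in ranges.items():
        address_count = sum(ipaddress.ip_network(c).num_addresses for c in cidrs)
        services = exposed.get(firm, set())
        report[firm] = {
            "exposed_services": len(services),
            "per_1k_addresses": 1000 * len(services) / address_count,
            "services": sorted(HIGH_RISK_PORTS[p] for _, p in services),
        }
    return report


if __name__ == "__main__":
    for firm, row in exposure_by_firm(SCAN_SAMPLE, RANGES_SAMPLE).items():
        print(f"{firm}: {row['exposed_services']} exposed "
              f"({row['per_1k_addresses']:.2f} per 1k addresses) {row['services']}")
```

Normalising by address space matters when comparing firms of very different sizes; a firm with one exposed RDP host in a /16 is in a different position from one with the same host in a /26. Note that a `filtered` result is deliberately not counted, since the service was not demonstrated reachable.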
-
Risk and Vulnerability Assessment

Cybersecurity and Infrastructure Security Agency (CISA) recently released their FY 2023 Risk and Vulnerability Assessment (RVA) Report. The report combines findings from 143 RVAs across multiple critical infrastructure sectors. They overlaid the RVAs to MITRE ATT&CK, ultimately mapping real world activities to 11 of the 14 tactics. The information is very useful, and can be used to mitigate organizational risk, implement mitigations and understand technical attack paths.

Some key themes:
- Valid accounts were the MOST successful attack technique, involved in 41% of successful attacks. This aligns with other reports which emphasize the role of compromised credentials in data breaches/incidents and the importance of identity as the new perimeter.
- Exploiting public facing applications and externally exposed remote services was a core focus of APTs
- End of life software and unpatched systems were a key target
- A lack of network segmentation and weaknesses in network topologies and tooling helped facilitate lateral movement
- An insane 94.4% of assessed entities had DEFAULT passwords in place

These along with many other key takeaways are in the report, which is well organized and actionable. Check it out! 👇 #cyber #ciso #zerotrust
-
What is important to you in vulnerability management - fixing every identified and validated vulnerability or remediating the most attention-needing ones that can get exploited by active attackers? Utilizing exploitation intelligence from sources like the Exploit Prediction Scoring System (EPSS) and CISA's Known Exploited Vulnerabilities (KEV) allows organizations to adopt a more nuanced approach to effective vulnerability management. EPSS provides predictive insights, offering probabilities of potential future exploits and helping to prioritize vulnerabilities based on their risk of being exploited. In contrast, CISA’s KEV catalog provides concrete data on vulnerabilities that are currently being actively exploited. By leveraging such sources in conjunction, organizations can effectively address immediate threats identified by CISA's KEV while also preparing for future risks as indicated by EPSS, thus creating a layered and forward-thinking vulnerability management defense strategy. #exploit #epss #cisa #kev
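The post above argues for layering KEV (confirmed exploitation) over EPSS (predicted exploitation) rather than patching by CVSS alone. The script below is an added example of that layering, not code from CISA, FIRST or any vendor: KEV membership is treated as a hard "act now" signal, EPSS above a threshold puts a finding on the patch schedule, and everything else is monitored. The KEV set, EPSS scores and scanner findings are constructed sample data; in practice they come from the KEV JSON feed and the EPSS CSV.

```python
"""Tier findings by CISA KEV membership first, then EPSS probability.

Added example (not CISA's, FIRST's or any vendor's code). KEV_SAMPLE,
EPSS_SAMPLE and FINDINGS_SAMPLE are constructed stand-ins for the real
KEV catalogue, the EPSS feed and a scanner export.
"""
from dataclasses import dataclass

# Constructed stand-in for the KEV catalogue: CVE ids with confirmed exploitation.
KEV_SAMPLE = {"CVE-2024-0001", "CVE-2023-0002"}

# Constructed stand-in for an EPSS feed: CVE id -> probability of exploitation
# activity in the next 30 days.
EPSS_SAMPLE = {
    "CVE-2024-0001": 0.93,
    "CVE-2023-0002": 0.04,   # in KEV despite a low EPSS score
    "CVE-2024-0003": 0.71,
    "CVE-2022-0004": 0.01,   # critical CVSS, but rarely exploited
    "CVE-2024-0005": 0.35,
}


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    internet_exposed: bool


# Constructed scanner export.
FINDINGS_SAMPLE = [
    Finding("CVE-2022-0004", "db-01", 9.8, False),
    Finding("CVE-2024-0003", "web-02", 7.5, True),
    Finding("CVE-2023-0002", "vpn-01", 6.5, True),
    Finding("CVE-2024-0001", "mail-01", 8.8, True),
    Finding("CVE-2024-0005", "app-03", 5.3, False),
]

TIER_ORDER = {"act-now": 0, "schedule": 1, "monitor": 2}


def tier_for(cve, kev, epss, epss_threshold=0.3):
    """KEV membership is a hard signal and wins regardless of EPSS or CVSS.
    Otherwise EPSS at or above the threshold puts the CVE on the patch schedule."""
    if cve in kev:
        return "act-now"
    if epss.get(cve, 0.0) >= epss_threshold:
        return "schedule"
    return "monitor"


def prioritise(findings, kev, epss, epss_threshold=0.3):
    """Return (tier, finding) pairs ordered by tier, then EPSS, then CVSS,
    with internet-exposed assets ahead of internal ones on remaining ties."""
    tiered = [(tier_for(f.cve, kev, epss, epss_threshold), f) for f in findings]
    tiered.sort(key=lambda tf: (
        TIER_ORDER[tf[0]],
        -epss.get(tf[1].cve, 0.0),
        -tf[1].cvss,
        not tf[1].internet_exposed,
    ))
    return tiered


def tier_counts(findings, kev, epss, epss_threshold=0.3):
    """How much of the backlog lands in each tier; useful for reporting."""
    counts = {"act-now": 0, "schedule": 0, "monitor": 0}
    for tier, _ in prioritise(findings, kev, epss, epss_threshold):
        counts[tier] += 1
    return counts


if __name__ == "__main__":
    for tier, f in prioritise(FINDINGS_SAMPLE, KEV_SAMPLE, EPSS_SAMPLE):
        print(f"{tier:9} {f.cve} {f.asset:8} cvss={f.cvss} "
              f"epss={EPSS_SAMPLE.get(f.cve, 0.0):.2f}")
```

With this data the CVSS 9.8 database finding sorts last, because nothing indicates it is being exploited, while the CVSS 6.5 VPN finding sorts second because it is in KEV even though its EPSS score is tiny. That inversion is the whole point of combining the two sources; the `epss_threshold` is a policy knob to tune against your patching capacity.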
-
Frequently, I'm asked if there are earlier indicators that a vulnerability might be actively being exploited and be added to Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (CISA KEV) catalog. Yes, there are many vulnerability intelligence sources that often have indicators of exploitation ahead of a KEV addition. Some of these are commercial, and others are openly available OSINT sources. One of the many sources that does a decent job at catching early indicators that a vulnerability might land on CISA KEV is when a vulnerability has an associated GreyNoise Intelligence tag. GreyNoise Intelligence recently introduced a Tag dashboard where you can explore GreyNoise Tag coverage, and there are several charts, including this one created by the GreyNoise team and boB Rudis, that are freely available. There are 255 GreyNoise tags with a corresponding KEV entry, which is roughly 25% of CISA KEV. GreyNoise tied or beat the KEV 62.83% of the time, highlighting that GreyNoise tags are one of many early indicators that a vulnerability has a higher likelihood of being added to CISA KEV. Happy Holidays to Andrew Morris! 🎅 #cybersecurity #infosecurity #vulnerabilitymanagement #riskmanagement #threatintelligence
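The "tied or beat" figure in the post above is a lead-time comparison between the date a GreyNoise tag was created and the date the same CVE was added to KEV. The script below is an added example of computing that comparison yourself, not GreyNoise's or CISA's code: given per-CVE records (constructed here, with illustrative CVE ids and dates), it reports tag coverage of KEV, the share of tagged CVEs where the tag was created on or before the KEV date, the median lead in days, and the list of CVEs that are tagged but not yet in KEV, which is the watch list the post is really about.

```python
"""Measure how often a GreyNoise tag precedes a CISA KEV addition.

Added example; not GreyNoise's or CISA's code. RECORDS_SAMPLE is constructed:
the CVE ids and dates are illustrative, not real catalogue data.
"""
from datetime import date
from statistics import median

# Constructed records: (cve, date added to KEV or None, GreyNoise tag created or None)
RECORDS_SAMPLE = [
    ("CVE-2023-1001", date(2023, 3, 10), date(2023, 3, 1)),   # tag 9 days before KEV
    ("CVE-2023-1002", date(2023, 5, 2),  date(2023, 5, 2)),   # same day: counts as a tie
    ("CVE-2023-1003", date(2023, 6, 15), date(2023, 6, 20)),  # tag 5 days after KEV
    ("CVE-2023-1004", date(2023, 8, 1),  None),               # in KEV, never tagged
    ("CVE-2023-1005", date(2023, 9, 9),  date(2023, 8, 30)),  # tag 10 days before KEV
    ("CVE-2024-1006", None,              date(2024, 1, 5)),   # tagged, not (yet) in KEV
]


def lead_time_stats(records):
    """Coverage and lead time of tags relative to KEV, over CVEs that are in KEV."""
    in_kev = [r for r in records if r[1] is not None]
    tagged = [r for r in in_kev if r[2] is not None]
    # Positive lead = the tag existed before the KEV entry; zero = same day.
    leads = [(kev_added - tag_created).days for _, kev_added, tag_created in tagged]
    tied_or_beat = sum(1 for d in leads if d >= 0)
    return {
        "kev_total": len(in_kev),
        "tagged": len(tagged),
        "tag_coverage": len(tagged) / len(in_kev) if in_kev else 0.0,
        "tied_or_beat": tied_or_beat,
        "tied_or_beat_rate": tied_or_beat / len(tagged) if tagged else 0.0,
        "median_lead_days": median(leads) if leads else None,
    }


def early_indicators(records):
    """CVEs with a tag but no KEV entry: the list a defender should review
    before the official catalogue catches up."""
    return sorted(cve for cve, kev_added, tag_created in records
                  if kev_added is None and tag_created is not None)


if __name__ == "__main__":
    stats = lead_time_stats(RECORDS_SAMPLE)
    print(f"{stats['tagged']}/{stats['kev_total']} KEV entries tagged "
          f"({stats['tag_coverage']:.0%}); tag tied or beat KEV "
          f"{stats['tied_or_beat_rate']:.1%} of the time, "
          f"median lead {stats['median_lead_days']} days")
    print("tagged but not in KEV:", early_indicators(RECORDS_SAMPLE))
```

The same-day case is counted as a tie on purpose, matching the post's "tied or beat" wording. The median lead, rather than the mean, keeps one very early tag from distorting the picture; the early-indicator list is where the operational value lies, since it surfaces vulnerabilities with observed scanning activity before any catalogue entry exists.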