SecPro #52: Patching Issues, Detecting Broken Buckets, and Securing Your Websites
Happy birthday, SecPro! A whole year has passed since the SecPro started up in its infancy and grew to become a newsletter which 10,000 people read every week. It’s been quite a journey too – we’ve covered the Log4Shell crisis, the Russian-Ukrainian cyberwar as it broke, and a variety of malware and hacking gangs who were determined to overcome the cybersecurity world.
As a thanks for staying with us this long, fill in the survey below to claim your free Packt eBooks. We’ll make sure that new and exciting offers come your way over the next year, including sneak peeks at new publications that our team is working on.
Also, be ready to receive the first SecPro Super Issue of 2022 tomorrow, all about a piece of ransomware that we had covered briefly in the past. Surely there’s nothing better than pulling up a technical report on a Saturday afternoon with a cup of tea, right?
Cheers!
Austin Miller
Editor-in-Chief
Threat detection
Patching – Leaving the Door Wide Open
It’s Security 101: keep your systems updated with the latest security patches. As security professionals it’s probably the first piece of advice you ever gave. This was especially true for the Windows Operating System (OS) way back in time when cyber criminals were — depending on how you look at it — perhaps not as sophisticated, smart or just plain sneaky as they are today.
The attack vector was a big attack surface around the time of Windows Millennium Edition. Professionals were constantly emphasising the importance of keeping the OS patched with the latest Microsoft Updates. Of course, back in those days, the Apple Mac user base would look down in smug satisfaction with the belief that their chosen OS was ‘bullet proof’ giving them immunity from such trivialities as Security. That turned out to be a false sense of security, but let’s leave the whole Windows vs Mac debate for another time & place…
The only user group that could claim some kind of moral high ground were the users of
Linus Torvalds Operating System. Whilst Linux is by no means immune to the need of Patching, by its very nature is inherently more secure that the Operating Systems primarily aimed at the domestic market and its user base. The point I’m making, albeit rather long-winded way is that Patching has always been the first line of defence keeping systems secure.
The security landscape has evolved since those times, but the one constant that remains true is that Patching remains important, and the first line of defence. Now that we have established and understood the importance of keeping our systems Patched we’ll now look at some of the challenges we face. To put this into some context, around the time of Windows Millennium the Mitre ATT&CK database numbered around 1000 CVEs. As of 2021 this had grown to over 20,000. Clearly this presents a logistical nightmare for security teams in keeping up to date with the latest threats to our infrastructure, endpoints, devices & applications.
Vulnerability Management vs Vulnerability Patching
Understanding how vulnerability management differs from vulnerability patching is crucial in constructing and defining a policy to ensure we keep our critical operating systems, applications & infrastructure secured.
Vulnerability management
Vulnerability management is knowing what to patch, how to rollout updates, which patches to apply and in what order and when. Most enterprises lack a mature service catalogue, if at all. Who needs asset management, right?
Knowing what you are protecting then identifying the owners responsible for patching becomes the next obstacle. What should be a simple process is sometimes made difficult just by operational organisation & procedures. For example, consider a Windows Server VM running Active Directory & DNS Services but also provides radius for the enterprise Wi-Fi authentications. Here we have a typical use case of various teams having services running on a single server. Potentially the VM team would have an interest, equally so would the Windows Server Team and the Network team. Just to add into the mix the DNS service is being used for GSLB by the Citrix team.
So, in this example just who would be responsible for patching the server? Once we’ve decided who should be patching, we then have to juggle each part of the business needs for when to schedule the update. Then finally we need to put this through change management who insist that the patch is fully tested before rolling out into production. Scale this exponentially across a large estate and you see the challenge. Although, this team structure may not be applicable in small businesses that may not have such a developed organisational structure this is certainly a typical environment in large national or multinational enterprise with structured DevOps teams.
Vulnerability patching
Vulnerability patching on the other hand, as we have already stated, is challenged by not having full visibility into devices or applications. Patching is the actual process of updating vendor software, or hardware to fix identified flaws. Having a vulnerability scanner is essential to help us identify these flaws utilising frequent scans to help identify vulnerabilities. Options include online or on-premises solutions. Assisting with this are EDR solutions that can help us manage endpoints proactively. This should include all our systems, software, applications and network infrastructure. Gaps in visibility can occur when new servers, endpoints or devices are deployed which the scanner is not aware of. Making sure we don’t miss these should be included in the Vulnerability Management policy and within the patching policy.
Fortunately, many tools exist to help security teams apply patches such as Microsoft Systems Configuration Manager (SCCM) – since renamed Microsoft Endpoint Configuration Manager. Alongside this many organisations deploy WSUS which is the Windows Server Update Service. Assisting Network configurations Solar Winds NCM provides continuous monitoring and real-time change detection. Looking at Patching from a vendor agnostic viewpoint crucially Patching should be scheduled with High or Critical vulnerabilities Patched outside of regular schedules to ensure the best possible protection. Understanding the risk of applying the latest Patch as opposed to not doing so may involve discussions with various stakeholders, for example the Risk team, Networks or Security Operations and should be considered in the policy.
Summary
Patching is not just about applying the updates, the Vulnerability Management Policy is equally as important, if not more so. Without a clearly defined process, updating our systems can be confused, disjointed or mismanaged. This part of securing our systems is too important not to be considered a priority. As adversaries become more sophisticated, we must ensure that our Vulnerability Management and Vulnerability Patching processes and procedures are of the best possible standard. Organisational structures are a key factor in the process with smaller, more agile teams taking on the whole responsibility themselves. With larger, more fragmented organisations Patching becomes a major challenge. Despite being “Security 101”, it can quite easily become “Security 999”.
How to Detect AWS S3 Bucket Misconfiguration using Open-Source tools
Ever since the emergence of cloud computing, Cloud Services and their offerings have been increased exponentially overtime. Tech giants like Microsoft, AWS, and Google have provided the platform to build applications and services using their Cloud Infrastructure. Microsoft and AWS are competing with each other to become the market leader by providing number of services from IAAS, PAAS and SAAS to server less architecture etc.
Among the wide range of services provided by AWS, One of the major services used is S3 (Simple storage service).
What is AWS S3 and its purpose?
S3 stands for simple storage service. A flexible, scalable service offered by AWS to host the data for short term and long term goals.
S3 buckets can act as a back-end environment for hosting static websites and database just to store the media for applications to access it from cloud to avoid Infrastructure expenses. With increasing demand, AWS also started expanding their services horizontally and vertically scalable. Due to this S3 became part of the application ecosystem and also visible attack surface.
What are AWS S3 Bucket Misconfigurations?
S3 bucket creation process includes configuring bucket policies, IAM access, disclosing data to public, secure traffic, Transfer of data in case of DRS. If we do not give attention and overlook critical configuration, this might lead to misconfiguration and also a target for attackers to exploit and access the sensitive information.
According to statistics by security firm Sky-high Networks, 7% of all S3 buckets have unrestricted public access, and 35% are unencrypted.
By default when we create a S3 bucket, AWS create it as a private with a default admin role assigned to it with full access. Along with that it will create a narrow Access Control Lists (ACL) in a way that very limited users have access to the bucket.
Want to read the rest of the article? Click the link below!
Web Security
Tips for Purchasing and Installing an SSL Certificate
By Nazifa Alam
The Importance of SSL Certificates
An SSL (Secure Sockets Layer) certificate is highly important as it assures internet users that a given site is authentic and enabled with encrypted connection. The purpose behind an SSL certificate is to also confirm the ownership of the domain. These certificates are frequently used by e-commerce sites that require customers to provide their personal and financial details.
By securing the data that is transferred between the two parties, SSL encryption can serve as a method for preventing hackers from extracting and selling personal information such as bank details and personal details. SSL certificates provide trust among users by providing verification for websites which serve as e-commerce sites.
The information that SSL certificates help to secure include:
- Login details.
- Financial details
- PII (Personal Identifiable Information) including name, address, date of birth and telephone number.
- Medical records
- Legal documents
Different Types of SSL Certificates
The different types of SSL certificates can be divided into the following categories:
Validation Level – Domain Validation, Organisation Validation and Extended Validation.
Domains – Single Domain, Wildcard and Multi-Domain.
If you want to find out how to get the most out of your SSL certificates, click the link below!
This Week’s Tutorials & Explainers
Another week with Gartner’s Top Twelve and this one should be very relevant to your needs – the Cybersecurity Mesh. Click the link to read the article!
No news is good news, but we’ve rounded up the big events of the last week to send to you anyway. Check out the future of FIDO and other stories by clicking the link.
Secret Knowledge: Building Your Security Arsenal
Here’s another edition of Secret Knowledge, with plenty of tools to help you test and secure your infrastructure systems. All tools are chosen by our crack team of researchers on the most important metric of all – sounding a bit interesting.
Validating SSL Certificates
- certifi/python-certifi: (Python Distribution) A carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
- sumanj/frankencert: Frankencert – Adversarial Testing of Certificate Validation in SSL/TLS Implementations
- spatie/ssl-certificate: A class to validate SSL certificates
Testing AWS S3 Bucket Misconfiguration
- Ebryx/S3Rec0n: A colorful cross-platform python script to test misconfigurations of AWS S3 buckets both through authenticated and unauthenticated checks!
- abuvanth/kicks3: S3 bucket finder from html,js and bucket misconfiguration testing tool
- VirtueSecurity/aws-extender-cli: AWS Extender CLI is a command-line script to test S3 buckets as well as Google Storage buckets and Azure Storage containers for common misconfiguration issues using the boto/boto3 SDK library.
Web Fuzzing Tools
- NESCAU-UFLA/FuzzingTool: Software for fuzzing, used on web application pentestings.
- phra/rustbuster: A Comprehensive Web Fuzzer and Content Discovery Tool
- CoolerVoid/0d1n: Tool for automating customized attacks against web applications. Fully made in C language with pthreads, it has fast performance.
- souvikinator/gofuzz: Fast as Flash Web URL Fuzzing tool written in golang.