Are there actually independent reviews of Greenbone solutions?
Of course – we are proud to present the latest report from a leading industry magazine: “IT-Administrator tried the system [solution from Greenbone] and was thrilled with its functionality”. (IT Administrator 01/2021)

In September 2020, the magazine IT-Administrator – a German professional journal for system and network administration – asked Greenbone if they could write a test report about a Greenbone appliance.

The report is currently published in the January issue of the magazine. Here you can read the detailed report.

In the test, IT-Administrator took a closer look at the GSM 150. The GSM 150 is a physical appliance designed for vulnerability management in small to medium-sized businesses, or organizations with medium-sized branch offices. It scans up to 500 IP addresses within 24 hours and can also be used as a sensor for larger appliances.

Everything that must be done in a standard deployment of a Greenbone Security Manager was tested: from the initial setup via the console, to configuring scans on the web interface, to evaluating a scan report.

For testing the vulnerability scans, IT-Administrator had prepared several target systems in different security states in order to examine the differences in the results. Authenticated scans were also part of the test.

Read the full article here (German only).

With the help of compliance policies, a company can check whether all components integrated in the system meet the required specifications. The increasing digitalization and the associated growth of new technologies create opportunities, but also risks. For this reason, the demands on compliance are increasing as well. With GOS 20.08, all compliance policies were made available via the Greenbone Security Feed and four new compliance policies were added: TLS-Map, BSI TR-03116: Part 4, Huawei Datacom Product Security Configuration Audit Guide and Windows 10 Security Hardening.

Compliance policies for different industries

What is a compliance policy anyway?

In addition to legal requirements, companies and public authorities often have their own guidelines that must be met for the secure configuration of a system. The aim is to ensure the information security of the company or authority by guaranteeing the confidentiality, integrity, availability and authenticity of information.

All specifications and guidelines that are necessary for this are summarized in one document to form a policy.

Based on the individual criteria of the guidelines, Greenbone develops vulnerability tests – roughly speaking: one criterion results in one vulnerability test. Greenbone combines these tests into a scan configuration.

Such scan configurations, which reflect policies of companies or authorities, are called Compliance Policies.


Example: a company releases a security policy with the following requirements:

  • Version 2 of software A is installed on the target system
  • SSH is activated on the target system
  • Software B is not installed on the target system

Greenbone develops a vulnerability test for each of the requirements, which checks whether the respective condition is fulfilled.

The three tests are then combined into a compliance policy that a user of the Greenbone solutions can choose when performing a vulnerability test. During the scan, it is checked whether the conditions mentioned above are met on the target system.
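The mapping described above, one requirement to one test and all tests bundled into a policy, as an added illustration in Python. This is not Greenbone code and does not use the NASL format in which the actual vulnerability tests are written; the inventory layout, the helper names and the two target inventories are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed scan inventory for one target (assumption: a scanner has
# already collected installed packages and service states in this shape).
COMPLIANT_TARGET = {
    "installed_software": {"software-a": "2", "software-c": "1.4"},
    "services": {"ssh": "enabled", "telnet": "disabled"},
}

# A second constructed target that violates two of the three requirements.
NONCOMPLIANT_TARGET = {
    "installed_software": {"software-a": "1", "software-b": "3"},
    "services": {"ssh": "enabled"},
}


@dataclass
class ComplianceTest:
    """One requirement of the policy, i.e. one vulnerability test."""
    name: str
    check: Callable[[dict], bool]


def software_version_is(package: str, version: str) -> ComplianceTest:
    return ComplianceTest(
        f"{package} version {version} is installed",
        lambda inv: inv["installed_software"].get(package) == version,
    )


def service_is_enabled(service: str) -> ComplianceTest:
    return ComplianceTest(
        f"{service} is activated",
        lambda inv: inv["services"].get(service) == "enabled",
    )


def software_is_absent(package: str) -> ComplianceTest:
    return ComplianceTest(
        f"{package} is not installed",
        lambda inv: package not in inv["installed_software"],
    )


@dataclass
class CompliancePolicy:
    """The scan configuration: every test derived from one policy document."""
    name: str
    tests: List[ComplianceTest] = field(default_factory=list)

    def evaluate(self, inventory: dict) -> Dict[str, bool]:
        # One result per requirement; a report would list the failures.
        return {t.name: bool(t.check(inventory)) for t in self.tests}


# The three requirements from the example policy in the text.
EXAMPLE_POLICY = CompliancePolicy("Example company policy", [
    software_version_is("software-a", "2"),
    service_is_enabled("ssh"),
    software_is_absent("software-b"),
])


def failed_requirements(inventory: dict,
                        policy: CompliancePolicy = EXAMPLE_POLICY) -> List[str]:
    """Names of the requirements the target does not meet (empty list = compliant)."""
    return [name for name, ok in policy.evaluate(inventory).items() if not ok]


if __name__ == "__main__":
    for label, target in (("compliant", COMPLIANT_TARGET),
                          ("noncompliant", NONCOMPLIANT_TARGET)):
        print(label, failed_requirements(target) or "all requirements met")
```

Each requirement stays an independent check, so adding a fourth line to the company's policy means adding a fourth `ComplianceTest` to the list without touching the others, which is the property that makes a policy maintainable as the guideline evolves.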


New: distribution of compliance policies via the Greenbone Security Feed

Starting with GOS 20.08, all standard scan configurations, report formats, port lists, and compliance policies of Greenbone are distributed via the Greenbone Security Feed.

Among other things, this allows scan configurations for current, urgent vulnerability tests to be published and distributed quickly. In the past, these were published as XML files for manual download on the Greenbone download website and had to be imported by the users themselves, which was tedious, left room for mistakes, and made rapid deployment hardly possible.

But this is not the only advantage. It also makes troubleshooting much easier and faster for the customer: objects can be updated and, if necessary, fixed for all setups with a single feed update.

In addition to this innovation, the Greenbone Security Feed has been extended by some important compliance policies.

More Compliance Policies in the Greenbone Security Feed

Four new compliance policies were added to the Greenbone Security Feed in the 4th quarter 2020:

  • TLS-Map
  • BSI TR-03116: Part 4
  • Huawei Datacom Product Security Configuration Audit Guide
  • Windows 10 Security Hardening

About the Special Scan Configuration TLS-Map

Note: TLS-Map is a scan configuration for special scans that are different from vulnerability scans. For reasons of simplicity, this special scan configuration is listed in this article along with the compliance policies.

The special scan configuration TLS-Map is helpful wherever secure communication over the Internet is required. TLS – short for Transport Layer Security – is a protocol for the secure transmission of data on the Internet. It is the successor of SSL – Secure Sockets Layer – which is why both protocols are still often used synonymously today. However, all SSL versions and TLS versions prior to version 1.2 have been outdated since 2020 at the latest and are therefore insecure.

The largest area of application for TLS is data transfer via the World Wide Web (WWW), for example between a web browser as the client and a server such as www.greenbone.net. Other areas of application are e-mail traffic and the transfer of files via the File Transfer Protocol (FTP).

The special scan configuration TLS-Map checks whether the required TLS version is available on the target system and whether the required encryption algorithms – so-called ciphers – are offered.

About the Compliance Policy BSI TR-03116: Part 4

The Technical Guideline BSI TR-03116 Cryptographic Requirements for Federal Projects from the Federal Office for Information Security (BSI) is used for Federal Government projects: whenever a federal project is implemented, this guideline must be fulfilled. It consists of 5 parts in total:

  • Part 1: Telematic infrastructure
  • Part 2: Sovereign identification documents
  • Part 3: Intelligent measuring systems
  • Part 4: Communications procedures in applications
  • Part 5: Applications of the Secure Element API

The compliance policy that Greenbone Networks has developed accordingly checks whether the requirements of the fourth part of the guideline are fulfilled. This part contains requirements for communication procedures.

The compliance policy BSI TR-03116: Part 4 in the Greenbone Security Feed tests the three main requirements of the technical guideline: the minimum TLS version, the ciphers that must be offered, and the ciphers that are not permitted.
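The three kinds of check that both the TLS-Map scan configuration and the BSI TR-03116: Part 4 policy perform (is the required protocol version offered, are outdated versions still enabled, are the required ciphers present and the disallowed ones absent) as an added Python example. This is not Greenbone's implementation and not the guideline's actual cipher lists: the observed service is a constructed scan result, and the policy values (minimum version, required suites, forbidden markers) are illustrative placeholders that a real policy would replace with the figures from the guideline.

```python
from typing import Dict, List, Tuple

# Protocol versions from oldest to newest; the index decides "below minimum".
TLS_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed scanner output for one service (documentation address, not a real host).
OBSERVED_SERVICE = {
    "host": "192.0.2.10",
    "port": 443,
    "versions": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "ciphers": [
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    ],
}

# Illustrative policy; the real BSI TR-03116-4 requirements are not reproduced here.
EXAMPLE_POLICY = {
    "min_version": "TLSv1.2",
    # Assumption for this example: every listed suite must be offered.
    "required_ciphers": {
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    },
    # Substrings that mark a suite as not permitted.
    "forbidden_markers": ("RC4", "3DES", "NULL", "MD5", "EXPORT", "anon"),
}

Finding = Tuple[str, str]  # (finding type, offending value)


def check_tls_service(observed: Dict, policy: Dict) -> List[Finding]:
    """Compare one service's offered versions and ciphers against a policy."""
    findings: List[Finding] = []
    min_idx = TLS_ORDER.index(policy["min_version"])
    offered_versions = observed["versions"]

    # 1. Every version below the minimum that is still enabled is a finding.
    for version in offered_versions:
        if TLS_ORDER.index(version) < min_idx:
            findings.append(("outdated_version_offered", version))

    # 2. The minimum version (or a newer one) must actually be available.
    if not any(TLS_ORDER.index(v) >= min_idx for v in offered_versions):
        findings.append(("min_version_unavailable", policy["min_version"]))

    # 3. Required ciphers that the service does not offer.
    offered_ciphers = set(observed["ciphers"])
    for cipher in sorted(policy["required_ciphers"] - offered_ciphers):
        findings.append(("required_cipher_missing", cipher))

    # 4. Offered ciphers that the policy forbids.
    for cipher in observed["ciphers"]:
        if any(marker in cipher for marker in policy["forbidden_markers"]):
            findings.append(("forbidden_cipher_offered", cipher))

    return findings


def is_compliant(observed: Dict, policy: Dict) -> bool:
    return not check_tls_service(observed, policy)


if __name__ == "__main__":
    for kind, value in check_tls_service(OBSERVED_SERVICE, EXAMPLE_POLICY):
        print(f"{OBSERVED_SERVICE['host']}:{OBSERVED_SERVICE['port']} {kind}: {value}")
```

The check deliberately reports an outdated version as a separate finding from a missing minimum version: a server that offers TLS 1.0 alongside TLS 1.2 passes the second test but still fails the first, and a report should show both facts independently so the operator knows which one to fix.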

About the Compliance Policy Huawei Datacom Product Security Configuration Audit Guide

Compliance policies for Huawei solutions have been part of the Greenbone Security Feed for quite some time.

Greenbone had already developed compliance policies for the following two solutions:

  • EulerOS: Linux operating system, based on CentOS
    Related compliance policy: EulerOS Linux Security Configuration
  • GaussDB: database management system (DBMS)
    Related compliance policy: GaussDB 100 V300R001C00 Security Hardening Guide

With a compliance policy for Huawei Datacom, a product category that also includes routers and switches with their own operating system, a third compliance policy for solutions developed by Huawei is now added.

For all three products – Huawei Datacom, EulerOS and GaussDB – Huawei has specified security configurations. Based on these, Greenbone has developed compliance policies which check compliance with those security configurations. Each compliance policy is applicable whenever the corresponding solution is present on the target system.

For the Huawei Datacom operating system, Huawei distributes the Huawei Datacom Product Security Configuration Audit Guide. The associated, newly developed compliance policy tests, for example, whether the correct versions of SSH and SNMP are available on the target system.

About the Compliance Policy Windows 10 Security Hardening

The compliance policy Windows 10 Security Hardening includes vulnerability tests to evaluate the hardening of Windows 10 according to industry standards.

Among other things, the compliance policy checks different password specifications such as age, length and complexity of the password, specifications for the assignment of user rights, and requirements for different system devices.
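How checks of this kind (password age, length, complexity, history, and which accounts hold a given user right) can be evaluated against a Windows local security policy, as an added Python example. It is not Greenbone's Windows 10 Security Hardening policy. It parses the INF layout that `secedit.exe /export` writes; the export below is a constructed excerpt rather than a capture from a real machine, and the thresholds in `PASSWORD_RULES` and the admin-only right list are assumptions chosen for the illustration, not the numbers of any particular benchmark.

```python
from typing import Callable, Dict, List, Tuple

# Constructed excerpt in the layout produced by `secedit /export /cfg <file>`
# (values invented for this example; SIDs S-1-5-32-544/555/546 are the well-known
# Administrators, Remote Desktop Users and Guests groups).
SECEDIT_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyNetworkLogonRight = *S-1-5-32-546
SeTakeOwnershipPrivilege = *S-1-5-32-544,*S-1-5-21-1000-2000-3000-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_secedit(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style parser: {section: {key: raw value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


# Assumed hardening thresholds for this illustration (key, predicate, expectation text).
PASSWORD_RULES: List[Tuple[str, Callable[[int], bool], str]] = [
    ("MinimumPasswordLength", lambda v: v >= 14, ">= 14 characters"),
    ("MaximumPasswordAge", lambda v: 1 <= v <= 60, "between 1 and 60 days"),
    ("MinimumPasswordAge", lambda v: v >= 1, ">= 1 day"),
    ("PasswordComplexity", lambda v: v == 1, "complexity enabled (1)"),
    ("PasswordHistorySize", lambda v: v >= 24, ">= 24 passwords remembered"),
    ("LockoutBadCount", lambda v: 1 <= v <= 10, "between 1 and 10 attempts"),
]

ADMINISTRATORS_SID = "*S-1-5-32-544"
# Assumption for the example: these rights may be held by Administrators only.
ADMIN_ONLY_RIGHTS = ["SeTakeOwnershipPrivilege"]


def audit_local_policy(text: str) -> List[Tuple[str, str]]:
    """Return (setting, explanation) for every setting that misses the rule."""
    cfg = parse_secedit(text)
    findings: List[Tuple[str, str]] = []

    access = cfg.get("System Access", {})
    for key, passes, expectation in PASSWORD_RULES:
        raw = access.get(key)
        if raw is None:
            findings.append((key, "not set, expected " + expectation))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append((key, f"unparseable value {raw!r}"))
            continue
        if not passes(value):
            findings.append((key, f"is {value}, expected {expectation}"))

    rights = cfg.get("Privilege Rights", {})
    for right in ADMIN_ONLY_RIGHTS:
        holders = [h.strip() for h in rights.get(right, "").split(",") if h.strip()]
        extra = [h for h in holders if h != ADMINISTRATORS_SID]
        if extra:
            findings.append((right, "also granted to " + ", ".join(extra)))
    return findings


if __name__ == "__main__":
    for setting, why in audit_local_policy(SECEDIT_EXPORT):
        print(f"FAIL {setting}: {why}")
```

Note that `LockoutBadCount = 0` means lockout is disabled, which is why the rule treats 0 as a failure rather than as "fewer attempts allowed"; a check written as a plain `<= 10` comparison would silently pass it.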

Even faster integration of compliance policies with GOS 20.08

As digitalization continues, compliance requirements are growing in companies of all sizes and in all industries.

Through the direct integration of compliance policies via the Greenbone Security Feed and the inclusion of new compliance policies, the testing of target systems is even more efficient, easier and quicker, thus increasing the protection of the IT infrastructure without the need for special compliance know-how. Of course, we continue to work on new compliance policies on an ongoing basis. So stay tuned!

Since we published our summarized findings about the data leaks related to unsecured PACS servers across the globe, one question remained when looking at the situation and the continued access we have to the majority of the systems we found and measured more than 3 months ago.

What else can we do to get as many systems as possible off the public Internet?

Within the software space, we have used responsible disclosures for some time (for example with D-Link earlier this year), so the idea was to apply the same logic.

Still, following that idea wasn’t easy and straightforward, as a couple of concerns had to be addressed.

  • What data shall we use to substantiate the fact that there is a data leak within the organization we address?
  • How do we identify the organization, the right contacts there?
  • What format and method of disclosure shall we use? And finally:
  • What should we say in the disclosure so that it is seen as an information and not as a threat?

We worked along the questions, with the help of friends, partners and valuable insights of security professionals across the globe (thanks to Troy Hunt for the presentation about the topic: https://www.troyhunt.com/fixing-data-breaches-part-3-the-ease-of-disclosure/)

What data to use?

Simple answer: as little as possible. A single data set should be enough, and even this one needs to be obscured, as we are likely to transmit the information via unsecured channels.

We decided to use a single, current data set from each system for each provider and note it down. No, nothing was downloaded, stored, or copied and pasted from these PACS. We don’t want that. Pencil and paper are our tools here.
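The obscuring rules just described (one data set, and even that reduced before it is written down or sent in clear text) as an added Python example; the field list follows the disclosure template the post reproduces further down. This is not the post's own tooling, which by its own account was pencil and paper, and the record below is constructed, not taken from any system.

```python
from datetime import datetime
from typing import Dict, Optional

# A constructed record standing in for one entry read from a PACS; no real data.
CONSTRUCTED_RECORD: Dict[str, Optional[str]] = {
    "exam_datetime": "2019-11-05T14:37:52",
    "patient_name": "Jane Example-Doe",
    "patient_dob": "1968-03-22",
    "patient_id": "PID-000123",
    "exam_id": None,                      # not every system records one
    "physician_name": "Dr. John Sample",
    "organization": "Example Radiology Group",
    "address": "192.0.2.45:104",          # documentation address
}

NOT_IN_SYSTEM = "not in the system"


def initials(full_name: str) -> str:
    """Reduce a name to initials; tokens ending in '.' (titles such as 'Dr.') are dropped."""
    tokens = full_name.replace("-", " ").split()
    return " ".join(t[0].upper() + "." for t in tokens if not t.endswith("."))


def shorten_timestamp(iso: str) -> str:
    """Keep date and hour only; minutes and seconds stay on the system."""
    return datetime.fromisoformat(iso).strftime("%Y-%m-%d %H:xx")


def year_only(iso_date: Optional[str]) -> str:
    return iso_date[:4] if iso_date else NOT_IN_SYSTEM


def obscure_record(record: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Build exactly the fields of the disclosure email; nothing else is returned."""
    return {
        "Exam date & hour": shorten_timestamp(record["exam_datetime"]),
        "Patient name": initials(record["patient_name"]),
        "Patient DoB": year_only(record.get("patient_dob")),
        "Patient ID": record["patient_id"],
        "Exam ID": record.get("exam_id") or NOT_IN_SYSTEM,
        "Physician's name": initials(record["physician_name"]),
        "Organization's name": record["organization"],
        "Network address": record["address"],
    }


if __name__ == "__main__":
    for label, value in obscure_record(CONSTRUCTED_RECORD).items():
        print(f"{label}: {value}")
```

Because the function returns a fresh dictionary with a fixed set of keys, any further field a PACS entry might carry (study description, referring department, images) can never leak into the email by accident; the allow-list is the redaction.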

How to identify the system owners?

No question, we were not supposed to contact any person within the data to find out about their healthcare provider: “Hey, we got your data from an unsecured system on the Internet can you name me your radiologist?” wouldn’t work well. As the information contained in the PACS also indicates the name of healthcare providers and of physicians, this was our starting point.

We used a list of sites, Google of course, but also:

So, all the work was done using OSINT.

What should be the format?

Letters, faxes, emails? We discussed the pros and cons and decided to use email as the format and method to transmit the responsible disclosure. Email is fast, but it is also the main inroad for attack attempts like phishing, so we had to scale down from fancy HTML to plain text. With the RFC style and format in mind, we drafted some initial versions and circulated them among capable advisers.

What should we say?

Emails talking about data leaks are very often received as threats: “do this, pay that or we will release …”. Formulating this email to avoid that specific effect was a bit of a challenge. We kept it as simple and short as possible and suggested actions instead of demanding them (which is nothing we could possibly do anyway). That one took us a bit of work.

Finalization and Concerns

Our full notes were then transferred into a consolidated list of details (already obscured), becoming the source for our little email campaign. As security researchers, we know that some recipients will totally misunderstand our intentions and “shoot the messenger”. That reaction happened in the past, too often.

We will keep you posted…

Below is the final text, which we sent out on the afternoon of December 10th, 2019.

Sent to: email address

Personal Health Information Data Leak – Responsible Disclosure

Attention to

__________

__________

With this email, we want to inform you about an identified data leak likely affecting your organization. A server storing medical information of patients affiliated with your organization, a PACS server (Picture Archiving and Communication System), is connected to the public Internet without any protection. We believe this server is affiliated with your organization, and is configured in a way that allows free access to Personal Health Information of patients being treated in your facilities. We work for a team of computer security researchers, and are bringing this matter to your attention through the principles of RESPONSIBLE DISCLOSURE so you may address the exposure and protect your organization and patients.

To substantiate the fact, please see the obscured details of one single data set of a patient below.

Exam date & hour: __________ (exact timing shortened, but available on the system)

Patient name: __________ (obscured for privacy concerns and clear text transmission)

Patient DoB: __________ (shortened to year, if in the system)

Patient ID: __________ (as it appears on the system)

Exam ID: __________ (if and as it appears on the system)

Physician’s name: __________ (obscured, if and as it appears on the system)

Organization’s name: __________ (as identified during our research)

The network address of this system is the following IP address (and tcp-port): __________

In September 2019, we informed Government authorities across the globe about the systems we identified. You receive this email as part of our efforts to alert more than one hundred organizations in the US affected by that type of data leak. We would like to suggest to you to take the necessary measures to secure the named PACS system. Potential measures can be, among others:

  • Implement access control to the system
  • Verify unnecessary port forwards
  • Deploy VPN access

Please consult with your information security staff, your IT service provider and/or the relevant Government authorities in the US about the range and scope of measures possible in your specific setup.

Please note also:

  • We recently conducted and published research about this type of data leak, which led to this disclosure. More information can be found here [1] and here [2].
  • Our research paper describes how to verify this data leak for yourself [3].
  • This email is written in plain text and contains no attachments.
  • Should you require further information, please feel free to contact us. Within limits imposed by the situation, we will try to help. There is no demand for compensation related to this.
  • This is a responsible disclosure; again, there is no demand of compensation for it or any intent to publish the data or details of your organization.
  • This is not a cyber-attack, it is about systems connected to the public Internet without any protection at all, allowing uncontrolled access to personal health data.

With best regards

Greenbone AG
Dirk Schrader
(CISSP, CISM, ISO/IEC 27001 Practitioner)
Mobile: +49-
Office: +49-541-760278-0
http://www.greenbone.net/
Greenbone AG
Neumarkt 12
49074 Osnabrück, Germany
AG Osnabrück, HR B 202460
Managing Director: Dr. Jan-Oliver Wagner

[1] https://www.propublica.org/article/millions-of-americans-medical-images-and-data-are-available-on-the-internet

[2] https://www.warner.senate.gov/public/index.cfm/2019/9/warner-seeks-answers-in-light-of-negligent-cybersecurity-practices-by-health-care-company

[3] https://www.greenbone.net/wp-content/uploads/Confidential-patient-data-freely-accessible-on-the-internet_20190918.pdf


Companies from the IT and telecommunications sector that operate critical infrastructures are top targets for hackers. They therefore need to be as secure as possible. This is where sustainable cyber resilience comes in.

Sustainable cyber resilience is a vital defence against cyberattacks. But what exactly does that mean?

It’s become clear that companies can no longer afford to take reactive measures to protect themselves from hackers. They must minimise their attack surface from the outset and, at the same time, ensure that their systems remain operational even in the event of a cyberattack. The sustainable cyber resilience concept goes one step further than IT security and includes both technological and strategic measures. On the technical side, it is necessary to identify and assess risks and close weak points. On the strategic side, business and IT departments must work closely together to make the resilience processes a top priority.

Here are Greenbone’s top five reasons why sustainable cyber resilience is essential for telecoms providers today:

1. Cyberattacks on telecoms companies are on the rise
Ponemon Institute estimates that nine out of ten critical infrastructures have suffered an attack over the past two years. The telecoms sector is particularly at risk, with attacks coming from all sides, including government agencies establishing covert surveillance and cyber criminals in search of highly valuable personal customer data. Indeed, especially with the introduction of 5G and suspicions (rightly or wrongly) surrounding the use of Huawei equipment, UK telecoms providers have been urged to strengthen their cyber security defences by the NCSC to fend off the growing number of attacks.

2. Telecommunications connect all critical infrastructure sectors
If the telecoms infrastructure fails, other critical sectors will also be affected. Many control systems in energy and water utilities can’t function if they can’t transmit or exchange data. The financial system would come to a standstill; so too would the healthcare system. A telecoms sector that is resistant to cyberattacks is absolutely vital to every walk of society.

3. The target area of telecoms infrastructures is becoming larger
As a result of digitisation, more and more telecoms services have shifted to IP networks. The classic fixed network has become obsolete. Telephony, internet, TV and video streaming are now all IP-based. As a result, communication networks and server systems are becoming increasingly unified. But this also means that hackers can cause massive damage by attacking the IP network. Furthermore, mobile is becoming increasingly important. Many IoT devices use mobile networks and, as a result, cybercriminals have more and more points of attack. The new 5G mobile communications standard will bring even more technical complexity and, with it, the need for new IT security requirements.

4. Nested responsibilities make security more difficult
Many different companies and subcontractors are often involved in telecoms infrastructures, some of them located in different countries. Whilst this makes it difficult to provide security, it also means that it is all the more important to establish a uniform, consistent level of protection with a resilience concept.

5. The EU NIS Directive makes resilience building blocks mandatory
Since May 2018, critical infrastructure companies in the telecoms sector have been obliged to provide evidence of suitable technical and organisational measures to protect against cybercrime. This is prescribed by the EU NIS Directive. ISO 27001 certification provides a good blueprint for resilience. Among other items, it mandates vulnerability management, an important cornerstone of sustainable cyber resilience.

Minimising risks with sustainable resilience
It’s not for nothing that attacks on telecoms infrastructures are so popular with hackers: here they find a growing, complex attack surface on which they can cause great damage. ICT companies should therefore do everything they can to make their systems sustainably resilient. For a comprehensive concept of Sustainable Cyber Resilience, ICT companies must take the appropriate technical and organisational measures.

This includes vulnerability management.