Tag Archive for: Greenbone

Andreas Bergler

… and Action! Greenbone at the it-sa Expo&Congress

Next week, it-sa, one of the largest platforms for IT security solutions, will kick off. On the opening day, October 22, 2024, from 11:00 a.m., Greenbone’s CEO Dr. Jan-Oliver Wagner will show how companies can remain capable of managing crisis situations. With the “Action” in Forum 6-B “Be secure and stay secure” he shows ways out of the growing threats posed by cyber risks. It is not for nothing that his overview of the possibilities and potential of vulnerability management is not called a “lecture”, but “action”: action is needed!

Take Action!

In times when ransomware gangs are trying to extort tens of millions of dollars, it’s essential for companies and organizations to act as early as possible to ensure the security of their IT systems, data and business operations. Every investment in cyber security pays off many times over when the acquisition costs of a corresponding proactive solution are compared with the costs incurred by a security breach – the costs of paying ransom are devastating. As with any calculation of interest and compound interest: the earlier the investment, the more it pays off. 

Greenbone’s solutions start at the earliest possible point in the history of cyber risks: the proactive detection of security vulnerabilities in your own IT infrastructure. Proactive vulnerability management goes hand in hand with a well-founded security strategy. Security intelligence is continuously provided, systems are monitored and results are compared and matched to known vulnerabilities.

Gaining a Knowledge Advantage

Because criminals make their attacks on their victims’ networks as impactful and widespread as possible in order to maximize their profits, IT managers should make it as difficult as possible in return. Vulnerability management offers companies a decisive advantage in the race against potential attackers. Vulnerabilities are often exploited before they are publicly announced, but once they are known, the race between attacker and the attacked enters the hot phase: attack vectors should be closed faster than cybercriminals can exploit them.

Manage Risks

To prevent the security risk from escalating, Greenbone solutions now access over 180,000 automated vulnerability tests. This reduces the potential attack surface by 99% compared to companies that do not use vulnerability management. These immense opportunities for risk minimization require prudent security management. The more vulnerabilities get uncovered, the more pressing the need for action becomes. Which IT systems require immediate help? Which assets and interaction paths in the company are particularly critical and which security measures should be prioritized? 

Only those who have plausible answers to these questions will be able to keep the overall risk of cyber attacks as low as possible in the long term. Jan-Oliver Wagner will identify top priorities and how a corresponding “triage” can be practiced among data and systems in day-to-day operations in the it-sa action “Be secure and stay secure”. Join us!

Visit us at our booth 6-346 or make an appointment right away and get your free ticket to the trade show. We look forward to your visit!

Make an appointment!

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

NIS2: Implementation Delayed but Stay on Course

While the German government has yet to implement the necessary adjustments for the NIS2 directive, organizations shouldn’t lose momentum. Although the enforcement is now expected in Spring 2025 instead of October 2024, the core requirements remain unchanged. While there remains a lot of work for companies, especially operators of critical infrastructure, most of it is clear and well-defined. Organizations must still focus on robust vulnerability management, such as that offered by Greenbone.

Missed Deadlines and the Need for Action

Initially, Germany was supposed to introduce the NIS2 compliance law by October 17, 2024, but the latest drafts failed to gain approval, and even the Ministry of the Interior does not anticipate a timely implementation. If the parliamentary process proceeds swiftly, the law could take effect by Q1 2025, the Ministry announced.

A recent study by techconsult (only in German), commissioned by Plusnet, reveals that while 67% of companies expect cyberattacks to increase, many of them still lack full compliance. NIS2 mandates robust security measures, regular risk assessments and rapid response to incidents. Organizations must report security breaches within 24 hours and deploy advanced detection systems, especially those already covered under the previous NIS1 framework.

Increased Security Budgets and Challenges

84% of organizations plan to increase their security spending, with larger enterprises projecting up to a 12% rise. Yet only 29% have fully implemented the necessary measures, citing workforce shortages and lack of awareness as key obstacles. The upcoming NIS2 directive presents not only a compliance challenge but also an opportunity to strengthen cyber resilience and gain customer trust. Therefore, 34% of organizations will invest in vulnerability management in the future.

Despite clear directives from the EU, political delays are undermining the urgency. The Bundesrechnungshof and other institutions have criticized the proposed exemptions for government agencies, which could weaken overall cybersecurity efforts. Meanwhile, the healthcare sector faces its own set of challenges, with some facilities granted extended transition periods until 2030.

Invest now to Stay Ahead

Latest since the NIS2 regulations impend, businesses are aware of the risks and are willing to invest in their security infrastructure. As government action lags, companies must take proactive measures. Effective vulnerability management solutions, like those provided by Greenbone, are critical to maintaining compliance and security.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

September 2024 Threat Tracking: Speed Before Safety?

A 2023 World Economic Forum report surveyed 151 global organizational leaders and found that 93% of cyber leaders and 86% business leaders believe a catastrophic cyber event is likely within the next two years. Still, many software vendors prioritize rapid development and product innovation above security. This month, CISA’s Director Jen Easterly stated software vendors “are building problems that open the doors for villains” and that “we don’t have a cyber security problem – we have a software quality problem”. Downstream, customers benefit from innovative software solutions, but are also exposed to the risks from poorly written software applications; financially motivated ransomware attacks, wiper malware, nation-state espionage and data theft, costly downtime, reputational damage and even insolvency.

However astute, the Director’s position glosses over the true cyber risk landscape. For example, as identified by Bruce Schneier back in 1999; IT complexity increases the probability of human error leading to misconfigurations [1][2][3]. Greenbone identifies both known software vulnerabilities and misconfigurations with industry leading vulnerability test coverage and compliance tests attesting CIS controls and other standards such as the BSI basic controls for Microsoft Office.

At the end of the day, organizations hold responsibility to their stakeholders, customers and the general public. They need to stay focused and protect themselves with fundamental IT security activities including Vulnerability Management. In September 2024’s Threat Tracking blog post, we review the most pressing new developments in the enterprise cybersecurity landscape threatening SMEs and large organizations alike.

SonicOS Exploited in Akira Ransomware Campaigns

CVE-2024-40766 (CVSS 10 Critical) impacting SonicWall’s flagship OS SonicOS, has been identified as a known vector for campaigns distributing Akira ransomware. Akira, originally written in C++, has been active since early 2023. A second Rust-based version became the dominant strain in the second half of 2023. The primary group behind Akira is believed to stem from the dissolved Conti ransomware gang. Akira is now operated as a Ransomware as a Service (RaaS) leveraging a double extortion tactic against targets in Germany and across the EU, North America, and Australia. As of January 2024, Akira had compromised over 250 businesses and critical infrastructure entities, extorting over 42 million US-Dollar.

Akira’s tactics include exploiting known vulnerabilities for initial access such as:

Greenbone includes tests to identify SonicWall devices vulnerable to CVE-2024-40766 [1][2] and all other vulnerabilities exploited by the Akira ransomware gang for initial access.

Urgent Patch for Veeam Backup and Restoration

Ransomware is the apex cyber threat, especially in healthcare. The US Human and Healthcare Services (HHS) reports that large breaches increased by 256% and ransomware incidents by 264% over the past five years. Organizations have responded with more proactive cybersecurity measures to prevent initial access and more robust incident response and recovery, including more robust backup solutions. Backup systems are thus a prime target for ransomware operators.

Veeam is a leading vendor of enterprise backup solutions globally and promotes its products as a viable safeguard against ransomware attacks. CVE-2024-40711 (CVSS 10 Critical), a recently disclosed vulnerability in Veeam Backup and Recovery is especially perilous since it could allow hackers to target the last line of protection against ransomware – backups. The vulnerability was discovered and responsibly reported by Florian Hauser of CODE WHITE GmbH, a German cybersecurity research company. Unauthorized Remote Code Execution (RCE) via CVE-2024-40711 was quickly verified by security researchers within 24 hours of the disclosure, and proof-of-concept code is now publicly available online, compounding the risk.

Veeam Backup & Replication version 12.1.2.172 and all earlier v12 builds are vulnerable and customers need to patch affected instances with urgency. Greenbone can detect CVE-2024-40711 in Veeam Backup and Restoration allowing IT security teams to stay one step ahead of ransomware gangs.

Blast-RADIUS Highlights a 20 Year old MD5 Collision Attack

RADIUS is a powerful and flexible authentication, authorization, and accounting (AAA) protocol used in enterprise environments to validate user-supplied credentials against a central authentication service such as Active Directory (AD), LDAP, or VPN services. Dubbed BlastRADIUS, CVE-2024-3596 is a newly disclosed attack against the UDP implementation of RADIUS, accompanied by a dedicated website, research paper, and attack details. Proof-of-concept code is also available from a secondary source.

Blast-RADIUS is an Adversary in The Middle (AiTM) attack that exploits a chosen-prefix collision weakness in MD5 originally identified in 2004 and improved in 2009. The researchers exponentially reduced the time required to spoof MD5 collisions and released their improved version of hashclash. The attack can allow an active AiTM positioned between a RADIUS client and a RADIUS server to trick the client into honoring a forged Access-Accept response despite the RADIUS server issuing a Access-Reject response. This is accomplished by computing an MD5 collision between the expected Access-Reject and a forged Access-Accept response allowing an attacker to approve login requests.

Greenbone can detect a wide array vulnerable RADIUS implementations in enterprise networking devices such as F5 BIG-IP [1], Fortinet FortiAuthenticator [2] and FortiOS [3], Palo Alto PAN-OS [4], Aruba CX Switches [5] and ClearPass Policy Manager [6], and on the OS level in Oracle Linux [7][8], SUSE [9][10][11], OpenSUSE [12][13], Red Had [14][15], Fedora [16][17], Amazon [18], Alma [19][20], and Rocky Linux [21][22] among others.

Urgent: CVE-2024-27348 in Apache HugeGraph-Server

CVE-2024-27348 (CVSS 9.8 Critical) is a RCE vulnerability in the open-source Apache HugeGraph-Server that affects all versions of 1.0 before 1.3.0 in Java8 and Java11. HugeGraph-Server provides an API interface used to store, query, and analyze complex relationships between data points and is commonly used for analyzing data from social networks, recommendation systems and for fraud detection.

CVE-2024-27348 allows attackers to bypass the sandbox restrictions within the Gremlin query language by exploiting inadequate Java reflection filtering. An attacker can leverage the vulnerability by crafting malicious Gremlin scripts and submitting them via API to the HugeGraph /gremlin endpoint to execute arbitrary commands. The vulnerability can be exploited via remote, adjacent, or local access to the API and can enable privilege escalation.

It is being actively exploited in hacking campaigns. Proof-of-concept exploit code [1][2][3] and an in-depth technical analysis are publicly available giving cyber criminals a head start in developing attacks. Greenbone includes an active check and version detection test to identify vulnerable instances of Apache HugeGraph-Server. Users are advised to update to the latest version.

Ivanti has Been an Open Door for Attackers in 2024

Our blog has covered vulnerabilities in Invati products several times this year [1][2][3]. September 2024 was another hot month for weaknesses in Ivanti products. Ivanti finally patched CVE-2024-29847 (CVSS 9.8 Critical), a RCE vulnerability impacting Ivanti Endpoint Manager (EPM), first reported in May 2024. Proof-of-concept exploit code and a technical description are now publicly available, increasing the threat. Although there is no evidence of active exploitation yet, this CVE should be considered high priority and patched with urgency.

However, in September 2024, CISA also identified a staggering four new vulnerabilities in Ivanti products being actively exploited in the wild. Greenbone can detect all of these new additions to CISA KEV and previous vulnerabilities in Ivanti products. Here are the details:

Summary

In this month’s Threat Tracking blog, we highlighted major cybersecurity developments including critical vulnerabilities such as CVE-2024-40766 exploited by Akira ransomware, CVE-2024-40711 impacting Veeam Backup and the newly disclosed Blast-RADIUS attack that could impact enterprise AAA. Proactive cybersecurity activities such as continuous vulnerability management and compliance attestation help to mitigate risks from ransomware, wiper malware, and espionage campaigns, allowing defenders to close security gaps before adversaries can exploit them.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

August 2024 Threat Tracking: Threats on the Rise

The cybersecurity risk environment has been red hot through the first half of 2024. Critical vulnerabilities in even the most critical technologies are perpetually open to cyber attacks, and defenders face the continuous struggle to identify and remediate these relentlessly emerging security gaps. Large organizations are being targeted by sophisticated “big game hunting” campaigns by ransomware gangs seeking to hit the ransomware jackpot. The largest ransomware payout ever was reported in August – 75 million Dollar to the Dark Angels gang. Small and medium sized enterprises are targeted on a daily basis by automated “mass exploitation” attacks, also often seeking to deliver ransomware [1][2][3].

A quick look at CISA’s Top Routinely Exploited Vulnerabilities shows us that even though cyber criminals can turn new CVE (Common Vulnerabilities and Exposures) information into exploit code in a matter of days or even hours, older vulnerabilities from years past are still on their radar.

In this month’s Threat Tracking blog post, we will point out some of the top cybersecurity risks to enterprise cybersecurity, highlighting vulnerabilities recently reported as actively exploited and other critical vulnerabilities in enterprise IT products.

The BSI Improves LibreOffice’s Mitigation of Human Error

OpenSource Security on behalf of the German Federal Office for Information Security (BSI) recently identified a secure-by-design flaw in LibreOffice. Tracked as CVE-2024-6472 (CVSS 7.8 High), it was found that users could enable unsigned macros embedded in LibreOffice documents, overriding the “high security mode” setting. While exploitation requires human interaction, the weakness addresses a false sense of security, that unsigned macros could not be executed when “high security mode” enabled.

KeyTrap: DoS Attack Against DNSSEC

In February 2024, academics at the German National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt disclosed “the worst attack on DNS ever discovered”. According to German researchers, a single packet can cause a “Denial of Service” (DoS) by exhausting a DNSSEC-validating DNS resolver. Dubbed “KeyTrap”, attackers can exploit the weakness to prevent clients using a compromised DNS server from accessing the internet or local network resources. The culprit is a design flaw in the current DNSSEC specification [RFC-9364] that dates back more than 20 years [RFC-3833].

Published in February 2024 and tracked as CVE-2023-50387 (CVSS 7.5 High), exploitation of the vulnerability is considered trivial and proof-of-concept code is available on GitHub. The availability of exploit code means that low skilled criminals can easily launch attacks. Greenbone can identify systems with vulnerable DNS applications impacted by CVE-2023-50387 with local security checks (LSC) for all operating systems.

CVE-2024-23897 in Jenkins Used to Breach Indian Bank

CVE-2024-23897 (CVSS 9.8 Critical) in Jenkins (versions 2.441 and LTS 2.426.2 and earlier) is being actively exploited and used in ransomware campaigns including one against the National Payments Corporation of India (NPCI). Jenkins is an open-source automation server used primarily for continuous integration (CI) and continuous delivery (CD) in software development operations (DevOps).

The Command Line Interface (CLI) in affected versions of Jenkins contains a path traversal vulnerability [CWE-35] caused by a feature that replaces the @-character followed by a file path with the file’s actual contents. This allows attackers to read the contents of sensitive files including those that provide unauthorized access and subsequent code execution. CVE-2024-23897 and its use in ransomware attacks follows a joint CISA and FBI alert for software vendors to address path traversal vulnerabilities [CWE-35] in their products. Greenbone includes an active check [1] and two version detection tests [2][3] for identifying vulnerable versions of Jenkins on Windows and Linux.

2 New Actively Exploited CVEs in String of Apache OFBiz Flaws

Apache OFBiz (Open For Business) is a popular open-source enterprise resource planning (ERP) and e-commerce software suite developed by the Apache Software Foundation. In August 2024, CISA alerted the cybersecurity community to active exploitation of Apache OFBiz via CVE-2024-38856 (CVSS 9.8 Critical) affecting versions before 18.12.13. CVE-2024-38856 is a path traversal vulnerability [CWE-35] that affects OFBiz’s “override view” functionality allowing unauthenticated attackers Remote Code Execution (RCE) on the affected system.

CVE-2024-38856 is a bypass of a previously patched vulnerability, CVE-2024-36104, just published in June 2024, indicating that the initial fix did not fully remediate the problem. This also builds upon another 2024 vulnerability in OFBiz, CVE-2024-32113 (CVSS 9.8 Critical), which was also being actively exploited to distribute Mirai botnet. Finally, in early September 2024, two new critical severity CVEs, CVE-2024-45507 and CVE-2024-45195 (CVSS 9.8 Critical) were added to the list of threats impacting current versions of OFBiz.

Due to the notice of active exploitation and Proof-of-Concept (PoC) exploits being readily available for CVE-2024-38856 [1][2] and CVE-2024-32113 [1][2] affected users need to patch urgently. Greenbone can detect all aforementioned CVEs in Apache OFBiz with both active and version checks.

CVE-2022-0185 in the Linux Kernel Actively Exploited

CVE-2022-0185 (CVSS 8.4 High), an heap-based buffer overflow vulnerability in the Linux kernel, was added to CISA KEV in August 2024. Publicly available PoC-exploit-code and detailed technical descriptions of the vulnerability have contributed to the increase in cyber attacks exploiting CVE-2022-0185.

In CVE-2022-0185 in Linux’s “legacy_parse_param()” function within the Filesystem Context functionality the length of supplied parameters is not being properly verified. This flaw allows an unprivileged local user to escalate their privileges to the root user.

Greenbone could detect CVE-2022-0185 since it was disclosed in early 2022 via vulnerability test modules covering a wide set of Linux distributions including Red Hat, Ubuntu, SuSE, Amazon Linux, Rocky Linux, Fedora, Oracle Linux and Enterprise products such as IBM Spectrum Protect Plus.

New VoIP and PBX Vulnerabilities

A handful of CVEs were published in August 2024 impacting enterprise voice communication systems. The vulnerabilities were disclosed in Cisco’s small business VOIP systems and Asterisk, a popular open-source PBX branch system. Let’s dig into the specifics:

Cisco Small Business IP Phones Offer RCE and DoS

Three high severity vulnerabilities were disclosed that impact the web-management console of Cisco Small Business SPA300 Series and SPA500 Series IP Phones. While underscoring the importance of not exposing management consoles to the internet, these vulnerabilities also represent a vector for an insider or dormant attacker who has already gained access to an organization’s network to pivot their attacks to higher value assets and disrupt business operations.

Greenbone includes detection for all newly disclosed CVEs in Cisco Small Business IP Phone. Here is a brief technical description of each:

  • CVE-2024-20454 and CVE-2024-20450 (CVSS 9.8 Critical): An unauthenticated, remote attacker could execute arbitrary commands on the underlying operating system with root privileges because incoming HTTP packets are not properly checked for size, which could result in a buffer overflow.
  • CVE-2024-20451 (CVSS 7.5 High): An unauthenticated, remote attacker could cause an affected device to reload unexpectedly causing a Denial of Service because HTTP packets are not properly checked for size.

CVE-2024-42365 in Asterisk PBX Telephony Toolkit

Asterisk is an open-source private branch exchange (PBX) and telephony toolkit. PBX is a system used to manage internal and external call routing and can use traditional phone lines (analog or digital) or VoIP (IP PBX). CVE-2024-42365, published in August 2024, impacts versions of asterisk before 18.24.2, 20.9.2 and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2. An exploit module has also been published for the Metasploit attack framework adding to the risk, however, active exploitation in the wild has not yet been observed.

Greenbone can detect CVE-2024-42365 via network scans. Here is a brief technical description of the vulnerability:

  • CVE-2024-42365 (CVSS 8.8 High): An AMI user with “write=originate” may change all configuration files in the “/etc/asterisk/” directory. This occurs because they are able to curl remote files and write them to disk but are also able to append to existing files using the FILE function inside the SET application. This issue may result in privilege escalation, Remote Code Execution or blind server-side request forgery with arbitrary protocols.

Browsers: Perpetual Cybersecurity Threats

CVE-2024-7971 and CVE-2024-7965, two new CVSS 8.8 High severity vulnerabilities in the Chrome browser, are being actively exploited for RCE. Either CVE can be triggered when victims are tricked into simply visiting a malicious web page. Google acknowledges that exploit code is publicly available, giving even low skilled cyber criminals the ability to launch attacks. Google Chrome has seen a steady stream of new vulnerabilities and active exploitation in recent years. A quick inspection of Mozilla Firefox shows a similar continuous stream of critical and high severity CVEs; seven Critical and six High severity vulnerabilities were disclosed in Firefox during August 2024, although active exploitation of these has not been reported.

The continuous onslaught of vulnerabilities in major browsers underscores the need for diligence to ensure that updates are applied as soon as they become available. Due to Chrome’s high market share of over 65% (over 70% considering Chromium-based Microsoft Edge) its vulnerabilities receive increased attention from cyber criminals. Considering the high number of severe vulnerabilities impacting Chromium’s V8 engine (more than 40 so far in 2024), Google Workspace admins might consider disabling V8 for all users in their organization to increase security. Other options for hardening browser security in high-risk scenarios include using remote browser isolation, network segmentation and booting from secure baseline images to ensure endpoints are not compromised.

Greenbone includes active authenticated vulnerability tests to identify vulnerable versions of browsers for Linux, Windows and macOS.

Summary

New critical and remotely exploitable vulnerabilities are being disclosed at record shattering rates amidst a red hot cyber risk environment. Asking IT security teams to manually track newly exposed vulnerabilities in addition to applying patches imposes an impossible burden and risks leaving critical vulnerabilities undetected and exposed. Vulnerability management is considered a fundamental cybersecurity activity; defenders of large, medium and small organizations need to employ tools such as Greenbone to automatically seek and report vulnerabilities across an organization’s IT infrastructure. 

Conducting automated network vulnerability scans and authenticated scans of each system’s host attack surface can dramatically reduce the workload on defenders, automatically providing them with a list of remediation tasks that is sortable according to threat severity.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Greenbone Enterprise Products Lead all Network Vulnerability Scanners

OpenVAS began in 2005 when Nessus transitioned from open source to a proprietary license. Two companies, Intevation and DN Systems adopted the existing project and began evolving and maintaining it under a GPL v2.0 license. Since then, OpenVAS has evolved into Greenbone, the most widely-used and applauded open-source vulnerability scanner and vulnerability management solution in the world. We are proud to offer Greenbone as both a free Community Edition for developers and also as a range of enterprise products featuring our Greenbone Enterprise Feed to serve the public sector and private enterprises alike.

As the “old-dog” on the block, Greenbone is hip to the marketing games that cybersecurity vendors like to play. However, our own goals remain steadfast – to share the truth about our product and industry leading vulnerability test coverage. So, when we reviewed a recent 2024 network vulnerability scanner benchmark report published by a competitor, we were a little shocked to say the least.

As the most recognized open-source vulnerability scanner, it makes sense that Greenbone was included in the competition for top dog. However, while we are honored to be part of the test, some facts made us scratch our heads. You might say we have a “bone to pick” about the results. Let’s jump into the details.

What the 2024 Benchmark Results Found

The 2024 benchmark test conducted by Pentest-Tools ranked leading vulnerability scanners according to two factors: Detection Availability (the CVEs each scanner has detection tests for) and Detection Accuracy (how effective their detection tests are).

The benchmark pitted our free Community Edition of Greenbone and the Greenbone Community Feed against the enterprise products of other vendors: Qualys, Rapid7, Tenable, Nuclei, Nmap, and Pentest-Tools’ own product. The report ranked Greenbone 5th in Detection Availability and roughly tied for 4th place in Detection Accuracy. Not bad for going up against titans of the cybersecurity industry.

The only problem is, as mentioned above, Greenbone has an enterprise product too, and when the results are recalculated using our Greenbone Enterprise Feed, the findings are starkly different – Greenbone wins hands down.

Here is What we Found

Bar chart from the 2024 benchmark for network vulnerability scanners: Greenbone Enterprise achieves the highest values with 78% availability and 61% accuracy

 

Our Enterprise Feed Detection Availability Leads the Pack

According to our own internal findings, which can be verified using our SecInfo Portal, the Greenbone Enterprise Feed has detection tests for 129 of the 164 CVEs included in the test. This means our Enterprise product’s Detection Availability is a staggering 70.5% higher than reported, placing us heads and tails above the rest.

To be clear, the Greenbone Enterprise Feed tests aren’t something we added on after the fact. Greenbone updates both our Community and Enterprise Feeds on a daily basis and we are often the first to release vulnerability tests when a CVE is published. A review of our vulnerability test coverage shows they have been available from day one.

Our Detection Accuracy was far Underrated

And another thing. Greenbone isn’t like those other scanners. The way Greenbone is designed gives it strong industry leading advantages. For example, our scanner can be controlled via API allowing users to develop their own custom tools and control all the features of Greenbone in any way they like. Secondly, our Quality of Detection (QoD) ranking doesn’t even exist on most other vulnerability scanners.

The report author made it clear they simply used the default configuration for each scanner. However, without applying Greenbone’s QoD filter properly, the benchmark test failed to fairly assess Greenbone’s true CVE detection rate. Applying these findings Greenbone again comes out ahead of the pack, detecting an estimated 112 out of the 164 CVEs.

Summary

While we were honored that our Greenbone Community Edition ranked 5th in Detection Availability and tied for 4th in Detection Accuracy in a recently published network vulnerability scanner benchmark, these results fail to consider the true power of the Greenbone Enterprise Feed. It stands to reason that our Enterprise product should be in the running. Afterall, the benchmark included enterprise offerings from other vendors.

When recalculated using the Enterprise Feed, Greenbone’s Detection Availability leaps to 129 of the 164 CVEs on the test, 70.5% above what was reported. Also, using the default settings fails to account for Greenbone’s Quality of Detection (QoD) feature. When adjusted for these oversights, Greenbone ranks at the forefront of the competition. As the most used open-source vulnerability scanner in the world, Greenbone continues to lead in vulnerability coverage, timely publication of vulnerability tests, and truly enterprise grade features such as a flexible API architecture, advanced filtering, and Quality of Detection scores.

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

#nis2know: BSI launches NIS2 vulnerability test

The German implementation of the EU’s NIS2 directive is becoming more and more defined: End of July, the NIS2 Implementation Act passed the German government’s cabinet, a final decision in the Bundestag is imminent. For all companies and authorities wondering whether this concerns them, the BSI has now launched a comprehensive website with an impact assessment and valuable information under the catchy hashtag #nis2know.

Even if the Bundestag resolution is not yet passed and thus the originally planned date in October will perhaps not be feasible anymore, companies must prepare now, the Federal Office for Information Security (BSI) demands. The BSI is therefore providing companies and organizations of all kinds with an eight-part questionnaire (in German only) to help IT managers and managers find out whether the strict regulations of NIS2 also apply to them. For all companies and organizations that fall under the NIS2 regulation, the BSI also provides further assistance and answers to the question of what they can do now in advance of NIS2 coming into force.

High need, high demand

Demand appears to be high, with both BSI head Claudia Plattner and Federal CIO Markus Richter reporting success in the form of several thousand hits in the first few days (for example on LinkedIn: Plattner, Richter). The NIS2 vulnerability test can be found directly on the BSI website. Here you will find “specific questions based on the directive to classify your company”. The questions are “kept short and precise and are explained in more detail in small print if necessary”. Anyone filling out the BSI’s questionnaire will know within minutes whether their company or organization is affected by NIS2.

In the questions, the respondent must address whether their company is the operator of a critical facility, a provider of publicly accessible telecommunications services or public telecommunications networks, a qualified trust service provider, a top-level domain name registry or a DNS service provider. Even if the company is a non-qualified trust service provider or offers goods and services that fall under one of the types of facilities specified in Annex 1 or 2 of the NIS 2 Directive, it is affected by the NIS 2 regulations.

Anybody who can answer all questions with “No” is not affected by NIS2. For everyone else, however, the BSI offers extensive help and research options on what to do now. A FAQ list explains in detail in nine questions the current status, whether you should wait or already start preparing. Links to sources and contacts can be found here, as well as further information for the impact checks and explanations of terms (for example: What does “important”, “essential” and “particularly important” mean in the context of NIS2?) Also very important are the sections that explain which obligations and evidence affected companies must provide when and where, as well as the still unanswered discussion as to when NIS2 becomes binding.

The BSI’s wealth of information also includes support services for businesses, as well as clear instructions for the next steps and basic explanations on critical infrastructures (KRITIS) in general.

Take action now, despite waiting for the Bundestag

The national implementation of the European NIS2 Directive, which has been the subject of heated debate in some quarters, was recently delayed due to major differences of opinion between the parties involved, meaning that the previously expected date had to be postponed. The Federal Ministry of the Interior had already confirmed weeks ago that it would not come into force in October.

Irrespective of the wait for the Bundestag, those affected should take action now, writes the BSI: responsible persons and teams must be appointed, roles and tasks must be defined, but also an inventory is to be taken and processes are to be set up for continuous improvement. Preparing for the upcoming reporting obligation should be a top priority.

Extensive information also from Greenbone

Greenbone has also devoted numerous blog posts and guides to the topic of NIS2 in recent months, from the Cyber Resilience Act and the threat situation for municipalities to effective measures and basically everything what is needed to know about NIS2 right now.

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

Medium-sized companies are increasingly investing in vulnerability management

Ransomware, phishing, denial of service attacks: according to a recent study, 84 per cent of the companies surveyed are concerned about the security of their IT systems and see a further increase in the threat situation. For good reason, as companies are also concerned about outdated code, data theft by employees, inadequate protection of company […]

Read more
/by
Markus Feilner

Vulnerability scanner Notus supports Amazon Linux

Most virtual servers in the Amazon Elastic Compute Cloud EC2 run a version of Linux that has been specially customised for the needs of the cloud. The latest generation of scanners from Greenbone has also been available for the Amazon Web Services operating system for a few weeks now. Over 1,900 additional, customised tests for the latest versions of Amazon Linux (Linux 2 and Linux 2023) have been integrated in recent months, explains Julio Saldana, Product Owner at Greenbone.

Significantly better performance thanks to Notus

Greenbone has been supplementing its vulnerability management with the Notus scan engine since 2022. The innovations in the architecture are primarily aimed at significantly increasing the performance of the security checks. Described as a “milestone” by Greenbone CIO Elmar Geese, the new scanner generation works in two parts: A generator queries the extensive software version data from the company’s servers and saves it in a handy Json format. Because this no longer happens at runtime, but in the background, the actual scanner (the second part of Notus) can simply read and synchronise the data from the Json files in parallel. Waiting times are eliminated. “This is much more efficient, requires fewer processes, less overhead and less memory,” explain the Greenbone developers.

Amazon Linux

Amazon Linux is a fork of Red Hat Linux sources that Amazon has been using and customising since 2011 to meet the needs of its cloud customers. It is largely binary-compatible with Red Hat, initially based on Fedora and later on CentOS. Amazon Linux was followed by Amazon Linux 2, and the latest version is now available as Amazon Linux 2023. The manufacturer plans to release a new version every two years. The version history of the official documentation also includes a feature comparison, as the differences are significant: Amazon Linux 2023 is the first version to also use Systemd, for example. Greenbone’s vulnerability scan was also available on Amazon Linux from the very beginning.

Contact Test Now Buy Here Back to Overview

/by
Elmar Geese

AI and cybersecurity: The promise of artificial intelligence

,

How is artificial intelligence (AI) changing the cybersecurity landscape? Will AI make the cyber world more secure or less secure? I was able to explore these questions at the panel discussion during the “Potsdam Conference for National Cybersecurity 2024” together with Prof. Dr. Sandra Wachter, Dr. Kim Nguyen, Dr. Sven Herpig. Does AI deliver what it promises today? And what does the future look like with AI?

Four experts discuss the opportunities and risks of artificial intelligence in cybersecurity during a panel at the 2024 Potsdam Conference on National Cybersecurity at the Hasso Plattner Institute.
Cybersecurity is already difficult enough for many companies and institutions. Will the addition of artificial intelligence (AI) now make it even more dangerous for them or will AI help to better protect IT systems? What do we know? And what risks are we looking at here? Economic opportunities and social risks are the focus of both public attention and currently planned legislation. The EU law on artificial intelligence expresses many of the hopes and fears associated with AI.

Hopes and fears

We hope that many previously unresolved technical challenges can be overcome. Business and production processes should be accelerated, and machines should be able to handle increasingly complex tasks autonomously. AI can also offer unique protection in the military sector, saving many lives, for example in the form of AI-supported defense systems such as the Iron Dome.

On the other, darker side of AI are threats such as mass manipulation through deepfakes, sophisticated phishing attacks or simply the fear of job losses that goes hand in hand with any technical innovation. More and more chatbots are replacing service employees, image generators are replacing photographers and graphic designers, text generators are replacing journalists and authors, and generated music is replacing musicians and composers. In almost every profession, there is a fear of being affected sooner or later. This even applies to the IT sector, where a rich choice of jobs was previously perceived as a certainty. These fears are often very justified, but sometimes they are not.

In the area of cyber security, however, it is not yet clear to what extent autonomous AI can create more security and replace the urgently needed security experts or existing solutions. This applies to both attackers and defenders. Of course, the unfair distribution of tasks remains: While defenders want (and need) to close as many security gaps as possible, a single vulnerability is enough for the attackers to launch a successful attack. Fortunately, defenders can fall back on tools and mechanisms that automate a lot of work, even today. Without this automation, the defenders are lost. Unfortunately, AI does not yet help well enough. This is demonstrated by the ever-increasing damage caused by conventional cyber attacks, even though there are supposedly already plenty of AI defenses. On the other hand, there is the assumption that attackers are becoming ever more powerful and threatening thanks to AI.

For more cyber security, we need to take a closer look. We need a clearer view of the facts.

Where do we stand today?

So far, we know nothing about technical cyber attacks generated by artificial intelligence. There are currently no relevant, verifiable cases, only theoretically constructed scenarios. This may change, but as things stand today, this is the case. We don’t know of any AI that could currently generate sufficiently sophisticated attacks. What we do know is that phishing is very easy to implement with generative language models and that these spam and phishing emails appear to us to be more skillful, at least anecdotally. Whether this causes more damage than the already considerable damage, on the other hand, is not known. It is already terrible enough today, even without AI. However, we know that phishing is only ever the first step in accessing a vulnerability.

Elmar Geese, Greenbone board member, speaks at the 2024 Potsdam Conference on National Cybersecurity at the Hasso Plattner Institute about the opportunities and risks of artificial intelligence in cybersecurity.

Member of the Greenbone Board Elmar Geese at the Potsdam Conference for national cybersecurity at Hasso-Plattner-Institute (HPI), picture: Nicole Krüger

How can we protect ourselves?

The good news is that an exploited vulnerability can almost always be found and fixed beforehand. Then even the best attack created with generative AI would come to nothing. And that’s how it has to be done. Because whether I am under threat from a conventional attack today or an AI in my network the day after tomorrow, a vulnerability in the software or in the security configuration will always be necessary for an attack to succeed. Two strategies then offer the best protection: firstly, being prepared for the worst-case scenario, for example through backups together with the ability to restore systems in a timely manner. The second is to look for the gaps yourself every day and close them before they can be exploited. Simple rule of thumb: every gap that exists can and will be exploited. 

Role and characteristics of AI

AI systems are themselves very good targets for attacks. Just like the internet, they were not designed with “security by design” in mind. AI systems are just software and hardware, just like any other target. Only in contrast to AI systems, conventional IT systems, whose functionality can be more or less understood with sufficient effort, can be repaired in a manner comparable to surgical interventions. They can be “patched”. This does not work with AI. If a language model does not know what to do, it does not produce a status or even an error message, it “hallucinates”. However, hallucinating is just a fancy term for lying, guessing, inventing something or doing strange things. Such an error cannot be patched, but requires the system to be retrained, for example, without being able to clearly identify the cause of the error.

If it is very obvious and an AI thinks dogs are fish, for example, it is easy to at least recognize the error. However, if it has to state a probability as to whether it has detected a dangerous or harmless anomaly on an X-ray image, for example, it becomes more difficult. It is not uncommon for AI products to be discontinued because the error cannot be corrected. A prominent first example was Tay, a chatbot launched unsuccessfully twice by Microsoft, which was discontinued even faster the second time than the first.

What we can learn from this: lower the bar, focus on trivial AI functions and then it will work. That’s why many AI applications that are coming onto the market today are here to stay. They are useful little helpers that speed up processes and provide convenience. Perhaps they will soon be able to drive cars really well and safely. Or maybe not.

The future with AI

Many AI applications today are anecdotally impressive. However, they can only be created for use in critical fields with a great deal of effort and specialization. The Iron Dome only works because it is the result of well over ten years of development work. Today, it recognizes missiles with a probability of 99% and can shoot them down – and not inadvertently civilian objects – before they cause any damage. For this reason, AI is mostly used to support existing systems and not autonomously. Even if, as the advertising promises, they can formulate emails better than we can or want to ourselves, nobody today wants to hand over their own emails, chat inboxes and other communication channels to an AI that takes care of the correspondence and only informs us of important matters with summaries.

Will that happen in the near future? Probably not. Will it happen at some point? We don’t know. When the time perhaps comes, our bots will be writing messages to each other, our combat robots will be fighting our wars against each other, and AI cyber attackers and defenders will be competing against each other. When they realize that what they are doing is pointless, they might ask themselves what kind of beings they are hiring to do it. Then perhaps they will simply stop, set up communication lines, leave our galaxy and leave us helpless. At least we’ll still have our AI act and can continue to regulate “weak AI” that hasn’t made it away.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Vulnerability management in 12 minutes

Why is Greenbone not a security provider like any other? How did Greenbone come about and what impact does Greenbone’s long history have on the quality of its vulnerability scanners and the security of its customers? The new video “Demystify Greenbone” provides answers to these questions in an twelve-minute overview. It shows why experts need […]

Read more
/by