Why is Greenbone not a security provider like any other? How did Greenbone come about and what impact does Greenbone’s long history have on the quality of its vulnerability scanners and the security of its customers? The new video “Demystify Greenbone” provides answers to these questions in an twelve-minute overview. It shows why experts need […]
“Support for early crisis detection” was the topic of a high-profile panel on the second day of this year’s PITS Congress. On stage: Greenbone CEO Jan-Oliver Wagner together with other experts from the Federal Criminal Police Office, the German Armed Forces, the Association of Municipal IT Service Providers VITAKO and the Federal Office for Information Security.
Once again this year, Behörden Spiegel organized its popular conference on Public IT Security (PITS). Hundreds of security experts gathered at the renowned Hotel Adlon in Berlin for two days of forums, presentations and an exhibition of IT security companies. In 2024, the motto of the event was “Security Performance Management” – and so it was only natural that Greenbone, as a leading provider of vulnerability management, was also invited (as in 2023), for example in the panel on early crisis detection, which Greenbone CEO Dr. Jan-Oliver Wagner opened with a keynote speech.
In his presentation, Jan-Oliver Wagner explained his view on strategic crisis detection, talking about the typical “earthquakes” and the two most important components: Knowing where vulnerabilities are, and providing technologies to address them.
Greenbone has built up this expertise over many years, also making it vailable to the public, in open source, always working together with important players on the market. For example, contacts with the German Federal Office for Information Security (BSI) were there right from the start: “The BSI already had the topic of vulnerability management on its radar when IT security was still limited to firewalls and antiviruses,” Wagner is praising the BSI, the German government’s central authority for IT security.
Today, the importance of two factors is clear: “Every organization must know how and where it is vulnerable, know its own response capabilities and has to keep working on improving them continuously. Cyber threats are like earthquakes. We can’t prevent them, we can only prepare for them and respond to them in the best possible way.”
According to Jan-Oliver Wagner’s definition, the constant cyber threat evolves into a veritable “crisis” when, for example, a threat “hits a society, economy or nation where many organizations have a lot of vulnerabilities and a low ability to react quickly. Speed is very important. You have to be faster than the attack happens.” The other participants on the panel also addressed this and used the term “getting ahead of the wave”.
The crisis is often already there long before it is mentioned in the news, individual organizations need to protect themselves and prepare themselves so that they can react to unknown situations on a daily basis. “A cyber nation supports organizations and the nation by providing the means to achieve this state,” says Jan-Oliver Wagner.
Major General Dr Michael Färber, Head of Planning and Digitalization, Cyber & Information Space Command, explained the Bundeswehr’s perspective: According to him, a crisis occurs when the measures and options for responding are no longer sufficient. “Then something develops into a crisis.”
From the perspective of small cities and similar local authorities, however, the picture is different, according to Katrin Giebel, Head of VITAKO, the Federal Association of Municipal IT Service Providers. “80 percent of administrative services take place at the municipal level. Riots would already occur when the vehicle registration is not available.” Cities and municipalities keep being hit hard by cyber attacks, and crises start much earlier here: “For us, threats are almost the same as a crisis.”
The BSI, on the other hand, defines a “crisis” as when an individual organization is unable or no longer able to solve a problem on its own. Dr Dirk Häger, Head of the Operational Cyber Security Department at the BSI: “As soon as two departments are affected, the crisis team convenes. For us, a crisis exists as soon as we cannot solve a problem with the standard organization.” This is giving a crucial role to those employees who decide whether to call together a meeting or not. “You just reach a point where you agree: now we need the crisis team.”
Something that Häger finds very frightening, however, is how long successful attacks continue to take place after crises have actually already been resolved, for example in view of the events surrounding the Log4j vulnerability. “We put a lot of effort into this, especially at the beginning. The Log4j crisis was over, but many organizations were still vulnerable and had inadequate response capabilities. But nobody investigates it anymore,” complains the head of department from the BSI.
Asked by moderator Dr. Eva-Charlotte Proll, editor-in-chief and publisher at Behörden Spiegel, what would help in view of these insights, he describes the typical procedure and decision-making process in the current, exemplary checkpoint incident: “Whether something is a crisis or not is expert knowledge. In this case, it was a flaw that was initiated and exploited by state actors.” Action was needed at the latest when the checkpoint backdoor was beginning to be exploited by other (non-state) attackers. Knowledge of this specific threat situation is also of key importance for those affected.
Also Jan Oliver Wagner once again emphasized the importance of the knowledge factor. Often the threat situation is not being discussed appropriately. At the beginning of 2024, for example, an important US authority (NIST) reduced the amount of information in its vulnerability database – a critical situation for every vulnerability management provider and their customers. Furthermore, the fact that NIST is still not defined as a critical infrastructure shows that action is needed.
The information provided by NIST is central to the National Cyber Defense Center’s ability to create a situational picture as well, agrees Färber. This also applies to cooperation with the industry: several large companies “boast that they can deliver exploit lists to their customers within five minutes. We can improve on that, too.”
Carsten Meywirth, Head of Department at the BKA, emphasized the differences between state and criminal attacks, also using the example of the supply chain attack on Solarwinds. Criminal attackers often have little interest in causing a crisis because too much media attention might jeopardize their potential financial returns. And security authorities need to stay ahead of the wave – which requires intelligence and the potential to disrupt the attackers’ infrastructure.
According to Major General Färber, Germany is always among the top 4 countries in terms of attacks. The USA is always in first place, but states like Germany end up in the attackers’ dragnets so massively simply because of their economy’s size. This is what makes outstanding international cooperation in investigating and hunting down perpetrators so important. “Especially the cooperation of Germany, the USA and the Netherlands is indeed very successful, but the data sprints with the Five Eyes countries (USA, UK, Australia, Canada and New Zealand) are also of fundamental importance, because that is where intelligence findings come to the table, are being shared and compared. “Successful identification of perpetrators is usually impossible without such alliances,” says Michael Färber. But Germany is well positioned with its relevant organizations: “We have significantly greater redundancy than others, and that is a major asset in this fight.” In the exemplary “Operation Endgame“, a cooperation between the security authorities and the private sector launched by the FBI, the full power of these structures is now becoming apparent. “We must and will continue to expand this.”
Getting ahead of the situation like this is still a dream of the future for the municipalities. They are heavily reliant on inter-federal support and a culture of cooperation in general. An up-to-date picture of the situation is “absolutely important” for them, Katrin Giebel from VITAKO reports. As a representative of the municipal IT service providers, she is very familiar with many critical situations and the needs of the municipalities – from staff shortages to a lack of expertise or an emergency number for IT crises that is still missing today. Such a hotline would not only be helpful, but it would also correspond to the definition from Wagner’s introductory presentation: “A cyber nation protects itself by helping companies to protect themselves.”
Even if the BSI does not see itself in a position to fulfil such a requirement on its own, this decentralized way of thinking has always been internalized. But whether the BSI should be developed into a central office in this sense is something that needs to be discussed first, explains Dirk Häger from the BSI. “But prevention is much more important. Anyone who puts an unsecured system online today will quickly be hacked. The threat is there. We must be able to fend it off. And that is exactly what prevention is.”
Wagner adds that information is key to this. And distributing information is definitely a task for the state, which is where he sees the existing organizations in the perfect role.
Winter is coming: The motto of House Stark from the series “Game of Thrones” indicates the approach of an undefined disaster. One could also surmise something similar when reading many articles that are intended to set the mood for the upcoming NIS2 Implementation Act (NIS2UmsuCG). Is NIS2 a roller of ice and fire that will bury the entire European IT landscape and from which only those who attend one of the countless webinars and follow all the advice can save themselves?
NIS2 as such is merely a directive issued by the EU. It is intended to ensure the IT security of operators of important and critical infrastructures, which may not yet be optimal, and to increase cyber resilience. Based on this directive, the member states are now called upon to create a corresponding law that transposes this directive into national law.
The NIS Directive was introduced by the EU back in 2016 to protect industries and service providers relevant to society from attacks in the cybersphere. This regulation contains binding requirements for the protection of IT structures in companies that operate as critical infrastructure (KRITIS) operators. These are companies that play an indispensable role within society because they operate in areas such as healthcare services, energy supply and transport. In other words, areas where deliberately caused disruptions or failures can lead to catastrophic situations – raise your hand if your household is equipped to survive a power outage lasting several days with all its consequences…
As digitalisation continues to advance, the EU had to create a follow-up regulation (NIS2), which on the one hand places stricter requirements on information security, but on the other hand also covers a larger group of companies that are “important” or “particularly important” for society. These companies are now required to fulfil certain standards in information security.
Although the NIS2 Directive was already adopted in December 2022, the member states have until 17 October 2024 to pass a corresponding implementing law. Germany will probably not make it by then. Nevertheless, there is no reason to sit back. The NIS2UmsuCG is coming, and with it increased demands on the IT security of many companies and institutions.
Companies from four groups are affected. Firstly, there are the particularly important organisations with 250 or more employees or an annual turnover of 50 million euros and a balance sheet total of 43 million euros or more. A company that fulfils these criteria and is active in one of the following sectors: energy, transport, finance/insurance, health, water/sewage, IT and telecommunications or space is particularly important.
In addition, there are the important organisations with 50 or more employees or a turnover of 10 million euros and a balance sheet total of 10 million euros. If a company fulfils these criteria and is active in one of the following sectors: postal/courier, chemicals, research, manufacturing (medical/diagnostics, IT, electrical, optical, mechanical engineering, automotive/parts, vehicle construction), digital services (marketplaces, search engines, social networks), food (wholesale, production, processing) or waste disposal (waste management), it is considered important.
In addition to particularly important and important facilities, there are also critical facilities, which continue to be defined by the KRITIS methodology. Federal facilities are also regulated.
In concrete terms, this means that all affected companies and institutions, regardless of whether they are “particularly important” or “important”, must fulfil a series of requirements and obligations that leave little room for interpretation and must therefore be strictly observed. Action must be taken in the following areas:
Affected companies are obliged to introduce comprehensive risk management. In addition to access control, multi-factor authentication and single sign-on (SSO), this also includes training and incident management as well as an ISMS and risk analyses. This also includes vulnerability management and the use of vulnerability and compliance scans.
All companies are obliged to report “significant security incidents”: these must be reported to the BSI reporting centre immediately, but within 24 hours at the latest. Further updates must be made within 72 hours and 30 days.
Companies are obliged to determine for themselves whether they are affected by the NIS2 legislation and to register themselves within a period of three months. Important: Nobody tells a company that it falls under the NIS2 regulation and must register. The responsibility lies solely with the individual companies and their directors.
It is not enough to simply take the specified precautions; appropriate evidence must also be provided. Important and particularly important facilities will be inspected by the BSI on a random basis, and appropriate documentation must be submitted. KRITIS facilities will be inspected on a regular basis every three years.
In future, it will no longer be possible to sweep security incidents under the carpet. The BSI will be authorised to issue instructions to inform customers about security incidents. The BSI will also be authorised to issue instructions on informing the public about security incidents.
Managing directors are obliged to approve risk management measures. Training on the topic will also become mandatory. Particularly serious: Managing directors are personally liable with their private assets for breaches of duty.
In the past, companies occasionally preferred to accept the vague possibility of a fine rather than making concrete investments in cyber security measures, as the fine seemed quite acceptable. NIS2 now counters this with new offences and in some cases drastically increased fines. This is further exacerbated by the personal liability of managing directors.
As can be seen, the expected NIS2 implementation law is a complex structure that covers many areas and whose requirements can rarely be covered by a single solution.
Continuously scan your IT systems for vulnerabilities. This will uncover, prioritise and document security gaps as quickly as possible. Thanks to regular scans and detailed reports, you create the basis for documenting the development of the security of your IT infrastructure. At the same time, you fulfil your obligation to provide evidence and are well prepared in the event of an audit.
On request, experts can take over the complete operation of vulnerability management in your company. This also includes services such as web application pentesting, which specifically identifies vulnerabilities in web applications. This covers an important area in the NIS2 catalogue of requirements and fulfils the requirements of § 30 (risk management measures).
There is no single, all-encompassing measure that will immediately make you fully NIS2-compliant. Rather, there are a number of different measures that, taken together, provide a good basis. One component of this is vulnerability management with Greenbone. If you keep this in mind and put the right building blocks in place in good time, you will be on the safe side as an IT manager. And winter can come.
On 19 and 20 June 2024, it’s all about the big picture: high-ranking IT specialists and decision-makers from politics, business and science will meet in Potsdam to provide an overview of “National Cybersecurity”. One of the biggest, widespread challenges is the rapid development of artificial intelligence (AI). Elmar Geese, CEO of Greenbone, will discuss its influence on IT security with Dr Christoph Bausewein (CrowdStrike), Dr Sven Herpig (Stiftung Neue Verantwortung) and Dr Kim Nguyen (Bundesdruckerei) on the podium.
The Potsdam Conference on National Cybersecurity will take place on 19 and 20 June 2024. Visit us at our stand at the conference!
Registration: https://hpi.de/das-hpi/bewerbung/2024/potsdam-cybersecurity-conference/
After experts noticed a rapid increase in cyberattacks on local authorities and government agencies in 2023, the horror stories don’t stop in 2024. The pressure to act is enormous, as the EU’s NIS2 Directive will come into force in October and makes risk and vulnerability management mandatory.
“The threat level is higher than ever,” said Claudia Plattner, President of the German Federal Office for Information Security (BSI), at Bitkom in early March. The question is not whether an attack will be successful, but only when. The BSI’s annual reports, for example the most recent report from 2023, also speak volumes in this regard. However, according to Plattner, it is striking how often local authorities, hospitals and other public institutions are at the centre of attacks. There is “not a problem with measures but with implementation in companies and authorities”, said Plattner. One thing is clear: vulnerability management such as Greenbone’s can provide protection and help to avoid the worst.
In view of the numerous serious security incidents, vulnerability management is becoming more important every year. Almost 70 new security vulnerabilities have been added every day in recent months. Some of them opened the door to attackers deep inside US authorities, as reported in the Greenbone Enterprise Blog:
According to the media, US authorities have been infiltrated by Chinese hacker groups such as the probably state-sponsored “Volt Typhoon” for years via serious security gaps. The fact that Volt Typhoon and similar groups are a major problem was even confirmed by Microsoft itself in a blog back in May 2023. But that’s not all: German media reported that Volt Typhoon is taking advantage of the abundant vulnerabilities in VPN gateways and routers from FortiNet, Ivanti, Netgear, Citrix and Cisco. These are currently considered to be particularly vulnerable.
The fact that the quasi-monopolist in Office, groupware, operating systems and various cloud services also had to admit in 2023 that it had the master key for large parts of its Microsoft cloud let stolen destroyed trust in the Redmond software manufacturer in many places. Anyone who has this key doesn’t need a backdoor for Microsoft systems any longer. Chinese hackers are also suspected in this case.
The supply chain for software manufacturers has been under particular scrutiny by manufacturers and users not only since log4j or the European Cyber Resilience Act. The recent example of the attack on the XZ compression algorithm in Linux also shows the vulnerability of manufacturers. In the case of the “#xzbackdoor”, a combination of pure coincidence and the activities of Andres Freund, a German developer of open source software for Microsoft with a strong focus on performance, prevented the worst from happening.
An abyss opened up here: It was only thanks to open source development and a joint effort by the community that it came to light that actors had been using changing fake names with various accounts for years with a high level of criminal energy and with methods that would otherwise be more likely to be used by secret services. With little or no user history, they used sophisticated social scams, exploited the notorious overload of operators and gained the trust of freelance developers. This enabled them to introduce malicious code into software almost unnoticed. In the end, it was only thanks to Freund’s interest in performance that the attack was discovered and the attempt to insert a backdoor into a tool failed.
US officials also see authorities and institutions as being particularly threatened in this case, even if the attack appears to be rather untargeted and designed for mass use. The issue is complex and far from over, let alone fully understood. One thing is certain: the usernames of the accounts used by the attackers were deliberately falsified. We will continue to report on this in the Greenbone blog.
Vulnerability management cannot prevent such attacks, but it provides indispensable services by proactively warning and alerting administrators as soon as such an attack becomes known – usually before an attacker has been able to compromise systems. In view of all the difficulties and dramatic incidents, it is not surprising that legislators have also recognised the magnitude of the problem and are declaring vulnerability management to be standard and best practice in more and more scenarios.
Laws and regulations such as the EU’s new NIS2 directive make the use of vulnerability management mandatory, including in the software supply chain. Even if NIS2 only actually applies to around 180,000 organisations and companies in the critical infrastructure (KRITIS) or “particularly important” or “significant” companies in Europe, the regulations are fundamentally sensible – and will be mandatory from October. The EU Commission emphasises that “operators of essential services” must “take appropriate security measures and inform the competent national authorities of serious incidents”. Important providers of digital services such as search engines, cloud computing services and online marketplaces must fulfil the security and notification requirements of the directive.”
The “Directive on measures for a high common level of cybersecurity across the Union (NIS2)” forces companies in the European Union to “implement a benchmark of minimum cybersecurity measures”, including risk management, training, policies and procedures, also and especially in cooperation with software suppliers. In Germany, the federal states are to define the exact implementation of the NIS2 regulations.
Do you have any questions about NIS2, the Cyber Resilience Act (CRA), vulnerability management in general or the security incidents described? Write to us! We look forward to working with you to find the right compliance solution and give your IT infrastructure the protection it needs in the face of today’s serious attacks.
To make our ecological progress even more sustainable, we keep up to date with regular internal training courses on energy efficiency. In this way, we are helping to make the world even “greener” outside of Greenbone.
It doesn’t get any greener? Not at all! We have just completed certification of our environmental management system in accordance with ISO 14001. And we have realised: There is always room for getting “greener” – you just have to be committed and willing to drive this commitment forward in measurable progress.
The international standard ISO 14001 defines requirements that companies can use to achieve environmental goals and fulfil legal obligations. Because the environmental niche is different for every organisation, the standard does not specify absolute values and targets, but it does emphasise integration into quality management, C-level responsibility for environmental management and the elimination of ambiguity regarding environmental targets.
Targets, objectives, key figures: A dry framework for green growth
The current German version of the standard, DIN EN ISO 14001:2015, places particular emphasis on “environmental performance improvement” and its measurement using appropriate indicators. The ecological objectives thus relate to the upstream and downstream environmental impact of products and services as well as the consideration of opportunities and risks in day-to-day business. The whole process is to be set up as part of a continuous improvement process (CIP) so that the effects of each new measure can be monitored and adapted accordingly. With this certification, we are proud to be able to announce another important step towards a company that is not only “green” on the outside, in the company logo, but also on the inside.
Back in autumn 2023, when the “Environmental Management System” was introduced, it was clear to us: we may not be able to save the world, but every step in this direction is important to us! So, step by step, we started by collecting all aspects that could have an impact on the environment. After ranking the factors and prioritising them, eleven areas emerged in which Greenbone can become ecologically effective and active: Starting with electricity consumption, cooling servers, heating offices and dispatching goods, through to waste separation and the energy efficiency of our appliances.
And again and again: measure…
As a company that emphasises the realisation and clear presentation of objectives, Greenbone is already certified according to ISO 9001:2015 (quality management) and ISO 27001:2017 (information security) as well as within the framework of TISAX for the Information Security Management System (ISMS). For ISO 14001, we have concretised our objectives in clearly defined key performance indicators (KPIs) in order to make them available for subsequent measurements. This allows us to readjust existing measures and introduce further improvements. What initially sounds dry is already bearing its first “green” fruits
To make our ecological progress even more sustainable, we keep up to date with regular internal training courses on energy efficiency. In this way, we are helping to make the world even “greener” outside of Greenbone.
Two security vulnerabilities in Sharepoint – both from last year – are currently causing trouble for Sharepoint administrators. Because attackers are increasingly exploiting a combination of the two vulnerabilities, the Cybersecurity Infrastructure Security Agency CISA is now also issuing a warning. Affected customers of the Greenbone Enterprise Feed have been warned since June 2023.
Remote Privilege Execution
The two vulnerabilities CVE-2023-29357 and CVE-2023-24955 together allow attackers to remotely gain administrator rights in a company’s SharePoint server. Details of the attack were published back in September 2023 at the Pwn2Own conference in Vancouver 2023 and can be found on the Singapore Starlabs blog, for example.
Massive attacks have now led to CISA recently issuing a warning about these vulnerabilities and including CVE-2023-29357 in its catalog of known exploited vulnerabilities. However, Greenbone has already had authenticated version checks for both CVEs since around June 2023 and an active check for CVE-2023-29357 since October 2023. Customers of the enterprise products have been receiving these CVEs as a threat for several months – in authenticated and unauthenticated scan mode.
Microsoft advises its customers on its website to update to the SharePoint Server 2019 version of June 13, 2023, (KB5002402), which fixes five critical vulnerabilities, including the first CVE mentioned by CISA. Furthermore, all administrators should install the antivirus software AMSI and activate Microsoft Defender in the SharePoint server. Otherwise, attackers could bypass authentication with fake authentication tokens and gain administrator rights.
Recognising and detecting vulnerabilities in the company at an early stage is important, as the many reports of damaging vulnerabilities show. Greenbone products can take on a lot of work here and ensure security – as a hardware- or as a virtual appliance. The Greenbone Enterprise Feed, which feeds all Greenbone security products, receives daily updates and therefore covers a high percentage of risks.
5 Known Juniper Junos Vulnerabilities Being Actively Exploited
CISA has added 5 CVEs relating to Juniper Junos (aka Junos OS), to its Known Exploited Vulnerabilities (KEV) catalog. The full exploit chain involves combining several lower-severity CVEs to achieve pre-authentication remote code execution (RCE). The 5 CVEs range in severity from CVSS 9.8 Critical to CVSS 5.3 Medium. Greenbone is equipped with vulnerability tests to identify affected systems.
Understanding the timeline of events should help network defenders grasp how rapidly cyber threats can escalate. In this case a proof-of-concept (PoC) was published just 8 days after the vendor Juniper released its security advisory. Security researchers observed active exploitation just 12 days after the disclosure. Still, it was not until several months later that CISA acknowledged active exploitation. Greenbone Enterprise vulnerability feed added detection tests [1][2] for all impacted versions of the two affected product lines (EX Series Series Ethernet Switches and SRX Series Series Services Gateways) on August 18, 2023, immediately after they were disclosed.
Here is a brief description of each CVE:
Understanding The Attack Trajectory
Several of the CVEs listed above are classified as Missing Authentication for Critical Function [CWE-306] vulnerabilities meaning that various functions of the J-Web device management web application do not implement proper authentication checks.
Here is a summary of how these vulnerabilities were chained together for unauthenticated RCE:
The J-Web application is written in PHP which, as the watchTowr researchers noted, is known for its usability at the cost of security. In the case of CVE-2023-36846, J-web’s `webauth_operation.php` file implemented a different method for authentication than the rest of the application. This file instead invokes the `sajax_handle_client_request()` function and submits the value of ‘false’ as the `doauth` parameter, resulting in no authentication being performed. The aforementioned `sajax_handle_client_request()` function is designed to execute J-web’s built-in functions by specifying them as a $_POST variable, including the `do_upload()` function, used to upload files.
CVE-2023-36845 is a vulnerability in the Junos web server that allows system environment variables to be set via the `name` field of an HTTP POST request when a`Content-Type: multipart/form-data` header is used. Two exploits matching the description of CVE-2023-36845 were previously disclosed for the GoAhead IoT web server and tracked as CVE-2017-17562 and CVE-2021-42342, indicating that the Junos web server likely implements the GoAhead proprietary web-server.
Executing the uploaded file is possible by setting the PHPRC environment variable, using it to load an unauthorized PHP configuration `php.ini` file also uploaded via CVE-2023-36846 that contains a malicious `auto_prepend_file` setting directing PHP to execute the first uploaded file every time a page is loaded. Here is the complete example chain
Mitigation Of Recent Juniper Junos Vulnerabilities
The 5 new CVEs affect Juniper Networks Junos OS on EX Series Series Ethernet Switches and SRX Series Series Services Gateways. Specifically Junos OS version 20.4 and prior, 21.1, 21.2, 21.3, 21.4, 22.1, 22.2, 22.3, 22.4 and 23.2 on the EX and SRX Series appliances.
The best mitigation option is to install the security patches to Junos OS. If you cannot install the official provided security patches, completely disabling the J-Web interface, or configuring firewalls with an accept list to restrict access to only trusted hosts can prevent exploitation. In general, strictly limiting access to critical servers and network appliances to only client IP addresses that require access can prevent exploitation of similar yet undiscovered remotely exploitable zero-day vulnerabilities.
Every year, IT and cyber security experts from public authorities, federal, state and local governments as well as the armed forces, police and intelligence services meet for the cyber security congress “Public IT Security” (PITS), initiated by Behoerdenspiegel. In 2023, the topic of vulnerabilities was once again at the top of the agenda.
This year, our CEO Dr. Jan-Oliver Wagner was invited as an expert to take part in the panel discussion “Putting a finger on a wound – managing or closing vulnerabilities?” Moderated by Katharina Sook Hee Koch from the Federal Office for Information Security (BSI), the panel included representatives from the German Informatics Society (Nikolas Becker, Head of Policy & Science), the Bundestag Committee on Digital Affairs (MdB Catarina dos Santos-Wintz, CDU/CSU), the BSI itself (Dr. Dirk Häger, Head of Department Operative Cyber Security) for an exchange of views. Dirk Kunze from the North Rhine-Westphalia State Criminal Police Office (Head of the Cybercrime/Cyber Investigations Department in the Research and Investigation Centre) was present on behalf of the executive.
from left: Catarina dos Santos-Wintz, Dirk Kunze, Katharina Sook Hee Koch, Dr. Dirk Häger, Dr. Jan Oliver Wagner, Nikolas Becker (Photo: Greenbone AG)
Should vulnerabilities be closed? By all means!
The debate quickly centered on the question of whether and how (quickly) vulnerabilities in software should be closed and/or whether this would impair the work of investigative authorities. There was great unanimity among those present that the security of citizens had the highest priority. Keeping vulnerabilities open, even for political reasons, is hardly an option, both for cost reasons (exploits are expensive) and in risk assessment.
On the contrary, open-source software should be strengthened and more rewards (bug bounties) should be offered to experts who actively search for vulnerabilities. The BSI is also firmly convinced: “Basically, vulnerabilities must be closed.” (Häger). In criminal practice, the topic apparently plays a subordinate role anyway: the police, according to the LKA in North Rhine-Westphalia, know of only a few cases where it could have helped to keep vulnerabilities open. However, open vulnerabilities are still seen as a possible element for investigations. But of course, the decision of the politicians will be followed.
Dr. Jan-Oliver Wagner: “Vulnerability management is becoming increasingly important!”
Greenbone CEO Wagner warns that the number of open vulnerabilities will increase rather than decrease in the coming years. This is despite the fact that good progress is being made with regard to security in software development. However, the regulations and thus the pressure on companies by the legislator are also becoming stricter – not necessarily a bad thing, but it does create a need for action: “The upcoming Common Security Advisory Framework (CSAF 2.0) and the EU’s Cyber Resilience Act (CRA), will significantly increase the number of known vulnerabilities.”
The CSAF makes it easier for manufacturers to report vulnerabilities, while the Cyber Resilience Act also brings responsibility to the hoover manufacturer, i.e. to all parts of the economy. If you don’t want to lose track of this, you need vulnerability management like Greenbone’s, explains Wagner. “Upcoming regulations bring the issue of vulnerabilities into all parts of the economy, as now every manufacturer is responsible for the security of the devices and their software, including, for example, manufacturers for hoover robots or other smart household appliances – For the entire life of the product!”
Vulnerability management is risk management
Vulnerability management today is pure risk management for the professional user, as it is already practiced in insurance companies – decisions are made about which vulnerabilities need to be closed and which can or must wait (triage).
This is exactly where our vulnerability management products come in – as a hardware or as a virtual appliance. Greenbone develops an open source vulnerability management and allows users to detect vulnerabilities in their own network infrastructure within a few steps. Our products generate reports with concrete instructions for action that you can implement immediately.
We work strictly according GDPR Compliance and offer an open source solution. This means best data protection compliance and is thus guaranteed free of backdoors.
The job to protect from cyberattacks by minimizing your attack surface demands three essential pillars:
Vulnerability Intelligence
Know everything about vulnerabilities and risks immediately.
Asset Intelligence
Scan all the TCP/IP protocols, dive deep into assets and use other sources of asset details.
Vulnerability Scanning
Create, deploy, and execute vulnerability tests fast and by priority.
Vulnerability Intelligence
Vulnerability Intelligence helps doing two jobs: First you must make a priority decision about what attack vectors you should address and which ones you accept. This decision is not easy and may have a far-reaching impact. Even worse, it has to be made under time pressure and with limited resources. In other words, this decision is (sometimes) a triage. The better the information about the vulnerability the better will be the decision. And the more evidence you get, the less personal educated guess you have to add. Once you decided which attack vectors to address, technical details about the vulnerability intelligence will help as a guide for an efficient remediation. Knowing how easy or complicated a remediation is supports you already during the priority decision.
Asset Intelligence
Asset Intelligence is about knowing as much as possible about the assets that you have to protect from cyber-attacks. It may sound strange but the first part of this is to know which assets you have. Networks can be pretty dynamic because your people are very dynamic about extending and connecting services and devices. Scanning for existence of and scanning into assets is equally important. Both builds your inventory which you will later compare with the incoming vulnerability intelligence on new attack vectors. There are expected details like product versions and there are unexpected details determined only when a security advisory is published. For the first case you build a database allowing quick offline scans upon new advisories. For the latter case you need the ability to use arbitrary TCP/IP protocols to collect the information that are required to determine the presence of a vulnerability. A special case are fictive assets represented by inventories or a Software Bill of Materials, representing for example devices that are subject to the EU Cyber Resilience Act.
Vulnerability Scanning
The art of Vulnerability Scanning begins with the creation of tests, usually derived from Vulnerability Intelligence, and verified thoroughly. The growing number of security advisories makes this also a business of priority decision about which advisories to address first. Learning about the asset inventories of our customer helps us to make this job even better for them. After rapid deployment of the tests the art of vulnerability scanning finishes with a fast, powerful, and easy to deploy set of scanners. In simple words those scanners compare the vulnerability intelligence with asset intelligence to list up the current attack surface. Scanning can be as simple a comparing a version number or as complex as a multi-stage exploit via TCP/IP. In the end of the day the result is a vulnerability status with high relevance and high quality of detection, and so will be your vulnerability remediation and vulnerability reporting.
