Tag Archive for: IT security

Markus Feilner

“Vulnerability management is becoming increasingly important” – Greenbone CEO Dr. Jan-Oliver Wagner at PITS Congress

Every year, IT and cyber security experts from public authorities, federal, state and local governments as well as the armed forces, police and intelligence services meet for the cyber security congress “Public IT Security” (PITS), initiated by Behoerdenspiegel. In 2023, the topic of vulnerabilities was once again at the top of the agenda.

This year, our CEO Dr. Jan-Oliver Wagner was invited as an expert to take part in the panel discussion “Putting a finger on a wound – managing or closing vulnerabilities?” Moderated by Katharina Sook Hee Koch from the Federal Office for Information Security (BSI), the panel included representatives from the German Informatics Society (Nikolas Becker, Head of Policy & Science), the Bundestag Committee on Digital Affairs (MdB Catarina dos Santos-Wintz, CDU/CSU), the BSI itself (Dr. Dirk Häger, Head of Department Operative Cyber Security) for an exchange of views. Dirk Kunze from the North Rhine-Westphalia State Criminal Police Office (Head of the Cybercrime/Cyber Investigations Department in the Research and Investigation Centre) was present on behalf of the executive.

from left: Catarina dos Santos-Wintz, Dirk Kunze, Katharina Sook Hee Koch, Dr. Dirk Häger, Dr. Jan Oliver Wagner, Nikolas Becker (Photo: Greenbone AG)

Should vulnerabilities be closed? By all means!

The debate quickly centered on the question of whether and how (quickly) vulnerabilities in software should be closed and/or whether this would impair the work of investigative authorities. There was great unanimity among those present that the security of citizens had the highest priority. Keeping vulnerabilities open, even for political reasons, is hardly an option, both for cost reasons (exploits are expensive) and in risk assessment.

On the contrary, open-source software should be strengthened and more rewards (bug bounties) should be offered to experts who actively search for vulnerabilities. The BSI is also firmly convinced: “Basically, vulnerabilities must be closed.” (Häger). In criminal practice, the topic apparently plays a subordinate role anyway: the police, according to the LKA in North Rhine-Westphalia, know of only a few cases where it could have helped to keep vulnerabilities open. However, open vulnerabilities are still seen as a possible element for investigations. But of course, the decision of the politicians will be followed.

Dr. Jan-Oliver Wagner: “Vulnerability management is becoming increasingly important!”

Greenbone CEO Wagner warns that the number of open vulnerabilities will increase rather than decrease in the coming years. This is despite the fact that good progress is being made with regard to security in software development. However, the regulations and thus the pressure on companies by the legislator are also becoming stricter – not necessarily a bad thing, but it does create a need for action: “The upcoming Common Security Advisory Framework (CSAF 2.0) and the EU’s Cyber Resilience Act (CRA), will significantly increase the number of known vulnerabilities.”

The CSAF makes it easier for manufacturers to report vulnerabilities, while the Cyber Resilience Act also brings responsibility to the hoover manufacturer, i.e. to all parts of the economy. If you don’t want to lose track of this, you need vulnerability management like Greenbone’s, explains Wagner. “Upcoming regulations bring the issue of vulnerabilities into all parts of the economy, as now every manufacturer is responsible for the security of the devices and their software, including, for example, manufacturers for hoover robots or other smart household appliances – For the entire life of the product!”

Vulnerability management is risk management

Vulnerability management today is pure risk management for the professional user, as it is already practiced in insurance companies – decisions are made about which vulnerabilities need to be closed and which can or must wait (triage).

This is exactly where our vulnerability management products come in – as a hardware or virtual appliance or in the Greenbone Cloud Service. Greenbone develops an open source vulnerability management and allows users to detect vulnerabilities in their own network infrastructure within a few steps. Our products generate reports with concrete instructions for action that you can implement immediately.

We work strictly according GDPR Compliance and offer an open source solution. This means best data protection compliance and is thus guaranteed free of backdoors.


Contact Free Trial Buy Here Back to Overview

/by
Jan-Oliver Wagner

Cyber attacks are like earth quakes

Earth quakes and cyber attacks have much in common. First: The forces are outside of our control and we can not prevent them to happen.

Second: We are not helplessly at the mercy. We can install early warning, minimize destructive effect and recover quickly. But only if we act BEFORE it happens.

Sure, earth quakes are about human live and cyber attacks are so far usually not. Yet I think this comparison is important in order to make it easier to understand the significance of cyber attacks the the options for action.

Of course there are also differences and the most striking one to me is the average frequency of occurence. This vivid direct comparison shows the parallels:

We have no technology to prevent them to happen, but… Earth quake Cyber Attack
We have prognosis models where they happen most likely Tectonic models Vulnerability intelligence

We have sensors that provide early warnings shortly before it happens

(sometimes they fail though with false positive and false negatives)

 Seismographs Vulnerability scanning and threat intelligence
We have a scale to compare events about potential damage

Richter magnitude scale: Ranges from 1.0 to 9.9

  • Sometimes the effect is just shaking indoor objects and sometimes it is collapse of buildings

Severity Score: Ranges from 0.1 to 10.0

  • Sometimes you have some extra network load and sometimes a remote administrative exploit.
…you can do something to minimize negative impact:
Make you infrastructure stable against this type of force

Obligatory architecture designs

  • Overview and controlling of compliance

Obligatory security policies

  • detection and limitation of attack surface:
  • Vulnerability testing and remediation
  • Vulnerability management and compliance
Have trained teams ready to help recover quickly when it happens
  • Central command center and
  • distributed on-site medical and repair teams
  • Processes and and regular trainings thereof
  • Security operation center and distributed system administrator
  • Dev-ops or suppliers for operational support
  • Processes and and regular trainings thereof
Make all people aware on how to save their lives best when it happens
  • Understandable training materials and
  • regular awareness trainings
  • Understandable training materials and
  • regular awareness trainings


Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

Master’s thesis: Automated vulnerability detection and response in the network perimeter

The long-standing cooperation between Greenbone AG and the University of Osnabrück has once again resulted in a successful master’s thesis.

Under the title “Development of an Automated Network Perimeter Threat Prevention System (DETERRERS)”, Nikolas Wintering wrote his master’s thesis in the Mathematics, Physics, and Computer Science working group of the Department of Mathematics/Computer Science at the University of Osnabrück, developing a system for automated threat prevention at the network perimeter of a university campus network.

Particularly at risk: universities

Universities are vibrant centers of information exchange and collaboration; with their numerous hosts and a multitude of services, they offer a large attack surface for cyber threats. It is therefore enormously important for educational institutions to identify vulnerable points and automatically isolate them from the internet.

Automated vulnerability management

By automating the interactions between administrators, vulnerability scanners, and perimeter firewalls, administrators are thus supported in their work, and the university IT network is protected. Part of the system developed in the master’s thesis is also the automation of the risk assessment of the vulnerability scan results and the generation of host-based firewall configurations.

“Through the use of DETERRERS and the associated adaptation of the release processes, the security in the university network could be massively improved with very little additional effort for administrators. With the automated mitigation, it is also possible to react to new threats at short notice and thus quickly close a potential new attack surface without long manual runtimes.”
Eric Lanfer, M. Sc. (Osnabrück Computing Center, Networks Group)

Practical application and a free demonstrator

Based on a practical application in a campus network, Wintering evaluates how the risk assessment works, how the attack surface is reduced, and what effects the system has on the work of administrators. In the process, a demonstrator was also created, whose source code and functionality can be viewed and tested by interested parties on GitHub. In the long term, a continuation as an open-source project is planned.

“This is a very successful work with clear added value for practice. Making efficient security mechanisms usable in everyday life is often a big challenge, and this master’s thesis makes very convincing contributions to this.”
Prof. Dr. rer. nat. Nils Aschenbruck (University of Osnabrück, Institute of Computer Science, Distributed Systems Group)

Greenbone: experts for universities and more

Greenbone has been supplying numerous customers in the university environment with vulnerability management products for many years. Thanks to this extensive experience, we have always been able to identify and collect industry-specific requirements and incorporate them into the further development of our products.

The University of Osnabrück uses the Greenbone Enterprise Appliance 450, and we very much welcome the fact that this solution has now become part of a master’s thesis. We congratulate Nikolas Wintering on this successful scientific evaluation.


Contact Free Trial Buy Here Back to Overview

/by
Britta Zurborn

PITS 2023 Public IT Security

20 – 21 September 2023 | Berlin.

This year we are participating in Germany’s specialist congress for IT and cyber security for the state and administration.

Dr. Jan-Oliver Wagner, Greenbone, will speak together with

Dr. Dirk Häger, Head of Operational Cybersecurity Department, Federal Office for Information Security
Carsten Meywirth, Head of Cybercrime Department, Federal Criminal Police Office
Nikolas Becker, Head of Policy & Science, German Informatics Society and
Catarina dos Santos-Wintz, Member of the German Bundestag (CDU/CSU) and member of the Committee for Digital Affairs

on: 21.09.2023
at: 9:20 am

in the main program about the topic: Putting a finger in the wound – managing or closing vulnerabilities?

Visit us in our lounge at stand 43 and exchange views with our experts on vulnerability management and cyber security.

More: https://www.public-it-security.de/anmeldung/


Contact Free Trial Buy Here Back to Overview

/by
Elmar Geese

Cyber Resilience Act makes vulnerability management mandatory

We live and work in the digital world. The issue of cybersecurity therefore affects us all – both companies and government administrations, as well as each and every one of us. This applies not only to our own direct use of digital systems, but also – sometimes even in particular – where others provide us with digitalized services that are sometimes desirable, but also irreplaceable. It becomes existential at the latest where we depend on critical infrastructure: Water, electricity, health, security and some more.

As technical networking increase, nearly every digital device becomes a potential gateway for cyberattacks. Cybersecurity is therefore a technical, social and consumer issue.

The German government sensibly relies on (quote from the coalition agreement of the SPD, Bündnis 90 / Die Grünen and the FDP) “effective vulnerability management, with the aim of closing security gaps”. To establish a general resilience against cyber-attacks in Europe, the EU has launched the Cyber Resilience Act (CRA)

Cyber Resilience Act makes vulnerability management mandatory

In the Cyber Resilience Act (CRA), the EU member states have agreed on a common position – this was announced by the Council of the EU in a press release at the end of July and reports optimistically:
“An agreement that advances EU’s commitment towards a safe and secure digital single market. IoT and other connected objects need to come with a baseline level of cybersecurity when they are sold in the EU, ensuring that businesses and consumers are effectively protected against cyber threats. This is an important milestone for the Spanish presidency, and we hope to bring forward negotiations with the Parliament as much as possible.”
(https://www.consilium.europa.eu/en/press/press-releases/2023/07/19/cyber-resilience-act-member-states-agree-common-position-on-security-requirements-for-digital-products/)

The CRA is intended to anchor digital security sustainably in Europe through common cybersecurity standards for networked devices and services. Thus, the CRA not only has a high impact on the manufacturers of digital devices, the EU is also creating a new, norm-setting standard. As an IT security company, we have been supporting our customers in achieving the best possible security standard for 15 years. We see the new standardization by the CRA as an opportunity and are happy to help our customers to use it for even more security.

Continuously demonstrate safety

The new CRA regulations on vulnerability handling and detection, which are intended to “ensure the cybersecurity of digital products … and regulate obligations of economic operators such as importers or distributors with regard to these procedures”, pose challenges for many companies. Using tools such as Greenbone’s vulnerability management makes it much easier to comply with the new requirements. This also goes as far as checking whether suppliers, for example, meet the required and assured safety standards.

More responsibility

Companies are called upon by the CRA to carry out regular, permanent and sustainable vulnerability analyses and to have external audits carried out for products classified as “critical”. This can be especially difficult for older products. Greenbone also helps because we can examine such products, which are often imperfectly documented, even while they are in operation.

Where our customers already do this regularly, they are able to act quickly and gain valuable time to mitigate potential risks.

Become active now

The CRA introduces rules to protect digital products that were not previously covered by law, so companies face new and major challenges that affect the entire supply chain.

We can help you meet the requirements. the Greenbone Vulnerability Management product series, the Greenbone Enterprise Appliances enable compliance with the CRA – on premise or from the cloud. Our experts will be happy to advise you.


Contact Free Trial Buy Here Back to Overview

/by
Elmar Geese

OSB Alliance study on the use of open source software: What about security?

For this study commissioned by the OSB Alliance, Dr. Mark Ohm investigated how the security of open source and proprietary software can be evaluated and improved in perspective.

The development of information technology in the last decades is remarkable: The path begins with helpful support functions in computational and data-heavy processes and leads us to the dominant technology of the present and future, without which nothing works. In the process, attention is increasingly shifting from the devices we need to use this technology to the software we use to benefit from the devices and its risks.
Complex software systems that increasingly intervene in our society – that’s what we call digitalisation. Whether we are talking about industrial applications, social media or artificial intelligence, there is always software behind it. And this brings the security and trustworthiness of software systems, on which we are increasingly dependent, to the fore.

The role of security in software development

Well over 90% of all software contains open source – including proprietary products. The security of open source therefore concerns all software producers and users today. If we want security, we have to be able to check it. Software development is evolving, tools are integrating more and more protection mechanisms, and the ability to check for vulnerabilities is improving. At the same time, the number of vulnerabilities and attacks is also increasing.

New risks are emerging, and we have no choice but to face them. We have implemented many protective mechanisms for this at Greenbone, and integrated them into our certified security management. Also because, as a provider of security products, we deal with vulnerabilities more intensively than other companies, we have a special motivation and expertise in this area. We also know that not all risks can be discovered and eliminated during software development, but that software and systems must also be monitored and tested during operation. That is what we are here for with our products.

Our role in improving security

We want to make the IT world safer. We would like to contribute to this with our products, but also with the support of this study.

Please find the complete study here.


Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

Federal, state and EU governments invest millions in cybersecurity funding

Starting in 2024, the EU plans to spend one billion euros on the “Cybersolidarity Act”, and North Rhine-Westphalia is funding institutions that invest in IT security and hazard prevention with more than 70 million euros: Anyone who has not yet put the topic of vulnerability management on their agenda should do so as soon as possible – and take advantage of the funding that has been made available.

The EU will invest massively in vulnerability management: According to a DPA report, the Commission wants to “establish national and cross-border security centres across the EU” that will use artificial intelligence (AI) and data analysis to detect and report cyber threats and incidents in a timely manner.”
A “European Cybersolidarity Act” is to be, achieved to “strengthen the EU’s capabilities for effective operational cooperation, solidarity and resilience”, concretely this means “creating a secure digital environment for citizens and businesses and protecting critical facilities and essential services such as hospitals and public utilities.”

Concrete plans

The law provides for a cyber emergency mechanism, preparedness measures, the creation of a new EU cyber security reserve and financial support for mutual administrative assistance, as well as the creation of an “EU Cyber Security Skills Academy” (on the EU’s Digital Skills & Jobs platform). Two thirds of the 1.1 billion will be financed through the “Digital Europe” programme.

70 million in funding from NRW

However, the increasing attacks on critical infrastructures, authorities and companies are not leaving the governments of the federal states idle. The federal state of North Rhine-Westphalia, for example, is setting a good example: the black-green state government under Science Minister Brandes (CDU) is now concretely offering to support day-care centres, schools and universities not only with energy prices, but also with 77 million euros in cybersecurity in the same package. According to dpa, this includes many different aspects, from IT systems such as firewalls or two-factor authentication to emergency power generators and locking systems, but also “more personnel” in the field of cybersecurity. Existing funding pots for IT security, for example digital-sicher.nrw, remain unaffected.

Funding from the federal government and other states

The federal government is also currently providing support for security-conscious entrepreneurs and managers: the BMWK is currently setting up a transfer office for IT security in the economy, whose funding office is to provide targeted support for small and medium-sized enterprises. In Bavaria, which is dominated by the election campaign, information can be found at Bayern Innovativ or at the IT Security Cluster. Hesse boasts of offering a “nationwide unique support for small and medium-sized enterprises against cyber attacks”, and in Baden-Württemberg, they not only support AI cybersecurity projects, but in January they also launched half a million euros in funding for SMEs that want to invest in cybersecurity.

Greenbone’ support for cybersecurity

We at Greenbone have created a solution with the Greenbone Enterprise Appliances that closes this gap and ensures cybersecurity. Potential vulnerabilities are found before they are exploited. The vast majority of vulnerabilities that lead to damage in IT infrastructures are not new, but have been known for more than a year. What is often missing are solutions that offer active security by detecting such vulnerabilities before they are exploited by attackers, prioritising them and making suggestions for their elimination. This is exactly what Greenbone has been doing very successfully for over 10 years.

The Greenbone Enterprise Appliances offer solutions for different needs, adaptable to the individual company size in the form of a hardware solution, a virtual solution or a cloud solution as a managed service. In addition, the package includes an all-round service from support with the application for funding and implementation to data analysis and remediation of vulnerabilities. Find out more about Greenbone’s cybersecurity here.


Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

BSI warns: Log4J remains a problem

Even more than two years after the first problems with Log4j became known, many scenarios are apparently still running unpatched versions of the logging library.

Greenbone’s products help – especially in detecting outdated software.

No one should take Log4j lightly as a done deal just because the vulnerability (CVE 2021-44228) has actually been fixed for a year and a half. That is the conclusion of an event at the end of March in which the German Federal Office for Information Security (BSI) issued an urgent warning. The vulnerability affected Log4j versions 2.0 to 2.14.1 and allowed attackers to execute their own programme code on target systems and compromise third-party servers. Greenbone’s products have detected the Log4j vulnerabilities since December 2021 and can therefore warn administrators.

Under the title “Log4j & Consequences” in the series “BuntesBugBounty“, the BSI spoke with Christian Grobmeier from the Log4j team and Brian Behlendorf from the Open Source Security Foundation (OpenSSF). Shockingly, more than a third of the downloads on the Log4j website still add up to outdated versions that do not contain the important patch – it can be assumed that numerous systems in companies are still vulnerable.

This is mainly due to third-party software that Log4j embeds or integrates via software distribution – which is not at all surprising to Grobmeier, because that is how the supply chain works with open-source software. According to the Log4J developer, nothing can be changed in the near future.

This is also confirmed by the Open SSF: for Behlendorf, only stricter liability for software producers could be helpful, as is already being considered in the USA. Without fundamentally new approaches, the problems are unlikely to change.

Those who nevertheless want to protect themselves permanently against attacks on known vulnerabilities that have already been patched should take a look at Greenbone’s products. Only professional vulnerability management gives administrators an overview of outdated software versions and unpatched gaps in the company’s systems – and thus creates the basis for further security measures.

The development of vulnerability tests is a key activity at Greenbone and a continuous process that ensures the high quality of the products and thus the high benefit for customers. Security checks are carried out every day and vulnerability tests are developed and integrated into the products daily as well, prioritized by the security situation. In the case of critical security warnings, as with Log4j, Greenbone reports on the current status, the facts and how to deal with them, for example in the blog posts about Log4j.


Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

Orange Security Report: Many old vulnerabilities still open

According to the latest study by Orange Security, 13 percent of the vulnerabilities found in today’s corporate networks were already known in 2012, and almost half of all gaps are more than five years old – and the trend is increasing. Professional vulnerability management such as the Greenbone product family can provide a remedy.

The Orange Security Navigator takes a look at the current threat situation on many pages every year. In the latest edition, the security software manufacturer comes to astonishing insights regarding the age of vulnerabilities in companies. The oldest risks have existed for 20 years or more, writes Orange, and patching is also taking longer and longer.

Even recently, problems that were actually fixed long ago filled the headlines: A security hole in VMWare’s ESXi server, which had been closed for years, was actively exploited by attackers. According to the German Federal Office for Information Security (BSI), thousands of servers were infected with ransomware and encrypted – details here in the Greenbone blog.

Orange Security can also sing from the same song: “Our pentesters find vulnerabilities that were first identified in 2010 (…) [and] problems whose causes go back to 1999. (…) This is a very worrying result.” In the case of the ESXi incident, the vulnerability had already been closed by the manufacturer in February 2021, but not all users had applied the necessary updates – which is exactly where Greenbone’s products help by actively scanning your systems for known, open vulnerabilities.

This is becoming increasingly important because, even according to Orange, more and more critical gaps are sometimes open for six months or longer, In recent years, the average time to a fix has increased by 241 percent. While patching of serious vulnerabilities is on average one-third faster than for less critical threats, the maximum time required to apply a patch is a concern: “Whether critical or not, some patches take years to apply.

Only one-fifth of all vulnerabilities found are fixed in less than 30 days, the study explains, while 80% remain open for more than a month. On average, it takes a full 215 days for gaps to be closed. Of the vulnerabilities waiting 1000 days for a patch, 16% were classified as severe, with three-quarters of medium threat, it said. In the case of the ESXi vulnerability, there has been an alert for two years, a high-risk classification and also a patch to fix it. Despite this, a large number of organizations have been successfully attacked by exploiting the vulnerability.

The problem is well known: Calls for vulnerability and patch management from data protection regulators, for example, are a regular occurrence. “I look at the topic of information security with concern. On the one hand, many organizations still haven’t done their homework to eliminate known vulnerabilities in IT systems – the data breach reports show us how such vulnerabilities are exploited again and again, and often data can be leaked.” Marit Hansen, Schleswig-Holstein State Commissioner for Data Protection, February 2022.

When it comes to cybersecurity, companies face major challenges, she said: More than 22 vulnerabilities with CVE are published every day, with an average CVSS score of 7 or more, she said. Without professional vulnerability management, this can no longer be handled, Orange also explains.

This makes the early detection and recording of vulnerabilities in the company all the more important. Greenbone products can take a lot of the work out of this and provide security – as a hardware or virtual appliance or as a cloud service. The Greenbone Enterprise Feed, from which all Greenbone security products are fed, receives daily updates and thus covers a high percentage of risks. Our security experts have been researching the topic for over 10 years, so we can detect risks even in grown structures.

Vulnerability management is an indispensable part of IT security. It can find risks and provides valuable information on how to eliminate them. However, there is no such thing as one hundred percent security, and there is no single measure that is sufficient to achieve the maximum level of security – vulnerability management is an important building block. Only the totality of the systems deployed, together with comprehensive data protection and cyber security concepts, is the best possible security.


Contact Free Trial Buy Here Back to Overview

/by
Elmar Geese

Follina (CVE-2022-30190): Greenbone’s Feeds Offer Protection

Once again, a flaw has surfaced in Microsoft Office that allows attackers to remotely execute malicious code on the systems of attacked users using manipulated documents. Known as Follina, CVE-2022-30190 has been known for years, but Microsoft has not fixed it to date. Greenbone has added an appropriate vulnerability test to their feeds to detect the new Follina vulnerability in Microsoft Office.

Follina Requires Immediate Action

The CVE named “Follina” is critical and requires immediate action: just opening Microsoft Word documents can give attackers access to your resources. Because a flaw in Microsoft Office allows attackers to download templates from the Internet via ms-msdt:-URI handler at the first click, attackers can create manipulated documents that, in the worst case, can take over entire client systems or spy on credentials.

According to Microsoft, the “protected view” offers protection. However, because users can deactivate this with just one click, the US manufacturer advises deactivating the entire URL handler via a registry entry. As of today, all Office versions seem to be affected.

Greenbone Enterprise Feed Helps and Protects

The Greenbone Enterprise Feed and the Greenbone Community Feed now contain an authenticated check for Microsoft’s proposed workaround, helping you to protect yourself from the impact of the vulnerability. Our development team is monitoring the release of Microsoft patches and recommendations for further coverage. We will inform about updates here on the blog.

Securing IT Networks for the Long Term

If you want to know which systems in your network are (still) vulnerable to vulnerabilities – including the critical vulnerability associated with CVE-2022-30190– our vulnerability management helps you. It applies to systems that definitely need to be patched or otherwise protected. Depending on the type of systems and vulnerability, they can be found better or worse. Detection is also constantly improving and being updated. New gaps are found. Therefore, there may always be more systems with vulnerabilities in the network. Thus, it is worthwhile to regularly update and scan all systems. For this purpose, Greenbone’s vulnerability management offers appropriate automation functions.

Vulnerability management is an indispensable part of IT security. It can find risks and provides valuable information on how to eliminate them. However, no single measure, including vulnerability management, offers 100 % security. To make a system secure, many systems are used, which in their entirety should provide the best possible security.

Contact Free Trial Buy Here Back to Overview
/by