Patch Tuesday not Done ’til LINUX Won’t Run?
Redmond reboot redux: “Something has gone seriously wrong.” You can say that again, Microsoft.
The post Patch Tuesday not Done ’til LINUX Won’t Run? appeared first on Security Boulevard.
A survey of 300 application and software development, IT and security leaders finds nearly half (45%) working for organizations that, in the past year, have experienced a cybersecurity incident involving a third-party software-as-a-service (SaaS) application.
The post Survey Surfaces Growing SaaS Application Security Concerns appeared first on Security Boulevard.
In API security, organizations frequently encounter a tough decision: whether to opt for the flexibility and scalability of a SaaS solution or the data control and privacy of an on-premises deployment. Salt Security's hybrid deployment option provides a solution that combines the advantages of a SaaS solution with the assurance of data privacy, offering the best of both worlds for organizations.
The Challenges of Traditional Deployment Models
Salt Security's hybrid deployment option balances the advantages of SaaS and on-premises solutions. It combines a local, self-contained "edge" component called the Hybrid Server with the power of the Salt AI-infused platform.
Salt Security offers a hybrid deployment option that provides a solution for organizations looking to balance SaaS's advantages with data privacy and control requirements. By merging local data processing with a cloud-based AI/ML platform, Salt Security delivers a robust and adaptable API security platform that can cater to any organization's needs.
If you want to learn more about Salt and how we can help you on your API Security journey through discovery, posture management, and run-time threat protection, please contact us, schedule a demo, or check out our website.
The post Hybrid API Security: The Best of Both Worlds appeared first on Security Boulevard.
After nearly three months, Linux kernel 6.9 has officially reached the end of life on August 2nd, 2024. If you are currently running this EOL kernel version, it’s time to consider upgrading to the latest Linux kernel 6.10 or a long-term support (LTS) version to maintain system security and stability. Greg Kroah-Hartman, a renowned Linux […]
The post Time to Upgrade: Linux Kernel 6.9 is End of Life appeared first on TuxCare.
The post Time to Upgrade: Linux Kernel 6.9 is End of Life appeared first on Security Boulevard.
SANTA CLARA, Calif., August 21, 2024 – We are thrilled to announce that NSFOCUS has been recognized for the fourth consecutive year in Gartner’s esteemed 2024 Market Guide for Security Threat Intelligence Products and Services. This accolade is a testament to our enduring commitment to delivering advanced threat intelligence solutions that safeguard our clients against […]
The post NSFOCUS Honored as a Representative Vendor in Gartner’s 2024 Market Guide for Security Threat Intelligence Products and Services appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.
The post NSFOCUS Honored as a Representative Vendor in Gartner’s 2024 Market Guide for Security Threat Intelligence Products and Services appeared first on Security Boulevard.
The Zenbleed vulnerability exploits a flaw in the speculative execution mechanism of AMD Zen 2 CPUs. It affects the entire Zen 2 range, even extending to AMD’s EPYC data center chips. As of July 2024, AMD has released several microcode updates to address the Zenbleed vulnerability. Some information found in this blog post has been […]
The post The Zenbleed Vulnerability: How to Protect Your Zen 2 CPUs appeared first on TuxCare.
The post The Zenbleed Vulnerability: How to Protect Your Zen 2 CPUs appeared first on Security Boulevard.
UK political donation sites are highly vulnerable to bot attacks and fraud, risking donor information and campaign funds.
The post Security Alert: U.K. Political Donation Sites at Risk appeared first on Security Boulevard.
Cybersecurity researchers at Sonar have recently uncovered Roundcube flaws pertaining to Webmail software. Threat actors can exploit these Webmail software security flaws to execute malicious JavaScript code and steal emails and passwords. In this article, we dive into details of the potential exploits and uncover the vulnerabilities involved. Let’s begin! Roundcube Flaws: Initial Discovery And […]
The post Alert: Roundcube Flaws Put User Emails And Passwords At Risk appeared first on TuxCare.
The post Alert: Roundcube Flaws Put User Emails And Passwords At Risk appeared first on Security Boulevard.
McAfee today added a tool to detect deep fakes to its portfolio that will initially be made available on PCs from Lenovo that are optimized to run artificial intelligence (AI) applications.
The post McAfee Unveils Tool to Identify Potential Deep Fakes appeared first on Security Boulevard.
After spending over 15 years in the cybersecurity field, working across various roles, and witnessing the evolution of cyber threats, I’ve developed a deep passion for protecting organizations from ever-evolving digital risks. My journey has taken me through the intricacies of threat detection, incident response, identity management, and cloud security. Recently, I decided to join …
The post Why I Joined Balbix: Embracing the AI-Powered Future of Cybersecurity appeared first on Security Boulevard.
Black Hat 2024 tackled global challenges, with briefings that dived into the depths of emerging threats and an undeniable focus on data breaches.
The post Black Hat USA 2024: Key Takeaways from the Premier Cybersecurity Event appeared first on Security Boulevard.
Authors/Presenters:Sen Deng, Mengyuan Li, Yining Tang, Shuai Wang, Shoumeng Yan, Yinqian Zhang
Many thanks to USENIX for publishing their outstanding USENIX Security ’23 presenters’ content, and for the organization’s strong commitment to Open Access. Originating from the conference’s events at the Anaheim Marriott, and via the organization’s YouTube channel.
The post USENIX Security ’23 – CipherH: Automated Detection of Ciphertext Side-channel Vulnerabilities in Cryptographic Implementations appeared first on Security Boulevard.
Identities are both the weapons and the targets. Without vigilant protection and strategic oversight, identities can be gateways to your crown jewels.
The post Identity Crisis: Hidden Threats In Digital Infrastructure appeared first on Security Boulevard.
Managed Kubernetes is a service offered by cloud providers, such as Amazon Web Services (AWS), Microsoft Azure (Azure), and Google Cloud Platform (GCP) that simplifies the deployment, management, and scaling of Kubernetes clusters. These cloud providers each offer their own “flavor” of managed K8s: Microsoft’s Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), and Google Kubernetes Engine (GKE). All of these services provide powerful capabilities that make it easier to deploy Kubernetes. Fairwinds Managed Kubernetes-as-a-Service is a people-led offering that manages the entire underlying Kubernetes platform and all the third-party tooling organizations need to make the most of K8s’ powerful capabilities.
The post What You Get with AKS, EKS, GKE vs. Managed Kubernetes-as-a-Service appeared first on Security Boulevard.
via the respected Software Engineering expertise of Mikkel Noe-Nygaard and the lauded Software Engineering / Enterprise Agile Coaching work of Luxshan Ratnaravi at Comic Agilé!
The post Comic Agilé – Mikkel Noe-Nygaard, Luxshan Ratnaravi – #304 – Fail Fast appeared first on Security Boulevard.
When it comes to on-premises database activity monitoring (DAM), security teams have consistently relied on agents to seamlessly track all incoming requests and outgoing responses within the databases. The agent-based approach effectively ensures independent monitoring of database activity, regardless of the specific database system and the database administrator (DBA). This results in a system that […]
The post Agentless is a DAM Better Option for Securing Cloud Data appeared first on Blog.
The post Agentless is a DAM Better Option for Securing Cloud Data appeared first on Security Boulevard.
Ignoring low-risk secrets in GitGuardian? This could be a costly mistake. Learn how to avoid the hidden dangers of prematurely closing incidents.
The post From False Positives to Potential Breaches: The Risks of Prematurely Closing Incidents appeared first on Security Boulevard.
Cary, North Carolina, 20th August 2024, CyberNewsWire
The post INE Security Alert: The Steep Cost of Neglecting Cybersecurity Training appeared first on Security Boulevard.
Authors/Presenters:Yoochan Lee and Jinhan Kwak, Junesoo Kang, Yuseok Jeon, Byoungyoung Lee
The post USENIX Security ’23 – Pspray: Timing Side-Channel Based Linux Kernel Heap Exploitation Technique appeared first on Security Boulevard.
This is the second post in a series on Identity-Driven Offensive Tradecraft, which is also the focus of the new course we will launch in October. In the previous post, I asked, “How does one discover and abuse new attack paths?” To start answering this question, I made two key arguments:
In this post, I will share a framework I developed for discovering known and unknown attack paths.
Does Clean Source Violation Necessarily Introduce an Attack Vector?
We’ve already established that attack paths are a chain of control relationships with at least one Clean Source Principle violation, but is the opposite also true? Does every Clean Source violation necessarily create an attack path? Logic suggests the answer is “no”, but let’s see why.
The reason lies in the “control” definition. In our context, we define “control” as a relationship that can contribute to compromising the target resource or impacting its operability. I previously explained that I chose the words “contribute to compromising or impacting” rather than “compromise or impact” because we sometimes need to abuse more than one security dependency to fully compromise or impact the target. For example, if multi-factor authentication (MFA) is enforced on an account, we must abuse both authentication factors to gain control.
Therefore, the conclusion was that a set of one or multiple security dependencies can control a resource that depends on it. I’ll note that not every control prerequisite is necessarily a security dependency. For example, you need to establish a connection to a remote host/service to control it, but a network connection is not a security dependency and shouldn’t be a security boundary, at least not in $CurrentYear.
Attack Path Criteria
Two criteria determine whether a set of security dependencies violating the Clean Source Principle introduces an attack path:
I’m not adding the Clean Source violation as a criterion because it is implied and I’ll address it later.
Both criteria are binary, so we can represent security dependencies in a 2x2 matrix:
The top left quadrant is where we want to be: both criteria are met, so any Clean Source violation we identify is abusable. Paths BloodHound finds are in that quadrant — that’s the easy part. The challenge is bringing everything else into that quadrant. How do we achieve that?
Attack Path Discovery Framework
Define Target
There are generally two approaches for discovering attack paths:
The latter is more suitable for this framework but requires a well-defined target or targets. As attackers, we would derive that from our red team objectives. The former can also serve a purpose, especially earlier on, for gaining situational awareness.
Map Security Dependencies
Performing reconnaissance, enumeration, and discovery helps discover what is present in an environment and identify the target’s direct and transitive security dependencies. This activity represents an upward shift from the bottom quadrants to the top quadrants.
The bottom left quadrant represents known tradecraft, which is typically easier to discover. For example, we can run SharpHound and AzureHound to collect and ingest data into BloodHound. BloodHound can’t provide complete coverage of all known offensive tradecraft, so other enumeration tools and discovery techniques must be utilized.
The bottom right quadrant represents unknown tradecraft. It could be commodity, off-the-shelf technologies that we, as operators or as a community, don’t know how to abuse. It could also be proprietary/bespoke technologies for the target organization. Discovering those can be more challenging, as it requires more manual research and reconnaissance, which could involve scouring internal documentation and analyzing artifacts. Moving from the bottom right quadrant to the top right quadrant is essentially learning how things work, which is what hacking used to be all about.
Relying solely on existing tooling would completely ignore the bottom right quadrant and likely guarantee missing attack paths. Custom-built solutions and less commonly used technologies are typically more prone to vulnerabilities. Also, even if the target organization uses only stock technologies, we still need to learn how they are used to map their security dependencies. Remember that security dependencies are found not only in technology but also in people and processes, and those are almost always unique to the target organization.
Weaponize for Control
The second criterion is knowing how to abuse the security dependencies to gain control of the dependent resource. Learning or developing the required attack primitives represents a leftward shift from the right quadrants to the left quadrants.
When targeting commodity, off-the-shelf technology, if new attack primitives are required, it is achieved through security research and tradecraft development. However, there is a plethora of known attacks against stock technologies and because the criterion is “knowing” how to abuse security dependencies to gain control, it can also be achieved through learning (did I mention we are launching a new course about identity-driven offensive tradecraft?). The bottom right quadrant represents such activities because we learn and develop tradecraft while not knowing if it is present in the target environment.
When targeting internally developed solutions, security assessments, red team operations, and penetration testing help discover attack primitives for abusing the technology and, as I mentioned, the people and processes. The top right quadrant represents this activity because we know the people, processes, and technology are present in the target environment, and we develop the required attack primitives with a specific target in sight.
Identify Clean Source Violations
Now that we have a clear view of the target’s security dependencies and know how to abuse them to gain control, we need to identify Clean Source violations. Remember, security dependencies always exist, but without a Clean Source violation, they are not an attack path. There is nothing wrong with Domain Admins having admin access to a domain controller (DC); that is expected behavior.
We’re looking for a security dependency that is less trustworthy than the dependent resource, so the obvious next step is to assign a trustworthiness level to every node. We’ll keep it simple by using only three levels:
Let’s consider the following scenario:
The Production DB Server is the target. It has two security dependencies: the Domain Admins group and another dependency that we don’t know how to abuse. Because we don’t know how to abuse it, it does not meet the attack path criteria, so we can disregard it. The DA User is a member of the Domain Admins group and has a session on a compromised workstation.
Now, we can assign trustworthiness levels to the dependencies. The trustworthiness should be assigned based on the security controls enforced on the dependency. Domain Admins are more trustworthy than the target and can be marked green. In line with the Clean Source Principle, security best practices dictate that Domain Admins must use Privileged Access Workstations (PAW) because normal workstations lack the security controls required to protect privileged accounts. Therefore, the Compromised Workstation can be marked red.
What about the DA User? You could argue that it is missing a security control preventing it from establishing a session on a less trustworthy workstation, and therefore it is less trustworthy than the Domain Admins group. Members of the Domain Admins group should log into Privileged Access Workstations (PAW) only. It could also be that, despite that, the DA User is still more trustworthy than the target. Regardless, the Compromised Workstation is less trustworthy, and it is sufficient for introducing an attack path.
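To make the two criteria and the trust levels concrete, here is a small model of the scenario above as a graph of control relationships. This is an added example, not SpecterOps code or BloodHound logic: each control edge carries the two binary criteria (known to be present in the target environment, known how to abuse), every node gets a trust level, and an attack path is any chain of abusable edges from a foothold to the target that contains at least one edge whose source is less trustworthy than its destination. The node names, the numeric trust values, the middle (yellow) level and the "Unknown Dependency" placeholder are constructed for the example; the post names only green and red.

```python
"""Added example: toy model of the post's attack-path criteria and trust
levels. Not SpecterOps code; the nodes, edges and trust values below are
constructed to mirror the Production DB Server scenario in the post."""
from __future__ import annotations

from dataclasses import dataclass, field

# The post keeps three trust levels; green and red are named in the text,
# the middle value is an assumption here. Higher is more trustworthy.
RED, YELLOW, GREEN = 0, 1, 2


@dataclass(frozen=True)
class Control:
    """A 'control' relationship: `source` can contribute to compromising
    `target`. The two booleans are the post's binary criteria."""
    source: str
    target: str
    present: bool = True       # known to be present in the target environment
    known_abuse: bool = True   # we know how to abuse it to gain control

    def quadrant(self) -> str:
        """Position in the post's 2x2 matrix: top = known present, bottom =
        not yet discovered; left = known tradecraft, right = unknown."""
        row = "top" if self.present else "bottom"
        col = "left" if self.known_abuse else "right"
        return f"{row}-{col}"

    def abusable(self) -> bool:
        """Both criteria met: the top-left quadrant."""
        return self.present and self.known_abuse


@dataclass
class Environment:
    trust: dict[str, int]
    controls: list[Control] = field(default_factory=list)

    def add(self, source: str, target: str, **flags: bool) -> None:
        self.controls.append(Control(source, target, **flags))

    def clean_source_violation(self, c: Control) -> bool:
        """A dependency that is less trustworthy than the resource depending on it."""
        return self.trust[c.source] < self.trust[c.target]

    def attack_paths(self, foothold: str, target: str) -> list[list[str]]:
        """Every chain of abusable controls from `foothold` to `target` that
        contains at least one Clean Source violation. Chains of expected,
        non-violating control (e.g. Domain Admins -> DC) are not returned."""
        found: list[list[str]] = []

        def walk(node: str, path: list[str], violated: bool) -> None:
            if node == target:
                if violated:
                    found.append(path)
                return
            for c in self.controls:
                if c.source != node or c.target in path or not c.abusable():
                    continue
                walk(c.target, path + [c.target],
                     violated or self.clean_source_violation(c))

        walk(foothold, [foothold], False)
        return found


def post_scenario() -> Environment:
    """The Production DB Server scenario from the post, as constructed data."""
    env = Environment(trust={
        "Production DB Server": YELLOW,
        "Domain Admins": GREEN,
        "DA User": GREEN,              # debatable per the post; see the test below
        "Compromised Workstation": RED,
        "Unknown Dependency": YELLOW,  # placeholder for the dependency we can't abuse
    })
    env.add("Domain Admins", "Production DB Server")        # admin rights (expected)
    env.add("Unknown Dependency", "Production DB Server",
            known_abuse=False)                              # present, no tradecraft
    env.add("DA User", "Domain Admins")                     # group membership
    env.add("Compromised Workstation", "DA User")           # DA User has a session there
    return env


if __name__ == "__main__":
    env = post_scenario()
    for c in env.controls:
        print(f"{c.source} -> {c.target}: {c.quadrant()}")
    print(env.attack_paths("Compromised Workstation", "Production DB Server"))
    print(env.attack_paths("Domain Admins", "Production DB Server"))
```

Lowering the DA User to the middle level, as the post says one could argue, does not change the result: the workstation edge is still a violation, so the same path is found. The unknown dependency sits in the top-right quadrant and is skipped by the search, exactly as the post disregards it.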
Conclusion
Attack paths must include at least one Clean Source violation that we know how to abuse. Discovering attack paths requires acquiring capabilities to identify and abuse security dependencies to gain control of the dependent resources. Ultimately, assigning trustworthiness levels relative to a well-defined target allows for pinpointing Clean Source violations and identifying attack paths.
In the next post, we will apply this framework to a broadly used technology to demonstrate it.
Navigating the Uncharted: A Framework for Attack Path Discovery was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post Navigating the Uncharted: A Framework for Attack Path Discovery appeared first on Security Boulevard.