Penetration Testing 101

In a world driven by constantly growing technology, where cyber threats and data breaches are common, proactive security measures are a necessity. Cybersecurity is a critical concern that can deeply impact or cripple any company. As businesses rely more and more on technology to store, process, and transmit sensitive data, cyber threats become more prominent, and the consequences of a breach can include financial loss, reputational harm, and legal liability. This is where penetration testing comes in: an offensive (red team) security methodology designed to assess the strength of an organization's security infrastructure, from its networks and applications down to individual operating systems.

What is Penetration Testing? Often referred to as ethical hacking, penetration testing involves simulating real-world attacks on an organization's digital infrastructure to identify vulnerabilities, weaknesses, and potential entry points that malicious actors could exploit. In brief, the process runs as follows. First, penetration testers perform reconnaissance, gathering intelligence on the system or infrastructure they are trying to breach; this maps the organization's digital footprint and surfaces potential vulnerabilities. Second, vulnerability assessment is performed to identify and prioritize the weaknesses that would be most useful to an attacker. Third, the ethical hackers step into the attacker's shoes and attempt to exploit the system the way an attacker would: gaining unauthorized access, escalating privileges, manipulating data, and anything else that puts the company's data at risk. Lastly, a detailed report is delivered to the company listing every vulnerability discovered, what each could allow an attacker to do, and recommended steps to address it.

After a successful penetration test, organizations can resolve vulnerabilities and strengthen their security procedures. The remediation phase covers fixing the flaws that were found, enhancing incident response capabilities, and fine-tuning overall security policy. Regular testing enables a proactive cybersecurity strategy and increases resistance to attack; by acting on the results, organizations can continually strengthen their security posture, protecting their assets and preserving customer confidence.

Penetration tests benefit companies in several ways. They identify vulnerabilities so that a company can patch them before an attacker takes advantage of them. They can also save money by helping prioritize security investments: once you know which parts of the security infrastructure are weak, time and money can be directed there instead of at areas that are already strong. Another benefit is faster incident response: while a test is under way, the blue team will also find gaps and inefficiencies in its incident response plans, allowing for improved coordination and refined management. Some legal and regulatory requirements mandate security assessments, and a penetration test can serve as a mock assessment to ensure the company is ready for the real one. Other benefits include continuous improvement, protection of reputation, and customer trust, all of which improve a company's standing and security.

There is also a lot to say about the future of penetration testing. As new technologies such as artificial intelligence and cloud computing come into play, penetration testers will need new methods and skills to test these systems. More automation and more advanced tools will improve testing efficiency and allow for more effective ways to find vulnerabilities. For example, AI can be used to build pen-testing tools that identify complex patterns, analyze larger volumes of data, and simulate stronger, more sophisticated attacks. Cloud computing will require adaptations to address the unique security problems of cloud environments, such as shared responsibility with the provider and misconfigured identity and access controls.

Essentially, to perform accurate and thorough security assessments as the cybersecurity environment changes, penetration testers will need to keep current on new technologies, attack vectors, and regulatory requirements. To stay ahead of cyber threats and ensure that security practices keep developing, collaboration and information sharing among ethical hackers and security experts will be essential to the future of penetration testing.

In today's continually changing cybersecurity landscape, penetration testing is crucial. It gives businesses a proactive and controlled way to find weaknesses, evaluate their security posture, and boost their overall resilience to attack. By simulating real attacks, ethical hackers provide actionable information that lets businesses prioritize security expenditures, enhance incident response, and protect their most valuable assets and their clients' confidence. As technology develops and new threats appear, the future of penetration testing holds great promise for automation, AI-powered tools, and specialized knowledge to address shifting security concerns. Penetration testing helps companies stay ahead of cybercriminals, safeguard their digital infrastructure, and build a culture of continuous improvement that supports long-term security and success. It belongs in every security program.

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

OVERVIEW
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the internet. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE

Google is aware that an exploit for vulnerability CVE-2023-5217 exists in the wild.

SYSTEMS AFFECTED:

  • Chrome versions prior to 117.0.5938.132 for Windows, Mac and Linux
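
The "prior to 117.0.5938.132" line above is a version threshold, and the usual mistake when checking it across an inventory is comparing version strings lexically. The following is an added example, not part of the advisory, that parses Chrome's four-part version numerically and triages an inventory against the fixed build. The hostnames and versions in the sample inventory are constructed; only the 117.0.5938.132 threshold comes from the advisory.

```python
"""Triage inventoried Chrome versions against the fixed build in this advisory.

Added example, not part of the advisory. The inventory lines below are
constructed sample data; only the 117.0.5938.132 threshold comes from the
advisory's SYSTEMS AFFECTED section.
"""
from typing import Dict, Iterable, List, Tuple

# Fixed build named in the advisory: anything lower is affected.
FIXED_VERSION = "117.0.5938.132"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version (major.minor.build.patch) into ints.

    Comparing the raw strings is wrong: 117.0.5938.62 is older than
    117.0.5938.132, but as strings "6" > "1" would rank it newer.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


def triage_inventory(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Classify 'hostname,version' lines as affected, patched or unparsable.

    Unparsable entries are reported separately rather than silently skipped,
    because a host whose version is unknown is not a host you can call patched.
    """
    result: Dict[str, List[str]] = {"affected": [], "patched": [], "unparsable": []}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            bucket = "affected" if is_affected(version) else "patched"
        except ValueError:
            bucket = "unparsable"
        result[bucket].append(host.strip())
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """\
# host,chrome_version
ws-alice,117.0.5938.62
ws-bob,117.0.5938.132
ws-carol,116.0.5845.187
ws-dave,118.0.5993.70
ws-erin,unknown
"""

if __name__ == "__main__":
    report = triage_inventory(SAMPLE_INVENTORY.splitlines())
    for bucket, hosts in report.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feeding this a real export from your endpoint management tool (one `hostname,version` line per host) gives the list to drive the update recommendation below; the unparsable bucket is the one to chase manually, since an unknown version is not evidence of a patched browser.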

RISK
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001)

Technique: Drive-By Compromise (T1189)

  • Heap buffer overflow in vp8 encoding in libvpx. (CVE-2023-5217)
  • Use after free in Extensions. (CVE-2023-5187)
  • Use after free in Passwords. (CVE-2023-5186)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS
We recommend the following actions be taken:

  • Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
    • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources. (M1017: User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

REFERENCES

Google:
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5217