
Welcome, everybody, to our session, "But What About Those Medium and Low Vulnerabilities?" Welcome to BSides San Antonio. My pleasure to introduce Dr. Nikki Robinson. She's a senior cyber security engineer by day with XLA, and she's also an adjunct professor at Capitol Technology University in the evenings. Her main passions include vulnerability management, continuous monitoring, and improving IT and security relationships. She loves to blend academic research, real-life technical experience, and leadership principles into presentations. She also holds multiple industry certifications, including CISSP and CEH. I also just had the pleasure of talking to her about the DC area and all the good food out there. So let's go ahead and turn it on over.

Great, thank you so much. Yeah, we were just chatting about crabs over here in Maryland, so we were... all right, we were talking about those. Let me share my presentation real quick.

All right. So, thank you, first of all. Thank you, everybody, for coming to the session. As mentioned, I'm going to be specifically speaking about low and medium vulnerabilities, a little bit about vulnerability chaining, some complexity issues, some things like that. So thank you for joining me, and of course thank you to BSides SATX for having me. Happy to be here, for sure.

So I actually just recently switched jobs. I am actually a security architect with IBM now, still an adjunct professor teaching everything from quantitative methods to incident response and everything in between. I do hold a Doctorate of Science in cyber security, which is what we'll get into a little bit, but what got me really, really excited about this topic, and why I've spent so much time researching it. I'm also working on a PhD in human factors, and I've done some other research where I'm kind of blending cyber security and human factors and trying to solve some problems there, and then some industry certifications as well. Quick disclaimer: all thoughts, feelings, and views expressed in this presentation are my own. They do not reflect my employer or employers. I do these talks and I do this research just because I love it, and I love to share what I've found, or problems I'm seeing in the industry. So that's that.

Quick rundown of the agenda, what I want to cover here. We're going to cover CVSS scoring, so the Common Vulnerability Scoring System; talk about vulnerability scoring; then we're going to talk about some medium vulnerabilities, some low vulnerabilities, as well as vulnerability chaining; and then hopefully some actionable items that, if you aren't aware of this, or maybe you're learning about it, are some things that you could take back to your own organization, take back to your own team, and maybe do some investigation.

So I know this is a lot on one slide. I tried to break this down, but I felt like it was really important, when we're talking about how vulnerabilities are scored, to really dig deep into how CVSS scores vulnerabilities. And I wanted to mention that when I was doing this research with my Doctorate of Science, I got really interested in how low and medium vulnerabilities... maybe how they interact, what is vulnerability chaining, how are they scored, how did we come to the conclusion that these vulnerabilities are scored as low and medium. That really made me interested, mostly because at the time, where I was working, we didn't really have a lot of time to work on low and medium vulnerabilities. And as I talk with other people and I work on other teams, I'm starting to find that that's kind of a similar pattern, whether it's in the public sector or private sector. I think sometimes it can be really challenging, depending on the size of your team; especially small to medium-sized businesses might have a more difficult time getting to these low and medium vulnerabilities.

So I wanted to start by breaking down the CVSS scoring. This is how, for the most part, we score vulnerabilities and how we see them in our products. So if you're using Tenable or Qualys, any vulnerability scanning and reporting software, you're probably going to be based off of the CVSS scores, and typically you'll see a CVSS 2.0 and a 3.0 score. I'll get into that a little bit more as well, but basically right now the standard is 3.0, or excuse me, 3.1 they're on now, but 3.0 is where a lot of the scoring comes from. So the CVSS scoring is broken down into three groups. You can see here the base metric group, the temporal metric group, and the environmental group. These three groups are then broken down into several other subcategories. Each one of these categories is looked at and evaluated, and they're all brought together to bring up that vulnerability score that you would see, whether it's a 5.4 or a 9.8, which would be a critical. So all of these things make up the CVSS score.

I felt like it was really important to bring that up because when I started asking questions about low and medium vulnerabilities, it was, "Don't worry about those." I was like, well, now I need to really understand why they're scored low, and then should I be concerned about them? Because I started looking at, let's take for example an SSL certificate vulnerability. A lot of them are scored as low, but you could have maybe 10, 20, 30 SSL vulnerabilities scored as low, and if you don't start to fix them, they could start to pile up. So I started really looking into those. And even, I don't know if anybody remembers, in January 2017, Spectre/Meltdown, when that vulnerability came out, there were actually a lot of vulnerabilities attached to that kind of family of vulnerabilities, and a lot of them were scored as low and medium. That also sort of piqued my interest, because even if they are scored lower, these vulnerabilities still can be exploited, and some of them are actively being exploited in the wild. Their scores may change as they're exploited in the wild, but if you aren't taking a look at them, or maybe you don't have time to look at them, it's possible that they could still be exploited.

So now that we've covered vulnerability scoring a little bit, I wanted to talk about some specific examples of medium and low vulnerabilities and sort of highlight why they're so important, or at least just to look at. So the first one that I picked: I wanted to pick some newer vulnerabilities that were released, and of course if you have any questions, I included references here to both the NVD, the National Vulnerability Database, where the vulnerabilities are housed, as well as the actual advisories that give more information on the vulnerabilities. So the first one here was released, I believe, in February or March, might have been April of this year. This is CVE-2021-2164. This ultimately was scored as a medium. This vulnerability is specifically in Jenkins Dashboard, and it's the improper neutralization of input during web page generation, which leads to a cross-site scripting vulnerability. So ultimately it was scored as a medium, and there are a couple of reasons why. The first is that vendors, when they're submitting these vulnerabilities, or these known vulnerabilities, can include as much information as they want or as little information as they want. So depending on how much information they want to give to industry and to those working on the vulnerabilities, that may change the score of the vulnerability, as well as how much information is available for this particular vulnerability. And I'm not calling out any type of software; I'm just saying, for the specific vulnerability, there is one small paragraph that's included on the website. So it is difficult to get how much information is really available about this one; what we know is kind of a short blurb on the website. But basically this is exploitable with view and configure permissions. So what I thought was interesting about this: as an attacker, you would have to have view and configure permissions to exploit this vulnerability. However, if this was on a public-facing web server, and let's say any user that logs in or creates an account has view permissions, they would be able to exploit this vulnerability. Now, there may be other controls in place that might mitigate this, which would be great. Maybe there aren't. Maybe, because it was scored as a medium, which is sort of what I'm getting at, maybe it doesn't have to be remediated for 90 days. Sometimes different vulnerability management programs might have: you've got 30 days to fix criticals, 60 to fix highs, and you've got 90 days to fix lows and mediums, or something like that. Hopefully they're not waiting 30 days to fix criticals, but it's possible. So it's possible, in the 90 days that this vulnerability has been sitting out there, if there were other priorities, other projects, other resources, other things that were more important than this, that maybe it's still unremediated. We're in June now; if it came out in April, maybe it's still sitting there unremediated, and it could be exploited, depending on the setup of a company or anything. But someone could run a scan, a malicious attacker could run a scan to see if this vulnerability exists and possibly exploit it, and if they're able to get in with this cross-site scripting vulnerability, they may be able to leverage other vulnerabilities once they get in to potentially elevate privileges, or, hopefully not, full system compromise, but who knows. And we'll get a little bit more into that once I talk about vulnerability chaining.

So for my second vulnerability, I wanted to talk about a low vulnerability. This is CVE-2021-2308, scored as a 2.7, which is pretty low. Again, the references are down at the bottom if you wanted to take a look. The interesting thing about this vulnerability: this is in MySQL Server, also in Oracle MySQL, and can be seen in NetApp software because it may have a MySQL backing. So the interesting thing about this vulnerability is that it's not just one vulnerability; it could possibly be one vulnerability in multiple products. Again, if the patch is applied on either NetApp or in Oracle MySQL, it's very possible that it would resolve this vulnerability as well. But if this vulnerability is sitting out there on a MySQL server, the implication is that, A, it's easily exploitable, but mostly because an attacker would have to have highly privileged access anyway. So that sort of negates it, right? It's like, well, they'd have to have highly privileged access; they may have already escalated privileges; they may already have access to other things, so why would I worry about this? And that's partially true. Maybe there are other things that are more important. But the concern is, if this vulnerability is hanging out, let's say you had a malicious insider, someone who already had access to the system, and this vulnerability is hanging out, it's possible that they could exploit this and use this to their advantage. Or let's say they were let go, maybe a disgruntled employee, and they knew that these vulnerabilities existed, because the mediums and lows are not resolved. They could use their insider knowledge to potentially get in, steal information, especially in a SQL server or SQL database. Who knows what information you might have in there. So it's one of those things that's more about trying to bring awareness to this: that in the grand scheme of things, when you're looking at a thousand vulnerabilities, it's more pertinent to focus on the criticals and highs, but it doesn't mean that we don't look at the mediums and lows. It's that we need to bring context to what we're looking at and to really understand what these vulnerabilities mean. And again, there's good information out there on this vulnerability; again, it's like a paragraph or two paragraphs, so you don't necessarily have that depth of understanding and knowledge just out there to understand what this vulnerability might mean to your environment. And it's really important, when you see vulnerabilities like this that might be affected in multiple products, what are the implications?

So what does that mean for me? If I'm not looking at mediums and lows, if I don't have time to, or if we have a longer timeline that we remediate vulnerabilities, what does it mean for my environment? Where are my critical assets? What am I concerned with? The first question here: what privileges do my users have? And that blends back into that last vulnerability we looked at, where if I'm concerned about how many people have administrative access: do they have local access, do they have application access, do they have SQL access? So understanding your identity and access management policies and who actually has access to these systems, I think, is really important when you're looking at vulnerabilities, because if you don't have time to remediate them but you understand the structure you have in place, maybe you use micro-segmentation for your network, maybe you have a zero trust architecture, or you're implementing a zero trust architecture, things like that. So maybe you have other compensating controls in place that would make these vulnerabilities at least null and void, which is great, but it's something to consider, right?

And then, what access does the attacker gain through the vulnerability? So if the attacker, let's say in the first medium vulnerability we talked about, in that first scenario, let's say they got access to my Jenkins server. Maybe that's bad, maybe it's not; it depends on my environment, and maybe it depends on what Jenkins server they got access to. Maybe I have a test/dev environment that's available for my admins that I'm not as concerned about, but maybe they are able to leverage that to get into production systems if they are connected somehow. So that's where that consideration comes in: what servers are actually connected to what servers, what databases are connected, how would someone be able to traverse through my network? And then, of course, do I have mitigating controls in place, or could I implement mitigating controls? So that, let's say I've got a thousand low vulnerabilities, I don't have time to look at all of those; if I see, as I mentioned in the beginning, that a number of them are SSL vulnerabilities and I can fix a lot of them with one certificate, or maybe one change to an SSL certificate, that might be getting the biggest bang for my buck: maybe I can fix this with one thing. So it's sort of about taking this as a whole and understanding what the implications are by leaving those low and medium vulnerabilities open in your network, what it might mean to you or to your environment.

So here we're going to talk about vulnerability chaining. This is sort of what I'm getting at by leaving low and medium vulnerabilities unexplored, or maybe not looking at them as heavily. So, vulnerability chaining: CVSS has a really great section about vulnerability chaining in their user guide. NIST 800-53 r5 now has a nice little section on vulnerability chaining as well. But I've seen it be called a number of different things: daisy chaining, vulnerability linking. So the idea behind vulnerability chaining is that you're using multiple vulnerabilities during a single attack, but really using low and medium vulnerabilities, or lower-scored vulnerabilities, to create a critical attack. This is a common tactic; APT groups, I think Shamoon and a bunch of other ones, have been known to use these techniques. And we know that hackers will try any method they can to get in, and if they have to leverage multiple vulnerabilities, then that's what they'll do to get into the systems.

So part of the problem that I see, and why I got so interested in studying this in the first place, is that vulnerability chaining is an optional metric for CVSS. Analysts, when they submit these vulnerabilities, have the option to add how one vulnerability could be used with multiple vulnerabilities, but it's not a formal metric; it's not a requirement. And I started to see that as a potential issue, because if we don't know how vulnerabilities could be linked or could be leveraged, especially if you don't go really, really in depth in vulnerabilities in your vulnerability management program, it could be a gap that is left open, that maybe could be concerning, especially for certain systems that you may want to protect: your critical assets, anything that has your business proprietary data or PII, things like that, that you might want to just take a double look at. And of course this might include vulnerabilities in other products. So just like we saw in that vulnerability that was scored as a low, it is possible that that vulnerability is affected in multiple types of software. So it went from MySQL to being Oracle MySQL as well as NetApp, because that product, that application, could be used in multiple ways. So to me it's more about just having that awareness, being aware that this is a problem and that attackers, APT groups, are leveraging this all the time. They want to get into our systems, and they're going to use any way possible, and this is certainly a well-documented way that they get in.

I wanted to include some specific examples of vulnerability chaining, since we talked about it sort of theoretically: SQL injection leading to a cross-site scripting; buffer overflow leading to local admin privileges. The idea here is that if a SQL injection, which I've seen scored as a low or a medium, and we're not remediating that for whatever reason, even if it's on our system for 30 days or 40 days, something like that, it's something that could be leveraged. If we are focusing on this critical VMware vulnerability or this critical NetScaler vulnerability, something like that, and we're missing SQL injection or cross-site scripting vulnerabilities, we're potentially missing some of the other very possible and known ways that attackers might be trying to get into our systems. Spear phishing email to download malware, which could lead to privilege escalation; I don't know where we've seen that before. But spear phishing and phishing emails are used all the time to try to download malware, or get you to click on anything. And then of course a VPN vulnerability that could give access to other network devices, which could lead to a remote code execution. And a lot of these vulnerabilities that we're talking about, SQL injection, cross-site scripting, remote code execution, injection, these are always on the OWASP Top 10. And so I think it's really important, especially if they are scored lower and maybe we're missing them because we're just not looking at them, that it could be another way that attackers are leveraging and working to try to make their way into our systems.

All right, so I've given you a ton of information, right? We talked about some specific vulnerability examples, we talked about vulnerability chaining and what it means, and then we talked about some very specific examples of how vulnerability chaining is used actively in the wild. So what do I do now? What do I do with this information? I think the biggest thing, and I mentioned this a little bit, is to add context to vulnerabilities. Don't just take them at what the score says; don't just take them at "it says I just need to apply this patch." Sometimes it's apply a patch and a registry key; sometimes it's apply a patch and it's a secure configuration setting. So adding context to what you're looking at, doing that additional research, because I know it's helped me a lot to really understand what those vulnerabilities mean.

And then of course, consider the implications in your organization specifically. There's a lot of really great general information out there: NIST has a lot of great guides, there's the RMF, there's the CSF, we've got the MITRE ATT&CK framework so we can start to understand pathing and traversal from attackers. There's a lot of really great general information out there, but I think you have to, at some point, think subjectively and think about how does this affect my system architecture, how does my network look. And so to get a better picture of that, just really see what you have and then figure out where your greatest risks are, because maybe it isn't low and medium vulnerabilities; maybe you aren't, at the end of the day, concerned about them. But it's important to look at them and see how they might affect your environment.

And of course, what tools do you have? Do you already have this capability available? There are some tools out there, like I know Tenable VPR, it's their Vulnerability Priority Rating or ranking, can be used to try to help give heat maps and try to help you understand a bit more about risk in your environment, and there are some other tools out there that are doing that as well. And then, what's the maturity level of your vulnerability management program? So where are you at? Is it really just, hey, we can only fix the criticals and highs right now? That's okay. So then it's: how do we mature our program, how can we get to that point where I can start to consider low and medium vulnerabilities and how they might be affecting my environment? So it's kind of doing some road mapping, thinking about your maturity model and how you can actually get there. So maybe having a vulnerability management expert come in, or a consultant, or just talking with someone who maybe has some really great vulnerability knowledge about how you can mature your program, how you can get to that place where you can start to look at vulnerabilities with more context and understanding how they affect your organization.

And learning about vulnerabilities. I joked before I got on this call, but I'm always out here banging my drum for low and medium vulnerabilities, because I think it's at least important to understand that they can be exploited, and some of them are actively exploited in the wild. That shocks some people; they're like, "Oh, I didn't know. I thought if they were scored as low that maybe people weren't even looking at them," which unfortunately is not the case. So I always say go out and do research. There's a lot of great information available from CVSS, from the MITRE ATT&CK framework, so you can sort of start to gain that deeper knowledge and that better understanding about how vulnerabilities affect your environment.

And I think that takes me right to... I think I've got five minutes left. So I wanted to put my LinkedIn up there. Seriously, reach out to me on LinkedIn; I really mean that genuinely. If you have questions and I can't answer them in this session, please reach out to me, because I'm happy to talk more about this, and happy to bore anyone for hours on end if you want to talk about vulnerability chaining or low and medium vulnerabilities. And that will wrap it up for me. Thank you, guys. Thank you, everybody, for coming. And I don't know if we have any questions.

Thanks, Nikki. Not necessarily a question, but there's a comment: "Compliance bangs that drum with you."

Oh, compliance bangs that drum with me. That's great. I'm always happy to have anybody else out there that's banging a drum too. Yeah, compliance is tricky too, and certainly it's one of those things that, from the security engineering and architecture space, it's like, how do we help people understand the importance of it and the complexity of it without kind of turning people off, and making sure people understand that, like, hey, this really is important and I want to help you fix this. That's the other thing too.

I don't see any other questions. I do have one myself, though. Speaking of vulnerability management, would you say it would be better for an organization to kind of outsource that, to maybe prevent any biases for their posture and their technology?

I think it depends on the industry, because when you're outsourced... yeah, I guess it really depends, because if you don't have a vulnerability management expert or someone that's really deep in the weeds on vulnerabilities, then yes, I think absolutely. There are a lot of great companies out there, and contractors, that are trying to solve this problem too. So yeah, if outsourcing is an option, especially if you're a small to medium business and you kind of need to get your feet wet with this and just try to figure out where you're at, you could hire like a vCISO or someone for like six months and have them come in and just be like, "Can you help me understand this?" So you can do it on a contractual basis instead of hiring someone full-time with benefits and everything like that. You could hire someone part-time to come in, and then if you decide that you need more help, you could always leverage that into a full-time position or something like that.

Great. Well, great talk. Thank you so much.

Yeah, thank you for having me.