Visa has invested heavily in data analytics and artificial intelligence over the past five years to secure the movement of money and keep fraud rates low.

As more financial transactions move online, organizations are faced with the challenge of ensuring payment methods are safe, secure, and private, as well as being able to differentiate between legitimate customer behavior and fraudulent activities. For Visa, advanced analytics and artificial intelligence plays a significant role.  

The shift to digital commerce – driven partly by pandemic-related lockdowns and restrictions but also because organizations are introducing new offerings as part of their digital transformation initiatives – have transformed how money moves around the world, says Dustin White, chief risk data officer at Visa. Individuals increasingly rely on new tools to send money to other individuals or to pay for goods and services from retailers and other types of sellers. There are new payment schemes, such as buy-now-pay-later, tap-to-pay, and no-touch payments, and they bring different challenges and risks than traditional face-to-face transactions, he says.

"To say the task of securing the global movement of money is complex would be an understatement, particularly now," wrote Visa’s chief risk officer Paul Fabara in a recent blog post.

E-commerce volume on Visa’s network has grown by more than 50% since late 2019, and peer-to-peer payments on Visa’s network have more than doubled, the company says. Even as shoppers returned to stores in 2021, online trends held steady as shoppers "still shopped with fervor online," according to Digital Commerce 360’s analysis of Commerce Department data.

Criminals go where the money is; they have noticed the e-commerce shift and increased use of digital payments. However, even though the attack surface has increased, fraud rates on Visa’s networks remain at historic lows, White says. Fraud rates are currently at about 7 cents per $100 in transactions, despite over 2 million daily attempts by fraudsters. White credits Visa’s hefty investments in advanced analytics and artificial intelligence (AI) for keeping fraud low.

**Digging Deep in the Data Reservoir**  
Visa has invested $9 billion in cybersecurity over the past five years, with $500 million specifically on data analytics and AI capabilities. The company has 60 petabytes (1 petabyte is 1,000 terabytes) of data and has embedded AI and analytics in more than 60 different services to spot and block fraud on its networks.

*   The Visa Advanced Authorization (VAA) score uses AI and machine-learning techniques to determine whether a transaction is legitimate or fraudulent within 300 milliseconds, White says. VAA alone prevented $26 billion worth of fraud in 2021.
*   The company analyzes data to look for "common patterns" of behavior associated with legitimate transactions and to identify fraud. For example, insights such as a customer applying for credit copy and pasted in the Social Security number rather than typing in the digits could indicate that the personal data being used may be stolen.
*   Visa Behavioral Analytics has analyzed more than 400 million authentication requests against 12 million unique devices over the past two years to detect account takeovers and bot-based attacks, White says.
*   Visa Account Intelligence uses AI and machine learning to detect fraud before it starts. In one case, Visa Account Intelligence helped prevent $2.2 billion in potential client fraud.

**Enhancing Capabilities With AI**  
False declines, or when a transaction doesn’t go through because of a mistake, can also be costly. About 89% of customers will cut back on using that item – a credential or a particular payment method – after a false decline, which would result in lost revenue streams for providers and merchants, White says. Visa applies deep-learning techniques to reduce false declines by as much as 30%, the company says.

Security analysts use natural processing to uncover cyberattacks and insider threats and apply machine-learning models to predict and fix most likely points of network vulnerability. Vulnerability testing has saved approximately $31 million in prevented fraud in fiscal year 2021.

Visa’s investments in AI match overall activity in the financial-services sector. Financial institutions have spent more than $217 billion on AI applications to help prevent fraud and assess risk, according to the Preventing Financial Crimes Playbook. Those figures are from 2020, and the pace of investments has continued to grow since. Banks are aware of the benefits of using AI, as shown in a recent UBS Evidence Lab report, where 75% of respondents at banks with over $100 billion in assets said they’re implementing AI strategies.

White cautions against treating AI as the end-all to fix everything and advocates a multilayered approach. Visa still maintains Cyber Fusion Centers staffed with analysts to handle continuous security monitor, incident response investigation, and threat intelligence. Machine learning is the most beneficial when it is implemented to improve existing tools and processes or deployed to address a specific situation. 

"No one solution is going to thwart all of the attacks on infrastructure," White says.

A Peek into Visa's AI Tools Against Fraud

The startup is the latest company to try to solve the problem of organizing and sharing secrets.

Secrets management continues to be an ongoing challenge in application security, as developers struggle to organize secrets used in source code and manage distributed systems and infrastructure.

The latest startup to address this space is Doppler, whose platform helps developers securely store, transmit, and audit secrets. The Doppler platform syncs secrets across devices, environments, and team members so that developers don't wind up sharing secrets on insecure platforms (such as Slack or email) or including them within .git and .zip files. The platform can also handle secrets rotation, and it sends developers alerts over Slack and Microsoft Teams to inform them when the secrets are changed.

Secrets refer to sensitive pieces of data, such as tokens, encryption keys, API keys, and digital certificates. A survey by 1Password last year found that 65% of companies juggle more than 500 secrets, and 18% said they have "more than they can count."

The secrets are scattered across source code, container and infrastructure images, and configuration files. Over 6 million secrets were detected in scans of public GitHub repositories in 2021, according to GitGuardian's State of Secrets Sprawl 2022 report.

Adversaries routinely attempt to intercept these secrets in order to gain access to cloud environments, help with lateral movement, and access data in applications. Earlier this month, GitHub said adversaries were able to download private data from some organizations using Heroku and Travis-CI after stealing a handful of OAuth tokens used by those two platforms. Last year, attackers compromised Codecov and stole secrets belonging to Codecov's customers. Those secrets were then used to compromise the customers.

1Password estimates the cost of a company losing control of its secrets at $1.2 million per year.

**Security Management Is Key**  
Enterprises need processes in place to handle secrets management, such as inventorying what secrets they have, controlling access, sharing secrets safely with collaborators, and promptly revoking those secrets when they are exposed. It also needs to be scalable, considering the sheer number of secrets developers are using, and not time-intensive.

In the same 1Password survey, DevOps and IT workers said they spend an average of 25 minutes each day managing secrets – which the company estimated to add up to an annual payroll expense of roughly $8.5 billion.

Secrets management is shaping up to be a fairly crowded market. HashiCorp Vault offers a vault for teams to securely store tokens, passwords, certificates, and encryption keys. 1Password acquired SecretHub last year, which was the basis for its 1Password Secrets Automation service. Cloud giants Amazon Web Services and Google Cloud offer AWS Secrets Manager and Secrets Manager, respectively. GitHub, GitLab, and Atlassian all offer various levels of secrets-scanning tools for their code repositories.

Then there's Doppler, which recently raised $20 million as part of a series A funding round.

"The ability to securely store, transmit and audit secrets has never been more critical as one minor error can lead to catastrophic results," said Murat Bicer, a general partner at CRV (which led the funding round), in a statement. "In a world where putting a single space in the wrong place can literally take down a company's entire website, Doppler makes it easy to prevent leaks and outages with their developer focused approach."

Doppler Takes on Secrets Management

The war in Ukraine appears to have triggered a change in mission for the APT known as Bronze President (aka Mustang Panda).

China's tacit support for Russia's war in Ukraine apparently doesn't preclude likely China-backed cyber actors from mounting espionage campaigns on the Russian military.

Researchers from Secureworks' Counter Threat Unit this week said they recently discovered malware that suggests the advanced persistent threat (APT) known as Bronze President (aka Mustang Panda) is now targeting Russian military personnel and officials. The security vendor described the effort as an example of how political changes can push countries into new territory for surreptitious information-gathering efforts, even against friends and allies.

**Cyberespionage Campaign Delivers PlugX**  
According to the report, the heavily obfuscated malicious executable being used in the campaign is designed to appear as a Russian-language PDF document pertaining to Russia's 56th Blagoveshchenskiy Red Banner Border Guard Detachment (which is deployed near Russia's border with China). The file is designed so that default Windows settings do not display its .exe extension, Secureworks said.

Secureworks also explained that the executable file displays a decoy document written in English, though the filename itself is in Russian. The document appears to be legitimate and contains data pertaining to asylum applications and migratory pressure in the three countries that border Belarus — Poland, Lithuania, and Latvia. The content also includes commentary on European Union sanctions against Belarus for its role in the war in Ukraine.

When executed, the file downloads three additional files from a staging server. One of them is a legitimate signed file from Global Graphics Software, a UK-based firm. The file uses DLL search-order hijacking to import an updated version of PlugX, a remote-access Trojan (RAT) that has been previously associated with Bronze President.

"DLL search-order hijacking has been around for years," says Mike McLellan, director of intelligence at Secureworks. "It's a well-known technique by threat actors in which they maliciously use a legitimate executable file, often from a well-known vendor, together with a malicious library file (DLL), to load and execute an encrypted malware payload."

Threat actors use the technique because it ensures that the malicious payload file on a compromised system is never sitting around on disk in a manner that scanners and anti-malware can detect.

"This technique has been a staple of several China-nexus threat groups for many years," McLellan says.

As part of the attack chain, the threat actors have also included a ping command that adds a significant delay before executing the legitimate signed file, Secureworks said — a generic evasion technique to introduce a time lag while files are downloaded to the victim.

The staging server that Secureworks observed the threat actor using in the current campaign hosts a domain that Proofpoint earlier this year linked to a PlugX campaign against diplomatic entities in Europe. The security vendor determined that campaign to be motivated by matters related to the war in Ukraine as well. The same domain has also been linked to Bronze President attacks in 2020 that Secureworks observed against the Vatican.

**A New Set of Victims for Bronze Panda**  
Bronze President is a threat group that has been active since at least 2018, according to the researchers. Secureworks and others have assessed the group as being China-based and likely sponsored by — or operating with the knowledge of — the Chinese government. The group has been associated with numerous attacks on nongovernmental organizations and others, mostly in Asia but to some extent in other countries. Last year, for example, researchers from McAfee spotted the threat actor conducting a major cyber espionage operation targeting telecommunication companies in the US, Asia, and Europe.

The latest campaign represents a departure from the usual for the group, since it targets Russian entities, according to McLellan: "This is substantially different to what we have seen over the past two years where Bronze President has been about 90% focused on Myanmar and Vietnam. We believe they still have a mission in the Asia region, but this has been a bit of a departure for them."

Chinese APT Bronze President Mounts Spy Campaign on Russian Military

Acquisition expands security software-as-a-service capabilities.

Cloudflare Flags Largest HTTPS DDoS Attack It's Ever Recorded

This scale of this month's encrypted DDoS attack over HTTPS suggests a well-resourced operation, analysts say.

April 29, 2022

This scale of this month's encrypted DDoS attack over HTTPS suggests a well-resourced operation, analysts say.

by Dark Reading Staff, Dark Reading

April 29, 2022

1 min read

Article

Explainable AI for Fraud Prevention

As the use of AI- and ML-driven decision-making draws transparency concerns, the need increases for explainability, especially when machine learning models appear in high-risk environments.

April 28, 2022

As the use of AI- and ML-driven decision-making draws transparency concerns, the need increases for explainability, especially when machine learning models appear in high-risk environments.

by David Utassy, Data Scientist, SEON

April 28, 2022

4 min read

Article

Tenable Acquires External Attack Surface Management Vendor for $44.5M

Acquisition will add Internet-facing attack surface mapping and monitoring to Tenable's internal asset management products.

April 26, 2022

Acquisition will add Internet-facing attack surface mapping and monitoring to Tenable's internal asset management products.

by Dark Reading Staff, Dark Reading

April 26, 2022

1 min read

Article

API Attacks Soar Amid the Growing Application Surface Area

With Web application programming interface (API) traffic growing quickly, the average cloud-focused company sees three times more attacks.

April 26, 2022

With Web application programming interface (API) traffic growing quickly, the average cloud-focused company sees three times more attacks.

by Robert Lemos, Contributing Writer

April 26, 2022

5 min read

Article

Ukraine Invasion Driving DDoS Attacks to All-Time Highs

Unprecedented numbers of DDoS attacks since February are the result of hacktivists' cyberwar against Russian state interests, researchers say.

April 25, 2022

Unprecedented numbers of DDoS attacks since February are the result of hacktivists' cyberwar against Russian state interests, researchers say.

by Dark Reading Staff, Dark Reading

April 25, 2022

2 min read

Article

Sophos Buys Alert-Monitoring Automation Vendor

Acquisition of cloud-based alert security company will help Sophos automate tasks bogging down security teams, the company says.

April 22, 2022

Acquisition of cloud-based alert security company will help Sophos automate tasks bogging down security teams, the company says.

by Dark Reading Staff, Dark Reading

April 22, 2022

1 min read

Article

Devo Acquires Threat Hunting Company Kognos

Acquisition will blend autonomous threat hunting with cloud-native security analytics for automating security tasks.

April 21, 2022

Acquisition will blend autonomous threat hunting with cloud-native security analytics for automating security tasks.

by Dark Reading Staff, Dark Reading

April 21, 2022

1 min read

Article

Okta Wraps Up Lapsus$ Investigation, Pledges More Third-Party Controls

Companies must enforce more security on their own third-party providers and retain the ability to conduct independent investigations, experts say.

April 20, 2022

Companies must enforce more security on their own third-party providers and retain the ability to conduct independent investigations, experts say.

by Robert Lemos, Contributing Writer

April 20, 2022

5 min read

Article

Security-as-Code Gains More Support, but Still Nascent

Google and other firms are adding security configuration to software so cloud applications and services have well-defined security settings — a key component of DevSecOps.

April 18, 2022

Google and other firms are adding security configuration to software so cloud applications and services have well-defined security settings — a key component of DevSecOps.

by Robert Lemos, Contributing Writer

April 18, 2022

5 min read

Article

CISA Alert on ICS, SCADA Devices Highlights Growing Enterprise IoT Security Risks

Omdia Senior Analyst Hollie Hennessy says the new threat to multiple ICS and SCADA devices underscores the importance of a rapid response to IoT and OT security risks.

April 15, 2022

Omdia Senior Analyst Hollie Hennessy says the new threat to multiple ICS and SCADA devices underscores the importance of a rapid response to IoT and OT security risks.

by Hollie Hennessy, Senior Analyst, IoT Cybersecurity, Omdia

April 15, 2022

3 min read

Article

How IP Data Can Help Security Professionals Protect Their Networks

Beefing up security requires a combination of forensic efforts and proactive mitigation. IP context aids both.

April 05, 2022

Beefing up security requires a combination of forensic efforts and proactive mitigation. IP context aids both.

by Jonathan Tomek, VP of Research and Development, Digital Envoy

April 05, 2022

5 min read

Article

Will the Biggest Clouds Win? Lessons From Google's Mandiant Buy

Google eventually won out in the competition for Mandiant, but Microsoft's interest underscores the trend in consolidation of security services into large cloud providers, experts say.

March 21, 2022

Google eventually won out in the competition for Mandiant, but Microsoft's interest underscores the trend in consolidation of security services into large cloud providers, experts say.

by Robert Lemos, Contributing Writer

March 21, 2022

5 min read

Article

Cut Down on Alert Overload and Leverage Layered Security Measures

Feeling overwhelmed by the number of alerts? It doesn't have to be that way.

March 17, 2022

Feeling overwhelmed by the number of alerts? It doesn't have to be that way.

by Jason Manar, Chief Information Security Officer, Kaseya

March 17, 2022

4 min read

Article

VPNs Give Russians an End Run Around Censorship

As the invasion of Ukraine continues, Russian citizens have turned to virtual private networks — boosting demand for the software by 27x — to circumvent the government's blocks on social media and news sites critical of the war.

March 16, 2022

As the invasion of Ukraine continues, Russian citizens have turned to virtual private networks — boosting demand for the software by 27x — to circumvent the government's blocks on social media and news sites critical of the war.

by Robert Lemos, Contributing Writer

March 16, 2022

4 min read

Article

How Enterprises Can Get Used to Deploying AI for Security

It's important to take a "trust journey" to see how AI technology can benefit an organization's cybersecurity.

March 11, 2022

It's important to take a "trust journey" to see how AI technology can benefit an organization's cybersecurity.

by Fahmida Y. Rashid, Features Editor, Dark Reading

March 11, 2022

4 min read

Article

Synopsys to Acquire WhiteHat Security from NTT

Internet-facing zero-day vulnerabilities were the most commonly used types of bugs in 2021 attacks, according to the international Joint Cybersecurity Advisory (JCSA).

Log4Shell, despite being disclosed only at the end of the year, topped 2021's list of most-exploited vulnerabilities, according to the Cybersecurity and Infrastructure Agency (CISA). The agency compiled the findings along with the cybersecurity agencies of Australia, Canada, New Zealand, and the United Kingdom. 

"Globally in 2021, malicious cyberactors targeted Internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities," CISA reported in its announcement of the findings.  "For most of the top exploited vulnerabilities, researchers or other actors released proof-of-concept (PoC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors." 

The top most commonly exploited vulnerabilities, according to CISA, include Log4Shell, which affects Apache’s Log4j library, and the ProxyLogon and ProxyShell vulnerabilities, which are bugs in Microsoft Exchange email servers.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CISA: Log4Shell Was the Most-Exploited Vulnerability in 2021

The four-year-old firm, started by two industry veterans, focuses on gaining visibility into Internet-facing services as more companies seek insight into what attackers see.

Vulnerability and cybersecurity assessment firm Tenable announced on Tuesday plans to acquire 4-year-old startup Bit Discovery, becoming the latest company to acquire an attack-surface management business in the past year.

With the $44.5 million deal, Tenable aims to strengthen its capabilities for gathering external information on networks and deliver to customers more visibility into their digital footprints. Visibility is key, as misconfigured and vulnerable assets are a significant security weakness for most companies. Tenable intends to integrate the technology into all of its products, including its Nessus vulnerability scanning platform, and use the technology to augment its ability to analyze internal networks.

Acquiring Bit Discovery's technology gives Tenable and its customers an attacker's eye view of company networks, says Glen Pendley, chief technology officer at Tenable.

"Visibility is  literally the first step in every single cybersecurity framework," he says. "When you look at our acquisitions and strategy ... over the last few years, we are getting a bigger breadth of coverage over the attack surface. This is the biggest part of the attack surface that Tenable has yet to get visibility of."

The acquisition is the latest industry move to underscore the importance of the technologies and services that deliver attack surface management (ASM) capabilities. This month, Google announced it would buy Mandiant, which had previously acquired Intrigue, an ASM startup, in August 2021. In February, cybersecurity automation firm Darktrace announced it would acquire ASM firm Cybersprint for nearly $54 million. And in November, cyber-risk firm Team Cymru stated it would purchase Amplicy, a 2-year-old startup company focused on attack surface discovery for an undisclosed amount.

**ASM on the Rise  
**The interest is unsurprising. Business intelligence firm Gartner named ASM as the top trend in security and risk management for 2022, breaking down the technologies into three areas: cyber asset ASM, external ASM, and digital risk protection services (DRPS). Bit Discovery falls squarely in the external attack surface management (EASM) segment.

Companies should know all of the assets visible to attackers from the Internet, Gartner stated in the March announcement of its top 7 security and risk-management trends.

"Risks associated with the use of cyber-physical systems and IoT, open-source code, cloud applications, complex digital supply chains, social media and more have brought organizations’ exposed surfaces outside of a set of controllable assets," the firm stated. "Organizations must look beyond traditional approaches to security monitoring, detection and response to manage a wider set of security exposures."

Part of the growing importance of ASM is because companies are getting better about doing the basics. Businesses are paying more attention to common points of entry, such as remote desktop protocol (RDP) servers and virtual private network (VPN) appliances, but need to look beyond securing the front door, says Jeremiah Grossman, CEO of Bit Discovery.

"We got away with not knowing all of our assets for a long time in infosec because everything was just that insecure," he says. "But now the main front doors are getting sufficiently hardened, so the adversaries are looking for secondary and tertiary ways in."

Team Cymru, a cybersecurity risk firm, estimates that 60% of breaches start with the compromise of an exposed, unmanaged asset with an unpatched vulnerability. In addition, the company's research found that three-quarters of midsize to large companies have to rely on spreadsheets to track assets. Those companies were not ready for the shift to cloud infrastructure and employees working from home, says Lewis Henderson, a senior product manager at Team Cymru.

"The last two years have thrust organizations to expand far beyond their already eroded borders — \[basically\] digital transformation on steroids," he says. "When those organizations went to lean on their security vendors to understand what external assets, risks, vulnerabilities and threats they had, they were left totally exposed and on their own to figure it out."

EASM firms evolved to fill the gaps, he says.

**Four Years, $45 Million  
**Bit Discovery launched in March 2018 with $2.7 million in funding, upon the merger with OutsideIntel, a startup founded by Robert Hansen, a cybersecurity veteran who had discovered vulnerabilities under the handle "RSnake" and had previously worked with Grossman at WhiteHat Security. Last June, Bit Discovery gained another $4 million in investment during a Series B round of funding.

Grossman estimates that about half of breaches are enabled by a vulnerable asset that the company previously did not know about. He pointed to the massive data breach as Equifax as an example of the hazards.

"Nothing is more embarrassing than getting exploited by an asset that you didn't know you owned," he says. "That was the case with Equifax. Yes, they didn't patch the \[Apache\] Struts vuln, but they would have if they knew the asset existed."

While the deal must still weather the closing process, Tenable expects to complete the acquisition this quarter and integrate Bit Discovery’s external ASM technology across its other products and services. In the end, the company wants to provide businesses with ways to get meaningful visibility into the state of their security, both on the internal network and from an external view, says Tenable's Pendley.

"We want to reduce noise," he says. "That has been a problem in this space forever, and it's something we can improve."

Tenable's Bit Discovery Buy Underscores Demand for Deeper Visibility of IT Assets

The Stormous ransomware group is offering purportedly stolen Coca-Cola data for sale on its leak site, but the soda giant hasn't confirmed that the heist happened.

The Russian-speaking ransomware group Stormous is claiming to have stolen 161GB of data from Coca-Cola -- and it's offering to sell the supposed cache for 1.65 Bitcoin (about $64,000).

But when asked for confirmation of the breach by Dark Reading, Coca Cola’s global vice president of external and financial communications, Scott Leith, provided the following statement: “We are aware of this matter and are investigating to determine the validity of the claim. We are coordinating with law enforcement."

According to Chris Morgan, senior cyberthreat intelligence analyst at Digital Shadows, "There are screenshots reportedly highlighting documents taken from Coca Cola's network. However, these cannot be independently verified. Some researchers have suggested that many of their attacks are either a scam or the group is exaggerating their claims. This is not uncommon for cybercriminal groups, who often embellish the details of their activity in order to coerce victims into paying a ransom."

He also told Dark Reading, "It is also realistically possible that Stormous may be involved in 'scavenger operations,' which indicates a cybercriminal actor attempting to extort companies whose data had been breached by another threat actor in a previous attack."

John Bambenek, principal threat hunter at Netenrich, notes that the comparatively small ransom demand is also perplexing.

“Stormous has had a history of making headlines of stealing large amounts of data from its ransomware victims,” he said via email. “However, with the very low amount they are requesting for the dump from Coca-Cola, I’m somewhat suspect that they have truly valuable information and certainly they aren’t selling it exclusively to anyone. From Stormous’ description, it doesn’t seem like the most valuable trade secrets are in the dump file (or that Stormous can’t tell if they are there).”

Bambeneck added, “What’s important for any organization in this kind of position is to rapidly assess what information was taken and what its value is to inform decision makers in situations like this where days of analysis just aren’t in the cards.”

For its part, Stormous has previously been linked with Russia, according to researchers, and has breached data from Ukrainian companies in the past.

“With the ongoing hostilities between Russia and Ukraine, and with America supporting Ukraine in their defense, it is not surprising that pro-Russian groups have decided to target American organizations for attack,” said Erich Kron, security awareness advocate with KnowBe4, in a statement about the reports.

Coca-Cola Investigates Data-Theft Claims After Ransomware Attack

What 5,800+ pentests show us: Companies have been struggling with the same known and preventable security bugs year over year. Bandwidth stands at the heart of the problem.

Cybercrime can cause major disruption when it comes to the sustainability and long-term success of companies. Teams want to have robust security but often struggle to meet that objective. It's crucial for security professionals to leverage insights into emerging trends in cybersecurity to pinpoint which vulnerabilities put organizations at the greatest risk, and Cobalt's "State of Pentesting" reports explore how to achieve efficiency to strengthen security.

The "State of Pentesting 2022" surveyed 602 cybersecurity and software development professionals and analyzed data from 2,380 pentests conducted over the course of 2021 to pull key insights that are relevant to security and development teams when it comes to fixing vulnerabilities.

As a result of the data collected, the top five most common vulnerability categories outlined in this year's "State of Pentesting" report include:

1.  Server Security Misconfigurations
2.  Cross-Site Scripting (XSS)
3.  Broken Access Control
4.  Sensitive Data Exposure
5.  Authentication and Sessions

Surprisingly — yet predictably — these vulnerability categories have stayed at the top of the list for at least the last five years in a row. They're also recognizable to those who are familiar with OWASP Top 10 list for Web Application Security Risks.

The majority of these findings are connected to missing configurations, outdated software, and a lack of access management controls — all common and easily preventable security flaws. So, what's holding companies back from preventing well-known security flaws? Why does this come as a surprise?

Because these flaws are common and appear to be less of a major threat, they are often overlooked as teams deal with talent shortages and increased workload. Standing alone, these issues might not cause a lot of concern, but they can build up to create more critical situations that are difficult to tackle and remediate.

Security and development teams need access to more resources and talent to prevent and fix common vulnerabilities in the future. Talent shortages have impacted security programs as teams are struggling to maintain security standards and vulnerabilities are more likely to go undetected and unremedied.

Findings from the "State of Pentesting 2022" point to key strategies organizations can implement for vulnerability management and retention.

1\. **Focus on learning:** Provide the right security training and resources with teams such as the OWASP Top 10 list and the "State of Pentesting" reports_._

2\. **Review your security configurations:** Consistently monitoring access/user matrixes, SSL certificates, software versions, and security headers can help with the top vulnerabilities we see each year. 

3\. **Clearly communicate risk:** It's important to show leadership and team members how insufficient resources and open vulnerabilities of all types can turn into much bigger security problems for the broader organization.

4\. **Outsource to agile vendors:** Find vendors who help you to achieve your security goals, integrate well with your systems, and create the right efficiencies to bring to your workflows.

Security and development teams have clearly been struggling with the same vulnerabilities for five years in a row, and although this can come as a surprise, there are steps teams can take to break the trend.

In addition to these tips for vulnerability management and retention, security assessments like pentesting can be a useful additional resource for development teams to patch vulnerabilities and remediate risk. Pentesting can help defend organizations against vulnerabilities that disrupt the organizational flow, reputation, financial circumstances, and more.  

**About the Author**

    

  
Jay Paz is Cobalt's Senior Director of Delivery. He has more than 12 years of experience in information security and 19+ years of information technology experience, including system analysis, design, and implementation for enterprise-level solutions. At Cobalt, he lays the groundwork for innovation and scale as he oversees operations and day to-day management for Cobalt's pentester community.

5-Year Vulnerability Trends Are Both Surprising and Sadly Predictable

Here's how to reduce security risk and gain the benefits of open source software.

Security has long been a point of concern in the open source community. If not managed carefully, the same openness that allows innovative code contributions from global users can also present vulnerable attack surfaces for malicious actors. In fact, when asked about roadblocks preventing their organizations' use of open source, respondents to Anaconda’s 2021 State of Data Science report cited "Fear of CVEs, potential exposures, or risks" (41%) and "Open source software is deemed insecure, so it's not allowed," (26%) among other concerns.

Yet open source drives innovation, and there are ways to dramatically decrease the potential risks that arise from the use of open source software. This is why many organizations take a “best of both worlds” approach, adopting open source while prioritizing security measures.

If you think of open source security as a spectrum, with “no security controls” on one end and “locked-down controls” on the other, technically advanced organizations tend to fall somewhere in the middle. Here are some lessons you can learn from their approaches.

**1\. Everyone Should Be Involved  
**Setting up open source security parameters should not be left solely up to the IT and data science teams. To be successful, you need buy-in from the whole organization, including executive leadership. Together, leaders must consider the tradeoffs of security risks and innovation rewards, and create a framework to define an acceptable level of risk for using open source software.

In creating security frameworks across organizations, preventative and containment-based perspectives are necessary. Since open source projects are open to globally dispersed contributors, the code doesn’t have the same level of built-in security as private vendor applications. For that reason, you need to have a proactive approach to security, setting clear risk parameters and pre-emptively implementing safeguards in the event of a breach. A key aspect of the latter component is the idea of a software bill of materials (SBOM), which lists the origin of all the code running in each application or package. With an SBOM in place, when an incident like last year’s Log4j incident occurs, you can quickly identify which areas of your infrastructure are impacted.

**2\. Take a Nuanced Approach  
**If the security framework is a hard-and-fast set of nonspecific rules, you’ll likely run into two problems. First, you risk security becoming an exercise of box-checking, where practitioners aren’t necessarily thinking critically about their actions and are just crossing items off a security checklist. Second, you’ll likely miss out on the best innovation open source has to offer.

Of course, there are a few areas where you want to be very firm in your security protocols, such as implementing access controls and firewalls and using only repositories that have been built on or are being mirrored from a secure environment.

However, there are other areas where you can introduce some nuance, such as parameters around acceptable CVE scores. For example, there are tens of thousands of open source packages in the Python realm alone. If you set automated filters that allow your data scientists to use only packages with a CVE score of 6 or lower, you could miss out on a package with key functionality that has a score of 7 but whose vulnerability would not be exposed in your particular use case.

Another approach is to establish different risk tolerance levels in development and production environments. This gives developers and data scientists more freedom to explore packages in the dev environment, which can be separated behind a firewall. Then, when it comes time to move workflows into production, you can enforce stricter security protocols. If a given package doesn’t meet those requirements, it’s an opportunity to explore whether to introduce more nuance into the rules.

**3\. Give Back to the Open Source Community  
**It might be tempting to think that forking an open source project and bringing the fork inhouse would help mitigate security issues by giving you tighter control over the code distribution. However, that path has several downsides, as noted in a recent memorandum from the Department of Defense. These include increased support risk (due to the loss of several pairs of eyes checking over code), decreased access to community-driven innovations, and increased code maintenance costs.

Instead of forking a project, many industry leaders work closely with the open source community to help surface, mitigate, and patch vulnerabilities when needed. Most projects rely on volunteer effort, and any resource contributions (including developer time, monetary support, and in-kind donations like server space) will benefit everyone who uses a project.

**Conclusion**Security is a journey, and everyone progresses at a different pace. It’s important to implement systems and strategies that work for your industry, resource level, and expertise. At the same time, it’s worthwhile to continually refine your security posture and adopt more sophisticated practices. The cyber threat landscape is ever evolving, so it’s incumbent on us as technologists to evolve and adapt so that we can stay protected, secure, and one step ahead.

How Industry Leaders Should Approach Open Source Security

Four months after the Log4Shell vulnerability was disclosed, most affected open source components remain unpatched, and companies continue to use vulnerable versions of the logging tool.

Attackers who want to exploit the critical remote code execution vulnerability disclosed in the Apache Log4j logging tool over four months ago still have a vast array of targets to go after.

In a recent scan using the Shodan search engine, Rezilion found more than 90,000 Internet-exposed servers containing a vulnerable version of the software. The security vendor believes the number represents only a small fraction of available attacker targets because it only considers publicly facing servers running open source software. If internal network servers and servers running proprietary applications are factored in, the total number of vulnerable targets is likely much higher, Rezilion said.

A Rezilion report this week that summarized the results of its study pointed to other data points that appear to bolster the company's conclusion.

Among them is data from a Google open source scanning service called Open Source Insights, which showed that just 7,140 Java packages out of a total of 17,840 affected packages have been patched for Log4Shell since the flaw was disclosed. Another data point from Sonatype found that as of Apr. 20, 2022, some 36% of Log4j versions being actively downloaded from the Maven Central Java application repository were still vulnerable to Log4Shell — a number that has remained largely unchanged since February.

"Similar to other historic high-profile vulnerabilities, even though four months have passed, there is still a huge attack surface that is vulnerable to Log4Shell," says Yotam Perkal, director of vulnerability research at Rezilion. "The 90,000 publicly accessible vulnerable servers are probably only the tip of the iceberg in terms of actual vulnerable attack surface."

The Apache Foundation disclosed the Log4Shell vulnerability (CVE-2021-44228) along with an updated and fixed version of the software on Dec. 9, 2021. The flaw is present in virtually every Java application environment, is considered trivially easy to exploit, and gives attackers a way to gain complete control over vulnerable systems. Many security experts consider the flaw to be one of the most dangerous to be disclosed in recent memory, and they have urged organizations to install the updated and fixed version of the software as soon as possible.

Despite the high concerns, there have been very few publicly reported instances of the flaw being exploited in a major breach. However, there are considerable fears that in many cases attackers may have already quietly exploited the flaw to gain access to enterprise networks and are waiting for an opportune moment to strike.

Security experts have pointed to the ubiquity of the flaw and the difficulty involved in detecting it — Java files containing the flaw can sometimes be buried deep inside applications — as potential reasons for the slow remediation pace so far.

Rezilion said one issue is that many people are unwittingly using software that relies on vulnerable versions of Log4j either because they don't have visibility into their software components or are using vulnerable third-party software. The Log4j flaw has also proven to be challenging to detect in production environments.

**Tip of the Iceberg?**  
Perkal says that the 90,000 vulnerable servers that Rezilion found via a Shodan search contained open source components with obsolete — and therefore potentially vulnerable — versions of Log4j; components with up-to-date Log4j versions that contained evidence of use of previous, potential vulnerable versions; and public-facing Minecraft servers with vulnerable Log4j versions.

"There are probably a lot of servers running these applications on internal networks and hence not visible publicly through Shodan," Perkal says. "We must assume that there are also proprietary applications as well as commercial products still running vulnerable versions of Log4j."

Significantly, all the exposed open source components contained a significant number of additional vulnerabilities that were unrelated to Log4j. On average, half of the vulnerabilities were disclosed prior to 2020 but were still present in the "latest" version of the open source components, he says. Rezilion's analysis showed that in many cases when open source components were patched, it took more than 100 days for the patched version to become available via platforms like Docker Hub.

Nicolai Thorndahl, head of professional services at Logpoint, says flaw detection continues to be a challenge for many organizations because while Log4j is used for logging in many applications, the providers of software don't always disclose its presence in software notes. "So, many companies don't actually know if it is being used in their system or not," Thorndahl says.

Often, many applications are using old versions of Log4j that are no longer being supported and are vulnerable. "Very few, if any, companies have a \[configuration management database\] so detailed that it would show where they are using Log4j," he says.

Thorndahl expects there will be more attacks exploiting the flaw, even though there have been very few so far.

"Most likely what we will see down the line, maybe four months, maybe a year, as we have seen before, is that incidents will be disclosed \[where\] companies detected they have been breached and the Log4j vulnerability was used and they probably had access for a long period of time," he says.

Source

DARKReading