Tenable, the cyberexposure company, has announced that Tenable Research has discovered several zero-day vulnerabilities in the PremiSys access control system developed by IDenticard. When exploited, the most severe vulnerability would give an attacker unfettered access to the badge system database, allowing him/her to covertly enter buildings by creating fraudulent badges and disabling building locks. According to its website, IDenticard has tens of thousands of customers around the world, including Fortune 500 companies, K-12 schools, universities, medical centres and government agencies.
Today’s modern enterprise has an extremely complex digital infrastructure comprised of both traditional and modern assets — from workstations and on-premises servers to building security systems and smart devices. This level of complexity has made it increasingly difficult for security teams to establish secure networks in dynamic enterprise environments. The PremiSys zero-days are a stark reminder that the mass adoption of emerging technologies has quickly blurred the lines between physical and digital security. This discovery comes just a few months after Tenable Research found another zero-day flaw — dubbed Peekaboo — in global video surveillance software.
PremiSys technology allows customers to grant and restrict access to doors, lockdown facilities and view integrated video. Once exploited, the most severe flaw would give cybercriminals administrator access to the entire badge system database via the PremiSys Windows Communication Foundation (WCF) service endpoint. Using the administrator privileges, attackers can perform a variety of actions like downloading the full contents of the system database, modifying its contents or deleting users.
“The digital era has brought the cyber and physical worlds together thanks, in part, to the adoption of IoT. An organisation’s security purview is no longer confined by a firewall, subnets, or physical perimeter — it’s now boundary-less. This makes it critically important for security teams to have complete visibility into where they are exposed and to what extent,” said Renaud Deraison, Co-founder and Chief Technology Officer, Tenable.
“Unfortunately, many manufacturers in the new world of IoT don’t always understand the risks of unpatched software, leaving consumers and enterprises vulnerable to a cyberattack. In this case, organisations that use PremiSys for access control are at a huge risk as patches are not available. Beyond this particular issue, the security industry needs to have a wider dialogue about embedded systems and their maintainability over time. The complexity of the digital infrastructure is increasing and so is its maintenance. We need vendors to be committed to delivering security patches in a timely manner and in a fully automated way. Tenable Research is committed to cooperating with willing vendors on coordinated disclosures to help ensure consumers and organisations alike are secure. Industry collaboration is key to helping customers manage, measure and reduce their exposure.”
Intelligent CIO Europe caught up with Gavin Millard, Vice President of Intelligence, Tenable to hear his views on the risks posed to businesses as a result of poor cyberhygiene:
Current cybersecurity risks facing enterprises and how these are being tackled
One of the biggest problems faced by organisations is basic cyberhygiene. If you consider some of the big breaches, they’re always said to be sophisticated threat actors, nation-state and really advanced. I think that’s a get-out. A lot of the issues organisations are facing are simple foundational things that they’re not doing well such as patching. If you think about the way that an attacker gets in, they’re taking advantage of known vulnerabilities to deploy code. Of all the big breaches, they are very rarely nation-state, they are very rarely advanced, they’re just persistent. Any network that is broken into is done by finding the right flaw to take advantage of and this isn’t done by a complex attack, it’s usually a lack of a patch.
The evolving threat landscape
There are two main themes resulting from developments over time, one being the number of assets we’re trying to manage is ever increasing and the amount of these assets is expanding exponentially. The problem with those assets is that they’re also changing type. If you look back a few years ago, people were dealing with static and accessible physical assets. Nowadays, we’re moving to ephemeral and immutable assets. Everyone is going through the Digital Transformation process and pushing things into the cloud – which is a good thing – but it means that their attack surface is increasing and the amount of available assets to target is increasing. Irrelevant of type, the amount of vulnerabilities that are being disclosed every day is increasing. This year, the amount of vulnerabilities is expected to grow to around 52% in comparison to last year.
Another thing to consider is that many organisations are utilising Machine Learning (ML) and Artificial Intelligence (AI) and doing some really clever things with it. If cybercrime is a multi-billion-dollar industry, we must believe that they are making those same investments. So, leveraging ML and AI to automate flaws in people’s environments. Attackers are going to get smarter, but so are defenders. As an example – we are building ML models to predict the vulnerabilities that attackers are going to use. We’ve got PhD Data Scientists working on this right now, allowing them to predict which vulnerabilities attackers use. If we can predict this, irrelevant of their method, we can close that attack surface down. Defence and attack are going to increase in speed and volume.
Prioritising patching vulnerabilities
Not every vulnerability is the same and the ones that get noticed are the ones that have a catchy name and logo. They’re not always the scariest vulnerabilities out there. The vulnerabilities that need to be patched are those that attackers are actually using. We need to take a more threat-centric approach to vulnerabilities. I don’t care about the 15,000 vulnerabilities that were disclosed last year, I care about the 7% that actually had exploits available for them. I care about the assets of the 7% of those 15,000 vulnerabilities that are Internet-facing. They’re the things we need to be patching. You can’t patch everything, so let’s make sure we patch the right things.
Greatest emerging threats
I think the greatest threat is the money. The biggest issue that faces cybersecurity today isn’t the latest vulnerability, it’s the fact that cybercriminals can monetise. Compared to 20 years ago, cybercriminals of today can make millions from cyberattacks. Criminals are involved in attacking organisations through IT because it’s massively profitable. As long as it continues to be easy for cybercriminals to break in and monetise the attack, it’s just going to increase.
Combatting the cybersecurity issue and reaching a final solution
We can combat the cybersecurity issue today. The biggest threat in IT security isn’t ATP, it’s apathy. People aren’t taking the right steps to solve this issue. Take WannaCry as an example, it was a massive vulnerability threat and Microsoft warned people before it came into effect. A month later, WannaCry hit and people were surprised. Systems weren’t patched properly and the vulnerability targeted these systems. We know the answer, we’re just not doing it.
Educating the end-user on potential threats to allow them to contribute to solving the issue
We must question whose fault it is if, for example, an end-user clicked on a phishing email. I think end-user education is really important but you’re not going to be able to identify a really clever phishing email. I’ve been in this industry for 20 years and sometimes even I’m not sure. What needs to happen in the industry is that everyone accepts these foundational controls and takes cybersecurity seriously, otherwise it’s just going to continue. We should be making it difficult for cybercriminals to monetise and until we do, they’ll just keep breeding.
Top tips for securing an enterprise
My top three tips are the same ones I’ve been giving for 15 years: patch your systems; have good passwords; and reduce your attack surface. These are the cyber essentials.
Tenable’s customer satisfaction
We’re focused on solving one problem; vulnerability. Most vendors in this industry try and go inch-deep, mile-wide. We are 100% focused on fixing the vulnerability issue and we invest all of our resources into doing so. This problem has been around since IT began and has not yet been solved. We have the answer and we are executing on that and our customers love that they’re with us on this journey. Tenable is laser-focused on execution; on solving the vulnerability problem.
Tenable’s future in the next year
Tenable is really focused on quantifying organisations’ risk and really making that easy. If you don’t know what your risk exposure is, it’s really hard to address it. We’re also focused on measuring – how well are you doing things – because you can’t improve what you can’t measure. In the coming months, we’re going to enable all our customers to benchmark themselves. That benchmarking enables you to make decisions.
Advice to up and coming CISOs
It’s really easy nowadays to fall for the marketing jargon that surrounds cybersecurity. Don’t buy into the hype; focus on the foundation. Measure your effectiveness and make sure you’re implementing those controls effectively.