Low Risk Findings


“If a window in a building is broken and is left unrepaired, all the rest of the windows will soon be broken” -James Q. Wilson and George L. Kelling


Are low risk pentest/audit findings worth the effort?

After all, they take time for the security engineer to discover, to validate, and to report and explain. Then, they take time for the client to analyze, research, and discuss, often with a team of managers and executives.

All of which results in dozens, if not scores, of man-hours simply for a list of findings that are risk accepted 99% of the time.

And yet, as meaningless as it can feel, this process carries tremendous value for two reasons:

  1. Helping the client understand the potential impact of even low risk findings (when coupled together).
  2. Demonstrating how security is a priority for the client.

Chaining Low Risk Findings

In penetration test reports, risk ratings are usually assigned based on the individual finding and not how the finding might be used in conjunction with other findings - kind of like nutrition facts for one serving of ice cream as opposed to the entire pint, plus the bag of potato chips, family size M&Ms, and 6 pack of Coke. (A good report should discuss how a finding can link to other issues, but the risk rating will still always be singular.)

As a result, many report readers don't always fully grasp how risky low risk findings can truly be. Allow me to present an exploit scenario, using only low to medium risk findings:

  • User clicks on a phishing link in an email that managed to escape the spam filters. Because there is no URL whitelisting on the corporate device (low risk finding!), the user navigates to the malicious page without issue.
  • The malicious page downloads malware to the user's workstation. Because the anti-virus solution is kept one version behind so that all updates (including rule signatures) can be thoroughly tested before being pushed out (low risk finding!), the malware is not detected.
  • The user fails to notify the security team of what happened. Partly this is because the user isn't sure themselves and partly because they don't know exactly how to notify security for an issue like this (low risk finding!).
  • The malware captures the user's credentials the next time they authenticate to a cloud service and sends those credentials to a remote server (low risk data exfiltration finding!).
  • The hacker then navigates to the same cloud service from a remote IP address (low risk geo-blocking finding!).
  • Using the stolen credentials, the hacker authenticates to the cloud service and discovers there is no MFA requirement (often considered a Low to Medium risk when passwords are suitably complex).
  • Even though the hacker is authenticated at the same time as the user from a different place (low risk session control finding!), the hacker is able to use the application without issue and calmly navigates around, discovering sensitive data and functionality (low risk missing anomaly detection finding!).
  • Finally, the hacker exfiltrates sensitive data from the cloud service (another low risk data exfiltration finding!).

Individually, each issue is a low risk issue - like one serving of ice cream. But, when combined all together, they become a huge health risk.

By the way, if this exploit scenario sounds familiar, it is. This is the Snowflake breach from June.
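Three of the "low risk" gaps in the scenario above (no geo-blocking, no session control, no anomaly detection on bulk access) are things a defender can check for in sign-in logs, and the point of the scenario is that they matter most when the same account trips several of them. The following is an added example written for this article, not code from Craft Compliance or from any vendor; the log lines, IP addresses, the IP-to-country table and the one-hour session lifetime are all constructed assumptions standing in for a real cloud service's audit log and a GeoIP database.

```python
"""
Detect three of the chained low-risk findings from the scenario:
  - a successful sign-in from a country outside the allow-list (missing geo-blocking)
  - the same account active from two different IPs within one session lifetime
    (missing session control / anomaly detection)
  - a bulk data export by that account (data exfiltration)
Then raise the severity for any account that trips more than one of them.
Every log line, IP and country mapping below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of cloud-service audit events (not real log data).
SAMPLE_LOG = """\
2024-06-03T08:01:10Z user=alice src=203.0.113.10 event=login_success
2024-06-03T08:03:45Z user=bob src=203.0.113.22 event=login_success
2024-06-03T08:20:05Z user=alice src=198.51.100.77 event=login_success
2024-06-03T08:25:00Z user=alice src=203.0.113.10 event=data_export rows=120000
2024-06-03T08:31:12Z user=carol src=192.0.2.9 event=login_failure
2024-06-03T08:32:00Z user=carol src=192.0.2.9 event=login_success
"""

# Hypothetical IP-to-country lookup standing in for a GeoIP database.
GEO = {
    "203.0.113.10": "US",
    "203.0.113.22": "US",
    "198.51.100.77": "RU",
    "192.0.2.9": "US",
}
ALLOWED_COUNTRIES = {"US", "CA"}      # assumed geo allow-list for this tenant
SESSION_TTL = timedelta(hours=1)      # assumed session lifetime for overlap checks
BULK_EXPORT_ROWS = 10_000             # assumed threshold for a "bulk" export


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict; None on malformed input."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = {"ts": ts}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        fields[key] = value
    return fields


def parse_log(text):
    """Parse every well-formed line, silently skipping malformed ones."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def find_geo_violations(events):
    """Successful sign-ins from a country outside ALLOWED_COUNTRIES."""
    hits = []
    for e in events:
        if e.get("event") != "login_success":
            continue
        country = GEO.get(e["src"], "??")   # unknown IPs are treated as not allowed
        if country not in ALLOWED_COUNTRIES:
            hits.append((e["user"], e["src"], country))
    return hits


def find_concurrent_sessions(events, ttl=SESSION_TTL):
    """Same account signed in from two different IPs within one session lifetime."""
    logins = defaultdict(list)
    for e in events:
        if e.get("event") == "login_success":
            logins[e["user"]].append((e["ts"], e["src"]))
    hits = []
    for user, sessions in logins.items():
        sessions.sort()                              # chronological order
        for i, (t1, ip1) in enumerate(sessions):
            for t2, ip2 in sessions[i + 1:]:
                if t2 - t1 > ttl:                    # later logins are even further apart
                    break
                if ip1 != ip2:
                    hits.append((user, ip1, ip2))
    return hits


def find_bulk_exports(events, threshold=BULK_EXPORT_ROWS):
    """Data exports at or above the bulk threshold."""
    return [(e["user"], int(e["rows"])) for e in events
            if e.get("event") == "data_export" and int(e.get("rows", 0)) >= threshold]


def chained_risk(events):
    """Per account: 'low' if one detector fired, 'high' if two or more did."""
    findings = defaultdict(set)
    for user, *_ in find_geo_violations(events):
        findings[user].add("geo")
    for user, *_ in find_concurrent_sessions(events):
        findings[user].add("concurrent")
    for user, _ in find_bulk_exports(events):
        findings[user].add("bulk_export")
    return {u: ("high" if len(f) >= 2 else "low", sorted(f)) for u, f in findings.items()}


if __name__ == "__main__":
    for user, (severity, reasons) in chained_risk(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {severity} ({', '.join(reasons)})")
```

Run on the constructed log, each detector on its own reports a single event for `alice` that a triage queue would probably rate low; only `chained_risk` sees that the out-of-country sign-in, the overlapping session and the bulk export belong to the same account within half an hour, which is the pattern the scenario describes.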

Security is a Priority

Employees get their priority cues from management/executives.

If employees see management focusing solely on critical risk issues and ignoring the rest, they will get the message that security is only a priority if it is a critical issue. Everything else can be safely ignored. Then, not unlike the broken window theory, suddenly small risks are cropping up everywhere and being ignored. Moreover, often serious risks are subsequently downplayed or explained away, so they can be “safely” ignored as well.

On the other hand, if employees see management taking every identified issue seriously, even if it is ultimately risk accepted, then they will take every security issue seriously as well. Even if an issue isn't fixed right away, it will be analyzed, researched, and discussed. As a result, low risk issues and simple deviations from best practices are more likely to get slowly resolved or mitigated over time.

Ultimately then, low risk issues are important and are worth the time and effort spent on them. Even just by taking them seriously and discussing them in earnest, we demonstrate that security is a priority in our organization, making it more likely that risk will be remediated and a security culture will thrive.

Security News

  • After the city of Columbus, Ohio, experienced a ransomware attack in July and disclosed the event, it sued a researcher who claims the breach was bigger than the city let on.
  • A security researcher named "Ynwarcs" has published analysis of a proof-of-concept exploit code for a critical zero-click vulnerability in Windows TCP/IP.
  • California state legislature passed a bill that will require Internet browsers and mobile operating systems to let users opt out of the sale or sharing of their personal information.
  • The project, ElectionGuard, checks the integrity of the hardware and processes of each part of an election, allowing any participant — from voters to election administrators to interested third party observers — to verify the ballots and the final tally of in-person voting.
  • Vendors of mercenary spyware tools used by nation-states to track citizens and enemies have gotten savvy about evading efforts to limit their use.
  • U.S. Offers $10 Million for Info on Russian Cadet Blizzard Hackers Behind Major Attacks.
  • An ongoing malicious campaign that employs phony call centers has been found to trick victims into downloading malware capable of data exfiltration as well as deploying ransomware on infected systems.
  • Threat actors affiliated with North Korea have been observed leveraging LinkedIn as a way to target developers as part of a fake job recruiting operation.
  • Google has released its monthly security updates for the Android operating system to address a known security flaw that it said has come under active exploitation in the wild.
  • Oil service giant Halliburton told U.S. federal regulators Tuesday that hackers stole data after the firm acknowledged "unauthorized activity" on its networks in late August.
  • Progress Software released an urgent patch Thursday to fix a critical vulnerability that hackers could exploit to launch remote attacks.
  • Physical security biz Verkada has agreed to cough up $2.95 million following an investigation by the US Federal Trade Commission (FTC) – but the payment won’t make good its past security failings, including a blunder that led to CCTV footage being snooped on by miscreants.
  • Zyxel has released security updates to address a critical vulnerability impacting multiple models of its business routers, potentially allowing unauthenticated attackers to perform OS command injection.


Until next time,

The Craft Compliance Team
