Automated Vulnerability Scanning – It’s Critical to Know Your Weaknesses

Episode Resources:

• Resilience Cybersecurity & Data Privacy
• M-Trends 2022 – Mandiant Special Report – Mandiant
• Penetration Testing or Vulnerability Scanning? What’s the Difference? – The Hacker News
• Why is cybersecurity vital for small businesses? – IT Security Guru
• Zero Tolerance: More Zero-Days Exploited in 2021 Than Ever Before – Mandiant
• Over Half of Employees Don’t Adhere to Email Security Protocols – infosecurity Group

Episode Transcript

Brian: Hey, welcome to the Fearless Paranoia podcast where we are demystifying the exotic and crazy world of cybersecurity. I am Brian, the cybersecurity attorney.

Ryan: And I am Ryan, the cybersecurity specialist. 

Brian: And we’re here to break all this stuff down that’s going around in the world hopefully help you make some decisions help you understand what’s going on. If nothing else, as you might be able to tell, I sound like crap, my two-year-old has wonderfully brought home the panoply of exotic illnesses that exist in the giant petri dish that is known as preschool. And so I sound terrible, I feel fine, but I sound terrible. And this makes the ideal time for us to give the floor over to Ryan and talk about some interesting things going on in cybersecurity. Ryan’s been my best friend since 13 years old. And one of the funny things one of the interesting things, Ryan is how interested he is in everything that’s going on. And there is no one that I can think of better equipped to give us a review of the landscape, what interesting things are going on in the world of cybersecurity that those of us including myself, who aren’t deeply involved in working with cybersecurity, and quite frankly, you know, don’t understand and know the layout and the geography of the dark web. What keeps you interested, what have you seen recently that made you sit back and go, Wow.

Ryan: Brian, you hit on a couple of interesting ones there, I think the things that have really kind of intrigued me the most lately is been the shift in the workloads that are happening on that side of the fence, without even digging into things like the dark web, and that whole effectively, like a digital society that kind of exists there. The things that have kind of impressed me the most, that maybe were not as expected, or at least not as expected, as quickly as they occurred would be average adoption of the internet use. So just getting smartphones spread worldwide, getting people with different accounts with different companies, everybody’s got a digital presence, you’re spreading that information everywhere. One of the reasons cybersecurity exists as it does is because not just because of the threats, the vulnerabilities but because we took our lives, made them digital made that information about us digital, and then we threw it up into all these different companies and different services hands and effectively offered up heaps of data and started kind of a new era of big data. And with that, they found ways to monetize that data. And as soon as you put that level of financial interest behind it, you start to generate the activity to start to find its way into that equation.

Brian: Right. So obviously, we have this collection of data. Well, wherever it is online offline, and you have bad actors who are gonna want to get it because it as value. You mentioned that you were interested in this shift in the workload. What do you mean by that?

Ryan: The level of automation enhancements that have been seen, you know, 20 years ago, when you started hearing about hacking still, even right around 2000, it was still a pretty manual process. There were some people that had started automating some pieces of it. But for the most part, it was hands on keyboard hitting servers trying to find a way through the traffic was just much less intense and much less just kind of blatant or brazen that it is now right now, the amount of just automated scanning that occurs every day on the internet for things like vulnerabilities, things like exposed data, buckets, any sort of exposed service scanned all the way down to the port level. So I mean that that level of discovery and visibility is occurring in mass across the internet. So that kind of perimeter data collection, if you’re not doing that on your own for your business, your opponents already know more about your, your perimeter and your defenses then then you most likely do.

Brian: But one interesting thing about that, to me is I started blogging back in 2013. And I do remember that one of the big changes that took place was a shift towards opposition research, competitive research. And it started with just understanding and knowing what systems your competitors were on what social networks were they using, what tools were they using, then it went down into keyword research. I remember the time when reverse keyword research became the hot thing to do you find something that your competitors getting even the slightest traction, and you make sure to include that reverse keyword in your keyword to make sure that you are stealing their traffic that was you know, they’re all the rage in 2014 You know, and that was basic that was stuff that recreational blog, I mean, I wasn’t making any money blogging at that point. I’m still not but this was not professional writing. This was not Spotify podcast, you know, Joe Rogan level anything. So take that and then take it to the next unit profession over which is technology and the value of what you can find. I think what you said is perfect is reconnaissance. If there is something that can be found out about you and someone who wants to know about you, all that has to happen is for those two things to overlap slightly and everything about you is going to be known.

Brian:   You’re listening to the Fearless Paranoia podcast for more information on keeping yourself your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.

Brian: There are plenty of people and plenty of businesses that might be able to argue that that’s not a big deal personally, anytime I hear someone claim that they have nothing to hide, my first reaction is to cough very loudly and then yell bullshit, because it doesn’t matter. But it is interesting, this notion that you better be scanning your own stuff. Because if you don’t, if you don’t, because regardless, whether you do or not people looking to get into your stuff are so do you know your own weaknesses?

Ryan: Yeah. And how do you go about getting that job done as is irrelevant, as long as you are getting it done, not just checking the box. But getting it done. Whether that, you know, if you have to pay for a managed service, if you’re smaller companies are meant to make more sense to just go with some sort of concierge service that will do some of the least basic level scanning, what you don’t want to get hit by is low hanging fruit. And that’s what a lot of those managed services will take care of is they’ll take care of the stuff that is being scanned for just actively every day on the internet, where you know, you’re gonna find it by just a matter of rotation within time, or they will find it well.

Brian: To just to jump on that to remember there is the natural truism, criminals are fundamentally lazy, they will do the least amount of work possible. The good news is the good news paradoxical good news is there are so many people in companies who are leaving information, low hanging fruit right there that all you really have to do to dramatically improve your security is to be slightly better than that, make yourself a little bit harder. And you will be one of those incredibly easy targets that packers stumble upon without even trying now, is that going to protect you from a deliberate targeted attack? Not necessarily. But I mean, unless you have very specific information, or are the target of a very specific person, you’re much more likely to be the victim of general cyberattack than a targeted one anyways.

Ryan: Yep, you’re absolutely right. For the most part, targeted cyberattacks come down to very, very specific use cases. One of the most widespread attacks lately don’t even just like initial attack vectors is ransomware. Ransomware has been a big topic for many years now, it’s just going to probably get, you know, it’s going to continue to be a larger problem going forward, especially as data becomes more important on the internet. Right now, there’s been a lot of additional engineering and research in the way of finding vulnerabilities zero days are popping up faster than people can deal with most of them, especially when you get into larger companies, big development companies, these are starting to pop up in software libraries now and you’re starting to really see open source get attacked a lot. And so they’re popping up all over, there’s a lot of people doing a lot of reverse engineering a software are finding ways to exploit that that was a very limited field years ago, in the last few years, that’s really picked up a lot. And because of that they’re turning vulnerability to exploit much faster. And most of these attackers have gotten together and really banded together solid operations where not only do they take exploit the vulnerability, take vulnerability, turn it into a piece of the attack chain and update their attack chain. So when they start scanning for new vulnerabilities, they turn automation on you and quickly use other tools through this new vulnerability to leverage that level of quick, effective and total control over a set of systems. And some groups are actually going as far as taking those completed attack chains and selling them as a service. So you’ve got people that barely understand what’s actually happening under the hood that are now drag race in this car that they barely know how to use out on the road and pointing it at corporate culture, because that’s where a lot of the money is pointing it at financial institutions, some of them go for smaller targets to try to stay off the radar. Some of them like to go for the big boys. It just, it all kind of depends, but well, and then they’ve identified a couple of major things. Again, a couple of the main weaknesses right now in our online culture nowadays, as far as initial compromise is your user base, I’m sorry for all the users out there everybody who’s joined to the Internet revolution in the last 27 years, the majority of you are sufficiently under trained and under equipped to handle a lot of the sophisticated social engineering that is going on nowadays. This isn’t just you know, we’ve gone past the point of like gullibility inefficient. These are well crafted, well engineered college and beyond level type phishing scams starting to occur nowadays to the point where they are extremely effective. And all it takes is one standard user compromise to really get a small foothold in the network. And from there it goes anywhere social engineering is a huge problem nowadays.

Brian:   You’re listening to the Fearless Paranoia podcast, we’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or Twitter. For more information about today’s episode, be sure to check out Fearless Paranoia.com We’ll find a post for this episode containing links to all the sources research information that we have cited to you. And also check out our older posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.

Brian: So we’ve talked a lot about kind of how the workload has shifted from that manual hacking you were talking about earlier to more of an automated setup. And how one of the biggest issues is that automated scanning for weaknesses and vulnerabilities. Is there any, you know, end in sight? Or is this something that we basically just have to accept that it’s hearing, it’s not going away,

Ryan: The kind of general level of automated scanning just continues to increase at a pretty good rate. So I’m kind of curious to see if anyone’s ever gonna find a way to try to do anything about that. The problem is, it’s just so distributed, and it’s so prevalent because of stuff like misconfigured IoT and stuff that it would be really hard to shut it all down without killing a lot of people’s toys worldwide and so hard to kind of deal with something like that.

Brian: Okay, well, I guess what he’s telling us is that we have to stay vigilant. That’s something pretty easy that we all do all the time. Right. Thank you for tuning into the Fearless Paranoia podcast. I hope for the love of God, that I will sound better than this in the near future. Not though for the next episode, because we have to record these back to back so please do tune in again, subscribe to us on your favorite podcast subscription channels, and we’ll see you next time.