The Data Security Maturity Model ditches application, network, and device silos when it comes to architecting a data security strategy.

RSA CONFERENCE 2023 – San Francisco – The coalition behind the Data Security Maturity Model has issued a second iteration of the framework, aimed at making it easier for businesses to protect data from leaks.

The coalition, created by Cyberhaven last summer, is led by Sounil Yu, CISO at JupiterOne and includes a range of security leaders from a range of companies, including Boston Scientific, Caterpillar Financial, Fleet, Flexport, Motorola Mobility, Twilio, VillageMD, and others.

During a panel at RSA Conference 2023, entitled Comprehensive Cyber Capabilities Framework: A Tech Tree for Cybersecurity, coalition members laid out a vision for the next generation of data security.

"The ability to protect any type of data across devices, applications, and cloud assets is essential if organizations are to take advantage of the power of modern collaboration and digital transformation without exposing their data to external threats, insider threats, or simple mistakes by well-intentioned users," the coalition said in a statement.

The DSMM aligns to the NIST Cybersecurity Framework and the Cyber Defense Matrix, and to enable a data-centric view, it defines five key functions:

*   **Identify & Classify:** Find and classify all data covered by the data security program.
*   **Protect:** Minimize the exposure of sensitive data by controlling how it is accessed, used, and retained.
*   **Detect:** Collect and analyze data risk to identify data-related security events or policy violations that were not stopped by the "Protect" function.
*   **Respond:** Establish immediate, short-term actions to be taken upon detection of a potential incident.
*   **Recover & Improve**: Determine actions needed to not only restore normal operations (as they pertain specifically to data), but also to build back stronger.

In its second iteration released this week, the maturity model refines each of these pillars to take into account more granular context, such as what server infrastructure is being used, how much is in the cloud, privacy regulations, how employees and others use the data, and how applications, APIs, and non-human endpoints use it, and more — in order to gain a fuller picture of an organization's data footprint.

**The Data & Digital Transformation Problem**

Richard Rushing, panelist and CISO of Motorola Mobility, tells Dark Reading that a new framework approach was needed given that, in the age of digital transformation, getting arms around all of the data being generated at any given point within an organization simply can't be accomplished by looking at protection in a siloed way. The old concept of seeing data in the context of devices, applications, or the network, needed to be traded for a focus on the data itself, wherever it goes within an organization.

"If you think about what security is enabling, it's the use of data, and ubiquitous access to it," he says. "It's necessary to connect to the network to use the data that's in the network to make better decisions for the business or make better decisions for your customers. But data is found in different places, sometimes it's at rest, and sometimes it's in transit."

He adds that the problem is — quite literally — growing, also necessitating a rethink of protection architecture.

"Data is on a logarithmic curve; for every amount of data that I have next year, it's probably 2.5 times more than the amount of data I had this year," he says. "We're data hoarders, for lack of a better term; no one wants to get rid of people's information who have signed up to websites and forums and everything else, so we have this enormous data sprawl. That, in turn, leaves behind security blind spots."

Further adding to the challenge is the fact that some data is of course more sensitive than other information, and some information doesn't need protecting at all, Rushing points out. And there's dynamism in terms of defining appropriate security levels as data ages.

He uses a product launch to illustrate his point. "With a product release, we start off with a situation where no one knows about it, everything's embargoed, and you're protecting this important intellectual property," he explains. "And the next thing you know, it's released for public consumption. And it's suddenly not top secret anymore, in fact, you want the whole world to know about it."

Rushing says that the framework is meant to tame some of this chaos, and that it can be tailored to large enterprises and small-to-midsized businesses alike. It allows organizations to focus in on a number of practice areas, too — including risk-based decision prioritization, collaboration, continuous education, risk management for vendors and third parties, compliance, being transparent, and incident response and how to recover data.

"I don't want to say it's one size fits all, but it's very close to one size fits all," he explains. "The controls are going to be different depending on the environments, but the approach is meant to be flexible enough to accommodate that."

He says that the framework is a living architecture that the coalition plans to refine and evolve over time. However, the time to make the switch to thinking about things in a data-centric kind of way should start now.

"If you don't start \[or\] you don't think about this, you're going to get hit in the next 6, 12, 18 months in some way, shape, or form," he warns. "It's not like the Internet is becoming a safer neighborhood and data is the new oil that's going to drive business and attackers alike."

CISOs Rethink Data Security With Info-Centric Framework

**SAN FRANCISCO****,** **April 25, 2023** **/PRNewswire/ --** BlackBerry Limited (NYSE: BB; TSX: BB) and Solutions Granted today announced an extended partnership, naming the leading cybersecurity services provider a Master Managed Security Services Provider (MSSP), enabling it to better scale and meet the growing demand for cybersecurity services among small and medium-sized businesses (SMBs).

"Solutions Granted has been honored as BlackBerry MSSP Partner of the Year for North America for five consecutive years and we're excited to take our partnership to the next level by crowning them as our top Master MSSP," said Adam Enterkin, Chief Revenue Officer, Americas, BlackBerry Cybersecurity. "BlackBerry is dedicated to increasing its focus on MSSP partners to ensure they're set up for success. Endpoints are proliferating, and so are the cyberattacks against them. Our extended partnership with Solutions Granted will help hundreds of small and mid-size businesses continuously adapt to an ever-changing threat landscape."

As a 'Master MSSP', Solutions Granted will be better positioned to help its own partners to deliver Managed Detection and Response (MDR) and other Managed Security Services to their mid-market and SMB clients.  In partnership with BlackBerry and heavily leveraging the Cylance® AI-powered portfolio, Solutions Granted helps thousands of clients secure their environments and prevent attacks. By working with Solutions Granted, MSSPs and managed service providers (MSPs) can offer industry leading managed security, without making the significant investment of building out their own security operations center (SOC).

CylanceENDPOINT™ is among the solutions it helps managed service providers (MSPs) deploy to clients, either as individual managed services or integrated into a SOC-as-a-service offering.

"BlackBerry's support for our business model provides the flexibility we need to continue to meet customer demand and provide the best possible product support for their business needs," said Michael E. Crean, Chief Executive Officer, Solutions Granted. "We value the investment BlackBerry is making in our partnership and know this will go a long way in setting up our customers for success."

To learn more about BlackBerry MSSP Partners, visit blackberry.com/us/en/partners/mssp-partners.

**About BlackBerry**

BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and services to enterprises and governments around the world.  The company secures more than 500M endpoints including over 215M vehicles.  Based in Waterloo, Ontario, the company leverages AI and machine learning to deliver innovative solutions in the areas of cybersecurity, safety and data privacy solutions, and is a leader in the areas of endpoint management, endpoint security, encryption, and embedded systems.  BlackBerry's vision is clear - to secure a connected future you can trust.

BlackBerry. Intelligent Security. Everywhere. 

For more information, visit BlackBerry.com and follow @BlackBerry.

_Trademarks, including but not limited to BLACKBERRY and EMBLEM Design are the trademarks or registered trademarks of BlackBerry Limited, and the exclusive rights to such trademarks are expressly reserved.  All other trademarks are the property of their respective owners.  BlackBerry is not responsible for any third-party products or services._

**About Solutions Granted Inc.**

Solutions Granted is a Master Managed Security Services Provider (Master MSSP). They offer cybersecurity solutions to North American MSPs and MSSPs and are committed to delivering solutions without requiring minimums, commitments, or long-term contracts. They proudly offer many security layers as well as a 24x7 U.S.-based Security Operations Center (SOC). Over the past several years, Solutions Granted has emerged as a clear leader in the channel, by winning countless awards including the CRN Security 100 list, Top 100 MSSP List, Top Global MSSP List, and BlackBerry MSSP Partner of the Year. Learn more at https://www.SolutionsGranted.com.

BlackBerry Extends Partnership With Managed Security Services Provider (MSSP) to Ensure SMBs are Set Up for Cyber Success

CISOs and cybersecurity teams will play a key role in hardening artificial intelligence and machine learning systems.

RSA CONFERENCE 2023 – San Francisco – As enterprises and government agencies increasingly weave artificial intelligence (AI) and machine learning (ML) into their broader set of systems, they'll need to account for a range of risk resilience issues that start with cybersecurity concerns but spread far beyond those. 

A panel on April 24 at RSA Conference 2023 composed of distinguished AI and security researchers examined the problem space of AI resilience, which includes weighty issues like adversarial AI attacks, AI bias, and ethical application of AI modeling.

Cybersecurity professionals need to start to tackling these issues both within their organizations and as collaborators with government and industry groups, panelists noted.

"Many organizations will look to integrate AI/ML capabilities of their core business functions, but in doing so will increase their own attack surface," explained panel moderator Bryan Vorndran, assistant director at the FBI Cyber Division. "Attacks can occur in every stage of the AI and ML development and deployment cycle, models, training data, and APIs can be targeted."

The good news is that there is time to ramp up into these efforts if the community begins work now.

"We have a really unique opportunity here as a community," said Neil Serebryany, CEO of CalypsoAI. "We're aware of the fact that there is a threat, we're seeing early incidents of this threat, and the threat is not full-blown yet."

The 'yet' is the operative word, he emphasized, and his fellow panelists agree. The field of risk management is in a place with AI similar to where cybersecurity was with the Internet in the 1980s, said Bob Lawton, chief of missions capabilities for the Office of the Director of National Intelligence Science and Technology Group.

"Imagine if it's 1985 and you knew the challenges that we were going to face in the cyber domain now, what would we as a community, as an industry do differently 35 years ago, and that's exactly where we're at with AI right now," said Lawton. "We have the time and space to get it right."

Specifically when it comes to direct attacks against AI systems by adversaries, the threats are still very rudimentary, but that's only because the attackers are only putting the work they need to in order to achieve their objectives right now, said Christina Liaghati, AI strategy execution and operations manager for MITRE Corporation.

"I think we're going to see many more of the malicious actors having a higher level of sophistication of these attacks, but right now they don't have to, which I think is what's really interesting about this space," she told the audience.

Nevertheless, she warned that organizations can't treat the risks lightly. The interest of threat actors to increase their sophistication and knowledge of AI models will only keep growing as it is embedded into systems they can profitably attack. And this is just as true of smaller organizations using simple ML models in financial systems as it would be for government agencies using it in an intelligence capacity.

**Everyone Is at Risk**

"If you're deploying AI in any environment where any actor might want to misuse or evade or attack that system, your system is vulnerable," she said. "So, it's not just super advanced tech giants or anybody that's deploying AI in a massive way. If your system is in any kind of consequential environment and then you incorporate AI and machine learning into that broader system of systems context, you could be exposing it in new ways that you're probably not thinking about or necessarily prepared for."

The challenge with AI for many cybersecurity executives is that addressing these risks will require they and their teams gain a whole new set of knowledge and parlance around AI and data science.

"I don't think that AI assurance at its core is a traditional infosec problem," Serebryany said. "It's a machine learning problem that we're trying to figure out how to translate into the infosec community."

For example, hardening the models requires understanding of key data science metrics like recall precision accuracy and F1 scores, he said.

"So I think it's kind of incumbent upon us to be able to figure out how to take these underlying ML concepts and research and translate the parlance, the concepts and the standard operating procedures within a soft context that makes sense within the infosec community," he said.

At the same time, Liaghati said to not discount the security basics as AI/ML models and systems will be deployed in the context of other systems for which security teams have decades of experience managing risk. The principles of data security, application security, and network security are still extremely relevant, as are standard risk management and OpSec best practices.

"So many of those are just good practices. It's not just a big, fancy adversarial layer or being able to patch a data set. It's not necessarily that complicated," she says. "Many of the ways that you can mitigate these threats are just thinking about the amount of information that you're putting out within public domain on what models you're using, what data you're using, where it's coming from, \[and\] what the broader system context looks like around that AI system.

AI Experts: Account for AI/ML Resilience & Risk While There's Still Time

**AUSTIN, Texas – April 25, 2023 –** Global security leader Forcepoint today extended the depth and breadth of its Data-first SASE (Secure Access Service Edge) offering with the launch of Forcepoint Data Security Everywhere. Forcepoint is simplifying enterprise DLP management across cloud, web and private apps and streamlining compliance wherever hybrid workers store, access and use confidential information.

The company is also bringing to market Forcepoint ONE Insights thatenables users to quickly visualize and quantify the financial value of security efficacy delivered by Forcepoint solutions. Forcepoint ONE Insights’ visualization console presents key performance indicators such as adoption, data and threat protection, policy violations, performance, and risk.

“Data isn’t the new oil; it is the new air. Literally everything runs on data today and our lives and livelihoods depend on it. Before today, securing data required a mishmash of point solutions. Forcepoint is taking the lead in solving this problem with Forcepoint Data Security Everywhere,” said Manny Rivelo, CEO of Forcepoint. “We’re deliveringenterprise-wide data security plus the power and flexibility of Forcepoint ONE SSE to keep data safe at all times, even after it is accessed.Comprehensive data security is a critical capability within our Data-first SASE solution, providing the visibility and control organizations need to protect their data and simplify Zero Trust security.”

In two years, humanity's collective data will reach 175 billion terabytes -- the number 175 followed by 21 zeros. This data includes everything that powers business and consumers’ day-to-day lives. It is accessed and used by hybrid workforces on corporate endpoints and personal devices such as phones and tablets to do their jobs. Forcepoint Data Security Everywhere is a direct response to the reality that business productivity depends upon people having the ability to safely and efficiently use data anywhere.

By connecting Forcepoint Enterprise DLP to the Forcepoint ONE Security Service Edge (SSE) platform, customers can extend a new or existing enterprise DLP policy, including its advanced classifiers, data fingerprinting, and enforcement settings, to the web and cloud. A unified security policy from Forcepoint protects sensitive data across all channels, including endpoints, websites, cloud services, networks, email and private apps.Forcepoint’s data-first approach goes far beyond basic data protection that is often built into SASE solutions. By classifying data and organizing it into different groups rather than relying on hardcoded patterns, Forcepoint data security policies can be written once and enforced everywhere to automatically handle new instances and types of sensitive data.This end-to-end enforcement is ideal for organizations with cloud-based applications or distributed workforces.

**Key Benefits of Enforcing Data Security Everywhere**

*   Adds Forcepoint ONE SSE channels to Forcepoint Enterprise DLP, protecting data across any website, cloud application, and web-based private applications. 
*   Applies new or existing DLP policies across CASB, SWG, and ZTNA channels. 
*   Simplifies DLP management by leveraging over 1,600 out-of-the-box classifiers, policies and templates enabling granular enforcement for files.
*   Gives security operations center (SOC) and IT teams complete incident reporting and forensic information from a single management console.

Forcepoint Data Security Everywhere is immediately available direct from Forcepoint and through the company’s global network of channel partners.

**AI-powered Data Visualization with Forcepoint ONE Insights**

Further extending the value-added capabilities of Forcepoint ONE, in late Q2 2023 the company will unveil Forcepoint ONE Insights, formerly code-named Symphony, which provides economic value and advanced security analytics for real-time insights into an organization's security status.

Forcepoint ONE Insights technology, included with all Forcepoint ONE subscriptions, uses machine learning and artificial intelligence to analyze security data from multiple sources, such as network traffic, endpoint devices, and cloud applications. Using the at-a-glance visualization, security teams can identify potential threats more quickly, reducing the risk of data breaches. They can also see in real-time dashboards showing the economic value and ROI of their use of Forcepoint ONE.

**Meet Forcepoint Experts at RSA 2023**

During the week of RSA, April 25-27, the company will provide hands-on opportunities with Forcepoint Data Security Everywhere and Forcepoint ONE Insights at the Forcepoint Experience Center on the fourth floor of the St. Regis San Francisco. Organizations that want to learn more and get demos can request a meeting.

**Additional information**

*   Read the Data Security Everywhere blog \[link\]
*   Read the Forcepoint Insights blog \[link\]
*   Learn about Data-first SASE
*   Learn about Forcepoint ONE, FlexEdge Secure SD-WAN

**About Forcepoint**

Forcepoint simplifies security for global businesses and governments. Forcepoint’s all-in-one, truly cloud-native platform makes it easy to adopt Zero Trust and prevent the theft or loss of sensitive data and intellectual property no matter where people are working. Based in Austin, Texas, Forcepoint creates safe, trusted environments for customers and their employees in more than 150 countries. Engage with Forcepoint on www.forcepoint.com, Twitter, and LinkedIn.

Forcepoint Delivers Data Security Everywhere, Extending DLP Policies From Endpoints to the Cloud

Full packet capture and log monitoring directly on SASE nodes maintains enterprise-grade security, no matter where the data originates.

**SAN FRANCISCO** **— April 24, 2023 —** NetWitness, a globally trusted provider of threat detection and response technology and incident response services, today announced  the launch of direct Secure Access Service Edge (SASE) packet integrations with several market-leading SASE vendors, including Palo Alto Networks (NASDAQ: PANW), Broadcom, a Symantec company (NASDAQ: AVGO), and Netskope. The new integrations enable NetWitness to deliver unparalleled network visibility across the enterprise. The news comes on day one of RSA Conference 2023, where NetWitness will be demonstrating the technology at booth number 5744.

With hybrid/remote work environments becoming ever more common, SASE is the gold standard network technology that enables modern workforces to interact with corporate resources wherever they are - securely.  By performing full packet capture and log monitoring directly on SASE nodes and combining them with all on-prem, cloud, and SaaS sources, NetWitness can maintain enterprise-grade network security, no matter where the data originates. Featuring better security, including encryption and Zero-Trust access, SASE offers major benefits to today’s distributed organizations. 

“I certainly think companies want to be proactive with their network security, but until now it’s been very difficult to do,” said Ken Naumann, CEO of NetWitness. “The landscape has gotten exponentially more complex over the years with hybrid work and third-party cloud providers. Data is now originating from, well, everywhere. Examining those data logs after the fact is like closing the barn door after the horse has already left the stable. You’re losing if you’re not doing it in real time - when it actually matters.”

Network edge security has historically created numerous blind spots for important security technologies that perform threat analysis, detection, and response. Traditional network and security architectures were not designed for the new work environment, where data and traffic come from all over the globe and hundreds, if not thousands, of different devices. This has led to visibility issues for network managers, who have traditionally relied on VPN and proxies to solve the problem. Unfortunately, routing everything to specific points increases difficulty and network costs, and presents a massive scaling issue.

NetWitness’s integrations overcome these issues and restore full visibility to critical SASE data. A SASE architecture converges networking and security functions in the cloud to securely connect users, things, and applications and deliver an exceptional experience, anywhere.  

In 2019, Gartner announced SASE as the future state of network security. Since then, the SASE landscape has evolved quickly, with SASE networking and security components being delivered from a single vendor as a way to create seamless, secure access that extends across on-premises to the cloud.  

For more information, visit www.NetWitness.com or visit booth 5744 at RSA Conference. 

**About NetWitness**

NetWitness provides comprehensive and highly scalable threat detection and response capabilities for organizations around the world. The NetWitness Platform delivers complete visibility combined with applied threat intelligence and user behavior analytics to detect, prioritize, investigate threats, and automate response. This empowers security analysts to be more efficient and stay ahead of business-impacting threats. For more information, visit netwitness.com.

NetWitness Partners With Palo Alto Networks, Broadcom to Launch SASE Packet Integrations at RSA Conference 2023

Integration of AI can lead to reduction of up to 90% in meantime to resolve security incidents.

**TAMPA, Fla. – April 24, 2023 –** ReliaQuest, a force multiplier of security operations, today announced the introduction of powerful artificial intelligence (AI) capabilities to its GreyMatter Intelligent Analysis solution, delivering meaningful insights on emerging security incidents within seconds. With this feature, security teams can easily make sense of threats and take action, enhancing their efficiency.  

ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints. On average, GreyMatter customers see up to a 70% reduction in alert noise in the first year.  

GreyMatter Intelligent Analysis was introduced in July 2022 as part of the security operations platform. The new AI features enable security analysts to automate security operations and workflows. Updates to the solution include: 

*   Augment investigations – get answers faster: Pairs automation with generative AI capabilities to help analysts gain clarity quicker. Capabilities that augment investigations include dynamic and automated enrichment of alerts, deeper context from historical incident data and external sources such as threat and vulnerability feeds and recommend action prompts.  

*   Assist analysts – focus on investigations, not documentation: GreyMatter Intelligent Analysis takes the pain of low-brain, high-time tasks out of security operations. The solution assists with key tasks including automated ticket summaries, interactive AI assistants for quicker search and threat hunting hypothesis.  

*   Automate actions – smarter and faster response actions: With the continued training of the generative AI and Machine Learning models with real-world cyber security data and fine-tuning by analysts and customers, GreyMatter Intelligent Analysis can automate investigations, response actions and alert escalations.  

“Generative AI is a genuine game changer and important step to help ReliaQuest’s, mission to Make Security Possible. Since inception, ReliaQuest GreyMatter has been using AI/ML to automate tasks across the detection, investigation, and response workflow, helping customers realize better and faster security outcomes. With updates to GreyMatter Intelligent Analysis, our 700+ global customers will have automation capabilities with generative AI to further reduce response time by up to 90% in multiple scenarios and help security analysts get answers faster than ever before,” said Brian Murphy, Founder and CEO at ReliaQuest.   

“We work with ReliaQuest as our security partner because of their innovative and unique approach to solving challenges faced by security teams around the world. Generative AI has the potential to disrupt security operations and we’re thrilled to be working with ReliaQuest to bring AI to the SOC. Their practical approach, based on years of managing security operations, places them in a unique position and we’re glad to be partnering with them on this journey,” said Dannie Combs, Senior Vice President and Chief Information Security Officer at Donnelley Financial Solutions. 

ReliaQuest has over 15 years of curated security incident response data with trillions of signals from across some of the world’s leading organizations. Pairing this with its team of over 400 security professionals gives ReliaQuest the unique opportunity to train its AI/ML models with real-world data and fine-tune them with human expertise. GreyMatter is used by some of the leading Fortune 500 companies.  

Currently in early release with select customers, generative AI with GreyMatter Intelligent Analysis will reach general availability in the second half of 2023. For more information about ReliaQuest, please visit www.reliaquest.com  

**About ReliaQuest** 

ReliaQuest is the force multiplier of security operations. Our security operations platform, GreyMatter, automates detection, investigation and response across cloud, endpoint, and on-premises tools and applications. GreyMatter is cloud native, built on an open XDR architecture and delivered as a service any time of the day, anywhere in the world. With over 700 customers worldwide and 1,200 teammates working across six global operating centers, ReliaQuest is driving outcomes for the most trusted enterprise brands in the world. ReliaQuest is a private company headquartered in Tampa, Fla., with multiple global locations. For more information, visit www.reliaquest.com.

ReliaQuest Adds AI Capabilities to GreyMatter Intelligent Analysis

Ultimately, AI will protect the enterprise, but it's up to the cybersecurity community to protect "good" AI in order to get there, RSA's Rohit Ghai says.

Threat actors armed with artificial intelligence (AI) tools like ChatGPT can pass the bar exam, ace an Advanced Placement biology course, and even create polymorphic malware. It's up to the cybersecurity community to put AI to work to combat it.

RSA CEO Rohit Ghai used the opening keynote of this year's RSAC in San Francisco, Calif. to call on the cybersecurity community to use AI as a tool to work on the side of "good." First, that means putting it to work on solving cybersecurity's "identity crisis," he said.

To demonstrate, Rhai called up onto the screen a ChatGPT avatar, one he called "GoodGPT."

"Calling it 'good' is somehow personally comforting to me," he added. He then asked it basic cybersecurity questions.

While "GoodGPT" spat out a sequence of words culled from a veritable ocean of available cybersecurity data, he went on to explain there are critical cybersecurity applications for AI far beyond simple language learning, and it starts with identity management.

"Without AI, zero trust has zero chance," Ghai said. "Identity is the most attacked part of the attack surface."

It's no big secret the security operations center (SOC) is overwhelmed. In fact, Ghai said the industry average timeframe to identify and remediate an attack is about 277 days. But with AI, it's possible to manage access in the most granular terms, in real time, and at the data level, creating a framework that is truly based on the principle of least privilege.

"We need solutions that ensure identity throughout the user lifecycle," he added.

During this year's RSA, Ghai said there are at least 10 vendors selling AI-powered cybersecurity solutions positioned as a tool that will help human cybersecurity professionals. Ghai characterized the current pitch as AI-as-a-copilot. But that framing belies the reality, he warned.

"The copilot description sugarcoats a truth," Ghai said. "Over time many jobs will disappear."

The role of humans, he explained, will evolve into creating algorithms to ask important questions, along with supervising AI's activities and handling exceptions.

"It's humans who will ask those questions which have never been asked before," he said.

Ultimately, humans and enterprises will have to rely on AI to protect them.

"And the cybersecurity community can protect 'good' AI," Ghai added.

'Good' AI Is the Only Path to True Zero-Trust Architecture

PWS Personal Weather Station Dashboard (PWS_Dashboard) LTS December 2020 (2012_lts) allows remote code execution by injecting PHP code into settings.php. Attacks can use the PWS_printfile.php, PWS_frame_text.php, PWS_listfile.php, PWS_winter.php, and PWS_easyweathersetup.php endpoints. A contributing factor is a hardcoded login password of support, which is not documented. (This is not the same as the documented setup password, which is 12345.) The issue was fixed in late 2022.

Some weeks ago now, my good friend Mikbrosim, and I were sitting a sunday evening looking for something we could hack. After searching the internet for a while, I found some really old looking site. The site had some webcam, of what looked like a private backyard (publicly exposed of course), and some sort of weather dashboard. Looking around on the site a bit, it seemed really odd, and broken; however nothing was to be found, and we obviously didn’t want to pentest something we didn’t have permissions to. Suddenly I found at the bottom a “Template by PWS\_Dashboard”, link that linked directly to the source code! Score! So we quickly downloaded the source down, and started having a look.

**Stage 1. Recon**

So firstly we wanted to find out, what this actually was, and who used it? It seemed to be a “Personal Weather Station Dashboard”, used by hobby meteorologists, or just people that wanted to get information about weather near them. This would be done by having your own weatherstation, and then you could upload to the dashboard and see the data, it’s probably also possible to use some other peoples data, and just display this. Regardless, the weatherstations are very expensive, wouldn’t be good if people came in and totally bricked them by running shady code on your server.

The site had the following text

    Downloads: Click here to download the latest full version .
    All published updates up to **March 28, 2022** are included in the download.
    New in this update: Multi (4) language setup and compatabillity tested with PHP 8.1.4
    

That lead us to believe, that even though this software was very old-looking, it was still being used, and maintained by some hobby developers. They even have a forum over at https://www.weather-watch.com/smf/index.php/board,77.0.html which is pretty active. It wasn’t possible for us to get a good estimate, of how many servers were running this software, shodan only gave us a handful, but a simple google dork, yielded in the ballpark of around 60-70 users. Now imagine if every one of these users were running a setup with a custom camera and a 200$ weather station. That’s a lot of damage (Potentially 12k USD). While that’s interesting and all, you’re probably here for the technical write-up, not these shenanigans, so let’s dive in.

**Stage 2. Code analysis**

We’d like to say that we did something extremely smart, and that this was a very difficult vulnerability to find, but it was a giant pool of poor authentication, and bad access management. Users got to have a bit too much fun on other peoples sites. We opened it up, and to our surprise (not) it was PHP. With a bit to look through. 

Now we went ahead and tried getting a local environment to work, so that we had something to test on. To do this we ran a few commands, this was kind of dependent on which dependencies we were missing individually, specifically I ran:

    sudo apt install php-curl
    sudo apt install php-simplexml
    php -S localhost:8899
    

and the site was running on my localhost. Upon visiting the URL we saw, that the setup process had now begun, along with some information about what dependencies were missing, this is how we found out which packages to install. We got it working reasonably quickly, so there was no reason for us to set up a docker instance. Following the setup manual, we find that the default password is set as 12345, however it’s quite explicitly stated, that this is a weak password, and that it should be changed. For the sake of the write-up, we change the password to 0dayR3S4RCH!. This will probably be important later;) Now we want to find out which attack surfaces there are, this could be input fields, places with database interactions, or GET and POST request handling. We started by just playing a bit around with the website, seeing if we can find something odd.

**Vulnerability 1 - Bad hash**

At the endpoint http://localhost:8899/PWS\_easyweathersetup.php we have a log-in page, now we could of-course try just enumerating weak PWS\_Dashboard servers and trying the default password here, and it’s probably not unrealistic, that we’ll get through on atleast one poorly configured server, but that’s not fun. The log-in part of this endpoint looks like:

    if (isset($_POST['submit_pwd']))
         {  if (isset($_POST['passwd']) ) {$pass = $_POST['passwd']; } else {$pass = '';} 
            if ($pass != $password) 
                 {  showForm('<b style="color: red;">A valid password needs to be entered</b>');   
                    exit;}
            } 
    elseif (!isset($_POST['submit']) )
         {  showForm('PWS_Dashboard setup (version 2012_lts)'); 
            exit; }
    if (isset($_REQUEST['lang']) )
         {  $setup_lang = substr(trim($_REQUEST['lang']).'  ',0,2);}
    else {  $setup_lang = 'en';}
    

We see that if the POST parameter submit_pwd is set, then it checks for the parameter passwd, it wants this pass to be equal to password, which is the correct password. Now we’re not really PHP programmers, so we couldn’t see anything too horrendous about this. We however now have a few pieces of interesting information, we know that the programmer used submit_pwd, for submitting log-ins and passwd for password parameters. We try grepping for these.

We have four files with submit\_pwd, looking through, we quickly see something that should probably not have been added to the code.

    # PWS_winter.php - omitted for brevity
    if (isset($_POST['submit_pwd']))
         {  if (isset($_REQUEST['passwd']) ) {$pass = $_REQUEST['passwd']; } else {$pass = '';}
            if ($pass != $password && !password_verify($pass, '$2y$10$S1K2rXeaAihG2Ro2lBxh2e7UfMXht3RkocukvxKRzDFXqx4dJND5i') )
                 {  echo $html;
                    showForm('<b style="color: red;">We need a valid password</b>');
                    exit;}
            }
    

We see that it checks if we’re trying to submit password, it first checks if our parameter matches the password, set originally, and then it checks if your password matches the hash that obviously has been hardcoded into the code. This means that if we manage to bruteforce this hash and insert that as a request we’d have a line that says:

    if (true && !true){ exit; }
    

This will never exit. If we manage to get the plaintext value for the hash, we’ll be allowed in to the PWS\_winter.php site, but why is that interesting? Well for starters we have a line that says:

    <input type="hidden" style="padding: 0px; border: 0px; margin: 0px;" name="passwd" value="'.$password.'">';
    

And the $password parameter hasn’t been overwritten. For some reason this is on the site? Logging in would leak the real password. We originally tried bruteforcing it, but then we thought, meh it’s probably in rockyou.txt.

We figured out it was a bcrypt hash, which we also could find out by running the hashid command on the file containing the hash. Then we ran the corresponding hashcat command. hashcat -m 3200 -a 0 hash rockyou.txt.

After just 8 minutes on a quite weak Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz we have the password, which is the password support

    $2y$10$S1K2rXeaAihG2Ro2lBxh2e7UfMXht3RkocukvxKRzDFXqx4dJND5i:support
    
    Session..........: hashcat
    Status...........: Cracked
    Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
    Hash.Target......: $2y$10$S1K2rXeaAihG2Ro2lBxh2e7UfMXht3RkocukvxKRzDFX...dJND5i
    Time.Started.....: Tue Nov  8 17:09:10 2022 (8 mins, 0 secs)
    Time.Estimated...: Tue Nov  8 17:17:10 2022 (0 secs)
    

And truth be told, logging into the PWS\_winter.php site, yields the password. 

This is a pretty good find, and it’s not depicted anywhere in the installation guide or documentation, that this should be changed. Meaning this will be default on all instances of PWS\_Dashboard, unless someone found this themselves, changed it, and never bothered telling anyone. That’s one vulnerability. A few to go.

**Vulnerability 2 - Limited file read**

Another interesting vulnerability is located in the endpoint /PWS\_listfile.php

    if (isset ($_REQUEST['file'])) {$file   = trim($_REQUEST['file']);}
    if (isset ($_REQUEST['type']))
         {  $in     = trim($_REQUEST['type']);
            if (in_array ($in,$types) ) {$type = $in;} }
    if (strpos($file,'settings.php') || strpos($file,'twitter_keys.php'))
         {  if (!array_key_exists('pw',$_REQUEST) ) {die ('Security error');}
            include 'PWS_settings.php';
            $pw     = trim($_REQUEST['pw']);
            if ($pw <> $password && !password_verify($pw, '$2y$10$S1K2rXeaAihG2Ro2lBxh2e7UfMXht3RkocukvxKRzDFXqx4dJND5i')) {die ('Security error');}
    } // check validity request
    $string = file_get_contents ($file);
    

This takes a file parameter in the GET request, and then it takes a file, we can’t read the twitter\_keys.php file or the settings.php file, unless we give the hashed password, support. Then we can. This will again leak the real password.

However without the password, the user can read all files on the system, that the process can. That means leaking /etc/passwd, and all the other very interesting files. Keep in mind that this is not LFI, because it’s file\_get\_contents, which doesn’t include anything, simply reads the file, so this would be classified as directory traversal. That’s the second vulnerability, onto the third.

**Vulnerability 3 - Full file read (pt. 1)**

A couple of days after we initially finished looking at the library, Mikbrosim found another file read, in the endpoint called /PWS_frame_text.php:

    if (isset ($_REQUEST['showtext']) && $_REQUEST['showtext'] <> '' )
         {  $link   = trim($_REQUEST['showtext']); }
    
    if (isset ($_REQUEST['type']) && $_REQUEST['type'] <> '' )
         {  $param  = trim($_REQUEST['type']);
            if ($param <> 'url') {$param = 'file';}
            $type   = $param;}
    
    if ($type == 'url')    #     'https://tgftp.nws.noaa.gov/data/raw/cd/cdus41.klwx.cli.bwi.txt';
          { $ch             = curl_init();
            curl_setopt($ch, CURLOPT_URL,$link);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
            curl_setopt($ch, CURLOPT_CONNECTTIMEOUT,10); // connection timeout
            curl_setopt($ch, CURLOPT_TIMEOUT,20);        // data timeout 30 seconds
            $result = curl_exec ($ch);
            $info   = curl_getinfo($ch);
            $error  = curl_error($ch);
            curl_close ($ch);    }
    else {  $result         = file_get_contents ( $link);}
    

We can use this to arbitrary file read, because this doesn’t check if we’ve set a password.

**Vulnerability 4 - Full File Read (pt. 2)**

We found another full file read in the PWS_printfile.php endpoint, that just allows for printing arbitrary files.

    if (isset ($_REQUEST['file']) )  // we need to now the link to the file
         {  $file   = trim($_REQUEST['file']);}
    else {  $file   = $livedata;}
    #
    if (!file_exists ($file) )
         {  echo __LINE__.' no file '.$file.' found'; return;}
    else {  $data = file_get_contents ($file);
            if ($data  == false)
                 {  echo __LINE__.' no file or empty file '.$file.' found'; return;}
    }   // eo check file exists and is usable
    #
    if (isset ($_REQUEST['showall']) )
         {  $used_only = false; }
    

This means we can give it a parameter, file, which just will read the file we give it, eg. localhost:8899/PWS_printfile.php?file=/etc/passwd

**Vulnerability 5 - Remote Code Execution**

Now we want to take this, and turn it into something more powerful. Quite quickly we see that the settings.php endpoint is vulnerable. We can also edit this file, because we’re now admin, and we can now change the settings. The reason that we can inject PHP directly into this file, is because there’s no input parsing:

           $stationlocation = "A city in Belgium";
                     $email = "someone@dot.com";
                   $twitter = "pwsweather";
                  $facebook = "pwsweather";
            $solve_problem1 = "not_used";
            $solve_problem2 = "not_used";
                        $TZ = "Europe/Brussels";
    

It’s rather trivial to get code execution here, by just simply changing the settings, our input will be injected directly into the settings.php file: 

We start (Yellow) by adding a double-quote, and a semi-colon, this is done to end the line in proper PHP fashion, now we can just execute some arbitrary PHP command (Blue), and to end the line (Red), we add a hashtag, because this is how you comment in PHP. We can see this does infact, execute remote code. 

And quite quickly one can get proper full fletched remote code execution. Which could allow us to take control of servers running this software, and run commands on their systems. This could lead to backdoors, ransomware attacks etc. 

To visualize, these are sites, I assume to be vulnerable (of course without testing, but looking at the software version). (57 servers). 

This is quite bad.

**Stage 3. Responsible disclosure**

We started by filing a CVE request to MITRE. In which we disclosed all of the vulnerabilities above. Then we sent mr. Kuil, the main developer of PWS\_Dashboard a mail, revolving these vulnerabilities, with some advice on how these could be fixed, along with the same technical description we sent mitre, so that he could reproduce, and check that these issues are indeed present.

    What can you do, to fix this?
    First, let's start by acknowledging, that it's simply not secure to have this "support" password. Even changing it for a stronger password, will at some point, theoretically allow for access to the panel. Best bet, would be to remove this part of the code, and only rely on the password set by the configurer.
    
    The password currently in the settings, set by the configurer, should also not be shown in plaintext. (...)
    
    You cannot have the function PWS_frame_text.php, show text for files without authentication, this also allows for information disclosure. Same applies for PWS_listfile.php
    
    In the settings page, the following PHP could be applied to all fields, to input sanitize. However some alternative method should probably be applied to the password, as to avoid weak passwords being used. Something like this might help input sanitize, however it's probably not perfect, and just an example:
    
    $result = preg_replace("/[^a-zA-Z0-9]+/", "", $s);
    (...)
    

We created a mini-timeline:

Conclusion, we managed to get the issue largely fixed, within a day, and the maintainer was very professional in handling the issue. Our correspondance was mainly messages through the forum for PWS\_Dashboard, where we told him what to fix, and gave him concrete advices on how to do so.

CVE-2022-45291: PWS_Dashboard - CVE-2022-45291: "badweather"

Video explanation of the Jaguar Tooth vulnerabilities with Matt Olney, J.J. Cummings and Hazel Burton.

Tuesday, April 25, 2023 13:04

Cisco and Talos are continuing to track and research a series of ongoing cyber attacks and espionage targeting out-of-date and unpatched network hardware.

In this video, Hazel Burton interviews Matt Olney and J.J. Cummings from Talos to discuss the “Jaguar Tooth” campaign the U.K. government and other global intelligence agencies recently disclosed. J.J. and Matt were at the forefront of Talos’ research into these campaigns and have spent years providing advice to customers and users about the importance of network hygiene and resilience on the perimeter.

Jaguar Tooth is an example of a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity.

“What happened in this case, is that we had a series of incidents that we worked...and put some pieces together. What we were seeing multiple threat actors in sustained campaigns going after router infrastructure in a similar way,” Olney says in the video. “They were targeting different devices, but they were most successful in out-of-date hardware and end-of-life software.”

Watch the video above to learn more about Talos’ research into these campaigns, advice on steps to take if you believe you could be the target of one of these attacks, and a broader overview of the importance of network hygiene.

Organizations that fail to update their hardware and software will both be more likely to be a victim of unpatched security vulnerabilities but also will have fewer tools to combat adversaries. Cisco customers can check their version of software to see if any known vulnerabilities exist in it here. You can learn more about Cisco Trustworthy Technologies here. Several related resources, tools, and services can be found at The Trust Center here.

Video: Everything you need to know about ongoing state-sponsored attacks targeting network infrastructure across the globe

WordPress Shield Security Smart Bot Blocking and Intrusion Prevention plugin versions 17.0.17 and below suffer from cross site scripting and missing authorization vulnerabilities.

    Affected Plugin: Shield Security – Smart Bot Blocking & Intrusion Prevention Plugin Slug: wp-simple-firewallAffected Versions: <= 17.0.17CVE ID: CVE-2023-0992 CVSS Score: 7.2 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Researcher/s: Ramuel Gall Fully Patched Version: 17.0.18The Shield Security plugin for WordPress is vulnerable to stored Cross-Site Scripting in versions up to, and including, 17.0.17 via the 'User-Agent' header. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.Description: Shield Security <= 17.0.17 - Missing Authorization Affected Plugin: Shield Security – Smart Bot Blocking & Intrusion Prevention Plugin Slug: wp-simple-firewallAffected Versions: <= 17.0.17CVE ID: CVE-2023-0993 CVSS Score: 4.3 (Medium)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Researcher/s: Ramuel Gall Fully Patched Version: 17.0.18The Shield Security plugin for WordPress is vulnerable to Missing Authorization on the 'theme-plugin-file' AJAX action in versions up to, and including, 17.0.17. This allows authenticated attackers to add arbitrary audit log entries indicating that a theme or plugin has been edited, and is also a vector for Cross-Site Scripting via CVE-2023-0992.Vulnerability AnalysisThe Shield Security plugin includes a number of features, including an audit log that records certain types of suspicious activity, such as plugin and theme installation, modification, post deletion, and other types of activity that might impact the site. While most of these events require authentication or higher privileges in order to trigger, we found that certain events could be triggered by unauthenticated users. In particular, failed attempts to authenticate using application passwords, new user registrations, and spam activity are among the actions recorded for unauthenticated users.The audit log records metadata about the client that performed the logged activity, including the client’s User-Agent, which can be accessed by clicking the “Meta” tag icon on an audit log entry. Unfortunately, the metadata was not escaped when it was output. While most of the metadata collected about a request has a very strict format and can only be spoofed to a limited extent, User-Agent strings are alphanumeric, and we were able to inject a script in an iframe in the User-Agent header that fired when an administrator viewed an event entry:shieldalert-1024x454 While this exploit does technically require user interaction, it can be considered “Passive” user interaction, that is, it does not require tricking the administrator into performing any actions they might not have performed otherwise. Depending on the payload used, an attacker could use the script executing in the administrator’s browser to create a new administrator account under their control. Additionally, this exploit can be automated, and can be exploited by unauthenticated attackers via a variety of vectors, at least one of which is likely to be present in most common site configurations. As such it earns its High severity rating.The second vulnerability was much lower in severity and consisted of a missing authorization check on the ‘edit-theme-plugin-file’ AJAX action, which is used to record edits to plugin or theme files. The primary consequence of this is that an authenticated attacker can spoof an audit log entry indicating that any file belonging to any plugin or theme on the site was edited. While this is primarily a nuisance, since it can be used to create audit log entries it is yet another vector to exploit the aforementioned Cross-Site Scripting vulnerability.Disclosure TimelineMarch 20, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability. We responsibly disclose the plugin to the developer, who responds quickly and releases a patch in version 17.0.18.April 19, 2023 – The firewall rule becomes available to all Wordfence users.ConclusionIn today’s post, we detailed a High Severity Cross-Site Scripting vulnerability in Shield Security. We also detailed a lower-severity issue allowing authenticated attackers to spoof audit log entries indicating that plugin and theme files had been edited. These vulnerabilities have been fully patched in version 17.0.18.Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on March 20, 2023. Sites still using the free version of Wordfence received the same protection on April 19, 2023.If you know a friend or colleague who is using the Shield Security plugin on their site, we highly recommend forwarding this advisory to them as the Cross-Site Scripting vulnerability can allow Unauthenticated attackers to execute malicious JavaScript in an administrator’s browser, which can lead to site takeover.If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard. Thanks to Paul Goodchild from Shield Security for patching the issue quickly.

Tag

#intel