
Opinion: Best Practices in Identifying and Remediating Vulnerabilities

    By Bryan Becker (WhiteHat Security) and Simon Whittaker (Vertical Structure)

    It’s in the nature of cybersecurity that every technology vendor and service provider is vulnerable to security breaches and attacks in some form. But whether it’s Microsoft, Google, Amazon or Facebook, how an organization reacts to a problem can be just as important as the steps it takes to prevent one.

    In the past decade, we have all seen dozens of tech giants fall victim to devastating data breaches and crippling vulnerabilities, with cyberattacks becoming the fastest-growing crime in the U.S. In WhiteHat’s 2018 Application Security Statistics Report, we discovered:

    - Windows of Exposure saw a 33 percent increase from last year
    - Time to fix vulnerabilities saw a 2 percent increase
    - Remediation rate for companies remained stagnant

    This data underlines how every organization can be affected by an outside adversary or a data leak, even with security barriers in place.

    In this article, we’ll take a closer look at how research partners Vertical Structure and WhiteHat Security worked together to identify and verify a vulnerability, and then notify and work with the vendor to quickly and effectively remediate the issue and protect customers.

    How the Vulnerability was Discovered

    In the fall of 2018, during a search on Shodan.io, a search engine that indexes internet-connected devices, a Vertical Structure employee discovered a pattern of unmarked files that looked out of place. After some investigating, the researcher found external hard drives that leaked file contents through specially crafted requests to their API, while the devices’ web interface did not expose them. Initial estimates showed that many terabytes of data were exposed.

    While Google had already indexed a number of these devices, Vertical Structure decided to investigate a bit further to find out what kind of information was being exposed.

    Vertical Structure found about 13,000 spreadsheet files indexed, with 36 terabytes of data available. The total number of files in the index produced by scanning was 3,030,106.

    Within these files, a significant number contained sensitive financial information, including card numbers and financial records. Vertical Structure was able to track down the source: a legacy Iomega storage product acquired by EMC and co-branded Lenovo-EMC in a joint venture.

    Verifying the Vulnerability

    After discovering the vulnerable Lenovo device, Vertical Structure contacted WhiteHat Security, because of its world-renowned reputation in helping secure applications, to work together on verifying the vulnerability.

    Verifying vulnerabilities is a very important step in securing applications, networks and devices. After all, on an average day, WhiteHat scanners discover hundreds upon hundreds of new potential vulnerabilities. In order to protect organizations from a constant barrage of false positives, each and every one of the potential vulnerabilities is carefully assessed and verified by WhiteHat’s team of application security engineers at its Threat Research Center (TRC).

    Once Vertical Structure made contact, WhiteHat did an initial investigation to verify that the information found was indeed an issue. Using a combination of WhiteHat’s machine learning-powered scanners and the TRC, WhiteHat confirmed to Vertical Structure that the vulnerability was valid.

    Alerting Lenovo and Remediating the Issue

    The next step in Vertical Structure and WhiteHat’s process was alerting Lenovo of the problem. Once Lenovo confirmed there was an issue, the company quickly took action:

    1) On learning of this vulnerability, Lenovo brought three retired versions of its software back out of retirement so that customers could continue to use their devices while the vulnerability was patched.

    2) Lenovo then retrieved the old software from version control to investigate any other potential vulnerabilities, fix them and release updates.

    Lenovo has also issued an advisory today: https://support.lenovo.com/us/en/product_security/LEN-25557


    How Organizations Can Learn from Lenovo

    Lenovo’s professional approach to vulnerability disclosure offers a good lesson for other organizations that experience similar challenges. Not only did they have a clearly stated vulnerability disclosure policy on their site with contact information, but they responded quickly and worked with WhiteHat and Vertical Structure to understand the nature of the problem and resolve it promptly.

    In sharing this story, both WhiteHat and Vertical Structure hope companies are inspired to always keep cybersecurity top of mind to keep up with the constant barrage of new vulnerabilities and exposures.


    About the author

    An article attributed to the Sync NI Team has either involved multiple authors, been written by a contributor, or has a main body of content drawn from a press release.
