eSecurityPlanet

How To Use Nmap for Vulnerability Scanning: Complete Tutorial

Chad Kime — Fri, 14 Jul 2023 09:20:00 +0000

eSecurity Planet may receive a commission from vendor links. Our recommendations are independent of any commissions, and we only recommend solutions we have personally used or researched and meet our standards for inclusion.

The powerful open-source tool Nmap scans the ports of network devices and probes website domains for known vulnerabilities. Since both internal security teams and malicious hackers can use Nmap, internal security teams should make sure to perform the scan first!

To become familiar with Nmap as a basic tool to detect basic vulnerabilities this article will cover:

Getting Started with Nmap
Nmap Vulnerability Scanning
Vuln vs Vulners vs Vulscan
How Do Attackers Use Nmap?
Pros and Cons of Using Nmap
Nmap Vulnerability Scanner Alternatives
Bottom Line: Use Nmap for Inexpensive, Effective Vulnerability Scanning

Getting Started with Nmap

Nmap, or network map, provides open-source and free capabilities for auditing IT infrastructure, such as port scanning, host discovery, or device identification across a network. Both pen testers and threat actors use Nmap to collect information about their target, and Nmap has been recognized by CISA as an important free tool for network security.

Installing Nmap

Nmap began as a Linux utility, but it’s now available for all major operating systems, including Windows or macOS. Nmap comes pre-installed on several versions of Linux including Kali Linux. Other Linux systems users can use the command “apt-get install Nmap” to install it.

Users of all operating systems can download Nmap as well as the ZeNmap graphical user interface (GUI) front-end for Nmap. Those that prefer to use github can clone the official git repository using this command:

git clone https://github.com/Nmap/Nmap.git

After installing Nmap, users can use the command line or ZeNmap to execute simple commands to map the local domain, scan ports on a host, and detect operating system versions running on hosts.

Many open source software packages have been infected with malware. To verify that the specific download of Nmap matches the intended contents, an organization can compare the download against the signature records maintained by Nmap.

Built-in Nmap Scripts

Running basic functions can be tedious. Users increase the capabilities of Nmap by running built-in Nmap scripts. These scripts should be periodically updated by running this command:

sudo Nmap --script-updatedb

An overview of basic commands and example scripts can be found in Nmap: Pen Testing Product Overview and Analysis.

Using Custom Nmap Scripts

Advanced users may prefer to combine multiple lines of instructions or more complex commands using the Python language and the Python-Nmap package. Advanced users can also use the Nmap Scripting Engine (NSE) to enable network discovery, vulnerability detection (e.g., backdoor), and even specific exploits using the Lua programming language. These scripts are .nse files and will typically contain comments for end users and code instructions for the machines.

Nmap Vulnerability Scanning

Nmap’s vulnerability scanning capabilities rely upon the vulnerability-detecting scripts categorized under “vuln” for vulnerability or custom scripts. Users can run built-in scripts individually or collectively using the “vuln” command. In addition, users can also download custom scripts such as Vulscan or Vulners.

As with any penetration testing or vulnerability scan, users must keep in mind that these invasive scans should only be performed with permission. Even scanning a system without permission could lead to attempts to impose fines or jail time depending upon the jurisdiction. For more information, a user can investigate regulations such as those found in the US (The Computer Fraud and Abuse Act), England (Computer Misuse Act 1990), India (Information Technology Act Sec. 43 and 66), Japan (The Act on the Prohibition of Unauthorised Computer Access), and many other countries.

Specific Nmap Vulnerability Scans

Nmap scripts contain well over 100 specific scans for vulnerabilities that can be run against domains or against specific host IP addresses. A comprehensive list of scanned vulnerabilities can be found on the Nmap website.

Application Scans: Run Nmap against a target domain (ex: esecurityplanet.com) to check websites for vulnerabilities such as:

http-csrf: Detect Cross-Site Request Forgery (CSRF) vulnerabilities by entering the command: Nmap -sV –script http-csrf
http-sherlock: Check if the “shellshock” vulnerability can be exploited in web applications by entering the command: Nmap -sV –script http-sherlock

IT Host Scans: Run Nmap against a target IP address (ex: 166.96.06.4) to check for host vulnerabilities such as:

dns-update: Attempt to perform a dynamic domain name service (DNS) update without authentication by entering the command: Nmap -sU -p 53 –script=dns-update –script-args=dns-update.hostname=foo.example.com,dns-update.ip=192.0.2.1
smb-vuln-cve-2017-7494: Check if target IP address are vulnerable to the arbitrary shared library load vulnerability by using a script such as: Nmap –script smb-vuln-cve-2017-7494 -p 445

Government advocated Nmap scripts will sometimes be released or promoted on official websites to help organizations address specific vulnerabilities. For example, the UK government maintains an open-source GitHub repository to help organizations scan networks for the Exim MTA vulnerability as part of the Scanning Made Easy project from the National Cyber Security Centre (NCSC) and its i100 industry partnership.

The repository provides a collection of officially promoted Nmap scripts to users, such as sysadmins, for detecting system vulnerabilities. The initial UK script focuses on the Exim message transfer agent (MTA) remote code execution vulnerabilities CVE-2020-28017 through CVE-2020-28026, also known as 21Nails.

The script contains information on:

How it checks for the presence of the vulnerability
Why the check is not intrusive
Why there may be false positives and false negatives

How to Use Vuln

Nmap can scan a target domain or IP address for all vulnerabilities in the default script library for the “vuln” category with the appropriately named Vuln command:

sudo Nmap --script vuln  -v

Note that the command may require “sudo” in Linux to run the command as a super user or as the Linux equivalent of an administrator. In most cases, elevated privileges will be required to run the more invasive and probing commands for Nmap. The -v, or verbosity, flag will provide extensive information about the tests run and their results.

Running these commands can be dangerous because of invasive and disruptive aspects of specific vulnerability scans. Instead of simply obtaining information, certain scans attempt to verify a vulnerability by attempting to exploit the vulnerability. In some cases, a successful exploitation will result in changes to the service or even crashing the service, website, or operating system.

A subset of the vulnerability scans can be performed using wildcards or asterisks (*) to run multiple scripts with similar names simultaneously. For example, adding the wildcard after the http command (http*) will run all vulnerability scans that start with “http” against a targeted domain.

When using any of the bulk scans, the results can become overwhelming and some users will want to exclude low CVSS score vulnerabilities. To only show vulnerabilities within a certain range add the following flag to the command where “x.x” is the CVSS score (ex: 6.5).

--script-args=mincvss=x.x

The complete command to exclude vulnerabilities below 6.5 would be:

Nmap --script vuln --script-args mincvss=6.5

Results of the scan can be exported in various file formats by adding flags followed by the file name in the command. This export will make it easier to share information or make the vulnerabilities available for other software.

Two common examples of the complete command are:

XML File: Nmap –script vuln -oX file.xml
Browser Friendly XML File: Nmap –script vuln –webxml -oX file.xml

Of course, the basic set of vulnerability scans may not be sufficient for some users because it only examines a limited, although important, set of vulnerabilities. Advanced users may download custom scripts such as Vulscan or Vulners to access a larger database of vulnerabilities.

How to Use Vulscan

To use the NSE script Vulscan, a user must first clone the software from the github repository using the git command:

sudo git clone https://github.com/scipag/vulscan

The user may need to make a soft link to the NSE scripts directory by executing the following command:

sudo ln -s pwd /scipag_vulscan /usr/share/Nmap/scripts/vulscan

In this case, /usr/share/Nmap/scripts/vulscan is the presumed directory for Nmap scripts on the user’s machine, but this directory may be adjusted as necessary. Once the directory is known to Nmap, Vulscan is available to be called by the –script flag to run additional vulnerability checks using the following syntax:

sudo Nmap -sV --script=vulscan/vulscan.nse

Vulscan can be run to detect IT vulnerabilities against an IP address in the network or software vulnerabilities against a host name (ex: esecurityplanet.com). Vulscan will run non-invasive tests for all applicable vulnerabilities against the target. The results will display the port followed by limited information on the specific CVEs discovered.

How to Use Vulners

Vulners will typically be included in the standard Nmap NSE scripts, but a user can also clone the NSE script for Vulners from its github repository using the git command:

sudo git clone https://github.com/vulnersCom/Nmap-vulners.git /usr/share/Nmap/scripts/vulners

The file directory /usr/share/Nmap/scripts/vulscan is the presumed directory for Nmap scripts on the user’s machine, but this directory may be adjusted as necessary. Once cloned, Vulners is available to be called by the –script flag using the following syntax:

sudo Nmap -sV --script Nmap-vulners/vulners.nse

Users can target specific ports on an IP address by adding -p<#> (ex: -p80 to target port 80) at the end of the command line. The results will display the discovered CVEs and will link to the Vulners website for more information.

Vuln vs Vulners vs Vulscan

	Vuln	Vulners	Vulscan
Included Nmap scripts	Yes	Yes	No
Sends CPE data outside of the organization	No	Yes*	No
Requires download of vulnerability database	No, but limited CVEs	No*	Yes
Confidence	High	Depends	Depends
Potentially Disruptive	Yes	No	No
When to Use	Thorough accurate scan of key vulnerabilities	In depth scan, no concern for sending out CPE Data	More in-depth scan and a desire not to release CPE data

*Vulners has the option to download and use a local database.

Vuln and Vulners are included in the basic NSE script database and will be updated when updating all scripts for Nmap. Vulscan is not included in the basic script set and must be downloaded and updated separately.

Vulners sends common platform enumeration (CPE) information received from port scans to vulners.com using the site’s API to actively download the latest common vulnerabilities and exposures (CVE) information from the site’s database. Vulners also requires internet access to reach the external databases of vulnerabilities.

This information sharing of vulnerabilities may not be appropriate for organizations deeply concerned about the secrecy of their environment. There is an option with Vulscan to use a local database, but this generally removes the advantage of using Vulscan’s fully updated database.

Vuln and Vulscan do not send CPE information outside of the scanned organization and use locally stored vulnerability databases.

The advantage of sending the CPE information is that Vulners hosts a fully updated set of CVEs. Vuln only detects 150 top vulnerabilities for systems and Vulscan uses an offline copy of vulnerability databases.

Vuln can risk disruption because Vuln tests for the presence of some vulnerabilities by attempting to verify exploitation and disruption or corruption of that service. However, the active probing will increase confidence and reduce the chance of a false positive.

Vulners and Vulscan avoid the risk of disruption because they do not attempt to verify or exploit vulnerabilities. The confidence in both of these tools depends upon the accuracy and precision of the detection capabilities of the specific version of Nmap. Both of these tools may also be confused by non-standard, custom, or patched builds of specific services, which may lead to more false positives.

Of the three tools, the Vuln category of scripts can immediately produce highly accurate scans for a limited set of important vulnerabilities. However, while the number of vulnerabilities is small, the in-depth probing of the vulnerability can take 3-4 times longer than Vulners or Vulscan.

While both of the manually downloaded vulnerability scanners will enjoy a much more extensive and robust selection of CVEs to detect, Vulners will typically be the most updated scan since IT teams may forget to manually update Vulscan databases. But for more secretive organizations that need to avoid releasing CPE information, Vulscan’s use of a local database may be the best choice among the Nmap options.

How Do Attackers Use Nmap?

Attackers use Nmap to scan large networks quickly by using raw IP packets to identify available hosts and services on the network and determine their vulnerabilities. Hackers and pen testers typically add specific options to cover their tracks.

Decoy scans add the -D option flag (Nmap -p 123 -D decoyIP targetIP), to hide the attacking IP address and send source-spoofed packets to the target in addition to the scanning machine packets. The additional packets make port scan detection harder for defenders.

Attackers can also run zombie scans, also known as idle scans. This side-channel attack attempts to send forged SYN packets to the target using the IP address of the “zombie” endpoint on the network. This method attempts to fool the intrusion detection system (IDS) into mistaking the innocent zombie computer for the attacker. A more thorough review of Nmap attacks can be found in the Nmap Ultimate Guide: Pentest Product Review and Analysis.

Do Host Systems Detect Nmap Scans?

SIEM tools, firewalls, and other defensive tools, can receive alerts from systems and the scanned system will log the successful TCP requests from the many Nmap port scans. More sophisticated IDS/IDP tools might also detect malformed TCP requests, such as the Nmap stealthy requests that do not complete a TCP connection. Disruptive scans that cause system or service failure will definitely be detected by systems as well as by affected users.

Pros and Cons of Using Nmap

Nmap provides powerful vulnerability capabilities and should be under consideration for use within most organizations. However, there are many reasons why Nmap is not used universally.

Pros: Reasons to Use Nmap

Open source and free so great for hackers, students, and all organizations
Quick scans provide a fast look at potential vulnerabilities
Lightweight TCP scans do not consume enormous network bandwidth and can escape some network security tools
A hacker preview for organizations checking their internal systems
Scriptable scans enable an organization to create repeatable vulnerability scans usable by non-technical users and for hackers to embed Nmap commands and scans into malware

Cons: Reasons Not to Use Nmap

Less user friendly than commercial tools with more advanced GUIs
Easy to make mistakes with command line entries
Lack of programmers in an organization’s IT staff to create custom scripts or understand Nmap scripts
Less formal support than commercial tools
Limited vulnerability scans through the basic vuln command

Nmap Vulnerability Scanner Alternatives

Nmap remains a popular tool among many, but it certainly is not the only vulnerability scanner available. Open-source vulnerability scanner options for applications include OSV-Scanner or OWASP Zed Attack Proxy (ZAP) and for infrastructure include CloudSploit or OpenVAS.

There are many commercially available vulnerability scanners as well. The best vulnerability scanners for applications or infrastructure include Invicti, Tenable.io, ManageEngine’s Vulnerability Manager Plus, as well as others listed below:

1 Intruder

Visit website

Intruder is the top-rated vulnerability scanner. It saves you time by helping prioritize the most critical vulnerabilities, to avoid exposing your systems. Intruder has direct integrations with cloud providers and runs thousands of thorough checks. It will proactively scan your systems for new threats, such as Spring4Shell, giving you peace of mind. Intruder makes it easy to find and fix issues such as misconfigurations, missing patches, application bugs, and more. Try a 14-day free trial.

Learn more about Intruder

Bottom Line: Use Nmap for Inexpensive, Effective Vulnerability Scanning

Nmap provides a no-cost option to detect vulnerabilities, double-check the results of commercial vulnerability scanners, or provide an effective sneak peek at the way a hacker might view opportunities in the organization’s infrastructure. Everyone, even an organization selecting to use a commercial vulnerability scanner, should consider using Nmap as a vulnerability scanning tool in their arsenal.

Malicious Microsoft Drivers Could Number in the Thousands: Cisco Talos

Jeff Goldman — Thu, 13 Jul 2023 20:35:32 +0000

After Microsoft warned earlier this week that some drivers certified by the Windows Hardware Developer Program (MWHDP) are being leveraged maliciously, a Cisco Talos security researcher said the number of malicious drivers could number in the thousands.

Talos researcher Chris Neal discussed how the security problem evolved in a blog post.

“Starting in Windows Vista 64-bit, to combat the threat of malicious drivers, Microsoft began to require kernel-mode drivers to be digitally signed with a certificate from a verified certificate authority,” Neal wrote. “Without signature enforcement, malicious drivers would be extremely difficult to defend against as they can easily evade anti-malware software and endpoint detection.”

Beginning with Windows 10 version 1607, Neal said, Microsoft has required kernel-mode drivers to be signed by its Developer Portal. “This process is intended to ensure that drivers meet Microsoft’s requirements and security standards,” he wrote.

Still, there are exceptions – most notably, one for drivers signed with certificates that expired or were issued prior to July 29, 2015.

If a newly compiled driver is signed with non-revoked certificates that were issued before that date, it won’t be blocked. “As a result, multiple open source tools have been developed to exploit this loophole,” Neal wrote.

And while Sophos reported that it had uncovered more than 100 malicious drivers, Neal said Cisco Talos “has observed multiple threat actors taking advantage of the aforementioned Windows policy loophole to deploy thousands of malicious, signed drivers without submitting them to Microsoft for verification.”

Forged Timestamps

Neal said that two timestamp forging tools that are popular ways of developing game cheats are now being used by threat actors. The tools are FuckCertVerifyTimeValidity, which was launched in 2018; and HookSignTool, available since 2019.

“To successfully forge a signature, HookSignTool and FuckCertVerifyTimeValidity require a non-revoked code signing certificate that expired or was issued before July 29, 2015, along with the private key and password,” Neal wrote. “During our research, we identified a PFX file hosted on GitHub in a fork of FuckCertVerifyTimeValidity that contained more than a dozen expired code signing certificates frequently used with both tools to forge signatures.”

Both tools present a serious threat, Neal said, since malicious drivers can give attackers kernel-level access to a system.

“Microsoft, in response to our notification, has blocked all certificates discussed in this blog post,” he noted.

A Real-World Example

In a separate blog post, Neal described one example of the threat, a malicious driver named RedDriver that’s been active since at least 2021. “Bypassing the driver signature enforcement policies by using HookSignTool allows a threat actor to deploy drivers that would otherwise be blocked from running,” he wrote. “RedDriver is a real-world example of this tool being effectively used in a malicious context.”

“During our research into HookSignTool, Cisco Talos observed the deployment of an undocumented malicious driver utilizing stolen certificates to forge signature timestamps, effectively bypassing driver signature enforcement policies within Windows … RedDriver is a critical component of a multi-stage infection chain that ultimately hijacks browser traffic and redirects it to localhost (127.0.0.1),” Neal wrote.

“As of publication time, the end goal of this browser traffic redirection is unclear,” he added. “However, regardless of intent, this is a significant threat to any system infected with RedDriver, as this allows all traffic through the browser to be tampered with.”

Defending Against Signed Drivers

Neal recommended blocking the certificates in question, “as malicious drivers are difficult to detect heuristically and are most effectively blocked based on file hashes or the certificates used to sign them. Comparing the signature timestamp to the compilation date of a driver can sometimes be an effective means of detecting instances of timestamp forging. However, it is important to note that compilation dates can be altered to match signature timestamps.”

KnowBe4 data-driven defense evangelist Roger Grimes told eSecurity Planet by email that an even greater threat could be presented if an attacker were to create something highly wormable. “A wormable exploit using a bogus signing certificate could cause a lot of problems,” he said.

The good news, Grimes said, is that all of this is preventable. “Microsoft provides several ways, such as Windows Defender Application Control, to prevent unwanted installing of drivers and software,” he said. “Customers just have to research how they work and enable them. Then this entire threat is gone.”

Black Hat AI Tools Fuel Rise in Business Email Compromise (BEC) Attacks

Maine Basan — Thu, 13 Jul 2023 16:06:17 +0000

ChatGPT and other generative AI tools have been used by cybercriminals to create convincing spoofing emails, resulting in a dramatic rise in business email compromise (BEC) attacks. Now security researchers have discovered a black hat generative AI tool called WormGPT that has none of the ethical restrictions of tools like ChatGPT, making it even easier for hackers to craft cyber attacks based on AI tools.

SlashNext conducted research on the use of generative AI tools by malicious actors in collaboration with Daniel Kelley, a former black hat computer hacker and expert on cybercriminal tactics. They found a tool called WormGPT “through a prominent online forum that’s often associated with cybercrime,” Kelley wrote in a blog post. “This tool presents itself as a blackhat alternative to GPT models, designed specifically for malicious activities.”

The security researchers tested WormGPT to see how it would perform in BEC attacks. In one experiment, they asked WormGPT “to generate an email intended to pressure an unsuspecting account manager into paying a fraudulent invoice.”

“The results were unsettling,” Kelley wrote. “WormGPT produced an email that was not only remarkably persuasive but also strategically cunning, showcasing its potential for sophisticated phishing and BEC attacks” (screenshot below).

Kelley said WormGPT is similar to ChatGPT “but has no ethical boundaries or limitations. This experiment underscores the significant threat posed by generative AI technologies like WormGPT, even in the hands of novice cybercriminals.”

Just last week, Acronis reported that AI tools like ChatGPT have been behind a 464% increase in phishing attacks this year.

Also read: ChatGPT Security and Privacy Issues Remain in GPT-4

WormGPT and Generative AI Hacking Uses

WormGPT is based on the GPTJ language and provides unlimited character support, chat memory retention, and code formatting capabilities. The tool aims to be an unregulated alternative to ChatGPT, assuring that illegal activities can be done without being traced. WormGPT can be used for “everything blackhat related,” its developer claimed in the cybercrime forum.

Beyond WormGPT, Kelley and the SlashNext team discovered a number of concerning discussion threads while investigating cybercrime forums:

Use of custom modules as unethical ChatGPT substitutes. The forums contain marketing of ChatGPT-like custom modules, which are expressly promoted as black hat alternatives. These modules are marketed as having no ethical bounds or limitations, giving hackers unrestricted ability to use AI for illegal activities.
Refining phishing or BEC attack emails using generative AI. One discussion included a suggestion to write emails in the hackers’ local language, translate them, and then use interfaces like ChatGPT to increase their complexity and formality. Cybercriminals now have the power to easily automate the creation of compelling fake emails customized for specific targets, reducing the chances of being flagged and boosting the success rates of malicious attacks. The accessibility of generative AI technology empowers attackers to execute sophisticated BEC attacks even with limited skills.
Promotion of jailbreaks for AI platforms. Cybercrime forums also contain a number of discussions centered on “jailbreaks” for AI platforms such as ChatGPT. These jailbreaks include carefully created instructions designed to trick AI systems into creating output that might divulge sensitive information, generate inappropriate material, or run malicious code.

While the specific sources and training methods weren’t disclosed, WormGPT was reportedly trained on diverse datasets, including malware-related information. The ability of AI tools to create more natural and tactically clever emails has made BEC attacks more effective, raising worries about the tools’ potential for supporting sophisticated phishing and spoofing attacks.

Some security researchers worry about the possibility of an AI-powered worm utilizing the capabilities of a large language model (LLM) to generate zero-day exploits on-demand. Within seconds, such a worm might test and experiment with thousands of different attack methods. Unlike traditional worms, it could constantly look for new vulnerabilities.

Such a never-ending hunt for exploits could leave system administrators with little to no time to fix vulnerabilities and keep their systems secure, leaving a wide range of systems vulnerable to exploitation, causing widespread and significant damage. The speed, adaptability, and persistence of an AI-powered worm increased the need for a vigilant, proactive approach to cybersecurity defenses.

Also read: AI Will Save Security – And Eliminate Jobs

Countering AI-Driven BEC Attacks

To counter the growing threat of AI-driven BEC attacks, organizations need to consider a number of security defenses:

Implementing specialized BEC training programs
Using email verification methods such as DMARC that detect external emails impersonating internal executives or vendors
Email systems such as gateways should be capable of detecting potentially malicious communications, such as URLs, attachments and keywords linked with BEC attacks

Over the years, cybercriminals have continuously evolved their tactics, and the advent of OpenAI’s ChatGPT, an advanced AI model capable of generating human-like text, has transformed the landscape of business email compromise (BEC) attacks.And now the rise of unregulated AI technologies leaves organizations more vulnerable to BEC attacks.

To avoid the potentially catastrophic effects caused by the unrestrained use of AI tools for BEC attacks, timely discovery, quick response, and coordinated mitigation techniques are necessary. Efforts should concentrate on creating advanced security measures, promoting collaboration between cybersecurity and AI groups, and creating strong legal and regulatory frameworks to control and guarantee the responsible and ethical application of AI in the digital sphere.

The post Black Hat AI Tools Fuel Rise in Business Email Compromise (BEC) Attacks appeared first on eSecurityPlanet.

	Risk or Compliance Scoring	Automation	Advanced Data Governance and Security Capabilities	CIEM Capabilities	Pricing
Palo Alto Networks Prisma Cloud	Yes	Yes	Yes	Yes	Dependent upon selected partner and other factors; starting at $18,000 for a 12-month 100 credit subscription through AWS Marketplace.
Check Point CloudGuard Cloud Security Posture Management	Yes	Yes	Yes	Yes	Dependent upon selected partner and other factors; starting at $625 per month for 25 assets through AWS Marketplace.
Lacework	Yes	Yes	Limited	Yes	Dependent upon selected partner and other factors; starting at $1,500 per month plus $0.01 usage fee per Enterprise Cloud Security Platform unit used.
CrowdStrike Falcon Cloud Security	Yes	Yes	Yes	Yes	Dependent upon selected partner and other factors; starting at $14.88 for a 12-month subscription through AWS Marketplace.
Cyscale	Yes	Yes	Yes	Yes	Dependent upon selected partner and other factors; Pro plan starts at $10,000 for a 12-month subscription through Azure Marketplace.
Trend Micro Trend Cloud One Conformity	Yes	Yes	Limited	Limited	The Cloud First plan, offered directly through Trend Micro, is $217 per month per account, billed annually for users with 26 to 50 accounts.
Ermetic	Limited	Yes	Limited	Yes	Dependent upon selected partner and other factors; Commercial plan starts at $28,000 for a 12-month subscription through AWS Marketplace.

Microsoft Patch Tuesday Addresses 130 Flaws – Including Unpatched RomCom Exploit

Jeff Goldman — Wed, 12 Jul 2023 18:01:18 +0000

Microsoft’s Patch Tuesday for July 2023 includes nine critical flaws, and five are actively being exploited. Notably, one of those five remains unpatched at this point.

“While some Patch Tuesdays focus on fixes for minor bugs or issues with features, these patches almost purely focus on security-related issues,” Cloud Range vice president of technology Tom Marsland said by email. “They should be pushed to vulnerable machines immediately.”

The July 2023 fixes include updates for 130 vulnerabilities, a significant increase from last month’s total of 78. Here are the details.

See the Top Patch Management Tools

Malicious Drivers Addressed by Advisory

Microsoft also released a pair of advisories. The first, ADV230001, warns that drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) are being used maliciously by attackers who have gained admin privileges on compromised systems. The issue was first discovered by Sophos researchers on February 9.

“Microsoft has completed its investigation and determined that the activity was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified,” Microsoft said. “We’ve suspended the partners’ seller accounts and implemented blocking detections for all the reported malicious drivers to help protect customers from this threat.”

In a blog post, SophosLabs principal researcher Andrew Brandt reported that the advisory was published following a Sophos research discovery of more than 100 malicious drivers that had been digitally signed by Microsoft and others, dating as far back as April 2021.

The second advisory, ADV230002, notes that Trend Micro released a patch in March for CVE-2023-28005, a secure boot bypass vulnerability in Trend Micro Endpoint Encryption Full Disk Encryption. “Subsequently Microsoft has released the July Windows security updates to block the vulnerable UEFI modules by using the DBX (UEFI Secure Boot Forbidden Signature Database) disallow list,” Microsoft said.

Actively Exploited Flaws

Microsoft identified five vulnerabilities that are being actively exploited:

CVE-2023-32046, an elevation of privilege vulnerability in Windows MSHTML with a CVSS score of 7.8
CVE-2023-32049, a security feature bypass vulnerability in Windows SmartScreen with a CVSS score of 8.8
CVE-2023-36874, an elevation of privilege vulnerability in the Windows Error Reporting Service with a CVSS score of 7.8
CVE-2023-36884, a remote code execution vulnerability in Office and Windows HTML with a CVSS score of 8.3
CVE-2023-35311, a security feature bypass vulnerability in Microsoft Outlook with a CVSS score of 8.8

Ivanti vice president of security products Chris Goettl said by email that CVE-2023-32046 could be leveraged in a variety of ways, including email and web-based attacks. “If exploited, the attacker would gain the rights of the user that is running the affected application, so running least privilege would help to mitigate the impact of this vulnerability and force the attacker to take additional steps to take full control of the target system,” he wrote.

Action1 vice president of vulnerability and threat research Mike Walters observed in a blog post that CVE-2023-35311 requires user interaction but not elevated privileges. “It’s important to note that this vulnerability specifically allows bypassing Microsoft Outlook security features and does not enable remote code execution or privilege escalation,” he wrote. “Therefore, attackers are likely to combine it with other exploits for a comprehensive attack.”

CVE-2023-36874, Walters noted, can be exploited locally with low complexity and without requiring elevated privileges or user interaction. “To exploit this vulnerability, an attacker needs to gain access to the system using other exploits or harvested credentials,” he wrote. “The compromised user account must have the ability to create folders and performance traces on the computer, which is typically available to normal users by default.”

Unpatched RomCom Office Exploit

In an unusual move, CVE-2023-36884 was announced with no patch yet available.

“Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products,” Microsoft said. “Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.”

“Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers,” the company added. “This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”

A separate Microsoft blog post links CVE-2023-36884 to a phishing campaign by a Russian hacker group named Storm-0978 or RomCom, which has been “targeting defense and government entities in Europe and North America” by “using lures related to the Ukrainian World Congress.” The campaign was first detected in June 2023.

Microsoft Defender for Office 365 protects users from attachments designed to exploit CVE-2023-36884. Microsoft said organizations who cannot that don’t have those protections can set the registry key FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION to avoid exploitation.

“Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications,” the company added.

Rapid7 lead software engineer Adam Barnett told eSecurity Planet that a patch could be issued as part of next month’s Patch Tuesday, but admins should be alert for a potential earlier fix.

“Microsoft Office is deployed just about everywhere, and this threat actor is making waves; admins should be ready for an out-of-cycle security update for CVE-2023-26884,” Barnett said.

Remote Desktop Flaw

Cyolo head of research Dor Dali highlighted CVE-2023-35332, a security feature bypass flaw in Windows Remote Desktop Protocol with a CVSS score of 6.8. The issue is linked to the fact that the RDP Gateway enforces the use of Datagram Transport Layer Security (DTLS) version 1.0, which has been deprecated since March 2021 due to known flaws.

“This vulnerability not only presents a substantial security risk, but also a significant compliance issue,” Dali said by email. “The use of deprecated and outdated security protocols, such as DTLS 1.0, may lead to non-compliance with industry standards and regulations – like SOC2, FEDRAMP, PCI, HIPAA, and others.”

If it’s not possible to apply Microsoft’s update, Dali recommends simply disabling UDP support in the RDP Gateway. “This prevents the establishment of the secondary channel over UDP, eliminating the use of the deprecated DTLS 1.0 and thereby mitigating the vulnerability – a necessary step that could potentially impact performance, but that will ensure security and compliance until the server can be updated,” he said.

Also read: Secure Access for Remote Workers: RDP, VPN & VDI

The post Microsoft Patch Tuesday Addresses 130 Flaws – Including Unpatched RomCom Exploit appeared first on eSecurityPlanet.

How to Enhance IAM by Adding Layers of Zero Trust

Jenna Phipps — Tue, 11 Jul 2023 16:34:16 +0000

As credential attacks become more sophisticated, identity and access management solutions need to become more innovative. Zero trust concepts — assuming no user can be trusted until fully verified — should be applied to both users and devices to help protect sensitive company and customer information.

This guide to zero trust and IAM breaks down these terms, why they’re important, and how they might work together in IT environments. We’ll look at Kolide — this article’s sponsor and a provider of device trust solutions — as one way to increase trust in users accessing applications and IT systems.

Understanding Zero Trust and IAM

To understand how zero trust and IAM can work together, it’s best to understand how they work on their own.

Zero trust is an approach to infrastructure security that never automatically trusts a user before verifying their identity and authorization. Zero trust also doesn’t restrict security to the network perimeter, since plenty of threats can slip through a firewall and move laterally through an organization’s network. Stopping lateral movement and attack escalation is one of the key benefits of zero trust.
IAM manages both users’ identities and their rights to access company applications and other systems. An IAM tool compares access attempts against stored credentials to determine if a user is who they say they are. It then provides access according to predefined access policies.

Zero trust only permits a user or device once it has proven itself compliant with all of an enterprise’s predefined policies. IAM enforces identity and access management policies. Basically, IAM is a component of zero trust security, but it isn’t everything. The two are not interchangeable, but IAM helps organizations standardize and verify user identities.

Keep in mind that zero trust cannot be achieved by purchasing a single product, and it takes time to implement a comprehensive architecture. However, some vendors offer pieces of the zero trust puzzle, helping employees achieve compliance with their organization’s security goals.

Read more about the challenges of zero trust.

Adding Zero Trust to IAM

To implement zero trust concepts within your company’s identity and access management, your IT and security teams must rethink each sector of your IT infrastructure. Examples include network access controls, biometrics, and device security.

While no single vendor can give your business an all-encompassing zero trust solution, there are providers who offer specific products to address facets of zero trust. Kolide is one such provider. It’s a security tool that integrates with Okta and focuses on the device part of zero trust. Just because a business decides to trust a device doesn’t mean it’s trustworthy. Kolide authenticates devices as they log into Okta. If a given device doesn’t meet a certain set of activated policies, the device is blocked.

Typically, a zero trust architecture gives IT teams hiccups because every blocked device or user, every set of failed credentials that possibly indicates a breach, must then be routed through them. This often looks like a deluge of support tickets that IT admins must manually sort through. Kolide decreases the manual load on IT teams by providing self-service options for users when a device is blocked.

A security or IT team member has already set a policy to block any devices with insecure browsers. When a user tries to log into Okta and pass the Kolide verification, they’re blocked because their Google Chrome is out of date.

Kolide is designed to help user devices become compliant and to reduce the manual burden on IT teams. Therefore, users aren’t just hung out to dry when their device is blocked. Instead, they have the immediate option to fix the issue. Kolide provides a list of remediation instructions, which users can access simply by clicking the “Details” button (screenshot below).

Image credit: Kolide

Rather than immediately blocking devices without providing further information, Kolide is intended to show users how to make their devices compliant. If the device is the problem and the issue isn’t identified and fixed, users will continue running into roadblocks when they attempt to access necessary applications. But with software that educates users and tells them why a device has been blocked, employees are able to more quickly solve expired licenses or software updates. And by self-servicing the problem, users reduce the load on IT teams.

By focusing on device vulnerabilities, Kolide can identify issues like Mac computers with bad batteries and Microsoft product installations with falsified or expired licenses. Some of these might just be an update that fell through the cracks, but some could be an unauthorized user from outside the organization.

Image credit: Kolide

Kolide specifically focuses on the devices attempting to access business services. While a user’s identity might be verifiable, their device’s security could have vulnerabilities or might already be compromised. Kolide doesn’t automatically trust devices until they demonstrate compliance with its policies, which users can configure in accordance with their business’s security strategy.

Going Beyond Identity Management

Although IAM plays a critical role in security infrastructure, its drawback is limited focus, according to Nick Fitzsimmons, VP of Marketing at Kolide. IAM mainly just verifies the user’s identity.

“But that’s only half the battle,” Fitzsimmons said. “A legitimate user can still do a lot of damage if their device is infected with malware. What makes Kolide different from those tools, and other endpoint security tools, is that we can check virtually anything about a device’s posture, and restrict access based on that.”

Additionally, all users must have Kolide on their phone or laptop to authenticate their connection. Threat actors aren’t able to use stolen credentials to log into applications using Kolide.

Compliance-based device authorization is just one example of developing zero trust strategies within a business IT system. Integrating “never trust, always verify” policies within your identity and access management solution — in this case, Okta — helps teams avoid issues that standard IAM might not be able to solve.

Zero trust applies to every sector of your IT infrastructure. It’s not a set-and-forget solution, but it gives businesses a clearer view of their user and device access attempts and the vulnerabilities that plague them.

Learn more about implementing a zero trust infrastructure.

Zero Trust Builds a Granular Security Infrastructure

In cybersecurity, granularity simply means detail and specificity. In other words, can our organization build such specific policies, unique to our needs and security requirements, that we successfully protect our applications and data?

Zero trust builds additional context for identity and access management. For example, Kolide’s approach to policy customization lets teams create very specific rules. Kolide then has context for users’ devices, can determine whether that device complies with predetermined policies, and can block a device if it seems to pose a threat. This is all based on the access criteria that’s important to an individual organization. Zero trust should be customizable.

According to Fitzsimmons, there are two major challenges for businesses to develop zero trust within an existing IAM framework. “The first is that they need to provide real-time device posture at the point of authentication that can align with industry standards and internal policies,” Fitzsimmons said. “This has to be cross-platform and able to go deeper than the basics like hard drive encryption and firewall status.

“The second is that they can’t simply leave users blocked without the context and agency to unblock themselves. This creates the IT bottleneck that often leads to failed Zero Trust implementations.”

It’s critical for users to take on some responsibility for the role they play in zero trust, not least because that helps IT teams focus on their roles within the organization.

Is a granular security infrastructure difficult to implement? It can be. IT and security teams aren’t always used to this level of detail. And zero trust is a relatively new approach to cybersecurity. But it’s worthwhile, especially for enterprises that want to take their protective measures into their own hands.

Bottom Line: Zero Trust and IAM for Enterprises

Keep in mind that device compliance is only one aspect of zero trust. To compile a full zero trust architecture, your organization will have to strategically choose solutions that address zero trust and IAM, integrate well with each other, and make sense for your security requirements. A financial services firm will have different security policies than a locally based nonprofit. However, they can both benefit from a zero trust approach to identity management — it just might look different.

Don’t be discouraged if it takes your IT and security teams a significant amount of time to deploy zero trust concepts, even if you already use an IAM solution. IAM is just one component of zero trust, but it’s a good start. Tools like Kolide can help businesses develop a comprehensive security infrastructure, but don’t be afraid when that process takes time. It’s still one of the best choices you can make for your business’s overall cyber protection.

The post How to Enhance IAM by Adding Layers of Zero Trust appeared first on eSecurityPlanet.

12 Types of Vulnerability Scans & When to Run Each

Maine Basan — Fri, 07 Jul 2023 22:16:15 +0000

Vulnerability scanning is critically important for identifying security flaws in hardware and software, but vulnerability scanning types are as varied as the IT environments they’re designed to protect.

In this article, we’ll delve into various types of vulnerability scans, explore their benefits, outline the ideal scenarios for running each type, and list the best vulnerability scanning tool to use for each type of scan. By understanding these distinctions, you can improve your overall cybersecurity defenses and harden your systems against potential threats.

See The Best Vulnerability Scanner Tools

Jump ahead to:

Host-based Scanning
Port Scanning
Web Application Vulnerability Scanning
Network Vulnerability Scanning
Database Scanning
Source Code Scanning
Cloud Vulnerability Scanning
Internal Scanning
External Scanning
Assessment Scanning
Discovery Scanning
Compliance Scanning
What’s the Difference Between Authenticated & Unauthenticated Vulnerability Scans?
Choosing Which Type of Vulnerability Scan to Run
Bottom Line: Types of Vulnerability Scans

Host-based Scans

Host-based vulnerability scanning is aimed at evaluating vulnerabilities on specific hosts within an organization’s network. These scans can be agent server-based, in which an agent is deployed on the target host; agentless, in which no agent is required; or standalone, in which the scanning capabilities are self-contained.

Agent-Server: The scanner installs agent software on the target host in an agent-server architecture. The agent gathers information and connects with a central server, which manages and analyzes vulnerability data. The agent does the vulnerability scan and sends the results to a central server for analysis and remediation. In general, agents collect data in real time and transmit it to a central management system. One disadvantage of agent-server scanning is that the agents are bound to specific operating systems.
Agentless: Agentless scanners do not require any software to be installed on the target machine. Instead, they collect information through network protocols and remote interactions. To centrally launch vulnerability scans or establish an automatic schedule, this approach requires administrator-credentialed access. Agentless scanning does not require the same operating system-specific requirements as agents. This allows for the scanning of more network-connected systems and resources, but the evaluations require consistent network connectivity and may not be as thorough as with agents.
Standalone: Standalone scanners are self-contained applications that run on the system being scanned. They examine the host’s system and apps for weaknesses. This scan does not use any network connections and is the most time-consuming of the host-based vulnerability scans. It is necessary to install a scanner on each host that will be checked. Most enterprises that manage hundreds, if not thousands, of endpoints will discover that standalone tools are not practical.

Benefits of Host-based Scans

Identifies vulnerabilities in the operating system, software, and settings of the host
Provides visibility into the security status of specific network hosts
Assists with patch management and quick vulnerability repair
Aids in the detection of illegal program installs or modifications to settings
Contributes to the overall security of hosts by minimizing the attack surface

When to Run a Host-based Scan

When thorough information on the host’s setup, patches, and software is necessary
When assessing the security of individual network systems or servers, and organizations with a complicated network infrastructure with a high number of individual hosts

Best Tool to Use

Tenable Vulnerability Management (formerly Tenable.io) provides enterprises with a comprehensive and fast solution for assessing vulnerabilities at the host level. Tenable.io’s host-based scanning works by deploying lightweight software agents on specific hosts throughout the network. These agents gather data on the host’s operating system, installed software, settings, and other pertinent information. This data is subsequently transmitted to the Tenable.io platform for analysis and vulnerability assessment.

Tenable.io is a popular option for enterprises looking for comprehensive host-based scanning solutions due to its agent-based approach, continuous monitoring, asset management features, integration capabilities, and vast vulnerability knowledgebase.

Pricing: Tenable Vulnerability Management costs $2,275 a year for 65 assets, with discounts for multi-year contracts.

Port Scans

Port scanning sends network queries to different ports on a target device or network. The scanner detects which ports are open, closed, or filtered by analyzing the results. Open ports may suggest possible vulnerabilities or network-accessible services.

Benefits of Port Scanning

Detects open ports and services on target computers, revealing potential attack vectors
Identifies misconfigurations and services that may be exposed to exploitation
Assists in network mapping and understanding the network infrastructure’s topology
Detects illegitimate or unfamiliar services on network devices
Closes unnecessary open ports and services to help with security hardening

When to Run a Port Scan

When businesses want to know how vulnerable their network is to outside attacks
Useful for locating open ports, services, and other points of entry that attackers may use
It is advised as the first step in evaluating the security of network equipment and systems

Best Tool to Use for Port Scans

Nmap Security Scanner communicates directly with the host’s operating system to collect information on open ports and services, after which it applies techniques such as TCP connect scanning, SYN scanning, UDP scanning, and more. Each approach employs a different strategy to ascertain the state of the target ports (open, closed, or filtered).

Because of its versatility, extensive features, active development, scripting support, and cross-platform compatibility, Nmap’s host-based scanning for port scans is highly respected. These features make Nmap a popular port scanning tool among network administrators, security experts, and amateurs.

Nmap is free and open source for end users, but there’s also a paid license for OEM redistribution.

Also read: Nmap Vulnerability Scanning Made Easy: Tutorial

Web Application Scans

Web application scanners are used to identify vulnerabilities in web applications. These scanners frequently probe software to map its structure and discover potential attack vectors. These scanners automate the process of scanning web applications, evaluating the application’s code, configuration, and functioning to find security flaws. Web application scanners simulate many attack scenarios to discover common vulnerabilities, such as cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF), and weak authentication systems. They utilize techniques such as crawling the application to identify all available pages, sending input data to forms, and reviewing server responses for potential vulnerabilities. Web app canners typically use predefined vulnerability signatures or patterns to detect existing vulnerabilities.

Benefits of Web Application Scans

Detects web application-specific vulnerabilities such as SQL injection, XSS, and insecure authentication
Aids in the discovery of security holes that might result in unauthorized data access or alteration
Assists in maintaining compliance with standards and regulations
By detecting code flaws and vulnerabilities in online applications, it contributes to secure development standards
Reduces the likelihood of breaches and safeguards critical user data

When to Run a Web Application Scan

Ideal for use by organizations with web apps, websites, or other online services
When reviewing the security of online applications and finding vulnerabilities such as XSS, SQL injection, or improper authentication
For web-based systems, it’s recommended throughout the development phase or as part of ongoing security audits

Best Tool to Use

Invicti applies an automated scanning technique to identify vulnerabilities in web applications. It discovers and evaluates all aspects of an online application, including its pages, inputs, and functions, using a combination of crawling and scanning approaches. The scanning engine of Invicti can identify a wide range of online application vulnerabilities, such as SQL injection, XSS, and remote code execution, among others.

The platform’s automated scanning, deep scanning capabilities, business logic testing, and powerful reporting capabilities make it a top choice for enterprises looking for dependable and quick web application security evaluations.

Invict does not publish pricing information, but the price for each plan can be obtained by contacting the vendor.

Also read:

Network Vulnerability Scans

Network vulnerability scanners detect vulnerabilities by scanning for known flaws, incorrect settings, and out-of-date software versions. To find vulnerabilities throughout the network, these scanners frequently use techniques such as port scanning, network mapping, and service identification. It also examines network infrastructure, including routers, switches, firewalls, and other devices.

Benefits of Network Vulnerability Scanning

Detects flaws in network infrastructure components such as routers, switches, and firewalls
Aids in the detection of misconfigurations, insufficient encryption algorithms, and out-of-date software versions
Aids in the maintenance of a secure and robust network environment
Supports risk management and vulnerability prioritization based on criticality
Assists in meeting security standards and regulatory obligations

When to Run a Network Vulnerability Scan

When safeguarding the network perimeter, preventing illegal access, and evaluating network device security
Appropriate for enterprises looking to analyze the overall security of their network architecture
Effective for detecting vulnerabilities in network equipment
Recommended as part of routine security evaluations or while making network upgrades

Best Tool to Use

Microsoft Defender for Endpoint (formerly known as Microsoft Defender Advanced Threat Protection) is gaining traction as a vulnerability management scanning tool, especially for remote work and work from home scenarios. Within its security suite, it provides complete network vulnerability detection capabilities and operates solely through agent-based deployment. Microsoft Defender for Endpoint captures and analyzes network traffic data, such as network flows, protocols, and communication patterns, by deploying network sensors.

Microsoft Defender for Endpoint offers a number of benefits for network vulnerability scanning. Features include seamless interaction with Microsoft threat intelligence, behavior-based detection techniques, endpoint protection correlation, and centralized management. These capabilities enable enterprises to discover and resolve network vulnerabilities proactively, strengthen their security posture, and reduce possible threats.

Microsoft offers a three-month free trial for users to test out Microsoft Defender for Endpoint. Additionally, the Microsoft 365 E5 subscription includes Microsoft Defender for Endpoint Plan P2, which costs $57 per user per month. Contact Microsoft sales for detailed price information on different plans.

See the Best Enterprise Vulnerability Scanners

Database Scans

Database scanners are used to evaluate the security of database systems. They examine database setup, access controls, and stored data for vulnerabilities such as insecure permissions, injection problems, or unsafe settings. These scanners frequently provide information for securing databases and safeguarding sensitive data.

Benefits of Database Scanning

Detects database-specific vulnerabilities such as insufficient access controls, injection problems, and misconfigurations
Aids in the protection of sensitive data from illegal access or disclosure
Assists in ensuring that data protection rules are followed
Improves performance by detecting database-related problems
Improves overall database security and integrity

When to Run a Database Scan

When evaluating database management systems (DBMS), safeguarding databases, and protecting sensitive data from unwanted access
Useful for organizations that use databases to maintain sensitive information
Useful for finding database-specific vulnerabilities, misconfigurations, and lax access constraints
Recommended for enterprises that prioritize data storage security and must comply with industry laws

Best Tool to Use

Imperva’s Scuba Database Vulnerability Scanner can detect hidden security issues inside your databases that may be missed by routine monitoring or manual assessments. Scuba is intended to scan enterprise databases for potential security vulnerabilities and misconfigurations, such as in Oracle, Microsoft SQL Server, SAP Sybase, IBM DB2, and MySQL. Following the completion of the scan, Scuba provides information and solutions on how to fix the detected concerns. This then assists database administrators and security teams in efficiently prioritizing and mitigating threats. Scuba is available for a variety of operating systems, including Windows, Mac, and Linux (both x32 and x64).

One notable advantage of Scuba is that it is available as a free tool, making it accessible to businesses with limited budgets or those looking for a cost-effective alternative.

Also read: 7 Database Security Best Practices: Database Security Guide

Source Code Scans

Early in the development cycle, source code should be checked for security vulnerabilities to identify possible issues before they become too costly to fix. Source code scanners examine software applications’ source code for security flaws, coding mistakes, and vulnerabilities. They look for possible vulnerabilities such as input validation errors, improper coding practices, and known susceptible libraries in the codebase. During the software development lifecycle, source code scanners assist developers in identifying and correcting vulnerabilities.

Benefits of Source Code Scanning

Detects security flaws and vulnerabilities in software application source code
Helps in the detection and correction of code problems early in the development lifecycle
Supports secure coding methods and industry standards conformance
Assists in lowering the risk of application vulnerabilities
Contributes to the overall security and reliability of software programs

When to Run a Source Code Scan

Most appropriate for use during the software development lifecycle to ensure code quality and security, detect vulnerabilities in source code and prevent security issues in production
Ideal for firms that develop their own software applications
Useful for examining source code for vulnerabilities and potential security flaws

Best Tool to Use

Snyk scans the source code of software projects for potential vulnerabilities and security flaws. It examines the dependencies and libraries used in a project by scanning code sources, including Git repositories and package manifests. Snyk contains a large collection of security advisories and vulnerability information that is constantly updated, allowing it to reliably discover problematic dependencies. Snyk interfaces easily with CI/CD pipelines, enabling automatic security scanning throughout the software development lifecycle. It is compatible with common development tools and processes such as GitHub, Bitbucket, Jenkins, and others.

Snyk offers a free version with limited tests per month. Unlimited testing features can be availed in their Team plan starting at $52 per contributing developer per month.

See the Top Application Security Tools & Software

Cloud Vulnerability Scans

Cloud vulnerability scanners evaluate the security of cloud environments such as IaaS, PaaS, and SaaS installations. They offer insights and ideas for improving cloud deployment security. These scanners investigate cloud setups, access restrictions, and services to detect misconfigurations, poor security practices, and cloud-specific vulnerabilities.

Benefits of Cloud Vulnerability Scanning

Identifies cloud-specific vulnerabilities such as misconfigurations, lax access constraints, and insecure services
Assists in maintaining a secure and compliant cloud infrastructure
Maintains visibility and control over cloud assets
Implements cloud security best practices and regulatory requirements
Lowers the likelihood of illegal access, data breaches, or cloud-related risks

When to Run a Cloud Vulnerability Scan

When checking the security of cloud-based servers, storage, and applications, as well as assuring adequate cloud resource configuration
Ideal for businesses that use cloud infrastructure and services
Useful for evaluating the security of cloud resources, settings, and permissions
Recommended for enterprises using cloud technologies to guarantee proper cloud configuration and administration

Best Tool to Use

Wiz is a cloud-native security platform that makes use of cloud-native technologies and APIs to enable seamless integration and comprehensive scanning capabilities. It was recognized as the second easiest-to-use vulnerability scanner platform on G2.

Wiz is optimized for cloud environments and has extensive features for cloud security. It is capable of handling large-scale cloud infrastructures, making it appropriate for enterprises with complicated and broad cloud installations. Wiz also automates vulnerability screening and provides continuous monitoring, allowing security teams to keep up with new threats and security issues in real time. These characteristics allow enterprises to effectively scan and monitor cloud resources, keeping up with changing cloud environments.

Wiz does not list pricing on their website but you may contact the vendor for a custom quotation.

Also read:

Internal Scans

Internal scans are designed to identify vulnerabilities in an organization’s internal network. They inspect systems, servers, workstations, and databases for security flaws that may lie within network borders. These scans are performed from within the network by looking for flaws such as privilege escalation vulnerabilities. Internal scans are particularly beneficial for mapping employee permissions and identifying potential weaknesses to an insider attack.

Benefits of Internal Scanning

Identifies internal network vulnerabilities such as systems, servers, and workstations
Maintains a secure internal environment and mitigates internal dangers
Detects potential security flaws that might be exploited by insiders
Helps enforce internal security rules and regulations
Provides visibility into the internal network’s overall security posture

When to Run an Internal Scan

To identify weaknesses that may not be apparent from the outside while examining the security of internal network infrastructure
Useful for firms who wish to assess the security of their internal network
Useful for finding internal infrastructure vulnerabilities and misconfigurations
Recommended as a preventative strategy to address security concerns within an organization’s network perimeter

Best Tool to Use

OpenVAS is a popular open-source vulnerability scanner for internal vulnerability scanning. It locates and identifies the assets within your internal network that require scanning. It can detect all the devices and systems on an internal network by scanning a range of IP addresses or specified network segments. It then scans the scanned systems and devices for known vulnerabilities, misconfigurations, weak passwords, and other security concerns.

OpenVAS makes use of a large number of plugins, also known as Network Vulnerability Tests (NVTs), that are continuously updated. These plugins include tests for a variety of vulnerabilities, exploits, and security flaws. The plugins are used by OpenVAS to scan and analyze internal network components, discovering potential vulnerabilities and producing thorough reports.

OpenVAS also features configuration auditing tools and a capability to generate thorough reports following the scan that highlight the vulnerabilities and misconfigurations detected during the evaluation.

OpenVAS is a free open-source program.

See the Best Open-Source Vulnerability Scanners

External Scans

External scans identify vulnerabilities in an organization’s internet-facing assets. These scans target internet-accessible services, apps, portals, and websites to detect any flaws that external attackers may exploit. They examine all internet-facing assets, such as employee login pages, remote access ports, and business websites. These scans help companies understand their internet vulnerabilities and how they might be exploited to obtain access to their network.

Benefits of External Scanning

Detects vulnerabilities in internet-facing components such as apps, websites, and portals
Detects potential entry points for external attackers
Helps maintain a secure perimeter and protection against external dangers
Helps meet compliance requirements for external security evaluations
Reduces the danger of unauthorized access, data breaches, or external-facing system exploitation

When to Run an External Scan

Recommended when analyzing and blocking unwanted access to publicly accessible systems, websites, and network services
Suitable for enterprises that need to assess the security of their network from the outside
Useful for discovering vulnerabilities that external attackers may exploit
Recommended to use as part of standard security evaluations or to meet external regulations or requirements

Best Tool to Use

Many vulnerability scanners are designed to just scan for internal vulnerabilities, but Rapidfire Vulnerability Scanner is built to search for both internal and external vulnerabilities.

Rapidfire focuses on identifying security flaws in systems and devices accessible from beyond a network’s perimeter. It searches for possible vulnerabilities in publicly available IP addresses, domains, and internet-facing assets. To find vulnerabilities, the scanner applies a number of approaches, including scans for missing patches, unsafe settings, weak passwords, known attacks, and other security flaws. It makes use of vulnerability databases and constantly updated signatures to ensure that vulnerabilities are correctly identified. Reports provide precise insights into vulnerabilities, allowing security teams to efficiently prioritize and resolve concerns.

RapidFire Tools doesn’t post pricing information, but interested customers may request a quote.

Assessment Scans

Vulnerability assessments entail a thorough examination of a company’s systems, networks, applications, and infrastructure. These evaluations seek to identify vulnerabilities, evaluate risks, and make suggestions for risk mitigation. They can identify particular flaws or holes that might be exploited by attackers to undermine system security. Vulnerability assessment scans often comprise scanning the target environment using automated tools for known vulnerabilities, misconfigurations, weak passwords, and other security concerns. The scan results offer a full report on the vulnerabilities discovered, their severity, and potential consequences.

Benefits of Assessment Scanning

Provides a thorough examination of vulnerabilities in systems, networks, and
applications
Aids with assessing an organization’s overall security posture
Prioritizes vulnerabilities based on severity and probable effect
Assists in making educated judgments about risk reduction and remedial initiatives
Helps meet security standards and regulatory obligations

When to Run an Assessment Scan

Relevant for enterprises looking for a full assessment of their entire security posture
Useful for doing comprehensive vulnerability assessments across many systems, networks, and applications
Recommended on a regular basis or whenever a complete examination of an organization’s security is necessary

Best Tool to Use

Rapid7 Nexpose is a vulnerability management solution with extensive assessment scanning capabilities. It provides complete vulnerability assessments, risk prioritization, and remedy advice. Nexpose is well-known for its simplicity of use and interoperability with other security solutions. Users may undertake rapid evaluations of their environment and any security risks by sorting asset information.

Rapid7 offers both free and paid plans for Nexpose. Contact the vendor for specific pricing information.

Also read: 7 Steps of the Vulnerability Assessment Process Explained

Discovery Scans

While an assessment scan is focused on a specific system or network, a discovery scan is focused on the identification and inventorying of assets within a network environment. Its goal is to map the network and identify the devices, systems, applications, and services that exist on it.

A discovery scan’s primary goal is to offer an accurate and up-to-date inventory of assets, including IP addresses, operating systems, installed applications, and other pertinent information. It aids in the understanding of network topology, the detection of illegal devices or rogue systems, and asset management. Discovery scans are less invasive than vulnerability assessment scans and are used to obtain information about the network architecture.

Benefits of Discovery Scanning

Helps manage overall risk and security governance
Identifies and makes inventories of assets in the network environment
Assists in maintaining visibility and control over an organization’s infrastructure
Helps in the detection of illegal devices or rogue systems
Assists in network management and understanding the range of vulnerability evaluations

When to Run a Discovery Scan

Recommended when keeping an up-to-date list of connected devices, detecting illegal or rogue devices, and guaranteeing network visibility
Suitable for enterprises that need to discover network-connected devices or systems
Useful for network inventory management, detecting illegal devices, and monitoring network changes
Recommended for use during the initial deployment of a vulnerability management program or as part of continuous network monitoring efforts

Best Tool to Use

Because of its user-friendly design and enhanced network mapping features, Zenmap, a graphical interface for Nmap, stands out as an outstanding option for doing network discovery scans.

Zenmap makes network scanning and viewing easier with a user-friendly design. Zenmap lets users save frequently used scans as profiles, allowing them to be performed repeatedly without the need for manual setup.

Users can construct Nmap command lines interactively using Zenmap’s command creator function. Zenmap maintains a searchable database that records scan findings, allowing for simple information access and retrieval.

Zenmap is a free open-source application.

See the Top IT Asset Management (ITAM) Tools for Security

Compliance Scanning

Compliance scans compare an organization’s systems and networks to regulations, standards, and best practices. These scans ensure that security policies and settings are in accordance with the appropriate compliance frameworks, assisting enterprises in meeting regulatory obligations.

Benefits of Compliance Scans

Contribute to meeting regulatory and industry standards
Identify vulnerabilities and flaws that might lead to compliance violations
Assists with the deployment of security controls in order to achieve compliance
Helps with paperwork and reporting for compliance audits
Assists in the maintenance of a secure and compliant environment

When to Run a Compliance Scan

Useful for assuring adherence to specific security needs and checking compliance with industry or regulatory norms
When meeting compliance regulations such as PCI DSS, HIPAA, or GDPR

Best Tool to Use

OpenSCAP is an open-source platform that analyzes system security compliance and assures adherence to security standards. The scanner includes a comprehensive set of tools for scanning online applications, network infrastructure, databases, and hosts. Unlike other scanners, OpenSCAP compares the device to the SCAP standard rather than checking for Common Vulnerabilities and Exposures (CVEs).

To assess system compliance, OpenSCAP employs a mix of specified security content and scanning algorithms. It offers a security policy library known as SCAP (Security Content Automation Protocol) content, which comprises security baselines, configuration rules, and vulnerability tests. Compliance scans may be planned and done automatically using OpenSCAP’s automation features, minimizing manual work and enhancing operational efficiency.

OpenSCAP is a free, open-source project and is continually enhanced, updated, and evaluated by a diverse group of contributors, assuring the availability of current security material and continued development.

See the Top Governance, Risk and Compliance (GRC) Tools

What’s the Difference Between Authenticated & Unauthenticated Vulnerability Scans?

There are two primary approaches to vulnerability scanning: authenticated and unauthenticated scans. Here are key differences between the two.

Authenticated Scans:
- Allow users to log in to the target system or network using valid credentials
- Provides a thorough evaluation of configuration, fixes, and software
- With preset scan settings and credentials, tools such as Nmap, Nessus, or OpenVAS can be utilized
- Accessing restricted regions provides more accurate and thorough findings
- These tools are useful for doing detailed evaluations, finding misconfigurations, and ensuring compliance with security requirements
Unauthenticated Scans:
- Instead of relying on credentials, unauthenticated scans leverage external data and probes
- Scan open ports, services, and online applications for vulnerabilities
- Commonly used tools include Nmap, Nikto, and ZAP
- Provides a quick and straightforward approach to find vulnerabilities
- These tools are useful for doing broad assessments, assessing security posture, and finding exposed or vulnerable services

A thorough vulnerability scanning approach should include both authenticated and unauthenticated scans. This provides larger coverage and better insights on a system’s or network’s strengths and shortcomings. Comparing the outcomes of both categories aids in identifying disparities and areas that require more research or correction. Including both authorized and unauthenticated scans improves overall security awareness and preparation.

Also read: Penetration Testing vs Vulnerability Scanning: What’s the Difference?

Choosing Which Type of Vulnerability Scan to Run

When evaluating vulnerabilities on specific hosts inside the network, use host-based scanning.
When discovering open ports and services on network systems or devices, perform a port scan.
When finding and resolving vulnerabilities in web applications, websites, and related services, do a web application vulnerability scan.
Run a network vulnerability scan while evaluating an infrastructure’s overall security.
Run a database scan to find issues with database settings and systems.
Run source code scanning to look for any potential weaknesses in software programs.
Run a cloud vulnerability scan to assess the security of cloud resources.
When looking for internal vulnerabilities of a network environment, do an internal scan.
Run an external scan to assess your vulnerabilities from outside the network.
Run an assessment scan to obtain a thorough evaluation of the condition of your security.
Run a discovery scanning procedure to learn what devices or systems are connected to the network.
Run a compliance scan to ensure that a certain set of industry standards, rules, or laws is being followed.

Here are some guidelines for choosing a vulnerability scanning tool:

The vulnerability scanner should ideally be simple to set up and use. It is essential to have a visual dashboard that clearly displays the location, nature, and severity of a detected threat.
The scanner should be sufficiently automated and notify you of discovered vulnerabilities in real time.
To eliminate false positives, it should validate an identified vulnerability. Reduced false positives are critical for avoiding time waste.
The scanner must be able to present its findings with thorough analysis. Visual graphs are quite useful.
Make sure available support options meet your needs.

Bottom Line: Types of Vulnerability Scans

Vulnerability scanning is a critically important part of cybersecurity risk management, allowing organizations to find and fix flaws in their systems, networks, and applications through a range of vulnerability scan types. To keep your systems and data safe, vulnerability scanning should be a component of a thorough vulnerability management program that includes frequent scans and timely repair of discovered vulnerabilities. Staying on top of vulnerabilities is as difficult as it is important and requires organizational commitment.

Read next:

The post 12 Types of Vulnerability Scans & When to Run Each appeared first on eSecurityPlanet.

How To Tell If You’ve Been DDoSed: 5 Signs of a DDoS Attack

Kihara Kimachia — Fri, 07 Jul 2023 11:40:41 +0000

Mention the acronym DDoS to a web admin and they’ll likely break out in a cold sweat. DDoS, or Distributed Denial of Service attacks, are some of the most malicious and difficult-to-stop network attacks that can be launched against a website or any other DDoS-susceptible service, such as a SaaS platform. These attacks occur when multiple compromised systems send a flood of requests to targeted servers to overwhelm and crash it.

So how can you tell if your organization is under a DDoS attack — rather than experiencing a viral surge in website traffic — and are there early warning signs that can help you respond to DDoS attacks faster?

If you’re experiencing a DDoS attack, see How to Stop DDoS Attacks in Three Stages.

What are Common Signs of a DDoS Attack?

If you suspect you might be experiencing a DDoS attack, there are a number of signs you can look for. Here are five of the most common signs of a DDoS attack:

1. Unexplained spikes in web traffic

One of the most common signs of a DDoS attack is an unexplained spike in web traffic. This can be detected by monitoring your website’s server logs or using a web analytics tool. If you see a sudden increase in traffic from a specific location or IP address, it may be an indication that your site is under attack.

2. Slow loading times for your website

Another common sign of a DDoS attack is slow loading times for your website. This is caused by the attacker flooding your server with requests, which can overload the system and cause it to slow down. If you notice that your site is taking longer than usual to load, it may be due to a DDoS attack.

3. Unexplained errors, timeouts, and complete inaccessibility

A DDoS attack may also be characterized by unexplained errors or timeouts. This happens when the attacker sends so many requests to your server that it can no longer handle them all, resulting in errors or timeouts for users trying to access your site, perhaps resulting in HTTP 503 Service Unavailable error codes. If you notice that users see errors or timeouts when trying to access your site, it may be due to a DDoS attack. In some cases, a DDoS attack can render your website completely inaccessible.

4. Decreased performance for other services on the same network

If you notice that other services on the same network as your website are experiencing a performance hit, it may be an indication that your site is under attack. This is because the attacker’s requests can consume all of the bandwidth on the network, causing other services to slow down or become unavailable.

5. Increased CPU or memory usage on your server

A surge in server CPU or memory usage may signal that your site is under attack. This happens because the attacker’s requests can consume all of the resources on your server, causing it to slow down or become unresponsive.

How Can You Tell If You’ve Been DDoSed?

Unfortunately, the typical signs mentioned above can also be caused by other issues, some of them good. For example, if you are experiencing a sudden spike in web traffic and your site is slow to load, it could be due to increased legitimate user traffic such as a marketing campaign going viral or a mention on a popular website or social media profile.

If your server is struggling to keep up with a surge in legitimate traffic, it can lead to increased CPU or memory usage and other errors.

So how can you be sure that you’ve been DDoSed?

Determining if Traffic is a DDoS Attack or Legitimate

Determining if traffic is a DDoS attack or legitimate can be tricky. However, DDoS protection platforms typically offer web analytics tools to help you identify whether or not the traffic is coming from a DDoS attack. These tools check to see if a specific traffic source continues to query a particular set of data long after the Time To Live (TTL) for a site has elapsed. This is the time frame you set for your site to discard held data and free up resources. If that’s the case, you’re likely looking at a DDoS attack, since a legitimate source would no longer be generating traffic at that point.

Popular DDoS Web Analytics Tools

Some popular DDoS web analytics tools include:

CloudFlare Web Application Firewall
Sucuri Website Firewall
Azure Web Application Firewall
AWS WAF
Imperva

Early Warning Signs of a DDoS Attack

Having tools like web application firewalls and monitoring services in place are your best defense against a DDoS attack. They’ll be able to tell the difference between, say, a DDoS attacker probing your defenses with test traffic and something more benign, like a misconfigured load balancer that might be overwhelming your resources.

Being able to spot a DDoS attack as early as possible is critically important for an organization whose business depends on the availability of its website. There are a wide range of DDoS services to consider; see our guides to the Best DDoS Protection Services and the Best Bot Protection Solutions.

How Long Do DDoS Attacks Usually Last?

DDoS attacks can last anywhere from a few minutes to several days, depending on the complexity and intensity of the attack. In most cases, an attacker will use automated software to flood your site with requests until it becomes overloaded and stops responding.

While a typical DDoS attack can last 1-2 days, Qrator Labs reports that the mean attack is a little over 6 minutes, with shorter burst attacks often used to test an organization’s defenses.

How to Stop a DDoS Attack

If you suspect that your site is under attack, the first thing you should do is contact your hosting provider for help. They may be able to implement network-level protections or other measures to mitigate the attack and help restore your site to normal functioning.

In addition to notifying your ISP, you can take several other steps to stop an ongoing DDoS attack:

Seek professional DDoS help: One of the best ways to stop a DDoS attack is to work with a professional service provider specializing in mitigating and stopping these attacks. These companies can help you quickly identify the source of an attack, implement protection measures, and restore your website to normal functioning as soon as possible. Depending on the severity of the attack, you may also need to involve law enforcement to investigate the attack and identify any potential culprits.
Attack characterization: In addition to identifying the source of an attack, a DDoS mitigation service can help you understand how the attackers are targeting your site and how they’re compromising its resources. This information is crucial for developing effective defenses against future attacks and preventing your site from becoming a repeated target.
Attack traceback: In some cases, it may be possible to identify the source of a DDoS attack even if you cannot stop it in real time. Attack traceback is the process of attempting to locate the origin of an attack by analyzing traffic patterns and identifying any unusual or suspicious behavior.
Attack tolerance and mitigation: It is also possible your site may be targeted by a DDoS attack that’s too intense or complex to stop in real time. In this situation, you will need to develop strategies for how your team and the hosting provider can work together to minimize damages and keep the site online until the attack subsides. This may involve implementing traffic throttling or DNS redirection to keep your site up and running while mitigating the effects of the attack.

Also read: DDoS Myths: Blackholing and Outsourcing Won’t Stop Everything

How to Prevent DDoS Attacks

The best way to deal with DDoS attacks on your online properties is to ensure they never happen in the first place. Here are a few steps you can take to help protect your website from DDoS attacks.

Install Web Application Firewalls (WAFs) and Anti-Bot Filters

One of the best ways to protect your website from DDoS attacks is to install a web application firewall (WAF). A WAF is software code that sits between your website and the internet and filters incoming traffic for malicious activity. There are many different WAFs available, so be sure to do some research to find one that fits your needs.

In addition to a WAF, you should also consider installing an anti-bot filter. This will help block bots from accessing your website, which is often used in DDoS attacks.

Consider Using a Content Delivery Network (CDN)

Another key component for keeping your website safe from DDoS attacks is a content delivery network (CDN). A CDN works by distributing your website’s static assets — such as images, videos, and scripts — across servers worldwide. This makes it more difficult for attackers to target specific servers or overwhelm the bandwidth of a particular host.

In addition, using a CDN can also improve the performance of your website for visitors around the world by reducing latency.

Regularly Update Software, Plugins and Scripts on Your Site

One of the best ways to prevent DDoS attacks is to keep your website’s software and plugins up-to-date. By keeping all of your site’s software up to date with the latest security patches, you can help ensure that any potential vulnerabilities are addressed before they can be exploited by attackers.

Perform Regular Security Audits of Your Website

Another key step in protecting your website from DDoS attacks is to perform regular security audits. These audits will help you identify any potential weaknesses or vulnerabilities in your site’s infrastructure, such as unpatched software, weak passwords, misconfigurations, and open ports that could be used by attackers to launch an attack.

Purchase Extra DDoS Protection

If you’re worried about being hit by a DDoS attack, one option is to purchase extra protection from a provider like Cloudflare or Imperva. These services offer additional layers of protection against DDoS attacks, including filtering out malicious traffic and providing extra bandwidth capacity during an attack. While these services can be expensive, they provide peace of mind for businesses that are concerned about being targeted by DDoS attacks.

Create a DDoS Playbook

In addition to taking proactive measures to prevent DDoS attacks, it’s also important to have an incident response plan in place for how you’ll respond if an attack does occur. This plan is often referred to as a “DDoS playbook.” Your playbook should outline the steps you’ll take during and after an attack, including who will be responsible for each task. Having a plan in place ahead of time will help ensure that you’re prepared if an attack does occur.

Implement Regular Monitoring and Reporting

To help detect DDoS attacks as they’re happening, implement regular monitoring and reporting on your site’s traffic, performance, and security. You can use the specialized web analytics tools and services mentioned earlier. However, tracking traffic spikes and traffic behavior can also be done with simple free tools such as Google Analytics, or by tracking how your server’s CPU, memory, and bandwidth are being used from within your web hosting panel.

Further reading: How to Prevent DDoS Attacks: 5 Steps for DDoS Prevention

Bottom Line: Detecting DDoS Attacks

DDoS attacks remain one of the most damaging cyber attacks, and their prevalence and severity continue to grow. If you haven’t taken steps to protect your website or application from DDoS attacks, now is the time to start, and lining up a DDoS response service could be an effective first step.

DDoS prevention involves a combination of measures. When planned well, these help prevent the worst outcomes of a DDoS attack and keep your website running even as some elements are disrupted. For organizations that depend on their websites for survival, effective DDoS preparation shouldn’t be optional.

Penetration Testing vs Vulnerability Scanning: What’s the Difference?

Chad Kime — Thu, 06 Jul 2023 15:45:00 +0000

In short, a vulnerability scan (VulScan) finds possible problems while penetration tests (PenTest) validate if problems can be exploited.

While an organization can use one or the other as an effective tool to improve security, the most mature organizations use vulnerability scans in combination with penetration tests to maximize their security benefits. The table below summarizes the main points of this article. Each issue will be explored in depth before we arrive at recommendations based on our analysis.

Vulnerability Scans vs Penetration Tests
	Vulnerability Scans	Penetration Tests
When to Use	To scan infrastructure and discover known vulnerabilities	To explore discovered vulnerabilities to verify if they can be exploited and what damage could result from the exploitation or to discover non-vulnerability exposures in key systems
How to Use	Primarily tool-based, can be automated	Primarily hacker-based, with tools used when needed
Popularity	Less popular with IT professionals, but more popular with organizations due to less invasive and easier to execute nature	Less popular with organizations due to cost and difficulty to scope, but more popular with IT pros because hacking is seen as cooler
Frequency	Most perform quarterly vulscans, with additional scans after significant infrastructure changes	Most perform annual pentests for external penetration tests
Internal or External	Tends to be Internal	Tends to be External
Time to Conduct	Usually takes hours, but can be days for larger infrastructures	Usually takes weeks, but could take months for comprehensive testing
False Positives	Occur regularly; may also find true positives with negligible associated risk	Essentially zero false positives since the penetration testing results verify exploitation risk
Comprehensiveness	Scans all applicable infrastructure, only limited by scanning tool capabilities	Tends to be limited in scope due to budgets, time constraints, and capabilities
Minimum Requirement	Patching, but depends upon compliance regulations	External tests, but depends upon compliance regulations
Operations Disruptions	Possible network bandwidth issues or system instabilities can be caused by vulscans	Possible data corruption or operations disruptions can occur from certain types of pentests
How to Handle Overload	Known vulnerability exclusions; CSV Ranking or Risk Ranking	Rolling or Partial Testing
Costs	Moderate to low; cost of tools and IT Security time to install, configure, maintain, use, and analyze	High, typically requires outside vendors with highly trained penetration testing professionals
Benefits	Identifies vulnerabilities to be validated, categorized, prioritized, and mitigated	Verifies if vulnerabilities can be exploited and risk of damage before malicious attackers can cause damage

To ensure a common frame of reference, let’s start with a recap of the basic definition for both concepts critical to network security.

What is a Vulnerability Scan?

A vulnerability scan, or vulscan, performs a systematic check of IT systems to look for known security holes. There are two types of vulnerability scans.

IT infrastructure vulnerability scans will be performed by IT or cybersecurity teams to inspect internal IT systems using admin-level permissions for known vulnerabilities in:

Internal networking equipment, such as switches and routers
File servers
Network access storage (NAS) devices
Individual computers
Peripheral devices like printers and scanners
Internet of Things (IoT) devices connected to the network, such as security cameras, TVs, etc.
Critical applications and internal processes, such as Active Directory (AD); Domain Name System (DNS); and accounting, banking, or operations management software

Application or website vulnerability scans will be performed by development operations (DevOps) or development security operations (DevSecOps) programmers to scan software libraries, application programming interfaces (APIs), and supply chain components for known vulnerabilities.

What is a Penetration Test?

Penetration tests, or PenTests, probe systems for weaknesses to determine if they can be exploited. The common black box penetration test scans the external IT infrastructure of the organization such as firewalls, web servers, web applications, gateways, and VPN servers. These tests are performed without any advanced knowledge of its systems, but different penetration tests use credentials, test physical security, involve social engineering, phishing attacks, dropped USB drive attacks, test system volume capacity limits, and more.

Bounties can be considered a form of penetration testing that incentivises non-contracted ethical hackers with payment after finding a flaw instead of through a contract agreed upon in advance. However, bounties can be unpredictable and, while very useful, bounties should not be relied upon to replace formal penetration tests.

When to Use Vulnerability Scans and Pentests

The simplified justification to pick between vulscans and pentests can be expressed as:

Vulnerability Scans: To scan infrastructure and discover known vulnerabilities
Penetration Tests: To explore discovered vulnerabilities to verify if they can be exploited and what damage could result from the exploitation or to discover non-vulnerability exposures in key systems

To elaborate, vulnerability scans use commercial or open source tools that can be used by less experienced IT or security personnel to perform periodic, automated or on-demand testing. These tests can be performed quickly and inexpensively to detect known vulnerabilities.

However, vulnerability scanning tools cannot determine how easily the detected vulnerability can be exploited or how much damage can result from the exploitation of the vulnerability. Human expertise, often in the form of penetration testing, needs to be performed to verify the exploitability of the detected vulnerability and the extent of the potential damage.

Penetration testing can also discover additional flaws that might expose the organization to risk that cannot be detected by vulnerability scans. For example, pentests can discover weak passwords, gaps in security, or other security weaknesses that come from inadequate security architecture.

How to Use Vulnerability Scans and Pentests

Vulnerability scans are primarily tool-based, so a security team will often acquire and configure the tool for internal use. For organizations with more limited resources, vulnerability scanning can be included in the offerings of managed IT service providers (MSPs) and managed IT security service providers (MSSPs) or even through a vulnerability management as a service (VMaaS).

Penetration tests can be performed by internal teams who pick up breach and attack simulation (BAS) tools. However, internal teams can lack the expertise to thoroughly test systems and will be tempted by conflicts of interest to hide potential flaws in IT setup from management. Instead, organizations will typically engage third-party penetration testing vendors or MSSPs with pentesting expertise for the relevant assets to be tested (applications, websites, firewalls, containers, etc.).

Pentest vendors can retain experienced ethical hackers that the average organization cannot afford. These hackers use their experience to rapidly assess systems, target the most likely vulnerabilities to be exploited, and use hacking tools when needed.

Popularity of Vulnerability Scans and Pentests

The relative popularity of vulnerability scans and penetration tests is quite interesting because the popularity among professionals is inverse to the actual usage and demand. Among IT and security professionals, vulnerability scans tend to be less popular than penetration tests because they are not as technologically interesting as hacking — it seems more like homework. However, vulnerability scans tend to be less invasive, less expensive, and easier to execute which makes them much more frequently used among organizations.

The popularity for penetration testing, also known as red team exercises, can be measured by the higher demand and number of classes and certifications devoted to red team techniques when compared to defensive blue team techniques. This popularity also is skewed by the reality that a penetration tester only needs to find one way in to be successful and a blue team defender needs to be skilled against every possible red team tactic. IT teams just don’t feel like they can win on defense, so hacking just seems like more fun.

However, penetration tests cost much more money and can be hard to scope and understand for an organization. These factors lead some organizations to focus on vulnerability scans for everyday needs and to avoid penetration testing unless required by a compliance standard.

Frequency of Vulnerability Scans and Pentests

Most organizations perform vulnerability scans at least quarterly, with additional scans performed after significant changes to IT infrastructure or application updates. More aggressive organizations can scan monthly, weekly, or even continuously. After mitigation of discovered vulnerabilities, a rescan or penetration test will be required to validate the fix.

Compliance standards often define the frequency of vulscans and pentests. The PCI Data Security Standard (PCI DSS) requires vulnerability testing to be conducted at least quarterly and after every significant change to IT infrastructure, security tools, or applications. Recent research by Veracode finds that more frequent vulnerability scanning has reduced the typical number of vulnerabilities by two-thirds and decreased the time to fix vulnerabilities by more than 30%.

Many organizations never perform a penetration test, and of those that do, many only perform annual external penetration tests. More sophisticated organizations perform tests more frequently, such as 2-4 tests per year and also add pentests after significant infrastructure changes (especially for internet-accessible systems or after fixing previously discovered issues).

Are Vulnerability Scans or Pentests Internal or External?

Vulnerability scanning tools can be applied to external systems or even to systems that an organization does not control. However, vulnerability tools do not attempt to be stealthy and tend to be used primarily on internal systems.

Penetration tests tend to be performed on externally accessible assets from the point of view of a cyberattacker. However, penetration tests can also be performed internally without credentials to simulate attackers obtaining compromised low-access credentials (gray-box pentest) or with full credentials for more thorough testing (white-box pentest).

Also read: 7 Types of Penetration Testing: Guide to Pentest Methods & Types

Time Needed to Conduct Vulnerability Scans and Pentests

Vulnerability scans usually take a few hours, but the total time will vary greatly on the number of systems scanned and the type of systems scanned. Large systems can take days to complete a scan and vulscans can take only a few minutes for simple scans of a small office.

As with vulscans, penetration test durations will be highly variable and dependent on the number of systems tested and the type of pentests required. A typical test usually takes weeks to complete, but could take several months for comprehensive testing, especially for multi-national, multi-office organizations seeking social engineering, physical security tests, and other time-consuming pentests.

Do Vulnerability Scans and Pentests Generate False Positives?

Vulnerability scanning often will detect vulnerabilities that will be determined to be false positives. The scans may also locate true positives with negligible associated risk. Regardless, each vulnerability finding must be verified and either mitigated or flagged to be ignored.

Low-end pentests that only use off-the-shelf software will produce the same false positives that plague vulscans. Effective penetration tests usually generate zero false positives since the penetration testing results verifies exploitation risk by proving the hacker can access protected data or create operational disruption.

Naturally, after considering false positives, one must consider if false negatives are possible. Both forms of testing will only report on vulnerabilities found, but will not report that other assets pass without vulnerabilities. In the strict sense of the definition, no false negatives are generally produced, because neither testing procedure creates “all-clear” reports on systems on which no flaws were detected.

However, both forms of testing can overlook vulnerabilities. Vulnerability scans will always miss vulnerabilities not yet entered into their databases or on assets that are not scanned. Assets can be missed either because the tool is not capable of scanning an asset class (such as Kubernetes containers) or because the asset list simply was not updated prior to the scan.

Penetration tests tend to be narrow in scope and generally cannot test all systems or for all possible vulnerabilities. Even the most experienced pentester cannot know all possible vulnerabilities, and most organizations do not have the budget or time to test all possible systems. Pentesters make choices to focus on the most likely vulnerable systems and the most likely vulnerabilities.

Comprehensiveness of Vulnerability Scans and Pentests

Vulnerability scans target all applicable infrastructure and tend to only be limited by the scanning tool’s capabilities. Most can scan for tens of thousands of vulnerabilities, but a security team must also recognize that vulnerability tools can only scan for vulnerabilities that are known and already programmed into the scanner and on a device detected for scanning.

This limitation is neither unusual nor problematic as long as the security team recognizes that even scanned systems cannot be assumed to be vulnerability-free. The IT and security teams must also be sure to update the tool to scan all of the available assets so that no scannable asset is simply overlooked.

Many vulnerability scanners are also specialized by asset class. For example, some can only scan applications or websites and others can only scan Windows and macOS operating systems. Less common asset classes such as networking equipment, peripheral devices (printers, external hard drives, etc.), internet of things (IoT), industrial control systems (ICS), and industrial or operating technology (OT) often require specialized vulnerability scanning tools or manual investigation.

Penetration testing tends to be limited in scope due to budgets, time constraints, and tester capabilities. Pentests not only test known vulnerabilities, but can also discover unknown vulnerabilities, security gaps, and security weaknesses that technically are not vulnerabilities (just poor security architecture). However, while they may probe deeper than vulscans, pentests tend not to be as comprehensive and will be focused around the pentester’s expertise or the systems the organization can afford to test.

Minimum Requirement Vulnerability Scans and Pentests

The minimum level of vulnerability scanning is equivalent to patch management and examines traditional IT systems (servers, workstations, and laptops) for unpatched systems. For penetration tests, the minimum level tends to be external pentests on internet-accessible systems.

However, in both minimal cases, organizations must recognize that these minimum-requirement tests will likely leave the organization exposed to risk. Most organizations pursue minimum testing to minimize expenses, but even these minimums depend upon the specific compliance regulations.

However, this will likely be an evolving condition over the next few years. New York State already requires both penetration testing and vulnerability assessments for its financial institutions, and both PCI DSS and the National Institute of Standards and Technology (NIST) cybersecurity framework (800-115) have vulnerability scans as basic requirements.

Some vendors and consultants offer low-cost automated pentesting; however, these tests often prove ineffectual and produce similar results to vulnerability scans. These minimal approaches can catch easy-to-find and well-known vulnerabilities, but will not typically be rigorous enough to satisfy most compliance requirements.

Also read: What Is a Pentest Framework? Top 7 Frameworks Explained

Operations Disruptions from Vulnerability Scans and Pentests

Vulnerability scans probe each device port by port to test for known vulnerabilities, which can cause possible network bandwidth issues and even system instability. More sophisticated tests probe network equipment and check for misconfigurations, which will place even more demands on systems.

Most organizations schedule vulnerability scans for off-hours to minimize operations disruptions and may even exclude certain systems known to be sensitive to scanning. An organization with automated vulnerability scanning capabilities can also perform scans every time a new device is connected to the network; that also allows future vulnerability scans to be incremental and focus on specific vulnerabilities or devices that have not been scanned within the last month or quarter.

Penetration testing can also cause operations disruptions with certain types of tests. However, penetration testers will typically recognize how much disruption might be caused and can prepare the organization in advance for recovery. For disastrously disruptive tests that might cause data loss or full operations failure, an organization might create a test environment for hackers to probe so that a successful hack does not affect operations.

Penetration testing will often be thought of as an exercise to break into the systems to steal data. While valid, this definition ignores other forms of penetration testing such as volume capacity tests for infrastructure, such as when testing for distributed denial of service (DDoS) resilience.

How to Handle Overload From Vulnerability Scans and Pentests

Many organizations that need to perform vulnerability scans or penetration tests can become overwhelmed by the results because of resource constraints (budget, staffing, etc.).

With vulnerability scanning, overwhelm can often be controlled by ignoring known vulnerabilities or through filtering vulnerabilities using CVSS or risk-based ranking. Likewise, penetration testing overwhelm may be controlled by rolling or partial pentesting.

For example, vulscans of healthcare facilities notoriously find many issues, since many medical imaging devices run on operating systems that no longer receive updates (see Three Ways to Protect Unfixable Security Risks). Instead of producing the same list of vulnerabilities with each scan, the organization can exclude the devices with known vulnerabilities from regular scans to focus on fresh issues.

Scans also often overwhelm an organization with vulnerabilities with low Common Vulnerability Scoring System (CVSS) ratings that either cannot cause significant damage or are difficult to exploit. To avoid overload, an organization might choose to ignore scans below a selected ranking or to filter vulnerabilities in vulnerability management software to focus on high-priority vulnerabilities.

Risk-based filtering is similar to CVSS filtering, but instead of focusing on the vulnerability, the organization focuses on the importance of the asset and the likelihood of exploitation. For example, an organization might ignore a high-ranking data exfiltration vulnerability in a server that contains publicly available marketing materials in favor of focusing on a lower-ranking privilege escalation vulnerability in the credit card payment database due to the potential damage to the organization.

Penetration testing limitations will often focus on specific types of tests or specific systems in a given time period and leave other testing for later.

While organizations can use all of these techniques to limit scope and scale, they also need to recognize that such limitations might leave the organization exposed to potential attack via ignored systems or vulnerabilities.

Of course, service providers can provide another option for organizations that can obtain additional resources through outsourcing. A wide variety of MSPs, MSSPs, or even Vulnerability Management as a Service (VMaaS) providers can enable organizations to deal with overwhelm without remaining exposed to higher risk of attack.

Costs of Vulnerability Scans and Penetration Tests

Vulnerability scans tend to be moderate to low-cost options, with the expenditure primarily based on the cost of tools. However, organizations should also account for the time for IT or security teams to install, configure, maintain and use the tool as well as to analyze the results.

Penetration tests tend to be higher in cost because they typically require outside vendors with highly trained penetration testing professionals. Fortunately, pentest costs can be controlled by organizations through preparation and scope control.

Benefits of Vulnerability Scans and Penetration Tests

Vulnerability scans and penetration tests both provide high value to any organization.

Vulscans identify vulnerabilities to be validated, categorized, prioritized, and mitigated. Automated tools can allow for quick and continuous identification of systems and services at risk to help organizations reduce opportunities for attacker exploitation.

Penetration testing verifies if vulnerabilities can be exploited and checks for other security gaps that might risk data exploitation or system damage. Effective pentests help organizations further harden systems and minimize opportunities for malicious attackers to cause damage.

Bottom Line: For Best Results, Use Both Vulscans and Pentests

When an IT team struggles to keep up with its workload, vulnerability scans and penetration tests seem like more trouble than they’re worth, especially if there’s robust perimeter security in place. However, with a single bad click, an attacker could be inside the organization and exploiting any available weaknesses.

By using both vulscans and pentesting, an organization can catch more oversights, mistakes, and security gaps. Organizations that really want to avoid the headaches, risks, and consequences of a breach will run both penetration testing and vulnerability scanning on a regular basis. Given the high cost of a data breach, prevention is money well spent.

Further reading:

The post Penetration Testing vs Vulnerability Scanning: What’s the Difference? appeared first on eSecurityPlanet.

8 Best Password Managers for Business & Enterprises in 2023

Kaye Timonera — Thu, 06 Jul 2023 11:50:00 +0000

Passwords are often a prime target for cyber attackers, making password management software an essential tool for companies to secure their passwords and sensitive information.

A password manager can reduce the risk of data breaches by ensuring that employees are using strong, unique passwords for each account. Password managers can also simplify the process of managing and changing passwords, making it easier for employees to follow best practices for password security.

We’ve analyzed the market to come up with this in-depth guide to the best password managers, followed by buying considerations for those considering a password management solution.

Here are the 8 best password managers for business and enterprises in 2023:

1Password: Best user interface
BitWarden: Best free password management
NordPass: Best for consumers
Enpass: Best free basic features
RoboForm: Best management features
Keeper: Best security features
LogMeOnce: Best cross platform password manager
Dashlane: Best add-on features
Password Boss: Best for reducing security breaches
Features, benefits & buying considerations

Top password manager software comparison

	Free Trial	Customer Support	Passkey	Cloud syncing	Browser Extension	Secure Sharing	Pricing
1Password	Yes	Yes	Yes	Yes	Yes	Yes	$2.99 – $19.95/month
BitWarden	Yes – 7 days	Yes	Yes	Yes – Microsoft Azure Cloud	Yes	Yes	$10 – $40/year
Nordpass	Yes – 30 days	Yes	Yes	Yes	Yes	Yes	Custom pricing
Enpass	Yes	Yes	Yes	No	Yes	Yes	$1.99 – $9.99/month
RoboForm	Yes	Yes	No	Yes	Yes – Except Firefox	Yes	$35.80 – $179/year
Keeper	Yes	Yes	Yes	Yes	Yes	Yes	$24 – $58/year
LogMeOnce	Yes – 7 days	Yes	Yes	Yes	Yes	Yes	$2.50 – $4.99/month
Dashlane	Yes – 30 days	Yes	Yes	Yes	Yes	Yes	$2.75 – $5/year
Password Boss	Yes	Yes	No	Yes	Yes	Yes	$1.53 – $3/year

1Password

Best user interface

1password has a well-designed and intuitive user interface that simplifies the process of creating and managing complex passwords. It has an app with a sleek and modern design that is both aesthetically pleasing and easy to navigate, making it accessible to users of all levels of technological expertise. 1Password stands out from its competitors with its unique features: travel mode, watch tower, and Secret Key. 1Password is launching its passkey feature this summer. With this innovative update, you’ll have simple access to all of your accounts wherever you are as long as you have your phone nearby. The 1Password software on your phone will provide login authentication clearance through the use of your biometrics, whether you are connecting into an app on a smart TV or accessing your accounts on a new PC.

Pricing

1Password offers subscription-based pricing for its Personal/Family and Business plans. The Personal/Family plans are priced at $2.99/month for 1 user and $4.99month for 5 users, with access to limited or all features depending on the plan selected. The Teams plan starts at $19.95 for up to 10 users, while the Business plan starts at $7.99/month per user.

Features

Passkey support
Secure travel mode
Encrypted sharing
Unlimited devices
Password and username generator
Secrets Automation

Pros

Ease of usage
Checks compromised passwords
Live chat support
Travel mode
Secure password sharing
Advanced security measures
Compatible with latest OSes and browsers
WebDev Integrations

Cons

Limited free trial

See our 1Password comparisons:

BitWarden

Best free password management

Bitwarden is a cloud-based service that offers browser extensions, mobile apps, and desktop applications for various platforms. This password manager uses end-to-end encryption to ensure that only the user can access their stored data, and also provides features such as 2FA, secure password generation, and secure password sharing passwords with family members and team members. Bitwarden simplifies the authentication process by allowing you to login to your Bitwarden Vault using passkeys. The security vault is accessed by being authenticated by trusted devices, fingerprint or facial recognition, hardware security keys, and FIDO2 WebAuthn Certified Authenticators. In other words, Bitwarden simply interacts with current Single Sign-On (SSO) systems, making password management and account security easier.

Pricing

Bitwarden offers both a free version and a premium version. You will get basic features such as password storage, autofill, and syncing across two devices for the free version. You will have access to more features with their $10/year premium version for individuals and $40/year for family plans with up to 6 users. Bitwarden also offers enterprise plans for businesses with pricing based on the number of users and features needed.

Features

Passkey support
Open source
Self-hosted option
Cross platform compatibility
Autofill feature
Keyboard extension

Pros

Advanced security features
Excellent free plan
Extensive customization options
Self-hosting capabilities
Intuitive and user-friendly interface
Affordable premium options

Cons

Interface design is not the best
Autofill feature may not always work smoothly
Premium users only get 1GB of encrypted storage

Also read: Bitwarden vs LastPass: Compare Top Password Managers

Nordpass

Best for consumers

NordPass offers a comprehensive password management solution that empowers you to safely store and access a wide range of sensitive information, including passwords, payment details, notes, and other important and personal data. In addition, NordPress protects your data using a “future-proof” encryption technology that surpasses the industry-standard 256 bit AES encryption. NordPass also offers a convenient Security Key to simplify your account access. This physical key is easily plugged into your laptop or PC, providing an extra layer of security. NordPass will also soon introduce a passkey feature, eliminating the hassle of remembering numerous passwords for different accounts. When logging into your accounts across multiple devices, passkeys offer several benefits, you will receive a notification promoting you to authorize the login by using your biometrics that you’ve set.

Pricing

NordPass offers a subscription-based service, with different pricing tiers depending on the number of devices you want to use and the length of your subscription. They offer monthly, yearly, and 2-year plans with discounts for longer commitment. NordPass also offers a free version but with limited features and a 30-day money back guarantee for their paid plans. Individual and family pricing ranges from free to $3.69 a month, while business pricing starts at $3.59/user/month.

Features

Unlimited password storage
Autosave and autofill
Password generator
Advanced encryption: XChaCha encryption
Biometric authentication/Passkey
Security Key
Multi-device sync
Secure sharing
Password health
Two-factor authentication

Pros

Strong security
User-friendly
Unlimited password storage
Multi-device sync
Secure sharing
Browser extension

Cons

Limited features for free version
One account per free plan

Enpass

Best free basic features

Enpass is a password management tool that offers several unique features, including a desktop version where you can save unlimited items, vaults, and sync through all your computers. In addition, they offer subscriptions and a one-time purchase for a lifetime use. For improved password security, Epass adds a passkey function. You can create a special passkey so you don’t have to remember different passwords. While offering quick access across devices, it also encrypts your data to further increase security.

Pricing

Enpass is offering an individual plan of $1.99 a month or $23.99 annually, a family plan of $2.99 a month for the first year and then $47.99 a year. They also have business plans such as a Starter plan of $9.99 per month with up to 10 users, a Standard plan of $2.99 per user per month, and an Enterprise plan of $3.99 per user per month.

Features

Passkey support
Local storage data
Cross-platform availability
One-time payment
Multiple vaults
Password audit
Secure sharing

Pros

Multi-platform support
Uses AES-256 Encryption
Local storage
Generates strong passwords
Generous free features

Cons

Difficult to use for those who are not familiar with how password managers work
Limited autofill
User interface could be better
No cloud syncing

RoboForm

Best management features

RoboForm has been a leading password manager for over two decades, known for its robust security features that safeguard users’ sensitive information. This password manager has top-notch features like limitless password storage and a 2FA, and a comprehensive password protection against unauthorized access. Its intuitive user interface is user-friendly and straightforward, making it an ideal choice for both tech savvy and novice users.

Pricing

RoboForm offers a free plan for one user with access to limited features as well as three premium plans for individuals: a 1-year plan for $35.80, a 3-year plan for $107.40, and a 5-year plan for $179. All individual plans provide access to all features and allow five users per account. For business, there is a five-user account plan available for $3.35 per user per month that is billed annually which also provides access to all features.

Features

Passkey support
Autofill login details
Captures your web login details
Multi-device and website sync
Offline access
Organizes your passwords
User-friendly
CSV import and export
Generates unique passwords
Strong encryption
Stores passwords, web applications, notes, and contacts

Pros

Secure sharing
Convenience
Strong security
Multiple device synchronization and compatibility
Uses time-based one-time password (TOPT) apps

Cons

Synchronization challenges
One user is allowed for the free version

Keeper

Best security features

Keeper offers the most advanced password management features for both individual users and businesses. It has robust security measures since they use a 256-bit AES with PBKDF2 encryption, 2FA, and zero-knowledge security feature. Its intuitive user interface and seamless integration with popular platforms and applications make it effortless to manage passwords across multiple devices and platforms.

In addition to its robust password management capabilities, Keeper provides the convenience of passkey authentication for your accounts. Currently, Keeper is offering passkey authentication as a browser extension and it will soon be available for Android and iOS devices.

Pricing

Keeper offers a Personal Plan at $24.49 a year for one user and access to limited features, and a Family Plan for $52.49 a year for five users and access to all features. For businesses, there is a Starter Plan for $24 per user per year with a minimum of five users and access to most features, a Business Plan for $45 per user per year with access to all features, and an Enterprise Plan with customized pricing depending on the number of users and features needed.

Features

Passkey support
Password audit
Security incident checker
Breach watch
Encrypted messaging app (Keeper mobile app)
Password recovery
Autofill
One-time sharing
Encrypted file sharing
Emergency access
Offline access

Pros

Customizable policies
Role-based access control
Secure file storage
Identity and access management
Secure chat
Secure digital wallet

Cons

Free trial limitations
It can get expensive

LogMeOnce

Best cross-platform password manager

LogMeOnce offers a unique feature where you don’t need to remember a master password. You can use a PIN, biometric, or photo login to access your password vault. Even though it is a “passwordless” password manager, it is rich with security features such as storing and syncing passwords and credit cards across devices with end-to-end encryption, as well as additional features such as cyber threat monitoring and password auditing.

LogMeOnce has been offering passwordless/passkey management since 2011, making it easier for anyone to log in to their online accounts. By eliminating the need to remember complex passwords, LogMeOnce empowers users with a seamless and secure authentication experience.

Pricing

LogMeOnce offers a range of pricing options for Password Management, Identity Protection, and Cloud Encryption services. The Premium Free Plan for Password Management allows for unlimited passwords, access to their platform and 2FA. The Family Plan costs $4.99 per month and accommodates up to 6 users with additional features. Business and enterprise owners can opt for the Professional Plan at $2.50 per month, providing access to most features, while the Ultimate Plan at $3.25 per month offers additional features including anti-theft protection.

Features

Biometrics login/Passkey
MFA
Single sign on
User management
Mobile authentication
Access controls/permissions
Knowledge-based authentication

Pros

Pin, Photo, and Biometric Authentications
Unlimited device synchronization on all plans
Decent free version
Multiple login options
Family plan has its own management dashboard
Password encryption

Cons

Dashboard needs improvement

Dashlane

Best add-on features

Dashlane offers an expansive free plan with limitless password storage and live chat support. This comprehensive tool boasts a number of strong features to ensure the safety of user data. Alongside managing passwords, dashlane also offers advanced security options such as a built-in VPN and a security dashboard that warns users about potential data breaches. Dashlane is the first password manager to support them. However, not all websites and apps currently support passkeys for login, limiting their widespread availability. Dashlane is working to help users manage passkeys with websites that support this method. The app currently supports save, storing, logging in, viewing, editing, and deleting passkeys on the web and Android apps, with plans for iOS support in the future. As more websites and platforms adopt passkeys, Dashlane will become more versatile in managing passkeys across various online services.

Pricing

Dashlane offers competitive pricing for Personal/Family and Business plans. Under their Personal/Family plan, they have an Advance Plan for $2.75 per month with access to most features, Premium Plan for $3.33 per month with access to all features including a VPN, and the Friends and Family plan for $4.99 per month with up to 10 users per account and access to all premium features with Friends and Family Dashboard. Their Business Plan offers a Starter Plan for $2 per user per month with a minimum of 10 users, Team Plan for $5 per user per month with unlimited number of users and access to all features including VPN. Finally, Dashlane offers a Business Plan for $8 per user per month with unlimited number of users, SSO integration and SCIM provisioning.

Features

Password audit
Passkey support
Emergency access
Password sharing
Advance form filling
Built-in VPN
2FA activation

Pros

Authentication using 2FA
Free plan
Biometric account recovery
Money-back guarantee with all their plans
VPN for their premiums
Compatible with latest browsers

Cons

No desktop app since 2022
Limited free version
Internet dependent

Read more:

Password Boss

Best for reducing security breaches

Password Boss is a cloud-based password manager that is both user-friendly and highly functional. It has an easy-to-navigate interface and remote wipe feature. Password Boss offers a range of secure features such as secure password sharing, 20-character password generator, and the ability to retain a comprehensive history and passwords. In addition, its comprehensive security dashboard is designed to identify weak, duplicate, and compromised websites to ensure maximum security for all online accounts.

Pricing

Password Boss offers different pricing plans for individuals and businesses. They offer a Free version but it is only available for individuals and has limited features. To access all features, you must subscribe to Password Boss Premium for $2.50 per month, which is billed annually, and $1.53 per month if you choose a three-year subscription. This premium subscription has a 30-day money back guarantee and a 30-day free trial. As for business plans, they offer a Standard Plan for $2 per month per user and an advanced Plan for $3 per month per user where you can customize the features and security policy that your business needs.

Features

Secure password sharing
2FA
Role-based access
Remote control integration
AES-256 and PBKDF2 encryptions
MSP management portal
Multi-device access
Autologins

Pros

New, more secure version will be released in 2023
Refined business-specific features
Robust mainstream capabilities
User-friendly interface

Cons

Limited MFA options
Form filling can be faulty at times

Key Features of Password Manager Software

To ensure the security of login credentials for online accounts, a password manager should offer users the ability to securely store and manage them. In addition, premium password managers even provide users with a personal vault where they can safely store essential information such as credit card details and notes. To choose the best password manager software for your needs, here are some key features you should consider:

Password Generator

A password generator allows users to create strong, unique passwords for each account. Passwords that are generated by a password manager are typically long and complex so they will be harder to crack. These passwords are then stored in the vault for easy access.

Autofill

This feature automatically fills in login credentials when users visit a website or application to save time and reduce risk of typing errors.

Encryption

Password managers use advanced encryption techniques to ensure that sensitive information is kept secure. A military-grade encryption known as 256-bit AES encryption is what most password managers use since it encrypts and decrypts data so only authorized users can access.

Cross-Platform Support

One of the many tasks a password manager should have is cross-platform support that enables users to access their passwords from any device regardless of operating system or platform. This is to prevent the inconvenience of being locked out of an account if the user loses their device or if they need to access their account from a different device.

2FA or Multi-Factor Authentication

2FA or Multi-Factor Authentication gives an extra layer of protection and security by requiring users to verify their identity using a second or third factor of authentication. This can be done either by biometric authentication, OTP, and security questions. Passkey support is increasingly important for authentication.

Password Auditing

Auditing the strength and security of users’ password is a critical feature of a password manager. This helps to ensure that users’ passwords are strong, unique and secure. This typically works by scanning the passwords stored in the password manager and checking them against a database of known weak, compromised or reused passwords.

These features are essential for a good password manager since they help users create and manage strong, unique passwords so their login credentials and other important data are kept secure. By using a password manager, users can avoid the risk of weak or reused passwords, reduce the risk of identity theft, and make it easier to manage multiple accounts.

See the Best Passkey Solutions for MFA, SSO & Passwordless Authentication

Benefits of Password Manager Software

Working with password manager software offers several advantages and benefits to make your online security easier.

Generates strong passwords for you

Generating complex and unique passwords for each of your online accounts reduces the likelihood of your accounts being hacked due to weak passwords. You don’t have to remember all the different passwords for each site, which can be a hassle especially when you try to access your accounts on different devices and platforms.

Stores and secures all your passwords in one place

Password managers provide a secure way to store all your passwords in one encrypted location or vault. This eliminates the need to write down passwords or remember multiple passwords at the same time.

Conveniently autofills your login details

You no longer have to type in your login credentials every time you visit a website. Password manager software can automatically fill in your login details for you to save time and effort and avoid typographical errors.

Individual vaults for employees

If you use a password manager in a business setting, each employee can have their own vault to store their login credentials, ensuring privacy and security. This can also help streamline the login process by auto-filling credentials, saving time and reducing frustration and leading to increased productivity and efficiency in the workplace.

Easy access to accounts across devices and browsers

Password managers provide easy access to all your accounts from any device or browser, allowing you to manage your passwords in one central location without having to search through multiple documents or remember where you stored your login details. This means that you can access your passwords from any device or browser and still maintain secure access to all your accounts.

Secure password or file sharing

Securely sharing passwords or files with a password manager makes it easy to collaborate with family members or team members. You no longer have to worry about sending passwords or sensitive information over unsecured channels like email or messaging systems.

How Do I Choose the Best Password Manager Software for My Business?

Choosing the best password management software for your business involves several factors that you should consider to ensure that you select the most suitable option for your business’s needs.

Security

Security should be your top priority when selecting password manager software. Ensure that the service you choose has strong encryption and that it stores your passwords securely. Having multifactor authentication as an extra layer of security is also one of the important features a password manager should have. And look at the solution’s security history – LastPass, for example, has suffered a number of data breaches but has pledged to improve security, a hopeful sign for users of that service.

Ease of use

The software should be user-friendly and easy to use for you and your team members. Choose software that has an intuitive user interface and simple to navigate to minimize the learning curve and maximize productivity. Passkeys and passwordless approaches are also increasingly important for ease of use and end user compliance.

Integration

Look for software that integrates with tools and services that you are using in your business such as browsers, operating systems, and communication systems. Integration ensures that the software is seamlessly integrated into your workflow and improves efficiency.

Customization

Each business has its own requirements and needs that password manager software should meet. Look for a service that is customizable and can be tailored to your business’ specific needs.

Collaboration

If your team members need to share login credentials or files, look for a password manager that offers secure collaboration features. This software should allow you to securely share passwords, set permissions and access levels and track changes made to passwords you shared.

Pricing

Consider the pricing structure of the software, including the subscription model and any additional fees for add-ons or extra users. The service must be within your budget and should provide value for your money.

How We Evaluated Password Managers

Password managers were evaluated based on security, user interface, features, compatibility, customer support, affordability, history and user reviews. Security features include encryption strength, multi-factor authentication, passkey and passwordless support, and data protection. User interface should be easy to navigate and user-friendly. Features include password generation, strength analysis, secure sharing, autofill, and password syncing across multiple devices.

Bottom Line: Password Managers

Password management tools remain an important first line of cybersecurity defense, protecting you organization, applications and data from weak or stolen credentials while enabling productivity through ease of use and collaboration. Taking the time to find the solution that best fits your business’ needs is well worth the time and research.

Further reading:

The post 8 Best Password Managers for Business & Enterprises in 2023 appeared first on eSecurityPlanet.

eSecurityPlanet

How To Use Nmap for Vulnerability Scanning: Complete Tutorial

Getting Started with Nmap

Installing Nmap

Built-in Nmap Scripts

Using Custom Nmap Scripts

Nmap Vulnerability Scanning

Specific Nmap Vulnerability Scans

How to Use Vuln

How to Use Vulscan

How to Use Vulners

Vuln vs Vulners vs Vulscan

How Do Attackers Use Nmap?

Do Host Systems Detect Nmap Scans?

Pros and Cons of Using Nmap

Pros: Reasons to Use Nmap

Cons: Reasons Not to Use Nmap

Nmap Vulnerability Scanner Alternatives

1 Intruder

Bottom Line: Use Nmap for Inexpensive, Effective Vulnerability Scanning

Malicious Microsoft Drivers Could Number in the Thousands: Cisco Talos

Forged Timestamps

A Real-World Example

Defending Against Signed Drivers

Black Hat AI Tools Fuel Rise in Business Email Compromise (BEC) Attacks

WormGPT and Generative AI Hacking Uses

Countering AI-Driven BEC Attacks

Top 7 Cloud Security Posture Management (CSPM) Tools

Top CSPM Software Comparison

Palo Alto Networks Prisma Cloud

Pricing

Features

Pros

Cons

Check Point CloudGuard Cloud Security Posture Management

Pricing

Features

Pros

Cons

Lacework

Pricing

Features

Pros

Cons

CrowdStrike Falcon Cloud Security

Pricing

Features

Pros

Cons

Cyscale

Pricing

Features

Pros

Cons

Trend Micro Trend Cloud One Conformity

Pricing

Features

Pros

Cons

Ermetic

Pricing

Features

Pros

Cons

Key Features of CSPM Tools

Infrastructure-level risk monitoring and assessments

Threat detection and intelligence

Remediation and recommendations

Advanced data governance and compliance management

Automation

Benefits of Working with CSPM Tools

How Do I Choose the Best CSPM Tool for My Business?

Frequently Asked Questions (FAQs)

What is cloud security posture management?

What is the difference between CASB and CSPM?

Is CSPM a part of SASE?

Methodology

Bottom Line: Cloud Security and Posture Management (CSPM) Tools

Microsoft Patch Tuesday Addresses 130 Flaws – Including Unpatched RomCom Exploit

Malicious Drivers Addressed by Advisory