[Instructor] Software and hardware vendors may actually have separate teams that handle the investigation, resolution, and also the disclosure of security vulnerabilities. And typically, these teams are called a Product Security Incident Response Team, otherwise known as a PSIRT. As a matter of fact, I'm actually a part of a PSIRT team, you know, the Cisco Product Security Incident Response Team. Now, before you understand how a PSIRT operates, you must understand what a security vulnerability actually is, right, so this, of course, might be a refresher from the Security Fundamentals exam. You covered it whenever you were preparing for that exam, but just as a refresher, the National Institute of Standards and Technology, or NIST, defines a security vulnerability as "a flaw or a weakness in system security procedures, design, implementation, or other internal controls, that could be exercised (that means, accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy." Right.
Now, there are tons of other definitions out there, but they tend to be variations of the one that NIST actually provides, and the one that I actually quote here. Now, you may ask yourself, why should you worry about security vulnerabilities in products, right? And this is because each of them represents a potential risk and a vector for how threat actors can actually compromise your systems and your network, right. Each vulnerability carries a certain amount of risk, you know, within that vulnerability, right, so one of the most widely adopted standards to actually calculate the severity of a given vulnerability, and that is also used by many PSIRT teams, is the Common Vulnerability Scoring System, or CVSS, right. And CVSS has three major metrics or components, the base, temporal, and environmental scores, right. Each component is actually represented as a score on the scale from zero to 10. Again, you learned all about CVSS in the preparation for the Sec Fun exam, but here's actually a, you know, very brief refresher, right.
So CVSS is an industry standard that is actually maintained by FIRST, right, and it's actually used by many PSIRT teams to convey information about the severity of vulnerabilities that they actually disclose to their customers. In CVSS, a vulnerability is evaluated under three aspects, and scores are assigned to each of those, you know, different categories, right. So the base group represents the characteristics of a vulnerability that are constant over time and do not depend on a user-specific environment, right. So the temporal group assesses the vulnerability as it actually changes over time. And the environmental, you know, just like the word says, actually provides and represents the characteristics of a vulnerability, taking into account the organization's environment, right. Now, again, the score for the base group is between zero and 10, where zero is the least severe, and 10 is assigned to the, you know, highly critical vulnerabilities, right.
You know, for instance, for vulnerabilities that can allow an attacker to compromise the system and get full control of the system, and perhaps, you know, do a remote code execution, you will see a higher score whenever, you know, you compare it to vulnerabilities that perhaps are a lot less risky, and also harder to actually exploit, right. Now, the formula used to obtain the scores takes into account various characteristics of the vulnerability and how the attacker is actually able to leverage those characteristics, right. So again, I'm actually sharing here the FIRST website that includes the standard specification. They also include a calculator that you can actually take advantage of and many other resources for you to become familiar with CVSS. At the time of recording, the latest version of CVSS was version three, and that's actually what Cisco and many other organizations actually now use to determine the risk of a given vulnerability, right.
Now, there are several other things that are actually taken into consideration, right, and one thing is actually the chaining role of a vulnerability, and fixing prioritization based on that chain, right. Now, in many instances security vulnerabilities are actually not exploited in isolation. Threat actors actually exploit more than one vulnerability in a chain, and they do that to carry out their attacks and compromise their victims. Now, by leveraging different vulnerabilities in a chain, attackers can actually infiltrate progressively to further, you know, compromise the system and the network, then gaining more control over it, right. This is something that PSIRT teams are actually aware of and must be aware of, and developers, security professionals, and users must also be aware of these chaining capabilities, because they can actually change the order in which vulnerabilities need to be fixed or patched, you know, in the actual affected systems, right.
So, for example, you know, multiple low-severity vulnerabilities can actually become severe if they're actually combined to perform a specific action, right. So performing vulnerability chaining is not a trivial task, right; any type of vulnerability can actually be chained. So several commercial companies claim that they can actually easily do it, but the ways that you can chain vulnerabilities are actually pretty much endless, right. Now a PSIRT can learn about vulnerabilities in a product or service, you know, during internal testing or at the development phase, right. This, of course, is the preference of any vendor, to be able to actually find the vulnerabilities before somebody else finds them. However, vulnerabilities can also be reported by external entities, like security researchers, customers, and other vendors, right. Now the dream of every vendor is actually to be able to find and patch all security vulnerabilities during the design and development phases; however, of course, that's actually close to impossible, right.
Now, this is why a secure development life cycle, or an SDL, is extremely important for any organization that actually produces software and hardware. Cisco has their own SDL program, and it's actually documented at the link that I'm actually sharing in here, right. So Cisco defined the SDL as "a repeatable and measurable process that they have actually designed to increase the resiliency and also the trustworthiness of their products." Cisco's SDL is actually part of the product development methodology, or what they call PDM, and it's also compliant with the ISO 9000 standard, right. It actually includes, you know, different areas, but it's actually not limited to this list, but here are some of the general concepts and topics that it actually includes, right. So it actually has a base product security requirement, what they call a PSB, right. Also, third-party software security, right, how you handle open source and third-party software vulnerabilities.
Secure design guidelines, guidelines around secure coding, secure analysis, and also vulnerability testing. Now, the goal of the SDL is actually to provide tools and processes that are designed to accelerate the product development methodology by developing secure, resilient, and trustworthy systems, right. Now, third-party software and, you know, open source security is one of the most important tasks for any organization, right. Most of today's organizations actually use open source and third-party software libraries, right. Now, this creates two requirements on the product security team. The first one is actually to know what third-party software libraries are used and reused within your company and where, right, and the second one is, of course, to patch any vulnerabilities that affect such a library or the third-party software component. So, for example, if there's a vulnerability in OpenSSL or NTP, you know, and it's actually disclosed today, what do you actually have to do?
Can you quickly assess the impact of those vulnerabilities in your products? Also, if you use commercial third-party software, is the vendor of such software transparently disclosing all the security vulnerabilities? You know, are they actually even gonna ask you for money if they need to actually fix a vulnerability, right? Nowadays, many organizations are including security vulnerability disclosure SLAs in their contracts with third-party vendors, right. This is very important, as many third-party software vulnerabilities, both in the commercial space and also open source software, go unpatched for many, many months or even years, right. Now, third-party software security is a monumental task for any company of any size, right. To get a feeling of the scale of third-party software, you know, code usage, visit webpages, either of organizations that are making these libraries or third-party security bulletins published by Cisco at the link that I'm actually sharing in here. Now, another good resource is CVEdetails.com, right.
They actually have tons of statistics and data around vulnerabilities and, you know, specific vendors, right. Now, there are many tools available in the market today to enumerate all open source components used in a product. Now these tools either interrogate the product source code or scan binaries for the presence of third-party software. Here are a few examples, but, of course, there are many others out there. The first one is actually Black Duck. There's also AppCheck from Codenomicon. Palamida, Lexumo, SourceClear, and again, the list goes on and on.