Everything Old is New Again

5–6–2024 (Monday)

Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, May 6, 2024, and we’ve got to come to the hard conclusion that everything old is new again. What does that mean in cyber and what does that mean for us? Let’s discuss.

Everything Old is New Again

While there are lots of tropes around living long enough to see things come back around, and that life naturally happens in cycles, we’re seeing cybersecurity vulnerabilities known as “path traversals” get a lot of attention this week, and for good reason.

This idea - known as path traversal, and which essentially boils down to software not sanitizing or validating user input before using it to build a file path, so that the input can reach other parts of the operating system and, in the worst case, lead to code execution - was the source of a recently disclosed vulnerability in a Palo Alto Networks firewall.

Without diving too much into the specific details of the vulnerability, Palo Alto did an admirable job of handling it, providing detection and mitigation information, and shipping a patch over the next few days. Essentially, a threat actor could shim in a "../" string, the program would reference a new directory or path, and those references could be used to move around the underlying operating system.

This vulnerability is so common that CISA and the FBI have released a "Secure by Design" alert to urge manufacturers to eliminate this type of traversal vulnerability.

They point out several other products that have this type of vulnerability (including a Cisco product and a ConnectWise vulnerability used by ransomware gangs), and note that there are at least 55 directory traversal vulnerabilities in their "Known Exploited Vulnerabilities" or "KEV" catalog.

But why does it seem like we’re suddenly seeing this everywhere? I think there are a couple of reasons:

  1. It’s not commonly tested for (even though it’s pretty easy to test for and automate such tests); and

  2. Now that threat actors know it’s an area of weakness in some products, it becomes something they look for in all products.
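To make the bug concrete, and to show how simply it can be tested for, here is an added example that is not from the post or from any vendor mentioned in it. It builds a throwaway directory (constructed sample data) with one file meant to be served and one "secret" file just outside the served directory, shows a file handler that joins user input straight into a path, shows a hardened handler that resolves the path and refuses anything that escapes the base directory, and runs a small automated probe against both. The function names and the sandbox layout are assumptions for illustration.

```python
import os
import tempfile
from pathlib import Path


def build_sandbox():
    """Constructed sample layout (not from the post):
    root/public/index.html is the only file the handler should serve;
    root/secret.txt sits one level above and must stay unreachable."""
    root = Path(tempfile.mkdtemp())
    public = root / "public"
    public.mkdir()
    (public / "index.html").write_text("<h1>hello</h1>")
    (root / "secret.txt").write_text("not for you")
    return public


def serve_file_vulnerable(base_dir, user_path):
    """The pattern the post describes: user input is joined into a path with no
    validation, so '../' segments (or an absolute path) walk out of base_dir."""
    full = os.path.join(base_dir, user_path)
    with open(full, "rb") as f:
        return f.read()


def serve_file_hardened(base_dir, user_path):
    """Resolve the candidate path (following symlinks and collapsing '..'), then
    require that it still lies inside the resolved base directory; refuse otherwise."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    with open(candidate, "rb") as f:
        return f.read()


def traversal_probe(handler, base_dir, canary=b"not for you"):
    """Automated check in the spirit of 'easy to test for': feed a few escape
    patterns to a handler and return the ones that leak the canary file living
    outside base_dir. Any error from the handler counts as 'blocked'."""
    outside_abs = os.path.join(
        os.path.dirname(os.path.realpath(base_dir)), "secret.txt"
    )
    probes = ["../secret.txt", "./../secret.txt", outside_abs]
    leaked = []
    for p in probes:
        try:
            if handler(base_dir, p) == canary:
                leaked.append(p)
        except (OSError, ValueError):
            pass  # refused or not found: the handler held the line
    return leaked


if __name__ == "__main__":
    base = str(build_sandbox())
    print("hardened serves index.html:", serve_file_hardened(base, "index.html"))
    print("vulnerable leaks:", traversal_probe(serve_file_vulnerable, base))
    print("hardened leaks:  ", traversal_probe(serve_file_hardened, base))
```

The probe is the kind of check that belongs in a project's own test suite: point it at every handler that turns a request parameter into a filesystem path, and fail the build if the leaked list is ever non-empty.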

This isn't a new concept - it consistently ranks in the Top 10 of MITRE's "Top 25 Most Dangerous Software Weaknesses." What it highlights is the complexity required to build resilient systems, and the need for a systemic focus on the low-hanging fruit: stop introducing known, well-understood vulnerabilities in the first place.

This is part of the message contained in a National Security Memorandum on Critical Infrastructure Security and Resilience released last week by the White House.

In part, this memo notes that one principle and objective of the United States is: “Requiring and enforcing minimum resilience and security requirements and recommendations that direct building resilience into critical infrastructure assets and systems upfront, and by-design.”

What it really means here is that the market incentives to deliver secure products simply aren’t working, and that regulations in these 16 critical infrastructure sectors are going to start laying down the rules of the road.

In the theme of everything old is new again, we’ve seen this sort of regulatory intervention in lots of areas - from seatbelts, airbags, and backup cameras - to the creation of the Environmental Protection Agency after the publication of Silent Spring.

Inevitably, these regulatory steps will offer progress that is imperfect, and looks a lot like two-steps-forward, one-step-back, but the reality of our current situation is that market forces aren’t working and minimum standards are going to be needed to force change. That may not always be the case, but it is right now.

This process will move more slowly than we’d like, and cost more than we’d like, but given how we’re living today, I think we’ll take slow and expensive change over the current challenges around building secure and resilient businesses.

As the FBI notes in their Alert, "vulnerabilities like directory traversal have been called 'unforgivable' since at least 2007." And here we are, in 2024, with leading vendors having their VPN products exploited by the same vulnerability.

Everything old is new again.

Fundraising

From a fundraising perspective, another relatively light week, clocking in at just over $6B in newly committed capital. Some strong IPO performance, however, from security company Rubrik, which not only priced higher than expected, but has risen since opening public trading of their stock.

There's lots of hope that this return to an IPO market can generate some movement at the top of the private market, and that it will trickle down through the mid and small portions. That remains to be seen, but this is certainly a step in the right direction.

You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://eclypsium.com/blog/apt-just-means-another-path-traversal

https://www.cisa.gov/resources-tools/resources/secure-design-alert-eliminating-directory-traversal-vulnerabilities-software

https://nvd.nist.gov/vuln/detail/CVE-2024-20345

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html

https://www.whitehouse.gov/briefing-room/presidential-actions/2024/04/30/national-security-memorandum-on-critical-infrastructure-security-and-resilience/

https://www.cisa.gov/sites/default/files/2024-05/Secure_by_Design_Alert_Eliminating_Directory_Traversal_Vulnerabilities_in_Software_508c%20%283%29.pdf