Parenting in the Cyber World: Kids, Tech, and Empowering the Next Generation
Our purpose at Do We Belong Here is to prove that we all have a place in the cyber world, but there’s one very important group that we haven’t yet discussed – the kiddos!
Kids in today’s world are growing up with technology as second nature. As a parent in the cyber world, there is a delicate balance between letting your kids explore the online world and keeping them protected from the dangers that are out there. In this month’s episode of Do We Belong Here, Tashya Denose and Pam Lindemoen tap into their mom-sides to give us their favorite advice and resources for maintaining a healthy balance with their kids and the world online. They also talk about the importance of introducing the realities of the digital world at a young age and what that education could mean for the future of this industry.
Beyond that, Tashya gives Pam some insight into what it was like being the only one in the room who looked like her at the beginning of her career, and how that experience shaped the way she shows up for herself, her daughter, and her fellow women in the cyber world.
Oh, No… Hacked Again! and See Yourself in Cybersecurity by Zinet Kamal
pbskids.org/cyberchase/ | PBS kids show focused on STEM topics with online games for kids 6-8.
USF Cyber Summer Camps | Annual camps for K-12 students to learn about cybersecurity and explore a career in the field.
girlswhohack.com | Training resources specifically made for teaching young girls how to hack, created by 16-year-old hacker Bianca Lewis –
Lighthouse Solutions | lhsolutions.org
Follow us on social media: @DoWeBelongPod
Watch us on YouTube: @CybersecurityFL
Want a Do We Belong Here t-shirt? DM us on Instagram @DoWeBelongPod 💛
Norwegian authorities recently revealed a critical zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM), posing a significant security threat. The flaw enables unauthenticated remote attackers to bypass authentication and gain access to the server’s API, potentially leading to data theft and unauthorized system modifications.
III. Additional Background Information
On July 24th, the Norwegian Government Security and Service Organization (DSS) and the Norwegian National Security Authority (NSM) informed the public about a zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM), a mobile management product used for mobile device management and mobile application/content management (Tenable). The vulnerability received the maximum CVSS score of 10.0, reflecting that it is exploitable remotely over the network with low attack complexity and requires neither privileges nor user interaction, so no special tools or skills are needed to exploit it (Mnemonic).
This vulnerability, tracked as CVE-2023-35078, is an authentication bypass in Ivanti’s EPMM. An unauthenticated, remote attacker could exploit it to reach the server’s application programming interface (API), which is normally accessible only to authenticated users (Tenable). Successful exploitation gives the attacker access to “specific API paths”. Through these unrestricted API paths, a malicious actor could steal personally identifiable information (PII) such as names, phone numbers and other mobile device details, and could also make configuration changes, including creating an EPMM administrative account on the server that can make further changes to the vulnerable system (CISA).

The attack consists of altering the URI path used to reach API v2 so that the request is served without any authentication (Mnemonic). According to the API documentation, all API calls use the URL format https://[core-server]/api/v2/. By prefixing that API path with a vulnerable path segment, an attacker can call API endpoints without authenticating, as shown here: https://[core-server]/vulnerable/path/api/v2. Note that the bypass grants API access, not direct command execution; the damage comes from what the exposed API allows.

Fortunately, it is fairly simple to detect whether the vulnerability has been exploited. Check the logs of the EPMM appliance to determine whether the API v2 endpoint has been reached through an unexpected path (Uzun): exploitation attempts appear as otherwise regular API calls issued through unusual URI paths.
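The log check described above, as an added example that is not part of the original advisory or any Ivanti tooling: it parses constructed web-server log lines in Apache/nginx combined format (real EPMM logs may use a different layout, so the regular expression is an assumption to adapt), normalizes each request path, and flags any request that reaches /api/v2 through a prefix other than the documented root. It goes slightly beyond the text by also catching percent-encoded and double-slash variants of the same path, and by separating requests that were actually served (2xx) from ones the server rejected. The "/vulnerable/path/" prefix mirrors the placeholder used in the text, and the endpoint names after /api/v2/ are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample log lines in Apache/nginx "combined" format. These are NOT
# real EPMM logs; the "/vulnerable/path/" prefix mirrors the placeholder in the
# text, and endpoint names such as /devices or /accounts are hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - admin [25/Jul/2023:08:01:12 +0000] "GET /api/v2/ping HTTP/1.1" 200 45 "-" "curl/8.1.2"
10.0.0.5 - admin [25/Jul/2023:08:01:15 +0000] "GET /api/v2/devices?limit=50 HTTP/1.1" 200 9124 "-" "curl/8.1.2"
203.0.113.7 - - [25/Jul/2023:08:02:40 +0000] "GET /vulnerable/path/api/v2/devices HTTP/1.1" 200 9124 "-" "python-requests/2.31.0"
203.0.113.7 - - [25/Jul/2023:08:02:41 +0000] "GET /vulnerable/path/api/v2//users HTTP/1.1" 200 1203 "-" "python-requests/2.31.0"
203.0.113.7 - - [25/Jul/2023:08:02:44 +0000] "POST /vulnerable/path/api/v2/accounts HTTP/1.1" 200 88 "-" "python-requests/2.31.0"
198.51.100.9 - - [25/Jul/2023:08:03:01 +0000] "GET /vulnerable%2Fpath/API/v2/devices HTTP/1.1" 401 0 "-" "Mozilla/5.0"
192.0.2.1 - - [25/Jul/2023:08:03:30 +0000] "GET /static/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Assumed log layout: client, ident, user, [timestamp], "METHOD target proto", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

API_V2 = "/api/v2"   # documented API root: https://[core-server]/api/v2/


def normalize_path(target: str) -> str:
    """Reduce a request target to a canonical path so that percent-encoded,
    upper-cased or slash-padded variants of the same URI compare equal."""
    path = urlsplit(target).path            # drop the query string
    for _ in range(3):                      # undo (possibly repeated) percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", path)         # collapse "//" into "/"
    return path.lower()


def classify_path(path: str):
    """'expected' when /api/v2 sits at the documented root, 'suspicious' when it
    is reached through an unexpected prefix, None for non-API requests."""
    if API_V2 not in path:
        return None
    if path == API_V2 or path.startswith(API_V2 + "/"):
        return "expected"
    return "suspicious"


def find_suspicious_requests(log_text: str):
    """Return every parsed request whose normalized path hits /api/v2 under an
    unexpected prefix; 'served' records whether the server answered with 2xx."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize_path(m["target"])
        if classify_path(path) != "suspicious":
            continue
        hits.append({
            "ip": m["ip"],
            "user": m["user"],
            "method": m["method"],
            "path": path,
            "status": int(m["status"]),
            "served": m["status"].startswith("2"),   # 2xx means the bypass worked
        })
    return hits


def summarize_by_source(hits):
    """Count successfully served bypass requests per client address."""
    return Counter(h["ip"] for h in hits if h["served"])


if __name__ == "__main__":
    found = find_suspicious_requests(SAMPLE_LOG)
    for h in found:
        flag = "SERVED " if h["served"] else "blocked"
        print(f"{h['ip']:<14} {h['method']:<5} {h['status']} {flag} {h['path']}")
    print("served bypass requests per source:", dict(summarize_by_source(found)))
```

A hit with a 2xx status is the important one: it shows the unauthenticated request was answered, so the data or configuration change the text describes should be assumed to have happened and the source address and the endpoints it touched should go straight into the incident timeline. Rejected (401/403) hits still identify scanning activity worth blocking.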
Ivanti reported that the vulnerability impacts all supported versions, Version 11.4 releases 11.10, 11.9 and 11.8; older, unsupported versions/releases are also at risk (CISA). The company promptly issued security patches for the EPMM vulnerability: customers can fix it by upgrading to EPMM versions 11.8.1.1, 11.9.1.1 or 11.10.0.2. The fix also covers older, unsupported and End-of-Life (EoL) software versions (Uzun).
According to Ivanti’s own advisories, the vulnerability was exploited in the wild as a zero-day against a small number of customers (Tenable). Among the known victims, the as-yet-unnamed attackers used this flaw to compromise 12 government ministries in Norway (Muncaster).
IV. MITRE ATT&CK
T1190 – Exploit Public Facing Application Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets. Depending on the flaw being exploited this may also involve Exploitation for Defense Evasion.
T1059 – Command and Scripting Interpreter Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.
T1018 – Remote System Discovery Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or net view using Net.
T1505.003 – Server Software Component: Web Shell Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.
T1070 – Indicator Removal Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defensive security tools.
T1005 – Data from Local System Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
T1572 – Protocol Tunneling Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.
T1090 – Proxy (Internal Proxy) Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Caitlin Sarian, also known as @CybersecurityGirl, is a cybersecurity content creator and the Former Senior Manager of Privacy and Security at TikTok.
Caitlin is a multifaceted woman with a variety of passions in life; from cybersecurity to modeling she embraces bringing her whole self to the table, even when it’s scary. In this episode, Caitlin joins Tashya and Pam to talk about her growth throughout her past decade in cyber, how she maintains her confident mindset even if she’s the only person like her in the room, and the impact she hopes to make with her cybersecurity content. Caitlin, Tashya, and Pam also share insights on the ongoing efforts needed to continue making space for women to flourish in this dynamic field.
Find Caitlin on social media: @CybersecurityGirl (TikTok) | @Cybersecurity_Girl (Instagram)
Join Cyber Florida Senior Fellow Stacy Arruda, Founder and CEO of the Arruda Group and former FBI Supervisory Special Agent, for an eye-opening experience that will help you better understand how to prevent and recover from cyberattacks. The event starts with Network Noise, a three-hour tabletop exercise where real-world cyberattack scenarios illustrate the far-reaching effects a cyberattack can inflict on your organization. Bring your leadership team to learn how cyberattacks impact not only IT but also legal, finance, operations, human resources, public relations, and other departments.
Once you understand the threat, move on to preparation with a session on creating a comprehensive cyber incident response plan specific to your organization. You’ll leave equipped with a template and foundational plan you can take back to complete and test with your organization.
The International Association of Certified ISAOs (IACI) and Cyber Florida jointly present this session of Cybersecurity Education.