by IncludeSecurity 1809 days ago
We do security audits for a living.

In a nutshell, here's why things are so screwed up IMHO:

1) Most of these companies have had audits, but they're being done by 3rd rate or very inexperienced external consultants.

2) The companies limit the scope of the tests. Real hackers don't give a shit about your scope of work, they have no rules, only goals.

3) Even when a test is properly done, the exec management looks for silver bullet product solutions instead of changing across people/process/technology.

My company solves #1, but we can't do anything about #2 or #3 :-/


Based on my experience on multiple internal Red Teams this is more or less correct.

Add some funding / IT cost center, no value add language in there as well.

Not to mention some theatre and empire-building.

What audit would have found a zero-day vulnerability?

The entire idea behind modern network security is that zero-days happen regularly. You should design your security controls around this fact: defense in depth, least privilege, etc.
"The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution," the Miami-headquartered company noted in the incident analysis. "This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya's VSA codebase has been maliciously modified."

This is very likely not the full story, unless the 0day in VSA was somehow wormable. That "deployment" is doable through overly permissive IAM and everything else that enables privesc.

There are two parts to these vulns. Whatever gets the foothold, and whatever allows privilege escalation. Audits do a great job in catching the misconfigs that allow privesc.

The tragic thing about these attacks is often the blast radius can be contained fairly easily by asking the right questions... If you're someone who has passed these audits, or done these audits, it becomes pretty easy to see how many unforced errors go into these catastrophic attacks.

If https://old.reddit.com/r/msp/comments/ocggbv/crticial_ransom... is correct, a competent web application security review (white box or black box), which was correctly scoped to include the affected files, would likely have found the SQLi and authentication bypass issues (mentioned in update 12).

Without seeing the codebase in question, you can't be sure, but having been a web app pentester for 10+ years, these are the kind of issues that were found regularly, and whenever I saw classic ASP in tests, they were the kind of issues I'd be looking for, knowing the inherent weaknesses in the platform.
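As an added illustration of the kind of code-review heuristic a scoped web app review would run against classic ASP (not code from the thread or from Kaseya), the following scans constructed ASP samples for SQL text built by concatenating `Request.*` input. The two ASP fragments, the taint-tracking logic and the `find_sqli_candidates` name are all constructed for this example.

```python
import re

# Constructed classic ASP samples (not real product code).
# The first builds a login query from Request.Form by string concatenation;
# the second uses an ADODB.Command with a bound parameter instead.
VULNERABLE_ASP = '''<%
Dim user, sql, rs
user = Request.Form("username")
sql = "SELECT * FROM users WHERE name = '" & user & "'"
Set rs = conn.Execute(sql)
If Not rs.EOF Then Session("auth") = True
%>'''

SAFE_ASP = '''<%
Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = conn
cmd.CommandText = "SELECT * FROM users WHERE name = ?"
cmd.Parameters.Append cmd.CreateParameter("@name", 200, 1, 255, Request.Form("username"))
Set rs = cmd.Execute
%>'''

# Where untrusted input enters a classic ASP page.
TAINT_SOURCE = re.compile(r'Request(\.(Form|QueryString|Cookies|ServerVariables))?\s*\(', re.I)
SQL_KEYWORD = re.compile(r'\b(SELECT|INSERT|UPDATE|DELETE|EXEC)\b', re.I)
ASSIGN = re.compile(r'\s*(\w+)\s*=\s*(.+)$')


def _mentions(names, text):
    return any(re.search(rf'\b{re.escape(n)}\b', text) for n in names)


def find_sqli_candidates(source):
    """Return (line_no, line) for lines that concatenate ('&') request-derived
    data into SQL text. This is a review heuristic to direct manual attention,
    not a proof of exploitability."""
    tainted = set()
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            name, rhs = m.groups()
            # Propagate taint: x = Request.Form(...) or y = "..." & x & "..."
            if TAINT_SOURCE.search(rhs) or _mentions(tainted, rhs):
                tainted.add(name)
        if SQL_KEYWORD.search(line) and '&' in line and \
                (TAINT_SOURCE.search(line) or _mentions(tainted, line)):
            findings.append((no, line.strip()))
    return findings
```

The same pass over real source would need to follow includes and function arguments, but even this shallow form flags the concatenated login query while leaving the parameterized version alone.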

Did the RMM box really have to be on the open internet? In infra I run, anything with a public IP is behind numerous layers of FWs and VPNs, why not the same here?