Cybera security analyst works with NREN to identify, fix a vulnerability on FortiSIEM

This past November, we shared an interview with Cybera’s security analyst, Andrew Klaus, in which he talked about the new Security Information and Event Management (SIEM) initiative being carried out through Canada’s 13 provincial, territorial and federal partners in the National Research and Education Network (NREN). As Andrew noted, the biggest benefit of a collaborative cybersecurity project like this is the ability to quickly and easily share information on security risks. 

As reported this week by ZDNet, this collaborative effort has already paid off: Andrew and his NREN partners identified a major vulnerability in FortiSIEM, Fortinet’s SIEM product. This product is used by the NREN to monitor Canada’s vital research and education infrastructure, and is widely used by other research networks around the globe.

In December 2019, Andrew noticed a reference to an SSH key in one of FortiSIEM’s configuration files on Cybera’s network monitoring appliance. Working with the NREN security analyst team, he found the same key on several other appliances.

“An SSH key, or Secure Shell key, is a safer way to authenticate a user than through a simple password, as it is much longer — too long to memorize,” explains Andrew. “People who know how SSH works know the importance of keeping this key confidential, because if someone has access to it, they can then impersonate you.”

As the ZDNet article noted: “Due to the sensitive nature of the data processed by a SIEM product and its central role in a company's cyber-security defenses, any backdoor mechanism in these systems is considered a dangerous and highly critical vulnerability.”

Thanks to the quick identification of the exposed SSH key on the NREN infrastructure, Andrew and his fellow analysts were able to notify Fortinet of the vulnerability and create a workaround while they waited for FortiSIEM to generate new, unique SSH keys for all its users.

“The collaborative nature of the NREN SIEM project has been a great benefit for Cybera, as it allows us to openly share issues or questions with other groups, and work together to implement solutions,” says Andrew.

The NREN initiative represents an unprecedented pan-Canadian effort to coordinate network threat monitoring. In Alberta, Cybera is currently working with post-secondary partners to bring them on board and further add to the collective monitoring capabilities of the group.

For further information on Cybera’s security initiatives, visit cybera.ca/services/cybersecurity.