
Sec+ 006: Security concerns with various types of vulnerabilities.

We hear about companies falling victim to cyberattacks, resulting in severe damage to their reputation. As customers, we are influenced by such incidents and may choose to discontinue using their services. However, this issue extends beyond the realm of cybersecurity. For example, as a user of Twitter (now referred to as X), I've observed cases where Gen Z (as people of my generation are fondly called) publicly call out brands that fail to meet our expectations. These callouts often gain traction and visibility on the trending list, leading others to boycott the brand. This phenomenon is not limited to Gen Z: older generations also learn about such news through platforms like WhatsApp, and the brand's image is tarnished even when no personal information or money is directly affected.

Now, imagine the repercussions a company faces after suffering an attack that results in significant consequences, such as those listed below. The impact on their reputation would be even more severe.

As technology exists and evolves, so do its vulnerabilities. Identifying these weak points and managing your organization's security is important. To conduct a successful security assessment, you must understand the vulnerabilities that affect information systems and networks and prioritize remediation based on their potential impacts (YOU CAN'T REMEDIATE WHAT YOU DON'T UNDERSTAND). It is not all about choosing the right tools (yes, there are hundreds of tools out there) but about understanding the consequences of vulnerabilities so you can focus on the critical areas.

In this post, we will explore the various types and impacts of vulnerabilities.

STAY TUNED!!!

6.1 Cloud-based vs. on-premises vulnerabilities

FIRST, WHAT IS CLOUD COMPUTING?

Cloud computing is the on-demand delivery of IT resources over the internet. The two computing environments and their security concerns are as follows:

Cloud-based: These are services, resources, and applications hosted and provided over the internet by third-party cloud service providers, such as AWS, Microsoft Azure, and Google Cloud Platform (GCP). Vulnerabilities in this environment include data breaches, data loss, exposure through resources shared with other tenants (multi-tenancy), and insider threats from within the cloud provider.

On-premises: These are services, resources, and applications hosted and managed within an organization's own physical data centers, providing the organization with full control over its data, software, and hardware. Vulnerabilities in this environment include unauthorized physical access, insider threats from within the organization, lack of monitoring, and delayed response to breaches.

6.2 Zero-day

A zero-day vulnerability is a security flaw that has been discovered by attackers but remains unknown to the software vendor, so no patch exists for it. Compensating controls, such as containment measures, can be used to mitigate the risk of a zero-day. These controls aim to limit the vulnerability's impact until an official fix or patch is made available.

6.3 Weak configurations

Poor configuration management could be a sign that the company isn't strictly controlling and documenting its assets. Misconfiguration provides attackers with entry points and opportunities to elevate privileges, allowing them to gain control over critical components and potentially compromise the entire enterprise. The following are examples of weak configurations that an organization must avoid and check its systems against:

Open permissions: Permissions specify the types of activities that can be performed on an object within a system. Open permissions occur when access rights for user groups are not correctly distinguished, and they can lead to an unauthorized person accessing sensitive data or modifying critical settings. ENSURE THAT YOUR PERMISSIONS ARE SECURE.

Unsecure root accounts: The root account, also known as the superuser or Administrator account, has unrestricted system access and therefore poses a serious security risk. Unsecure root accounts give threat actors unlimited access to the system. To reduce the risk, implement least privilege management and permission rules that limit use of the superuser account. Disable direct login to the root account and keep its credentials in a privileged access vault.

Errors: Applications that are not properly configured can expose error messages that can be advantageous to attackers. To reduce this risk, practice secure coding, avoid disclosure of sensitive information, and ensure that programs trap errors and generate appropriate log files for better security.

Weak encryption: Encryption algorithms protect data at rest and in transit, requiring a decryption key for access. Weak encryption vulnerabilities allow unauthorized access to data. They arise from keys derived from simple passwords, known weaknesses in the algorithm, and insecure key distribution. For example, all versions of SSL are now considered deprecated, so TLS should be used instead. Likewise, AES (Advanced Encryption Standard) is the symmetric encryption algorithm advised for use.

Unsecure protocols: Unsecure protocols transfer data in cleartext without encryption, leaving it vulnerable to interception and modification. Without encryption, there is no secure way to authenticate endpoints, allowing attackers to perform man-in-the-middle attacks. Examples of unsecure protocols are Telnet, FTP, SMTP, IMAP, and HTTP; their secure alternatives include SSH (for Telnet), SFTP (for FTP), IMAPS (for IMAP), and HTTPS (for HTTP).

Default settings: Default settings may enable unsecure interfaces, leaving devices vulnerable to compromise and allowing attackers to move through the network undetected. To ensure a secure environment, organizations should customize settings to their specific needs and create a well-defined default configuration baseline.

Open ports and services: To access a service, its port must be open. However, having unnecessary open ports can create potential pathways for unauthorized users to exploit. To ensure security, it's important to control the open ports and services on a system through auditing and disable any unnecessary services that run with elevated privileges.
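The list above reads naturally as a configuration baseline that a system can be audited against. The following checker is an added example (not from the original post) that encodes four of the items: open permissions, an unsecure root account, weak encryption (SSL enabled), and cleartext services. The host inventory, the sshd_config excerpt and the nginx-style ssl_protocols line are all constructed sample data.

```python
import stat
from typing import Dict, List, Tuple

# Constructed sample inventory of one host (not real data).
SAMPLE_FILES: List[Tuple[str, int]] = [
    ("/etc/shadow", 0o640),
    ("/opt/app/config.yml", 0o666),  # world-writable: an open permission
]
SAMPLE_SSHD_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n"
SAMPLE_TLS_CONFIG = "ssl_protocols SSLv3 TLSv1.2 TLSv1.3;\n"  # nginx-style directive
SAMPLE_LISTENERS: List[Tuple[str, int]] = [("tcp", 22), ("tcp", 23), ("tcp", 21), ("tcp", 443)]

# Cleartext services named in the post and the encrypted replacements it gives.
CLEARTEXT_PORTS: Dict[int, Tuple[str, str]] = {
    21: ("FTP", "SFTP"), 23: ("Telnet", "SSH"), 80: ("HTTP", "HTTPS"), 143: ("IMAP", "IMAPS"),
}

def check_open_permissions(files: List[Tuple[str, int]]) -> List[str]:
    # Open permissions: any file the "other" class may write to.
    return [f"{path}: world-writable ({oct(mode)})" for path, mode in files if mode & stat.S_IWOTH]

def check_root_login(sshd_config: str) -> List[str]:
    # Unsecure root account: direct root login over SSH still permitted.
    for line in sshd_config.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin" and parts[1].lower() == "yes":
            return ["sshd: PermitRootLogin yes allows direct root login; set it to no"]
    return []

def check_tls_protocols(tls_config: str) -> List[str]:
    # Weak encryption: any SSL version enabled (all SSL versions are deprecated).
    for line in tls_config.splitlines():
        parts = line.strip().rstrip(";").split()
        if parts and parts[0] == "ssl_protocols":
            weak = [p for p in parts[1:] if p.upper().startswith("SSL")]
            return [f"tls: deprecated protocol(s) enabled: {', '.join(weak)}"] if weak else []
    return []

def check_cleartext_services(listeners: List[Tuple[str, int]]) -> List[str]:
    # Unsecure protocols / open ports: listeners for cleartext services.
    return [f"{proto}/{port}: {CLEARTEXT_PORTS[port][0]} is cleartext; replace with {CLEARTEXT_PORTS[port][1]}"
            for proto, port in listeners if port in CLEARTEXT_PORTS]

def audit(files, sshd_config, tls_config, listeners) -> List[str]:
    return (check_open_permissions(files) + check_root_login(sshd_config)
            + check_tls_protocols(tls_config) + check_cleartext_services(listeners))

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES, SAMPLE_SSHD_CONFIG, SAMPLE_TLS_CONFIG, SAMPLE_LISTENERS):
        print("FINDING:", finding)
```

On the sample host the audit produces five findings, one per deviation from the baseline, which is the shape of report a configuration review would feed into remediation.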

6.4 Third-party risks

Third-party risk refers to potential risks and vulnerabilities arising from involving external entities, like vendors, suppliers, or contractors, in an organization's operations. Reliance on third-party services exposes organizations to security, operational, financial, and compliance risks.

Vendor management: This involves identifying needs and finding vendors that align with business goals.

  • System integration: System integration links components and services from different vendors, with the main risk being a lack of expertise in overseeing the project and excessive trust in the third-party integrator.

  • Lack of vendor support: This may occur when manufacturers stop providing assistance for a product (for example, because the product has reached its End of Life), leaving organizations vulnerable. Compensating controls become crucial in such cases.

Supply chain: The supply chain is the set of interconnected components and vendors that make up an organization's IT infrastructure. When using third-party hardware or software, maintaining local security controls is vital to mitigate the risks they introduce.

Outsourced code development: This can be a security concern due to lack of control, potential data exposure, and quality assurance issues. Mitigation includes clear security requirements and regular assessments.

Data storage: Data storage, being distributed throughout an organization, requires proper access controls and security measures to prevent risks, such as data manipulation leading to disruptions in operations. Implementing a consistent data storage policy and checklist helps secure data from becoming vulnerabilities in the system.

6.5 Improper or Weak Patch Management

Weak patch management leaves systems exposed to potential exploits. Implement centralized patch management with an update server, thorough testing, and efficient deployment.

Firmware: Firmware vulnerabilities include weaknesses in the BIOS/UEFI that controls the boot process of a PC, as well as bugs in the firmware of devices such as network cards and disk controllers. Exploits are hard to detect because firmware runs with high privilege, beneath the operating system.

Operating System: OS vulnerabilities, such as flaws in the kernel or in a shared library, can lead to privilege escalation. Promptly apply both the regular monthly patches and on-demand (out-of-band) patches.

Application: Applications run with the permissions of the user who launches them, so an exploited application vulnerability inherits those permissions. Limit user permissions and apply the manufacturer's patches promptly to protect against known vulnerabilities.

6.6 Legacy platforms

Legacy platforms are systems that are no longer supported with security patches by their developers or vendors, making them unpatchable. These systems are highly likely to contain vulnerabilities and must be protected using security controls other than patching, such as isolating them on network segments that attackers cannot reach. The risks associated with legacy platforms must be weighed against the cost of replacing them when deciding whether to keep them in use.

6.7 Impacts

Data loss occurs when information becomes inaccessible, either permanently or temporarily.

Data breaches occur when sensitive data is viewed, moved, modified, or deleted without authority. A privacy breach occurs when personal data is not gathered, maintained, or processed in accordance with applicable laws or regulations.

Data exfiltration involves the methods and tools used by an attacker to transfer data from the victim's systems to an external network or media without authorization.

Identity theft is a breach in privacy where the threat actor illegally uses the sensitive information obtained or sells the data to other malicious actors.

Financial losses are incurred due to damages, fines, and loss of business.

Reputation loss occurs when an organization loses its integrity, good name, and customers' trust.

Availability loss occurs when a company's systems are brought down, or when the organization experiences downtime due to malicious activity or disaster events, leading to a loss of revenue and customers.

END.

There are only two different types of companies in the world: those that have been breached and know it and those that have been breached and don’t know it.

Ted Schlein
