1.0 Threats, Attacks, and Vulnerabilities.

1.6 Explain the security concerns associated with various types of vulnerabilities.

Last edited 835 days ago by Makiel [Muh-Keel].

Zero-Day

Zero Days are vulnerabilities that are not known to other attackers or cybersecurity teams. Zero-day attacks are particularly dangerous because they are unknown to product vendors, and therefore, no patches are available to correct them.
Attackers who exploit zero-day vulnerabilities are often able to easily compromise their targets.

Weak Configurations

Weak configurations can be an easy pothole to cover before things get really serious. Configuring strong security settings should be one of your base preemptive layers of security. Leaving a device on default factory settings makes it open season for any semi-clever adversary.

Open permissions

Open Permissions is the mistake of not applying any authentication or passwords to data placed online.
Giving non-admin users access they don't need violates the principle of least privilege.
Not securing the information you put on the internet is leaving the front door open for adversaries to walk in.
Becoming more common as Cloud technology advances.
Attackers constantly search through cloud repositories to find any ‘unlocked door’ or any easy point of access.
Make sure the data you put on the cloud is properly secured, or kiss it bye bye.

Unsecure Root Accounts

Leaving root accounts or admin accounts unsecured is like leading a lamb to a pack of wolves; slaughter is imminent.
Accounts are considered unsecured when they have weak, easily researchable default passwords, or no password at all.
Securing these root accounts with some method of secure authentication is a must.
Attackers can gain full control of your operating system this way.
Access to root and admin accounts should be closely monitored considering entrance to these accounts could mean catastrophe.
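On a Linux host the conditions described above show up directly in the account files: a second UID-0 account, an empty password field, or a hash produced by an algorithm that is trivial to crack. Below is an added example (not from the original notes) that audits /etc/passwd and /etc/shadow style records for exactly those problems. The account lines are constructed for the example and the hash values are placeholders, not real hashes.

```python
# Constructed sample records in /etc/passwd and /etc/shadow format (not real accounts).
PASSWD_LINES = """root:x:0:0:root:/root:/bin/bash
backup:x:0:0:legacy backup:/var/backups:/bin/sh
svc:x:1001:1001:service:/home/svc:/usr/sbin/nologin
dev:x:1002:1002:developer:/home/dev:/bin/bash
""".splitlines()

SHADOW_LINES = """root:$6$rounds=5000$saltsalt$placeholderhashvalue:19700:0:99999:7:::
backup::19700:0:99999:7:::
svc:*:19700:0:99999:7:::
dev:$1$abcd$placeholdermd5hashvalue:19700:0:99999:7:::
""".splitlines()


def parse_colon_file(lines):
    """Split colon-separated records, skipping blank lines and comments."""
    return [line.split(":") for line in lines if line.strip() and not line.startswith("#")]


def audit_accounts(passwd_lines, shadow_lines):
    """Return (account, finding) pairs for: extra UID-0 accounts, accounts with an
    empty password field, and password hashes made with weak algorithms."""
    findings = []

    # Any account with UID 0 is root, whatever it is called.
    uid0 = {row[0] for row in parse_colon_file(passwd_lines) if row[2] == "0"}
    for name in sorted(uid0 - {"root"}):
        findings.append((name, "extra UID-0 account (another root)"))

    for row in parse_colon_file(shadow_lines):
        name, hash_field = row[0], row[1]
        if hash_field == "":
            findings.append((name, "empty password field: login without a password"))
        elif hash_field.startswith(("!", "*")):
            continue  # locked or disabled: no password login possible
        elif hash_field.startswith("$1$"):
            findings.append((name, "MD5-crypt hash: weak, rehash with sha512 or yescrypt"))
        elif "$" not in hash_field and len(hash_field) == 13:
            findings.append((name, "legacy DES crypt hash"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(PASSWD_LINES, SHADOW_LINES):
        print(f"{account}: {finding}")
```

Reading the real /etc/shadow needs root, which is itself a reason to run a check like this from a privileged configuration-management job rather than an ad hoc script, and to alert on every read of that file.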

Errors

Error messages are commonly used to give users an idea of what’s wrong, but occasionally we come across error messages that give out too much information.
Savvy attackers can reverse engineer these error messages and extract useful information utilized in compromising your system.
It’s important to monitor any error message that populates after attempting to access databases or critical pots of information.
Debug Mode is a great example.
Debug mode normally gives in-depth information about the inner-workings of an application or server and their relation to databases.
Great for Developers! Even greater for attackers!
Greater for attackers using debug mode, because if an adversary is capable, they have the ability to gain information about the structure of a database, its relation to said app or server, and in-depth knowledge about the authentication methods used to access the resource.
Preventative Measures
Solving this issue requires the cooperation of developers and disabling debug modes on systems with public exposure.
Mature organizations have a dedicated lab or developer environment where debugging is encouraged.
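The difference between a debug-mode error and a production error is what reaches the client. The following is an added example, not code from the original notes, that puts the two behaviours side by side for a failing database call: the verbose handler returns the raw traceback (table and column names, the query itself), the hardened one logs those details server-side under a reference id and returns only that id. The `lookup_account` function and its error text are constructed stand-ins.

```python
import logging
import traceback
import uuid

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("app")


class DatabaseError(Exception):
    pass


def lookup_account(account_id):
    """Constructed stand-in for a database call: always fails with the kind of
    message that leaks schema details if it is ever shown to a user."""
    raise DatabaseError(
        'relation "accounts" has no column "acct_id" '
        f"(query: SELECT * FROM accounts WHERE acct_id={account_id})"
    )


def handle_request_verbose(account_id):
    """Debug-mode behaviour: exception text and traceback go straight to the client."""
    try:
        return 200, lookup_account(account_id)
    except Exception:
        return 500, traceback.format_exc()


def handle_request_hardened(account_id):
    """Production behaviour: full details are logged server-side with a reference id;
    the client gets a generic message plus that id so support can find the log entry."""
    try:
        return 200, lookup_account(account_id)
    except Exception as exc:
        incident_id = uuid.uuid4().hex[:8]
        log.error("incident %s: %s", incident_id, exc, exc_info=True)
        return 500, f"An internal error occurred. Reference: {incident_id}"


if __name__ == "__main__":
    print("--- debug mode ---")
    print(handle_request_verbose(7)[1])
    print("--- production ---")
    print(handle_request_hardened(7)[1])
```

The reference id is what makes the generic message usable: the developer still gets the full traceback, just from the log rather than from the browser.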

Unsecure Protocols

Many of the older protocols built in the early days of the internet were not created with any security in mind. This leaves some protocols on the ‘Do not Use’ list for anything that needs securing.
These unsecure protocols often failed to use encryption to protect usernames, passwords, and any content sent over an open network. This leaves anybody using these unsecure protocols vulnerable to eavesdropping attacks.
This list includes the following:
Telnet
FTP
SMTP
IMAP
Fortunately, a lot of these protocols have a secured alternative:
SSH - Telnet
SFTP - FTP
SMTPS - SMTP
IMAPS - IMAP

Weak Encryption

Encryption is a crucial security control used in every cybersecurity program to protect stored data and data in transit over networks. Weak encryption is a fundamental flaw in any security ecosystem.
Encryption must be configured securely to ensure optimal data protection.
Implementing encryption comes down to two questions:
What algorithm are you using for your encryption?
What encryption key are you using to decrypt the data?
The answers to both of these questions will have an intense and immediate impact on the security of your environment.
Encryption too weak? Attackers break in easily.
Encryption Key too easily guessable or un-complex? Adversaries break in using a cryptographic attack.
When it comes to encryption, be sure to research the following:
The encryption protocol used.
Web Servers and clients should be using the strongest protocols.
The length of the encryption key being used (is it 40-bit, 128-bit, or 256-bit?).
The hash used for the integrity check (SHA, MD5).
Be sure you aren’t using any outdated hashes.
The wireless encryption protocol used if needed.
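The checklist above (protocol version, key length, integrity hash, wireless protocol) can be turned into an automated review of a server's crypto settings. Below is an added example, not code from the original notes, that audits a configuration record against those points and additionally picks apart OpenSSL-style cipher suite names for weak components such as export-grade keys, RC4, DES and MD5. Both configuration records are constructed for the example; the thresholds (TLS 1.2 minimum, 128-bit minimum key) are current common practice, not values from the page.

```python
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
MIN_SYMMETRIC_BITS = 128
BROKEN_HASHES = {"MD5", "SHA1", "SHA-1"}
BROKEN_WIRELESS = {"WEP", "WPA"}
# Tokens inside OpenSSL-style suite names that signal a weak component.
WEAK_SUITE_TOKENS = {
    "NULL": "no encryption at all",
    "EXP": "export-grade (40-bit) key",
    "RC4": "RC4 stream cipher",
    "DES": "DES/3DES block cipher",
    "MD5": "MD5 MAC",
    "SHA": "SHA-1 MAC (prefer AEAD suites such as AES-GCM)",
}

# Constructed configuration records (not from the page): a weak one and a strong one.
WEAK_CONFIG = {
    "tls_protocols": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "symmetric_key_bits": 40,
    "integrity_hash": "MD5",
    "wireless": "WEP",
    "cipher_suites": ["EXP-RC4-MD5", "ECDHE-RSA-AES256-GCM-SHA384"],
}
STRONG_CONFIG = {
    "tls_protocols": ["TLSv1.2", "TLSv1.3"],
    "symmetric_key_bits": 256,
    "integrity_hash": "SHA-256",
    "wireless": "WPA3",
    "cipher_suites": ["TLS_AES_256_GCM_SHA384"],
}


def audit_encryption(cfg):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    for proto in cfg.get("tls_protocols", []):
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"protocol {proto} is deprecated; allow only TLSv1.2 and TLSv1.3")
    bits = cfg.get("symmetric_key_bits", 0)
    if bits < MIN_SYMMETRIC_BITS:
        findings.append(f"{bits}-bit symmetric key is below the {MIN_SYMMETRIC_BITS}-bit minimum")
    digest = cfg.get("integrity_hash", "").upper()
    if digest in BROKEN_HASHES:
        findings.append(f"{digest} is not acceptable for integrity checks; use SHA-256 or stronger")
    if cfg.get("wireless") in BROKEN_WIRELESS:
        findings.append(f"wireless {cfg['wireless']} is broken; use WPA2-AES or WPA3")
    for suite in cfg.get("cipher_suites", []):
        # Suite names are dash-separated; "SHA" alone means SHA-1, "SHA384" does not match.
        for token in suite.upper().split("-"):
            if token in WEAK_SUITE_TOKENS:
                findings.append(f"cipher suite {suite}: {WEAK_SUITE_TOKENS[token]}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("strong", STRONG_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_encryption(cfg) or ["no findings"]:
            print(" -", finding)
```

The token check is deliberately exact-match: it flags `EXP-RC4-MD5` three times (export key, RC4, MD5 MAC) and leaves `ECDHE-RSA-AES256-GCM-SHA384` alone, because `SHA384` is a different token from `SHA`.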

Default Settings

A lot more devices are being created with network capabilities, meaning that these devices will come with Default Settings (default username + password).
It’s important to ensure that the default settings for these IoT devices (Door Bells, cameras, garage doors, thermostat, refrigerators, etc) are turned off, and new login credentials are created.
Example: Mirai Botnet
Botnet that takes control of several different types of IoT devices by taking advantage of the default login credentials (has 60+ default login credentials stored).
Compromised IoT devices become enslaved to a bigger botnet and used for nefarious purposes.
Mirai Botnet is now open-source
Attackers can download the source code and modify it to fit whatever objective they have in mind.

Open Ports and Services

In order for services and protocols to be used over the network, we have to allow or ‘open’ these ports/services. By doing so, we create an obvious security concern.
Opening these network ports creates an opening in our servers.
This is often managed and overseen by a Firewall:
ACLs are used to allow or disallow anyone or packet types from accessing our internal network.
The security professional or network engineer will normally audit the rule set and make sure all rules are up-to-date and verify IP addresses, port numbers, or any other services allowed/disallowed.
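The rule-set audit described here and the ‘Do not Use’ protocol list from the Unsecure Protocols section above fit together naturally: a firewall review should catch both any-to-any allows and ports that carry cleartext protocols. Below is an added example, not code from the original notes, that runs that review over a small access list. The rule set and its format are constructed for the example; the port numbers (Telnet 23, FTP 21, SMTP 25, IMAP 143 and their encrypted replacements) are the standard ones.

```python
import ipaddress

# Cleartext protocols from the notes, keyed by port, with the secured alternative.
UNSECURE_PORTS = {
    23: ("Telnet", "SSH (22)"),
    21: ("FTP", "SFTP (22)"),
    25: ("SMTP", "SMTPS (465)"),
    143: ("IMAP", "IMAPS (993)"),
}

# Constructed rule set (not from the page): evaluated top to bottom like an ACL.
RULES = [
    {"id": 10, "action": "allow", "src": "0.0.0.0/0", "dport": 443, "proto": "tcp"},
    {"id": 20, "action": "allow", "src": "0.0.0.0/0", "dport": 23, "proto": "tcp"},
    {"id": 30, "action": "allow", "src": "10.0.0.0/8", "dport": 21, "proto": "tcp"},
    {"id": 40, "action": "allow", "src": "0.0.0.0/0", "dport": "any", "proto": "any"},
    {"id": 50, "action": "deny", "src": "0.0.0.0/0", "dport": "any", "proto": "any"},
]


def is_internet_wide(cidr):
    """True for a source that matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_rules(rules):
    """Return (rule id, severity, message) for allow rules that need attention:
    any-port/any-source allows, and allows for ports carrying cleartext protocols
    (worse when the source is the whole internet)."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        wide = is_internet_wide(r["src"])
        if r["dport"] == "any" and wide:
            findings.append((r["id"], "CRITICAL", "allows any port from any source"))
            continue
        if r["dport"] in UNSECURE_PORTS:
            name, alternative = UNSECURE_PORTS[r["dport"]]
            severity = "HIGH" if wide else "MEDIUM"
            findings.append((r["id"], severity, f"{name} is cleartext; use {alternative} instead"))
    return findings


if __name__ == "__main__":
    for rule_id, severity, message in audit_rules(RULES):
        print(f"rule {rule_id} [{severity}]: {message}")
```

Rule 30 is still flagged even though its source is an internal range, because an internal FTP login crosses the network in cleartext just the same; the lower severity only reflects who can reach it.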

Third-Party Risks

Security Policies don’t change because it’s a third party; If anything, security policies are more closely monitored because it is a Third-Party Risk.
We’re putting a great deal of trust in these third parties by trusting they’ll implement proper IT security policies.

Always prepare for the worst!

Keep a contingency plan or failsafe security procedure in case a breach does originate from one of your third parties, whether through outright malicious intent or configuration mistakes.
We’re all human, so we make mistakes; sometimes third parties aren’t security-oriented, so it’s up to us to educate them to the greatest extent while simultaneously preparing for a very possible breach from their end.

Vendor Management

System Integration Risk

A Third-Party may need to have additional internal access to your system to do their jobs. An example of this could be:
Developers who need internal access to an environment.
Hosting Services.
Cloud Providers.
Even if not on site, they will need access to the data (whether that’s on-site or virtual).
They are a significant security risk because they are past all the perimeter security that impedes any other unauthorized foreign entities.
These guys have internal access to our brain, guts, and internal organs; They can also run software in our internal network.
They could do it all.
Inject Malware, Inject spyware, use port scanners, packet sniffers.
And sometimes all this is done inadvertently without them even knowing; they could be used as a trojan horse for unknown adversaries who’ve been waiting for weeks.

Lack Of Vendor Support

It’s part of our job to make sure the vendor knows a problem exists, but even then, it’s up to the vendor to:
Believe the security concern is actually serious.
Be motivated enough to keep those systems up-to-date and safe.
Take the necessary action to resolve the security concern/vulnerability.
We can’t do everything ourselves, so it’s important to partner with vendors who are motivated, quick, and diligent enough to react to security vulnerabilities as they come.
Below is an example of a vendor who didn’t care to patch vulnerabilities until 2 years later.

Supply-Chain Risks

95% of all equipment comes from a third-party. We are not omnipresent or omniscient, we can’t be everywhere all at once. It’s important for us to at least stay alert and stay on-top of local security controls configured once the hardware/software reaches our front doors.
There are many steps involved in the supply chain process, and at each step there’s potential for security intrusion.
We can’t control what happens in those steps, but we can control how our local security policies lock adversaries down.
Malware-ridden Software
Although rare, it is not impossible that trusted software from a vendor arrives pre-infected with malware before it even makes it to your system.
Counterfeit Hardware
Bogus and bootleg vendor hardware is also a security concern.
Be sure to carefully examine all vendor hardware before setting it up at your location.

Outsourced Code Development

Not every organization is mature enough or has the need for a dedicated internal developer. Outsourcing Code development is the only other viable option.
Building a monitorable, secure environment for these 3rd-party developers to work in is a necessity. This environment can be built in different ways, but the security configuration comes down to how the code is stored:
Internal-access over a VPN
Used when the data or repository is stored on-premise.
Using a VPN creates a secure tunnel for data encapsulation.
Cloud-Based access
If the repository is not on-premise, it can be kept on a cloud-based server where it is accessible from anywhere.
Be sure the correct security controls are created in order to properly secure access to the repository.
Network segmentation for the development team is also needed so it’s isolated from the production environment.
Once the code has been completed and the application is in production, it needs to be checked for any backdoors. The data used in the application needs to be validated and securely stored using some form of encryption.

Data Storage

Cloud-based data storage will always store data in a separate 3rd-party location. Because of this, it’s important to ensure the data in transit in and out is always encrypted.
This data could potentially be highly sensitive information, so it’s important to exercise the proper security policies for said data:
Health Records
Financial Information
Government Documents
Encryption is normally the Go-To option for securing data in-transit.
It’s important to properly manage and maintain the encryption at all times.


Improper or Weak Patch Management

Applying security patches to systems should be one of the core practices of any information security program, but this routine task is often neglected due to a lack of resources for preventive maintenance.
One of the most common alerts from a vulnerability scan is that one or more systems on the network are running an outdated version of an operating system or application and require security patches.
Patch Management is often centrally managed by a group of security professionals who first deploy the patches in a lab environment to gauge the effects before deciding if they’re clear to deploy to the production environment.
These patches may be associated with the following:

Firmware

Sometimes the BIOS will need a security patch.

Operating System

These are the monthly Windows and Linux OS patches constantly released.

Applications

Could also be patches associated with a particular application and provided by the manufacturer.
Be sure any workstation that has this application gets any critical patch needed.


Legacy Platforms

Software vendors eventually discontinue support for every product they make. This is true for operating systems as well as applications. After these OS or apps are discontinued, they are considered Legacy Platforms.
Once they announce the final end of support for a product, organizations that continue running the outdated software put themselves at a significant risk of attack.
In most cases, your organization will not be able to simply convert over once the legacy platform loses support.
This can be due to the legacy platform performing a critical or semi-important function whose replacement would require a considerable amount of time and effort that your organization may not have on demand.
You’ll have to implement your own security policies and configurations in order to keep the legacy platform in compliance.
This could be the following:
Add additional firewall rules
IPS signature capture for older technology.
It’s of course up to the security administrator to weigh the pros and cons of still having this legacy platform in production.
The vendor simply will not investigate or correct security flaws that arise in the product after that date, and believe me when I say this is not a situation your organization wants to be in.
Always closely monitor the life cycle of any software currently being used in your environment.
Keep track of any updates or announcements regarding manufacturer support.
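Tracking patch levels (the Improper or Weak Patch Management section above) and tracking vendor end-of-support dates (this section) are the same inventory job looked at from two angles. Below is an added example, not code from the original notes, that runs both checks over a software inventory: hosts running an older version than the vendor's current release are marked OUTDATED, and anything whose support has ended is marked LEGACY so it can get the extra firewall rules and IPS signatures the notes recommend. The inventory, product names, versions and end-of-support date are constructed for the example.

```python
from datetime import date

# Constructed inventory (not from the page). "latest" is the vendor's current release,
# "eos" the vendor's announced end-of-support date (None = still supported).
INVENTORY = [
    {"host": "web01", "product": "ExampleOS", "installed": "10.0.3", "latest": "10.0.7", "eos": None},
    {"host": "web01", "product": "ExampleApp", "installed": "2.4.1", "latest": "2.4.1", "eos": None},
    {"host": "db02", "product": "ExampleOS", "installed": "10.0.7", "latest": "10.0.7", "eos": None},
    {"host": "hmi03", "product": "LegacyOS", "installed": "7.1.0", "latest": "7.1.0", "eos": date(2020, 1, 14)},
    {"host": "fw01", "product": "RouterFW", "installed": "1.9", "latest": "1.12", "eos": None},
]


def version_tuple(version):
    """Compare dotted numeric versions numerically, so 1.9 < 1.12 (string compare gets this wrong)."""
    return tuple(int(part) for part in version.split("."))


def audit_inventory(inventory, today):
    """Return (host, product, category, message) for each item that is unsupported
    (LEGACY) or behind the vendor's current release (OUTDATED)."""
    findings = []
    for item in inventory:
        host, product = item["host"], item["product"]
        if item["eos"] is not None and item["eos"] <= today:
            days = (today - item["eos"]).days
            findings.append((host, product, "LEGACY",
                             f"vendor support ended {days} days ago; isolate with firewall rules "
                             f"and IPS signatures, and plan the migration"))
        elif version_tuple(item["installed"]) < version_tuple(item["latest"]):
            findings.append((host, product, "OUTDATED",
                             f"installed {item['installed']}, current release is {item['latest']}; "
                             f"patch after lab testing"))
    return findings


if __name__ == "__main__":
    for host, product, category, message in audit_inventory(INVENTORY, date.today()):
        print(f"{host} {product} [{category}]: {message}")
```

A LEGACY item is reported once, even when it is also behind on patches, since the vendor is not producing patches for it any more and the remediation is different. The version comparison assumes plain dotted numeric versions; products that express patch level some other way (build numbers, KB identifiers) need their own comparison.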

Vulnerability Impacts

Malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 according to the –
These impacts created by vulnerabilities are the reason security professionals put food on their tables.

Data Loss

Sometimes losing the data can be worse than losing any amount of money.
The data can be leveraged to commit monumental cyber crimes.
Thousands of databases can be stolen, modified, or deleted.
Always keep a readily available backup of your data.

Identity Theft

Sometimes adversaries don’t delete the data, but steal it and sell it for either financial gain or leverage the stolen identities for an even bigger attack.

Financial Loss

Financial Loss is the most obvious concern. Leaving your internal network riddled with critical vulnerabilities increases the chances of attackers compromising it, then riding off with any monetary assets that were stored in it.
March 2016 - Bank of Bangladesh was compromised and a request for $81M was successfully processed.

Reputation

Successful hacks to your organization will most definitely make people think twice about doing business with you. No one wants to store resources with a company that’s consistently been an easy kill for adversaries.
A lot of times, it’s hard to gain lost trust after a major breach due to just how serious hacks are.

Availability Loss

Attackers may not want to steal data or money; Sometimes their goal is to cause as much damage to your network as possible. By doing so, the uptime and availability of your product or resource will be compromised.
Someone taking advantage of a vulnerability may cause an outage, downtime, and cause the system to become unavailable.
Your company will essentially be ‘out of business’ until either the breach is contained or the ransom is paid.