CySA+ domain #7: Common vulnerabilities
The vulnerability landscape today is wide-reaching and extends to nearly all systems, devices and applications, and vulnerabilities can come in many forms. And yet, despite this large universe of potential vulnerabilities, there is a set of common vulnerabilities that appear time after time.
This article will detail the common vulnerabilities covered on the CySA+ certification exam hosted by CompTIA. On a finer level of detail, this article will examine servers, endpoints, network infrastructure, network appliances, virtual infrastructure, mobile devices and interconnected networks. If you are preparing for the CySA+ certification exam or just looking to brush up your common vulnerability knowledge, this article is for you.
13 common vulnerabilities covered on the CySA+
Organizations all have different kinds of servers throughout the business world, but most vulnerabilities occur on web servers and database servers.
The most common vulnerabilities in web servers lie in the services they run and the web applications they host. The software on a server is normally composed of different modules, each of which may carry its own vulnerabilities.
It is pivotal to keep the web services on a web server patched; falling behind on patches leaves the server exposed to known vulnerabilities. It is also important to enable only the modules that are needed, because every enabled module enlarges the attack surface.
Database servers are mainly vulnerable in two ways: directly, and through the web applications that query them. A typical database server exploit occurs when a web application passes user-supplied data to the database without validating it. Unvalidated input exposes the database server to SQL injection attacks.
Endpoints are traditionally among the weakest points in an organization. All endpoints have different software packages, and all need their own updates so as not to be a potential vulnerability.
There is also the human factor, which can open up a new front of vulnerability (social engineering, malware and so on). Make sure to update the endpoint’s antivirus, operating system, software and host firewall regularly.
All network infrastructure devices, including routers and wireless controllers, need to be secured. Compromised infrastructure devices can further attacks and even act as a platform to attack other devices.
One sign of a potential compromise is when a network device unexpectedly reboots on its own. Sometimes the bootloader has been altered, which makes the compromise more effective and more persistent. Logs and operating system files should be checked when this occurs. It should be noted that some vendors publish hashes for the device's OS files, which may prove helpful in verifying that they have not been tampered with.
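A small integrity check of the kind the previous paragraph suggests, as an added example rather than code from the article or any vendor: it reads a sha256sum-style manifest (the "digest  filename" layout is an assumption; vendors vary) and reports each listed file as intact, altered or absent. The files and digests are constructed inside the example.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    # Stream the file so a large OS image need not fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    # Accepts the common "<hex digest>  <filename>" layout (assumed format).
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.lstrip("*")] = digest.lower()
    return expected

def verify_directory(directory, manifest_text):
    # Returns {filename: "ok" | "mismatch" | "missing"} for each manifest entry.
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        # Constant-time comparison avoids leaking how many characters matched.
        results[name] = "ok" if hmac.compare_digest(sha256_file(path), digest) else "mismatch"
    return results

def demo():
    # Constructed files standing in for a device's OS image and bootloader;
    # the manifest digests are computed here, not taken from a real vendor.
    with tempfile.TemporaryDirectory() as d:
        files = {"os-image.bin": b"constructed OS image", "bootloader.bin": b"original bootloader"}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = "".join("%s  %s\n" % (sha256_file(os.path.join(d, n)), n) for n in files)
        manifest += "0" * 64 + "  missing.bin\n"  # listed by the vendor but not on disk
        with open(os.path.join(d, "bootloader.bin"), "ab") as f:
            f.write(b"\x90")  # simulate alteration after the manifest was published
        return verify_directory(d, manifest)
```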
Some tips for a more secure network infrastructure include:
- Harden network devices using best practices (NIST, DHS)
- Send all network infrastructure device logs to a SIEM or central syslog
- Only enable necessary services
Network appliances, even those used to secure a network, have their own potential vulnerabilities. Some common vulnerabilities are:
- Appliance management interfaces without brute-force protection
- Firmware not updated (if applicable)
- Appliance model and version information exposed to unauthenticated users
Virtualization technology, including VMWare, Hyper-V, KVM and XenApp, has changed the landscape of computing since its inception. Unfortunately, just like physical infrastructure, virtual infrastructure is not without its security issues.
There are two main types of attacks covered on the CySA+ certification exam.
- VM escape: Attackers bypass the virtual machine’s isolation and interact directly with the hypervisor, which can give them a path to the other guests on the host
- Data remnants: When guests are moved to another host, information can be left behind. Attackers can access this information unless it is protected
Just like in a physical infrastructure, virtual network switches can be vulnerable to attackers. Not surprisingly, virtual switches and the software that runs them must be regularly updated and protected from attackers to prevent vulnerabilities.
Virtual management interface
Management interfaces are necessary to manage virtual infrastructure. Unfortunately, this interface can be used as an attack vector. Cybersecurity analysts need to consider the following when securing their virtual infrastructure:
- Privilege elevation: Privilege elevation can open up all guests on the host to compromise
- Live VM migration: Information shared between hosts needs to be protected during a vMotion, as it is more susceptible to attackers
To simply say mobile devices are commonplace in today’s world would be a serious understatement. They are everywhere, everyone has one, and their numbers are only growing. These devices normally move between public and organization networks, making their information security of the utmost importance.
The best way to secure your information security environment from these ubiquitous devices is by using a combination of policies and tools. Issues to keep in mind are:
- Insecure web browsing
- Insecure Wi-Fi connections
- Trojan horse applications, often coming in by way of phone apps
- Information on lost and stolen devices
- Software and device operating systems that are not updated
- Devices that contain malware or that are otherwise compromised (BYOD)
Virtual Private Networks (VPN)
VPNs assure the integrity and confidentiality of information sent across unsecured connections. VPN services need to be fully patched (up to date) and are based on either IPSec or TLS/SSL technology.
VPNs rely on cryptographic ciphers, and because of this the technology faces the same issues TLS and SSL face when insecure ciphers are used.
Industrial Control Systems/SCADA
Both ICS and SCADA are used in factories and power plants, and sometimes in critical infrastructure. A compromise of these systems can cause severe damage, and even more so when it affects critical infrastructure.
ICS/SCADA is specialized technology that is not designed with a focus on security. To secure ICS/SCADA technology, network and physical segmentation is used to prevent or mitigate attacks against it.
Cybersecurity would be a far less important subsphere of information security in a world without vulnerabilities. Unfortunately, that kind of a world is a fantasy and information security vulnerabilities are one of the biggest challenges facing enterprise today.
While technology has more or less kept pace with new vulnerabilities, it is crucial to be aware of common vulnerabilities. If you keep this article in mind, you will be in a good position to earn a passing score on this section of the CompTIA CySA+ certification exam.