Vulnerabilities

Common security threats discovered through vulnerability assessments

December 9, 2020 by Dimitar Kostadinov

A vulnerability assessment can efficiently highlight a huge number of diverse security issues. Here are our top 10 security threats that companies may stumble upon when they perform vulnerability assessments.

Security misconfiguration

That is likely the most common security issue encountered in the wake of a vulnerability assessment. One can consider that there is a security misconfiguration whenever the implementation of security controls concerning a specific server or a web application is rife with errors or simply fails. 

In 2017, an unsecured Amazon S3 bucket exposed the phone numbers and account PINs of around 14 million Verizon subscribers. Anyone with the right web address could download this data. 

Outdated or unpatched software

It is common knowledge that some applications consist of millions of lines of code that is not always properly tested against every known threat. For whatever reason, despite the best efforts of software developers, products are coming out to the market with bugs, errors and all sorts of vulnerabilities. In this regard, the best way for developers to remediate the issues is to deploy patches.

This process is an ongoing battle – major companies like Microsoft and Apple release patches every day. Sometimes software and hardware vendors announce end-of-life dates; that is when a product will be no longer supported with security updates. For instance, Microsoft ceased the support of Windows 7 OS after January 14, 2020.

Lack of input validation

Input validation is a process that takes place every time an application receives an input which is then tested against a predefined standard within the application. In essence, this process ensures that only properly formed data will enter the information system; otherwise, if malformed data is accepted, this may trigger a malfunction of some components.

The lack of input validation is a common security vulnerability on web-based applications, which allows adversaries to instigate buffer overflow, canonicalization and various injection attacks. 

Code injection attacks

SQL injection

SQL injection vulnerabilities “open the gates” of websites and applications to cybercriminals, giving them an opportunity to insert malicious code or commands via legitimately existing website/application input forms that the server misinterprets as if they are submitted by the developers. At the heart of the problem is the fact that user inputs are accepted without restriction or proper validation.

If the injection attack is successful, it can result in data breaches, data corruption, data leaks, denial of access and loss of accountability. 

Cross-site scripting (XSS)

Instead of targeting the website itself, this attack is directed towards a specific user or a group of users who visit the website/application. Because the website/application is injected with malicious code, the user(s) can get infected when he or she accesses the said platform.

Consequences can take the shape of all kinds of nuisances ranging from hijacking clients’ browsers to a loss of valuable data.

Vulnerable communication protocols

Unfortunately, they can be vulnerable to cyber attacks, and some are to a greater extent than others. To give an example, Hypertext Transfer Protocol Secure (HTTPS) offers much better protection than HTTP. SSL certificates in general harden systems against all kinds of exploits.

In fact, some industries have demanded this action as a standard requirement – June 30, 2018, was the deadline for disabling support for SSL and early versions of TLS (up to and including TLS 1.0) pursuant to the PCI Data Security Standard. 

If we take a look at some other types of protocols, the situation is no different. Due to flaws in the GTP protocol, for instance, 5G networks are found to be vulnerable to several cyber attacks. After conducting a vulnerability assessment, Dmitry Kurbatov, CTO at Positive Technologies stated for BetaNews, “Every network tested was found to be vulnerable to DoS, impersonation and fraud. In practice, this means that attackers could interfere with network equipment and leave an entire city without communications, defraud operators and customers, impersonate users to access various resources, and make operators pay for non-existent roaming services. Moreover, the risk level is very high: some of these attacks can be performed using just a mobile phone.

Insecure defaults

It is a common practice for software and hardware products to come off the production line with insecure settings (e.g., a default password that is easy to guess). That is good from a usability perspective, but unfortunately, many people leave, for some reason, these configurations remain unchanged, which can be detrimental to their security and privacy.

Also, leaving default credentials unchanged, and weak credentials in general, is the Achilles heel of the Internet of Things (IoT) security, and perhaps that has been best highlighted by the rise of the Mirai botnet.

Weak user authentication

Common usernames and weak passwords are a leading cause for concern among many businesses.

Credentials are weak either because the company’s policy and enforcement of authentication are flawed or it is employees’ fault. In the first case, management could implement a more stringent password policy in combination with technical solutions such as multi-factor authentication, whereas frequent security awareness programs and training are rather appropriate to alleviate the second issue.

Least privilege not enforced

Password sharing across the company is a perilous practice because it makes using passwords a measure that is pointless. Furthermore, it also makes it pointless to use important security principles like the least privilege. Because they provide administrative access to systems or specific devices, privilege access credentials usually pose a higher risk to the company than regular user credentials.

In the context of IoT, smart devices (as well as servers and some security tools) operate with passwords that allow communication and integration among them. What may exacerbate the initial point of compromise is the fact that such machine-to-machine credentials can be employed to facilitate lateral movement throughout the enterprise. In the Target breach, for example, attackers managed to obtain Active Directory credentials and sneak into the enterprise payment network.

Sensitive data exposure

One of the most prevalent signs of negligent behavior is demonstrated when leaving unencrypted sensitive data out in the open. Even if the owner/custodian of the data chooses to encrypt his data, he should do so properly, using strong key generation and management, reliable algorithm and password hashing techniques. 

7Safe’s lead penetration tester, Aleksander Gorkowienko, reminded us how a company like the extramarital affair dating website Ashley Madison that stores sizable customer sensitive data could have prevented the fallout in 2015 if the data was encrypted: “When assessing the security implications of this breach, we should take a step back from the moral issues of what Ashley Madison was encouraging its customers to do and think firstly about the business implications of the theft: would any of us in industry trust a supplier that stored its sensitive data unencrypted on servers connected to the internet? And yet it appears from the uploaded data dumps that the dating website did just that…

Insufficient logging & monitoring

Provided that you do not have these measures working effectively, then you expose yourself to continuous exploitation of your system. Simply put, your organization is blind to a stealthy cyberattack as it can detect neither the initial compromise nor its further entry into the system where more damage can be done.

Additionally, at some point after the cyber exploitation is noticed, digital forensic experts may have a difficult time gathering enough data during their investigation. As one forensic expert ascertained, “If You Have Zero Incidents, You Probably Lack Monitoring”.

Sources

  1. 8 Common Cyber Attack Vectors and How to Avoid Them, Balbix
  2. 10 Most Common Web Security Vulnerabilities, Toptal
  3. A Guide to Application Security Assessments, LBMC
  4. Cyber Security Awareness: 7 Ways Your Employees Make Your Business Vulnerable to Cyber Attacks, Kaspersky Lab
  5. Common Types Of Network Security Vulnerabilities In 2020, PurpleSec LLC
  6. How to mitigate the most important vulnerabilities in 2020, Panda Security
  7. Improving Efficiency Of Vulnerability Assessment In NFV Based Cloud Networks, HCL Technologies
  8. Input Validation Cheat Sheet, CheatSheets Series Team
  9. Insecure Network Protocols: The Hidden Dangers, Packetlabs.
  10. Most Common Cyber Security Threats and How to Mitigate Them, Monovm
  11. Most Common Cyber Vulnerabilities Part 3 (Sensitive Data Exposure), EC-Council
  12. Most Common Cyber Vulnerabilities Part 5 (Security Misconfiguration), EC-Council
  13. OWASP TOP 10: Security Misconfiguration, Detectify
  14. Protocol flaws leave 5G and other mobile networks open to vulnerabilities, BetaNews, Inc.
  15. Reduce Your Risk with Threat and Vulnerability Management, Certitude Security
  16. TCP/IP Vulnerabilities, Finjan Holdings, Inc.
  17. TLS Security 6: Examples of TLS Vulnerabilities and Attacks, Acunetix
  18. Top Database Security Threats and How to Mitigate Them, SHRM
  19. Understanding Cloud Computing Vulnerabilities, InfoQ.com
  20. Understanding Vulnerability Scoring: CVSS Explained, Contemporary Computer Services, Inc.
  21. Vulnerability assessment, Imperva
  22. What is Code Injection and How to Avoid It, Netsparker Ltd.
  23. What is Security Misconfiguration and How to Avoid It, Guardicore
  24. What is SSL, TLS? And how this encryption protocol works, CSO from IDG
Posted: December 9, 2020
Articles Author
Dimitar Kostadinov
View Profile

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.

Leave a Reply

Your email address will not be published. Required fields are marked *