Common security threats discovered through vulnerability assessments

December 9, 2020 by

Dimitar Kostadinov

A vulnerability assessment can efficiently highlight a huge number of diverse security issues. Here are our top 10 security threats that companies may stumble upon when they perform vulnerability assessments.

Security misconfiguration

That is likely the most common security issue encountered in the wake of a vulnerability assessment. One can consider that there is a security misconfiguration whenever the implementation of security controls concerning a specific server or a web application is rife with errors or simply fails. 

In 2017, an unsecured Amazon S3 bucket exposed the phone numbers and account PINs of around 14 million Verizon subscribers. Anyone with the right web address could download this data. 

Learn Vulnerability Assessments

Seven courses build the skills needed to perform a custom vulnerability assessment for any computer system, application or network.

Start Learning

Outdated or unpatched software

It is common knowledge that some applications consist of millions of lines of code that is not always properly tested against every known threat. For whatever reason, despite the best efforts of software developers, products are coming out to the market with bugs, errors and all sorts of vulnerabilities. In this regard, the best way for developers to remediate the issues is to deploy patches.

This process is an ongoing battle – major companies like Microsoft and Apple release patches every day. Sometimes software and hardware vendors announce end-of-life dates; that is when a product will be no longer supported with security updates. For instance, Microsoft ceased the support of Windows 7 OS after January 14, 2020.

Lack of input validation

Input validation is a process that takes place every time an application receives an input which is then tested against a predefined standard within the application. In essence, this process ensures that only properly formed data will enter the information system; otherwise, if malformed data is accepted, this may trigger a malfunction of some components.

The lack of input validation is a common security vulnerability on web-based applications, which allows adversaries to instigate buffer overflow, canonicalization and various injection attacks. 

Code injection attacks

SQL injection

SQL injection vulnerabilities “open the gates” of websites and applications to cybercriminals, giving them an opportunity to insert malicious code or commands via legitimately existing website/application input forms that the server misinterprets as if they are submitted by the developers. At the heart of the problem is the fact that user inputs are accepted without restriction or proper validation.

If the injection attack is successful, it can result in data breaches, data corruption, data leaks, denial of access and loss of accountability. 

Cross-site scripting (XSS)

Instead of targeting the website itself, this attack is directed towards a specific user or a group of users who visit the website/application. Because the website/application is injected with malicious code, the user(s) can get infected when he or she accesses the said platform.

Consequences can take the shape of all kinds of nuisances ranging from hijacking clients’ browsers to a loss of valuable data.

Vulnerable communication protocols

Unfortunately, they can be vulnerable to cyber attacks, and some are to a greater extent than others. To give an example, Hypertext Transfer Protocol Secure (HTTPS) offers much better protection than HTTP. SSL certificates in general harden systems against all kinds of exploits.

In fact, some industries have demanded this action as a standard requirement – June 30, 2018, was the deadline for disabling support for SSL and early versions of TLS (up to and including TLS 1.0) pursuant to the PCI Data Security Standard. 

If we take a look at some other types of protocols, the situation is no different. Due to flaws in the GTP protocol, for instance, 5G networks are found to be vulnerable to several cyber attacks. After conducting a vulnerability assessment, Dmitry Kurbatov, CTO at Positive Technologies stated for BetaNews, "Every network tested was found to be vulnerable to DoS, impersonation and fraud. In practice, this means that attackers could interfere with network equipment and leave an entire city without communications, defraud operators and customers, impersonate users to access various resources, and make operators pay for non-existent roaming services. Moreover, the risk level is very high: some of these attacks can be performed using just a mobile phone."

Insecure defaults

It is a common practice for software and hardware products to come off the production line with insecure settings (e.g., a default password that is easy to guess). That is good from a usability perspective, but unfortunately, many people leave, for some reason, these configurations remain unchanged, which can be detrimental to their security and privacy.

Also, leaving default credentials unchanged, and weak credentials in general, is the Achilles heel of the Internet of Things (IoT) security, and perhaps that has been best highlighted by the rise of the Mirai botnet.

Weak user authentication

Common usernames and weak passwords are a leading cause for concern among many businesses.

Credentials are weak either because the company’s policy and enforcement of authentication are flawed or it is employees’ fault. In the first case, management could implement a more stringent password policy in combination with technical solutions such as multi-factor authentication, whereas frequent security awareness programs and training are rather appropriate to alleviate the second issue.

Least privilege not enforced

Password sharing across the company is a perilous practice because it makes using passwords a measure that is pointless. Furthermore, it also makes it pointless to use important security principles like the least privilege. Because they provide administrative access to systems or specific devices, privilege access credentials usually pose a higher risk to the company than regular user credentials.

In the context of IoT, smart devices (as well as servers and some security tools) operate with passwords that allow communication and integration among them. What may exacerbate the initial point of compromise is the fact that such machine-to-machine credentials can be employed to facilitate lateral movement throughout the enterprise. In the Target breach, for example, attackers managed to obtain Active Directory credentials and sneak into the enterprise payment network.

Sensitive data exposure

One of the most prevalent signs of negligent behavior is demonstrated when leaving unencrypted sensitive data out in the open. Even if the owner/custodian of the data chooses to encrypt his data, he should do so properly, using strong key generation and management, reliable algorithm and password hashing techniques. 

7Safe’s lead penetration tester, Aleksander Gorkowienko, reminded us how a company like the extramarital affair dating website Ashley Madison that stores sizable customer sensitive data could have prevented the fallout in 2015 if the data was encrypted: “When assessing the security implications of this breach, we should take a step back from the moral issues of what Ashley Madison was encouraging its customers to do and think firstly about the business implications of the theft: would any of us in industry trust a supplier that stored its sensitive data unencrypted on servers connected to the internet? And yet it appears from the uploaded data dumps that the dating website did just that…”

Insufficient logging & monitoring

Provided that you do not have these measures working effectively, then you expose yourself to continuous exploitation of your system. Simply put, your organization is blind to a stealthy cyberattack as it can detect neither the initial compromise nor its further entry into the system where more damage can be done.

Additionally, at some point after the cyber exploitation is noticed, digital forensic experts may have a difficult time gathering enough data during their investigation. As one forensic expert ascertained, “If You Have Zero Incidents, You Probably Lack Monitoring”.

Learn Vulnerability Assessments

Seven courses build the skills needed to perform a custom vulnerability assessment for any computer system, application or network.

Start Learning

Sources

1. 8 Common Cyber Attack Vectors and How to Avoid Them, Balbix
2. 10 Most Common Web Security Vulnerabilities, Toptal
3. A Guide to Application Security Assessments, LBMC
4. Cyber Security Awareness: 7 Ways Your Employees Make Your Business Vulnerable to Cyber Attacks, Kaspersky Lab
5. Common Types Of Network Security Vulnerabilities In 2020, PurpleSec LLC
6. How to mitigate the most important vulnerabilities in 2020, Panda Security
7. Improving Efficiency Of Vulnerability Assessment In NFV Based Cloud Networks, HCL Technologies
8. Input Validation Cheat Sheet, CheatSheets Series Team
9. Insecure Network Protocols: The Hidden Dangers, Packetlabs.
10. Most Common Cyber Security Threats and How to Mitigate Them, Monovm
11. Most Common Cyber Vulnerabilities Part 3 (Sensitive Data Exposure), EC-Council
12. Most Common Cyber Vulnerabilities Part 5 (Security Misconfiguration), EC-Council
13. OWASP TOP 10: Security Misconfiguration, Detectify
14. Protocol flaws leave 5G and other mobile networks open to vulnerabilities, BetaNews, Inc.
15. Reduce Your Risk with Threat and Vulnerability Management, Certitude Security
16. TCP/IP Vulnerabilities, Finjan Holdings, Inc.
17. TLS Security 6: Examples of TLS Vulnerabilities and Attacks, Acunetix
18. Top Database Security Threats and How to Mitigate Them, SHRM
19. Understanding Cloud Computing Vulnerabilities, InfoQ.com
20. Understanding Vulnerability Scoring: CVSS Explained, Contemporary Computer Services, Inc.
21. Vulnerability assessment, Imperva
22. What is Code Injection and How to Avoid It, Netsparker Ltd.
23. What is Security Misconfiguration and How to Avoid It, Guardicore
24. What is SSL, TLS? And how this encryption protocol works, CSO from IDG