A vulnerability is a flaw or weakness in a system that, if exploited, would allow a user to gain unauthorized access to conduct an attack. Vulnerabilities can exist within applications, operating systems, software, hardware, or anywhere else in your network. They can result from a misconfiguration in a security setting, an organizational policy that falls short, or a bug in a piece of code. The reality of cybersecurity vulnerabilities is that, unlike Achilles, you won’t have just one. Despite your best intentions, vulnerabilities are bound to exist throughout your security architecture. You can, however, take steps to ensure that your vulnerabilities are not exploited by conducting routine, thorough vulnerability assessments.
A vulnerability assessment is a systematic review of security weaknesses in your environment. The goal of a vulnerability assessment is to identify, prioritize, and suggest a course of remediation for known vulnerabilities. Your assessment should consider all facets of your business, from the architecture of your network and code in your applications, to the actual people using these technologies.
Here are some of the common vulnerabilities that your vulnerability assessment may uncover:
Network Vulnerabilities
Network vulnerabilities are flaws in hardware or software used to operate a network that could be exploited to gain unauthorized access to the network. Some common network vulnerabilities include:
Misconfigured Firewalls: Firewalls act as your first line of defense, deciding what traffic to let in and out of your network. When they are misconfigured, they can leave an easy entry or vantage point for attackers. For example, if Internet Control Message Protocol (ICMP) traffic is not blocked, threat actors can ping hosts behind the firewall, gaining visibility into the network and potentially redirecting traffic. Similarly, firewalls can be misconfigured to leave unneeded TCP/UDP ports open or to admit IP addresses they shouldn’t.
Unsecured Wi-Fi: This is of particular concern with the broad adoption of work-from-home policies in the last few years. Make sure that your employees are using Wi-Fi with WPA2 encryption, that they have changed the default network name and password, and that they have prevented unknown devices from connecting to the network.
IoT Devices: The number of internet-connected devices continues to grow rapidly, expanding the attack surface. These devices inherently have greater security risks as they’re less likely to have security controls in place. For example, there may be less password and data protection, a lack of software updates, and insecure interfaces, on top of the potential for lack of visibility into just how many of these devices exist in your network.
Unpatched Software: Patches are regularly released to protect against newly discovered bugs that could be exploited. Not applying patches promptly leaves vulnerabilities in your environment that are generally known to threat actors, thus making you an easy target for these attacks for much longer than needed.
Application Vulnerabilities
According to F5’s State of the State of Application Exploits in Security Incidents, web application attacks were the leading incident pattern in data breaches in six of the last eight years. Application vulnerabilities remain a consistent problem, especially as development teams rely more and more on third-party libraries. Not only do you need to ensure that any proprietary code is secure, but you also should be testing the open-source frameworks your applications are using to make sure they don’t contain known vulnerabilities. Keeping a record of which of these components are used is also essential, as new vulnerabilities are continually discovered. For example, if you were using Apache’s Log4j software library in December of 2021, it would have been crucial to know where, and exactly which version, you were using. Otherwise, you would be wasting precious time scouring your code for a vulnerability that may or may not exist.
Here are a few of the top application vulnerabilities to pay attention to during your vulnerability assessment.
Broken Access Control: Broken access control ranked number one on 2021’s OWASP Top 10 Web Application Vulnerabilities list. Access controls are what prevent users from acting outside of their given permissions. However, if there are vulnerabilities in these controls, they can be exploited to gain access to resources and actions that should be restricted. This can be broken down into two main categories: horizontal privilege escalation and vertical privilege escalation.
Vertical privilege escalation is when a user acquires permissions above what they would normally have. This can occur through unprotected functionality, such as an admin panel that is reachable simply by modifying the URL (its path is sometimes even disclosed in robots.txt), or through parameter-based access control, where the privilege level is carried in a form field, cookie, or query string parameter that the attacker can add or change to gain privileges.
Horizontal privilege escalation is when a user can access data or perform actions belonging to another user of the same permission level. For example, a user modifies the id parameter to access someone else’s account. Typically, it won’t be as simple as guessing another number, as most applications use a globally unique identifier (GUID); however, users’ GUIDs could be leaked or exposed somewhere in the application.
A couple of tips for preventing access control vulnerabilities:
- Don’t depend on obfuscation alone for access control.
- Employ the principle of least privilege, providing only the access needed and denying access by default.
- Use role-based access control to group users and decide permissions for each role group.
- Use a single application-wide mechanism for enforcing access controls if possible.
- Perform penetration testing, as vulnerability scanners will not always be able to detect broken access control.
- Ensure all requests go through an access control verification layer.
- Limit the use of cross-origin resource sharing (CORS) and ensure correct configuration where used. Misconfiguration of a CORS policy can allow an attacker to use cross-domain authenticated requests to steal data from your web application.
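The two escalation paths and the deny-by-default, single-mechanism advice above, shown as an added Python example (constructed here, not code from the original article or from OWASP): a request handler that trusts client-supplied id and role parameters, beside one that routes every request through one role-based authorization check tied to the server-side session. The user GUIDs, account balances and function names are assumptions for the demo.

```python
import uuid
from dataclasses import dataclass

# Constructed sample data: users keyed by an unguessable GUID, as the text notes most apps use.
ALICE, BOB, ADMIN = (str(uuid.uuid4()) for _ in range(3))
USERS = {ALICE: {"role": "user"}, BOB: {"role": "user"}, ADMIN: {"role": "admin"}}
ACCOUNTS = {ALICE: {"balance": 120}, BOB: {"balance": 75}}


@dataclass
class Request:
    session_user: str  # authenticated caller, taken from the server-side session
    action: str
    params: dict       # everything here came from the client and is untrusted


def vulnerable_handle(req):
    """Before: authorization depends on client-controlled 'id' and 'role' parameters."""
    if req.action == "view_account":
        return ACCOUNTS[req.params["id"]]              # horizontal: any leaked GUID reads any account
    if req.action == "admin_panel" and req.params.get("role") == "admin":
        return "admin panel"                           # vertical: privilege level hidden in a form field
    return "forbidden"


# Role-based permissions, denied by default: a role may only do what is listed here.
ROLE_PERMISSIONS = {"user": {"view_account"}, "admin": {"view_account", "admin_panel"}}


def authorize(req):
    """Single application-wide check that every request passes through."""
    role = USERS[req.session_user]["role"]
    if req.action not in ROLE_PERMISSIONS.get(role, set()):
        return False                                    # role not allowed to perform this action
    if req.action == "view_account" and role != "admin":
        return req.params["id"] == req.session_user     # ownership check from the session, not the URL
    return True


def secure_handle(req):
    """After: the same handlers, reachable only through authorize()."""
    if not authorize(req):
        return "forbidden"
    if req.action == "view_account":
        return ACCOUNTS[req.params["id"]]
    if req.action == "admin_panel":
        return "admin panel"
    return "forbidden"
```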
Cryptographic Failures: Cryptographic failures can lead to exposure of sensitive data. This most often occurs when you store or move data in clear text, protect data with old or weak encryption, or improperly filter or mask data while in transit. Cryptographic failures can be prevented by using proper encryption practices, key management, and data storage policies. Don’t use legacy protocols such as FTP and SMTP for transporting sensitive data, and store passwords using strong adaptive and salted hashing functions.
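The password-storage advice above as an added Python example (not code from the original article): an unsalted SHA-1 scheme beside a salted, adaptive scrypt scheme with constant-time verification, plus a check that shows the information an unsalted table leaks. The scrypt work factors and the salt$hash storage format are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os

# scrypt work factors (assumed for this example; tune to your hardware): about 16 MiB per hash.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def weak_hash(password):
    """Legacy scheme: fast, unsalted SHA-1. Identical passwords give identical hashes,
    so one cracked hash (or a precomputed table) unlocks every user who chose that password."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Adaptive, salted hash with scrypt. A fresh 16-byte random salt per password means
    the same password never produces the same stored value twice."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"{salt.hex()}${digest.hex()}"   # stored as salt$hash so verification can recover the salt


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time (no early-exit timing leak)."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_password_users(weak_table):
    """Given {user: weak_hash}, list groups of users sharing a password: the pattern an
    unsalted scheme exposes to anyone who obtains the table."""
    by_hash = {}
    for user, h in weak_table.items():
        by_hash.setdefault(h, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]
```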
Remote Code Execution (Code Injection): Remote code execution, also known as code injection, allows a threat actor to remotely execute code of their choice over a LAN, WAN, or the internet. For example, dynamic SQL injection occurs when input fields are not vetted, allowing an attacker to inject malicious SQL query commands that give them access to database information. Similarly, cross-site scripting uses injection to perform a similar operation, except that the injected scripts run on the client side and are written in JavaScript rather than SQL. Avoid code injection vulnerabilities by validating and sanitizing inputs, avoiding vulnerable evaluation constructs, and locking down your interpreter.
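The SQL injection case above as an added Python example (not code from the original article): a lookup that builds dynamic SQL from unvetted input, beside one that validates the input against an allowlist and binds it as a query parameter so the driver treats it as data only. The table layout, sample rows and username pattern are constructed for the demo.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")   # allowlist: the only shape a username may take


def make_db():
    """Constructed in-memory sample database, not taken from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn, username):
    """Before: dynamic SQL assembled from unvetted input, so the input can alter the query's logic."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def is_valid_username(username):
    """Input validation: reject anything outside the allowlisted character set and length."""
    return bool(USERNAME_RE.match(username))


def lookup_parameterized(conn, username):
    """Parameter binding alone: the value travels separately from the SQL text and is never parsed as SQL."""
    return conn.execute("SELECT username, email FROM users WHERE username = ?", (username,)).fetchall()


def lookup_safe(conn, username):
    """After: defense in depth, allowlist validation first, then the parameterized query."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)
```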
Personnel and Process Vulnerabilities
Personnel
Most of the vulnerabilities previously discussed are technical vulnerabilities. You can update your code or change a setting to resolve them. But behind the technology of cybersecurity, we are still relying on humans, who are perhaps the most significant vulnerability.
Phishing remains one of the most common initial attack vectors for ransomware delivery and other breaches. In a recent report, RiskRecon confirmed a correlation between a high susceptibility to phishing and the likelihood of being the victim of a ransomware attack. Security awareness training is an essential part of reducing your risk and managing your vulnerabilities.
Credential Theft: According to Cofense’s 2022 Annual State of Phishing Report, credential theft was the most commonly observed type of phishing attempt, making up 67% of all phishing emails. In a credential phishing scam, the attacker poses as a known entity, spoofing a legitimate webpage and stealing the credentials when the user logs in to the fake site. One of the most important ways to reduce the impact of credential theft is to implement multi-factor authentication so if the attacker attempts to log in with the stolen credentials, they are at least thwarted before reaching the information they’re ultimately after. This should be used in conjunction with security awareness training, which is the only real way to stop credential theft before it occurs. Employees should be educated not to log into sites through an email, but instead to navigate to the site directly.
Business Email Compromise: Business email compromise occurs when a threat actor uses social engineering to request funds or sensitive information. For example, the attacker may pose as a CEO, or as a vendor sending an invoice, and request a wire transfer. An attacker may also target HR departments trying to obtain tax information or personally identifiable information about employees. These emails invoke a sense of urgency and can trick employees who may be distracted and trying to quickly complete a task. Employees should be trained on the company’s policies so they can recognize a scam as opposed to a legitimate request.
Process
Humans are also the ones conceptualizing the applications and networks that are put in place. They are the ones who make the policies and processes that ultimately determine how secure your organization is. If security is an afterthought for your organization’s leadership, an overall lack of security processes could itself be a vulnerability.
Insecure Design: Insecure design is a vulnerability category that was added to the OWASP Top Ten in 2021. Insecure design refers to a lack of security strategy in the design of the application. This is different from an insecure implementation, which might mean bugs in the code. Insecure design is not a matter of a few individual application security vulnerabilities; it is a lack of overarching security planning that leaves the application vulnerable. Before an application is developed, business risk profiling must be done to determine the protection requirements needed. Secure design takes the mindset of shifting security left in the development pipeline, all the way to the beginning of the process, where security is incorporated into the discussion of how the application will function.
Conducting a vulnerability assessment may leave you overwhelmed by the vulnerabilities that you uncover, but knowing how to prioritize them and implementing a vulnerability management process will help you get your vulnerability management (VM) program under control.
RH-ISAC members have access to additional resources for vulnerability management like requests for information and industry reports, such as HackEDU’s 2021 Vulnerability Benchmark Report. Visit the RH-ISAC website to learn more about how RH-ISAC membership could benefit you.