Massive hacks continue to fill the front page of major media outlets. The recent hack of the Federal Office of Personnel Management (OPM) by Chinese state-sponsored hackers again showed how vulnerable we are.
But what are the main attack vectors, the holes that apparently are not being addressed? Last week, KnowBe4's Chief Hacking Officer Kevin Mitnick was asked: "What do you believe are the most serious cyber threats facing businesses today?" Here is his answer on Vimeo (0:33), where he summarizes: social engineering and vulnerable web applications.
If you break that down into more technical detail, here are your Deadly Six Sins of Data Security, in terms of their potential for data breaches:
- Social Engineering end-users who are low-hanging fruit
- Injection Vulnerabilities
- Buffer Overflows
- Sensitive Data Exposure
- Broken Authentication and Session Management
- Security Misconfiguration
Let's have a quick look at each one of these.
1) Social Engineering end-users who are low-hanging fruit
Despite all the funds you may have spent on state-of-the-art security software, the bad guys are just one gullible user click away from staging an all-out invasion. To make matters worse, that user might well be you! Recent surveys show that executives can be some of the biggest culprits when it comes to clicking on phishing links and opening malicious email attachments.
Yet by far the most effective defense in combating these attacks is also one of the most poorly implemented – security awareness training. The long list of “Worst Practices” for user education is almost endless – break room briefings while people eat lunch and catch up on email; short instructional videos that provide no more than a superficial understanding; and the time-honored practice of hoping for the best and doing nothing.
2) Injection Vulnerabilities
Every time an application sends untrusted data to an interpreter, you have an injection vulnerability. There are many flavors of this type of vulnerability, but the most popular ones affect SQL, LDAP, XPath, and XML parsers.
Obviously, you want to prevent these during the coding of your app, because finding them once the app is already deployed is hard, and fixing them at that point can be difficult. Despite that, you should have outside pentesters check your internet-facing web apps on a regular basis. If you don't, the hackers will.
3) Buffer Overflows
A buffer overflow vulnerability exists when an app writes more data into a buffer than that buffer can hold. That allows a hacker to overwrite the content of adjacent memory in an attempt to execute their malicious code. Buffer overflow attacks are quite common, but they are harder to exploit than injection attacks.
4) Sensitive Data Exposure
This happens any time a hacker gets access to sensitive user data. Sensitive data exposure is defined as access to data at rest or in transit, including backups and user browsing data.
Some examples are breaking into data storage, intercepting data transfers between a server and the browser, or tricking an e-commerce application into changing things in a cart. The main cause is no encryption of data at all, or badly implemented encryption mechanisms. And of course destroying storage media in the proper way is also a very important factor, and that includes thumb drives.
5) Broken Authentication and Session Management
Broken authentication and session management can be exploited when a targeted user leaks account data, passwords, or session IDs, which allows the attacker to impersonate that user.
There are several ways to attack authentication mechanisms, for instance by "brute-forcing” the targeted account, grabbing a session identifier from a URL, reusing a session token that has already been used, or compromising a user’s browser.
Web developers need to carefully look at all Cross-Site Scripting (XSS) flaws and deploy all necessary countermeasures to fix them, because XSS is one of the most common methods used to steal session IDs and impersonate other users.
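One of the leaks listed above, a session identifier carried in the URL, is easy to spot from the server's own access logs, because the token is written into those logs (and into proxy logs, browser history and Referer headers) on every request. The following detection script is an added example, not part of the original post; the log lines, the parameter names and the log format it parses are constructed assumptions for this example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Query-string parameter names that commonly carry a session identifier
# (constructed list; extend it with the names your frameworks use).
SESSION_PARAMS = {"sessionid", "sessid", "phpsessid", "jsessionid", "sid", "token"}

# Constructed combined-format access log lines for the example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2015:10:01:02 +0000] "GET /account?PHPSESSID=9f3c2a1b7e HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2015:10:01:05 +0000] "GET /cart?item=42 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2015:10:01:09 +0000] "GET /orders?sid=abc123&page=2 HTTP/1.1" 200 2048 "http://example.test/home" "Mozilla/5.0"
"""

# Client IP, timestamp, method and request target of a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')

def session_leaks(log_text):
    """Return one finding per request whose URL query string carries a
    session identifier. The token value itself is deliberately not copied
    into the finding, so the report does not become a second place it leaks."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = urlparse(m.group("path"))
        query = parse_qs(target.query)
        hits = sorted(k for k in query if k.lower() in SESSION_PARAMS)
        if hits:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "path": target.path, "params": hits})
    return findings
```

Any hit is a sign that the application accepts or emits session IDs outside an HttpOnly cookie and should be fixed at the application, not just scrubbed from the logs.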
6) Security Misconfiguration
This category of vulnerability is actually very common and one of the most dangerous. It's easy to discover web servers and apps that have been misconfigured resulting in simply letting the bad guys in. Here are some typical examples of security misconfigurations:
- Running outdated software
- Apps still running in debug mode or that still include debugging modules
- Running unnecessary services on the system
- Allowing access to server resources and services
- Not changing default settings like keys and passwords
- Use of default accounts
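The items in that list can be turned into an automated check that runs before deployment. Below is an added example (not from the original post) that audits a configuration for debug mode, default accounts and passwords, placeholder secrets, unnecessary services and outdated software, with a weak configuration beside its corrected form. The configuration keys, the default-credential list, the service allowlist and the version baseline are constructed assumptions for this example, not any product's real format.

```python
# Constructed weak configuration exhibiting the misconfigurations listed above.
SAMPLE_CONFIG = {
    "debug": True,
    "admin_user": "admin",
    "admin_password": "admin",
    "api_key": "changeme",
    "services": ["https", "ssh", "telnet", "ftp"],
    "server_version": "2.2.15",
}
# The same settings corrected (also constructed).
SECURE_CONFIG = {
    "debug": False,
    "admin_user": "ops-admin",
    "admin_password": "<unique secret from the vault>",
    "api_key": "<rotated key from the vault>",
    "services": ["https", "ssh"],
    "server_version": "2.4.12",
}

# Well-known default credentials and placeholder secrets (constructed list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "toor")}
PLACEHOLDER_SECRETS = {"changeme", "secret", "default", "password", ""}
# Services with no business need on a public web server (assumption).
UNNEEDED_SERVICES = {"telnet", "ftp", "rsh"}
MINIMUM_SUPPORTED_VERSION = (2, 4, 0)   # assumed vendor-supported baseline

def parse_version(version):
    return tuple(int(part) for part in version.split("."))

def audit(config):
    """Return (severity, finding) tuples for every misconfiguration found."""
    findings = []
    if config.get("debug"):
        findings.append(("high", "application is running in debug mode"))
    if (config.get("admin_user"), config.get("admin_password")) in DEFAULT_CREDENTIALS:
        findings.append(("critical", "default admin account and password in use"))
    if str(config.get("api_key", "")).lower() in PLACEHOLDER_SECRETS:
        findings.append(("critical", "api_key is a placeholder or default value"))
    for service in config.get("services", []):
        if service in UNNEEDED_SERVICES:
            findings.append(("medium", "unnecessary service enabled: %s" % service))
    if parse_version(config.get("server_version", "0")) < MINIMUM_SUPPORTED_VERSION:
        findings.append(("high", "server software is below the supported baseline"))
    return findings
```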
Badly configured Internet of Things devices could easily be turned into a large "ThingNet" owned by the bad guys. Think of paying micro-ransoms before you can get to Game of Thrones or get into your car. Defense-in-depth is the answer to the risk of losing your data.
The place to start, with the biggest immediate impact, is end-user education, which affects every aspect of your organization’s security profile. That is why it is so important that you train all end-users through effective Security Awareness Training, and enforce compliance. Find out now how affordable this is for your organization and be pleasantly surprised.
Grateful acknowledgement to the InfoSec Institute