Security Vulnerability

PREPARED BY: ER. LOCHAN RAJ DAHAL
What Is a Security Vulnerability?

► A security vulnerability is an unintended characteristic of a computing component or system configuration that multiplies the risk of an adverse event
or a loss occurring either due to accidental exposure, deliberate attack, or conflict with new system components.
► By its very definition, a vulnerability can be fixed using a software patch, reconfiguration, user training, firmware update, or hardware replacement,
unlike a security risk that might be inevitable. As digital systems evolve, new vulnerabilities emerge along with them. It is important not to take your systems’
security and health for granted, as doing so could leave the enterprise exposed to potential cyber threats.
► Instead, it is advisable to:
► Proactively monitor for vulnerabilities in your security processes, application code, infrastructure configurations, and user behavior.
► Prioritize vulnerabilities and fix them based on the severity of the potential attack, in partnership with external security researchers, software providers, and
infrastructure vendors.
► Disclose vulnerabilities in a controlled manner to avoid litigation risks while also not giving away so much information that a criminal becomes aware of
and takes advantage of the vulnerability.
► Contribute vulnerability data to third-party threat intelligence data feeds to help the global InfoSec community gain from their collective intelligence.
► Most importantly, it is essential for enterprises to take ownership of vulnerabilities, even if they are inadvertent and inevitable. This reassures users and customers
that you value their data security and privacy.
Types of Security Vulnerabilities

► There are numerous ways security vulnerabilities could enter your systems, both through in-house
negligence and external oversight. These include:
1. Vulnerabilities in the source code

► Code vulnerabilities creep in right at the time of software development. There might be logical errors that lead to
security flaws – for example, creating an access privilege lifecycle that an attacker can hijack. The software might
inadvertently transfer sensitive data without encryption, or it might use random values for encryption that
aren’t random enough. Sometimes, if the software development lifecycle is too protracted, multiple developers
work on the project and certain functionalities may remain unfinished.
► Ideally, all of these vulnerabilities should be picked up and patched during testing/QA, but they could trickle
down the supply chain to impact enterprises.
2. Misconfigured system components

► Misconfigurations are another common error when setting up enterprise IT systems. At the
very basic level, for example, the administrator might forget to switch from a software’s
default configurations, thereby leaving the system open to vulnerabilities.
► Incorrectly configured cloud systems, network misconfigurations, hurriedly set up Wi-Fi
environments, and even the failure to restrict non-work device usage could exponentially
multiply your risk exposure. Fortunately, these vulnerabilities are relatively easy to fix –
they are typically the result of an overburdened IT team, requiring the intervention of extra
hands, preferably a managed services provider.
3. Trust configurations

► Trust configurations refer to the allowances you make for data exchange to and from
software and hardware systems. For example, a mounted hard disk might be able to read
sensitive data from a computing client without necessitating any extra privileges. Trust
relationships may exist between Active Directory domains and account records, leading to
unmitigated data flow between sources that aren’t constantly monitored.
► Once an attacker gains access to a compromised system, they can exploit these trust
configuration vulnerabilities to spread the infection from the original system and bring
down your entire IT environment.
4. Weak credentialing practices

► This has emerged as one of the most common causes of vulnerabilities in both consumer and enterprise systems.
Users tend to stick to convenient or comfortable credentialing practices, prioritizing ease of use over security.
► For example, it is now the norm (despite expert recommendations) to store passwords and account credentials in a
browser’s built-in password manager. Weak passwords that use common alphanumeric strings (123456, passw0rd,
etc.) and those reusing personal data like your name are potential vulnerabilities.
► These security vulnerabilities can be curbed at two levels – through user awareness and enforced credentialing
processes, such as password expiration.
5. Lack of strong encryption

► Unencrypted data flow is a massive risk and can lead to severe data breaches. Data encryption ensures that if your
primary storage platform falls into the wrong hands, someone with malicious intent will not be able to decrypt or
make sense of the information.
► Unfortunately, encryption is still lagging behind the pace of digital transformation and the consequent digitization
of documents. Research suggests that while mobile data storage is now a primary focus for encryption,
organizations are yet to address this vulnerability in USB sticks, laptops, and portable hard drives. Ideally, data
must be properly encrypted at rest as well as in motion.
6. Insider threat

► Vulnerabilities arising from insider threats are difficult to detect and even harder to prevent, particularly in a remote
working world. According to Forrester, 1 in 3 security breaches in 2021 will be caused by an insider threat, growing
by eight percentage points from the previous year.
► There are myriad reasons why your workforce might be exposed to insider threat-related vulnerabilities, ranging
from poorly thought-out recruitment practices and background checks to bad blood within the organization and
geopolitical forces. With most employees working from home, it can be difficult to detect anomalous behavior that
might indicate an insider threat in your organization.
7. Psychological vulnerability

► Psychological vulnerabilities are also human-caused, but unlike insider threats, they are inadvertent, and everyone is
susceptible to them. As human beings, we are motivated by core psychological drivers such as the urge for
self-preservation, an eagerness to save/get exclusive benefits, and a fear of danger.
► Hackers typically exploit these vulnerabilities through social engineering. They convince users that they need to
take action to unlock a benefit or avoid an adverse situation. A simple example is a psychological vulnerability that
leads many users to click on emails spoofing promotional discounts and download malware into their systems.
8. Inadequate authentication

► Authentication vulnerabilities arise when there aren’t enough checks and balances to reset passwords and
credentials. This means that a hacker might exploit the “forgot password” option present in every login system to
hijack your account and find a backdoor to initiate an account takeover (ATO) attack.
► The authentication question might be too easy to guess – for example, your date of birth, which is publicly
available thanks to social media. Or, the system might not follow multi-factor authentication procedures, where a
single device’s compromise cannot impact an account’s security.
9. Injection flaws

► Misconfigured web applications can be prone to injection flaws. If the application takes user input through an
online form and inserts that input into a backend database query, command, or operating system call, it would leave the
application open to injection attacks such as SQL, XML, or LDAP injections.
► Essentially, this vulnerability allows hackers to obtain a backdoor into the web app’s data flow and redirect user
data or even insert malicious code that causes the application to read, update, or even delete user data without the
user’s consent. Injection vulnerabilities are typically responsible for data breaches.
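The injection flaw described in point 9, shown as an added example (not code from the slides): a lookup that splices form input into SQL text beside its parameterised fix, run against an in-memory SQLite table constructed here for the demonstration.

```python
"""Added example: vulnerable string-built query vs. parameterised query.
The users table and its rows are constructed for the demo, not real data."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "admin"),
         ("bob", "bob@example.com", "user"),
         ("carol", "carol@example.com", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Form input is spliced straight into the SQL text, so quote
    characters in the input change the statement the database runs."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the input is bound as a value, so it can only
    match (or fail to match) a name; it cannot alter the statement."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups with a normal name and with a tautology input."""
    conn = build_db()
    tautology = "x' OR '1'='1"  # textbook form-field input that always matches
    return {
        "vuln_normal": lookup_vulnerable(conn, "bob"),
        "vuln_tautology": lookup_vulnerable(conn, tautology),  # every row leaks
        "safe_normal": lookup_safe(conn, "bob"),
        "safe_tautology": lookup_safe(conn, tautology),  # no such user: []
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```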
10. Sensitive data exposure

► Sensitive data exposure can happen in several ways. Sheer human negligence can cause data to be uploaded to a
public website or a commonly accessed database. Inappropriate access controls might lead to a single employee
owning control over a huge database of sensitive information.
► Unlike a data breach, there isn’t always malicious intent behind such scenarios. Human errors or system
misconfigurations cause sensitive data (intellectual property, user credentials, personally identifiable information,
payment details, etc.) to end up in the wrong place where it is vulnerable to exploitation.
11. Insufficient monitoring and logs

► Regular log analysis and detailed log records are essential for curbing security vulnerabilities. Otherwise, an
unauthorized entity may gain entry into your computing landscape without anyone finding out before it is too late.
► Typically, a hacker or a malicious bot will leave behind breadcrumbs in the form of strange system signals that
will show up via log analysis. Irregular monitoring or scheduled analysis only during a specific part of the
day/week/month leaves your systems vulnerable to attacks when there is no supervising eye looking out for
suspicious behavior.
12. Shared tenancy vulnerabilities

► Finally, shared tenancy vulnerabilities are an inevitable reality of the cloud era. Public cloud solutions operate in a
multi-tenant model where a shared set of resources are leased out to various organizations at different times,
depending on the scale of their resource requirements.
► If one tenant is compromised, it’s possible that the attack will spread to other organizations on the cloud by
exploiting shared tenancy vulnerabilities. That’s why organizations dealing with sensitive information – like banks,
schools, and hospitals – choose to divide their workloads between public and private tenants, keeping their most
valuable data compartmentalized.
10 Best Ways to Identify a Security Vulnerability

► Identifying vulnerabilities on time – before a criminal has the chance to exploit them – can save your organization immensely in terms of
penalties, customer trust, and corporate reputation. Given that an average data breach costs a whopping $3.86 million, preemptively
identifying security vulnerabilities is a smarter idea.
► Here’s how:
1. Run a network audit

► Network audits reveal the hardware, software, and services running on your network, checking if there
are any undocumented or unauthorized entities at work. Particularly after a transformation event such as
a merger, acquisition, or a business expansion, it is a good idea to perform an audit and check for any
technical debt you might have inherited, non-compliance with new industry standards, and sprawl of
network assets.

2. Analyze system log data


► Computing environments generate real-time and historical logs that provide visibility into your IT stack’s health and
performance. Real-time log analysis reveals anomalous entities, hidden flaws in the source code, and signs of system
malfunctioning due to misconfigurations. You can correlate log data across computing elements to detect the root
cause of issues and prevent a vulnerability from turning into an attack vector.
3. Use a penetration tester or white-hat hacker

► Penetration testers or ethical, white hat hackers can provide an objective, third-party perspective into your system
status. They can place themselves in a cybercriminal’s shoes, thereby detecting vulnerabilities that might
otherwise pass underneath the radar. Penetration testing is particularly useful to identify zero-day vulnerabilities,
which are unfamiliar to the InfoSec community.

4. Leverage a threat intelligence database


A cyber threat intelligence database consolidates vulnerability and attack information from across the
world, compiling data from various computing environments. You could partner with a security vendor
who collects threat intelligence data from organizations. You may also leverage open-source databases
such as the SANS Internet Storm Center, FBI’s InfraGard Portal, Cisco Talos Intelligence (free edition),
Spamhaus, and Google Safe Browsing. Analyze your IT landscape regularly against these databases, and flag
any matches with these known threats.
5. Simulate a social engineering attack

► Social engineering simulations help address and mitigate psychological vulnerabilities that may be present in your
workforce. In a simulated scenario, you send out phishing messages in a controlled environment, observe users’
susceptibility, and document the results to overhaul your user awareness training program. Several cybersecurity
organizations, such as Redscan or NetSentries, offer specialized social engineering simulation services.

6. Use process mining to detect hidden flaws


Process mining is a data analysis technique that investigates data from system-generated events to
understand how you could optimize enterprise processes. Applied to security, it breaks down enterprise
processes to find loopholes and their possible solutions.
Process mining reveals any deviation from your enterprise security protocols or hidden shadow
processes that could be increasing your attack surface area.
7. Review the source code

► Source code review is a must-have for identifying security vulnerabilities, especially if your enterprise apps
regularly deal with sensitive user information. Inadequate testing at the software development stage, logical flaws,
or vulnerable open source code snippets used by your software vendor could all contribute to security
vulnerabilities at the source code level. That’s why it is advisable to request the source code whenever you
implement an application landscape overhaul, or at least reverse-engineer if the full source code isn’t available.

8. Audit the IT supply chain


Lack of visibility into your IT supply chain could create backdoors that a hacker can exploit. For
example, your organization might have a policy prohibiting IT procurement from a specific location
due to geopolitical conflicts and national security requirements. But a supplier who hasn’t been
audited might be relying on the said region for a small component or service. IT supply chain audits
are essential to trace back your ecosystem’s origins, right down to the source code and hardware
manufacturing level.
9. Automate the security testing process

► No matter how vigilant your InfoSec team, human testers are bound to overlook some flaws, given the enormous
scope of enterprise apps today. Automated security testing checks for known issues, bugs, and vulnerabilities at
crucial points of the software development lifecycle. Software companies can incorporate automated security
testing into their DevOps process, preventing flawed code from going into production. Enterprises can leverage
automation for source code review.

10. Document the hardware landscape


In addition to maintaining up-to-date docs for your enterprise apps and software, your hardware
landscape also requires careful scrutiny. This includes mapping its origins, documenting its trust
relationship with other system components, keeping track of firmware update schedules, and analyzing
hardware behavior logs at regular intervals. During security audits, hardware documentation will help
auditors find vulnerabilities in your environment if there are any.
5 Best Practices to Prevent Security Vulnerabilities

► You can take measures to prevent vulnerabilities by finding and fixing potential bugs, so they do not become
high-risk threat vectors.
1. Follow a least-privilege access model

► Least-privilege access means that humans, systems, and automated bots are granted only the access needed to
perform the requisite task and nothing more. Let’s say that a supply chain partner uses a remote
device for five hours every day, during which they need access to your network systems to perform
maintenance.
► According to least privilege principles, access will be available only during the scheduled hours and
revoked afterward. Similarly, if a guest needs to log into your corporate network, they can access as per
least privilege principles and cannot go beyond those assets within their realm of relevance.
► By ensuring the least privilege access, you can prevent hackers from misusing human psychology or
exploiting access rights (as they don’t exist beyond a point) – thereby controlling your vulnerability
footprint.
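The scheduled-hours partner and the scoped guest from the passage above, as an added example (not code from the slides): a default-deny check where a grant names a principal, the only assets it covers, and a daily window after which access is revoked. The principal and asset names and the policy are constructed for the illustration.

```python
"""Added example: least-privilege access check with scope and time window.
Policy entries below are hypothetical, constructed for the demo."""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Grant:
    principal: str
    assets: frozenset    # the only assets this grant covers
    window_start: time   # access valid from this time of day ...
    window_end: time     # ... up to this time, then revoked until next day


POLICY = (
    # Supply-chain partner: five hours a day, maintenance hosts only.
    Grant("partner-acme", frozenset({"maint-jump", "plc-gateway"}),
          time(9, 0), time(14, 0)),
    # Guest: captive portal and lobby printer only, any time of day.
    Grant("guest", frozenset({"guest-portal", "lobby-printer"}),
          time(0, 0), time(23, 59, 59)),
)


def is_permitted(principal: str, asset: str, at: time,
                 policy=POLICY) -> bool:
    """Allow only if some grant names this principal AND this asset AND
    `at` falls inside that grant's daily window. Anything else is denied,
    so there are no access rights to misuse beyond the grant itself."""
    for g in policy:
        if (g.principal == principal and asset in g.assets
                and g.window_start <= at <= g.window_end):
            return True
    return False


def decide(principal: str, asset: str, hhmm: str) -> bool:
    """Convenience wrapper taking the clock time as 'HH:MM'."""
    hour, minute = (int(part) for part in hhmm.split(":"))
    return is_permitted(principal, asset, time(hour, minute))


if __name__ == "__main__":
    for args in [("partner-acme", "plc-gateway", "10:30"),
                 ("partner-acme", "plc-gateway", "20:00"),
                 ("partner-acme", "hr-db", "10:30"),
                 ("guest", "guest-portal", "03:00")]:
        print(args, "->", "allow" if decide(*args) else "deny")
```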
2. Start a bug bounty program

► A bug bounty program invites ethical hackers from around the world to find security flaws and vulnerabilities in
an organization’s public-facing systems and product offerings. Nearly every major company, including Microsoft, Slack, Google,
and Facebook, has an attractive bug bounty program. Microsoft paid $13.7 million in rewards last year to
recognize the efforts 300+ researchers put into finding hidden vulnerabilities in Microsoft products.
► You can start a bug bounty program if you operate a vast product landscape or have an expansive public-facing
online footprint, making it difficult for in-house developers to catch and address every vulnerability, particularly
zero-day ones.
3. Have a strong business continuity plan

► A business continuity or disaster recovery (BC/DR) plan reduces the impact that a potential data breach might have
on your enterprise. Ransomware attacks are now increasingly common where a cybercriminal targets an enterprise
and threatens to publicly reveal or destroy business-critical data unless the company pays a ransom.
► A business continuity plan will make sure there is a backup database in place to keep your operations running
while you report the attack to the authorities, trace it to its origins, and take legal action, confident that your
business will not be interrupted.
► If databases are protected using very strong encryption, the criminal cannot read or leak the data, so they will instead threaten to destroy it and bring your
business to a standstill. You can counter this by maintaining an up-to-date BC/DR data copy.
4. Secure your APIs and inventory native integrations

► In a connected world, API security is essential to prevent the exposure of sensitive data and
internal infrastructure to public sites. Since APIs are easily accessible through a public network, they can be
exploited by cybercriminals who insert themselves between two interfacing systems and gather information from
both by posing as one or the other.
► This is called a “man in the middle” attack. You can prevent such vulnerabilities by ensuring that your web
resources use the HTTPS protocol and only users/machines from trusted IPs can access the APIs. Also, maintain an
inventory of all the APIs in use across the application landscape, including those that are natively provided by
third-party software vendors.
5. Encourage a culture of skepticism

► At the end of the day, the most important best practice for preventing security vulnerabilities concerns your users, the
weakest link in your system. A culture of skepticism means that users are trained to not accept anything at face
value and to question the veracity of statements, access requests, and instructions. For example, if a colleague on
holiday asks for quick approval for a supplier payment, users must immediately become skeptical and raise red flags.
► There are several ways to encourage a culture of skepticism at your enterprise, from regular user awareness training
to in-app prompts (e.g., displaying an “are you sure you want to click on that hyperlink?” notification in emails).
Importantly, organizational leaders must set an example by following and demonstrating how they authenticate
information.
Security logging and monitoring

► Logging and monitoring provide raw data that helps to identify possible threats. This happens when
system administrators look closely at the data and identify unusual patterns. These processes act as
pillars that form the foundation of a robust security framework.
► In case of security incidents or data loss in a system, logging and monitoring help find the actual cause of
any failure. However, sometimes it isn’t possible to dig deeper into the problem and track things because
there are no monitoring logs.
Importance of logging and monitoring systems

► It’s essential to have functional logging and monitoring systems, as they provide logs
and information to give timely alerts to the system if any malfunction or error occurs.
This protects the system from further damage.
► Logging and monitoring failures rarely create a vulnerability on their own. Logging and
monitoring become especially important in tracing back when the system shows any
abnormal behavior. Their failure or absence severely impacts transparency, visibility,
and incident alerting.
► If the system doesn't maintain any logging mechanism, or these mechanisms fail,
there is no audit trail for events and security analysis. Therefore, attackers can keep
damaging our system because their identity and method of attacking cannot be easily
determined.
► The illustration below shows how logs help identify the patterns. The illustration also
provides information for system improvement and maintenance.
Vulnerabilities and threats of these failures

Here are some of the vulnerabilities of logging and monitoring failures:


► There is no logging for login and failed attempts.
► Weak monitoring systems are unable to detect suspicious activity or emerging threats.
► In the case of locally stored logs, if a server fails, these logs become unavailable.
► Monitoring and logging are not protected for integrity. Therefore, anyone can corrupt the data to give a false alarm.
► We might be unable to find any insight or useful information due to vague and broken logs.
Threats

Here are some threats caused due to poor logging and monitoring:
► Botnet attacks
► DNS attacks
► Insider threats
► Malware traffic
► Ransomware attacks
► Advanced persistent threats
How to avoid failures

The following measures can be taken to avoid logging and monitoring failures:
► Make sure that all login and failed attempts are logged properly.
► Maintain an updated copy of all the logs that are useful in case the server faces any issues.
► The logs should be kept in a formatted manner that can be used by other functions and log management
solutions. Unformatted logs can be a burden to look into.
► Ensure that the monitoring and logging system alerts in real time. Alerting and alarming the system after the
damage has been done is not beneficial.
► Protect the logs to ensure their integrity.
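The "insufficient monitoring" breadcrumbs from point 11 and the measures listed above, worked through as an added example (not code from the slides): parse constructed auth log lines, flag sources with repeated failed logins, and seal each stored line with an HMAC tag so tampering is detectable. The log format, addresses and key are constructed for the illustration.

```python
"""Added example: failed-login detection over sample log lines, plus a
per-line HMAC tag protecting stored log integrity. All data constructed."""
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample auth log (syslog-like, not real data).
SAMPLE_LOG = """\
2024-05-06T09:01:02Z sshd: Failed password for admin from 203.0.113.7
2024-05-06T09:01:05Z sshd: Failed password for root from 203.0.113.7
2024-05-06T09:01:09Z sshd: Failed password for admin from 203.0.113.7
2024-05-06T09:01:12Z sshd: Accepted password for alice from 198.51.100.4
2024-05-06T09:01:20Z sshd: Failed password for admin from 203.0.113.7
2024-05-06T09:02:40Z sshd: Failed password for bob from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse(text: str) -> list:
    """Parse well-formed lines; a broken line is skipped rather than
    stopping the whole analysis (the 'vague and broken logs' problem)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def flag_bruteforce(events: list, threshold: int = 3) -> dict:
    """Sources with at least `threshold` failed logins: the kind of
    breadcrumb a regular log review is meant to surface."""
    fails = Counter(e["src"] for e in events if e["result"] == "Failed")
    return {src: n for src, n in fails.items() if n >= threshold}


# --- integrity protection for stored lines -------------------------------
KEY = b"constructed-demo-key"  # held by the log collector, not the logged host


def seal(line: str, key: bytes = KEY) -> str:
    """Append an HMAC-SHA256 tag so a later edit to the line is detected."""
    tag = hmac.new(key, line.encode(), hashlib.sha256).hexdigest()
    return f"{line} tag={tag}"


def verify(sealed: str, key: bytes = KEY) -> bool:
    """Recompute the tag over the line body and compare in constant time."""
    body, sep, tag = sealed.rpartition(" tag=")
    if not sep:
        return False  # no tag at all: treat as untrusted
    expect = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, tag)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("suspicious sources:", flag_bruteforce(ev))
    sealed = seal(SAMPLE_LOG.splitlines()[0])
    print("intact:", verify(sealed),
          "edited:", verify(sealed.replace("Failed", "Accepted")))
```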
What is a honeypot?

► A honeypot is a network-attached system set up as a decoy to lure cyber attackers and detect, deflect and study hacking
attempts to gain unauthorized access to information systems. The function of a honeypot is to represent itself on the internet
as a potential target for attackers -- usually, a server or other high-value asset -- and to gather information and notify
defenders of any attempts to access the honeypot by unauthorized users.
► Honeypot systems often use hardened operating systems (OSes) where extra security measures have been taken to minimize
their exposure to threats. They are usually configured so they appear to offer attackers exploitable vulnerabilities. For
example, a honeypot system might appear to respond to Server Message Block (SMB) protocol requests used by
the WannaCry ransomware attack and represent itself as an enterprise database server storing consumer information.
► Large enterprises and companies involved in cybersecurity research are common users of honeypots to identify and defend
against attacks from advanced persistent threat (APT) actors. Honeypots are an important tool that large organizations use to
mount an active defense against attackers or for cybersecurity researchers who want to learn more about the tools and
techniques attackers use.
► The cost of maintaining a honeypot can be high, in part because of the specialized skills required to implement and administer
a system that appears to expose an organization's network resources, while still preventing attackers from gaining access to
any production systems.
Honeypots are placed at a point in the network where they appear vulnerable and undefended, but they are
actually isolated and monitored.
How do honeypots work?

► Generally, a honeypot operation consists of a computer, applications and data that simulate the behavior of a real
system that would be attractive to attackers, such as a financial system, internet of things (IoT) devices, or a public
utility or transportation network. It appears as part of a network but is actually isolated and closely monitored.
Because there is no reason for legitimate users to access a honeypot, any attempts to communicate with it are
considered hostile.
► Honeypots are often placed in a demilitarized zone (DMZ) on the network. That approach keeps it isolated from
the main production network, while still being a part of it. In the DMZ, a honeypot can be monitored from a
distance while attackers access it, minimizing the risk of the main network being breached.
► Honeypots may also be put outside the external firewall, facing the internet, to detect attempts to enter the internal
network. The exact placement of the honeypot varies depending on how elaborate it is, the traffic it aims to attract
and how close it is to sensitive resources inside the corporate network. No matter the placement, it will always have
some degree of isolation from the production environment.
How do honeypots work?

► Viewing and logging activity in the honeypot provides insight into the level and types of threats a network
infrastructure faces while distracting attackers from assets of real value. Cybercriminals can hijack honeypots and
use them against the organization deploying them. Cybercriminals have also been known to use honeypots to
gather intelligence about researchers or organizations, act as decoys and spread misinformation.
► Virtual machines (VMs) are often used to host honeypots. That way, if they are compromised by malware, for
example, the honeypot can be quickly restored. Two or more honeypots on a network form a honeynet, while a
honey farm is a centralized collection of honeypots and analysis tools.
► Both open source and commercial offerings are available to help with deploying and administering honeypots.
Products include standalone honeypot systems, as well as honeypots packaged with other security software and
marketed as deception technology. GitHub has an extensive list of honeypot software that can help beginners get an
idea of how honeypots are used.
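The honeypot behaviour described above, as an added example (not code from the slides or any honeypot product): a minimal low-interaction TCP decoy that answers every connection with a fake service banner and records who connected and what they sent, on the premise that no legitimate user has a reason to talk to it. The banner text and the loopback-only binding are constructed for the demonstration.

```python
"""Added example: a tiny low-interaction decoy listener. Every connection
is logged as an event; the banner and port choice are constructed."""
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class Event:
    when: float          # epoch seconds of the connection
    peer: str            # "ip:port" of whoever connected
    first_bytes: bytes   # what they sent after the banner, if anything


class DecoyListener:
    """Listens on one TCP port, records each connection and returns a fake
    service banner. Runs in a daemon thread so it can be started/stopped."""

    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"220 files.corp.example FTP server ready\r\n"):
        self.banner = banner
        self.events: list = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))     # port 0: let the OS pick a free port
        self._sock.listen(8)
        self._sock.settimeout(0.2)        # accept() wakes up to notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def wait_for(self, n: int, timeout: float = 2.0) -> bool:
        """Block until at least n events are recorded, or the timeout passes."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return True
            time.sleep(0.02)
        return False

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(0.5)
                try:
                    conn.sendall(self.banner)   # look like a real service
                    data = conn.recv(256)       # capture the visitor's first bytes
                except OSError:
                    data = b""
            with self._lock:
                self.events.append(Event(time.time(), f"{addr[0]}:{addr[1]}", data))


def probe(port: int, payload=b"USER anonymous\r\n") -> bytes:
    """Client standing in for an unexpected visitor; returns the banner."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(256)
        c.sendall(payload)
    return banner


if __name__ == "__main__":
    decoy = DecoyListener()
    decoy.start()
    print(probe(decoy.port))
    decoy.wait_for(1)
    decoy.stop()
    for e in decoy.events:
        print(e)
```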
THE END

THANKS FOR ANOTHER RESPONSIVE SESSION
