The Top Five Cyber Security Vulnerabilities

Uploaded on 2015-07-21 in TECHNOLOGY--Hackers, NEWS-News Analysis, FREE TO VIEW, BUSINESS-Services-Law

openssl-2.jpg

Recently, the hack of the Federal Office of Personnel Management (OPM), apparently tied to Chinese sponsored hackers, raised the discussion about the potential catastrophic damage caused by the exploitation of a cyber-security vulnerability. 

Part of the cyber-security community has considered this last incident the equivalent of a cyber-9/11. Millions of data belonging to the Government personnel were compromised and there is a concrete risk threat that the, stolen data, could be used by threat actors in further cyber-attacks against Government agencies.

The Office of Personnel Management (OPM) hack must serve as a wake-up call for reorganizing cyber security posture of the country. To do this it is essential to profile the threat actors, understand their motivation, learn the way they operate and adopt the necessary countermeasures, a very simple strategy to theorize, but very difficult to achieve.

But first try to understand the possible motivation of a potential attacker. Hackers act to steal sensitive data (i.e. corporate secrets, personal information, and intellectual property) or to sabotage. Recent events demonstrate that cyber espionage is still considered the most dangerous threat for Governments; APT groups worldwide constantly search for vulnerabilities to exploit on a large scale in order to gather sensitive data.

We cannot underestimate the action of cyber terrorists and cyber criminals, financial firms, retailers, and companies in the health care industry are constantly under attack. The financial damage to the world economy due to cybercrime exceed 575 billion dollars, the figures are disconcerting if we consider that are greater than the GDP of many countries.
Another danger posed by group of hackers on a global scale is represented by the possibility of cyber-attacks against critical infrastructure, such as gas pipelines, water facilities, and smart grids.

The majority of processes in modern infrastructure are controlled by SCADA systems that were exposed on the Internet for maintenance purposes without the necessary attention to the cyber security. It is not a problem of maintenance of SCADA components, instead the lack of security by design for these systems expose the entire infrastructure to the risk of cyber-attacks.

The Top five: cyber security vulnerabilities

Injection vulnerabilities

Injection vulnerabilities occur every time an application sends untrusted data to an interpreter. Injection flaws are very common and affect a wide range of solutions. The most popular injection vulnerabilities affect SQL, LDAP, XPath, XML parsers and program arguments. As explained in the OWASP “Top 10″ guide, the injection flaws are quite easy to discover by analyzing the code, but frequently hard to find during testing sessions when systems are already deployed in production environments.

The possible consequences of a cyber-attack that exploits an Injection flaw are data loss and consequent exposure of sensitive data, lack of accountability, or denial of access. An attacker could run an Injection attack to completely compromise the target system and gain control on it. The business impact of an Injection attack could be dramatic, especially when hacker compromise legacy systems and access internal data.

SQL injection vulnerabilities are among most exploited flaws, despite the high level of awareness on the various techniques of hacking that exploit this category of bugs the impact of such attacks is very serious.

A study released by the Ponemon Institute in October 2014 titled “The SQL Injection Threat Study” investigated on the reply of organizations to the SQL injection threat.

The study revealed that despite about one-third believing that their organization has the necessary technology to detect and mitigate the cyber threat, the success rate of SQL injection attacks is too high.
Injection vulnerabilities could affect various software and their impact depends on the level of diffusion of the vulnerable application.

A classic example of the possible effect of the presence of injection flaws is the critical vulnerability dubbed Bash Bug affecting the Linux and UNIX command-line shell. The flaw, coded as CVE-2014-6271, is remotely exploitable and affects Linux and Unix command-line shell potentially exposing to risk of cyber-attacks websites, servers, PCs, OS X Macs, various home routers, and many other devices.

The vulnerability has existed for several decades and it is related to the way bash handles specially formatted environment variables, namely exported shell functions. To run an arbitrary code on affected systems it is necessary to assign a function to a variable, trailing code in the function definition will be executed.

The critical Bash Bug vulnerability, also dubbed Shellshock, affects versions GNU Bash versions ranging from 1.14 through 4.3, a threat actor could exploit it to execute shell commands remotely on a targeted machine using specifically crafted variables.

Such kind of vulnerabilities could have a dramatic effect on a large scale, let’s think for example to the dangers for the Internet-of-things devices like smart meters, routers, web cameras and any other device that runs software affected by this category of flaws.

Buffer Overflows

A buffer overflow vulnerability condition exists when an application attempts to put more data in a buffer than it can hold. Writing outside the space assigned to buffer allows an attacker to overwrite the content of adjacent memory blocks causing data corruption, crash the program, or the execution of an arbitrary malicious code.

Buffer overflow attacks against are quite common and very hard to discover, but respect the injection attacks they are more difficult to exploit. The attacker needs to know the memory management of the targeted application, the buffers it uses, and the way to alter their content to run the attack.

In a classic attack scenario, the attacker sends data to an application that store it in an undersized stack buffer, causing the overwriting of information on the call stack, including the function’s return pointer. In this way, the attacker is able to run its own malicious code once a legitimate function is completed and the control is transferred to the exploit code contained in the attacker’s data.
There are several types of buffer overflow; most popular are the Heap buffer overflow and the Format string attack. Buffer overflow attacks are particularly dangerous; they can target desktop applications, web servers, and web applications.
An attacker can exploit a buffer overflow to target a web application and execute an arbitrary code. He can corrupt the execution stack of a web application by sending specifically crafted data.

Buffer overflows affecting widely used server products represent a significant risk to users of these applications, in the last years, many buffer overflow vulnerabilities were discovered in a number of SCADA components. Considering that the number of cyber-attacks against SCADA is increasing even more it is likely that these buffer overflow vulnerabilities will be exploited with increasing frequency. A number of crimeware kit could be sold in the underground ecosystem to attack this particular category of targets causing serious damages.

Sensitive Data Exposure

Sensitive data exposure occurs every time a threat actor gains access to the user sensitive data.
Data could be stored (at rest) in the system or transmitted between two entities (i.e. servers, web browsers), in every case a sensitive data exposure flaw occurs when sensitive data lack of sufficient protection.

Sensitive data exposure refers the access to data at rest, in transit, included in backups and user browsing data.
The attacker has several options such as the hack of data storage, for example by using a malware-based attack, intercept data between a server and the browser with a Man-In-The-Middle attack, or by tricking a web application to do several things like changing the content of a cart in an e-commerce application, or elevating privileges.

The principal sensitive data exposure flaw is the lack of encryption for sensitive data, but even if encryption mechanisms are implemented, other events concur to the exposure of information. The adoption of weak key generation and management, and weak algorithm usage is very common in many industries and applications.

A number of incidents recently occurred have demonstrated the critic of this category of flaw, let’s think to the wrong implementation of encryption algorithms and the lack of encryption for mobile and cloud solutions.
In September 2014, the CERT Coordination Center at Carnegie Mellon University (CERT/CC) published the results of the tests conducted by its experts on popular Android applications that fail to properly validate SSL certificates.
The failure of the certificate pinning procedure exposes users to the risk of MitM attacks and consequent theft of sensitive information.

The CERT confirmed that the problems is widespread, the circumstance was confirmed by another study conducted by security experts at FireEye that evaluated the level of security offered by 1,000 of the most popular free apps offered on Google Play.

FireEye provided shocking results. 68% of the apps don’t check server certificates and 77% ignore SSL errors. According to the CERT, the applications are using vulnerable libraries, such as the Flurry and Chartboost ad libraries. For this reason, Android users are exposed to the risk of attacks. Despite the fact that FireEye the developers about the flaws, the CERT pointed out that only a few companies took steps to secure their products.

As highlighted by the numerous studies of the topic, attackers typically don’t break crypto directly; they operate to exploit a sensitive data exposure flaw. This means that threat actors operate to steal encryption keys, run man-in-the-middle attacks, steal clear text data off the server, while in transit, or from the user’s browser.

The exploitation of sensitive data exposure flaw could be dramatic for every organization in every industry, the principal losses for data breaches are related to the business value of the compromised data and the impact to the reputation of the victim organization.

Sensitive data exposure attacks could be run by any category of attackers, including cyber criminals, state-sponsored hackers and hacktivists, in the majority of case this kind of attacks are part of a first stage offensive that involve also other hacking techniques.

Every organization that manages sensitive data (i.e. healthcare and banking data, personal information) is potentially exposed to the attacks that could involve a large number of users; millions of users are already open to cyber-attacks.

Broken Authentication and Session Management

The exploitation of a broken Authentication and Session Management flaw occurs when an attacker uses leaks or flaws in the authentication or session management procedures (e.g. Exposed accounts, passwords, session IDs) to impersonate other users.

This kind of attack is very common; many groups of hackers have exploited these flaws to access victim’s accounts for cyber espionage or to steal information that could advantage their criminal activities.

As explained by the OWASP, one of the main problems is related to the custom implementation of authentication and session management schemes, in the majority of cases these schemes result flawed and hackers are able to compromise them. This category of flaws affects web applications, in the majority of cases functionalities such as the logout, password management, remember me, timeouts, secret question, and account update are affected by broken authentication vulnerabilities.

The bad news is that once this kind of flaw is successfully exploited, the attacker can impersonate the victim doing anything he could do with the privileges granted to his account.

Unfortunately, the exploitation of a broken Authentication and Session Management flaw is hard to mitigate due to the large number of authentication schemes implemented by each victim. Not all authentication and session management systems are equal, complicating the adoption of best practices on a large scale.

There are several ways to bypass authentication mechanisms, including “Brute-forcing” the targeted account, using a SQL Injection attack, retrieving a session identifier from an URL, relying on the session timeout, reusing an already used session token or compromising a user’s browser.

The most popular attack scenario relies on the session, authentication mechanisms are usually based on tokens associated with each session on the server side. An attacker that is able to retrieve the session identifier could impersonate victims without providing login credentials again.

The possible business impact of broken authentication and session attacks is severe because an attacker could takeover users account and impersonate him to conduct various malicious activities.

Such practice is very common in both cyber-criminal ecosystem and state-sponsored hacking.

Security Misconfiguration

I consider this category of vulnerability the most common and dangerous. It is quite easy to discover web servers and applications that have been misconfigured resulting in opening to cyber-attacks. Below some typical example of security misconfiguration flaws:

    - Running outdated software.
    
    - Applications and products running in production in debug mode or that        still include debugging modules.
    
    - Running unnecessary services on the system.
    
    - Not configuring problems the access to the server resources and services that can result in the disclosure of sensitive information or that can allow an attacker to compromise it.
    
    - Not changing factory settings (i.e. default keys and passwords).
    
    - Incorrect exception management that could disclose system information to the attackers, including stack traces.

    - Use of default accounts.

The exploitation of one of the above scenarios could allow an attacker to compromise a system. Security misconfiguration can occur at every level of an application stack. An attacker can discover that the target is using outdated software or flawed database management systems.

In many cases, it is quite easy for an attacker to search for this kind of vulnerability. The availability of automated scanners on the market allows the detection of systems not correctly configured or correctly patched.
Security misconfiguration vulnerabilities could have a dramatic impact when systems targeted by hackers are widely adopted. For example, the presence on the market of routers with hardcoded credentials or network appliances using default SSH keys that allow an attacker to establish remote and unauthorized connection to the device.

These kind of vulnerabilities could have a severe impact for the new paradigm of the Internet of Things, poorly configured IoT devices could be exploited by hackers to compromise the software they run and recruit them in large “thingbot.”

Recovery cost could be very expensive and the impact on the organizations that are using flawed devices could be severe.
Security misconfiguration is very insidious for any organization and cause incident difficult to mitigate that can have catastrophic impact.

InfoSecInstitute: http://bit.ly/1Ka2Vzp

 

« Combat the Insider Cyber Threat
Cyber-security Startup Darktrace Valued at More Than £60m »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

SecureNow Insurance Broker

SecureNow Insurance Broker

SecureNow is a commercial insurance broker based in India. Services offered include Cyber Risk insurance.

Kenna Security

Kenna Security

Kenna Security is a risk intelligence & vulnerability management platform that helps prioritize and remediate vulnerabilities.

MixMode

MixMode

MixMode's PacketSled platform delivers network monitoring, deep forensic analysis and incident response.

NordForsk

NordForsk

NordForsk facilitates and provides funding for Nordic research cooperation and research infrastructure. Project areas include digitalisation and digital security.

Verlingue

Verlingue

Verlingue (formerly ICB Group) is a leading corporate insurance broker providing Insurance, Risk Management and related advice to businesses and private clients.

SIGA

SIGA

SIGA provides cyber security solutions for Industrial Control Systems SCADA systems used in critical infrastructures and industrial processes.

Echoworx

Echoworx

Echoworx primary and exclusive focus is providing organizations with secure email services.

Right-Hand Cybersecurity

Right-Hand Cybersecurity

Right-Hand Cybersecurity empowers businesses to monitor, measure and mitigate employee induced cyber risks in real-time.

Forum Systems

Forum Systems

Forum Systems is a global leader in API Security Management with industry-certified, patented, and proven products deployed in the most rigorous and demanding customer environments.

Defensity

Defensity

Defensity offer bespoke & pre packaged IT Security Solutions for Small business to help companies reduce overall IT related risk.

Intellias

Intellias

Intellias is a trusted technology partner to top-tier organizations and digital natives helping them accelerate their pace of sustainable digitalization.

ProLion

ProLion

ProLion provides Data Integrity solutions that ensure organisations’ data remains secure, compliant, manageable and accessible.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

Cyber Bytes Foundation

Cyber Bytes Foundation

Cyber Bytes Foundation exists to establish and sustain a unique Cyber Ecosystem to accelerate the development of a strong Cyber workforce and support community outreach programs.

Sealing Technologies (SealingTech)

Sealing Technologies (SealingTech)

SealingTech is a leader in cutting edge research, products, engineering, and integration services in the Internet of Things, Edge, Machine Learning, Artificial Intelligence, and Cloud.

Bastazo

Bastazo

Bastazo provides tools for vulnerability and patch management. Focus your cybersecurity operations on vulnerabilities with the highest risk of exploitation.