From the Winter 2022 Issue

Back to Basics: The Vulnerabilities You’re Overlooking

Gabrielle Hempel
Systems Engineer | RSA Security

By now, data breaches are commonplace. Almost every day, there seems to be a new one—it has become a regular occurrence. Often, these breaches involve ransomware, which has become a much larger problem in recent years. Ransomware is concerning because it preys upon both Information Technology (IT) and Operational Technology (OT), which is disruptive to the business’s operations and, in some cases, can cause severe financial damage. The global average cost of a data breach is $3.86 million.

The most common causes of these breaches are weak or stolen credentials, application vulnerabilities, malware, and malicious insiders/insider error. However, much of what companies focus on is the elaborate attack possibilities. It can be tempting to buy the latest software or focus on the shiniest, newest technology. Yet, most data breaches and attacks we continue to see continually employ the most basic tactics. The nature of cybersecurity is complex. This article will explore some well-known attacks that have occurred due to the above-mentioned types of vulnerabilities, how they were handled, and what companies should focus on to get “back to basics” when securing their infrastructure.

The Colonial Pipeline Breach

The Colonial Pipeline attack in early 2021 was unprecedented. This attack on infrastructure took down the largest fuel pipeline in the United States and led to fuel shortages across the East Coast. While it seems that it would take an elaborate strategy to accomplish this takedown, the company was breached due to three fundamental security flaws: stolen credentials, an outdated VPN, and failure to use Multi-Factor Authentication (MFA). 

Compromised or stolen credentials occur when user information, such as usernames and passwords, is accessed by unauthorized actors. This commonly happens when victims fall prey to phishing attempts and enter their login credentials on malicious sites. If these credentials have privileged access, they can potentially give elevated or administrative access to an attacker. Additionally, it is not just users who hold credentials – servers, network devices, and other tools often have their own credentials. These machine-to-machine communications can allow lateral movement through an enterprise. 
…most data breaches and attacks we continue to see 
continually employ the most basic tactics.
The credentials for the user that was compromised during the Colonial Pipeline attack were later discovered on a forum on the Dark Web. This could be how hackers obtained these credentials, although investigators have not confirmed this yet. 

The VPN account that these credentials accessed was no longer in use at Colonial Pipeline, but it was still active and could still be used to access Colonial’s Network. 

In addition, this VPN account did not use any form of MFA, so the network could be accessed solely using the username and password for the account. 

The entire pipeline needed to be shut down due to ransomware on the network, which interrupted the company’s almost 2.5 million barrels of the fuel being transported via the pipeline. 

Common usernames and weak passwords can also lead to compromised credentials, so it is essential that an enterprise has effective password policies. Additionally, password sharing across services can easily cause an application to be vulnerable. Finally, MFA should be implemented to reduce the chances of credentials falling into the wrong hands.

The Equifax Data Breach

The Equifax data breach occurred in 2017. The company was compromised, exposing records of 147.9 million Americans as well as 15.2 million British citizens and about 19,000 Canadians. 

Again, similarly to Colonial Pipeline, a few key events occurred. A third-party software called Apache Struts was exploited. This particular exploit had a patch issued; however, Equifax had not applied it. The hackers were able to gain access to the network, perform scans and ultimately compromise 34 servers in 20 different countries. The lack of patching was a critical failure, but it was later found that the network was not segmented, leading to ease of lateral movement for the attackers. What’s more, there was ineffective encryption for Personally Identifiable Information (PII) and breach detection that failed to do its job. 

Missing or poor encryption can lead to sensitive information being transmitted in plaintext or weak cryptographic ciphers. This implies that an adversary intercepting data storage, communication, or processing could access sensitive data using brute force approaches to break weak encryption.



Patching vulnerabilities is a critical action that should not be overlooked. It is easy to overlook legacy or unsupported technology and focus on newer technologies and vulnerabilities. However, the majority of exploited vulnerabilities are those that have existed for some time. 



All the tools in the world will not help if an organization does not have a good security posture. The solution is not complex; it is about simplifying in order to strengthen security. A robust cybersecurity posture can be accomplished by focusing on seven separate areas.


What is a Strong Security Posture?

Visibility

Visibility of infrastructure and assets is crucial because they need to be seen to be protected. Technical visibility surrounds understanding where threats and vulnerabilities exist in an enterprise. Operational visibility surrounds the operations of an enterprise and the compliance and processes that are also encompassed within. Organizational visibility understands potential threats against intellectual property, brand, or reputation. All three of these combined make up the visibility landscape necessary for an organization.

Risk Management

Risk Management in cybersecurity is having a holistic understanding of an organization’s threats. A robust risk management program encompassing cyber risk assessments and responses is necessary to have a strong cybersecurity posture. Often, organizations will follow standards and frameworks like NIST. 

Access Management

Access Management is the action of authenticating, authorizing, and auditing users and their access to systems and applications. Understanding who has access to what helps rein in the sprawl of large systems and allows for fine-grained access control.

Vulnerability Management

Vulnerability Management is the entire process of detecting, analyzing, and remediating security vulnerabilities in systems and in any software or products that utilize them.

Security Controls

Security Controls are guardrails put in place to detect or mitigate security risks to computer systems, infrastructure, or any other assets.

Incident Response

Incident Response is the method by which an organization can detect, respond to, and recover from a security incident.

Security Education, Training, & Awareness

End users are a weak link in security, as there is always room for human error. Security awareness training is vital to help mitigate breaches in this area.

Web Application Vulnerabilities

According to Verizon, web application breaches account for 43% of all breaches and have doubled since 2019. The global number of web attacks blocked per day increased by 56.1% between 2017 and 2018. Web application attacks continue to shadow other attack vectors completely. 

Because so many attacks employ web application attack vectors, it is also prudent to focus on the top vulnerabilities in that area from a technological aspect. The OWASP Top Ten is a framework that focuses on the top ten most critical and widely-exploited security risks to web applications and effectively secures critical assets. Below is a summary of the Top Ten:

  1. Broken Access Control
    Access control ensures that users cannot perform actions that they are not permitted to. Failure to appropriately control access can result in a user performing actions outside their limits or unauthorized information disclosure, modification, or destruction of data.
  1. Cryptographic Failures
    An essential aspect of data protection is data encryption in transit and at rest. Passwords, credit card numbers, health records, personal information, and business secrets require extra protection, especially if that data falls under pertinent privacy laws.
  1. Injection Flaws
    These result from a failure to filter untrusted input. It can happen when unfiltered data is passed to a server or a browser. Attackers can inject commands to these entities, resulting in loss of data and hijacking of client browsers.
  1. Insecure Design
    These are design flaws that a perfect implementation cannot fix. Needed security controls were never created to defend against specific attacks.
  1. Security Misconfiguration
    Software is becoming more customizable, which allows for more room for error. An application can be vulnerable if it is missing security hardening, has unnecessary features enabled, uses default accounts and passwords, reveals too much information in error messages, does not have the latest security features enabled, or is out of date and vulnerable.
  1. Vulnerable and Outdated Components
    An organization is likely vulnerable if they do not know the versions of all used components (both client-side and server-side), including nested dependencies. Software may be vulnerable, unsupported, or out of date.
  1. Identification and Authentication Failures
    Confirmation of user identity, authentication, and session management is critical to protect against authentication-related attacks. This weakness can happen if the application permits automated attacks like credential stuffing or permits brute force attacks. Additionally, the application is vulnerable if it uses weak or ineffective credential recovery, has missing or no MFA, exposes session identifier in the URL, or reuses the session ID after successful login.
  1. Software and Data Integrity Failures
    An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, or system compromise. This occurs when code and infrastructure do not prevent integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and CDNs. Applications also often include auto-update functionality, where updates are downloaded without sufficient integrity verification and applied to the previously trusted application. Attackers could potentially upload their own updates to be distributed and run on all installations.
  1. Security Logging and Monitoring Failures
    Failure to log is a failure to detect. This occurs when auditable events are not logged or are not monitored for suspicious activity, appropriate alerting thresholds and response escalation processes are not in place or effective, and if the application cannot detect, escalate, or alert for active attacks in real-time or near real-time.
  1. Server-Side Request Forgery (SSRF)
    Server-Side Request Forgery (SSRF) flaws occur when a web application fetches a remote resource without validating the user-supplied URL.

Summary

The key to fewer data breaches is getting back to basics—focusing on more simple security measures. If a corporation can establish a robust security posture and implement mitigations for the most commonly exploited web application vulnerabilities, that is an excellent start to avoid a data breach.  lock

Gabrielle Hempel

Leave a Comment