The most common causes of these breaches are weak or stolen credentials, application vulnerabilities, malware, and malicious insiders or insider error. However, much of what companies focus on is the elaborate attack possibilities. It can be tempting to buy the latest software or focus on the shiniest, newest technology. Yet most of the data breaches and attacks we continue to see employ the most basic tactics. The nature of cybersecurity is complex. This article will explore some well-known attacks that occurred because of the above-mentioned types of vulnerabilities, how they were handled, and what companies should focus on to get “back to basics” when securing their infrastructure.
The Colonial Pipeline Breach
The Colonial Pipeline attack in early 2021 was unprecedented. This attack on infrastructure took down the largest fuel pipeline in the United States and led to fuel shortages across the East Coast. While it seems that it would take an elaborate strategy to accomplish this takedown, the company was breached due to three fundamental security flaws: stolen credentials, an outdated VPN, and failure to use Multi-Factor Authentication (MFA).
Compromised or stolen credentials occur when user information, such as usernames and passwords, is accessed by unauthorized actors. This commonly happens when victims fall prey to phishing attempts and enter their login credentials on malicious sites. If these credentials have privileged access, they can potentially give elevated or administrative access to an attacker. Additionally, it is not just users who hold credentials – servers, network devices, and other tools often have their own credentials. These machine-to-machine communications can allow lateral movement through an enterprise.
The VPN account that these credentials belonged to was no longer in use at Colonial Pipeline, but it was still active and could still be used to access Colonial’s network.
In addition, this VPN account did not use any form of MFA, so the network could be accessed solely using the username and password for the account.
The entire pipeline needed to be shut down due to ransomware on the network, which interrupted the almost 2.5 million barrels of fuel the company transports via the pipeline.
Common usernames and weak passwords can also lead to compromised credentials, so it is essential that an enterprise has effective password policies. Additionally, password sharing across services can easily cause an application to be vulnerable. Finally, MFA should be implemented to reduce the chances of credentials falling into the wrong hands.
The Equifax Data Breach
The Equifax data breach occurred in 2017. The company was compromised, exposing records of 147.9 million Americans as well as 15.2 million British citizens and about 19,000 Canadians.
Again, similarly to Colonial Pipeline, a few key events occurred. A vulnerability in third-party software, Apache Struts, was exploited. A patch for this particular vulnerability had been issued; however, Equifax had not applied it. The hackers were able to gain access to the network, perform scans, and ultimately compromise 34 servers in 20 different countries. The lack of patching was a critical failure, but it was later found that the network was not segmented, making lateral movement easy for the attackers. What’s more, there was ineffective encryption for Personally Identifiable Information (PII), and breach detection failed to do its job.
Missing or poor encryption can lead to sensitive information being transmitted in plaintext or protected only by weak cryptographic ciphers. This implies that an adversary intercepting data in storage, in transit, or during processing could access sensitive data, using brute force approaches to break weak encryption where needed.
Patching vulnerabilities is a critical action that should not be overlooked. It is easy to overlook legacy or unsupported technology and focus on newer technologies and vulnerabilities. However, the majority of exploited vulnerabilities are those that have existed for some time.
All the tools in the world will not help if an organization does not have a good security posture. The solution is not complex; it is about simplifying in order to strengthen security. A robust cybersecurity posture can be accomplished by focusing on seven separate areas.
What is a Strong Security Posture?
Visibility
Visibility of infrastructure and assets is crucial because they need to be seen to be protected. Technical visibility is understanding where threats and vulnerabilities exist in an enterprise. Operational visibility covers the operations of an enterprise and the compliance requirements and processes that go with them. Organizational visibility is understanding potential threats against intellectual property, brand, or reputation. All three combined make up the visibility landscape necessary for an organization.
Risk Management
Risk Management in cybersecurity is having a holistic understanding of an organization’s threats. A robust risk management program encompassing cyber risk assessments and responses is necessary to have a strong cybersecurity posture. Often, organizations will follow standards and frameworks like those published by NIST.
Access Management
Access Management is the action of authenticating, authorizing, and auditing users and their access to systems and applications. Understanding who has access to what helps rein in the sprawl of large systems and allows for fine-grained access control.
Vulnerability Management
Vulnerability Management is the entire process of detecting, analyzing, and remediating security vulnerabilities in systems and in any software or products that utilize them.
Security Controls
Security Controls are guardrails put in place to detect or mitigate security risks to computer systems, infrastructure, or any other assets.
Incident Response
Incident Response is the method by which an organization can detect, respond to, and recover from a security incident.
Security Education, Training, & Awareness
End users are a weak link in security, as there is always room for human error. Security awareness training is vital to help mitigate breaches in this area.
Web Application Vulnerabilities
According to Verizon, web application breaches account for 43% of all breaches and have doubled since 2019. The global number of web attacks blocked per day increased by 56.1% between 2017 and 2018. Web application attacks continue to overshadow other attack vectors completely.
Because so many attacks employ web application attack vectors, it is also prudent to focus on the top vulnerabilities in that area from a technological aspect. The OWASP Top Ten is a framework that lists the ten most critical and widely exploited security risks to web applications; addressing them is an effective way to secure critical assets. Below is a summary of the Top Ten:
Broken Access Control
Access control ensures that users cannot perform actions that they are not permitted to. Failure to appropriately control access can result in a user performing actions outside their limits or unauthorized information disclosure, modification, or destruction of data.
Cryptographic Failures
An essential aspect of data protection is data encryption in transit and at rest. Passwords, credit card numbers, health records, personal information, and business secrets require extra protection, especially if that data falls under pertinent privacy laws.
Injection Flaws
These result from a failure to filter untrusted input. They can happen when unfiltered data is passed to a server or a browser. Attackers can inject commands into these entities, resulting in loss of data and hijacking of client browsers.
Insecure Design
These are design flaws that a perfect implementation cannot fix. Needed security controls were never created to defend against specific attacks.
Security Misconfiguration
Software is becoming more customizable, which allows for more room for error. An application can be vulnerable if it is missing security hardening, has unnecessary features enabled, uses default accounts and passwords, reveals too much information in error messages, does not have the latest security features enabled, or is out of date and vulnerable.
Vulnerable and Outdated Components
An organization is likely vulnerable if it does not know the versions of all used components (both client-side and server-side), including nested dependencies. Software may be vulnerable, unsupported, or out of date.
Identification and Authentication Failures
Confirmation of user identity, authentication, and session management is critical to protect against authentication-related attacks. This weakness can occur if the application permits automated attacks like credential stuffing or permits brute force attacks. Additionally, the application is vulnerable if it uses weak or ineffective credential recovery, lacks MFA, exposes session identifiers in the URL, or reuses the session ID after successful login.
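Two of the session weaknesses listed above (reusing the session ID after login, and carrying the identifier in the URL) can be closed with a few lines of server-side logic. The following is an added example, not code from the article or from any product it mentions; the in-memory store, the cookie name `sid` and the one-hour lifetime are assumptions made for the illustration.

```python
import secrets
import time
from urllib.parse import urlparse, parse_qs

# Constructed in-memory session store: session_id -> {"user": ..., "issued": ...}
SESSIONS = {}
SESSION_TTL = 3600  # seconds; assumed lifetime for this example

def new_session(user=None):
    """Issue a fresh, unpredictable session identifier (256 bits of entropy)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "issued": time.time()}
    return sid

def login(pre_auth_sid, user):
    """On successful authentication, discard the pre-login session ID and issue a new one.
    Keeping the pre-auth ID would let anyone who planted or observed it (session
    fixation) inherit the authenticated session."""
    SESSIONS.pop(pre_auth_sid, None)  # invalidate the old identifier server-side
    return new_session(user)

def session_id_from_request(cookies, url):
    """Accept the session ID only from a cookie, never from the URL.
    IDs in query strings leak through Referer headers, proxy logs and browser history."""
    qs = parse_qs(urlparse(url).query)
    if "sid" in qs or "session" in qs:
        return None  # refuse requests that carry the identifier in the URL
    return cookies.get("sid")

def current_user(sid):
    """Resolve a session ID to a user, honouring expiry."""
    entry = SESSIONS.get(sid)
    if entry is None or time.time() - entry["issued"] > SESSION_TTL:
        SESSIONS.pop(sid, None)
        return None
    return entry["user"]
```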
Software and Data Integrity Failures
An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, or system compromise. This occurs when code and infrastructure do not prevent integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and CDNs. Applications also often include auto-update functionality, where updates are downloaded without sufficient integrity verification and applied to the previously trusted application. Attackers could potentially upload their own updates to be distributed and run on all installations.
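The integrity verification this paragraph says is missing from many auto-update and CDN flows amounts to pinning a digest at build time and refusing to install anything that does not match it. The block below is an added example, not the article’s code; the lockfile dictionary, the package name and the artifact bytes are constructed for the illustration.

```python
import base64
import hashlib
import hmac

# Constructed lockfile: artifact name -> SHA-256 the build pinned. In practice these
# digests come from the project's own lockfile (pip --hash, package-lock "integrity",
# SRI attributes); here the value is computed from the sample bytes used in the test.
PINNED_DIGESTS = {
    "widget-lib-1.4.2.tar.gz":
        hashlib.sha256(b"widget-lib 1.4.2 release tarball (constructed)").hexdigest(),
}

class IntegrityError(Exception):
    """Raised when an artifact must not be installed."""

def verify_artifact(name, data):
    """Return True only if `data` matches the digest pinned for `name`.
    Unpinned artifacts are refused rather than trusted: an update channel or CDN
    that serves something unexpected must fail closed."""
    expected = PINNED_DIGESTS.get(name)
    if expected is None:
        raise IntegrityError(f"{name}: no pinned digest, refusing to install")
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison so the check does not leak how much of the digest matched.
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(f"{name}: digest mismatch, refusing to install")
    return True

def install_update(name, data, apply_fn):
    """Hand the bytes to the installer (apply_fn) only after verification succeeds."""
    verify_artifact(name, data)
    return apply_fn(name, data)

def sri_integrity_value(data):
    """Subresource Integrity value for a script or stylesheet loaded from a CDN,
    so the browser rejects the file if the CDN serves different bytes."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()
```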
Security Logging and Monitoring Failures
Failure to log is a failure to detect. This occurs when auditable events are not logged or are not monitored for suspicious activity, when appropriate alerting thresholds and response escalation processes are not in place or not effective, or when the application cannot detect, escalate, or alert on active attacks in real time or near real time.
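The alerting threshold and escalation this paragraph calls for, run over authentication events, also covers the credential-stuffing and brute-force weaknesses listed under Identification and Authentication Failures. The block is an added example, not the article’s code; the log format, the window, the thresholds and the log lines themselves are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application auth log (format assumed for this example), one event per line.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth result=fail user=alice src=203.0.113.7
2024-03-01T10:00:02Z auth result=fail user=bob src=203.0.113.7
2024-03-01T10:00:03Z auth result=fail user=carol src=203.0.113.7
2024-03-01T10:00:04Z auth result=fail user=dave src=203.0.113.7
2024-03-01T10:00:05Z auth result=fail user=erin src=203.0.113.7
2024-03-01T10:00:06Z auth result=success user=erin src=203.0.113.7
2024-03-01T10:05:00Z auth result=fail user=alice src=198.51.100.4
2024-03-01T10:30:00Z auth result=success user=alice src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) auth result=(\w+) user=(\S+) src=(\S+)$")
WINDOW = timedelta(minutes=5)         # sliding window per source address
FAIL_THRESHOLD = 5                    # failures in WINDOW that trigger an alert
STUFFING_USERS = 3                    # distinct usernames that mark credential stuffing

def parse(log_text):
    """Turn log lines into (timestamp, result, user, src) tuples; skip lines that do not parse."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect(events):
    """Count failures per source inside a sliding window. Crossing the threshold raises a
    high-severity alert (credential stuffing if many usernames were tried, brute force
    otherwise); a later success from a flagged source escalates to critical."""
    alerts, fails, flagged = [], defaultdict(list), set()
    for ts, result, user, src in sorted(events):
        recent = [(t, u) for t, u in fails[src] if ts - t <= WINDOW]  # drop stale failures
        if result == "fail":
            recent.append((ts, user))
            if len(recent) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                kind = "credential_stuffing" if len({u for _, u in recent}) >= STUFFING_USERS else "brute_force"
                alerts.append({"src": src, "kind": kind, "severity": "high", "at": ts})
        elif src in flagged:
            alerts.append({"src": src, "kind": "success_after_burst", "user": user, "severity": "critical", "at": ts})
        fails[src] = recent
    return alerts
```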
Server-Side Request Forgery (SSRF)
Server-Side Request Forgery (SSRF) flaws occur when a web application fetches a remote resource without validating the user-supplied URL, allowing the request to be steered at destinations the application never intended to contact.
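Validating the user-supplied URL before the server fetches it is the mitigation, and it takes more than a string check. The following is an added example, not the article’s code: an allowlist policy (the hosts, scheme and port are assumptions) combined with a check that the name actually resolves to a public address, with the resolver injectable so the check can be tested offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy for this example: only these hosts may be fetched on a user's behalf.
ALLOWED_HOSTS = {"images.example.com", "api.partner.example"}
ALLOWED_SCHEMES = {"https"}

def _is_public(ip):
    """True for globally routable addresses; private, loopback, link-local and other
    special ranges are rejected (Python also classes the RFC 5737 test nets as private)."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def validate_fetch_url(url, resolve=socket.gethostbyname):
    """Return the URL if it is safe to fetch server-side, otherwise raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in the URL are not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:          # IP literals never appear in the allowlist
        raise ValueError(f"host not in allowlist: {host!r}")
    if parts.port not in (None, 443):
        raise ValueError(f"port not allowed: {parts.port}")
    # A permitted name can still point at an internal range (misconfiguration or DNS
    # rebinding), so check the resolved address; real code should then connect to the
    # address it checked rather than resolving a second time.
    ip = resolve(host)
    if not _is_public(ip):
        raise ValueError(f"{host} resolves to non-public address {ip}")
    return url
```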
Summary
The key to fewer data breaches is getting back to basics—focusing on simpler security measures. If a corporation can establish a robust security posture and implement mitigations for the most commonly exploited web application vulnerabilities, that is an excellent start toward avoiding a data breach.
Gabrielle Hempel