Vulnerabilities and Security Concerns

Vulnerabilities can occur at any level of the OSI model, each with a distinct set of associated security concerns.

Cloud-Based vs. On-Premise Vulnerabilities

Vulnerabilities to a network can exist at both the cloud and on-premise levels. In a cloud-based network, the physical security of the cloud is managed by the cloud provider. The cloud user, however, is responsible for the security of their network in the cloud. For example, the cloud user is responsible for proper authentication protocols, configurations, and patch management of the resources it houses in the cloud.

With on-premise security, the host is responsible for all security measures, both physical and technical. This includes security against unauthorized access to the physical components of the network as well as firewalls, patch management, protocols, and configurations.

Zero-Day

A zero-day threat is a threat that has not yet been identified, or has been identified but not yet remediated through patches or updates.

Weak Configurations

Weak configurations, whether in applications, devices, or settings, are the most common security vulnerability in a system.

open permissions—Open permissions allow a user to access data beyond their correct permission level. They defy the principle of least privilege.

insecure root accounts—An insecure root account is a primary account, with access to all functions and configurations of a system or device, that has not been secured. Insecure root accounts can be used to access any part of the network.

errors—Error messages are generated when a function does not run as expected. The information in an error message can be viewed through debugging programs and can give a threat actor valuable insight into the inner workings of the network.
weak encryption—Weak encryption can occur in one of two ways: by implementing encryption that is easy to crack because of known vulnerabilities, or through improper key management. Improper key management can give a threat actor access to the key that decrypts the applied encryption method.

insecure protocols—Insecure protocols can be exploited by threat actors to gain access to a network. For example, the File Transfer Protocol (FTP) is a widely used yet highly insecure protocol that can be easily accessed by threat actors. Protocols should employ secure encryption to ensure security both in transit and at rest.

default settings—Default settings are a common vulnerability. When a product such as a router is initially installed, it may be set with a generic default password. This default password is often widely available from the manufacturer. Default settings should always be changed and never left in their default state.

open ports and services—Open ports and services allow for easy access to a network. Only ports and services essential to the network should be open, with all unnecessary ports closed.

Third-Party Risks

Third-party risks are the risks associated with allowing outside contractors, vendors, products, and services access to the network. They can be easily exploited without proper management.

Vendor Management

Vendor management is the process of integrating a vendor-specific product into the network. Vendor management security concerns arise when the system integration is not compatible with the host system, leading to the need for workarounds. A lack of vendor support may also lead to security vulnerabilities. Vendor support is the responsiveness of the vendor to concerns raised by the host. This can particularly be an issue with older software and operating systems.
For example, Microsoft no longer provides support for Windows 7, so if you are using that OS on the network, any vulnerabilities or threats against it will not be addressed or patched.

Supply Chain

Supply chain risks occur when the supply chain is insecure, as, for example, when a host receives switches from a third party. While in transit to the host location, the ordered switches can be intercepted and injected with malware prior to delivery. This is a supply chain vulnerability.

Outsourced Code Development

Outsourced code development is the practice of using third parties to generate code, or using open-source code in code development. The concern with this practice is that the code itself can be injected with malicious code.

Data Storage

Data storage vulnerabilities include weak encryption of data at rest, weak authentication protocols for data access, improper data deletion, and weak input validation for data requests.

Improper or Weak Patch Management

Patch management is the process of keeping track of and regularly installing software and hardware patches. Patches are released by developers to address known vulnerabilities within the software. With weak or improper patch management, however, a released patch may not be installed, leaving the network open to attack.

Firmware

Firmware is a software program that provides low-level control of hardware devices. Firmware that is not properly patched can leave the hardware open to attack.

Operating System (OS)

The OS is the center of the computer system and manages all software, memory, and hardware components. The OS can access every aspect of the software and hardware it is attached to. Developers of OSs such as Windows and Mac release patches and updates regularly to address known vulnerabilities and operational concerns. An unpatched OS leaves the entire system open to attack.

Applications

Applications are the installed programs on a network.
Applications run on their own program files, which can be vulnerable to attack if not properly patched. Improperly patched applications can be an entry point into the entire network.

Legacy Platforms

Legacy platforms are platforms that are no longer supported by the developer. This means that no new patches or updates will be available for download. Legacy platforms are often incompatible with more secure protocols, which means that to run a legacy platform, the protocols it uses will have to be downgraded to a less secure protocol. Legacy platforms, if necessary, should be run in an environment isolated from the main network.

Impacts

The impact of an attack can vary from minor to highly detrimental to the affected network or company. Impacts can also be highly costly, both in monetary and reputational terms.

data loss—Data loss refers to when data is lost and no longer available to the network. This occurs when data has been deleted, physically destroyed, encrypted by a threat actor, or frozen due to a system failure or an attack such as a ransomware attack. Data loss can be minimized by maintaining a regular backup schedule.

data breaches—A data breach is the exposure of information to an unauthorized party. A data breach can have a far-reaching impact on a company's finances, reputation, operations, and/or compliance.

data exfiltration—Data exfiltration is the act of copying or removing data from a network to a secondary location by an unauthorized user.

identity theft—When data is exfiltrated or breached, the garnered information can be used by the attacker to engage in identity theft.

financial—Financial impacts are the monetary repercussions accrued by an attack. Financial impacts can be minor or significant depending on the size of the breach.

reputational—Reputational impacts are the damage incurred by a company after an attack or data breach.
For example, data breaches are regulated, and companies are required to disclose a data breach to the victims involved within a certain time frame. This can have a massive impact on the perceived security of the company, resulting in a loss of revenue due to consumer backlash.

availability loss—Availability loss occurs when a network is unavailable for use. For example, when a large company such as Facebook or Google suffers an availability loss, millions of dollars in revenue can be lost while the website is down.
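The Weak Configurations section above lists seven configuration classes as prose. The following is an added example, not part of the original notes, of how a defender turns that list into a concrete audit: it parses a constructed key = value device configuration and applies one check per class (default credentials, an unsecured root account, cleartext protocols, ports beyond an allowlist, permissions granted to everyone, broken ciphers or short keys, and verbose error output). The configuration text, the credential and protocol lists, the required-port set, and the key-size threshold are all assumptions chosen for illustration; no real product's settings are shown.

```python
"""Added example: audit a constructed device configuration for the weak-configuration
classes named above (open permissions, insecure root accounts, verbose errors, weak
encryption, insecure protocols, default settings, open ports and services)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample configuration in key = value form; it is not from any real product.
SAMPLE_CONFIG = """
# hypothetical edge-router configuration (constructed)
admin.user = admin
admin.password = admin
root.password =
services.enabled = ssh, ftp, telnet, https
listen.ports = 22, 21, 23, 443, 8080
share.public.permissions = everyone:rwx
tls.cipher = RC4-SHA
ssh.key_bits = 1024
debug.verbose_errors = on
"""

# Assumed policy inputs: factory credential pairs to refuse, cleartext protocols to
# flag, cipher names considered broken, and the ports this network actually needs.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
INSECURE_PROTOCOLS = {"ftp", "telnet", "http", "snmpv1"}
WEAK_CIPHERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")
REQUIRED_PORTS = {22, 443}
MIN_KEY_BITS = 2048


@dataclass
class Finding:
    category: str   # which weak-configuration class the finding belongs to
    detail: str     # what was found, for the remediation ticket


def parse_config(text: str) -> dict[str, str]:
    """Parse 'key = value' lines, skipping blank lines and # comments."""
    conf: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def split_list(value: str) -> list[str]:
    """Split a comma-separated value into its non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit(conf: dict[str, str]) -> list[Finding]:
    """Apply one check per weak-configuration class and collect the findings."""
    findings: list[Finding] = []

    # default settings: administrative credentials still at a factory default
    creds = (conf.get("admin.user", ""), conf.get("admin.password", ""))
    if creds in DEFAULT_CREDENTIALS:
        findings.append(Finding("default settings", f"admin account uses factory credentials ({creds[0]})"))

    # insecure root account: root reachable with an empty password
    if conf.get("root.password") == "":
        findings.append(Finding("insecure root account", "root has an empty password"))

    # insecure protocols: cleartext services enabled
    for svc in split_list(conf.get("services.enabled", "")):
        if svc.lower() in INSECURE_PROTOCOLS:
            findings.append(Finding("insecure protocol", f"{svc} is enabled and carries credentials in cleartext"))

    # open ports and services: anything listening beyond the required set
    ports = {int(p) for p in split_list(conf.get("listen.ports", ""))}
    for port in sorted(ports - REQUIRED_PORTS):
        findings.append(Finding("open port", f"port {port} is listening but not required"))

    # open permissions: a share or path granted to everyone
    for key, value in conf.items():
        if key.endswith(".permissions") and value.lower().startswith("everyone:"):
            findings.append(Finding("open permissions", f"{key} grants {value} to everyone"))

    # weak encryption: broken cipher suite or undersized key
    cipher = conf.get("tls.cipher", "")
    if any(weak in cipher.upper() for weak in WEAK_CIPHERS):
        findings.append(Finding("weak encryption", f"cipher {cipher} uses a broken algorithm"))
    bits = conf.get("ssh.key_bits")
    if bits is not None and int(bits) < MIN_KEY_BITS:
        findings.append(Finding("weak encryption", f"ssh key of {bits} bits is below {MIN_KEY_BITS}"))

    # errors: verbose error output exposes internals to whoever triggers a fault
    if conf.get("debug.verbose_errors", "off").lower() == "on":
        findings.append(Finding("errors", "verbose error messages are enabled"))

    return findings


def audit_text(text: str) -> list[Finding]:
    """Convenience wrapper: parse then audit."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print(f"[{finding.category}] {finding.detail}")
```

Run as a script, the sample configuration produces eleven findings across all seven classes. The allowlist approach for ports (flag everything not in REQUIRED_PORTS rather than maintaining a list of bad ports) mirrors the note's advice that only essential ports should be open; the same inversion applies to services and permissions.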
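The Improper or Weak Patch Management and Legacy Platforms sections above describe two related gaps: a patch that exists but was never installed, and a platform for which no patch will ever exist. The following added example (not from the original notes) shows the bookkeeping that separates the two: it compares a constructed software inventory against a constructed vendor catalogue of latest patched versions and end-of-support dates, labelling each host "unpatched", "legacy", or both. The product names, version strings, hostnames and the reference date are assumptions; the Windows 7 end-of-support date is the real one mentioned in the notes, the rest is illustrative.

```python
"""Added example: flag unpatched and legacy (end-of-support) software in an inventory."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Product:
    name: str
    latest_version: str            # newest patched release the vendor offers
    end_of_support: date | None    # None means the vendor still supports it


# Constructed vendor catalogue; versions and most dates are illustrative only.
CATALOGUE = {
    "edge-router-fw": Product("edge-router-fw", "3.4.2", None),
    "legacy-erp": Product("legacy-erp", "9.1", date(2022, 6, 30)),
    "office-suite": Product("office-suite", "16.0.5", None),
    "Windows 7": Product("Windows 7", "6.1.7601", date(2020, 1, 14)),
}

# Constructed inventory: (hostname, product, installed version).
INVENTORY = [
    ("fw-01", "edge-router-fw", "3.4.2"),
    ("fw-02", "edge-router-fw", "3.2.0"),
    ("erp-db", "legacy-erp", "9.1"),
    ("kiosk-7", "Windows 7", "6.1.7601"),
    ("ws-12", "office-suite", "16.0.3"),
]

# Constructed "today" so the example is deterministic.
REFERENCE_DATE = date(2024, 1, 1)


def version_key(version: str) -> tuple[int, ...]:
    """Turn '3.10.0' into (3, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def assess(inventory, catalogue, today: date | None = None) -> dict[str, list[str]]:
    """Return, per host, the risk labels that apply: 'unpatched', 'legacy', or both."""
    today = today or REFERENCE_DATE
    report: dict[str, list[str]] = {}
    for host, product, installed in inventory:
        labels: list[str] = []
        entry = catalogue.get(product)
        if entry is None:
            # Software nobody tracks cannot be patched on schedule: that is itself a gap.
            labels.append("unknown product")
        else:
            if version_key(installed) < version_key(entry.latest_version):
                labels.append("unpatched")          # a fix exists; it was never applied
            if entry.end_of_support is not None and entry.end_of_support <= today:
                labels.append("legacy")             # no fix will come; isolate the host
        report[host] = labels
    return report


if __name__ == "__main__":
    for host, labels in assess(INVENTORY, CATALOGUE).items():
        print(f"{host}: {', '.join(labels) or 'current'}")
```

The distinction matters for remediation: an "unpatched" host goes onto the patch schedule, while a "legacy" host has no patch to wait for and, as the notes say, belongs in an isolated network segment. Comparing versions as integer tuples avoids the classic mistake of treating "3.10.0" as older than "3.9.9".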