Which type of security assessment notifies the customer of vulnerabilities but does not actively or intentionally exploit them?

A security vulnerability is defined as an unintended characteristic of a computing component or system configuration that multiplies the risk of an adverse event or a loss occurring either due to accidental exposure, deliberate attack, or conflict with new system components. This article explains the definition and types of security vulnerabilities and shares some best practices for 2021.

Table of Contents

What Is a Security Vulnerability?

A security vulnerability is an unintended characteristic of a computing component or system configuration that multiplies the risk of an adverse event or a loss occurring either due to accidental exposure, deliberate attack, or conflict with new system components.

By its very definition, a vulnerability can be fixed using a software patch, reconfiguration, user training, firmware update, or hardware replacement, unlike a security risk that might be inevitable. As digital systems evolve, new vulnerabilities emerge along with it. It is important not to take your systems’ security and health for granted, which could leave the enterprise exposed to potential cyber threats. 

Instead, it is advisable to: 

• • Proactively monitor for vulnerabilities in your security processes, application code, infrastructure configurations, and user behavior. 
  • Prioritize vulnerabilities and fix them, basis the severity of the potential attack, in partnership with external security researchers, software providers, and infrastructure vendors. 
  • Disclose vulnerabilities in a controlled manner to avoid litigation risks while also not giving away so much information that a criminal becomes aware of and takes advantage of the vulnerability. 
  • Contribute vulnerability data to third-party threat intelligence data feeds to help the global InfoSec community gain from their collective intelligence. 

Most importantly, it is essential for enterprises to take ownership of vulnerabilities, even if they are inadvertent and inevitable. This reassures users and customers that you value their data security and privacy. 

Learn More: Whaling vs. Spear Phishing: Key Differences and Similarities

Types of Security Vulnerabilities

There are numerous ways security vulnerabilities could enter your systems, both through in-house negligence and external oversight. These include: 

Types of Security Vulnerabilities

1. Vulnerabilities in the source code

Code vulnerabilities creep in right at the time of software development. There might be logical errors that lead to security flaws – for example, creating an access privilege lifecycle that an attacker can hijack. The software might inadvertently transfer sensitive data without encryption, or even if it uses randomized encryption strings, they aren’t random enough. Sometimes, if the software development lifecycle is too protracted, multiple developers work on the project and may cause certain functionalities to remain unfinished. 

Ideally, all of these vulnerabilities should be picked up and patched during testing/QA, but they could trickle down the supply chain to impact enterprises. 

2. Misconfigured system components

Misconfigurations are another common error when setting up enterprise IT systems. At the very basic level, for example, the administrator might forget to switch from a software’s default configurations, thereby leaving the system open to vulnerabilities. 

Incorrectly configured cloud systems, network misconfigurations, hurriedly set up Wi-Fi environments, and even the failure to restrict non-work device usage could exponentially multiply your risk exposure. Fortunately, these vulnerabilities are relatively easy to fix – they are typically the result of an overburdened IT team, requiring the intervention of extra hands, preferably a managed services provider. 

3. Trust configurations

Trust configurations refer to the allowances you make for data exchange to and from software and hardware systems. For example, a mounted hard disk might be able to read sensitive data from a computing client without necessitating any extra privileges. Trust relationships may exist between active directories and account records, leading to unmitigated data flow between sources that aren’t constantly monitored. 

Once an attacker gains access to a compromised system, they can exploit these trust configuration vulnerabilities to spread the infection from the original system and bring down your entire IT environment. 

4. Weak credentialing practices

This has emerged as one of the most common causes of vulnerabilities in both consumer and enterprise systems. Users tend to stick to convenient or comfortable credentialing practices, prioritizing ease of use over security. 

For example, it is now the norm (despite expert recommendations) to store passwords and account credentials in a browser’s built-in password manager. Weak passwords that use common alphanumeric strings (123456, passw0rd, etc.) and those reusing personal data like your name are potential vulnerabilities. 

These security vulnerabilities can be curbed at two levels – through user awareness and enforced credentialing processes, such as password expiration. 

5. Lack of strong encryption

Unencrypted data flow is a massive risk and can lead to severe data breaches. Data encryption ensures that if your primary storage platform falls into the wrong hands, someone with malicious intent will not be able to decrypt or make sense of the information. 

Unfortunately, encryption is still lagging behind the pace of digital transformation and the consequent digitization of documents. Research suggests that while mobile data storage is now a primary focus for encryption, organizations are yet to address this vulnerability in USB sticks, laptops, and portable hard drives. Ideally, data must be properly encrypted at rest as well as in motion. 

6. Insider threat

Vulnerabilities arising from insider threats are difficult to detect and even harder to prevent, particularly in a remote working world. According to Forrester, 1 in 3 security breaches in 2021 will be caused by an insider threat, growing by eight percentage points from the previous year. 

There are myriad reasons why your workforce might be exposed to insider threat-related vulnerabilities, ranging from poorly thought-out recruitment practices and background checks to bad blood within the organization and geopolitical forces. With most employees working from home, it can be difficult to detect anomalous behavior that might indicate an insider threat in your organization. 

Learn More: What Is Network Security? Definition, Types, and Best Practices

7. Psychological vulnerability

Psychological vulnerabilities are also human-caused, but unlike insider threats, they are inadvertent, and everyone is susceptible to them. As human beings, we are motivated by core psychological drivers such as the urge for self-preservation, an eagerness to save/get exclusive benefits, and a fear of danger. 

Hackers typically exploit these vulnerabilities through social engineering. They convince users that they need to take action to unlock a benefit or avoid an adverse situation. A simple example is a psychological vulnerability that leads many users to click on emails spoofing promotional discounts and download malware into their systems. 

8. Inadequate authentication

Authentication vulnerabilities arise when there aren’t enough checks and balances to reset passwords and credentials. This means that a hacker might exploit the “forgot password” option present in every login system to hijack your account and find a backdoor to initiate an account takeover (ATO) attack. 

The authentication question might be too easy to guess – for example, your date of birth, which is publicly available thanks to social media. Or, the system might not follow multi-factor authentication procedures, where a single device’s compromise cannot impact an account’s security. 

9. Injection flaws

Misconfigured web applications can be prone to injection flaws. If the application takes user input through an online form and inserts that input into a backend database, command, or operations system call, it would leave the application open to injection attacks such as SQL, XML, or LDAP injections. 

Essentially, this vulnerability allows hackers to obtain a backdoor into the web app’s data flow and redirect user data or even insert malicious code that causes the application to read, update, or even delete user data without the user’s consent. Injection vulnerabilities are typically responsible for data breaches.

10. Sensitive data exposure

Sensitive data exposure can happen in several ways. Sheer human negligence can cause data to be uploaded to a public website or a commonly accessed database. Inappropriate access controls might lead to a single employee owning control over a huge database of sensitive information. 

Unlike a data breach, there isn’t always malicious intent behind such scenarios. Human errors or system misconfigurations cause sensitive data (intellectual property, user credentials, personally identifiable information, payment details, etc.) to end up in the wrong place where it is vulnerable to exploitation. 

11. Insufficient monitoring and logs

Regular log analysis and detailed log records are essential for curbing security vulnerabilities. Otherwise, an unauthorized entity may gain entry into your computing landscape without anyone finding out before it is too late. 

Typically, a hacker or a malicious bot will leave behind bread crumbs in the form of strange systems signals that will show up via log analysis. Irregular monitoring or scheduled analysis only during a specific part of the day/week/month leaves your systems vulnerable to attacks when there is no supervising eye looking out for suspicious behavior. 

12. Shared tenancy vulnerabilities 

Finally, shared tenancy vulnerabilities are an inevitable reality of the cloud era. Public cloud solutions operate in a multi-tenant model where a shared set of resources are leased out to various organizations at different times, depending on the scale of their resource requirements. 

If one tenant is compromised, it’s possible that the attack will spread to other organizations on the cloud by exploiting shared tenancy vulnerabilities. That’s why organizations dealing with sensitive information – like banks, schools, and hospitals – choose to divide their workloads between public and private tenants, keeping their most valuable data compartmentalized. 

Learn More: Spear Phishing vs. Phishing: Key Differences and Similarities

10 Best Ways to Identify a Security Vulnerability

Identifying vulnerabilities on time – before a criminal has the chance to exploit them – can save your organization immensely in terms of penalties, customer trust, and corporate reputation. Given that an average data breach costs a whopping $3.86 million, preemptively identifying security vulnerabilities is a smarter idea. 

Here’s how: 

Best Ways to Identify a Security Vulnerability

1. Run a network audit 

Network audits reveal the hardware, software, and services running on your network, checking if there are any undocumented or unauthorized entities at work. Particularly after a transformation event such as a merger, acquisition, or a business expansion, it is a good idea to perform an audit and check for any technical debt you might have inherited, non-compliance with new industry standards, and sprawl of network assets. 

2. Analyze system log data 

Computing environments generate real-time and historical logs that provide visibility into your IT stack’s health and performance. Real-time log analysis reveals anomalous entities, hidden flaws in the source code, and signs of system malfunctioning due to misconfigurations. You can correlate log data across computing elements to detect the root cause of issues and prevent a vulnerability from turning into an attack vector. 

3. Use a penetration tester or white-hat hacker 

Penetration testers or ethical, white hat hackers can provide an objective, third-party perspective into your system status. They can place themselves in a cybercriminal’s shoes, thereby detecting vulnerabilities that might otherwise pass underneath the radar. Penetration testing is particularly useful to identify zero-day vulnerabilities, which are unfamiliar to the InfoSec community. 

4. Leverage a threat intelligence database 

A cyber threat intelligence database consolidates vulnerability and attack information from across the world, compiling data from various computing environments. You could partner with a security vendor who collects threat intelligence data from organizations. You may also leverage open-source databases such as the SANS Internet Storm Center, FBI’s InfraGard Portal, Cisco Talos Intelligence (free edition), Spamhaus, and Google Safe Browsing. Analyze your IT landscape regularly against these databases, and fag any violations as per these known threats. 

5. Simulate a social engineering attack 

Social engineering simulations help address and mitigate psychological vulnerabilities that may be present in your workforce. In a simulated scenario, you send out phishing messages in a controlled environment, observe users’ susceptibility, and document the results to overhaul your user awareness training program. Several cybersecurity organizations like Redscan or NetSentries offer specialized social engineering simulation services. 

6. Use process mining to detect hidden flaws 

Process mining is a data analysis technique that investigates data from system-generated events to understand how you could optimize enterprise processes. This technique can be applied to security vulnerabilities and break down enterprise structures to find loopholes and their possible solutions. Process mining reveals any deviation from your enterprise security protocols or hidden shadow processes that could be increasing your attack surface area. 

7. Review the source code 

Source code review is a must-have for identifying security vulnerabilities, especially if your enterprise apps regularly deal with sensitive user information. Inadequate testing at the software development stage, logical flaws, or vulnerable open source code snippets used by your software vendor could all contribute to security vulnerabilities at the source code level. That’s why it is advisable to request the source code whenever you implement an application landscape overhaul, or at least reverse-engineer if the full source code isn’t available. 

8. Audit the IT supply chain 

Lack of visibility into your IT supply chain could create backdoors that a hacker can exploit. For example, your organization might have a policy prohibiting IT procurement from a specific location due to geopolitical conflicts and national security requirements. But a supplier who hasn’t been audited might be relying on the said region for a small component or service. IT supply chain audits are essential to trace back your ecosystem’s origins, right down to the source code and hardware manufacturing level. 

9. Automate the security testing process 

No matter how vigilant your InfoSec team, human testers are bound to overlook some flaws, given the enormous scope of enterprise apps today. Automated security testing checks for known issues, bugs, and vulnerabilities at crucial points of the software development lifecycle. Software companies can incorporate automated security testing into their DevOps process, preventing flawed code from going into production. Enterprises can leverage automation for source code review. 

10. Document the hardware landscape 

In addition to maintaining up-to-date docs for your enterprise apps and software, your hardware landscape also requires careful scrutiny. This includes mapping its origins, documenting its trust relationship with other system components, keeping track of firmware update schedules, and analyzing hardware behavior logs at regular intervals. During security audits, hardware documentation will help auditors find vulnerabilities in your environment if there are any. 

Learn More: Top 10 Vulnerability Management Tools

5 Best Practices to Prevent Security Vulnerabilities

You can take measures to prevent vulnerabilities by finding and fixing potential bugs, so they do not become high-risk threat vectors. 

Best Practices to Prevent Security Vulnerabilities

1. Follow a least-privilege access model

The least privilege access entails that access is extended to humans, systems, and automated bots to perform only the requisite task and nothing more. Let’s say that a supply chain partner uses a remote device for five hours every day, during which they need access to your network systems to perform maintenance. 

According to least privilege principles, access will be available only during the scheduled hours and revoked afterward. Similarly, if a guest needs to log into your corporate network, they can access as per least privilege principles and cannot go beyond those assets within their realm of relevance. 

By ensuring the least privilege access, you can prevent hackers from misusing human psychology or exploiting access rights (as they don’t exist beyond a point) – thereby controlling your vulnerability footprint. 

2. Start a bug bounty program

A bug bounty program invites ethical hackers from around the world to find security flaws and vulnerabilities in their public-facing systems and product offerings. Nearly every major company, such as Microsoft, Slack, Google, and Facebook, all have attractive bug bounty programs. Microsoft paid $13.7 million in rewards last year to recognize the efforts 300+ researchers put into finding hidden vulnerabilities in Microsoft products. 

You can start a bug bounty program if you operate a vast product landscape or have an expansive public-facing online footprint, making it difficult for in-house developers to catch and address every vulnerability, particularly zero-day ones. 

3. Have a strong business continuity plan

A business continuity or disaster recovery (BC/DR) plan reduces the impact that a potential data breach might have on your enterprise. Ransomware attacks are now increasingly common where a cybercriminal targets an enterprise and threatens to publicly reveal or destroy business-critical data unless the company pays a ransom. 

A business continuity plan will make sure there is a backup database in place to keep your operations running while you report the attack to the authorities, trace it to its origins, and take legal action, confident that your business will not be interrupted. 

If databases are protected using very strong encryption, the criminal will threaten to destroy the data and bring your business to a standstill. You can prevent such vulnerabilities by maintaining an up-to-date BC/DR data copy. 

Learn More: 5 Step Guide to Business Continuity Planning (BCP) in 2021 

4. Secure your APIs and inventory native integrations

In a connected world, API security is essential to prevent the exposure of sensitive data and internal infrastructure to public sites. Since APIs are easily accessible through a public network, they can be exploited by cybercriminals who insert themselves between two interfacing systems and gather information from both by posing as one or the other. 

This is called a “man in the middle” attack. You can prevent such vulnerabilities by ensuring that your web resources use the HTTPS protocol and only users/machines from trusted IPs can access the APIs. Also, maintain an inventory of all the APIs in use across the application landscape, including those that are natively provided by third-party software vendors. 

5. Encourage a culture of skepticism

At the end of the day, the most important best practice for preventing security vulnerabilities is your users — the weakest link in your system. A culture of skepticism means that users are trained to not accept anything at face value and question the veracity of statements, access requests, and instructions. For example, if a colleague on holiday asks for quick approval for a supplier payment, users must immediately get skeptical and raise red flags. 

There are several ways to encourage a culture of skepticism at your enterprise, from regular user awareness training to in-app prompts (e.g., displaying an “are you sure you want to click on that hyperlink?” notification in emails). Importantly, organizational leaders must set an example by following and demonstrating how they authenticate information. 

Takeaway

These five best practices will help you strengthen organizational security and address the risk of vulnerabilities, wherever they might exist in the ecosystem. 9000+ new vulnerabilities emerged in H1 of 2020, a 22% uptick from the same period in the previous year. As digital transformation accelerates further, organizations need to plug vulnerabilities at a similar pace, stay a step ahead of criminals, and protect the global user community. 

Was this article helpful? Comment below or let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!