Massive hacks continue to fill the front page of major media outlets, so what are the main attack vectors that are not being addressed? According to Kevin Mitnick, the world’s most wanted hacker turned IT consultant, organizations should be aware of the following Six Deadly Sins of Data Security, since each one raises the likelihood of a data breach:
- Social Engineering end-users who are low-hanging fruit
- Injection Vulnerabilities
- Buffer Overflows
- Sensitive Data Exposure
- Broken Authentication and Session Management
- Security Misconfiguration
Let's have a quick look at each one of these.
1) Social Engineering end-users who are low-hanging fruit
Despite all the funds you may have spent on state-of-the-art security software, the bad guys are just one gullible user click away from staging an all-out invasion. To make matters worse, that user might very well be you! Recent surveys show that executives can be some of the biggest culprits when it comes to clicking on phishing links and opening malicious email attachments.
Yet the most effective strategy for combatting these attacks is also one of the most poorly implemented – security awareness training. The long list of “Worst Practices” for user education is almost endless – break room briefings while people eat lunch and catch up on email; short instructional videos that provide no more than superficial understanding; and the time-honored practice of hoping for the best and doing nothing.
2) Injection Vulnerabilities
Every time an application sends untrusted data to an interpreter, you have an injection vulnerability. There are many flavors of this type of vulnerability, but the most popular ones affect SQL, LDAP, XPath, and XML parsers.
Obviously, you want to prevent these vulnerabilities while the application is being coded, because once the application has been deployed they can be difficult to find and fix. To help identify potential vulnerabilities, you should engage a third party to perform penetration testing and check your Internet-facing applications on an ongoing basis. If you don't do it, the hackers will.
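As an added illustration (not code from the original article), here is the SQL flavor of this sin: a user lookup that pastes untrusted input straight into the query text, beside the parameterized version, both run against a constructed in-memory SQLite table with two sample rows.

```python
import sqlite3


def build_db():
    # Constructed in-memory database standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Untrusted input is concatenated into the SQL text, so the interpreter
    # cannot tell data from query syntax and executes whatever it is handed.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_parameterized(conn, username):
    # The SQL text is fixed; the value is bound separately and is only ever
    # treated as data, whatever characters it contains.
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


def demo():
    conn = build_db()
    benign = "alice"
    # Constructed hostile input: it closes the quoted literal and appends a
    # condition that is always true, so the vulnerable query matches every row.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "parameterized_benign": lookup_parameterized(conn, benign),
        "parameterized_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The parameterized lookup returns nothing for the hostile input because no user is literally named `' OR '1'='1`, which is exactly the behavior the vulnerable version fails to guarantee.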
3) Buffer Overflows
A buffer overflow vulnerability exists when an application writes more data into a buffer than that buffer can hold. That allows a hacker to overwrite the contents of adjacent memory in an attempt to execute their malicious code. Buffer overflow attacks are quite common, but they are harder to exploit than injection attacks.
4) Sensitive Data Exposure
This happens any time a hacker gets access to users' sensitive data. Sensitive data exposure is defined as access to data at rest or in transit, including backups and user browsing data.
Some examples are hacking of data storage, interception of data transfers between a server and a browser, or tricking an e-commerce application into changing the contents of a cart. The main cause is failing to encrypt data or badly implemented encryption mechanisms. And, of course, destroying storage media in the proper way, thumb drives included, is also a very important factor.
5) Broken Authentication and Session Management
Broken authentication and session management can be exploited when a targeted user leaks account data, passwords, or session IDs, which allows the attacker to impersonate that user.
There are several ways to try to hack into authentication mechanisms, for instance by "brute-forcing" the targeted account, grabbing a session identifier from a URL, reusing an already used session token, or compromising a user’s browser.
Web developers need to carefully look at all Cross-Site Scripting (XSS) flaws and deploy all necessary countermeasures to fix them because XSS is one of the most common methods to steal session IDs and impersonate other users.
6) Security Misconfiguration
This category of vulnerability is actually very common and one of the most dangerous. It's easy to discover web servers and applications that have been misconfigured in ways that simply let the bad guys in. Here are some typical examples of security misconfigurations:
- Running outdated software
- Apps still running in debug mode or that still include debugging modules
- Running unnecessary services on the system
- Allowing access to server resources and services
- Failing to change default settings like keys and passwords
- Use of default accounts
Badly configured Internet of Things devices could easily be turned into a large "ThingNet" owned by the bad guys. Think paying micro-ransoms before you can get in your car. Defense-in-depth is the answer to the risks of losing your data.