Watch Out for these Vulnerabilities in 2020
1. Security Misconfigurations
What isa security misconfiguration?
A security misconfiguration occurs when a server, network, application, or platform is exposed because certain settings are kept as default or not set up properly. One example of this could be failing to change the default password on a particular database or neglecting to block access to a set of critical network ports. These types of vulnerabilities are unfortunately common and can typically be found through penetration testing, and easily remediated.
How do I prevent it?
- Consider using configuration management and testing tools on a regular basis. An example would be performing CIS benchmarking scans using Nessus/Security Center/Tenable.io
- Consider conducting routine configuration checks on all standard or gold-images for virtual environments once a secure configuration baseline is implemented. Here is an example 51-point security checklist for your AWS cloud environment.
- Automating much of your security controls as possible, for instance, using something like Ansible Lockdown.
Real-world example: Microsoft
While the recent Microsoft Service Misconfiguration was *technically* found at the end of 2019, news of the breach was not released until a few days ago — meaning we can still count it for the sake of this blog post. Microsoft’s data leakage exposed millions of customer support cases stemming from a security misconfiguration in the Azure database. An employee from Comparitech found that this data could be accessed from a web browser link without any authentication whatsoever! Microsoft is, of course, taking the oversight very seriously and is taking internal measures to prevent this in the future.
Learn more about the Microsoft security misconfiguration here.
2. Sensitive Data Exposure
What isSensitive Data Exposure?
Sensitive Data Exposures occur when secure data points are unintentionally exposed. Some examples of sensitive data include things like credit card information, Social Security Numbers, health records, etc. It’s also commonly referred to as PII. Sensitive data exposures can overlap with other types of vulnerabilities because many attackers are specifically attempting to breach a system in order to access this data. These attacks are typically widely publicized because they have the potential to impact a large number of customers. Once an attacker gets their hands-on sensitive data, they often use it in phishing attacks and fraud down the road, and/or sell it to other hackers. Sophisticated nation-states often use this data for espionage purposes, too.
How do I prevent it?
- Classify data processed, stored, or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.
- Don’t unnecessarily store sensitive data.
- Make sure to encrypt all sensitive data at rest, and ensure up-to-date and strong encryption algorithms, protocols, and key protection policies and procedures are in place.
- Disable caching for responses that contain sensitive data.
- Consider using Data Loss Prevention (DLP) software to assist in tracking outgoing information from your networks.
Real-world example: LabCorp
It was recently announced that LabCorp exposed customer’s health records containing Personally Identifiable Information (PII), SSNs, and health test records. A vulnerability from the company’s CRM allowed these records to be cached and saved by Google. This information was easily searchable and public for anyone to read. Tech Crunch originally discovered the vulnerability and responsibly reported it to LabCorp immediately. Read more about this incident here.
3. Cross-Site Request Forgery (CSRF)
What isa Cross-Site Request Forgery?
A CSRF vulnerability occurs when an attacker routes the user to an unintended action within an application via their web browser. These attacks can be carried out in a variety of different ways, but a common example is through social engineering tactics like phishing. A CSRF attack might lead a user to transfer funds unknowingly or encourage a user to change the password to their account email. These vulnerabilities usually require a decent amount of knowledge from an attacker but can be detrimental to an organization’s reputation, financials, and customers.
How do I prevent it?
- Consider using an ant-CSRF/synchronizer token and/or using same-site cookies for your applications. Please see more here at OWASP’s guide on how to prevent CSRF.
Real-world example: TikTok
In the case of TikTok, their recently discovered CSRF vulnerability carried about by attackers via SMS messaging. Security researchers found that attackers could exploit this vulnerability by sending users a message to download the TikTok app. Instead of going to the TikTok site,users could be redirected to fake sites that sent malware to their device. With a growing number of security concerns with the Tik Tok service, certain US government organizations have outright banned employees from downloading the app or using the service.
Learn more about this vulnerability here.