3 Vulnerabilities to be on the Lookout for in 2020

3 Vulnerabilities to be on the Lookout for in 2020

Photo by Soumil Kumar from Pexels

1.Security Misconfigurations

What is a security misconfiguration?

A security misconfiguration occurs when a server, network, application, or platform is exposed because certain settings are kept as default or not set up properly. One example of this could be failing to change the default password on a particular database or neglecting to block access to a set of critical network ports. These types of vulnerabilities are unfortunately common and can typically be found through penetration testing, and easily remediated.

How do I prevent it?

Real-world example: Microsoft

While the recent Microsoft Service Misconfiguration was *technically* found at the end of 2019, news of the breach was not released until a few days ago — meaning we can still count it for the sake of this blog post. Microsoft’s data leakage exposed millions of customer support cases stemming from a security misconfiguration in the Azure database. An employee from Comparitech found that this data could be accessed from a web browser link without any authentication whatsoever! Microsoft is, of course, taking the oversight very seriously and is taking internal measures to prevent this in the future.

Learn more about the Microsoft security misconfiguration here.

2.Sensitive Data Exposure

What is Sensitive Data Exposure?

Sensitive Data Exposures occur when secure data points are unintentionally exposed.  Some examples of sensitive data include things like credit card information, Social Security Numbers, health records, etc. It’s also commonly referred to as PII. Sensitive data exposures can overlap with other types of vulnerabilities because many attackers are specifically attempting to breach a system in order to access this data. These attacks are typically widely publicized because they have the potential to impact a large number of customers. Once an attacker gets their hands-on sensitive data, they often use it in phishing attacks and fraud down the road, and/or sell it to other hackers. Sophisticated nation-states often use this data for espionage purposes, too.

How do I prevent it?

  • Classify data processed, stored, or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.
  • Don’t unnecessarily store sensitive data.
  • Make sure to encrypt all sensitive data at rest, and ensure up-to-date and strong encryption algorithms, protocols, and key protection policies and procedures are in place.
  • Disable caching for responses that contain sensitive data.
  • Consider using Data Loss Prevention (DLP) software to assist in tracking outgoing information from your networks.

Real-world example: LabCorp

It was recently announced that LabCorp exposed customer’s health records containing Personally Identifiable Information (PII), SSNs, and health test records. A vulnerability from the company’s CRM allowed these records to be cached and saved by Google. This information was easily searchable and public for anyone to read. Tech Crunch originally discovered the vulnerability and responsibly reported it to LabCorp immediately. Read more about this incident here.

3. Cross-Site Request Forgery (CSRF)

What is a Cross-Site Request Forgery?

A CSRF vulnerability occurs when an attacker routes the user to an unintended action within an application via their web browser. These attacks can be carried out in a variety of different ways, but a common example is through social engineering tactics like phishing. A CSRF attack might lead a user to transfer funds unknowingly or encourage a user to change the password to their account email. These vulnerabilities usually require a decent amount of knowledge from an attacker but can be detrimental to an organization’s reputation, financials, and customers.

How do I prevent it?

Real-world example: TikTok

In the case of TikTok, their recently discovered CSRF vulnerability carried about by attackers via SMS messaging. Security researchers found that attackers could exploit this vulnerability by sending users a message to download the TikTok app. Instead of going to the TikTok site, users could be redirected to fake sites that sent malware to their device. With a growing number of security concerns with the Tik Tok service, certain US government organizations have outright banned employees from downloading the app or using the service.

Learn more about this vulnerability here.