Is your team tackling vulnerabilities across all three categories to best protect your organization?
Generally, vulnerabilities can be grouped into three categories, and each category can be associated with a severity, which helps define which teams or administrators tackle specific issues. Many of the issues that arise can be mitigated easily; some, however, require the organization to adopt new technology, and some involve a social engineering element, leaving user awareness campaigns as the only route to mitigation.
Let’s dive into the three categories that can help better define a roadmap for your team’s efforts, provided by our penetration testing team.
Vulnerability Category 1 – Out-of-Date Systems/Missing Patches
The first category of issues is out-of-date systems or systems missing security patches.
Out-of-date systems specifically can be end-of-life (EoL), meaning that the vendor or creator no longer maintains the product. New vulnerabilities found in that hardware or software may never be patched, updated, or even disclosed, because the developer has moved on to new goals.
Missing security patches also fall into category one, but they differ in one important way. While an out-of-date system will rarely receive a new vendor-approved patch, a system that is merely missing security patches is still maintained by the developer or vendor; the fix exists and simply has not been applied. The responsibility for keeping that system current lies with the network administrator and the patching policy. As more business is done from home, every user, especially one with heightened access, needs to keep their own systems current on security patches as well.
Because of the impact these vulnerabilities have on an organization, RedLegg usually rates them as Critical or High. During engagements, out-of-date systems and application misconfigurations are the attack categories RedLegg most commonly uses, since they frequently allow remote code execution or data leakage.
Fortunately, many operating systems have automatic updates enabled by default. This practice reduces the risk to the user and, more importantly, to the sensitive information their devices can access. On the other hand, users may fail to keep systems up to date for a myriad of reasons, so companies should run a user awareness program that educates the new work-from-home workforce on such practices.
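As an added illustration of the two category 1 cases above (example code written for this page, not RedLegg tooling): a small audit that walks a constructed asset inventory and flags products that are end-of-life and products that sit below a minimum patched version. The product names, EoL dates and version thresholds are hypothetical; a real run would take them from the vendor's lifecycle pages and security advisories. The one detail worth noticing is the version comparison: a plain string compare would rank 2.4.9 above 2.4.50, so versions are split into integer tuples first.

```python
"""Patch-and-EoL audit over a constructed asset inventory.

Added example, not RedLegg code. The reference table and inventory below
are constructed for illustration and are not real vendor data.
"""
from datetime import date
import re

# Hypothetical reference table: product -> (EoL date or None, minimum
# version that carries the vendor's current security fixes, or None).
REFERENCE = {
    "exampleos": {"eol": date(2020, 1, 14), "min_patched": None},
    "webserver": {"eol": None, "min_patched": "2.4.50"},
    "dbengine":  {"eol": None, "min_patched": "10.6.12"},
}

# Constructed inventory, shaped like an asset-management export.
INVENTORY = [
    {"host": "dc01",  "product": "exampleos", "version": "6.1"},
    {"host": "web01", "product": "webserver", "version": "2.4.9"},
    {"host": "web02", "product": "webserver", "version": "2.4.50-1"},
    {"host": "db01",  "product": "dbengine",  "version": "10.6.4"},
]

# Date the audit is evaluated against (fixed so the example is repeatable).
AS_OF = date(2021, 6, 1)


def parse_version(text):
    """Turn '2.4.50-1ubuntu3' into (2, 4, 50) so that 2.4.50 > 2.4.9.

    The distribution suffix after '-' is dropped; only the numeric
    upstream components are compared.
    """
    upstream = text.split("-", 1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", upstream))


def is_eol(product, today):
    """True if the vendor's support for this product ended on or before today."""
    ref = REFERENCE.get(product)
    return bool(ref and ref["eol"] and ref["eol"] <= today)


def is_missing_patch(product, version):
    """True if a supported product is behind the minimum patched version."""
    ref = REFERENCE.get(product)
    if not ref or not ref["min_patched"]:
        return False
    return parse_version(version) < parse_version(ref["min_patched"])


def audit(inventory, today):
    """One finding per asset that is EoL or behind the patched version.

    EoL is rated Critical here because no fix will ever ship; a missing
    patch is rated High because a fix exists and only has to be applied.
    """
    findings = []
    for asset in inventory:
        product, version = asset["product"], asset["version"]
        if is_eol(product, today):
            findings.append({**asset, "issue": "end-of-life",
                             "severity": "Critical"})
        elif is_missing_patch(product, version):
            findings.append({**asset, "issue": "missing-patch",
                             "severity": "High",
                             "fix": REFERENCE[product]["min_patched"]})
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY, AS_OF):
        print(f"{f['severity']:8} {f['host']:6} {f['product']} "
              f"{f['version']} -> {f['issue']}")
```

Running it flags dc01 as Critical (EoL operating system) and web01 and db01 as High (patches available but not applied); web02, which carries the vendor's minimum patched version plus a distribution suffix, is not reported.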
Vulnerability Category 2 – Misconfigurations
Misconfigurations, in both applications and infrastructure, are the most common vulnerabilities RedLegg encounters in our engagements. Misconfigurations have led to sensitive data disclosure, access to admin panels and the functions behind them (file uploads, user settings, configuration pages), traffic interception and decryption, clickjacking, and more.
These vulnerabilities are often found on old systems that have not been used in years. Such legacy hardware and software should be taken offline and replaced, or, where that is not possible, formally documented as accepted risk with a high level of alerting set on the host. Vulnerabilities found in new or actively maintained applications and systems are harder to treat, because those systems cannot simply be retired.
Often overlooked, many web application vulnerabilities also fall under the misconfiguration category. During our testing, RedLegg has found missing security headers and missing anti-CSRF tokens to be a common issue. A page that is not protected by these can be 'hijacked' to coerce the victim into completing an action they never intended. This could allow a malicious user to transfer funds from one bank account to another, change the account email and password, expose private API keys, or take over the login entirely.
In contrast to a missing security patch or an out-of-date system, many of these issues require more than a 'point-and-click' approach. Exploiting a misconfiguration requires the attacker to combine multiple data points to gain possible access to even a basic user account. For example, the attacker may first have to explore the site as a normal user to discover that the password-change page can be loaded in a frame, which is what makes the clickjacking flaw possible. The attacker would then need to build a page under their control that loads the real page in an invisible frame with decoy buttons positioned over its controls, register a look-alike domain to host it, and convince the victim to interact with it so that the victim's own clicks change the password. Even then, the victim may not be logged in at the time, or the system may be protected by other controls such as Two-Factor Authentication.
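To make the clickjacking case above concrete, here is an added example (not RedLegg's code and not part of the original post) that evaluates the anti-framing headers of a response the way a tester triaging a header scan would: it decides whether a page could be loaded in an `<iframe>` on a given attacker origin. The sample responses are constructed, and the matching logic is a simplified reading of the `X-Frame-Options` and CSP `frame-ancestors` rules (no port or path handling, and the obsolete `ALLOW-FROM` form is treated as absent, which is how current browsers treat it).

```python
"""Decide whether a response can be framed by a given origin.

Added example, not RedLegg tooling. RESPONSES below is a constructed set
of header scans; the matching rules are simplified (no ports, no paths).
"""
from urllib.parse import urlsplit


def _origin_parts(origin):
    """('https', 'app.example') from 'https://app.example'."""
    u = urlsplit(origin)
    return u.scheme.lower(), (u.hostname or "").lower()


def _source_matches(source, framer, page):
    """Match one CSP frame-ancestors source expression against the framer."""
    source = source.strip().strip("'").lower()
    f_scheme, f_host = _origin_parts(framer)
    if source == "none":
        return False
    if source == "self":
        return _origin_parts(page) == (f_scheme, f_host)
    if source in ("*", "https:", "http:"):      # wildcard or scheme-source
        return source == "*" or f_scheme + ":" == source
    # host-source: [scheme://]host, where host may begin with '*.'
    scheme, _, host = source.rpartition("://")
    if scheme and scheme != f_scheme:
        return False
    if host.startswith("*."):
        return f_host.endswith(host[1:])  # '*.x.example' does not match 'x.example'
    return f_host == host


def _frame_ancestors(csp_value):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp_value.split(";"):
        name, _, rest = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return rest.split()
    return None


def framing_allowed(headers, page_origin, framer_origin):
    """True if a page served with these headers could be framed from framer_origin.

    frame-ancestors takes precedence over X-Frame-Options when both are
    present; no header at all means the page is framable from anywhere.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if "content-security-policy" in lower:
        sources = _frame_ancestors(lower["content-security-policy"])
        if sources is not None:
            return any(_source_matches(s, framer_origin, page_origin)
                       for s in sources)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin_parts(page_origin) == _origin_parts(framer_origin)
    return True  # absent, malformed, or obsolete ALLOW-FROM


# Constructed scan results for four pages of a hypothetical application.
RESPONSES = {
    "legacy-admin": {},   # nothing set: framable from anywhere
    "profile": {"X-Frame-Options": "SAMEORIGIN"},
    "login": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
              "X-Frame-Options": "DENY"},
    "widget": {"Content-Security-Policy":
               "frame-ancestors 'self' https://*.partner.example"},
}

# Header set a tester would recommend for pages that must never be framed.
HARDENED = {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",   # fallback for browsers without frame-ancestors
}


def framable_pages(responses, page_origin, framer_origin):
    """Names of the pages an attacker on framer_origin could embed."""
    return sorted(name for name, hdrs in responses.items()
                  if framing_allowed(hdrs, page_origin, framer_origin))


if __name__ == "__main__":
    print(framable_pages(RESPONSES, "https://app.example", "https://evil.example"))
```

Against an attacker origin such as `https://evil.example`, only `legacy-admin` comes back as framable; the partner origin additionally gets `widget`, which is the intended allowance rather than a finding. In a report, a framable password-change or funds-transfer page is the clickjacking finding, and the remediation is the `HARDENED` pair.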
Normally, these vulnerabilities fall into the Medium or Low severity category.
Vulnerability Category 3 – Social Engineering Attacks
Social engineering attacks define our third category. Because the success of the attack depends entirely on convincing the victim that the attacker is who they claim to be, there are more variables at play, and the risk is harder to quantify. Social attacks range from an exposed badge, which lets an attacker clone the credential used to get into the building, to tailgating (someone quickly following another person through a door in order to gain access), to posing as a member of IT or HR in need of urgent information.
The severity of these attacks is quite hard to place on the Critical, High, Medium, and Low scale. If the victim only has low access, for instance a public workstation that is cut off from the vital part of the network, then the risk to the network is low. But if a motivated attacker used the 'tailgating' technique to slip through a door, they may be able to plant any device they wish, such as keyloggers, data taps, and drop points, as well as scope out the building for additional weak points or even test the lock on the server closet.
Because the social engineering category carries so much uncertainty, user awareness training and physical penetration testing are two of the most dependable ways to combat such attacks.
As we've noted, most vulnerabilities fall into three overarching categories with corresponding severity levels. Out-of-date systems and missing security patches are among the most easily mitigated vulnerabilities RedLegg finds while testing clients. Misconfigurations in applications, while less severe, can be more numerous and harder to eradicate completely, depending on the network's general ecosystem and the time available to diagnose each specific problem.
Social engineering attacks are one of the greatest threats to organizations today. Since these attacks can come from anywhere, including internal sources, they are incredibly hard to combat. The best a company can do against them is to conduct user awareness training that teaches users how to spot a phishing attempt, practice safe web habits, and maintain general social awareness.