Published December 9, 2020
WRITTEN BY MICHAEL SOLOMON
Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments.
Cybersecurity is getting a lot of attention, from the break room to the board room. Few weeks pass without another salacious story in the media about a new large-scale data breach, ransomware outbreak or other attack designed to disrupt normal life.
Cybercriminals know what they are doing, and they’re able to succeed in their goals with uncomfortable regularity. Those goals are increasingly focused on enterprise applications, because those applications expose many access paths intended for end users and internal personnel, and each of those paths is a potential entry point. For example, last year 62 US colleges were targets of cyberattacks that exploited their enterprise resource planning (ERP) system vulnerabilities.
Cybercriminals constantly search for easy targets. Expanding complexity, growing numbers of users and partners, and rapidly emerging exploits make security an elusive target. Learning about the most common security gaps found in software, why those gaps really matter, and how to close them can make you less likely to be the next big victim.
Instead of approaching security by being as secure as you can be, a better approach is to just be as secure as you need to be. That’s a subtle difference, but the outcome of the latter can be similar to the goal of the former, with much less effort and expense.
Let’s cover some rudimentary aspects of security and a basic approach that balances security with budget and effort.
The lure of low-hanging fruit
In this article I’m focusing on general cybercriminals who are looking for financial gain. They don’t care who their next victim is. Other types of cybercriminals, such as disgruntled (possibly former) personnel, “hacktivists,” or other people who are targeting your specific data or intellectual property are more determined and motivated to succeed. But here, we’re talking about cybercriminals looking for any victim, so they mainly want a quick and easy attack.
Taking the path of least resistance is natural behavior. In most decisions, the easiest and cheapest route to the bottom line is the one people prefer. Reputational impact and other obstacles enter into the decision-making process, but the path of least resistance always has some appeal. Cybercriminals behave the same way, and they spend a lot of effort identifying the easiest targets.
What does this have to do with your security? One important key to being as secure as you need to be is simply avoiding being a hacker’s “low-hanging fruit.” Most cybercriminals use automated scanners to find potential victims they can attack without much work. They look for well-known vulnerabilities that their potential victims haven’t addressed. Cybercriminals know that keeping security controls current takes time and effort, and many organizations have “more important” tasks than hardening systems and networks.
This gap between known vulnerabilities and implemented controls defines the sweet spot that cybercriminals are looking for. The best defense from most cybercriminals is to just be secure enough to not be worth their effort.
This approach to cyber defense simply means that you should learn about the most common vulnerabilities and fix those first. If you have more budget to go further, that’s great. But at least you won’t be the easiest target on the next cybercriminal’s victim scan.
You can absolutely apply this philosophy to an operational environment, but we’ll focus more on developing secure software. After all, software is the most common cybercriminal attack target, after the human.
Identifying common security gaps
The good news is that with the “low-hanging fruit” approach, most of the mitigation effort should be relatively easy. Remember, you’re starting by eliminating the easy attack vectors.
There are lots of good resources for well-known security vulnerabilities. One of my favorites is OWASP (the Open Web Application Security Project). Although their primary focus is web application security, much of their work translates to general application software. Their OWASP Top 10 list presents a current list of the most commonly found web application security vulnerabilities.
I’ve put together a general list of common security gaps, both technical and non-technical, that I see in enterprise application software environments. You can call it the Solomon Cyber Security Top Eight list. This list represents the categories of security vulnerabilities that make your enterprise software application environment ripe for cybercriminal picking.
1. Delayed updates
New exploits emerge all the time, so keep your software updated to the latest security patches. Systems that rarely get updated may still contain vulnerabilities from years ago.
2. Excessive access rights
A favorite attack technique is to compromise accounts that hold enough privilege to do real damage. By implementing the “principle of least privilege,” users possess only the privileges they need to do their jobs, so an attacker who compromises an account has far less to leverage.
3. Insufficient security training
Ignorance is not bliss. Everyone associated with your organization should receive recurring security awareness training, because everyone is a cybersecurity agent. Your security personnel should also pursue specific technical security training to be the best at what they do, and don’t ignore your software developers: it is quite difficult to secure software that was written without security as part of its design.
4. Compliance gaps
Know the regulatory requirements in play for your organization and ensure that you meet those requirements.
5. Unauthorized devices
Know what devices access your network. Don’t allow unauthorized devices to connect.
6. Excessive external apps
Productivity software, such as Microsoft Office, can introduce vulnerabilities. For example, exporting confidential data to an Excel spreadsheet may make that data easy to steal — especially if the user takes that spreadsheet home on a personal laptop.
7. Uncontrolled configuration changes
Once you harden a system or device, control any configuration changes. A single unauthorized and undetected configuration change can expose an entire network to attack.
8. Single-factor authentication
Passwords alone are simply not secure. All sensitive data and resources should require at least two-factor authentication. There are lots of options available today. Use one of them.
Closing the gaps
The first step in avoiding being an easy target is going through the list to see if you can find any of these vulnerabilities in your environment. If you do, the next step is to remediate them.
The following steps depend on your job role and responsibilities. If you’re part of the software development process, your job is to avoid introducing or allowing any security gaps. Don’t make the operational folks create unnecessary or redundant security control layers to mitigate a vulnerability in your software. Learn about designing and developing secure software, and include security from the start.
If your job role is to secure deployed software (and the supporting environments), you’ll focus more on assessing your current environment and searching for gaps. There are multiple ways to do this, and complete coverage is beyond the scope of this article. In a nutshell, you’ll probably want to carry out vulnerability assessments and perhaps penetration testing. Regardless of your role or approach, the goal is to find vulnerabilities before the attackers do.
Once you identify any security gaps, you should close as many as you can. Closing a security gap means either removing the vulnerability or adding controls that reduce the chances that a threat can successfully leverage the vulnerability.
A good way to approach formal security remediation is to start with the most dangerous gaps. Those are the ones with the highest probability of occurring and the greatest impact if the threat is realized. Of course, you should only start with threats that target critical business functions. That means you do a few things first:
- Conduct a business impact analysis to identify and prioritize your critical business functions.
- Carry out automated and manual assessments to identify as many vulnerabilities (gaps) as possible.
- Rank each vulnerability’s relative threat by the probability of occurrence and impact.
- Select mitigation options for each vulnerability, starting with the highest priority threat.
- Implement selected mitigations.
- Validate that each mitigation is in place and actually reduces the risk it was selected for.
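The six remediation steps above can be expressed as a small risk register that filters findings to critical business functions, ranks them by probability and impact, picks a mitigation for each, and re-scores the gap to validate the result. The following Python script is an added example, not code from the article or from Kiuwan; the business impact analysis (BIA) priorities, the sample findings, the 1 to 5 likelihood and impact scales, the mitigation catalog and its assumed likelihood reductions are all constructed assumptions used to illustrate the ranking and validation logic.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical BIA result: critical business functions and their priority
# rank (1 = most critical). Constructed sample, not real data.
BIA_PRIORITY: Dict[str, int] = {
    "student-records": 1,
    "tuition-billing": 2,
}


@dataclass
class Gap:
    gap_id: str
    category: str           # one of the Top Eight categories from the article
    business_function: str  # business function the vulnerable component supports
    likelihood: int         # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int             # 1 (negligible) .. 5 (severe), assumed scale


def risk_score(gap: Gap) -> int:
    """Relative threat: probability of occurrence times impact (1..25)."""
    if not (1 <= gap.likelihood <= 5 and 1 <= gap.impact <= 5):
        raise ValueError(f"{gap.gap_id}: likelihood and impact must be in 1..5")
    return gap.likelihood * gap.impact


def prioritize(gaps: List[Gap], bia: Dict[str, int]) -> List[Gap]:
    """Keep only gaps on critical business functions, then order them by
    BIA rank first and by risk score (highest first) within each function."""
    critical = [g for g in gaps if g.business_function in bia]
    return sorted(critical, key=lambda g: (bia[g.business_function], -risk_score(g)))


# Mitigation catalog keyed by gap category. Each entry states whether the
# option removes the vulnerability or adds a compensating control, and how
# many likelihood points it is assumed to take off (constructed estimates).
MITIGATIONS: Dict[str, Tuple[str, str, int]] = {
    "delayed-updates": ("remove", "apply vendor security patches", 3),
    "excessive-access-rights": ("remove", "reduce roles to least privilege", 2),
    "single-factor-authentication": ("control", "require multi-factor authentication", 3),
    "uncontrolled-config-changes": ("control", "enforce change control and configuration monitoring", 2),
    "unauthorized-devices": ("control", "enforce network access control", 2),
}


def select_mitigation(gap: Gap) -> Tuple[str, str, int]:
    """Look up the catalogued mitigation; an unknown category is a planning gap, not a silent skip."""
    try:
        return MITIGATIONS[gap.category]
    except KeyError:
        raise KeyError(f"no catalogued mitigation for category {gap.category!r}") from None


def apply_mitigation(gap: Gap) -> Gap:
    """Return the expected post-mitigation state; impact is unchanged, likelihood drops."""
    _, _, reduction = select_mitigation(gap)
    return Gap(gap.gap_id, gap.category, gap.business_function,
               max(1, gap.likelihood - reduction), gap.impact)


def validate(before: Gap, after: Gap, acceptable: int = 6) -> bool:
    """A mitigation is validated only if re-assessment lowers the score and
    brings it within the (assumed) acceptable residual risk level."""
    return risk_score(after) < risk_score(before) and risk_score(after) <= acceptable


def remediation_plan(gaps: List[Gap], bia: Dict[str, int], acceptable: int = 6) -> List[dict]:
    """Run the full sequence: prioritize, select, apply, validate."""
    plan = []
    for gap in prioritize(gaps, bia):
        kind, action, _ = select_mitigation(gap)
        after = apply_mitigation(gap)
        plan.append({
            "gap": gap.gap_id,
            "function": gap.business_function,
            "score_before": risk_score(gap),
            "mitigation": f"{kind}: {action}",
            "score_after": risk_score(after),
            "validated": validate(gap, after, acceptable),
        })
    return plan


# Constructed sample findings from an assessment; G-4 is on a function the
# BIA did not rank as critical, so it is deferred rather than planned.
SAMPLE_GAPS = [
    Gap("G-1", "single-factor-authentication", "student-records", 4, 5),
    Gap("G-2", "delayed-updates", "tuition-billing", 5, 4),
    Gap("G-3", "excessive-access-rights", "student-records", 3, 4),
    Gap("G-4", "unauthorized-devices", "marketing-site", 4, 2),
]

if __name__ == "__main__":
    for row in remediation_plan(SAMPLE_GAPS, BIA_PRIORITY):
        print(row)
```

With the constructed inputs, G-1 and G-3 (both on the top-ranked function) come before G-2 even though G-2 has the same raw score as G-1, and G-2 fails validation because patching alone leaves a residual score of 8 against the assumed acceptable level of 6, which is the signal to add a second control or to revisit the estimates rather than mark the gap closed.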
We’ve covered a lot of material in a short article, but I hope I’ve reminded you of what’s really important. The key to being secure enough is to deny the low-hanging fruit. If you do that, in most cases cybercriminals will move on to an easier target.
You don’t have to implement perfect security. Just be a harder target than the next address on the potential victim list.
Would you like to know more about implementing a Static Code Analysis solution in your company? Get in touch with our Kiuwan team! We love to talk about security.