Ransomware, supply chain disruption, social engineering leading to credential theft—cyber attacks seem to be disrupting businesses and lives regularly. How do you help ensure your organization does not fall victim?
To prevent an attack, it’s crucial to understand how attackers find their way into your network in the first place. We did some research and found some of the most common attack vectors. The question is: how many of them are available on your attack surface right now? Our (my) recommendation: get a solution that can find them, and prioritize them based on risk, then start remediating or mitigating.
Let’s distinguish an attack vector from attack surface and breaches
Attack vectors are the path that an attacker uses to gain access to your organization’s network. This includes exposed assets or abandoned assets, but also unpatched software vulnerabilities, misconfigured software, weak authentication, and domain hijacking.
The total sum of these exposed IT assets are the attack surface. These could be secure or vulnerable, known or unknown, active or not in use, on-premise or in the cloud and in subsidiary or third-party environments.
A security incident happens when an unauthorized party gets into your IT ecosystem and gains access to your organization’s sensitive, protected, or confidential data or can take control of your systems. This can have significant impacts on your brand, customers, and bottom line. A few examples of security breaches include the Colonial Pipeline ransomware, Robinhood customer data breach, and the exposure of FireEye’s red team tools through the SolarWinds supply chain attack.
The challenge with detection solutions today
Vulnerability scanners are used by organizations to monitor their networks, systems, and applications for security gaps. They identify a range of tens of thousands of Common Vulnerabilities and Exposures (CVEs). Matching scans of your organization against a CVE list identifies outdated software that needs patching and other common issues.
When presented with a long list of findings from the scan, it’s easy to assume that your organization is being thoroughly assessed. However, CVEs alone aren’t enough to gauge risk. There are more potential issues that your team needs to detect in order to outmaneuver attackers.
What about data on an FTP server? Vulnerability scanners are interested in vulnerabilities, not data exposed by a misconfiguration, and finding the data is a multi-step process usually requiring an expensive penetration tester.
What about identification of dangling DNS which can easily lead to subdomain takeover and potential third party attacks and loss of reputation? Vulnerability scans just can’t detect these, either. To understand the full extent of your risk, you need to discover all of the attack vectors that attackers can use.
Figure 1: Exposed data on an FTP
15 attack vectors your organization should look out for:
1. Abandoned assets
When assets haven’t been updated in a long time or are running outdated services, they’ll be vulnerable to targeted attacks. Common instances include abandoned assets that are exposed for extended periods of time without any mechanism to detect attacks in place. It also includes abandoned assets running end-of-life or outdated software with multiple exploitable vulnerabilities. And sometimes there are dead giveaways, like a © 2018 on the bottom of a webpage or login screen.
2. Misconfigured cloud components
With 99% of cloud breaches predicted to be misconfigurations, attackers can easily gain access into cloud information systems. This happens when organizations don’t configure the cloud-based system correctly, and this often results from lack of awareness of new and existing cloud security and policies. It can also be due to a lack of adequate controls and oversight, negligent insider behavior, or too many cloud APIs and interfaces.
3. Exposed remote access services
Exposed systems that offer remote access services are attractive to attackers for obvious reasons: gaining access allows full system administration privileges and a convenient platform for further attacks into the network. Remote Desktop Protocol (RDP) and Secure Shell (SSH) are the most commonly used remote access protocols and notoriously popular targets when unconfigured or misconfigured. Oh, and they can install and propagate ransomware without relying on finding an employee to trick into clicking a link.
4. Default credentials
Credentials that have been shipped with the device and remained unchanged allow for attackers to access the device with the help of user manuals. For example, a remote attacker can gain access to a router with a default username and password. Default credentials almost always represent a path of least resistance for attackers, especially when it’s internet-facing and connected to other devices within an organization. At least make it a little difficult: like @dmin. Or passw0rd.
5. Data exposures
Typically when there’s misconfiguration or default configurations, sensitive files, configuration details, or personal data can be exposed. For your organization this could include intellectual property, user or password lists, logs or history, and code. You’d be surprised how much information could be found in a log[.]txt file.
6. Bypassable authentication mechanisms
Weak or unsafe login mechanisms put authentication at risk. For example, a login that doesn’t mitigate brute force attacks because there’s no limit on password attempts. Avoid weak authentication by implementing robust mechanisms, such as challenge-response or limited password attempts. And make sure failed attempts are logged.
7. Web application and database risks
Insecure code issues and vulnerable third-party software components enable attackers to take control of assets. The interface between the web application and database can be exploited through SQL injections, authentication flaws, and privilege escalation.
Figure 2: An example of a dangling DNS
8. DNS and mail server hijacking
These attack vectors can significantly damage your organization’s reputation. Email servers can be taken over commonly for impersonations, phishing users by posing as your organization’s CEO, shareholders, or other employees. Domain takeovers and DNS hijacking can redirect legitimate users to malicious sites.
9. Software vulnerabilities
This is when a flaw exists in commercial software that can potentially be exploited with attack tools. For the most part, these will be high severity vulnerabilities that are well known and easily exploitable. For example, CVE-2020-3421 is a vulnerability in Cisco Small Business RV042 and its routers that could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against users.
10. Exposed internal assets or sensitive ports
The network topology itself can provide an easy avenue of attack. This includes internet-facing assets which should be protected by at least a firewall or DMZ, yet seem to have no mitigating security controls in place as well as services running on internet-facing hosts with non-standard ports which might indicate an already compromised host or one that could be easily compromised.
11. Unencrypted communications and cryptographic weaknesses
These attack vectors expose data about a system, or on a system, to attackers. Whether it’s because the login mechanism or communication channel is either unauthenticated or unencrypted, or the cryptography used to secure communications is exploitable, attackers will take advantage of weaknesses that leave data exposed.
12. Certificate trust vulnerabilities
These are issues that involve certificate trust chains, where digital certificates identify assets and also secure communications. Vulnerabilities enable attackers to intercept encrypted communications, for example, via man-in-the-middle attacks. The opportunity to misuse an organization’s certificates will create a major trust issue with customers and the public.
13. SaaS platform takeover risks
Software-as-a-Service (SaaS) providers introduce risk to your organization because of their access to your operations. If the provider has poor security and access controls, attackers can gain access to your systems and attack your data. Ensure clarity in the contract and conduct a compliance audit to make sure the SaaS provider is secure.
14. Inactive IP addresses
When the IP address has been handed out by your organization’s DHCP server the address is considered inactive. This makes it easier for attackers to track the address, especially for data mining purposes. To make it active, assign reservations to use DHCP for IP address assignment and not static IP.
15. Insecure and exploitable code
Common flaws in code include injection flaws, cross-site scripting (XSS), buffer overflows, and broken authentication. Strengthening your code involves addressing vulnerabilities with secure coding techniques. Architect code to limit the area of attack for hackers and to identify all types of input and reject all malicious ones. Attack your code often and test the security of your organization’s code architecture.
Stay safe across your entire IT ecosystem
To effectively manage the vulnerabilities in your business, establish and maintain full visibility of assets that connect to and relate to your organization, not just the ones you own. Then you can perform automated security testing, using an advanced assessment process to detect a broad range of attack vectors including CVEs, data exposures, and misconfigurations.
. To see how CyCognito can detect and prioritize the highest-risk exposures, watch our demo video.