1.6 Explain the security concerns associated with various types of vulnerabilities

1.6 Explain the security concerns associated with various types of vulnerabilities

• Cloud-Based vs. On-Premises Vulnerabilities
• Zero-Day
• Weak Configurations
  • Open Permissions
  • Unsecure Root Accounts
  • Errors
  • Weak Encryption
  • Unsecure Protocols
  • Default Settings
  • Open Ports and Services
• Third-Party Risks
  • Vendor Management
    • System Integration
    • Lack of Vendor Support
  • Supply Chain
  • Outsourced Code Development
  • Data Storage
• Improper or Weak Patch Management
  • Firmware
  • Operating System (OS)
  • Applications
• Legacy Platforms
• Impacts
  • Data Loss
  • Data Breaches
  • Data Exfiltration
  • Identity Theft
  • Financial
  • Reputation
  • Availability Loss

Cloud-Based vs. On-Premises Vulnerabilities

Is the cloud more secure or is your own facility more secure?  That is a difficult question to answer, but when properly set up, I would personally lean to the cloud, and here is why

• Physical security.  You are obviously taking a risk by outsourcing your computing infrastructure to a third party.  You may not have a way to audit or verify their physical security.  But the physical security at most cloud service providers is well documented and likely better than the physical security at your organization.
  
  

Some people from the cloud service provider have physical access to the devices holding your data, and these people are not part of your organization.  But the potential for them to cause harm is low and it can be mitigated by encrypting all your data.

• Logical security.  You can create the same logical security on your cloud infrastructure as you can on your physical infrastructure.  For example, Active Directory works the same way in the cloud as it does in the office.
  
  Either way, your devices are connected to the internet.  Threats from the internet are going to attack your infrastructure regardless of whether they are in the cloud or in your office.  But the cloud service provider might allow you to rent a more powerful firewall that you normally couldn’t afford to purchase or install in your office.
  
  The cloud service providers use shared hardware.  That means that your logical server is hosted on a physical server with logical servers belonging to other customers.  The risk that one of those other customers would be able to access your data is extremely low.  But you can also mitigate against this risk by requesting that the cloud provider use dedicated hardware for your account.  This is slightly more expensive.
  
  
• Account security.  The additional risk that the cloud brings is that you now have an online account for administrating your physical infrastructure.  Thus, the security of your cloud infrastructure is only as good as the security provided by the cloud service provider.  You must also be careful to keep your cloud credentials secret.

A single security breach at a cloud service provider could cause harm to its reputation that may be measured in billions of dollars.  Thus, a cloud service provider must take more precautions to ensure that your infrastructure is safe.  A large cloud service provider can spend billions of dollars on security and research, but you probably can’t.

Zero-Day

As mentioned earlier, a Zero Day attack is one that uses a Zero Day exploit.  A Zero Day exploit is a vulnerability in a software program or system that has just been discovered; therefore, there is no patch.  Day Zero is the day that the exploit is first discovered by the public.

It is a kind of “we don’t know what we don’t know”. 

• We don’t know about a Zero Day exploit until somebody uses it to attack us or somebody else.  We might be under attack and still not known about it.
  
  
• Even when we find out about the exploit, we might not be able to stop the attack because no patch is available.  If we can’t find a fix, we might have to take the device offline, which could cause other disruptions.

Weak Configurations

Poor security configurations can be the cause of many headaches.  Many of them can be summarized as when you buy a new device, change the default settings and passwords.  Many times, a hacker gets in because your admin password is “admin”.  If you can’t change the default settings and passwords, then you probably bought some junk from a manufacturer that doesn’t care about security.

• Open Permissions.  That means we set up the device and everybody has access to everything.  We should instead have granular permissions so that a user is given access only to the specific resources that he needs to do his job.
  
  Authentication should be tied to a TACAS+ or RADIUS server wherever possible.  That way, we can centralize, monitor, and revoke user accounts.
  
  
• Unsecure Root Accounts.  That means that the device came with a local root (superadmin) account, and we didn’t change the default password.  Ideally, we should be able to change the root username and password, or disable it entirely and use a TACAS+ or RADIUS server to log in.
  
  
• Errors.  The device displays errors in plain text to any user that is connected to it.  Users can learn about the device configuration from the error message and possibly use the information to hack it.  We should configure the device to log errors internally or send them to an administrator.
  
  
• Weak Encryption.  The device uses weak encryption by default and we didn’t change it to something better.  Or the device supports only a weak form of encryption, and we can’t change it.  Or the device supports strong encryption by default, but a user who uses only weak encryption can force the device to also use weak encryption.
  
  
• Unsecure Protocols.  The device uses an unsecure protocol (such as http) by default, and we may or may not be able to change it.  We might be able to make the default protocol secure, but the device might still allow access over an unsecure protocol when a user makes such a request.
  
  
• Default Settings.  The device uses default settings such as a default IP address or default hostname.  We should change the default settings.
  
  
• Open Ports and Services.  The device has many open ports or many services running, even if they are not required.  We should close unneeded ports and turn off unnecessary services.

Third-Party Risks

I mentioned third-party risks earlier.  We are only as strong as our weakest link.  Some of the risks are

• Vendor Management.  We should evaluate each of our vendors.  Does the vendor supply us with critical components?  If the vendor stops supplying us with products or services, what would happen to our business?  Can we find a replacement vendor quickly?  We might consider having two or more vendors for the same critical product or service.
  
  
  • System Integration.  How well does the vendor’s product or service integrate with our product or service?  For example, a chemical plant I worked with had over one million valves.  When a valve failed, they would have to replace it quickly or risk shutting down part of the plant.  If the valve manufacturer stops making valves, or if they stop making valves that fit onto the chemical plant’s pipes, then the chemical plant will be in big trouble.  They will have to find a new valve manufacturer or shut down the plant and design a new one.
    
    
  • Lack of Vendor Support.  Before buying a product, we should ensure that we will have enough support for the duration of its useful life.  We should also think about where we can get support should the vendor go out of business. 
    
    If the product is critical, there are two extreme things we can consider
    
    
    • We can buy the vendor.  Amazon bought the company that made conveyor belts for its warehouses.  This ensured that Amazon always had the expertise to make conveyor belts for new warehouses.  It was feasible because Amazon was their largest customer and had the financial resources to do so.
      
      
    • We can ask the vendor to give us documentation regarding their product.  This includes service manuals, special tools required to disassemble or clean the product, and special software that is used to program or configure the product.
      
      

A manufacturer may stop offering support for their product because

• The product has reached the end of its life
  
  
  • The manufacturer has ceased operations
    
    
  • The manufacturer has poor customer service and/or does not provide support without an expensive maintenance contract, which the client refuses to pay for (or cannot afford)
    
    
  • The product’s warranty has expired or has been invalidated (due to misuse, improper use, use with incompatible equipment, etc.)
    
    
  • The customer purchased the product from an unauthorized source and the manufacturer refuses to support it
    
    
  • The manufacturer no longer has the expertise to support the product or the manufacturer purchased the product from a white-label vendor (and the white-label vendor refuses to provide support)

• Supply Chain.  As I mentioned earlier, the supply chain is critical.  We need to regularly evaluate two things
  
  
  • If a vendor in our supply chain is unavailable, how will it affect our products or services?  If a vendor in one of our vendor’s supply chain is unavailable, how will it affect our products or services?  Can additional vendors support us or is this a product or service that is proprietary to one supplier?
    
    
  • Does each of our vendors follow the same security standards we do, or are they more vulnerable to being hacked?  If not, what can we do help them.

How much luck we will have at convincing the vendor depends on three things

• How big is the vendor compared to us?  If we are larger than the vendor, they will be more likely to cooperate.
  
  
  • Does the vendor supply us with something proprietary or can we go elsewhere?  The vendor will cooperate if there is a risk that they will lose our business.
    
    
  • How much business do we do with the vendor?  If we are the vendor’s largest customer, they will take steps to stay in business.
    
    
  • Outsourced Code Development.  We might outsource some of our software development to a third party.  Every organization needs software.
    
    At the most basic level, a small business needs a website. 
    
    Larger businesses may not be able to efficiently use “off the shelf” applications, so they turn to software developers who can create custom programs that do exactly what they need.  These programs might manage the business’s logistics, supply chain, or accounting.
    
    The risk with outsourcing the development of a small website is low.
    
    The risk with outsourcing a larger application is much higher.  It rarely goes well.  Many businesses do it because the cost benefit analysis shows that it is better to outsource the development than to hire a team of programmers.  A team of programmers in an offshore country might be cheaper and possibly more experienced, but here is what really happens
    
    
    • It never finishes on time or on budget.
      
      
    • The people who are writing the program are far away.  They are not in your office and you can’t meet with them in person.
      
      
    • You might not have access to the source code, only the final application.
      
      
    • You will need to go back to the developer each time you want to make a change, and each change costs money.  You may need to negotiate a new scope of work for each change.
      
      
    • Even if you do have access to the source code, it may be in a programming language that is not common, or it may be written in a manner that is convoluted.  If you try to make changes yourself, you may have trouble finding somebody who understands it.
      
      
    • There might be disputes about who owns the source code.  Even if the software is your idea, the developer may claim that they own the copyright.  They may reserve the right to sell the program that you are using to other organizations.
      
      If the program turns out to provide you with a competitive advantage, soon some of your competitors will be using it.  And you won’t be able to make any money off it.  
      
      
    • If the program uses external libraries or if the source code is long, you won’t be able to evaluate it and determine whether it contains any backdoors.  You don’t know how secure the development process was.
      
      
  • Data Storage.  Vendors might be tasked with storing our data.  There are two reasons
    
    
    • They need some of our data to provide us with products or services.  For example, if we design a gear that the gear manufacturer is producing, they will need electronic copies of the gear design.
      
      We should make sure that our vendors only receive the data that they specifically need, and that they store the data in a system that is secure as ours.  That means that the data is encrypted and only accessible to the specific employees that need it, and that all access attempts are logged.
      
      
    • We have too much data and no place to put it. 
      
      
      • If the data is electronic and in use, then there is no reason to outsource its storage.  You should store the data on a storage appliance in your facility or in the cloud (technically the cloud is outsourcing but you should be in control of the account). 
        
        
      • If the data is an electronic back up or if it is in paper format, then you might need to outsource the storage to a company such as Iron Mountain.
        You can’t encrypt paper documents, but you can put them in locked boxes and ensure that the service provider has adequate security.  You should encrypt all the electronic data.  This data is normally stored on magnetic tapes or drive cartridges and is not ever placed on the vendor’s computer infrastructure.

Improper or Weak Patch Management

We must keep track of every device in our organization and ensure that patches are applied as soon as they become available.  It is bad enough that there are zero-day vulnerabilities that we don’t know about and that we can’t patch.  There are three layers of devices that need to be patched

• Firmware.  The firmware is the operating system that runs on a physical device or device component.  A firmware patch won’t be available automatically.  We must manually identify the firmware update it and install it.  On many devices, a firmware patch must be manually applied through a USB drive.  It may require rebooting the device and may cause some downtime.
  
  Firmware updates are often neglected.
  
  
• Operating System.  An Operating System update is usually available automatically.  For example, Windows Update automatically forces you to install software updates within a week of them becoming available.
  
  Windows Enterprise gives organizations more time to apply the updates, but they must still be applied.  Some organizations have taken the practice of delaying the updates by several months, which can increase the risk of an attack.
  
  
• Application.  Some common applications such as Adobe Creative Suite and Microsoft Office are configured to check for updates automatically.  Less common applications may not.  A few applications can download and install updates automatically.
  
  A user may not have the administrator rights to update an application.  We should keep track of each application, and automatically push updates to users when they become available.

Legacy Platforms

A Legacy Platform is a computer system or application that is critical to the organization but that cannot be upgraded.  For example, many factories and banks use software and servers that were built in the 1970s or 1980s. 

The problem

• We don’t know when the system will break down
  
  
• It is hard to find replacement parts
  
  
• It is hard to find people who know how to maintain or troubleshoot the system
  
  
• The systems were built before encryption existed and we can’t upgrade the system to support encryption or practically any form of reliable security.  We must keep the system air gapped (not connected to any network).

Why are these systems still in place?

• We don’t have the money to switch to a new system
  
  
• We don’t have a reliable way to copy the data from the old system to a new system
  
  
• The system is critical and replacing it involves shutting it down, which cannot be accomplished without losing money.
  
  
• Management thinks that since the system has worked for so long, it will keep working.  Management doesn’t want to take the risk of replacing a system that has worked reliability with something new that they don’t understand.

Impacts of a Vulnerability

Think about what happens when your organization gets attacked.

• Data Loss.  Data loss means that your data is gone.  You no longer have it.  If you have a reliable back up, you might be able to restore it, but if not, you are in trouble.  The cost of the data loss depends on the type and quantity of data that is lost.
  
  
• Data Breaches.  A data breach means that an unauthorized person has accessed the data.  If the data is a trade secret or some confidential information, it could harm the company by destroying their competitive advantage.
  
  If the data contains personal customer information, then the company might be required to notify the customers and possibly compensate them for the loss.
  
  
• Data Exfiltration.  Data exfiltration is the theft of data. 
  
  The difference between a data breach and a data exfiltration is that exfiltration involves the data leaving the organization.  A data breach happens when somebody accesses the data (or a server containing the data) but does not necessarily copy it.  We might be obligated to report a breach when an unauthorized person logs in to a server containing the data, but we don’t know whether they actually saw or copied anything.
  
  Data could leave through
  
  
  • Paper documents
    
    
  • USB drives
    
    
  • The minds of the employees
    
    
  • The internet

What do people steal?

• Usernames and passwords
  
  
  • Cryptographic keys
    
    
  • Trade secrets
    
    
  • Personal information such as names, social security numbers, and credit card numbers
    
    
  • Customer lists
    
    

Data leaks can be prevented by

• Using proper security measures on firewalls, routers, and computers
  
  
  • Prohibiting the use of USB drives and cell phones at work
    
    
  • Installing Data Leak Prevention appliances
    
    
  • Searching employees when they leave the work site

• Identity Theft.  The next logical step after stealing personal data is to sell it.  Somebody will buy the data and use it to commit identity theft against the affected person.  If the identity theft is traced back to our poor security, then we will probably be required to compensate the customers.
  
  
• Financial.  The cost of a data loss can be massive.  We must attempt to restore the data.  If we can’t restore the data, then we must recreate it, which might be impossible.  The cost could range from thousands of dollars to billions of dollars.
  
  The cost of a data breach depends on the type of data that was stolen and the number of people who are affected.  We will probably be required to compensate each customer for their loss.
  
  The cost of a data breach that results in lost trade secret data could destroy the company if it reduces its competitive advantage in the marketplace.
  
  
• Reputation.  After a data breach, or data loss the company’s reputation will be harmed.  If customer data is stolen, some of them will no longer want to do business with the company. 
  
  If the company’s trade secrets are stolen, then people may start purchasing products from a competitor that uses those secrets to develop the same technology.
  
  
• Availability Loss.  If the data is not available because a hacker deleted it, then employees won’t be able to do their jobs.  The organization will shut down or slow down until the data is restored or recreated.  The amount of loss depends on the amount of data that was stolen.