A vulnerability in Microsoft’s Exchange Server contributed to a large series of cyberattacks affecting over 60,000 private companies in the US. And just one month earlier, an aerospace company, Bombardier, had its employees’ and suppliers’ data breached due to weaknesses in its third-party file transfer app.
There are many security vulnerability types that can put your IT system on hackers’ radar. From poor coding practices to defective external components, no matter what the reason is, many companies end up being exposed. To mitigate this issue, businesses benefit from QA and testing services to evaluate their own software and networks and assess the security risks of external vendor components.
So, which security vulnerability types may be exposing your system to cyberthreats at this very moment? How do vulnerabilities appear? And how can we mitigate them?
A security vulnerability is an unintended system or component characteristic that magnifies the risk of an intrusion or data loss, either by accidental exposure, intentional attack, or conflicts with new components. Such a vulnerability can be a design flaw, an implementation bug, a misconfiguration, etc.
Before we proceed any further, let’s clarify the difference between a vulnerability, an exploit, and a threat.
A vulnerability exists in the system without any efforts from outsiders
An exploit is a way that intruders use an existing system weakness to mount an attack
A threat is an actual incident when one or multiple exploits use a vulnerability to penetrate a system
Security experts can eliminate vulnerabilities upon discovery using software patches, hardware replacement, and system reconfiguration. Training the end-users on security practices and keeping all components up to date will also prevent and minimize vulnerabilities. Additionally, the security teams need to keep in mind that as systems evolve, new weaknesses appear. Therefore, businesses need to scan their software, hardware, and networks systematically for emerging vulnerabilities and fix them before they are discovered and exploited.
New security vulnerabilities keep emerging rapidly, as the US government’s National Vulnerability Database (NVD) published over 8,000 new entries in the first quarter of 2022. With this rapid pace, many businesses can’t keep up and leave open weaknesses for years, exposing their systems. A study of software vulnerabilities revealed that 75% of the attacks mounted in 2020 exploited exposures that were at least two years old, while 18% relied on weaknesses reported back in 2013!
According to research, 75% of applications developed by software vendors don’t comply with the Open Web Application Security Project (OWASP) Top 10 standards. These standards are publicly available. So, why are so many still failing to produce a safe application? Here are the main reasons:
There are two platforms, OWASP and CWE, that offer a reliable and detailed security vulnerabilities list. They update their listings to include any emerging weaknesses. Both resources can be used to educate programmers, testers, and engineers.
OWASP is a non-profit global community that regularly publishes the OWASP Top 10 list of software vulnerabilities. Common Weakness Enumeration (CWE) is a catalog of software and hardware weakness types, also developed by a dedicated community; its Top 25 list includes 25 entries.
Here are 18 of the most prominent security vulnerabilities that we want to highlight in this article, sorted by domain. These can manifest themselves in any IT system, such as the cloud, IoT-based configurations, and mobile apps.
| Network-based | OS-based | Human-made | Process-related |
|---|---|---|---|
| Unencrypted data | Misconfigured system components | Running scripts without checking viruses | Security bugs in programming interface |
| Sensitive data exposure | Weak server-side control | Weak credentialing | Inadequate authentication |
| Insufficient transport layer protection | Remote code execution | Using components with known vulnerabilities | Insufficient monitoring and logs |
| | Known OS-based vulnerabilities | Insecure design | SQL injection |
| | | | Superuser privileges |
| | | | Outdated SW |
| | | | Vulnerabilities in source code |
1. Lack of strong encryption practices
Even though encryption would not stop a cyberattack, it is essential to ensure that sensitive data remains safe even if its storage platform is breached. Attackers can’t misuse encrypted data until they decode it, which gives the violated business time to take the necessary measures, such as notifying the impacted parties and preparing identity theft countermeasures.
Research shows that many companies have no immediate plans of encrypting data on USB sticks, laptops, and desktops. And speaking of data protection regulations, GDPR doesn’t explicitly require encryption but describes it as “appropriate technical and organizational measures” for data safety.
In its Cost of a Data Breach report, IBM pointed out that encryption is one of the most impactful factors that can reduce the average cost of data breaches.
Sensitive data exposure
Data can be exposed due to human error when a negligent employee uploads it to a public database or a website. But this security vulnerability type can also be supported by internal processes that actually allow an unauthorized employee to gain access to and manipulate sensitive data.
Egress, a cybersecurity firm, conducted a survey uncovering that 83% of US organizations have accidentally exposed sensitive data through email, file sharing, collaboration software, and messaging apps.
This type of vulnerability deals with information exchange between the client and the server application. Such information can contain sensitive data, including user credentials and credit card details. When data transportation is not secured, the communication can be intercepted, and attackers can gain access to the data and decipher the encryption if weak algorithms are used.
Incorrectly configuring components and interactions between them is another security issue that we often encounter. For instance, while setting up an IT system, the administrator forgets to override the manufacturer’s default settings and disable directory listings, leaving the system exposed. Another example is forgetting to restrict access to outside devices.
Speaking of interactions, it is advisable for applications to adopt a zero-trust approach and treat every input as risky until it is verified and proven to be legitimate. This helps avoid attacks such as cross-site scripting, where attackers inject untrusted data into an application.
This aspect is particularly relevant to cloud-based solutions. One study reported that server misconfigurations contributed to 200 cloud breaches in two years. Another study shows that around 70% of cloud security breaches start with faulty architecture. As an example, a misconfigured AWS storage bucket exposed 750,000 birth certificate applications in the US in 2019.
This security vulnerability type stands for everything that can go wrong on the server side, from poor authentication to security misconfigurations that enable attacks such as cross-site request forgery, where a user’s browser is made to issue unauthorized requests to the server without that user’s knowledge.
For instance, a misconfiguration in a database server can result in data becoming accessible through a basic web search. And if it contains admin credentials, then intruders can gain access to the rest of the system.
Remote code execution means that the software security vulnerabilities present in your system enable intruders to run malicious code on your devices over the internet. For example, when an employee clicks an emailed link that leads to a third-party website, the hacker behind this setup injects the victim’s computer with malware and assumes control from there. The outsider can then access sensitive data or lock the machine and demand a ransom.
Every operating system has its list of software vulnerabilities. Some lists are published online for everyone to see. For example, here is the list of top 10 Windows 10 OS weaknesses, and here is the corresponding listing for OS X. It is up to security teams to review these points and address them to minimize the openings for attacks.
This is a common security vulnerability type that is present in certain web browsers. For instance, Safari allows running “trusted” scripts without explicit user permission. Hackers tend to exploit this weakness by attempting to run a malicious piece of code that can be confused with a “safe” script. Luckily, it’s often possible to disable this “feature.”
Intruders can gain access by brute-forcing users’ credentials. This is especially easy when the password “123456” alone is used by over 23 million people. Passwords such as “admin”, “password”, and “qwerty” are also common and just as easy to guess.
This type of software vulnerability is regarded as human-made, but businesses can implement measures that would force employees to choose stronger options and change their credentials often enough. This is crucial, given the role that weak credentialing plays in system security. Statistics show that 80% of security breaches were enabled by weak passwords and that 61% of users tend to utilize one security phrase for multiple services.
Deploying third-party components, such as libraries, APIs, datasets, and frameworks, can significantly reduce the effort required to have your system up and running. But it can also introduce vulnerabilities. It’s important to remain diligent and evaluate these components to make sure they don’t leave any backdoors open to access sensitive data.
Even downloading and using third-party images can be dangerous. In 2021, 30 Docker Hub images with a combined download volume of 20 million were used to spread crypto-mining malware.
Insecure design
This is a relatively new security vulnerability type that appeared on OWASP in 2021. The organization calls for secure design patterns, threat modeling, and reference architecture to eliminate weaknesses from the very beginning.
Secure design is a methodology that constantly evaluates threats and ensures the code’s robustness. It encourages systematic testing against known attack methods. It views security as an essential part of software development, not as an add-on or a nice-to-have feature.
Security bugs in APIs
Application programming interfaces (APIs) allow software components to interact with each other, which is an essential part of an IT system. However, APIs with weak security measures can open multiple loopholes, such as broken authentication, and permit code injection and other malicious practices.
For instance, a recklessly built API that relies on the client side to filter information before presenting it to users can expose data, leaving it up for grabs. Sensitive data must be filtered on the server side. Here’s another example of this security vulnerability type: if an API doesn’t restrict the number of incoming requests, it opens the door to denial-of-service (DoS) attacks.
Here is the OWASP list of the top 10 API-related security vulnerabilities for your consideration. Insecure APIs opened the door to many attacks in the past years. One infamous example comes from LinkedIn, as a malicious actor used the platform’s authentication-free API to download data of 700 million users. Using a similar API breach, an intruder retrieved information on 1.3 million Clubhouse users and published it on a hacker forum.
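The two API weaknesses described above, server-side filtering of sensitive fields and limiting the number of incoming requests, as an added example (not code from the original article). The user record, field names and limits are constructed for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed record as a backend might store it (not from the article).
USER_RECORD = {
    "id": 42,
    "display_name": "Alice",
    "email": "alice@example.com",
    "password_hash": "$argon2id$...placeholder...",
    "ssn": "000-00-0000",
}

# Allowlist of fields the public profile endpoint may return.
PUBLIC_FIELDS = ("id", "display_name")

def public_profile_vulnerable(record):
    # VULNERABLE: the whole record is returned; the API relies on the client
    # to hide password_hash, ssn, etc., which anyone calling the API directly can skip.
    return dict(record)

def public_profile_safe(record):
    # HARDENED: filtering happens server-side by allowlist, so fields that
    # are not explicitly approved never leave the server.
    return {k: record[k] for k in PUBLIC_FIELDS if k in record}

class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per client."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)   # client_id -> timestamps of recent requests

    def allow(self, client_id):
        now = self.clock()
        q = self.hits[client_id]
        while q and now - q[0] >= self.window:
            q.popleft()                  # drop timestamps that fell out of the window
        if len(q) >= self.limit:
            return False                 # over budget: caller should answer HTTP 429
        q.append(now)
        return True

def handle_request(limiter, client_id, record=USER_RECORD):
    """Endpoint handler combining both controls; returns (status, body)."""
    if not limiter.allow(client_id):
        return 429, {"error": "rate limit exceeded"}
    return 200, public_profile_safe(record)
```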
Inadequate authentication
Weak authentication measures allow hackers to exploit the “forgot password” option to reset accounts or initiate an account takeover attack. It helps the intruder when the authentication question is something like the user’s birthdate or pet name, as this is publicly available information thanks to social media. Following a multi-factor authentication process will increase security. Sadly, research shows that only 26% of the US companies use this strong authentication method.
Insufficient monitoring and logs
Logs store data on system events, network activities, and user actions. By monitoring logs, security teams can observe all the activities that took place recently and identify suspicious events. If logs are not reviewed systematically, this creates an information gap where software vulnerabilities and malicious activities remain undetected.
Superuser privileges
The less data a user can access, the less damage their account can do if compromised. However, some businesses still negligently grant superuser privileges left and right and fail to restrict employees’ access to what they need to fulfill their everyday duties. If an intruder takes hold of an admin-level account, they can disable anti-virus software and the firewall, install harmful apps, take ownership of files, etc.
According to research, 74% of data breaches start with abusing privileged credentials.
Outdated software
Most businesses realize that timely software updates are key to a secure system. However, it seems that only a few actually follow this practice. Cybernews reports on a recent study that investigated software update frequency. The research was conducted over an 18-month period, and it found that 95% of the websites examined ran on outdated software with known vulnerabilities. The research team also found that an average software product is typically four years behind its latest patch.
Moreover, Kaspersky determined that companies running outdated software are likely to incur 47% more costs in case of a breach.
To give an example, the Marriott hotel chain had 500 million data records compromised in a security breach that resulted from unpatched software.
Vulnerabilities in source code
These code vulnerabilities creep in during software development. For example, a program might transmit sensitive data without encryption, or use a supposedly random string that is not actually random. Such errors are often caught during the software testing phase.
According to a recent Secure Code Warrior survey, 86% of the participating developers admitted that they don’t view application security as a top priority when writing code, with 36% attributing this to tight deadlines. The survey also revealed that 33% of the respondents don’t even understand what makes their code vulnerable.
SQL injection
This security vulnerability type is relevant to websites and applications powered by Structured Query Language (SQL). It allows the attacker to alter SQL statements through user-supplied input and trick the interpreter into executing unintended commands that grant access to the database. This way, intruders can manipulate sensitive data by replacing, deleting, or modifying sensitive fields.
This is a rather old vulnerability that accounted for over 65% of attacks on software apps already back in 2019.
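The mechanism described above, as an added example (not code from the original article): a lookup that pastes user input into the statement text beside its parameterised equivalent, run against a constructed in-memory SQLite table.

```python
import sqlite3

# Constructed sample database (not from the article) with three users.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def find_user_vulnerable(conn, name):
    # VULNERABLE: the input becomes part of the statement text, so a quote
    # character in it changes the structure of the query the interpreter sees.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(query))

def find_user_safe(conn, name):
    # HARDENED: a parameterised query sends the statement and the value
    # separately; the driver treats the input strictly as data, never as SQL.
    query = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(query, (name,)))

# Constructed input containing a quote: under the vulnerable function it turns
# the WHERE clause into "name = 'nobody' OR '1'='1'", which matches every row.
CRAFTED_INPUT = "nobody' OR '1'='1"

def demo():
    """Run both lookups with a legitimate and a crafted name; return the results."""
    conn = make_db()
    return {
        "legit_vulnerable": find_user_vulnerable(conn, "bob"),
        "legit_safe": find_user_safe(conn, "bob"),
        "crafted_vulnerable": find_user_vulnerable(conn, CRAFTED_INPUT),
        "crafted_safe": find_user_safe(conn, CRAFTED_INPUT),
    }
```

The parameterised version returns no rows for the crafted input because the whole string is compared as a name; the vulnerable version returns the entire table.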
After highlighting common security vulnerabilities, let’s move to application and system-specific weaknesses and figure out how to protect your systems from them.
There is an extensive list of possible security vulnerability types in the cloud, independently of whether it’s Azure, AWS, GCP, or any other cloud provider. Our cloud expert, Alexey Zhadov, divides these vulnerabilities by layers and gives tips on how to prevent them.
System layer vulnerabilities
Whatever cloud service your software runs on, there is always an operating system under the hood, even if all you can access is a control panel for your resource. Every operating system has its “holes” and “backdoors”. OS developers constantly look for these weaknesses and try to cover the bases. That’s why it is important to keep your software up to date and to follow the latest developments in the cybersecurity field on known issues.
Network layer vulnerabilities
Every cloud resource runs on a cloud network, which brings the possibility of connecting to the resource from outside. The security team needs to ensure that the network configuration is adequate: never open ports that you are not planning to use, and whitelist the IPs you know and the networks that are expected to connect to your solution. Be cautious about opening direct connections to RDP/SSH ports from anywhere other than known IPs.
Configuration layer vulnerabilities
The cloud must be properly configured according to the user’s requirements and goals, and this configuration must be always maintained up to date. Set up configuration management policies and procedures, and monitor any suspicious activities.
Human factor vulnerabilities
Don’t forget about end-users and administrators that have access to the cloud solution. Account hijacking is one of the most common weaknesses in any IT system. If an intruder gains access to someone’s account credentials, they can freely enter and manipulate the system within the account’s rights, and no one will stop them until receiving a notification from the hacked user. Here is the list of the most common types of security vulnerabilities in cloud applications:
Alexey recommends a few simple rules that companies can implement to protect their cloud systems:
Alexey also weighed in on software security issues haunting web applications. By exploiting these vulnerabilities, attackers can cause severe damage to the application and the organization as a whole. Here are the most common web app attacks resulting from web app security vulnerabilities:
If cybercriminals launch these attacks successfully, they can plant malware, compromise user accounts, access restricted information, and more. So, how to test software for vulnerabilities? Alexey recommends conducting web application security testing to assess the following parameters:
When speaking of mobile app security, we can’t disregard security vulnerability types presented by the device itself in addition to the application. Alexey Zhadov, our cloud and mobile expert, also shared common issues that affect mobile apps:
To secure mobile applications, Alexey recommends some simple practices that companies can implement in app design and maintenance:
What makes IoT solutions unique from the security point of view is that every device’s capabilities are restricted by its usage requirements. There is no room to implement any fancy security features that consume extra capacity, memory, or power, which makes IoT devices vulnerable.
Our IoT expert, Yahor Paloika, highlights the following security vulnerability types in connected devices:
Hacking into IoT systems can have a devastating effect. For example, in an experiment, a team of researchers penetrated the software of a Jeep Cherokee’s connected devices and sent malicious commands through the Jeep’s entertainment system. They tampered with the air conditioning, lowering the temperature, turned the windshield wipers on, and afterward, to the driver’s horror, disabled the brakes. Luckily, it was just an experiment. Here are some tips that Yahor recommends to protect IoT systems:
There is one aspect that substantially differentiates artificial intelligence (AI) and machine learning (ML) solutions from the rest of the systems mentioned in this article: such models are often trained to make predictions, and this training process introduces several types of security vulnerabilities. Our AI expert, Maksym Bochok, highlighted the most popular weaknesses:
Moreover, AI is often combined with other technologies, such as IoT and the cloud, making it susceptible to the security vulnerability types introduced by those systems.
To secure AI systems, our expert recommends the following:
If you are a successful business, there is a good chance that someone has attempted or is attempting to penetrate your system, either to ask for ransom or to cause reputational damage. And as hackers are constantly looking for loopholes to exploit, your IT team is working to reduce risks. To make sure you win this race, consult an experienced security and testing company that will help you assess the state of your system and give recommendations on how to improve.
And in the meantime, to prevent different security vulnerability types from exposing your applications, pay attention to your system’s configuration, ensure that all your software is up to date, and train your employees on security practices.