1.6 Explain the impact associated with types of vulnerabilities. Flashcards
Vulnerability types
There are many types of vulnerabilities
• Some digital, some physical
• Cover a broad scope
• Programming, network design, process/procedure
• Any of these can be exploited at any time
Race condition
A programming conundrum
• Sometimes two things happen at the same time (two threads, two processes, or a check followed by a use)
• This can be bad if you've not planned for it: the attacker changes the state between the check and the use
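A check-then-use race (TOCTOU) on a file path, as an added example that is not part of the original flashcards. The vulnerable reader checks the path with lstat() and then opens the same path; the "attacker_swap" hook is a hypothetical harness that simulates the attacker winning the window by rebinding the name to a symlink pointing at a secret. The hardened reader opens first with O_NOFOLLOW and validates the descriptor it actually holds, so there is no path-based check to race. The scratch directory, file names and contents are constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hook run between the check and the use, standing in for the
 * attacker winning the race window. Test harness, not production code. */
typedef void (*race_hook)(const char *path, const char *target);

/* Attacker's move: replace the harmless file with a symlink to the secret. */
static void attacker_swap(const char *path, const char *target) {
    unlink(path);
    symlink(target, path);
}

static int write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* VULNERABLE: lstat() on the path (time of check), then open() on the same
 * path (time of use). The name can be rebound in between. */
static int read_vulnerable(const char *path, race_hook hook, const char *target,
                           char *buf, size_t len) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1; /* check */
    if (hook) hook(path, target);                                 /* race window */
    int fd = open(path, O_RDONLY);                                /* use: follows symlink */
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (int)n;
}

/* HARDENED: open first, refusing symlinks, then validate the descriptor we
 * actually hold with fstat(). The attacker may swap the name at any time;
 * there is no path-based decision left to race. */
static int read_hardened(const char *path, race_hook hook, const char *target,
                         char *buf, size_t len) {
    if (hook) hook(path, target);
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;        /* ELOOP: a symlink was in the way */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (int)n;
}

/* Constructed scenario: a scratch directory holding a secret file and an
 * attacker-controlled "upload". Returns 1 if the vulnerable reader leaks the
 * secret while the hardened reader refuses, 0 otherwise. */
int toctou_demo(void) {
    char dir[] = "/tmp/toctou.XXXXXX";
    if (!mkdtemp(dir)) return 0;
    char secret[256], upload[256], buf[64];
    snprintf(secret, sizeof secret, "%s/secret.txt", dir);
    snprintf(upload, sizeof upload, "%s/upload.txt", dir);
    write_file(secret, "SECRET-TOKEN\n");
    write_file(upload, "harmless\n");

    int leaked = read_vulnerable(upload, attacker_swap, secret, buf, sizeof buf) > 0
                 && strstr(buf, "SECRET-TOKEN") != NULL;

    unlink(upload);                       /* reset: put the harmless file back */
    write_file(upload, "harmless\n");
    int refused = read_hardened(upload, attacker_swap, secret, buf, sizeof buf) < 0;

    unlink(upload); unlink(secret); rmdir(dir);
    return leaked && refused;
}

int main(void) {
    printf("vulnerable reader leaks, hardened reader refuses: %s\n",
           toctou_demo() ? "yes" : "no");
    return 0;
}
```

The fix pattern generalizes: act on the handle you hold (fd, socket, locked row), not on the name you looked up a moment ago.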
End-of-life vulnerabilities
Without vendor support, no security patches
Upgrade to maintain security
Embedded system vulnerabilities
No direct access to the operating system
These devices are often connected to the Internet, which is convenient for the attacker
Lack of vendor support
Vendors are the only ones who can fix their products
Assuming they know about the problem, and care about fixing it
Improper input handling
Many applications accept user input
• We put data in, we get data back
• All input should be considered malicious
• Check everything. Trust nobody
• Allowing invalid input can be devastating
• SQL injection, buffer overflows, denial of service
Improper error handling
Errors happen
Messages should be just informational enough
• Don't leak network information, memory dumps, stack traces, database dumps
• This is an easy one to find and fix
• A development best practice
Misconfiguration/weak configuration
• Very easy to leave a door open
The hackers will always find it
Default configuration
• Every application and network device has a default login
• Not all of these are ever changed
Untrained users
It takes one person to allow a breach
Training is critical
Improperly configured accounts
Technical issue and process issue
• Frequent audits are important
• Accounts without a need
• Abandoned and unnecessary accounts
• Accounts with administrative access
• These should be severely limited
• Should not be able to log in directly as administrator
• Unless it's on a server console
Vulnerable business processes
Weak cipher suites
• Encryption algorithm (AES, 3DES, etc.) and key length (40 bits, 128 bits, 256 bits, etc.)
• Hash used for the integrity check (SHA, MD5, etc.)
• Some cipher suites are easier to break than others, so stay updated with the latest best practices
• TLS is one of the most common issues - Over 300 cipher suites
• Weak or null encryption (less than 128 bit key sizes), outdated hashes (MD5)
Memory/buffer vulnerabilities
Manipulating memory can be advantageous
• Relatively difficult to accomplish
Memory leak
Unused memory is not properly released
• Begins to slowly grow in size
• Eventually uses all available memory
• System crashes
Integer overflow
Large number into a smaller sized space
• Where does the extra number go? It wraps around, so the result is silently too small
• A wrapped length can pass a size check and lead to an undersized buffer
• You shouldn't be able to manipulate memory this way
Buffer overflow
• Overwriting a buffer of memory and spilling over into other memory areas
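The improper input handling, integer overflow and buffer overflow cards above describe one attack chain, so here is one added example (not from the original flashcards) covering all three. The wire format is hypothetical: a 4-byte little-endian length followed by the payload. naive_total() shows the wrap: a declared length of 0xFFFFFFFE plus a 4-byte header "adds up" to 2, which would sail past a naive size check. The vulnerable parser is shown for contrast only and is deliberately never called, because executing it on the crafted record is a stack overflow. The hardened parser checks every untrusted number against what was really received and against the destination capacity before copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (hypothetical, for illustration):
 *   4-byte little-endian payload length, followed by the payload bytes. */
#define HDR_LEN     4u
#define MAX_PAYLOAD 64u

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Integer overflow: header + declared payload length, computed in 32 bits.
 * 4 + 0xFFFFFFFE does not fit and wraps to 2, a "total" smaller than the
 * message, so a check like `total <= msg_len` passes. */
uint32_t naive_total(uint32_t header, uint32_t payload) {
    return header + payload;                        /* wraps silently */
}

/* Checked form: report the overflow instead of wrapping. Returns 1 on success. */
int checked_total(uint32_t header, uint32_t payload, uint32_t *out) {
    if (payload > UINT32_MAX - header) return 0;   /* would overflow */
    *out = header + payload;
    return 1;
}

/* VULNERABLE (deliberately never called in this example): trusts the
 * declared length and copies into a fixed 64-byte buffer, so any declared
 * length above 64 writes past the end of 'out'. */
int parse_record_vulnerable(const uint8_t *msg, size_t msg_len, uint8_t *out) {
    (void)msg_len;                                  /* real length never consulted */
    uint32_t declared = read_le32(msg);
    memcpy(out, msg + HDR_LEN, declared);           /* buffer overflow */
    return (int)declared;
}

/* HARDENED: every untrusted number is checked against what really exists
 * (msg_len) and against the destination capacity before any copy.
 * Returns the payload length copied, or -1 if the record is rejected. */
int parse_record(const uint8_t *msg, size_t msg_len, uint8_t *out, size_t out_cap) {
    if (msg == NULL || msg_len < HDR_LEN) return -1;   /* header incomplete */
    uint32_t declared = read_le32(msg);
    uint32_t total;
    if (!checked_total(HDR_LEN, declared, &total)) return -1; /* overflow attempt */
    if (total > msg_len) return -1;                 /* claims more than was received */
    if (declared > out_cap) return -1;              /* would not fit the destination */
    memcpy(out, msg + HDR_LEN, declared);
    return (int)declared;
}

/* Constructed inputs: an honest 5-byte record and one declaring 0xFFFFFFFE.
 * Returns 1 when the hardened parser accepts the first and rejects the second. */
int demo(void) {
    uint8_t out[MAX_PAYLOAD];
    const uint8_t good[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
    const uint8_t evil[] = { 0xFE, 0xFF, 0xFF, 0xFF, 'x', 'x', 'x', 'x' };
    int a = parse_record(good, sizeof good, out, sizeof out);   /* 5 */
    int b = parse_record(evil, sizeof evil, out, sizeof out);   /* -1 */
    return a == 5 && b == -1;
}

int main(void) {
    printf("naive total for evil record: %u (wrapped)\n", naive_total(HDR_LEN, 0xFFFFFFFEu));
    printf("hardened parser: %s\n", demo() ? "accepts good, rejects evil" : "broken");
    return 0;
}
```

The same three checks (does the arithmetic overflow, does the claim exceed what arrived, does it fit where it is going) apply to any length field an attacker controls, whether in a network packet, a file header or a form field.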
NULL Pointer dereference
• A pointer is a variable that references a portion of memory
• What happens if that reference points to nothing (NULL)?
• Application crash, debug information displayed, denial of service, etc.
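The memory leak and NULL pointer dereference cards above share one added example, which is not part of the original flashcards. A hypothetical "name:port" record is parsed into a heap object; the leaky version forgets the struct it already allocated on every error path, the fixed version has a single cleanup path and validates the port instead of trusting atoi(). The allocation counter (track_malloc/track_free) is added only so the leak is observable in a test without valgrind. service_port() shows the accessor that crashes on a NULL from a failed parse; service_port_checked() treats "no object" as a reportable condition.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocation counter (added for this example) so a leak is
 * observable in a test without an external tool. */
static long live_allocations = 0;
static void *track_malloc(size_t n) { void *p = malloc(n); if (p) live_allocations++; return p; }
static void  track_free(void *p)    { if (p) { live_allocations--; free(p); } }

typedef struct { char *name; int port; } service_t;

/* NULL-safe destructor: releases both the name and the struct. */
void service_free(service_t *s) {
    if (!s) return;
    track_free(s->name);
    track_free(s);
}

/* LEAKY: parses "name:port" into a heap struct, but the early returns
 * forget the struct already allocated. Each bad record leaks one block. */
service_t *service_parse_leaky(const char *text) {
    service_t *s = track_malloc(sizeof *s);
    if (!s) return NULL;
    const char *colon = strchr(text, ':');
    if (!colon) return NULL;                    /* leak: s is never freed */
    size_t name_len = (size_t)(colon - text);
    s->name = track_malloc(name_len + 1);
    if (!s->name) return NULL;                  /* leak: s is never freed */
    memcpy(s->name, text, name_len);
    s->name[name_len] = '\0';
    s->port = atoi(colon + 1);                  /* no range check, no error detection */
    return s;
}

/* FIXED: validate before allocating, and every failure after an allocation
 * releases what it owns. The port is range-checked rather than trusted. */
service_t *service_parse(const char *text) {
    if (!text) return NULL;
    const char *colon = strchr(text, ':');
    if (!colon || colon == text) return NULL;   /* nothing allocated yet */
    char *end;
    errno = 0;
    long port = strtol(colon + 1, &end, 10);
    if (errno || *end != '\0' || end == colon + 1 || port < 1 || port > 65535) return NULL;

    service_t *s = track_malloc(sizeof *s);
    if (!s) return NULL;
    size_t name_len = (size_t)(colon - text);
    s->name = track_malloc(name_len + 1);
    if (!s->name) { track_free(s); return NULL; } /* release the partial object */
    memcpy(s->name, text, name_len);
    s->name[name_len] = '\0';
    s->port = (int)port;
    return s;
}

/* NULL pointer dereference: this accessor assumes a valid object and
 * crashes when handed the NULL that a failed parse returns ... */
int service_port(const service_t *s) { return s->port; }
/* ... this one reports "no object" as -1 instead of dereferencing. */
int service_port_checked(const service_t *s) { return s ? s->port : -1; }

/* Parse then query, never dereferencing a failed parse. */
int parsed_port(const char *text) {
    service_t *s = service_parse(text);
    int port = service_port_checked(s);         /* -1 if the parse failed */
    service_free(s);
    return port;
}

/* Runs one parser on an invalid record and returns how many allocations it
 * left alive: the leaky parser leaves 1, the fixed parser 0. */
long leak_after(service_t *(*parse)(const char *)) {
    long before = live_allocations;
    service_free(parse("no-port-here"));        /* service_free(NULL) is a no-op */
    return live_allocations - before;
}

int main(void) {
    printf("leaky parser leaks %ld block(s); fixed parser leaks %ld\n",
           leak_after(service_parse_leaky), leak_after(service_parse));
    printf("web:443 -> %d, garbage -> %d\n", parsed_port("web:443"), parsed_port("garbage"));
    return 0;
}
```

One leaked block per bad request is exactly the "slowly grows, eventually exhausts memory" pattern from the memory leak card: an attacker only needs to send malformed records in a loop.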
DLL injection
• The bad guys didn't write the application, but they can write an external library and manipulate the operating system or application into loading and running it
System sprawl/undocumented assets
Hundreds of projects, test platforms, active operating systems, production VMs
• Spin up a new instance with a click
• Keeping track is a challenge
• Easy to miss a forgotten computer
• Under a desk
• Part of a retired application
• Not part of regular security patches
• These become pivot points
Architecture/design weaknesses
The best security system fails if you don't have locks on the doors
• The network doors aren't always visible
• Examine every part of the network
• Ingress
• VPN
• Third-party access
• Internal controls
• Account access
• Front door access
• Conference room access
New threats/zero day
What you don’t know can really hurt you
• And you won’t even see it coming
• Vulnerabilities are sitting in your system, waiting for someone to find them
• Some problems are hidden for years
• A zero day is a flaw the attackers know about before the vendor has a fix (the vendor has had zero days to respond)
• As soon as a patch is available, apply it
• There isn't always time to properly test
• Balance severity with stability
Improper certificate and key management
Manage your keys and certificates
• This needs to be well planned
• Important decisions; you can't do this on the fly
• What will be the organization’s certificate authority?
• How will the CA content be protected?
• How will intermediate CAs be created and managed?
• Who will validate and sign the organization's certificates?
• What is the validation process?