Common Vulnerabilities, Threats, and Risks

This section reviews some of today’s more common vulnerabilities, threats, and risks that you will face. As a general rule, imperfect people create imperfect software, and the mistakes they make unintentionally leave vulnerabilities that hackers can exploit. This list provides a brief synopsis and examples to help increase awareness, enabling you to protect and educate your users. The next section deals with attack examples.

Antivirus software: A software program dedicated to protecting your computer from viruses. As threats evolve, so do these programs. With the decreasing occurrence of viruses and the increase in exploits and attacks, these programs have developed into suites designed to protect you while browsing the Internet and from threats you might not see. Unfortunately, these programs are anything but perfect; they, too, have limitations and bugs. For example, a bug may enable the program to be stopped or prevent it from updating. Of course, without updates the software cannot recognize attack variations and changes. Industrywide, the move is from signature-based to anomaly-based antimalware and host IPS so that the end user is not left waiting for the latest signature, much like anomaly detection on network-based IPS used together with signature and correlation services. Zero-day threats, the initial attacks for which no signature yet exists, are much more common today, and until a signature is available there is no signature-based remediation for such a threat or exploit.

Media players: It is common for websites or files (music or movies) to contain links that, when clicked, start your system’s media player so the content can be played. Hackers have learned to embed in these links or files the means to exploit vulnerabilities in media players, yet another reason to click only links you trust.

Adobe Flash: One of the de facto standards of web content, Flash is quickly becoming the playground of hackers because they love to find vulnerabilities in Flash and exploit them. The worrisome aspect of these vulnerabilities is that hackers can infect Flash on servers and PCs; thus, you may go to a reputable site that has been compromised already. These concerns and others have caused a backlash against Adobe, resulting in its developers and users slowly reconsidering its use for more open standards such as HTML5.

Adobe Reader and Acrobat: Adobe has another winning piece of software on its hands here. These products enable us to read and create PDF files, yet another de facto online standard for protecting and sharing documents. This success also means they draw interest from hackers, who go where the users are. The risk here is that many companies by default permit PDFs to pass freely throughout their network while actively scanning or blocking other document formats, making new PDF vulnerabilities a serious concern.

Backup software: Backups are critical, and as computing moves to virtual machines stored on storage arrays, the ability to cause damage by finding exploits in this type of software is rather serious. Past vulnerabilities have allowed entire servers to be hacked rather easily.

Database software: Whole books have been written on databases and securing them, which isn’t covered here. The vulnerabilities and threats are not unique; several products dominate the market and run most database applications. These applications are often web-based or have a web interface, and exploits against them can lead to DoS attacks and, once a database is initially compromised, to deeper exploitation.

Email clients: Hackers have changed tactics and use email vulnerabilities to corrupt and compromise email clients. They prey on user ignorance, which unfortunately has given them a fertile field for growth because users believe almost any email they get and click away. User awareness, security education, and regular software patching are important even as server-based technologies evolve to protect users and their email. You can put point security solutions for web and email in place, along with a succinct policy to support those controls.

Excessive user rights: Have a single sign-on domain? Most do, and the threats here are based around users with rights to areas and things they do not need; they might want, but they do not need—a rather important distinction. Hackers then rely on weak password policies or nonexistent policies that enable users to never change passwords or use extremely weak ones; thus, the user gets hacked, and the hacker has sufficient privileges to hack again.

Instant messaging and social messaging: Another communication mechanism that users are adopting like crazy, with hackers following suit by researching a variety of ways to attack systems. One thing that astounds me is that when people randomly message you, typically they are hot women or at least claim to be. The hacker’s hope is that you click on a shared link or otherwise behave in a way you normally would not. User education and awareness is key, as in the old axiom “If it’s too good to be true, it is, besides all the money in those accounts people in Africa have is all mine!” Encryption should be considered when businesses are required to use instant messaging.

Office software: This sort of threat is one in which hackers are proactive rather than reactive: they infect a document or spreadsheet, say, via a macro vulnerability. They make the document useful and place it online, or replace a good copy with an infected copy. Users come along, download and open the file, and poof, they become infected, giving the hacker access to your computer without you even being aware of what has occurred.

Removable media: Perhaps not a traditional vulnerability, but much has been made of allowing USB keys to flow freely between users’ homes and corporate resources. In many high-security environments, they are not allowed. The belief is that after a USB key gets infected, it can unwittingly spread the infection between physical PCs in different locations. Unfortunately, manufacturers have been slow to build security into these sorts of removable devices, further adding to the problem. Encryption should be considered for removable media, and for whole disks where possible, managed by a comprehensive PKI.

DNS: The Domain Name System (DNS) is a distributed resource used by most network applications, especially the newer versions of Windows. DNS data is generally trusted implicitly. Considering that DNS is the linchpin of the corporate enterprise, the impact of these vulnerabilities is significant, and a successful attack could jeopardize the integrity of any network. In my experience, patching your DNS application and hardening its security is critical.

SSL: Perhaps the most common data security protocol on the Internet, SSL is in use at every e-commerce site to protect data during transactions. Current threats enable a hacker to get in the middle of the information flow between the user with the credit card and the server that processes the order, capturing the credit card information as it is handed over. Granted, it is difficult to get in the middle like that, but it is not impossible. SSL decryption is possible, as mentioned earlier, but it is a time- and resource-consuming effort.

Phishing: Pronounced fishing, this term describes a hacking technique that attempts to acquire sensitive information such as credit card numbers, bank accounts, usernames, passwords, and so on. Hackers do this via electronic communications such as email, or by impersonating a website, to trick people into revealing this information without knowing they did so. Phishing is perhaps one of the most advanced criminal techniques and the most successful use of social engineering on the Internet today. Phishing has been extremely successful in tricking people into revealing their secrets through the hacker’s use of bait (email) and catch (fake website) techniques.

Spear phishing or whaling: These terms describe a specific type of phishing in which the email techniques target high-profile individuals, such as corporate executives.

Vishing: This attack sends users an email claiming to be from a financial institution that needs the victims to call a phone number about some fictitious problem with their account. The phone numbers are owned by the hacker and are provided via a Voice over IP (VoIP) service, so that when the victims dial the number, it prompts them for their account numbers and PIN, recording it all.
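The bait-and-catch pattern described under Phishing and Vishing above can be turned into a simple triage check that an email gateway or an analyst script might run. The following is an added example, not code from the book: it scores constructed sample messages (not real mail) for the indicators those two entries name, namely urgency language, a request for account numbers or a PIN, a link whose visible text shows one site while its destination is another (the fake-website catch), and a sender domain that does not match the site the message claims to be. The sample addresses, domains and the raw-IP link are all made up for the demonstration, and the two-label registrable-domain helper is a deliberate simplification.

```python
"""Score constructed email samples for the phishing and vishing indicators described above."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages for the demonstration; neither is real mail.
SAMPLES = {
    "bait": (
        "From: Example Bank Security <alerts@examp1e-bank-login.test>\n"
        "To: user@example.test\n"
        "Subject: URGENT: your account will be suspended\n"
        "Content-Type: text/html\n"
        "\n"
        '<p>Verify now at <a href="http://203.0.113.10/verify">'
        "https://www.example-bank.test/login</a> or call 555-0100 and "
        "enter your PIN.</p>\n"
    ),
    "benign": (
        "From: Example Bank <notices@example-bank.test>\n"
        "To: user@example.test\n"
        "Subject: Your monthly statement is available\n"
        "Content-Type: text/html\n"
        "\n"
        '<p>Your statement is ready at <a href="https://www.example-bank.test/statements">'
        "https://www.example-bank.test/statements</a>.</p>\n"
    ),
}

# Hypothetical indicator lists chosen for this demo; a real gateway would use tuned rule sets.
URGENCY = ("urgent", "suspend", "verify now", "immediately", "within 24 hours")
CREDENTIAL_RE = re.compile(r"\b(pin|password|passcode|account number)\b", re.I)
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Crude registrable-domain approximation: the last two labels (enough for this demo)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    """True when the link host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(raw_message: str) -> list:
    """Return the list of bait-and-catch indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (subject + " " + body).lower()
    found = []

    # Bait: pressure to act now, and a request for secrets (account number, PIN).
    if any(phrase in text for phrase in URGENCY):
        found.append("urgency language")
    if CREDENTIAL_RE.search(text):
        found.append("asks for credentials")

    # Catch: the visible link text says one site, the real destination is another.
    for href, anchor_text in LINK_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", anchor_text).strip()
        shown_host = (urlparse(shown).hostname or "") if "://" in shown else ""
        if is_ip_literal(href_host):
            found.append("link to a raw IP address")
        if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
            found.append("link text shows a different site than its destination")
        if shown_host and sender_domain and registrable_domain(shown_host) != sender_domain:
            found.append("claimed site does not match sender domain")
    return found


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", phishing_indicators(raw))
```

The benign statement notice produces no indicators, while the constructed bait message trips all five checks. In practice these heuristics are a first-pass triage signal to route a message for closer review, not a verdict on their own, and the user-awareness point from the text still applies: the visible link text is exactly what a hurried reader trusts.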

Peer-to-Peer (P2P): These types of networks are quite common these days and continue to be risky to users. Attacks here typically come in several forms. In the passive attack, a hacker creates a desirable file that people download and open, thereby infecting their PCs. In the more active version, hackers take advantage of a P2P network’s design to execute a man-in-the-middle attack.

Web browsers: As the primary tool of people accessing the Internet, everyone should be well aware of the security issues surrounding every web browser.
