Cyber security concerns - Top 10s
A look at what keeps security folks awake at night as we head into 2022
In September, The Open Web Application Security Project (OWASP) released its latest top 10 ranking of software security concerns.
In this list, the first update since 2017, there were a few notable developments.
First, Injection vulnerabilities, which had been at the top for many years - mainly because there are so many different types of possible injection attack - are no longer number one.
The OWASP Top 10 2021
Injection's long-held place at the top has been taken by Broken Access Control, which is where an attacker is able to get access to user accounts and operate as the user or as an administrator in the system. Such vulnerabilities often develop as complex applications evolve over time. OWASP found 34 common weakness enumerations, or CWEs, in this category, more than any other.
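As an added illustration, not taken from the OWASP document or this article, here is a minimal Python sketch of the flaw and its fix: a lookup that trusts a client-supplied account id, beside one that only returns the record when the caller owns it or holds an admin role. The account store, the user roles and the function names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin" (hypothetical roles for this example)


# Constructed sample store: account id -> record. The owner_id is what the
# access decision must be made against, not the id the client sends.
ACCOUNTS = {
    101: {"owner_id": 1, "balance": 250},
    102: {"owner_id": 2, "balance": 9000},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested account."""


def get_account_vulnerable(current_user: User, account_id: int) -> dict:
    # Broken Access Control: the account id comes straight from the request and
    # is used as the lookup key with no check that it belongs to the caller, so
    # any authenticated user can read (and, in a real app, modify) any account.
    return ACCOUNTS[account_id]


def can_read_account(current_user: User, account_id: int) -> bool:
    """Object-level authorisation: admins may read any account, users only their own."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        return False
    return current_user.role == "admin" or account["owner_id"] == current_user.user_id


def get_account_hardened(current_user: User, account_id: int) -> dict:
    # Deny by default. "Missing" and "not yours" produce the same error, so a
    # caller cannot learn which account ids exist by probing.
    if not can_read_account(current_user, account_id):
        raise Forbidden("account not found or not permitted")
    return ACCOUNTS[account_id]


if __name__ == "__main__":
    alice = User(user_id=1, role="user")
    print(get_account_vulnerable(alice, 102))  # leaks another user's account
    print(can_read_account(alice, 102))        # False under the hardened check
```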
Another change to the list was the introduction of three new categories into the top 10.
Insecure Design refers to software whose flaws cannot be fixed by a perfect implementation, since the underlying design itself is insecure.
Software and Data Integrity Failures encompass false assumptions made about automated processes and CI/CD pipelines. They are frequently exploited in supply chain attacks.
These new categories emphasise the need to protect the integrity of apps across the entire software development life cycle - the 2020 SolarWinds breach was a clear example of software integrity failure.
The third new category, Server-Side Request Forgery (SSRF), is where the attacker can abuse functionality on the server to read or update internal resources.
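An added example, not part of the article, of the defensive side of SSRF in Python: before a server fetches a URL supplied by a client, it checks the scheme, rejects embedded credentials, requires the host to be on an allowlist, and refuses literal addresses in loopback, private or link-local ranges. The allowlist hosts are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only external services this server should ever
# fetch from. An allowlist is preferable to a denylist of "internal" ranges.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


def validate_outbound_url(url: str) -> bool:
    """Return True only if the server may fetch this client-supplied URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # no file://, gopher://, plain http, etc.
    if parts.username is not None or parts.password is not None:
        return False  # "https://api.example.com@other-host/" must not pass
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname: it must be on the allowlist. Note the name is resolved
        # later at fetch time, so a hardened client should also resolve it
        # here and re-check the address, to cover DNS pointing inward.
        return host in ALLOWED_HOSTS
    # A literal IP: never a loopback, private, link-local or other
    # non-global address, and still only if it is explicitly allowlisted.
    return ip.is_global and host in ALLOWED_HOSTS


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1/items",
                      "https://127.0.0.1/admin",
                      "https://api.example.com@10.0.0.5/"):
        print(candidate, "->", validate_outbound_url(candidate))
```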
The OWASP list provides a usefully comprehensive picture of the way the security landscape is evolving. We thought it would be interesting to see how it compares with the current concerns of security professionals and IT leaders among the Computing readership. So here is the Computing top 10, drawn up by asking 150 IT professionals to rank the OWASP categories.
Please rank the following software vulnerabilities in order of concern to your organisation
Our list is topped by Identity and Authentication Failures, which only made number 7 on the OWASP list. The distinctions between that and OWASP's top flaw, Broken Access Control, are subtle, so this difference may just come down to wording.
Next up were Vulnerable and Outdated Components, which were number 6 on the OWASP list overall, but number 2 in terms of the developer concerns reported to the organisation. (The OWASP rankings combine developer opinions with real-world data points and a measure of the severity and likelihood of each category).
And third was Security Misconfiguration.
Identity and Authentication Failures were seen as the biggest menace because they provide a simple way for an attacker to gain a foothold. Get into someone's laptop while they are working from home and, if they're connected to the network, you're in. If not, there's still a lot to learn by snooping around email accounts.
"People-based vulnerabilities [are the] most common and protections [are] difficult to enforce," opined one IT leader.
"Individuals and accounts are the weakest link: poor passwords, passwords shared, hacked accounts and mismanaged authentication," added a second.
So on to Vulnerable and Outdated Components.
More than ever before, enterprise software is an amalgam of hundreds or thousands of third-party libraries, APIs and connectors. One respondent said they'd been "bitten a lot" by third-party tools.
"With so many applications and devices deployed it's difficult to keep pace with it all," said another. "Most likely to happen or be missed even though it's the most obvious," said a third, while others complained about the difficulty of tracking hundreds of vulnerabilities and applying patches.
Which brings us neatly to the third - configuration issues. Stories about databases stuffed full of sensitive data being left accessible to anyone with a browser are legion, and the complexity of modern applications makes such mistakes all the more likely.
"Complex architectures make it difficult to avoid security misconfigurations," commented a security specialist in local government.
"This part is prone to user error, many other errors can be automated or more strictly policed," added a technical operations director in media, while a third respondent in education mentioned the difficulty of ensuring that newer employees do the right thing: "Inexperienced IT staff will accept the default security settings of systems."
As well as the flaws, we also looked at attack vectors.
Please rank the following attack vectors in order of concern to your organisation
First up was phishing - the vector of choice of many cybercriminals because it's simple, cheap and may only need to work once, and once again, the chief weakness it relies upon is the distracted human. Working from home at one remove from colleagues may have exacerbated the problem, and on mobile devices it's harder to check if the URL looks phishy.
Next were compromised credentials. Credential theft may be the next stage of a phishing attack, or credentials may be obtained through social engineering or via a data leak.
"Compromised credentials continue to be a major issue as they rely on the end users taking appropriate precautions," said one IT leader.
Third was weak access controls. "If your front door is easy to open, then it may not require anything complex or sophisticated to get through," commented a respondent.
OK, the attackers are in, what's the worst that can happen?
Please rank the following breach types in order of concern to your organisation
Encryption of important data is the worst thing that can happen, according to our respondents, followed by having data stolen and weaponised or published on the dark web. All of which are tactics that we've sadly become very familiar with, owing to their popularity among ransomware gangs.
Data encryption is the top concern because it is both relatively likely and highly disruptive.
"Attackers encrypting important data is the hardest and most disruptive to recover from, with the most immediate operational impact if successful," explained one IT leader.
Indeed, recovery could be so difficult that it could lead to the demise of the company, or at least result in extremely heavy costs.
Increasingly, data theft may also follow encryption and blackmail may follow the theft, leaving firms facing massive reputational and financial damage.
"Losing customer data is the scariest prospect and would kill our business quickly through destroying trust," said an IT director.
In a cyber attack on your organisation, which of these potential repercussions would cause you the most concern?
Reputational damage was the biggest concern, followed by fear that customers' leaked data could be used to harm them. Interestingly, fines are some way down the list.
We also asked participants to tell us which of 20 recent Computing stories about cyber attacks concerned them most.
The most worrying was the Microsoft Exchange story, where state-sponsored hackers used Exchange as a stepping stone into thousands of organisations. To quote:
"An example of vulnerabilities in a single core solution providing massive opportunity for cyber attackers to attack multiple parts of the supply chain."
Next was the recent Sunderland University attack, which was unsurprisingly of major concern to IT leaders in education, an easy and popular target for ransomware gangs: "Same sector as us and hence potentially the same software in use," said one.
Then there was the story that Russian intelligence may be colluding with ransomware gangs, which, if accurate, makes them a whole lot more dangerous.
Does senior management at your organisation have a better understanding of cyber security threats now than two years ago?
However, on the plus side, the scale of the cyber challenge is now very apparent, and cyber issues are much less likely to be brushed aside or dropped down the priority list by the board. Asked whether senior management at their organisation has a better understanding of cyber threats now than two years ago, more than three quarters said yes.
What has led to this increased awareness of cyber security issues?
Why? Well, often it's thanks to security evangelists within the organisation spreading the word, including through formal training and awareness raising. The media gets a nod too, with the big cyber stories increasingly finding their way into the mainstream press. Plus, the need to respond to the pandemic and support homeworking has certainly opened a few eyes. Sometimes the worst-case scenario does happen, and it's important to be prepared.