teissTalk host Jenny Radcliffe was joined by Leandros Maglaras, Professor of Cyber Security, De Montfort University, as lead guest; Andrea Manning, University Lecturer, National University of Ireland; and Maor Bin, CEO & Co-Founder, Adaptive Shield.
A study by security vendor Check Point found 2113 mobile apps that had been leaking sensitive user data because their Firebase back ends were exposed by misconfiguration. “Developers often manually change the default locked and secured configurations of security rules to run tests. If left unlocked and unprotected before releasing the application to production, it leaves the database open to anyone accessing it and thus susceptible to read and write into the database.”
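As an added illustration (not from the Check Point study or the teissTalk discussion), the check below walks a Firebase Realtime Database rules document and flags every path where read or write access is granted unconditionally, which is the "left unlocked for testing" state described above. Both rule sets are constructed samples, and the checker is a hypothetical helper rather than a Check Point or Firebase tool.

```python
import json

# Constructed sample: rules unlocked for testing and shipped to production
# (hypothetical, not taken from any real app).
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed hardened counterpart: deny by default, then let each signed-in
# user read and write only their own subtree.
LOCKED_RULES = json.loads("""
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
""")

PERMISSIONS = (".read", ".write")


def find_open_rules(rules_doc):
    """Return (path, permission) pairs where access is granted unconditionally.

    A permission is open when its value is the literal true (or the string
    "true"); a string expression such as "auth != null" is a condition and is
    not flagged. Firebase rules cascade downwards, so an open rule at "/"
    exposes every child path."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in PERMISSIONS:
                if value is True or (isinstance(value, str) and value.strip() == "true"):
                    findings.append((path or "/", key))
            elif isinstance(value, dict):          # nested path or $wildcard
                walk(value, f"{path}/{key}")

    walk(rules_doc.get("rules", {}), "")
    return findings
```

Running the check against an exported rules file before release gives a simple release gate: an empty result means no path is world-readable or world-writable.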
But often it is not the apps themselves that are insecure but the way we use them: relying on the same combination of letters, numbers and special characters to log into all of them. Once an attacker steals those credentials, they have access to every app we use, along with a treasure trove of personal data that they can exploit to their heart’s content.
The increasing uptake of SaaS applications adds another layer of complexity: each application is a separate universe with dozens or even hundreds of security settings, which can be challenging even for a security expert. Apps are also dynamic, and so are organisations, which calls for ongoing monitoring.
The best way to tackle the security problem is to establish what may go wrong and reverse-engineer the controls from there.
Going back to GDPR can put you in a defensible position, and it also forces you to check your procedures and policies and identify where your risks are. Your responsibility depends on whether the app is on-prem, in the cloud, or a SaaS application. For a SaaS app, the responsibility for securing the infrastructure lies with the SaaS vendor, while configuring it securely lies with the organisation’s security team.
Before prioritising your vulnerabilities, you need to understand the attack surface you are defending. Prioritise the low-hanging fruit that brings immediate value, then move on to finding and protecting your most valuable assets. Rely on the Common Vulnerability Scoring System (CVSS) or adopt vulnerability-based risk management.
Companies can be rather oblivious to their assets, in extreme cases even being unaware of the servers they own – most probably a result of deficiencies in business continuity planning. Frameworks that help identify company assets and vulnerabilities include ISO/IEC 27001, or broader frameworks such as a Maturity Assessment, which goes beyond cyber risk to assess the level of security awareness within the organisation and whether the right business continuity and incident response plans are in place.
This should be matched with the resources – both human and financial – available for the company to manage risks.
The CISO’s job is a bit like being a goalkeeper. They may fend off thousands of attacks and go practically unnoticed, while as soon as a cybercriminal breaks into the network, everybody will point at them.
The misconfigurations most often exploited involve legacy protocols; the best practice there is to enforce MFA.
When you allow users to bypass MFA, or let them access corporate data on the Exchange server via Exchange ActiveSync, attackers can exploit those same weaknesses.
The EU’s ENISA has put forward a Cloud Computing Information Assurance Framework, a set of assurance criteria designed to assess the risk of adopting cloud services, compare different cloud provider offers, obtain assurance from the selected cloud providers, and reduce the assurance burden on cloud providers.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543