
Top 7 cybersecurity vulnerabilities & how to prevent them

Rachel Bishop | Updated September 24, 2024

This year alone, the National Institute of Standards and Technology (NIST) reports receiving more than 23,000 common vulnerabilities and exposures (CVEs). While there’s clearly no shortage of security vulnerabilities, a few types tend to spring up more than others, especially in business contexts. Here are seven of the most common types of security vulnerabilities — and how you can defend against them.

Security vulnerabilities vs. security threats

A security vulnerability is a weakness or error in software, hardware, a network, or a system. Threat actors often leverage vulnerabilities to launch cyberattacks.

A security threat marks the moment a hacker acts on a vulnerability, exploiting it for nefarious purposes.

We often see these terms used interchangeably. For simplicity's sake, in this blog, we'll cover the weaknesses, errors, and threats that often impact businesses. Because during an active attack, it won't matter what you call it — you'll just want to know how to fix it. 😅

Phishing

Threat actors use phishing to trick an unsuspecting person into completing a desired action. For example, a hacker may send an email blast to everyone at a company that directs them to take immediate action or else they’ll lose their benefits. The immediate action? Clicking on a malicious link that masquerades as legitimate. In turn, the user unknowingly executes malware or is redirected to a page asking for sensitive information.

Phishing is one of the most popular cybersecurity vulnerabilities. Why? Because it works. In 2023, threat actors sent a record-breaking 1.76 billion phishing emails, a 51% increase over 2022. Phishing was also the most common initial attack vector among all data breaches at organizations last year. It’s simple: People respond to urgency without thinking, which is exactly what threat actors bet on.

How to defend against phishing attacks

To defend against a phishing attack, you first have to be able to recognize a phishing attack. Make sure your end users know to look for typos and inaccuracies, examine the tone, identify and verify the sender, and use common sense when reading emails. And when in doubt, they should enlist the help of an IT professional such as yourself to play it safe. (Beats dealing with a security incident at 3 a.m., am I right?)

Other ways to defend your business against phishing include installing updates, using multifactor authentication, enforcing password policies, using up-to-date antivirus software, setting up firewalls, using a secure email gateway, backing up your devices, and — of course — training your end users.

Zero days

Zero-day exploits get their name from the “zero days” you have to prepare for them. They spring up out of nowhere and wreak havoc on cybersecurity professionals everywhere. And because you have zero days to prepare, you have to wait for a patch or other form of mitigation to be announced. 

Zero days vary in severity. For example, an exploited vulnerability in a not-so-popular program is significantly less dangerous than one in a component that serves as the backbone for many programs (e.g., Log4j, a logging library embedded in countless Java applications). Either way, you should patch zero days as soon as possible — because while security researchers are working on a fix, hackers are exploiting the vulnerability in the wild.

How to defend against zero days

This should make you rest peacefully: There’s no way to defend against zero days. 😬

These threats are unique because threat actors — not software vendors or security researchers — usually discover them first. So, when security researchers discover there’s a problem, it’s only because the zero day is already being exploited in the wild.

There are ways to minimize damage from a zero-day attack, however. Make sure you keep your antivirus up to date because if the zero day executes malware, good antivirus software can catch it as long as the malware’s signature exists in the antivirus’s database. But for zero days like Log4j, the only real way to prepare is to have a disaster recovery plan in place. That way, if the worst happens, you’ll be ready to act.

You can also look for ways to remediate or mitigate a zero day while waiting for an official patch to be released. This could look like disabling services or features or deleting software or files. You might also consider increasing your log audits and limiting your attack surface however you can. If a zero day impacts a business-critical component, it’s better to find other ways to minimize your risk rather than being a sitting duck, waiting on a patch.

Remote code execution

Remote code execution (RCE) is an attack technique that lets hackers run code of their choosing on a vulnerable device. Once an attacker gains a foothold on one device, they can execute commands on other devices — or across an entire network. And that oftentimes means sleepless nights for us cybersecurity folk.

One common way hackers launch a remote code execution attack is through Structured Query Language (SQL) injection. For example, say you have a website with a form that asks for typical user information: name, address, phone number, etc. A hacker might try inserting SQL code instead of her name on the form. When the hacker hits submit, the website splices the entry into its database query, and the database runs the SQL the hacker inserted. Once the malicious query runs, the hacker can perform nefarious activities — such as data exfiltration, where the hacker exports all the data in the database for their own use.

How to defend against remote code execution

The example scenario we just walked through could have been prevented with input sanitization. Input sanitization is the process of disallowing certain entries (e.g., SQL code) from being accepted by a form. This would have prevented the hacker from submitting the form and executing the code.
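To make the scenario concrete, here is an added example (not code from the original post or from PDQ) using Python's built-in sqlite3 module and a constructed in-memory users table: the vulnerable lookup splices the submitted name into the SQL text, the hardened version uses a parameterized query so the value can only ever be data, and an allowlist validator rejects a bad entry before it reaches the database.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the website's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, address TEXT, phone TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("Alice", "1 Main St", "555-0100"),   # constructed sample rows
        ("Bob", "2 Oak Ave", "555-0101"),
    ])
    return db


def lookup_unsafe(db, name):
    """Vulnerable: the form value is spliced into the SQL text, so the
    database executes whatever the submitter typed into the name field."""
    sql = f"SELECT name, address, phone FROM users WHERE name = '{name}'"
    return db.execute(sql).fetchall()


def lookup_safe(db, name):
    """Hardened: a parameterized query sends the value separately from the
    SQL text, so the database only ever treats it as data."""
    sql = "SELECT name, address, phone FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()


def validate_name(name):
    """Input validation in front of the query: allowlist the characters a
    name field may contain and bound its length. Raises on anything else."""
    allowed_punct = " -'"
    if not 1 <= len(name) <= 64:
        raise ValueError("name rejected: bad length")
    if not all(ch.isalpha() or ch in allowed_punct for ch in name):
        raise ValueError("name rejected: disallowed character")
    return name


def handle_form(db, name):
    """What the form handler should do: validate, then query with parameters."""
    return lookup_safe(db, validate_name(name))
```

Note that the unsafe lookup also breaks on a perfectly legitimate name such as O'Brien, which is a good reminder that parameterized queries are a correctness fix as much as a security fix.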

Other ways to prevent remote code execution include regular vulnerability scanning and using secure protocols (e.g., HTTPS) so data is encrypted.

Unpatched software

Unpatched software can spell trouble whenever hackers find a way to exploit known vulnerabilities. All they need is to be able to exploit one vulnerability in unpatched software, and their job gets significantly easier. And once they’re in, they’re in.

And I get it — it’s virtually impossible to patch every single program that runs in your environment. Vendors release new patches every day, and keeping up with them all could easily warrant several full-time jobs. That’s why it’s so important to prioritize vulnerabilities and patch them accordingly. The patch available for that program on that one air-gapped machine in your environment is far less of a security risk than the patch that makes RCE possible on any of your devices.

Not patching your software is a lot like spray painting a huge red target across your back and yelling out to hackers, “I hate sleeping. Attack me!” Patch, patch, patch!

How to manage patches

Patch management is an inherently difficult undertaking. You have all these available patches in front of you with very little time to prioritize, test, or deploy them.

There are tools out there, such as — shameless plug incoming — PDQ Deploy, that can take this work off your plate. Some tools even automate patching for you so you don’t have to apply each available patch manually. Relying on these tools helps you keep your software up to date — and your inner calm intact.

Insider threats

Insider threats occur when someone with insider knowledge of a business, such as an employee, uses their privileged access for nefarious purposes. You’ve likely seen news stories where a disgruntled employee “gets back” at their company by exfiltrating sensitive data. This is an example of an intentional threat. Alternatively, some insider threats are unintentional: the employee means no harm but ends up being used by an attacker. For example, they may unknowingly assist a threat actor by performing an action that’s beneficial to a hacker (e.g., inadvertently downloading malware).

How to defend against insider threats

One way to defend against both intentional and unintentional insider threats is to adhere to the principle of least privilege. This entails issuing each user in your environment the bare minimum access they need to perform their duties. This ensures that even if an insider threat is present, the damage is minimal and (hopefully) easy to recover from.

Another way to defend against insider threats is to monitor your users’ activity with an eagle-eye lens. You don’t need to read every email, but you might consider setting up alerts to warn you when an employee signs on from an unusual location.
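As an added illustration of the unusual-location alert (this code is not from the original post; the sign-on records, user names and IP addresses are constructed), the detection below keeps a per-user baseline of the countries seen in a recent window and raises an alert when a sign-on arrives from a country outside that baseline:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-on records (user,timestamp,country,ip); not real log data.
SIGNON_LOG = """\
alice,2024-09-02T08:05:00,US,198.51.100.10
alice,2024-09-03T08:10:00,US,198.51.100.10
alice,2024-09-04T07:58:00,US,198.51.100.12
bob,2024-09-02T09:00:00,GB,203.0.113.5
bob,2024-09-03T09:02:00,GB,203.0.113.5
alice,2024-09-05T02:30:00,RO,192.0.2.44
bob,2024-09-05T09:01:00,GB,203.0.113.5
"""


def parse(log):
    """Turn the comma-separated records into (user, datetime, country, ip)."""
    events = []
    for line in log.strip().splitlines():
        user, ts, country, ip = line.split(",")
        events.append((user, datetime.fromisoformat(ts), country, ip))
    return events


def unusual_location_alerts(events, baseline_days=3):
    """Alert when a user signs on from a country they have not used in the
    preceding baseline window. A user's very first sign-on never alerts,
    because there is no baseline to compare against yet."""
    last_seen = defaultdict(dict)  # user -> {country: last sign-on time}
    alerts = []
    for user, ts, country, ip in sorted(events, key=lambda e: e[1]):
        window_start = ts - timedelta(days=baseline_days)
        usual = {c for c, t in last_seen[user].items() if t >= window_start}
        if usual and country not in usual:
            alerts.append({"user": user, "time": ts.isoformat(),
                           "country": country, "ip": ip,
                           "usual": sorted(usual)})
        last_seen[user][country] = ts
    return alerts
```

In production the country would come from a geolocation lookup on the source address, and the window would be tuned so that travelling staff do not generate constant noise.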

Security misconfigurations

A security misconfiguration is exactly what it sounds like: a misconfiguration of security settings in applications. Some of these misconfigurations occur when settings are improperly configured while others result from not configuring these settings at all (😅). XM Cyber released a startling research report stating that identity and credential misconfigurations account for 80% of security exposures.

The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released a bulletin in late 2023 noting the top 10 most common network misconfigurations:

  1. Default configurations of software and applications

  2. Improper separation of user/administrator privilege

  3. Insufficient internal network monitoring

  4. Lack of network segmentation

  5. Poor patch management

  6. Bypass of system access controls

  7. Weak or misconfigured multifactor authentication (MFA) methods

  8. Insufficient access control lists (ACLs) on network shares and services

  9. Poor credential hygiene

  10. Unrestricted code execution

How to defend against security misconfigurations

The NSA and CISA offer a multitude of tips to defend against security misconfigurations. In summary, these suggestions include the following steps:

  • Modify default settings of applications before deploying them to prod

  • Change default passwords on devices, such as routers

  • Implement authentication, authorization, and accounting (AAA) systems

  • Adhere to the principle of least privilege

  • Deploy next-generation firewalls

  • Have a patch management plan in place

Weak or stolen user credentials

Ah, the ole solarwinds123 vulnerability. We joke a lot in the industry about easy-to-guess passwords, so I know I'm preaching to the choir when I say that weak credentials are one of the more common cybersecurity vulnerabilities we deal with. Weak credentials are significantly easier for attackers to guess — and thus, steal — than strong ones. And because 86% of web application data breaches are due to stolen credentials, weak credentials are the gifts that keep on giving (you nightmares).

How to defend against weak or stolen user credentials

The best way to defend against weak or stolen user credentials is to implement a good company password policy. Provide guardrails for your end users so they can’t create easy-to-crack passwords to access company systems. Doing so helps your end users help you.

When possible, completely bypass the password game and implement single sign-on (SSO) instead. That way, your end users only need to remember one complex password to access their systems. And let’s be honest: It’s far more likely that your end users will be up for remembering one complex password than remembering a laundry list of semi-complex passwords. And the more passwords they have to remember, the less likely it is that they’ll make those passwords complex and secure. (No, we’re not spying on your end users — we just know that’s how they’re programmed. 😉)

How to protect your organization from cybersecurity vulnerabilities

I have to start off by repeating something I’ve said in many posts before. There is no foolproof way to protect your organization from security vulnerabilities — and if a vendor has ever guaranteed 100% effectiveness, they are lying to you. What we can guarantee is that taking a few common-sense steps makes it that much harder for hackers to do their jobs. And what fun is IT if we’re not making attackers work hard to earn their access?

Here are some steps you can take to defend against cybersecurity vulnerabilities — and make our adversaries question why they chose their day jobs.

Prioritize vulnerability management

Two things in life are constant: change and vulnerability exploitation. Vulnerabilities will be exploited, and even your best efforts won’t be enough to thwart threat actors at all times. But we can at least raise the barrier to entry through an organized vulnerability management plan.

There are five main steps to vulnerability management:

  1. Inventory the assets in your environment

  2. Assess vulnerabilities across monitored devices

  3. Prioritize vulnerabilities by severity and potential impact

  4. Remediate vulnerabilities

  5. Monitor vulnerabilities

Following these steps helps you know which vulnerabilities need addressing immediately and which can wait. Pivot to those vulnerabilities that carry the most risk for your environment, and go from there.
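The prioritization step, together with the earlier comparison of a patch for an air-gapped machine versus one that closes an RCE hole, can be expressed as a simple scoring model. This is an added example, not the post's or PDQ's method; the weights, multipliers, asset names and CVE placeholders are all assumptions.

```python
from dataclasses import dataclass

# Assumed weights: how reachable an asset is scales the scanner's severity.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "air-gapped": 0.2}


@dataclass
class Finding:
    asset: str
    cve: str          # placeholder identifiers below, not real CVE numbers
    cvss: float       # 0.0-10.0 base severity reported by the scanner
    exposure: str     # key into EXPOSURE_WEIGHT
    rce: bool         # the flaw allows remote code execution
    exploited: bool   # exploitation has been reported in the wild


def risk_score(f):
    """Severity adjusted for reachability, RCE impact and active exploitation."""
    score = f.cvss * EXPOSURE_WEIGHT[f.exposure]
    if f.rce:
        score *= 1.5
    if f.exploited:
        score *= 2.0
    return round(score, 2)


def prioritize(findings):
    """Return (asset, cve, score) tuples from most to least urgent."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.asset, f.cve, risk_score(f)) for f in ranked]


# Constructed inventory mirroring the post's point: the same RCE flaw on an
# internet-facing server and on an air-gapped lab machine.
INVENTORY = [
    Finding("lab-pc-07", "CVE-XXXX-0001", 9.8, "air-gapped", True, True),
    Finding("hr-app-01", "CVE-XXXX-0002", 7.5, "internal", False, False),
    Finding("file-srv-02", "CVE-XXXX-0001", 9.8, "internet", True, True),
    Finding("vpn-gw-01", "CVE-XXXX-0003", 6.5, "internet", False, True),
]
```

Note how the identical flaw lands at the top of the list on the internet-facing server and well down it on the air-gapped machine, and how a mid-severity bug that is actually being exploited outranks a higher-scored one that is not.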

Enlist the help of a vulnerability scanner

Vulnerability scanning doesn’t have to be a manual process. In fact, vulnerability scanners are built to find vulnerable components in your environment and flag them for review. Some vulnerability scanners paint a picture of your attack surface by giving you a vulnerability scan report to review. This report helps you tackle the steps of vulnerability management.

Patch, patch, patch

I know you already know this, but given the risks of unpatched software vulnerabilities, it bears repeating. It is so important to test and deploy new patches, especially when they fix a vulnerability that would be particularly detrimental to your business if it were exploited. Patch management should be one of the crucial steps in your vulnerability management process.


Automate the tedious steps of vulnerability management with PDQ Connect: our end-to-end patch management solution. Let PDQ Connect inventory your software and flag vulnerabilities that you can patch in just one click. And should something go wrong with a patch (which would totally not be Microsoft’s fault, of course), use PDQ Connect’s built-in remote desktop control and access feature to get things back up and running again. Try PDQ Connect free for 14 days.

Rachel Bishop

A professional writer turned cybersecurity nerd, Rachel enjoys making technical concepts accessible through writing. At this very moment, she’s likely playing a video game or getting lost in a good psychological thriller. She enjoys spending time with her husband (a former sysadmin now in cybersecurity) as well as her two cats and four parrots.
