Security gaps exist in the most surprising of places. However, the weak links outlined below don’t have to leave organizations vulnerable to breaches or other security threats. The right mix of tools for detecting vulnerabilities and threats can plug security holes before they become a serious threat to the enterprise and critical customer information.
When evaluating soft spots in the security perimeter, one of the most obvious but often overlooked steps is to include people as a priority in that evaluation. Below are four critical areas where enterprises should look for security blind spots, the security tools that are a must-add, and how to implement them successfully:
1. You are the weakest link
Although cybersecurity awareness and hygiene are improving, humans remain one of the weakest links for nefarious actors to target. With a vast majority of US information personnel continuing their work-from-home status during the global pandemic, you should ensure your security awareness training is up to date with an emphasis on including the increased threats faced by a remote workforce. You can have the most advanced security tools available but all it takes is a sleepy or distracted employee to be duped into clicking a spear-phishing email that appears perfectly legitimate, and all of those fancy tools go right out the window.
As the pandemic surges, we have seen a corresponding rise in phishing attacks using COVID-19-themed lures, including one selling a phony vaccine supposedly made from the blood of recovered coronavirus patients. Every organization should try to create a culture of proper cybersecurity hygiene in order to lessen the weak link posed by humans.
2. API threats persist
Application programming interfaces (APIs) can serve as a back door for gaining access to adjacent systems and apps. Detailed API documentation is usually published to give developers transparency and help them understand how the interfaces work. However, that same documentation can be leveraged as a blueprint by bad actors who abuse APIs in their attacks. Analysis of Fortify on Demand (FoD) vulnerability data shows that API abuse issues have roughly doubled over the past four years.
APIs reveal application logic and data, which provide access to numerous sources of potentially sensitive data and mission-critical services. As a result, the application layer attack surfaces widen. Fortify research found that 35% of the analyzed web applications had API abuse problems, and the incidence increased to 52% for mobile applications.
Organizations can use API collaboration tools such as SwaggerHub to feed API definitions into dynamic application security testing tools for a vulnerability analysis of their APIs. API scanning tools can identify weaknesses and vulnerabilities, giving the visibility needed to take remediation action.
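The same API documentation that the text describes as a blueprint can be reviewed statically before a DAST scan is pointed at it. The following is an added example, not code from the article or from any vendor tool: it walks a constructed OpenAPI 3 document (the spec, its paths and the `bearer` scheme are all invented here) and reports operations that can be called with no security requirement, plus parameters that declare no schema, which are exactly the spots a scanner should be told to prioritise.

```python
"""Static checks over an OpenAPI 3 document (added example, constructed spec)."""
import json

# Constructed sample OpenAPI 3 document; none of these paths belong to a real API.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Constructed Orders API", "version": "1.0"},
  "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
  "security": [{"bearer": []}],
  "paths": {
    "/orders": {
      "get": {"summary": "List orders"},
      "post": {"summary": "Create order"}
    },
    "/orders/{id}": {
      "get": {"parameters": [{"name": "id", "in": "path", "required": true,
                              "schema": {"type": "integer"}}]},
      "delete": {"security": [],
                 "parameters": [{"name": "id", "in": "path", "required": true}]}
    },
    "/health": {"get": {"security": []}}
  }
}
""")

# Keys of a path item that are HTTP operations (everything else is metadata).
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def effective_security(spec, operation):
    """Operation-level 'security' overrides the global list; an explicit [] disables auth."""
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def find_unauthenticated_operations(spec):
    """Return 'METHOD path' for every operation reachable without any security requirement."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            if not effective_security(spec, op):
                findings.append(f"{method.upper()} {path}")
    return sorted(findings)


def find_untyped_parameters(spec):
    """Return 'METHOD path :name' for parameters that declare neither a schema nor content.

    Parameters given as $ref are skipped here; resolving references is out of scope.
    """
    findings = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            for param in shared + op.get("parameters", []):
                if "$ref" in param:
                    continue
                if "schema" not in param and "content" not in param:
                    findings.append(f"{method.upper()} {path} :{param.get('name', '?')}")
    return sorted(findings)


if __name__ == "__main__":
    for line in find_unauthenticated_operations(SAMPLE_SPEC):
        print("no auth required:", line)
    for line in find_untyped_parameters(SAMPLE_SPEC):
        print("untyped parameter:", line)
```

Run against the constructed spec it reports the unauthenticated `DELETE /orders/{id}` and `GET /health` operations and the untyped `id` parameter on the delete. The `/health` hit is a reminder that an empty `security` list is sometimes intentional, so the output is a review list for the scanner configuration, not a verdict.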
3. Container security troubles
Containers give organizations a simpler way to deploy applications and have played a significant role in the DevOps evolution. By combining them with platforms such as Kubernetes, development teams can deliver code commits faster and reach business objectives sooner.
While the emphasis on shifting left and extending right with the use of containers and Kubernetes grows, organizations continue to be concerned about their runtime environments. According to StackRox, organizations are experiencing issues during runtime, with more than one out of four (27%) experiencing a security incident in their runtime environment, while another 24% had a major vulnerability to remediate.
Runtime risks that are associated with container and Kubernetes deployments require the involvement of developers, operations, and security teams to mitigate. Shifting left requires organizations to build security into applications during the build stage of the development cycle and assess containers for potential issues that could lead to exploitation. Teams can alleviate risks by scanning containers for vulnerabilities prior to their use in production runtime environments.
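Assessing a container workload for issues before it reaches a runtime environment can be a build-stage gate, which is what the shift-left advice above amounts to in practice. The following is an added example, not code from the article or from StackRox: it checks a constructed Kubernetes Deployment manifest (the `constructed-web` name and `example.invalid` images are invented) for an unpinned image, a privileged or root container, privilege escalation left enabled, and missing resource limits. The field names are real Kubernetes `securityContext` and `resources` keys; the policy thresholds are this example's own choices.

```python
"""Pre-deployment checks on a Kubernetes workload manifest (added example, constructed input)."""
import json

# Constructed Deployment manifest; the registry and image names are placeholders.
SAMPLE_MANIFEST = json.loads("""
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "constructed-web"},
  "spec": {
    "template": {
      "spec": {
        "containers": [
          {
            "name": "web",
            "image": "example.invalid/web:latest",
            "securityContext": {"privileged": true}
          },
          {
            "name": "sidecar",
            "image": "example.invalid/sidecar@sha256:0000000000000000000000000000000000000000000000000000000000000000",
            "securityContext": {"runAsNonRoot": true,
                                "allowPrivilegeEscalation": false,
                                "readOnlyRootFilesystem": true},
            "resources": {"limits": {"cpu": "250m", "memory": "128Mi"}}
          }
        ]
      }
    }
  }
}
""")


def image_is_pinned(image):
    """A digest reference (name@sha256:...) is immutable; any tag except 'latest' is accepted here."""
    if "@sha256:" in image:
        return True
    last_segment = image.rsplit("/", 1)[-1]  # drop registry/repo so a registry port is not mistaken for a tag
    return ":" in last_segment and not last_segment.endswith(":latest")


def check_container(container):
    """Return the policy findings for one container spec."""
    findings = []
    name = container.get("name", "?")
    sc = container.get("securityContext", {})
    if not image_is_pinned(container.get("image", "")):
        findings.append(f"{name}: image is not pinned to a tag or digest")
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container")
    if sc.get("runAsNonRoot") is not True:
        findings.append(f"{name}: runAsNonRoot not set")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"{name}: allowPrivilegeEscalation not disabled")
    if not container.get("resources", {}).get("limits"):
        findings.append(f"{name}: no resource limits")
    return findings


def check_manifest(manifest):
    """Check every container and init container of a pod-template-bearing workload."""
    pod_spec = manifest["spec"]["template"]["spec"]
    findings = []
    for container in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        findings.extend(check_container(container))
    return findings


if __name__ == "__main__":
    problems = check_manifest(SAMPLE_MANIFEST)
    for problem in problems:
        print("BLOCK:", problem)
    print("manifest accepted" if not problems else f"{len(problems)} finding(s)")
```

Against the constructed manifest the `web` container produces all five findings while the digest-pinned, non-root `sidecar` produces none, so a CI job that fails on a non-empty result would stop this Deployment before it reached the cluster. A pod-level `securityContext` is not merged here; a production check would inherit those fields before evaluating each container.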
4. Supply chain integrity concerns
Supply chain integrity remains a major concern as open-source component use continues to rise, with one in eight open-source downloads containing a known vulnerability. Last year, research by Micro Focus and Sonatype determined that open-source software continued to account for the most reported vulnerabilities. The number of days between disclosure of a vulnerability in an open-source component and exploitation of that vulnerability shrank from 45 days in 2006 to three days in 2017.
Recent supply chain attacks have focused on the open-source ecosystem, with attackers hoping to pollute the open-source software supply chain.
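Two controls address the risks just described: refusing a pinned component whose version falls in a known-vulnerable range, and refusing an artifact whose content no longer matches the digest recorded when it was first vetted. The following is an added example, not code from the article, Micro Focus, Sonatype or MITRE: the lockfile, the artifact bytes and the `CONSTRUCTED-ADV-*` advisories are all invented for the example, and the version comparison handles only plain dotted numeric versions.

```python
"""Dependency integrity gate over a constructed lockfile (added example)."""
import hashlib

# Constructed artifact bytes standing in for downloaded packages (not real packages).
ARTIFACTS = {
    "examplelib": b"constructed examplelib 1.4.2 contents",
    "otherlib": b"constructed otherlib 2.0.0 contents",
}

# Constructed lockfile: each entry pins a version and the SHA-256 recorded when the
# artifact was vetted. Digests are computed from the constructed bytes above so the
# example runs offline.
LOCKFILE = [
    {"name": name, "version": version, "sha256": hashlib.sha256(ARTIFACTS[name]).hexdigest()}
    for name, version in (("examplelib", "1.4.2"), ("otherlib", "2.0.0"))
]

# Constructed advisories with placeholder ids: a version is affected if
# introduced <= version < fixed.
ADVISORIES = [
    {"id": "CONSTRUCTED-ADV-001", "name": "examplelib", "introduced": "1.0.0", "fixed": "1.5.0"},
    {"id": "CONSTRUCTED-ADV-002", "name": "otherlib", "introduced": "1.0.0", "fixed": "2.0.0"},
]


def parse_version(text):
    """Plain dotted numeric versions only; pre-release suffixes are out of scope here."""
    return tuple(int(part) for part in text.split("."))


def matching_advisories(name, version, advisories):
    """Ids of advisories whose affected range contains this version of this component."""
    ver = parse_version(version)
    return [a["id"] for a in advisories
            if a["name"] == name
            and parse_version(a["introduced"]) <= ver < parse_version(a["fixed"])]


def digest_matches(entry, data):
    """Compare the artifact's actual SHA-256 with the digest pinned in the lockfile."""
    return hashlib.sha256(data).hexdigest() == entry["sha256"]


def gate(lockfile, artifacts, advisories):
    """Return blocking findings; an empty list means the build may proceed."""
    findings = []
    for entry in lockfile:
        label = f"{entry['name']} {entry['version']}"
        data = artifacts.get(entry["name"])
        if data is None:
            findings.append(f"{label}: artifact missing")
        elif not digest_matches(entry, data):
            findings.append(f"{label}: digest mismatch")
        for adv_id in matching_advisories(entry["name"], entry["version"], advisories):
            findings.append(f"{label}: {adv_id}")
    return findings


if __name__ == "__main__":
    print("clean artifacts:", gate(LOCKFILE, ARTIFACTS, ADVISORIES))
    tampered = dict(ARTIFACTS, otherlib=b"constructed otherlib with altered contents")
    print("tampered artifact:", gate(LOCKFILE, tampered, ADVISORIES))
```

With the constructed inputs the gate blocks `examplelib 1.4.2` because it sits inside the advisory's range, while `otherlib 2.0.0` passes because it equals the fixed version; swapping in altered bytes for `otherlib` adds a digest-mismatch finding, which is the pre-compromised-product case the text warns about.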
Everyone needs to work together to tackle the issues of supply chain integrity and mitigate the risk of pre-compromised products infiltrating businesses and government agencies, research firm MITRE concluded in a 2018 report.
While MITRE’s recommended courses of action (COAs) are primarily directed at the US Department of Defense, the objective of having secure, high-integrity software from concept to retirement is just as valid in the private sector. To achieve this objective, MITRE recommends using industry best practices, including static and dynamic application testing, as a means of establishing software security goals and measuring progress toward them.
Identify your organization's weakest links
Your organization’s cybersecurity defenses are only as strong as your weakest link. Granted, humans are certainly a fragile link, but focus on the other weak links above as well so that you don’t get blindsided.
Stan Wisseman is Chief Security Strategist and Business Development Director for Security Products at Micro Focus. In the information security field for over 30 years, he has applied security best practices to operating systems, networks, systems, software, and organizations. Prior to joining HP in 2014, Stan served as the Chief Information Security Officer for Fannie Mae. He has worked for NSA, Oracle, Cable & Wireless, Cigital, and Booz Allen Hamilton in various security roles.