October 11, 2016

Last Updated on October 11, 2016

Especially if your information security controls are robust, a seemingly insignificant vulnerability could be the one that leads to a breach. It all depends on your specific situation and the actual risk presented.
As an analogy, consider a bank whose vault has a state-of-the-art, highly secure door. On the other side of one of the walls of the vault space there happens to be a janitor’s closet, which happens to be accessible from the building’s roof via an air vent. It also happens that that wall has a crack in it. It might initially seem like an intruder in that space couldn’t steal anything more valuable than cleaning supplies. But if the intruder takes time to examine the walls of the closet, they could potentially mount an attack that would get them into the vault with much less effort than trying to bypass the highly secure door.
I noted a real-world example of “small problem, big risk” recently at a customer site. They had configured an externally accessible web application so that users were able to see/browse what files were on the server. Often this wouldn’t be a big deal, as all there is to see is web page code or image files. But in this case, users were able to browse directories that contained extremely sensitive customer data.
A related example would be a default web application configuration that only allows new users to log in with the least amount of privileges. But if those privileges, whether by design or by accident, allow users to run programs on the system, or to upload their own programs (e.g., malware), it's possible they could escalate their privileges to an admin level and launch an attack.
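To make the directory-browsing problem concrete, here is an added example (not code from the original post or from the customer site it describes) using Python's built-in `http.server`, which, like a web server with indexing switched on, generates a file listing for any directory that has no index page. The `NoListingHandler` subclass refuses the listing with a 403 while still serving individual files; the web root, the `customers.csv` file and its contents are constructed for the demonstration.

```python
"""Directory listing: default handler vs. a hardened one, using Python's http.server.

Added example, not from the original post. SimpleHTTPRequestHandler answers a
request for a directory without index.html with an auto-generated file listing,
exactly the misconfiguration the post describes. The hardened subclass below
returns 403 for such requests and never builds the listing.
"""
import functools
import os
import tempfile
import threading
import urllib.error
import urllib.request
from http import HTTPStatus
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer


class QuietHandler(SimpleHTTPRequestHandler):
    """Default behaviour (listing enabled); only the access log is silenced."""

    def log_message(self, format, *args):  # signature fixed by the base class
        pass


class NoListingHandler(QuietHandler):
    """Hardened: a directory with no index page gets 403 instead of a listing."""

    def list_directory(self, path):
        self.send_error(HTTPStatus.FORBIDDEN, "Directory listing disabled")
        return None  # send_head() treats None as "nothing more to send"


def _status(url):
    """GET url and return the HTTP status; 4xx/5xx are results, not exceptions."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def serve_and_probe(handler_cls, directory):
    """Serve `directory` on a loopback port and request '/' and one file in it."""
    handler = functools.partial(handler_cls, directory=directory)
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        base = "http://127.0.0.1:%d" % server.server_address[1]
        return {"listing": _status(base + "/"),
                "file": _status(base + "/customers.csv")}
    finally:
        server.shutdown()
        server.server_close()


def compare_handlers():
    """Constructed scenario: a web root holding one sensitive file and no index.html."""
    with tempfile.TemporaryDirectory() as webroot:
        with open(os.path.join(webroot, "customers.csv"), "w") as fh:
            fh.write("id,name,ssn\n1,constructed sample,000-00-0000\n")
        return {
            "default": serve_and_probe(QuietHandler, webroot),
            "hardened": serve_and_probe(NoListingHandler, webroot),
        }


if __name__ == "__main__":
    # default: listing 200 / file 200; hardened: listing 403 / file 200
    print(compare_handlers())
```

Note that the hardened handler still serves `customers.csv` on a direct request: disabling the listing only removes the map, so sensitive data must also be kept out of the web root rather than merely hidden from the index.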
Another potentially significant concern, again depending on the specific circumstances, is self-signed SSL certificates. Many organizations use them on internal sites because they're free, and direct users to simply ignore the warnings from their browser. There are two problems with this:

  1. Obviously, because a self-signed certificate doesn't really verify that the host is what it says it is, a bad actor can present their own self-signed certificate (which looks no different to the user) and configure a man-in-the-middle attack to heist login credentials and potentially sensitive data.
  2. Employees who are habituated to ignore warnings on internal sites might well be quicker to ignore them on external sites also. This could make your business more vulnerable to malware and other threats.

For these reasons, it's worth spending the money on CA-issued certificates for your production applications where sensitive data is involved. "Trust, but verify," as the saying goes.
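The practical follow-up to "trust, but verify" is to find the self-signed certificates already in use. The following added example (not from the original post) does that with Python's standard `ssl` module: `fetch_peer_cert` performs a verified TLS handshake against a host you administer and reports a certificate that no trusted CA vouches for, and `audit_certificate` inspects a certificate in the dictionary form `getpeercert()` returns and flags self-signed, expired, soon-to-expire and SAN-less certificates. The host names, certificate contents and the fixed "now" timestamp in the sample are constructed for the demonstration.

```python
"""Inventory check for self-signed and otherwise weak TLS certificates.

Added example, not from the original post. Works on the dictionary form that
ssl.SSLSocket.getpeercert() returns, so the audit itself needs no network.
"""
import socket
import ssl
import time

THIRTY_DAYS = 30 * 86400


def fetch_peer_cert(host, port=443, timeout=5):
    """Verified handshake against host. Returns (cert_dict, None) on success or
    (None, reason) when the certificate does not chain to a trusted CA, which is
    exactly what a self-signed internal certificate produces."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as err:
        return None, "verification failed: %s" % err


def is_self_signed(cert):
    """A self-signed certificate names itself as issuer: issuer == subject."""
    return cert.get("issuer") == cert.get("subject")


def audit_certificate(cert, now=None):
    """Return a list of findings for one certificate dictionary."""
    now = time.time() if now is None else now
    findings = []
    if is_self_signed(cert):
        findings.append("self-signed: no CA vouches for this host")
    not_after = cert.get("notAfter")
    if not_after:
        expires = ssl.cert_time_to_seconds(not_after)  # parses 'Oct 11 00:00:00 2017 GMT'
        if expires < now:
            findings.append("expired")
        elif expires - now < THIRTY_DAYS:
            findings.append("expires within 30 days")
    if not cert.get("subjectAltName"):
        findings.append("no subjectAltName: browsers ignore commonName alone")
    return findings


def audit_inventory(inventory, now=None):
    """Map each host name to its findings; hosts with an empty list are clean."""
    return {host: audit_certificate(cert, now) for host, cert in inventory.items()}


# Constructed sample inventory in getpeercert() format: one self-signed internal
# site about to expire, one properly issued public site.
SAMPLE_INVENTORY = {
    "intranet.example.internal": {
        "subject": ((("commonName", "intranet.example.internal"),),),
        "issuer": ((("commonName", "intranet.example.internal"),),),
        "notBefore": "Oct 20 00:00:00 2015 GMT",
        "notAfter": "Oct 20 00:00:00 2016 GMT",
    },
    "www.example.com": {
        "subject": ((("commonName", "www.example.com"),),),
        "issuer": ((("organizationName", "Example CA (constructed)"),),
                   (("commonName", "Example CA Issuing 1"),)),
        "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
        "notBefore": "Jan 01 00:00:00 2016 GMT",
        "notAfter": "Jan 01 00:00:00 2018 GMT",
    },
}

# Fixed clock for a reproducible result: the post's publication date.
SAMPLE_NOW = ssl.cert_time_to_seconds("Oct 11 12:00:00 2016 GMT")


if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(host, "->", findings or "ok")
```

Run against real hosts, `fetch_peer_cert` only returns a parsed certificate when verification succeeds, so any host that comes back with a reason string is one where users are being trained to click through warnings.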
You typically won’t find these kinds of easily overlooked issues unless you perform some kind of audit or code review. Even then, you’d need to look at the data and systems involved and decide whether a specific scenario was a risk or not, as automated scanning tools generally don’t reflect their actual significance. Moreover, if your information security management system (ISMS) isn’t pretty well in line with best practices to begin with, you’ve probably got bigger fish to fry.
Even a company with mature InfoSec controls can benefit from having third-party experts go through their environment with a fine-toothed comb, because we can see both the big picture and the details in a fresh way that in-house staff frequently can’t. For more information, contact Pivot Point Security.