Misconfigured Cloud Storage
The Cloud Security Report 2019 asserts that 64% of cybersecurity professionals perceive data loss and leakage as the biggest risk associated with the cloud. Misuse of employee credentials and improper access controls are the top challenges for 42% of security professionals, while 34% struggle with compliance in the cloud, and 33% name lack of visibility into infrastructure security as their predominant concern.
How to mitigate: train your team, implement an organization-wide cloud security policy, and continuously discover public cloud storage to maintain an up-to-date inventory of your cloud infrastructure.
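The inventory step above is only useful if each discovered bucket is also checked for anonymous access. The following is an added example, not code from the article or from any vendor named on this page. It evaluates the two documents that decide S3 exposure, the bucket ACL and the bucket policy, in the JSON shapes boto3's get_bucket_acl() and get_bucket_policy() return; the sample documents, bucket name and owner ID are constructed for the demonstration.

```python
"""Check S3 bucket access settings for anonymous exposure.

Added example, not from the article. The two documents mirror the JSON
shapes that boto3's get_bucket_acl() and get_bucket_policy() return; the
sample documents here are constructed for the demonstration.
"""
import json

# Canned groups that make a grant anonymous (AllUsers) or open to every AWS
# account holder (AuthenticatedUsers). Both are treated as public here.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def acl_findings(acl):
    """Return a description of every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    return findings


def _wildcard_principal(principal):
    """True when a policy statement applies to any principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def policy_findings(policy):
    """Return a description of every Allow statement open to any principal."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be unwrapped
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        # A Condition block can narrow a wildcard principal (source VPC, IP range,
        # TLS only). It is flagged for review rather than silently accepted.
        note = " (conditional, review the Condition)" if stmt.get("Condition") else ""
        findings.append(f"policy allows {', '.join(actions)} to any principal{note}")
    return findings


def bucket_exposures(acl, policy=None):
    """Combine ACL and policy findings; an empty list means no public grant."""
    findings = acl_findings(acl)
    if policy:
        findings += policy_findings(policy)
    return findings


# Constructed sample: a bucket with a public-read ACL and an anonymous GetObject policy.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")
# Constructed sample: the same owner-only grant with no bucket policy.
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [SAMPLE_ACL["Grants"][0]]}

if __name__ == "__main__":
    for name, acl, policy in (("example-bucket", SAMPLE_ACL, SAMPLE_POLICY),
                              ("private-bucket", PRIVATE_ACL, None)):
        print(name, bucket_exposures(acl, policy) or ["no public grants"])
```

In a real inventory run, iterate list_buckets() and feed each bucket's ACL and policy to bucket_exposures(); get_bucket_policy() raises when a bucket has no policy, so treat that as "no policy". The account-level and bucket-level Block Public Access settings can override a public grant, so a finding means "review", not necessarily "exposed right now".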
The notorious Collection #1, revealed in 2019 by security expert Troy Hunt, is a set of email addresses and plaintext passwords totaling 2,692,818,238 rows. Anyone can anonymously purchase this data for Bitcoin without leaving a trace. Although it is one of the largest publicly known databases of stolen credentials, it is a mere slice of the compromised data available for sale on the Dark Web. Many organizations are hacked every day without being aware of it, because of the complexity of the attacks or simply because of negligence or a lack of resources or skills.
How to mitigate: ensure visibility of your digital assets, implement a holistic password policy and an incident response plan, and continuously monitor the Dark Web and other resources for leaks and incidents.
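One concrete piece of a password policy that follows from a leak like Collection #1 is refusing any password already present in a breach corpus. The following is an added example, not code from the article: it uses the k-anonymity range endpoint of Troy Hunt's Pwned Passwords service (https://api.pwnedpasswords.com/range/ followed by the first five hex characters of the password's SHA-1), so only those five characters ever leave the client. The fetch function is injectable, and the sample response and its count are constructed so the check runs offline.

```python
"""Check a candidate password against the Pwned Passwords corpus without sending it.

Added example, not from the article. The range API returns every SHA-1 suffix
in the requested 5-hex-character prefix range together with its breach count;
the client matches the remaining 35 characters locally. fetch_range is
injectable so the check can run offline against a constructed response.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password):
    """Upper-case SHA-1 of the password, split into the 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix):
    """Query the real service (network access required)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range=fetch_range_live):
    """Number of times the password appears in the corpus; 0 if unseen."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def acceptable(password, fetch_range=fetch_range_live):
    """Policy decision: reject anything seen in a breach at least once."""
    return breach_count(password, fetch_range) == 0


# Constructed offline stand-in for the service: one known-bad password with a
# made-up count, plus an unrelated suffix as filler. It ignores the prefix.
_KNOWN_BAD = "password"
_BAD_SUFFIX = sha1_split(_KNOWN_BAD)[1]
SAMPLE_RANGE = f"0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n{_BAD_SUFFIX}:12345\r\n"


def fetch_range_sample(prefix):
    return SAMPLE_RANGE


if __name__ == "__main__":
    for candidate in (_KNOWN_BAD, "correct horse battery staple"):
        print(repr(candidate), "->", breach_count(candidate, fetch_range_sample))
```

Wire acceptable() into the password-set and password-change paths rather than into login, and fail open with a logged warning if the service is unreachable, so an outage does not lock users out.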
Abandoned and Unprotected Websites
According to 2019 research by the web security company ImmuniWeb, 97 of the world's 100 largest banks have vulnerable websites and web applications. A wide spectrum of problems is attributed to uncontrolled usage of open source software, outdated frameworks, and JS libraries, some of which contain exploitable vulnerabilities publicly known since 2011.
How to mitigate: start with a free website security test for all your external-facing websites and continue with in-depth web penetration testing for the most critical web applications and APIs.
Mobile Applications’ Back-ends
While most of the APIs used by mobile applications send or receive sensitive data, including confidential information, their privacy and security are widely forgotten or deprioritized, leading to unpardonable consequences.
How to mitigate: build a holistic API inventory, implement a software testing policy, run a free mobile app security test on all your mobile apps and back-ends, and conduct mobile penetration testing for critical ones.
Public Code Repositories
Agile CI/CD practices are a great business enabler; however, if inadequately implemented, they swiftly morph into a disaster. Within this context, public code repositories are often the weakest link undermining organizational cybersecurity efforts.
How to mitigate: implement a policy addressing code storage and access management, enforce it internally and for third parties, and continuously monitor public code repositories for leaks.
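The monitoring the mitigation calls for is, at its core, a scan of repository content for credential shapes. The following is an added example, not code from the article: three rules (the fixed AWS access key ID format, a PEM private-key header, and a secret-looking variable assigned a long high-entropy string) run over file text and report line numbers. The sample file is constructed; "AKIAIOSFODNN7EXAMPLE" is AWS's documented example key ID, and the entropy threshold is an assumption to tune.

```python
"""Scan text for committed credentials before or after it reaches a public repository.

Added example, not from the article. Three rules are used: a fixed AWS access
key ID format, a private-key PEM header, and a secret-looking variable assigned
a long high-entropy string. The sample file content is constructed.
"""
import math
import re
from collections import Counter

RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]
# Assignment of a quoted value of 20+ characters to a secret-looking name.
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)\w*(?:secret|token|password|passwd|key)\w*\s*[:=]\s*['"]([^'"]{20,})['"]""")
ENTROPY_THRESHOLD = 3.5   # bits per character; an assumption, tune against your corpus


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text):
    """Return (line_number, rule, matched_text) for every hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                findings.append((lineno, rule, m.group(0)))
        m = SECRET_ASSIGNMENT.search(line)
        # Keyword alone is too noisy; require the value to look random as well.
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "high-entropy-secret", m.group(1)))
    return findings


# Constructed sample: a settings file committed by mistake.
SAMPLE_FILE = """\
# constructed sample of a settings file committed by mistake
region = "us-east-1"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
api_token = "q9vZ3mK8pL2xR7tY4wN6bJ1cH5dF0gA3"
password = "changeme"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, rule, match in scan_text(SAMPLE_FILE):
        print(f"line {lineno}: {rule}: {match}")
```

Note what the entropy rule does not catch: `password = "changeme"` is short and low-entropy, so a dictionary of known weak values is a separate rule. Run the scanner in a pre-commit hook and in CI on every push, and treat any hit on a public repository as a credential rotation, not just a deletion, since the history remains cloneable.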
Source: The Hacker News