Kevin Coyne
09/10/2023
What threats are new this year and which have become more prevalent?
Many threats are faced by a cyber security team working for any company, because it's not if an attack occurs, it's when. With that in mind it's important to always keep an eye out for both new threats and ones that attackers use over and over again, to help keep the company safe from both old and new threats. Looking at CISA's "2022 Top Routinely Exploited Vulnerabilities" list, there are a lot of different programs and vendors being exploited, but when you look at how they're being exploited, you can start to see some common tactics that malicious users use in order to attempt to gain access to a system. Remote Code Execution (RCE) is done through inserting code remotely that can affect the whole network. Types of RCE include SQL attacks, which involve injecting Structured Query Language into an open text field on a website or application that is vulnerable. Server Side Injection attacks are similar to SQL attacks; however, they focus their attacks on servers that may be
Arbitrary Code Execution (ACE) is similar to Remote Code Execution; however, where RCE focuses more on network devices or applications, ACE focuses more on hardware and software exploits. The attacks are carried out in a similar fashion, using techniques such as SQL injection and deserialization. These types of attacks work by finding a vulnerability where code can be injected in order to reveal more information about a network, whether that be from removing or adding privileges, or exfiltration of data, whether that be customers' PII or proprietary
Many other attack types featured on CISA's list of routinely exploited vulnerabilities include attacks that try to negate security features, whether through privilege escalation, code injection, or impersonation attacks, as well as insecure design, whether that be from the network using old, outdated equipment or programs, applications not being properly updated and patched, or important parts of the network being attached to unsecured public networks that
Comparing these attack types to the OWASP Top Ten from 2021, there is a large overlap between the attacks in CISA's list and OWASP's. Insecure design, using outdated components, broken access control, identification and authentication failures, and injection are featured on both lists, which means companies should make sure that they're designing their
Why are these threats more common and why are they important?
safe, so do the types of attacks that we face. Some may come and go, while others are constantly changing and adapting to the times in order to continue to present a threat. Injections are one of those attacks that have been around forever and will most likely never go away. There are always new websites being built and new applications being made every day that can and do leave themselves vulnerable to attacks. For the right hacker it can also be easy to do, as it usually just starts with access to a given webpage. From here, if the website is not secured properly, the attacker can gain access to control lists that may allow them to see usernames and passwords in
Insecure network design has been increasing as well. Technology can move fast, almost too fast if you're not paying close attention, and using old, outdated hardware and software can expose a network to unwanted attacks. When programs are no longer being patched, or have reached the end of their life cycle, it's important to have a backup ready for your company to be able to switch to while maintaining little to no downtime for users, and keeping their information and your information secure. Although old and outdated hardware and software are a part of insecure design, they're not the only part. Setting up a network with poor firewall placement, or, as stated above, having important information stored on servers that may also contain your web server or email server, is also part of it. Proper placement and separation of key network elements helps make sure they are not easily compromised should an attacker gain access to the network.
Privilege escalation is probably one of the most important things an attacker is trying to do, other than stealing information. If they can get onto the network through the use of an administrative account, or create a fake account and give it administrative control, then they'll have almost free rein of the network until they're detected. From that point it's almost up to the hacker what they may choose to do; deleting files, creating files, or exfiltrating files can all be goals of the attacker. This is a popular attack year after year because there are many different ways in which an attacker can attempt it. From phishing or social engineering to injecting code, it's a main goal of the attacker to have the network think that they belong.
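A detection for the scenario just described (a newly created account that is quickly given administrative control), as an added example that is not part of the original essay. It runs over a few constructed audit-log lines in a made-up format; the event names, account names and the ten-minute window are assumptions for the demo. On Windows the corresponding signals would be Security events 4720 (account created) and 4732 (member added to a security-enabled local group).

```python
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). The format is invented for the demo:
# <ISO timestamp> <event> key=value ...
SAMPLE_LOG = """
2023-09-10T14:02:11 account_created actor=svc_backup target=helpdesk2
2023-09-10T14:03:40 group_member_added actor=svc_backup target=helpdesk2 group=Administrators
2023-09-10T09:15:00 account_created actor=it_admin target=newhire7
2023-09-10T16:20:00 group_member_added actor=it_admin target=newhire7 group=Staff
2023-09-11T08:00:00 group_member_added actor=it_admin target=olduser group=Administrators
""".strip().splitlines()

# Groups whose membership amounts to administrative control (assumed group name).
PRIVILEGED_GROUPS = {"Administrators"}


def parse_line(line):
    """Turn one log line into a dict with a datetime 'ts', the event name and its fields."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_rapid_admin_grants(lines, window_minutes=10):
    """Flag accounts added to a privileged group within `window_minutes` of being created.

    Returns a list of (new_account, creator, grantor) tuples in time order. An existing
    account being made admin (olduser above) is not covered by this rule.
    """
    window = timedelta(minutes=window_minutes)
    created = {}   # account name -> (creation time, creator)
    alerts = []
    records = sorted((parse_line(line) for line in lines), key=lambda r: r["ts"])
    for rec in records:
        if rec["event"] == "account_created":
            created[rec["target"]] = (rec["ts"], rec["actor"])
        elif rec["event"] == "group_member_added" and rec.get("group") in PRIVILEGED_GROUPS:
            hit = created.get(rec["target"])
            if hit is not None and rec["ts"] - hit[0] <= window:
                alerts.append((rec["target"], hit[1], rec["actor"]))
    return alerts


if __name__ == "__main__":
    for account, creator, grantor in find_rapid_admin_grants(SAMPLE_LOG):
        print(f"ALERT: {account} created by {creator} and made admin by {grantor}")
```

Only helpdesk2 is flagged: it was created and added to Administrators by the same service account within two minutes, while newhire7 joined a non-privileged group hours later.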
Comparing old OWASP Top Ten lists to the current one, many changes happen: some categories are taken off, multiple categories are merged into one, or sometimes new ones are created to better explain how certain attacks are morphing over time. While how these attacks are carried out may vary over the years, they showcase how certain elements of attacks have always been used and how companies have kept themselves
As stated previously about insecure design, sometimes technology can move very fast, at least compared to the corporate world that uses it, so a network has to be constantly kept up to date with not only the latest patches and software updates, but also the newest hardware. While certain programs have been known to have exploits for years, like Windows Lightweight Directory, many programs take time for attackers to test out different methods of attack in order to find one that is successful; if it's something that can be patched, the vendor will release a patch to anyone who may be using the program. This is why it's important to keep programs up to date, because once one attacker knows about an exploit and it gets released, anyone can know it, so keeping the
A lack of firewalls, or a poorly set up firewall, can also lead to insecure design as well as other issues. Firewalls can block unwanted traffic from flowing in or out of a certain area, preventing a remote malicious user from gaining access to whatever is behind the firewall. Even if an attacker were to get past the firewall, it could still be configured to block traffic that is traveling out of the network. Doing this can help prevent data from being exfiltrated even if they were to gain access to the server that the firewall is protecting. Being able to block certain signatures from traveling through the firewall, such as passwords or credit card numbers, can also help prevent data exfiltration even if an attacker gains access.
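An added example, not from the original essay, of the kind of signature check the paragraph describes for outbound traffic: a small egress filter that looks for card-number patterns and confirms them with the Luhn checksum, so that ordinary runs of digits (phone numbers, tracking ids) are not blocked. The regular expression, decision names and sample payloads are constructed for the demo; a real data-loss-prevention engine would also inspect encoded or compressed content.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum: true for well-formed card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the digit strings in `text` that look like card numbers and pass Luhn."""
    found = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def egress_decision(payload):
    """Policy for one outbound message: block it if it carries a plausible card number."""
    return "BLOCK" if find_card_numbers(payload) else "ALLOW"


# Constructed sample outbound payloads. 4111 1111 1111 1111 is the well-known
# Visa test number; the other digit runs fail the checksum.
SAMPLE_PAYLOADS = [
    "order 4111 1111 1111 1111 confirmed",
    "ticket 4111111111111112 opened",
    "phone 555-0100 tracking 1234567890123",
]

if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        print(egress_decision(payload), payload)
```

The checksum step is what keeps the filter usable: a plain 16-digit pattern alone would block order numbers and tracking ids as often as real card data.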
As more sites use web applications, more companies are susceptible to injection attacks. Attackers can take advantage of open text fields on a web page and insert special characters in order to reveal hidden information. A simple prompt like "The password doesn't match the username" lets an attacker know that the username is correct, and they can try cracking the password for that account. While that is the simplest form of SQL attack a website should protect against, it isn't all that can be done. Filtering special characters that are commonly associated with SQL helps prevent such attacks on a webpage. It's important to monitor not just the website but also any databases, as they're also targets for attack through means like Remote Code Execution (RCE) discussed earlier. Keeping the infrastructure updated and patched will help prevent new SQL attacks from happening, and monitoring database SQL inputs can help detect any
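The two problems the paragraph names, special characters injected through a login field and an error message that confirms a username exists, shown side by side in an added example that is not part of the original essay. It uses Python's sqlite3 with an in-memory table and one constructed account: the vulnerable login builds its query by string concatenation and reports which part of the check failed, while the hardened login binds the username as a parameter, returns one generic message, and does the same amount of hashing whether or not the user exists.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 50_000
GENERIC_ERROR = "Invalid username or password"

# Used when the username does not exist, so a failed lookup still costs one hash.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", DUMMY_SALT, ITERATIONS)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def check_password(password, salt, expected):
    return hmac.compare_digest(hash_password(password, salt), expected)


def make_db():
    """In-memory users table with one constructed account (demo data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("diver1", salt, hash_password("correct horse", salt)))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Insecure on purpose: string-built SQL, and messages that reveal valid usernames."""
    query = f"SELECT salt, pw_hash FROM users WHERE username = '{username}'"
    row = conn.execute(query).fetchone()
    if row is None:
        return "No such user"
    if not check_password(password, row[0], row[1]):
        return "The password doesn't match the username"   # confirms the account exists
    return "Welcome"


def login_safe(conn, username, password):
    """Hardened: bound parameter, one generic message, constant work on failure."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        check_password(password, DUMMY_SALT, DUMMY_HASH)
        return GENERIC_ERROR
    if not check_password(password, row[0], row[1]):
        return GENERIC_ERROR
    return "Welcome"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # the textbook text-field injection string
    print("vulnerable:", login_vulnerable(db, probe, "guess"))
    print("hardened:  ", login_safe(db, probe, "guess"))
```

Against the vulnerable function the probe string turns the WHERE clause into a condition that is always true, so the lookup succeeds and the "password doesn't match" message confirms an account was found; the hardened function treats the same string as a literal username that does not exist and gives nothing away.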
What threats do you believe will become more critical in the next 12 months? Why?
As the Adventure Scuba and Diving Institute (ASDI) continues to do business and expand, its data will likely face threats not only from competitors but from outside malicious users. All of the previously mentioned attack vectors will likely be a main focus of attack, and they also cover a broad spectrum of attacks. Code injection can happen in different places, and the attacks can have different scopes of vulnerability. An injection attack on a website might not require the same solution as an injection attack on a database. Insecure design could be improved by anything from something as simple as adding a patch manager to keep critical applications updated and secure, to closing ports, to rearranging the topology of a network. Privilege escalation can come from information learned from an injection attack, from insecure design, or from bad access controls. It's important to understand the scope that these vulnerabilities can have, and which assets are the most critical for the company to keep secure, so that you can
Microsoft's Lightweight Directory Access Protocol (LDAP) has its known vulnerabilities, but it also has a lot of support behind it, so if it's a protocol that will be used at the company, proper steps need to be taken to help ensure that data does not get exposed. Make sure that the network is set up in a way that keeps public clients and company clients separate, and tries to add as much separation as possible between the outside network and important file and email servers that can
This type of layout is able to keep the computer lab work contained within the computer lab, running it through a firewall before it attempts to leave the network. Firewalls on the company side can also be set up to block certain requests from users not within the company network. Ports on the web server should also be examined, and any ports that are not needed to keep the website up and running on a daily basis should be closed. Some ports are known to have vulnerabilities, and attackers will sometimes try to carry out their attacks over open, unused
Exploits are constantly being found; if the company happens to be using a program or a piece of hardware that does not have a known exploit, then it's important to stay vigilant for when an exploit is found. LDAP has some vulnerabilities, but through other means it can be made relatively secure. Its wide use by many different companies and vendors proves that point, but it's also necessary to keep the protocols and software used around it secure, making it harder for hackers to be in a position to run an injection attack against the directory, and it's
Key infrastructure components should be kept away from the public, both logically and physically, through strategic network design and patching software. Vendors release patches for a reason: someone else was the victim of an attack, and they don't want more of their customers being vulnerable, so they release a patch. Failing to keep the network updated will leave the network open to exploits for anyone with the knowledge who decides to look.
The software and systems that are vulnerable to the types of attacks mentioned above are devices and programs that will be used every day by employees and customers/students. Keeping these systems secure and operational is important not only for the company but also for anyone who may use the services it provides. Directories, databases, websites, email, etc., can fall victim to many different forms of attack and are constantly under threat, which is why it's
References
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a
https://logixconsulting.com/2022/05/16/what-is-arbitrary-code-execution-in-cybersecurity/#:~:text=During%20an%20arbitrary%20code%20execution,could%20be%20lost%20or%20stolen.
https://owasp.org/www-project-top-ten/