Module 8: Portfolio Project - Option 2

Kevin Coyne

Undergraduate Certificate in Cyber Security - CSU Global University

ITS415: Ethical Hacking and Penetration Testing

Professor Lawrence Snyder

09/10/2023

What threats are new this year and which have become more prevalent?

Many threats are faced by a cyber security team working for any company, because it's not if an attack occurs, it's when. With that in mind, it's important to always keep an eye out for both new threats and ones that attackers use over and over again, to help keep the company safe from both old and new threats. Looking at CISA's "2022 Top Routinely Exploited Vulnerabilities" list, there are a lot of different programs and vendors being exploited, but when you look at how they're being exploited, you can start to see some common tactics that malicious users use in order to attempt to gain access to a system. Remote Code Execution (RCE) is done through inserting code remotely that can affect the whole network. Types of RCE include SQL attacks, which involve injecting Structured Query Language into an open text field on a website or application that is vulnerable, and Server Side Injection attacks, which are similar to SQL attacks but focus on servers that may be vulnerable to attacks on their databases.

Arbitrary Code Execution (ACE) is similar to Remote Code Execution; however, where RCE focuses more on network devices or applications, ACE focuses more on hardware and software exploits. The attacks are carried out in a similar fashion, using techniques such as SQL injection and deserialization. These types of attacks work by finding a vulnerability where code can be injected in order to reveal more information about a network, whether that be by removing or adding privileges, exfiltrating data (whether customers' PII or proprietary company information), or disrupting network services.

Many other attack types featured on CISA's list of routinely exploited vulnerabilities include attacks that try to negate security features, whether through privilege escalation, code injection, or impersonation attacks, as well as insecure design, whether that be from the network using old, outdated equipment or programs, applications not being properly updated and patched, or important parts of the network being attached to unsecured public networks that anyone could have access to.

Comparing these attack types to the OWASP Top Ten from 2021, there is a large overlap between the attacks on CISA's list and OWASP's. Insecure design, using outdated components, broken access control, identification and authentication failures, and injection are featured on both lists, which means companies should make sure they're designing their network properly when designing or changing a network.

Why are these threats more common and why are they important?

As cybersecurity continues as a field to help keep companies' and people's information safe, so do the types of attacks that we face. Some may come and go, while others are constantly changing and adapting to the times in order to continue to present a threat. Injection is one of those attacks that have been around forever and will most likely never go away. There are always new websites being built and new applications being made every day that can and do leave themselves vulnerable to attacks. For the right hacker it can also be easy to do, as it usually just starts with access to a given webpage. From there, if the website is not secured properly, the attacker can gain access to control lists that may allow them to see usernames and passwords in cleartext in order to gain access to the network.

Insecure network design has been increasing as well. Technology can move fast, almost too fast if you're not paying close attention, and using old, outdated hardware and software can expose a network to unwanted attacks. When programs are no longer being patched, or have reached the end of their life cycle, it's important to have a backup ready for your company to be able to switch to while maintaining little to no downtime for users and keeping their information and your information secure. Although old and outdated hardware and software are part of insecure design, they're not the only part. Setting up a network with poor firewall placement, or, as stated above, having important information stored on servers that may also host your web server or email server, is insecure design as well. Proper placement and separation of key network elements makes sure they are not easily compromised should an attacker gain access to the network.

Privilege escalation is probably one of the most important things an attacker is trying to do, other than stealing information. If they can get onto the network through the use of an administrative account, or create a fake account and give it administrative control, then they'll have almost free rein of the network until they're detected. From that point it's almost up to the hacker what they choose to do; deleting files, creating files, or exfiltrating files can all be goals of the attacker. This is a popular attack year after year because there are many different ways in which an attacker can attempt it. From phishing or social engineering to injecting code, it's a main goal of the attacker to have the network think that they belong.

What threats remain constant from year to year? Why?

Comparing old versions of the OWASP Top Ten list to the current one, many different changes happen: some categories are taken off, multiple categories are merged into one, or sometimes new ones are created to better explain how certain attacks are morphing over time. While how these attacks are carried out may vary over the years, they showcase how certain elements of attacks have always been used and how companies have kept themselves vulnerable throughout time.

As stated previously about insecure design, sometimes technology can move very fast, at least compared to the corporate world that uses it, so it is a constant effort to keep a network up to date with not only the latest patches and software updates but also the newest hardware. While certain programs have been known to have exploits for years, like Windows Lightweight Directory, for many programs it takes time for attackers to test out different methods of attack in order to find one that is successful; if it's something that can be patched, the vendor will release the patch to anyone who may be using the program. This is why it's important to keep programs up to date: once one attacker knows a vulnerability and it gets released, anyone can know it, so keeping the software patched will keep new vulnerabilities from being a threat.

Lack of firewalls, or a poorly set up firewall, can also lead to insecure design as well as other issues. Firewalls can block unwanted traffic from flowing in or out of a certain area, preventing a remote malicious user from gaining access to whatever is behind the firewall. Even if an attacker were to get past the firewall, it could still be configured to block traffic that is traveling out of the network. Doing this can help prevent data from being exfiltrated even if they were to gain access to the server that the firewall is protecting. Being able to block certain signatures from traveling through the firewall, such as passwords or credit card numbers, can also help prevent data exfiltration even if a user gains access.

As more sites use web applications, more companies are susceptible to injection attacks. Attackers can take advantage of open text fields on a web page and insert special characters in order to reveal hidden information. A simple prompt like "The password doesn't match the username" lets an attacker know that the username is correct, and they can try cracking the password for that account. While that is the simplest form of SQL attack that a website should protect against, it isn't all that can be done. Special characters that are commonly associated with SQL should be filtered in order to prevent such attacks on a webpage. It's important to monitor not just the website but also any databases, as they're also targets for attack through means like Remote Code Execution (RCE) discussed earlier. Keeping the infrastructure updated and patched will help prevent new SQL attacks from happening, and monitoring database SQL inputs can help detect any irregularities as they occur.
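An added illustration (not part of the essay) of the two weaknesses this paragraph describes, using Python's built-in sqlite3 against a constructed single-user table: a login that concatenates the username into SQL and returns field-specific errors, beside a version that uses a parameterised query and one generic message, plus a small input check that flags SQL metacharacters for monitoring. The table contents, function names and the regular expression are assumptions made for the demonstration.

```python
import hashlib
import hmac
import re
import sqlite3

# Constructed in-memory user table for the demonstration (not real credentials).
# sha256 stands in for a proper password KDF here; the point is the query/messages.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
conn.execute("INSERT INTO users VALUES (?, ?)",
             ("diver01", hashlib.sha256(b"correct horse").hexdigest()))
conn.commit()

GENERIC_ERROR = "Invalid username or password"  # one message for every failure


def login_vulnerable(username, password):
    """Concatenated SQL plus field-specific errors: the weak pattern."""
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE username = '" + username + "'").fetchone()
    if row is None:
        return (False, "Unknown username")  # tells the caller the name is wrong
    if row[0] != hashlib.sha256(password.encode()).hexdigest():
        return (False, "The password doesn't match the username")  # confirms the name
    return (True, "ok")


def login_safe(username, password):
    """Parameterised query and one generic error: the hardened pattern."""
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    # Hash against a dummy value when the user is missing so both paths do similar work.
    stored = row[0] if row else hashlib.sha256(b"dummy").hexdigest()
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if row is None or not hmac.compare_digest(stored, supplied):
        return (False, GENERIC_ERROR)
    return (True, "ok")


# Monitoring aid: flag SQL metacharacters in form input for logging/alerting.
# A detection signal only; parameterised queries are the actual control.
SQL_META = re.compile(r"""['";]|--|/\*|\bOR\b|\bUNION\b""", re.IGNORECASE)


def looks_like_injection(value):
    return bool(SQL_META.search(value))
```

With the concatenated query, an input containing a quote and an OR clause is treated as SQL and makes a non-existent user look like a real one, while the parameterised version answers every failure identically.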

What threats do you believe will become more critical in the next 12 months? Why?

As the Adventure Scuba and Diving Institute (ASDI) continues to do business and expand, its data will likely face threats not only from competitors but from outside malicious users. All of the previously mentioned attack vectors will likely be a main focus of attack, and they also cover a broad spectrum of attacks. Code injection can happen in different places, and the attacks can have different scopes of vulnerability. An injection attack on a website might not require the same solution as an injection attack on a database. Insecure design could be improved by anything from something as simple as adding a patch manager to keep critical applications updated and secure, to closing ports, to rearranging the topology of the network. Privilege escalation can come from information learned from an injection attack, from insecure design, or from bad access controls. It's important to understand the scope that these vulnerabilities can have, and which assets are the most critical for the company to keep secure, so that you can develop a plan to keep them safe from attacks.

Microsoft's Lightweight Directory Access Protocol (LDAP) has its known vulnerabilities, but it also has a lot of support behind it, so if it's a protocol that will be used at the company, proper steps need to be taken to help ensure that data does not get exposed. This means making sure that the network is set up in a way that keeps public clients and company clients separate, and that adds as much separation as possible between the outside network and the important file and email servers that store sensitive information.

This type of layout is able to keep the computer lab traffic contained within the computer lab, running it through a firewall before it leaves the network. Firewalls on the company side can also be set up to block certain requests from users not within the company network. Ports on the web server should also be examined, and any ports that are not needed to keep the website up and running on a daily basis should be closed. Some ports are known to have vulnerabilities, and attackers will sometimes try to carry out their attacks on open, unused ports in order to try to evade detection.

Has an exploit been released? What is the likelihood of an exploit?

Exploits are constantly being found; if the company happens to be using a program or a piece of hardware that does not have a known exploit, then it's important to stay vigilant for when an exploit is found. LDAP has some vulnerabilities, but through other means it can be made relatively secure. Its wide use by many different companies and vendors proves that point, but it's also necessary to keep the protocols and software used around it secure, making it harder for hackers to be in a position to run an injection attack against the directory, since it's likely that such an attack can happen.

Key infrastructure parts should be kept away from the public, both logically and physically, through strategic network design and by patching software. Vendors release patches for a reason: someone else was the victim of an attack, and they don't want more of their customers being vulnerable, so they release a patch. Failing to keep the network updated will leave the network open to exploits for anyone with the knowledge who decides to look.

How widely used is the software or system?

Software and systems that are vulnerable to the types of attacks mentioned above are devices and programs that will be used every day by employees and customers/students. Keeping these systems secure and operational is important not only for the company but also for anyone who may use the service it provides. Directories, databases, websites, email, etc., can fall victim to many different forms of attack and are constantly under threat, which is why it's important to understand how to protect the network from vulnerabilities.

References

CISA. (August 03, 2023). 2022 Top Routinely Exploited Vulnerabilities. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a

Logix. (May 16, 2022). What Is Arbitrary Code Execution in Cybersecurity? https://logixconsulting.com/2022/05/16/what-is-arbitrary-code-execution-in-cybersecurity/#:~:text=During%20an%20arbitrary%20code%20execution,could%20be%20lost%20or%20stolen.

OWASP. (2021). OWASP Top Ten 2021. https://owasp.org/www-project-top-ten/