
Synack’s Top 5 Vulnerabilities Found in 2022

IT and cybersecurity leaders need the clearest possible picture of their networks and assets to understand whether their organizations are at risk and what to do about it. When looking ahead at zero-day vulnerabilities, it can help leaders to first look back and understand the collective strengths and weaknesses of the cybersecurity industry, and the effect those have had on the different risks and threats it is tasked with analyzing and preventing.

As a helpful tool for 2023 strategic cybersecurity planning, we’re highlighting the most common vulnerability categories found in 2022, across more than 27,000 vulnerabilities discovered by the Synack Red Team. Each of these categories has the potential to pose significant threats to large organizations and will continue to be monitored as we move through the year.

Here are the top five vulnerability categories found by Synack in 2022:

#1 Authorization Permission

The most common vulnerability category found in 2022 relates to improper authorization. Authorization is a user’s right to “access a given resource [is] based on the user’s privileges and any permissions or other access-control specifications that apply to the resource.” When authorization is broken, unauthorized users may gain access to resources or initiate actions they should not be allowed to perform, potentially leading to data exposure, DoS or arbitrary code execution.

#2 Cross Site Request Forgery

The runner-up vulnerability is Cross Site Request Forgery (CSRF), an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests such as transferring funds or changing their email address. If the victim is an administrative account, CSRF can compromise the entire web application.
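The following is an added example, not code from the Synack post: a state-changing handler that trusts the session cookie alone, beside the same handler protected with a per-session synchronizer token. The session store, handler names and request shape are constructed for the illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"user": ..., "csrf": ...}
SESSIONS = {}

def create_session(user):
    """Start a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(sid):
    """Token the server embeds as a hidden field in its own forms for this session."""
    return SESSIONS[sid]["csrf"]

def transfer_funds_vulnerable(request):
    """Relies on the session cookie only. The browser attaches that cookie to a
    form POST from any origin, so a cross-site submission succeeds."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    form = request["form"]
    return 200, f"{session['user']} sent {form['amount']} to {form['to']}"

def transfer_funds_hardened(request):
    """Same action, but the submitted token must equal the one bound to the session.
    Another origin cannot read the victim's token, so its POST is rejected."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    submitted = request["form"].get("csrf_token", "")
    # constant-time comparison; a missing or wrong token fails closed
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "CSRF token missing or invalid"
    form = request["form"]
    return 200, f"{session['user']} sent {form['amount']} to {form['to']}"

def cross_site_request(sid):
    """Constructed sample: a POST from another origin. The cookie is the victim's,
    the form fields are chosen by whoever wrote that page, and no token is present."""
    return {"cookies": {"sid": sid}, "form": {"amount": "1000", "to": "unknown"}}

def legitimate_request(sid):
    """Constructed sample: the site's own form, which carries the session's token."""
    return {"cookies": {"sid": sid},
            "form": {"amount": "10", "to": "landlord", "csrf_token": csrf_token_for(sid)}}
```

The hardened handler also refuses the request when the cookie is absent, so the token check never runs against a nonexistent session.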

#3 Information Disclosure

Information Disclosure occurs when a security mistake exposes sensitive information to an actor who is not explicitly authorized to access it. Such exposures can arise in different ways, typically from mistakes in the code paths that manage, store, transfer or cleanse sensitive information.

#4 SQL Injection

This attack consists of inserting or injecting a SQL query via the input data sent from the client to the application. A successful exploit can read and even modify sensitive data, execute administrative functions (including shutting down systems) and, in some cases, issue commands to the operating system.
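An added example, not from the Synack post, that illustrates both #1 (Authorization Permission) and #4 (SQL Injection) on one lookup: the vulnerable version pastes the requested id into the SQL text and never checks who owns the row; the hardened version binds the id as a parameter and makes ownership part of the query. The table, rows and function names are constructed for the illustration.

```python
import sqlite3

def build_demo_db():
    """Constructed sample data: two users' private documents in an in-memory DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", [
        (1, "alice", "alice's salary review"),
        (2, "bob", "bob's medical note"),
    ])
    return conn

def get_document_vulnerable(conn, user, doc_id):
    """Two defects at once: doc_id becomes part of the SQL text (injection), and
    the requesting user is never consulted (missing authorization check)."""
    return conn.execute(
        f"SELECT id, owner, body FROM documents WHERE id = {doc_id}"
    ).fetchall()

def get_document_hardened(conn, user, doc_id):
    """Hardened form: the id is validated and bound as a parameter, so it is data
    rather than SQL, and the row must belong to the requesting user."""
    try:
        doc_id = int(doc_id)          # anything that is not a plain integer id is refused
    except (TypeError, ValueError):
        return None
    return conn.execute(
        "SELECT id, owner, body FROM documents WHERE id = ? AND owner = ?",
        (doc_id, user),
    ).fetchone()                      # None if missing or owned by someone else
```

Note that the hardened function returns the same None for "does not exist" and "not yours", which avoids confirming to the caller that another user's document id is valid.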

#5 Authentication Session Management

Broken Authentication Session Management vulnerabilities round out the Top 5 found by Synack in 2022. Websites may require users to log in with a username and password, MFA or another authentication scheme, and those schemes may contain exploitable vulnerabilities. The site assigns each logged-in visitor a unique session ID that serves as the key to the user’s identity on the server. If that session ID is not properly secured, a cybercriminal can impersonate a valid user and access that user’s account.
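The following is an added example, not code from the Synack post, showing the session-ID handling the paragraph alludes to: IDs drawn from the OS CSPRNG, a fresh ID issued at login so a pre-login ID never becomes authenticated, server-side expiry and logout, and cookie attributes that keep the ID off cleartext channels and away from scripts. The store, timeout value and function names are constructed for the illustration.

```python
import secrets
import time

SESSION_TTL = 30 * 60   # idle timeout in seconds (assumed policy value)
SESSIONS = {}           # session_id -> {"user": ..., "last_seen": ...}

def new_session_id():
    # 256 bits from the OS CSPRNG; never a counter, timestamp or hash of the username
    return secrets.token_urlsafe(32)

def start_anonymous_session(now=None):
    """Pre-login session (e.g. a shopping cart); carries no identity."""
    sid = new_session_id()
    SESSIONS[sid] = {"user": None, "last_seen": time.time() if now is None else now}
    return sid

def login(username, old_sid=None, now=None):
    """Issue a fresh ID on successful authentication and discard the old one, so an
    ID planted in the browser before login (session fixation) is never upgraded."""
    SESSIONS.pop(old_sid, None)
    sid = new_session_id()
    SESSIONS[sid] = {"user": username, "last_seen": time.time() if now is None else now}
    return sid

def set_cookie_header(sid):
    """Secure keeps the ID off plain HTTP, HttpOnly keeps it from page scripts,
    SameSite=Lax withholds it from most cross-site requests, Max-Age bounds its life."""
    return (f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; "
            f"SameSite=Lax; Max-Age={SESSION_TTL}")

def resolve_user(sid, now=None):
    """Map a presented ID to a user, or None if unknown, expired or logged out."""
    now = time.time() if now is None else now
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if now - session["last_seen"] > SESSION_TTL:
        SESSIONS.pop(sid, None)       # expired IDs are deleted, not merely ignored
        return None
    session["last_seen"] = now
    return session["user"]

def logout(sid):
    """Invalidate on the server; clearing the cookie alone leaves the ID usable."""
    SESSIONS.pop(sid, None)
```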

How to Reduce Your Exposure to a Top 5 Vulnerability

Synack offers an offensive security testing platform allowing enterprise customers to track exploitable vulnerabilities in their environment and to close security gaps before they can be exploited by bad actors. The Synack Platform pairs the Synack Red Team, a community of 1,500 expert and vetted adversarial researchers, with the machine intelligence in our platform. Synack’s security testing missions cover web assets and host assets, as well as mobile, cloud and API security.

If you’re not penetration testing on a continuous basis, you should be. Talk to your Synack rep or your authorized security sales representative to learn more about strategic security testing.

The post Synack’s Top 5 Vulnerabilities Found in 2022 appeared first on Synack.

Cyber Ramblings of a Middle-Aged Woman: The Cocktail

Reflections from a Synack customer success manager

By Michelle Welch Fuller

What do the cyber kill chain and cocktails have in common? Surprisingly, I did find comparisons. A cocktail is an enjoyable drink that helps you remove barriers and inhibitions. The cyber kill chain defines the stages of a cyber attack that remove barriers and expose your vulnerabilities.

Ask yourself, do you binge drink on the weekend? If you do, and I am not judging, just know that the cyber attack binge is 24/7. Sit down, pour yourself a drink and let’s map out the seven steps of the kill chain process against those of a proper cocktail.

The cyber kill chain versus the cocktail

  • Reconnaissance

Cocktail: The beginner’s cocktail has to be a ‘Kir Royale.’ It’s chic and sophisticated, and if you’re in a crowded bar you’re likely looking around to identify other refined and stylish individuals.

Hacker: Initially, an attacker farms as much information as they possibly can to prepare for an attack on your assets. They will review public information or use common scanning tooling to identify known vulnerabilities in your firewalls, IDS systems or authentication mechanisms.

  • Weaponization

Cocktail: The choice of cocktails is endless, so go straight in for the hard liquor! I suggest a ‘Whiskey Mac.’ You are that debonair individual holding the crystal tumbler and looking for that potent effect in your throat as you take your first sip.

Hacker: The hacker has a choice of weapons to use that are widely available to both attackers and defenders. Their decision will be based on what they discovered in the reconnaissance phase to determine the most effective attack vector and the appropriate weapon.

  • Delivery

Cocktail: Next try the ‘Harvey Wallbanger,’ but order this one via table service. Attempt to inject as much alcohol content into your bloodstream as you can, since you no longer need to get out of your seat. Ignore the vodka and Galliano and keep telling yourself it’s just orange juice!

Hacker: The attacker is identifying the best option for gaining a starting position in their attack, having done their due diligence on which approach to take. They could inject malware, exploit a known vulnerability or use a mail campaign. The question is: will they be detected?

  • Exploitation

Cocktail: Jumping straight into the ‘Grasshopper,’ this is not the coding app for beginners or a chewing insect, it’s actually one of my personal favorites. The effect of chocolate and mint is quite divine! You will undoubtedly want to consume more of these.

Hacker: Ta da! The hacker’s technique has worked, producing the desired effect, and they can now proceed to bypass one or more of your security protections. But how far will the attacker go to get the level of control they desire, or are there protections to stop them in their tracks? They could simply stop at this point, but (thinking back to my analogy with the cocktails) that is unlikely!

  • Installation

Cocktail: You are now feeling warm and fuzzy and want to stay out a while longer, so go for a ‘Sloe Gin Fizz.’ Take the time to move and mingle progressively through the crowd. If you persevere you may even make it to the bathroom door, but try not to stumble along the way.

Hacker: If the hacker remains undetected they will continue to look for design flaws, known bugs or configuration issues in your application or operating system. If they can persist on target and elevate access to more resources, they may achieve their desired effect.

  • Command and Control

Cocktail: Take some time out and enjoy a minty cocktail with zero alcohol, a ‘Virgin Mojito.’ This is not only good for your breath but helps present you as someone still in control. You may be singing badly on karaoke, but you still have reasonable faculties and hold it together.

Hacker: The hacker’s actions have given them the staying power to remain on target and control their activity remotely. The implant deployed during installation is now ready for data extraction or further reconnaissance. There is a beacon of hope once that communication channel has been established, all whilst putting in diversions to keep ahead of the game.

  • Actions on Objectives

Cocktail: No cocktail recommendations here, just a bit of advice. Have a glass of water before you drop or smash a few glasses, or buy too many drinks for your friends or even tip your drink onto a friendly bystander. You will do it all over again, so learn that rehydration is important.

Hacker: The hacker may have accomplished their goals for now but they may not stop there. If your data is compromised it could be used by a malicious actor to cause an effect or by an ethical actor to show you the errors of your ways. I hope it is not the former but the latter. Now ask yourself what you would do in each situation.

For a detailed journey into the hacker mindset, check out How Hackers Hack: Attacker Methodology and Exploitation – a step-by-step look into the seven steps of the kill chain, from Reconnaissance to Actions on Objectives.

Back to the bar: for reference we’ve included a full recipe list for the above-mentioned cocktails – enjoy!

Cocktail List

  • Kir Royal: Add a small dash of crème de cassis to a flute and top with either champagne or a good quality sparkling white wine.

  • Whiskey Mac: 1 1/2 ounces blended scotch, 1 ounce Stone’s original green ginger wine. Fill an Old Fashioned glass with ice. Add scotch and green ginger wine, and lightly stir to combine.

  • Harvey Wallbanger: 1 1/2 oz (3 parts) vodka, 1/2 oz (1 part) Galliano, 3 oz (6 parts) fresh orange juice. Stir the vodka and orange juice with ice in the glass, then float the Galliano on top. Garnish and serve.

  • Grasshopper: 1 oz (1 part) crème de cacao (white), 1 oz (1 part) crème de menthe (green), 1 oz (1 part) fresh cream and a sprinkle of chocolate. Pour ingredients into a cocktail shaker with ice. Shake briskly and then strain into a chilled cocktail glass.

  • Sloe Gin Fizz: 1 1/2 ounces sloe gin, 1 ounce lemon juice, freshly squeezed, 3/4 ounce syrup, club soda to top, garnish with lemon wedge and cherry. Add the sloe gin, lemon juice and syrup into a cocktail shaker with ice, fill a highball glass with ice and pour. Top with soda and garnish.

  • Virgin Mojito: 20g/¾oz of mint, 3 tbsp caster sugar, 150ml/¼ pint fresh lime juice, plus a few lime slices or wedges to serve, 2 handfuls ice, 1 litre/1¾ pint chilled soda water (ingredients for a pitcher – probably needed). Pick the leaves from the mint and put in the base of a large jug. Sprinkle over the sugar, then pour over the lime juice. Add some ice, then pour over the chilled soda water.

  • Water: Go to the kitchen, take a glass from your cupboard. Put the tap on. Fill your glass and drink it…


The post Cyber Ramblings of a Middle-Aged Woman: The Cocktail appeared first on Synack.
