8 security concerns for the modern web [Updated]
Just a couple decades ago, it seemed as if a trusty antivirus program was all you needed for healthy security.
But so much has changed in recent years.
We've diversified the types of devices that we use on a daily basis in our personal and professional lives (laptops, mobile phones, IoT devices).
At one time, nearly everyone worked in an office. Now we have remote and hybrid environments, which increase our attack surfaces and give the threat actors more vulnerabilities to exploit.
And as one would expect, the types of vulnerabilities exploited by threat actors have expanded.
What follows is not a comprehensive list. But it features some of the biggest security concerns we see for the modern web, including:
1. End-of-life (EOL) hardware and software
"End of life" means the manufacturer has stopped updating and supporting a piece of hardware or software. Every product has a lifecycle. The product lifecycle begins the day the product is released and ends when the developer stops providing software and firmware updates.
These life cycles may last for many years—decades, even—but chances are that a manufacturer is going to stop supporting its product at some point.
While users may initially fall in love with a new piece of software or hardware, expectations tend to swell as time passes. After the luster of something new wears off, users desire more features and better performance. Eventually, the old product becomes incapable of meeting these demands, so a new product is created to replace it, much like how a new car model replaces the previous model.
A manufacturer may stop supporting a product for any number of reasons, including:
The product has matured to a point that it makes more sense to start from scratch with fresh code or updated components.
The manufacturer is spread too thin updating too many products, so they shed support for a product to focus on supporting fewer products.
The product was a flop or had so many issues at launch that the manufacturer has decided to abandon it to work on its next success.
Why do businesses keep using end-of-life products?
Software and hardware may keep working even though they're no longer supported.
Some business owners prefer to hold on to software they've already paid for rather than buy a new version or transition to a subscription/SaaS model. And buying one piece of new hardware may require buying other hardware that integrates with the upgrade.
In addition to the direct cost of purchasing new systems, there are the indirect costs associated with losing and resetting customizations that have made users' lives easier and sped up workflows for the last few years. Business owners may be concerned whether their specific software can work on a new operating system.
But the legacy products may have gaping security holes that make for easy intrusions and attacks. Such security issues pose major risks to your business and your customers' information.
Any end-of-life device or software that requires an internet connection should be swapped out for a newer product as soon as possible because the obsolete product will not receive security updates and is therefore unsecured. Keeping such products connected to your network creates vulnerabilities that attackers can exploit to gain access to your network and systems.
While monitoring the end of life for each product can be tedious or even daunting, failing to do so can lead to a security nightmare or catastrophic failure for your business.
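One practical way to keep that monitoring from becoming tedious is to record each asset's vendor-declared end-of-support date in the inventory and let a script flag what has lapsed. The following is an added example, not code from the original article; the inventory entries, product names and dates are constructed for illustration.

```python
from datetime import date

# Constructed sample inventory (hypothetical products and dates): each entry records the
# asset, its vendor-declared end-of-support date, and whether it talks to the internet.
INVENTORY = [
    {"asset": "core-switch-01", "product": "ExampleSwitch 2000", "eol": "2020-06-30", "internet_connected": True},
    {"asset": "file-server",    "product": "ExampleOS 8",        "eol": "2027-01-15", "internet_connected": True},
    {"asset": "label-printer",  "product": "ExamplePrint X",     "eol": "2019-03-01", "internet_connected": False},
    {"asset": "crm-app",        "product": "ExampleCRM 4",       "eol": "2025-04-01", "internet_connected": True},
]


def classify_assets(inventory, today_iso, warn_days=180):
    """Sort assets into 'expired', 'expiring' (support ends within warn_days) and 'supported'."""
    today = date.fromisoformat(today_iso)
    report = {"expired": [], "expiring": [], "supported": []}
    for item in inventory:
        days_left = (date.fromisoformat(item["eol"]) - today).days
        if days_left < 0:
            report["expired"].append(item["asset"])
        elif days_left <= warn_days:
            report["expiring"].append(item["asset"])
        else:
            report["supported"].append(item["asset"])
    return report


def urgent_replacements(inventory, today_iso):
    """Assets that are both past end of life and internet-connected: these get no more
    security updates yet remain reachable, so they are replaced first."""
    expired = set(classify_assets(inventory, today_iso)["expired"])
    return sorted(i["asset"] for i in inventory
                  if i["asset"] in expired and i["internet_connected"])


if __name__ == "__main__":
    # Fixed "today" so the run is reproducible; use date.today().isoformat() in practice.
    today = "2025-01-01"
    for status, assets in classify_assets(INVENTORY, today).items():
        print(f"{status:>9}: {', '.join(assets) or '-'}")
    print("replace now:", ", ".join(urgent_replacements(INVENTORY, today)))
```

The warning window (180 days here) gives procurement time to budget for the replacement and the integration work the article mentions, rather than discovering the lapse after the fact. Offline devices that are past end of life still appear in the report, but only the internet-connected ones are escalated.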
2. Zero-day vulnerabilities
The term zero-day describes a flaw that the manufacturer has not yet had a chance to patch, meaning the flaw can be used by threat actors.
Zero-day exploit vs. zero-day vulnerability
There are two terms that can accurately describe a zero-day flaw.
The more commonly used is zero-day attack or exploit, which describes a flaw that is actively being abused.
The other is a zero-day vulnerability. These are usually less pressing. Many times, quality assurance testers have already located these flaws. Or in some cases, a competitor will stumble upon one. It is rare for these to be disclosed publicly until a patch has been found.
A zero-day vulnerability does not mean it is being actively exploited. However, the vulnerability will likely be exploited if left unpatched.
In the world of software security, zero-day exploits carry more potential to do damage. Depending on the nature of the exploit, they can steal data, cause software to malfunction, or perform tasks that benefit the hacker, such as cryptojacking or enrolling your computer in a botnet. They can even reprogram voltage on hardware, causing physical damage. Because nothing is yet known about the flaw, all of this can happen without your software provider or antivirus program being aware of it until the exploit is discovered.
Vendors can substantially limit the damage a zero-day exploit can cause by catching it as soon as possible. However, catching vulnerabilities before they become exploited by hackers is both costly and time-consuming.
3. Phishing attacks
In phishing attacks, fraudsters commit identity theft typically by sending phony emails that trick internet users into submitting personal information to illegitimate websites.
In a spear phishing attack, a malicious hacker gathers detailed information about a specific individual, role, or organization to target the victim more easily. By presenting believable details about his/her bank, favorite places, title at work, etc., the attacker increases the likelihood of success.
Whaling attacks are similar to spear phishing attacks. However, they are specifically targeted at executive officers or other high-profile targets within a business, government or other organization (the "big fish") in order to swindle the upper manager into divulging confidential company information.
How can I avoid phishing attacks?
The best way to keep yourself and your employees safe from phishing attacks is to enroll your business in an end user security training program. The details and specifics of phishing attacks (and other attacks) will change over time, so it's good to be sure that your employees are exposed to the latest trends so that they know which communications are safe and which should be avoided.
4. Ransomware and fileless attacks
Ransomware is big business and it isn’t slowing down anytime soon.
These days, ransomware like Emotet often spreads via fileless attacks.
For years, traditional attacks have relied on attack vectors like phishing emails, social engineering schemes, and malware-laden attachments. All of these rely on some form of interaction with a computer in an attempt to install a malicious program on a victim’s machine.
But in the past few years, there has been an increase in the use of a technique called “fileless attacks.”
How a fileless attack works
The idea of a fileless attack is fairly simple on the surface. Most of the time the attack involves breaching a system with stolen credentials. But that’s the end result of a long campaign to access said credentials and ultimately penetrate the target network.
The attacks use a type of malware that doesn't actually install a file on the hard drive of the target system. Referred to as memory-resident malware, it instead stays active in the computer's RAM and embeds itself in the machine like a tick. As long as the computer stays powered on, the malicious program can live indefinitely in the machine's short-term memory. While on the computer, this form of fileless attack steals credentials and snoops on user activity, providing the logon information required to breach the network at a later date.
Exploit kits employ various versions of fileless hacking programs, making the task streamlined and easier to execute. This explains the uptick in this form of hacking, as well as the anticipated growth in this type of crime.
5. Network backdoors
"Network backdoor" is a slang term typically used in the IT community for access credentials which are hardcoded onto a particular piece of network hardware.
Backdoors are put onto the hardware to allow the manufacturer to maintain the hardware they've built via stock access credentials.
The problem is that malicious hackers and other threat actors know these backdoors exist. And they're constantly seeking ways to find and exploit the backdoors. If they were able to access the backdoor, they would theoretically have access to all data flowing through the hardware. This obviously poses a major security risk for companies.
Companies need to understand that these backdoors exist and also which pieces of hardware have these backdoors. Investing in network documentation and IT asset management (ITAM) can go a long way in keeping tabs on potential network backdoors.
6. Ghost users
Ghost users are inactive accounts that are still enabled on your network.
The accounts could have once belonged to former employees or vendors. Or they could have been temporary accounts that were used during the setup of something on the network.
It has been estimated that up to 34% of user accounts on a typical network fall into the category of ghost users.
Ghost accounts are unnecessary security risks for a few reasons:
These accounts are unmanaged and unmonitored.
Their passwords may not have been changed in a while.
They provide unnecessary additional access to the network.
The risk is compounded by the fact that the typical user account has more access to data than the user needs to actually do their job.
Studies suggest that 21% of a company's data is accessible by all users on the network.
These ghost accounts should obviously be removed. But following the principle of least privilege may also reduce the damage for any ghost accounts that slip through the cracks.
An in-depth network security assessment is a great way to identify any ghost user accounts that may cause trouble in the future.
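The core of such an assessment is mechanical and easy to automate from a directory export: list every account that is still enabled but has not logged on within a chosen window (or never has), and separately list enabled accounts whose passwords have not been changed in a long time. The following is an added example, not code from the original article; the account records are constructed, and the 90-day and 365-day thresholds are this example's own choices.

```python
from datetime import date

# Constructed sample directory export (not real data): one record per account.
# last_logon of None means the account has never been used to log on.
ACCOUNTS = [
    {"user": "alice",      "enabled": True,  "last_logon": "2024-12-20", "password_set": "2024-10-01", "type": "employee"},
    {"user": "bob",        "enabled": True,  "last_logon": "2024-03-02", "password_set": "2023-01-15", "type": "employee"},
    {"user": "vendor-svc", "enabled": True,  "last_logon": None,         "password_set": "2022-06-30", "type": "vendor"},
    {"user": "setup-tmp",  "enabled": True,  "last_logon": "2023-11-11", "password_set": "2024-06-01", "type": "temporary"},
    {"user": "carol",      "enabled": False, "last_logon": "2023-05-05", "password_set": "2023-05-05", "type": "employee"},
]


def _days_since(iso_day, today):
    return (today - date.fromisoformat(iso_day)).days


def find_ghost_users(accounts, today_iso, inactive_days=90):
    """Enabled accounts with no logon in inactive_days (or no logon ever)."""
    today = date.fromisoformat(today_iso)
    ghosts = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used to log on, so it is not a ghost
        if acct["last_logon"] is None or _days_since(acct["last_logon"], today) > inactive_days:
            ghosts.append(acct["user"])
    return ghosts


def ghost_ratio(accounts, today_iso, inactive_days=90):
    """Share of all accounts that are ghosts, comparable to the 34% figure quoted above."""
    return len(find_ghost_users(accounts, today_iso, inactive_days)) / len(accounts)


def stale_passwords(accounts, today_iso, max_age_days=365):
    """Enabled accounts whose password is older than max_age_days."""
    today = date.fromisoformat(today_iso)
    return [a["user"] for a in accounts
            if a["enabled"] and _days_since(a["password_set"], today) > max_age_days]


if __name__ == "__main__":
    today = "2025-01-01"  # fixed for a reproducible run; use date.today().isoformat() in practice
    print("ghost users:", find_ghost_users(ACCOUNTS, today))
    print(f"ghost ratio: {ghost_ratio(ACCOUNTS, today):.0%}")
    print("stale passwords on enabled accounts:", stale_passwords(ACCOUNTS, today))
```

A never-used vendor or temporary account is reported as a ghost regardless of age, since "never logged on but still enabled" is exactly the case that tends to be forgotten. Disabling the flagged accounts first and deleting after a grace period keeps a mistaken flag from locking out a legitimate but infrequent user.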
7. BYOD and IoT devices
We assume that most professionals have their own cell phones. Many employers implement a BYOD program and rely on their employees using their personal devices for work, allowing the business to save on hardware costs.
This practice comes with its fair share of security risks.
Malware in mobile apps has become a bigger issue lately. More apps are being found to exceed their granted permissions. Or they may outright steal data off users' devices. Even some initially legitimate apps have had permission changes with updates that introduced malicious adware and data tracking. Having a mobile device that moves between your home and work networks makes both insecure if you don't keep it updated and aren't careful about what you download.
And IoT (Internet of Things) devices have already started playing a big part in security.
If you don’t have any IoT devices in the workplace, you are probably better off. But if you work from home and have IoT devices linked to your home network, you risk bringing the security issues of your home to your workplace.
IoT has had a very weak focus on security for as long as it’s been out. Hopefully that will change after some of the noteworthy exploits that have taken place, but until the companies that develop internet-connected gadgets start taking security seriously, there will be more problems.
8. Malicious browser extensions
Correctly configured, a malicious browser extension can collect and relay all sorts of private data from your machine.
Even downloading your browser extensions from reputable sources like Google's Chrome Web Store does not ensure safety because Google does not perform a security check on extensions uploaded to its marketplace. As you might imagine, this makes it extremely easy to publish malicious extension code to the public platform, making it freely available for millions of users. This is not to label all extensions as untrustworthy; just confirm you know the extension's source before you install.
Many of the ‘bad apples’ that are uploaded to the extension stores aren’t discovered to be malicious until they’ve had thousands of downloads.
Why should I worry if I already know my browser extensions are safe?
Here’s another grim reality: Even if the extension is a legitimate program initially, it can be updated to become malicious. This can happen for many different reasons.
A well-known browser extension can be acquired by a company or be abandoned by its creator entirely. In some cases, they can even be hijacked. But no matter the reason, once you’ve given the extension permission to be on your browser, it can be updated at any time and it can change functions to become malicious without your knowledge or consent.
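Because the permissions an extension holds are declared in its manifest.json, both checks the article calls for can be done mechanically: review what an extension asks for before installing it, and compare the manifest of an update against the previous version to see whether the new release quietly gained the ability to read every site or the browser's cookies. The following is an added example, not code from the original article or from any extension vendor; the two manifests describe a hypothetical extension and are constructed for illustration, and the list of permissions treated as sensitive is this example's own judgement (the permission names themselves are Chrome's).

```python
import json

# Permissions that let an extension read or relay browsing data. The names are Chrome's;
# which ones count as sensitive is this example's own choice.
SENSITIVE_PERMISSIONS = {
    "<all_urls>", "webRequest", "webRequestBlocking", "cookies", "history",
    "tabs", "clipboardRead", "nativeMessaging", "debugger",
}

# Constructed manifests for a hypothetical extension before and after an update.
MANIFEST_V1 = json.dumps({
    "manifest_version": 3,
    "name": "Example Note Taker",
    "version": "1.0.0",
    "permissions": ["storage"],
    "host_permissions": ["https://notes.example.com/*"],
})
MANIFEST_V2 = json.dumps({
    "manifest_version": 3,
    "name": "Example Note Taker",
    "version": "1.1.0",
    "permissions": ["storage", "tabs", "cookies"],
    "host_permissions": ["<all_urls>"],
})


def requested_permissions(manifest_json):
    """Every permission string a manifest asks for: API permissions, host permissions
    (MV3 'host_permissions' or host patterns mixed into MV2 'permissions') and the
    sites its content scripts are injected into."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    for script in m.get("content_scripts", []):
        perms |= set(script.get("matches", []))
    return perms


def broad_host_access(perms):
    """True if any host pattern covers every site rather than a named domain."""
    return any(p == "<all_urls>" or p.startswith(("*://*/", "http://*/", "https://*/"))
               for p in perms)


def sensitive_in(manifest_json):
    """Install-time review: which sensitive permissions does this manifest request?"""
    return sorted(requested_permissions(manifest_json) & SENSITIVE_PERMISSIONS)


def update_risk(old_manifest, new_manifest):
    """Compare two versions: what was added, which additions are sensitive, and whether
    the extension went from specific sites to all sites."""
    old, new = requested_permissions(old_manifest), requested_permissions(new_manifest)
    added = new - old
    return {
        "added": sorted(added),
        "added_sensitive": sorted(added & SENSITIVE_PERMISSIONS),
        "gained_all_sites": broad_host_access(new) and not broad_host_access(old),
    }


if __name__ == "__main__":
    print("v1 sensitive permissions:", sensitive_in(MANIFEST_V1))
    print("v2 sensitive permissions:", sensitive_in(MANIFEST_V2))
    print("update risk:", update_risk(MANIFEST_V1, MANIFEST_V2))
```

The first manifest asks only for local storage and one named site, which is what a note-taking extension plausibly needs; the update adds tabs, cookies and access to every URL, which is the pattern of an extension that has changed hands or been hijacked. Keeping the previous manifest of each installed extension and running this comparison when the version number changes turns the "updated without your knowledge" problem into something you can at least notice.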