An Idiots Guide to Vulnerabilities

Right, just to be clear, I’m not inferring that anyone is an idiot – it just seemed like a catchy title. I really mean folks without the honed technical skills to exploit some of the more hidden vulnerabilities in applications & websites…

Also, you have to realize that I’m not formally trained in any security yet. I’m kinda making it up as I go along & based on my experience.

Still – a useful survey for me as I embark on this learning journey. Read on but don’t get mad. (Also, I should emphasis that I am talking about looking for vulnerabilities to help fix stuff – not really exploit it – use your awesome powers for good, never for evil.)

What is a “vulnerability”?

Not reaching for any ITIL or security manual, for me it’s anyway to exploit a system in some way, shape or form. Think making it do something it wasn’t designed for. Think tricking it into recording a transaction that was never made. Think exploiting some poor coding or poorly configured credentials request.

So far, with my limited technical skills, I’ve helped to find some basic vulnerabilities in projects I’ve worked on including classic SQL injection attacks & API vulnerabilities. But vulnerabilities don’t always live in the technical shadows. Here are a few collected observations I’ve collected so far:

Thinking Differently – one of the things I’ve realized is that good hackers have the ability to look at systems from a different perspective. They look at the whole process (see the next point) – particularly where people get involved or physical entry points crop up. You don’t need to be a coding genius to download some malicious software. You don’t need to be 007 to follow someone through a security barrier & insert your code into the nearest slot. Internal security people tend to look at things one way. Network people are the worst. Not every vulnerability can be stopped by the firewall. It’s pointless locking the windows & doors when the villain is already inside.

Mapping the Process – related to the above, I like to map the process, even if it’s at a basic level. Like the trans-Atlantic convoys during World War Two, any process is only as strong as its weakest link. It’s pointless spending zillions on endpoint security if your IT department has not correctly configured the single-sign on software. I find visually exploring the process a useful tool – I’ve included an example – not the best one granted but I’m just at the start of the process.

Ingenico_Credit_Card_Process_Flow

There are not state secrets above. It’s a basic payment flow – pretty typical really. But when you start breaking it down, you notice real time & non-real time processes etc etc. You get the point. I actually did my own version of this, with more detail but I didn’t want to post that!

Follow the Money, Follow the People – something an experienced hacker told me was to start by following the money – the transactions – makes sense. But also, to follow the people. The people are often the most unpredictable element in any process. They forget stuff. They take short cuts. In my experience, the core financial processes are well-protected with encryption that would give Sheldon Cooper a run for his money (in real terms, they are basically unbreakable….until they get broken). But people, yeah we all love them. My pearl of wisdom here is that a key source of vulnerabilities here is that users tend to do the same thing every time. They like it like that. If they find a short cut or password ‘recipe’, they use it.

Fooling AI – oo-er….I’ve mentioned before that I’ve looked at brilliant companies like Darktrace & what they are doing with network traffic analysis etc. The math behind their machine-learning is smart. But, so far at least, it seems that every AI can at least be misled if not totally fooled. In my limited experience here, it’s in the parameters of the AI search – wherever the AI looks, you need to look just outside of it. As Forrest Gump used to say, that’s about all I have to say about that.

—-

Well, that was it. I warned you at the start. I plan to develop my knowledge in this area with my studies this year but hopefully that provides something of a primer.

I would like to leave you with a few pointers – if you like solving puzzles, if you are sort of person who likes a challenge & loves finding ways to ‘break’ things, then you should learn more about vulnerabilities & threats.

I think of technical training as a kind of multiplier. Get the basics & attitude right, add the technical skills & you become one dangerous monkey.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s