01 Jun, 2020

Uncovering Security Vulnerabilities Before You Become A Headline

by nVisium

Some believe that “what you don’t know won’t hurt you.” Others emphatically proclaim that “what you don’t know can (and will) hurt you.” While we would all like to believe the former, the reality is that the latter has proven time and time again to be the case, especially when it comes to security vulnerabilities inadvertently coded into applications, networks, IoT, mobile and cloud infrastructure.

simple programming oversights

Technology has clearly made business more productive through automation, but it has also opened an entirely new set of vulnerabilities that cybercriminals can exploit. TechRepublic reported that:

“Even if developers go above and beyond to avoid flaws that can be exploited by hackers, attackers can often still take advantage of bugs in the design of the underlying programming language.”

Even the simplest mistake or missed best practice can cause a breach. If you catch the breach before your customers do, then you can avoid the impact to your brand courtesy of the negative headlines that are sure to ensue. If not, then you may join an illustrious group of household names.

2020 breaches showcase vulnerabilities

Yes, data breaches can be costly. According to an IBM and Ponemon Institute study, that cost is on average $3.92 million. An article titled “2020 Data Breaches | The Worst So Far” highlighted over 30 major breaches in 2020 to date that affected name brands such as:

  • Landry’s: announced a point of sale malware attack that exposed payment data.
  • Microsoft: announced that customer support database holding over 280 million Microsoft customer records was left unprotected on the web.
  • Estee Lauder: announced that an unsecured database exposed 440 million customer records.
  • Fifth Third Bank: announced that a former employee was responsible for a data breach which exposed customers’ name, Social Security number, driver’s license information, mother’s maiden name, address, phone number, date of birth and account numbers.
  • Walgreens: announced an error within their mobile app’s messaging feature that exposed not only personal messages sent within the app but also the names, prescription numbers and drug names, store numbers, and shipping addresses of its users.
  • T-Mobile: announced that an unknown number of customers’ sensitive information was accessed through T-Mobile employee email accounts after a malicious attack on a third-party email vendor.
  • General Electric: announced that a third-party vendor experienced a data breach, exposing the personally identifiable information of over 280,000 current and former employees.
  • Marriott International: announced that the personal information of 5.2 million hotel guests was exposed, including names, mailing addresses, email addresses, phone numbers, loyalty account numbers and points balances, company, genders, birth dates, linked airline loyalty programs and numbers, room preferences and language preferences.
  • Zoom: announced that 500,000 account email addresses, passwords, personal meeting URLs, and host keys were reportedly collected through a credential stuffing attack and were available for sale on the dark web for as little as $0.02.
  • GoDaddy: announced to its users that an unauthorized third party was granted access to login credentials, and that possibly 24,000 of its 19 million users had their usernames and passwords exposed.

So, how long are you willing to risk your brand reputation and digital assets before you do a security assessment of your infrastructure?

the intersection of software and security

By integrating security into the development process, nVisium strives to find and help fix security vulnerabilities in our clients’ software while teaching our clients the importance of incorporating security from the ground up. We offer a range of comprehensive services to ensure that you and your company are protected from cyber threats, including security assessments, software assurance, and training.

The bottom line is that you will ultimately need security assessments for:

  • Applications: A standard assessment combines static and dynamic analysis, which allows our team to evaluate all aspects of an application and test risk mitigation solutions. This service also offers the most precise remediation advice.
  • Internet of Things (IoT): IoT presents its own unique set of security challenges and requires a broad skillset to assess. Our IoT assessments identify weaknesses in an entire IoT architecture, including software, hardware, API, and web/mobile components.
  • Networks: Using a combination of automated and manual techniques, our team will identify risks to your systems and networks that attackers could find and exploit. We will provide detailed information on our findings along with recommendations to help remediation efforts.
  • Mobile: Identify weaknesses in how an application interacts with the mobile device, the remote APIs it communicates with, how the application is written, and the libraries it uses to function.
  • Cloud: Assessments of AWS, Azure, or GCP go beyond the simple security issues that are easily detected through automation. We get to know the business purpose behind your architecture, review the design, and begin an analysis of security controls, monitoring and alerting, hardening, and IAM policies and permissions. And BTW, we are an AWS Partner.

Do you want to be the next headline due to a security breach, or do you want to uncover vulnerabilities with an independent security assurance assessment? Schedule a demo today.
