Scary Application Security Horror Stories

Lurking in your enterprise, there are demons, ghosts and goblins so scary they keep InfoSec teams up at night. They are not actual supernatural entities; they are vulnerabilities, misconfigurations and critical errors in business applications that can be exploited, causing significant breaches and downtime. That is enough to instill fear in anyone responsible for keeping your organization protected.

With Halloween upon us, here are three cybersecurity horror stories that just may scare you straight if you assume the applications your organization relies on are already protected.

The Vulnerability of Despair

It’s 2:17 AM. Your phone has just vibrated on your nightstand. Probably just another random text message, you think, and start to drift back to sleep. But now your phone starts to ring, over and over. This can’t be good. You answer the phone and it’s your boss, the CIO.

The tremble in his voice says it all. “We’ve been attacked and they have accessed our applications holding personally identifiable information (PII) on our employees and customers.” As the CISO, you know this is not good. Your company does business in the European Union, and this is a personal data breach that will need to be reported under GDPR. You ask yourself, “How could this have happened?” But you have that sinking feeling that a critical patch was missing. In this case, the unpatched vulnerability sat in a component that is exposed directly to the internet, so the attacker needed no prior foothold. From there the attacker gained access to your organization’s human capital management (HCM) and customer relationship management (CRM) applications, and the breach resulted in the theft of thousands of PII records. Your company is now facing costly forensics and clean-up, penalties and fines, and irrevocable damage to its reputation.

Is this just a scary story or can this really happen? Take a look at the ICMAD vulnerabilities in the SAP Internet Communication Manager (ICM), the component that serves SAP applications over HTTP(S) to the internet, and at the consequences of older, unpatched vulnerabilities, and make your own decision.

Misconfigurations From the Deep

As a publicly traded U.S.-based company, a Sarbanes-Oxley (SOX) audit has been fairly routine to date. However, on this day, there’s a problem. External auditors have found that the integrity of financial reporting has been compromised. The balance sheet is filled with errors, including missing funds. As the CIO, you quickly realize that the IT general controls meant to prevent this have failed. It’s a very big deal. This situation will need to be reported to the Securities and Exchange Commission and publicly disclosed. Not only was your organization breached and money stolen, but the disclosure will impact your company’s stock value, severely damage your business reputation and result in fines and penalties for a SOX compliance violation. How could this happen? Cybersecurity forensics and an extensive audit traced the issue to a misconfiguration in the financial applications that attackers were able to exploit.

Spooky tale or haunting reality? Read more about 10KBLAZE and the misconfigurations lurking deep in SAP.

Hidden Code Errors

Hiding in plain sight, there are potentially thousands of errors that can leave your organization open to internal and external threats. Additionally, a developer with malicious intent can hide exploitable code in business applications, creating backdoor access to critical data and information, including financials. Your company has just completed a massive supply chain management (SCM) optimization project using third-party outsourced development, and now a significant materials order cannot be accounted for. After investigation, the order is found to have shipped to an offshore warehouse not associated with your company. This mishap cost your company hundreds of thousands of dollars in lost materials and disrupted the supply chain and manufacturing process. How did this happen? Cybersecurity forensics and code review found that destination data had been maliciously changed in the custom code to reroute materials orders to other locations. With millions of lines of custom code, changes such as these simply go undetected in manual code reviews and unfortunately find their way into production environments with no checks.

Could this just be a horror movie scene or is it the frightful truth? See for yourself in this paper on why you need an application security testing tool for business applications.

These are just a few application security horror stories that keep InfoSec professionals awake at night. Happy Halloween and Cybersecurity Awareness Month! If you’d like less scare and more assurance you are protecting your business applications, schedule a meeting with our team of application security experts.

This blog was updated in October 2022.