Lurking in your enterprise, there are demons, ghosts and goblins so scary that they will keep InfoSec teams up at night. They are not actual supernatural entities; they are vulnerabilities, misconfigurations and critical errors in mission-critical applications that can be exploited to cause significant breaches and downtime events. That is enough to instill fear in anyone responsible for keeping your organization protected.
With Halloween upon us, here are three cybersecurity horror stories that just may scare you straight when you think about whether you are really protecting the applications your organization relies on.
The Vulnerability of Despair
It’s 2:17 AM. Your mobile phone has just vibrated on your nightstand. Probably just another random text message, you think, and start to drift back to sleep. But now your phone starts to ring, over and over. This can’t be good. You answer the phone and it’s your boss, the CIO. The tremble in his voice says it all. “We’ve been attacked, and they have accessed our applications holding personally identifiable information (PII) on our employees and customers.” As the CISO, you know this is not good. Your company does business in the European Union, and this is a violation of GDPR that will need to be reported. You ask yourself, “How could this have happened?” And you have that sinking feeling that a critical patch was missing. In this case, the missing patch was for a vulnerability in systems exposed directly to the internet. The attacker has gained access to your organization’s human capital management (HCM) and customer relationship management (CRM) applications. This breach resulted in the theft of thousands of PII records. Your company is now facing costly forensics and cleanup, penalties and fines, and irrevocable damage to its reputation.
Is this just a scary story or can this really happen? I encourage you to read more about the SAP RECON vulnerability and make your own decision.
Misconfigurations From the Deep
As a publicly traded, U.S.-based company, a Sarbanes-Oxley (SOX) audit has been fairly routine to date. However, on this day there’s a problem. External auditors have found that the integrity of financial reporting has been compromised. The balance sheet is filled with errors, including missing funds. As the CIO, you quickly realize that there was a failure in the IT general controls that were meant to prevent this. It’s a very big deal. This situation will need to be reported to the Securities and Exchange Commission and publicly disclosed. Not only was your organization breached and money stolen, but the disclosure will impact your company’s stock value, severely damage your business reputation and result in fines and penalties for a SOX compliance violation. How could this happen? Cybersecurity forensics and an extensive audit traced the issue to a misconfiguration in the financial applications that attackers were able to exploit.
Is this just a spooky tale, or a haunting reality? I encourage you to read more about 10KBLAZE, the misconfigurations lurking deep in SAP, and make your own decision.
Hidden Code Errors
Hiding in plain sight, there are potentially thousands of errors that can leave your organization open to internal and external threats. Additionally, a developer with malicious intent can hide exploitable code in mission-critical applications, creating backdoor access to critical data and information, including financials. Your company has just completed a massive supply chain management (SCM) optimization project using third-party outsourced development, and now a significant materials order cannot be accounted for. After investigation, the order was found to have shipped to an offshore warehouse that was not associated with your company. This mishap cost your company hundreds of thousands of dollars in lost materials and caused a disruption in the supply chain and manufacturing process. How did this happen? Cybersecurity forensics and code review found that destination data had been maliciously changed to reroute materials orders to other locations. With millions of lines of custom code, errors such as these simply go undetected in manual code reviews and unfortunately find their way into production environments with no checks.
These are just a few of the mission-critical application cybersecurity horror stories that keep InfoSec professionals awake at night. Happy Halloween and Cybersecurity Awareness Month! If you’d like less scare and more assurance that you are protecting your mission-critical applications, request one of our free Business Risk Illustration assessments today.