An organization’s information technology infrastructure is essential to its business operations and long-term growth. However, attack vectors that exploit software or other vulnerabilities in IT infrastructure can create risks to the confidentiality, integrity, and availability of data stored in these systems.
Such risks may also expose an organization to liability for failing to protect sensitive data under privacy and other laws. Any software application may have bugs or vulnerabilities that cyber attackers could exploit. Such attacks can come from many sources but most commonly result from:
Improperly Configured Systems
Attackers may be able to exploit improperly configured systems as gateways into more critical information systems. More importantly, poor system configurations can create conditions that allow an operation to result in critical failures, including the accidental release of confidential information, the disruption of critical services, or the shut-down of an organization’s IT systems.
Common examples of improperly configured systems include using public networks for secure communications, the cloud or other network-accessible storage that is not appropriately secure, or using default passwords, user IDs, and other login credentials.
Outdated Software
Newer software releases often contain significantly fewer bugs than older releases and can offer improved functionality and security. However, most organizations do not routinely upgrade their software to the latest version. This is especially likely for custom-developed or off-the-shelf software that is expensive to upgrade.
Newer software releases often incorporate new security features, such as patches for known bugs, additional authentication mechanisms, and improved security protocols. To reduce the risk that an outdated software release will threaten your operations, you should closely monitor your vendors’ release schedules to ensure that you are using the latest software releases.
Viruses and Malware
Computer viruses and malware exploit known vulnerabilities in software programs. Many viruses and malware propagate themselves by exploiting unsecured and unprotected internet connections. The most effective way to protect an organization from viruses and malware is to maintain secure internet connections and secure computer systems.
Computer systems should be regularly scanned for viruses and malware to eliminate any threats, and the virus protection software should be updated frequently to protect against emerging threats. Organizations that fail to maintain secure internet connections and secure computer systems will likely be subject to ever-increasing ransomware attacks.
“Ransomware is a type of malware (malicious software) that “locks” a system or encrypts files, making the data inaccessible until a victim pays a specified amount of money, usually in cryptocurrency. Once the ransom payment is made, the victim is supposed to receive a decryption key to regain access to files and systems,” according to Zscaler.
Misused or Misconfigured Software APIs
Many modern software programs allow third-party developers to create applications that can interact with the initial program. These applications can be as simple as providing information to the initial program or as complex as using the initial program to control a piece of machinery. In either case, the initial program needs to be “configured” to permit the third-party application to interact with it.
Many of these application programming interfaces have been misused or misconfigured by third-party developers to create vulnerabilities in the initial program. To reduce the risk, you should closely monitor the configuration of all APIs to ensure they are being used only as intended.
Insecure Storage of Data
Some computer systems do not protect sensitive data from unauthorized access or accidental deletion. This could result from a design defect or because the system’s operators failed to implement adequate safeguards to protect sensitive data.
An organization’s computer systems should be regularly tested to ensure they are configured to protect sensitive data. If your organization’s computer systems fail to secure sensitive data, you could be subject to fines or penalties under various laws, including those that govern privacy.
The information technology infrastructure is subject to threats that can be costly and time-consuming to address. The most effective way to reduce risks is to employ a combination of preventive, detective, corrective, and administrative controls. By taking these steps, organizations can reduce the risk of software attacks.