Configuration & Application Vulnerabilities in Cyber & IT Security

Posted on July 25, 2019December 20, 2021

Despite the best efforts of IT teams, organizations continue to be plagued with IT security vulnerabilities in their systems by both internal and external threats.

The most common vulnerabilities are poor configurations and outdated/unpatched systems or applications. These vulnerabilities may subject your organization to the risk of hackers gaining access to sensitive employee or client data.

What are Countermeasures/Prevention Techniques?

Change Management

Organizations must establish and document their process for reviewing and implementing changes to the IT environment. Change management is a comprehensive system which monitors the additions, adjustments, and decommissions of any applications or infrastructure for the organization.

Any new items, modifications, or deletions require this clear tracking system to streamline their integration into or out of the existing system. Change management systems can also track what approvals are required, the collection of necessary sign offs, and manage requests for proposals.

AAFCPAs can assist in developing, enhancing, and/or implementing a change management process for your organization.

Implement Secure Configurations

The most prevalent security weaknesses exploited by hackers include system, server, and application configurations. These configurations are often poorly protected, as the default settings allow hackers to easily obtain sensitive data.

Companies should adopt a standard for secure configurations, such as NIST, SANS, or CIS. Each of the organizations listed maintain standards for configuring operating systems and developing a baseline for security configuration. The adoption of a uniform set of standards will help to create a consistent configuration for the deployment of new or modified systems.

AAFCPAs can conduct configuration reviews for best practices or in order to comply with existing adopted organization standards.

Protect Both Outside and Inside the Firewall

It is imperative that organizations secure both internal and external systems or applications. When someone exploits an external system or application, in most cases they will then use that system to gain access to internal systems. Internal systems historically have more vulnerabilities, often due to either inconsistent configurations or the mindset that once the external is secure no one will be able to breach the internal.

It is possible to breach an internal system without accessing the external system first. For example, internal breaches could be achieved by a former employee who still has access to the system, or by family/friends of remote employees who use the virtual private network (VPN) to work from home.
Organizations can prevent these exploitations of their system by using the aforementioned directions for change management and secure configurations. In addition, management must be vigilant to ensure the processes are followed for all changes, so that anomalies like former or remote employee do not result in gaps for an organization’s security.

AAFCPAs can support your organization’s efforts by conducting firewall configuration reviews or assist in implementation and design of firewalls and demilitarized zones (DMZs).

Vulnerability Scans

Vulnerability scans inspect potential points of exploitation on a computer or network based on known vulnerabilities. These scans allow organizations to locate and classify gaps in security and improve protection through remediation.

For example, AAFCPAs’ IT security specialists conduct IP and port scans to determine which services and applications are currently running. These scans identify which parts of the system/application are vulnerable and require reinforcement, such as a firewall configuration change, new firewall rule, web server patches, an additional system for protection, or an update to an application.

Penetration Tests

A penetration test is a simulated cyber-attack against your computer system to check for exploitable vulnerabilities. Penetration tests can confirm the results of a vulnerability scan and assert false positives with certainty. Penetration tests should follow vulnerability scans, as they use the knowledge from the scan to understand which weak points should be further tested for security purposes.

AAFCPAs’ penetration tests attempt to exploit any noted vulnerabilities through a “red team” and “blue team” approach. The designated red team will attempt to exploit the specified vulnerability, while the blue team attempts to defend against the red team’s calculated attacks. These teams are determined ahead of time and may consist of an individual or a group, such as AAFCPAs’ cybersecurity team (red) versus a client’s internal IT team (blue). The purpose of the competition between these teams is to test the vulnerabilities and defenses of a system or application within an organized setting.

For example, the Apache web server application regularly receives patches and updates from Apache to mitigate security flaws. When a vulnerability scan suggests that a necessary patch is missing in the client’s version, the designated red team may be deployed in a penetration test to exploit the potentially vulnerable web server while the blue team attempts to block their intrusions.

AAFCPAs advises clients to annually assess internal and external vulnerabilities through scanning and testing their systems. However, this should be increased to a quarterly assessment when a new system has been added or a configuration has changed.

Remain Vigilant

Your best line of defense in protecting your organization’s vulnerabilities is the standardization of security processes and the annual scanning/testing of all systems and applications. AAFCPAs advises clients to remain vigilant, assess your system configurations and applications regularly, and maintain a proactive approach against internal and external threats.

To schedule a cybersecurity assessment, or for specific advice on vulnerability management and how to best protect your organization against the exploitation of internal and external vulnerabilities, please contact James Jumes at 774.512.4062, jjumes@nullaafcpa.com; Mr. Anderson at 774.512.4066, manderson@nullaafcpa.com; or your AAFCPAs Partner.

About the Authors

James Jumes, MBA, M.Ed.

James joined AAFCPAs in 2013 to lead the firm’s Business Process & IT Consulting practice. He leads a team of senior technologist in the delivery of solutions related to business intelligence & productivity, information risk management and cybersecurity, and special IT attestations, compliance, and certifications. His goal is to strengthen the links between people, process, and technology, which increases productivity and drives business growth. James has more than 30 years of experience working with information technology …

Mr. Anderson, MCSE, CCNP, CISSP, CEH

Mr. Anderson is a “white hat” ethical security hacker and business continuity advisor with extensive experience in the development & implementation of security-focused audit and control programs. He is highly sought-after for his expertise in Cyber Security & Technology Assessments, including: security architecture reviews; penetration/vulnerability testing; business resiliency, disaster recovery and other remediation strategies; hardware system selection and configuration; cloud application security reviews; and wireless security assessments. Mr. Anderson has a deep understanding of industry standards and …

Related Insights

Safeguarding Against Holiday Season Phishing and Cyber Threats

AAFCPAs would like to remind clients that the period between Thanksgiving and New Year’s is a prime time for phishing and other malicious cyberattacks. Cybercriminals take advantage of increased internet shopping, debit/credit card use, and the influx of holiday offers to deceive individuals into disclosing sensitive information. Now more than ever, vigilance is required in […]

Shift in EEC Funding Model Requires Business Process Assessment

Effective October 1, 2024, the Massachusetts Department of Early Education and Care (EEC) shifted its contract reimbursement from a primarily unit-rate model to a mix of unit-rate and cost-reimbursable contracts. Under the new contracts, childcare seats will be reimbursed on a unit-rate basis while administrative and supportive services will be funded through cost reimbursement contracts. […]

Cost Center Coding Strategies for Effective Grant Reporting

For complex human and social services providers, managing grants and ensuring compliance can often feel like navigating a labyrinth. One effective strategy to simplify this process is through cost center coding. AAFCPAs provides the following detailed guidance on how to leverage cost center coding to streamline grant reporting and maintain compliance. Design Your Cost Centers […]