fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

MITRE updates list of top 25 most dangerous software bugs

MITRE updates list of top 25 most dangerous software bugs

MITRE has shared this year’s top 25 list of most common and dangerous weaknesses plaguing software throughout the previous two years.

Software weaknesses are flaws, bugs, vulnerabilities, and various other types of errors impacting a software solution’s code, architecture, implementation, or design, potentially exposing systems it’s running on to attacks.

MITRE developed the top 25 list using Common Vulnerabilities and Exposures (CVE) data from 2019 and 2020 obtained from the National Vulnerability Database (NVD) (roughly 27,000 CVEs).

Also Read: 5 Types of Ransomware, Distinguished

“A scoring formula is used to calculate a ranked order of weaknesses that combines the frequency that a CWE is the root cause of a vulnerability with the projected severity of its exploitation,” MITRE explained.

“This approach provides an objective look at what vulnerabilities are currently seen in the real world, creates a foundation of analytical rigor built on publicly reported vulnerabilities instead of subjective surveys and opinions, and makes the process easily repeatable.”

MITRE’s 2021 top 25 bugs are dangerous because they are usually easy to discover, have a high impact, and are prevalent in software released during the last two years

They can also be abused by attackers to potentially take complete control of vulnerable systems, steal targets’ sensitive data, or trigger a denial-of-service (DoS) following successful exploitation.

The list below provides insight to the community at large into the most critical and current software security weaknesses.

RankIDNameScore
[1]CWE-787Out-of-bounds Write65.93
[2]CWE-79Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)46.84
[3]CWE-125Out-of-bounds Read24.9
[4]CWE-20Improper Input Validation20.47
[5]CWE-78Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)19.55
[6]CWE-89Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)19.54
[7]CWE-416Use After Free16.83
[8]CWE-22Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)14.69
[9]CWE-352Cross-Site Request Forgery (CSRF)14.46
[10]CWE-434Unrestricted Upload of File with Dangerous Type8.45
[11]CWE-306Missing Authentication for Critical Function7.93
[12]CWE-190Integer Overflow or Wraparound7.12
[13]CWE-502Deserialization of Untrusted Data6.71
[14]CWE-287Improper Authentication6.58
[15]CWE-476NULL Pointer Dereference6.54
[16]CWE-798Use of Hard-coded Credentials6.27
[17]CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer5.84
[18]CWE-862Missing Authorization5.47
[19]CWE-276Incorrect Default Permissions5.09
[20]CWE-200Exposure of Sensitive Information to an Unauthorized Actor4.74
[21]CWE-522Insufficiently Protected Credentials4.21
[22]CWE-732Incorrect Permission Assignment for Critical Resource4.2
[23]CWE-611Improper Restriction of XML External Entity Reference4.02
[24]CWE-918Server-Side Request Forgery (SSRF)3.78
[25]CWE-77Improper Neutralization of Special Elements used in a Command (‘Command Injection’)3.58

Top 10 most exploited vulnerabilities

Last year, on May 12, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) had also published a list of the top 10 most exploited security vulnerabilities between 2016 and 2019.

“Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158,” CISA said. “All three of these vulnerabilities are related to Microsoft’s OLE technology.”

Chinese hackers have frequently exploited CVE-2012-0158 starting with December 2018, showing that their targets have failed to apply security updates promptly and that threat actors will keep trying to abuse bugs as long as they’re not patched.

Attackers have also been focusing on exploiting security gaps caused by hasty deployments of cloud collaboration services like Office 365.

Unpatched Pulse Secure VPN vulnerabilities (CVE-2019-11510) and Citrix VPN (CVE-2019-19781) have also been a favorite target last year, after the move to remote working caused by the ongoing COVID-19 pandemic.

CISA recommends transitioning away from end-of-life software as soon as possible as the easiest and quickest way to mitigate old unpatched security bugs.

The complete list of the top 10 most exploited security flaws since 2016 is available below, with direct links to their NVD entries.

CVEAssociated Malware
CVE-2017-11882Loki, FormBook, Pony/FAREIT
CVE-2017-0199FINSPY, LATENTBOT, Dridex
CVE-2017-5638JexBoss
CVE-2012-0158Dridex
CVE-2019-0604China Chopper
CVE-2017-0143Multiple using the EternalSynergy and EternalBlue Exploit Kit
CVE-2018-4878DOGCALL
CVE-2017-8759FINSPY, FinFisher, WingBird
CVE-2015-1641Toshliph, Uwarrior
CVE-2018-7600Kitty

Also Read: Data Protection Policy: 8 GDPR Compliance Tips

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us