Vulnerability in cyber security: When giants fall to attacks
Vulnerabilities in cyber security are weaknesses in an organisation's systems that bad actors can exploit if they are not found and fixed first. Left undetected or unmitigated, a single weakness can give an attacker a path into the organisation's databases, including those holding the personal data of employees and clients alike.
Attackers do not discriminate between large and small victims. It is sobering, though, that even large corporations, which hold vast amounts of their clients' personal data and are expected to have more robust security controls in place, continue to be breached. Before looking at one such case, let's first establish what a vulnerability in cyber security is, some examples, and the most common types.
What is a vulnerability in cyber security?
A vulnerability in cyber security is any weakness in an organisation's processes, internal controls, or information systems that can be exploited to violate security. Cybercriminals actively look for these weak points, and many of them are cheap to find with automated scanning.
An attacker who exploits one can gain unauthorised access to systems and cause significant harm to data privacy. Because a gap in one part of a network can escalate into a full-scale breach of an organisation's systems, vulnerabilities must be tracked and remediated continuously as part of managing overall security posture.
Examples of vulnerabilities
Listed below are examples of vulnerabilities, both technical and physical:
- A vulnerability in a firewall that can allow malevolent hackers to access a computer network
- Lack of surveillance cameras
- Unlocked business entrances
All of these are vulnerabilities that bad actors can leverage to hurt an organisation or its assets.
Types of Vulnerabilities
Listed below are some of the most prevalent types of cyber security vulnerabilities:
System misconfigurations
System misconfigurations arise when network assets are deployed with inconsistent security controls or insecure settings: permissive firewall rules, management ports exposed to the internet, default credentials, or unnecessary services left running. Attackers routinely scan networks for these misconfigurations because they are easy to find and exploit. As organisations adopt new technologies quickly, misconfigurations multiply with them, so every new deployment should be checked against a security baseline before it goes live, with experienced security professionals involved in the review.
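A small, added example (not part of the original article or any Privacy Ninja tool) of the kind of check that catches the firewall misconfiguration described above: it audits a set of ingress rules for administrative services or whole port ranges exposed to the internet. The rule names, the `Rule` structure and the sample rule set are constructed for illustration; `203.0.113.0/24`, `198.51.100.0/24` and `192.0.2.0/24` are documentation address ranges standing in for external networks.

```python
"""Audit firewall / security-group ingress rules for common misconfigurations.

Added illustrative example; the Rule shape and sample rules are constructed
and do not correspond to any real firewall product or network.
"""
from dataclasses import dataclass
import ipaddress

# Services that should never be reachable from the whole internet.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
               6379: "Redis", 27017: "MongoDB"}

# RFC 1918 ranges: sources inside these are treated as internal.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str        # hypothetical rule label
    source: str      # source CIDR allowed to connect
    port_from: int   # inclusive start of the allowed port range
    port_to: int     # inclusive end of the allowed port range
    protocol: str = "tcp"


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. any source on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def is_internal(cidr: str) -> bool:
    """True when the source range lies entirely inside an RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)


def audit_rules(rules):
    """Return (rule name, severity, message) for every rule that looks unsafe."""
    findings = []
    for r in rules:
        width = r.port_to - r.port_from + 1
        if is_world_open(r.source):
            if r.protocol.lower() == "all" or width == 65536:
                findings.append((r.name, "CRITICAL",
                                 "all ports open to the internet"))
                continue
            exposed = [f"{p}/{ADMIN_PORTS[p]}" for p in ADMIN_PORTS
                       if r.port_from <= p <= r.port_to]
            if exposed:
                findings.append((r.name, "HIGH",
                                 "admin service open to the internet: "
                                 + ", ".join(exposed)))
            elif width > 1:
                findings.append((r.name, "MEDIUM",
                                 f"port range {r.port_from}-{r.port_to} "
                                 "open to the internet"))
        elif not is_internal(r.source) and width > 1024:
            findings.append((r.name, "LOW",
                             f"wide port range allowed from external {r.source}"))
    return findings


# Constructed sample rule set: one exposed web port (fine), SSH open to the
# world (bad), the corrected version of that rule (SSH only from the VPN),
# an "allow everything" rule, and a wide range from an external partner.
SAMPLE_RULES = [
    Rule("web-https", "0.0.0.0/0", 443, 443),
    Rule("ssh-anywhere", "0.0.0.0/0", 22, 22),
    Rule("db-from-office", "203.0.113.0/24", 3306, 3306),
    Rule("everything-open", "0.0.0.0/0", 0, 65535, "all"),
    Rule("ssh-from-vpn", "10.8.0.0/16", 22, 22),
    Rule("wide-from-partner", "198.51.100.0/24", 1024, 65535),
]

if __name__ == "__main__":
    for name, severity, msg in audit_rules(SAMPLE_RULES):
        print(f"{severity:8} {name}: {msg}")
```

Running it flags `ssh-anywhere`, `everything-open` and `wide-from-partner` while accepting `web-https` and the tightened `ssh-from-vpn`. The same shape of check is what a baseline review should run automatically on every change to firewall or cloud security-group rules, rather than relying on someone noticing an open port after the fact.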
Using unpatched or outdated software
As with misconfigurations, attackers scan networks for unpatched, easy-to-attack systems, because a publicly known vulnerability with a published fix usually also has a publicly available exploit. Unpatched systems can then be used to steal sensitive data or as a foothold into the rest of the network. To mitigate this risk, maintain a patch management schedule that applies vendor updates promptly, prioritising internet-facing systems and vulnerabilities that are already being exploited, and keep an accurate inventory so that no system is forgotten.
Weak or insufficient authentication credentials
Attackers commonly gain access to systems and networks by guessing employee credentials, by brute-forcing passwords, or by reusing passwords leaked in other breaches. Employees should therefore be trained in basic credential hygiene, and the organisation should enforce strong password policies, multi-factor authentication, and lockout or rate limiting on repeated failed logins, with failed-login bursts monitored so that an attack is noticed before it succeeds.
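To show what "monitoring failed-login bursts" looks like in practice, here is an added example (not from the original article and not a Privacy Ninja product) that parses sshd-style authentication log lines and raises alerts for a brute-force burst against one account, a password spray across many accounts, and the most important signal of all: a successful login from a source that was just flagged. The log lines are constructed for the example, and the thresholds are assumptions to be tuned per environment.

```python
"""Detect credential-guessing bursts in sshd-style authentication logs.

Added illustrative example. The log lines below are constructed; the
threshold, window and spray cut-off are assumed values, not a standard.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_line(line, year=2023):
    """Return (timestamp, accepted, user, source_ip) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Accepted", m["user"], m["ip"]


def detect_credential_attacks(lines, threshold=5, window_s=60, spray_users=3):
    """Sliding-window count of failures per source IP.

    Alerts (ip, kind, detail) when a source reaches `threshold` failures
    within `window_s` seconds; the kind is "password spray" when the
    failures target at least `spray_users` distinct accounts, otherwise
    "brute force". A later successful login from a flagged source raises
    "success after burst", which is the event that needs immediate response.
    """
    failures = defaultdict(deque)   # ip -> deque of (timestamp, user)
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, accepted, user, ip = rec
        q = failures[ip]
        # Drop failures that fell out of the window.
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if not accepted:
            q.append((ts, user))
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                users = sorted({u for _, u in q})
                kind = "password spray" if len(users) >= spray_users else "brute force"
                alerts.append((ip, kind,
                               f"{len(q)} failures in {window_s}s against {users}"))
        elif ip in flagged:
            alerts.append((ip, "success after burst",
                           f"user {user} accepted after repeated failures"))
    return alerts


# Constructed sample log: a spray from 198.51.100.7 that eventually succeeds,
# a single-account brute force from 192.0.2.5, and a user who simply mistyped
# a password once from 203.0.113.9.
SAMPLE_LOG = [
    "Mar 10 08:00:01 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2",
    "Mar 10 08:00:03 bastion sshd[2202]: Failed password for invalid user oracle from 198.51.100.7 port 40002 ssh2",
    "Mar 10 08:00:05 bastion sshd[2203]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2",
    "Mar 10 08:00:07 bastion sshd[2204]: Failed password for alice from 198.51.100.7 port 40004 ssh2",
    "Mar 10 08:00:09 bastion sshd[2205]: Failed password for bob from 198.51.100.7 port 40005 ssh2",
    "Mar 10 08:00:15 bastion sshd[2206]: Accepted password for alice from 198.51.100.7 port 40006 ssh2",
    "Mar 10 08:01:00 bastion sshd[2210]: Failed password for bob from 192.0.2.5 port 50001 ssh2",
    "Mar 10 08:01:10 bastion sshd[2211]: Failed password for bob from 192.0.2.5 port 50002 ssh2",
    "Mar 10 08:01:20 bastion sshd[2212]: Failed password for bob from 192.0.2.5 port 50003 ssh2",
    "Mar 10 08:01:30 bastion sshd[2213]: Failed password for bob from 192.0.2.5 port 50004 ssh2",
    "Mar 10 08:01:40 bastion sshd[2214]: Failed password for bob from 192.0.2.5 port 50005 ssh2",
    "Mar 10 08:02:00 bastion sshd[2220]: Failed password for carol from 203.0.113.9 port 60001 ssh2",
    "Mar 10 08:02:30 bastion sshd[2221]: Accepted password for carol from 203.0.113.9 port 60002 ssh2",
]

if __name__ == "__main__":
    for ip, kind, detail in detect_credential_attacks(SAMPLE_LOG):
        print(f"{ip:15} {kind:20} {detail}")
```

The distinction between the two burst kinds matters for response: a brute force against one account points at that account, while a spray is usually testing a short list of common passwords against many users and is better answered by rate limiting at the source and checking which accounts accepted weak passwords. Carol's single mistake, followed by a normal login, produces no alert.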
Malicious insider threats
Whether deliberately or by accident, personnel with access to critical systems may leak information or credentials that help cybercriminals penetrate the network. Insider threats are notoriously difficult to detect because the activity comes from legitimate accounts and often looks like normal work. To limit the damage, invest in network access control, grant each user only the access their role requires (least privilege), segment the network by function and data sensitivity rather than by seniority, and log and review access to sensitive systems.
Absent or inadequate data encryption
If data is transmitted or stored with weak or no encryption, attackers who intercept traffic between systems, or who obtain a copy of stored data, can read it directly. Credentials, session tokens and personal data harvested this way are then used to log in as legitimate users and move further into the network. Missing encryption also undermines an organisation's compliance position and can lead to sanctions from the regulator after a breach.
Zero-day vulnerabilities
Zero-day vulnerabilities are software flaws that attackers know about and exploit before the vendor or the affected organisation is aware of them.
In these cases there is no patch and usually no vendor-supplied workaround, because the vendor has not yet identified or disclosed the vulnerability. They are especially hazardous because the exploit often becomes known only after it has been used. Vulnerability scanning cannot find a flaw nobody has catalogued, so the defence against zero-days is to limit what an exploit can reach: least privilege, network segmentation, timely patching once a fix ships, and monitoring for unusual behaviour so that an intrusion is detected even when the initial exploit was not.
Giants can also be vulnerable and prone to cyber attacks.
Sembcorp Marine is a Singapore-based offshore and marine engineering group. Its products and services include rigs and floaters, repairs and upgrades, offshore platforms, and specialised shipbuilding, and it operates internationally through shipyards in Singapore, Indonesia, the United Kingdom, and Brazil. In short, it is a large Singapore-based organisation.
However, recent reports indicate that an unauthorised party infiltrated Sembcorp Marine’s IT network and compromised “certain personally identifiable information” of its employees, including the “incoming, current, and past” personnel. Aside from this, its so-called non-critical operational information was also compromised.
Sembmarine reports that it has contacted the affected parties and is assisting them in managing all potential risks and taking the necessary next steps.
What Sembcorp Marine is experiencing should give every organisation that handles personal data a clear perspective. Giants are not immune to cyberattacks, and they can be held accountable under the PDPA for data breaches. The same applies to smaller businesses, for which the financial consequences of a breach may be harder to absorb.
Organisations big and small must keep finding and fixing the vulnerabilities in their systems, and they should remember that bad actors do not discriminate in choosing their next target.
Since every breach of the protection obligation set by the PDPA could mean a financial penalty, it is encouraged for organisations, big or small, to use services such as a Data Protection Officer as a service (DPOaas), Chief Technology Officer-as-a-Service (CTOaas), and Vulnerability Assessment & Penetration Testing (VAPT), which are all offered by Privacy Ninja.
- Privacy Ninja’s DPOaas helps oversee the cybersecurity posture of the organisation, making sure that there are policies in place to ensure that the management of personal data is in compliance with the PDPA.
- Privacy Ninja’s CTOaas helps Small and Medium Enterprises (SMEs) with their digital readiness and needs, which includes bolstering the security of these organisations in the digital space.
- Privacy Ninja’s VAPT identifies the vulnerabilities in your organisation’s systems so that they can be fixed before bad actors discover them first.
These services help spot security lapses early and prevent a data breach, or at least serve as a mitigating factor during breach penalty assessment by the PDPC.