The US Cybersecurity and Infrastructure Security Agency has added a new vulnerabilities to it’s Known Exploited Vulnerabilities Catalog.
CISA Adds One Known Exploited Vulnerability to Catalog | CISA
This is an interesting issue, as credentials had been hard coded into the application:
“Atlassian Questions For Confluence App has hard-coded credentials, exposing the username and password in plaintext. A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group.”
CISA Known Exploited Vulnerabilities Catalog
My advice: Either you or your IT support need to check whether these issues impact your systems. You need to have a master document that details your systems, hardware, software, online, networks, back-ups, suppliers etc – so when cyber security (or operational) issues arise you and your support teams can quickly check if you are affected. From there you can take fast, effective action.
How this can impact you?
This type of error is why, if you have a desktop, mobile or web app developed for you, you should exercise due diligence over the project. If you are paying for the work, you or your cyber security consultant should be free to challenge the developers over their handling of the projects security. Here are a few of my sample questions:
- Please document all users during development and the level of access of their authorisation gives them – include the process and accountability for revoking these credentials
- How accountable is your dev team. Are they your people or sub-contractors?
- How do you check the code and committed updates?
These questioned are simplified, and not comprehensive, but it gives you an idea on what your security stance should be. Because remember, if things go wrong and you compromise your client’s information and end up on the Information Commissioner’s Office website, it will be your fault.
Later the blame may spread around, but if you cannot demonstrate that you took every step you could think of to make sure that all personally identifiable in formation (PII) was kept secure, then it will still be down to you.
Remember when I say you, it could just be you as owner or director of the company, or it could be the board of a bigger business. It will just depend on who skipped the due diligence.
Clive Catton MSc (Cyber Security) – by-line and other articles