Cybersecurity and Infrastructure Security Agency exploited vulnerability advisory. How this type of mistake can impact your cyber security and steps to protect yourself.

The US Cybersecurity and Infrastructure Security Agency has added a new vulnerability to its Known Exploited Vulnerabilities Catalog.

CISA Adds One Known Exploited Vulnerability to Catalog | CISA

This is an interesting issue, as credentials had been hard coded into the application:

“Atlassian Questions For Confluence App has hard-coded credentials, exposing the username and password in plaintext. A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group.”

CISA Known Exploited Vulnerabilities Catalog

My advice: Either you or your IT support need to check whether these issues impact your systems. You need to have a master document that details your systems, hardware, software, online, networks, back-ups, suppliers etc – so when cyber security (or operational) issues arise you and your support teams can quickly check if you are affected. From there you can take fast, effective action.

How can this impact you?

This type of error is why, if you have a desktop, mobile or web app developed for you, you should exercise due diligence over the project. If you are paying for the work, you or your cyber security consultant should be free to challenge the developers over their handling of the project's security. Here are a few of my sample questions:

  • Please document all users during development and the level of access their authorisation gives them – include the process and accountability for revoking these credentials
  • How accountable is your dev team? Are they your people or sub-contractors?
  • How do you check the code and committed updates?

These questions are simplified, and not comprehensive, but they give you an idea of what your security stance should be. Because remember, if things go wrong and you compromise your client’s information and end up on the Information Commissioner’s Office website, it will be your fault.
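The third question, how committed code is checked, is the one a reviewer can answer with tooling. As an added example (not code from the original post, and not from Atlassian or CISA), here is a minimal scanner for the kind of hard-coded credential described in the advisory: it flags quoted password, secret or token literals, Basic auth headers and credentials embedded in URLs, while leaving reads from environment variables alone. The patterns are illustrative rather than exhaustive, and the sample files are constructed for the demonstration.

```python
"""Minimal hard-coded credential scanner (added example; patterns and
sample files are constructed for illustration, not taken from any real project)."""
import re
from typing import Dict, List, Tuple

# Each entry: (finding label, compiled regex). The first pattern requires a
# quoted literal on the right-hand side, so reads such as
# password = os.environ["DB_PASSWORD"] are deliberately not flagged.
CREDENTIAL_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("password literal",
     re.compile(r"(?i)\b(pass(word|wd)?|pwd|secret|token|api[_-]?key)\s*[:=]\s*['\"][^'\"]{4,}['\"]")),
    ("basic-auth header",
     re.compile(r"(?i)authorization\s*[:=]\s*['\"]?basic\s+[a-z0-9+/=]{8,}")),
    ("credentials in URL",
     re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^\s/:'\"]+:[^\s@'\"]+@")),
]


def scan_source(path: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per matching line: file, line number, label and the line text."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(line):
                findings.append(
                    {"file": path, "line": lineno, "pattern": label, "text": line.strip()}
                )
                break  # one finding per line is enough for triage
    return findings


def scan_tree(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan a mapping of path -> file contents (a stand-in for walking a checkout)."""
    results: List[Dict[str, object]] = []
    for path, content in files.items():
        results.extend(scan_source(path, content))
    return results


# Constructed sample files: the Java client embeds a credential literal, the
# Python module reads its secret from the environment, and the shell script
# carries both a Basic auth header and a user:password URL.
SAMPLE_FILES: Dict[str, str] = {
    "src/AppClient.java": (
        'String user = "svc-example";\n'
        'String password = "Example-Pa55word";  // constructed hard-coded credential\n'
        "client.login(user, password);\n"
    ),
    "src/db.py": (
        "import os\n"
        'password = os.environ["DB_PASSWORD"]  # read at runtime: not flagged\n'
    ),
    "scripts/fetch.sh": (
        "curl -H 'Authorization: Basic dXNlcjpwYXNzd29yZA==' https://example.invalid/api\n"
        "curl https://alice:s3cret@example.invalid/report\n"
    ),
}


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['pattern']}: {f['text']}")
```

A check like this belongs in the commit pipeline, not just in a one-off audit: run it on every push and treat a hit as a build failure, and pair it with a periodic scan of the repository history, since a secret committed and later deleted is still recoverable from earlier revisions.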

Later the blame may spread around, but if you cannot demonstrate that you took every step you could think of to make sure that all personally identifiable information (PII) was kept secure, then it will still be down to you.

Remember when I say you, it could just be you as owner or director of the company, or it could be the board of a bigger business. It will just depend on who skipped the due diligence.

Clive Catton MSc (Cyber Security) – by-line and other articles