Configuration & Application Vulnerabilities in Cyber & IT Security

Despite the best efforts of IT teams, organizations continue to be plagued by IT security vulnerabilities in their systems, which both internal and external threats seek to exploit.

The most common vulnerabilities are poor configurations and outdated/unpatched systems or applications. These vulnerabilities may subject your organization to the risk of hackers gaining access to sensitive employee or client data.

What are Countermeasures/Prevention Techniques?

Change Management

Organizations must establish and document their process for reviewing and implementing changes to the IT environment. Change management is a comprehensive system which monitors the additions, adjustments, and decommissions of any applications or infrastructure for the organization.

Any new items, modifications, or deletions require this clear tracking system to streamline their integration into or removal from the existing environment. Change management systems can also track which approvals are required, collect the necessary sign-offs, and manage requests for proposals.

AAFCPAs can assist in developing, enhancing, and/or implementing a change management process for your organization.

Implement Secure Configurations

The most prevalent security weaknesses exploited by hackers include system, server, and application configurations. These configurations are often poorly protected, as the default settings allow hackers to easily obtain sensitive data.

Companies should adopt a standard for secure configurations, such as those published by NIST, SANS, or CIS. Each of these organizations maintains standards for configuring operating systems and for developing a security configuration baseline. Adopting a uniform set of standards helps create a consistent configuration for the deployment of new or modified systems.

AAFCPAs can conduct configuration reviews against best practices or to verify compliance with the standards your organization has already adopted.

Protect Both Outside and Inside the Firewall

It is imperative that organizations secure both internal and external systems and applications. When someone exploits an external system or application, in most cases they will then use that system to gain access to internal systems. Internal systems historically have more vulnerabilities, often due either to inconsistent configurations or to the mindset that once the external perimeter is secure, no one will be able to breach the internal network.

It is possible to breach an internal system without accessing an external system first. For example, an internal breach could be carried out by a former employee who still has access to the system, or by family or friends of remote employees who use the virtual private network (VPN) to work from home.

Organizations can prevent these exploitations of their systems by following the directions given above for change management and secure configurations. In addition, management must be vigilant to ensure the processes are followed for all changes, so that anomalies such as former or remote employees do not leave gaps in the organization's security.

AAFCPAs can support your organization's efforts by conducting firewall configuration reviews or by assisting with the design and implementation of firewalls and demilitarized zones (DMZs).

Vulnerability Scans

Vulnerability scans inspect potential points of exploitation on a computer or network based on known vulnerabilities. These scans allow organizations to locate and classify gaps in security and improve protection through remediation.

For example, AAFCPAs’ IT security specialists conduct IP and port scans to determine which services and applications are currently running. These scans identify which parts of the system/application are vulnerable and require reinforcement, such as a firewall configuration change, new firewall rule, web server patches, an additional system for protection, or an update to an application.

Penetration Tests

A penetration test is a simulated cyber-attack against your computer system to check for exploitable vulnerabilities. Penetration tests can confirm the results of a vulnerability scan and identify its false positives with certainty. Penetration tests should follow vulnerability scans, as they use the knowledge from the scan to determine which weak points should be tested further.

AAFCPAs’ penetration tests attempt to exploit any noted vulnerabilities through a “red team” and “blue team” approach. The designated red team will attempt to exploit the specified vulnerability, while the blue team attempts to defend against the red team’s calculated attacks. These teams are determined ahead of time and may consist of an individual or a group, such as AAFCPAs’ cybersecurity team (red) versus a client’s internal IT team (blue). The purpose of the competition between these teams is to test the vulnerabilities and defenses of a system or application within an organized setting.

For example, the Apache web server application regularly receives patches and updates from Apache to mitigate security flaws. When a vulnerability scan suggests that a necessary patch is missing in the client’s version, the designated red team may be deployed in a penetration test to exploit the potentially vulnerable web server while the blue team attempts to block their intrusions.
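As an added example (not AAFCPAs' tooling) of how a scan's findings feed the remediation decisions described in the vulnerability scan and Apache patch passages above, the script below triages a constructed port-scan listing against an assumed approved baseline, flagging services that should be closed by a firewall rule and an Apache build that is behind the patched version the baseline requires. The ports, banners and baseline version numbers are constructed for illustration.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    port: int
    issue: str   # "unapproved-service" (add firewall rule / remove) or "outdated-version" (patch)
    banner: str

# Constructed scan output (not from a real host): "port/proto service banner".
SCAN_OUTPUT = """\
22/tcp   ssh    OpenSSH_8.2p1
80/tcp   http   Apache/2.4.41 (Ubuntu)
443/tcp  https  Apache/2.4.41 (Ubuntu)
3306/tcp mysql  MySQL 5.7.33
"""

# Assumed baseline approved through change management: port -> (product,
# minimum patched version). The version numbers are illustrative only.
BASELINE = {
    22: ("OpenSSH", (8, 2)),
    80: ("Apache", (2, 4, 52)),
    443: ("Apache", (2, 4, 52)),
}
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")

def parse_version(banner):
    """Return the first dotted version in a banner as a comparable int tuple."""
    m = VERSION_RE.search(banner)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()

def parse_scan(text):
    """Map each open port to the banner the scan recorded for it."""
    services = {}
    for line in text.splitlines():
        if line.strip():
            port_proto, _service, banner = line.split(None, 2)
            services[int(port_proto.split("/")[0])] = banner
    return services

def triage(scan_text, baseline):
    """Flag ports outside the baseline and services below the patched version."""
    findings = []
    for port, banner in sorted(parse_scan(scan_text).items()):
        if port not in baseline:
            findings.append(Finding(port, "unapproved-service", banner))
        else:
            product, minimum = baseline[port]
            if product not in banner or parse_version(banner) < minimum:
                findings.append(Finding(port, "outdated-version", banner))
    return findings
```

Calling `triage(SCAN_OUTPUT, BASELINE)` reports ports 80 and 443 as running an Apache build below the baseline and port 3306 as a service the baseline never approved.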

AAFCPAs advises clients to annually assess internal and external vulnerabilities through scanning and testing their systems. However, this should be increased to a quarterly assessment when a new system has been added or a configuration has changed.

Remain Vigilant

Your best line of defense against your organization's vulnerabilities is the standardization of security processes and the annual scanning and testing of all systems and applications. AAFCPAs advises clients to remain vigilant, assess their system configurations and applications regularly, and maintain a proactive approach against internal and external threats.

To schedule a cybersecurity assessment, or for specific advice on vulnerability management and how best to protect your organization against the exploitation of internal and external vulnerabilities, please contact James Jumes at 774.512.4062; Mr. Anderson at 774.512.4066; or your AAFCPAs Partner.

About the Authors

James Jumes
James joined AAFCPAs in 2013 to lead the Business Consulting Services practice. He has more than 25 years of experience working with information technology systems and diverse business operational processes. James is highly experienced in IT controls and assurance, SOX 404, and Service Organization Control (SOC) reports: SOC 1 (SSAE 18), SOC 2, SOC 2+ and 3 attestation reporting. James developed a unique methodology for delivering SOC reporting services, and he is an AICPA-approved Peer Review SOC Specialist, assisting peer review teams in reviewing SOC 1, 2, 2+ and 3 engagements. He is a HITRUST Certified Common Security Framework (CSF) Practitioner, providing HITRUST CSF self-assessment consulting, or SOC 2 + HITRUST for assessing against the evolving compliance landscape shaped by HITECH, HIPAA, CMS and various other federal, state and business requirements.
Mr. Anderson - Ethical Security Hacker
Mr. Anderson is a "white hat" ethical security hacker and business continuity advisor with extensive experience in the development and implementation of security-focused audit and control programs. He is highly sought after for his expertise in: security architecture reviews; penetration/vulnerability testing; business resiliency, disaster recovery and other remediation strategies; hardware system selection and configuration; cloud application security reviews; and wireless security assessments. Mr. Anderson has a deep understanding of industry standards and extensive experience with internal controls evaluation, COSO, COBIT, ITIL, ITGCC, GLBA audits, and ISO and SOX 404 compliance requirements, including all phases of planning, evaluation, documentation, testing and remediation.