What are some examples of security vulnerabilities and poor security practices?
Summary
What email marketers say (11 marketer opinions)
Email marketer from Reddit user u/security_advice states that using default configurations for software and hardware leaves systems vulnerable to known exploits. Attackers often target default settings because they are widely known and rarely changed.
Email marketer from CSO Online shares that insider threats involve malicious or negligent actions by individuals who have legitimate access to an organization's systems and data. This can include employees, contractors, or partners who misuse their privileges for personal gain or cause harm to the organization.
Email marketer from Sucuri explains that a poor security practice is a web page or a server being infected with malware. This can lead to data theft, website defacement, and the spread of malware to visitors.
Email marketer from StackExchange user 'securityfanatic' explains that insufficient access controls refer to not properly restricting access to resources or functionalities. This can allow users to perform actions they are not authorized to, potentially leading to data breaches or system compromise.
Email marketer from SANS ISC shares that leaving unnecessary ports open on a system exposes it to potential attacks. Attackers can exploit vulnerabilities in the services running on those ports to gain unauthorized access.
Email marketer from SANS Institute shares that social engineering is a technique used to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
Email marketer from Troy Hunt's Blog explains that failing to keep software updated with the latest security patches is a major vulnerability. Unpatched software is susceptible to known exploits that attackers can easily leverage.
Expert from Email Geeks shares a viewpoint that the quality of security auditors can be questionable and that they may rely too heavily on automated software scanners instead of more in-depth methods.
Email marketer from Reddit user u/cybersecurityexpert shares that phishing attacks are a social engineering tactic where attackers attempt to deceive users into revealing sensitive information, such as usernames, passwords, and credit card details. They often use emails, websites, or messages that appear legitimate to trick victims.
Marketer from Email Geeks shares an example of a company specializing in data privacy training and certification sending full credit card details to an email address.
Marketer from Email Geeks shares an experience of a telco allowing password resets over the phone, with reps reading out the password.
What the experts say (7 expert opinions)
Expert from Spam Resource explains that list washing (sending emails to third-party services to remove invalid addresses) is a poor practice due to potential spam trap hits and data privacy concerns.
Expert from Word to the Wise shares that poor data hygiene, such as not validating or cleaning user data, can lead to security vulnerabilities and is a poor practice.
Expert from Email Geeks explains how they failed a PCI audit because the auditor couldn't get past the firewall, and the IDS kept blocking them even after opening a hole.
Expert from Email Geeks shares a frustrating experience of failing a PCI compliance audit due to being 'too secure' and having to remove security measures to pass.
Expert from Email Geeks, Laura Atkins and Marketer from Email Geeks, Ken O'Driscoll describe secure and insecure ways of handling credit card information, including using Stripe and avoiding hosting payment forms directly.
Expert from Email Geeks expresses horror at discovering an ESP that leaves plaintext passwords in contact records.
Expert from Email Geeks recounts telling a client about having access to user passwords, and the client expressing trust, which they felt was inappropriate.
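To make the plaintext-password point above concrete, here is an added example (not code from Email Geeks or any ESP mentioned): the contact-record layout the experts object to beside one that stores only a salted scrypt hash and verifies with a constant-time comparison. The record fields and the scrypt work factors are assumptions for illustration.

```python
"""Added example: plaintext password in a contact record vs. salted scrypt hash.
Record layout and work factors are assumptions, not any ESP's real schema."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed work factors (~16 MiB)
SALT_BYTES = 16


def insecure_contact_record(email: str, password: str) -> dict:
    """The anti-pattern: anyone who can read contact records reads the password."""
    return {"email": email, "password": password}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, scrypt digest). A fresh random salt per record defeats
    precomputed tables and makes equal passwords hash differently."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def secure_contact_record(email: str, password: str) -> dict:
    """Persist only salt and digest; the password itself is never stored."""
    salt, digest = hash_password(password)
    return {"email": email, "pw_salt": salt.hex(), "pw_hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt; compare_digest avoids timing leaks."""
    salt = bytes.fromhex(record["pw_salt"])
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, bytes.fromhex(record["pw_hash"]))


def record_exposes_password(record: dict, password: str) -> bool:
    """Audit helper: does the stored record contain the plaintext password?"""
    return password in record.values()
```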
What the documentation says (6 technical articles)
Documentation from CWE (Common Weakness Enumeration) explains that Cross-Site Scripting (XSS) is a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. It happens when a web application improperly validates or encodes user input before displaying it, leading to the execution of arbitrary JavaScript code in the victim's browser.
Documentation from SANS Institute explains that the use of weak or default passwords is a significant security vulnerability. Attackers can easily guess or crack these passwords, gaining unauthorized access to systems and data.
Documentation from CERT (Computer Emergency Response Team) explains that Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not data theft, since the attacker cannot see the response to the forged request.
Documentation from NIST (National Institute of Standards and Technology) explains that not validating user inputs before processing them can lead to various vulnerabilities, such as command injection, buffer overflows, and cross-site scripting.
Documentation from Mozilla shares that an insecure direct object reference (IDOR) is a type of access control vulnerability that arises when an application uses user-supplied input to directly access objects. This allows an attacker to bypass authorization and access resources belonging to other users.
Documentation from OWASP explains that SQL injection is a vulnerability where an attacker can inject malicious SQL code into a query, allowing them to bypass security measures and potentially access, modify, or delete data. It occurs when user-supplied data is not properly validated or sanitized before being used in a SQL query.
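As an added illustration of the OWASP point (example code written here, not OWASP's or the original page's): the same subscriber lookup built by string concatenation and with a bound parameter, run against an in-memory SQLite table of constructed rows. The table name and rows are assumptions; the point is that parameterisation keeps input as data rather than relying on sanitisation.

```python
"""Added example: string-built vs. parameterised SQL lookup.
The subscribers table and its rows are constructed sample data."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three subscribers, one flagged as admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (id INTEGER, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO subscribers VALUES (?, ?, ?)",
        [(1, "alice@example.com", 1), (2, "bob@example.com", 0), (3, "carol@example.com", 0)],
    )
    return conn


def find_by_email_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple]:
    """Anti-pattern: user input becomes part of the SQL text, so a quote in the
    input changes the query's structure instead of being matched literally."""
    query = f"SELECT id, email FROM subscribers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_by_email_safe(conn: sqlite3.Connection, email: str) -> List[Tuple]:
    """Parameterised query: the driver binds the value; quotes in it are inert."""
    return conn.execute(
        "SELECT id, email FROM subscribers WHERE email = ?", (email,)
    ).fetchall()


def compare(email: str) -> Tuple[int, int]:
    """Return (rows from vulnerable query, rows from safe query) for one input."""
    conn = make_db()
    try:
        return len(find_by_email_vulnerable(conn, email)), len(find_by_email_safe(conn, email))
    finally:
        conn.close()
```

With a well-formed address both versions return one row; with the textbook tautology input `x' OR '1'='1` the string-built query returns every subscriber while the parameterised one returns none.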