week 4

R10.4 The technical and non-technical vulnerabilities that exist within an organisation:

 

Technical:

Inadequate Encryption

Encryption converts data into a form that cannot be read without the right key, so that it stays confidential even if the storage it sits on or the network it crosses is compromised. Encryption is inadequate when it is missing altogether (data stored or sent in plain text), when a weak algorithm or a short key is used, when it is applied to some copies of the data but not others, or when the keys are kept next to the data they protect. Any of these can expose sensitive information such as personal data, payment details and intellectual property.

Example: The Equifax Breach (2017)

One of the largest data breaches in history, the Equifax incident exposed the personal information of about 147 million people. The attackers got in through a vulnerability in the Apache Struts web framework for which a patch had been available for about two months, so the initial failure was unpatched software. Weak handling of encryption then made the breach far worse. Once inside, the attackers found database credentials stored in plain text, which let them query dozens of other databases, and an expired certificate on the device that inspected encrypted network traffic meant the data leaving the network went unexamined for months. The case shows that encryption has to be applied consistently: to stored credentials and to security monitoring, not just to the main customer records.
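The following is an added example, not material from the course page or from Equifax, showing in code why inadequate key strength (the weakness catalogued as CWE-326) is exploitable. It uses a toy stream cipher built from SHA-256 purely for illustration; the "SSN:" record, the 4-digit PIN and the function names are assumptions for the demo. The same cipher keyed from a 4-digit PIN falls to a search of at most 10,000 guesses, while a 256-bit random key from the operating system's random source does not.

```python
# Added example (not from the course page): why inadequate key strength is exploitable.
# The cipher below is a toy construction for illustration only, not a recommended design.
import hashlib
import secrets
from typing import Optional


def keystream(key: bytes, length: int) -> bytes:
    """Derive a keystream by hashing key || counter (toy construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; the same call decrypts."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))


decrypt = encrypt


def pin_key(pin: str) -> bytes:
    """Weak key derivation: a 4-digit PIN gives only 10,000 possible keys."""
    return hashlib.sha256(pin.encode()).digest()


def strong_key() -> bytes:
    """Adequate key: 256 random bits, far beyond any brute-force search."""
    return secrets.token_bytes(32)


def brute_force_pin(ciphertext: bytes, known_prefix: bytes) -> Optional[str]:
    """Recover the PIN assuming the attacker knows how each record begins
    (e.g. a fixed field label). Tries every PIN in order."""
    for n in range(10_000):
        pin = f"{n:04d}"
        if decrypt(pin_key(pin), ciphertext[: len(known_prefix)]) == known_prefix:
            return pin
    return None


def demo() -> dict:
    record = b"SSN: 123-45-6789"  # constructed sample record
    weak_ct = encrypt(pin_key("4821"), record)
    recovered_pin = brute_force_pin(weak_ct, b"SSN: ")
    k = strong_key()
    strong_ct = encrypt(k, record)
    return {
        "pin_recovered": recovered_pin,
        "weak_plaintext": decrypt(pin_key(recovered_pin), weak_ct) if recovered_pin else None,
        "strong_roundtrip": decrypt(k, strong_ct) == record,
        "strong_keyspace_bits": 8 * len(k),
    }


if __name__ == "__main__":
    print(demo())
```

The attacker needs nothing but a guess at how records start (a field label, a file header, a JSON brace) to recognise the right key; that is why "encrypting" with a short PIN, a date or a password typed by a user offers almost no protection, and why real systems use a random key of adequate length and a standard cipher rather than anything home-made.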

 

Interactive Tools and Activities on Inadequate Encryption

Cyber Threat Defender (CTD)
Cyber Threat Defender is a multiplayer collectible card game designed to teach essential cybersecurity concepts, including encryption. While it doesn’t focus solely on inadequate encryption, it provides scenarios where players must defend against threats that exploit weak encryption practices.

Explore CTD: Cyber Threat Defender
Further Reading on Inadequate Encryption

To deepen your understanding, consider these resources:

Inadequate Encryption Deep Dive
An article discussing the risks associated with improper or weak encryption implementations.
Read More

The Fragile Armor: Understanding the Risks of Inadequate Encryption
An exploration of how inadequate encryption can compromise data security.
Read More 

CWE-326: Inadequate Encryption Strength
A detailed look at common weaknesses related to encryption strength.
Read More 

 

Out of Date Software

Outdated software lacks the latest security fixes, which makes it a prime target. Once a vendor publishes a patch, attackers can compare the patched and unpatched versions to work out exactly what was fixed and write exploits for every system that has not yet applied it. Software vendors regularly release updates to fix security flaws, and the longer an organisation waits to apply them the wider the window of exposure becomes.

Case Study: Marriott International Data Breach (2018)

Marriott suffered a massive data breach, initially estimated to affect up to 500 million guests and later revised to about 339 million. The compromised system was the guest reservation database of Starwood, a hotel group Marriott acquired in 2016. Attackers had been inside that system since 2014, two years before the acquisition, and stayed undetected until 2018, using tools to harvest credentials and extract data including passport numbers and payment card details. Marriott kept the legacy Starwood environment running rather than migrating it to its own better-maintained systems, and when the UK Information Commissioner's Office fined Marriott £18.4 million in 2020 it cited insufficient monitoring of privileged accounts and databases and a failure to carry out adequate due diligence on the inherited systems. The exact initial entry point was never made public, but the lesson is the same: inherited systems must be brought up to the acquirer's patching and monitoring standards, or retired.

 

Out of Date Hardware

Hardware becomes outdated when the manufacturer stops supporting it or it can no longer run current versions of the operating system and security software. Obsolete hardware often ties an organisation to an old, unpatchable operating system, so security fixes cannot be applied and the whole system inherits that operating system's known vulnerabilities.

Example: NHS WannaCry Attack (2017)

WannaCry spread by exploiting a flaw in the Windows SMB file-sharing service. Microsoft had published a patch (MS17-010) two months earlier, in March 2017, but no patch existed for out-of-support versions such as Windows XP until Microsoft released an emergency one during the outbreak. The National Audit Office investigation found that the affected NHS trusts had either not applied the patch or were still running unsupported versions of Windows. In many cases this was tied to ageing hardware and medical devices, such as scanners, that were certified to run only a specific old operating system and could not be upgraded. Around a third of NHS trusts in England were disrupted, some 19,000 appointments were cancelled, and several hospitals diverted emergency patients elsewhere.

 

Out of Date Firmware

Firmware is the low-level software embedded in a device (a router, a BIOS/UEFI, a network card, a printer) that runs beneath the operating system. Manufacturers release firmware updates to fix bugs and patch vulnerabilities, but unlike operating system updates these are rarely automatic and are easy to forget. Flaws in firmware are attractive to attackers because code running at that level can bypass the operating system's protections, can survive a reinstall of the operating system, and is harder for conventional security tools to detect.

Example: Cisco Router Vulnerability (2019)

In 2019 Cisco disclosed critical vulnerabilities in the firmware of several of its small-business routers that allowed an unauthenticated attacker to execute commands on the device remotely. The only fix was to install updated firmware, so any organisation that had not done so stayed exposed to remote compromise of the device that sits between its network and the internet. Small and medium enterprises were especially at risk because they often run such equipment for years without anyone being responsible for checking vendor advisories and applying firmware updates.

 

 

Software No Longer Supported by a Supplier

When software reaches its "end of life" (EOL), the supplier stops providing security updates and support. Continuing to use it significantly increases the risk of exploitation, because any vulnerability discovered after that date will never be patched. Attackers actively look for EOL software for exactly that reason: a flaw in it stays exploitable indefinitely.

 

Example: Windows XP Use in ATMs

Microsoft ended support for Windows XP in April 2014, yet for years afterwards many ATMs and corporate systems continued to run it. Criminals targeted these machines because flaws found after that date would never be fixed, and the banks that depended on them had to pay Microsoft for custom extended support or fund expensive upgrade programmes, in some cases only after an incident.
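The two sections on out-of-date software and on software no longer supported by a supplier both come down to the same routine check: compare what is installed with what the vendor currently ships, and compare the vendor's end-of-support date with today. The following is an added example of that check, not code from the course page or from any of the organisations named above. The inventory, hostnames and "latest version" values are constructed for the demo (in practice they would come from an asset database and a vendor feed); the Windows XP and PostgreSQL 9.6 end-of-support dates are real.

```python
# Added example (not from the course page): flag outdated and end-of-life software
# in an asset inventory. The inventory and hostnames below are constructed for the demo.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Asset:
    host: str
    product: str
    installed: str          # version currently installed
    latest: str             # latest version the vendor ships (from a vendor feed in practice)
    eol: Optional[date]     # vendor end-of-support date; None while still supported


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically, not as strings
    ('2.10' must sort after '2.9'). Non-numeric parts (e.g. 'rc1') compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def audit(assets: List[Asset], today: date) -> List[dict]:
    """Return one finding per asset that needs action. End-of-life takes priority
    over 'outdated': a newer version of unsupported software will never arrive."""
    findings = []
    for a in assets:
        if a.eol is not None and a.eol <= today:
            findings.append({"host": a.host, "product": a.product, "issue": "unsupported",
                             "detail": f"vendor support ended {a.eol.isoformat()}"})
        elif parse_version(a.installed) < parse_version(a.latest):
            findings.append({"host": a.host, "product": a.product, "issue": "outdated",
                             "detail": f"{a.installed} installed, {a.latest} available"})
    return findings


# Constructed inventory (hostnames invented; the two EOL dates are the vendors' real ones)
INVENTORY = [
    Asset("atm-01", "Windows XP", "5.1", "5.1", date(2014, 4, 8)),
    Asset("web-03", "Apache Struts", "2.3.31", "2.3.32", None),
    Asset("rtr-02", "Router firmware", "1.0.3.44", "1.0.3.44", None),
    Asset("db-01", "PostgreSQL", "9.6.24", "9.6.24", date(2021, 11, 11)),
]


def run(today: date = date(2025, 5, 13)) -> List[dict]:
    return audit(INVENTORY, today)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Two details matter in practice. Versions must be compared as numbers, because a plain string comparison thinks "2.9" is newer than "2.10" and will silently miss an available update. And an asset past its end-of-support date should be reported as unsupported rather than merely outdated, because no patch is coming and the only remedies are upgrading, isolating or retiring it.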

Create a presentation that explains the issues above (Inadequate Encryption, Out of Date Hardware, Out of Date Software, Out of Date Firmware, Software no Longer Supported by a Supplier), research and discuss other examples of where these have happened, and describe the impacts on those linked to them: clients and customers, suppliers, owners, banks and more.

 

o compatibility of legacy systems

o fail-open electronic locks

 

- Weak passwords (for example default passwords)

A weak password is one that is easy to guess or crack. This could include things like short passwords (e.g. “12345”), using obvious words (like “password” or your name), or using default passwords (like “admin” or “1234”) that come pre-set on devices and systems.

Why Weak Passwords Are a Problem

When an organisation uses weak passwords, it’s like leaving the front door unlocked. Hackers can easily break in, gain access to systems, steal data, or even take full control of the network. This is especially risky if important systems or customer information are protected by these weak passwords.

Default Passwords – A Common Issue

Default passwords are one of the biggest problems. Devices like routers, CCTV systems, printers and even company laptops often ship with a username and password already set by the manufacturer, such as "admin/admin" or "user/1234". These defaults are printed in manuals and collected in freely available lists, so attackers simply try the list against every device they can reach. Trying a list of known or common passwords is a dictionary attack; trying every possible combination is a brute-force attack. A four-digit default code falls to either in seconds.

If the company doesn’t change these passwords when setting things up, they’re giving hackers an easy way in.

Real-World Example: The Mirai Botnet Attack

The clearest example is the Mirai botnet of 2016. Mirai scanned the internet for connected devices such as IP cameras, digital video recorders and home routers whose Telnet service still accepted a factory default login, trying a built-in list of a few dozen username and password pairs. Every device that answered was infected and added to the botnet, which was then used for some of the largest distributed denial-of-service attacks seen at the time, including the October 2016 attack on the DNS provider Dyn that made Twitter, Netflix, Reddit and other major sites unreachable for hours. Most of the infected devices were in homes, but organisations running the same cheap cameras and routers on their networks were infected in exactly the same way, and the same default-credential scanning is still used today to break into business equipment.

Consequences for Organisations

If a company is caught out by weak or default passwords, it could face:

  • Data breaches – Customer information, payment details or company secrets could be stolen.

  • Fines and legal trouble – Under laws like the UK GDPR, companies can be fined for not protecting data properly.

  • Reputation damage – If customers don’t trust a company to keep their data safe, they might stop using its services.

  • Operational disruption – Systems could be shut down or locked by hackers, which can stop the business from running.

How to Fix the Problem

To avoid these issues, organisations should:

  • Always change default passwords when setting up new devices.

  • Use strong passwords: at least 12 characters or three random words, unique to each system, and ideally generated and stored by a password manager.

  • Consider using multi-factor authentication (MFA) to make it even harder for hackers to get in.
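To make the Mirai-style default-credential sweep and the password rules above concrete, here is an added example, not code from the course page or from any vendor. The device fleet, the short default-credential list and the passwords are constructed for the demo (the real Mirai list was longer); the Device class stands in for a network device that stores a salted password hash, and the login method and policy rules are assumptions of the example.

```python
# Added example (not from the course page): a default-credential sweep of the kind
# Mirai-style scanners run, plus a password policy check. Device names, the
# credential list and the passwords are constructed for the demo.
import hashlib
import hmac
import string
from typing import Dict, List, Tuple

# A short list in the style of a default-credential dictionary (constructed, not Mirai's list)
DEFAULT_CREDENTIALS: List[Tuple[str, str]] = [
    ("admin", "admin"), ("admin", "1234"), ("admin", "password"),
    ("root", "root"), ("user", "1234"), ("admin", ""),
]
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "letmein", "welcome1"}


class Device:
    """Stand-in for a network device that stores a salted password hash."""

    def __init__(self, name: str, username: str, password: str):
        self.name, self.username = name, username
        self.salt = hashlib.sha256(name.encode()).digest()[:16]  # fixed per device for the demo
        self.pw_hash = self._hash(password)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)

    def login(self, username: str, password: str) -> bool:
        return username == self.username and hmac.compare_digest(self.pw_hash, self._hash(password))


def sweep_for_defaults(devices: List[Device],
                       creds: List[Tuple[str, str]] = DEFAULT_CREDENTIALS) -> Dict[str, Tuple[str, str]]:
    """Try every default pair against every device; return the pairs that worked."""
    hits = {}
    for dev in devices:
        for user, pw in creds:
            if dev.login(user, pw):
                hits[dev.name] = (user, pw)
                break
    return hits


def password_weaknesses(pw: str, username: str = "") -> List[str]:
    """Return the policy rules a proposed password breaks (empty list = acceptable)."""
    issues = []
    if len(pw) < 12:
        issues.append("shorter than 12 characters")
    if pw.lower() in COMMON_PASSWORDS:
        issues.append("on the common-password list")
    if any(pw == default_pw for _, default_pw in DEFAULT_CREDENTIALS):
        issues.append("is a factory default")
    if username and username.lower() in pw.lower():
        issues.append("contains the username")
    classes = sum(1 for cs in (string.ascii_lowercase, string.ascii_uppercase,
                               string.digits, string.punctuation) if set(pw) & set(cs))
    if classes < 3:
        issues.append("uses fewer than three character classes")
    return issues


# Constructed fleet: two devices never had their defaults changed
FLEET = [
    Device("cctv-01", "admin", "admin"),
    Device("router-lobby", "admin", "1234"),
    Device("laptop-07", "jsmith", "Tr0ub4dor&3-Piano!"),
]

if __name__ == "__main__":
    print(sweep_for_defaults(FLEET))
    print(password_weaknesses("admin", "admin"))
```

Running the same sweep against your own equipment before an attacker does is a standard part of onboarding new devices; the six-entry list here finds both unchanged devices in well under a second, and a real list of a few hundred pairs takes barely longer.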

 

-Missing authentication and authorisation

Authentication is about checking who you are, like when you log in with a username and password.
Authorisation is about checking what you're allowed to do, like whether you have permission to view certain files or settings once you're logged in.

If a system doesn’t properly check these things — or skips them completely — it opens the door to serious problems.

What Happens If Authentication or Authorisation Is Missing?

Let’s say a company builds a website or app but forgets to add login checks in certain areas. That means anyone could get in — even if they’re not supposed to. They might access sensitive company data, customer records, or even admin settings.

If authorisation isn’t set up properly, someone might log in as a regular user but still be able to do things only an admin should do — like deleting accounts or changing important settings.
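The difference between the two checks is easiest to see in code. The following is an added example, not code from the course page or from any real application: a "delete account" handler written first with only an authentication check (so any logged-in user can delete anyone), then with a role check added. The users, roles, request shape and decorator name are assumptions for the demo.

```python
# Added example (not from the course page): the same "delete account" handler
# written first with only an authentication check, then with an authorisation check.
# The users, roles and request shape are constructed for the demo.
from dataclasses import dataclass, field
from functools import wraps
from typing import Dict, Optional


@dataclass
class User:
    username: str
    role: str  # "user" or "admin"


@dataclass
class Request:
    session_user: Optional[User]            # None means nobody is logged in
    params: Dict[str, str] = field(default_factory=dict)


class AuthenticationRequired(Exception):
    pass


class PermissionDenied(Exception):
    pass


def new_accounts() -> Dict[str, User]:
    """Fresh constructed user table so each call starts from the same state."""
    return {"alice": User("alice", "admin"), "bob": User("bob", "user"), "carol": User("carol", "user")}


def delete_account_vulnerable(req: Request, accounts: Dict[str, User]) -> str:
    """Checks WHO the caller is, but never WHAT they are allowed to do:
    any logged-in user can delete any other account."""
    if req.session_user is None:
        raise AuthenticationRequired("login required")
    accounts.pop(req.params["target"], None)
    return "deleted"


def require_role(role: str):
    """Decorator that enforces authentication and then authorisation."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(req: Request, *args, **kwargs):
            if req.session_user is None:
                raise AuthenticationRequired("login required")        # authentication
            if req.session_user.role != role:
                raise PermissionDenied(f"'{role}' role required")      # authorisation
            return handler(req, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def delete_account(req: Request, accounts: Dict[str, User]) -> str:
    target = req.params["target"]
    if target not in accounts:
        return "not found"
    accounts.pop(target)
    return "deleted"


if __name__ == "__main__":
    table = new_accounts()
    bob = Request(table["bob"], {"target": "carol"})
    print(delete_account_vulnerable(bob, table), sorted(table))   # carol is gone
    try:
        delete_account(bob, new_accounts())
    except PermissionDenied as e:
        print("blocked:", e)
```

Putting the check in a decorator that every privileged handler must carry means the authorisation rule lives in one place and a missing check is visible at a glance in code review, which is how this class of bug is usually caught before release.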

 

Real-World Example: Facebook’s Internal Tools Leak (2019)

In March 2019 Facebook disclosed that hundreds of millions of user passwords had been stored in readable plain text on internal systems, where they could be searched by thousands of employees. No external attacker was involved, but staff had been able to look at data they had no legitimate reason to access, because the internal tools and storage did not enforce proper authorisation or protection. It shows how weak internal authorisation creates a major privacy risk on its own, even when the perimeter holds.

 

Consequences for Organisations

Missing authentication or authorisation can lead to:

  • Data breaches – Hackers or even staff could get into systems they shouldn’t.

  • Loss of trust – If private data gets out, customers may leave.

  • Fines – Under UK GDPR rules, businesses must keep data safe or face serious penalties.

  • Internal misuse – Staff could accidentally (or intentionally) change, delete or leak information.

 

- Exploitable bugs/zero-day bugs

Every piece of software — from apps to operating systems — can have bugs, which are mistakes in the code. Most bugs are harmless, but some can be exploited by hackers to break into systems. These are called exploitable bugs.

A zero-day bug is a security flaw that the software's developers do not yet know about, so no fix exists: they have had "zero days" to work on it. Attackers who discover or buy such a flaw can exploit it until the vendor learns of it, writes a patch and customers install it.

 

Why Are These Bugs Dangerous?

If a hacker finds a bug in software and figures out how to exploit it, they can use it to:

  • Bypass login systems

  • Install malware

  • Steal data

  • Crash systems or take full control

Zero-day bugs are especially dangerous because companies haven’t had time to patch them. Hackers can attack before any protection is in place.
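What an "exploitable bug" looks like in practice is easier to grasp from a small one. The following is an added example, not code from the course page or from Zoom or any other product: a file-download function with a path traversal bug (user input joined straight onto the download folder, so "../" escapes it) beside a corrected version. The folder layout, file names and "secret" contents are constructed in a temporary directory for the demo.

```python
# Added example (not from the course page): an exploitable bug in a file-download
# handler (path traversal) beside a corrected version. The folder layout is
# constructed in a temporary directory.
import os
import tempfile
from pathlib import Path
from typing import Tuple


def serve_file_vulnerable(root: str, name: str) -> bytes:
    """Bug: the user-supplied name is joined straight onto the root, so a name
    such as '../config.ini' reads files outside the download folder."""
    return Path(root, name).read_bytes()


def serve_file(root: str, name: str) -> bytes:
    """Fix: resolve the final path (following '..' and symlinks) and refuse
    anything that does not stay inside the root."""
    root_real = Path(root).resolve()
    target = (root_real / name).resolve()
    if target != root_real and root_real not in target.parents:
        raise PermissionError(f"refusing path outside download root: {name}")
    return target.read_bytes()


def build_demo_tree() -> Tuple[str, str]:
    """Create public/brochure.txt plus a secret file one level up; returns (root, secret)."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "public")
    os.mkdir(root)
    Path(root, "brochure.txt").write_bytes(b"public brochure")
    secret = os.path.join(base, "config.ini")
    Path(secret).write_bytes(b"db_password=hunter2")
    return root, secret


def exploit_works(handler, root: str) -> bool:
    """True if the handler hands over the secret when asked for '../config.ini'."""
    try:
        return handler(root, "../config.ini") == b"db_password=hunter2"
    except PermissionError:
        return False


if __name__ == "__main__":
    root, _ = build_demo_tree()
    print("vulnerable:", exploit_works(serve_file_vulnerable, root))  # True
    print("fixed:", exploit_works(serve_file, root))                  # False
```

The bug is a single missing check, which is typical: most exploitable bugs are ordinary mistakes rather than exotic ones, and the difference between a harmless bug and a breach is whether an attacker can steer the input. Until the fix is written and deployed, every copy of the vulnerable function is a zero-day in miniature.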

 

Real-World Example: Zoom Zero-Day Bug (2020)

In 2020, as organisations moved to remote working almost overnight, several serious flaws were reported in the Zoom client. One, disclosed in July 2020, allowed an attacker to run code on a victim's computer running the Zoom client on Windows 7 or older if the victim could be tricked into a routine action such as opening a file sent in a chat. No patch existed when the flaw was reported, so organisations relying on Zoom on those systems were exposed until Zoom shipped an update shortly afterwards. It also shows how attackers follow the users: a product that suddenly becomes critical to millions of organisations becomes a prime target for vulnerability research.

 

Consequences for Organisations

If an organisation is hit by an exploit or zero-day attack, the effects can include:

  • Data loss – Hackers might steal or delete important information.

  • System downtime – Services could go offline, stopping work or customer access.

  • Financial loss – From fines, legal action, or having to fix the damage.

  • Reputation damage – If people find out the company was hacked, they might stop trusting it.

 

Non-Technical:

o employees:

 

Not following policies and procedures

 

 

▪ competency levels of staff

 

▪ lack of recruitment screening

 

Poor data/cyber hygiene (for example not archiving dormant staff accounts and access)

Cyber hygiene means keeping systems tidy, secure, and well-managed — a bit like how you’d regularly clean and organise your room so it doesn’t become a mess. In a business, this includes things like deleting old accounts, updating software, and removing access from people who no longer work there.

If an organisation doesn’t keep up with this, it creates a non-technical vulnerability that can be just as dangerous as a hacker.

What Does This Look Like in Real Life?

Let’s say someone leaves a company, but their staff account stays active. That means:

  • Their email, files, and systems are still accessible.

  • If they had remote access (like VPN or cloud login), they could still get in from home.

  • A hacker could also target their account and use it as a way into the system.

The longer these “dormant” accounts stay active, the more chances there are for someone to take advantage.
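The routine that prevents this is a regular reconciliation of the user directory against HR's list of current staff, plus a dormancy check on last-login dates. The following is an added example of that reconciliation, not code from the course page or from any organisation named on it. The accounts, dates, the 90-day dormancy threshold and the HR list are constructed for the demo.

```python
# Added example (not from the course page): reconcile a directory export against
# HR's current staff list and flag dormant or orphaned accounts. All names and dates
# are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    username: str
    last_login: Optional[date]     # None = never logged in
    remote_access: bool = False    # VPN / cloud login enabled
    enabled: bool = True


def accounts_to_disable(accounts: List[Account], hr_current_staff: Set[str],
                        today: date, dormant_after: timedelta = timedelta(days=90)) -> Dict[str, List[str]]:
    """Map username -> reasons for every enabled account that should be disabled."""
    findings: Dict[str, List[str]] = {}
    for acc in accounts:
        if not acc.enabled:
            continue
        reasons = []
        if acc.username not in hr_current_staff:
            reasons.append("not in HR's current staff list (leaver or orphaned account)")
        if acc.last_login is None:
            reasons.append("never logged in")
        elif today - acc.last_login > dormant_after:
            reasons.append(f"dormant for {(today - acc.last_login).days} days")
        if reasons and acc.remote_access:
            reasons.append("still has remote access")
        if reasons:
            findings[acc.username] = reasons
    return findings


TODAY = date(2025, 5, 13)
DIRECTORY = [
    Account("asmith", TODAY - timedelta(days=1)),
    Account("bjones", TODAY - timedelta(days=200), remote_access=True),   # left months ago
    Account("ctaylor", None, remote_access=True),                          # contractor account never used
    Account("dlee", TODAY - timedelta(days=3)),                            # left last week, still active
    Account("svc-backup", TODAY - timedelta(days=120), enabled=False),     # already disabled
]
HR_CURRENT_STAFF = {"asmith", "ctaylor"}


def run() -> Dict[str, List[str]]:
    return accounts_to_disable(DIRECTORY, HR_CURRENT_STAFF, TODAY)


if __name__ == "__main__":
    for user, reasons in run().items():
        print(user, "->", "; ".join(reasons))
```

Note that "dlee" is caught only by the HR comparison, not by dormancy: a leaver's account is most dangerous in the first days after they go, while it still looks perfectly active, which is why the HR feed, not the login history, has to drive removal.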

Real-World Example: Twitter Insider Attack (2020)

In July 2020 attackers took over high-profile Twitter accounts (including those of Elon Musk, Barack Obama and Apple) and used them to post a Bitcoin scam. They got in by phoning Twitter employees and contractors, tricking them into entering their credentials on a fake login page, and then using those credentials to reach the internal account-support tools. The New York Department of Financial Services' report on the incident found that over a thousand employees and contractors had access to those tools, far more than their jobs required, and that the controls around privileged access were inadequate. Keeping access tightly scoped and removing it promptly when roles change is basic cyber hygiene, and this case shows that even the largest tech companies can fail at it.

Consequences for Organisations

If an organisation doesn’t practise good data or cyber hygiene, it could face:

  • Unauthorised access – Ex-employees or hackers could use old logins.

  • Data breaches – Sensitive information could be stolen or leaked.

  • Internal threats – Dormant accounts could be used to hide illegal or damaging activity.

  • Legal issues – The company could be fined for breaking data protection rules (like UK GDPR).

 

o physical access controls:

▪ inadequate security procedures:

Door access codes not changed regularly

Door access codes are used to stop unauthorised people from entering buildings or secure areas. But if these codes aren’t changed regularly, they can become a serious security risk.

Why Is This a Problem?

Over time, lots of people may find out a door code — current staff, ex-employees, cleaners, contractors, or even visitors. If the code stays the same for months or even years, there’s no way of knowing who still knows it. Someone who no longer works there could easily return and walk straight in.

Even worse, people might share the code without thinking, like texting it to a mate or writing it on a sticky note near the door. If the code isn’t updated, all of these risks build up.

Real-World Example: NHS Staff Door Code Leak

In a 2020 incident, a photo of an NHS hospital door keypad with the code written next to it was shared on social media. The post went viral. The problem wasn’t just the note – it turned out the code hadn’t been changed in months. That meant anyone who saw the post could have walked into the building, putting staff and patient safety at risk.

Consequences for Organisations

If an organisation doesn’t change door codes regularly, it could face:

  • Unauthorised access – Ex-staff, intruders, or even criminals might get in.

  • Theft or damage – Valuable equipment or data could be stolen.

  • Health and safety breaches – People could access dangerous or sensitive areas.

  • Legal trouble – If someone gets hurt or data is stolen, the organisation might be fined.

  • Loss of trust – Customers and staff may feel unsafe or lose confidence in the company.

Using simple access codes and reusing access codes (for example 1234)

Not all security risks are caused by high-level hacking. Sometimes, it’s simple human mistakes that leave systems wide open. One common non-technical vulnerability is using basic access codes (like "1234" or "0000") or reusing the same code for multiple doors, devices, or systems.

Why Is This a Problem?

Access codes are meant to control who can get into certain areas or systems — like office doors, alarm panels, or even phone voicemail systems. If someone uses a code like “1234”, it’s incredibly easy to guess. Hackers or intruders don’t need any special tools — just a bit of common sense or luck.

Reusing the same code across multiple areas or devices makes it even worse. Once someone learns the code for one thing, they can try it everywhere else. If it works, they suddenly have full access.
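The two problems above (codes that are never rotated, and codes that are trivial or shared between doors) can be checked from the same small register of doors, codes and last-changed dates. The following is an added example of that audit, not code from the course page or from any facilities system. The doors, codes, dates, 90-day rotation period and the keypad-pattern list are constructed for the demo.

```python
# Added example (not from the course page): check a building's door codes for
# simple patterns, reuse across doors and codes that have not been rotated.
# Door names, codes and dates are constructed.
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, Tuple

KEYPAD_PATTERNS = {"2580", "0852", "1470", "0741", "3690", "0963", "1379", "9731"}  # columns/diagonals


def is_simple_code(code: str) -> bool:
    """True for constant digits (0000), runs up or down (1234, 9876),
    straight lines on a phone-style keypad, and anything shorter than 4 digits."""
    if len(code) < 4 or len(set(code)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    if steps in ({1}, {-1}):
        return True
    return code in KEYPAD_PATTERNS


def audit_door_codes(doors: Dict[str, Tuple[str, date]], today: date,
                     max_age: timedelta = timedelta(days=90)) -> Dict[str, List[str]]:
    """doors maps door name -> (code, date the code was last changed)."""
    findings: Dict[str, List[str]] = defaultdict(list)
    doors_by_code: Dict[str, List[str]] = defaultdict(list)
    for door, (code, changed) in doors.items():
        doors_by_code[code].append(door)
        if is_simple_code(code):
            findings[door].append("simple or predictable code")
        age = today - changed
        if age > max_age:
            findings[door].append(f"not changed for {age.days} days")
    for code, shared in doors_by_code.items():
        if len(shared) > 1:
            for door in shared:
                others = ", ".join(d for d in shared if d != door)
                findings[door].append(f"code reused on {others}")
    return dict(findings)


DOORS = {
    "front-door": ("1234", date(2023, 1, 9)),
    "server-room": ("7391", date(2025, 4, 1)),
    "stationery-cupboard": ("7391", date(2025, 4, 1)),
    "plant-room": ("4826", date(2025, 3, 20)),
}


def run(today: date = date(2025, 5, 13)) -> Dict[str, List[str]]:
    return audit_door_codes(DOORS, today)


if __name__ == "__main__":
    for door, problems in run().items():
        print(door, "->", "; ".join(problems))
```

The reuse finding is the one people most often miss: the server room's code is strong on its own, but because it also opens the stationery cupboard it is known to everyone who has ever been sent to fetch paper.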

 

Real-World Example: Heathrow Airport USB Stick Leak (2017)

In October 2017 a USB stick was found on a London street containing dozens of folders of Heathrow Airport security material, including maps of the airport, the routes used to protect the Queen and other dignitaries, and details of the ID required to get into restricted areas. The stick was not encrypted or password-protected. The Information Commissioner's Office fined Heathrow Airport Limited £120,000 in 2018, finding that only around 2% of its 6,500 staff had received data protection training and that controls over removable media were poor.

The leak did not itself involve a guessable code, but it shows why details of how secure areas are accessed must be treated as sensitive: once such information is out, the only effective response is to change every code and credential it describes, which is slow and disruptive if the same code is used everywhere.

Read more about this breach using the link below: Heathrow Airport

 

Consequences for Organisations

Using weak or reused access codes can lead to:

  • Unauthorised physical access – People getting into buildings, server rooms, or secure storage.

  • Theft or sabotage – Equipment, confidential documents, or data could be stolen or damaged.

  • Health and safety risks – In places like hospitals or data centres, the wrong person entering could put lives or systems at risk.

  • Loss of trust and reputation – Especially if customer data or staff safety is involved.

  • Regulatory action – If poor access control breaks health, safety or data protection laws.

 

No monitoring of access to secure areas

In any organisation, secure areas might include server rooms, filing rooms, storage for valuable equipment, or areas where sensitive information is kept. If there’s no monitoring of who goes in or out of these spaces, it becomes a big non-technical security risk.

Why Is This a Problem?

If nobody is keeping track of who enters a secure area, then:

  • Anyone could sneak in, especially during busy times.

  • If something goes wrong (like theft, damage, or data loss), there’s no way to know who was there.

  • Internal threats (like a dishonest employee) are harder to catch because there’s no trail.

It’s not just about cameras either. Monitoring could include using access logs, sign-in sheets, or swipe cards that record who entered and when.
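Where swipe cards or keypads do produce a log, monitoring means someone (or something) actually reads it. The following is an added example, not code from the course page or from any door-controller product, of the three checks a reviewer would run over such a log: entries granted to badges that are not on the door's access list, entries outside working hours, and repeated denied attempts. The log lines, badge IDs, door name, log format and thresholds are all constructed for the demo.

```python
# Added example (not from the course page): review a door-controller log for
# badges that were let in without being on the access list, entries out of
# hours, and repeated denied attempts. Log lines and badge IDs are constructed.
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) door=(?P<door>\S+) "
    r"badge=(?P<badge>\S+) result=(?P<result>GRANTED|DENIED)$"
)

ACCESS_LIST: Dict[str, Set[str]] = {"server-room": {"B1001", "B1002"}}

SAMPLE_LOG = """\
2025-05-12 08:59:01 door=server-room badge=B1001 result=GRANTED
2025-05-12 12:30:45 door=server-room badge=B1002 result=GRANTED
2025-05-12 12:31:02 door=server-room badge=B2044 result=GRANTED
2025-05-12 23:10:18 door=server-room badge=B1001 result=GRANTED
2025-05-13 02:14:55 door=server-room badge=B3099 result=DENIED
2025-05-13 02:15:07 door=server-room badge=B3099 result=DENIED
2025-05-13 02:15:20 door=server-room badge=B3099 result=DENIED
2025-05-13 02:15:33 door=server-room badge=B3099 result=DENIED
garbage line the controller wrote during a reboot
"""


def parse_event(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def review(log_text: str, access_list: Dict[str, Set[str]],
           work_hours: Tuple[int, int] = (8, 18), denied_threshold: int = 3) -> List[Tuple[str, str, str]]:
    """Return (alert type, badge, timestamp) for events worth a human look."""
    alerts = []
    denied: Counter = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["badge"], ev["door"])
        stamp = ev["ts"].isoformat(sep=" ")
        if ev["result"] == "GRANTED":
            if ev["badge"] not in access_list.get(ev["door"], set()):
                alerts.append(("granted-but-not-on-access-list", ev["badge"], stamp))
            if not work_hours[0] <= ev["ts"].hour < work_hours[1]:
                alerts.append(("out-of-hours-entry", ev["badge"], stamp))
        else:
            denied[key] += 1
            if denied[key] == denied_threshold:
                alerts.append(("repeated-denied-attempts", ev["badge"], stamp))
    return alerts


def run() -> List[Tuple[str, str, str]]:
    return review(SAMPLE_LOG, ACCESS_LIST)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The first alert is the important one: the controller let badge B2044 in, so the door's own configuration disagrees with the access list that security thinks is in force. Without someone comparing the two, that discrepancy is invisible, which is exactly the "no trail" problem described above.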

 

Real-World Example: Government Data Loss (HMRC, 2007)

In 2007 HMRC (Her Majesty's Revenue and Customs) lost two discs holding the child benefit records of 25 million people, including names, addresses, dates of birth, National Insurance numbers and bank account details. The discs were sent to the National Audit Office by unrecorded internal post and never arrived. The data was posted, not hacked, but the review that followed found that a relatively junior official had been able to copy the entire database (password-protected but not encrypted) and send it without any senior sign-off, and that there was no record of who had handled it. Nobody was monitoring access to the data, so nobody knew it had gone until it failed to turn up.

The incident caused huge public concern, led to the resignation of the HMRC chairman, and prompted new rules on data handling and access control across government departments.

Read further detail on this breach using the link below: UK Government data breach

 

Consequences for Organisations

If access to secure areas isn’t monitored, the organisation might face:

  • Theft or sabotage – Expensive equipment or sensitive documents could go missing.

  • Data protection breaches – Especially if someone accesses personal or financial data.

  • No accountability – If something goes wrong, it’s hard to investigate without knowing who was there.

  • Fines or legal action – Under UK GDPR or health and safety laws.

  • Reputation damage – Customers, clients, and staff may feel the company isn’t trustworthy.

 

▪ unnecessary staff access to secure areas

 

In small groups, create a presentation on what a non-technical vulnerability is. In your presentation create an opening slide that gives the definition of a non-technical vulnerability, then provide examples of them and case studies where they have occurred. Discuss in the slides the impact on the organisation and how it responded, both in how it communicated the issue to its users and the public and in how it resolved the issue.

 

 


Last Updated
2025-05-13 13:11:20


How 2's Coverage

Anonymous Assessment - Learners assess an anonymous piece of work containing deliberate mistakes against given success criteria.


