Encryption is a method of converting data into a coded format to prevent unauthorised access. Inadequate or weak encryption can expose sensitive information, such as personal data, payment information, and intellectual property.
Example: The Equifax Breach (2017)
One of the largest data breaches in history, the Equifax incident exposed the personal information of over 147 million people. A critical failure involved not encrypting sensitive data adequately. While some data was encrypted, Equifax did not maintain consistent encryption across all stored data, leaving portions vulnerable to attackers. This lapse contributed to the scale of the breach and highlighted the dangers of inconsistent encryption practices.
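The Equifax lesson above is inconsistency: some stored fields were protected and others were not. The following is an added example (not from the original page or from Equifax) of a simple audit that scans stored records for sensitive values still readable in plaintext, using a Luhn checksum so that random digit runs are not flagged; the record layout, the "enc:" prefix marking encrypted fields and all sample values are constructed for illustration.

```python
import re

# Constructed sample of stored records. Values prefixed "enc:" stand for
# fields that were encrypted; anything else was stored as readable text.
# The card number is a published test number, not a real account.
RECORDS = [
    {"id": 1001, "name": "A. Example", "card": "enc:3q2+7w==", "ssn": "enc:YWJj"},
    {"id": 1002, "name": "B. Example", "card": "4539 1488 0343 6467", "ssn": "enc:ZGVm"},
    {"id": 1003, "name": "C. Example", "card": "enc:Z2hp", "ssn": "123-45-6789"},
]

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def looks_like_card(value: str) -> bool:
    """Regex hit plus Luhn check, to avoid flagging arbitrary digit runs."""
    m = CARD_RE.search(value)
    return bool(m) and luhn_ok(re.sub(r"[ -]", "", m.group()))

def find_plaintext_sensitive(records):
    """Return (record id, field) for every readable value that looks sensitive."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if not isinstance(value, str) or value.startswith("enc:"):
                continue        # encrypted (in this constructed scheme) or not text
            if looks_like_card(value) or SSN_RE.search(value):
                findings.append((rec["id"], field))
    return findings

if __name__ == "__main__":
    for rid, field in find_plaintext_sensitive(RECORDS):
        print(f"record {rid}: field '{field}' holds unencrypted sensitive data")
```

The check is a heuristic for finding gaps in encryption coverage; it does not judge the strength of the encryption applied to the fields that were protected.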
Interactive Tools and Activities on Inadequate Encryption
Cyber Threat Defender (CTD)
Cyber Threat Defender is a multiplayer collectible card game designed to teach essential cybersecurity concepts, including encryption. While it doesn’t focus solely on inadequate encryption, it provides scenarios where players must defend against threats that exploit weak encryption practices.
Explore CTD: Cyber Threat Defender
Further Reading on Inadequate Encryption
To deepen your understanding, consider these resources:
Inadequate Encryption Deep Dive
An article discussing the risks associated with improper or weak encryption implementations.
The Fragile Armor: Understanding the Risks of Inadequate Encryption
An exploration of how inadequate encryption can compromise data security.
CWE-326: Inadequate Encryption Strength
A detailed look at common weaknesses related to encryption strength.
Outdated software lacks recent security updates and patches, making it a prime target for attackers. Software vendors regularly release updates to fix security flaws, and failing to apply these can leave systems exposed.
Case Study: Marriott International Data Breach (2018)
Marriott suffered a massive data breach impacting 500 million customers. One contributing factor was the use of outdated and unpatched software inherited from the Starwood hotel chain, which was acquired in 2016. Attackers had been accessing the system undetected for years, exploiting old vulnerabilities that should have been patched, ultimately gaining access to a wealth of personal and financial data.
Hardware becomes outdated when it no longer supports modern software or security protocols. Using obsolete hardware may mean critical security patches cannot be applied, increasing exposure to vulnerabilities.
Example: NHS WannaCry Attack (2017)
The NHS in the UK was significantly impacted by the WannaCry ransomware attack. Many affected systems were running on outdated hardware that couldn’t support newer versions of Windows or updated security features. As a result, they remained vulnerable to the ransomware exploit, which rapidly spread across multiple trusts, leading to the cancellation of appointments and operational disruptions.
Firmware is the low-level software embedded in hardware devices. Manufacturers occasionally release updates to fix bugs or patch vulnerabilities. Neglecting these updates can allow attackers to exploit flaws at the hardware level, which is often more difficult to detect and mitigate.
Example: Cisco Router Vulnerability (2019)
Cisco disclosed a critical vulnerability affecting the firmware in some of its routers. The flaw allowed attackers to remotely execute commands on the device. Organisations that had not updated their router firmware were at risk of remote access breaches. Many small to medium enterprises using outdated networking equipment were especially vulnerable, as they often lacked the resources to maintain regular firmware updates.
When software reaches its “end of life” (EOL), the supplier stops providing security updates and support. Continuing to use such software significantly increases the risk of exploitation, as new vulnerabilities will not be patched.
Example: Windows XP Use in ATMs
Years after Microsoft ended support for Windows XP in 2014, many ATMs and corporate systems continued to run on the unsupported OS. Cybercriminals targeted these systems, exploiting known flaws that would never be fixed. The use of unsupported software left banks and organisations open to attack, forcing some to pay high costs for custom support or system upgrades after suffering breaches.
Create a presentation that explains the issues above (Inadequate Encryption, Out of Date Hardware, Out of Date Software, Out of Date Firmware, Software no Longer Supported by a Supplier), research and discuss other examples of where these have happened, and describe the impacts on those linked to them: clients and customers, suppliers, owners, banks and more.
o compatibility of legacy systems
o fail-open electronic locks
- Weak passwords (for example default passwords)
A weak password is one that is easy to guess or crack. This could include things like short passwords (e.g. “12345”), using obvious words (like “password” or your name), or using default passwords (like “admin” or “1234”) that come pre-set on devices and systems.
Why Weak Passwords Are a Problem
When an organisation uses weak passwords, it’s like leaving the front door unlocked. Hackers can easily break in, gain access to systems, steal data, or even take full control of the network. This is especially risky if important systems or customer information are protected by these weak passwords.
Default Passwords – A Common Issue
Default passwords are one of the biggest problems. Devices like routers, CCTV systems, or even company laptops often come with a username and password already set by the manufacturer. These are often things like “admin/admin” or “user/1234”. Hackers know these defaults and can try them to get in—this is known as a brute force attack or dictionary attack.
If the company doesn’t change these passwords when setting things up, they’re giving hackers an easy way in.
Real-World Example: The Mirai Botnet Attack
A famous example of this is the Mirai botnet attack in 2016. Hackers scanned the internet looking for devices like smart cameras and home routers that were still using default passwords. Once they found them, they took control of these devices and used them to launch a massive attack that took down websites like Twitter, Netflix, and Reddit. While this started with home devices, businesses using similar systems were also affected.
Consequences for Organisations
If a company is caught out by weak or default passwords, it could face:
Data breaches – Customer information, payment details or company secrets could be stolen.
Fines and legal trouble – Under laws like the UK GDPR, companies can be fined for not protecting data properly.
Reputation damage – If customers don’t trust a company to keep their data safe, they might stop using its services.
Operational disruption – Systems could be shut down or locked by hackers, which can stop the business from running.
How to Fix the Problem
To avoid these issues, organisations should:
Always change default passwords when setting up new devices.
Use strong passwords – at least 12 characters, with a mix of letters, numbers, and symbols.
Consider using multi-factor authentication (MFA) to make it even harder for hackers to get in.
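As an added example (not part of the original page), the checks below apply the policy just described: reject factory defaults such as admin/admin and user/1234, reject commonly guessed passwords, and require at least 12 characters with letters, numbers and symbols. The default-credential list and the device inventory are constructed for illustration; a real deployment would load a far larger list of known defaults.

```python
# Constructed list of factory defaults to reject; real lists are much longer.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("user", "1234"), ("admin", "password")}
COMMON_WEAK = {"12345", "123456", "password", "admin", "1234", "qwerty"}

def password_problems(username: str, password: str) -> list:
    """Return the reasons a password fails the policy (an empty list means it passes)."""
    problems = []
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        problems.append("factory default credentials")
    if password.lower() in COMMON_WEAK:
        problems.append("commonly guessed password")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(not c.isalnum() for c in password):
        problems.append("no symbols")
    return problems

# Constructed device inventory, as a set-up audit might record it.
DEVICES = [
    {"device": "lobby-camera-01", "username": "admin", "password": "admin"},
    {"device": "branch-router",   "username": "admin", "password": "Gr33n-Tea&Biscuits!"},
    {"device": "hr-laptop-07",    "username": "jsmith", "password": "jsmith2024"},
]

def audit_devices(devices):
    """Return {device name: list of problems} for every device that fails the policy."""
    return {d["device"]: p for d in devices
            if (p := password_problems(d["username"], d["password"]))}

if __name__ == "__main__":
    for name, problems in audit_devices(DEVICES).items():
        print(f"{name}: " + "; ".join(problems))
```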
- Missing authentication and authorisation
Authentication is about checking who you are, like when you log in with a username and password.
Authorisation is about checking what you're allowed to do, like whether you have permission to view certain files or settings once you're logged in.
If a system doesn’t properly check these things — or skips them completely — it opens the door to serious problems.
What Happens If Authentication or Authorisation Is Missing?
Let’s say a company builds a website or app but forgets to add login checks in certain areas. That means anyone could get in — even if they’re not supposed to. They might access sensitive company data, customer records, or even admin settings.
If authorisation isn’t set up properly, someone might log in as a regular user but still be able to do things only an admin should do — like deleting accounts or changing important settings.
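The account-deletion case above, as an added example that is not from the original page: the first handler performs the action for whoever asks, while the second is wrapped in a check that first confirms a user is logged in (authentication) and then confirms that user holds the admin role (authorisation). The User class, the role names and the account store are constructed for illustration.

```python
from typing import Optional

class NotAuthenticated(Exception): pass   # no valid logged-in user
class NotAuthorised(Exception): pass      # logged in, but not permitted

class User:
    def __init__(self, name: str, roles: set):
        self.name, self.roles = name, roles

ACCOUNTS = {"alice", "bob", "carol"}   # constructed account store

# 'Before': the handler never checks who is calling and deletes on request.
def delete_account_unchecked(user: Optional[User], target: str, accounts: set) -> bool:
    accounts.discard(target)
    return True

def require_role(role: str):
    """Decorator: reject anonymous callers, then callers without `role`."""
    def wrap(handler):
        def guarded(user: Optional[User], *args, **kwargs):
            if user is None:                       # authentication check
                raise NotAuthenticated("login required")
            if role not in user.roles:             # authorisation check
                raise NotAuthorised(f"{user.name} lacks role {role}")
            return handler(user, *args, **kwargs)
        return guarded
    return wrap

# 'After': the same action, gated on authentication and then authorisation.
@require_role("admin")
def delete_account(user: Optional[User], target: str, accounts: set) -> bool:
    accounts.discard(target)
    return True

def attempt(handler, user: Optional[User], target: str, accounts: set) -> str:
    """Run a handler and summarise the outcome as a status string."""
    try:
        handler(user, target, accounts)
        return "deleted"
    except NotAuthenticated:
        return "refused: not logged in"
    except NotAuthorised:
        return "refused: not permitted"

if __name__ == "__main__":
    callers = [("anonymous", None), ("regular user", User("dave", {"user"})),
               ("admin", User("erin", {"user", "admin"}))]
    for label, user in callers:
        print(label, "->", attempt(delete_account, user, "bob", set(ACCOUNTS)))
```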
Real-World Example: Facebook’s Internal Tools Leak (2019)
In 2019, security researchers found that some Facebook employees could access private user data through internal tools without proper authorisation checks. While this didn’t involve external hackers, it showed how poor authorisation inside a company can lead to major privacy risks — especially when staff access things they shouldn’t.
Consequences for Organisations
Missing authentication or authorisation can lead to:
Data breaches – Hackers or even staff could get into systems they shouldn’t.
Loss of trust – If private data gets out, customers may leave.
Fines – Under UK GDPR rules, businesses must keep data safe or face serious penalties.
Internal misuse – Staff could accidentally (or intentionally) change, delete or leak information.
- Exploitable bugs/zero-day bugs
Every piece of software — from apps to operating systems — can have bugs, which are mistakes in the code. Most bugs are harmless, but some can be exploited by hackers to break into systems. These are called exploitable bugs.
A zero-day bug is a special kind of vulnerability. It’s a security flaw that developers don’t know about yet, so there’s no fix or update for it. Hackers who discover it can take advantage of it before anyone even realises there’s a problem.
Why Are These Bugs Dangerous?
If a hacker finds a bug in software and figures out how to exploit it, they can use it to:
Bypass login systems
Install malware
Steal data
Crash systems or take full control
Zero-day bugs are especially dangerous because companies haven’t had time to patch them. Hackers can attack before any protection is in place.
Real-World Example: Zoom Zero-Day Bug (2020)
In 2020, a zero-day vulnerability in Zoom (the video call software) was discovered that let hackers remotely take control of a user’s computer — all without the person knowing. Because it was a zero-day, no patch was available at first. Organisations using Zoom were at serious risk until an update was released.
Consequences for Organisations
If an organisation is hit by an exploit or zero-day attack, the effects can include:
Data loss – Hackers might steal or delete important information.
System downtime – Services could go offline, stopping work or customer access.
Financial loss – From fines, legal action, or having to fix the damage.
Reputation damage – If people find out the company was hacked, they might stop trusting it.
o employees:
▪ not following policies and procedures
▪ competency levels of staff
▪ lack of recruitment screening
▪ poor data/cyber hygiene (for example not archiving dormant staff accounts and access)
o physical access controls:
▪ inadequate security procedures:
• door access codes not changed regularly
• using simple access codes and reusing access codes (for example 1234)
• no monitoring of access to secure areas
▪ unnecessary staff access to secure areas
Links to Learning Outcomes:
Links to Assessment criteria:
Anonymous Assessment - Learners assess an anonymous piece of work containing deliberate mistakes against given success criteria.