.jpeg){kind=small}
A vulnerability is a weakness that can be exploited by cybercriminals to gain unauthorized access to a computer system. After exploiting a vulnerabilitya cyberattack can run malicious codeinstall malwareand even steal sensitive data.
Vulnerabilities can be exploited by a variety of methodsincluding SQL injectionbuffer overflows, cross-site scripting (XSS)and open-source exploit kits that look for known vulnerabilities and security weaknesses in web applications.
Many vulnerabilities impact popular softwareplacing the many customers using the software at a heightened risk of a data breachor supply chain attack. Such zero-day exploits are registered by MITRE as a Common Vulnerability Exposure (CVE).
Vulnerability Examples
There are several different types of vulnerabilitiesdetermined by which infrastructure they’re found on. Vulnerabilities can be classified into six broad categories:
1. Hardware
Any susceptibility to humiditydustsoilingnatural disasterpoor encryptionor firmware vulnerability.
2. Software
Insufficient testinglack of audit traildesign flawsmemory safety violations (buffer overflowsover-readsdangling pointers)input validation errors (code injectioncross-site scripting (XSS)directory traversalemail injectionformat string attacksHTTP header injectionHTTP response splittingSQL injection)privilege-confusion bugs (clickjackingcross-site request forgeryFTP bounce attack)race conditions (symlink racestime-of-check-to-time-of-use bugs)side channel attackstiming attacks and user interface failures (blaming the victimrace conditionswarning fatigue).
Learn about the MOVEit Transfer vulnerability >
3. Network
Unprotected communication lines, man-in-the-middle attacksinsecure network architecturelack of authenticationdefault authenticationor other poor network security.
4. Personnel
Poor recruiting policylack of security awareness and trainingpoor adherence to security trainingpoor password managementor downloading malware via email attachments.
5. Physical site
Area subject to natural disasterunreliable power sourceor no keycard access.
6. Organizational
Improper internal controls, lack of auditcontinuity plansecurityor incident response plan.
Learn about the top misconfigurations causing data breaches >
When Should Known Vulnerabilities Be Publicly Disclosed?
Whether to publicly disclose known vulnerabilities remains a contentious issue. There are two options:
1. Immediate Full Disclosure
Some cybersecurity experts argue for immediate disclosureincluding specific information about how to exploit the vulnerability. Supporters of immediate disclosure believe it leads to secure software and faster patching improving software securityapplication securitycomputer securityoperating system securityand information security.
2. Limited to No Disclosure
Others are against vulnerability disclosure because they believe the vulnerability will be exploited by hackers. Supporters of limited disclosure believe limiting information to select groups reduces the risk of exploitation.
Like most argumentsthere are valid arguments from both sides.
Regardless of which side you fall onknow that it's now common for friendly attackers and cyber criminals to regularly search for vulnerabilities and test known exploits.
Some companies have in-house security teams whose job it is to test IT security and other security measures of the organization as part of their overall information risk management and cybersecurity risk assessment process.
Best-in-class companies offer bug bounties to encourage anyone to find and report vulnerabilities to them rather than exploiting them. Bug bounty programs are great and can help minimize the risk of your organization joining our list of the biggest data breaches.
Typically the payment amount of a bug bounty program will be commensurate with the size of the organizationthe difficulty of exploiting the vulnerabilityand the impact of the vulnerability. For examplefinding a data leak of personally identifiable information (PII) of a Fortune 500 company with a bug bounty program would be of higher value than a data breach of your local corner store.
What is the Difference Between Vulnerability and Risk?
Cyber security risks are commonly classified as vulnerabilities. Howevervulnerability and risk are not the same thingwhich can lead to confusion.
Think of risk as the probability and impact of a vulnerability being exploited.
If the impact and probability of a vulnerability being exploited is lowthen there is low risk. Inverselyif the impact and probability of a vulnerability being exploited is highthen there is a high risk.
Generallythe impact of a cyber attack can be tied to the CIA triad or the confidentialityintegrityor availability of the resource. Following this train of reasoningthere are cases where common vulnerabilities pose no risk. For examplewhen the information system with the vulnerability has no value to your organization.
When Does a Vulnerability Become an Exploitable?
A vulnerability with at least one knownworking attack vector is classified as an exploitable vulnerability. The window of vulnerability is the time from when the vulnerability was introduced to when it is patched.
If you have strong security practicesthen many vulnerabilities are not exploitable for your organization.
For exampleif you have properly configured S3 securitythen the probability of leaking data is lowered. Check your S3 permissionsor someone else will.
Likewiseyou can reduce third-party risk and fourth-party risk with a Third-Party Risk Management framework and Vendor Risk Management strategies.
What is a Zero-Day Exploit?
A zero-day exploit (or zero-day) exploits a zero-day vulnerability. A zero-day (or 0-day) vulnerability is a vulnerability that is unknown toor unaddressed bythose who want to patch the vulnerability.
Until the vulnerability is patchedattackers can exploit it to adversely affect a computer programdata warehousecomputer or network.
"Day Zero" is the day when the interested party learns of the vulnerabilityleading to a patch or workaround to avoid exploitation.
The key thing to understand is the fewer days since Day Zerothe higher likelihood that no patch or mitigation has been developed and the higher the risk of a successful attack.
What Causes Vulnerabilities?
There are many causes of vulnerabilitiesincluding:
- Complexity - Complex systems increase the probability of a flawmisconfigurationor unintended access.
- Familiarity - Common codesoftwareoperating systemsand hardware increase the probability that an attacker can find or has information about known vulnerabilities.
- Connectivity - The more connected a device isthe higher the chance of a vulnerability.
- Poor Password Management - Weak passwords can be broken with brute forceand reusing passwords can result in one data breach becoming many.
- Operating System Flaws - Like any softwareoperating systems can have flaws. Operating systems that are insecure by default allow any user to gain access and potentially inject viruses and malware.
- Internet Usage - The Internet is full of spyware and adware that can be installed automatically on computers.
- Software Bugs - Programmers can accidentally or deliberately leave an exploitable bug in software. Sometimes end users fail to update their softwareleaving them unpatched and vulnerable to exploitation.
- Unchecked User Input - If your website or software assumes all input is safeit may execute unintended SQL commands.
- People - The biggest vulnerability in any organization is the human at the end of the system. Social engineering is the biggest threat to the majority of organizations. This category of cyber threats can be addressed with an in-house cyber threat awareness program.
What is Vulnerability Management?
Vulnerability management is a cyclical practice of identifyingclassifyingremediatingand mitigating security vulnerabilities. The essential elements of vulnerability management include vulnerability detection, vulnerability assessmentand remediation.
Methods of vulnerability detection include:
- Vulnerability scanning
- Penetration testing
- Google hacking
Once a vulnerability is foundit goes through the vulnerability assessment process:
1. Identify Vulnerabilities
Analyzing network scanspen test resultsfirewall logsand vulnerability scan results to find anomalies that suggest a cyber attack could take advantage of a vulnerability.
2. Verify Vulnerabilities
Decide whether the identified vulnerability could be exploited and classify the severity of the exploit to understand the level of risk.
3. Mitigate Vulnerabilities
Decide on countermeasures and how to measure their effectiveness if a patch is unavailable.
4. Remediate Vulnerabilities
Remediating vulnerabilities requires updating affected software or hardware where possible. Due to the fact that cyber attacks are constantly evolvingvulnerability management must be a continuous and repetitive practice to ensure your organization remains protected.
What is Vulnerability Scanning?
A vulnerability scanner is software designed to assess computersnetworks or applications for known vulnerabilities. They can identify and detect vulnerabilities rising from misconfiguration and flawed programming within a network and perform authenticated and unauthenticated scans:
- Authenticated scans: Allows the vulnerability scanner to directly access networked assets using remote administrative protocols like secure shell (SSH) or remote desktop protocol (RDP) and authenticate using provided system credentials. This gives access to low-level data such as specific services and configuration detailsproviding detailed and accurate information about operating systemsinstalled softwareconfiguration issuesand missing security patches.
- Unauthenticated scans: Result in false positives and unreliable information about operating systems and installed software. This method is generally used by cyber attackers and security analysts to try and determine the security posture of externally facing assets and to find possible data leaks.
What is Penetration Testing?
Penetration testingalso known as pen testing or ethical hackingis the practice of testing an information technology asset to find security vulnerabilities an attacker could exploit. Penetration testing can be automated with software or performed manually.
Either waythe process is to gather information about the targetidentify possible vulnerabilities and attempt to exploit themand report on the findings.
Penetration testing may also be used to test an organization's security policyadherence to compliance requirementsemployee security awarenessand an organization's ability to identify and respond to security incidents.
Learn more about penetration testing
What is Google Hacking?
Google hacking is the use of a search enginesuch as Google or Microsoft's Bing, to locate security vulnerabilities. Google hacking is achieved through the use of advanced search operators in queries that locate hard-to-find information or information that is being accidentally exposed through misconfiguration of cloud services.
Security researchers and attackers use these targeted queries to locate sensitive information that is not intended to be exposed to the public.
These vulnerabilities tend to fall into two types:
- Software vulnerabilities
- Misconfigurations
That saidthe vast majority of attackers will tend to search for common user misconfigurations that they already know how to exploit and simply scan for systems that have known security holes.
To prevent Google hackingyou must ensure that all cloud services are properly configured. Once something is exposed to Googleit's public whether you like it or not.
YesGoogle periodically purges its cachebut until thenyour sensitive files are being exposed to the public.
What are Vulnerability Databases?
A vulnerability database is a platform that collectsmaintainsand shares information about discovered vulnerabilities. MITRE runs one of the largestcalled CVE or Common Vulnerabilities and Exposuresand assigns a Common Vulnerability Scoring System (CVSS) score to reflect the potential risk a vulnerability could introduce to your organization.
This central listing of CVEs serves as the foundation for many vulnerability scanners.
The benefit of public vulnerability databases is that it allows organizations to developprioritize and execute patches and other mitigations to rectify critical vulnerabilities.
That saidthey can also cause additional vulnerabilities to be created from the hastily released patches that fix the first vulnerability but create another.
See the argument for full disclosure vs. limited disclosure above.
Common vulnerabilities listed in vulnerability databases include:
- Initial deployment failure: Functionality for databases may appear finebut without rigorous testingflaws can allow attackers to infiltrate. Poor security controlsweak passwordsor default security settings can lead to sensitive material becoming publicly accessible.
- SQL injection: Database attacks are commonly recorded in vulnerability databases.
- Misconfiguration: Companies often fail to configure their cloud services correctlyleaving them vulnerable and often publicly accessible.
- Inadequate auditing: Without auditingit's hard to know whether data has been amended or accessed. Vulnerability databases have promulgated the significance of audit tracking as a deterrent of cyber attacks.
.jpeg){kind=avatar}
.jpg){kind=avatar}
