In cyber security, a vulnerability is a weakness which can be exploited by a cyber attack to gain unauthorized access to or perform unauthorized actions on a computer system. Vulnerabilities can allow attackers to run code, access a system's memory, install malware, and steal, destroy or modify sensitive data.
To exploit a vulnerability an attacker must be able to connect to the computer system. Vulnerabilities can be exploited by a variety of methods including SQL injection, buffer overflows, cross-site scripting (XSS) and open source exploit kits that look for known vulnerabilities and security weaknesses in web applications.
There are many definitions of vulnerability:
- National Institute of Standards and Technology (NIST): Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
- ISO 27005: A weakness of an asset or group of assets that can be exploited by one or more cyber threats where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization's mission.
- IETF RFC 4949: A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.
- ENISA: The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the computer system, network, application, or protocol involved.
- The Open Group: The probability that threat capability exceeds the ability to resist the threat.
- Factor Analysis of Information Risk: The probability that an asset will be unable to resist the actions of a threat agent.
- ISACA: A weakness in design, implementation, operation or internal control.
Should known vulnerabilities be publicly disclosed?
Whether to publicly disclose known vulnerabilities remains a contentious issue:
- Immediate full disclosure: Some cybersecurity experts argue for immediate disclosure, including specific information about how to exploit the vulnerability. Supporters of immediate disclosure believe it leads to secure software and faster patching, improving software security, application security, computer security, operating system security and information security.
- Limited to no disclosure: Others are against vulnerability disclosure because they believe the vulnerability will be exploited. Supporters of limited disclosure believe limiting information to select groups reduces the risk of exploitation.
As with most debates, there are valid arguments on both sides.
Regardless of which side you fall on, know that it's now common for friendly attackers and cyber criminals to regularly search for vulnerabilities and test known exploits.
Some companies have in-house security teams whose job it is to test IT security and other security measures of the organization as part of their overall information risk management and cyber security risk assessment process.
Best-in-class companies offer bug bounties to encourage anyone to find and report vulnerabilities to them rather than exploiting them. Bug bounty programs are great and can help minimize the risk of your organization joining our list of the biggest data breaches.
Typically, the payment amount of a bug bounty program will be commensurate with the size of the organization, the difficulty of exploiting the vulnerability and the impact of the vulnerability. For example, finding a data leak of personally identifiable information (PII) of a Fortune 500 company with a bug bounty program would be of higher value than a data breach of your local corner store.
What is the difference between vulnerability and risk?
Cyber security risks are commonly classified as vulnerabilities. However, vulnerability and risk are not the same thing, which can lead to confusion.
Think of risk as the probability and impact of a vulnerability being exploited.
If the impact and probability of a vulnerability being exploited is low, then there is low risk. Inversely, if the impact and probability of a vulnerability being exploited is high, then there is a high risk.
Generally, the impact of a cyber attack can be tied to the CIA triad or the confidentiality, integrity or availability of the resource. Following this train of reasoning, there are cases where common vulnerabilities pose no risk, for example when the information system with the vulnerability has no value to your organization.
When does a vulnerability become exploitable?
A vulnerability with at least one known, working attack vector is classified as an exploitable vulnerability. The window of vulnerability is the time from when the vulnerability was introduced to when it is patched.
If you have strong security practices, then many vulnerabilities are not exploitable for your organization.
What is a zero-day exploit?
A zero-day exploit (or zero-day) exploits a zero-day vulnerability. A zero-day (or 0-day) vulnerability is a vulnerability that is unknown to, or unaddressed by, those who want to patch the vulnerability.
Until the vulnerability is patched, attackers can exploit it to adversely affect a computer program, data warehouse, computer or network.
"Day Zero" is the day when the interested party learns of the vulnerability, leading to a patch or workaround to avoid exploitation.
The key thing to understand is that the fewer days since Day Zero, the higher the likelihood that no patch or mitigation has been developed and the higher the risk of a successful attack.
What causes vulnerabilities?
There are many causes of vulnerabilities including:
- Complexity: Complex systems increase the probability of a flaw, misconfiguration or unintended access.
- Familiarity: Common code, software, operating systems and hardware increase the probability that an attacker can find or has information about known vulnerabilities.
- Connectivity: The more connected a device is, the higher the chance of a vulnerability.
- Poor password management: Weak passwords can be broken with brute force and reusing passwords can result in one data breach becoming many.
- Operating system flaws: Like any software, operating systems can have flaws. Operating systems that are insecure by default and give all users full access can allow viruses and malware to execute commands.
- Internet usage: The Internet is full of spyware and adware that can be installed automatically on computers.
- Software bugs: Programmers can accidentally or deliberately leave an exploitable bug in software.
- Unchecked user input: If your website or software assumes all input is safe, it may execute unintended SQL commands.
- People: The biggest vulnerability in any organization is the human at the end of the system. Social engineering is the biggest threat to the majority of organizations.
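To make the "unchecked user input" cause concrete, the following added example (not part of the original article) runs the same lookup twice against an in-memory SQLite database: once by concatenating input into the SQL text and once with a bound parameter. The table, column and function names and the sample rows are constructed for illustration.

```python
import sqlite3

# Constructed sample data; table, column and function names are hypothetical.
ROWS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return db

def lookup_unchecked(db, name):
    # Vulnerable: input is concatenated into the SQL text, so a quote
    # character in `name` changes the structure of the statement.
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in db.execute(query))

def lookup_parameterized(db, name):
    # Hardened: the driver binds `name` as a value; it is never parsed as SQL.
    cur = db.execute("SELECT email FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in cur)

def compare(name):
    """Run both lookups on the same input and report what each returned."""
    db = make_db()
    try:
        unchecked = lookup_unchecked(db, name)
    except sqlite3.OperationalError as exc:
        unchecked = "error: " + str(exc)   # the input broke the SQL syntax
    return {"unchecked": unchecked,
            "parameterized": lookup_parameterized(db, name)}

if __name__ == "__main__":
    # Constructed inputs: a normal name, a quote-bearing string, an apostrophe.
    for sample in ["alice", "nobody' OR '1'='1", "o'brien"]:
        print(repr(sample), compare(sample))
```

With the concatenated query, the second input returns every row and the third raises a syntax error; the parameterized query returns no rows for both because no user has that literal name.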
What is vulnerability management?
Vulnerability management is a cyclical practice of identifying, classifying, remediating and mitigating security vulnerabilities. The essential elements of vulnerability management include vulnerability detection, vulnerability assessment and remediation.
Methods of vulnerability detection include:
- Vulnerability scanning
- Penetration testing
- Google hacking
Once a vulnerability is found, it goes through the vulnerability assessment process:
- Identify vulnerabilities: Analyzing network scans, pen test results, firewall logs, and vulnerability scan results to find anomalies that suggest a cyber attack could take advantage of a vulnerability.
- Verify vulnerabilities: Decide whether the identified vulnerability could be exploited and classify the severity of the exploit to understand the level of risk.
- Mitigate vulnerabilities: Decide on countermeasures and how to measure their effectiveness in the event that a patch is not available.
- Remediate vulnerabilities: Update affected software or hardware where possible.
Because cyber attacks are constantly evolving, vulnerability management must be a continuous and repetitive practice to ensure your organization remains protected.
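The assessment steps above, combined with the earlier definition of risk as probability and impact, can be sketched as a small triage routine. This is an added example, not the article's or any vendor's method: the three-step scale, the score thresholds, the "accept" label, the field names and the sample findings are all assumptions made for illustration.

```python
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}      # assumed three-step scale
ORDER = {"high": 0, "medium": 1, "low": 2, "none": 3}

@dataclass
class Finding:                    # field names are hypothetical
    asset: str
    weakness: str
    probability: str              # likelihood of exploitation
    impact: str                   # effect on confidentiality, integrity or availability
    asset_has_value: bool         # does the system matter to the organization?
    known_attack_vector: bool     # at least one known, working attack vector
    patch_available: bool

def risk_level(f):
    """Risk = probability and impact of the vulnerability being exploited."""
    if not f.asset_has_value:
        return "none"             # vulnerable, but nothing of value is at stake
    score = LEVEL[f.probability] * LEVEL[f.impact]        # 1..9, assumed cut-offs
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def next_step(f):
    """Pick the assessment step; 'accept' is an assumed label for no-risk findings."""
    if risk_level(f) == "none":
        return "accept"
    return "remediate" if f.patch_available else "mitigate"

def triage(findings):
    """Rank by risk, with exploitable findings first within each level."""
    ranked = sorted(findings,
                    key=lambda f: (ORDER[risk_level(f)], not f.known_attack_vector))
    return [(f.asset, risk_level(f), next_step(f)) for f in ranked]

# Constructed findings, as a scanner or pen test report might list them.
SAMPLE = [
    Finding("build-box", "outdated library", "low", "medium", True, False, True),
    Finding("lab-old", "default credentials", "high", "high", False, True, False),
    Finding("hr-db", "weak password policy", "medium", "medium", True, False, False),
    Finding("vpn-gw", "firmware flaw", "medium", "high", True, True, False),
    Finding("web-01", "SQL injection", "high", "high", True, True, True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```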
What is vulnerability scanning?
A vulnerability scanner is software designed to assess computers, networks or applications for known vulnerabilities. Scanners can identify and detect vulnerabilities arising from misconfiguration and flawed programming within a network, and can perform authenticated and unauthenticated scans:
- Authenticated scans: Allow the vulnerability scanner to directly access networked assets using remote administrative protocols like secure shell (SSH) or remote desktop protocol (RDP) and authenticate using provided system credentials. This gives access to low-level data such as specific services and configuration details, providing detailed and accurate information about operating systems, installed software, configuration issues and missing security patches.
- Unauthenticated scans: Result in false positives and unreliable information about operating systems and installed software. This method is generally used by cyber attackers and security analysts to try and determine the security posture of externally facing assets and to find possible data leaks.
What is penetration testing?
Penetration testing, also known as pen testing or ethical hacking, is the practice of testing an information technology asset to find security vulnerabilities an attacker could exploit. Penetration testing can be automated with software or performed manually.
Either way, the process is to gather information about the target, identify possible vulnerabilities, attempt to exploit them and report on the findings.
Penetration testing may also be used to test an organization's security policy, adherence to compliance requirements, employee security awareness and an organization's ability to identify and respond to security incidents.
What is Google hacking?
Google hacking is the use of a search engine, such as Google or Microsoft's Bing, to locate security vulnerabilities. Google hacking is achieved through the use of advanced search operators in queries that locate hard-to-find information or information that is being accidentally exposed through misconfiguration of cloud services.
Security researchers and attackers use these targeted queries to locate sensitive information that is not intended to be exposed to the public.
These vulnerabilities tend to fall into two types:
- Software vulnerabilities
That said, the vast majority of attackers will tend to search for common user misconfigurations that they already know how to exploit and simply scan for systems that have known security holes.
To prevent Google hacking you must ensure that all cloud services are properly configured. Once something is exposed to Google, it's public whether you like it or not.
Yes, Google periodically purges its cache but until then your sensitive files are being exposed to the public.
What are vulnerability databases?
A vulnerability database is a platform that collects, maintains and shares information about discovered vulnerabilities. MITRE runs one of the largest called CVE or Common Vulnerabilities and Exposures and assigns a Common Vulnerability Scoring System (CVSS) score to reflect the potential risk a vulnerability could introduce to your organization.
This central listing of CVEs serves as the foundation for many vulnerability scanners.
The benefit of public vulnerability databases is that they allow organizations to develop, prioritize and execute patches and other mitigations to rectify critical vulnerabilities.
That said, they can also cause additional vulnerabilities to be created by hastily released patches that fix the first vulnerability but create another.
See the argument for full disclosure vs. limited disclosure above.
Common vulnerabilities listed in vulnerability databases include:
- Initial deployment failure: Functionality for databases may appear fine but without rigorous testing, flaws can allow attackers to infiltrate. Poor security controls, weak passwords or default security settings can lead to sensitive material becoming publicly accessible.
- SQL injection: Database attacks are commonly recorded in vulnerability databases.
- Misconfiguration: Companies often fail to configure their cloud services correctly, leaving them vulnerable and often publicly accessible.
- Inadequate auditing: Without auditing, it's hard to know whether data has been amended or accessed. Vulnerability databases have promulgated the significance of audit tracking as a deterrent of cyber attacks.
Examples of vulnerabilities
Vulnerabilities can be classified into six broad categories:
- Hardware: Susceptibility to humidity, dust, soiling, natural disaster, poor encryption or firmware vulnerability.
- Software: Insufficient testing, lack of audit trail, design flaws, memory safety violations (buffer overflows, over-reads, dangling pointers), input validation errors (code injection, cross-site scripting (XSS), directory traversal, email injection, format string attacks, HTTP header injection, HTTP response splitting, SQL injection), privilege-confusion bugs (clickjacking, cross-site request forgery, FTP bounce attack), race conditions (symlink races, time-of-check-to-time-of-use bugs), side channel attacks, timing attacks and user interface failures (blaming the victim, race conditions, warning fatigue).
- Network: Unprotected communication lines, man-in-the-middle attacks, insecure network architecture, lack of authentication or default authentication.
- Personnel: Poor recruiting policy, lack of security awareness and training, poor adherence to security training, poor password management or downloading malware via email attachments.
- Physical site: Area subject to natural disaster, unreliable power source or no keycard access.
- Organizational: Lack of audit, continuity plan, security or incident response plan.
How UpGuard can help protect your organization from vulnerabilities
Our platform shows where you and your vendors are susceptible to vulnerabilities. UpGuard BreachSight can help combat typosquatting, prevent data breaches and data leaks, avoid regulatory fines and protect your customers' trust through cyber security ratings and continuous exposure detection.
We can also help you continuously monitor, rate and send security questionnaires to your vendors to control third-party risk and fourth-party risk and improve your security posture, as well as automatically create an inventory, enforce policies, and detect unexpected changes to your IT infrastructure. This helps you scale your vendor risk management, third-party risk management and cyber security risk assessment processes.