A vulnerability is a weakness that can be exploited by cybercriminals to gain unauthorized access to a computer system. After exploiting a vulnerability, a cyberattack can run malicious code, install malware, and even steal sensitive data.
Vulnerabilities can be exploited by a variety of methods, including SQL injection, buffer overflows, cross-site scripting (XSS), and open-source exploit kits that look for known vulnerabilities and security weaknesses in web applications.
Many vulnerabilities impact popular software, placing the many customers using the software at a heightened risk of a data breach, or supply chain attack. Such zero-day exploits are registered by MITRE as a Common Vulnerability Exposure (CVE).
There are several different types of vulnerabilities, determined by which infrastructure they’re found on. Vulnerabilities can be classified into six broad categories:
Any susceptibility to humidity, dust, soiling, natural disaster, poor encryption, or firmware vulnerability.
Insufficient testing, lack of audit trail, design flaws, memory safety violations (buffer overflows, over-reads, dangling pointers), input validation errors (code injection, cross-site scripting (XSS), directory traversal, email injection, format string attacks, HTTP header injection, HTTP response splitting, SQL injection), privilege-confusion bugs (clickjacking, cross-site request forgery, FTP bounce attack), race conditions (symlink races, time-of-check-to-time-of-use bugs), side channel attacks, timing attacks and user interface failures (blaming the victim, race conditions, warning fatigue).
Unprotected communication lines, man-in-the-middle attacks, insecure network architecture, lack of authentication, default authentication, or other poor network security.
Poor recruiting policy, lack of security awareness and training, poor adherence to security training, poor password management, or downloading malware via email attachments.
5. Physical site
Area subject to natural disaster, unreliable power source, or no keycard access.
Improper internal controls, lack of audit, continuity plan, security, or incident response plan.
Learn about the top misconfigurations causing data breaches >
When Should Known Vulnerabilities Be Publicly Disclosed?
Whether to publicly disclose known vulnerabilities remains a contentious issue. There are two options:
1. Immediate Full Disclosure
Some cybersecurity experts argue for immediate disclosure, including specific information about how to exploit the vulnerability. Supporters of immediate disclosure believe it leads to secure software and faster patching improving software security, application security, computer security, operating system security, and information security.
2. Limited to No Disclosure
Others are against vulnerability disclosure because they believe the vulnerability will be exploited by hackers. Supporters of limited disclosure believe limiting information to select groups reduces the risk of exploitation.
Like most arguments, there are valid arguments from both sides.
Regardless of which side you fall on, know that it's now common for friendly attackers and cyber criminals to regularly search for vulnerabilities and test known exploits.
Some companies have in-house security teams whose job it is to test IT security and other security measures of the organization as part of their overall information risk management and cyber security risk assessment process.
Best-in-class companies offer bug bounties to encourage anyone to find and report vulnerabilities to them rather than exploiting them. Bug bounty programs are great and can help minimize the risk of your organization joining our list of the biggest data breaches.
Typically the payment amount of a bug bounty program will be commensurate with the size of the organization, the difficulty of exploiting the vulnerability, and the impact of the vulnerability. For example, finding a data leak of personally identifiable information (PII) of a Fortune 500 company with a bug bounty program would be of higher value than a data breach of your local corner store.
What is the Difference Between Vulnerability and Risk?
Cyber security risks are commonly classified as vulnerabilities. However, vulnerability and risk are not the same thing, which can lead to confusion.
Think of risk as the probability and impact of a vulnerability being exploited.
If the impact and probability of a vulnerability being exploited is low, then there is low risk. Inversely, if the impact and probability of a vulnerability being exploited is high, then there is a high risk.
Generally, the impact of a cyber attack can be tied to the CIA triad or the confidentiality, integrity, or availability of the resource. Following this train of reasoning, there are cases where common vulnerabilities pose no risk. For example, when the information system with the vulnerability has no value to your organization.
When Does a Vulnerability Become an Exploitable?
A vulnerability with at least one known, working attack vector is classified as an exploitable vulnerability. The window of vulnerability is the time from when the vulnerability was introduced to when it is patched.
If you have strong security practices, then many vulnerabilities are not exploitable for your organization.
For example, if you have properly configured S3 security, then the probability of leaking data is lowered. Check your S3 permissions, or someone else will.
Likewise, you can reduce third-party risk and fourth-party risk with third-party risk management and vendor risk management strategies.
What is a Zero-Day Exploit?
A zero-day exploit (or zero-day) exploits a zero-day vulnerability. A zero-day (or 0-day) vulnerability is a vulnerability that is unknown to, or unaddressed by, those who want to patch the vulnerability.
Until the vulnerability is patched, attackers can exploit it to adversely affect a computer program, data warehouse, computer or network.
"Day Zero" is the day when the interested party learns of the vulnerability, leading to a patch or workaround to avoid exploitation.
The key thing to understand is the fewer days since Day Zero, the higher likelihood that no patch or mitigation has been developed and the higher the risk of a successful attack.
What Causes Vulnerabilities?
There are many causes of vulnerabilities, including:
- Complexity - Complex systems increase the probability of a flaw, misconfiguration, or unintended access.
- Familiarity - Common code, software, operating systems, and hardware increase the probability that an attacker can find or has information about known vulnerabilities.
- Connectivity - The more connected a device is, the higher the chance of a vulnerability.
- Poor Password Management - Weak passwords can be broken with brute force, and reusing passwords can result in one data breach becoming many.
- Operating System Flaws - Like any software, operating systems can have flaws. Operating systems that are insecure by default allow any user to gain access and potentially inject viruses and malware.
- Internet Usage - The Internet is full of spyware and adware that can be installed automatically on computers.
- Software Bugs - Programmers can accidentally or deliberately leave an exploitable bug in software. Sometimes end users fail to update their software, leaving them unpatched and vulnerable to exploitation.
- Unchecked User Input - If your website or software assumes all input is safe, it may execute unintended SQL commands.
- People - The biggest vulnerability in any organization is the human at the end of the system. Social engineering is the biggest threat to the majority of organizations. This category of cyber threats can be addressed with an in-house cyber threat awareness program.
What is Vulnerability Management?
Vulnerability management is a cyclical practice of identifying, classifying, remediating, and mitigating security vulnerabilities. The essential elements of vulnerability management include vulnerability detection, vulnerability assessment, and remediation.
Methods of vulnerability detection include:
- Vulnerability scanning
- Penetration testing
- Google hacking
Once a vulnerability is found, it goes through the vulnerability assessment process:
1. Identify Vulnerabilities
Analyzing network scans, pen test results, firewall logs, and vulnerability scan results to find anomalies that suggest a cyber attack could take advantage of a vulnerability.
2. Verify Vulnerabilities
Decide whether the identified vulnerability could be exploited and classify the severity of the exploit to understand the level of risk.
3. Mitigate Vulnerabilities
Decide on countermeasures and how to measure their effectiveness if a patch is unavailable.
4. Remediate Vulnerabilities
Remediating vulnerabilities requires updating affected software or hardware where possible. Due to the fact that cyber attacks are constantly evolving, vulnerability management must be a continuous and repetitive practice to ensure your organization remains protected.
What is Vulnerability Scanning?
A vulnerability scanner is software designed to assess computers, networks or applications for known vulnerabilities. They can identify and detect vulnerabilities rising from misconfiguration and flawed programming within a network and perform authenticated and unauthenticated scans:
- Authenticated scans: Allows the vulnerability scanner to directly access networked assets using remote administrative protocols like secure shell (SSH) or remote desktop protocol (RDP) and authenticate using provided system credentials. This gives access to low-level data such as specific services and configuration details, providing detailed and accurate information about operating systems, installed software, configuration issues, and missing security patches.
- Unauthenticated scans: Result in false positives and unreliable information about operating systems and installed software. This method is generally used by cyber attackers and security analysts to try and determine the security posture of externally facing assets and to find possible data leaks.
What is Penetration Testing?
Penetration testing, also known as pen testing or ethical hacking, is the practice of testing an information technology asset to find security vulnerabilities an attacker could exploit. Penetration testing can be automated with software or performed manually.
Either way, the process is to gather information about the target, identify possible vulnerabilities and attempt to exploit them, and report on the findings.
Penetration testing may also be used to test an organization's security policy, adherence to compliance requirements, employee security awareness, and an organization's ability to identify and respond to security incidents.
Learn more about penetration testing
What is Google Hacking?
Google hacking is the use of a search engine, such as Google or Microsoft's Bing, to locate security vulnerabilities. Google hacking is achieved through the use of advanced search operators in queries that locate hard-to-find information or information that is being accidentally exposed through misconfiguration of cloud services.
Security researchers and attackers use these targeted queries to locate sensitive information that is not intended to be exposed to the public.
These vulnerabilities tend to fall into two types:
- Software vulnerabilities
That said, the vast majority of attackers will tend to search for common user misconfigurations that they already know how to exploit and simply scan for systems that have known security holes.
To prevent Google hacking, you must ensure that all cloud services are properly configured. Once something is exposed to Google, it's public whether you like it or not.
Yes, Google periodically purges its cache, but until then, your sensitive files are being exposed to the public.
What are Vulnerability Databases?
A vulnerability database is a platform that collects, maintains, and shares information about discovered vulnerabilities. MITRE runs one of the largest, called CVE or Common Vulnerabilities and Exposures, and assigns a Common Vulnerability Scoring System (CVSS) score to reflect the potential risk a vulnerability could introduce to your organization.
This central listing of CVEs serves as the foundation for many vulnerability scanners.
The benefit of public vulnerability databases is that it allows organizations to develop, prioritize and execute patches and other mitigations to rectify critical vulnerabilities.
That said, they can also cause additional vulnerabilities to be created from the hastily released patches that fix the first vulnerability but create another.
See the argument for full disclosure vs. limited disclosure above.
Common vulnerabilities listed in vulnerability databases include:
- Initial deployment failure: Functionality for databases may appear fine, but without rigorous testing, flaws can allow attackers to infiltrate. Poor security controls, weak passwords, or default security settings can lead to sensitive material becoming publicly accessible.
- SQL injection: Database attacks are commonly recorded in vulnerability databases.
- Misconfiguration: Companies often fail to configure their cloud services correctly, leaving them vulnerable and often publicly accessible.
- Inadequate auditing: Without auditing, it's hard to know whether data has been amended or accessed. Vulnerability databases have promulgated the significance of audit tracking as a deterrent of cyber attacks.