It's Time to Broaden the Definition of a Vulnerability

May 5, 2020 | 6 min read | Vulnerability Management

In a very informal, completely unscientific survey of 10 cybersecurity pros, I asked, “what is a security vulnerability?” 8 out of 10 folks responded with “a CVE”, one said “that’s a loaded question” and one wise person said “it’s anything that puts you at risk”.

The dictionary defines a vulnerability as “the quality or state of being exposed to the possibility of being attacked or harmed.”  Wikipedia defines a security vulnerability as “a weakness which can be exploited by a threat actor, such as an attacker, to perform unauthorized actions within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness.”

Here’s where things get interesting. According to MITRE’s CVE website, a vulnerability is an issue in software code that provides an attacker with direct access to a system or network. If it goes undetected, it could allow an attacker to pose as a super-user or system administrator with full access privileges.

But what about users who have a tendency to reuse passwords across work and personal accounts? What about those “click-happy” employees that have never met a link they don’t click on? They also fit within the bounds of exposing the organization “to the possibility of being attacked or harmed,” but are not CVEs.

By traditional definition, vulnerability = CVE

Legacy vulnerability management tools, in use since the late 1990s, have historically constricted the definition of a security vulnerability to just imply CVEs. This is because vulnerability management vendors only consider an application defect as a vulnerability. This definition serves these vendors well since they only look at Common Vulnerabilities and Exposure (CVEs) –known security vulnerabilities and exposures in publicly released software packages. Regardless, you have a job to do – ensure that your organization is protected from being attacked or harmed – so you have no choice but to consider all possible vulnerabilities.

If you consider the broader, dictionary definition of a vulnerability, it is anything that exposes you and puts you at risk. The enterprise attack surface is exploding with assets including thousands of devices, apps and users, susceptible to hundreds of attack vectors, ranging from simple things like weak passwords, to more complex things like phishing, unpatched software, encryption and configuration issues, etc. Known vulnerabilities, or CVEs, are only a small subset of most enterprises’ overall breach risk.

CVEs are not the ONLY vulnerabilities

Password issues

According to the 2019 Verizon Data Breach Investigations Report, 80% of hacking-related breaches involved compromised and weak credentials and 29% of all breaches, regardless of attack type, involved the use of stolen credentials. And this has been the case for years. This serious vulnerability is not related to software or applications at all, but rather human beings and our cyber hygiene, or lack thereof.

Misconfigurations 

Misconfigured devices and apps present an easy entry point for an attacker to exploit and numerous misconfigurations in application, cloud, and OS settings exist across the enterprise.  According to Gartner, through 2025, 99% of cloud security failures will be the customer’s own fault, owing to misconfigurations and mismanaged credentials, not cloud provider vulnerabilities.

Weak or missing encryption

Missing / poor encryption leads to sensitive information, such as credentials, being transmitted either in plaintext or using weak cryptographic ciphers or protocols. This implies that an adversary intercepting data storage, communication, or processing could easily get access to sensitive data using brute-force approaches to break weak encryption.

not-a-cve

The accepted definition of a vulnerability needs to broaden

Typically associated with flaws in software that must be patched, infosec leaders must redefine the term vulnerability to anything that is open to attack or damage. The impact of this will be on systematic processes, similar to those commonly applied to patching, extended to weak or shared passwords, phishing and social engineering, risk of physical theft, third party vendor risk, and more.

Recall the wise person responding to my survey that I mentioned in the beginning? A final word of advice from her, “So the next time you hear the word “vulnerability”, remember the risk goes far beyond CVEs.”