What is a vulnerability?

Oxford dictionary defines vulnerability as “the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally.”

In the context of information systems, NIST defines vulnerability as “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.”

In essence, a vulnerability is a weakness: a flaw in software, hardware or a process that an attacker can exploit.

Let's understand this further with a real-life example. Consider a large bank that is considered secure because it has all the modern security amenities at the main gate, such as:

  • a metal detector gate
  • a body scanner
  • an X-ray scanner for belongings
  • a security guard to catch any suspicious people
  • armed guards around the gate
  • access to more force if needed, and more

The layered security arrangements at the gate make it almost impossible for anyone with malicious intent to enter the bank. In the same bank, there is a lift connected to the parking lot. The parking lot area, on the contrary, does not have security arrangements as elaborate as the main gate. There is a guard with a metal detector but none of the other features. The guard could be less attentive during certain times of the day, or could be temporarily away from the location. The manually guarded parking lot area gives an intruder a window of opportunity to exploit the situation and get inside the bank.

The weak system at the parking lot is an example of a vulnerability.

Example of a Security Vulnerability:

Let's look at the Equifax breach as an illustrative example. Equifax Inc. is an American multinational consumer credit reporting agency. The data breach occurred between May and July 2017. Private records of ~150 million citizens of different nationalities were compromised in the breach, making it one of the largest cybercrimes related to identity theft. In a settlement with the United States Federal Trade Commission, Equifax offered affected users settlement funds and free credit monitoring.

It is likely that when planning the breach, the adversaries looked at all externally exposed assets (the external-facing portion of the Equifax attack surface) until they found a weakness. In this case, the weakness was an unpatched vulnerability in a public-facing web server. The initial attack vector targeted that vulnerability. From there, the attackers had internal access to Equifax and a broader addressable attack surface.

The next vectors in the Equifax breach leveraged trust relationships and compromised credentials. Since Equifax hadn’t properly segmented and isolated assets on their network, the attackers were able to move laterally, eventually finding a server that stored usernames and passwords in cleartext, giving them access to even more assets. On it went, until critical data was eventually exfiltrated from the Equifax network.

[Figure: Example of multiple attack vectors used in the Equifax breach]

What causes vulnerabilities?

Legacy vulnerability management tools, in use since the late 1990s, have historically narrowed the definition of a security vulnerability to mean only CVEs. Common Vulnerabilities and Exposures (CVE) is a database of publicly disclosed information security issues, released periodically by vendors. Hence, one common cause of vulnerabilities is known security issues in publicly released software packages. But CVEs are not the only vulnerabilities. Vulnerabilities can also be caused by issues such as weak passwords, misconfigurations, weak or missing encryption, and more. Jump to the next section for the details.

Different types of Security Vulnerabilities:

Unpatched Software

Unpatched security vulnerabilities allow attackers to run malicious code by leveraging a known security bug that has not been patched. The adversary will try to probe your environment looking for unpatched systems, and then attack them directly or indirectly.

Misconfiguration

System misconfigurations (e.g. assets running unnecessary services, or with vulnerable settings such as unchanged defaults) can be exploited by attackers to breach your network. The adversary will try to probe your environment looking for systems that can be compromised due to some misconfiguration, and then attack them directly or indirectly.

Weak Credentials

An attacker may use dictionary or brute force attacks to attempt to guess weak passwords, which can then be used to gain access to systems in your network.

Easy-to-phish users

Phishing is used by attackers to get users to inadvertently execute some malicious code, and thereby compromise a system, account or session. The adversary will send your users a link or malicious attachment over email (or other messaging system), often alongside some text/image that entices them to click.

Trust Relationship

Attackers can exploit trust configurations that have been set up to permit or simplify access between systems (e.g. mounted drives, remote services) to propagate across your network. The adversary, after gaining access to a system, can then proceed to breach other systems that implicitly trust the originally compromised system.

Compromised Credentials

An attacker can use compromised credentials to gain unauthorized access to a system in your network. The adversary will try to somehow intercept and extract passwords from unencrypted or incorrectly encrypted communication between your systems, or from unsecured handling by software or users. The adversary may also exploit reuse of passwords across different systems.

Malicious Insider

An employee or a vendor who has access to your critical systems can decide to exploit that access to steal or destroy information or to impair those systems. This is particularly important for privileged users and critical systems.

Missing/Poor Encryption

When encryption is missing or weak, an attacker can intercept communication between systems in your network and steal information. The attacker can intercept unencrypted or poorly encrypted traffic and then extract critical information, impersonate either side, and possibly inject false information into the communication between systems.

Zero-days & Unknown Methods

Zero-days are specific software security vulnerabilities known to the adversary but for which no fix is available, often because the bug has not been reported to the vendor of the vulnerable system. The adversary will try to probe your environment looking for systems that can be compromised by the zero-day exploit they have, and then attack them directly or indirectly.

[Figure: Different types of security vulnerabilities]

What is the difference between vulnerability and risk?

A vulnerability is a weakness which can be exploited to gain unauthorized access to, or perform unauthorized actions on, a computer system. Vulnerabilities can allow attackers to get direct access to a system or a network, run code, install malware, and access internal systems to steal, destroy, or modify sensitive data. If it goes undetected, it could allow an attacker to pose as a super-user or system administrator with full access privileges.

[Figure: Risk equation, where risk equals likelihood (%) multiplied by impact ($)]

Risk is defined as the probability of a loss event occurring in a given unit of time (likelihood) multiplied by the expected magnitude of loss resulting from that loss event (impact). Cyber risk is the expected loss resulting from a cyberattack or data breach. Vulnerability is a component of the likelihood term of the risk equation.
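To tie the bank analogy to the risk equation, here is an added toy model (not from the original page) that treats each entry path as a set of layered controls, computes the likelihood that an intruder passes all of them, and multiplies the weakest path's likelihood by the impact. All detection probabilities and the impact figure are constructed assumptions, not measured data.

```python
# Added example: risk = likelihood x impact, applied to the bank analogy.
# Each path into the bank is a dict of control -> probability that the
# control stops an intruder (constructed values, not real measurements).
# Assumption: controls act independently, so the chance of passing a path
# is the product of each control's miss rate (1 - detection probability).

from functools import reduce

# Constructed detection probabilities for the page's two entry paths.
MAIN_GATE = {"metal_detector": 0.8, "body_scanner": 0.85, "xray": 0.7,
             "guard": 0.6, "armed_guards": 0.5}
PARKING_LOT = {"metal_detector": 0.8, "part_time_guard": 0.3}


def path_likelihood(controls):
    """Probability an intruder passes every control on this path."""
    return reduce(lambda p, detect: p * (1.0 - detect), controls.values(), 1.0)


def risk(likelihood, impact_dollars):
    """The page's risk equation: expected loss = likelihood x impact."""
    return likelihood * impact_dollars


def weakest_path(paths):
    """The vulnerability: the path with the highest pass-through likelihood."""
    scored = ((name, path_likelihood(c)) for name, c in paths.items())
    return max(scored, key=lambda item: item[1])


def bank_risk(impact_dollars, paths=None):
    """Risk of the whole bank is driven by its weakest entry path."""
    paths = paths or {"main_gate": MAIN_GATE, "parking_lot": PARKING_LOT}
    name, likelihood = weakest_path(paths)
    return {"weakest_path": name,
            "likelihood": round(likelihood, 4),
            "risk_usd": round(risk(likelihood, impact_dollars), 2)}


def with_control(path, control, detect_prob):
    """Mitigation: add one more layer to a path and return the new path."""
    return {**path, control: detect_prob}


if __name__ == "__main__":
    print(bank_risk(10_000_000))
    fixed = with_control(PARKING_LOT, "body_scanner", 0.85)
    print(bank_risk(10_000_000, {"main_gate": MAIN_GATE, "parking_lot": fixed}))
```

Adding a single extra control to the parking lot path cuts its likelihood, and therefore the bank's risk, by the same factor, which is the quantitative version of the page's point that the weakest path sets the risk.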

What is a vulnerability database?

A vulnerability database is a platform aimed at collecting, maintaining, and disseminating information about discovered computer security vulnerabilities. The database will customarily describe the identified vulnerability, assess the potential impact on affected systems, and list any workarounds or updates that mitigate the issue. A vulnerability database assigns a unique identifier to each cataloged vulnerability, such as a number (e.g. 123456) or an alphanumeric designation (e.g. VDB-2020-12345). Information in the database can be made available via web pages, exports, or an API. Some vulnerability databases are:

NVD – The National Vulnerability Database (NVD) is a database, maintained by NIST, that is fully synchronized with the MITRE CVE list.

CVE – Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed vulnerabilities and exposures that is maintained by MITRE.

Key quotes about security vulnerability

  • “It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.” – Stephane Nappo
  • “We discovered in our research that insider threats are not viewed as seriously as external threats, like a cyberattack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever.” – Dr. Larry Ponemon
  • “The knock-on effect of a data breach can be devastating for a company. When customers start taking their business—and their money—elsewhere, that can be a real body blow.” – Christopher Graham
