What is It?
In cyber security, a vulnerability is a flaw or weakness in a system that a threat actor can exploit to bypass the protection mechanisms put in place for confidentiality, integrity and availability. Vulnerabilities can allow attackers to gain unauthorized access to resources, to steal, modify or destroy data, to install malware and so on.
Other definitions of security vulnerability, as given in standards and other resources, are as follows:
- National Institute of Standards and Technology (NIST): A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
- ISO 27005: A weakness on an asset or group of assets that can be exploited by one or more threats, where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization’s mission.
- IETF RFC 4949: A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.
- European Union Agency for Cybersecurity (ENISA): The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the computer system, network, application, or protocol involved.
What Causes Vulnerabilities?
To understand what causes security vulnerabilities in a system, the definition of cyber security needs to be revisited.
Cyber security is the protection of the confidentiality, integrity and availability of information, whether it is in transit, in processing or at rest, and of the underlying information systems (both hardware and software), in a cyber space where people, processes and technology are involved, through the application of policy, training & awareness and technology.
According to this definition, a system in cyber security consists of three components: people, processes and technology. Any flaw or weakness in the design or implementation of a system or of its security controls, with respect to any of these components, causes vulnerabilities. The following is a more detailed list of causes of security vulnerabilities:
- Operating System Flaws: Operating systems are fundamental in establishing a secure environment. Largely because of their size and complexity, operating systems contain many vulnerabilities. Known operating system vulnerabilities can be remediated through updates or patches.
- Software Bugs: In addition to operating systems, the applications running on top of them also introduce vulnerabilities frequently. Schedule pressure on projects, complexity of the software, inadequate security training of developers and insufficient security testing are some of the reasons vulnerabilities end up in software. Known software vulnerabilities can be eliminated through updates or patches. To learn which common errors cause vulnerabilities in software, you can refer to the CWE Top 25 Most Dangerous Software Weaknesses, published by MITRE.
- Hardware/Firmware Flaws: Not only software but also hardware and firmware contain vulnerabilities. Moreover, these flaws are harder to detect, harder to fix (a firmware or microcode update, or replacing the hardware, rather than a software patch) and usually more critical than software vulnerabilities.
- Communication or Security Protocol Flaws: Sometimes vulnerabilities arise from design flaws in a protocol rather than from its implementation in software or hardware. For instance, a weakness in a cryptographic algorithm (e.g., DES, whose 56-bit key can be recovered by brute force) or in a communication protocol (e.g., Telnet transmits credentials and session data in clear text).
- Misconfigurations: Vulnerabilities can also arise from misconfiguration of a system. Default configurations may be insecure, or a secure initial configuration may later be changed, inadvertently or to meet user needs.
- Poor Password Management: Weak passwords, default passwords, reused or shared passwords are usually the most lucrative vulnerabilities for attackers.
- Lack of or Insufficient Security Training & Awareness: People are at the heart of a cyber system, and not only systems but also people can be hacked, through social engineering attacks. As Bruce Schneier states, "Amateurs hack systems, professionals hack people." Sometimes even the most security-aware users can be fooled into installing malware or divulging information that can be leveraged to conduct attacks.
- Lack of or Incomplete Security Processes: Processes define how people interact with the technology. Thus, to ensure a secure system, processes need to be thorough and implemented carefully.
Also note that vulnerabilities can be introduced into a system deliberately or inadvertently. A hidden backdoor in a program, or malware bundled into a downloaded file, are examples of intentionally created vulnerabilities.
"One single vulnerability is all an attacker needs." Window Snyder
Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.
What Is a Zero-Day Vulnerability?
A zero-day vulnerability is a weakness in a system that has been identified by hackers (either white hat or black hat) but is unknown to, or unaddressed by, the system owners, developers or the general community; the name refers to the defenders having had zero days to prepare a fix. A security vulnerability can therefore be considered a zero-day until a patch/update or a mitigation is issued, or until the details of the vulnerability are disclosed to the general public.
What is Vulnerability Management?
Vulnerability management is defined as the security practice that proactively identifies, evaluates and resolves vulnerabilities in an IT system.
Since both the system under evaluation and the attacks against it are constantly evolving, vulnerability management should be conducted as a cyclic, repeated process that responds to these changes and progressively establishes a more secure system.
A vulnerability management process consists of the following steps:
- Vulnerability Identification: Vulnerabilities in a system can be detected through vulnerability scanning (using vulnerability scanner tools), penetration testing or security testing (source code review and testing).
- Vulnerability Verification: Detected vulnerabilities should be verified to eliminate false positives before effort is spent on them.
- Vulnerability Assessment: As part of a risk assessment process, vulnerability assessment evaluates the probability of a vulnerability being exploited by an attacker and determines the impact should the vulnerability be exploited. Based on the findings of the assessment, a resolution strategy is determined in the next step.
- Vulnerability Resolution: Once a vulnerability has been discovered and assessed, fixing or patching it (vulnerability remediation) is the ideal way to eliminate a known vulnerability from a system. In some cases, however, a fix or patch is not available, or it cannot be applied because of restrictions such as compatibility issues with other systems. In such circumstances, compensating controls, such as blocking (or restricting) the related ports on a firewall, can be applied to mitigate the vulnerability. Note that mitigation is usually a temporary measure that buys time until a remediation, such as patching or updating, can be applied.
A vulnerability database is a platform that collects, maintains and shares information about discovered vulnerabilities. The National Vulnerability Database (NVD) is the largest and best known of these. In the NVD, each vulnerability is uniquely identified by its Common Vulnerabilities and Exposures (CVE) ID. In addition to the CVE ID, each NVD record carries a severity score computed with the Common Vulnerability Scoring System (CVSS), one or more Common Platform Enumeration (CPE) names identifying the affected products (the CPE "part" field states whether the product is hardware, an operating system or an application), and a Common Weakness Enumeration (CWE) entry classifying the underlying type of weakness.
To learn more about vulnerabilities, you could also read our article What Is Vulnerability Scanning?