When protecting an organisation against cyber attacks, the terms security threat, vulnerability, risk exposure and sometimes exploit come up very often. Unfortunately, these terms are frequently used incorrectly or interchangeably, and are often left undefined.
Because security issues such as data breaches can adversely affect a business, it is essential for security professionals to understand these terms and the relationships between them.
This article explains what each of these terms means and how they are used together when calculating and assessing risk.
What are information security vulnerabilities?
Security vulnerabilities can be described as weaknesses in any IT asset, whether software flaws or hardware component flaws. These weaknesses act as entry points that allow an attacker to break into an organisation’s IT infrastructure, websites, operating systems or network.
Besides flaws that already exist in an IT component (software or hardware), vulnerabilities can also be introduced by human error, misconfiguration or simply a lack of implemented security controls.
A system with a weak password, a system that has not been updated, or one running legacy software: all of these introduce vulnerabilities that an attacker can use to their advantage.
Examples of computer security vulnerabilities
- Insecure encryption
- Broken authentication
- OS command injection
- SQL injection
- Insecure authorization
- Unrestricted file uploads allowing malicious uploads and execution
- Buffer overflows
Furthermore, some of the CVEs that CISA reported as routinely exploited during the Covid pandemic are:
- Citrix CVE-2019-19781
- Pulse Secure CVE-2019-11510
- Fortinet CVE-2018-13379
- F5 BIG-IP CVE-2020-5902
- MobileIron CVE-2020-15505
- Microsoft CVE-2017-11882
- Atlassian CVE-2019-11580
- Drupal CVE-2018-7600
- Microsoft CVE-2019-0604
- Microsoft CVE-2020-0787
- Microsoft CVE-2020-1472
Implementing vulnerability management and penetration testing
An organisation is bound to have vulnerabilities in its IT infrastructure, as attack vectors and methods increase day by day. However, organisations can run continuous vulnerability management and penetration testing exercises to establish a robust security posture.
A technical vulnerability management program helps organisations identify, classify, evaluate and mitigate vulnerabilities. Generally, such a program is carried out in the following steps:
- Preparation – Define the scope of the vulnerability assessments.
- Vulnerability scanning – Scan the in-scope assets for vulnerabilities, both manually and with automated tools such as a vulnerability scanner.
- Identification, classification and evaluation – Evaluate all vulnerabilities and identify the impact, severity and risk associated with each found security vulnerability.
- Mitigation – Figure out the appropriate mitigating controls with the help of asset owners to remediate the vulnerabilities.
- Revalidation – After the controls are implemented, a revalidation cycle is conducted to check whether the mitigating controls do in fact remediate the vulnerability.
In the vulnerability management process, an organisation can also hire independent third-party consultants to conduct a thorough penetration test of the assets in scope.
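The five steps above as a small working model, added here as an example rather than code from the article: constructed scanner output is filtered to the defined scope, scored, marked mitigated, and then revalidated against a second scan, with a finding that survives the fix being reopened. The names (Finding, run_cycle, SCOPE) and the severity-times-exposure scoring are assumptions for illustration.

```python
# Added example, not from the article: a minimal model of the five-step
# vulnerability management cycle. All names and the risk scoring are assumed.
from dataclasses import dataclass

# Step 1, preparation: assets in scope and an assumed exposure weight for each.
SCOPE = {"web-01": 3, "db-01": 2}
# Constructed scanner output as (asset, vulnerability, severity) triples.
SCAN_1 = [
    ("web-01", "SQL injection in login form", "critical"),
    ("web-01", "Outdated TLS library", "high"),
    ("db-01", "Default admin password", "critical"),
    ("backup-99", "Weak SSH ciphers", "medium"),   # out of scope: must be ignored
]
# Constructed revalidation scan: one finding survived the "fix".
SCAN_2 = [("web-01", "Outdated TLS library", "high")]
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Finding:
    asset: str
    name: str
    severity: str
    risk: int = 0
    status: str = "open"        # open -> mitigated -> closed, or back to open

def scan(raw, scope):
    """Step 2: keep only findings on in-scope assets."""
    return [Finding(a, n, s) for a, n, s in raw if a in scope]

def classify(findings, scope):
    """Step 3: risk = severity x asset exposure (assumed scoring), highest first."""
    for f in findings:
        f.risk = SEVERITY[f.severity] * scope[f.asset]
    return sorted(findings, key=lambda f: -f.risk)

def mitigate(findings):
    """Step 4: asset owners apply controls; findings are marked mitigated."""
    for f in findings:
        f.status = "mitigated"
    return findings

def revalidate(findings, rescan, scope):
    """Step 5: rescan; a finding still present is reopened, otherwise closed."""
    seen = {(f.asset, f.name) for f in scan(rescan, scope)}
    for f in findings:
        f.status = "open" if (f.asset, f.name) in seen else "closed"
    return findings

def run_cycle(first_scan, rescan, scope):
    """Run one full cycle; return (asset, name, risk, status) per finding."""
    findings = revalidate(mitigate(classify(scan(first_scan, scope), scope)), rescan, scope)
    return [(f.asset, f.name, f.risk, f.status) for f in findings]
```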
Examples of common vulnerabilities
There are a number of common security vulnerabilities that an organisation might be affected by; some of these are defined below:
- Broken authentication – This is an example of a web application vulnerability where an attacker can reach authenticated functionality because the login mechanism is faulty.
- Injections – An attacker can inject malicious payloads and gain access to sensitive data and functionality. Injection attacks include SQL, LDAP, command, XPath and JavaScript injection, among others.
- Using outdated components – Outdated software or hardware components can sometimes have code-level vulnerabilities; if these are not updated, an attacker can take advantage of them.
- Using default or weak passwords – More often than not, organisations do not change the default passwords on products such as routers, switches and cameras. If an attacker uses the product’s default password, they can gain access to that asset.
- Security misconfigurations – Usually, while deploying or implementing any technology, human error can cause misconfigurations. An attacker can leverage these misconfigurations to target the system.
What is a threat?
A threat is an event that has the potential to harm a system or the entire organisation. There are many types of threat to an organisation, including natural threats, such as floods and hurricanes; unintentional threats, such as an employee making a mistake; and intentional or insider threats, such as disgruntled employees.
A threat is usually associated with a security vulnerability, which means that the threat arises because a vulnerability exists. There might be cases where a vulnerability exists but no threat is associated with it. We will look into this in more detail in later parts of this article.
What is an exploit?
An exploit is when an attacker uses specific techniques, pieces of code or methods to take advantage of an existing vulnerability and target the IT system. By exploiting a vulnerability, an attacker causes harm to the organisation, such as gaining unauthorised access to sensitive systems.
For an attacker to exploit a system, a vulnerability needs to exist; this means that mitigating the vulnerability will render the exploit useless.
What are exploit kits?
With advances in malicious hacking, a new kind of tool has emerged known as the exploit kit. Exploit kits are embedded in malicious websites and automatically scan a visitor’s machine for vulnerabilities to exploit. If a vulnerability exists and is successfully exploited, the exploit kit delivers malware to the visitor’s system.
This is especially alarming as these kits are available to any tech-savvy or even non-expert user to deploy on their websites.