Vulnerability Management - Core Concepts

What is a Vulnerability?

Commonly, a vulnerability is a flaw in a system that weakens the overall security of the device/system (Wikipedia).

Computers all use software to make them useful. The most visible software is the set of tools we interact with directly: email, browsers, spreadsheets, and so on. Less visible are the components that make up the Operating System (OS) on which that software runs. Even less visible is the software embedded in the ‘smart’ devices we all use for a variety of things, including lights, doorbells, door entry systems, cash registers, and so on (the list is almost endless); this embedded software is often referred to as firmware.

When software engineers write the code that becomes the software, OS or firmware, mistakes can be made in how data are handled (both internally and at input/output), in how access is controlled, and in how the software interacts with the OS and other processes. Sometimes these mistakes are the result of negligence; more commonly they come to light only when an unforeseen condition is discovered long after the software, OS or firmware has been published.

Where are vulnerabilities?

Literally anywhere there is ‘smartness’ (the kinds of devices listed above, for example) one can find vulnerabilities. Some vulnerabilities are latent: not yet discovered, whether through lack of testing or through obfuscation. All computer systems are incredibly complex, and with some operating ‘in the background’ there is not even awareness that vulnerabilities could be present.

Well-known vulnerabilities in common Operating Systems and popular software are frequently found unpatched, despite vendor-supplied patches being available.


What’s wrong with vulnerabilities?

Exploitation of vulnerable systems is the obvious outcome when an exploitable vulnerability is not patched and rendered ‘safe’. Exploitation affects one or more elements of the so-called CIA triad:

  • Confidentiality (data can be accessed only by authorized users)
  • Integrity (data can be relied on as intended)
  • Availability (data can be accessed ‘on demand’)


So the question is: which ones are exploitable? Pretty much every single one that has been reported, and then some, such as configuration errors, which don’t even attract a CVE. This is where the CVSS vector string becomes important, and in particular the AV (Access Vector) metric, which can take one of two values: L (Local) or N (Network). This tells us whether exploitation is achievable remotely or not, and therefore whether an attacker would first require ‘initial access’ to the system.
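As an added example (not part of the original article), the following Python parses a CVSS vector string, reads the AV metric and orders findings so that network-reachable ones are patched first. It goes beyond the two values named above: the CVSS v2 specification also defines A (Adjacent Network) and v3.x adds P (Physical), and only N and A are treated here as reachable without initial access. The finding ids and vectors are constructed placeholders, not real CVEs.

```python
from dataclasses import dataclass
# Access/Attack Vector values. CVSS v2 defines L, A and N; v3.x adds P (Physical).
AV_NAMES = {"N": "Network", "A": "Adjacent Network", "L": "Local", "P": "Physical"}
# Values reachable over a network without an existing foothold on the host.
REMOTE_AV = {"N", "A"}

@dataclass
class VectorInfo:
    version: str   # "2.0" when the string has no "CVSS:x.y" prefix
    metrics: dict  # every metric in the string, e.g. {"AV": "N", "AC": "L", ...}

    @property
    def access_vector(self) -> str:
        return self.metrics["AV"]

    @property
    def remotely_exploitable(self) -> bool:
        return self.access_vector in REMOTE_AV

def parse_cvss(vector: str) -> VectorInfo:
    """Parse 'CVSS:3.1/AV:N/...' or a bare v2 'AV:N/AC:L/...' string."""
    parts = vector.strip().split("/")
    version = "2.0"
    if parts[0].upper().startswith("CVSS:"):
        version = parts.pop(0).split(":", 1)[1]
    metrics = {}
    for part in parts:
        key, sep, value = part.partition(":")
        if not (key and sep and value):
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    if metrics.get("AV") not in AV_NAMES:
        raise ValueError(f"missing or unknown AV metric in {vector!r}")
    return VectorInfo(version, metrics)

def triage_order(findings: dict) -> list:
    """Return finding ids with network-reachable ones first (stable otherwise)."""
    return sorted(findings, key=lambda fid: not parse_cvss(findings[fid]).remotely_exploitable)

if __name__ == "__main__":
    # Constructed sample vectors; the ids are placeholders, not real CVEs.
    sample = {
        "FINDING-1": "AV:L/AC:L/Au:N/C:P/I:P/A:P",                   # v2, local
        "FINDING-2": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",  # v3.1, network
        "FINDING-3": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",  # v3.1, physical
    }
    for fid in triage_order(sample):
        info = parse_cvss(sample[fid])
        reach = "remote" if info.remotely_exploitable else "needs initial access"
        print(f"{fid}: CVSS {info.version} AV={AV_NAMES[info.access_vector]} -> {reach}")
```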

Types of vulnerability

The most common type of vulnerability is memory manipulation: implanting code in the RAM of the target computer and triggering its execution. Similarly, poor sanitization of input data is a common source of compromise.

Credential validation for the purpose of authentication can also fail in strange ways, for example a test account that does not require a password.

Hardware itself has been shown to be vulnerable to attack, whether by plugging FireWire cables into Apple MacBook computers to gain direct access to the memory bus (where data flows), or by tampering with the soldered connections on the electronic circuit boards, and so on.

High in prevalence, though rarely even measured, is the lowly user, who is tricked by social engineering techniques into clicking on links to nefarious websites whose content is typically known to contain exploits.
