What is a Vulnerability?
A vulnerability is a weakness that cybercriminals can exploit to gain unauthorized access to information or perform illegal actions on a computer system.
According to the National Institute of Standards and Technology (NIST), the weakness can be in an information system, system security procedures, internal controls, or implementation that threat sources could trigger and exploit.
Vulnerabilities give hackers leeway to run malicious code, access computer memory, install malware, and steal or destroy sensitive information.
Key Takeaways
- A vulnerability is a weakness that cybercriminals exploit to gain unauthorized access to systems and information
- Hackers exploit vulnerabilities through different methods, such as SQL injection and buffer overflows
- A vulnerability is a weakness or flaw that hackers can exploit, while a risk is the probability and impact of a hacker using the vulnerability
- Vulnerability sources include complex systems, familiar code, internet connectivity, operating system and software bugs, and people
- Conduct vulnerability scanning to detect system flaws and isolate insecure systems before applying vendor patches
Vulnerability Vs. Risk
People use the terms vulnerability and risk interchangeably. However, they are not the same thing.
A vulnerability is a flaw or weakness that hackers can exploit, while a risk is the probability and impact of a cybercriminal exploiting a vulnerability. If a vulnerability has a low impact and probability, then the risk is low. Conversely, vulnerabilities with high likelihood and impact represent high risks.
Some common vulnerabilities pose no risk if their probability and impact are negligible.
What is an Exploitable Vulnerability?
An exploitable vulnerability has one or more working attack vectors. An attack vector is a path or means by which a cybercriminal gains unauthorized access to a computer or network to deliver a negative outcome. Attack vectors allow attackers to exploit system vulnerabilities and launch cyberattacks.
Both cybercriminals and ethical hackers regularly search for exploitable vulnerabilities, the former to perform illegal activities and the latter to secure a system.
Sources of Vulnerabilities
Several factors cause vulnerabilities:
- Complex systems – while setting up a complex system, tech personnel can leave a flaw, misconfiguration, or unintended access
- Familiarity – using open-source software, shared code, and common operating systems increases the probability of a hacker discovering exploitable vulnerabilities
- Connectivity – connecting devices to the internet increases vulnerabilities. The internet has a wide range of spyware and adware that hackers install automatically on victims’ computers
- Unpatched operating system – operating systems have flaws, making them insecure by default. Hackers can quickly launch viruses and malware in an outdated OS
- Software bugs – developers can accidentally or deliberately leave exploitable bugs in applications
- Unvalidated user input – failing to check user input in website forms may lead to SQL injection
- Unencrypted data in the network – lack of encryption makes it easy for attackers to steal and misuse sensitive information
- Superuser and admin account privileges – many companies fail to control user access privileges, allowing every user in the network to have administrator-level access
- People – the human factor plays a significant role in making businesses vulnerable. Non-IT staff are often the weakest link, unknowingly clicking malicious attachments that spread malware from their computers to the entire network
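The unvalidated-input item above is the one source on this list that can be shown in a few lines of code. The following is an added example, not code from the original article: a login-style lookup written twice against a constructed in-memory SQLite table, once by pasting the form value into the SQL text and once in the hardened form (an allow-list check on the field plus a bound parameter). The table contents, the field rules, and the test input are all assumptions made for the example.

```python
import re
import sqlite3

# Allow-list check for the form field: lowercase letters, digits and
# underscores, 1-32 characters. Anything else is rejected before it reaches SQL.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def is_valid_username(value):
    return bool(USERNAME_RE.match(value))


def make_db():
    # Constructed in-memory table with two sample rows (not from the article).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_unvalidated(conn, username):
    # Vulnerable form: the form value is pasted into the SQL text, so a quote
    # character in the input changes the structure of the statement.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    # Hardened form: reject input that fails the allow-list, then bind the value
    # as a parameter so the database never parses it as SQL.
    if not is_valid_username(username):
        return []
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = make_db()
    normal = "alice"
    hostile = "x' OR '1'='1"  # constructed test input that closes the quote early
    return {
        "vuln_normal": lookup_unvalidated(conn, normal),
        "vuln_hostile": lookup_unvalidated(conn, hostile),
        "safe_normal": lookup_hardened(conn, normal),
        "safe_hostile": lookup_hardened(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running the script shows the difference in one glance: the concatenated query returns every row for the hostile input because the statement has become `WHERE username = 'x' OR '1'='1'`, while the hardened lookup returns nothing for it and still finds `alice` for the normal value. The parameter binding is what fixes the flaw; the allow-list is defence in depth that also catches values the application never expects.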
Popular Vulnerabilities
The National Vulnerability Database (NVD) shares most of the previously disclosed vulnerabilities. The flaws are enumerated in the Common Vulnerabilities and Exposures (CVE) List, making it easier for cybersecurity experts to share data across separate vulnerabilities.
Some notable vulnerabilities include:
- CVE-2019-19781 – An arbitrary code execution vulnerability in Citrix VPN appliances
- CVE-2017-11882 – a memory corruption vulnerability in Microsoft Office (affected products: Microsoft 2013 SP3/2010 SP2/2013 SP1/2016)
- CVE-2017-0199 – a remote code execution vulnerability in Microsoft Office and WordPad (affected software: Microsoft 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1)
- CVE-2019-11510 – an arbitrary file read vulnerability in Pulse Secure VPN servers: a remote attacker can send a specially crafted URI to read arbitrary files
- CVE-2019-0708 (BlueKeep) – a remote code execution vulnerability in Remote Desktop Services on Windows operating systems
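The CVE list gives every flaw a shared identifier and the NVD attaches a CVSS base score to it, but, as the Vulnerability vs. Risk section above says, risk also depends on how likely exploitation is in a given environment. The following added example (not code from the article or from NVD) reads a constructed JSON feed in the shape of the NVD API 2.0 "vulnerabilities" array, checks the identifier syntax, and combines each base score (used as the impact proxy) with an asset-context likelihood to rank findings. The placeholder identifiers, scores, weighting and thresholds are all assumptions made for the example.

```python
import json
import re

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")  # CVE identifier syntax

# Constructed records in the assumed shape of the NVD API 2.0 "vulnerabilities"
# array. Placeholder identifiers and scores, not published NVD data.
SAMPLE_NVD_JSON = """
{"vulnerabilities": [
  {"cve": {"id": "CVE-2000-0001",
           "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
  {"cve": {"id": "CVE-2000-0002",
           "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
  {"cve": {"id": "CVE-2000-0003",
           "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}]}}}
]}
"""

# Constructed asset context: where each flaw actually sits in this environment.
ASSET_CONTEXT = {
    "CVE-2000-0001": {"internet_exposed": True, "exploit_public": True},
    "CVE-2000-0002": {"internet_exposed": False, "exploit_public": False},
    "CVE-2000-0003": {"internet_exposed": True, "exploit_public": False},
}


def load_base_scores(nvd_json):
    """Map CVE id -> CVSS base score, validating the identifier format."""
    scores = {}
    for entry in json.loads(nvd_json)["vulnerabilities"]:
        cve = entry["cve"]
        if not CVE_ID.match(cve["id"]):
            raise ValueError("malformed CVE id: %r" % cve["id"])
        metric = cve["metrics"]["cvssMetricV31"][0]["cvssData"]
        scores[cve["id"]] = float(metric["baseScore"])
    return scores


def likelihood(ctx):
    # Assumed weighting (not from the article or NVD): a base chance of 0.2,
    # plus 0.4 if the asset is reachable from the internet and 0.4 if a
    # working exploit is public.
    score = 0.2
    if ctx["internet_exposed"]:
        score += 0.4
    if ctx["exploit_public"]:
        score += 0.4
    return score


def impact(base_score):
    # The CVSS base score (0-10) stands in for impact, scaled to 0-1.
    return base_score / 10.0


def risk(base_score, ctx):
    # Risk as the article defines it: probability times impact.
    return round(likelihood(ctx) * impact(base_score), 2)


def level(risk_value):
    # Assumed thresholds for a three-band rating.
    if risk_value >= 0.6:
        return "high"
    if risk_value >= 0.3:
        return "medium"
    return "low"


def triage(nvd_json=SAMPLE_NVD_JSON, context=ASSET_CONTEXT):
    """Return (cve_id, risk, level) tuples, highest risk first."""
    scores = load_base_scores(nvd_json)
    rows = []
    for cve_id, base in scores.items():
        r = risk(base, context[cve_id])
        rows.append((cve_id, r, level(r)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for cve_id, r, lvl in triage():
        print(cve_id, r, lvl)
```

The two 9.8-scored records come out at opposite ends of the ranking: the one on an internet-facing asset with a public exploit is rated high, while the identical score on an isolated asset with no known exploit is rated low, which is the article's point that a severe vulnerability with negligible probability is a small risk.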
Detecting and Mitigating Vulnerabilities in Your Systems
You can deploy relevant tools and skills to conduct vulnerability assessments and scans to identify, analyze, and address flaws in hardware or systems that could allow hackers to attack your IT resources.
Some companies offer bug bounties to encourage ethical hackers to search for vulnerabilities in systems.
After detecting vulnerabilities in your system, you can take the affected IT asset offline and install a patch from vendors.
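The core of a vulnerability scan is matching what is installed against what vendors have fixed. The following is an added example, not code from the article or any scanner product: a constructed advisory feed and a constructed host inventory are compared by numeric version, and each finding carries the mitigation order the section above gives (isolate the asset, apply the vendor patch, rescan). Product names, versions and CVE identifiers are placeholders chosen for the example.

```python
from dataclasses import dataclass


def parse_version(text):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Advisory:
    product: str
    fixed_in: str   # first version that contains the vendor fix
    cve_id: str     # placeholder identifiers below, not real records


# Constructed advisory feed (assumed format, not a real vendor feed).
ADVISORIES = [
    Advisory("webframe", "2.4.1", "CVE-2000-0101"),
    Advisory("sshserv", "8.1.0", "CVE-2000-0102"),
    Advisory("imglib", "1.10.0", "CVE-2000-0103"),
]

# Constructed inventory of one host, as a scanner agent would collect it.
INVENTORY = {
    "webframe": "2.4",      # below 2.4.1 -> vulnerable (shorter tuple compares lower)
    "sshserv": "8.1.0",     # equals the fixed version -> patched
    "imglib": "1.9.12",     # below 1.10.0 numerically, although '1.9.12' > '1.10.0' as text
    "dbengine": "5.0.2",    # no advisory -> not reported
}


def scan(inventory, advisories):
    """Return one finding per product whose installed version predates the fix."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.product)
        if installed is None:
            continue  # product not present on this host
        if parse_version(installed) < parse_version(adv.fixed_in):
            findings.append({
                "product": adv.product,
                "installed": installed,
                "fixed_in": adv.fixed_in,
                "cve_id": adv.cve_id,
                # Mitigation order from the article: isolate first, then patch.
                "actions": ["isolate host",
                            "apply vendor patch %s" % adv.fixed_in,
                            "rescan"],
            })
    return findings


if __name__ == "__main__":
    for f in scan(INVENTORY, ADVISORIES):
        print(f["cve_id"], f["product"], f["installed"], "->", f["fixed_in"])
```

The `imglib` entry is the case that catches naive scanners: compared as strings, "1.9.12" sorts after "1.10.0" and the host would wrongly pass, so versions are split into integer tuples before the comparison. A product equal to the fixed version is reported as patched, and products with no advisory are left out rather than flagged.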