Vulnerability (computing)
In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to perform unauthorized actions within a computer system.
To exploit a vulnerability, an attacker needs at least one applicable tool or technique that can reach the weakness. The set of points at which a system can be reached and attacked in this way is also called its attack surface.
Vulnerability management is the cyclical practice of finding and treating vulnerabilities. Its details vary from one framework to another, but the common steps are: discover all assets, prioritize them, assess them (typically with a complete vulnerability scan), report the results, remediate the vulnerabilities, verify the remediation, and repeat. In practice the term usually refers to software vulnerabilities in computing systems.
A security risk is often incorrectly classified as a vulnerability, and using the two words with the same meaning leads to confusion. A risk is the potential for significant impact resulting from the exploitation of a vulnerability; a vulnerability can therefore exist without risk, for example when the affected asset has no value. A vulnerability with one or more known instances of working, fully implemented attacks is classified as an exploitable vulnerability, that is, a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software to when access was removed, a security fix was available or deployed, or the attacker was disabled; see zero-day attack.
A security bug is a narrower concept: there are vulnerabilities that are not related to software at all. Hardware, site and personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.
Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities.
Definitions
IETF RFC 4949 defines vulnerability as:
The Committee on National Security Systems of the United States of America defined vulnerability in CNSS Instruction No. 4009 of 26 April 2010, the National Information Assurance Glossary, as:
NIST defines vulnerability in an IT context in several publications; the FISMApedia term page collects them. Among these, SP 800-30 gives a broader definition:
ENISA defines vulnerability as:
The Open Group defines vulnerability as:
Factor Analysis of Information Risk defines vulnerability as:
According to FAIR, vulnerability is related to control strength, i.e. the strength of a control as compared to a standard measure of force, and to threat capability, i.e. the probable level of force that a threat agent is capable of applying against an asset.
ISACA defines vulnerability in the Risk IT framework as:
Data and Computer Security: Dictionary of Standards, Concepts and Terms, by Dennis Longley and Michael Shain (Stockton Press), defines vulnerability as:
Matt Bishop and Dave Bailey give the following definition of a computer vulnerability:
The National Information Assurance Training and Education Center defines vulnerability as:
Vulnerability and risk factor models
A resource may have one or more vulnerabilities that can be exploited by a threat agent in a threat action. The result can potentially compromise the confidentiality, integrity or availability of resources belonging to an organization and/or other parties involved. This so-called CIA triad is the basis of information security.
An attack is active when it attempts to alter system resources or affect their operation, compromising integrity or availability. A passive attack attempts to learn or make use of information from the system without affecting system resources; it compromises confidentiality.
OWASP depicts the same phenomenon in slightly different terms: a threat agent through an attack vector exploits a weakness of the system and the related security controls, causing a technical impact on an IT resource connected to a business impact.
The overall picture represents the risk factors of the risk scenario.
Information security management system
A set of policies concerned with information security management, the information security management system, has been developed to manage, according to risk management principles, the countermeasures that ensure a security strategy is set up following the rules and regulations applicable to a given country. These countermeasures are also called security controls; when applied to the transmission of information they are called security services.
Classification
Vulnerabilities are classified according to the asset class they are related to:
- hardware
- * susceptibility to humidity
- * susceptibility to dust
- * susceptibility to soiling
- * susceptibility to unprotected storage
- software
- * insufficient testing
- * lack of audit trail
- * design flaw
- network
- * unprotected communication lines
- * insecure network architecture
- personnel
- * inadequate recruiting process
- * inadequate security awareness
- physical site
- * area subject to flood
- * unreliable power source
- organizational
- * lack of regular audits
- * lack of continuity plans
- * lack of security
Causes
- Complexity: Large, complex systems increase the probability of flaws and unintended access points.
- Familiarity: Using common, well-known code, software, operating systems and/or hardware increases the probability that an attacker already has, or can find, the knowledge and tools to exploit a flaw.
- Connectivity: More physical connections, privileges, ports, protocols and services, and longer periods during which each of them is reachable, increase vulnerability.
- Password management flaws: Users choose weak passwords that can be discovered by brute force, store passwords on the computer where a program can read them, or reuse the same password across many programs and websites.
- Fundamental operating system design flaws: The operating system designer chooses to enforce suboptimal policies on user/program management. For example, operating systems with a default-permit policy grant every program and every user full access to the entire computer, which lets viruses and malware execute commands with administrator privileges.
- Internet website browsing: Some websites may contain harmful spyware or adware that is installed automatically on the visiting computer. After visiting such sites the system becomes infected, and personal information is collected and passed on to third parties.
- Software bugs: The programmer leaves an exploitable bug in a program. The bug may allow an attacker to misuse the application.
- Unchecked user input: The program assumes that all user input is safe. Programs that do not validate user input can allow unintended direct execution of commands or SQL statements.
- Not learning from past mistakes: for example, most vulnerabilities discovered in IPv4 protocol software were rediscovered in the new IPv6 implementations.
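The "unchecked user input" cause above is easiest to see in SQL. The following is an added example, not code from the original article: a login lookup that splices the user's input into the SQL text next to the same lookup using parameterized queries. The users table, its two rows and the credentials are constructed for the demo; the attack strings are classic SQL injection payloads.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],  # constructed sample data
    )
    return conn


def login_unchecked(conn: sqlite3.Connection, name: str, password: str) -> list:
    # VULNERABLE: the input is pasted into the statement text, so quotes,
    # OR clauses and comment markers in the input change the query's meaning.
    query = (
        f"SELECT name FROM users WHERE name = '{name}' "
        f"AND password = '{password}' ORDER BY name"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> list:
    # FIXED: the statement structure is fixed at write time; the driver passes
    # the inputs as bound values, so they can only ever be compared as data.
    query = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name, password))]


if __name__ == "__main__":
    db = make_db()
    # Legitimate use works the same either way.
    print(login_unchecked(db, "alice", "s3cret"))        # ['alice']
    print(login_parameterized(db, "alice", "s3cret"))    # ['alice']
    # Tautology payload: AND binds tighter than OR, so '1'='1' matches every row.
    print(login_unchecked(db, "alice", "' OR '1'='1"))   # ['alice', 'bob']
    # Comment payload: everything after -- is ignored, so no password is checked.
    print(login_unchecked(db, "bob' --", "wrong"))       # ['bob']
    # The same payloads are harmless once they are passed as bound parameters.
    print(login_parameterized(db, "alice", "' OR '1'='1"))  # []
    print(login_parameterized(db, "bob' --", "wrong"))      # []
```

The fix is not to escape quotes by hand but to keep data and statement separate; every mainstream database driver offers placeholders for this.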
Vulnerability consequences
The impact of a security breach can be very high. In most jurisdictions it is treated as misconduct when IT managers or upper management know that IT systems and applications have vulnerabilities and take no action to manage the resulting IT risk. Privacy law obliges managers to act to reduce the impact or likelihood of that security risk. An information technology security audit is a way to let independent parties certify that the IT environment is managed properly, and it lessens the managers' responsibility by at least demonstrating good faith.
A penetration test is a form of verification of an organization's weaknesses and of the countermeasures it has adopted: a white hat hacker tries to attack the organization's information technology assets to find out how easy or difficult it is to compromise its IT security.
The proper way to manage IT risk professionally is to adopt an information security management system, following a standard such as ISO/IEC 27002 or the Risk IT framework, in accordance with the security strategy set forth by upper management.
One of the key concepts of information security is the principle of defence in depth, i.e. a multilayer defence system that can:
- prevent the exploit
- detect and intercept the attack
- find out the threat agents and prosecute them
Physical security is the set of measures that physically protect the information asset: if somebody can gain physical access to the asset, it is quite easy to make it unavailable to its legitimate users.
Sets of criteria that a computer, its operating system and its applications must satisfy to reach a given security level have been developed; ITSEC and the Common Criteria are two examples.
Vulnerability disclosure
Responsible disclosure of vulnerabilities is a topic of great debate. As reported by The Tech Herald in August 2010, "Google, Microsoft, TippingPoint, and Rapid7 have recently issued guidelines and statements addressing how they will deal with disclosure going forward." Under responsible disclosure the finder first alerts the affected vendors confidentially, then alerts CERT two weeks later, which grants the vendors a further 45-day grace period before a security advisory is published.
Full disclosure is the publication of all the details of a vulnerability, often with the intent of pressuring the authors of the software or procedure to find a fix urgently.
Well respected authors have published books on vulnerabilities and how to exploit them: is a good example.
Security researchers catering to the cyberwarfare or cybercrime industry have stated that this approach does not provide adequate income for their efforts; instead, they sell their exploits privately to enable zero-day attacks.
The never-ending effort to find new vulnerabilities and fix them is part of what is called computer security.
In January 2014, when Google revealed a Microsoft vulnerability before Microsoft had released a patch for it, a Microsoft representative called for coordinated disclosure practices among software companies.
Vulnerability inventory
The MITRE Corporation maintains a list of disclosed vulnerabilities in a system called Common Vulnerabilities and Exposures (CVE), where vulnerabilities are scored using the Common Vulnerability Scoring System (CVSS). OWASP collects a list of potential vulnerabilities with the aim of educating system designers and programmers, thereby reducing the likelihood of vulnerabilities being written unintentionally into software.
Vulnerability disclosure date
The time of disclosure of a vulnerability is defined differently in the security community and industry. It is most commonly referred to as "a kind of public disclosure of security information by a certain party". Usually, vulnerability information is discussed on a mailing list or published on a security website, and a security advisory follows. The time of disclosure is the first date on which the vulnerability is described on a channel where the disclosed information fulfils the following requirements:
- The information is freely available to the public
- The vulnerability information is published by a trusted and independent channel/source
- The vulnerability has undergone analysis by experts such that risk rating information is included upon disclosure
Many software tools exist that can aid in the discovery of vulnerabilities in a computer system. Though these tools can provide an auditor with a good overview of possible vulnerabilities present, they can not replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system.
Vulnerabilities have been found in every major operating system including Windows, macOS, various forms of Unix and Linux, OpenVMS, and others. The only way to reduce the chance of a vulnerability being used against a system is through constant vigilance, including careful system maintenance, best practices in deployment and auditing.
Examples of vulnerabilities
Vulnerabilities are related to:
- physical environment of the system
- the personnel
- management
- administration procedures and security measures within the organization
- business operation and service delivery
- hardware
- software
- communication equipment and facilities
- peripheral devices
- and their combinations.
Four examples of vulnerability exploits:
- an attacker finds and uses an overflow weakness to install malware to export sensitive data;
- an attacker convinces a user to open an email message with attached malware;
- an insider copies a hardened, encrypted program onto a thumb drive and cracks it at home;
- a flood damages one's computer systems installed at ground floor.
Software vulnerabilities
- Memory safety violations, such as:
- * Buffer overflows and over-reads
- * Dangling pointers
- Input validation errors, such as:
- * Code injection
- * Cross-site scripting in web applications
- * Directory traversal
- * E-mail injection
- * Format string attacks
- * HTTP header injection
- * HTTP response splitting
- * SQL injection
- Privilege-confusion bugs, such as:
- * Clickjacking
- * Cross-site request forgery in web applications
- * FTP bounce attack
- Privilege escalation
- Race conditions, such as:
- * Symlink races
- * Time-of-check-to-time-of-use bugs
- Side-channel attacks, such as:
- * Timing attacks
- User interface failures, such as:
- * Blaming the victim: prompting a user to make a security decision without giving the user enough information to answer it
- * Race conditions
- * Warning fatigue or user conditioning
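Directory traversal, listed above under input validation errors, is a good illustration of how a check must reason about the path the system will actually open rather than about the string the user typed. The following is an added example, not code from the original article: a purely lexical confinement check that normalizes the joined path and accepts it only if it still lies under the base directory. The base directory and the attack strings are constructed for the demo.

```python
import posixpath


class TraversalError(ValueError):
    """Raised when a user-supplied path would escape the base directory."""


def resolve_under(base_dir: str, user_path: str) -> str:
    """Return the normalized path for user_path confined to base_dir.

    Lexical check only: if base_dir itself may contain symlinks, canonicalize
    both sides with os.path.realpath before comparing, and decode any URL
    encoding (e.g. %2e%2e%2f) before calling this, since the check only sees
    literal characters.
    """
    base = posixpath.normpath(base_dir)
    # posixpath.join discards base_dir when the right-hand side is absolute
    # ("/etc/passwd"), so strip leading slashes and treat the input as relative.
    rel = user_path.lstrip("/")
    if "\x00" in rel:
        # A NUL would truncate the path at the OS boundary, hiding the tail
        # from any check that runs before the open() call.
        raise TraversalError("NUL byte in path")
    joined = posixpath.normpath(posixpath.join(base, rel))
    # Compare against base + "/" so that "/srv/files2/x" is not accepted
    # as being under "/srv/files".
    if joined != base and not joined.startswith(base + "/"):
        raise TraversalError(f"path escapes {base}: {user_path!r}")
    return joined


def escapes(base_dir: str, user_path: str) -> bool:
    """True if resolve_under would reject user_path (handy for tests/logging)."""
    try:
        resolve_under(base_dir, user_path)
        return False
    except TraversalError:
        return True


if __name__ == "__main__":
    base = "/srv/files"  # constructed base directory for the demo
    for candidate in (
        "docs/readme.txt",        # ordinary request
        "docs/../report.txt",     # '..' that stays inside the base
        "../../etc/passwd",       # classic traversal
        "docs/../../etc/shadow",  # traversal hidden behind a valid prefix
        "/etc/passwd",            # absolute path, would replace the base in a naive join
    ):
        try:
            print(f"allow  {candidate!r:28} -> {resolve_under(base, candidate)}")
        except TraversalError as err:
            print(f"REJECT {candidate!r:28} -> {err}")
```

The same shape of check applies wherever an untrusted string selects a file: serving downloads, extracting archive members, or loading templates by name.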