When protecting an organisation against cyber attacks, the terms security threat, vulnerability, risk exposure and, sometimes, exploit come up constantly. Unfortunately, they are often used incorrectly or interchangeably, and are rarely defined.
For security issues such as data breaches that may adversely affect a business, it is essential for security professionals to understand these terms and the relationship between vulnerability, threats, exploits and risk. This is equally beneficial for security teams that need to interpret penetration testing results, information security reviews, security compliance assessments, third-party risk management and cyber risk assessments.
This article explains what each of these terms means and how they fit together when assessing and calculating risk.
What are information security vulnerabilities?
A security vulnerability is a weakness in an IT asset, whether a flaw in a software or hardware component, that gives an attacker an entry point into an organisation's infrastructure, websites, operating systems or network.
Vulnerabilities are not only flaws in the component itself; they are also introduced by human error, misconfiguration, or simply the absence of a security control that should have been in place.
A system with a weak password, a system that has not been patched, or one running legacy software: each of these introduces a vulnerability that an attacker can use to their advantage.
Examples of computer security vulnerabilities
The following are well-known classes of security vulnerability; most of them appear in the OWASP Top 10 web application risks (buffer overflows are a native-code issue outside that list).
- Insecure encryption (OWASP calls this class cryptographic failures)
- Broken authentication
- OS command injection
- SQL injection
- Insecure authorisation
- Unrestricted file uploads allowing malicious uploads and execution
- Buffer overflows
Furthermore, CISA's joint advisory on routinely exploited vulnerabilities lists the following among the CVEs most exploited during 2020, the first year of the Covid pandemic:
- Citrix ADC/Gateway CVE-2019-19781 (directory traversal leading to remote code execution)
- Pulse Secure Pulse Connect Secure CVE-2019-11510 (arbitrary file read, used to steal VPN credentials)
- Fortinet FortiOS SSL VPN CVE-2018-13379 (path traversal exposing session credentials)
- F5 BIG-IP TMUI CVE-2020-5902 (remote code execution)
- MobileIron Core CVE-2020-15505 (remote code execution)
- Microsoft Office Equation Editor CVE-2017-11882 (memory corruption leading to code execution from a crafted document)
- Atlassian Crowd CVE-2019-11580 (unauthenticated remote code execution)
- Drupal CVE-2018-7600 ("Drupalgeddon 2", remote code execution)
- Microsoft SharePoint CVE-2019-0604 (remote code execution)
- Microsoft Windows BITS CVE-2020-0787 (local privilege escalation)
- Microsoft Netlogon CVE-2020-1472 ("Zerologon", domain privilege escalation)
Implementing vulnerability management and penetration testing
Any organisation will have vulnerabilities in its IT infrastructure, and new attack vectors and techniques appear daily. What an organisation can do is run a continuous vulnerability management programme, backed by regular penetration testing, to build and maintain a robust security posture.
A technical vulnerability management program is used to aid organisations in identifying, classifying, evaluating and mitigating vulnerabilities. Generally, these programs can be carried out in the following steps:
- Preparation – Define the scope of the vulnerability assessments.
- Vulnerability scanning – Scan the in-scope assets with automated tools (network scanners, website vulnerability scanners) and supplement the results with manual checks for issues the tools cannot detect.
- Identification, classification and evaluation – Evaluate all vulnerabilities and identify the impact, severity and risk associated with each found security vulnerability.
- Mitigation – Identify the appropriate mitigating controls with the help of asset owners to remediate the vulnerabilities.
- Revalidation – After the controls are implemented, rescan or retest to confirm that each vulnerability has actually been remediated and that no new issues were introduced.
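The classification and revalidation steps above are where most programmes go wrong in practice: findings are not tracked by a stable identity, so nobody can say which issues were fixed and which merely disappeared from a report. The following is an added example, not code from the original article, showing the two steps over two constructed scan exports. The finding records, the (host, plugin_id) identity, the CVSS bands and the SLA_DAYS deadlines are assumptions for the demonstration; substitute your own scanner's fields and your own remediation policy.

```python
"""Vulnerability triage and revalidation over two constructed scan exports."""
from collections import Counter

# Constructed findings (not real scanner output). A finding is identified by
# host + plugin_id, so the same issue on two hosts is tracked separately.
BASELINE_SCAN = [
    {"host": "web-01", "plugin_id": "10001", "title": "Outdated CMS (SQL injection)", "cvss": 9.8},
    {"host": "web-01", "plugin_id": "10002", "title": "TLS 1.0 enabled", "cvss": 5.3},
    {"host": "vpn-01", "plugin_id": "10003", "title": "SSL VPN path traversal", "cvss": 9.8},
    {"host": "cam-03", "plugin_id": "10004", "title": "Default credentials", "cvss": 8.8},
]

# Rescan after the mitigation step: two issues fixed, two still open, one new.
REVALIDATION_SCAN = [
    {"host": "web-01", "plugin_id": "10002", "title": "TLS 1.0 enabled", "cvss": 5.3},
    {"host": "cam-03", "plugin_id": "10004", "title": "Default credentials", "cvss": 8.8},
    {"host": "web-01", "plugin_id": "10005", "title": "Directory listing enabled", "cvss": 5.3},
]

# Remediation deadline in days per severity band (assumed policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def severity(cvss):
    """Map a CVSS v3 base score to its qualitative severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def key(finding):
    """Stable identity of a finding across scans."""
    return (finding["host"], finding["plugin_id"])


def classify(findings):
    """Classification step: number of findings in each severity band."""
    return Counter(severity(f["cvss"]) for f in findings)


def revalidate(baseline, rescan):
    """Revalidation step: which baseline findings are gone, which persist,
    and which findings appeared only after the remediation work."""
    before = {key(f) for f in baseline}
    after = {key(f) for f in rescan}
    return {
        "remediated": sorted(before - after),
        "still_open": sorted(before & after),
        "new": sorted(after - before),
    }


def overdue(findings, age_days):
    """Findings whose age exceeds the SLA for their severity band.
    age_days maps (host, plugin_id) -> days since the finding was first seen."""
    return sorted(
        key(f) for f in findings
        if age_days.get(key(f), 0) > SLA_DAYS[severity(f["cvss"])]
    )


if __name__ == "__main__":
    print("baseline by severity:", dict(classify(BASELINE_SCAN)))
    print("revalidation:", revalidate(BASELINE_SCAN, REVALIDATION_SCAN))
    print("overdue:", overdue(BASELINE_SCAN, {("web-01", "10001"): 10, ("cam-03", "10004"): 20}))
```

The point of keying on (host, plugin_id) rather than on the finding title is that titles change between scanner versions; a "new" finding that is really a renamed old one would otherwise reset its SLA clock.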
As part of the vulnerability management process, an organisation can engage independent third-party consultants to conduct a thorough penetration test of the assets in scope.
It is also essential to understand the difference between penetration testing and vulnerability scanning, and, if vulnerability scanning is chosen, the different types of scan, the scanning process and how often scans should run.
Examples of common vulnerabilities
There are several common security vulnerabilities that an organisation might be affected by; some of these are defined below:
- Broken authentication – This is an example of a web application vulnerability where an attacker can gain access to authenticated functionality because the login mechanism is faulty.
- Using outdated components – Outdated software or hardware components can sometimes have code-level vulnerabilities; if these are not updated, an attacker can take advantage of these vulnerabilities.
- Using default or weak passwords – Often, organisations do not change the default passwords for products such as routers, switches, cameras, etc. If an attacker uses the product or solution’s default password, they can get access to that asset.
- Security misconfigurations – While deploying or implementing any technology, human error can cause misconfigurations. An attacker can leverage these misconfigurations and target the system.
What is a threat?
A threat is any potential event or actor that could harm an organisation's systems. Threats come in many forms: natural threats, such as floods and hurricanes; unintentional threats, such as an employee making a mistake; and intentional threats, including insider threats from disgruntled employees.
A threat is usually discussed alongside a vulnerability, because a threat only matters to the organisation when a vulnerability exists that it can act on. There are also cases where a vulnerability exists but no threat is associated with it. We will look at this in more detail later in this article.
What is an exploit?
An exploit is the specific technique, code or method an attacker uses to take advantage of an existing vulnerability and compromise the target system. By exploiting a vulnerability an attacker causes harm to the organisation, for example by gaining unauthorised access to sensitive systems.
For an attacker to exploit a system, a vulnerability has to exist; mitigating the vulnerability renders the exploit useless.
In that sense risk treatment is like a doctor prescribing for a patient's illness based on the symptoms: remove the underlying condition and the symptom goes with it.
What are exploit kits?
Exploit kits are packaged toolkits embedded in malicious or compromised websites. When a visitor arrives, the kit fingerprints the browser, its plugins and the operating system for known vulnerable versions and serves a matching exploit; if exploitation succeeds, the kit drops malware onto the visitor's machine.
This is especially alarming because these kits are sold or leased ready-made, so a non-expert can deploy one on a website without writing any exploit code.
A zero-day vulnerability is one that is not yet known to the vendor or asset owner, so no patch exists for it. For example, Microsoft Windows is used by a very large number of people worldwide. Suppose an attacker researching Windows finds a vulnerability that is not publicly known and writes an exploit for it. Because neither the public nor Microsoft knows the vulnerability exists, it is a zero-day vulnerability, and it remains one until the vendor learns of it and ships a fix.
Zero-days are dangerous because the exploit typically goes undetected by signature-based antivirus software, as no signature yet exists for it.
Publicly available vulnerability repositories
When a vulnerability is discovered and exploit code is written for it, the authors frequently publish that code on the public internet. Sites such as Exploit-DB maintain collections of publicly available exploits, while CVE, NVD and OVAL catalogue the vulnerabilities themselves (identifiers, affected versions, severity scores) and link to available fixes and exploits.
So if a company is running outdated, vulnerable components, the chances are that exploit code for those vulnerabilities already exists and is freely available to anyone who wants to target that asset.
Examples of exploiting vulnerabilities
To get a better understanding of how vulnerabilities are exploited, let’s consider a few examples:
A company's website is built on a CMS. The CMS is outdated and contains a publicly known SQL injection vulnerability.
An attacker searches the internet for known vulnerabilities in that CMS version and finds the SQLi. They then use the published SQLi exploit payload against the site and retrieve sensitive information from the database.
A website's admin portal has a weak password that does not meet standard complexity requirements.
An attacker runs a wordlist of weak and common passwords against the admin panel, eventually guesses the correct one, and logs in as admin.
A website offers file upload functionality but does not validate the file type or extension.
An attacker uploads a web shell or other malicious executable, requests it through the web server, and uses it to run commands on the server.
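The first and third examples above, worked in code as an added example (not code from the original article). The sqlite3 database, its users table, the tautology payload and the upload allowlist are constructed for the demonstration; the point is that the vulnerable query returns every row for the payload while the parameterised query returns nothing, and that a web shell renamed to a harmless extension is still rejected when the file's content is checked as well as its name.

```python
"""SQL injection (vulnerable vs. parameterised) and file-upload validation."""
import sqlite3


def make_db():
    """Constructed 'CMS' database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "S3cret!", "admin@example.com"),
        ("alice", "hunter2", "alice@example.com"),
    ])
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: user input is concatenated straight into the SQL text."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Hardened: same query with a bound parameter; input is data, never SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Classic tautology payload: closes the string literal and appends an
# always-true condition, so the WHERE clause matches every row.
SQLI_PAYLOAD = "x' OR '1'='1"

# Upload allowlist: extension -> expected leading bytes (file "magic").
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def upload_allowed(filename, content):
    """Accept only allowlisted extensions whose content matches that type.
    The extension is taken after the LAST dot, so 'shell.png.php' is 'php'
    and is rejected; 'shell.png' containing PHP is rejected by the magic check."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magic = ALLOWED_TYPES.get(ext)
    return magic is not None and content.startswith(magic)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, SQLI_PAYLOAD))   # every user
    print("parameterised:", find_user_safe(db, SQLI_PAYLOAD))     # nothing
    web_shell = b"<?php system($_GET['c']); ?>"
    print("shell.php:", upload_allowed("shell.php", web_shell))
    print("shell.png:", upload_allowed("shell.png", web_shell))
    print("logo.png:", upload_allowed("logo.png", ALLOWED_TYPES["png"] + b"\x00" * 8))
```

Validating content as well as name closes the obvious rename trick, but it is not a complete defence on its own: uploads should also be stored outside the web root (or on a host that never executes them) and served with a fixed Content-Type, so that even a file that passes the check cannot be executed by the server.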
Some common exploitation tools
The following are some of the common exploitation tools used by attackers and penetration testers alike:
- Burp Suite: A web proxy that intercepts traffic between the browser and the web server and lets the user modify requests before they are sent, plus scanning and automation tooling built around that proxy.
- OWASP ZAP: An open-source alternative to Burp Suite that likewise intercepts and manipulates traffic between the browser and the web server.
- Commix: An exploitation tool for detecting and exploiting command injection vulnerabilities.
- w3af: A web application scanner that also lets the user exploit discovered vulnerabilities such as command injection, SQL injection and path traversal.
- JexBoss: A tool for exploiting misconfigured or vulnerable JBoss application servers.
- Metasploit Framework: A framework of modules for scanning, exploitation and post-exploitation, shipping with thousands of working exploits for known vulnerabilities.
- Mimikatz: A Windows post-exploitation tool that extracts credentials and hashes from memory and performs attacks such as pass-the-hash and pass-the-ticket.
- Nmap: A network mapper whose scripting engine (NSE) includes scripts for service discovery, vulnerability checks and some attacks against individual hosts.
- John the Ripper: A password cracker that recovers passwords from hash formats such as LM and NTLM.
- Hashcat: A password cracker that can use the system's GPU to crack hashes at high speed.
- sqlmap: A tool that detects and exploits SQL injection vulnerabilities against a target.
- BSQL (Blind SQL) Hacker: A tool for performing blind SQL injection attacks against a target.
- Safe3 SQL Injector: A SQL injection tool marketed as using artificial intelligence to identify injection points and payloads.
- Frida: A dynamic instrumentation toolkit that hooks into running processes, used to analyse and modify the behaviour of mobile and desktop applications at run time.
- MobSF: An automated analyser for mobile applications that performs static and dynamic analysis and reports the vulnerabilities it finds.
What is the risk?
Risk is the potential damage an organisation may suffer if a threat agent exploits a vulnerability. Assessing it means considering financial loss, reputational damage, legal implications, loss of privacy, loss of availability, damage to physical assets and so on.
In cyber security, risk is commonly expressed as the product of the likelihood that a threat exploits a vulnerability and the impact if it does (often written as Risk = Threat x Vulnerability x Impact): the more severe the vulnerability and the more capable the threat, the higher the resulting risk.
In most organisations, formal risk management activities are conducted; through these, a company quantifies its risk exposure and identifies areas for improvement. A risk management plan generally consists of:
- Defining the scope and frequency of the risk management exercise.
- Including all stakeholders in the risk assessment.
- Delegating and assigning tasks to the relevant team for the risk assessment.
- Carrying out the risk assessment and identifying the policies and controls to be implemented.
- Repeating the exercise periodically for all company assets and monitoring the plan to adjust for improvements.
Components of risk management
While performing a risk assessment, there are several components to consider:
We have talked about vulnerabilities, threats, and exploits, which raises the question of what is being threatened? The answer is the company’s assets.
An asset is anything of value owned by the company: physical assets, paper documents, virtual assets, people, proprietary information, software, locations, infrastructure, facilities and so on.
The first step to risk management is identifying and creating an inventory of all the assets owned by an organisation. Then these assets must be assigned an asset rating depending upon the asset’s criticality. This is a crucial step because the risk calculated would not be accurate without a proper asset rating.
A vulnerability is a weakness or flaw in any asset.
An exploit is any payload or malicious code used to take advantage of a vulnerability.
A threat is any event or action that causes damage to an asset and disrupts the confidentiality, integrity or availability of an asset.
Risk is the damage caused by threat agents exploiting a vulnerability. It is important to note here that if a vulnerability does not have a corresponding threat, then there is no risk.
How to assess risk for an organisation?
To calculate risk, an organisation must determine two elements: likelihood and impact.
Likelihood is the probability that a specific threat actor will exploit a vulnerability. The factors that raise it include: the vulnerability is easy to exploit; the asset is easy to reach (for example, exposed to the internet); a public exploit exists; and the asset is attractive to attackers. Existing protective controls lower it.
Impact is the damage that would result if the vulnerability were exploited. The higher the asset's criticality, the higher the impact.
Putting all the knowledge together
Let's consider a vulnerability in a company's e-commerce website for which a matching threat exists. To assess the risk, we use a simplified likelihood-by-impact risk matrix.
First, define the asset's criticality: an e-commerce website is a high-value asset, so the impact if the vulnerability is exploited is high. Second, consider the likelihood of exploitation: if the likelihood is low but the impact is high, the resulting risk is medium.
Conversely, if the asset is of low criticality the impact is low; if the likelihood of exploiting the vulnerability is high, the resulting risk is again medium.
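The calculation described above, including the likelihood factors listed earlier and the rule that a vulnerability with no corresponding threat carries no risk, as an added example that is not the article's own matrix. The article does not reproduce its matrix, so the 3x3 RISK_MATRIX below, the likelihood scoring and its thresholds are assumptions chosen to reproduce the two cases in the text (low likelihood with high impact, and high likelihood with low impact, both rated medium); replace them with the values of your own methodology.

```python
"""Likelihood x impact risk rating with the article's two worked cases."""

LEVELS = ("low", "medium", "high")

# Rows: likelihood; columns: impact. Assumed simplified matrix.
RISK_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


def impact_from_criticality(asset_criticality):
    """Impact follows the asset rating: a high-value asset means high impact."""
    if asset_criticality not in LEVELS:
        raise ValueError("unknown criticality: %r" % (asset_criticality,))
    return asset_criticality


def likelihood(easy_to_exploit, reachable, public_exploit, controls_in_place):
    """Score the likelihood factors from the text: each 'yes' raises the
    score, an existing protective control lowers it. Thresholds are assumed."""
    score = (int(easy_to_exploit) + int(reachable) + int(public_exploit)
             - int(controls_in_place))
    if score >= 2:
        return "high"
    if score == 1:
        return "medium"
    return "low"


def risk(likelihood_level, impact_level):
    """Look up the qualitative risk for a likelihood/impact pair."""
    return RISK_MATRIX[likelihood_level][impact_level]


def assess(asset_criticality, threat_present=True, **factors):
    """Full assessment: no threat means no risk, regardless of the vulnerability."""
    imp = impact_from_criticality(asset_criticality)
    if not threat_present:
        return {"likelihood": "none", "impact": imp, "risk": "none"}
    lik = likelihood(**factors)
    return {"likelihood": lik, "impact": imp, "risk": risk(lik, imp)}


if __name__ == "__main__":
    # Case 1 from the text: high-value e-commerce site, low likelihood -> medium.
    print(assess("high", easy_to_exploit=False, reachable=True,
                 public_exploit=False, controls_in_place=True))
    # Case 2: low-criticality asset, high likelihood -> medium.
    print(assess("low", easy_to_exploit=True, reachable=True,
                 public_exploit=True, controls_in_place=False))
    # Vulnerability with no matching threat -> no risk.
    print(assess("high", threat_present=False, easy_to_exploit=True,
                 reachable=True, public_exploit=True, controls_in_place=False))
```

Note that the two medium results come from different places: in the first case the rating is driven by impact and is reduced by investing in controls, while in the second it is driven by likelihood and is reduced by patching or by taking the asset off the internet. A single "medium" label hides that difference, so record the likelihood and impact levels alongside the rating.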
Best practices for mitigating vulnerabilities and exploits
Below are a few tips or best practices that can help organisations in mitigating vulnerabilities:
Implement SSL/TLS certificates
If an organisation hosts web applications, ensure they use correctly configured TLS certificates and modern protocol versions and cipher suites. This protects all communication to and from the web server in transit, so an attacker on the network path cannot read or tamper with it.
Configure end-to-end encryption
All communication entering or leaving the organisation, such as email, should be encrypted so that no attacker, external or insider, who intercepts it can read confidential information.
Enforce a firm password management policy
Trying weak and default passwords is the go-to technique for attackers looking for a way into an organisation's assets. An organisation must therefore change the default passwords on every product and solution it deploys, and enforce a strong password policy, backed by multi-factor authentication where possible, on its other assets, including servers and employees' workstations.
Implement Access Controls
Network and system administrators should implement appropriate access controls so that an attacker who compromises one asset cannot move on to cause further damage or reach sensitive assets.
Access control means limiting each employee's access to what their role requires (least privilege) and removing all inactive accounts. Privileged Access Management (PAM) solutions help enforce this for administrative accounts.
Keep all software, hardware, and plugins updated.
Outdated software, hardware and plugins are the source of many vulnerabilities and exploits. As discussed earlier, public databases record the vulnerabilities and exploits found in widely used components, so an attacker can simply take a publicly disclosed exploit and use it against an organisation's outdated components.
Regularly perform security code reviews.
If an organisation develops applications in-house or builds them for customers, it should conduct security code reviews after every development cycle. This is a crucial step because it removes vulnerabilities at the development stage, before they reach production. Organisations should also follow secure coding practices such as those described by OWASP.
Perform Vulnerability Assessment and Penetration Testing
Conduct regular vulnerability assessment and penetration testing exercises using internal and external third-party assessments. In doing so, the company will try to identify all potential vulnerabilities within the IT infrastructure and take steps to mitigate them, reducing the exposure and risk. These activities should be conducted periodically and after any significant environmental change.
Get in touch to schedule a short, casual conversation to see if we can contribute to reducing your security concerns.