Vulnerability
Updated – Saturday, July 04, 2020
As we all know, Information Technology has been growing unstoppably for the last few decades. Enormous amounts of data are generated, stored, and processed every minute throughout the world. As per a recent survey, approximately 50 trillion gigabytes of data (50 zettabytes) exist around the world in 2020, and it's growing at a radical pace. In a report, IDC predicts that the Global Datasphere will grow to 175 zettabytes by 2025. In the same report they mention: “In 2025, each connected (Estimated 6 billion, or 75% of the world’s population) person will have at least one data interaction every 18 seconds. Many of these interactions will be because of the billions of IoT devices connected across the globe, which are expected to create over 90 ZB of data in 2025.”
The daily data statistics highlighted in infographics are as below:
- 500 million tweets are sent
- 294 billion emails are sent
- 4 petabytes of data are created on Facebook
- 4 terabytes of data are created from each connected car
- 65 billion messages are sent on WhatsApp
- 5 billion searches are made
And these figures do not include YouTube, TikTok, or the business data being generated worldwide.
As the data grows, so do the various hardware and software that handle it: servers, storage, network devices, tools, websites, applications, databases, operating systems, hypervisors, virtualization software, protocols, games, mobile apps, IoT and other similar devices’ firmware, etc. As per an estimate, thousands of such tools and software are being developed, and millions of software patches are released, every day.
Vulnerability Meaning
Vulnerability comes from the Latin word for “wound,” vulnus. In general terms, vulnerability means “susceptible to being wounded or hurt, as by a weapon” or “open to moral attack, criticism, temptation, assaults, etc.” Vulnerability can also be defined as the diminished capacity of an individual or group to anticipate, cope with, resist, and recover from the impact of a natural or man-made hazard. Vulnerability is most often associated with poverty, but it can also arise when people are isolated, insecure, and defenseless in the face of risk, shock, or stress. For example, at the time of writing this article (May 2020), the whole world is vulnerable to COVID-19: the vulnerability is in our immune system, which cannot stop the virus from getting into our body and cannot fight it off. Or consider the vulnerability of a soccer goal that is unprotected by any defensive players.
Vulnerability in Cyber Security:
Similarly, in the digital era, vulnerability is about the inability of software, hardware, or a function/process to withstand the effects of a hostile environment. Think about a 15-minute gap between the overlapping shifts of a company’s security guards. That company’s security is at stake for those 15 minutes, and this is known as a process vulnerability (a shift gap). Similarly, if you keep data safe on your laptop and your company servers are also secure, but the data is insecure while being transferred from laptop to server, then the copying process is the vulnerability in this case.

Have you ever heard the statements “Every software has a bug” or “there is no bug-free software”? They are true all the time. Whatever good piece of software you build, someone will find a loophole in it to break through, and that loophole is the vulnerability (or vulnerability point) for that software. Just as we say that risk can’t be removed completely, only reduced or mitigated to some extent, you cannot have bug-free software. The only question is who finds the bug first: the OEM, who releases the patches, or a hacker, who continuously tries to break the system.

In cybersecurity, a vulnerability is defined as a weakness that can be exploited by a threat actor, such as an attacker, to perform unauthorized actions within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface. Vulnerability in cybersecurity is not just about software or hardware; it can be a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
Vulnerability Definitions
Vulnerability as defined in ISO 27005: A weakness of an asset or group of assets that can be exploited by one or more threats, where an asset is anything that has value to the organization, its business operations, and its continuity, including information resources that support the organization’s mission.
Vulnerability defined in IETF RFC 4949: A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.
A Window of Vulnerability (WOV) is a time frame within which defensive measures are diminished, compromised, or lacking.
Vulnerability Impact on CIA: A resource (either physical or logical) may have one or more vulnerabilities that can be exploited by a threat agent in a threat action. The result can potentially compromise the confidentiality, integrity, or availability of resources (not necessarily the vulnerable one) belonging to an organization and/or other parties involved (customers, suppliers).
Active Attacks: An attack can be active when it attempts to alter system resources or affect their operation, compromising integrity or availability.
Passive Attacks: A “passive attack” attempts to learn or make use of information from the system but does not affect system resources, compromising confidentiality.
Vulnerability classification:
Vulnerabilities are classified according to the asset class they are related to:
Hardware
- susceptibility to humidity
- susceptibility to dust
- susceptibility to soiling
- susceptibility to unprotected storage
- susceptibility to physical theft and failures
Software
- insufficient testing
- lack of audit trail
- design flaw
Network
- unprotected communication lines
- insecure network architecture
Personnel
- inadequate recruiting process
- inadequate security awareness
Physical site
- area subject to flood
- unreliable power source
Organizational
- lack of regular audits
- lack of continuity plans
- lack of process
- lack of security
Vulnerability Causes
Complexity: Large, complex systems increase the probability of flaws and unintended
Familiarity: Using common, well-known code, software, operating systems, and/or hardware increases the probability an attacker has or can find the knowledge and tools to exploit the flaw.
Connectivity: A greater number of physical connections, privileges, ports, protocols, and services, and the longer each of those is accessible, increase vulnerability.
Password management flaws: The computer user uses weak passwords that could be discovered by brute force. The computer user stores the password on the computer where a program can access it. Users re-use passwords between many programs and websites.
Fundamental operating system design flaws: The operating system designer chooses to enforce suboptimal policies on user/program management. For example, operating systems with policies such as default permit grant every program and every user full access to the entire computer. This operating system flaw allows viruses and malware to execute commands on behalf of the administrator.
Internet Website Browsing: Some internet websites may contain harmful Spyware or Adware that can be installed automatically on the computer systems. After visiting those websites, the computer systems become infected and personal information will be collected and passed on to third party individuals.
Software bugs: The programmer leaves an exploitable bug in a software program. The software bug may allow an attacker to misuse an application.
Unchecked user input: The program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (known as Buffer overflows, SQL injection, or other non-validated inputs).
Not learning from past mistakes: for example, the same vulnerabilities are repeated in most organizations.
Process Vulnerability: Process or procedure vulnerability is a fault or flaw in the existing process of a team, company or any other defined procedure. As we have already defined above, a gap in shift change of security guards or NOC team can be treated as process vulnerability.
Human: Yes, you read that right. Humans are the biggest threat to information systems. Businesses always remain vulnerable to intentional or unintentional threats from internal or external humans. Research has shown that the most vulnerable point in most information systems is the human user, operator, designer, or other human. So, humans should be considered in their different roles as assets, threats, and information resources. Social engineering is an increasing security concern as well.
Vulnerability In-depth:
Credit/Source:
By Neil Smithline – http://www.owasp.org/index.php/File:2010-T10-rchitectureDiagram.png
CC BY-SA 3.0 – https://commons.wikimedia.org/w/index.php?curid=12312894
Vulnerability inventory or Vulnerability Database
A vulnerability database is a platform aimed at collecting, maintaining, and publishing information about discovered computer security vulnerabilities. The database will customarily describe the identified vulnerability, assess the potential impact on affected systems, and any workarounds or updates to mitigate the issue.
The MITRE Corporation (an American not-for-profit organization) maintains a list of disclosed vulnerabilities in a system called Common Vulnerabilities and Exposures (CVE), where vulnerabilities are scored using the Common Vulnerability Scoring System (CVSS).
OWASP (the Open Source Foundation for Application Security, a US-based non-profit foundation that works to improve the security of software) also collects a list of potential vulnerabilities with the aim of educating system designers and programmers, thereby reducing the likelihood of vulnerabilities being written unintentionally into software.
The Open Sourced Vulnerability Database (OSVDB) was an independent and open-sourced vulnerability database. The goal of the project was to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promoted greater and more open collaboration between companies and individuals. On 5 April 2016, the database was shut down, although the blog will continue.
The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables the automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.
Vulnerability Identifiers
The above databases keep the vulnerability records, but the question is who finds a vulnerability, who updates these databases, how disclosure is made, and what timelines are defined:
- In case the vulnerability is identified by a whistle-blower, an independent researcher, or a white-hat hacker, a responsible (coordinated) disclosure is done: they first alert the affected vendors confidentially, then alert CERT two weeks later, which grants the vendors another 45-day grace period before a security advisory is published (full disclosure). Full disclosure is the practice of publishing an analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purposes of widely disseminating information about vulnerabilities are:
  - So that potential victims are as knowledgeable as those who attack them.
  - If customers do not know about vulnerabilities, they cannot request patches, and vendors have no economic incentive to correct them.
  - Administrators cannot make informed decisions about the risks to their systems if information on vulnerabilities is restricted.
  - Malicious researchers who also know about the flaw would otherwise have a long period of time to continue exploiting it.
- In case the vulnerability is first identified by a malicious researcher or a hacker, he can misuse the flaw for his benefits in terms of hacking the servers of vulnerable companies, stealing the data or by disrupting the services of an organization.
Examples of vulnerabilities
Though in the cybersecurity world vulnerability is mostly about software bugs and flaws, the term itself is wider, covering software, hardware, process, environment, and a lot more.
Some examples of vulnerability exploits:
- an attacker finds and uses an overflow weakness to install malware to export sensitive data.
- an attacker convinces a user to open an email message with the attached malware.
- an insider copies a hardened, encrypted program onto a thumb drive and cracks it at home.
- a flood damages one’s computer systems installed at the ground floor.
- a government policy restricts you from operating in that area
Some common vulnerabilities which are specific to Software are:
- Code injection: the exploitation of a computer bug that is caused by processing invalid data. E.g. SQL injection, where an attacker takes advantage of the syntax of SQL to inject commands that can read or modify a database or compromise the meaning of the original query.
- Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.
- Cross-Site Scripting, also known as XSS. XSS vulnerabilities target scripts embedded in a page that are executed on the client side (i.e. in the user’s browser) rather than on the server side. These flaws occur when the application takes untrusted data and sends it to the web browser without proper validation.
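As an added illustration of the code injection and XSS items above (example code, not from the original article), the following Python shows each flaw beside its fix: a login query built by string formatting next to a parameterised one, and an HTML fragment rendered with and without output encoding. The table contents and the inputs are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory table for the demonstration only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    # The flaw: user input is pasted into the SQL text, so a quote character in
    # the input changes the structure of the statement (code injection).
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, name, password):
    # The fix: a parameterised query. The driver passes the values separately
    # from the SQL text, so the input is only ever compared as data.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


def render_vulnerable(comment):
    # The flaw: untrusted data is written into the page without validation or
    # encoding, so markup in a comment runs in every viewer's browser (XSS).
    return f"<p>{comment}</p>"


def render_safe(comment):
    # The fix: encode the data for its HTML context before output.
    return f"<p>{html.escape(comment)}</p>"


if __name__ == "__main__":
    db = make_db()
    # A password value containing a quote: the vulnerable query now reads
    # "... AND password = '' OR ''=''" and matches every row.
    print(login_vulnerable(db, "alice", "' OR ''='"))  # ['alice', 'bob']
    print(login_safe(db, "alice", "' OR ''='"))        # []
    print(login_safe(db, "alice", "s3cret"))           # ['alice']
    print(render_vulnerable("<script>alert(1)</script>"))
    print(render_safe("<script>alert(1)</script>"))
```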
Vulnerability consequences
As data is the most important asset of any organization, the security of the data, as well as of the tools that process it, is equally important. The impact of a security breach can be very high: it can turn into a financial loss, legal issues, or brand damage for a company. So, one must be very careful about the handling of vulnerabilities.
Data privacy is of the utmost concern for all businesses and organizations, as several data privacy acts like GDPR, PDPB, CCPA, etc. apply to clients’ data, and governments are very stringent about them. Heavy fines are imposed on companies that do not follow the guidelines and security measures, as well as for being careless in implementing security policies such as handling vulnerabilities and mitigating the associated risks.
Vulnerability Management
Handling vulnerability is very important. It has multiple phases:
- Listing down vulnerabilities:
  - From vulnerability databases, as discussed above
  - Zero-day exploits
- Vulnerability Identification
- Vulnerability Scanning
- Vulnerability Assessment – Evaluation of the risk posed by any vulnerabilities identified
- Penetration Testing
- Following appropriate prevention measures
  - Traditional methods / layered approach
  - Defence in Depth
- Counteracting vulnerabilities
Listing down vulnerabilities:
Publicly available Vulnerabilities:
Listing down vulnerabilities, or managing the database, is very important. While vulnerabilities that are published in public forums are very important to mitigate, one must also work ahead on mitigating vulnerabilities that are as yet unidentified by software vendors or the aforementioned vulnerability databases.
Zero-Day Exploits:
A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, the vendor of the software and the public vulnerability databases. Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers, or a network. An exploit directed at a zero-day (fresh software, or a flaw no one has identified yet) is called a zero-day exploit, or zero-day attack.
Many tools are available in the market that keep themselves updated with such databases and will keep you informed about these vulnerabilities in your ecosystem.
Vulnerability Identification:
Vulnerability identification is about finding vulnerabilities and loopholes in your environment.
Vulnerability Scanning
Vulnerabilities can be identified by checking manually or by using tools. While the first is a very time- and effort-consuming process, the second is more popular and practical. A vulnerability scanner is an application that identifies and creates an inventory of all the systems (including servers, storage, network devices, desktops, laptops, virtual machines, containers, firewalls, switches, and printers) connected to a network. For each device that it identifies, it also attempts to identify the operating system it runs and the software installed on it, along with other attributes such as open ports, protocols it supports, and user accounts.
Vulnerability Assessment – Evaluation of the risk:
Once the vulnerabilities in the ecosystem are identified, the second most important task is to evaluate the risk posed by them. This helps us determine:
- how critical the vulnerability is and what the impact on the organization would be if it were exploited successfully
- how practical it would be for a hacker to exploit the vulnerability (for example, could it be exploited from the internet, or would physical access be required), and how easily this could be accomplished (perhaps using publicly available exploit code)
- whether any existing security controls could reduce the risk of the vulnerability being exploited
- how to prioritize our work so that we first mitigate the vulnerabilities that are most exposed and most harmful to the business
- whether the vulnerability detected is a “false positive” that can be ignored
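The assessment criteria above can be turned into a repeatable triage routine. The following Python is an added example, not from the original article; the hosts, findings and CVE-style identifiers are constructed placeholders, and the weighting factors are assumptions chosen for illustration, not a published standard.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    vuln_id: str                # placeholder identifier, constructed for the example
    cvss: float                 # base score, 0.0 to 10.0, as reported by the scanner
    internet_facing: bool       # reachable from the internet, or local/physical access needed?
    public_exploit: bool        # is exploit code publicly available?
    compensating_control: bool  # does an existing control (ACL, WAF rule, ...) reduce exposure?
    false_positive: bool        # confirmed by manual verification to be a scanner error


# Weighting factors are assumptions for illustration only.
EXPOSURE = {True: 1.0, False: 0.5}        # internet-facing vs internal only
EXPLOITABILITY = {True: 1.0, False: 0.6}  # public exploit code vs none known
CONTROL = {True: 0.5, False: 1.0}         # compensating control present vs absent


def risk_score(f: Finding) -> float:
    """Combine impact (CVSS) with how practical exploitation is and what
    already protects the asset. A confirmed false positive carries no risk."""
    if f.false_positive:
        return 0.0
    score = (f.cvss * EXPOSURE[f.internet_facing]
             * EXPLOITABILITY[f.public_exploit] * CONTROL[f.compensating_control])
    return round(score, 1)


def prioritize(findings):
    """Drop false positives and return the remaining findings, most urgent first."""
    real = [f for f in findings if not f.false_positive]
    return sorted(real, key=risk_score, reverse=True)


# Constructed sample scanner output. Note that the highest CVSS (db01) is not
# the top priority once exposure and exploitability are taken into account.
SAMPLE_FINDINGS = [
    Finding("web01", "CVE-0000-0001", 7.5, True, True, False, False),
    Finding("db01", "CVE-0000-0002", 9.8, False, False, False, False),
    Finding("web02", "CVE-0000-0003", 7.0, True, True, True, False),
    Finding("fs01", "CVE-0000-0004", 5.0, False, False, False, True),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):4.1f}  {f.host:6}  {f.vuln_id}")
```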
Penetration Testing:
While vulnerability scanning aims to identify any systems that are subject to known vulnerabilities, a penetration test aims to identify weaknesses in specific system configurations and organizational processes and practices that can be exploited to compromise security.
Follow appropriate prevention measures
Any vulnerability that is detected during vulnerability scanning and is not a false positive should be patched or otherwise fixed so that it no longer poses a risk.
Traditional Approach
Unfortunately, a simple fix or patch is often not immediately available for zero-day exploits or newly listed (in the CVE database) vulnerabilities. In these circumstances the IT security staff may choose to mitigate the risk that the vulnerability poses by ceasing to use the vulnerable system, by adding other security controls or workarounds to make the vulnerability harder to exploit, by any other means that reduces the likelihood of the vulnerability being exploited or the impact of a successful exploit, or sometimes by living with a vulnerable system if the risk is low.
Defence in Depth:
One of the key concepts of information security is the principle of defence-in-depth: i.e. to set up a multilayer defense system that can:
- prevent the exploit
- detect and intercept the attack
- find out the threat agents and prosecute them
Defense-in-depth, also known as deep defence or elastic defence, is a strategy that seeks to delay rather than prevent the advance of an attacker, buying time and causing additional casualties by yielding space. Rather than defeating an attacker with a single, strong defensive line, defence in depth relies on the tendency of an attack to lose momentum over time or as it covers a larger area.
Counteracting vulnerabilities:
Counteracting vulnerabilities requires:
- reducing the impact of the hazard itself where possible (through mitigation, prediction and warning, preparedness).
- building capacities to withstand and cope with hazards.
- tackling the root causes of vulnerability, such as process flaw, software flaw, defence flaw, environmental challenges, Governance etc.
- Logging, Reporting and proper auditing of the vulnerability is a must and the same should be a continuous approach for the organization.
Vulnerability Scanning Tools
Several IT security vendors offer vulnerability scanning tools; among them, a few that offer a wide range of products to scan for vulnerabilities are:
- SolarWinds
- Qualys
- Rapid7
- Comodo
- Tripwire
- High-Tech Bridge
- Tenable
- Core Security
- Acunetix
Open source vulnerability scanners
Many vulnerability scanners are proprietary products, but there are also some open source vulnerability scanners, or free “community” versions of proprietary scanners, available on the Internet. These include:
- Retina
- Wireshark
- OpenVAS
- Nexpose Community
- Nikto
Some Relevant Laws / Acts
General Data Protection Regulation (GDPR)– Personal Data Protection law for European Citizens.
Personal Data Protection Bill (PDPB) – India – Personal Data Protection law for Indian Citizens.
California Consumer Privacy Act (CCPA) – California, United States – Personal Data Protection law for Citizens of California.
The Brazilian Data Protection Law — LGPD Brazil – Data protection act of Brazilians.
Data Privacy – Everything you need to know.
External References / Citation
https://en.wikipedia.org/wiki/Vulnerability_(computing)
This Website/document does not constitute any professional advice. The information in this document has been obtained or derived from different sources believed by dataprivacyacts.com to be reliable but dataprivacyacts.com does not represent that this information is accurate or complete. Any opinions or estimates contained in this document represent the judgment of Dataprivacyacts.com at this time and are subject to change without notice. Readers of this publication are advised to seek their own professional advice before taking any course of action or decision, for which they are entirely responsible, based on the contents of this publication. Dataprivacyacts.com neither accepts or assumes any responsibility or liability to any reader of this publication in respect of the information contained within it or for any decisions readers may take or decide not to or fail to take.
© dataprivacyacts.com. All rights reserved.