Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries (i.e. perform unauthorized actions) within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface. Constructs in programming languages that are difficult to use properly can also manifest large numbers of vulnerabilities.
Vulnerability management is a cyclical practice that varies in theory but contains common processes, which include: discover all assets, prioritize assets, assess or perform a complete vulnerability scan, report on results, remediate vulnerabilities, verify remediation, and repeat. This practice generally refers to software vulnerabilities in computing systems. [1] Agile vulnerability management refers to preventing attacks by identifying all vulnerabilities as quickly as possible. [2]
A security risk is often incorrectly classified as a vulnerability. Using vulnerability with the same meaning as risk can lead to confusion. The risk is the potential of a significant impact resulting from the exploit of a vulnerability. There are also vulnerabilities without risk: for example, when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability—a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software, to when access was removed, a security fix was available/deployed, or the attacker was disabled—see zero-day attack.
A security bug is a narrower concept. There are vulnerabilities that are not related to software: hardware, site, and personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.
ISO 27005 defines vulnerability as: [3]
IETF RFC 4949 defines vulnerability as: [5]
The Committee on National Security Systems of the United States of America defined vulnerability in CNSS Instruction No. 4009, the National Information Assurance Glossary dated 26 April 2010: [6]
Many NIST publications define vulnerability in the IT context; FISMApedia [7] provides a list of these terms. [8] Among them, SP 800-30 [9] gives a broader one:
ENISA defines vulnerability in [10] as:
The Open Group defines vulnerability in [11] as:
Factor Analysis of Information Risk (FAIR) defines vulnerability as: [12]
According to FAIR, vulnerability is related to Control Strength, i.e. the strength of a control as compared to a standard measure of force, and to Threat Capability, i.e. the probable level of force that a threat agent is capable of applying against an asset.
ISACA defines vulnerability in the Risk IT framework as:
Data and Computer Security: Dictionary of standards concepts and terms, authors Dennis Longley and Michael Shain, Stockton Press, ISBN 0-935859-17-9, defines vulnerability as:
Matt Bishop and Dave Bailey [13] give the following definition of computer vulnerability:
National Information Assurance Training and Education Center defines vulnerability: [14] [15]
A resource (either physical or logical) may have one or more vulnerabilities that can be exploited by a threat actor. The result can potentially compromise the confidentiality, integrity or availability of resources (not necessarily the vulnerable one) belonging to an organization and/or other parties involved (customers, suppliers). The so-called CIA triad is a cornerstone of Information Security.
An attack can be active when it attempts to alter system resources or affect their operation, compromising integrity or availability. A "passive attack" attempts to learn or make use of information from the system but does not affect system resources, compromising confidentiality. [5]
OWASP (see figure) depicts the same phenomenon in slightly different terms: a threat agent through an attack vector exploits a weakness (vulnerability) of the system and the related security controls, causing a technical impact on an IT resource (asset) connected to a business impact.
The overall picture represents the risk factors of the risk scenario. [16]
A set of policies concerned with the information security management system (ISMS) has been developed to manage, according to risk management principles, the countermeasures that ensure a security strategy is set up following the rules and regulations applicable to a given organization. These countermeasures are also called security controls, but when applied to the transmission of information, they are called security services. [17]
Vulnerabilities are classified according to the asset class they are related to: [3]
Research has shown that the most vulnerable point in most information systems is the human user, operator, designer, or other human, [26] so humans should be considered in their different roles as asset, threat, and information resource. Social engineering is an increasing security concern.
The impact of a security breach can be very high. [27] Most legislation treats the failure of IT managers to address known vulnerabilities in IT systems and applications as misconduct; IT managers have a responsibility to manage IT risk. [28] Privacy law forces managers to act to reduce the impact or likelihood of that security risk. An information technology security audit is a way to let independent people certify that the IT environment is managed properly, and it lessens the managers' responsibilities, at least by demonstrating good faith. A penetration test is a form of verification of the weaknesses and countermeasures adopted by an organisation: a white hat hacker tries to attack an organisation's information technology assets to find out how easy or difficult it is to compromise the IT security. [29] The proper way to professionally manage IT risk is to adopt an Information Security Management System, such as ISO/IEC 27002 or Risk IT, and follow it according to the security strategy set forth by upper management. [17]
One of the key concepts of information security is the principle of defence in depth, i.e. to set up a multilayer defence system that can: [27]
An intrusion detection system is an example of a class of systems used to detect attacks.
Physical security is a set of measures to physically protect an information asset: if somebody can get physical access to the asset, it is widely accepted that an attacker can access any information on it or make the resource unavailable to its legitimate users.
Some sets of criteria to be satisfied by a computer, its operating system and applications to meet a good security level have been developed: ITSEC and the Common Criteria are two examples.
Coordinated disclosure (some refer to it as "responsible disclosure", but that is considered a biased term by others) of vulnerabilities is a topic of great debate. As reported by The Tech Herald in August 2010, "Google, Microsoft, TippingPoint, and Rapid7 have issued guidelines and statements addressing how they will deal with disclosure going forward." [30] The other method is typically full disclosure, in which all the details of a vulnerability are publicized, sometimes with the intent to put pressure on the software author to publish a fix more quickly. In January 2014, when Google revealed a Microsoft vulnerability before Microsoft released a patch to fix it, a Microsoft representative called for coordinated practices among software companies in revealing disclosures. [31]
The MITRE Corporation maintains an incomplete list of publicly disclosed vulnerabilities in a system called Common Vulnerabilities and Exposures (CVE). This information is immediately shared with the National Institute of Standards and Technology (NIST), where each vulnerability is given a risk score using the Common Vulnerability Scoring System (CVSS) and is annotated with the Common Platform Enumeration (CPE) scheme and the Common Weakness Enumeration (CWE).
Cloud service providers often do not list security issues in their services using the CVE system. [32] There is currently no universal standard for enumerating cloud computing vulnerabilities or assessing their severity, and no unified tracking mechanism. [33] The Open CVDB initiative is a community-driven centralized cloud vulnerability database that catalogs CSP vulnerabilities and lists the steps users can take to detect or prevent these issues in their own environments. [34]
OWASP maintains a list of vulnerability classes with the aim of educating system designers and programmers, therefore reducing the likelihood of vulnerabilities being written unintentionally into the software. [35]
The time of disclosure of a vulnerability is defined differently in the security community and industry. It is most commonly referred to as "a kind of public disclosure of security information by a certain party". Usually, vulnerability information is discussed on a mailing list or published on a security web site and results in a security advisory afterward.
The time of disclosure is the first date a security vulnerability is described on a channel where the disclosed information on the vulnerability has to fulfill the following requirement:
Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system. Though these tools can provide an auditor with a good overview of possible vulnerabilities present, they cannot replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system.
Vulnerabilities have been found in every major operating system [36] including Windows, macOS, various forms of Unix and Linux, OpenVMS, and others. The only way to reduce the chance of a vulnerability being used against a system is through constant vigilance, including careful system maintenance (e.g. applying software patches), best practices in deployment (e.g. the use of firewalls and access controls) and auditing (both during development and throughout the deployment lifecycle).
Vulnerabilities are related to and can manifest in:
A purely technical approach cannot always protect physical assets: there should be administrative procedures that let maintenance personnel enter the facilities, and people with adequate knowledge of those procedures who are motivated to follow them with proper care. Technical protections also do not necessarily stop social engineering attacks.
Examples of vulnerabilities:
Common types of software flaws that lead to vulnerabilities include:
Several sets of coding guidelines have been developed, and a large number of static code analyzers have been used to verify that code follows those guidelines.