When protecting an organisation against cyber attacks, the terms security threats, vulnerabilities, risk exposure and sometimes exploits come up very frequently. Unfortunately, these terms are often used incorrectly or interchangeably, and are frequently left undefined.
Because security issues such as data breaches can adversely affect a business, it is essential for security professionals to understand these terms and the relationship between them.
This article will explore what each of these terms means and how they are used together when calculating and assessing risk.
What are information security vulnerabilities?
Security vulnerabilities can be described as weaknesses in any IT asset, whether they are software flaws or hardware component flaws. These weaknesses act as entry points that allow an attacker to break into an organisation’s IT infrastructure, websites, operating systems or network.
Other than an IT component (software or hardware) having existing vulnerabilities, vulnerabilities can also be introduced by human error, misconfigurations or simply a lack of implemented security controls.
A system with a weak password, a system that has not been updated, or one running legacy software: all of these introduce vulnerabilities that a hacker can use to their advantage.
Examples of computer security vulnerabilities
- Insecure encryption
- Broken authentication
- OS command injection
- SQL injection
- Insecure authorization
- Unrestricted file uploads allowing malicious uploads and execution
- Buffer overflows
Furthermore, some of the routinely exploited CVEs during the Covid pandemic as per CISA are:
- Citrix CVE-2019-19781
- Pulse Secure CVE-2019-11510
- Fortinet CVE-2018-13379
- F5 BIG-IP CVE-2020-5902
- MobileIron CVE-2020-15505
- Microsoft CVE-2017-11882
- Atlassian CVE-2019-11580
- Drupal CVE-2018-7600
- Microsoft CVE-2019-0604
- Microsoft CVE-2020-0787
- Microsoft CVE-2020-1472
Implementing vulnerability management and penetration testing
An organisation is bound to have vulnerabilities in its IT infrastructure, as attack vectors and methods increase day by day. However, organisations can enforce continuous vulnerability management and penetration testing exercises to establish a robust security posture.
A technical vulnerability management programme helps organisations identify, classify, evaluate and mitigate vulnerabilities. Generally, such a programme is carried out in the following steps:
- Preparation – Define the scope of the vulnerability assessments.
- Vulnerability scanning – Conduct manual vulnerability identification as well as automated scanning using a vulnerability scanner.
- Identification, classification and evaluation – Evaluate all vulnerabilities and identify the impact, severity and risk associated with each found security vulnerability.
- Mitigation – Figure out the appropriate mitigating controls with the help of asset owners to remediate the vulnerabilities.
- Revalidation – After the controls are implemented, a revalidation cycle is conducted to check whether the mitigating controls do in fact remediate the vulnerability.
In the vulnerability management process, an organisation can also hire independent third-party consultants to conduct a thorough penetration test of the assets in scope.
Examples of common vulnerabilities
There are a number of common security vulnerabilities that an organisation might be affected by; some of these are defined below:
- Broken authentication – This is an example of a web application vulnerability where an attacker can gain access to authenticated functionality because the login mechanism is faulty.
- Using outdated components – Outdated software or hardware components can sometimes have code-level vulnerabilities; if these are not updated then an attacker can take advantage of these vulnerabilities.
- Using default or weak passwords – More often than not, organisations do not change the default passwords for products such as routers, switches, cameras etc. If an attacker uses the product or solution’s default password, they can get access to that asset.
- Security misconfigurations – Usually, while deploying or implementing any technology, human error can cause misconfigurations. An attacker can leverage these misconfigurations and target the system.
What is a threat?
A threat is an event that has the potential to harm a system or the entire organisation. There are many types of threats to an organisation, including natural threats, such as floods and hurricanes; unintentional threats, such as an employee making a mistake; and intentional or insider threats, such as disgruntled employees.
A threat is usually associated with a security vulnerability, which means that a threat arises because a vulnerability exists. There might be cases where a vulnerability exists but there is no threat associated with it. We will look into this in more detail later in this article.
What is an exploit?
An exploit is when an attacker uses specific techniques, pieces of code or methods to take advantage of an existing vulnerability and target the IT system. By exploiting a vulnerability, an attacker causes harm to the organisation, such as gaining unauthorised access to sensitive systems.
For an attacker to exploit a system, a vulnerability needs to exist; this means that mitigating the vulnerability will render the exploit useless.
What are exploit kits?
With the advancement of malicious hacking, a new type of tool has emerged: the exploit kit. Exploit kits are embedded in malicious websites and automatically scan a visitor’s machine for vulnerabilities to exploit. If a vulnerability exists and is successfully exploited, the exploit kit delivers malware to the visitor’s system.
This is especially alarming as these kits are available for tech-savvy and non-expert users alike to deploy on their websites.
Zero-day vulnerabilities are vulnerabilities that have yet to be discovered by the asset or product owner. For example, many users worldwide use Microsoft Windows as their operating system. Now consider a malicious attacker working on finding a vulnerability in the Windows operating system: this attacker finds a vulnerability that is not publicly known and is able to exploit it. Since this vulnerability is new, not publicly known, and unknown even to Microsoft, it is called a zero-day vulnerability.
Zero-days are dangerous because these unknown vulnerabilities are typically undetectable by antivirus software, as no signature exists for them yet.
Publicly available vulnerability repositories
When a vulnerability is discovered and exploit code is written, the authors of the exploit often publish their code on the public internet. Websites such as Exploit-DB, CVE, NVD and OVAL maintain lists of publicly known vulnerabilities and publicly available exploits for hardware and software.
Suppose a company is using outdated and vulnerable components. In that case, the chances are that exploit code for the vulnerability exists and is publicly available for anyone to use against that asset.
Examples of exploiting vulnerabilities
To get a better understanding of how vulnerabilities are exploited, let’s consider a few examples:
A company’s website is built using a CMS. This CMS is outdated and contains a publicly known SQL injection vulnerability.
An attacker searches the internet for known vulnerabilities in the CMS and finds that an SQLi vulnerability exists. They then use the published SQLi exploit payload and retrieve sensitive information.
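The CMS scenario above turns on one coding mistake: user input being pasted into the query text. The following is an added example, not code from the original post or from Cyphere; it shows the same lookup written both ways against an in-memory SQLite table with constructed sample rows, so the difference in behaviour can be observed directly. The table, rows and function names are this example's own assumptions.

```python
# Added example (not from the original post): the same user lookup written
# vulnerably (string formatting) and safely (parameterised query), run
# against a constructed in-memory SQLite database.
import sqlite3


def make_db():
    """Build a throwaway database with a few constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the SQL by string formatting: the input becomes part of the syntax."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, username):
    """Passes the value separately; the driver never interprets it as SQL."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Compare both lookups on a benign value and on a tautology payload."""
    conn = make_db()
    # A benign lookup behaves identically either way.
    benign_vuln = lookup_vulnerable(conn, "alice")
    benign_safe = lookup_parameterised(conn, "alice")
    # A tautology in the input rewrites the WHERE clause of the formatted
    # query to "always true", so every row comes back. The parameterised
    # query looks for a user literally named that and returns nothing.
    payload = "x' OR '1'='1"
    leaked = lookup_vulnerable(conn, payload)
    contained = lookup_parameterised(conn, payload)
    return {
        "benign_rows": len(benign_vuln),
        "benign_rows_safe": len(benign_safe),
        "leaked_rows": len(leaked),
        "contained_rows": len(contained),
    }


if __name__ == "__main__":
    print(demo())
```

The remediation is the same in every language and database driver: keep the query text fixed and hand values to the driver as parameters, and the "published exploit payload" the scenario refers to stops having any effect.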
A website’s admin portal has a weak/easy password that does not meet the standard complexity requirements.
An attacker uses a password list for weak or easy passwords and brute forces the admin panel, eventually guessing the correct password and logging in as admin.
A website has a file upload functionality but does not validate the file type or extension.
An attacker can upload malicious executables or reverse shells and gain access to the website’s server through a web shell.
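The file upload scenario above is about a missing validation step. Below is an added example of what that validation can look like on the server side; it is not code from the original post or from Cyphere. The allowlist of extensions, the signature bytes, the size limit and the sample filenames are this example's own assumptions, and the function name is hypothetical.

```python
# Added example (not from the original post): server-side checks for an
# upload handler. It enforces an extension allowlist, requires the file's
# leading bytes to match that extension, rejects double extensions, and
# never reuses the client-supplied filename on disk.
import os
import secrets

# Allowed extensions and the signature bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024  # example limit; tune per application


def validate_upload(client_filename, content):
    """Return (stored_name, reason); stored_name is None when the upload is rejected."""
    if len(content) > MAX_BYTES:
        return None, "too large"
    # Discard any directory components the client supplied (../ tricks, absolute paths).
    base = os.path.basename(client_filename.replace("\\", "/"))
    if not base or base.startswith("."):
        return None, "empty or hidden filename"
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if "." in stem:
        # e.g. shell.php.png: some server configurations honour the inner extension
        return None, "double extension"
    if ext not in ALLOWED_TYPES:
        return None, "extension not allowed"
    if not content.startswith(ALLOWED_TYPES[ext]):
        return None, "content does not match extension"
    # Store under a random name; the client's name never reaches the filesystem.
    return secrets.token_hex(8) + ext, "ok"


def demo():
    """Run the checks over constructed uploads, benign and hostile."""
    png = ALLOWED_TYPES[".png"] + b"\x00" * 32
    cases = {
        "photo.png": png,
        "shell.php": b"<?php /* placeholder script body */ ?>",
        "shell.php.png": png,
        "shell.png": b"<?php /* placeholder script body */ ?>",
        "../../var/www/x.png": png,
    }
    return {name: validate_upload(name, data)[1] for name, data in cases.items()}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

Two points worth noting: the extension check alone is not enough (a script renamed to `.png` passes it, which is why the content check exists), and storing files under a random name outside the web root means that even a file that slips through is not reachable as a URL the server will execute.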
Some common exploitation tools
The following are some of the common exploitation tools that malicious hackers, as well as penetration testers, use:
- Burp Suite: This web proxy allows users to intercept traffic between the browser and the web server, and to manipulate requests before they are sent to the server.
- OWASP ZAP: This is also a web proxy that lets users intercept traffic between the browser and the web server; it is an open-source alternative to Burp Suite.
- Commix: This exploitation tool allows its users to exploit command injection vulnerabilities.
- w3af: This tool scans for vulnerabilities and also lets the user exploit the discovered vulnerabilities such as command injections, SQL injections, path traversals etc.
- Jexboss: This tool allows its users to exploit misconfigured JBoss servers.
- Metasploit Framework: This framework contains various modules, including a vulnerability scanner and exploitation and post-exploitation modules. This tool includes thousands of working exploits against multiple vulnerabilities.
- Mimikatz: This tool allows its user to perform multiple password-based attacks against Windows operating systems.
- Nmap: This is a network mapper that contains various scripts that can be used to scan and attack networks or individual vulnerable systems.
- John the Ripper: This is a password-cracking tool that one can use to crack passwords such as LM, NTLM, etc.
- Hashcat: This is also a password cracker that can be configured to use a system’s GPU to crack hashes.
- Sqlmap: This tool allows users to perform successful SQL injection attacks against a target.
- BSQL (Blind SQL) Hacker: This tool allows users to perform blind SQL injection attacks against a target.
- Safe3 SQL Injector: This tool leverages the power of artificial intelligence to identify injection points and payloads.
- Frida: Frida is a dynamic instrumentation toolkit that allows users to perform dynamic analysis of mobile applications as they execute.
- MobSF: This automatic code analyser scans the code for mobile applications and provides a report with vulnerabilities found.
What is the risk?
Risk is described as the potential damage an organisation may suffer if any threat agent exploits a vulnerability. Risk includes assessing financial damage, reputational damage, legal implications, loss of privacy, loss of availability, damage to physical assets etc.
In cyber security, risk is calculated as the product of vulnerability and threat: the more critical the vulnerability is, and the more dangerous the threat is, the higher the resulting risk.
In most organisations, formal risk management activities are conducted; through these activities, a company quantifies its risk exposure and identifies areas for improvement. Generally, the risk management plan consists of:
- Define the scope and frequency of the risk management exercise.
- Include all stakeholders in the risk assessment.
- Delegate and assign tasks to a relevant team to carry out the risk assessment.
- Carry out the risk assessment and identify the policies and controls to be implemented.
- Repeat the exercise periodically for all company assets and monitor the plan to adjust for improvements.
Components of risk management
While performing a risk assessment, there are several components to consider:
We have talked about vulnerabilities, threats and exploits, which raises the question: what is being threatened? The answer is the company’s assets.
An asset is anything owned by the company; this includes physical assets, paper documents, virtual assets, people, proprietary information, software, locations, infrastructure, facilities etc.
The first step to risk management is identifying and creating an inventory of all the assets owned by an organisation. Then these assets must be assigned an asset rating depending upon the criticality of the asset. This is a crucial step as, without proper asset rating, the risk calculated would not be accurate.
A vulnerability is a weakness or flaw in any asset.
An exploit is any payload or malicious code used to take advantage of a vulnerability.
A threat is any event or action that causes damage to an asset or disrupts its confidentiality, integrity or availability.
Risk is the damage caused by threat agents exploiting a vulnerability. It is important to note here that if a vulnerability does not have a corresponding threat, then there is no risk.
How to assess risk for an organisation
An organisation must determine two essential elements, i.e. likelihood and impact, to calculate risk.
The likelihood is the probability or chance that a specific threat actor will exploit a vulnerability. Factors that affect likelihood include whether the vulnerability is easy to exploit, whether the asset in question is easy to access, whether protective controls are already in place, how critical the asset is, and whether publicly available exploits exist; the more of these factors that favour the attacker, the higher the likelihood of exploitation.
Impact describes the extent of damage that can occur if the vulnerability is exploited. The higher the asset’s criticality is, the higher the impact.
Putting all the knowledge together
Let’s consider that a vulnerability exists in a company’s e-commerce website, and a matching threat exists. To assess the risk, we will use the simplified risk matrix below:
First and foremost, one must define the asset’s criticality; in this case, the e-commerce website is a high-value asset. Because of the high value of the asset, the impact if the vulnerability is exploited will also be high. Secondly, consider the likelihood of exploitation: if the probability is low but the impact is high, the resulting risk will be medium.
Similarly, if the asset is of low criticality, the impact will be low. However, if the likelihood of exploiting the vulnerability is high, the resulting risk will again be medium.
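The two scenarios just described, plus the "vulnerability with no threat" case from the components section, can be worked through in code. The following is an added example and not the original post's or Cyphere's risk matrix: the 3x3 table, the way the likelihood factors are scored, and the function names are this example's own assumptions, chosen so that the two corner cases in the text (low likelihood with high impact, high likelihood with low impact) both resolve to medium as the post states.

```python
# Added example (not from the original post): a small qualitative risk
# calculation following the post's definitions. The matrix and the
# likelihood scoring rule are assumptions made for this example.

LEVELS = ("low", "medium", "high")

# Rows = likelihood, columns = impact. Both off-diagonal corners the post
# discusses (low/high and high/low) resolve to medium.
RISK_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


def impact(asset_criticality):
    """Impact tracks asset criticality: the more critical the asset, the higher the impact."""
    if asset_criticality not in LEVELS:
        raise ValueError(f"unknown criticality {asset_criticality!r}")
    return asset_criticality


def likelihood(easy_to_exploit, asset_reachable, public_exploit, controls_in_place):
    """Score the likelihood factors the post lists; existing controls pull the score down."""
    score = int(easy_to_exploit) + int(asset_reachable) + int(public_exploit)
    if controls_in_place:
        score -= 1
    if score <= 0:
        return "low"
    if score <= 2:
        return "medium"
    return "high"


def assess_risk(asset_criticality, threat_exists, **factors):
    """Combine likelihood and impact through the matrix; no matching threat means no risk."""
    if not threat_exists:
        return "none"
    return RISK_MATRIX[likelihood(**factors)][impact(asset_criticality)]


def worked_examples():
    """The two scenarios from the text plus the no-threat case (inputs are constructed)."""
    # High-value e-commerce site, hard to exploit, controls in place: low likelihood, high impact.
    ecommerce = assess_risk("high", True, easy_to_exploit=False, asset_reachable=True,
                            public_exploit=False, controls_in_place=True)
    # Low-value box with a public exploit and no controls: high likelihood, low impact.
    test_box = assess_risk("low", True, easy_to_exploit=True, asset_reachable=True,
                           public_exploit=True, controls_in_place=False)
    # Same weaknesses but no threat actor or event that could use them: no risk.
    orphan = assess_risk("high", False, easy_to_exploit=True, asset_reachable=True,
                         public_exploit=True, controls_in_place=False)
    return {"ecommerce_site": ecommerce, "test_box": test_box, "no_threat": orphan}


if __name__ == "__main__":
    for scenario, level in worked_examples().items():
        print(f"{scenario}: {level}")
```

In a real assessment the matrix cells and the factor weights are an organisational decision and should be recorded alongside the results, because the output is only as defensible as the asset ratings and likelihood inputs fed into it.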
Best practices for mitigating vulnerabilities and exploits
Below are a few tips or best practices that can help organisations in mitigating vulnerabilities:
Implement SSL/TLS certificates
If the organisation has any hosted web applications, ensure that they have correctly configured SSL/TLS certificates. This will ensure that all communication to and from the web server is encrypted and cannot be viewed by an attacker.
Configure end-to-end encryption
All communication entering or leaving the organisation, such as emails, should be encrypted. This will ensure that no attacker, whether external or an insider, can view and access confidential information.
Enforce a firm password management policy
Trying weak and default passwords is the go-to mechanism for hackers attempting to get into an organisation’s assets. Therefore the organisation must change the default passwords for all products and solutions it uses, and implement strong password policies for its other assets, including servers and employee computer systems.
Implement Access Controls
Network and system administrators should implement appropriate access control mechanisms so that even if an attacker gains control of one asset, they cannot cause further damage or access sensitive assets.
Access control means limiting employees’ access to a need-only basis and removing all inactive accounts. This can be implemented by deploying Privileged Access Management (PAM) solutions.
Keep all software, hardware and plugins updated
Outdated software, hardware or plugins are a source of many vulnerabilities and exploits. As discussed earlier, public repositories keep a record of the vulnerabilities and exploits found in widely used components. An attacker can use these publicly disclosed exploits to target the organisation’s outdated, vulnerable components.
Regularly perform security code reviews
If the organisation has in-house applications or builds applications for customers, it should conduct security code reviews after every development cycle. This is a crucial step as it can mitigate vulnerabilities at the development stage.
Organisations should also implement secure coding techniques such as the ones described by OWASP.
Perform Vulnerability Assessment and Penetration Testing
Conduct regular vulnerability assessment and penetration testing exercises using internal and external third-party assessments. In doing so, the company will try to identify all potential vulnerabilities within the IT infrastructure and take steps to mitigate these vulnerabilities, reducing the exposure and risk. These activities should be conducted periodically and after any significant change in the environment.
The post Vulnerability, Threats, Exploits and their relationship with risk appeared first on Cyphere | Securing Your Cyber Sphere.
This is a Security Bloggers Network syndicated blog from Cyphere | Securing Your Cyber Sphere authored by Editor. Read the original post at: https://thecyphere.com/blog/vulnerability-threat-exploits-relationship/