What Is A Vulnerability?
The Finnish Parliament Attack, the Estonian Government Attack, and the Greek Natural Gas Distributor Attack are some of the most recent large scale cyber attacks we have heard about in 2022. For a cyber attack to take place, an exploitable vulnerability must always be present. Attackers exploit vulnerabilities in computer systems and networks to obtain unauthorized access to those systems. This article gathers some of the most important facts on vulnerabilities, starting with an introduction to the topic, followed by some historical facts on the rise of vulnerabilities. In addition, the article discusses the difference between the commonly and interchangeably used terms vulnerability and weakness.
Vulnerabilities – Know them to fight them
A vulnerability, in the context of computers, is any flaw in a system, design, or code that an attacker can exploit to compromise the system.
Just as a malfunction of a doorknob, a failure in a security camera, or even a loose brick in a wall may create a possibility for a burglar to gain access to assets inside a house, a vulnerability or a weakness in an information system may create a possibility for a malicious attacker to gain access to information assets and thereby exploit them for their own benefit.
This not only relates to a possible attack but also most importantly, to the level of difficulty or ease of breaking into a system.
A large number of different, common vulnerabilities have been exposed to date. CVE, short for Common Vulnerabilities and Exposures, is a public database of information system vulnerabilities and exposures launched by the MITRE Corporation. It has identified over one hundred thousand common vulnerabilities since 1999, and several thousand more are discovered each year.
A hardware vulnerability is a flaw that can be exploited by an attacker through remote or physical access to the hardware of the system. If any weakness in a system can allow a hacker to insert new code into the program, it creates a hardware vulnerability.
Some examples of common hardware vulnerabilities are Rowhammer, Directory Traversal, Thunderclap, Foreshadow, etc.
Human vulnerability refers to the weaknesses caused by the mistakes of human beings. Humans play a major role in the security of cyber assets. The innate nature of humans to make mistakes proves the fact that humans are the weakest link in the cybersecurity sphere.
Some main causes for human vulnerabilities are lack of security awareness, inattentiveness, and not adhering to policies and procedures.
A network vulnerability is any flaw in hardware, software, or even processes that can be exploited by attackers to gain access and sabotage a network. As any device connected to the network can be used as an entry point, network vulnerabilities have been widespread.
There are a number of network vulnerabilities exploited by attackers, including malware, outdated software, and misconfigured firewalls or operating systems, to name a few.
Regarded as highly threatening and damaging, application vulnerabilities are rising in popularity among the hacker community, surpassing all other kinds of vulnerabilities. This is due to the abundance of web applications exposed to the massive global reach of the Internet. Application vulnerabilities are flaws in an application that give attackers a way to exploit it.
SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-site Request Forgery (CSRF) are some examples of common application vulnerabilities.
Some common causes for vulnerabilities are weak passwords, errors in the code of programs, the complexity of systems, unrestricted user input, etc.
How it all began
The computer has come quite a long way from the earliest machines manufactured in the 20th century which took up whole rooms and used vacuum tubes as their basic components.
These early machines consisted purely of hardware components. Ada Lovelace laid the foundation for the development of software by composing an algorithm for what would have been the first piece of software, alongside Charles Babbage’s invention of the Analytical Engine, in the 19th century. However, the idea was not applied until the mid-1940s, when modern computers were invented. Therefore, hardware vulnerabilities and human vulnerabilities can be considered to be the earliest computer-related vulnerability types.
Although the idea of networking had been around since the early 80s, it was not until the establishment of ARPANET that the concept flourished, laying the foundation for the notion of the ‘Internet’. ARPANET (Advanced Research Projects Agency Network) was the first packet-switched Wide Area Network and was founded by the US Department of Defense.
The unleashing of the Morris worm in 1988 by Robert Tappan Morris is considered to be the very first attack experienced by the internet. It was a large scale outbreak that affected a number of prestigious colleges and research centers. Although Morris admitted that he did not have any malicious intent and that he only developed the program to count the number of devices connected to the internet, he was arrested and became the first person convicted under the 1986 Computer Fraud and Abuse Act.
The worm exploited several vulnerabilities for its swift spread:
- A hole in the debug mode of the Unix mail program
- A bug in the “finger” program that identified users connected to the network
- Users who set up unprotected network logins with no passwords
Thanks to the Morris worm, flaws in the security of ARPANET were exposed and the victim organizations were keen on building security measures to protect themselves from any more attacks. The development of the first firewall by a researcher at a NASA center in California is one such advantageous consequence of the Morris worm.
Web applications play a crucial role in our lives today. Regardless of profession, age, location, or status, each of us relies on at least a few web apps, be it for business optimization, knowledge acquisition, communication, or even entertainment. The development of web application concepts began in the early 1990s with simple, static HTML web pages. Just as with the development of any technology, the dark side associated with it (cybercriminal activity, in this case) developed at a similar pace. It is evident that even at the earliest stage of web applications there were several vulnerabilities, although not as frequent as today.
Cross-site scripting (XSS) is a common application vulnerability reported to have been exploited since the 1990s, and the term ‘cross-site scripting’ was introduced at the beginning of the year 2000. SQL injection, another such contemporary vulnerability, is reported to have been publicly disclosed for the first time in 1998.
Therefore, it is clear that whichever technology is used, a person with a strong intent and desire to sabotage a system will always find a vulnerability to creep in through. This is why cybersecurity is important, and why there is never too much of it.
What is the difference between a vulnerability and a weakness?
We find the two words, vulnerability and weakness, often used interchangeably in the context of security. However, the MITRE organization tells the two terms apart with a subtle change of meaning. It identifies weaknesses as errors that cause vulnerabilities. Weaknesses cannot be used by attackers directly unless they result in a vulnerability. Vulnerabilities are defined as flaws in a system that can be directly exploited by a hacker to enter the system or network.
CWE and CVE are two separate standards defined by MITRE and stand for ‘Common Weakness Enumeration’ and ‘Common Vulnerabilities and Exposures’ respectively. A CVE denotes a specific instance of a vulnerability within a system, whereas a CWE refers to a type of software weakness rather than a specific instance of a vulnerability within a system. Basically, CWE can be introduced as a “dictionary” of software weakness types, and CVE as a list of known instances of vulnerabilities in specific products or systems.
Below are a few examples of weaknesses from the CWE list:
| CWE ID | Name |
|---|---|
| CWE-787 | Out-of-bounds Write |
| CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| CWE-20 | Improper Input Validation |
| CWE-125 | Out-of-bounds Read |
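To make the weakness-versus-vulnerability distinction above concrete, here is an added example (not code from the original article) built around CWE-89 from the table. The weakness type is string-building SQL from untrusted input; a reachable instance of that code in a real product is what would earn a CVE. The user table and the inputs are constructed for the example, and the parameterized version shows the mitigation side by side.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory sample data so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # The weakness (CWE-89): untrusted input is concatenated into the SQL text,
    # so the input can change the meaning of the statement. Where this code is
    # reachable by an attacker in a shipped product, it is a vulnerability.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # The mitigation: parameter binding keeps the input as data, never as SQL
    # syntax, so the same input cannot alter the query.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    # Returns row counts for a benign name and a constructed input that
    # appends an always-true condition when concatenated into the statement.
    conn = build_db()
    benign = "alice"
    hostile = "x' OR '1'='1"
    return {
        "unsafe_benign": len(lookup_unsafe(conn, benign)),
        "unsafe_hostile": len(lookup_unsafe(conn, hostile)),
        "safe_benign": len(lookup_safe(conn, benign)),
        "safe_hostile": len(lookup_safe(conn, hostile)),
    }


if __name__ == "__main__":
    print(demo())
```

The unsafe lookup returns every row for the hostile input, while the parameterized lookup returns none, which is exactly the difference between a weakness that is present and one that an attacker can actually use.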
Below are a few examples of vulnerabilities from the CVE list:
| CVE ID | Vulnerability Type | Description |
|---|---|---|
| CVE-2022-38493 | DoS | Rhonabwy 0.9.99 through 1.1.x before 1.1.7 doesn’t check the RSA private key length before RSA-OAEP decryption. This allows attackers to cause a Denial of Service via a crafted JWE (JSON Web Encryption) token. |
| CVE-2022-38392 | DoS | A certain 5400 RPM OEM hard drive, as shipped with laptop PCs in approximately 2005, allows physically proximate attackers to cause a denial of service (device malfunction and system crash) via a resonant-frequency attack with the audio signal from the Rhythm Nation music video. |
| CVE-2022-38359 | CSRF | Cross-site request forgery attacks can be carried out against the Eyes of Network web application, due to an absence of adequate protections. |
| CVE-2022-38188 | Exec Code XSS | There is a reflected XSS vulnerability in Esri Portal for ArcGIS version 10.9.1 which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser. |
| CVE-2022-38193 | Exec Code | There is a code injection vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass strings which could potentially cause arbitrary code execution in a victim’s browser. |
How vulnerabilities become a threat to us
Following the global COVID-19 pandemic, the trend of remote working has increased, resulting in exponential growth in cyber-criminal activity. Therefore, awareness of vulnerabilities is imperative. Lacking knowledge about vulnerabilities and assuming that your systems are free of any flaw is unwise and risky. So, in this case, ignorance isn’t bliss!
It is quite reckless to presume that your company, business, or website is too trivial for criminals to notice. Not hearing about cyberattacks on small or medium-sized companies does not mean that they do not take place. In fact, innumerable attacks take place on small companies that we do not get to hear about, only because they are not headline-worthy. Therefore, being well-versed in vulnerabilities is always beneficial.
A cybercriminal can have one of several motivations for carrying out an attack. They may be trying to assume the victim’s identity to carry out a monetary transaction. A hacker can take down a website over a personal grudge, or simply to show off that they are able to. The most common and the most overwhelming motive is money. A hacker can take charge of your cyber assets and demand a hefty sum of money to release them. But the most perturbing fact is not knowing whether they would keep their word, even after the ransom is paid.
Whichever the motivation is, it is obvious that vulnerabilities are not to be taken lightly as they can leave your business or organization seriously damaged. Cybersecurity is not to be regarded as an optional amenity but rather as a priority.
Is there a solution?
At a time when most of the attention of cybercriminals is focused on web applications, securing them has become a tremendous task. Luckily, there are hundreds of solutions out there promising to protect your applications from hackers. The only challenge is to select the best of them. This may vary according to your organizational requirements, policies, and views. But whatever the nature or size of your organization, ultimately you would be looking for a good product that is cost effective, highly secure, and requires little manual intervention to operate.
Application Vulnerability Scanning and Penetration Testing are 2 such solutions for ensuring that your applications are free from vulnerabilities.
Application Vulnerability Scanning is the process of scanning an application proactively for any exploitable vulnerabilities that might be existing in a system.
eBuilder Security provides an Application Vulnerability Scanning service as a regular security health check. The eBuilder Vulnerability Scanning service entails a number of key benefits, such as high detection rate and accuracy, low monthly cost, and not being bound to licenses. With our service, you are not required to have an internal team, and as data is stored in a private cloud in Sweden, we can assure the highest protection of your data. Another unique feature of the eBuilder Vulnerability Scanner is its convenient scalability-on-tap service.
Our service can detect vulnerabilities early on compared to a penetration test which is a less frequent and lengthy process. A vulnerability scan can take anything from a few minutes to a few hours depending on the size and complexity of the application. It can also be conducted at a fraction of the cost of a penetration test and can be run daily or weekly. Hence if a new vulnerability is present, it will be automatically detected faster than via any other detection mechanism.
Affordability and less time consumption are two other advantageous features of vulnerability scanning over pentests.
An Application Penetration Test is a comprehensive approach to identifying the weaknesses and vulnerabilities in an application that can be exploited by a hacker and this is executed using a real-life simulation of an attack. Experienced pentesters carry out the task of performing real-life simulation attacks to look at an application through the point of view of an attacker and hence identify any hidden vulnerabilities.
With the eBuilder Penetration Testing service, you can get your applications tested manually by specialists following a tested and proven methodology to simulate a real-life hacker attack.
Although not as cost effective as vulnerability scans, pentests provide a more detailed analysis of the application’s overall vulnerability status.
Network Penetration Testing is an exercise where a real-life attack is simulated to gain information about any existing vulnerabilities in your network that can be exploited by an attacker to gain access to your network.
eBuilder provides Automated Network Penetration Testing combining the knowledge, methodology, processes, and toolsets of a team of security consultants into a single, deployable platform for organizations of all sizes. eBuilder helps organizations perform penetration tests within their environment at any given time, satisfying both compliance requirements and meeting network security best practices. This platform is automated and is based on a framework that continuously improves over time.
Having sessions to promote security awareness among your employees is an ideal way to reduce the impact of Human vulnerability. Running an effective Security awareness training program is time and resource intensive, requiring dedicated personnel and being up to date with threats and cyber security trends. As a solution, eBuilder offers Complorer Security Awareness Training. Here Security Awareness is offered as a Managed Service where you can unburden yourself from all administration and management responsibilities.
Vulnerabilities and attackers snooping around them would never cease to exist. Safeguarding information systems is therefore vital for the success of any organization. Our goal at eBuilder Security is to let you focus on your core business while we take care of your cyber security.