In computer security, a vulnerability is a recognized weakness that a threat actor, such as an attacker, can exploit to cross an imposed privilege boundary. In other words, it is a weakness that allows a malicious third party to perform unauthorized actions in a computer system. To exploit a vulnerability, a threat actor needs a technique or tool that can reach and trigger the weakness, and there are many types of vulnerabilities.
In a constant race to stay ahead of the latest threats, organizations implement a set of practices known as vulnerability management. Vulnerability management is the necessary, ingrained drill made up of a common set of processes: discover assets, prioritize them, assess them with a complete vulnerability scan, report on the results, remediate the vulnerabilities, verify the remediation, and repeat. This is the recurring cycle of vulnerability management, and any organization hoping to stand a chance against a well-versed adversary must have a firm handle on it.
Vulnerabilities vary in source, complexity and ease of exploitation. In today's article, we take a high-level look at some of the more common vulnerabilities and their implications for an organization's security posture. The list is by no means exhaustive, but it highlights the basic features of vulnerabilities centered on configuration, credentials, patching and zero-days.
System misconfigurations, such as assets running unnecessary services or running with vulnerable settings like unchanged defaults, are commonly exploited by threat actors to breach an organization's network. An attacker will first probe your environment for systems that can be compromised through some form of misconfiguration, and will then mount the attack against that system directly or use it as a foothold to reach others.
Unfortunately, operating systems are commonly configured "wide open" by default, so that every feature works straight out of the box. Convenient as this is for functionality, it inevitably increases the attack surface. Configuration-related vulnerabilities include support for legacy protocols, weak encryption ciphers, overly permissive file and service permissions, exposure of management protocols to untrusted networks, and so on. We recommend hardening based on the Center for Internet Security's CIS Benchmarks, which CIS describes as a "set of vendor-agnostic, internationally recognized secure configuration guidelines."
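The kind of check a hardening baseline turns into in practice, using an SSH server configuration as the example, is shown below. This is an added example, not code from the original article or from CIS; the expected values are a small illustrative set of CIS-style settings, not a copy of any benchmark, and the sample configuration is constructed to represent a "wide open" host.

```python
"""Audit an sshd_config-style file against a hardening baseline.

Added example, not from the original article.  The baseline below is a
small illustrative set of CIS-style settings, not a copy of any benchmark.
"""
from __future__ import annotations

import re

# Constructed sample configuration for a deliberately "wide open" host.
SAMPLE_SSHD_CONFIG = """\
# OpenSSH server configuration (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 10
Ciphers aes256-ctr,aes128-cbc,3des-cbc
"""

# Directives that must hold an exact value (illustrative baseline).
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}

# Directives with a numeric ceiling (illustrative baseline).
MAX_VALUES = {"maxauthtries": 4}

# Substrings identifying legacy ciphers (CBC modes, 3DES, RC4).
WEAK_CIPHER_MARKERS = ("-cbc", "3des", "arcfour")

# Accepts both "Keyword value" and "Keyword = value" forms.
DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global settings as {directive_lower: value}.

    sshd honours the first occurrence of each directive, so later duplicates
    are ignored here too.  Parsing stops at the first Match block, whose
    directives only apply conditionally and need a separate audit.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text: str) -> list[str]:
    """Return one finding per deviation from the baseline (empty list = pass)."""
    settings = parse_sshd_config(text)
    findings: list[str] = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set, default applies; set it explicitly to '{want}'")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', expected '{want}'")
    for key, ceiling in MAX_VALUES.items():
        got = settings.get(key)
        if got is not None and got.isdigit() and int(got) > ceiling:
            findings.append(f"{key}: {got} exceeds maximum of {ceiling}")
    ciphers = settings.get("ciphers", "")
    weak = [c for c in ciphers.split(",")
            if c and any(mark in c.lower() for mark in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("ciphers: weak ciphers enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("FAIL", finding)
```

Two details matter for a real audit: a directive that is simply absent is reported rather than assumed safe, because the compiled-in default may differ between OpenSSH versions, and only the global scope is checked, since settings inside a Match block are conditional and a separate pass is needed for them.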
Weak or Default Credentials
It should go without saying that, given the opportunity, an attacker will use dictionaries, word lists or brute-force attacks to guess your organization's weak passwords, and will try default passwords as well. These attacks are often used to obtain VPN access to your corporate network or unauthorized access to appliances such as UPS units, firewalls, fibre switches, load balancers, SANs and more. Once in, an attacker can modify, steal or delete data, perform transactions, install additional malware, and gain greater access to systems and files.
When it comes to managing credentials, it is crucial to confirm that developers avoid insecure practices such as storing passwords in comments, keeping them in plain text, or hard-coding credentials into source code. Credentials used for authentication must be protected in transit with encryption (for example, TLS) rather than sent in the clear. It is also important to limit access to a file to only those who absolutely require it, restrict key administrative functions to the system console, and build robust protections for system files and encryption keys.
For inbound authentication using passwords, store only strong, salted, one-way password hashes computed with a deliberately slow function (bcrypt, scrypt or Argon2, for example), never the passwords themselves, and keep that credential store rigorously protected.
Missing Security Patches
A security patch is a modification applied to an asset to remove the weakness described by a given vulnerability. Applying it thwarts exploitation by removing or mitigating the threat actor's ability to exploit that vulnerability on that asset. Patch management is therefore a vital component of vulnerability management.
Security patches are the principal method of correcting security vulnerabilities in commercial and open-source software packages. Today, vendors such as Microsoft release security patches on a regular monthly cadence, and organizations in turn field security teams dedicated to ensuring those patches are applied as quickly as possible.
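The verification step of the cycle described earlier (confirm the patch is actually on every affected asset) reduces to comparing installed versions against the version that carries the fix, and a common way it goes wrong is comparing version strings as text. The example below, added here and not from the original article, does the comparison numerically over a constructed inventory; the host names, package names, versions and "fixed in" table are all made up for the example and stand in for what a scanner or vendor advisory would supply.

```python
"""Flag hosts whose installed package version predates the fixed version.

Added example, not from the original article.  Hosts, packages and versions
below are constructed; the REQUIRED table stands in for the fixed versions a
vulnerability scanner or vendor advisory would provide.
"""
from __future__ import annotations

# Constructed asset inventory: (host, package, installed version).
INVENTORY = [
    ("web-01", "appserver", "2.4.9"),
    ("web-02", "appserver", "2.4.10"),
    ("db-01", "dbengine", "13.2"),
    ("db-02", "dbengine", "13.10"),
    ("jump-01", "sshserver", "9.3"),
    ("legacy-01", "appserver", "2.4.9-custom"),
]

# Constructed "fixed in" table: package -> minimum version carrying the fix.
REQUIRED = {"appserver": "2.4.10", "dbengine": "13.8"}


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted numeric version into integers; raises ValueError otherwise."""
    return tuple(int(part) for part in version.split("."))


def version_lt(installed: str, fixed: str) -> bool:
    """Component-wise numeric comparison, padding short versions with zeros.

    Plain string comparison gets this wrong ("2.4.9" > "2.4.10" as text),
    which is exactly how an unpatched host slips through a naive check.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def missing_patches(inventory, required) -> list[tuple[str, str, str, str, str]]:
    """Return (host, package, installed, fixed, status) for each host needing action."""
    findings = []
    for host, pkg, installed in inventory:
        fixed = required.get(pkg)
        if fixed is None:
            continue  # no outstanding fix tracked for this package
        try:
            if version_lt(installed, fixed):
                findings.append((host, pkg, installed, fixed, "MISSING"))
        except ValueError:
            # Vendor or custom version strings cannot be compared safely; report
            # them for manual review rather than silently assuming they are patched.
            findings.append((host, pkg, installed, fixed, "UNVERIFIED"))
    return findings


if __name__ == "__main__":
    for host, pkg, installed, fixed, status in missing_patches(INVENTORY, REQUIRED):
        print(f"{status:10} {host:10} {pkg:10} installed={installed} fixed={fixed}")
```

Anything the checker cannot parse is surfaced as UNVERIFIED rather than dropped: a verification step that quietly skips odd hosts is the kind that reports a clean bill of health the day before an outbreak.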
Security patches are also integral to keeping business processes running. As a well-known example, in 2017 organizations the world over were struck by a ransomware strain known as WannaCry. WannaCry encrypted files on vulnerable versions of Microsoft Windows and then demanded a ransom in Bitcoin. It spread by exploiting an SMB vulnerability for which Microsoft had already released a patch (MS17-010) two months before the outbreak; organizations that had applied it were protected, and Microsoft subsequently issued emergency patches for unsupported versions of Windows as well.
The exploit WannaCry reused had originally been developed against what was, at the time, a zero-day vulnerability. A zero-day vulnerability is a software vulnerability unknown to both the potential victims and the vendor who would otherwise fix it. Until a given vulnerability is mitigated, attackers will continue to exploit it to gain access to systems, networks and data.
For context, the term "zero-day" originally referred to the number of days since a piece of software was released: "zero-day" software was software obtained illegally, by hacking, on or before its official release date. The term was later applied to the vulnerabilities that enabled such hacking, and to the number of days the vendor has had to fix them. Once a vendor learns of a vulnerability, it races to create patches or workarounds to mitigate it.
Unfortunately, because zero-day vulnerabilities are by definition unknown to the public and to the vendor, they are very difficult to defend against directly. That said, techniques do exist to limit the success of zero-day exploitation: exploit mitigations such as address space layout randomization, non-executable memory and stack canaries make memory-corruption bugs like buffer overflows harder to exploit, and least privilege, sandboxing and network segmentation limit what an attacker gains when an exploit does succeed.
To summarize, a vulnerability is a weakness in an asset, whether already known or as yet unknown, that threat actors can exploit. Testing for vulnerabilities is crucial to the enduring security of your organization's systems: only by identifying these weaknesses can you develop a strategy to remediate them before it is too late. If you would like to learn more about how Packetlabs can assist your organization in doing just that, contact us for details!