28/03/2023

Vulnerabilities: Understand, mitigate, remediate

Understand, mitigate, remediate CyberCrime

As the value of data has grown, managing vulnerabilities effectively has become essential to the success of your organization's security programme and to minimizing the impact of successful attacks. Before we delve into specific types of vulnerabilities, it is important to understand what they are. A vulnerability in cyber security is any weakness or gap in an organization's information systems or processes that can be exploited by cybercriminals to compromise the confidentiality, integrity or availability of data, either at rest or in transit.

The strange relationship between vulnerabilities, cyber security threats and risks.

Vulnerability, threat and risk are related but distinct concepts in cyber security. A vulnerability is an inherent weakness in a system or network that can be exploited; it is a property of the system itself and is not caused by external factors such as malware or social engineering. A threat is an external factor, such as a piece of malware or a social engineering campaign, that can exploit a vulnerability and cause harm. The term "risk" refers to the likelihood of a vulnerability being exploited by a threat combined with the potential impact if it is. Risk also has a time component: the chance of a negative event occurring grows the longer a known vulnerability is left without remedial action.
A vulnerability with a low probability of being exploited and a low potential impact results in a low risk, while one with a high probability of being exploited and a high potential impact results in a high risk. Not every vulnerability poses a risk to an organization; if exploiting it gains an attacker nothing, the risk is negligible. To be exploitable at all, a vulnerability must have at least one attack vector, and even then it may not be practically exploitable if attackers lack the information needed to trigger it, if local or physical access is required, or if existing security controls block the path to it. Strong security practices therefore prevent many vulnerabilities from ever becoming exploitable. To give an example: if a vulnerability merely causes a customer-facing application to restart, without divulging any meaningful information and without a lasting effect on performance, its impact is comparatively minimal. The risk is lower still if a hypothetical attacker would need both physical access to the affected system and administrative privileges to trigger it.

Where do vulnerabilities come from?

There are various factors that can contribute to the creation of vulnerabilities in a system, including:

  • Software bugs: Programmers accidentally leave exploitable bugs in software. The problem grows with the sheer volume of code a modern product contains and the number of third-party dependencies it pulls in.
  • Operating system flaws: Operating systems that are unsecured or insufficiently hardened in their default configuration can grant users and processes more access than they need, and become a target for malware.
  • Social engineering: Social engineering is a significant threat to many organizations; people can be one of the biggest sources of vulnerability.
  • Common code: Attackers exploit known vulnerabilities in widely used code, operating systems, hardware and software, because a single working exploit then applies to many targets.
  • Complex systems: The more complex a system is, the higher the likelihood of misconfigurations, flaws or unintended access.
  • Poor password hygiene: Weak and reused passwords mean that a single leaked credential can lead to multiple data breaches.
  • Connectivity: Devices connected to networks without a requirement for those connections expose attack surface that nobody needs, and are more prone to having vulnerabilities exploited.
  • Internet: Exposure to the internet brings automated scanning and drive-by downloads, so malware can be installed on an unpatched computer without any deliberate action by the user.
  • User input: Software or websites that perform no input validation and build queries or commands directly from user-supplied data are vulnerable to injection attacks, SQL injection being the classic example.
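
The last bullet in practice: the following is an added example (not code from the original article) showing a login query built by string concatenation next to the same query parameterized and with allowlist validation of the username. The in-memory SQLite table, the user records and the attacker payloads are constructed for illustration.

```python
"""SQL injection: a string-built query versus a parameterized one.
Added example, not from the original article. The user table and the payloads
are constructed for illustration."""
import re
import sqlite3

# Allowlist for usernames: defense in depth, not a substitute for parameterization.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """In-memory user table with constructed rows (password_hash values are placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "h1", "admin"), ("bob", "h2", "user")],
    )
    return conn


def valid_username(username: str) -> bool:
    return USERNAME_RE.match(username) is not None


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str):
    """The flaw described above: raw input is pasted into the SQL text, so a quote
    in the username ends the string literal and the rest is parsed as SQL."""
    query = (f"SELECT username, role FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str):
    """Validate the shape of the input, then bind it as a parameter so the database
    treats it as data and never as SQL."""
    if not valid_username(username):
        return None
    query = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    # Comment marker drops the password check: ... username = 'alice'--' AND ...
    payload = "alice'--"
    print("vulnerable:", login_vulnerable(conn, payload, "wrong"))  # ('alice', 'admin')
    print("safe:      ", login_safe(conn, payload, "wrong"))        # None
    # Tautology bypass returns the first row regardless of credentials.
    print("vulnerable:", login_vulnerable(conn, "' OR 1=1 --", "wrong"))
```

Note that the validation alone would not have been enough for a field that legitimately contains quotes (a free-text search box, say); the parameterized query is the fix, the allowlist only narrows what reaches it.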

Types of Vulnerabilities

There are many types of cybersecurity vulnerabilities that organizations should be aware of, including:

  • Out-of-date or unpatched software: Attackers often target networks with unpatched systems, because publicly known vulnerabilities usually come with publicly available exploits and can be used to steal sensitive information with little effort. To minimize this risk, organizations should establish a patch management schedule so that systems are updated as soon as new patches are released, with the most critical fixes first.
  • Misconfigurations: When networks have disparate security controls or vulnerable settings, the result is misconfigurations (for example insufficiently hardened NFS exports or no account lockout policy) that are easily exploitable. With ongoing digital transformation these vulnerabilities are becoming more common, so organizations should involve experienced security experts when implementing new technologies.
  • Problematic insider threats: Employees with access to critical systems can share information that helps cybercriminals breach the network, intentionally or unintentionally. Such threats are difficult to trace, so organizations should invest in network access control and segment their networks according to role and need-to-know, so that each account can reach only the systems its job requires.
  • Data encryption problems: If a network has poor or missing encryption, it is easier for attackers to intercept communication and extract critical information. This can also lead to compliance issues and fines from regulatory bodies.
  • Weak authentication credentials: Attackers commonly use password spraying (a few common passwords tried against many accounts), credential stuffing (username and password pairs leaked from other breaches replayed against your systems) and classic brute force to guess or reuse employee login credentials. Employees should be educated on password hygiene, and multi-factor authentication, lockout policies and monitoring for these login patterns limit the damage when a password is weak or reused.
  • Zero-day vulnerabilities: These are software vulnerabilities that attackers have found but that have not yet been reported, so the vendor is unaware of them. No fix is available until the vulnerability becomes known, often only after an attack, making it important for organizations to continuously monitor systems for suspicious activity patterns and to limit the blast radius with layered controls, in order to minimize the risk and impact of a zero-day attack.
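
Detection logic for the credential attacks described under weak authentication credentials, as an added example that is not contained in the original article: it distinguishes password spraying (one source, many accounts, one or two attempts each) from brute force (one source, one account, many attempts) in authentication logs, and flags a successful login from a source that was previously spraying. The log format, timestamps and addresses are constructed for this example and do not correspond to any product's real log format.

```python
"""Password-spray and brute-force detection over authentication log lines.
Added example, not from the original article. SAMPLE_LOG uses a format invented
for this example: '<ISO timestamp> <OK|FAIL> <user> <source IP>'."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (RFC 5737 documentation addresses). Three stories:
# 203.0.113.7 tries one password each against five accounts, then logs in as frank;
# 198.51.100.9 hammers the 'admin' account; 192.0.2.20 is a user who mistyped once.
SAMPLE_LOG = """\
2023-03-28T08:00:01 FAIL alice 203.0.113.7
2023-03-28T08:00:02 FAIL bob 203.0.113.7
2023-03-28T08:00:03 FAIL carol 203.0.113.7
2023-03-28T08:00:04 FAIL dave 203.0.113.7
2023-03-28T08:00:05 FAIL erin 203.0.113.7
2023-03-28T08:00:06 OK frank 203.0.113.7
2023-03-28T08:01:10 FAIL admin 198.51.100.9
2023-03-28T08:01:11 FAIL admin 198.51.100.9
2023-03-28T08:01:12 FAIL admin 198.51.100.9
2023-03-28T08:01:13 FAIL admin 198.51.100.9
2023-03-28T08:01:14 FAIL admin 198.51.100.9
2023-03-28T08:01:15 FAIL admin 198.51.100.9
2023-03-28T09:30:00 FAIL grace 192.0.2.20
2023-03-28T09:30:15 OK grace 192.0.2.20
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) (\S+) (\S+)$")


def parse(log_text: str) -> list:
    """Return (timestamp, result, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def detect(events: list, window=timedelta(minutes=10), spray_users=5, brute_attempts=5) -> list:
    """Per source IP, slide a time window over failed logins and classify:
      password_spray  : >= spray_users distinct accounts, at most 2 failures each
      brute_force     : >= brute_attempts failures against a single account
    Any successful login from a flagged source is then reported as
    success_after_attack so an analyst reviews it (the spray may have worked)."""
    fails_by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))

    findings = []
    for src, fails in fails_by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Two-pointer window: drop failures older than `window` from the front.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= spray_users and max(per_user.values()) <= 2:
                findings.append(("password_spray", src, len(per_user)))
                break
            if max(per_user.values()) >= brute_attempts:
                target = max(per_user, key=per_user.get)
                findings.append(("brute_force", src, target))
                break

    flagged = {f[1] for f in findings}
    for ts, result, user, src in events:
        if result == "OK" and src in flagged:
            findings.append(("success_after_attack", src, user))
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

The thresholds (five accounts, five attempts, ten minutes) are constructed starting points; in a real environment they are tuned against the noise of shared NAT addresses and service accounts, and the per-source view is complemented by a per-account view so that a spray distributed over many source addresses is still caught.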

Vulnerability Management

Vulnerability management is the process of identifying, assessing, mitigating and remediating security vulnerabilities in a system. It is a practice that involves three key elements: vulnerability detection, assessment and remediation.

Vulnerability Detection: This includes using methods such as vulnerability scanning, penetration testing and Google hacking to locate and identify vulnerabilities in computers, applications or networks. Vulnerability scanning uses specialized software to discover assets and identify known weaknesses on them: missing patches, vulnerable software versions and misconfigurations. Penetration testing involves testing an IT asset such as a website, VPN connector or a set of internal systems for security vulnerabilities that an attacker could actually exploit, including flaws a scanner cannot see, such as logic errors in an application. Google hacking involves using advanced search operators in search engine queries to locate hard-to-find information or data that has been accidentally exposed, for example through misconfigured cloud storage or web servers.

Vulnerability Assessment: Once a vulnerability is detected, it goes through the vulnerability assessment process, which systematically reviews the impact of each discovered weakness in the context of the business environment. The assessment identifies vulnerabilities by analyzing network scans, firewall logs, penetration test results and vulnerability scan results; verifies them to decide whether they could actually be exploited and classifies their severity; mitigates them by choosing appropriate countermeasures and measuring their effectiveness; and remediates them by updating the affected software or hardware where possible. There are several types of vulnerability assessment, such as network-based, host-based, wireless network, application and database assessments.

Vulnerability Remediation: This is the process of addressing and mitigating known vulnerabilities in a system to prevent malicious attacks. It includes monitoring and managing the organization's software inventory with automated tools, matching that inventory against security advisories, issue trackers or vulnerability databases, and locating and fixing vulnerable components effectively and efficiently. To ensure effective vulnerability remediation, security professionals should follow these steps:

  • Know: Continuously monitor the software inventory so that you know which software components are in use, in which versions and on which systems, and which of them need immediate attention.
  • Prioritize: Have prioritization policies in place that evaluate the risk of each vulnerability based on system configuration and exposure, likelihood of exploitation, impact, and existing security measures.
  • Fix: Once the vulnerabilities that require immediate attention are identified, establish a timeline and work plan to address them, and verify afterwards (for example with a rescan) that the vulnerability is actually gone.
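
The Know / Prioritize / Fix steps in code, as an added example that is not part of the original article: a host-to-package inventory is matched against a list of advisories with affected and fixed version ranges, and each hit is ranked by its CVSS score, known in-the-wild exploitation and the host's exposure. The inventory, the package names, the advisory identifiers (ADV-0001, ADV-0002) and the weighting factors are all constructed for illustration and refer to no real software or real CVEs.

```python
"""Inventory-to-advisory matching and remediation prioritization.
Added example, not from the original article. All hosts, packages, versions and
advisory identifiers below are constructed and refer to nothing real."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    affected_min: str     # first affected version (inclusive)
    fixed_in: str         # first fixed version (exclusive upper bound)
    cvss: float           # published base score
    exploited_in_wild: bool


def parse_version(version: str) -> tuple:
    """'1.10.2' -> (1, 10, 2), so 1.10 sorts after 1.9 (string comparison would not).
    Real version schemes (pre-releases, epochs) need a proper comparator such as
    the 'packaging' library; dotted integers are enough for this example."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.affected_min) <= v < parse_version(adv.fixed_in)


def match(inventory: dict, advisories: list) -> list:
    """Know: inventory {host: {package: version}} -> [(host, package, version, Advisory)]."""
    hits = []
    for host, packages in inventory.items():
        for package, version in packages.items():
            for adv in advisories:
                if adv.package == package and is_affected(version, adv):
                    hits.append((host, package, version, adv))
    return hits


# Constructed weights: exposure lowers urgency, a public exploit raises it.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.7, "isolated": 0.4}
EXPLOITED_BONUS = 2.0


def priority(hit: tuple, exposure: dict) -> float:
    """Prioritize: combine impact (CVSS), likelihood (exploited in the wild) and
    the host's configuration/exposure into one number capped at 10."""
    host, _, _, adv = hit
    score = adv.cvss + (EXPLOITED_BONUS if adv.exploited_in_wild else 0.0)
    score *= EXPOSURE_WEIGHT[exposure.get(host, "internal")]
    return round(min(score, 10.0), 1)


def remediation_plan(inventory: dict, advisories: list, exposure: dict) -> list:
    """Fix: ranked work list of (priority, host, package, version, advisory id, fix version)."""
    hits = match(inventory, advisories)
    ranked = sorted(hits, key=lambda h: priority(h, exposure), reverse=True)
    return [(priority(h, exposure), h[0], h[1], h[2], h[3].advisory_id, h[3].fixed_in)
            for h in ranked]


# Constructed sample data.
INVENTORY = {
    "web-01": {"libfoo": "1.2.3", "bar-server": "4.0.1"},
    "db-01": {"libfoo": "1.4.0"},
    "lab-07": {"bar-server": "3.9.9"},
}
ADVISORIES = [
    Advisory("ADV-0001", "libfoo", "1.0.0", "1.2.5", 9.8, True),
    Advisory("ADV-0002", "bar-server", "3.0.0", "4.1.0", 7.5, False),
]
EXPOSURE = {"web-01": "internet", "db-01": "internal", "lab-07": "isolated"}

if __name__ == "__main__":
    for row in remediation_plan(INVENTORY, ADVISORIES, EXPOSURE):
        print(row)
```

The output puts the internet-facing host with the actively exploited flaw first (capped at 10.0), the same host's second finding next, and the isolated lab machine last; db-01 does not appear because its version is already at or beyond the fixed release. Rerunning the plan after patching, with the updated inventory, is the verification step: a host that still shows up was not actually fixed.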

A matter of time

It is essential to take an active approach to managing cyber security vulnerabilities. This includes having visibility of internal and third-party network ecosystems and understanding their potential weak points and vulnerabilities, their impact, and how to mitigate and fix them. It is equally essential that vulnerabilities are patched as soon as possible, prioritized by their respective criticality. The latter is a challenge that many companies and organizations still underestimate, as recent reports about attacks on an old and highly critical security flaw in VMware ESXi have demonstrated.