Let’s talk vulnerabilities

In this guide

• What is a vulnerability?

• What is a vulnerability assessment?

• What is vulnerability management?

What is a vulnerability?

A vulnerability, in the context of cybersecurity, refers to a weakness or flaw in a system, network, application, or process that can be exploited by threat actors to compromise the security, integrity, or availability of the targeted entity. 

Vulnerabilities can exist in software, hardware, configurations, or even in the things people do. They pose a risk to the confidentiality, integrity, or availability of data or systems.

Types of vulnerabilities

Software vulnerabilities: These are flaws or weaknesses in software applications, operating systems, libraries, or firmware – things like buffer overflow, code injection, insecure defaults, or insecure authentication mechanisms.

Network vulnerabilities: These arise from weaknesses in network devices, protocols, or configurations. Examples include misconfigured firewalls, weak encryption protocols, or unpatched network equipment.

Configuration vulnerabilities: Weak passwords, excessive user privileges, incorrect access controls and other misconfigurations in systems, applications, or network settings can create vulnerabilities. 

Human vulnerabilities: These vulnerabilities stem from human actions or lack of security awareness. Examples include social engineering attacks, phishing, or poor password management.

Exploitation of vulnerabilities

Cybercriminals actively search for vulnerabilities to exploit and gain access, steal data, disrupt services, or compromise systems. Exploitation techniques can involve leveraging software exploits, conducting network-based attacks, tricking users through social engineering, or targeting weak configurations.

Vulnerability disclosure

When vulnerabilities are discovered, security researchers or ethical hackers often follow responsible disclosure practices by notifying the affected party. This allows them to develop and release patches or mitigations to address the vulnerabilities before they can be exploited.

The Common Vulnerability Scoring System (CVSS) is a standardised framework used to assess and communicate the severity of vulnerabilities. It assigns scores based on factors such as the impact, exploitability, and complexity of the vulnerability, helping organisations to prioritise their remediation efforts.

Vulnerability management

Systematically identifying, assessing, prioritising, and mitigating vulnerabilities can include activities such as vulnerability scanning, risk assessment, patch management, configuration hardening, and security awareness training.

All of this is crucial to maintaining a secure environment. You should regularly update software and firmware, apply patches promptly, implement secure configurations, and follow best practices to minimise your risk. Additionally, conducting regular vulnerability assessments and penetration testing helps to identify and remediate vulnerabilities before threat actors can take advantage.

What’s the difference between a vulnerability and a misconfiguration?

Vulnerabilities and misconfigurations are two distinct cybersecurity concepts. 

Vulnerabilities can exist due to coding errors, design flaws, or inherent weaknesses in technology components.

Misconfigurations, on the other hand, are errors or incorrect settings in software, systems, networks, or applications. Misconfigurations can happen due to human error, oversight, or lack of proper configuration management practices. They often result from deviations from recommended or secure configuration settings.

They can include:

• Insecure access controls that grant excessive permissions or fail to restrict access.

• Weak authentication and authorisation.

• Improper encryption or data handling.

• Network or firewall misconfigurations.

What is a vulnerability assessment?

The primary purpose of a vulnerability assessment is to assess a system’s security and identify its weaknesses. It’s important to note that a vulnerability assessment does not involve attempts to exploit or get into systems, which distinguishes it from a penetration test.

Typical steps

1. Discovery of all assets, systems, and components within the scope of the assessment. This involves identifying hardware devices, software applications, operating systems, network infrastructure, and other elements that could be potential entry points.
2. Vulnerability scanning tools automatically scan and analyse the systems for known vulnerabilities. These compare the system’s configuration and software versions against a database of known vulnerabilities and weaknesses.
3. The scanning process generates a list of identified vulnerabilities, along with information about their severity, potential impact, and affected systems. Each vulnerability is typically assigned a CVSS score, which helps prioritise and understand the severity of the vulnerabilities.
4. The identified vulnerabilities are assessed and analysed in the context of the specific environment for their potential impact on the system’s security. The level of risk associated with each vulnerability is assessed.
5. The assessment results are documented in a comprehensive report that includes detailed information about the identified vulnerabilities, their impact, and recommendations for mitigation or remediation. The report often categorises the vulnerabilities based on their severity and provides guidance on the steps required to address them effectively.
6. Based on the assessment findings, organisations can develop a prioritised plan for appropriate remediation actions, such as applying patches, configuration changes, or implementing additional security controls.
7. Vulnerability assessments are not one-time events. Ongoing monitoring is required to catch new vulnerabilities introduced by system changes or emerging threats.

What is vulnerability management?

As the name suggests, vulnerability management is a planned approach to prioritising, mitigating, and monitoring vulnerabilities within your organisation’s IT infrastructure. It aims to proactively manage and reduce the risk posed by vulnerabilities. Its key steps are:

1. Identification
2. Assessment
3. Prioritisation
4. Remediation and mitigation
5. Monitoring and verification
6. Reporting and communication