Vulnerability

In computing, vulnerability refers to a weakness that can be exploited to cause damage to a system. To use technical lingo, a vulnerability can also be called the attack surface. In a way, it is like a poorly guarded door that can be opened by someone with the right tools. And attackers who intend to exploit the vulnerability will definitely have all the tools necessary to do so.

Vulnerability might sometimes be called a security risk, but the two terms are not 100% synonymous. A security risk is something that arises from the potential exploitation of an existing vulnerability. Also, not all vulnerabilities may have security risks. Security risks through vulnerability exploitation arise only when the targeted asset in question has value. If the asset that has a vulnerability has no value, then there is no security risk. Therefore, instead of using the terms vulnerability and security risk interchangeably, it would be far more appropriate to call a vulnerability a ‘security bug.’

Types of Vulnerabilities

Needless to say, there are multiple types of vulnerabilities in the computer security sphere, and not all of them are related to software. Perhaps software-related vulnerabilities are something that comes to mind first the moment we hear the term, but there are several other types as well. Let us go through the vulnerability classification, so we could focus on the software-related vulnerabilities in the second part of our entry.

Hardware vulnerabilities are related to device storage and maintenance. If a device in question is susceptible to dust or humidity, if it can overheat, or it is so old that it can cause the overall device failure, then it has hardware vulnerabilities.

There are also network vulnerabilities that refer to communication lines without proper protection and insecure network architecture. If the network is not maintained properly, it can unwittingly become an access point to the system that hackers will be quick to exploit.

Organizational and personnel vulnerabilities can be grouped under the same umbrella because both are related to planning and strategy. If an organization lacks regular audits and does not have continuity plans, there is a good chance that they will not have adequate personnel recruiting processes. This would eventually result in inadequate security awareness, and such employees can become a threat to an organization’s cybersecurity because of their ignorance. After all, opening a file attached to a spam email can lead to a ransomware infection.

Another aspect of vulnerabilities is the physical site. If the location is prone to natural disasters or it experiences constant power outages, it could easily become a threat to safe and uninterrupted work.

Finally, we have software vulnerabilities that result from insufficient testing, insecure coding, design flaws, and other types of negligence. Software vulnerabilities can remain part of a program or system for a long time until they are discovered and patched. Patches often become available almost immediately once the vulnerability is discovered, and that is why it is vital to apply the newest system updates to avoid potential vulnerability exploitation.

EternalBlue

To give you a staple example of a software vulnerability, let us look at EternalBlue. EternalBlue itself is not a vulnerability. It is an exploit that makes use of a vulnerability in Microsoft’s Server Message Block protocol. The interesting thing about EternalBlue is that this cyberattack exploit was developed by the U.S. National Security Agency (NSA). NSA did not inform Microsoft about the discovered vulnerability for more than five years.

Eventually, NSA warned Microsoft about the potential theft of the exploit, and it led to Microsoft’s releasing patches for the vulnerability on March 14, 2017. Exactly a month later, hackers from the Shadow Brokers group leaked the exploit on April 14, 2017. Although the vulnerability was already patched by then, EternalBlue was still used in some of the biggest cyberattacks of 2017. Since many Windows users did not install the update patches at once, the WannaCry Ransomware attack managed to exploit multiple systems with EternalBlue. If that were not enough, the vulnerability was also exploited by the Emotet banking trojan.

Also, it shows the importance of updates and patching. Even by the end of 2018, there were still millions of systems susceptible to the EternalBlue exploit. Thus, if the operating system urges you to install an update, you should definitely do so.

The Latest Vulnerability Trends

The cybersecurity and consequently vulnerability landscape has been strongly affected by the ongoing COVID-19 pandemic. Working from home has raised new security concerns and unearthed new security issues that have to be addressed in order to ensure a safe environment.

According to US-CERT, the year 2020 saw a new record in vulnerability reports. 17,447 vulnerabilities were recorded in 2020, following 17,306 in 2019. There was a 50% increase in mobile vulnerabilities, which shows that the lines between corporate and personal networks are blurring. This emphasizes the dangers that could arise from working from home.

Another problem that is related to software vulnerabilities and working from home is the extensive use of Remote Desktop Protocol (RDP) and the vulnerabilities that come with the function. They are often exploited for ransomware and trojan proliferation. Cybercriminals can easily take advantage of individual security concerns and overwhelmed security teams that do not have the time and resources to cater to all the issues plaguing their organizations.

To mitigate and remediate sensitive vulnerabilities, organizations have to consider several aspects of the actual vulnerability. Namely, security teams have to understand the threat origins and the system’s exposure to them based on the unique aspects of the system. Several different systems could be targeted by the same threat, but they might have different vulnerabilities, and the mitigation process for each system may differ accordingly.

Regular OS updates and personnel training should also be at the top of the cybersecurity priorities list. Investing in an anti-malware application is also crucial, but as far as vulnerabilities are concerned, they require comprehensive and multi-faceted solutions.