The term vulnerability refers to an error, weakness, or deficiency in a system that makes it possible to overcome or circumvent the security mechanisms of an IT system or network. Vulnerabilities can lie in the design, implementation, configuration, operation, or organization of IT systems. The existence of a vulnerability implies the possibility of exploiting it. Whether a vulnerability is exploited by an attack depends on the following factors:
- the complexity of exploiting the vulnerability
- the existence of one or more threats to the system in which the vulnerability exists
Exploitation of vulnerabilities
The probability that a vulnerability will be exploited depends on these two factors. For example, low complexity combined with numerous threats to a system leads to a high probability that an existing vulnerability will be exploited. Combining this probability with the impact that exploiting the vulnerability would have yields the risk.
In IT security, the means by which a vulnerability is exploited is referred to as an exploit. One of the best-known vulnerabilities became public in 2017 and affected the SMB protocol used in Microsoft Windows.
It became known after the US intelligence agency NSA lost a large number of exploits in a leak. One of these exploits was codenamed ETERNALBLUE and subsequently caused cyber attacks and damage worldwide. Microsoft had released a security update fixing the vulnerability before ETERNALBLUE became public, but because systems are often updated too late or not at all, many of them were still vulnerable when the exploit was released.
This vulnerability was subsequently exploited by the WannaCry and NotPetya cyberattacks, which infected hundreds of thousands of computers worldwide. This caused damage in the double-digit billions.
Evaluation criteria and naming methods for identifying vulnerabilities
To identify vulnerabilities reliably, IT security uses several evaluation criteria and naming schemes. The Common Weakness Enumeration (CWE) describes categories of weaknesses in order to classify vulnerabilities and to document basic remediation and avoidance strategies for each category.
Common Vulnerabilities and Exposures (CVE) identifies specific vulnerabilities in specific products so that they can be referenced unambiguously. For example, CVE-2017-0144 identifies the SMB Remote Windows Kernel Pool Corruption vulnerability and thus the vulnerability exploited by ETERNALBLUE.
The Common Vulnerability Scoring System (CVSS) is used to assess criticality and risk; it assigns a vulnerability a value between 0 and 10, where 10 denotes the highest possible criticality.
Vulnerabilities must be checked regularly
To protect against the exploitation of vulnerabilities that may exist within an organization's IT, that IT should be checked for vulnerabilities on a regular basis. To this end, it is advisable to conduct regular penetration tests and to scan IT networks, systems, and applications regularly with vulnerability scanners.
If these measures reveal vulnerabilities, targeted measures must be taken to eliminate them. This requires a coordinated approach in the form of vulnerability management, in which detection, assessment, and remediation are carried out as part of patch management or change management.
Vulnerabilities are often symptoms of deeper problems, so beyond simply eliminating them, the findings from pentests and vulnerability scans should be analyzed in order to derive fundamental improvements in IT security.
This may involve, for example, introducing configuration management, in which vulnerabilities are prevented from arising by centrally controlling the configuration of IT systems. This often requires a fundamental rethinking of procedures and processes within IT, and external expertise can be very valuable here.