Vulnerability (computing)
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.

Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.

Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.

A security risk may be classified as a vulnerability. Using "vulnerability" with the same meaning as "risk" can lead to confusion. Risk is tied to the potential of a significant loss, so there can be vulnerabilities without risk: for example, when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability, that is, a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software to when access was removed, a security fix was available/deployed, or the attacker was disabled.

A security bug is a narrower concept: there are vulnerabilities that are not related to software; hardware, site and personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.

Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities.

Definitions

ISO/IEC 27005 defines vulnerability as:
A weakness of an asset or group of assets that can be exploited by one or more threats

where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization's mission.

IETF RFC 2828 defines vulnerability as:
A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy


The Committee on National Security Systems of the United States of America defined vulnerability in CNSS Instruction No. 4009, National Information Assurance Glossary, dated 26 April 2010, as:
Vulnerability - Weakness in an IS, system security procedures, internal controls, or implementation that could be exploited


Many NIST publications define vulnerability in an IT context; the FISMApedia term provides a list. Among them, SP 800-30 gives a broader one:
A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.


ENISA defines vulnerability as:
The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event [G.11] compromising the security of the computer system, network, application, or protocol involved.(ITSEC)


The Open Group defines vulnerability as:
The probability that threat capability exceeds the ability to resist the threat.


Factor Analysis of Information Risk (FAIR) defines vulnerability as:
The probability that an asset will be unable to resist the actions of a threat agent


According to FAIR, vulnerability is related to Control Strength, i.e. the strength of a control as compared to a standard measure of force, and to Threat Capabilities, i.e. the probable level of force that a threat agent is capable of applying against an asset.

ISACA defines vulnerability in the Risk IT framework as:
A weakness in design, implementation, operation or internal control


Data and Computer Security: Dictionary of standards concepts and terms, by Dennis Longley and Michael Shain, Stockton Press, ISBN 0-935859-17-9, defines vulnerability as:
1) In computer security, a weakness in automated systems security procedures, administrative controls, Internet controls, etc., that could be exploited by a threat to gain unauthorized access to information or to disrupt critical processing.
2) In computer security, a weakness in the physical layout, organization, procedures, personnel, management, administration, hardware or software that may be exploited to cause harm to the ADP system or activity.
3) In computer security, any weakness or flaw existing in a system. The attack or harmful event, or the opportunity available to a threat agent to mount that attack.

Matt Bishop and Dave Bailey give the following definition of computer vulnerability:
A computer system is composed of states describing the current configuration of the entities that make up the computer system. The system computes through the application of state transitions that change the state of the system. All states reachable from a given initial state using a set of state transitions fall into the class of authorized or unauthorized, as defined by a security policy. In this paper, the definitions of these classes and transitions is considered axiomatic. A vulnerable state is an authorized state from which an unauthorized state can be reached using authorized state transitions. A compromised state is the state so reached. An attack is a sequence of authorized state transitions which end in a compromised state. By definition, an attack begins in a vulnerable state. A vulnerability is a characterization of a vulnerable state which distinguishes it from all non-vulnerable states. If generic, the vulnerability may characterize many vulnerable states; if specific, it may characterize only one...
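The state-transition definition above, worked through on a constructed toy system as an added example (not from the article or from Bishop and Bailey's paper): the states, transitions and security policy are assumed, and the code computes which authorized states are vulnerable and the attack sequence that leads from each of them to a compromised state.

```python
"""Bishop/Bailey state model: states, authorized transitions, a policy that
classifies states, and a search for vulnerable and compromised states.
Added example with constructed data, not code from the article."""
from collections import deque

# Constructed toy system: a state is (user, config_world_writable), where
# user is who the service process runs as and config_world_writable says
# whether the service's configuration file is writable by everyone.
INITIAL = ("guest", False)

# Authorized state transitions (constructed): (name, source, target).
# Every transition here is permitted by the system; the flaw is that their
# composition leads somewhere the policy forbids.
TRANSITIONS = [
    ("login_as_guest", ("guest", False), ("guest", False)),
    ("admin_loosens_perms", ("guest", False), ("guest", True)),  # misconfiguration
    ("edit_config", ("guest", True), ("guest", True)),
    ("service_restart", ("guest", True), ("root", True)),  # config is executed as root
    ("tighten_perms", ("root", True), ("root", False)),
]


def policy_authorized(state):
    """Security policy (constructed): a guest session must never run as root."""
    user, _ = state
    return user != "root"


def reachable(start, transitions):
    """Breadth-first search over authorized transitions.

    Returns {state: transition_sequence} for every state reachable from
    start, including start itself with the empty sequence."""
    paths = {start: []}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for name, src, dst in transitions:
            if src == current and dst not in paths:
                paths[dst] = paths[current] + [name]
                queue.append(dst)
    return paths


def vulnerable_states(initial, transitions, authorized):
    """Apply the definition: a vulnerable state is an authorized state from
    which an unauthorized (compromised) state can be reached using only
    authorized transitions. The transition sequence recorded for each
    vulnerable state is an attack in the paper's sense: it starts in a
    vulnerable state and ends in a compromised one.

    Returns {vulnerable_state: attack_sequence}."""
    result = {}
    for state in reachable(initial, transitions):
        if not authorized(state):
            continue  # already compromised, not "vulnerable"
        for target, sequence in reachable(state, transitions).items():
            if not authorized(target):
                result[state] = sequence
                break
    return result


def without_transition(transitions, name):
    """Model a fix: remove one transition (e.g. forbid the misconfiguration)
    and re-check whether any vulnerable state remains."""
    return [t for t in transitions if t[0] != name]


if __name__ == "__main__":
    for state, attack in vulnerable_states(INITIAL, TRANSITIONS, policy_authorized).items():
        print("vulnerable:", state, "attack:", " -> ".join(attack))
    fixed = without_transition(TRANSITIONS, "admin_loosens_perms")
    print("after fix:", vulnerable_states(INITIAL, fixed, policy_authorized))
```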

The National Information Assurance Training and Education Center defines vulnerability as:

1. A weakness in automated system security procedures, administrative controls, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing.
2. A weakness in system security procedures, hardware design, internal controls, etc., which could be exploited to gain unauthorized access to classified or sensitive information.
3. A weakness in the physical layout, organization, procedures, personnel, management, administration, hardware, or software that may be exploited to cause harm to the ADP system or activity. The presence of a vulnerability does not in itself cause harm; a vulnerability is merely a condition or set of conditions that may allow the ADP system or activity to be harmed by an attack.
4. An assertion primarily concerning entities of the internal environment (assets); we say that an asset (or class of assets) is vulnerable (in some way, possibly involving an agent or collection of agents); we write: V(i,e) where: e may be an empty set.
5. Susceptibility to various threats.
6. A set of properties of a specific internal entity that, in union with a set of properties of a specific external entity, implies a risk.
7. The characteristics of a system which cause it to suffer a definite degradation (incapability to perform the designated mission) as a result of having been subjected to a certain level of effects in an unnatural (manmade) hostile environment.

Phenomenology

The term "vulnerability" relates to some other basic security terms as shown in the following diagram:

+ - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+
| An Attack:              |  |Counter- |  | A System Resource:   |
| i.e., A Threat Action   |  | measure |  | Target of the Attack |
| +----------+            |  |         |  | +-----------------+  |
| | Attacker |<==================||<=========                 |  |
| |   i.e.,  |   Passive  |  |         |  | |  Vulnerability  |  |
| | A Threat |<=================>||<========>                 |  |
| |  Agent   |  or Active |  |         |  | +-------|||-------+  |
| +----------+   Attack   |  |         |  |         VVV          |
| |                       |  |         |  | Threat Consequences  |
+ - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+

A resource (either physical or logical) may have one or more vulnerabilities that can be exploited by a threat agent in a threat action. The result can potentially compromise the confidentiality, integrity or availability of resources (not necessarily the vulnerable one) belonging to an organization and/or other parties involved (customers, suppliers).

The so-called CIA triad is the basis of information security.

The attack can be active when it attempts to alter system resources or affect their operation: so it compromises integrity or availability. A "passive attack" attempts to learn or make use of information from the system but does not affect system resources: so it compromises confidentiality.
OWASP (see figure) depicts the same phenomenon in slightly different terms: a threat agent, through an attack vector, exploits a weakness (vulnerability) of the system and the related security controls, causing a technical impact on an IT resource (asset) connected to a business impact.

A set of policies concerned with information security management, the Information Security Management System (ISMS), has been developed to manage, according to risk management principles, the countermeasures in order to accomplish a security strategy set up following the rules and regulations applicable in a country. Countermeasures are also called security controls; when applied to the transmission of information they are named security services.

The overall picture represents the risk factors of the risk scenario.
Classification
Vulnerabilities are classified according to the asset class they are related to:
  • hardware
    • susceptibility to humidity
    • susceptibility to dust
    • susceptibility to soiling
    • susceptibility to unprotected storage
  • software
    • insufficient testing
    • lack of audit trail
  • network
    • unprotected communication lines
    • insecure network architecture
  • personnel
    • inadequate recruiting process
    • inadequate security awareness
  • site
    • area subject to flood
    • unreliable power source
  • organizational
    • lack of regular audits
    • lack of continuity plans
    • lack of security

Causes
  • Complexity: Large, complex systems increase the probability of flaws and unintended access points
  • Familiarity: Using common, well-known code, software, operating systems, and/or hardware increases the probability an attacker has or can find the knowledge and tools to exploit the flaw
  • Connectivity: More physical connections, privileges, ports, protocols, and services and time each of those are accessible increase vulnerability
  • Password management flaws: The computer user uses weak passwords that could be discovered by brute force. The computer user stores the password on the computer where a program can access it. Users re-use passwords between many programs and websites.
  • Fundamental operating system design flaws: The operating system designer chooses to enforce suboptimal policies on user/program management. For example, operating systems with policies such as default permit grant every program and every user full access to the entire computer. This operating system flaw allows viruses and malware to execute commands on behalf of the administrator. http://www.ranum.com/security/computer_security/editorials/dumb/
  • Internet website browsing: Some internet websites may contain harmful spyware or adware that can be installed automatically on the computer systems. After visiting those websites, the computer systems become infected and personal information will be collected and passed on to third-party individuals.
  • Software bugs: The programmer leaves an exploitable bug in a software program. The software bug may allow an attacker to misuse an application.
  • Unchecked user input: The program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (known as buffer overflows, SQL injection or other non-validated inputs).
  • Not learning from past mistakes: for example, most vulnerabilities discovered in IPv4 protocol software were discovered again in the new IPv6 implementations.
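The "unchecked user input" cause from the list above, shown on a database lookup as an added example (not code from the original article): the same input is run through a query that splices it into the SQL text and through one that binds it as a parameter, with an allow-list check as a second layer. The table, rows and inputs are constructed, and Python's built-in sqlite3 module stands in for the database.

```python
"""Unchecked input on a SQL lookup: vulnerable form beside the corrected
form. Added example with constructed data, not code from the article."""
import sqlite3


def make_db():
    """Constructed sample data: three user rows in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_unchecked(conn, name):
    """Vulnerable: the program assumes the input is safe and splices it
    into the statement, so the input can change what the database executes
    (SQL injection, as the list item describes)."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, name):
    """Corrected: the statement text is fixed and the input is bound as a
    value, so the database never parses the input as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def is_valid_username(name):
    """Defence in depth: validate the input's shape against an allow-list
    before it reaches the query at all (constructed rule: 1-32 alphanumerics)."""
    return 1 <= len(name) <= 32 and name.isalnum()


# Constructed inputs: an ordinary username and a string that is not a
# username but becomes valid SQL once spliced into the unchecked query.
ORDINARY = "bob"
HOSTILE = "x' OR 'a'='a"


def demo():
    """Run both lookups on both inputs and return the results for comparison."""
    conn = make_db()
    return {
        "unchecked_ordinary": lookup_unchecked(conn, ORDINARY),
        "unchecked_hostile": lookup_unchecked(conn, HOSTILE),   # whole table leaks
        "param_ordinary": lookup_parameterized(conn, ORDINARY),
        "param_hostile": lookup_parameterized(conn, HOSTILE),   # no such user
        "validated_hostile": is_valid_username(HOSTILE),        # rejected up front
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```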

Research has shown that the most vulnerable point in most information systems is the human user, operator, designer, or other human: so humans should be considered in their different roles as asset, threat and information resource. Social engineering is an increasing security concern.
Vulnerability consequences

The impact of a security breach can be very high.
The fact that IT managers, or upper management, can (easily) know that IT systems and applications have vulnerabilities and do not take any action to manage the IT risk is seen as misconduct in most legislations. Privacy law forces managers to act to reduce the impact or likelihood of that security risk. An information technology security audit is a way to let other, independent people certify that the IT environment is managed properly and lessen the responsibilities, at least by having demonstrated good faith.
A penetration test is a form of verification of the weaknesses and countermeasures adopted by an organization: a white hat hacker tries to attack an organization's information technology assets, to find out how easy or difficult it is to compromise the IT security.

The proper way to professionally manage IT risk is to adopt an Information Security Management System, such as ISO/IEC 27002 or Risk IT, and follow it, according to the security strategy set forth by the upper management.
One of the key concepts of information security is the principle of defence in depth: i.e. to set up a multilayer defence system that can:
  • prevent the exploit
  • detect and intercept the attack
  • find out the threat agents and prosecute them

An intrusion detection system is an example of a class of systems used to detect attacks.

Physical security is a set of measures to physically protect the information asset: if somebody can get physical access to the information asset, it is quite easy to make resources unavailable to their legitimate users.

Some sets of criteria to be satisfied by a computer, its operating system and applications in order to meet a good security level have been developed: ITSEC and Common Criteria are two examples.
Vulnerability disclosure
Responsible disclosure of vulnerabilities is a topic of great debate. As reported by The Tech Herald in August 2010, "Google, Microsoft, TippingPoint, and Rapid7 have recently issued guidelines and statements addressing how they will deal with disclosure going forward."

A responsible disclosure first alerts the affected vendors confidentially before alerting CERT two weeks later, which grants the vendors another 45-day grace period before publishing a security advisory.

A full disclosure is done when all the details of a vulnerability are publicized, perhaps with the intent to put pressure on the software or procedure authors to find a fix urgently.

Well-respected authors have published books on vulnerabilities and how to exploit them: Hacking: The Art of Exploitation Second Edition is a good example.

Security researchers catering to the needs of the cyberwarfare or cybercrime industry have stated that this approach does not provide them with adequate income for their efforts. Instead, they offer their exploits privately to enable zero-day attacks.

The never-ending effort to find new vulnerabilities and to fix them is called computer insecurity.
Vulnerability inventory
MITRE Corporation maintains a list of disclosed vulnerabilities in a system called Common Vulnerabilities and Exposures (CVE), where vulnerabilities are classified (scored) using the Common Vulnerability Scoring System (CVSS).

OWASP collects a list of potential vulnerabilities in order to prevent system designers and programmers from inserting vulnerabilities into the software.

Vulnerability disclosure date
The time of disclosure of a vulnerability is defined differently in the security community and industry. It is most commonly referred to as "a kind of public disclosure of security information by a certain party". Usually, vulnerability information is discussed on a mailing list or published on a security web site and results in a security advisory afterward.

The time of disclosure is the first date a security vulnerability is described on a channel where the disclosed information on the vulnerability has to fulfill the following requirements:
  • The information is freely available to the public
  • The vulnerability information is published by a trusted and independent channel/source
  • The vulnerability has undergone analysis by experts such that risk rating information is included upon disclosure

Identifying and removing vulnerabilities
Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system. Though these tools can provide an auditor with a good overview of possible vulnerabilities present, they cannot replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system.

Vulnerabilities have been found in every major operating system including Windows, Mac OS, various forms of Unix and Linux, OpenVMS, and others. The only way to reduce the chance of a vulnerability being used against a system is through constant vigilance, including careful system maintenance (e.g. applying software patches), best practices in deployment (e.g. the use of firewalls and access controls) and auditing (both during development and throughout the deployment lifecycle).

Examples of vulnerabilities
Vulnerabilities are related to:
  • physical environment of the system
  • the personnel
  • management
  • administration procedures and security measures within the organization
  • business operation and service delivery
  • hardware
  • software
  • communication equipment and facilities
  • and their combinations.

It is evident that a purely technical approach cannot even protect physical assets: you need administrative procedures that let maintenance personnel enter the facilities, and people with adequate knowledge of those procedures who are motivated to follow them with proper care. See social engineering (security).

Four examples of vulnerability exploits:
  • an attacker finds and uses an overflow weakness to install malware to export sensitive data;
  • an attacker convinces a user to open an email message with attached malware;
  • an insider copies a hardened, encrypted program onto a thumb drive and cracks it at home;
  • a flood damages computer systems installed on the ground floor.

Software vulnerabilities
Common types of software flaws that lead to vulnerabilities include:
  • Memory safety violations, such as:
    • Buffer overflows
    • Dangling pointers
  • Input validation errors, such as:
    • Format string attacks
    • Improperly handling shell metacharacters so they are interpreted
    • SQL injection
    • Code injection
    • E-mail injection
    • Directory traversal
    • Cross-site scripting in web applications
    • HTTP header injection
    • HTTP response splitting
  • Race conditions, such as:
    • Time-of-check-to-time-of-use bugs
    • Symlink races
  • Privilege-confusion bugs, such as:
    • Cross-site request forgery in web applications
    • Clickjacking
    • FTP bounce attack
  • Privilege escalation
  • User interface failures, such as:

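The memory-safety and input-validation classes in the list above, shown as hardened C helpers: a bounds-checked copy in place of the fixed-buffer strcpy() pattern, an allow-list check for values that reach a shell, a relative-path check that refuses parent-directory traversal, and user data kept out of the format string. This is an added example, not code from the page or from any project; all function names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Memory safety: replacement for strcpy() into a fixed-size buffer.
 * Copies only if the whole string fits, always NUL-terminates, and
 * reports the would-be overflow (-1) instead of writing past the end. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0) return -1;
    if (n >= dstsz) {          /* no room for the terminator: refuse */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Input validation, shell metacharacters: an allow-list is safer than
 * enumerating every character a shell interprets. Accepts only
 * [A-Za-z0-9._-] and rejects a leading '-' so the word cannot be parsed
 * as a command-line option. Returns 1 if safe, 0 otherwise. */
int is_shell_safe_word(const char *s)
{
    if (s[0] == '\0' || s[0] == '-') return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '.' && *s != '_' && *s != '-')
            return 0;
    return 1;
}

/* Input validation, directory traversal: a user-supplied name is accepted
 * only if it is relative, has no empty component and no ".." component.
 * (Callers reading from a network buffer must length-check before this,
 * since an embedded NUL would silently truncate a C string.) */
int is_safe_relative_path(const char *p)
{
    if (p[0] == '\0' || p[0] == '/') return 0;
    for (const char *seg = p;;) {
        const char *slash = strchr(seg, '/');
        size_t len = slash ? (size_t)(slash - seg) : strlen(seg);
        if (len == 0) return 0;                                   /* "a//b", "a/" */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return 0; /* ".." */
        if (!slash) return 1;
        seg = slash + 1;
    }
}

/* Format string: user data goes in as an argument, never as the format,
 * so "%n" or "%x" inside it is printed literally. Returns the length
 * written, or -1 if the output buffer was too small. */
int log_user_value(char *out, size_t outsz, const char *user)
{
    int n = snprintf(out, outsz, "value=%s", user);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}
```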
Several sets of coding guidelines have been developed, and a large number of static code analysers have been used to verify that code follows them.
See also
  • Common Vulnerabilities and Exposures (CVE)
  • Common Vulnerability Scoring System (CVSS)
  • Computer emergency response team
  • Computer insecurity
  • Full disclosure
  • Hacking: The Art of Exploitation Second Edition
  • Information technology security audit
  • Information security
  • Intrusion detection system
  • IT risk
  • ITSEC
  • List of tools for static code analysis
  • National Information Assurance Glossary
  • Penetration test
  • Physical security
  • Security controls
  • Security service (telecommunication)
  • Vulnerability management
  • Vulnerability scanner
  • White hat

External links
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.