IS Vulnerability
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.
Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.
A security risk may be classified as a vulnerability. The use of vulnerability with the same meaning as risk can lead to confusion. The risk is tied to the potential of a significant loss. Then there are vulnerabilities without risk: for example, when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability, a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software to when access was removed, a security fix was available/deployed, or the attacker was disabled (see zero-day attack).
A weakness of an asset or group of assets that can be exploited by one or more threats, where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization's mission.
1 Data and Computer Security
Dictionary of standards concepts and terms, authors Dennis Longley and Michael Shain, Stockton Press, ISBN 0-935859-17-9, defines vulnerability as:
  - In computer security, a weakness in automated systems security procedures, administrative controls, Internet controls, etc., that could be exploited by a threat to gain unauthorized access to information or to disrupt critical processing.
  - In computer security, a weakness in the physical layout, organization, procedures, personnel, management, administration, hardware or software that may be exploited to cause harm to the ADP system or activity.
  - In computer security, any weakness or flaw existing in a system. The attack or harmful event, or the opportunity available to a threat agent to mount that attack.
Matt Bishop and Dave Bailey give the following definition of computer vulnerability:
A computer system is composed of states describing the current configuration of the entities that make up the computer system. The system computes through the application of state transitions that change the state of the system. All states reachable from a given initial state using a set of state transitions fall into the class of authorized or unauthorized, as defined by a security policy. In this paper, the definitions of these classes and transitions are considered axiomatic. A vulnerable state is an authorized state from which an unauthorized state can be reached using authorized state transitions. A compromised state is the state so reached. An attack is a sequence of authorized state transitions which end in a compromised state. By definition, an attack begins in a vulnerable state. Vulnerability is a characterization of a vulnerable state which distinguishes it from all non-vulnerable states.
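The Bishop and Bailey definition above is concrete enough to compute over a state-transition model. The following is an added example, not code from the paper or from this page: it builds a constructed toy system (state names and transitions are assumptions) and finds the vulnerable states, i.e. the authorized states from which an unauthorized state is reachable using only authorized transitions, together with one attack (transition sequence) that witnesses each.

```python
from collections import deque

# Constructed toy system (not from Bishop and Bailey's paper); the policy classes each state.
AUTHORIZED = {"logged_out", "guest_view", "user_session", "admin_session"}
UNAUTHORIZED = {"user_reads_admin_data"}
# (source, destination, authorized?); the flawed entry is an authorized transition into an unauthorized state.
TRANSITIONS = [
    ("logged_out", "guest_view", True),
    ("logged_out", "user_session", True),
    ("logged_out", "admin_session", True),
    ("user_session", "user_reads_admin_data", True),   # flaw: no role check
    ("guest_view", "user_reads_admin_data", False),    # needs a broken control
]
def authorized_graph(transitions):
    """Adjacency list containing only the authorized transitions."""
    graph = {}
    for src, dst, ok in transitions:
        if ok:
            graph.setdefault(src, []).append(dst)
    return graph
def attack_path(graph, start, targets):
    """Shortest chain of authorized transitions from start into targets
    (an attack ending in a compromised state), or None if none exists."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if state in targets:
            path = []
            while state is not None:
                path.append(state)
                state = parent[state]
            return path[::-1]
        for nxt in graph.get(state, []):
            if nxt not in parent:
                parent[nxt] = state
                queue.append(nxt)
    return None

def vulnerable_states(authorized, unauthorized, transitions):
    """Authorized states from which an unauthorized state is reachable via
    authorized transitions only, each mapped to one witnessing attack."""
    graph = authorized_graph(transitions)
    found = {}
    for state in sorted(authorized):
        path = attack_path(graph, state, unauthorized)
        if path:
            found[state] = path
    return found
```

Note that admin_session and guest_view are not vulnerable: the only way from guest_view into the unauthorized state is an unauthorized transition, which the definition excludes.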
2 National Information Assurance Training and Education Center defines vulnerability as:
  - A weakness in automated system security procedures, administrative controls, internal controls, and so forth that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing.
  - A weakness in system security procedures, hardware design, internal controls, etc., which could be exploited to gain unauthorized access to classified or sensitive information.
  - A weakness in the physical layout, organization, procedures, personnel, management, administration, hardware, or software that may be exploited to cause harm to the ADP system or activity. The presence of a vulnerability does not in itself cause harm; a vulnerability is merely a condition or set of conditions that may allow the ADP system or activity to be harmed by an attack.
  - An assertion primarily concerning entities of the internal environment (assets); we say that an asset (or class of assets) is vulnerable (in some way, possibly involving an agent or collection of agents); we write: V(i,e) where e may be an empty set.
  - Susceptibility to various threats.
  - A set of properties of a specific internal entity that, in union with a set of properties of a specific external entity, implies a risk.
  - The characteristics of a system which cause it to suffer a definite degradation (incapability to perform the designated mission) as a result of having been subjected to a certain level of effects in an unnatural (manmade) hostile environment.
3 Vulnerability and risk factor models
A resource (either physical or logical) may have one or more vulnerabilities that can be exploited by a threat agent in a threat action. The result can potentially compromise the confidentiality, integrity or availability of resources (not necessarily the vulnerable one) belonging to an organization and/or other parties involved (customers, suppliers). The so-called CIA triad is the basis of information security.
An attack can be active when it attempts to alter system resources or affect their operation, compromising integrity or availability. A "passive attack" attempts to learn or make use of information from the system but does not affect system resources, compromising confidentiality.
Figure: OWASP relationship between threat agent and business impact.
OWASP depicts the same phenomenon in slightly different terms: a threat agent, through an attack vector, exploits a weakness (vulnerability) of the system and the related security controls, causing a technical impact on an IT resource (asset) connected to a business impact.
4 Information security management system
A set of policies concerned with information security management, the information security management system (ISMS), has been developed to manage, according to risk management principles, the countermeasures in order to ensure the security strategy is set up following the rules and regulations applicable in a country. These countermeasures are also called security controls, but when applied to the transmission of information they are called security services.[17]
4.1 Classification
Vulnerabilities are classified according to the asset class they are related to:
hardware
  - susceptibility to humidity
  - susceptibility to dust
  - susceptibility to soiling
  - susceptibility to unprotected storage
software
  - insufficient testing
  - lack of audit trail
network
  - unprotected communication lines
  - insecure network architecture
personnel
  - inadequate recruiting process
  - inadequate security awareness
site
  - area subject to flood
  - unreliable power source
organizational
  - lack of regular audits
  - lack of continuity plans
  - lack of security
5 Causes
Complexity: Large, complex systems increase the probability of flaws and unintended access points.
Familiarity: Using common, well-known code, software, operating systems, and/or hardware increases the probability that an attacker has or can find the knowledge and tools to exploit the flaw.
Connectivity: More physical connections, privileges, ports, protocols, and services, and the time each of those is accessible, increase vulnerability.
Password management flaws: The computer user uses weak passwords that could be discovered by brute force. The computer user stores the password on the computer where a program can access it. Users re-use passwords between many programs and websites.
Fundamental operating system design flaws: The operating system designer chooses to enforce suboptimal policies on user/program management. For example, operating systems with policies such as default permit grant every program and every user full access to the entire computer. This operating system flaw allows viruses and malware to execute commands on behalf of the administrator.
Internet website browsing: Some internet websites may contain harmful spyware or adware that can be installed automatically on the computer systems. After visiting those websites, the computer systems become infected and personal information will be collected and passed on to third-party individuals.
Software bugs: The programmer leaves an exploitable bug in a software program. The software bug may allow an attacker to misuse an application.
Unchecked user input: The program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (buffer overflows, SQL injection and other non-validated input flaws).
Not learning from past mistakes: for example, most vulnerabilities discovered in IPv4 protocol software were rediscovered in the new IPv6 implementations.
Research has shown that the most vulnerable point in most information systems is the human user, operator, designer, or other human, so humans should be considered in their different roles as asset, threat and information resource. Social engineering is an increasing security concern.
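The "unchecked user input" cause above is easiest to see side by side with its remedy. The following is an added example, not code from this page: it uses a constructed in-memory SQLite table (the table, rows and the hostile input are assumptions) to show a lookup that splices user input straight into a SQL statement next to the parameterized form, and why only the first one can be made to return rows it should not.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample user store standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_unchecked(conn: sqlite3.Connection, name: str) -> list:
    """The flaw: input is assumed safe and concatenated into the statement,
    so characters in it can change the structure of the query itself."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The remedy: the value is bound as a parameter and is never parsed as
    SQL, whatever quotes or keywords it contains."""
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()

def demo() -> tuple:
    """Run both lookups on a benign and on a constructed hostile input."""
    conn = make_db()
    benign = "bob"
    # Constructed hostile input: a quote that closes the string literal,
    # followed by a condition that is always true.
    hostile = "' OR '1'='1"
    return (lookup_unchecked(conn, benign),        # one row, as intended
            lookup_unchecked(conn, hostile),       # every row: the injection
            lookup_parameterized(conn, hostile))   # no row has that literal name

if __name__ == "__main__":
    for rows in demo():
        print(rows)
```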
6 Vulnerability consequences
The impact of a security breach can be very high. The fact that IT managers, or upper management, can (easily) know that IT systems and applications have vulnerabilities and do not perform any action to manage the IT risk is seen as misconduct in most legislations. Privacy law forces managers to act to reduce the impact or likelihood of that security risk. An information technology security audit is a way to let other independent people certify that the IT environment is managed properly and to lessen the responsibilities, at least by having demonstrated good faith. A penetration test is a form of verification of the weaknesses and countermeasures adopted by an organization: a white hat hacker tries to attack an organization's information technology assets to find out how easy or difficult it is to compromise the IT security. The proper way to professionally manage the IT risk is to adopt an Information Security Management System, such as ISO/IEC 27002 or Risk IT, and follow it according to the security strategy set forth by the upper management.
One of the key concepts of information security is the principle of defense in depth, i.e. to set up a multilayer defense system that can:
  - prevent the exploit
  - detect and intercept the attack
  - find out the threat agents and prosecute them
An intrusion detection system is an example of a class of systems used to detect attacks. Physical security is a set of measures to physically protect the information asset: if somebody can get physical access to the information asset, it is quite easy to make resources unavailable to its legitimate users.
7 Vulnerability disclosure
Responsible disclosure (many now refer to it as 'coordinated disclosure' because the first is a biased word) of vulnerabilities is a topic of great debate. As reported by The Tech Herald in August 2010, "Google, Microsoft, TippingPoint, and Rapid7 have recently issued guidelines and statements addressing how they will deal with disclosure going forward."
A responsible disclosure first alerts the affected vendors confidentially before alerting CERT two weeks later, which grants the vendors another 45-day grace period before publishing a security advisory.
Full disclosure is done when all the details of a vulnerability are publicized, perhaps with the intent to put pressure on the software or procedure authors to find a fix urgently.
Well-respected authors have published books on vulnerabilities and how to exploit them: Hacking: The Art of Exploitation, Second Edition is a good example.
Security researchers catering to the needs of the cyberwarfare or cybercrime industry have stated that this approach does not provide them with adequate income for their efforts. Instead, they offer their exploits privately to enable zero-day attacks. The never-ending effort to find new vulnerabilities and to fix them is called computer insecurity.
8 Vulnerability inventory
Mitre Corporation maintains a list of disclosed vulnerabilities in a system called Common Vulnerabilities and Exposures, where each vulnerability is classified (scored) using the Common Vulnerability Scoring System (CVSS).
OWASP collects a list of potential vulnerabilities in order to prevent system designers and programmers from inserting vulnerabilities into the software.
9 Examples of vulnerabilities
Vulnerabilities are related to:
  - physical environment of the system
  - the personnel
  - management
  - administration procedures and security measures within the organization
  - business operation and service delivery
  - hardware
  - software
  - communication equipment and facilities
It is evident that a purely technical approach cannot even protect physical assets: one should have administrative procedures to let maintenance personnel enter the facilities, and people with adequate knowledge of the procedures, motivated to follow them with proper care.
10 Software vulnerabilities
Common types of software flaws that lead to vulnerabilities include:
Memory safety violations, such as:
  - Buffer overflows and over-reads
  - Dangling pointers
Input validation errors, such as:
  - Format string attacks
  - SQL injection
  - Code injection
  - E-mail injection
  - Directory traversal
  - Cross-site scripting in web applications
  - HTTP header injection
  - HTTP response splitting
Race conditions, such as:
  - Time-of-check-to-time-of-use bugs
  - Symlink races
Privilege-confusion bugs, such as:
  - Cross-site request forgery in web applications
  - Clickjacking
  - FTP bounce attack
Privilege escalation
User interface failures, such as:
  - Warning fatigue or user conditioning
  - Blaming the victim: prompting a user to make a security decision without giving the user enough information to answer it
  - Race conditions