How can vulnerabilities be exploited, and what is the purpose of vulnerability scanners?
Vulnerability mitigation is an important topic for any cybersecurity analyst. It is enough to note that the vendors with the highest number of detected vulnerabilities are Microsoft, Oracle, IBM, Google and Apple. A vulnerability is a weakness that an adversary can exploit to breach the confidentiality, availability, or integrity of a resource, and the licensed software we use on our computers every day is full of them.
A cybersecurity vulnerability is an implementation flaw, or a security consequence of a design choice. For example, the possibility of writing past the end of a buffer introduces a buffer overflow vulnerability, and the lack of validation of user input exposes the system to SQL-injection attacks. Examples of significant vulnerabilities include Heartbleed, Shellshock/Bash, and POODLE. Several public vulnerability repositories allow interested parties to easily access information on known vulnerabilities.
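The SQL-injection example above, shown as code: the same lookup written once with the user's input spliced into the query text and once with the input validated and bound as a parameter. This is an added example written for this page, not code from the article's author; the `users` table, the names in it and the hostile input are constructed for the demonstration.

```python
import re
import sqlite3
from typing import List, Tuple

# Constructed sample data for this example: a tiny in-memory user table,
# not taken from any real system.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # Vulnerable: the input is spliced into the SQL text, so characters in the
    # input can change the structure of the statement instead of acting as a value.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # Hardened: the value is bound as a parameter, so the driver always treats it
    # as data, whatever characters it contains.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

# Second layer, independent of the query: an allow-list for what a username may
# look like, checked before any database access.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def is_valid_username(username: str) -> bool:
    return USERNAME_RE.match(username) is not None

def lookup(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Validate first, then query with a bound parameter."""
    if not is_valid_username(username):
        return []
    return find_user_safe(conn, username)

def demo() -> dict:
    """Run both lookups on a normal name and on a constructed hostile input."""
    conn = make_db()
    normal = "bob"
    hostile = "x' OR '1'='1"  # constructed: not a username, but valid SQL once spliced in
    return {
        "vuln_normal": find_user_vulnerable(conn, normal),
        "vuln_hostile": find_user_vulnerable(conn, hostile),
        "safe_normal": find_user_safe(conn, normal),
        "safe_hostile": find_user_safe(conn, hostile),
        "lookup_hostile": lookup(conn, hostile),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns every row for the hostile input because the quote character ends the string literal and the rest of the input becomes part of the WHERE clause; the parameterized lookup returns nothing for it, and the allow-list rejects it before a query is even built.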
The most famous vulnerability repositories are:
- Common Vulnerabilities and Exposures – CVE’s goal is to provide a consistent base of vulnerabilities and a common language for cybersecurity analysts. Established in 1999, MITRE’s public vulnerability repository is endorsed by the industry through the CVE Numbering Authorities (vendors, organizations and researchers actively publishing as CNAs), the CVE council and the many products and services built on CVE mitigation. As the creators themselves say – CVE is a dictionary, not a database. CVE created a reference system for registering vulnerabilities called the CVE identifier (CVE-ID). A CVE entry usually contains a brief description of the security vulnerability, and sometimes advisories, mitigation measures, and reports.
- National Vulnerability Database – the US government repository of vulnerability management data, built on standards and aggregated using SCAP – the Security Content Automation Protocol. This data enables the automation of vulnerability management, security measurement and compliance. The NVD includes references to security checklists, security-related software bugs, misconfigurations, product names, and “business” impact indicators. In addition to data collected via SCAP, the NVD automatically retrieves data from CVE.
- Open Vulnerability and Assessment Language – an information security community initiative that aims to standardize how computer systems are assessed and reported on. OVAL includes a language for encoding system details and an assortment of content repositories located throughout the community. Tools and services use OVAL for the three stages of system evaluation – representing system information, expressing specific machine states, and reporting evaluation results – to provide accurate, consistent, and useful information so that organizations can improve their security.
Vulnerability management identifies, classifies, assesses and mitigates vulnerabilities. IT security professionals conduct the vulnerability management process in an organized and timely manner by following the steps below:
- Preparation: Define the scope of the vulnerability management process.
- Vulnerability scanning: vulnerability scanners are automated tools that scan your systems for known vulnerabilities and produce a report of all identified vulnerabilities sorted by severity. A well-known vulnerability scanner is, for example, Tenable Nessus.
- Vulnerability identification, classification and assessment: the vulnerability scanner provides a report on the identified vulnerabilities.
- Vulnerability mitigation: the asset owner decides which gaps will be mitigated.
- Rescan: after the corrective actions are completed, a rescan is performed to verify their effectiveness. Penetration tests are also often performed at this stage to verify the company’s improved IT security posture.
- Monitoring and updates
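The CVE-ID format from the repository list and the scan, classify, mitigate and rescan steps just listed, as one added Python example (written for this page; it is not the article's own code and does not reproduce any scanner's real output format). The findings, host names and CVE numbers are constructed placeholders, and the severity bands are the CVSS v3 qualitative ratings (Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0).

```python
import re
from typing import Dict, List, Tuple

# CVE-ID syntax: "CVE-" + four-digit year + "-" + four or more digits
# (the sequence part has had no fixed upper length since 2014).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

def parse_cve_id(cve_id: str) -> Tuple[int, int]:
    """Validate a CVE identifier and return (year, sequence); raise ValueError if malformed."""
    m = CVE_ID_RE.match(cve_id.strip().upper())
    if not m:
        raise ValueError(f"not a well-formed CVE-ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))

def is_cve_id(cve_id: str) -> bool:
    try:
        parse_cve_id(cve_id)
        return True
    except ValueError:
        return False

def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}

def build_report(findings: List[Dict]) -> List[Dict]:
    """Classify each finding (validating its CVE-ID) and sort most severe first."""
    report = []
    for f in findings:
        parse_cve_id(f["cve"])  # reject malformed identifiers early
        report.append({
            "host": f["host"],
            "cve": f["cve"].strip().upper(),
            "score": float(f["score"]),
            "severity": cvss_severity(float(f["score"])),
        })
    report.sort(key=lambda r: (SEVERITY_ORDER[r["severity"]], -r["score"], r["host"], r["cve"]))
    return report

def rescan_diff(before: List[Dict], after: List[Dict]) -> Dict[str, list]:
    """Compare two reports: which (host, CVE) pairs were fixed, still remain, or are new."""
    b = {(r["host"], r["cve"]) for r in before}
    a = {(r["host"], r["cve"]) for r in after}
    return {"fixed": sorted(b - a), "remaining": sorted(b & a), "new": sorted(a - b)}

# Constructed scan findings (placeholder hosts and CVE numbers, not real records).
FIRST_SCAN = [
    {"host": "web-01", "cve": "CVE-2099-0001", "score": 9.8},
    {"host": "web-01", "cve": "cve-2099-0002", "score": 5.3},
    {"host": "db-01", "cve": "CVE-2099-12345", "score": 7.5},
    {"host": "db-01", "cve": "CVE-2099-0003", "score": 3.1},
]
SECOND_SCAN = [  # after corrective actions
    {"host": "web-01", "cve": "CVE-2099-0002", "score": 5.3},
    {"host": "db-01", "cve": "CVE-2099-0004", "score": 8.1},
]

if __name__ == "__main__":
    for row in build_report(FIRST_SCAN):
        print(f"{row['severity']:<8} {row['score']:>4}  {row['host']}  {row['cve']}")
    print(rescan_diff(build_report(FIRST_SCAN), build_report(SECOND_SCAN)))
```

The sort key puts the rating band first and the raw score second, so a 7.5 still lands below a 9.8 but above every Medium; the rescan comparison answers the question the rescan step asks (did the fixes take?) and also surfaces findings that appeared only after the changes, which is why the monitoring step never ends.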
There is some confusion among the general public about penetration testing and vulnerability scanning. It’s worth emphasizing that the two approaches complement each other, and vulnerability scanning is one of the first steps in a penetration test.
We have already seen what a vulnerability is and how it affects the system – it is a weak spot that can be exploited to gain unauthorized access to a given resource on the network.
So what is an exploit?
An exploit is specially crafted code used by attackers to take advantage of a particular security vulnerability and compromise the security of resources; it is a tool for exploiting a vulnerability. Exploit kits are as popular as the exploits themselves. These are tools embedded in compromised websites that automatically scan the visitor’s computer for vulnerabilities and try to use them in real time by selecting an exploit from their database. If the exploit succeeds, the kit installs malware on the user’s system. It is very disturbing for information security professionals that the ease of use and user-friendly interfaces of exploit kits allow even non-expert users to deploy them.
To sum up – a vulnerability is a weak spot, and an exploit is a way of using it, in the form of specially prepared code. There may be dozens, and sometimes even hundreds, of exploits per vulnerability.