What is a ‘vulnerability’?
‘Vulnerability’ is an important term in cybersecurity. A vulnerability is a weakness in a computer system or in software (an OS, a device, an application, a browser, etc.) that can be exploited to gain unauthorized access to a system, network, website or device.
So, who discovers vulnerabilities? The answer is simple: either the good guys or the bad guys!
When the good guys, i.e., ‘white hat’ security researchers, discover a vulnerability, they report it promptly to the software vendor (sometimes through a bug bounty program), and the issue gets fixed before anyone can exploit it. When it is the bad guy, the hacker, who discovers the vulnerability, it can be exploited to carry out malicious activities such as data breaches and network hijacking. Even after the vendor issues a patch, some users never apply it, so hackers continue to exploit the vulnerability on those unpatched systems.
A vulnerability usually arises when it is discovered (by a hacker or a researcher) that part of a program’s code can be forced to run in an entirely unexpected way, causing undesirable behavior. Every vulnerability is unique, so an attacker who wishes to use one needs a specific piece of code or method to trigger the unexpected behavior that the flaw allows. This method or piece of code is called an exploit.
Attackers can exploit vulnerabilities either remotely or locally. On a system or mobile device that is connected to the internet, an attacker can exploit a vulnerability remotely and manipulate the system, the device or particular programs on it. Other vulnerabilities can be exploited only by an attacker working locally, either with direct access to the system/device or over a local network. Physical access may therefore be needed; sometimes the attacker is an authorized user trying to gain unauthorized access or privileges, and sometimes an on-the-spot intruder who manages to sneak in and carry out an attack.
In a remote attack, the vulnerability is exploited either through an exploit kit or by direct exploitation.
With an exploit kit, a user is lured into opening a website on their system/device; the website hosts an exploit kit that probes the visitor for vulnerabilities and exploits any it finds.
Direct exploitation is when the hacker exploits a flaw in the way devices are connected to the Internet.
What are zero-day vulnerabilities?
Any vulnerability that is found and exploited before the software vendor releases a patch for it is known as a ‘zero-day vulnerability’, and attacks exploiting such vulnerabilities are known as ‘zero-day attacks’. Such attacks are difficult to spot and deflect, and there are many notable instances in which they have caused great damage to organizations and businesses.
When such incidents happen, vendors may release advisories offering users and organizations workarounds or mitigations that can be deployed while waiting for an official patch.
The impacts and consequences of vulnerability exploitations
As we know, by successfully exploiting a vulnerability a hacker can perform unauthorized actions on a system, device or program. The scale of the impact, and its consequences, depend on the severity of the vulnerability in question.
Vulnerabilities are classified by severity rating, which in turn is based on two factors: the ease of exploitation and the impact on the device, program or data.
A vulnerability is classified as critical when exploitation produces no visible sign of infection and requires no visible user interaction. Vulnerabilities classified as important require some form of user interaction, and moderate vulnerabilities are those where certain product or setup conditions can be used to mitigate exposure. Vulnerabilities rated low in severity require specific product and/or setup conditions for mitigation.
Now let’s look at the consequences of each type. Critical vulnerabilities could let the hacker take control of an affected device or the data on it. They could also let attackers use the device or program to launch attacks on other devices connected to it.
Vulnerabilities rated important could be used to manipulate the user (with fraudulent prompts, messages, etc.) into exposing data or resources on a device or system at their disposal.
Moderate vulnerabilities can help attackers compromise data or resources on an affected device, and vulnerabilities rated low, which can be exploited only when specific program or setup conditions are met, can give access to data or resources on a device or system.
Pro-active protection is best against vulnerabilities!
To safeguard devices, systems and networks against vulnerabilities, proactive protection is what is needed most.
The best approach is ASR (Attack Surface Reduction), which means minimizing or closing all weak points in a device or system by taking certain precautions. Let’s take a look at what must be done:
Keep programs up to date: The OS and all installed programs on a device or system should be kept up to date, with the latest security patches applied and all software upgrades done. As soon as the vendor releases a security patch, install it.
Disconnect when not in use: Connect your system/device to the internet only when needed. It is always best to disconnect when you are not actively using the connection. This includes turning off Wi-Fi.
Use a separate administrator account: Use a separate, password-protected administrator account, which makes it harder for an attacker to hijack the system or network.
Use effective security software: Use an effective, up-to-date antimalware tool and other security software. Make sure they are updated regularly, and run regular system scans.
Remove vulnerable or unused programs: It is wise to remove programs that are frequently targeted by hackers, and also those that are never or rarely used. Programs that are rarely used can be disabled when not in use.
Encryption is good: Encrypt the data stored on your device; this goes a long way toward preventing unauthorized access. You could even encrypt the device itself.
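The following is an added example, not code from the original article: it turns the first and fifth ASR steps above (keep programs up to date, remove unused programs) into a prioritized worklist over a constructed software inventory. Program names, versions, dates and the 90-day "unused" threshold are all assumptions; outdated internet-facing programs rank highest because, as discussed earlier, they are the ones an attacker can reach remotely.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Program:
    name: str
    installed: str         # version currently installed (constructed values below)
    latest: str            # latest patched version the vendor ships
    last_used: date        # last time the user ran the program
    internet_facing: bool  # listens on or reaches out to the internet


def version_tuple(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))


def assess(inventory, today: date, unused_days: int = 90):
    """Return (priority, program, action) tuples, highest priority first.

    Priority 3: outdated and internet-facing (remotely reachable attack surface).
    Priority 2: outdated but reachable only locally.
    Priority 1: not used for more than unused_days; candidate for removal/disabling.
    """
    findings = []
    for p in inventory:
        if version_tuple(p.installed) < version_tuple(p.latest):
            prio = 3 if p.internet_facing else 2
            findings.append((prio, p.name, f"update {p.installed} -> {p.latest}"))
        if (today - p.last_used).days > unused_days:
            findings.append((1, p.name, "unused: remove, or disable when not needed"))
    return sorted(findings, key=lambda f: (-f[0], f[1]))


# Constructed inventory and assessment date for demonstration only.
INVENTORY = [
    Program("browser", "5.1.0", "5.2.0", date(2024, 3, 1), True),
    Program("pdf-reader", "2.0.3", "2.0.3", date(2023, 9, 1), False),
    Program("media-plugin", "1.4.1", "1.9.0", date(2023, 10, 1), True),
    Program("text-editor", "8.0.0", "8.0.0", date(2024, 3, 2), False),
]
DEMO_DATE = date(2024, 3, 3)


def demo():
    return assess(INVENTORY, DEMO_DATE)


if __name__ == "__main__":
    for prio, name, action in demo():
        print(prio, name, action)
```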