27 Nov Defining and Classifying IT Vulnerabilities
In principle, a vulnerability is a weakness in a system or network that can be exploited by cybercriminals to gain unauthorized access to wreak havoc. What happens next is anybody’s guess — installation of malware, the theft of sensitive data, damaged, lost or locked data caused by a malicious code and more.
Here are other definitions of a vulnerability:
National Institute of Standards and Technology (NIST): Weakness in a system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat.
ISO 27005: A weakness of an asset or group of assets that can be exploited by one or more cyberthreats, where an asset is anything that has value to the organization, its business operations, and their continuity, including information resources that support the organization’s mission.
IETF RFC 4949: A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.
Now let’s look at how a vulnerability compares to a threat and to a risk (two other common buzzwords in cybersecurity).
Vulnerability vs. Threat
While vulnerabilities are gaps or weaknesses that undermine an organization’s IT security efforts, threats are what an organization is up against — from malware attacks that plant dangerous executables to ransomware attacks that lock an organization’s systems and data. No two threats are the same and some are more likely to exploit a vulnerability than others.
Vulnerability vs. Risk
Risk refers to a thorough assessment of potential threats to an organization’s security and vulnerabilities in its network. It doesn’t just consider the probability of a vulnerability being exploited, but also includes the incident’s potential business impact on the organization.
What are the most prevalent vulnerabilities?
Vulnerabilities come in all shapes and forms. Some of the most common types are:
Outdated and unpatched software: This is the number one vulnerability identified by the U.S. Department of Homeland Security. Unpatched systems and software are probably the easiest targets for hackers. While every patch is aimed at eradicating a vulnerability, if a system or software is left unpatched, it’s an open invitation to malicious activity.
Missing and/or poor data encryption: It’s easy for hackers to intercept data shared among systems in a network. On top of that, if the data is unencrypted or poorly encrypted, it’s even easier for attackers to extract critical information.
Operating system and security misconfigurations: System misconfigurations result from improper security controls or settings on a network asset. One of the first things cybercriminals do is scan a network for endpoints with system misconfigurations.
Missing and broken authentication: Another common tactic used by attackers is cracking or guessing employee credentials. Missing and broken authentication make credentials even more vulnerable.
Poor cyber awareness and human error: An organization’s employees are its first line of defense against cybercrime. However, employees with poor cyber awareness, or those who unintentionally jeopardize an organization’s security, are a huge vulnerability that is often overlooked.
And in order to address vulnerabilities, risks and threats, regular network vulnerability scanning needs to be a “must-have/must do” extra layer of cyber security protection for every network you manage, regardless of size.
VulScan is a stand-alone internal and external scanning solution that can be integrated with other tools. It consists of a web-based client site management portal and licenses to set up one or more virtual network scanners at each site using our software and Hyper-V or VMWare. It delivers all the features you need for both internal and external vulnerability management.
Want to learn more about vulnerability scanning or the ultimate vulnerability management platform VulScan? Click here to get your personal demo of VulScan and find out what you’re missing.