Thursday 2nd September 2021

BLOG: How Are Vulnerabilities Defined?

A vulnerability is a weakness or error in a system or device's code, design or configuration that, when exploited, can compromise the confidentiality, integrity or availability of the system or its data, for example through unauthorised access to sensitive data, the elevation of privileges, or denial of service. Vulnerabilities go hand in hand with exploits: the code or tool used to trigger and misuse a vulnerability is called an exploit. Cybercriminals and other threat actors are taking advantage of the growing number of internet-connected devices to conduct complex cyberattacks against unsuspecting organisations, individuals and their networks.

Attackers can also exploit vulnerabilities to gather information about the security defences currently in place. Once an ‘error’ is confirmed to be a vulnerability and publicly disclosed, it is registered as a CVE (Common Vulnerabilities and Exposures) entry, with an identifier assigned by MITRE or one of its CVE Numbering Authorities, and is given a Common Vulnerability Scoring System (CVSS) score, typically published in NIST's National Vulnerability Database, that reflects the severity of the flaw. A CVSS base score describes the vulnerability itself rather than the risk it poses to any particular organisation; that risk also depends on factors such as whether the affected system is exposed and whether an exploit is in circulation.

Organisations must use vulnerability management planning to identify, analyse and deal with flaws in hardware or software that could serve as attack vectors. Common vulnerability classes include SQL injection, buffer overflows and cross-site scripting (XSS), and attackers make use of freely available scanners and exploit frameworks that look for known vulnerabilities and security weaknesses in web applications. Many vulnerabilities affect popular software, placing the many consumers and businesses using that software at heightened risk of a data breach or, where the software is a channel into its customers' environments, a supply chain attack, as we have witnessed this year through the Kaseya supply chain attack and the Colonial Pipeline ransomware attack.

A zero-day vulnerability is a software security flaw for which no patch yet exists, because the vendor has only just learned of it, or has not learned of it at all, at the point it is discovered or exploited: the vendor has had ‘zero days’ to fix it. Until the vulnerability is corrected, attackers who know of the flaw can use it to compromise systems or disrupt networks. Once the vendor is notified, work begins on a fix or mitigation to prevent further exploitation. The key point to remember is that in the days after ‘day zero’ there is likely to be no patch or protection in place, which increases the chance of a successful attack on an unsuspecting system. Once a zero-day vulnerability is publicly disclosed it, like any other vulnerability, receives a CVE (Common Vulnerabilities and Exposures) identifier from MITRE.

To understand how Orpheus Cyber can help with Risk-Based Vulnerability Management, click here.
