February 5, 2024

What is a Vulnerability? Why do Vulnerabilities Exist? Where We Should Refer Registered Vulnerabilities?



Whether you know it or not, your computer and the network it connects to likely have security vulnerabilities. But what exactly is a vulnerability? Why do they exist? And where should security professionals look for information about vulnerabilities that have been publicly disclosed? This blog post covers the basics that every internet user should know.

What is a Vulnerability?

According to IT security professionals, “a vulnerability is defined as the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally.” In simpler terms, a vulnerability is a weakness or flaw that could allow an attacker to do harm to a system or network. These flaws exist in hardware devices, software programs, or incorrect configurations. Attackers aim to exploit these vulnerabilities to perform malicious, unauthorized actions like stealing data, installing malware, or disrupting services.

To help visualize vulnerabilities, the video’s presenter shared this analogy of weaknesses in a house’s physical security controls:

“Let’s think about a house. Houses, like computers, have several mechanisms or security controls to protect its contents and inhabitants. Because we don’t want a random stranger off the street to just walk into our homes, we insist that the exterior doors and windows are in place and they have locks so that outsiders can’t just walk inside.”

Even with security controls in place, vulnerabilities may still exist:

“But even with these security controls, there are weaknesses or vulnerabilities in those controls or even areas beyond the scope of those controls that an attacker might be able to use to break into your home or your computer.”

Some examples of house vulnerabilities that could allow burglars to enter:

  • Doors and windows left unlocked

  • Pet doors big enough for a person to fit through

  • Locks that can be picked or doors that can be pried open

  • Smoke detectors with missing or dead batteries

  • Incorrectly spaced smoke detectors that won’t detect fires

  • Fire extinguishers that are inaccessible when needed

  • Home security systems that aren’t armed when residents are away

This demonstrates how even strong security controls can have flaws that render them ineffective against intruders. The same concept applies to computers and networks – no system is perfect when it comes to vulnerability risks.

Why do Vulnerabilities Exist?

Vulnerabilities frequently come down to human design flaws and oversights in software programs and systems:

“Security vulnerabilities are kind of like that. A system was built or set up with flaws or bugs in it, and those flaws can lead to security issues.”

The instructor outlines a few common reasons why vulnerabilities get introduced:

Security wasn’t always a priority in early computer systems

In the early days of computing, flaws that could lead to compromise just weren’t a major concern because systems weren’t interconnected. Vulnerabilities existed but weren’t as easily exploitable by outsiders.

After the internet took off, these vulnerabilities became a bigger issue:

“Back then, in order to even try to take advantage of vulnerabilities, you had to figure out how to get access to something that was probably behind a locked door, or several. Obviously, things have changed now that everything, even refrigerators and washing machines, the Internet of Things, communicates over the internet.”

Bugs in operating system code

Operating systems are complex pieces of software containing hundreds of thousands of lines of code. Developers invariably make mistakes that introduce flaws:

“Flaws happen. Flaws in the code of an OS can introduce vulnerabilities that need to be fixed.”

Microsoft Windows, Linux, macOS, and other OS vendors release frequent patches to address discovered vulnerabilities. But new flaws continue to emerge.

Vulnerabilities in installed applications

Flaws also exist in installed software applications, especially those that communicate across networks:

“While most applications aren’t as complex as operating systems, many are still complex enough that inadvertently introducing a security issue is not uncommon.”

One example was the Heartbleed bug discovered in 2014. This vulnerability in OpenSSL encryption software allowed attackers to access systems’ sensitive data.

Insecure default configurations

Many devices and applications work with standard out-of-the-box configurations that emphasize convenience over security:

“Unfortunately, that usually means the least secure configuration.”

Examples include internet-connected cameras, smart home devices, and other IoT products that ship with easy default passwords that attackers can look up. Network administrators often neglect to change insecure defaults, leaving their systems exposed.

So in summary, vulnerabilities frequently originate from human design oversights, coding mistakes, or configuration errors rather than technical limitations. This means many vulnerabilities can be prevented with more secure software development and network administration practices. But for now flaws continue to emerge, requiring ongoing vigilance.

What is CVE and NVD?

Once vulnerabilities come to light, where should security teams go to find information about them? Two important resources are CVE and NVD:

What is CVE?

CVE stands for Common Vulnerabilities and Exposures. CVE is a dictionary that provides identifiers, descriptions, and references for publicly known cybersecurity vulnerabilities.

“CVE was created in 1999. That was a time when individual vendors named and identified publicly known vulnerabilities. Before CVE, each vendor had different terms for vulnerability types that resulted in confusion and sometimes multiple names for a single vulnerability.”

In other words, CVE aimed to standardize vulnerability information so security tools and professionals could communicate using common terminology.

Some key facts about CVE:

  • CVE entries have a standard ID format such as CVE-2019-19781

  • The ID indicates the year when it was made public and a unique number

  • Provides a description and references for each vulnerability

  • Acts as an international standard vocabulary for vulnerabilities

So in summary, CVE serves as a baseline dictionary that normalizes details across different vulnerabilities. But it doesn’t provide extensive information on each entry.

What is NVD?

NVD stands for National Vulnerability Database. NVD is a more extensive US government-run public database that builds on CVE:

“NVD takes the information from CVE and adds in more analysis, including a risk assessment and a search engine. That analysis adds context about the software and the versions affected by the vulnerability.”

Specifically, NVD:

  • Imports new CVE entries and analyzes risks

  • Adds additional metadata like affected software/versions

  • Provides a search engine for finding vulnerabilities

  • Displays severity scores such as CVSS

In other words, CVE provides the dictionary and identifiers for vulnerabilities while NVD enriches those entries with more security context and risk analysis. Together they make an invaluable public knowledge base that helps organizations understand and address vulnerabilities.
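To make the enrichment concrete, the following added example (not from the original post) reads one constructed record laid out like the NVD CVE API 2.0 JSON and checks an installed version against the affected range. The CVE ID, vendor, product, score and versions are placeholders, and only `versionStartIncluding` / `versionEndExcluding` bounds are handled.

```python
import json

# Constructed record laid out like an NVD CVE API 2.0 response. The ID, vendor,
# product, score and versions are placeholders, not real NVD data.
SAMPLE = json.loads("""
{"vulnerabilities": [{"cve": {
  "id": "CVE-0000-0000",
  "metrics": {"cvssMetricV31": [
    {"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
  "configurations": [{"nodes": [{"cpeMatch": [
    {"vulnerable": true,
     "criteria": "cpe:2.3:a:examplevendor:exampleapp:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.4.1"}]}]}]
}}]}
""")

def version_key(version):
    """Compare dotted numeric versions as integer tuples (simplification)."""
    return tuple(int(part) for part in version.split("."))

def summarize(record):
    """Pull the ID, CVSS v3.1 rating and vulnerable CPE ranges out of one record."""
    cve = record["cve"]
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    cvss = metrics[0]["cvssData"] if metrics else {}
    affected = []
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if match.get("vulnerable"):
                    # cpe:2.3:<part>:<vendor>:<product>:<version>:...
                    _, _, _, vendor, product, exact = match["criteria"].split(":")[:6]
                    affected.append((vendor, product, exact,
                                     match.get("versionStartIncluding"),
                                     match.get("versionEndExcluding")))
    return {"id": cve["id"], "score": cvss.get("baseScore"),
            "severity": cvss.get("baseSeverity"), "affected": affected}

def is_affected(summary, vendor, product, version):
    """True if an installed vendor/product/version falls in a vulnerable range."""
    installed = version_key(version)
    for ven, prod, exact, start, end in summary["affected"]:
        same_product = (ven, prod) == (vendor, product)
        exact_ok = exact in ("*", "-") or version_key(exact) == installed
        above = start is None or installed >= version_key(start)
        below = end is None or installed < version_key(end)
        if same_product and exact_ok and above and below:
            return True
    return False
```

The end bound is exclusive, so the version named in `versionEndExcluding` is the first one treated as fixed.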

How to Read the CVE ID of a Vulnerability?

CVE identifiers reveal useful information if you know how to interpret them. Let’s break down an example:

CVE-2017-0144

  • CVE – Indicates this is a CVE identifier

  • 2017 – The year this vulnerability was assigned

  • 0144 – A unique 4 to 7 digit number

So in human terms, this tells us:

  • Standard CVE identifier

  • Assigned in the year 2017

  • Has the unique number 0144 for that year

The year and number allow administrators to distinguish between vulnerabilities without relying solely on descriptions that may differ between sources.
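The breakdown above can be turned into a small parser. This added example (not part of the original post) validates single IDs, pulls IDs out of free text such as scanner output or tickets, and builds the NVD detail link for each; the sample text is constructed, and rejecting future years is an assumption made here.

```python
import re
from datetime import date

# CVE-<year>-<number>. The post describes a 4 to 7 digit number; four digits is
# the minimum in the CVE ID syntax, and this pattern also accepts longer ones.
CVE_RE = re.compile(r"(?<![A-Za-z0-9])CVE-(\d{4})-(\d{4,})(?![A-Za-z0-9])",
                    re.IGNORECASE)
FIRST_CVE_YEAR = 1999  # CVE was created in 1999

# Constructed sample text, not real scanner or ticket output.
SAMPLE = """\
scanner: host-a flagged for cve-2017-0144
ticket 4411: patch CVE-2019-19781 and CVE-2017-0144 this week
typos to reject: CVE-1998-0001, CVE-2017-144, XCVE-2017-01445
"""

def _valid_year(year):
    # A year before CVE existed or in the future is treated as a typo (assumption).
    return FIRST_CVE_YEAR <= year <= date.today().year

def parse_cve_id(text):
    """Return (year, number) for one well-formed CVE ID, or None."""
    m = CVE_RE.fullmatch(text.strip())
    if not m or not _valid_year(int(m.group(1))):
        return None
    return int(m.group(1)), m.group(2)

def extract_cve_ids(text):
    """Find CVE IDs in free text; return unique, upper-cased IDs in ID order."""
    found = set()
    for m in CVE_RE.finditer(text):
        year, number = int(m.group(1)), m.group(2)
        if _valid_year(year):
            found.add((year, int(number), f"CVE-{year}-{number}"))
    return [cve_id for _, _, cve_id in sorted(found)]

def nvd_url(cve_id):
    """Build the NVD detail-page link for a validated CVE ID."""
    parsed = parse_cve_id(cve_id)
    if parsed is None:
        raise ValueError(f"not a valid CVE ID: {cve_id!r}")
    return "https://nvd.nist.gov/vuln/detail/CVE-%d-%s" % parsed

if __name__ == "__main__":
    for cve_id in extract_cve_ids(SAMPLE):
        print(cve_id, nvd_url(cve_id))
```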

Bottom Line

Hopefully this post gave you a better understanding of what vulnerabilities are, why they arise, and how resources like CVE and NVD collect details about publicly disclosed flaws. It’s important for both personal and enterprise security to monitor these vulnerability databases and apply any necessary software updates and configuration changes to reduce risks. Major vulnerabilities like Log4Shell and PrintNightmare, both catalogued in these databases, made global headlines when exploited in the wild. So staying aware goes a long way towards improving security and avoiding similar incidents.

We hope this post helped you learn what a vulnerability is, why vulnerabilities exist, and where to look up registered vulnerabilities. Thanks for reading this post. Please share this post and help secure the digital world. Visit our website, thesecmaster.com, and our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram, and subscribe to receive updates like this.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
