Whether you know it or not, your computer and the network it connects to likely have security vulnerabilities. But what exactly is a vulnerability? Why do they exist? And where should security professionals look to find information about vulnerabilities that have been publicly disclosed? This blog post covers the basics that every internet user should know.
According to IT security professionals, “a vulnerability is defined as the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally.” In simpler terms, a vulnerability is a weakness or flaw that could allow an attacker to do harm to a system or network. These flaws exist in hardware devices, in software programs, or as incorrect configurations. Attackers aim to exploit these vulnerabilities to perform unauthorized, malicious actions like stealing data, installing malware, or disrupting services.
To help visualize vulnerabilities, the video’s presenter shared this analogy of weaknesses in a house’s physical security controls:
“Let’s think about a house. Houses, like computers, have several mechanisms or security controls to protect its contents and inhabitants. Because we don’t want a random stranger off the street to just walk into our homes, we insist that the exterior doors and windows are in place and they have locks so that outsiders can’t just walk inside.”
Even with security controls in place, vulnerabilities may still exist:
“But even with these security controls, there are weaknesses or vulnerabilities in those controls or even areas beyond the scope of those controls that an attacker might be able to use to break into your home or your computer.”
Some examples of house vulnerabilities that could allow burglars to enter:
Doors and windows left unlocked
Pet doors big enough for a person to fit through
Locks that can be picked or doors that can be pried open
Smoke detectors with missing or dead batteries
Incorrectly spaced smoke detectors that won’t detect fires
Fire extinguishers that are inaccessible when needed
Home security systems that aren’t armed when residents are away
This demonstrates how even strong security controls can have flaws that render them ineffective against intruders. The same concept applies to computers and networks – no system is perfect when it comes to vulnerability risks.
Vulnerabilities frequently come down to human design flaws and oversights in software programs and systems:
“Security vulnerabilities are kind of like that. A system was built or set up with flaws or bugs in it, and those flaws can lead to security issues.”
The instructor outlines a few common reasons why vulnerabilities get introduced:
In the early days of computing, flaws that could lead to compromise just weren’t a major concern because systems weren’t interconnected. Vulnerabilities existed but weren’t as easily exploitable by outsiders.
After the internet took off, these vulnerabilities became a bigger issue:
“Back then, in order to even try to take advantage of vulnerabilities, you had to figure out how to get access to something that was probably behind a locked door, or several. Obviously, things have changed now that everything, even refrigerators and washing machines, the Internet of Things, communicates over the internet.”
Operating systems are complex pieces of software containing hundreds of thousands of lines of code. Developers invariably make mistakes that introduce flaws:
“Flaws happen. Flaws in the code of an OS can introduce vulnerabilities that need to be fixed.”
Microsoft Windows, Linux, macOS, and other OS vendors release frequent patches to address discovered vulnerabilities. But new flaws continue to emerge.
Flaws also exist in installed software applications, especially those that communicate across networks:
“While most applications aren’t as complex as operating systems, many are still complex enough that inadvertently introducing a security issue is not uncommon.”
One example was the Heartbleed bug discovered in 2014. This vulnerability in OpenSSL encryption software allowed attackers to access systems’ sensitive data.
Many devices and applications work with standard out-of-the-box configurations that emphasize convenience over security:
“Unfortunately, that usually means the least secure configuration.”
Examples include internet-connected cameras, smart home devices, and other IoT products that ship with easy default passwords that attackers can look up. Network administrators often neglect to change insecure defaults, leaving their systems exposed.
So in summary, vulnerabilities frequently originate from human design oversights, coding mistakes, or configuration errors rather than technical limitations. This means many vulnerabilities can be prevented with more secure software development and network administration practices. But for now flaws continue to emerge, requiring ongoing vigilance.
Once vulnerabilities come to light, where should security teams go to find information about them? Two important resources are CVE and NVD:
CVE stands for Common Vulnerabilities and Exposures. CVE is a dictionary that provides identifiers, descriptions, and references for publicly known cybersecurity vulnerabilities.
“CVE was created in 1999. That was a time when individual vendors named and identified publicly known vulnerabilities. Before CVE, each vendor had different terms for vulnerability types that resulted in confusion and sometimes multiple names for a single vulnerability.”
In other words, CVE aimed to standardize vulnerability information so security tools and professionals could communicate using common terminology.
Some key facts about CVE:
CVE entries have a standard ID format such as CVE-2019-19781
The ID indicates the year the vulnerability was made public, followed by a unique number
Provides a description and references for each vulnerability
Acts as an international standard vocabulary for vulnerabilities
So in summary, CVE serves as a baseline dictionary that normalizes details across different vulnerabilities. But it doesn’t provide extensive information on each entry.
NVD stands for National Vulnerability Database. NVD is a more extensive US government-run public database that builds on CVE:
“NVD takes the information from CVE and adds in more analysis, including a risk assessment and a search engine. That analysis adds context about the software and the versions affected by the vulnerability.”
Specifically, NVD:
Imports new CVE entries and analyzes risks
Adds additional metadata like affected software/versions
Provides a search engine for finding vulnerabilities
Displays severity scores like CVSS (explained below)
In other words, CVE provides the dictionary and identifiers for vulnerabilities while NVD enriches those entries with more security context and risk analysis. Together they make an invaluable public knowledge base that helps organizations understand and address vulnerabilities.
CVE identifiers reveal useful information if you know how to interpret them. Let’s break down an example:
CVE-2017-0144
CVE – Indicates this is a CVE identifier
2017 – The year this vulnerability was assigned
0144 – A unique 4 to 7 digit number
So in human terms, this tells us:
Standard CVE identifier
Assigned in the year 2017
Has the unique number 0144 for that year
The year and number allow administrators to distinguish between vulnerabilities without relying solely on descriptions that may differ between sources.
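The breakdown above, applied to free text such as scanner output or tickets. This is an added example, not code from the original post: it extracts CVE identifiers, rejects malformed ones, removes duplicates, and orders them by year and number. The function and class names, the sample report, and the NVD detail-page URL pattern are assumptions of this example; the pattern accepts sequence numbers of four or more digits, which includes the 4 to 7 digit range given above.

```python
import re
from typing import NamedTuple

# CVE-YYYY-NNNN: a 4-digit year, then a sequence number of four or more digits.
# The lookarounds stop a match from starting or ending inside a longer token.
CVE_RE = re.compile(
    r"(?<![A-Za-z0-9-])CVE-([0-9]{4})-([0-9]{4,})(?![A-Za-z0-9])", re.IGNORECASE
)
FIRST_CVE_YEAR = 1999  # CVE was created in 1999, so earlier years are rejected


class CveId(NamedTuple):
    year: int
    sequence: str  # kept as text: the leading zero in "0144" is part of the ID

    def __str__(self) -> str:
        return f"CVE-{self.year}-{self.sequence}"

    def nvd_url(self) -> str:
        # Assumed NVD detail-page pattern for looking the entry up.
        return f"https://nvd.nist.gov/vuln/detail/{self}"


def extract_cve_ids(text: str) -> list[CveId]:
    """Return the unique, well-formed CVE IDs in text, ordered by year then number."""
    found = set()
    for year, seq in CVE_RE.findall(text):
        if int(year) >= FIRST_CVE_YEAR:
            found.add(CveId(int(year), seq))
    # Sort the sequence numerically: as strings, "19781" would sort before "2000".
    return sorted(found, key=lambda c: (c.year, int(c.sequence)))


# Constructed sample input (not real scanner output).
SAMPLE_REPORT = """\
host-a  finding: CVE-2017-0144
host-b  finding: cve-2019-19781 (lower case in the ticket)
host-c  finding: CVE-2017-0144
host-d  note: CVE-2017-144 is malformed, the number has only three digits
host-e  note: CVE-1998-0001 has a year before CVE existed
"""

if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_REPORT):
        print(cve, cve.nvd_url())
```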
Hopefully this post gave you a better understanding of what vulnerabilities are, why they arise, and resources like CVE and NVD that collect details about publicly disclosed flaws. It’s important for both personal and enterprise security to monitor these vulnerability databases and apply any necessary software updates and configuration changes to reduce risks. Major vulnerabilities catalogued in these databases, like Log4Shell and PrintNightmare, made global headlines when exploited in the wild. So staying aware goes a long way towards improving security and avoiding similar incidents.
We hope this post helped you learn what a vulnerability is, why vulnerabilities exist, and where to look up registered vulnerabilities. Thanks for reading this post. Visit our website, thesecmaster.com, for more posts like this.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.