Whether you know it or not, your computer and the network it connects to likely has security vulnerabilities. But what exactly is a vulnerability? Why do they exist? And where should security professionals refer to find information about vulnerabilities that have been publicly disclosed? This blog post covers the basics that every internet user should know.
Table of Contents
What is a Vulnerability?
According to IT security professionals, “a vulnerability is defined as the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally.” In simpler terms, a vulnerability is a weakness or flaw that could allow an attacker to do harm to a system or network. These flaws exists in hardware devices, software programs, or incorrect configurations. Attackers aim to exploit these vulnerabilities to perform malicious unauthorized actions like stealing data, installing malware, or disrupting services.
To help visualize vulnerabilities, the video’s presenter shared this analogy of weaknesses in a house’s physical security controls:
“Let’s think about house. Houses, like computers, have several mechanisms or security controls to protect its contents and inhabitants. Because we don’t want a random stranger off the street to just walk into our homes, we insist that the exterior doors and windows are in place and they have locks so that outsiders can’t just walk inside.”
Even with security controls in place, vulnerabilities may still exist:
“But even with these security controls, there are weaknesses or vulnerabilities in those controls or even areas beyond the scope of those controls that an attacker might be able to use to break into your home or your computer.”
Some examples of house vulnerabilities that could allow burglars to enter:
- Doors and windows left unlocked
- Pet doors big enough for a person to fit through
- Locks that can be picked or doors that can be pried open
- Smoke detectors with missing or dead batteries
- Incorrectly spaced smoke detectors that won’t detect fires
- Fire extinguishers that are inaccessible when needed
- Home security systems that aren’t armed when residents are away
This demonstrates how even strong security controls can have flaws that render them ineffective against intruders. The same concept applies to computers and networks – no system is perfect when it comes to vulnerability risks.
Why do Vulnerabilities Exist?
Vulnerabilities frequently come down to human design flaws and oversights in software programs and systems:
“Security vulnerabilities are kind of like that. A system was built or set up with flaws or bugs in it, and those flaws can lead to security issues.”
This instructor outlines a few common reasons why vulnerabilities get introduced:
Security wasn’t always a priority in early computer systems
In the early days of computing, flaws that could lead to compromise just weren’t a major concern because systems weren’t interconnected. Vulnerabilities existed but weren’t as easily exploitable by outsiders.
After the internet took off, these vulnerabilities became a bigger issue:
“Back then, in order to even try to take advantage of vulnerabilities, you had to figure out how to get access to something that was probably behind a locked door, or several. Obviously, things have changed now that everything, even refrigerators and washing machines, the Internet of Things, communicates over the internet.”
Bugs in operating system code
Operating systems are complex pieces of software containing hundreds of thousands of lines of code. Developers invariably make mistakes that introduce flaws:
“Flaws happen. Flaws in the code of an OS can introduce vulnerabilities that need to be fixed.”
Microsoft Windows, Linux, macOS, and other OS vendors release frequent patches to address discovered vulnerabilities. But new flaws continue to emerge.
Vulnerabilities in installed applications
Flaws also exist in installed software applications, especially those that communicate across networks:
“While most applications aren’t as complex as operating systems, many are still complex enough that inadvertently introducing a security issue is not uncommon.”
Insecure default configurations
Many devices and applications work with standard out-of-the-box configurations that emphasize convenience over security:
“Unfortunately, that usually means the least secure configuration.”
Examples include internet-connected cameras, smart home devices, and other IoT products that ship with easy default passwords that attackers can look up. Network administrators often neglect to change insecure defaults, leaving their systems exposed.
So in summary, vulnerabilities frequently originate from human design oversights, coding mistakes, or configuration errors rather than technical limitations. This means many vulnerabilities can be prevented with more secure software development and network administration practices. But for now flaws continue to emerge, requiring ongoing vigilance.
What is CVE and NVD?
Once vulnerabilities come to light, where should security teams go to find information about them? Two important resources are CVE and NVD:
What is CVE?
CVE stands for Common Vulnerabilities and Exposures. CVE is a dictionary that provides identifiers, descriptions, and references for publicly known cybersecurity vulnerabilities.
“CVE was created in 1999. That was a time when individual vendors named and identified publicly known vulnerabilities. Before CVE, each vendor had different terms for vulnerability types that resulted in confusion and sometimes multiple names for a single vulnerability.”
In other words, CVE aimed to standardize vulnerability information so security tools and professionals could communicate using common terminology.
Some key facts about CVE:
- CVE entries have a standard ID format such as
- The ID indicates the year when made public and a unique number
- Provides a description and references for each vulnerability
- Acts as an international standard vocabulary for vulnerabilities
So in summary, CVE serves as a baseline dictionary that normalizes details across different vulnerabilities. But it doesn’t provide extensive information on each entry.
What is NVD?
NVD stands for National Vulnerability Database. NVD is a more extensive US government-run public database that builds on CVE:
“NVD takes the information from CVE and adds in more analysis, including a risk assessment and a search engine. That analysis adds context about the software and the versions affected by the vulnerability.”
- Imports new CVE entries and analyzes risks
- Adds additional metadata like affected software/versions
- Provides a search engine for finding vulnerabilities
- Displays severity scores like CVSS (explained below)
In other words, CVE provides the dictionary and identifiers for vulnerabilities while NVD enriches those entries with more security context and risk analysis. Together they make an invaluable public knowledge base that helps organizations understand and address vulnerabilities.
How to Read the CVE ID of a Vulnerability?
CVE identifiers reveal useful information if you know how to interpret them. Let’s break down an example:
- CVE – Indicates this is a CVE identifier
- 2017 – The year this vulnerability was assigned
- 0144 – A unique 4 to 7 digit number
So in human terms, this tells us:
- Standard CVE identifier
- Assigned in the year 2017
- Has the unique number 0144 for that year
The year and number allow administrators to distinguish between vulnerabilities without relying solely on descriptions that may differ between sources.
Hopefully this post gave you a better understanding of what vulnerabilities are, why they arise, and resources like CVE and NVD that collect details about publicly disclosed flaws. It’s important for both personal and enterprise security to monitor these vulnerability databases and apply any necessary software updates and configuration changes to reduce risks. Major vulnerabilities like Log4Shell and PrintNightmare originating from these databases made global headlines when exploited in the wild. So staying aware goes a long way towards improving security and avoiding similar incidents.
We hope this post helped in learning what is a vulnerability, why do vulnerabilities exist, and where we should refer registered vulnerabilities. Thanks for reading this post. Please share this post and help secure the digital world. Visit our website, thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.