In network security, we use specific terms to help describe security status and events. In this video, you’ll learn the differences between a vulnerability and an exploit.
The term “vulnerability” and the term “exploit” are sometimes incorrectly used interchangeably. In this video, we’ll look at the differences between these two terms.
A vulnerability is a weakness. Sometimes this weakness is in an application. It might be in an operating system, or the weakness may be in the process that you follow that somehow allows someone to circumvent the security that you have in place.
For example, a vulnerability in your home might be something like an open window. This doesn’t automatically mean that someone will find their way into your home and take some of your belongings, but it is a method that somebody could take advantage of.
What’s interesting about these vulnerabilities is that some of them are never discovered on your systems. You can have your window open for years, but if nobody walks around to the back of your house, they may not even realize that a window is open. Sometimes we find these problems after years have gone by and that vulnerability has been on our system that entire time.
There are many different categories of vulnerabilities. In your home, you might leave a door unlocked or you might leave a window open. On your computer, there might be data injection, such as a SQL injection, or you may find that your authentication process is broken and someone may be able to log in with a higher level account than what they normally would have access to.
Perhaps your system unintentionally allows people to see sensitive data, or perhaps you’ve simply misconfigured the security on your system and people could gain access to areas where normally they would not have access.
There are many different kinds of vulnerability categories. These are just a few of them. Normally, when a patch is provided for one of these vulnerabilities, the organization that’s providing the patch will tell you the type of vulnerability that the patch resolves.
Vulnerabilities that may be on your system don’t necessarily mean that someone has taken advantage of those vulnerabilities. When somebody does take advantage of an open window or an unlocked door, we say that they are exploiting that particular vulnerability. They’re gaining control of a system, they’re modifying the data that might be on your computer, or they’re disabling or enabling certain services.
There are many different ways to exploit a vulnerability. Someone may have to write a script or build an application to take advantage of a buffer overflow or a SQL injection. Or perhaps someone is simply accessing an area of the computer that was not properly secured. That kind of vulnerability may be very simple to exploit.
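The difference between the weakness and its use can be shown in a few lines. This is an added example, not part of the original video; the table, accounts and function names are constructed for illustration. The vulnerable login works correctly for ordinary input, so the weakness can sit unnoticed, and only a crafted input exploits it; the parameterized version is the patch.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    # Plaintext passwords only to keep the example short.
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "user"), ("admin", "s3cret-admin", "admin")],
    )
    return db

def login_vulnerable(db, name, password):
    """The vulnerability: input is pasted into the SQL text itself."""
    query = (
        "SELECT role FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    row = db.execute(query).fetchone()
    return row[0] if row else None

def login_fixed(db, name, password):
    """The patch: placeholders keep input as data, never as SQL syntax."""
    row = db.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    # Ordinary use: the weakness is present but nothing looks wrong.
    print(login_vulnerable(db, "alice", "correct-horse"))
    print(login_vulnerable(db, "alice", "wrong"))
    # Constructed input that changes the meaning of the query: the
    # vulnerability is now being exploited to log in as a higher-level account.
    crafted = "' OR role = 'admin"
    print(login_vulnerable(db, "admin", crafted))
    # The same input against the patched code is just a wrong password.
    print(login_fixed(db, "admin", crafted))
```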
Our operating systems and the applications that we use on these operating systems are very complex, and undoubtedly, there are vulnerabilities that exist in those applications and in that operating system that we simply haven’t found yet. Of course, there are researchers all over the world that are trying to find every possible vulnerability they can for every operating system and every application that may be out there.
When someone does find that particular vulnerability, it’s very common for that researcher to share that information with the developer of that application or the manufacturer of that operating system. There is usually a lot of development work that then takes place to be able to fix or resolve that particular vulnerability. At that point, the manufacturer will usually announce that the vulnerability exists, and they will provide a patch for that particular vulnerability.
For example, Microsoft provides a set of patches once a month, and those patches are designed to address a number of different vulnerabilities that have been found. But of course, if you’re a bad guy, you don’t want to go through the process of having the manufacturer close those particular vulnerabilities. You want to be able to take advantage of those vulnerabilities yourself to gain access to data or systems.
These so-called black hat researchers will identify these vulnerabilities that no one else has discovered yet, and they tend to collect them or trade them amongst themselves. They will then create an exploit that will take advantage of those vulnerabilities in order to gain data from those vulnerable systems.
Sometimes a vulnerability will be discovered and then made public without the manufacturer having any opportunity to build a patch. We call this a zero-day vulnerability. And if somebody is taking advantage of or exploiting that vulnerability, we refer to that as a zero-day attack.
We usually pay close attention when these zero-day attacks are occurring, because very often, there is not a patch available to close the vulnerability. In those cases, you’ll need to contact the manufacturer of the application or the operating system to see if there’s a workaround or patch that can be used against the zero-day attack.
It’s also a good idea to keep track of all of the different vulnerabilities that may be made public. A good index of these is the Common Vulnerabilities and Exposures database, or CVE. You can find that list at cve.mitre.org.
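One way to put that tracking into practice is to compare published advisories against what you actually run. This is an added example, not part of the original video; the inventory, the advisory records and their `CVE-XXXX-…` identifiers are constructed placeholders, and the record fields are assumptions rather than the format of any real feed.

```python
# Constructed sample data: placeholder identifiers, not real CVEs.
INVENTORY = {"webapp": "2.4.1", "dbserver": "9.0.3", "mailer": "1.2.0"}

ADVISORIES = [
    {"id": "CVE-XXXX-0001", "product": "webapp", "fixed_in": "2.4.3", "exploited": False},
    {"id": "CVE-XXXX-0002", "product": "dbserver", "fixed_in": None, "exploited": True},
    {"id": "CVE-XXXX-0003", "product": "mailer", "fixed_in": "1.1.9", "exploited": False},
    {"id": "CVE-XXXX-0004", "product": "webapp", "fixed_in": None, "exploited": False},
]

# Lower rank is handled first.
RANK = {"zero-day attack": 0, "zero-day vulnerability": 1, "patch available": 2}

def parse_version(text):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def triage(inventory, advisories):
    """Return (id, product, status, action) for advisories that affect us."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["product"])
        if installed is None:
            continue  # product is not deployed here
        fixed_in = adv["fixed_in"]
        if fixed_in is None:
            # Public with no patch: a zero-day vulnerability, and a
            # zero-day attack if it is being exploited.
            status = "zero-day attack" if adv["exploited"] else "zero-day vulnerability"
            action = "contact the vendor for a workaround"
        elif parse_version(installed) < parse_version(fixed_in):
            status = "patch available"
            action = "update to " + fixed_in
        else:
            continue  # installed version already contains the fix
        findings.append((adv["id"], adv["product"], status, action))
    return sorted(findings, key=lambda f: RANK[f[2]])

if __name__ == "__main__":
    for finding in triage(INVENTORY, ADVISORIES):
        print(*finding, sep=" | ")
```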