Understanding Vulnerability, Part One – What are Vulnerabilities?

This is part 1 of a 3-part series on truly understanding vulnerabilities and using that understanding to change the way you practice information security.

Understanding Vulnerability
By David E. Stern, CISSP

Introduction
Most IT practitioners today are familiar with Microsoft Patch Tuesday. On the second Tuesday of every month, Microsoft publishes the security bulletins and patches it has accumulated since the previous month. This begins a cycle of patching, testing, and worrying. If any of the bulletins are really troublesome, major media outlets run with the story, frightening the less technical public with tales of vulnerability.

The word vulnerability fits nicely into the glossary of information security because it evokes martial themes and imagery of valiant defenders on the perimeter. The newly minted CIO, when confronted by his serious-faced security team, probably glances at his office door, waiting for a battering ram to come through and let the barbarians in.

In all seriousness, the risk management process cannot begin without first understanding the true nature of vulnerability. In this inaugural session of the Security School House, we will work through the foundations of vulnerability: what vulnerabilities are, the types they come in, how they are exploited, and how we evaluate and defend against them.

What are vulnerabilities?
Let's look at a few traditional vulnerabilities. The strongest castles became vulnerable to intrusion with the introduction of modern artillery: big enough guns destroy the biggest walls. Early Wild West stagecoaches were easy targets for large groups of bandits because of their limitations in armor, speed, and defensive weaponry. Humans without the benefit of vaccination fall victim to viruses and bacteria because their vulnerable bodies simply can't fight back.

The chips, wires, and other gizmos found inside a computer are little more than a pile of hardware. Software is the blood that runs through a computer system and makes it function. At the highest level, software is your word processor or video game. At the lowest level, software is the critical microcode that makes the silicon work. No human can ever work through every permutation that a software-hardware system presents to ensure 100% quality. Whether it runs on servers, network equipment, embedded controllers, or home computers, the software will have bugs.

When a bug affects a feature or function, the software simply doesn't work. The worst result of a functional bug is a lost customer. When a bug allows a user to take unauthorized control of the system, crash it, or use it to harm other systems, you have a vulnerability. The code or technique that takes advantage of such a vulnerability is known as an exploit, and an attack that uses one is said to exploit the vulnerability.

What kinds of vulnerabilities are there and how do they work?
There is a wide chasm of understanding between knowing why vulnerabilities exist and knowing how they are exploited. For the purposes of this introductory lesson, we will categorize vulnerabilities and the exploits that target them into three types: denial of service, local, and remote. The categories overlap: local and remote describe where the attacker has to be, while denial of service describes the effect, so a single remotely reachable vulnerability can also be a denial of service vulnerability. Knowing how each type works allows you to understand how it may or may not affect you.

Denial of Service or "DoS" attacks are the car bombs of the electronic world. They aim to deny legitimate users access to a vulnerable service. Depending on the vulnerability, a single crafted request can make a system chase its tail, using up all available memory, CPU, or disk space. DoS attacks can also aim to flood the system's network connection with sheer volume of traffic, making it impossible to communicate. Once these resources are gone, the system can no longer function.

Denial of service attacks are extremely hard to defend against. Banks keep money from robbers by placing it in vaults, behind strong doors, protected by guards and alarms. To protect the money from floods or hurricanes, the bank building must be designed by skilled architects and engineers and built from the strongest materials. These two protection schemes differ in purpose, cost, and ultimate value. Similarly, the protection measures used to defend computer systems against the most common vulnerabilities are miles away from those required to resist DoS attacks. A denial of service that stems from a software bug is fixed by the same patch cycle as any other vulnerability; it is the floods that require specialized and expensive defenses, and ultimately most organizations do not bother with them.
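The resource-exhaustion kind of DoS described above, and the fact that the bug-triggered variety is fixable in the service itself, are easiest to see side by side. The following is an added example, not code from the original article: a tiny length-prefixed message parser (4-byte big-endian length, then payload) in a deliberately trusting form and in a bounded form. The wire format, both parser classes, the limits and the hostile input are all assumptions made for this illustration.

```python
"""Resource-exhaustion denial of service in a length-prefixed message parser.

Added illustration, not code from the original article. The wire format
(4-byte big-endian length, then payload), both parser classes and the limits
below are assumptions made for this example.
"""
import struct
import time

HEADER_LEN = 4
MAX_FRAME = 64 * 1024               # hardened: largest payload we will buffer
MAX_CONNECTION_BYTES = 1024 * 1024  # hardened: lifetime byte budget per peer
MAX_FRAME_SECONDS = 5.0             # hardened: a frame must complete within this


class FrameError(ValueError):
    """Raised by the hardened parser when a peer exceeds a resource limit."""


class VulnerableFrameParser:
    """Trusts the peer's declared length and buffers until it all arrives.

    A peer that declares a 4 GiB frame and then trickles one byte at a time
    keeps a growing buffer and a connection slot for as long as it likes;
    enough such peers exhaust memory and the connection table.
    """

    def __init__(self):
        self.buffer = bytearray()
        self.expected = None     # payload length declared by the peer
        self.frames = []

    def feed(self, data):
        self.buffer += data
        while True:
            if self.expected is None:
                if len(self.buffer) < HEADER_LEN:
                    return
                self.expected = struct.unpack("!I", self.buffer[:HEADER_LEN])[0]
                del self.buffer[:HEADER_LEN]
            if len(self.buffer) < self.expected:
                return                 # keep buffering, however large
            self.frames.append(bytes(self.buffer[:self.expected]))
            del self.buffer[:self.expected]
            self.expected = None


class HardenedFrameParser(VulnerableFrameParser):
    """Same wire format, but everything the peer can consume is bounded."""

    def __init__(self, clock=time.monotonic):
        super().__init__()
        self.clock = clock          # injectable so the timeout can be tested
        self.total_bytes = 0
        self.frame_started = None

    def feed(self, data):
        self.total_bytes += len(data)
        if self.total_bytes > MAX_CONNECTION_BYTES:
            raise FrameError("per-connection byte budget exceeded")
        self.buffer += data
        while True:
            if self.expected is None:
                if len(self.buffer) < HEADER_LEN:
                    return
                declared = struct.unpack("!I", self.buffer[:HEADER_LEN])[0]
                if declared > MAX_FRAME:
                    raise FrameError(f"declared frame of {declared} bytes exceeds {MAX_FRAME}")
                self.expected = declared
                self.frame_started = self.clock()
                del self.buffer[:HEADER_LEN]
            if len(self.buffer) < self.expected:
                # Fires as data trickles in; a completely silent peer is the
                # job of the socket read timeout, which is not shown here.
                if self.clock() - self.frame_started > MAX_FRAME_SECONDS:
                    raise FrameError("slow peer: frame not completed in time")
                return
            self.frames.append(bytes(self.buffer[:self.expected]))
            del self.buffer[:self.expected]
            self.expected = None


def demo_huge_frame():
    """Constructed attack: a header promising 4 GiB, followed by a trickle."""
    hostile = struct.pack("!I", 0xFFFFFFFF) + b"A"
    vuln = VulnerableFrameParser()
    vuln.feed(hostile)
    vuln.feed(b"A" * 100)          # still accepting; reservation never released
    hardened = HardenedFrameParser()
    try:
        hardened.feed(hostile)
        verdict = "accepted"
    except FrameError as e:
        verdict = f"rejected: {e}"
    return (vuln.expected, len(vuln.buffer)), verdict


def demo_slow_peer():
    """A legitimately sized frame delivered too slowly is cut off as well."""
    now = [0.0]
    parser = HardenedFrameParser(clock=lambda: now[0])
    parser.feed(struct.pack("!I", 10) + b"A")
    now[0] += MAX_FRAME_SECONDS + 1
    try:
        parser.feed(b"A")
    except FrameError:
        return True
    return False


def demo_legitimate():
    """Well-formed traffic is parsed identically by both parsers."""
    stream = struct.pack("!I", 3) + b"abc" + struct.pack("!I", 2) + b"xy"
    vuln, hardened = VulnerableFrameParser(), HardenedFrameParser()
    vuln.feed(stream)
    hardened.feed(stream)
    return vuln.frames, hardened.frames
```

The point of the hardened class is that each limit is a decision the service can make for itself: a cap on the declared size, a lifetime byte budget per connection and a deadline for finishing a frame. None of that helps against a flood that saturates the link before the parser ever sees a byte, which is why the article separates the two kinds of defense.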

Local exploits need access to the system itself, either through an application or a command line interface. A successful local exploit requires the attacker to upload an attack tool or to have access to other programs on the system that assist in the attack. The result of a successful attack is either a denial of service or an elevation of privileges. With elevation of privileges, a normal user with restricted access to basic functions overrides those restrictions and gains access to all of the critical subsystems. With this access, the attacker has complete control over the system and can reconfigure it for other tasks. Local exploits are usually discussed in terms of larger, multi-user systems such as those found in educational or hosting environments, where many users share a single machine, but they matter on any system: an attacker whose remote exploit lands in a restricted account commonly turns to a local exploit to finish the job.

Remote exploits keep security folks up at night. A network-connected system derives its value from its ability to use resources on the network and share its own resources with others. Just as a bank needs to let customers inside to do business, network-connected systems need to expose their services to accomplish their tasks. The sheer size and volume of the connections that comprise the Internet make any exposed service on a system fair game to anyone in the world. The minute you open up a file share or personal web server on your humble home PC, you become a target, and your vulnerability becomes a 24/7 convenience store, since the Internet never sleeps.
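Since every exposed service is a remote target, the first check a practitioner makes is simply which listeners are reachable from beyond the host. The following is an added example, not part of the original article: it reads the output of `ss -ltn` (the Linux socket listing) and reports every TCP listener that is not bound to a loopback address. The sample output embedded below is constructed for the example, not captured from a real machine, and the helper names are my own.

```python
"""Which listening services on this host are reachable from the network?

Added illustration, not code from the original article. It reads the output
of `ss -ltn` (Linux) and reports every TCP listener that is not bound to a
loopback address. SAMPLE_SS_OUTPUT is constructed for this example, not
captured from a real machine.
"""
import ipaddress
import subprocess

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128      127.0.0.1:631        0.0.0.0:*
LISTEN  0       128      0.0.0.0:445          0.0.0.0:*
LISTEN  0       511      *:8080               *:*
LISTEN  0       128      [::1]:631            [::]:*
LISTEN  0       128      [::]:22              [::]:*
LISTEN  0       128      192.168.1.20:3306    0.0.0.0:*
"""


def split_host_port(local):
    """'[::1]:631' -> ('::1', 631); '0.0.0.0:445' -> ('0.0.0.0', 445)."""
    host, _, port = local.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, int(port)


def is_exposed(host):
    """True when a bind address accepts connections from other hosts."""
    if host == "*":                       # ss prints '*' for the wildcard
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True                       # unrecognized form: assume exposed


def exposed_listeners(ss_output):
    """Return (host, port) for every LISTEN socket that is not loopback-only."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # header line or unexpected row
        host, port = split_host_port(fields[3])
        if is_exposed(host):
            exposed.append((host, port))
    return exposed


if __name__ == "__main__":
    try:
        output = subprocess.run(["ss", "-ltn"], capture_output=True,
                                text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        output = SAMPLE_SS_OUTPUT          # no ss on this host: use the sample
    for host, port in exposed_listeners(output):
        print(f"exposed: {host}:{port}")
```

Run it on a Linux host and every line it prints is a service that the whole Internet can reach unless a firewall in between says otherwise; the loopback-only listeners (the two 631 entries in the sample) are the ones that do not add remote attack surface.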

Coming Up in Part 2: How do adversaries launch attacks to exploit vulnerabilities?

Until the Catalyst Community is up, comments are open!

Comments

  1. RonW says:

    Dave,
    You are a welcome addition to the Security Catalyst group. Your description of the types of software vulnerabilities is excellent.
    You also make a good point in that there are vulnerabilities in everything. There is no preventing them; it's just a fact of life. The idea is not to try to live without any vulnerabilities, but to know what they are and to mitigate the residual risk appropriately. Understanding how vulnerabilities can be exploited is also a necessary part of the risk equation.
    The problem I’m having on “Patch Tuesday” is translating the vendor’s risk rating into reality; both for my company and for home. For example, Microsoft ranks the Publisher vulnerability as critical. For both work and home, it’s something less. We really don’t use Publisher, plus we have other protection mechanisms in place. That vulnerability can wait to be patched.
    The key that needs to be taught is how to evaluate vulnerabilities and associated exploits and then appropriately mitigate the risks. Applying a patch can sometimes be the worst thing you can do.
    Great start on this topic. I’m looking forward to hearing more from you.
    Cheers,
    Ron W
