Weaknesses and Vulnerabilities explained - Everything you need to know in simple words.

Szymon Jakubowski
7 min read · Jul 11, 2023


Introduction

Ever wondered what the fuss around vulnerabilities is? Vulnerabilities affect everyone — from large enterprises and governments to anyone using a device with software on it. They even pop up in everyday things we deal with all the time! They can have severe consequences if not handled appropriately.

In this article, I will explain what they are, and various concepts around them, using real-life analogies and simple words, so that anyone can follow.

Let’s start with a story…

I think most concepts are best explained using stories, so let’s use one!

Imagine… that you are into gardening as a hobby (if you are, then you don’t have to imagine it!). Unless you really want to get your hands dirty, you will need some tools. Tools range in functionality and of course price. You will also need a place to store your tools — most often that is a tool shed so let’s imagine you have one and this is where all your tools end up. To keep them safe and secure, you install a lock.


A flaw…

After some time, you stumble upon an article in your favorite news source that describes a flaw in a series of locks that makes them very easy to break. Turns out, the lock you installed seems to be affected by this. You start analyzing the situation.


What have you learned so far?

Congratulations, you just learned about the following security concepts:

  • Weakness
  • Exploit
  • Vulnerability

Let’s tie this back to our story. The flaw in the lock is called a weakness. Because the flaw makes the lock very easy to break, the weakness is easily exploitable, and that makes it a vulnerability in the lock. Here is the NIST definition of a vulnerability:

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

A few more scary words are added here, like “information system”, “internal controls” and “threat source”, but it pretty much boils down to what I explained a few sentences above.

Note that if a flaw exists but cannot be exploited, it is just a weakness. An example would be using a weaker material to build the lock. If there is no way to exploit the weaker material to break the lock, it is a weakness of the lock, but not a vulnerability.

So far so good? With some basics now established, let’s continue our story…

A million thoughts…

Now you start thinking about the situation you are in. What questions come to your mind?

Take a moment to think about them, before you continue reading this article.


Here are some questions and thoughts that would come to my mind:

  • What if someone breaks in and steals my tools?
  • How much are the tools worth and how much would I lose?
  • Are thieves common in the area I live in?
  • Is there a fix available?
  • Will the place or vendor I bought the lock from fix it for free or at all?
  • What would be the cost to fix or replace the lock?
  • How long would the replacement process take?
  • What do I do in the meantime? Are my tools going to be unprotected?

If you’ve asked yourself one or more of the above questions (or similar ones), you are on the right track of thinking like a security professional or a risk analyst!

All the above questions touch upon the following concepts:

  • Probability (often referred to as Likelihood)
  • Impact
  • Risk

In fact, the basic formula for Risk is the following:

Risk = Probability * Impact

Probability

This is all about asking yourself the magic question of “what are the chances?”. In our case, if we live in a fairly secure neighborhood with no break-ins, the probability of exploitation might be low. Things that can also help lower the probability are what we call compensating controls. Think, for example, of a high fence, security cameras, motion detectors or patrolling security guards. They don’t eliminate the chances, but they lower them.

Impact

We counted our chances — now let’s ask ourselves what happens if we hit the odds. The first thing we think about in impact is most often money. How much are my tools worth and how much would I lose if someone steals them?

But don’t forget about things that aren’t so easily countable, like sentimental value — maybe the tools aren’t worth that much, but some of them have been in the family for a long time and losing them would have a large emotional impact.

Risk

Let’s put two and two together. Let’s say we have a very low probability of a break-in but the tools we keep in the shed are very valuable thus the impact is very high. What do you do? Are you willing to take the chances and the risk or will you mitigate the risk by investing in a replacement lock? Those are decisions that business and engineering owners need to make on a regular basis when dealing with vulnerabilities in the IT world.


Vulnerabilities and Risks — how do they relate?

There are many types of risk, and one of them is risk coming from vulnerabilities. What are the other types? If you are into investing or trading, you are dealing with financial risk, for example.

A few more concepts…

Before we wrap up this article, I wanted to go over a few more concepts around vulnerabilities that are often referred to when reading various articles or news.

What if you want to look up weaknesses and vulnerabilities in future locks and hardware you are buying, to avoid the same scenario? Are there any frameworks for helping you determine the severity of a vulnerability? There are, but they exist for software and systems, so the story about the lock and tool shed ends here (◡︵◡).

If you look at your laptop, desktop, tablet or mobile, there are so many different types of software installed — the operating system like Windows, macOS, Linux, Android or iOS, and the things on top of it like your email client, chat application, web browser, video games etc. How do you know what’s vulnerable and what is not?

Catalogs

There are two commonly used catalogs (there are more out there, but to keep it simple let’s focus on the most common ones) that keep track of weaknesses and vulnerabilities across software:

Both of these are state sponsored which means the government pays for their maintenance and evolution.

Severity and Scoring

Each CVE is scored using a system called the Common Vulnerability Scoring System (CVSS). Without going too much into detail, it essentially takes in parameters about the probability and impact of the vulnerability on a system and calculates a score, which you then compare to a table to determine the severity of the vulnerability, from informational (score 0) to critical (10).

Scanning

With vulnerabilities cataloged and scored, you can now use a tool like a scanner and run it against your system to check whether any of the installed software has vulnerabilities. The scanner checks what you have installed, essentially compares it to the catalogs, and then tells you which software is vulnerable; scanners will often also recommend actions to take (most often, update the software).
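Here is an added example, not from the article or any real scanner, of the core "compare what is installed against the catalog" step that this kind of tool performs. The product names, versions, catalog entries and `EXAMPLE-000x` identifiers are all constructed placeholders; a real scanner would pull entries with their CVE ids from the catalogs the article mentions. The part that tends to go wrong in home-grown versions of this check is version comparison, so the example compares versions numerically rather than as strings.

```python
def parse_version(version):
    """Constructed helper: dotted numeric versions only, e.g. '1.10.2' -> (1, 10, 2).

    Comparing tuples of ints gets '1.10' > '1.9' right; comparing the raw strings would not.
    """
    return tuple(int(part) for part in version.split("."))


# Constructed catalog. 'introduced' is the first affected version (inclusive),
# 'fixed' is the first version that is no longer affected (exclusive), or None if no fix exists yet.
CATALOG = [
    {"id": "EXAMPLE-0001", "product": "shedlock-manager", "introduced": "1.0.0", "fixed": "1.4.2", "cvss": 7.5},
    {"id": "EXAMPLE-0002", "product": "shedlock-manager", "introduced": "2.0.0", "fixed": "2.1.0", "cvss": 5.3},
    {"id": "EXAMPLE-0003", "product": "gardenmail",       "introduced": "0.9.0", "fixed": None,    "cvss": 9.8},
]

# Constructed software inventory, as a scanner would collect it from the host.
INSTALLED = {"shedlock-manager": "1.3.9", "gardenmail": "3.2.0", "hoecalc": "1.0.0"}


def is_affected(entry, installed_version):
    """True if installed_version falls inside the entry's affected range [introduced, fixed)."""
    v = parse_version(installed_version)
    if v < parse_version(entry["introduced"]):
        return False
    if entry["fixed"] is not None and v >= parse_version(entry["fixed"]):
        return False
    return True


def scan(installed, catalog):
    """Return findings for every catalog entry that matches an installed product, worst score first."""
    findings = []
    for entry in catalog:
        version = installed.get(entry["product"])
        if version is None:
            continue  # product not installed, nothing to check
        if is_affected(entry, version):
            if entry["fixed"]:
                action = f"update to {entry['fixed']} or later"
            else:
                action = "no fix published; reduce probability with a compensating control"
            findings.append({
                "id": entry["id"],
                "product": entry["product"],
                "installed": version,
                "cvss": entry["cvss"],
                "action": action,
            })
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


if __name__ == "__main__":
    for finding in scan(INSTALLED, CATALOG):
        print(f"{finding['id']}: {finding['product']} {finding['installed']} "
              f"(CVSS {finding['cvss']}) -> {finding['action']}")
```

Note that the inventory alone is not a risk assessment: the scanner reports what is vulnerable and how severe the catalog says it is, but whether that matters for you still depends on the probability and impact questions from earlier in the article.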

To fix or not to fix?

Everything up until now was related to discovering and categorizing risks related to vulnerabilities. Now you need to decide what your strategy is for dealing with a risk. This goes into Risk Management and Strategies, which is a topic on its own (maybe for another article :) ?). The most secure way is to get rid of the risk completely, but strategies vary based on context.


Conclusion and Key Takeaways

As you can see, almost everyone has to deal with weaknesses, vulnerabilities and risks in some way, shape or form in their lives. My goal with this article is to teach security concepts to everyone and make everyone more security and risk aware.

This is what I want you to takeaway from this article:

  1. Be able to describe what Weaknesses and Vulnerabilities are.
  2. Be able to explain what Risk is.
  3. Be aware, that Risks and Vulnerabilities are all around us.
  4. Start being curious about Risk Management and learning how to deal with Risks.

Hope you enjoyed the read! I did writing it! ٩(^ᗜ^ )و ´-



Szymon Jakubowski

Product and Security Architect. More about me: https://www.sjakubowski.com/ . All opinions expressed are my own and not those of my employer.