What is a vulnerability?
Anything built by humans is vulnerable to something. Information systems, even the best-protected ones, have many vulnerabilities that intruders or attackers can exploit. This article defines what a vulnerability, or security hole, is and which recommendations we can adopt.
What is it?
In IT, a vulnerability is any weakness in a system that a malicious person can use to compromise its security. Vulnerabilities come in various types (hardware, software, procedural or human), and any of them can be exploited by intruders or attackers.
To make this concrete, a vulnerability might be, for example:
- A service of a computer system listening on a particular logical port.
- Systems and applications that have not been updated or patched and have multiple vulnerabilities.
- An open Wi-Fi network.
- An open port in a firewall.
- Inadequate or non-existent control of physical access to the premises.
- The non-application of a password management policy.
Types of IT vulnerability
Some of the typical system and application vulnerabilities are:
- Buffer overflow or buffer overrun: this occurs when an application does not control the amount of data it copies into a buffer; when that amount exceeds the buffer size, the excess can alter contiguous memory areas and affect the data they contain.
- Race condition: this occurs when applications or systems do not enforce mutual exclusion on access to a shared resource, such as a variable, and several processes access it at the same time, obtaining unexpected values.
- Format string errors: these occur when applications do not validate the input data that the user enters, allowing, for example, commands or instructions to be executed that may let the attacker obtain confidential data or damage the system.
- Cross-Site Scripting: attackers embed scripts into legitimate web pages that are affected by this vulnerability and that the user browses. The user then enters data such as their username and password, not on the legitimate website but on the attacker's, who steals the data.
- SQL Injection: when the input data of forms that communicate with databases is not validated, malicious SQL code might be executed, for example to obtain confidential data or to corrupt table data.
Recommendations to avoid IT security vulnerabilities
To detect and correct vulnerabilities, it is advisable to perform reviews or audits that evaluate the technical and organisational security measures an organisation has implemented (at a system, process and people level). Identification and analysis are the first step in defining corrective action plans and rectifying any potential defects.
For specific system and application vulnerabilities, a number of actions are recommended:
- Keep applications and systems up to date and patched.
- Perform vulnerability scans that allow their detection and subsequent correction.
- Run penetration tests for systems, network and applications to identify any weaknesses.
System-, process- and human-related vulnerabilities are security gaps that occur in all organisations and give intruders or hackers a way in, allowing them to bypass security.