Step 5 in the recommended risk assessment process is "Identify vulnerabilities". This page expands on that step.
Vulnerabilities usually refer to a weakness or error in software code which can be used to gain unauthorized access to data or a computer system. Vulnerabilities may come in many forms and may be an error in code or in software or system configuration. There are published code vulnerabilities on operating systems, firewalls, applications, server software and all types of software. The intention is to patch the software so the vulnerabilities no longer exist and cannot be exploited by an attacker to gain unauthorized access. Even humans can be vulnerabilities since attackers can fool them into providing unauthorized physical access or even provide a password to allow unauthorized access to systems.
It is very important for all organizations to have a regular schedule of checking for vulnerabilities and getting them fixed. As vulnerabilities are patched, it is worthwhile to test the patch first to prevent the breaking of active applications or capabilities of the systems being patched. Organizations should have a System Update Policy with associated procedures.
There are many categories of vulnerabilities some of which include:
- Personnel - Human engineering used to fool employees.
- Facilities - Attackers may gain physical access.
- Communications - Attackers may eavesdrop on transmitted information.
- Vulnerabilities in software:
- Operating systems
- Applications including internet browsers, email client programs, and web applications.
- Database vulnerabilities
- Anti-virus software vulnerabilities
- DNS software vulnerabilities
- Configuration weaknesses in networking products such as switches, routers, and firewalls.
Top computer vulnerabilities
Some top vulnerabilities include:
- Poor router control
- Unsecure wireless access points.
- Allowing operating system and application information to leak to the internet.
- Running unneeded services on computer systems.
- Weak and reused passwords.
- Excess privileges for user and test accounts.
- Badly configured internet servers, especially FTP.
- Badly configured firewalls
- Outdated or unpatched vulnerable software.
- Lack of security policies and procedures
- Excessive trust across domains.
- Unauthenticated services such as X Windows.
- Inadequate logging, monitoring, and detection of threats on the network
- Former employee accounts still active.
- Operating system configuration weaknesses.
- Weaknesses in internet browsers and browser configurations
Vulnerability databases such as http://nvd.nist.gov (Common Vulnerabilities and Exposures (CVE) should be checked regularly for vulnerabilities related to operating systems and popular software. Signing up to receive regular emails about vulnerability postings should also be done.
More Complete List of Vulnerabilities
- Weak or blank passwords
- Sharing passwords
- Writing down passwords or careless storing of passwords
- Loss of password.
- Human Error
- Trap Door - System developers sometimes write back doors for access to their applications and may forget to close them.
- User error - Accidental deletion or modification of programs or data.
- Improper or system configuration exposing data or systems to attack.
- Use of no encryption or weak encryption protocols when transmitting confidential or sensitive data.
- Misconfiguration of wireless devices or use of unauthorized wireless devices.
- Inaccurate data entry or modification.
- Accidental deletion of data.
- Use of unauthorized or insecure software (peer to peer, IM, screensavers, etc).
- Back door to network such as an unauthorized modem or wireless access point.
- Configuration error
- Not keeping operating systems, programs, or applications patched.
- Misconfiguration of network equipment such as routers.
- Misconfiguration of wireless access points.
- Allowing unneeded services to run on a computer system.
- Badly configured firewall
- Badly configured web, mail, and FTP servers.
- Excessive trust across domains.
- Inadequate logging or monitoring and threat detection of threats on servers or the network.
- Former employee accounts left active.
- Configuration weaknesses in the operating system.
- Weakness in internet browser configurations.
- Bad privilege assignment
- Configuration to use insecure protocols to transmit or store sensitive data.
- Not changing default passwords on systems or services such as on network devices, printer control software, etc.
- Allowing the use of weak passwords for network passwords.
- Allowing directory traversal on systems so an attacker can access directories that should not be accessed.
- Insecure permission configuration for accounts.
- Unneeded wireless SSID broadcast.
- Wireless systems using poor encryption such as WEP.
- Log files stored in insecure location.
- Storage of sensitive information in logs such as passwords.
- Anti-virus settings not configured properly such as not acanning all files and directories, not scanning weekly, etc.
- Software vulnerabilities:
- Buffer overflow
- Vulnerability to SQL, mail, or other injection.
- Instability to mal-formed input.
- Cross site scripting vulnerability allowing attackers to steal cookies.
- Format string vulnerability - A user can inject format specifiers during string processing.
- Sandbox escape
- Memory leak
- Lack of verification of authenticity causing spoofing attack vulnerability.
- Not generating random enough session numbers allowing session hijacking.
- Integer overflow
- Weak encryption for storage or transmission of sensitive data.
- Weak or bad authentication mechanism.
- Weak authentication encryption.
- Leaving desks or cabinets unlocked that should be secure.
- Leaving rooms unlocked that should be secure.
- Not having screen saver password protection implemented on a computer.
- Lack of security policies and procedures.