The term vulnerability refers to a flaw, weakness or defect in a system that allows the security mechanisms of an IT system or network to be overcome or circumvented.
Weak points can lie in the conception, implementation, configuration, operation or organization of IT systems. A weakness only counts as a vulnerability if it can actually be exploited. Whether a vulnerability is in fact exploited by an attack depends on two factors: the complexity of exploiting it, and the threats the system is exposed to, that is, how many attackers are in a position to reach it and have an interest in doing so.
The likelihood of the vulnerability being exploited follows from these two factors. For example, low exploitation complexity combined with numerous threats to a system means a high probability that an existing vulnerability will be exploited. Combining that likelihood with the impact that exploiting the vulnerability would have gives the risk.
In IT security, the code or technique used to take advantage of a vulnerability is called an exploit. One of the best-known vulnerabilities of recent years became public in 2017 in the SMBv1 server of Microsoft Windows: the implementation of the SMB (Server Message Block) file and printer sharing protocol could be attacked remotely over the network.
It became known after a large number of exploits belonging to the US intelligence agency NSA were published in a leak (by the group calling itself the Shadow Brokers, in April 2017). One of these exploits, codenamed ETERNALBLUE, was used shortly afterwards in worldwide cyberattacks that caused considerable damage, most prominently the WannaCry ransomware outbreak in May 2017. Microsoft had already released a security update (MS17-010, March 2017) that fixed the vulnerability before ETERNALBLUE became public, but because many systems are patched late or not at all, large numbers of systems were still vulnerable when the exploit was published.
To describe and rate vulnerabilities uniformly, IT security uses several standardized naming schemes and evaluation criteria. The Common Weakness Enumeration (CWE) catalogs classes of weakness (for example buffer overflows or missing input validation) so that vulnerabilities can be categorized by their root cause, and describes basic remediation and avoidance strategies for each class.
Common Vulnerabilities and Exposures (CVE) identifies specific vulnerabilities in specific products so that they can be referred to unambiguously. The SMB vulnerability exploited by ETERNALBLUE, for example, carries the identifier CVE-2017-0144 and is described as a remote Windows kernel pool corruption in the SMBv1 server; it is one of several SMBv1 vulnerabilities fixed by the same update.
Criticality is rated with the Common Vulnerability Scoring System (CVSS), which assigns a vulnerability a base score between 0.0 and 10.0 derived from attack vector, attack complexity, required privileges, user interaction, scope and the impact on confidentiality, integrity and availability; 10.0 is the highest possible criticality. The base score measures the severity of the flaw itself, not the risk to a particular organization: that still depends on whether the affected systems are reachable by attackers and what they protect, which is what the optional CVSS temporal and environmental metrics and one's own risk assessment are for.
To protect an organization's IT against the exploitation of existing vulnerabilities, it should be checked for vulnerabilities regularly. Recommended measures are regular penetration tests and regular automated checks of networks, systems and applications with vulnerability scanners. The two complement each other: scanners cheaply find known, cataloged vulnerabilities (typically by CVE) across many systems, while penetration testers also find logic flaws and chains of individually minor weaknesses that scanners miss.
Weak points revealed by these measures must be remedied through targeted measures. This requires a coordinated approach, so-called vulnerability management, in which detection, evaluation (for example by CVSS score and by how exposed the affected system is) and remediation are carried out as part of patch management or change management, with remediation deadlines per severity and a check, for instance by rescanning, that the fix actually took effect.
Fixing individual vulnerabilities often only treats the symptoms of deeper problems. Findings from penetration tests and vulnerability scans should therefore also be analyzed for recurring patterns, so that fundamental improvements to IT security can be addressed.
This can, for example, mean introducing a configuration management system that controls the configuration of IT systems centrally and thereby prevents whole classes of weak points, such as unpatched or insecurely configured hosts, from arising in the first place. This often requires a fundamental rethinking of IT operations and processes, and external expertise can be very valuable here.