Learn About Vulnerability Attributes

Introduction

 
In general, vulnerability is a major component of risk. In information technology, a vulnerability is a flaw that an attacker can exploit to perform unauthorized or malicious actions against a computer system. Modern attackers are well skilled and take time to study major business systems and devise ways to exploit them. The number of published vulnerabilities continues to rise every year. In this article, we look at vulnerability attributes.
 
RISK = IMPACT x EXPOSURE x VULNERABILITY
 

Vulnerability Attributes

 
A common approach to the vulnerability attributes of information systems classifies them into three categories:
  • Design/Architecture
  • Behavioral
  • General
All systems have vulnerabilities, so it is good practice to scan systems for vulnerabilities before deploying them. Common Vulnerabilities and Exposures (CVE) is a catalogue of publicly disclosed vulnerabilities, each with a unique identifier; it is not exhaustive, since only flaws that have been disclosed and catalogued appear in it. The severity of a CVE entry is rated separately with the Common Vulnerability Scoring System (CVSS), which combines exploitability and impact metrics into a score from 0.0 to 10.0.
 
Organizations cannot fix everything at once, so they need to decide which vulnerabilities to address first and invest their security effort in the most critical ones, using the CVSS score as one input alongside the exposure of the affected asset.
 
Vulnerability attributes are not only found in software systems; they also encompass hardware, personnel, geo-location, the network, and organizational policies. As organizations grow, their vulnerabilities and risk factors normally increase, so it is advisable that at each stage of growth the organization compiles a vulnerability checklist it can use to assess its position and priorities against security standards.
 

Design/Architecture

 
This category of vulnerabilities is mainly software-based and concerns how the software is designed: which classes are used, how objects are used and accessed, and whether sensitive objects are properly encapsulated in the chosen design. Some designs have centrality issues. Centrality means that critical components of a system are concentrated in a single place: sensitive data, decisions, or control flow all pass through one central point. Once an attacker compromises that central node, the impact is correspondingly severe.
 
Design/Architecture also includes a homogeneity attribute. Homogeneity means that many objects share the same type or implementation. If one object of that type is compromised through a flaw in the shared implementation, the attacker can typically tamper with every other object of the same type, so a single defect has a system-wide impact.
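To make centrality and homogeneity measurable, here is an added example (not code from the original article) that models a constructed toy architecture as a graph of trust edges, where an edge from X to Y means that an attacker controlling X can act on Y. It reports choke points, i.e. components through which reachability between other components passes, and implementation types shared by several components together with the blast radius if that shared implementation has a common flaw. All component names and types are hypothetical.

```python
"""Choke-point (centrality) and homogeneity analysis of a component graph.

Added example, not code from the original article. The architecture below is
a constructed toy: each component has an implementation type and a list of
components it can reach or control once compromised (trust edges).
"""
from collections import deque

# Constructed sample: component -> (implementation type, trusted downstream components).
# An edge X -> Y means Y accepts X's requests, credentials or configuration,
# so an attacker who controls X can act on Y.
SYSTEM = {
    "web-1":      ("app-v2",   ["auth"]),
    "web-2":      ("app-v2",   ["auth"]),
    "mobile-api": ("api-go",   ["auth"]),
    "auth":       ("auth-svc", ["orders-db", "users-db", "reports"]),
    "reports":    ("app-v2",   ["orders-db"]),
    "orders-db":  ("postgres", []),
    "users-db":   ("postgres", []),
}


def reach(system, start_nodes, removed=frozenset()):
    """Transitive closure: every component reachable from start_nodes,
    ignoring edges into any component listed in `removed`."""
    seen = set(start_nodes)
    queue = deque(start_nodes)
    while queue:
        node = queue.popleft()
        for nxt in system[node][1]:
            if nxt in removed or nxt in seen:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return seen


def choke_points(system):
    """Centrality measure: for each component n, count the (source, target)
    pairs of other components whose reachability is lost when n is removed.
    A non-zero count means control passes through n; the larger the count,
    the more of the system hinges on that single node."""
    nodes = list(system)
    result = {}
    for n in nodes:
        cut = 0
        for s in nodes:
            if s == n:
                continue
            full = reach(system, [s])
            without = reach(system, [s], removed={n})
            cut += len((full - without) - {n})
        if cut:
            result[n] = cut
    return result


def homogeneity_report(system):
    """For each implementation type used by more than one component, list the
    instances and the blast radius (number of components reachable) if that
    implementation has one exploitable flaw and every instance falls at once."""
    by_type = {}
    for node, (impl, _) in system.items():
        by_type.setdefault(impl, []).append(node)
    report = {}
    for impl, nodes in by_type.items():
        if len(nodes) > 1:
            report[impl] = {"instances": sorted(nodes),
                            "reach": len(reach(system, nodes))}
    return report


if __name__ == "__main__":
    print("choke points:", choke_points(SYSTEM))
    print("shared implementations:", homogeneity_report(SYSTEM))
```

In the sample graph only the auth service is a choke point: every path from the front ends to the databases and the reporting job passes through it. The homogeneity report shows that a single flaw in the shared "app-v2" implementation would hand an attacker three components at once and, through them, most of the system, whereas the two database instances share a type but reach nothing further.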
 

Behavioral

 
Besides their structure and design, objects may have exploitable characteristics that alter their behavior when they receive untrusted input. This attribute is not limited to software systems; it also covers other aspects of the organization such as personnel (e.g. insider threats). Individuals in an organization may cooperate with outside attackers to compromise a system's functionality, willingly or under duress such as blackmail. This attribute also involves the organization's hiring policy.
 
Organizations need to be rigorous when hiring, checking background information and every other aspect that may influence personnel.
 
Besides being corrupted by outsiders, personnel may also be complacent. Individuals may lack security diligence: they may follow poor administration procedures, skip testing steps, or respond poorly to threats.
 
For information systems, thorough testing is needed before an application is deployed, and security concerns should be raised and checked against a vulnerability checklist. Some objects have a malleability weakness: they can easily be modified, inserted, manipulated, or deleted, which damages the system's basic functionality.
 
The system's behavior may expose it to attack vectors such as SQL injection, distributed denial-of-service attacks, and so on. SQL injection is the textbook behavioral flaw: the query the application actually executes changes depending on the untrusted input it receives.
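The following added example (not from the original article) shows the behavioral attribute concretely for SQL injection: the same user lookup is written once with untrusted input spliced into the query text and once with a bound parameter, and both are run against a constructed in-memory SQLite table with a constructed tautology payload.

```python
"""Behavioral flaw: one lookup with input spliced into the SQL text, one
parameterized. Added example, not code from the original article. The users
table, the rows and the attacker input are constructed sample data.
"""
import sqlite3


def make_db():
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable on purpose: the username becomes part of the SQL text, so
    the input can change the structure of the query, not just its data."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Hardened: the value is bound as a parameter; the query text is fixed,
    so whatever the input contains is only ever compared as a string."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attacker input: closes the string literal and appends a tautology,
# turning "... WHERE username = 'X'" into "... WHERE username = 'nobody' OR '1'='1'".
INJECTION = "nobody' OR '1'='1"


def demo():
    """Run both variants with a normal username and with the payload."""
    conn = make_db()
    return {
        "vuln_normal": find_user_vulnerable(conn, "alice"),
        "vuln_injected": find_user_vulnerable(conn, INJECTION),
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_injected": find_user_safe(conn, INJECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the payload, the vulnerable version returns every row in the table because the tautology rewrites the WHERE clause; the parameterized version returns nothing, because the same bytes are compared as a username that does not exist. The fix is structural (fixed query text, data bound separately), not input filtering.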
 

General Attributes

 
These attributes cut across all spheres of the organization: system design, personnel, geo-location, hardware, and network issues.
 
An organization may have its central backup server in a location prone to natural disasters. In some cases, organizations house hardware in inadequate premises where it is exposed to humidity, dust, or overheating, or to theft and vandalism because of poor physical security.
 
In some cases, organizations have unprotected communication lines and transfer sensitive data over them. Insecure network architecture can lead to spoofing and other attacks that cost the organization a lot of money.
 

Conclusion

 
Vulnerability attributes vary in description, but most fall into the categories described above. There is a clear need to scan systems for vulnerabilities and analyze their causes. Organizations should assess their security environment both internally and externally, rate what they find using the CVSS, and prioritize their risks accordingly.