1.6 Explain the impact associated with types of vulnerabilities. Flashcards
Vulnerability types
There are many types of vulnerabilities • Some digital, some physical • Cover a broad scope • Programming, network design, process/procedure • Any of these can be exploited at any time
Race condition
A programming conundrum
• Sometimes, things happen at the same time
• This can be bad if you’ve not planned for it
End-of-life vulnerabilities
Without vendor support, no security patches
Upgrade to maintain security
Embedded system vulnerabilities
No direct access to the operating system
These devices are usually connected to the Internet - convenient to the hacker
Lack of vendor support
Vendors are the only ones who can fix their products
Assuming they know about the problem And care about fixing it
Improper input handling
Many applications accept user input• We put data in, we get data back
• All input should be considered malicious• Check everything. Trust nobody
.• Allowing invalid input can be devastating• SQL injections, buffer overflows, denial of service
Improper error handling
Errors happen
Messages should be just informational enough
Network information, memory dump, stack traces, database dumps• This is an easy one to find and fix• A development best-practice
Misconfiguration/weak configuration
• Very easy to leave a door open
The hackers will always find it
Default configuration
• Every application and network device has a default login• Not all of these are ever changed
Untrained users
It takes one person to allow a breach
Training is critical
Improperly configured accounts
Technical issue and process issue • Frequent audits are important • Accounts without a need • Abandoned and unnecessary accounts • Accounts with administrative access • These should be severely limited • Should not be able to login directly as administrator • Unless it’s on a server console
Vulnerable business processes
Vulnerable business processes
Weak cipher suites
Encryption protocol (AES, 3DES, etc.) and key length (40 bits, 128 bits, 256 bits, etc.)
• Hash used for the integrity check (SHA, MD5, etc.)
• Some cipher suites are easier to break than others so Stay updated with the latest best practices
• TLS is one of the most common issues - Over 300 cipher suites
• Weak or null encryption (less than 128 bit key sizes), outdated hashes (MD5)
Memory/buffer vulnerabilities
Manipulating memory can be advantageous• Relatively difficult to accomplish
Memory leak
Unused memory is not properly released
• Begins to slowly grow in size
• Eventually uses all available memory
• System crashes