1.6 Explain the impact associated with types of vulnerabilities. Flashcards
Race Conditions
A programming flaw that occurs when two sets of code attempt to access the same resource. The first one to access resource wins, which can result in inconsistent results.
To be more exact, A race condition is a software programming issue where two (or more) threads (a thread is a unit of work) have access to shared data. Problems can arise if both threads are accessing the shared data and one thread modifies the shared data while the other thread is executing logic based on the value of the thread data before the data was changed.
To solve race conditions, programmers put locks on the shared data so that only one thread can access the shared data at one time. Applications vulnerable to race conditions could have the hacker access a resource when he/she should not be able to (because the resource should be locked).
Vulnerabilities Due to - End-of-life Systems
An end-of-life (EOL) system is a system that has reached the end of its usefulness (or profitability) from a vendor’s point of view. EOL systems are typically referred to as legacy systems and are vulnerable because vendors stop maintaining them after they reach their EOL date. For example, a vendor will not create patches for any new vulnerabilities found in software that has reached EOL.
Vulnerabilities Due to - Embedded Systems
An embedded system is a small computer system that contains minimal hardware, such as a processor, circuit board, and memory, and usually a stripped-down version of an OS, and is embedded within a larger device or system to perform specific functions. Because hardware devices run embedded systems with software, they are vulnerable to attack just like a regular computer system if the running software has vulnerabilities.
Embedded systems are often overlooked from a security standpoint, so extra effort should be made to locate embedded systems and evaluate vulnerabilities that
might exist.
Vulnerabilities Due to - Lack of Vendor Support
One of the largest reasons for vulnerabilities is lack of vendor support. All software has vulnerabilities, and once a vulnerability has been found, the vendor typically creates a fix for the vulnerability. If you are using a product that the vendor no longer supports, that means the vendor is no longer creating fixes for vulnerabilities that arise.
Improper Input Handling
Input handling is another job for software programmers. Any time data is passed into an application, the programmer is supposed to validate that data and ensure it is appropriate for the task. If the data is invalid, an error is displayed to the user instead of processing the information. If the programmer does not validate input, hackers can inject malicious data into the application
to control the software in a manner that is not desired.
Improper Error Handling
Error handling is yet another job of software programmers and includes ensuring that the application traps any errors that occur and then handles those errors appropriately so that the application doesn’t crash. When testing the software, developers are testing for the existence of errors.
Misconfiguration/Weak Configuration
Most vulnerabilities exist because software or the operating system has been misconfigured and placed in a nonsecure state.
Default Configuration
When installing software or systems, always make sure to change the default configuration. Hackers know the default configurations of products and learn how to exploit systems based on the default configurations. You should change the defaults to make hackers more likely to give up and look for easier targets.
Resource Exhaustion
Insufficient manpower to get the job done properly is a type of vulnerability. For example, not having enough programmers may result in cutting corners and skipping important tasks such as input validation. Similarly, overworked programmers are more prone to make errors.
Untrained Users
Security training is one of the most important steps an organization can take to help improve the security posture of the organization. For example, users should be trained to never place unknown DVDs or flash drives into the system. Users should be taught about viruses, the need to secure their personal systems, and the importance of mobile device security. Untrained users are also more susceptible to social engineering attacks, as they are not familiar with how to recognize when someone is trying to trick the user into compromising security.
Improperly Configured Accounts
Having user accounts that are not configured properly is a huge vulnerability to the organization. Examples of improperly configured accounts include having too many accounts in the admin group or configuring accounts to never have passwords expire.
Vulnerable Business Processes
Having vulnerable business processes is another weakness for hackers to exploit. Be sure to review all business processes and ensure they follow security best practices. Examples of business processes for the HR department include how to handle a vacation request and what to do when given notice that an employee is leaving the organization. In both examples, you want to be sure that the HR department is following security best practices, such as ensuring there is a backup person to cover a job role when someone goes on vacation, or ensuring that an employee participates in an exit interview before leaving the organization.
Weak Cipher Suites and Implementations
Another common vulnerability in systems today is the use of weak encryption technologies or protocols. For example, never use WEP for wireless encryption because it is an encryption type that is easily cracked
Memory/Buffer Vulnerability - Memory Leak
A memory leak occurs when a program does not release memory for other processes to use after it is done with it. If each program held on to memory after it was done with it, the system would run out of memory and crash.
Memory/Buffer Vulnerability - Integer Overflow
When data is stored in memory, it is assigned a block of memory of a specific size. An integer overflow error occurs when a block of memory has been created to store an integer value, but the result of the arithmetic operation exceeds the maximum size of the integer type assigned.
