Browse Definitions :
Definition

vulnerability (information technology)

A vulnerability, in information technology (IT), is a flaw in code or design that creates a potential point of security compromise for an endpoint or network. Vulnerabilities create possible attack vectors, through which an intruder could run code or access a target system’s memory. The means by which vulnerabilities are exploited are varied and include code injection and buffer overruns; they may be conducted through hacking scripts, applications and free hand coding. A zero-day exploit, for example, takes place as soon as a vulnerability becomes generally known. 

The question of when to make a vulnerability disclosure public remains a contentious issue. Some security experts argue for full and immediate disclosure, including the specific information that could be used to exploit the vulnerability. Proponents of immediate disclosure maintain that it leads to more patching of vulnerabilities and more secure software. Those against vulnerability disclosure argue that information about vulnerabilities should not be published at all, because the information can be used by an intruder. To mitigate risk, many experts believe that limited information should be made available to a selected group after some specified amount of time has elapsed since detection.

Both black hats and white hats regularly search for vulnerabilities and test exploits. Some companies offer bug bounties to encourage white hat hackers to look for vulnerabilities. Typically, payment amounts are commensurate with the size of the organization, the difficulty in hacking the system and how much impact on users a bug might have.

Vulnerability scanning and assessments

Vulnerability management planning is a comprehensive approach to the development of a system of practices and processes designed to identify, analyze and address flaws in hardware or software that could serve as attack vectors. Vulnerability management processes include:

Checking for vulnerabilities - This process should include regular network scanning, firewall logging, penetration testing or use of an automated tool like a vulnerability scanner. A vulnerability scanner is a program that performs the diagnostic phase of a vulnerability analysis, also known as vulnerability assessment. This often includes a pen test component to identify vulnerabilities in an organization's personnel, procedures or processes that might not be detectable with network or system scans. 

Identifying vulnerabilities - This involves analyzing network scans and pen test results, firewall logs or vulnerability scan results to find anomalies that suggest a malware attack or other malicious event has taken advantage of a security vulnerability, or could possibly do so.

Verifying vulnerabilities - This process includes ascertaining whether the identified vulnerabilities could actually be exploited on servers, applications, networks or other systems. This also includes classifying the severity of a vulnerability and the level of risk it presents to the organization.

Mitigating vulnerabilities - This is the process of figuring out how to prevent vulnerabilities from being exploited before a patch is available, or in the event that there is no patch. It can involve taking the affected part of the system off-line (if it's non-critical), or various other work-arounds.

Patching vulnerabilities - This is the process of getting patches -- usually from the vendors of the affected software or hardware -- and applying them to all the affected areas in a timely way. This is sometimes an automated process, done with patch management tools. This step also includes patch testing.

Vulnerability management frameworks

The Common Vulnerability Scoring System (CVSS) is a framework for rating the severity of security vulnerabilities in software. Operated by the Forum of Incident Response and Security Teams (FIRST), the CVSS uses an algorithm to determine three severity rating scores: Base, Temporal and Environmental. The scores are numeric; they range from 0.0 through 10.0 with 10.0 being the most severe.

The National Vulnerability Database (NVD) is a government repository of standards-based vulnerability information. NVD is a product of the National Institute of Standards and Technology (NIST) Computer Security Division and is used by the U.S. Government for security management and compliance as well as automatic vulnerability management. The NVD is sponsored by the Department of Homeland Security (DHS), NCCIC and US-CERT.

This was last updated in February 2019

Continue Reading About vulnerability (information technology)

SearchCompliance
  • compliance risk

    Compliance risk is an organization's potential exposure to legal penalties, financial forfeiture and material loss, resulting ...

  • information governance

    Information governance is a holistic approach to managing corporate information by implementing processes, roles, controls and ...

  • enterprise document management (EDM)

    Enterprise document management (EDM) is a strategy for overseeing an organization's paper and electronic documents so they can be...

SearchSecurity
  • session key

    A session key is an encryption and decryption key that is randomly generated to ensure the security of a communications session ...

  • data breach

    A data breach is a cyber attack in which sensitive, confidential or otherwise protected data has been accessed and/or disclosed ...

  • computer forensics (cyber forensics)

    Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular ...

SearchHealthIT
SearchDisasterRecovery
  • risk mitigation

    Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a business.

  • call tree

    A call tree is a layered hierarchical communication model that is used to notify specific individuals of an event and coordinate ...

  • Disaster Recovery as a Service (DRaaS)

    Disaster recovery as a service (DRaaS) is the replication and hosting of physical or virtual servers by a third party to provide ...

SearchStorage
  • cloud storage

    Cloud storage is a service model in which data is transmitted and stored on remote storage systems, where it is maintained, ...

  • cloud testing

    Cloud testing is the process of using the cloud computing resources of a third-party service provider to test software ...

  • storage virtualization

    Storage virtualization is the pooling of physical storage from multiple storage devices into what appears to be a single storage ...

Close