Security+ Objectives 1.6

1.6 Explain the impact associated with types of vulnerabilities

• Race Conditions — A programming flaw that occurs when two sets of code attempt to access the same resource. The first one to access the resource wins, which can result in inconsistent results. This often happens with code written by new developers because they do not know to protect for it. An example of this happening would be two people buy the exact same ticket to an event and one arriving before the other meaning the secondary person is unable to use the ticket.
• Improper input handling — If there is not proper input validation that allows an attacker to send malicious code to an application and can be used to gain access that isn’t authorized. This is one of the most common security issues on web-based applications. It can allow attacks such as buffer overflow, SQL injection, command injection and cross-site scripting.
• Input validation — A programming process that verifies data is valid before using it.
• Improper error handling — Improper error handling techniques could lead to a failure in an application that leaves it vulnerable to attack. If errors are overly detailed when presented to the user it could give valuable information to an attacker which could help expose a vulnerability.
• Misconfiguration/ Weak Configurations — If an application or operating system is not configured properly this would leave a vulnerability for attackers to find. In this scenario this could be the failure to put security methods in place or provide weak methods that are easy to hack.
• Default Configurations — This is the act of not changing configurations that come by default. A password and username is an obvious example. Some applications and programs come with default credentials that are easy to attack. An additional example would be a wifi router that never had their administrator log ins changed.
• Resource Exhaustion — The malicious result of many DoS and DDoS attacks. The attack overloads a computer’s resources (such as the processor and memory) resulting in service interruption.
• Untrained Users — Untrained users are often the largest vulnerability to an organization. By being unaware of the risk that are present they can accidentally create large area of vulnerability. For example, if a user isn’t trained to avoid phishing attempts they could fall victim to that type of attack.
• Improperly Configured accounts — In the case of improperly configured account this could allow a user to have permissions above what is intended. This could create a vulnerability or give someone the ability to corrupt the system accidentally or on purpose.
• Vulnerable Business processes — If critical systems and components fail and cannot be restored quickly, mission- essential functions can’t be completed. This will result in the business losing money and could cause the business to not be able to survive.
• Weak cipher suites and implementations — By having weak cipher suites and implementations this opens the opportunity for an attacker to decipher the information that is being transmitted. If the information is sensitive this could lead to a vulnerability and the opportunity for the attacker to get access to the system.
• System sprawl/ undocumented assets — A vulnerability that occurs when an organization has more systems than it needs and systems it owns are underutilized. In this scenario it is more likely that a system is overlooked and/or not monitored which can create an opportunity for an attack.
• Architecture/ design weakness — If software or applications are not properly designed and developed they can be vulnerable to attack. They leave possible vulnerabilities built into the code.
• New Threats/Zero Day — A vulnerability or bug that is unknown to trusted sources but can be exploited. This is often found when a software or system is updated.
• Improper certificate and key management — If certificates are not stored properly they can be compromised. Certificates can also be expired or not trusted. If you use a not trust or expired certificate there is no way to know that it is safe and not providing the opportunity for an attacker to find a vulnerability.

Vulnerabilities due to:

• End-of-life systems — a system that is end of life is no longer supported and because of this if you continue to use that version of the system there is a likelihood that it is vulnerable to attack. The version will no longer be updated and could have security issues that have not been addressed.
• Embedded Systems — Any device that has a dedicated function and uses computer system to perform that function. It includes a CPU, an operating system, and one or more applications. An example of this system is something like a printer that has a web page that can be accessed wirelessly to configure. They may be a source of a vulnerability if default configurations aren’t changed.
• Lack of Vendor Support — If a vendor does not support their product with regular updates and upkeep there is a chance that it could be vulnerable to attack. Most if not all products need continued support to avoid being vulnerable.

Memory/buffer vulnerability:

• Memory leak — An application flaw that consumes memory without releasing it.
• Integer Overflow — An application attack that attempts to use or create a numeric value that is too big for an application to handle. Input handling and error handling thwart the attack.
• Buffer Overflow — An error that occurs when an application receives more input, or different input, than it expects. It exposes system memory that is normally inaccessible.
• Pointer dereference — A programming practice that uses a pointer to reference a memory area. A failed dereference operation can corrupt memory and sometimes even cause an application to crash.
• DLL Injection — An attack that injects a Dynamic Link Library (DLL) into memory and runs it. Attackers rewrite the DLL, inserting malicious code.