CompTIA Security+

Vulnerability Research

Explain the impact associated with types of vulnerabilities.

As a cybersecurity professional, it is important to routinely conduct research into the conditions or security flaws that enable threat actors to achieve their objectives. At a high level, these vulnerabilities can be organized as business processes, system design, misconfigurations, and architecture design. I prefer, however, to use Standard Operating Procedures (SOPs), system design, system misconfigurations, and network defensibility.

Vulnerabilities are conditions or security flaws that enable threat actors to achieve their objectives.

Standard Operating Procedures

Standard Operating Procedures (SOPs) contain administrative security controls and provide instruction for what should be routine work. For example, untrained users, undocumented assets, and poor key management are all signs that the organization either does not have, does not follow, or does not enforce an SOP. If it did, the scenarios mentioned would not be a source of vulnerability.

Untrained Users

Untrained Users are people who are unaware of the cybersecurity responsibilities they have within the organization. Their ignorance is all that stands between a determined Threat Actor and the next billion-dollar data breach. Before granting anyone network access, ensure they have the correct security clearance and need-to-know, have signed an Acceptable Use Policy (AUP) and a Non-Disclosure Agreement (NDA), and have completed your organization's cybersecurity awareness training. As we will discuss in the "Social Engineering" section, if you want to positively influence someone's behavior, you have to increase their awareness and communicate what is acceptable and what is unacceptable.

Undocumented Assets

You must understand what you have in order to protect it. Undocumented Assets are systems that were added to the network and were either forgotten about at some point or never inventoried. They are your organization's blind spots. It's like being a homeowner. How can you protect your family if you don't know how many doors you need to lock at night?

Improper Key Management

As a cybersecurity professional, you must ensure keys are properly created, shared, used, stored, and disposed of. When we say "keys" we really mean anything that provides access. This includes physical keys, RFID badges, smart cards, PINs, passwords, digital certificates, and safe combinations. I discuss attacks against RFID systems in the "Wireless Communications" section.

System Design

System Design represents an opportunity for developers and engineers to bake cybersecurity into the System Development Lifecycle (SDLC). The SDLC is a process computers and software programs go through before they’re put in front of the user. Generally speaking, it begins with the user identifying the need for something they don’t have. Next, the developer takes the requirements provided and designs, produces, tests, and deploys a solution. As a cybersecurity professional, be cognizant of these decision points. What the developer and user believe are features are often vulnerable functions.

Improper Input Handling

Improper Input Handling is when the developer fails to include code that sanitizes data before it is processed. This code should explicitly define what the program expects to receive and specify what should happen if it gets something else. Cross-Site Scripting and SQL Injection are two real-world examples. Again, the vulnerability or security flaw here is a lack of input validation.
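The input-validation point above, shown as an added example that is not part of the original guide: the same lookup written with and without input handling. The table, column names, username rule, and sample rows are assumptions constructed for the illustration.

```python
import re
import sqlite3

# What the program expects to receive: 1-32 lowercase letters, digits or "_".
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db

def lookup_unsafe(db, name):
    # Flawed: the input is pasted into the SQL text, so a quote character
    # in the input changes the meaning of the query itself.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return db.execute(sql).fetchall()

def lookup_safe(db, name):
    # 1. Define what is expected and state what happens otherwise.
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    # 2. Bind the value as a parameter so it is only ever treated as data.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, hostile))   # every row comes back
    try:
        lookup_safe(db, hostile)
    except ValueError as err:
        print("safe:", err)                        # rejected before the query
```
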

Improper Error Handling

Improper Error Handling is when the developer fails to limit the verbosity of output generated by a program when something bad happens. Verbosity is a fancy way of saying “full of words.” So when a program crashes it should include the minimum words necessary for the user and/or developer to resolve the problem at hand. For instance, details like the date, time, and type of error (input, network, etc.) are fine. Yet, a program should not disclose the underlying Operating System (OS) version, program version, etc. This kind of information makes it easier for the attacker to perform reconnaissance and prepare their exploits.
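An added example, not taken from the original guide, contrasting a verbose error response with a minimal one that carries only the time, the error type, and a reference the developer can match against the server-side log. The function names and the incident-id scheme are assumptions made for the illustration.

```python
import logging
import platform
import traceback
import uuid
from datetime import datetime, timezone

log = logging.getLogger("app")

def parse_quantity(raw):
    """Hypothetical request handler step; raises ValueError on bad input."""
    return int(raw)

def verbose_error(exc):
    # Flawed: the caller receives OS details, runtime version and stack trace.
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return f"{platform.platform()} Python {platform.python_version()}\n{trace}"

def minimal_error(exc):
    # Full detail stays in the server-side log, keyed by an incident id.
    incident = uuid.uuid4().hex[:8]
    log.error("incident %s", incident, exc_info=exc)
    # The caller gets only date/time, a coarse error type and the reference.
    return {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "type": "input" if isinstance(exc, ValueError) else "internal",
        "incident": incident,
    }

def handle(raw, responder):
    """Run the handler and turn any failure into a response via `responder`."""
    try:
        return {"quantity": parse_quantity(raw)}
    except Exception as exc:
        return responder(exc)

if __name__ == "__main__":
    print(handle("abc", verbose_error))
    print(handle("abc", minimal_error))
```
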

Race Conditions

Race Conditions are when programs compete to access or change a shared resource at the same time. The winning operation depends on the program. Yet, the impact could allow an attacker to access confidential information, escalate their privileges, or cause a computer to crash. As a cybersecurity professional, impress upon your developers the need to use resource locks in their code. A great example is when you try to access a file already opened by someone else. You get told someone is using it and you have to wait. This is how programs should work.
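The resource-lock advice above as an added example (not from the original guide): two threads withdraw from a shared balance, first with an unprotected check-then-change, then with a lock held across both steps. The Account class and the amounts are constructed for the illustration; a barrier forces the unlucky interleaving so the flaw shows on every run.

```python
import threading
import time

class Account:
    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()

    def withdraw_racy(self, amount, pause):
        if self.balance >= amount:       # check
            pause()                      # window in which another thread runs
            self.balance -= amount       # change, based on a stale check
            return True
        return False

    def withdraw_locked(self, amount, pause):
        with self.lock:                  # second thread waits here
            if self.balance >= amount:
                pause()
                self.balance -= amount
                return True
            return False

def run_two(method, pause, amount=100):
    """Call `method` from two threads at once and collect both results."""
    results = []
    workers = [threading.Thread(target=lambda: results.append(method(amount, pause)))
               for _ in range(2)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return sorted(results)

def demo():
    racy = Account(100)
    barrier = threading.Barrier(2)       # both threads pass the check first
    racy_results = run_two(racy.withdraw_racy, barrier.wait)
    safe = Account(100)
    safe_results = run_two(safe.withdraw_locked, lambda: time.sleep(0.01))
    return racy_results, safe_results, safe.balance

if __name__ == "__main__":
    print(demo())
```
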

Memory Buffers

Buffers are what programs use to absorb input and store data in memory. Think of them like glasses of water on a waiter’s tray. The tray they’re holding is the program, the glasses are buffers, and the water is data. If a developer fails to control how much data (water) goes into a buffer (glass), the system (waiter) and program (tray) could crash. When these conditions lead to a program crash, it is called a Buffer Overflow. The best way to prevent Buffer Overflows is to use Bounds Checking. Bounds Checking is when a program checks to see if the data provided will fit into the buffer it’s destined for before ingesting it.
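An added example, not part of the original guide, of the bounds check described above, applied to a length-prefixed record copied into a fixed-size buffer. The record format (2-byte big-endian length followed by the payload) and the 16-byte capacity are assumptions; Python is memory-safe, so the code models the checks a C program must perform before copying.

```python
import struct

BUF_SIZE = 16  # capacity of the destination buffer (assumed for the example)

def read_record(packet: bytes) -> bytes:
    """Copy a length-prefixed payload into a fixed-size buffer, checking bounds first."""
    if len(packet) < 2:
        raise ValueError("truncated header")
    (declared,) = struct.unpack_from("!H", packet, 0)

    # Bounds check 1: will the data fit into the buffer it is destined for?
    if declared > BUF_SIZE:
        raise ValueError("payload larger than buffer")
    # Bounds check 2: did the sender actually provide that many bytes?
    if declared > len(packet) - 2:
        raise ValueError("declared length exceeds data received")

    buf = bytearray(BUF_SIZE)
    buf[:declared] = packet[2:2 + declared]   # copy only after both checks pass
    return bytes(buf[:declared])

if __name__ == "__main__":
    # Constructed sample packets.
    samples = {
        "fits": struct.pack("!H", 5) + b"hello",
        "too big": struct.pack("!H", 64) + b"A" * 64,
        "lies about length": struct.pack("!H", 10) + b"abc",
    }
    for label, packet in samples.items():
        try:
            print(label, "->", read_record(packet))
        except ValueError as err:
            print(label, "-> rejected:", err)
```
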

Resource Exhaustion

Resource Exhaustion will happen if a developer fails to efficiently address memory, computing, storage, and networking usage. While Resource Exhaustion is the vulnerability, the impact is a Denial-of-Service (DoS). Without additional resources to reorganize itself, a program will pause indefinitely or even crash the system it’s residing on (preventing the organization from doing what it needs to do).

Zero-Days

Zero-Days are software vulnerabilities that don’t have a patch yet. The name is intended to describe how little time the developer has had to address the security flaw. Zero-Days are important in terms of risk because they carry a high probability of success. If an attacker is able to discover one, they will not only be able to compromise your organization, but any organization running the same vulnerable program.

System Misconfigurations

Default Configurations

Accounts

Cipher Suites

Network Defensibility


Last updated 4 years ago