Study Guide: CompTIA Security SY0-601 Exam: A Simple Guide To Vulnerabilities
Source: https://www.fatskills.com/comptia-security-certification/chapter/comptia-security-sy0-601-exam-a-simple-guide-to-vulnerabilities

CompTIA Security SY0-601 Exam: A Simple Guide To Vulnerabilities

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


Objective: Explain the security concerns associated with various types of vulnerabilities.

Topics:
- cloud-based vs. on-premises
- zero-day attack
- weak configuration
- third-party risk
- patch management
- impact

Vulnerability scanners are capable of prioritizing vulnerabilities based on accepted criteria that reflect the severity of various weaknesses. However, each organization is unique and has varying degrees of resources to fix vulnerabilities. Keep in mind that the mere act of patching a vulnerability introduces risk because the application of the patch might negatively affect the systems. Furthermore, most organizations require resources to ensure that such fixes are properly tested.
Organizations need to consider vulnerabilities across various factors, including existing security controls, the threat likelihood, the goals of the business, and the impact on the systems and on the business if the vulnerability is exploited. This guide examines the impacts associated with many common vulnerability types. Identifying vulnerabilities gives an organization the opportunity to consider their impact and criticality and to evaluate approaches to remediate the weaknesses.
Zero-day vulnerabilities are particularly concerning because vulnerability scanners cannot initially detect them. Attackers who know about these otherwise unknown vulnerabilities can take advantage of the situation. When vendors learn of such a vulnerability, they immediately work on a patch. In some cases, organizations may be pressured into immediately deploying patches without adequate testing.

Cloud-Based vs. On-Premises
Organizations continue to move to cloud-based computing rather than developing and maintaining systems on-premises, where they are responsible for everything from the physical elements up through the application. Organizations face varying considerations when considering cloud-based vs. on-premises systems. When the systems are moved into the cloud, an organization no longer has responsibility for the physical aspects. In fact, in most scenarios, the customer is responsible for the elements above the hypervisor in a virtualized environment. This means, however, that organizations still have a lot of responsibility and should be concerned about vulnerabilities. Many of the same vulnerabilities that affect on-premises systems also affect cloud-based systems. In addition, cloud-based systems bring new vulnerabilities and exposures. Almost everything in the cloud is accessible from behind a single console, and small misconfigurations can have huge impacts across the environment.

Zero-Day
A zero-day (or zero-hour or day-zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others—even the software developer. (Those weaknesses are also called zero-day vulnerabilities.) Zero-day exploits involve using software to exploit security holes to carry out attacks; attackers carry out these exploits or share information about them before the developer of the target software knows about the vulnerability.
A zero-day attack differs from other attacks and vulnerabilities. Most attacks on vulnerable systems involve known vulnerabilities. In some cases, developers know about the vulnerabilities, but patches have not yet been issued. In most cases, however, attacks target known vulnerabilities for which fixes or controls exist but have not been implemented. In the case of zero-day attacks, the software developer does not know about the vulnerability and so has not created or distributed a fix for the software.
Remember that for a zero-day vulnerability, a patch is not yet available. Keep this in mind when evaluating techniques to protect your organization. Against zero-day exploits, effective security policies, training, and compensating mitigations are the most effective defenses, more so than even the most aggressive patch management strategy, because there is nothing to patch yet.

Weak Configurations
Improper and weak configurations across the architecture and systems and software can contribute to continued vulnerabilities. Most organizations follow standard good practices and use well-established frameworks, development life cycles, and governing principles for secure design and architecture. Consider the following examples, however, of configuration weaknesses that increase the likelihood of vulnerabilities:
- Software that allows users to perform tasks with unnecessary privileges, violating the principle of least privilege.
- Systems that fail open instead of failing securely. Such a system failure would allow an attacker to access resources.
- Security through obscurity, which deters only relatively unsophisticated threat actors.
- Unnecessary complexity, which makes systems management more difficult to understand and control.
The last point is particularly important as it relates to system sprawl and undocumented assets. Clear oversight of the design and architecture of systems is vital to operations and security. The design and architecture of systems can easily become poorly documented over time, often because of personnel changes, rapidly evolving needs, and disjointed operations. System sprawl and lack of clear documentation can then result in a loss of visibility and control, which can have negative impacts on an organization and lead to weak configurations.

Systems need to be managed to ensure operational efficiency and effective security practices. Organizations cannot really manage what they do not know about. Organizations therefore require sound information systems governance programs and often use automated tools to constantly monitor the network to identify assets and ensure that they have been properly provisioned and documented. Otherwise, weak and improper configurations manifest in many ways, including the following:
- Errors
- Open permissions
- Unsecured root accounts
- Weak encryption
- Unsecure protocols
- Default settings
- Open ports and services

Be able to explain security concerns associated with weak configurations, including open permissions, unsecured root accounts, errors, weak encryption, unsecured protocols, default settings, and open ports and services.
Configuration errors are common sources of data breaches. Configuration errors typically result when default configurations are not modified and when systems are not configured to align with standards or best practices.
Many vendors ship their systems for ease of use and entrust the customers with applying proper configurations. For example, systems that ship with a default password are open to a simple exploit that can have grave consequences. Many home routers used to ship with a default password that was common to all models of that particular router. Left unchanged, it provided simple access for any malicious attacker who knew the make and model of the device.
Most systems provide cryptographic methods that are based on strong standards. These should be used, and careful attention should be given to managing the cryptographic keys. It is not unusual, however, for these cryptographic standards to become outdated or deprecated due to flaws in design or improvements in technology that make their strength obsolete. It’s important to implement encryption based on strong standards and ensure that the encryption continues to remain strong. An organization should never try to create its own cryptographic algorithms within systems. Such attempts tend to lack the peer review and scrutiny of standard algorithms.
Another example of weak configuration is the presence of unneeded applications and services. Such services provide additional avenues for attackers, especially if default accounts aren’t removed or changed. They also leave open ports, providing more vectors for reconnaissance and attack. An application running an unneeded web server is open to denial-of-service attacks against that HTTP port. In addition, each additional service could carry additional flaws that might go unnoticed. Many web servers, for example, can be configured to reveal directory contents and allow unauthorized users to download sensitive data. These situations themselves can be harmful, but an attacker can also use them to pivot within the environment to cause even more harm.
A denial-of-service (DoS) attack against an unneeded web service is one example of how a nonessential service can potentially cause problems for an otherwise functional system.
One of the most common types of misconfigurations is improperly configured accounts. For example, accounts, along with the associated authentication and authorization mechanisms, may be configured in such a way that they do not restrict access to people who shouldn’t have access. Misconfigured accounts can impact organizations in several ways, including allowing escalated privileges that then harm systems and allowing attackers to exfiltrate data. An unsecured administrator or root account can have serious implications for the entire system and anything it’s connected to.
Devices are often left with default passwords set or with default accounts enabled. Certain accounts are installed by default. Administrators should know what these accounts are so they can determine which ones are really needed and which ones should be disabled to make the system more secure. It is also important for administrators to know which accounts, if any, are installed with blank passwords. The security settings in many newer operating systems do not allow blank passwords, but older operating systems and legacy platforms might, allowing such vulnerabilities to persist.
Renaming or disabling the administrator account and guest account in each domain is advisable to prevent attacks on domains. Default credentials and unmonitored accounts such as the guest or admin accounts commonly established in older equipment and software soften security because they give attackers one component of access credentials. Attempts to compromise both an account and its associated password are more difficult if the account has been renamed or disabled or had its password changed.
Similar principles apply to routers and other network devices. Equipment manufacturers typically use a simple default password on their equipment, with the expectation that the purchaser will change the password. Default logins and passwords are freely available on the Internet, and leaving them in place on a live network poses a huge security risk.
When you are presented with a scenario on the exam, you might be tempted to keep all services enabled to cover all requirements. Be wary of this option as it might mean you would be installing unnecessary services or protocols.
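The weak-configuration categories listed above (open permissions, unsecured root accounts, weak encryption, unsecure protocols, default settings, open ports and services) are exactly what an automated inventory check looks for. The following script is an added example, not code from the Fatskills guide; the hosts, account names, passwords, ports and the "known default password" and "cleartext protocol" lists are constructed sample data and illustrative baselines, not a vendor standard.

```python
"""Weak-configuration audit over a constructed host inventory.

Added example (not from the Fatskills guide). Every host, account, password
and port below is constructed sample data; the check lists are illustrative
baselines (assumptions), not a vendor or CIS benchmark.
"""
from dataclasses import dataclass, field

# Constructed baselines: well-known default/blank passwords, protocols that
# carry credentials or data in cleartext, and deprecated TLS versions/ciphers.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "default", ""}
CLEARTEXT_PROTOCOLS = {"telnet", "ftp", "http", "snmpv1", "snmpv2c"}
WEAK_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHERS = {"RC4", "DES", "3DES", "NULL", "EXPORT"}
PRIVILEGED_DEFAULT_ACCOUNTS = {"root", "administrator", "admin"}
UNMONITORED_DEFAULT_ACCOUNTS = {"guest"}


@dataclass
class Service:
    port: int
    protocol: str            # e.g. "ssh", "https", "telnet"
    required: bool = True    # part of the host's documented role?
    tls_versions: set = field(default_factory=set)
    ciphers: set = field(default_factory=set)


@dataclass
class Account:
    name: str
    password: str
    enabled: bool = True


@dataclass
class Host:
    name: str
    services: list
    accounts: list
    world_writable_paths: list = field(default_factory=list)


def audit_host(host):
    """Return (category, detail) findings; categories mirror the guide's list."""
    findings = []
    for acct in host.accounts:
        if not acct.enabled:
            continue  # disabled accounts are the desired state for defaults
        if acct.password in DEFAULT_PASSWORDS:
            findings.append(("Default settings",
                             f"account {acct.name!r} uses a default or blank password"))
        if acct.name.lower() in PRIVILEGED_DEFAULT_ACCOUNTS:
            findings.append(("Unsecured root accounts",
                             f"default privileged account {acct.name!r} is still enabled"))
        if acct.name.lower() in UNMONITORED_DEFAULT_ACCOUNTS:
            findings.append(("Default settings",
                             f"unmonitored default account {acct.name!r} is enabled"))
    for svc in host.services:
        if svc.protocol in CLEARTEXT_PROTOCOLS:
            findings.append(("Unsecure protocols",
                             f"{svc.protocol} on port {svc.port} transmits in cleartext"))
        weak = (svc.tls_versions & WEAK_TLS) | (svc.ciphers & WEAK_CIPHERS)
        if weak:
            findings.append(("Weak encryption",
                             f"port {svc.port} accepts deprecated {sorted(weak)}"))
        if not svc.required:
            findings.append(("Open ports and services",
                             f"unneeded {svc.protocol} listening on port {svc.port}"))
    for path in host.world_writable_paths:
        findings.append(("Open permissions", f"{path} is world-writable"))
    return findings


def audit_inventory(hosts):
    return {h.name: audit_host(h) for h in hosts}


def summarize(report):
    """Count findings per category across all hosts."""
    counts = {}
    for findings in report.values():
        for category, _ in findings:
            counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    Host("edge-router-01",
         services=[Service(22, "ssh"),
                   Service(23, "telnet", required=False),
                   Service(443, "https", tls_versions={"TLSv1.2"}, ciphers={"AES-GCM"})],
         accounts=[Account("admin", "admin")]),
    Host("app-server-02",
         services=[Service(443, "https", tls_versions={"TLSv1.0", "TLSv1.2"},
                           ciphers={"RC4", "AES-GCM"}),
                   Service(8080, "http", required=False)],
         accounts=[Account("svc_app", "Qx!7vR#2pLm9"), Account("guest", "Gu3st!x")],
         world_writable_paths=["/var/www/uploads"]),
    Host("hardened-03",
         services=[Service(22, "ssh")],
         accounts=[Account("ops", "Zt4$wN8&kV1y"), Account("root", "x", enabled=False)]),
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_HOSTS)
    for host, findings in report.items():
        print(f"{host}: {len(findings)} finding(s)")
        for category, detail in findings:
            print(f"  [{category}] {detail}")
    print(summarize(report))
```

Each finding maps back to one of the categories above, so the summary counts can be used to show which weakness class dominates an environment; the disabled `root` account on `hardened-03` produces no finding, which is the state the guide recommends for default privileged accounts.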

Improper or Weak Patch Management
Security begins at the hardware level. When a device is attacked at the hardware or firmware level, the root cause might not be detected for an extended period of time simply because people tend to implicitly trust hardware and firmware. In today’s environment, however, hardware and firmware are no longer trustworthy and need to be secured. As the Internet of Things (IoT) grows, firmware- and hardware-based exploits will become more common. Just as software gets updated and patched, so does firmware. Organizations have always needed to ensure that firmware is up to date. Hardware manufacturers provide updates and software to perform these updates.
Improperly programmed software can be exploited. Software exploitation takes advantage of a program’s flawed code and involves searching for specific problems, weaknesses, or security holes in software code. The most effective way to prevent an attacker from exploiting software bugs is to ensure proper patch management. This includes the process of evaluating, testing, and deploying the latest manufacturer patches and updates, and monitoring appropriate resources for new vulnerabilities.
Because of the emergence of blended-threat malware, which targets multiple vulnerabilities in a single attack, all major operating systems and application solutions must be considered in system-hardening plans. Automated reverse engineering of newly released patches has significantly reduced the time from the initial release of an update until its first exploits are seen in the wild. Whereas unpatched applications previously could be targeted in a matter of months, now threats can materialize in only hours.

You should be familiar with the following types of updates:
- Hotfix: A hotfix is a small, specific-purpose update that alters the behavior of installed applications in a limited manner. Hotfixes are the most common type of update.
- Service pack: A service pack is a tested, cumulative set of all hotfixes, security updates, critical updates, and updates.
- Update: An update addresses a noncritical, non-security-related bug and is usually a fix for a specific problem. Although the term update is often used in a generic manner, this category can consist of various types of updates that can address critical issues. For example, Microsoft divides its update categories into critical, definition, and security types. A security update addresses a fix for a product-specific security-related vulnerability, and a critical update addresses a fix for a specific problem that is a critical non-security-related bug.

To make the patching process easier, Microsoft releases its security-only updates, or monthly rollup, on a regular schedule. Any system running Microsoft products in an enterprise should be evaluated for the release requirements.
Updates for most systems are released on a schedule, which makes it easier to put a sensible plan into place. If an attacker learns of a vulnerability and releases an exploit for it before the scheduled update date, vendors post the security update ahead of schedule when the situation warrants.

Third-Party Risks
Every organization interfaces one way or another with a third party for management of systems or at least for the supply of systems and services. This creates what’s known as third-party risk. Third parties may introduce into an organization vulnerabilities that need to be considered. The following are some examples of third-party relationships:
- Vendor management
- Outsourced code development
- Data storage

Many systems are provided by third parties, and organizations need adequate processes in place to manage the vendor relationships and the software, hardware, and services these third parties provide. One important factor related to vendor management is ensuring interoperability between vendors’ systems. This is particularly important when multiple vendors’ products must be integrated together and are expected to be interoperable without introducing new vulnerabilities. In addition, vendors tend to provide support for their systems only until a particular time. Most systems are at some point no longer supported by the vendor—either because there is a required upgrade or the product has been abandoned or discontinued. Unsupported software means more than just a lack of technical support or poor reliability: As systems a vendor once supported go end-of-life (EOL), the vendor no longer provides patches for newly discovered vulnerabilities. For example, attackers looking for Windows XP or Windows 7 systems might not find many of them, but when they do, they have easy targets. Such a system may potentially open the door to an attacker seeking to impact an organization in many ways, including establishing a foothold inside.
Maintaining proper governance is key when dealing with areas that are often out of sight, such as the supply chain, outsourced code development, and data storage. An organization may, for example, contract with a third party for offsite backups. Governance, policies, and due diligence will go a long way toward ensuring that expectations and requirements around data security and potential vulnerabilities are understood and addressed with third parties.
If patches and system updates are no longer available because a system has gone end-of-life, attackers have an easy way to exploit the system.
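The patch management section above (evaluate, test, deploy, and expect exploits within hours of a patch release) and the end-of-life point just made combine naturally into a triage routine: rank systems by the worst missing patch, raise the rank when a public exploit exists or the host is Internet-facing, and treat EOL systems as a separate class, because a scanner reports nothing missing for them yet no fix will ever arrive. The script below is an added example, not code from the Fatskills guide; the systems, support dates, CVSS values and the scoring weights are constructed assumptions, and the patch identifiers are placeholders.

```python
"""Patch triage over a constructed system inventory, with EOL handling.

Added example (not from the Fatskills guide). Systems, dates, CVSS values
and weights are constructed assumptions; patch ids are placeholders.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class MissingPatch:
    patch_id: str            # placeholder vendor patch identifier
    cvss: float              # CVSS base score, 0.0 to 10.0
    exploit_public: bool = False


@dataclass
class System:
    name: str
    platform: str
    support_ends: Optional[date]   # None = vendor support still indefinite
    internet_facing: bool
    missing: List[MissingPatch] = field(default_factory=list)


def is_eol(system, today):
    """True when the vendor stopped supporting the platform before today."""
    return system.support_ends is not None and system.support_ends < today


def priority(system, today):
    """Return (score, action). Higher score means act sooner."""
    if is_eol(system, today):
        # A vulnerability scanner may list nothing missing here simply because
        # no patches exist; the remediation is replacement, isolation or a
        # compensating control, so EOL gets a fixed high score (assumed policy).
        return 90, "EOL: no vendor patches; replace, isolate or add compensating controls"
    if not system.missing:
        return 0, "up to date"
    worst = max(system.missing, key=lambda p: p.cvss)
    score = round(worst.cvss * 10)              # 0..100 from the worst CVSS
    if any(p.exploit_public for p in system.missing):
        score += 15   # patch already reverse engineered: exploits within hours
    if system.internet_facing:
        score += 10   # reachable by any attacker, not just insiders
    return score, f"deploy {worst.patch_id} first (CVSS {worst.cvss})"


def triage(systems, today):
    """Return [(name, score, action)] sorted with the most urgent first."""
    ranked = sorted(systems, key=lambda s: priority(s, today)[0], reverse=True)
    return [(s.name, *priority(s, today)) for s in ranked]


# Constructed sample inventory and evaluation date (not real systems).
TODAY = date(2024, 6, 1)
SAMPLE_SYSTEMS = [
    System("legacy-pos-01", "Windows 7", date(2020, 1, 14), internet_facing=False),
    System("web-01", "Ubuntu 22.04", date(2027, 4, 30), internet_facing=True,
           missing=[MissingPatch("PATCH-PLACEHOLDER-1", 9.8, exploit_public=True),
                    MissingPatch("PATCH-PLACEHOLDER-2", 5.3)]),
    System("file-02", "Windows Server 2019", date(2029, 1, 9), internet_facing=False,
           missing=[MissingPatch("PATCH-PLACEHOLDER-3", 7.5)]),
    System("build-03", "Ubuntu 22.04", date(2027, 4, 30), internet_facing=False),
]

if __name__ == "__main__":
    for name, score, action in triage(SAMPLE_SYSTEMS, TODAY):
        print(f"{score:>4}  {name:<14} {action}")
```

The deliberate design choice is that `legacy-pos-01` ranks above `file-02` even though the scanner found nothing to patch on it: an EOL system with no patch path is a standing vulnerability, not a clean host, and the action column says so instead of reporting it as up to date.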

Impacts
An organization should do an analysis based on impacts it is likely to face. A breach, loss of a business process, or loss of information will likely result in some sort of impact, which needs to be measured to understand the severity. A more complex analysis considers the different types of impacts that result from the loss of a functional business process. Consider, for example, the importance of availability to an e-commerce site. An obvious impact is the loss of sales and income that occurs if web servers are not available. You likely can imagine other potential consequences. When measuring impact, an organization should consider potential consequences across a broad set of categories, including the following:
- Data loss
- Data breaches and exfiltration
- Identity theft
- Financial
- Reputation
- Availability loss
- Life and safety

The example of the loss of web servers for an e-commerce site clearly illustrates a potentially severe impact on finances. In addition, the company’s reputation would be impacted. The loss of web servers might not impact personal life and safety, but the loss of emergency management systems might. Similarly, the loss of fire suppression systems could certainly have a significant impact on the availability of facilities, physical property, and related systems. Taken as a whole, all these factors could impact an organization financially.

Quiz:

1. Your company provides outsourced information security services and has a static web presence as most business is conducted over the phone and in person. Your website was hacked due to a vulnerability in the Apache web server. The attacker ended up modifying your home page with a message disparaging the company. Which one of the following impacts to the organization is most likely? A. Data loss B. Financial loss C. Reputation loss D. Data exfiltration

2. Which of the following threats is unknown to others and does not yet have a patch available? A. Unsecured root accounts B. Weak encryption C. Unsecure protocols D. Zero-day attack

3. Which of the following will go a long way toward ensuring that expectations and requirements around data security and potential vulnerabilities are understood and addressed with third parties? (Select three.) A. Governance B. Policies C. Due diligence D. DoS

Answer 1: C. Often an attack on a vulnerability has multiple consequences. The best choice in this case is that an impact on the reputation of the company is the most likely consequence—particularly given that the company doesn’t conduct business online, and the company that was hacked is a security company. Answers A, B, and D are incorrect.
Answer 2: D. A zero-day attack is an attack that tries to exploit computer application vulnerabilities that are unknown to others—even the software developer—and so there is not yet a patch available for them. Effective security policies, training, and mitigation are the most effective ways to deal with zero-day vulnerabilities. Although they all represent weak or improper configurations, answer choices A, B, and C are incorrect.
Answer 3: A, B, and C. Maintaining proper governance is key when dealing with areas that are often out of sight, such as the supply chain, outsourced code development, and data storage. Governance, policies, and due diligence will go a long way toward ensuring that expectations and requirements around data security and potential vulnerabilities are understood and addressed with third parties. Answer D is incorrect. A denial-of-service (DoS) attack against an unneeded web service is an example of how a nonessential service can potentially cause problems for an otherwise functional system.