Let’s start with the definition of vulnerability in cybersecurity. Essentially, a vulnerability is a weakness in a system or network that can be exploited by criminals to gain access to your information. After the initial access has been gained, the next steps are to install malware, steal sensitive data, or to cause damage with malicious code and more.
Here are the official definitions of a cybersecurity vulnerability:
National Institute of Standards and Technology (NIST): Weakness in a system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat.
ISO 27005: A weakness of an asset or group of assets that can be exploited by one or more cyberthreats, where an asset is anything that has value to the organization, its business operations, and their continuity, including information resources that support the organization’s mission.
IETF RFC 4949: A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.
So… What’s the difference between a vulnerability and a threat?
Risk is assessed and measured when the potential business impact of a vulnerability is carefully considered. For example, a vulnerability report might uncover a minor flaw in an application that is not widely used in the organization. A risk assessment might determine that the risk of this vulnerability is very low. On the other hand, if a vulnerability is discovered on a primary business application, the risk of significant business impact would be high, and the vulnerability would need to be addressed immediately.
What are the different types of vulnerabilities?
Vulnerabilities come in all shapes and forms. Some of the most common types are:
Outdated and unpatched software: This is the number one vulnerability identified by the U.S. Department of Homeland Security. Unpatched systems and software are some of the easiest targets for cybercriminals. While every security patch is aimed at fixing a vulnerability, an unpatched system is an open invitation to criminals.
Missing data encryption: When data is left unencrypted, it’s easy for criminals to steal that data. By making it harder (more expensive) for hackers to get access to data, the chances of them gaining access to your data goes down.
Operating system and security misconfigurations: System misconfigurations emerge when a network asset has improper security controls or settings. One of the first things cybercriminals do is scan a network for endpoints with system misconfigurations.
Multi-Factor Authentication: Yet another common tactic used by attackers to gain access to a network is by cracking or guessing employee credentials. When MFA is correctly implemented, the chances of that account getting hacked drop to about 2%.
Cybersecurity training and human error: Even with the best mechanical controls in place, an organization’s employees can be the weak link without frequent awareness training. Regular Phishing tests and security awareness campaigns can make a big difference.
What Is Vulnerability Management?
Vulnerability management is the regular process of identifying, assessing, documenting, managing and remediating security vulnerabilities across endpoints, and systems in a network. In short, vulnerability management is a proactive approach to closing the security gaps that exist in a network before they are used by a bad actor.
Please reach out if we can help you develop a vulnerability management process to help keep your organization safe from cybersecurity threats.
Russ serves as the Vice President, of Customer Success at Philantech3 Consulting Group. He loves high-tech! Russ started his career as an Electrical & Computer Engineer designing Hewlett-Packard computers. After getting an MBA, Russ moved into management and spent the last 18 years designing, building, marketing, and selling IT, software, & video solutions to hospitals. He has managed large divisions for multi-billion-dollar companies but has also bought, built, or sold several small businesses – from $1M to $25M. So, he knows the challenges of owning, building, and managing your own company!
Russ lives in Spokane with his wife and six children. He is passionate about building a better Spokane community by helping businesses succeed! He is active in church and community service. He enjoys landscaping, playing games, and “building stuff” in his spare time.