eBook
Vulnerabilities are one of the four key paths to your crown jewels. In the past year, vulnerability exploitation has doubled, raising stakeholder concerns about their organization’s overall security posture. This e-book is dedicated to bringing awareness to the vulnerability exploitation conversation. Throughout the different chapters, you will have the opportunity to explore many aspects of the vulnerability landscape, including key characteristics, common types, and approaches to addressing the most pressing categories.
In the past year, vulnerability exploitation as an entry point for threat actors has doubled, according to Verizon’s Data Breach Investigations Report. To find these vulnerabilities, threat actors are leveraging a wide variety of techniques, including scanning IPs and open ports, crawling for specific services, testing specific CVEs, and running remote code execution.
As one of the four key information security threats of 2022, vulnerability exploitation must remain a priority in an organization’s security strategy. If a threat actor leverages a weakness and gains unauthorized access to the organization’s network, the organization risks network compromise, data exfiltration, unplanned system downtime, ransomware, and more. Such cybersecurity risks can have debilitating effects across the organization, including financially, operationally, reputationally, and economically. As a result, it is crucial for organizations to do what they can to avoid vulnerability exploitation. By understanding how vulnerabilities are identified and categorized, as well as understanding standard conventions for information that can be used to measure and mitigate the risks to your organization, you can avoid exploitation altogether. Refer to the characteristics and sources chapters to find out more.
With an ever-changing threat landscape comes an ever-evolving vulnerability market. As vulnerabilities are discovered and shared publicly, threat actors are forced to become more sophisticated in their approach to exploit weaknesses in a timely manner. In the following chapters, we will explore what some of those leading vulnerabilities are today.
Common values that are important to understand for any vulnerability include Common Vulnerabilities and Exposures (CVE) values, Common Weakness Enumeration (CWE) values, and Common Vulnerability Scoring System (CVSS) values. These characteristics give organizations a common nomenclature to use throughout the industry, which makes it easier to develop a strategy to protect against vulnerabilities.
CVE refers to a database that catalogs publicly disclosed vulnerabilities, with each entry specific to an explicit occurrence. Thousands of new CVEs are published every year for the good of the security industry. The goal of CVEs is to provide organizations with a repository of known vulnerabilities to ease information sharing. The database gives organizations a starting point for vulnerability management as well as for creating and implementing a proactive security strategy. The catalog serves as a baseline for evaluating current coverage against the known vulnerabilities. Keeping up with the current vulnerability market is the first step towards proper cyber hygiene.
Beyond understanding the vulnerability, organizations can benefit from understanding the characteristics of the building blocks that lead to the vulnerability. While CVE refers to the instance of a vulnerability, CWE focuses on the cause of the vulnerability type. For the security community, CWEs provide common nomenclature for discussing weaknesses and categorizing them by software, hardware, or use case. The list of weakness types provides a baseline for identification, mitigation, and prevention of a weakness.
Once an organization understands relevant vulnerabilities and the underlying weaknesses, understanding the severity of the vulnerability is extremely valuable. CVSS provides a consistent score for vulnerabilities, regardless of the industry. By leveraging CVSS, organizations can understand the severity of each vulnerability in their environment and prioritize its remediation.
Vulnerabilities can occur throughout an organization’s IT environment. While it is impossible to find and address every weakness, understanding the leading causes of vulnerabilities can aid organizations in the development of their security strategy.
Today’s complex IT environments, which incorporate cloud resources, IoT devices, and other systems-of-systems, present an exceptionally challenging security task. Properly securing complex systems is tedious, and while doing so, organizations run a higher risk of control misconfiguration and improper user access. Flaws such as these make vulnerabilities in the complex system more likely.
The human element of security is oftentimes the weakest link. Social engineering is an exceptionally costly threat to organizations nowadays, with a spike in phishing and other social engineering techniques. People are highly prone to introducing vulnerabilities. This year, 82% of breaches involved the human element, according to Verizon’s Data Breach Investigations Report.
As security has become a more streamlined function in every organization, security teams run the risk that threat actors can rely on their own familiarity with tools, code, hardware, operating systems, etc. to find a vulnerability. Consequently, it’s important to tailor an organization’s security practices and software settings to its specific circumstances.
The large number of connected devices on your organization’s network presents a huge attack surface. This connectivity makes it possible for threat actors to discover and exploit vulnerabilities on your network. The number of connected devices provides many possible routes for attackers to move laterally inside the environment.