Exploits feed on vulnerabilities. Vulnerabilities, in turn, pave the way for exploits. These closely related security concepts are often confused, but it’s key to understand the difference and how they each play out to make sure your systems are as airtight as they can possibly be.
What is a vulnerability?
First, let’s look at the concept of a vulnerability. In most cases, in cloud security, when we talk about vulnerabilities we mean weak spots in software code. These can slip in either at the beginning or anytime an update is made to the code base. Vulnerabilities are more common in older, more convoluted software than in SaaS applications, but they are very common.
Attackers find vulnerabilities using automation tools and scans that search the web over and over again looking for any soft spot they can exploit in the absence of a patch. They know that, regardless of their point of entry, if they can get into your system, they can steal data, extort money or expose an organization (depending on their goals). Though targeted attacks do happen, most cyber attacks are crimes of opportunity. So remember that attackers are always out there, always looking for vulnerabilities they can exploit.
How to minimize your vulnerabilities
By now you’re probably wondering what you can do to avoid being the next victim. The best way to reduce the number of vulnerabilities in your own system is to keep all software and systems up to date all the time. There are two keys to this:
- Auto-update: Set up automatic updates for all software and infrastructure systems. Don’t leave it up to the user to take the time out to manually update. Make it a no-brainer, and you’ll greatly reduce your attack surface.
- Vulnerability assessment: Invest in an alerting system that will scan your systems on a regular basis and let you know as soon as a new vulnerability arises, so you can patch it or take other precautionary measures.
Of course, there’s no way to be sure every single vulnerability is caught, but you want to do as much as you can given the knowledge you can get your hands on.
What is an exploit?
A vulnerability is essentially an open door through which an exploit can pass. To put it another way, exploits require vulnerabilities to succeed. You can have a vulnerability without an exploit, but you can’t have a (successful) exploit without a vulnerability. Exploits rely on mistakes and oversights — out-of-date software, unpatched servers, etc. — to succeed.
The good news is that there are a few key steps you can take to dramatically reduce the success of potential exploits.
- Multifactor authentication: Make sure that your users don’t just have to enter a password to access software and services. Multifactor authentication makes use of smart devices or special hardware so that finding a password (which can be trivial) is not enough for bad guys to break into your systems.
- Credential lockouts: If attackers can keep trying passwords all day long, the reality is that eventually they’ll get in (hello brute force). That’s why we strongly recommend instituting lockouts after a certain number of password attempts. If users have simply forgotten a password, they can reach out to the IT team to retrieve it. If bad guys are behind the persistent attempts, they will be out of luck.
- Continuous monitoring: Finally, implementing a continuous monitoring solution means you will know when something suspicious — any anomalous activity — is happening on your systems. That way you can take immediate action and put a stop to any exploit before it does major damage to your organization.
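The credential lockout rule described above, as an added example that is not part of the original article. It assumes a threshold of five consecutive failures (the article names no number) and a hypothetical `it_reset` helpdesk unlock; the login events are constructed.

```python
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5  # assumed threshold; the article only says "a certain number"

@dataclass
class LockoutPolicy:
    max_attempts: int = MAX_ATTEMPTS
    failures: dict = field(default_factory=dict)  # account -> consecutive failures
    locked: set = field(default_factory=set)      # accounts waiting for an IT reset

    def attempt(self, account: str, password_ok: bool) -> str:
        """Record one login attempt and return 'ok', 'denied' or 'locked'."""
        if account in self.locked:
            # A locked account stays locked even for the right password,
            # otherwise the lockout would not stop a guessing run.
            return "locked"
        if password_ok:
            self.failures.pop(account, None)  # success resets the counter
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.max_attempts:
            self.locked.add(account)
            return "locked"
        return "denied"

    def it_reset(self, account: str) -> None:
        """Hypothetical helpdesk unlock, after the user's identity is verified."""
        self.locked.discard(account)
        self.failures.pop(account, None)

def replay(events, policy=None):
    """Run (account, password_ok) events through the policy; return outcomes."""
    if policy is None:
        policy = LockoutPolicy()
    return [policy.attempt(acct, ok) for acct, ok in events]

# Constructed sample: one typo by "bob", then a guessing run against "alice".
SAMPLE_EVENTS = (
    [("bob", False), ("bob", True)]
    + [("alice", False)] * 5
    + [("alice", True)]  # the correct guess arrives after the lockout
)

if __name__ == "__main__":
    for (acct, ok), result in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"{acct:6} password_ok={ok!s:5} -> {result}")
```

Each `locked` outcome is also the kind of event a continuous monitoring system should alert on.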
Any company whose systems touch the Internet in any way, shape or form must understand the basics of vulnerabilities and exploits. Of course, there’s no such thing as perfect security. There will always be a new zero-day threat, persistent vulnerability or unexpected soft spot. Both human factors and technological factors can open your organization up to attacks. It’s impossible to eliminate every single attack opportunity.
But we always say, you don’t have to be faster than the bear (a.k.a. the attacker). You just have to be faster than the other guy. In other words, the key is always to reduce your attack surface as much as possible, first by minimizing vulnerabilities and then by defending against exploits as described above. This one-two punch will ensure that your organization is a very unappealing target for attackers, and that’s exactly the goal.