Exploits feed on vulnerabilities. Vulnerabilities, in turn, pave the way for exploits. These closely related security concepts are often confused, but it’s key to understand the difference and how they each play out to make sure your systems are as airtight as they can possibly be.
What is a vulnerability?
First, let’s look at the concept of a vulnerability. When we talk about vulnerabilities in cloud and application security, we usually mean weaknesses in software code (or in how that software is configured) that an attacker can take advantage of. They can be introduced when the code is first written or any time the code base is updated. Older, more convoluted code bases that receive fewer updates tend to carry more of them, but no category of software is free of them, and they are very common.
Attackers find vulnerabilities with automated scanners that sweep the Internet over and over, looking for any exposed system that is missing a patch. Whatever the point of entry, once inside they can steal data, extort money or embarrass an organization, depending on their goals. Targeted attacks do happen, but most attacks are crimes of opportunity: the victim is whoever was easiest to reach. So remember that attackers are always out there, always looking for vulnerabilities they can exploit.
Examples of vulnerabilities
Some examples of recent, highly publicized vulnerabilities are Shellshock and Heartbleed. (You could say 2014 was a rough year for vulnerabilities.)
Heartbleed (CVE-2014-0160) was the first of the two to be discovered. It was a bug in the OpenSSL cryptography library, which is widely used to implement the Transport Layer Security (TLS) protocol. The flaw sat in OpenSSL’s implementation of the TLS heartbeat extension: the code trusted the payload length claimed in an incoming heartbeat request and copied that many bytes into the reply without checking the claim against the amount of data actually received. A request that claimed a large payload therefore made the server (or client) send back up to 64 KB of whatever happened to be in its process memory, which could include private keys, session cookies and passwords. The bug shipped in OpenSSL 1.0.1 in March 2012 and was publicly disclosed in April 2014. It affected OpenSSL 1.0.1 through 1.0.1f, not every OpenSSL deployment, and a fixed release (1.0.1g) was published the same day the bug was disclosed.
Shellshock (CVE-2014-6271 and several related CVEs) was a family of bugs disclosed in September 2014 in Bash, the Unix shell used by many Internet-facing services. Bash allowed function definitions to be passed in through environment variables, and vulnerable versions kept parsing past the end of the function body and executed whatever commands followed it. Any service that put attacker-controlled input into an environment variable and then invoked Bash (CGI scripts were the most common case) could be made to run arbitrary commands, giving the attacker a foothold on the host. Within hours of disclosure, attackers were using it to recruit servers into botnets that launched DDoS attacks. Patches have since been released and for the most part applied, but the original attack surface was huge (on the order of millions of servers), so the vulnerability understandably garnered a lot of media attention.
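Here is a worked model of the Heartbleed bug, added to this page as an example; it is neither OpenSSL’s code nor part of the original article. It reproduces in Python the logic of the bug and of the fix: a heartbeat message carries a type byte, a two-byte payload length, the payload and 16 bytes of padding. The vulnerable handler echoes as many bytes as the length field claims; the fixed handler first checks that claim against the size of the record it actually received. The stale memory placed after the record, and the secrets in it, are constructed for the demonstration.

```python
import struct

# Wire layout of a TLS heartbeat message as OpenSSL 1.0.1 parsed it:
# 1 byte type, 2 bytes payload length (big-endian), payload, 16 bytes padding.
HB_REQUEST = 1
HB_RESPONSE = 2
PADDING = 16

# Constructed "stale memory": bytes that sit right after the received record in the
# process's buffer. The secrets are made up for this demonstration.
STALE_MEMORY = b"...session_cookie=SECRET123; ...-----BEGIN RSA PRIVATE KEY-----..."


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Build a heartbeat request. An honest peer sets claimed_length == len(payload);
    the attack sets it far larger than the number of bytes actually sent."""
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_length) + payload + b"\x00" * PADDING


def vulnerable_heartbeat_handler(buffer: bytes, record_length: int) -> bytes:
    """Pre-fix logic: trust the length field and copy that many bytes after the header.
    record_length (the size of the record actually received) is never consulted."""
    if buffer[0] != HB_REQUEST:
        return b""
    payload_length = struct.unpack("!H", buffer[1:3])[0]
    # If payload_length exceeds the received data, this copy runs past the record
    # into whatever follows it in memory, and that gets sent back to the peer.
    echoed = buffer[3:3 + payload_length]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_length) + echoed + b"\x00" * PADDING


def fixed_heartbeat_handler(buffer: bytes, record_length: int) -> bytes:
    """Post-fix logic (OpenSSL 1.0.1g): discard any heartbeat whose claimed payload, plus
    the 3-byte header and 16 bytes of padding, does not fit inside the received record."""
    if buffer[0] != HB_REQUEST:
        return b""
    payload_length = struct.unpack("!H", buffer[1:3])[0]
    if 1 + 2 + payload_length + PADDING > record_length:
        return b""  # silently dropped, as the patch does
    echoed = buffer[3:3 + payload_length]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_length) + echoed + b"\x00" * PADDING


def heartbeat_exchange(handler, claimed_length: int, payload: bytes = b"ping") -> bytes:
    """Send one heartbeat with the given claimed length through a handler and return the
    payload bytes that come back (empty if the handler dropped the request)."""
    record = build_heartbeat(payload, claimed_length)
    process_buffer = record + STALE_MEMORY  # the received record followed by stale memory
    response = handler(process_buffer, len(record))
    if not response:
        return b""
    length = struct.unpack("!H", response[1:3])[0]
    return response[3:3 + length]


if __name__ == "__main__":
    print("honest  :", heartbeat_exchange(vulnerable_heartbeat_handler, 4))
    print("attack  :", heartbeat_exchange(vulnerable_heartbeat_handler, 200))
    print("patched :", heartbeat_exchange(fixed_heartbeat_handler, 200))
```

An honest 4-byte heartbeat gets its 4 bytes back from either handler. A request claiming 200 bytes makes the vulnerable handler return the padding plus the constructed session cookie and key material that follow the record; the fixed handler returns nothing at all, which is exactly what the patch does.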
How to minimize your vulnerabilities
By now you’re probably wondering what you can do to avoid being the next victim. The best way to reduce the number of vulnerabilities in your own system is to keep all software and systems up-to-date all the time. There are two keys to this:
- Auto-update: Set up automatic updates for all software and infrastructure systems. Don’t leave it to users to take time out to update manually; make it a no-brainer and you’ll greatly reduce your attack surface. Where an update could break something important, stage it on a test system first, but don’t let that become an excuse to leave production unpatched for weeks.
- Vulnerability assessment: Invest in a scanner that regularly inventories what is installed on your systems, compares it against published advisories and alerts you as soon as a new vulnerability affects you, so you can patch or take other precautionary measures.
Of course, there’s no way to be sure every single vulnerability is caught, but you want to do as much as you can given the knowledge you can get your hands on.
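As an added example (not code from the original article), here is the core of a vulnerability-assessment check in Python: an inventory of installed package versions is compared against advisory records that say which version range is affected. The version parser, the inventory and the advisory feed are constructed for this page. The OpenSSL entry uses Heartbleed’s real range (1.0.1 up to but not including 1.0.1g); the examplelib entry and its EXAMPLE-2014-001 identifier are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    advisory_id: str
    affected_below: str        # first fixed version; versions below it (and >= affected_since) are affected
    affected_since: str = "0"  # first affected version, inclusive


def parse_version(version: str) -> tuple:
    """Turn versions such as '1.0.1f' or '4.3.30' into tuples Python can compare.
    Each dotted component becomes (number, letter_suffix), so 1.0.1 < 1.0.1f < 1.0.1g < 1.0.2.
    This is a constructed parser for the example; real package ecosystems have their own rules."""
    parts = []
    for piece in version.split("."):
        digits = ""
        index = 0
        while index < len(piece) and piece[index].isdigit():
            digits += piece[index]
            index += 1
        parts.append((int(digits) if digits else 0, piece[index:]))
    return tuple(parts)


def is_affected(installed: str, advisory: Advisory) -> bool:
    """True when the installed version falls inside the advisory's affected range."""
    v = parse_version(installed)
    return parse_version(advisory.affected_since) <= v < parse_version(advisory.affected_below)


def assess(inventory: dict, advisories: list) -> list:
    """Compare every installed package against every advisory and return the findings
    as (host, package, installed_version, advisory_id) tuples."""
    findings = []
    for host, packages in inventory.items():
        for package, version in packages.items():
            for advisory in advisories:
                if advisory.package == package and is_affected(version, advisory):
                    findings.append((host, package, version, advisory.advisory_id))
    return findings


# Constructed advisory feed. The OpenSSL entry uses Heartbleed's real affected range
# (1.0.1 through 1.0.1f, fixed in 1.0.1g); the examplelib entry is hypothetical.
SAMPLE_ADVISORIES = [
    Advisory("openssl", "CVE-2014-0160", affected_below="1.0.1g", affected_since="1.0.1"),
    Advisory("examplelib", "EXAMPLE-2014-001", affected_below="2.4.0"),
]

# Constructed inventory: host -> {package: installed version}.
SAMPLE_INVENTORY = {
    "web-1": {"openssl": "1.0.1e", "examplelib": "2.3.9"},
    "web-2": {"openssl": "1.0.1g", "examplelib": "2.4.1"},
    "db-1": {"openssl": "1.0.0k", "examplelib": "2.4.0"},
}


if __name__ == "__main__":
    for host, package, version, advisory_id in assess(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"{host}: {package} {version} is affected by {advisory_id}")
```

Running it flags only web-1: its OpenSSL 1.0.1e falls inside the Heartbleed range and its examplelib 2.3.9 is below the hypothetical fix. db-1’s OpenSSL 1.0.0k is below the first affected version and web-2 is already on 1.0.1g, so neither is reported. The value of a real scanner is mostly in the quality of its advisory feed and its inventory; the comparison itself is this simple.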
What is an exploit?
A vulnerability is essentially an open door; an exploit is the code or technique that walks through it. To put it another way, exploits require vulnerabilities to succeed. You can have a vulnerability without an exploit, but you can’t have a (successful) exploit without a vulnerability. Exploits rely on mistakes and oversights (out-of-date software, unpatched servers, weak or stolen credentials) to succeed.
Examples of exploits
Heartbleed and Shellshock are examples of vulnerabilities. Attackers use these vulnerabilities (and others that may be less publicized or specific to a single organization) to execute exploits. Here are some well-known exploits.
- Dyn DDoS attack: In October 2016 attackers hit Dyn, a DNS provider whose infrastructure served Twitter, Amazon, Netflix and many others. The attack was launched from the Mirai botnet, made up of tens of thousands of consumer DVRs and IP cameras that had been taken over, largely by logging in with their factory-default passwords. The flood of traffic overwhelmed Dyn’s servers and caused a massive outage across the eastern United States and beyond. It was one of the biggest DDoS attacks of all time.
- Retail POS breaches: The Target breach in 2013 and the Home Depot breach in 2014 followed a similar pattern: attackers first obtained a third-party vendor’s credentials, used them to get into the corporate network, and then installed memory-scraping malware on point-of-sale systems to capture payment card data as it was processed. Payment card data is a high-value target, and attackers are very clever about finding any weak spot that gives access to it.
How to protect against exploits
We discussed how to minimize the vulnerabilities in your own systems, but how do you protect against exploits that use vulnerabilities you don’t know about, or ones that don’t have a patch yet?
The good news is that there are a few key steps you can take to dramatically reduce the success of potential exploits.
- Multifactor authentication: Don’t let a password alone grant access to software and services. Multifactor authentication adds a second factor, such as a code from an authenticator app or a hardware security key, so that an attacker who has found a password (which can be trivial, given phishing and reused credentials) still can’t get in. Hardware keys based on FIDO2/WebAuthn are the strongest option because they can’t be phished; codes sent by SMS are the weakest.
- Credential lockouts: If attackers can keep trying passwords all day long, eventually they’ll get in (hello brute force). That’s why we strongly recommend throttling: slow down or lock out an account after a certain number of failed attempts. Users who have simply forgotten a password can reach out to the IT team to have it reset (a password should never be retrievable, only replaced). If bad guys are behind the persistent attempts, they will be out of luck. Two caveats: a permanent lockout lets an attacker deliberately lock legitimate users out, so a temporary lockout that grows longer with each repetition is usually better; and an attacker who sprays one common password across many accounts never trips a per-account counter, so watch the failure rate per source IP as well.
- Continuous monitoring: Finally, implementing a continuous monitoring solution means you will know when something suspicious — any anomalous activity — is happening on your systems. That way you can take immediate action and put a stop to any exploit before it does major damage to your organization.
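The following added example (not from the original article) shows how lockouts and monitoring fit together, in Python. A LoginGuard applies a temporary, progressively longer lockout to an account after repeated failures and, separately, counts failures per source IP, so an attacker spraying one password across many accounts is still noticed even though no single account ever reaches its lockout threshold. The log format and the log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque

# Constructed authentication log in a simple "timestamp user source_ip result" format.
# These lines are made up for the example and do not come from any real system.
# 203.0.113.5 hammers one account (classic brute force); 198.51.100.7 tries one
# password against seven different accounts (a password spray).
SAMPLE_LOG = """\
1000 alice 203.0.113.5 FAIL
1001 alice 203.0.113.5 FAIL
1002 alice 203.0.113.5 FAIL
1003 alice 203.0.113.5 FAIL
1004 alice 203.0.113.5 FAIL
1005 alice 203.0.113.5 FAIL
1050 bob 198.51.100.7 FAIL
1051 carol 198.51.100.7 FAIL
1052 dave 198.51.100.7 FAIL
1053 erin 198.51.100.7 FAIL
1054 frank 198.51.100.7 FAIL
1055 grace 198.51.100.7 FAIL
1056 heidi 198.51.100.7 FAIL
1100 alice 192.0.2.10 OK
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (OK|FAIL)$")


def parse_line(line: str):
    """Return (timestamp, user, ip, success) or None for a line that doesn't match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, user, ip, result = match.groups()
    return int(ts), user, ip, result == "OK"


class LoginGuard:
    """Per-account lockout with exponential backoff plus per-source-IP failure counting."""

    def __init__(self, max_failures=5, window=300, lockout_base=60, ip_threshold=5):
        self.max_failures = max_failures       # failures inside `window` that trigger a lockout
        self.window = window                   # seconds over which failures are counted
        self.lockout_base = lockout_base       # first lockout length in seconds; doubles each time
        self.ip_threshold = ip_threshold       # failures from one IP inside `window` worth alerting on
        self.failures = defaultdict(deque)     # user -> timestamps of recent failures
        self.ip_failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}                 # user -> timestamp when the lockout ends
        self.lockout_count = defaultdict(int)  # user -> lockouts so far (drives the backoff)

    def _prune(self, timestamps: deque, now: int) -> None:
        while timestamps and timestamps[0] < now - self.window:
            timestamps.popleft()

    def handle(self, ts: int, user: str, ip: str, success: bool) -> str:
        """Process one attempt and return 'locked', 'allowed' or 'denied'."""
        if ts < self.locked_until.get(user, 0):
            # Reject during a lockout even if the password is right, so the attacker
            # learns nothing from the response.
            return "locked"
        if success:
            self.failures[user].clear()
            return "allowed"
        recent = self.failures[user]
        self._prune(recent, ts)
        recent.append(ts)
        by_ip = self.ip_failures[ip]
        self._prune(by_ip, ts)
        by_ip.append(ts)
        if len(recent) >= self.max_failures:
            self.lockout_count[user] += 1
            duration = self.lockout_base * 2 ** (self.lockout_count[user] - 1)
            self.locked_until[user] = ts + duration
            recent.clear()
            return "locked"
        return "denied"

    def suspicious_ips(self) -> list:
        """IPs whose recent failure count crosses the threshold, regardless of which accounts
        they targeted. This is what catches a spray that never locks any single account."""
        return sorted(ip for ip, q in self.ip_failures.items() if len(q) >= self.ip_threshold)


def run(log_text: str, **policy):
    """Replay a log through a LoginGuard; return the per-attempt decisions and the guard."""
    guard = LoginGuard(**policy)
    decisions = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, ip, success = parsed
        decisions.append((user, ip, guard.handle(ts, user, ip, success)))
    return decisions, guard


if __name__ == "__main__":
    decisions, guard = run(SAMPLE_LOG)
    for user, ip, decision in decisions:
        print(f"{user:6} {ip:14} {decision}")
    print("suspicious IPs:", guard.suspicious_ips())
```

With the default policy, alice’s fifth failure locks her account for 60 seconds and the sixth attempt is rejected without the password even being checked; her later login from a different address, after the lockout has expired, goes through. None of the seven sprayed accounts is locked, but 198.51.100.7 shows up in the suspicious-IP list alongside the brute-forcing address. The lockout counter in this toy never decays, so a production version would also expire old lockout history and feed the suspicious-IP list into the monitoring pipeline rather than just printing it.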
Any company whose systems touch the Internet in any way, shape or form must understand the basics of vulnerabilities and exploits. Of course, there’s no such thing as perfect security. There will always be a new zero-day, an undiscovered vulnerability or an unexpected soft spot. Both human factors and technological factors can open your organization up to attack. It’s impossible to eliminate every single attack opportunity.
But as we always say, you don’t have to be faster than the bear (a.k.a. the attacker). You just have to be faster than the other guy. In other words, the key is to reduce your attack surface as much as possible, first by minimizing vulnerabilities and then by defending against exploits as described above. This one-two punch makes your organization a very unappealing target for attackers, and that’s exactly the goal.