Classification of Vulnerabilities in Cybersecurity

  • by Yatin Jog
  • 10 Months ago

Information security professionals need to be aware of the processes involved in identifying system vulnerabilities. It is important to devise suitable countermeasures, in a cost-effective and efficient way, to reduce the risk factor associated with the identified vulnerabilities.

 

Vulnerabilities can be classified into the following types:

 

  1. Access Control Vulnerabilities

It is an error due to the lack of enforcement pertaining to users or functions that are permitted, or denied, access to an object or a resource.

Examples:

Improper or no access control list or table

No privilege model

Inadequate file permissions

Improper or weak encoding

Security violation and impact:

Files, objects, or processes can be accessed directly without authentication or routing.

 

  2. Authentication Vulnerabilities

It is an error due to inadequate identification mechanisms so that a user or a process is not correctly identified.

Examples:

Weak or static passwords

Improper or weak encoding, or weak algorithms

Security violation and impact:

An unauthorized or less privileged user (for example, a Guest user), or a less privileged process, gains higher privileges, such as administrative or root access to the system.

 

  3. Boundary Condition Vulnerabilities

It is an error due to inadequate checking and validating mechanisms such that the length of the data is not checked or validated against the size of the data storage or resource.

Examples:

Buffer overflow

Overwriting the original data in the memory

Security violation and impact:

Memory is overwritten with some arbitrary code so that it gains access to programs or corrupts the memory. This will ultimately crash the operating system. An unstable system due to memory corruption may be exploited to get a command prompt, or shell access, by injecting arbitrary code.
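The length check this category turns on, as an added example that is not part of the original article: an unchecked copy beside a version that validates the input length against the storage size. The names `struct account`, `NAME_CAP`, `set_name_unchecked` and `set_name_checked` are hypothetical, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: all names below are hypothetical. */
#define NAME_CAP 16            /* storage size, terminating NUL included */

struct account {
    char name[NAME_CAP];
    int  is_admin;             /* data that lives next to the buffer */
};

/* Boundary condition error: strcpy() copies until the source NUL and never
 * compares the input length with NAME_CAP, so an input of NAME_CAP characters
 * or more writes past name[]. Shown for contrast only; nothing here calls it. */
void set_name_unchecked(struct account *a, const char *input)
{
    strcpy(a->name, input);
}

/* Checked form: validate the length against the storage size before copying.
 * Returns 0 on success, -1 on rejection; a rejected call changes nothing. */
int set_name_checked(struct account *a, const char *input, size_t input_len)
{
    if (a == NULL || input == NULL)
        return -1;
    if (input_len >= NAME_CAP)                    /* no room for the NUL */
        return -1;
    if (memchr(input, '\0', input_len) != NULL)   /* length and content disagree */
        return -1;
    memcpy(a->name, input, input_len);
    a->name[input_len] = '\0';
    return 0;
}

int main(void)
{
    struct account acct = { "guest", 0 };
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAA";   /* 24 bytes, constructed */

    printf("fits:      %d\n", set_name_checked(&acct, "alice", 5));
    printf("oversized: %d\n", set_name_checked(&acct, oversized, strlen(oversized)));
    printf("name=%s is_admin=%d\n", acct.name, acct.is_admin);
    return 0;
}
```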

 

  4. Configuration Weakness Vulnerabilities

It is an error due to the improper configuration of system parameters, or to leaving the default configuration settings as they are, which may not be secure.

Examples:

Default security policy configuration

File and print access in Internet connection sharing

Security violation and impact:

Most of the default configuration settings of many software applications are published and are available in the public domain. For example, some applications come with standard default passwords. If they are not secured, they allow an attacker to compromise the system. Configuration weaknesses are also exploited to gain higher privileges resulting in privilege escalation impacts.

 

  5. Exception Handling Vulnerabilities

It is an error due to improper setup or coding where the system fails to handle, or properly respond to, exceptional or unexpected data or conditions.

Example:

SQL Injection

Security violation and impact:

By injecting exceptional data, user credentials can be captured by an unauthorized entity.

 

  6. Input Validation Vulnerabilities

It is an error due to a lack of verification mechanisms to validate the input data or contents.

Examples:

Directory traversal

Malformed URLs

Security violation and impact:

Due to poor input validation, access to system-privileged programs may be obtained.

 

  7. Randomization Vulnerabilities

It is an error due to a mismatch in random data or random data for the process. Specifically, these vulnerabilities are predominantly related to encryption algorithms.

Examples:

Weak encryption key

Insufficient random data

Security violation and impact:

The cryptographic key can be compromised, which will impact data and access security.

 

  8. Resource Vulnerabilities

It is an error due to a lack of resources available for correct operations or processes.

Examples:

Memory getting full

CPU is completely utilized

Security violation and impact:

Due to the lack of resources, the system becomes unstable or hangs. This results in a denial of service to legitimate users.

 

  9. State Error

It is an error that is a result of the lack of state maintenance due to incorrect process flows.

Examples:

Opening multiple tabs in web browsers

Security violation and impact:

There are specific security attacks, such as Cross-site scripting (XSS), that will result in user-authenticated sessions being hijacked.

 

 

-Yatin Jog

(Ref: CISSP: Vulnerability and Penetration Testing for Access Control)


1 Comment Already

  1. Really good information on types of vulnerabilities!
