CISSP: Vulnerability and Penetration Testing for Access Control


IT components such as operating systems, application software, and even networks have many vulnerabilities. These vulnerabilities are open to compromise or exploitation. This creates the possibility of penetration into the systems, which may result in unauthorized access and a compromise of the confidentiality, integrity, and availability of information assets.

Vulnerability tests are performed to identify vulnerabilities, while penetration tests are conducted to check the following:

  • The possibility of compromising the systems such that the established access control mechanisms may be defeated and unauthorized access is gained
  • The systems can be shut down or overloaded with malicious data using techniques such as DoS attacks, to the point where access by legitimate users or processes may be denied

Vulnerability assessment and penetration testing processes are like IT audits. Therefore, it is preferred that they are performed by third parties.

The primary purpose of vulnerability and penetration tests is to identify, evaluate, and mitigate the risks due to vulnerability exploitation.

Vulnerability assessment

Vulnerability assessment is a process in which IT systems such as computers and networks, and software such as operating systems and application software, are scanned in order to identify the presence of known and unknown vulnerabilities.

Vulnerabilities in IT systems such as software and networks can be considered holes or errors.

These vulnerabilities are due to improper software design, insecure coding, or both. For example, a buffer overflow is a vulnerability where the boundary limits for an entity such as a variable or constant are not properly defined or checked. This can be compromised by supplying data that is larger than what the entity can hold. The data then spills over into other areas of memory and thereby corrupts the instructions or code that need to be processed by the microprocessor.

When a vulnerability is exploited it results in a security violation, which will result in a certain impact. A security violation may be an unauthorized access, escalation of privileges, or denial-of-service to the IT systems.

Tools are used in the process of identifying vulnerabilities. These tools are called vulnerability scanners. A vulnerability scanning tool can be a hardware appliance or a software application.

Generally, vulnerabilities can be classified based on the type of security error. A type is a root cause of the vulnerability.

Vulnerabilities can be classified into the following types:

  1. Access Control Vulnerabilities

    It is an error due to the lack of enforcement pertaining to users or functions that are permitted, or denied, access to an object or a resource.

    Examples:

    • Improper or no access control list or table
    • No privilege model
    • Inadequate file permissions
    • Improper or weak encoding

    Security violation and impact:

    Files, objects, or processes can be accessed directly without authentication or routing.

  2. Authentication Vulnerabilities

    It is an error due to inadequate identification mechanisms, so that a user or a process is not correctly identified.

    Examples:

    • Weak or static passwords
    • Improper or weak encoding, or weak algorithms

    Security violation and impact:

    An unauthorized or less privileged user (for example, a Guest user), or a less privileged process, gains higher privileges, such as administrative or root access to the system.

  3. Boundary Condition Vulnerabilities

    It is an error due to inadequate checking and validating mechanisms, such that the length of the data is not checked or validated against the size of the data storage or resource.

    Examples:

    • Buffer overflow
    • Overwriting the original data in memory

    Security violation and impact:

    Memory is overwritten with arbitrary code so that it gains access to programs or corrupts the memory. This will ultimately crash the operating system. An unstable system due to memory corruption may be exploited to get command prompt or shell access by injecting arbitrary code.

  4. Configuration Weakness Vulnerabilities

    It is an error due to the improper configuration of system parameters, or leaving the default configuration settings as they are, which may not be secure.

    Examples:

    • Default security policy configuration
    • File and print access in Internet connection sharing

    Security violation and impact:

    Most of the default configuration settings of many software applications are published and are available in the public domain. For example, some applications come with standard default passwords. If they are not secured, they allow an attacker to compromise the system. Configuration weaknesses are also exploited to gain higher privileges, resulting in privilege escalation impacts.

  5. Exception Handling Vulnerabilities

    It is an error due to improper setup or coding where the system fails to handle, or properly respond to, exceptional or unexpected data or conditions.

    Examples:

    • SQL injection

    Security violation and impact:

    By injecting exceptional data, user credentials can be captured by an unauthorized entity.

  6. Input Validation Vulnerabilities

    It is an error due to a lack of verification mechanisms to validate the input data or contents.

    Examples:

    • Directory traversal
    • Malformed URLs

    Security violation and impact:

    Due to poor input validation, access to system-privileged programs may be obtained.

  7. Randomization Vulnerabilities

    It is an error due to a mismatch in, or insufficiency of, the random data used by a process. Specifically, these vulnerabilities are predominantly related to encryption algorithms.

    Examples:

    • Weak encryption key
    • Insufficient random data

    Security violation and impact:

    A cryptographic key can be compromised, which will impact data and access security.

  8. Resource Vulnerabilities

    It is an error due to a lack of resource availability for correct operations or processes.

    Examples:

    • Memory getting full
    • CPU completely utilized

    Security violation and impact:

    Due to the lack of resources, the system becomes unstable or hangs. This results in a denial of service to legitimate users.

  9. State Error

    It is an error resulting from a lack of state maintenance due to incorrect process flows.

    Examples:

    • Opening multiple tabs in web browsers

    Security violation and impact:

    There are specific security attacks, such as cross-site scripting (XSS), that will result in user-authenticated sessions being hijacked.
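The buffer overflow paragraph above and item 3 (Boundary Condition Vulnerabilities) both describe the same root cause: the length of the input is never compared with the size of the storage it is copied into. The following Python script is an added illustration, not code from the original article; it models a slice of process memory as a bytearray in which a 16-byte input buffer sits directly in front of a 4-byte counter field (a constructed layout), and contrasts an unchecked copy, which silently overwrites the neighbouring field, with the bounds check that rejects the over-long input.

```python
import struct

# Constructed memory model (not a real process image): a 16-byte input
# buffer followed immediately by a 4-byte counter, the way two adjacent
# variables can sit next to each other in a program's memory.
BUF_OFFSET = 0
BUF_SIZE = 16
COUNTER_OFFSET = BUF_OFFSET + BUF_SIZE
MEM_SIZE = COUNTER_OFFSET + 4


def fresh_memory(counter: int = 1) -> bytearray:
    """Zeroed buffer followed by a little-endian 32-bit counter."""
    mem = bytearray(MEM_SIZE)
    struct.pack_into("<I", mem, COUNTER_OFFSET, counter)
    return mem


def read_counter(mem: bytearray) -> int:
    return struct.unpack_from("<I", mem, COUNTER_OFFSET)[0]


def copy_unchecked(mem: bytearray, data: bytes) -> None:
    """The boundary-condition defect: the input length is never compared
    with the buffer size, so anything past 16 bytes lands in the counter."""
    mem[BUF_OFFSET:BUF_OFFSET + len(data)] = data


def copy_checked(mem: bytearray, data: bytes) -> None:
    """The control: validate the length against the storage size first."""
    if len(data) > BUF_SIZE:
        raise ValueError(f"{len(data)}-byte input exceeds {BUF_SIZE}-byte buffer")
    mem[BUF_OFFSET:BUF_OFFSET + len(data)] = data


def counter_after_unchecked_copy(data: bytes) -> int:
    """Counter value once data has been copied without a bounds check."""
    mem = fresh_memory(counter=1)
    copy_unchecked(mem, data)
    return read_counter(mem)


def checked_copy_outcome(data: bytes) -> str:
    """'stored' if the checked copy accepts the input, 'rejected' otherwise."""
    mem = fresh_memory(counter=1)
    try:
        copy_checked(mem, data)
    except ValueError:
        return "rejected"
    return "stored"


if __name__ == "__main__":
    short = b"A" * 8
    oversized = b"A" * 16 + b"\xff\xff\xff\xff"   # constructed 20-byte input
    print("counter after short input    :", counter_after_unchecked_copy(short))
    print("counter after oversized input:", hex(counter_after_unchecked_copy(oversized)))
    print("checked copy of oversized    :", checked_copy_outcome(oversized))
```

The unchecked copy of the 20-byte input leaves the counter at 0xffffffff, the value of the four bytes that spilled past the buffer; the checked copy refuses the same input before anything is written. In a native program the neighbouring field might be a saved return address rather than a counter, which is why item 3 lists a crash or arbitrary code execution as the impact.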
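Item 5 names SQL injection as the example of an exception handling vulnerability: the application builds a query by splicing in user input, so a quote character in that input either breaks the query (an unhandled exception) or changes its meaning. The script below is an added example rather than the article's own code; it uses an in-memory SQLite database with one constructed user row and compares the concatenated query with a parameterized one over three inputs.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user table holding a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    conn.commit()
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str) -> list:
    """Defective: the input is spliced into the SQL text, so a quote
    character in the input becomes part of the query structure."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Fixed: the input travels as a bound parameter and is only ever data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username: str) -> tuple:
    """Return (result of the concatenated query, result of the parameterized
    query) for one input; a query that SQLite refuses to parse is reported
    as 'query error' instead of raising."""
    conn = make_db()
    try:
        naive = lookup_concatenated(conn, username)
    except sqlite3.Error:
        naive = "query error"
    return naive, lookup_parameterized(conn, username)


if __name__ == "__main__":
    for probe in ["alice", "o'brien", "' OR '1'='1"]:
        print(f"{probe!r:16} concatenated={compare(probe)[0]!r:16} "
              f"parameterized={compare(probe)[1]!r}")
```

The legitimate name "o'brien" makes the concatenated query fail outright (the exception handling failure), and the tautology input matches every row even though no such user exists; the parameterized lookup returns an empty result for both, because the bound value never alters the statement.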
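Item 6 lists directory traversal and malformed URLs as input validation failures. The check a file-serving component needs is to decode the request, canonicalise the resulting path, and confirm it still lies under the document root. The script below is an added example, not code from the article; the document root is a throwaway temporary directory it creates itself, and the sample requests are constructed.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_under(base_dir: str, requested: str) -> str:
    """Return the absolute path for `requested`, or raise PermissionError if
    it would resolve outside base_dir.

    Percent-encoding is decoded first so that %2e%2e is seen as '..'.
    realpath() collapses '..' segments and resolves symlinks on both sides.
    commonpath() is used instead of a string startswith() test, which would
    wrongly accept '/srv/www-old/x' as being inside '/srv/www'.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, unquote(requested)))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:        # different drives on Windows: not inside
        inside = False
    if not inside:
        raise PermissionError(f"{requested!r} resolves outside {base}")
    return candidate


def classify_requests(requests) -> dict:
    """Run each request against a throwaway document root containing one
    public file; returns 'allowed' or 'rejected' per request."""
    root = tempfile.mkdtemp(prefix="docroot-")
    with open(os.path.join(root, "public.txt"), "w") as fh:
        fh.write("hello\n")
    results = {}
    for req in requests:
        try:
            resolve_under(root, req)
            results[req] = "allowed"
        except PermissionError:
            results[req] = "rejected"
    return results


# Constructed sample requests: two legitimate, three attempting to escape.
SAMPLE_REQUESTS = [
    "public.txt",
    "sub/../public.txt",
    "../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "/etc/passwd",
]

if __name__ == "__main__":
    for req, verdict in classify_requests(SAMPLE_REQUESTS).items():
        print(f"{verdict:8} {req}")
```

Note that `sub/../public.txt` is accepted: the `..` is harmless once the path is canonicalised, so the rule is about where the path ends up, not about rejecting every `..` it contains.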
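Item 7 ties weak keys and insufficient random data to compromised cryptography. The two failure modes are a generator whose output is reproducible from a small seed, and a key chosen from too few possible values. The following script is an added example, not the article's code; it contrasts a token drawn from Python's deterministic `random` module with one from the `secrets` module, and computes the effective keyspace of a key in bits.

```python
import math
import random
import secrets


def predictable_token(seed: int) -> str:
    """Defective: random.Random is a deterministic generator, so the same
    seed always yields the same 'secret'; whoever knows the seed has it."""
    rng = random.Random(seed)
    return rng.getrandbits(128).to_bytes(16, "big").hex()


def strong_token() -> str:
    """Fixed: secrets draws from the operating system's CSPRNG."""
    return secrets.token_hex(16)


def same_seed_same_token(seed: int) -> bool:
    """Demonstrates reproducibility of the deterministic generator."""
    return predictable_token(seed) == predictable_token(seed)


def strong_tokens_are_distinct(n: int = 1000) -> bool:
    """n draws from the CSPRNG should never collide at 128 bits."""
    return len({strong_token() for _ in range(n)}) == n


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Strength of a key chosen uniformly from alphabet_size**length values,
    expressed as the number of bits an exhaustive search must cover."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("seeded token reproducible :", same_seed_same_token(1234))
    print("1000 secrets tokens unique:", strong_tokens_are_distinct())
    print("4-digit PIN as key        :", round(keyspace_bits(10, 4), 2), "bits")
    print("16 random bytes as key    :", keyspace_bits(256, 16), "bits")
```

A key derived from a four-digit PIN has about 13 bits of keyspace, however strong the cipher around it, while 16 bytes from the CSPRNG give the full 128 bits the algorithm was designed for.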
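Item 9 gives cross-site scripting as the attack that hijacks an authenticated session. Two controls a web application applies are escaping user-supplied content before it is placed in HTML, so that a script tag is rendered as text rather than executed, and marking the session cookie HttpOnly so that page scripts cannot read it. The script below is an added example, not code from the article; the comment body it renders is constructed, and the crude `<script` detector exists only to show the difference between the two renderings.

```python
import html
from http.cookies import SimpleCookie


def render_unescaped(comment: str) -> str:
    """Defective: user content is dropped straight into the markup."""
    return f'<p class="comment">{comment}</p>'


def render_escaped(comment: str) -> str:
    """Fixed: html.escape turns <, >, &, and quotes into entities, so the
    browser shows the text instead of interpreting it as markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def contains_live_tag(markup: str) -> bool:
    """Crude illustration only: a '<script' sequence in the output means a
    browser would execute it rather than display it."""
    return "<script" in markup.lower()


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for a session cookie that page scripts cannot read
    (HttpOnly), that is only sent over TLS (Secure), and that is not sent
    on cross-site requests (SameSite=Strict)."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    untrusted = "<script>alert(1)</script>"   # constructed sample comment body
    print("unescaped:", render_unescaped(untrusted))
    print("escaped  :", render_escaped(untrusted))
    print(session_cookie_header("constructed-session-id"))
```

Escaping addresses the injection itself; the cookie attributes limit the damage if an injection is missed, since a script that does run still cannot read the session identifier.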

Information security professionals need to be aware of the processes involved in identifying system vulnerabilities. It is important to devise suitable countermeasures, in a cost-effective and efficient way, to reduce the risk associated with the identified vulnerabilities. Such measures include applying patches supplied by the application vendors and hardening the systems.

