Security+: A Guide to Ramifications Associated with Different Vulnerabilities
Vulnerabilities, along with threats and attacks, make up a portion of the first domain of CompTIA’s Security+ exam (SY0-501) and account for 21 percent of the exam score. To clear the Security+ exam, a candidate should know not only the basic terminology and concepts but also the ramifications associated with different vulnerabilities, as discussed below.
Explain Ramifications of Vulnerabilities
When a user or company connects to the World Wide Web, they expose their devices to all kinds of illicit programs. Today, even devices disconnected from the internet are vulnerable to adversaries. For the Security+ exam, candidates must be aware of the ramifications of these vulnerabilities.
Improper input handling
When a software programmer or web application developer doesn’t validate the data placed into a software or web app, an adversary can inject malicious code into it to control its functionality. Hence, cybercriminals can take advantage of improper input handling to expose sensitive data, compromise tokens, deface websites, force the victim’s browser to generate fake requests, conduct a server takeover, and use SQL injection to gain access to data they are not authorized to see. Enterprise-wide improper input handling points to weaknesses in the organization’s software development lifecycle, which often results in loss of business and reputation.
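As an added illustration of the SQL injection case above (example code written for this guide, not taken from the original article), the lookup below is shown first with the untrusted value pasted into the query text and then with allow-list validation plus a bound parameter. The table, names and the in-memory SQLite database are constructed for the example.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data; an in-memory SQLite database stands in for the app's backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_unsafe(conn, name):
    # Improper input handling: the untrusted value becomes part of the SQL statement,
    # so quote characters in it change the meaning of the query.
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


# Allow-list for usernames (hypothetical policy chosen for the example).
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def lookup_safe(conn, name):
    # Validate the shape of the input first, then pass it as a bound parameter so the
    # database driver never interprets it as SQL.
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def rejects(conn, name):
    # Helper for checking that the hardened lookup refuses a malformed value.
    try:
        lookup_safe(conn, name)
        return False
    except ValueError:
        return True
```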
Untrained users
Many organizations continue to face the negative implications of untrained users. This is because they don’t give importance to security awareness training, and those that do don’t evaluate how the training is applied afterwards. For instance, many users attend training sessions but go back to their desks and do not apply what they learned. That can have several ramifications, ranging from inefficient operations to high-level security breaches in which untrained users fail to identify backdoors, making it easy for adversaries to gain unauthorized access to mission-critical information. Naturally, inexperienced users can create new vulnerabilities every day, and slip-ups due to a lack of training on an application, system, or software expose enterprises significantly.
End-of-life systems
End-of-life systems, also referred to as legacy systems in some instances, are highly vulnerable because their vendors have stopped maintaining them. Patches, security upgrades, and bug fixes stop with end-of-life technology. Therefore, it becomes easy for hackers to infiltrate these systems and wreak havoc. The result of unsecured software and hardware can be devastating and includes exposure of corporate data, network failure, costly data theft, and legal action.
Race conditions
A race condition is a programming flaw in which two or more threads access shared data. The vulnerability arises when one thread modifies the data while the others are still executing logic based on the value the data had before it was modified. Financial websites are often prone to this vulnerability, with race conditions allowing hackers to withdraw an infinite amount of money. Race conditions also occur at the file level: when a process forks, its file descriptors are copied into the child process, and both processes may then perform file operations concurrently. This can lead to data being written or read in an unidentifiable order, producing unpredictable behavior and race conditions.
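To show the withdrawal race described above (example code written for this guide, not from the original article), the toy account below performs a check-then-act withdrawal once without synchronization and once under a lock; the account, amounts and the deliberate delay that widens the race window are constructed for the example.

```python
import threading
import time


class Account:
    """Toy bank account used to demonstrate a check-then-act race (constructed example)."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()

    def withdraw_unsafe(self, amount):
        # The balance check and the debit are separate steps; another thread can run
        # between them and see the old balance. The sleep only widens the window that
        # exists anyway.
        if self.balance >= amount:
            time.sleep(0.05)
            self.balance -= amount
            return True
        return False

    def withdraw_safe(self, amount):
        # Holding the lock across check and debit makes the pair atomic, so the
        # balance can never go negative no matter how many threads race.
        with self.lock:
            if self.balance >= amount:
                time.sleep(0.05)
                self.balance -= amount
                return True
            return False


def run_concurrent_withdrawals(balance, amount, attempts, safe):
    # Start `attempts` threads that all try to withdraw `amount` from one account
    # and return the final balance.
    acct = Account(balance)
    fn = acct.withdraw_safe if safe else acct.withdraw_unsafe
    threads = [threading.Thread(target=fn, args=(amount,)) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance
```

With a 100-unit balance and five concurrent 60-unit withdrawals, the unsynchronized version drives the balance below zero while the locked version allows exactly one withdrawal.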
Memory/buffer vulnerability
This vulnerability arises when a program or software overwrites a buffer that should not have been touched, whether intentionally or unintentionally. It is mostly associated with C and C-derived languages, which do not perform array bounds checking. The resulting memory leak or buffer overflow causes a program to become unstable or crash. An adversary attempting to abuse the vulnerability can overwrite essential values in the call stack of the target machine in order to execute unsigned malicious code. Memory/buffer vulnerabilities can be devastating in virtual machine environments, as a hacker can overwrite values in the machine’s software and stage lateral movement attacks against the host, putting other virtual instances and hosts at risk.
Improper certificate and key management
Often, the personnel that organizations assign to certificate and key management are somewhat out of their depth; it’s not that they aren’t capable, it’s just difficult to be an expert in SSL/TLS and certificate authority (CA) operations when they’re not your specialties. Mistakes can occur as a result. For instance, the responsible person could be using outdated ciphers like RC4, generating private keys that are too short, using self-issued certificates and keys (vulnerabilities arise when they’re circulated), or keeping keys in a plaintext spreadsheet on a convenient storage medium without so much as an HSM (Hardware Security Module) to protect them. In short, deploying encrypted solutions without following security and storage best practices could jeopardize vital business processes and systems while exposing the firm to substantial compliance and security breach incidents.
Resource exhaustion
Resource exhaustion vulnerabilities refer to application, software, or system security flaws that cause the target to hang, crash, or sometimes interfere with external programs because it has insufficient resources to perform its designated tasks properly. Related attacks involve tying up finite resources on a system, making them unavailable to others. When it comes to software-related attacks, resource exhaustion attacks usually exploit a design deficiency or a bug. In programs written in C++ or C (languages with manual memory management), memory leaks are commonly exploited for resource exhaustion. The ramification could be an exhausted enterprise network host that malfunctions down the road.
Undocumented assets/system sprawl
When an enterprise connects more systems or servers to its network without effectively documenting their maintenance needs, those systems can be forgotten and turn into a vulnerability. This can also raise maintenance costs considerably, because each undocumented system adds to the cost every time standard maintenance is needed or a new software or hardware upgrade is scheduled. Moreover, undocumented systems may not support quick multi-streamed, multiplexed database backups, forcing IT staff to choose between capacity optimization and fast backups.
The SY0-501 exam is designed to strengthen risk management and risk mitigation initiatives. Compared to SY0-401, it emphasizes the practical, hands-on ability of IT security professionals to identify and address cybersecurity vulnerabilities. Therefore, a good understanding of each vulnerability’s ramifications is imperative for scoring well in the exam as well as for doing well professionally.