Vulnerability Examples: Common Types and 5 Real World Examples

Admir Dizdar
September 15, 2022
6 minutes

What Is a Vulnerability?

A vulnerability is a security weakness that cybercriminals can exploit to obtain unauthorized access to computer systems or networks. A cybercriminal exploiting a vulnerability can perform various malicious actions, such as installing malicious software (malware), running malicious code, and stealing sensitive data.

Common exploitation techniques include SQL injection (SQLi), cross-site scripting (XSS), and buffer overflow. Cybercriminals also use open source exploit kits to find known vulnerabilities in web applications. Vulnerabilities that impact popular software place the vendor’s customers at a high risk of a supply chain attack and data breach.

This is part of a series of articles about vulnerability management.

Common Types of Security Vulnerabilities

Here are the four main types of vulnerabilities in information security:

  • Network vulnerabilities — this category covers all hardware or software infrastructure weaknesses that can allow cybercriminals to gain unauthorized access and cause harm. Common examples include poorly protected wireless access and misconfigured firewalls.
  • Operating system vulnerabilities — cybercriminals exploit these vulnerabilities to harm devices running a particular operating system. A common example is a Denial of Service (DoS) attack that repeatedly sends fake requests until the operating system becomes overloaded. Outdated and unpatched software can also lead to operating system vulnerabilities.
  • Process (or procedural) vulnerabilities — these occur when the procedures put in place as security measures are insufficient. Common process vulnerabilities include authentication weaknesses such as weak passwords and broken authentication.
  • Human vulnerabilities — this category includes all user errors that can expose hardware, sensitive data, and networks to cybercriminals. Human vulnerabilities arguably pose the most critical threat, especially because of the increase in remote work. Common human vulnerabilities include opening email attachments infected with malware or forgetting to install software updates on mobile devices.

Here are common categories of security vulnerabilities to watch out for:

  • Broken authentication — compromised authentication credentials allow cybercriminals to hijack user sessions and steal identities to impersonate legitimate users.
  • SQL injection (SQLi) — cybercriminals inject malicious SQL into an application's database queries to gain unauthorized access to database content. A successful SQL injection can allow a cybercriminal to engage in various malicious activities, such as spoofing identities and stealing sensitive data.
  • Cross-site scripting (XSS) — this technique injects malicious code into a website to target the site's users, putting sensitive user information at risk of theft.
  • Cross-site request forgery (CSRF) — these attacks trick authenticated users into performing an action on behalf of a malicious actor. Cybercriminals often combine CSRF with social engineering to deceive users into unintentionally providing them with personal data.
  • XML external entity (XXE) — cybercriminals use XXE to attack applications that parse XML input. This attack exploits weakly configured XML parsers that process XML documents referencing external entities.
  • Server-side request forgery (SSRF) — these attacks allow cybercriminals to make requests to other domains through a vulnerable server. They force the server to connect back to itself, to an internal resource or service, or to the server's cloud provider.
  • Security misconfigurations — insecure settings in any security component that cybercriminals can exploit. These configuration errors allow cybercriminals to bypass security measures.
  • Command injection — cybercriminals use command injection to make a vulnerable application execute arbitrary commands on the host operating system. The injected commands typically run with the privileges of the vulnerable application.
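To make the SQLi item above concrete, here is an added example (not from the original article or from Bright Security) that puts the vulnerable query pattern beside its hardened form. It uses a constructed in-memory SQLite table; the `users` table, the sample rows, and the classic tautology input are all assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory user table (sample data, not real)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return con


def lookup_vulnerable(con, username):
    """SQLi-prone: untrusted input is concatenated into the SQL text, so the
    input can alter the query's structure instead of acting as a value."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return con.execute(sql).fetchall()


def lookup_hardened(con, username):
    """Fixed: a bound parameter is always treated as data by the driver,
    so the same input can only match a literal username."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups on a normal username and on a constructed tautology
    input; returns the result sets so the difference can be checked."""
    con = make_db()
    normal = "alice"
    hostile = "' OR '1'='1"  # constructed sample input for the demonstration
    return {
        "vulnerable_normal": lookup_vulnerable(con, normal),
        "vulnerable_hostile": lookup_vulnerable(con, hostile),  # returns every row
        "hardened_normal": lookup_hardened(con, normal),
        "hardened_hostile": lookup_hardened(con, hostile),  # returns no rows
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns both users for the hostile input because the quoted string closes early and the `OR '1'='1'` clause makes the predicate always true; the parameterized lookup returns nothing because the driver never interprets the input as SQL.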

Related content: Read our guide to vulnerability testing.

Security Vulnerabilities: 5 Real Life Examples

Microsoft

Microsoft disclosed a vulnerability in January 2020, admitting that an internal customer support database storing the company’s anonymized user analytics had accidentally been exposed online. The exposure resulted from misconfigured Azure security rules that Microsoft deployed on December 5, 2019.

Microsoft expressed confidence that commercial cloud services were not exposed, and the company’s engineers remediated the configuration quickly to prevent unauthorized access to the exposed database. Unfortunately, the 2020 data breach exposed IP addresses, email addresses, and other data stored in the support case analytics database.

Marriott

In January 2020, threat actors abused a third-party application Marriott used for guest services, obtaining unauthorized access to 5.2 million records of Marriott guests. These records included contact information, passport data, gender, loyalty account details, birthdays, and personal preferences.

By the end of February 2020, Marriott’s security team noticed the suspicious activity and sealed the insider-caused breach. This data breach presumably affected nearly 339 million hotel guests. Since the company failed to comply with General Data Protection Regulation (GDPR) requirements, Marriott Hotels & Resorts had to pay an £18.4 million fine.

Ring Home

Ring is a home security and smart home company owned by Amazon. In recent years, the company has experienced two security incidents:

  • Ring accidentally revealed user data to Google and Facebook via third-party trackers embedded in the company’s Android application.
  • An IoT security breach allowed cybercriminals to hack into several families’ connected doorbells and home monitoring systems.

Cybercriminals used weak, default, and recycled credentials during the IoT breach to access live feeds from cameras around Ring customers’ homes. They could also use the devices’ integrated microphones and speakers to communicate remotely. More than thirty people in fifteen families reported that cybercriminals were verbally harassing them.

SolarWinds

SolarWinds provides IT software to around 33,000 customers, including government entities and large corporations. In 2022, cybercriminals injected malicious code into one of SolarWinds’ software systems, and the code was distributed to all customers through a regular system update.

This malicious code allowed cybercriminals to install more malware and spy on organizations and government agencies, including the Treasury Department and the US Department of Homeland Security.

Cognyte

In June 2021, Cognyte, a cyber analytics firm, failed to secure the company’s database, exposing five billion records that revealed previous data incidents. The records were reachable online without any authentication, such as a password. Cognyte’s database was exposed for four days. While it is unclear how many passwords were exposed, the records contained names, email addresses, and the data source.

Learn more in our detailed guide to vulnerability CVEs.

Security Testing with Bright Security

Bright Security helps address the shortage of security personnel, enabling AppSec teams to provide governance for security testing, and enabling every developer to run their own security tests.

Bright empowers developers to incorporate automated Dynamic Application Security Testing (DAST) into their unit testing process, earlier than ever before, so they can resolve security concerns as part of their agile development process. Bright’s DAST platform integrates fully and seamlessly into the SDLC:

  • Test results are provided to the CISO and the security team, providing complete visibility into vulnerabilities found and remediated
  • Tickets are automatically opened for developers in their bug tracking system so they can be fixed quickly
  • Every security finding is automatically validated, removing false positives and the need for manual validation

Bright Security can scan any target, whether web apps or APIs (REST/SOAP/GraphQL), to help enhance DevSecOps and achieve regulatory compliance with our real-time, false-positive-free, actionable vulnerability reports. In addition, our ML-based DAST solution provides an automated way to identify business logic vulnerabilities.

Learn more about Bright testing solutions

What Our Customers Say About Us

"Empowering our developers with Bright Security's DAST has been pivotal at SentinelOne. It's not just about protecting systems; it's about instilling a culture where security is an integral part of development, driving innovation and efficiency."

Kunal Bhattacharya | Head of Application Security

"Bright DAST has transformed how we approach AST at SXI, Inc. Its seamless CI/CD integration, advanced scanning, and actionable insights empower us to catch vulnerabilities early, saving time and costs. It's a game-changer for organizations aiming to enhance their security posture and reduce remediation costs."

Carlo M. Camerino | Chief Technology Officer

"Bright Security has helped us shift left by automating AppSec scans and regression testing early in development while also fostering better collaboration between R&D teams and raising overall security posture and awareness. Their support has been consistently fast and helpful."

Amit Blum | Security team lead

"Bright Security enabled us to significantly improve our application security coverage and remediate vulnerabilities much faster. Bright Security has reduced the amount of wall clock hours AND man hours we used to spend doing preliminary scans on applications by about 70%."

Alex Brown

"Since implementing Bright's DAST scanner, we have markedly improved the efficiency of our runtime scanning. Despite increasing the cadence of application testing, we've noticed no impact to application stability using the tool. Additionally, the level of customer support has been second to none. They have been committed to ensuring our experience with the product has been valuable and have diligently worked with us to resolve any issues and questions."

AppSec Leader | Prominent Midwestern Bank
