Introduction to Information Security

Written by Marius Horatau
Published on February 14, 2026

We cannot start a meaningful exploration of computer security without defining the subject itself. In this post, we'll talk about what security actually means.

Welcome to the Security Fundamentals series. In this series we will explore the core principles of computer security, what makes an application vulnerable, different defense mechanisms, and much more!

However, we cannot start a meaningful exploration of computer security without defining the subject itself. So, let’s begin the discussion by answering the most obvious question: what is security?

What is security?

Whether you work in the IT industry or not, you have probably noticed that security buzzwords come and go in the media. They are all over the Internet: a new data breach here, a malware or phishing campaign there, millions of devices at risk due to a security bug, the financial information of thousands stolen, the social media accounts of a large company hacked. But what’s this “security” thing that people keep talking about?

Let’s consult the dictionaries:

Security: the quality or state of being secure such as
a: freedom from danger : SAFETY
b: freedom from fear or anxiety
c: freedom from the prospect of being laid off //job security

Secure:
a: free from danger
b: affording safety //a secure hideaway
c: TRUSTWORTHY, DEPENDABLE //a secure foundation
d: free from risk of loss

Merriam-Webster

Security:
a: freedom from risk and the threat of change for the worse
b: freedom from danger; safety

Oxford Dictionary

So, we can say that security is freedom from danger, a threat, or a risk. In the context of information security, it refers to the risks, threats, and dangers related to computing devices such as computers, smartphones, IoT devices, servers, and networks, and it also covers the data stored on these devices.

The primary goal of security is simple: to make sure that technology does only what it is supposed to, and nothing else. Security’s job is not necessarily to stop hackers and prevent breaches but to work towards the same goal as the rest of the company and help the business move forward. For instance, if the company’s goal is to make money, the security department should make sure that the organization doesn’t lose money due to a lack of security measures.

Each industry has its own jargon, and security is no exception. In this field, you will often come across terms such as vulnerability, attack, threat, and exploit, and the list goes on. So, before diving deeper, it is important to make sure we all speak the same language. Don’t worry, we won’t overwhelm you with all of it. We’ll cover additional terms and technologies in more detail as we explore further in this series.

What is a vulnerability?

A vulnerability is a weakness in a system that allows an attacker to perform unauthorized actions, such as viewing other users’ sensitive data or destroying or modifying data. Vulnerabilities are, in most cases, caused accidentally by our fallible ability to design secure systems.

Over time, studies suggested that the number of vulnerabilities grows with the complexity of a system. Other studies showed this correlation is vague and almost impossible to demonstrate [1] [2] [3]. While the relationship between complexity and vulnerabilities can’t be generalised, there is one thing we can be sure of — there is no absolutely secure system.

What is an attack?

Vulnerabilities, by their nature, are to be discovered. They simply exist in software — but until one finds and uses them, they are latent.

A cyber attack is when an attacker uses a vulnerability to gain unfair benefits, cheat access controls, or inflict damage on systems. Usually, it is a multi-step process. To make things easier to understand, we will use an example in which an attacker wants to get access to someone else’s account on uphack.io. Here are the steps involved:

  1. Reconnaissance — everything starts when the attacker innocuously gathers information about the targeted feature.

  2. Weaponization — Once the attacker understands the underlying principle behind the targeted feature, he comes up with different attack scenarios to confirm if a vulnerability exists. Here are just a few hypotheses:

    • If the recovery code is short (e.g., four digits), he may be able to guess it by testing all 8999 possible codes (1000-9999)

      Note

      Here is an example where programming can be useful. Testing 9999 codes manually may take a while, but a ten-line Python script can do it in a matter of seconds.

    • Maybe the application is vulnerable to SMTP header injection, and the recovery link could be redirected to the attacker’s email address.
    • Maybe the application’s behavior could be changed by altering the HTTP request (e.g., changing the Host header).
    • Maybe the reset password feature is vulnerable to SQL Injection.

      Note

      An attack is a single, self-contained attempt to exploit a specific vulnerability. Hence, each of the above scenarios is an independent attack attempt.

  3. Profit — if one or more attack scenarios work, then the attacker has found a vulnerability. He can then use it to his own advantage.
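
The first hypothesis above, seen from the defender's side, as an added example that is not part of the original post or of uphack.io's code: a recovery-code check that burns the code after a few wrong guesses, so walking the four-digit range stops working. The class, the limits and the in-memory storage are assumptions for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed policy: wrong guesses tolerated per issued code
CODE_TTL_SECONDS = 600  # assumed policy: a code is valid for 10 minutes


class RecoveryCodes:
    """In-memory one-time recovery codes (hypothetical helper, not uphack.io code)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._issued = {}  # account -> [code, expires_at, failed_attempts]

    def issue(self, account):
        # Four digits in 1000-9999 as in the post, drawn from a CSPRNG.
        code = str(1000 + secrets.randbelow(9000))
        self._issued[account] = [code, self._clock() + CODE_TTL_SECONDS, 0]
        return code

    def is_active(self, account):
        return account in self._issued

    def verify(self, account, guess):
        entry = self._issued.get(account)
        if entry is None:
            return False                    # nothing issued, or already burned
        code, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._issued[account]       # expired: a fresh code is required
            return False
        if hmac.compare_digest(code.encode(), str(guess).encode()):
            del self._issued[account]       # one-time use
            return True
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._issued[account]       # too many misses: burn the code
        return False


def guesses_until_burned(store, account, issued_code):
    """Feed wrong codes until the store invalidates the code; return how many it took."""
    wrong = (g for g in range(1000, 10000) if str(g) != issued_code)
    count = 0
    while store.is_active(account):
        store.verify(account, next(wrong))
        count += 1
    return count
```

Each issued code still allows MAX_ATTEMPTS guesses, so requests for new codes need their own rate limit, and a longer code shrinks the odds further.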

Who is the attacker?

In the last few years, many great security tools have emerged. Some of them even made the exploitation of specific vulnerabilities (e.g., SQL Injection) as easy as inserting the target URL and pressing the Start button. While their purpose was to speed up the job of ethical hackers, some people used them as their primary weapon, as a substitute for competence and actual security knowledge.

Such people are called script-kiddies. They lack expertise and rely solely on existing hacking tools to break into systems, without understanding how these tools work or what’s going on behind the scenes. Motivated by curiosity, mischief, or simply the desire to show off, they are opportunistic attackers who don’t have a target in mind. Instead, they use automated scanners to find targets affected by low-hanging vulnerabilities.

Next, there are cybercriminals or hackers. In contrast to skiddies, a hacker is usually highly skilled and operates individually or as part of a criminal organisation. Motivated by financial gain, they are interested in financial information or large amounts of personally identifiable information (PII) that can be sold on the black market. Hackers are usually opportunistic attackers, but they can be much more patient, persistent, well-funded, and stealthy than skiddies.

At the top of the chain are the state-sponsored attackers. They could have unlimited patience and funding to achieve their purpose, and are motivated by the political, commercial, or military interests of their country rather than by financial gain. This type of attacker targets the critical infrastructure and services of a country. This includes fuel pipelines, power grids, nuclear reactors, healthcare, or financial sectors. One example of such an attack is Stuxnet, a malicious worm designed to sabotage Iran’s nuclear program.

What is an exploit?

An exploit is a tool, a method, or a command that allows an attacker to take advantage of a vulnerability.

What is a threat?

A security threat refers to anything that can put a system or its information at risk. This includes viruses, backdoors, vulnerabilities, and even natural disasters.

But what’s the difference between an attack and a threat then?

A threat is a circumstance that has the potential to inflict harm, while an attack is the attempt to cause damage. Here is a simple example to illustrate this.

If you don’t regularly update your operating system to the latest version, your computer may have lots of vulnerabilities. The fact that one day an attacker could target your computer because you don’t update your OS represents a threat. Once an attacker finds out your system is vulnerable, he will attempt to exploit those vulnerabilities. That is an attack.

So, let’s recap: A threat is any bad thing that can happen to a system. A threat exists because there is a vulnerability; hence, a vulnerability makes a threat possible. An attack is a deliberate attempt to exploit that vulnerability.

What impact means

Vulnerabilities can be exploited in many ways, depending on their nature and the skill level of the attacker. Upon identifying a security issue, one of the first things you do is to try to establish the impact of the issue. Impact refers to the consequences or effects of a vulnerability being exploited. It describes the actual damage or harm that can occur if a security flaw is leveraged by an attacker. When establishing the impact, you need to think about the worst-case scenario: what is the most damaging thing that an attacker could accomplish with this vulnerability? Could they gain unauthorized access to sensitive data, disrupt critical operations, or compromise other interconnected systems?

Being able to accurately establish the impact of a vulnerability is an essential skill for a security engineer. That’s because understanding the severity of a security issue helps in determining how much time, effort, and budget should be allocated to rectifying it. Higher severity issues may require immediate attention and significant resources to resolve, while lower severity issues might be scheduled for routine maintenance windows or monitored for any change in status.

What is risk?

Risk is the likelihood of a threat turning into an attack. It also refers to the harm that such an attack would cause. The commonly used formula to calculate risk is the likelihood of someone identifying the issue multiplied by the maximum impact of a successful attack:

Risk = Likelihood * Impact

The impact of a vulnerability depends on the likelihood that it will be successfully exploited. In contrast, likelihood depends on the existing security mechanisms, the difficulty of the attack, and the type of potential attacks. For example, an SQL Injection vulnerability is considered highly dangerous as it is both easy to find and exploit, and can have a serious impact.

You can find more details on this topic on the OWASP Risk Rating Methodology page: https://owasp.org/www-community/OWASP_Risk_Rating_Methodology
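
The OWASP methodology linked above does not multiply the two numbers: it scores factors from 0 to 9, buckets likelihood and impact as LOW, MEDIUM or HIGH, and combines them in a matrix. The following added example (not from the original post) goes one step beyond the formula and ranks findings that way; the finding names and scores are constructed, and only the vulnerability and technical impact factor groups are scored.

```python
from statistics import mean

# Severity matrix from the OWASP Risk Rating Methodology: SEVERITY[impact][likelihood].
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}
ORDER = ["Note", "Low", "Medium", "High", "Critical"]


def level(score):
    """Bucket a 0-9 score: below 3 is LOW, below 6 is MEDIUM, otherwise HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} outside the 0-9 scale")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


def rate(likelihood_factors, impact_factors):
    """Average each factor group, bucket it, and look up the overall severity."""
    likelihood = mean(likelihood_factors.values())
    impact = mean(impact_factors.values())
    return {
        "likelihood": round(likelihood, 2),
        "impact": round(impact, 2),
        "severity": SEVERITY[level(impact)][level(likelihood)],
    }


def triage(findings):
    """Return (name, rating) pairs, most severe first, ties broken by impact."""
    rated = [(name, rate(lf, imf)) for name, lf, imf in findings]
    return sorted(rated, key=lambda r: (ORDER.index(r[1]["severity"]), r[1]["impact"]), reverse=True)


# Constructed scores (0-9) for three hypothetical findings, not measurements.
FINDINGS = [
    ("Verbose error page on internal admin tool",
     {"ease_of_discovery": 3, "ease_of_exploit": 1, "awareness": 4, "intrusion_detection": 3},
     {"confidentiality": 2, "integrity": 1, "availability": 1, "accountability": 1}),
    ("SQL injection in password reset",
     {"ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9, "intrusion_detection": 8},
     {"confidentiality": 9, "integrity": 7, "availability": 5, "accountability": 7}),
    ("Host header changes reset behaviour",
     {"ease_of_discovery": 3, "ease_of_exploit": 3, "awareness": 2, "intrusion_detection": 3},
     {"confidentiality": 8, "integrity": 6, "availability": 2, "accountability": 8}),
]
```

Calling `triage(FINDINGS)` returns the findings ordered for remediation, which is the prioritisation step described under impact.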

Conclusion

This post, hopefully, sheds some light on what computer security is and the terms commonly used in this industry. While many other concepts need to be explained, we’ll cover them in upcoming posts in this series, as we explore further.
