A vulnerability is
|“||[t]he potential for the function of a biometric system to be compromised by intent (fraudulent activity); design flaw (including usage error); accident; hardware failure; or external environmental condition.||”|
|“||[a] flaw or weakness in the design or implementation of an information system (including the security procedures and security controls associated with the system) that could be intentionally or unintentionally exploited to adversely affect an organization's operations or assets through a loss of confidentiality, integrity, or availability.||”|
|“||a technical term for a bug that has security impact; that is, if exploited, it can undermine the security of the user's system.||”|
|“||[a] flaw in security procedures, software, internal system controls, or implementation of an IS that may affect the integrity, confidentiality, accountability, and/or availability of data or services. Vulnerabilities include flaws that may be deliberately exploited and those that may cause failure due to inadvertent human actions or natural disasters.||”|
|“||[a]ny weakness, administrative process, act, or physical exposure that makes a computer susceptible to exploitation by a threat.||”|
A vulnerability (also called a security weakness) is
|“||[a] characteristic or specific weakness that renders an organization or asset (such as information or an information system) open to exploitation by a given threat or susceptible to a given hazard.||”|
|“||the characteristic of an asset, system, or network’s design, location, security posture, process, or operation that render it susceptible to destruction, incapacitation, or exploitation by mechanical failures, natural hazards, terrorist attacks, or other malicious acts.||”|
|“||[a]ny circumstance or event that has the potential to adversely impact an asset through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.||”|
|“||qualitative or quantitative expression of the level to which an entity, asset, system, network, or geographic area is susceptible to harm when it experiences a hazard.||”|
|“||a physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard.||”|
The growing number of known vulnerabilities increases the number of potential attacks created by the hacker community. As vulnerabilities are discovered, attackers may attempt to exploit them. Attacks can be launched against specific targets or widely distributed through viruses and worms.
Today, many vulnerabilities are easy to exploit, and individuals and organizations worldwide can access systems and networks connected to the Internet across geographic and national boundaries. Current technology also makes it easy to hide or disguise the origin and identity of the individuals or organizations that exploit these vulnerabilities.
In addition, cyber security vulnerabilities are volatile; even as existing vulnerabilities are patched, new ones are discovered. Even when vulnerabilities are discovered and patched by security professionals prior to an attack, hackers are increasingly reverse-engineering patches in order to discover the vulnerabilities and develop attacks that exploit them. Hostile actors are deriving attacks from new patches with increasing speed, often launching attacks before these patches are widely tested and deployed to secure vulnerable systems. The result of these trends is a vicious cycle in which there is a constant need for new countermeasures.
While the Internet receives the most attention in press coverage of cyber incidents, from a national security perspective the playing field for potential cyber attack operations is much broader. Sensitive information tends to be isolated from the Internet, but the various gateways that exist to facilitate the transfer of information from the outside into a closed network provide many openings for possible attack.
Moreover, though substantial progress has been made in raising levels of awareness about cyber security across industry and government, securing critical infrastructures remains a significant national challenge. Many critical industries, previously isolated from Internet security problems because they used older mainframe computing systems and leased telephone lines in dedicated networks, are reaching the time when this legacy infrastructure is being retired. They are adopting modern networks using personal computers, workstations, and servers with mainstream operating systems, interconnected through local-area networks, and connected to the Internet.
In addition, the telecommunications industry itself is going through a systemic transformation caused by deregulation, economic change, and technological evolution, which may also leave these networks more vulnerable to attack.
- Software. Application or system software may have accidentally or deliberately introduced flaws whose use can subvert the intended purpose for which the software was designed.
- Hardware. Vulnerabilities can also be found in hardware, including microprocessors, microcontrollers, circuit boards, power supplies, peripherals such as printers or scanners, storage devices, and communications equipment such as network cards. Tampering with such components may secretly alter the intended functionality of the component, or provide opportunities to introduce hostile software.
- Seams between hardware and software. An example of such a seam might be the reprogrammable read-only memory of a computer (firmware) that can be improperly and clandestinely reprogrammed.
- Communications channels. The communications channels between a system or network and the “outside” world can be used by an attacker in many ways. An attacker can pretend to be an “authorized” user of the channel, jam it and thus deny its use to the adversary, or eavesdrop on it to obtain information intended by the adversary to be confidential.
- Configuration. Most systems provide a variety of configuration options that users can set, based on their own security versus convenience tradeoffs. Because convenience is often valued more than security, many systems are configured insecurely.
- Users and operators. Authorized users and operators of a system or network can be tricked or blackmailed into doing the bidding of an attacker.
Software may have vulnerabilities due to buffer overflows and improper packet header handling. These flaws typically occur because the software is not validating critical information properly. For example, a short integer may be used as a table index without checking whether the parameter passed to the function exceeds 32,767, resulting in invalid memory accesses or crashing of the system.
Exploitable software flaws typically result in two types of vulnerabilities: denial-of-service attacks or revelation of critical system parameters. A denial-of-service attack often can be implemented remotely, by passing packets with specially constructed headers that cause the software to fail. In some cases the system can be crashed, producing a memory dump in which an intruder can find IP addresses of critical system nodes, passwords, or other security-relevant information. In addition, buffer overflows that allow the introduction of malicious code may occur.
- NSTC Subcommittee on Biometrics, Biometrics Glossary, at 29 (Sept. 14, 2006) (full-text).
- NIST Special Publication 800-37, rev. 1). See also CNSSI 4009 ("Weakness in an IS, system security procedures, internal controls, or implementation that could be exploited.").
- Apple Inc. v. Corellium, LLC, 2020 WL 8642269, at *4, 2021 Copr. L. Dec. ¶31,769, (S.D. Fla. Dec. 29, 2020).
- Practices for Securing Critical Information Assets, Glossary, at 59.
- Privacy and Civil Liberties Policy Development Guide and Implementation Templates, App. E, Glossary.
- NICCS, Explore Terms: A Glossary of Common Cybersecurity Terminology (full-text).
- National Infrastructure Protection Plan, at 38.
- Security and Resilience in Governmental Clouds, at 96.
- DHS Risk Lexicon, at 39.
- Maritime Critical Infrastructure Protection: DHS Needs to Better Address Port Cybersecurity, at 14 n.27.
- "Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities" 85 (William A. Owens, Kenneth W. Dam & Herbert S. Lin eds. 2009).
- Cross-site scripting vulnerability
- Cyber vulnerabilities
- Dangling vulnerability
- Electromagnetic vulnerability
- Hazard vulnerability
- Physical vulnerability
- Security vulnerability
- Social vulnerability
- Software vulnerability
- SQL injection vulnerability
- Vulnerability analysis
- Vulnerability assessment
- Vulnerability class
- Vulnerability database
- Vulnerability management
- Vulnerability scanner
- Zero-day vulnerability