A vulnerability is a weakness in an IT system that can be exploited by an attacker to deliver a successful attack. They can occur through flaws, features or user error, and attackers will look to exploit any of them, often combining one or more, to achieve their end goal.
A flaw is unintended functionality. This may either be a result of poor design or through mistakes made during implementation. Flaws may go undetected for a significant period of time. The majority of common attacks we see today exploit these types of vulnerabilities. Between 2014 and 2015, nearly 8,000 unique and verified software vulnerabilities were disclosed in the US National Vulnerability Database (NVD).
Vulnerabilities are actively pursued and exploited by the full range of attackers. Consequently, a market has grown in software flaws, with ‘zero-day’ vulnerabilities (that is, recently discovered vulnerabilities that are not yet publicly known) fetching hundreds of thousands of pounds.
Zero-days are frequently used in bespoke attacks by the more capable and resourced attackers. Once the zero-days become publicly known, reusable attacks are developed and they quickly become a commodity capability. This poses a risk to any computer or system that has not had the relevant patch applied, or updated its antivirus software. The ability of an attacker to find and attack software flaws or subvert features depends on the nature of the software and their technical capabilities. Some target platforms are relatively simple to access; for example, web applications could, by design, be capable of interacting with the Internet and may provide an opportunity for an attacker.
A feature is intended functionality which can be misused by an attacker to breach a system. Features may improve the user’s experience, help diagnose problems or improve management, but they can also be exploited by an attacker.
When Microsoft introduced macros into their Office suite in the late 1990s, macros soon became the vulnerability of choice with the Melissa worm in 1999 being a prime example. Macros are still exploited today; the Dridex banking Trojan that was spreading in late 2014 relies on spam to deliver Microsoft Word documents containing malicious macro code, which then downloads Dridex onto the affected system.
A computer or system that has been carefully designed and implemented can minimise the vulnerabilities of exposure to the Internet. Unfortunately, such efforts can be easily undone (for example by an inexperienced system administrator who enables vulnerable features, fails to fix a known flaw, or leaves default passwords unchanged).
More generally, users can be a significant source of vulnerabilities. They make mistakes, such as choosing a common or easily guessed password, or leave their laptop or mobile phone unattended. Even the most cyber aware users can be fooled into giving away their password, installing malware, or divulging information that may be useful to an attacker (such as who holds a particular role within an organisation, and their schedule). These details would allow an attacker to target and time an attack appropriately.