- 1.1 What Is Computer Security?
- 1.2 Threats
- 1.3 Harm
- 1.4 Vulnerabilities
- 1.5 Controls
- 1.6 Conclusion
- 1.7 What's Next?
- 1.8 Exercises
1.4 Vulnerabilities
As we note earlier in this chapter, a vulnerability is a weakness in the security of the computer system—in procedures, design, or implementation, for example—that might be exploited to cause loss or harm. Think of a bank with an armed guard at the front door, bulletproof glass protecting the tellers, and a heavy metal vault requiring multiple keys for entry. To rob a bank, you would have to find a way to exploit a weakness not covered by these defenses. For example, you might bribe a teller or pose as a maintenance worker.
Computer systems have vulnerabilities too. In this book, we consider many, such as weak authentication, lack of access control, errors in programs, finite or insufficient resources, and inadequate physical protection. Paired with a credible attack, each of these vulnerabilities can allow harm to confidentiality, integrity, or availability. Each attack vector seeks to exploit a particular vulnerability.
Vulnerabilities are weaknesses that can allow harm to occur.
Security analysts speak of a system’s attack surface, which is the system’s full set of vulnerabilities—actual and potential. Thus, the attack surface includes physical hazards, malicious attacks by outsiders, stealth data theft by insiders, mistakes, and impersonations. Although such attacks range from easy to highly improbable, analysts must consider all possibilities.
Our next step in providing security is to find ways to block threats by neutralizing vulnerabilities.