What Is System Vulnerability?: Default Permit

Vulnerabilities in computer systems allow attackers to violate system integrity. They result from things like weak passwords, software bugs, viruses, script injections, SQL injections, or misconfigurations. A vulnerability is a potential means of attack, while an exploit is a known means of attack. Programming language constructs that are difficult to use properly can introduce many vulnerabilities. Identifying and removing vulnerabilities involves tools and human judgment, as tools have limitations. Regular patching, firewalls, and auditing can reduce vulnerabilities, but vigilance is required as vulnerabilities have been found in all major operating systems.

Uploaded by

api-26370766
Copyright
© Attribution Non-Commercial (BY-NC)

What is system vulnerability?

In computer security, the term vulnerability is applied to a weakness in a system which
allows an attacker to violate the integrity of that system. Vulnerabilities may result from
weak passwords, software bugs, a computer virus or other malware, a script code
injection, a SQL injection or misconfiguration.

A security risk is classified as a vulnerability if it is recognized as a possible means of
attack. A security risk with one or more known instances of working and fully-implemented
attacks is classified as an exploit.

Constructs in programming languages that are difficult to use properly can be a large
source of vulnerabilities.

Causes:
• Password Management Flaws -- The computer user uses weak passwords that
could be discovered by brute force. The computer user stores the password on the
computer where a program can access it. Users re-use passwords between many
programs and websites.

• Fundamental Operating System Design Flaws – The operating system designer
chooses to enforce suboptimal policies on user/program management. For
example, operating systems with policies such as default permit grant every
program and every user full access to the entire computer. This operating system
flaw allows viruses and malware to execute commands on behalf of the
administrator.

• Software Bugs – The programmer leaves an exploitable bug in a software
program. The software bug may allow an attacker to misuse an application.

• Unchecked User Input – The program assumes that all user input is safe.
Programs that do not check user input can allow unintended direct execution of
commands or SQL statements (known as buffer overflows, SQL injection or
other non-validated inputs).

Vulnerability disclosure date

The time of disclosure of a vulnerability is defined differently in the security community
and industry. It is most commonly referred to as "a kind of public disclosure of security
information by a certain party". Usually, vulnerability information is discussed on a
mailing list or published on a security web site and results in a security advisory
afterwards.

The time of disclosure is the first date a security vulnerability is described on a channel
where the disclosed information on the vulnerability has to fulfil the following
requirements:

• The information is freely available to the public.
• The vulnerability information is published by a trusted and independent
channel/source.
• The vulnerability has undergone analysis by experts such that risk rating
information is included upon disclosure.

The method of disclosing vulnerabilities is a topic of debate in the computer security
community. Some advocate immediate full disclosure of information about
vulnerabilities once they are discovered. Others argue for limiting disclosure to the users
placed at greatest risk, and only releasing full details after a delay, if ever. Such delays
may allow those notified to fix the problem by developing and applying patches, but may
also increase the risk to those not privy to full details. This debate has a long history in
security; see full disclosure and security through obscurity. More recently a new form of
commercial vulnerability disclosure has taken shape, as some commercial security
companies offer money for exclusive disclosures of Zero Day vulnerabilities. Those
offers provide a legitimate market for the purchase and sale of vulnerability information
from the security community.

From the security perspective, a free and public disclosure is only successful if the
affected parties get the relevant information prior to potential hackers; if they do not, the
hackers could take immediate advantage of the revealed exploit. With security through
obscurity the same rule applies, but this time it rests on the hackers finding the
vulnerability themselves, as opposed to being given the information from another source.
The disadvantage here is that fewer people have full knowledge of the vulnerability
and can aid in finding similar or related scenarios.

The disclosure channel should be unbiased to enable a fair dissemination of security
critical information. Most often a channel is considered trusted when it is a widely
accepted source of security information in the industry (e.g., CERT, SecurityFocus,
Secunia and VUPEN). Analysis and risk rating ensure the quality of the disclosed
information. The analysis must include enough details to allow a concerned user of the
software to assess his individual risk or take immediate action to protect his assets.

Identifying and removing vulnerabilities

Many software tools exist that can aid in the discovery (and sometimes removal) of
vulnerabilities in a computer system. Though these tools can provide an auditor with a
good overview of possible vulnerabilities present, they cannot replace human judgment.
Relying solely on scanners will yield false positives and a limited-scope view of the
problems present in the system.

Vulnerabilities have been found in every major operating system including Windows,
Mac OS, various forms of Unix and Linux, OpenVMS, and others. The only way to
reduce the chance of a vulnerability being used against a system is through constant
vigilance, including careful system maintenance (e.g. applying software patches), best
practices in deployment (e.g. the use of firewalls and access controls) and auditing (both
during development and throughout the deployment lifecycle).

Examples of vulnerabilities

Common types of vulnerabilities include:

• Memory safety violations, such as:
    o Buffer overflows
    o Dangling pointers
• Input validation errors, such as:
    o Format string bugs
    o Improperly handling shell metacharacters so they are interpreted
    o SQL injection
    o Code injection
    o E-mail injection
    o Directory traversal
    o Cross-site scripting in web applications
    o HTTP header injection
    o HTTP response splitting
• Race conditions, such as:
    o Time-of-check-to-time-of-use bugs
    o Symlink races
• Privilege-confusion bugs, such as:
    o Cross-site request forgery in web applications
    o Clickjacking
    o FTP bounce attack
• Privilege escalation
• User interface failures, such as:
    o Warning fatigue or user conditioning.
    o Blaming the victim: prompting a user to make a security decision without
      giving the user enough information to answer it.
    o Race conditions.

Vulnerability assessment

A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or
ranking) the vulnerabilities in a system. Examples of systems for which vulnerability
assessments are performed include, but are not limited to, nuclear power plants,
information technology systems, energy supply systems, water supply systems,
transportation systems, and communication systems. Vulnerability assessments can be
conducted for anything from small businesses to large regional infrastructures.
Vulnerability from the perspective of disaster management means assessing the threats
from potential hazards to the population and to the infrastructure developed in that
particular. It can be done in the political, social, economic and environmental fields.

Vulnerability assessment has many things in common with risk assessment. Assessments
are typically performed according to the following steps:

1. Cataloging assets and capabilities (resources) in a system.
2. Assigning quantifiable value (or at least rank order) and importance to those
resources.
3. Identifying the vulnerabilities or potential threats to each resource.
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable
resources.

"Classical risk analysis is principally concerned with investigating the risks surrounding
physical plant (or some other object), its design and operations. Such analyses tend to
focus on causes and the direct consequences for the studied object. Vulnerability
analyses, on the other hand, focus both on consequences for the object itself and on
primary and secondary consequences for the surrounding environment. It also concerns
itself with the possibilities of reducing such consequences and of improving the capacity
to manage future incidents." According to the U.S. Department of Defense, in general, a
vulnerability analysis serves to "categorize key assets and drive the risk management
process."

In the United States, guides providing valuable considerations and templates for
completing a vulnerability assessment are available from numerous agencies including
the Department of Energy, the Environmental Protection Agency, and the United States
Department of Transportation.

Vulnerability in news:

Source: KCBS/AP, 9th April 2009, www.kcbs.com

SAN FRANCISCO (KCBS/AP) -- The work of vandals in a massive phone outage has been a
grim reminder to Americans about just how vulnerable our telecommunications
infrastructure can be to attacks.

Early Thursday morning, vandals cut several optic fiber cables located in sewers and
disrupted phone and Internet service to tens of thousands of residents in the South Bay.

Some say that very same thing could happen on an even larger scale.

“One person can do a lot of damage and it’s just amazing how vulnerable [and] critical
the Internet infrastructure grid is… and to the extent that the electric grid depends upon
the Internet, that makes the grid even more vulnerable,” said CBS Terrorism Consultant
Raymond Tanter.

Tanter says the electric grid includes miles and miles of transmission lines as well as
power plants, which terrorists—foreign or domestic—could use to take down phone
lines, Internet systems and halt power delivery.

The electric grid might already have been compromised by spies who left behind
computer programs that would let them disrupt service, a former U.S. government
official told The Associated Press. The official said the sophistication of the attack meant
it was almost certainly state-sponsored, but the government does not know its extent
because federal officials lack the authority to monitor the entire grid.

Tanter says the government is addressing the issue. The Pentagon this week said it spent
more than $100 million in the last six months responding to damage from cyber attacks
and other computer network problems. The White House is also wrapping up a 60-day
review of how the government can better use technology to protect everything from the
nation's electrical grid and stock markets to tax data, airline flight systems and nuclear
launch codes.

“The Obama Administration has asked Congress for $17 billion to decrease the
vulnerability of government Internet and electrical grid capabilities, but they have not
said anything about the private sector.”

So the question of whether local utilities should be included in this protection is
still the subject of debate in Washington. In the meantime, Tanter says that while we
should be concerned about the vulnerability of our infrastructure, it is very likely that the
very Internet we have become so dependent upon will help provide the solution.

In 2008, there were 5,499 known breaches of U.S. government computers with malicious
software, according to the Department of Homeland Security. That's up from 3,928 the
previous year, and just 2,172 in 2006.

Serious breaches by what are described as "unknown foreign entities" have occurred in
recent years in computers at the Departments of Defense, Homeland Security and
Commerce, as well as NASA, according to a report by the Center for Strategic and
International Studies, a nonpartisan organization in Washington.
