Explore the concept of vulnerabilities, which are security flaws in a system. Lisa Bock introduces the Open Web Application Security Project (OWASP) Top 10 List and Common Vulnerabilities and Exposures. Discover ways to safeguard your system, including performing 'white list' input validation and using Content Security Policy.
- [Voiceover] When developing security strategies, it's important to understand the following terms: assets, risks, threats, and vulnerabilities. Assets are tangible and intangible items that can be assigned a value. Risk is exposure to an event by a person or other entity that might result in business disruption, financial loss, or even loss of life. Risk is a function of a threat exploiting a vulnerability according to a formula: Risk = Threats × Vulnerabilities.
In order to understand the risk to assets, possible threats and vulnerabilities must be evaluated. A threat is something that might happen and can range from innocent mistakes by employees to natural disasters. And in general, they're difficult to control. Threats include disgruntled employees, terrorists, or nature. A threat is anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.
A vulnerability is a security flaw in a system that can be exploited by threats. The goal is to gain unauthorized access to an asset. Connecting a system to the internet can represent a vulnerability if the system is unpatched. Vulnerabilities include human error or software flaws. Many can be found online. I'm at one website, US-CERT, United States Computer Emergency Readiness Team. I'll scroll down and here we can see a list of recent vulnerabilities.
Another website is CVE, or Common Vulnerabilities and Exposures. There is a database of common vulnerabilities and methods to reduce the threat. If you are a developer, you should become very familiar with this site. An organization's web interface can be a potential target. Many web developers are not aware of the many vulnerabilities and, more importantly, that the risk can be reduced by proper coding practices. The Open Web Application Security Project, or OWASP, is an organization aimed at increasing awareness of web security.
The list is not published every year, and that may very well be because the vulnerabilities do not change dramatically from year to year. They do, however, move up or down in priority, or in some cases are renamed. Now here we see the list from 2010 to 2013. And as you can see, the top five remain the same. The fact is, they may change, they may move up or down in priority, but they can be reduced by proper coding techniques.
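The course summary names 'white list' input validation as one of the coding techniques that reduces these vulnerabilities. The following is an added example, not code from the course or from OWASP, showing what that looks like in practice: every field is checked against an explicit set of allowed values or an anchored pattern, and anything not on the list is rejected by default. The field rules, the role names, and the sample form submissions are constructed for illustration.

```python
import re
from typing import Optional

# Allow-list rules (constructed for this example): a username is 3-32 characters
# drawn only from letters, digits and underscore; a role must be one of three
# known values. Anything outside these rules is rejected, not "cleaned up".
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
ROLES = frozenset({"viewer", "editor", "admin"})


def validate_username(value: object) -> Optional[str]:
    """Return the username unchanged if it matches the allow-list pattern, else None.

    re.fullmatch anchors the pattern at both ends, so input such as "bob<b>"
    fails even though it starts with valid characters.
    """
    if not isinstance(value, str):
        return None
    return value if USERNAME_RE.fullmatch(value) else None


def validate_role(value: object) -> Optional[str]:
    """Accept only one of the enumerated roles; any other string is rejected."""
    return value if isinstance(value, str) and value in ROLES else None


def validate_form(form: dict) -> dict:
    """Validate an entire submission field by field.

    Returns {"ok": bool, "data": cleaned fields, "errors": [field names]}.
    Only fields we expect are copied into "data"; unexpected keys in the
    submission are dropped rather than passed through to the application.
    """
    errors = []
    cleaned = {}

    username = validate_username(form.get("username"))
    if username is None:
        errors.append("username")
    else:
        cleaned["username"] = username

    role = validate_role(form.get("role"))
    if role is None:
        errors.append("role")
    else:
        cleaned["role"] = role

    return {"ok": not errors, "data": cleaned, "errors": errors}


if __name__ == "__main__":
    # Constructed sample submissions: one well-formed, one malformed.
    good = {"username": "alice_01", "role": "viewer", "extra": "ignored"}
    bad = {"username": "a'; --", "role": "root"}
    print(validate_form(good))
    print(validate_form(bad))
```

The key design choice is that validation is allow-list based: the code never tries to recognise or strip "bad" characters, which is the deny-list approach that tends to miss cases. It describes exactly what valid input looks like and refuses everything else, so a new encoding trick or an unexpected field needs no change to the rules to be rejected.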
Security expert Lisa Bock starts with an overview of ethical hacking and the role of the ethical hacker. She reviews the kinds of threats networks face, and introduces the five phases of ethical hacking, from reconnaissance to covering your tracks. She also covers penetration-testing techniques and tools. The materials map directly to the "Introduction to Ethical Hacking" competency from the CEH Body of Knowledge, and provide an excellent jumping-off point for the next courses in this series.
Note: Our Ethical Hacking series will map to the 18 parts of the EC-Council's certification exam. Find more courses in the series on Lisa's author page.
- Ethical hacking principles
- Managing incidents
- Creating security policies
- Protecting data
- Conducting penetration testing
- Hacking in phases