In this video, Lora Vaughn McIntosh explains what a vulnerability is. Learn why vulnerabilities exist and why protective measures aren't always foolproof.
- [Instructor] Before diving into vulnerability management, we need to define what a vulnerability is in the context of computer systems. Vulnerability is defined as the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally. My definition of vulnerability as it relates to computer systems is a weakness that individually or in conjunction with others could allow an attacker to perform unauthorized actions on a system or network. But that's still a difficult concept to visualize since most of us don't really have a good picture of what a computer is and what its weaknesses are, at least not one that makes sense.
So instead, I'll use an analogy. Let's think about house. Houses, like computers, have several mechanisms or security controls to protect its contents and inhabitants. Because we don't want a random stranger off the street to just walk into our homes, we insist that the exterior doors and windows are in place, and they have locks so that outsiders can't just walk inside. We install smoke detectors to alert us when there's smoke and potentially fire in the house. And that way we can go grab the fire extinguisher if it's a small fire or evacuate.
We hang curtains on the windows to protect our privacy and keep our neighbors from seeing inside. We might even install a home security system. That way we can monitor the exterior doors and windows for unauthorized activity and alert the authorities in our absence if someone does try to break in. But even with these security controls, there are weaknesses or vulnerabilities in those controls, or even areas beyond the scope of those controls that an attacker might be able to use to break into your home or your computer.
So you have locks on your doors and windows, but you forgot to lock the door. Or you left the window open. Your doggy door might even be big enough for a human to fit through. Locks can be picked and doors can be pried or forced open. Then you have your smoke detectors; but you forgot to change the batteries, or they aren't spaced properly so they don't actually go off when a fire starts. You have curtains on the windows, but you left 'em open.
So you even installed a home security system for that extra level of protection, but you didn't arm it when you left home. And then by the time it goes off, it's too late. The cops may be on the way, but the intruders are already gone with your stuff. No matter what, protective measures aren't foolproof when we talk about a house, especially if someone is really determined to get in. The same thing applies to computer systems and networks.
- What's a vulnerability and why do they exist?
- Main sources for vulnerability data
- Prioritizing vulnerabilities
- The industry standard for vulnerability risk scoring
- How regulations can impact vulnerability management processes
- How compensating controls affect vulnerabilities
- Vetting false positives
- Confirming remediation
- Building a vulnerability management program