All software you install or use presents a certain level of risk due to vulnerabilities (discovered and undiscovered) in the software itself. This article will discuss the common types of software vulnerabilities are and what you can do to reduce the impact of those vulnerabilities on your organization.
In its simplest definition, a vulnerability is the technical term we use to describe a weakness of some sort. All software has varying degrees of these weaknesses or vulnerabilities. Let’s discuss a few of the most common vulnerabilities:
- Remote Code Execution (RCE). An RCE is one of the scariest vulnerability classes. Software vulnerable to an RCE can allow remote attackers to control the system running the vulnerable software. Once that happens, the attacker has full control of the system and likely the network it’s on.
- Denial of Service (DoS). A DoS vulnerability indicates that a particular vulnerability can render the software, and possible it’s server and network, unusable for some period of time. This is typically used in what are called Logic-based DoS attacks where the attacker exploits a company’s DoS vulnerabilities to crash servers or processes.
- Overflows. Overflow vulnerabilities are a very technical concept, but one of the most common types of vulnerabilities. An overflow occurs when an application tries to insert more data into memory than is allowed. When that happens, the data “overflows” and other data can be inadvertently exposed, modified, or deleted.
- Injection. Most often seen in web applications, injection vulnerabilities (e.g. SQL Injection, Command Injection) are a result of attackers inserting malicious code into inputs – like in a web form – and having the server execute that code. This often leads to data leaks, remote code executions, and denial of service.
Reducing the Risk
There are several ways we can reduce the risk that software vulnerabilities will affect your organization.
- Update your software
- Uninstall unnecessary software
- Do not expose software or services to the internet unless absolutely required
- Protect your web applications with a Web Application Firewall
- Train your software developers on security (if you develop in-house)
- Look up the software you run on a site like CVEDetails.com to see if you are at risk
You’ll notice we’re reducing the risks posed by vulnerabilities, not eliminating the risk. There will always residual risk for all the software vulnerabilities that we don’t know about yet. As with most things IT-related, this is an ongoing process of assessment and fixes that organizations must commit to in order to keep risk low.
If you’d like more help with this, or any other topic, please reach out! We’re here to help.