Question

[DATA COMMUNICATIONS]

What is a vulnerability?

How are vulnerabilities dealt with and what are the possible results of leaving systems vulnerable?

If a system has no vulnerabilities how is it exploited?

Define Social Engineering and the types of attacks that step from Social Engineering.

Answer 1

A vulnerability is a weak point in the system. Each organization has multiple security measures that keeps intruders out and sensitive data secure. We can think of such security measures as the raincoat that covers your body. Vulnerabilities are holes on that raincoat that let the water in.
Through the vulnerabilities, an attacker can find their way into the systems and network and extract sensitive information.

A good vulnerability management procedure can deal with vulnerabilities and helps to reduce the chances of its occurrence through a 3-step process:

1. Identify the vulnerabilities in your systems.
It requires a scan of your systems, applications, networks and devices. Scanning can help in revealing security vulnerabilities.

2. Prioritize them according to their level of risk.
Most of the scans give results that are referred to by their CVE (Common Vulnerabilities and Exposures). This is a standardized system. It generates a numerical criticality score from 1 to 10 (least to most critical) based on various factors.

3. Resolve them with a fast and manageable approach.
After prioritizing vulnerabilities based on severity and asset value, you can address them in manageable way and resolve the most critical ones first. Each of vulnerability in the list should include a title, severity, category, associated threat and proposed solution. With this, you should be able to resolve the most critical vulnerabilities in a manageable and efficient way.

Possible results of leaving systems vulnerable-

1. Denial of service
An attacker who exploited this vulnerability can prevent authorized person from accessing the computing resources.

2. Information disclosure
An attacker who exploited this vulnerability can get access to sensitive information.

3. Elevation of privilege
An attacker who exploited this vulnerability can get higher privileges on compromised systems.

If a system has no vulnerabilities, it would possibly be exploited by exploiting the human behaviour involved in the system.

Social Engineering is an art of exploiting human psychology, rather than technical exploitation techniques, to gain unauthorised access

For example, instead of trying to find a vulnerability in the system, a social engineer might trick an employee into divulging his credentials by posing as someone legitimate.

Here are some attacks that step from social engineering-
1. Phishing: These scams are email or text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims.

2. Pretexting: Here an attacker obtains information through a series of cleverly crafted lies through texting, the attacker pretends to be someone else.

3. Baiting: Attacks uses a false promise to target a victim’s greed or curiosity. And steals their sensitive data.

4. Scareware: It involves victims being flooded with false alarms and threats. Users are deceived to think their system is infected with malware, prompting them to install software that has no real benefit.