A vulnerability is a weakness in a system that allows an attacker to violate the integrity of that system. Vacca (2009) says that “vulnerabilities may result from weak password, software bugs, a computer virus or other malware that is malicious software, a script code injection or an SQL injection” (p. 383). Vulnerabilities have always existed, but when the internet was in its early stage they were not used and exploited as often.
Anjum & Mouchtaris (2007) define a vulnerability as any hardware, firmware, or software flaw that leaves an information system open to potential exploitation. The exploitation can take various forms, such as obtaining unauthorized access to information or disrupting critical processing of information or transactions in an organization. Anjum & Mouchtaris (2007) say that applications and services in a mobile wireless network can be a weak link as well. They indicate that in these networks there are often proxies and software agents running in intermediate nodes to achieve performance gains through caching, content transcoding or traffic shaping. Anjum & Mouchtaris (2007) say that potential attacks may target these proxies and agents to gain sensitive information or to mount denial of service attacks.
Some of the intrinsic vulnerabilities of ad hoc networks reside in their routing, others in their use of wireless links, and still others in their auto-configuration mechanisms. Anjum & Mouchtaris (2007) say that the emission of false routing information by a host could create bogus entries in routing tables throughout the network, making communication difficult. They further note that the use of wireless links makes these networks very vulnerable to attacks ranging from passive eavesdropping to active interference. An attacker just needs to be within radio range of a node in order to intercept network traffic.
Furthermore, the auto-configuration mechanisms currently used in software and hardware bring up new vulnerabilities. Anjum & Mouchtaris (2007) indicate that this functionality, whether it uses ICMP router advertisements, neighbor solicitation messages or simple DHCP auto-configuration messages, is vulnerable to false replies. In addition, the constraints that exist in ad hoc networks add to the vulnerabilities. A good example is networks with limited computational ability, as evidenced by low processor frequencies and smaller memory sizes. Anjum & Mouchtaris (2007) say that the implication is that this may give an adversary an easy way to launch denial of service attacks in such networks by attempting to exhaust the battery of a legitimate node.
In software systems and applications within organizations, vulnerabilities are the major cause of internet incidents. They are used by human attackers or by worms and viruses to launch attacks on information systems. Laganà (2004) says that the important way of dealing with weakness in such information systems is to remove the vulnerabilities of the network-based information system, because attackers make good use of vulnerabilities to achieve their malicious aims.
Kim & Solomon (2010) comment that there are common vulnerabilities in the seven domains of an information technology infrastructure. The first domain is the user domain, whose common vulnerabilities include lack of awareness of or concern for security policy, accidental acceptable use policy violation, intentional malicious activity and social engineering (Kim & Solomon, 2010).
The second domain in IT that poses a major vulnerability is the workstation domain. The major weaknesses include unauthorized user access, malicious software being introduced into the information system, and weaknesses in the installed software (Kim & Solomon, 2010). The third domain is the local area network, whose common vulnerabilities are unauthorized network access, transmitting private data unencrypted and spreading malicious software. Within the wide area network domain, vulnerability can arise through transmitting private data unencrypted, malicious attacks from anonymous sources and denial of service attacks. Kim & Solomon (2010) say that “in the remote access domain, vulnerability can be through brute-force attacks on access and private data, unauthorized remote access of resources, and data leakage from remote access or lost storage devices” (p. 97). In the system or application domain, vulnerability arises through unauthorized physical or logical access to resources, weaknesses in server operating system or application software, and data loss from errors, failures or disasters (Kim & Solomon, 2010).
The reasons why it is most important
Vacca (2009) says that vulnerability assessment is important because it may be performed on many objects, not only computer systems and networks. As an example, he says that a physical building can be assessed so that it is clear what parts of the building have what kind of flaw. Vacca (2009) also says that a vulnerability assessment without a comprehensive report is useless. Organizations, through their CIOs, should identify and quantify the vulnerabilities that exist in their software, hardware, networks and transmission media. In his book, Vacca (2009) says that vulnerabilities should be sorted by severity and then by services/servers. The critical vulnerabilities should be at the top of the report, and the rest should be listed in descending order, that is, critical, high, medium and low.
Routine use of vulnerability check tools, along with immediate response to the problems they identify, will alleviate risks. Vacca (2009) says that vulnerability checks should be a standard element of every organization’s security policy. Assessing vulnerability is what most organizations should do, since the systems they use are live production systems and cannot afford to be disrupted by active exploits that might crash them (Vacca, 2009). The team assessing vulnerability should catalogue the assets and capabilities in the system, assign a quantifiable value and importance to the information system, and identify the vulnerabilities or potential threats to each piece of hardware and software. Vacca (2009) says that they should mitigate or eliminate the most serious vulnerabilities for the most valuable resources in the organization.
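The report ordering and asset cataloguing described in the two paragraphs above can be sketched as follows. This is an added example, not taken from Vacca (2009); the asset catalogue, the 1 to 5 value scale, the findings and the rule that higher-value servers come first within a severity level are all constructed assumptions.

```python
from collections import defaultdict

# Severity order the report must follow: critical at the top, low at the bottom.
SEVERITY_ORDER = ["critical", "high", "medium", "low"]

# Constructed asset catalogue: server -> business value (assumed 1-5 scale).
ASSETS = {"db01": 5, "web01": 4, "mail01": 3, "print01": 1}

# Constructed scanner findings: (server, service, severity, title).
FINDINGS = [
    ("web01", "http/80", "Medium", "Directory listing enabled"),
    ("db01", "mysql/3306", "critical", "Default administrative password"),
    ("print01", "telnet/23", "high", "Telnet management interface exposed"),
    ("web01", "ssh/22", "critical", "Unsupported SSH server version"),
    ("mail01", "smtp/25", "low", "Verbose service banner"),
    ("db01", "ssh/22", "high", "Password authentication for root"),
    ("mail01", "imap/143", "severe", "Cleartext login permitted"),
]


def build_report(findings, assets):
    """Return [(severity, [(server, service, title), ...]), ...] in report order."""
    buckets = defaultdict(list)
    for server, service, severity, title in findings:
        level = severity.strip().lower()
        # A label outside the four known levels is kept for manual triage,
        # never silently dropped from the report.
        if level not in SEVERITY_ORDER:
            level = "unclassified"
        buckets[level].append((server, service, title))

    report = []
    for level in SEVERITY_ORDER + ["unclassified"]:
        rows = buckets.get(level)
        if not rows:
            continue
        # Within one severity: most valuable server first (assumption), then
        # by server name and service. Uncatalogued servers sort last (value 0).
        rows.sort(key=lambda r: (-assets.get(r[0], 0), r[0], r[1]))
        report.append((level, rows))
    return report


def render(report):
    """Format the ordered report as plain text."""
    lines = []
    for level, rows in report:
        lines.append(f"[{level.upper()}] {len(rows)} finding(s)")
        for server, service, title in rows:
            lines.append(f"  {server:<8} {service:<11} {title}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_report(FINDINGS, ASSETS)))
```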
In this context, a weakness in the company’s network security should be considered to be any source of potential disclosure of the company’s data and information, or any other source of vulnerability. Vellani (2007) indicated that “some of these threats include human factors, acts caused by human beings such as accidental data changes or deliberate actions” (p. 141). Environmental vulnerabilities, on the other hand, should be defined as those known to occur due to power failure, fluid damage, and conflagration and smolder damage. Besides that, Vellani (2007) established that “natural vulnerabilities of an organization can result from winds, floods, and earthquakes” (p. 141). These are some of the potential weaknesses that have been identified and that could cause harm to the network of the company. The IT management team should critically analyze potential vulnerabilities to the company’s information systems and its network environment.
Another important aspect of vulnerability assessment is that the company should clearly define the sources of the vulnerabilities and the motivation behind them, and also identify the possible actions. Vellani (2007) says that “one potential source of vulnerability is a hacker whose motivation could be rebellion or challenge while threat action could be social engineering, system intrusion or unauthorized system access” (p. 142). Computer criminals are identified as another source of weakness, that is, individuals who may be motivated by information destruction and unauthorized data alteration. Their actions could be information theft or spoofing (Vellani, 2007). These are some of the possible sources of vulnerabilities, and organizations should therefore examine all the possible sources of weakness that could in turn exploit network vulnerabilities in the organization.
The impact of this vulnerability on organizations
Stoneburner, Goguen & Feringa (2001) indicated in their publication that “the analysis of weakness to an IT system should involve an analysis of vulnerabilities associated with the system environment” (p. 15). This should help organizations to come up with a list of the current and future system vulnerabilities, which are flaws and weaknesses that could be exploited by the potential network threat sources. The definition of network vulnerability according to Stoneburner, Goguen & Feringa (2001) is that “it is a flaw or weakness in the company’s system security procedures, design, implementation, or internal controls” (p. 15).
The IT department team should perform vulnerability identification based on the actual vulnerability, the source of the network weakness and the action that would be taken to exploit the vulnerability. Stoneburner, Goguen & Feringa (2001) say that “in such cases the threat action could be the former employees trying to dial into the company’s network and accessing its data” (p. 15). Stoneburner, Goguen & Feringa (2001) go on to say that a vulnerability could result from a firewall that allows inbound telnet and from guest users being enabled on a specific company server. In this case the vulnerability source should be identified as unauthorized users, and the action could be the use of telnet to reach the specific company server and browse company files using the guest ID (Stoneburner, Goguen & Feringa, 2001).
The third vulnerability that faces organizations is that a vendor may have identified flaws in the security design of the company’s system (Stoneburner, Goguen & Feringa, 2001). The source in this case could be unauthorized users, and the action could be obtaining unauthorized access to sensitive system files. According to Stoneburner, Goguen & Feringa (2001) the “recommended methods which can be effectively applied for identifying system vulnerabilities are the use of vulnerability sources, the performance of system security testing and the development of security requirements checklists” (p. 15).
In addition, companies should perform system vulnerability testing. Stoneburner, Goguen & Feringa (2001) established that “system testing can be used to identify system vulnerabilities efficiently on the basis of the criticality of the information system and available resources within the company” (p. 15). The network security and administration team should take the lead and employ test methods such as automated vulnerability scanning tools, security test and evaluation, and penetration testing (Stoneburner, Goguen & Feringa, 2001). These are some of the ways through which organizations can spot potential vulnerabilities.
The aim of impact assessment on vulnerability is to analyze the controls that have been put in place, or are being planned for implementation, by the company so as to minimize the possibility of a threat exercising a network vulnerability (Stoneburner, Goguen & Feringa, 2001). Organizations should come up with the control methods and categories and analyze the techniques, which comprise both technical and nontechnical methods.
Stoneburner, Goguen & Feringa (2001) say that “technical controls are safeguards that can be incorporated into computer hardware, software, and firmware which include access control mechanisms, identification and authentication mechanisms, encryption methods and intrusion detection software” (p. 20). Companies should also use nontechnical controls, which are based on strategic management and operational controls such as security policies, operational procedures, and personnel and physical security.
Control categories in assessing vulnerability are important for organizations, and they encompass both preventive and detective controls. Stoneburner, Goguen & Feringa (2001) stated that “preventive controls inhibit attempts to violate vulnerability policy and include such controls as access control enforcement, encryption, and authentication” (p. 20). Detective controls, on the other hand, should be employed by organizations as a means of flagging any infringement of security policy, and they include controls such as network audit trails, intrusion detection methods, and checksums. Stoneburner, Goguen & Feringa (2001) also say that the use of an available checklist is helpful in analyzing controls in an efficient and systematic manner. This implies that it is important for organizations to update their vulnerability checklists so that they mirror the changes in the company’s network security control environment. The importance of establishing the vulnerability controls is that they help the information technology department to reduce the likelihood of vulnerabilities.
This helps companies to determine the potential adverse impact resulting from a successful exploitation of a vulnerability by a given threat. Vellani (2007) noted that when a company engages in an impact analysis, the team should understand that “the adverse impact of security event or vulnerability exploitation should be expressed in terms of loss or deterioration of any of the security principles” (p. 145). The basis of this analysis is confidentiality, integrity, and availability.
The first principle on which impact analysis of information system and hardware vulnerability should be conducted is loss of confidentiality. This can be a major weakness through which attackers can gain access to the company’s data or information and exploit it. Vellani (2007) says that, for the company, loss of confidentiality is a vulnerability because it implies that unauthorized people have access to certain information or data. Vellani (2007) indicated that the impact of unauthorized disclosure of confidential information ranges from jeopardizing international borders to disclosure of sensitive data such as client credit information. This could result in the company losing its reputation.
Impact analysis on vulnerability also ensures that the company’s information system is always available. Vellani (2007) argues that reliable and timely access to information by the company’s employees ensures that loss of the company’s system functionality does not affect the underlying business transactions or cause loss of production. The impact of a vulnerability can be classified as high, medium, or low. These levels depend on the magnitude of the impact, that is, on what the exploitation of the vulnerability could result in.
Vellani, K. H. (2007). Strategic security management: a risk assessment guide for decision makers. Oxford, UK: Butterworth Heinemann.
Level of Vulnerability
High: The source of weakness within the network is highly motivated and sufficiently capable, and the network controls in place are ineffective.
Medium: The source of vulnerability within the company is motivated and capable, and the organization should put controls in place to impede the vulnerability.
Low: The source of the network weakness is not motivated, and controls are in place to prevent vulnerability of the company’s network as well as its data.
How organizations can best address its potential impacts
Janczewski (2008) says that vulnerability can be addressed through various aspects, which include primary units within the organization, cabling and equipment disposal. At the primary unit, an intruder may unplug a computer unit’s peripherals and walk away with them. According to Janczewski (2008), once this equipment has been examined or modified it can be plugged back into the system and then used for future surveillance, leaving the organization vulnerable. This implies that organizations should have better organized facilities and, beyond that, keep them in restricted, locked rooms and govern access to their facilities by guests and intruders (Janczewski, 2008).
In addition, the physical cabling of the organization’s network is another point of vulnerability that must be carefully addressed. Janczewski (2008) further notes that transmission wires come in different formats, which include twisted pair telephone wire, coaxial cable and fibre optic. On many occasions these internal wires run through walls and conduits and eventually terminate at wall plugs, switch racks or hubs. Janczewski (2008) indicated that the ability to tap into these wires is related to their ease of access in the case of twisted pair and coaxial cable, and to a higher level of skill and equipment in the case of fibre optic. These wires can be encased in conduits, but in many other cases they are openly exposed. Janczewski (2008) also says that “these wires eventually must exit a building and as such became susceptible to outside splicing” (p. 22).
Equipment disposal within the organization is another source of weakness. Janczewski (2008) points to the improper disposal of older equipment such as hard drives, which contain details and configuration settings of once-operational computers. It is important to understand that these retired computers are given away to employees or tossed in a dumpster after their hard drives have been reformatted. Janczewski (2008) says that the vulnerability with this approach is that computer forensic techniques that are readily available today can recover lost or formatted data from a hard drive that has been formatted up to six times. The most important thing is to ensure that all equipment is securely disposed of, to reduce this weakness.
Gaining physical access to facilities and equipment provides a huge advantage in gaining additional access to an organization’s systems. Among transmission media, wireless devices are appearing everywhere, alongside landline and cable. Janczewski (2008) says that wireless devices pose a major vulnerability because they use laser, radio frequency and infrared technologies to put data on a frequency wave as a means of transmission. Janczewski (2008) continues to say that the basic nature of wireless communications makes this transmission medium accessible from any point within its broadcast range or point-to-point path. In this context, this is the greatest weakness in the transmission media. The reason is that when two devices initially wish to connect, a handshake protocol establishes the connection between the two devices and any security mechanism that will be used throughout the connection (Janczewski, 2008).
The communication link between two communicating devices can be interrupted by environmental conditions that cause signal degradation or data corruption, which can result in the retransmission of previously sent data. Janczewski (2008) says that these issues give intruders a foundation for piercing such systems and any security that may be present, or for preventing the communication connection from being maintained. Janczewski (2008) also says that “while there are numerous standards in existence for securing wireless communications, the underlying notion that the transmission can be openly monitored makes this transmission medium vulnerable to eavesdropping.”
Another vulnerability of wireless devices has to do with having their source location ascertained. Janczewski (2008) argues that the physical location of a transmitting device can be deduced through a host of detection methods, because all such devices have a point of origin for their transmission. It has also been noted that while military versions of wireless devices have additional protective security mechanisms such as frequency hopping and spread spectrum, most commercial facilities continue to be shown to be vulnerable to disruption, monitoring and intrusion (Janczewski, 2008).
In conclusion, it should be noted that systems vulnerability plays an important part in the running of an organization. Understanding it should help organizations to determine the weaknesses that the company may face in running its overall business. The management of organizations should realize that globalization brings about tremendous opportunities, and that competitive vulnerability check technologies therefore need to be implemented in order to counter the risks. Software, hardware and network security can never be 100%, because technology is dynamic and new innovations present vulnerabilities to organization data. The most fundamental issue is that the network management and administration team should not overlook any vulnerability.