Vulnerabilities are weaknesses or flaws that exist within technology. This includes security products such as firewalls, anti-virus, and anti-malware. It also includes ordinary endpoint devices such as servers, workstations, laptops, cameras, thermostats, and refrigerators. In addition, it includes network devices such as routers and switches. Vulnerabilities fall into three categories:
- We know about it and have a fix or patch. (n-days)
- We know about it but do not have a fix or patch. (n-days)
- We don’t yet know it exists. (0-days)
Sites such as MITRE record the first two types, and together they are known as the Common Vulnerabilities and Exposures (CVE) list. The National Institute of Standards and Technology (NIST) maintains another site that lists known vulnerabilities, called the National Vulnerability Database (NVD).
You find vulnerabilities by running vulnerability scans on your network. Good tools, such as Nessus from Tenable, automatically link discovered software to databases of known vulnerabilities. Vulnerability scans report on suspected vulnerabilities but do not confirm that they are exploitable. The next step is to confirm that they are exploitable on a network and take action to protect the systems.
For example, if there is a Microsoft Windows Server 2019 on your network, the vulnerability scanner should discover Zerologon, a problem that can affect this server. The scanner first fingerprints the host as Windows Server 2019, and then searches the database for vulnerabilities known to affect that product.
This scan should discover a CVE entry at NIST's NVD named Zerologon that allows an attacker to gain improper privileges. This CVE has a Common Vulnerability Scoring System (CVSS) score of 10 out of 10, which means it is as bad as it can get and must be addressed immediately. The CVE page has links to advisories, solutions, and tools. It also points to the Common Weakness Enumeration (CWE) page, which provides even more information about the underlying weakness class.
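The lookup-and-prioritize step described above, as an added example that is not part of the original article or of any scanner product: a constructed stand-in vulnerability database is matched against fingerprinted software, each hit is banded by CVSS and sorted into the article's n-day buckets, and every hit is marked "suspected" because a database match does not prove exploitability. The CVE ids are placeholders (the article gives no real CVE numbers); only the Zerologon row's product and score come from the text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    cve_id: str         # placeholder ids below; the article gives no real CVE numbers
    name: str
    product: str        # affected product, as a scanner would fingerprint it
    cvss: float         # base score, 0.0 to 10.0
    patch_available: bool

# Constructed stand-in for a CVE/NVD lookup. Only the Zerologon row's product and
# score are taken from the text; the other two rows are purely illustrative.
VULN_DB = (
    Advisory("CVE-0000-0001", "Zerologon", "windows server 2019", 10.0, True),
    Advisory("CVE-0000-0002", "camera-auth-bypass", "acme ipcam 2.1", 8.1, False),
    Advisory("CVE-0000-0003", "ssh-user-enum", "openssh 7.4", 5.3, True),
)

def cvss_band(score: float) -> str:
    """CVSS v3 qualitative rating for a base score."""
    if score >= 9.0: return "Critical"
    if score >= 7.0: return "High"
    if score >= 4.0: return "Medium"
    if score > 0.0:  return "Low"
    return "None"

def category(adv: Advisory) -> str:
    """Which of the article's three buckets a known advisory falls into.
    0-days never appear here: a database lookup can only surface known issues."""
    return "n-day (fix available)" if adv.patch_available else "n-day (no fix yet)"

def scan(inventory: list[str]) -> list[dict]:
    """Match fingerprinted software against the database, worst score first.
    Every hit is 'suspected': the lookup shows a matching version, not exploitability."""
    hits = []
    for item in inventory:
        key = item.strip().lower()
        for adv in VULN_DB:
            if adv.product == key:
                hits.append({"asset": item, "cve": adv.cve_id, "name": adv.name,
                             "cvss": adv.cvss, "severity": cvss_band(adv.cvss),
                             "category": category(adv), "status": "suspected"})
    return sorted(hits, key=lambda h: h["cvss"], reverse=True)

if __name__ == "__main__":
    # Constructed inventory, as a scanner's fingerprinting pass might report it.
    for h in scan(["Windows Server 2019", "Ubuntu 22.04", "OpenSSH 7.4"]):
        print(f'{h["severity"]:8} {h["cvss"]:>4} {h["cve"]} {h["name"]} '
              f'on {h["asset"]} [{h["category"]}] status={h["status"]}')
```

The sorted, banded output is the triage list; confirming each "suspected" entry on the actual host is the separate step the article describes.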