Vulnerabilities

A vulnerability on a SOHO computer is essentially a weakness that may be open to an attack by some evil-doer. However, not all vulnerabilities are hardware-related; many are software bugs, gaps in a process or procedure, or the unsecured storage of controlled documents, like blank checks. Some vulnerabilities can be remedied or mitigated by applying software updates and patches. Some are known only to an attacker (zero-day vulnerabilities). Others may need a physically applied solution. Figure 2-2 shows the landing page for CISA’s “Known Exploited Vulnerabilities Catalog” website. CISA maintains a list of the vulnerabilities being exploited in the US and around the world. Regardless of the nature of a vulnerability, system and network administrators should seek out and regularly review information on system vulnerabilities so that they are aware the vulnerabilities exist.

A screenshot shows the landing page for CISA’s Known Exploited Vulnerabilities Catalog website.

FIGURE 2-2 The Cybersecurity & Infrastructure Security Agency (CISA) maintains the “Known Exploited Vulnerabilities Catalog” website.

Courtesy of the Cybersecurity & Infrastructure Security Agency.


A vulnerability exposes a computer, network, or website and its security in one or more of the following areas:

  • Confidentiality—Sensitive data and information should be protected from unauthorized access attempts. Data are categorized by their level of importance or criticality. For example, the military uses a classification system to indicate how critical documents or data are considered to be. Corporations categorize internal communications and intellectual property in a similar way, using classifications like Restricted, Confidential, Internal, and Public, with appropriate levels of protection applied at each.

  • Integrity—The consistency, accuracy, and reliability of data should be maintained over its entire life cycle. Data must be protected in transit, at rest, and in use; otherwise, its integrity is vulnerable to threats.

  • Availability—Computer hardware, software, and data resources should be consistently accessible by authorized users, which includes the maintenance of the systems that store data and display information.

Confidentiality, integrity, and availability are the keystones of any security program and are known as the CIA Triad (see Figure 2-3).

A triangle encompasses a network of servers, users, and storage devices with the three edges of the triangle representing confidentiality, integrity, and availability.

FIGURE 2-3 The CIA Triad is the basis for computer security principles.

Not all security vulnerabilities are on a computer system. In fact, some vulnerabilities are environmental, human, physical, or all of these. The most common categories for vulnerabilities are discussed in the following sections.

Human Vulnerabilities and Error

Humans can and often do make errors in judgment. Most of these errors seem innocent at the time, but many can open the door to threat agents. It’s hard to discuss security and the human element without sounding like anything and everything we do will create a vulnerability that an attacker can leverage. Although that’s not the case, knowing that human error is common should shape the approach we take to securing our assets, especially data.

Common user errors that create vulnerabilities include neglecting to sign off, lock, or shut down a computer sitting idle; providing personally identifiable information (PII) to unknown or unfamiliar requesters (“phishing”); allowing someone to look over your shoulder while logging in (“shoulder surfing”); leaving sensitive information open to view; or putting printouts of sensitive or protected information in the trash (“dumpster diving”). There are others, many of which we’ll discuss later. The key here is to keep private information private. Don’t let PEBKAC (“Problem Exists Between the Keyboard And the Chair”) be true.

Weak Passwords

The most commonly used password in the world is “password.” The remainder of the 10 most commonly used passwords are essentially just variations of “password,” with one or two versions of “123456” and “ABCDEF” mixed in. These passwords are used because they are easy to remember. If you’ve ever forgotten a password, and you know you have, you then know the punishment for this misdemeanor is a real bother. The answer, we’re told, is to use strong passwords.

A strong password has entropy, which means that it’s long and it’s random in both the characters included and their sequence in the string. A variety of websites tell us that long means at least 14 characters, but 16 is better. Random means that the password includes symbols (@, #, $, %, &, *, +), numbers (0–9), lowercase alphabetic characters (a–z), and uppercase alphabetic characters (A–Z). Used in a random pattern, these 69 character choices can be combined into as many as 63,871,405,575,418,700 (sixty-three quadrillion, eight hundred seventy-one trillion, four hundred five billion, five hundred seventy-five million, four hundred eighteen thousand, seven hundred) 16-character passwords, from which you are sure to find one that will work for you.
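As an added illustration (not code from the book), the following Python function estimates a candidate password’s entropy from the four character classes described above (the 7 listed symbols plus digits, lowercase, and uppercase make the 69-character pool) and checks it against the 14-character floor and a small constructed list of the common passwords the text names. The function names and the short common-password list are assumptions made for this example.

```python
import math
import string

# Character classes exactly as the text describes them: 7 symbols + 10 digits
# + 26 lowercase + 26 uppercase = 69 possible characters.
CLASSES = {
    "symbol": "@#$%&*+",
    "digit": string.digits,
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
}

# Constructed sample of the common choices the text mentions; a real policy
# check would compare against a large list of breached passwords instead.
COMMON = {"password", "password1", "p@ssword", "123456", "abcdef"}

MIN_LENGTH = 14  # the text's floor; 16 characters is the recommended length


def classes_used(pw):
    """Return the names of the character classes that appear in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def entropy_bits(pw):
    """Estimate entropy in bits, assuming each character was drawn uniformly
    from the pool formed by the classes actually present in the password.
    A 16-character password over all 69 characters scores about 97.7 bits."""
    pool = sum(len(CLASSES[name]) for name in classes_used(pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def assess(pw):
    """Apply the text's rules and return (acceptable, list_of_reasons)."""
    reasons = []
    if pw.lower() in COMMON:
        reasons.append("matches a common password")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    missing = set(CLASSES) - classes_used(pw)
    if missing:
        reasons.append("missing classes: " + ", ".join(sorted(missing)))
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("password", "WAOTSTWOTYBR", "Aa1@Bb2#Cc3$Dd4%"):
        ok, why = assess(candidate)
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, ok={ok}, {why}")
```

Note that the 12-letter acronym WAOTSTWOTYBR from the list of suggestions is rejected by this check for being too short and single-class, which is why the text pairs the acronym idea with longer phrases.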

Creating strong passwords is one thing, but protecting them is where the security comes in. To protect a password against discovery and use, the following are suggested:

  • Passwords should be unique, and a different password should be used for each important account, such as credit card accounts, bank accounts, email, etc.

  • Don’t reuse passwords or use the same password on different important accounts.

  • Use memorable phrases and longer passwords, such as a song lyric, a quote from a movie or book, or an abbreviation or acronym representing the first character of each word in a phrase, like WAOTSTWOTYBR for “We are off to see the wizard on the yellow brick road.”

  • Don’t use PII or personal information about family members, especially birthdates.

  • If you need to write your password down to help with remembering it, because of its length or complexity, make absolutely sure that it is kept somewhere secret, locked, or both.

  • Consider using a password manager application. Many are available for you to research and choose from.
