Originally posted on GlobalRiskInfo in February 2012.
In light of the recent disclosures of breaches of major security technologies and vendors, I felt compelled to write this post. One of my favorite subjects to debate (and argue over) is security theory in general, and specifically the topics of vulnerabilities & exploits. They are concepts that are critical in the fields of information security, risk management and other areas of security. In truth, the concepts extend beyond IS, but they are very common in the IS world and easier, in my opinion, to discuss in the context of IS. So what are exploits & vulnerabilities, and why are they important?
First, we need to understand that there is no “guaranteed security”; security can never be 100%, because there are always vulnerabilities which can be exploited. We may not have identified them yet, but they do exist. Given enough time, effort, and the right tools, any security control can be circumvented. Security should be viewed as a function of time and effort (this will be discussed below). Second, it is important to understand that the concepts of exploits and vulnerabilities are inextricably entwined and are mutually dependent. This is where the debate begins, so first let's get a working definition of the terms.
A vulnerability can be described as a susceptibility which would allow a single (or combination of) technique, tactic, or technology (exploits) to circumvent, bypass, or defeat the protection offered by the technique, tactic, or technology in place as protection (the control). In short, a vulnerability is a susceptibility to an exploit.
Conversely, an exploit can be described as a technique, tactic, or technology which can be used to circumvent, bypass, or defeat a given technique, tactic or technology. In short, an exploit is something that can be used to take advantage of a susceptibility in a control (a vulnerability).
The concepts have been written in an intentionally circular manner to reinforce a concept. As stated previously, exploits and vulnerabilities are inextricably entwined and are not mutually independent. In fact, one can only exist in theory without knowledge of the other. At this point, some are likely gearing up for an argument with me. With that in mind, let me use an example.
Consider a modern bank vault with 3 foot thick reinforced concrete walls covered with hardened steel and a Class 3 bank vault door made of 12 inch thick reinforced concrete, hardened steel locks and all of the other features. You can read more about the classes of vault doors here. A Class 3 vault door is rated to withstand 120 minutes with “torch and tools”. This means that a person with a cutting torch and tools (prybars, etc.) can circumvent the door’s security in 2 hours. This is all the company can guarantee, and it is rated and certified under Underwriters Laboratories. We have identified one vulnerability that will allow a person to defeat the control in a little over 2 hours (the steel will melt and is vulnerable to cutting) and one exploit (extreme, focused heat applied by a cutting torch). Now consider the same vault being transported back 3 thousand years to the time of the Egyptian empire and the Bronze Age. If you were able to ask anyone during the Bronze Age whether the vault was vulnerable, the answer would likely be a resounding ‘No’. During the Bronze Age, iron had not yet been discovered and steel was at least 1,000 years away from being discovered. There was no mechanism to create heat in such a way as to even test the vault. In short, there were no KNOWN exploits and no KNOWN vulnerabilities. This is a very important concept. It should be noted that whether or not they had been identified does not change the fact that they still existed. Someone could have likely said: “I believe that if we can get a flame hot enough and focused enough we can burn through the door.” As stated, without the vulnerability being known, the exploit existed in theory only. In the same way, without knowledge of the exploit, the vulnerability existed in theory only.
In a more recent, and relevant, example, consider Secure Sockets Layer (SSL), which is used to protect virtually all websites that accept payment data. While this debate is not on the security of SSL, it is on a particular vulnerability. Recently, a previously unknown “weakness” (vulnerability) was discovered in SSL/TLS security. You can read more about it here. The point is that until a weakness is discovered, and an exploit is discovered or created, both exist in theory only. Once an exploit is created that can gain advantage over a particular control, we can say definitively that X is vulnerable to Y.
What is the purpose and value of this post? As stated before, security should be viewed as a function of time and effort. Time can include the time required to actually attempt an exploit as well as the time required for knowledge and technology to advance to the point of being usable as an exploit. Effort should include the effort required to attempt an exploit (using a hammer to break a lock) as well as the effort required to gain the knowledge and develop the technology to be used as an exploit. The US, and virtually every other government, has people dedicated to trying to crack encryption algorithms. In 1977, IBM developed the Data Encryption Standard (DES) and the US Government adopted it as the ‘approved’ algorithm for protecting sensitive information. At the time, breaking DES by brute force approached “mathematical impossibility”. Remember, there is no guaranteed security. Given time and effort, any control can be exploited. By 1999 researchers were breaking DES in less than 24 hours using distributed computers. DES is no longer considered ‘secure’, and as such the US Government moved to 3DES with longer keys. The point still stands, however. Once an exploit was discovered, we could say definitively that DES was not secure enough for certain types of protection. While today the average person could not easily crack DES, in 25 years it is foreseeable that it could be cracked on most laptops in a few minutes.
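The "security as a function of time and effort" argument above can be made concrete with a small model: a brute-force key search costs a fixed number of key trials, and the time that costs shrinks as the attacker's trial rate grows over the years. The following is an added example written for this post, not code from the original article or from any standard; the trial rates, the one-hour "feasible" threshold and the assumed doubling of attacker capability every 1.5 years are all constructed inputs chosen to illustrate the point, not measured figures. It lets a defender ask the question the DES story raises: for a given key length, how many years of margin does the control buy before an exhaustive search becomes cheap?

```python
"""Model brute-force key search as a function of time and effort.

Added illustration for the post above. All rates and thresholds are
constructed assumptions, not measurements of real hardware.
"""
import math


def brute_force_seconds(key_bits: int, keys_per_second: float) -> float:
    """Worst-case seconds to try every key of a key_bits-bit cipher.

    Exhaustive search over 2**key_bits keys; on average an attacker needs
    half of that, so callers wanting the expected value can halve this.
    """
    if key_bits <= 0 or keys_per_second <= 0:
        raise ValueError("key_bits and keys_per_second must be positive")
    return (2 ** key_bits) / keys_per_second


def years_until_feasible(key_bits: int, keys_per_second_now: float,
                         target_seconds: float,
                         doubling_years: float = 1.5) -> float:
    """Years until a full search takes at most target_seconds.

    Assumes (constructed assumption) the attacker's trial rate doubles
    every doubling_years. Returns 0.0 if the search is already feasible.
    """
    if target_seconds <= 0 or doubling_years <= 0:
        raise ValueError("target_seconds and doubling_years must be positive")
    now = brute_force_seconds(key_bits, keys_per_second_now)
    if now <= target_seconds:
        return 0.0
    # Rate needed so that 2**key_bits trials fit in target_seconds.
    needed_rate = (2 ** key_bits) / target_seconds
    doublings = math.log2(needed_rate / keys_per_second_now)
    return doublings * doubling_years


def margin_key_bits(years_of_margin: float, keys_per_second_now: float,
                    target_seconds: float,
                    doubling_years: float = 1.5) -> int:
    """Smallest key length that stays above target_seconds for the given years.

    Inverse of years_until_feasible: pick a key length whose search cost,
    under the same doubling assumption, is still beyond the threshold after
    years_of_margin have passed.
    """
    future_rate = keys_per_second_now * 2 ** (years_of_margin / doubling_years)
    # Need 2**bits / future_rate > target_seconds.
    return math.ceil(math.log2(future_rate * target_seconds)) + 1


if __name__ == "__main__":
    # Constructed scenario: an attacker today tries 2**40 keys per second
    # and a search is "feasible" once it fits in one hour.
    rate, hour = 2 ** 40, 3600.0
    for bits in (56, 80, 112, 128):
        secs = brute_force_seconds(bits, rate)
        yrs = years_until_feasible(bits, rate, hour)
        print(f"{bits:>3}-bit key: worst case {secs:.3g} s, "
              f"feasible in ~{yrs:.1f} years")
    print("key length for 25 years of margin:",
          margin_key_bits(25, rate, hour))
```

The model is deliberately simple: it ignores memory, parallelism limits and algorithmic weaknesses, all of which only shorten the attacker's time, so the figures it produces are an optimistic ceiling for the defender, not a guarantee.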