Security, whether focused on physical, cyber, operational, or other domains, is an interesting topic that lends itself to considerable debate among practitioners. There are, however, basic concepts and underpinnings that pervade general security theory. One of the most important, yet often misunderstood concepts are those inextricably entwined concepts of vulnerabilities and exploits. These basic underpinnings are critical in all security domains.
What are exploits and vulnerabilities and why are they important to the study of security?
First, security cannot be considered a binary concept such as: “secure” or “not secure”. The appropriateness of any security strategy is relative to the controls implemented to address to identified risks. One cannot say: “my house is secure”. The measure of security is predicated upon the identified risks and the associated controls implemented to address those risks. One can say: “My house has been secured in a manner that is commensurate with the identified risks”. Second, security should be viewed as a function of time and resources. Finally, security, in any domain, can never be ‘assured’ nor can there be a ‘guarantee’ of security. The reason is simple. Technologies change and human threats are adaptive. According to the Department of Homeland Security’s Security Lexicon, Adaptive Threats are defined as:
“…threats intentionally caused by humans.” It further states that Adaptive Threats are: “…caused by people that can change their behavior or characteristics in reaction to prevention, protection, response, and recovery measures taken.” The concept of threat adaptation is directly linked to the defense cycle. In short, as defenses improve, threat actors change their tactics and techniques to adapt to the changing controls. As the threat actor improves their capabilities the defensive actors necessarily have to change their own protections. This cycle continues ad infinitum until there is a disruption.
The US Department of Homeland Security (DHS) lexicon defines a vulnerability as…”…characteristic of design, location, security posture, operation, or any combination thereof, that renders an asset, system, network, or entity susceptible to disruption, destruction, or exploitation” Expanding upon this it can be described as a susceptibility which would allow a single (or combination of) technique(s), tactic(s), or technology(ies) (exploits) to circumvent, bypass, or defeat the protection offered by the technique, tactic, or technology in place as protection (the control) against a(an) anticipated exploit(s). Succinctly, a vulnerability is a susceptibility to a given, identified exploit.
While a given vulnerability in a system may not have been yet been identified, they may exist. Given enough time, effort, and the right tools, any security control can be circumvented. As stated previously, security can be expressed as a function of time and resources (S=f(TR)). It is also important to note that the concepts of exploits and vulnerabilities are inextricably entwined and mutually dependent.
The common security noun “exploit” is adapted from the English verb “to exploit” which means to “use something to one’s advantage. It has been turned into a noun. An exploit is defined as something that…”takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior…” and can be described as a technique(s), tactic(s), or technology(ies) which can be used to circumvent, bypass, or defeat a given technique(s), tactic(s) or technology(ies) designed to provide protection against identified exploits. In short, an exploit is something that can be used to gain advantage of a susceptibility in a control (a vulnerability).
The concepts have been written here in an intentionally circular manner to reinforce a very important concept. As stated previously, exploits and vulnerabilities are inextricably entwined and are not mutually independent. In fact, one can only exist, in theory, without knowledge of the other. At this point, it is likely that there are some readers formulating an argument or debate on semantics. Below is an example of what has been posited.
Consider a modern bank vault with 3 foot thick reinforced concrete walls covered with hardened steel and a Class 3 bank vault door made of 12 inch thick reinforced concrete, hardened steel locks and all of the other features in a UL608 certified vault. A UL608 Class 3 vault door is rated to withstand 120 minutes with “torch and tools”. This means that a person with a cutting torch and appropriate tools (pry bars, cutting saws, electric tools, mechanical tools, etc.) can be expected to circumvent the door’s security in about 2 hours. It is not invulnerable, it is simply resistant based upon ‘resources and time’. Those resources include the exploits (i.e.. torch and tools) and the given vulnerabilities (i.e.. steel’s melting point).
Now consider the same vault being transported back 3 thousand years to the time of the Egyptian empire and the Bronze Age. Would it seem probable that anyone in the Bronze Age would view the vault as ‘vulnerable’ or able to be opened with existing knowledge, tools, and effort? The answer is likely a resounding ‘no’. They could likely not envision an ‘exploit’ that could be used to circumvent an unidentified vulnerability. During the Bronze Age, iron had not yet been discovered and steel was at least 1,000 years away from being smelted. There was no mechanism to create sufficient, focused heat in such a way as to even test the vault. In short, there were no KNOWN exploits and no KNOWN vulnerabilities.
This is a very important concept. It should be noted that whether or not they had been identified does not change the fact that the vulnerability still existed. Someone could have likely said: “I believe that if we can get a flame hot enough and focused enough we can burn through the door.” This is a great example of a previously described concept known as ‘threat adaptation’. As stated, without the vulnerability being known the exploit existed in theory only. In the same way, without knowledge of an exploit, the vulnerability only exists in theory, as well.
The US, and virtually every other country has resources dedicated to trying to crack encryption algorithms. In 1977, IBM developed the Data Encryption Standard (DES) and the US Government adopted it as the ‘approved’ algorithm for protecting sensitive information. At the time DES approached “mathematical impossibility” to be broken by brute force attacks with existing computer technology. It was considered the pinnacle of encryption. In 1997, 20 years after the release of DES, increased computing power allows the DESCHALL PROJECT to break a DES encrypted message for the first time. One year later DES Cracker breaks a DES key in 56 hours. By 2017 an attack using rainbow tables is able to recover a DES key in 25 seconds.
In a more recent, and relevant example, consider Secure Socket Layer version 2 (SSLv2) protocol that was, until recently, used to protect virtually all websites that accept payment data. While this debate is not on the security of SSLv2, it is on a particular vulnerability. Recently, in 2016 a previously unknown “weakness” (vulnerability) was discovered in SSLv2 known as the Beast.
The point being that until there is a weakness discovered, and an exploit discovered or created, they exist in theory only. Once an exploit is created that can gain advantage over a particular control we can say definitively that X is vulnerable to Y. We have identified a vulnerability and exploit. Efforts then can be made to address the vulnerability and attackers will, naturally, adapt their strategies to circumvent the new controls.
As stated before, security can be viewed as a function of time and resources (effort, tools available, etc.). Time can include the time required to actually attempt an exploit as well as the time required for knowledge, and technology to advance to the point of being used as an exploit. Resources can include the effort required to attempt an exploit (using a hammer to break a lock) as well as the effort required to gain the knowledge and develop technology and tools be used as an exploit.
In summary, it is advisable for organizations to focus on the underpinnings of security theory as these basic concepts provide a platform for a more comprehensive understanding of risk and how to implement controls to address such risks. By applying sound theory organizations can save time, money and effort on their security endeavors.