INFORMATION SYSTEMS VULNERABILITY
What is vulnerability?
A vulnerability is a bug, defect, or weakness present in an information system. Vulnerabilities exist in operating systems, application software, networking protocols, and the other components that make up an information system.
In this lesson, you will learn about the most important vulnerabilities present in operating systems and information systems and you will explore ways to keep information systems secure by controlling those vulnerabilities.
Operating systems and software vulnerability
Software vulnerability is a bug or a defect present in software which might allow an unauthorized program or third-party person to obtain access to resources.
Software vulnerability control refers to the means of managing vulnerability of software and minimising the possibility of having the vulnerabilities exploited by malicious intent.
Software vulnerability control is considered to be one of the most important steps in securing computer systems and computer networks, for the following reasons:
- Some software itself can be hostile and cause damage;
- Software vulnerabilities are almost always exploited for malicious purposes by virus programs, because they allow unauthorised access to resources, enable the spread of viruses, and make all sorts of damage to the infected computer possible;
- Operating system vulnerabilities can be exploited by attackers, intruders and unauthorised people or programs to gain access and cause damage to the computer or to other computers and resources connected to the network.
Some people believe that viruses would not have existed if software did not have multiple vulnerabilities which could be exploited, but even if viruses had never existed, there would still be a number of tools that a malicious third party could use to obtain unlawful access to information systems and cause widespread damage. These tools are:
- Network sniffing (explained in lesson one);
- Trojan Horses (explained a bit later in this lesson);
- Man in the middle attacks (explained in lesson one);
- Password cracking (explained a bit later in this lesson).
It is also possible to gain unauthorised access to computer networks if firewalls are not set up, or if they are set up but not configured properly. Firewalls will be explained in more detail in lesson six.
To limit the scope of vulnerability to viruses and Trojan horses on computer and information systems, some of the following countermeasures can be adopted:
- Ensuring the security patches are kept up to date for all software installed on computers;
- Running virus scan software on all the computers in the organisation and making sure the virus database is kept up to date by regularly downloading virus definition updates;
- Allowing only approved software to run on computers and monitoring what users install on their computers, or alternatively locking down user accounts so that users are not allowed to install software on their computers;
- Running vulnerability scanning on the computer network to locate any computer with vulnerabilities and patching them accordingly.
Running virus protection software
Every organisation should purchase and install virus scan software on all their computers and servers. After installing the software, it is important to set it up and configure it properly, so that any virus that attempts to infiltrate their computer systems can be detected and caught.
Any virus scan software can only detect viruses that are stored in its own database. This means that the software will not be able to detect any new or unknown viruses that haven’t been loaded into its database. For this reason, it is important to constantly apply patches to the software and to keep the virus database updated with automatic updates. Patches will help reduce the vulnerabilities that virus programs try to exploit, and updating the virus database will allow the virus scan software to download the latest virus definition and become aware of any newly discovered viruses.
To maximise the operational efficiency of the virus scanning software, it should be set up to perform the following operations:
- Regularly scanning the local drives on all the computers in an organisation's network; these scans might be scheduled to run daily, weekly or monthly, as required;
- Scanning of all the files during the virus scan operation and making sure no directories are being skipped, to ensure nothing is being missed;
- Prompting the users for action as soon as a virus is found, as this will allow the users to give more information to the IT staff relating to where the virus came from;
- Scanning all email attachments, either at the firewall level or on the client computers; the IT departments in some organisations choose to perform the scanning at both the firewall and the client computer level;
- Keeping a log of all virus scanning activities for future reference.
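The last point, keeping a log of scanning activity, is only useful if someone actually reads it. The following is an added example (not part of the original lesson and not tied to any particular virus scan product) that checks a scanner log against the operations listed above: it flags computers whose scan never completed, whose virus definitions are older than an assumed seven-day limit, where directories were skipped, or where a detection needs follow-up by IT staff. The log lines and their key=value layout are constructed for the example.

```python
import re
from datetime import date, datetime

# Constructed sample scanner log (hypothetical key=value format, not a real product's output).
SAMPLE_LOG = """\
2024-03-04 02:00:01 host=ws-017 event=scan_start scope=full
2024-03-04 02:00:01 host=ws-017 event=definitions version=2024-03-03
2024-03-04 02:14:37 host=ws-017 event=detection path=C:/Users/alice/Downloads/invoice.exe name=Trojan.Generic action=quarantined
2024-03-04 02:31:10 host=ws-017 event=scan_end files=184233 skipped=0
2024-03-04 02:00:02 host=ws-042 event=scan_start scope=full
2024-03-04 02:00:02 host=ws-042 event=definitions version=2024-01-15
2024-03-04 02:05:55 host=ws-042 event=skipped path=D:/Archive reason=access_denied
2024-03-04 02:22:48 host=ws-042 event=scan_end files=90211 skipped=1
2024-03-04 02:00:03 host=srv-mail event=scan_start scope=full
2024-03-04 02:00:03 host=srv-mail event=definitions version=2024-03-03
2024-03-04 02:00:04 host=ws-101 event=scan_start scope=full
2024-03-04 02:00:04 host=ws-101 event=definitions version=2024-03-03
2024-03-04 02:19:12 host=ws-101 event=scan_end files=120004 skipped=0
"""

MAX_DEFINITION_AGE_DAYS = 7   # assumed policy: definitions older than a week are stale
LINE_RE = re.compile(r"^(\S+ \S+) (.*)$")


def parse_line(line):
    """Split '<date> <time> k=v k=v ...' into a dict; returns None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split())
    fields["ts"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return fields


def summarise(log_text, max_age_days=MAX_DEFINITION_AGE_DAYS):
    """Build a per-host summary: completion, definition freshness, skipped paths, detections."""
    hosts = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        h = hosts.setdefault(rec["host"], {
            "completed": False, "definitions_stale": None, "skipped": [], "detections": []})
        ev = rec["event"]
        if ev == "definitions":
            age = (rec["ts"].date() - date.fromisoformat(rec["version"])).days
            h["definitions_stale"] = age > max_age_days
        elif ev == "detection":
            h["detections"].append((rec["path"], rec["name"], rec["action"]))
        elif ev == "skipped":
            h["skipped"].append(rec["path"])
        elif ev == "scan_end":
            h["completed"] = True
    return hosts


def hosts_needing_attention(summary):
    """Return {host: [reasons]} for every host that fails one of the checks above."""
    attention = {}
    for host, s in sorted(summary.items()):
        reasons = []
        if not s["completed"]:
            reasons.append("incomplete_scan")
        if s["definitions_stale"] is not False:   # None means no definition record at all
            reasons.append("stale_definitions")
        if s["skipped"]:
            reasons.append("skipped_paths")
        if s["detections"]:
            reasons.append("detections")
        if reasons:
            attention[host] = reasons
    return attention


if __name__ == "__main__":
    for host, reasons in hosts_needing_attention(summarise(SAMPLE_LOG)).items():
        print(f"{host}: {', '.join(reasons)}")
```

A host with a completed scan, fresh definitions, no skipped paths and no detections (ws-101 in the sample) produces no entry, so the report lists only machines that need someone's attention.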
Updating security patches for Software
Before you can update the security patches for all software in an organisation, you need to follow a couple of steps, such as:
- Keeping an updated database with information about all the computers and software in the organisation in order to know which security patches are required for each software. Below is a sample of the required information to be stored in the database:
a. the name and location of each computer and what it’s used for;
b. the operating system version installed on every computer;
c. whether or not the computers have any service packs installed for their operating system;
d. the name and version of all the applications installed on every computer;
e. a listing of the services running on every computer;
f. a listing of active ports on computers and servers.
- Evaluating security advisory bulletins because these normally list security vulnerabilities in application software and operating systems. Vulnerabilities can occur in web browser programs (such as Internet Explorer, Firefox, etc.), Microsoft operating systems, or a Unix or Linux platform. It is the job of systems administrators in any organisation to determine whether the vulnerability in question is a security risk to the organisation.
a. The system administrator will first need to determine whether the software, platform or operating system exhibiting the vulnerability is being used in the organisation or not. If the vulnerable component is not being used in the organisation, then the vulnerability does not pose a security risk to the organisation. Otherwise, the administrator will need to determine the amount of risk and any possible damage that may result from that vulnerability.
b. Depending on the size of the organisation (small, medium or large), the decision might either be taken exclusively by systems administrators and the IT department, or it may be shared with management. When the decision-making process is shared with management, the IT personnel will need to adopt some methodology for categorising the risk, taking into account the fact that people in management are not necessarily tech savvy.
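The inventory database described above and the advisory evaluation in steps a and b can be tied together in a small script. The following is an added example, not part of the original lesson, that stores the listed inventory fields (name, location, purpose, operating system and service pack, applications, services, active ports) and matches constructed advisories against it. The advisory format (a product name plus the first fixed version) and the plain-language risk scale (not applicable, medium, high, critical) are assumptions chosen for the example; real advisories and real risk scales vary, and the host names, products and versions here are invented.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


def parse_version(v):
    """'2.4.10' -> (2, 4, 10) so that versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Host:
    # One record per computer, mirroring items a-f of the inventory list above.
    name: str
    location: str
    purpose: str
    os_name: str
    os_version: str
    service_pack: Optional[str]
    applications: Dict[str, str]   # application name -> installed version
    services: List[str]
    open_ports: List[int]


@dataclass
class Advisory:
    # Assumed advisory shape: versions of `product` below `fixed_in` are vulnerable.
    advisory_id: str
    product: str           # matches an application name or an OS name in the inventory
    fixed_in: str
    remote: bool           # exploitable over the network without local access
    port: Optional[int]    # listening port of the vulnerable service, if any


# Constructed inventory (hypothetical hosts and products).
INVENTORY = [
    Host("ws-017", "Floor 2", "workstation", "Windows", "10.0", None,
         {"WebBrowser": "121.0", "PdfReader": "9.3"}, ["Spooler"], [445]),
    Host("srv-mail", "Server room", "mail server", "Linux", "5.15", None,
         {"MailRelay": "2.4.1"}, ["smtp", "imap"], [25, 143]),
    Host("srv-file", "Server room", "file server", "Windows", "6.3", "SP1",
         {"BackupAgent": "3.0"}, ["Spooler", "smb"], [445]),
    Host("ws-042", "Floor 3", "workstation", "Windows", "10.0", None,
         {"WebBrowser": "118.2", "PdfReader": "9.3"}, [], []),
]

# Constructed advisories (hypothetical identifiers, not real bulletins).
ADVISORIES = [
    Advisory("ADV-0001", "WebBrowser", "120.0", remote=True, port=None),
    Advisory("ADV-0002", "MailRelay", "2.4.3", remote=True, port=25),
    Advisory("ADV-0003", "SpreadsheetApp", "7.1", remote=False, port=None),
]


def installed_version(host, product):
    if host.os_name == product:
        return host.os_version
    return host.applications.get(product)


def affected_hosts(inventory, adv):
    """Step a: which computers actually run a vulnerable version of the product?"""
    return [h for h in inventory
            if (v := installed_version(h, adv.product)) is not None
            and parse_version(v) < parse_version(adv.fixed_in)]


def risk_category(inventory, adv):
    """Step b: an illustrative plain-language rating for a non-technical audience."""
    hosts = affected_hosts(inventory, adv)
    if not hosts:
        return "not applicable"   # component not in use: no risk to the organisation
    if adv.port is None:
        exposed = adv.remote
    else:   # only hosts actually listening on the service port are reachable
        exposed = adv.remote and any(adv.port in h.open_ports for h in hosts)
    if exposed and any("server" in h.purpose for h in hosts):
        return "critical"
    if exposed:
        return "high"
    return "medium"


def triage(inventory, advisories):
    """Return {advisory_id: (category, [affected host names])} for the whole bulletin batch."""
    return {adv.advisory_id: (risk_category(inventory, adv),
                              [h.name for h in affected_hosts(inventory, adv)])
            for adv in advisories}


if __name__ == "__main__":
    for adv_id, (category, names) in triage(INVENTORY, ADVISORIES).items():
        print(f"{adv_id}: {category} ({', '.join(names) or 'no hosts'})")
```

Keeping the inventory accurate is the hard part: the version comparison is only as good as the recorded versions, which is why the lesson stresses maintaining the database before evaluating bulletins.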