Figure 19-1, a fortified wall, will be used as a reference in this discussion of security terms.
Figure 19-1 Security Terminology
Engineers often use the metaphor of a fortified wall, a walled city, or a castle to describe information technology security.
Even though metaphors are rarely perfect, they are often helpful in describing concepts in an easy-to-understand way.
Attack Surface
In a fortified position, the attack surface is the entire set of walls, gates, etc., making up a defensive position. In a network, the attack surface is at every point where the network connects to the Internet, any external system, and any place where the network connects to users. Attack surfaces do more than divide the “inside”—behind the walls or inside the network—from the “outside.” Every access control and every segment boundary is an attack surface, including
• The set of devices connecting the Internet to the internal network.
• The division between the user and kernel spaces in an operating system.
• Interfaces between humans and computers, like web pages and applications.
Every piece of software and hardware, every point where your network connects to the “outside world,” and every place where people and computers interact is an attack surface.
Examining a system to find and describe its attack surface is often helpful, especially if you intentionally try to find unexpected holes in your existing defenses. Many walled castles have fallen to enemy forces because of a rough-cut shepherd’s path or an attacker reaching the city’s water supply.
Vulnerability
A vulnerability is a possible point of attack against a defensive system. In Figure 19-1:
• Doors are vulnerable to being broken down or breached.
• Walls can be climbed or topped; objects can even be vaulted over.
Vulnerabilities in information technology are classified using the Common Vulnerabilities and Exposures (CVE) system developed by MITRE. Each publicly disclosed vulnerability in hardware or software is given a number and then classified by
• The exploitability of the vulnerability, or how easy it is for an attacker to gain control of a system using this vulnerability.
• What kind of access an attacker must have to take advantage of this vulnerability. Does the attacker need to be able to access a piece of hardware (local execution), or can an attacker take advantage of a vulnerability across a network (remote execution)?
• What kind of access an attacker gains by taking advantage of the vulnerability. Does the attacker gain complete control over an entire system? Or do they gain access only to a single piece of software?
• How widely the impacted hardware or software is used. A vulnerability in widely used open-source software is much worse than one in a custom-built hardware system.
• Whether a patch or easy-to-use workaround is available that would prevent attackers from using this vulnerability.
Each CVE is given a number and a rating and is published in several online databases. Information security professionals spend a lot of time examining new CVEs and evaluating whether they should deploy some defensive mechanism or patch their software.
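To show how the five factors above turn into a defender's decision, here is an added triage example (not code from the text or from MITRE) that scores a few constructed vulnerability records and ranks them. The point scales, thresholds and sample values are this example's own assumptions, and the identifiers are placeholders rather than real CVE numbers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    """A disclosed vulnerability described by the five factors the text lists.
    Field semantics and the point scales are this example's own assumptions."""
    ident: str            # placeholder label, not a real CVE number
    exploitability: int   # 0 (practically unexploitable) .. 10 (trivial to exploit)
    remote: bool          # True: exploitable across the network; False: needs local access
    full_system: bool     # True: attacker gains control of the whole system
    deployed: int         # how many of our systems run the affected hardware/software
    fix_available: bool   # patch or easy-to-use workaround published


def score(v: VulnRecord) -> int:
    """Combine exploitability, access needed, access gained and reach into one number."""
    access_factor = 2 if v.remote else 1        # remote execution beats local execution
    impact_factor = 2 if v.full_system else 1   # whole system beats a single program
    reach_factor = 3 if v.deployed >= 100 else 2 if v.deployed >= 10 else 1
    return v.exploitability * access_factor * impact_factor * reach_factor


def action(v: VulnRecord, urgent_threshold: int = 40) -> str:
    """Turn the score and the fix-availability factor into a defender's next step."""
    s = score(v)
    if v.fix_available:
        return "patch now" if s >= urgent_threshold else "patch in normal cycle"
    return "mitigate (segment/disable/monitor)" if s >= urgent_threshold else "track for a fix"


def triage(records):
    """Return (ident, score, action) tuples, most pressing first."""
    ranked = sorted(records, key=score, reverse=True)
    return [(v.ident, score(v), action(v)) for v in ranked]


# Constructed sample records; the values are illustrative, not real advisories.
SAMPLE = [
    VulnRecord("EXAMPLE-A", 9, remote=True, full_system=True, deployed=250, fix_available=True),
    VulnRecord("EXAMPLE-B", 4, remote=False, full_system=False, deployed=3, fix_available=True),
    VulnRecord("EXAMPLE-C", 7, remote=True, full_system=True, deployed=40, fix_available=False),
    VulnRecord("EXAMPLE-D", 3, remote=True, full_system=False, deployed=5, fix_available=False),
]

if __name__ == "__main__":
    for ident, s, act in triage(SAMPLE):
        print(f"{ident}: score={s:3d} -> {act}")
```

Running it ranks EXAMPLE-A (remote, whole-system, widely deployed, patch available) first as "patch now", while EXAMPLE-C has no fix and so gets a mitigation step instead of a patch.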
Zero day was initially used to describe vulnerabilities “built into” an application, especially if the defect resulted from an attacker gaining access to the application’s source code. As with most terms in information technology, the meaning of this term has expanded over time to mean any previously unknown vulnerability for which there is no mitigation.