Believe it or not, not everything is perfect. We know, crazy right? There are vulnerabilities in both software and hardware which can compromise your network. These vulnerabilities may lead to annoyances while trying to work, a complete network outage, or even having to pay to regain access to your files (learn more about Ransomware in our article “What is Ransomware and Why You Should be Aware of It”).
In this article, we are going to discuss vulnerabilities to help improve everyone’s awareness. Many vulnerabilities, such as phishing, can be combated by awareness.
Software Vulnerabilities
In today’s workplace, all of our computers and devices are connected to a network, whether that network is secured or unsecured. With the push for remote work over the past year, we are more likely to connect to an unsecured network. When we don’t have certain protocols in place to prevent intruders, we open ourselves up for any vulnerabilities to be exploited.
When developers and manufacturers find vulnerabilities, they may correct them by releasing a patch through an update. When we forget to update our software, we fail to correct these vulnerabilities. Newly developed software often contains inherent vulnerabilities until these bugs are worked out. There may also be some unresolved developer issues that intruders can exploit.
These vulnerabilities leave networks susceptible to many different threats such as:
- Malware
- Botnets
- Spam
- Spyware
- Proxies
- Adware
- Phishing
Common Weakness Enumeration (CWE) “is a community-developed list of common software and hardware weakness types that have security ramifications. ‘Weaknesses’ are flaws, faults, bugs, or other errors in software or hardware implementation, code, design, or architecture that if left unaddressed could result in systems, networks, or hardware being vulnerable to attack. The CWE List and associated classification taxonomy serve as a language that can be used to identify and describe these weaknesses in terms of CWEs” (CWE).
You may view CWE’s list of the Top 25 Most Dangerous Software Weaknesses on their website here: https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html
Hardware Vulnerabilities
What is a hardware vulnerability? WhatIs.com defines a hardware vulnerability as “an exploitable weakness in a computer system that enables attack through remote or physical access to system hardware” (https://whatis.techtarget.com/definition/hardware-vulnerability). Many hardware vulnerabilities are still software-based.
Let’s start by taking a look at older devices. Many older devices do not have built-in security features, such as:
- Unified Extensible Firmware Interface (UEFI)
- Self-healing basic input/output system (BIOS)
- Pre-boot authentication (PBA)
- Self-encrypting drives
Older BIOS cannot run Secure Boot, which helps prevent malware from loading onto a computer during the booting process. Pre-boot authentication (PBA) prevents the operating system (OS) from loading until the user inputs authentication information. Old routers often do not have security updates, especially routers manufactured before 2011. Newer devices are not risk-free either. Take a look at CVE-2021-20090, which was recently exploited just two days after its discovery.
Self-encrypting drives (SEDs) are a must when working remotely. If you’re using drives that do not self-encrypt, you are not protecting yourself. SEDs automatically encrypt and decrypt the data on the drive, requiring a password in addition to the OS login password.