In cyber security, and for penetration testers in particular, it all comes down to vulnerabilities. The main misconception when reporting them concerns how the individual vulnerabilities connect to one another and to a possible attack vector.
Often we encounter developers who claim that one high-risk vulnerability in a protected page, or multiple low-risk vulnerabilities in different locations, do not pose a real threat to the system. Our job as security advisors is to show them how the vulnerability can be exploited (theoretically and practically) using the concepts of Single Points of Failure (SPOF) and Cascading Failure.
A single point of failure (SPOF) is a potential risk posed by a flaw in the design, implementation, or configuration of a system. SPOF refers to one fault or one malfunction that can cause an entire system to stop operating.
A cascading failure is a process in a system of interconnected parts in which the failure of one or a few parts can trigger the failure of other parts, and so on.
At its core, a penetration test cannot cover all the possible vulnerabilities. We do our best within a given amount of time (2-4 weeks) to scan all entry points and to point out loose ends and weak spots. Sometimes we are able to explore deeper parts of the system, and other times we are only scratching the surface.
Malicious actors, on the other hand, can gather intel to assemble a full attack vector. These low-risk vulnerabilities create a puzzle of steps after which the attackers reach their goal. Each of these risks contributes to the cascading failure of the system, playing a big role in the final exploit.
Another example of a SPOF is a situation where a high-risk vulnerability resides inside a highly secured environment. From the owner's point of view, the risk of exploitation is automatically reduced, but we all know that there is no such thing as “perfect” software. It is highly probable that one day someone will find a bug in the library that you use, or in the authorization process that you consider secure now, and when this occurs, your business immediately becomes exposed to exploits.
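To make the chaining argument in the two paragraphs above concrete, here is an added example (not part of the original article) that models findings as steps between attacker states, lists every chain that reaches the goal, and reports the findings that sit on all chains. The findings, state names and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample findings (hypothetical report, not from the article):
# (id, title, severity, state the attacker needs, state the attacker gains)
FINDINGS = [
    ("F1", "verbose login error messages", "low", "internet", "valid_username"),
    ("F2", "no rate limit on login", "low", "valid_username", "user_session"),
    ("F3", "session token accepted in URL", "low", "internet", "user_session"),
    ("F4", "missing role check on protected page", "low", "user_session", "protected_page"),
    ("F5", "injection flaw in protected page", "high", "protected_page", "customer_data"),
]

def attack_chains(findings, start, goal):
    """Return every loop-free chain of finding ids leading from start to goal."""
    graph = defaultdict(list)
    for fid, _title, _sev, needs, gains in findings:
        graph[needs].append((fid, gains))
    chains = []

    def walk(state, seen, chain):
        if state == goal:
            chains.append(chain)
            return
        for fid, nxt in graph[state]:
            if nxt not in seen:
                walk(nxt, seen | {nxt}, chain + [fid])

    walk(start, {start}, [])
    return chains

def chokepoints(findings, start, goal):
    """Findings present on every chain: fixing any one of them cuts off the goal."""
    chains = attack_chains(findings, start, goal)
    return set.intersection(*map(set, chains)) if chains else set()

def still_reachable(findings, fixed, start, goal):
    """Re-run the analysis with the given finding ids remediated."""
    remaining = [f for f in findings if f[0] not in fixed]
    return bool(attack_chains(remaining, start, goal))

if __name__ == "__main__":
    sev = {f[0]: f[2] for f in FINDINGS}
    for chain in attack_chains(FINDINGS, "internet", "customer_data"):
        print(" -> ".join(f"{fid}({sev[fid]})" for fid in chain))
    print("chokepoints:", sorted(chokepoints(FINDINGS, "internet", "customer_data")))
    print("F1 fixed, still reachable:", still_reachable(FINDINGS, {"F1"}, "internet", "customer_data"))
```

On this sample, fixing F1 alone leaves the route through F3 open, while F4 and F5 sit on every chain, so the high-risk finding stays protected only as long as one low-risk control holds.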
In the end, vulnerability assessment is only a tool for cyber specialists to estimate the possible impact on the software, client, or business. But let’s not forget that a security impact of any form still stains the reputation and integrity of the owner, and leaves the developers working extra time on past mistakes instead of future features.