Part 2: Threats, Vulnerabilities, and Attacks
When systems fail or are compromised, it is usually because an attacker has discovered a vulnerability and found a way to exploit it. To understand computer security, we need to distinguish between vulnerabilities, exploits, attacks, and threats. These terms are often used interchangeably in casual conversation but they mean different things in security.
Vulnerabilities
A vulnerability is a flaw or weakness that can be exploited. Vulnerabilities may be caused by software bugs, design flaws, misconfigurations, or even human errors. They are the entry points that allow an attacker to compromise confidentiality, integrity, or availability.
Examples include:
- A buffer overflow in a program that allows an attacker to inject code.
- A default administrator password left unchanged on a router.
- A design flaw in a protocol that lets attackers intercept traffic.
- Weak encryption, such as outdated algorithms that can be cracked with modern computing power.
Some vulnerabilities lie deeper in hardware rather than software.
- Spectre and Meltdown, disclosed in 2018, exploited CPU performance features called speculative execution and caching to leak data across privilege boundaries.
- Rowhammer, discovered in 2014, showed that repeatedly accessing certain memory rows could cause bit flips in adjacent rows, undermining memory isolation.
These cases revealed that vulnerabilities are not limited to software mistakes but can be rooted in hardware design itself.
One of the most famous software vulnerabilities in recent history was Log4J, discovered in late 2021. Log4J is a popular Java library for logging messages. A subtle flaw allowed attackers to insert special text into log messages, which caused the software to execute malicious code. Since Log4J was embedded in tens of thousands of software packages, the vulnerability had a global impact and is still being exploited today.
Exploits
An exploit is the tool, code, or technique that takes advantage of a vulnerability. The vulnerability is the unlocked door; the exploit is the crowbar used to break in.
For example:
- SQL injection is an exploit that takes advantage of poor input validation in web applications, allowing attackers to run arbitrary database queries.
- EternalBlue was an exploit developed by the NSA that took advantage of flaws in Microsoft’s Server Message Block (SMB) protocol. It was later leaked and used in the 2017 WannaCry ransomware attack, which spread worldwide.
- Metasploit is a penetration testing framework that bundles together many known exploits, making it easy for both security professionals and attackers to test vulnerabilities.
The key point is that vulnerabilities and exploits are different. A vulnerability may exist for years before someone develops an exploit to take advantage of it.
Attacks
An attack is the execution of an exploit with the intent to cause harm. Attacks put exploits into action. They may attempt to steal data, alter information, disable services, or gain unauthorized control.
Common types of attacks include:
- Phishing, where emails trick users into giving up credentials.
- Ransomware, where files are encrypted until payment is made.
- Distributed Denial of Service (DDoS), where attackers overwhelm servers with traffic.
- Credential stuffing, where attackers reuse stolen usernames and passwords from one breach to break into other systems.
The Colonial Pipeline attack in 2021 is a clear example. Attackers used a compromised password to log into the company’s network, then deployed ransomware that forced the company to shut down operations. This was not just a vulnerability but a full attack with real-world consequences: fuel shortages across the U.S. East Coast.
Attack Vectors
An attack vector is the path or method an attacker uses to deliver an exploit. Vectors define how an attack begins.
Examples include:
- Email attachments, which can carry malicious macros.
- Websites, which may host drive-by downloads or exploit browser flaws.
- USB drives, which may contain malware that runs when plugged in.
- Networks, where attackers exploit open ports or unpatched services.
In 2010, the Stuxnet worm spread to Iran’s nuclear facilities through USB drives. Since the facilities were not connected to the Internet, attackers had to rely on physical access as the attack vector.
Attack Surface
An attack surface is the total number of possible entry points in a system. The more exposed services, interfaces, and users, the larger the attack surface and the more opportunities an attacker has.
Examples of attack surface include:
- A public website with multiple APIs and login pages.
- A corporate network with many open ports and VPN connections.
- Employees who can be tricked through social engineering.
Reducing the attack surface makes systems harder to compromise. Disabling unused services, limiting access, and educating users all help shrink the number of possible entry points.
Social Engineering
Not all vulnerabilities are technical. In many attacks, the easiest path in is not through a software flaw but through a person. Social engineering refers to techniques that manipulate, deceive, or influence people into giving up information or access. Instead of breaking cryptography or bypassing a firewall, an attacker may simply trick a user into opening the door.
Common methods include:
- Phishing: sending emails that appear legitimate, tricking recipients into clicking malicious links or providing credentials.
- Spear phishing: a targeted form of phishing aimed at specific individuals, often using details about them to appear convincing.
- Pretexting: creating a false story or identity to gain trust, such as pretending to be an IT staff member who needs a password.
- Baiting: leaving infected USB drives in public places, hoping someone will pick one up and plug it into a computer.
A classic example was the 2011 RSA breach. Attackers sent a phishing email with the subject line “2011 Recruitment Plan.” The attached Excel file contained a Flash object that exploited a zero-day vulnerability. Once opened, it gave attackers access to RSA’s internal systems and sensitive data related to its SecurID authentication tokens. This attack succeeded not through a technical vulnerability alone, but because an employee trusted and opened the file.
Social engineering underscores that humans are part of the attack surface. Training, awareness, and organizational culture are as important as software patches in reducing risk. We will look at social engineering methods in much more detail later in the course.
Vulnerabilities are tracked and cataloged using systems like CVE and CVSS, which we’ll explore in detail later.
Threats and Threat Actors
A threat is the possibility of an attack. A threat actor (or agent) is the adversary who may carry it out. Not every threat actor attacks, but the potential exists.
Ross Anderson, in his book Security Engineering, classifies threats into four categories:
- Disclosure: unauthorized access to information. Examples: data breaches, eavesdropping, and surveillance.
- Deception: accepting false data as true. Examples: spoofing emails, falsifying logs, or denying that a message was sent.
- Disruption: interfering with normal operation. Examples: changing program logic, cutting power, or launching a DoS attack.
- Usurpation: taking control of a system. Examples: installing malware, stealing services, or escalating privileges.
Other terms often used in this context include snooping (eavesdropping), modification (alteration), masquerading (spoofing), repudiation of origin, denial of receipt, and delay.
Classifying threats always rests on assumptions about an attacker’s motivation and skill. A system may be resistant to casual scanning but vulnerable to determined adversaries with custom tools.
Threat Matrix
Another way to classify threats is by capability and focus. A threat matrix distinguishes between:
- Opportunistic attacks, which cast a wide net for vulnerable systems without caring who the victim is.
- Targeted attacks, which focus on specific victims and pursue them persistently.
- Unskilled attackers (often called script kiddies), who rely on pre-packaged tools.
- Skilled attackers, who develop custom exploits and sophisticated campaigns.
Most real-world attacks fall somewhere on this spectrum. Opportunistic automated scanning for weak passwords is very different from a targeted advanced persistent threat, but both fit within the threat matrix.
The Internet as a Risk Amplifier
The design of the Internet makes attacks easier. It was created in the 1970s to interconnect networks, not to provide secure communication. Its architecture is open and decentralized, which is powerful but risky.
Features that make the Internet attractive for attackers include:
- Action at a distance: attackers can target systems without being physically present.
- Anonymity and obfuscation: attackers can hide behind proxies, VPNs, Tor, or compromised systems. Tracing them can be extremely difficult.
- Asymmetric force: offense is often easier than defense. A handful of attackers can overwhelm much larger organizations by using botnets or zero-day exploits.
- Scale and automation: attacks can be scripted and applied to millions of systems at once. Even a tiny success rate yields results.
- Global reach: the Internet has no borders. Traffic flows freely across countries with inconsistent laws and enforcement, making prosecution difficult.
- Lack of distinction: malicious traffic often looks the same as legitimate traffic until executed. A login attempt by a hacker may appear identical to that of a real user.
These structural properties explain why defending systems is so difficult. The Internet gives attackers opportunities that would not exist in the physical world.
Botnets
A botnet is a network of compromised machines (often called bots or zombies) controlled remotely through a command and control server. Botnets are used for spam, phishing, cryptocurrency mining, and especially for launching DDoS attacks. The Mirai botnet in 2016 demonstrated the power of millions of insecure IoT devices being turned into a coordinated weapon.
Case Studies
The following incidents illustrate how vulnerabilities, exploits, and attacks play out in practice. Some are classic examples that highlight fundamental concepts, while others are more recent cases showing that these problems remain pressing today.
- Conficker (2008): A worm that infected millions of Windows systems by exploiting a Microsoft flaw and weak passwords. It created one of the largest botnets ever, and its authors were never identified.
- Mirai (2016): A worm that exploited insecure IoT devices like cameras and routers with default passwords. It built a massive botnet that launched a record-breaking DDoS attack, knocking major websites offline.
- WannaCry (2017): Exploited the EternalBlue vulnerability to spread ransomware across 150 countries, hitting hospitals in the UK especially hard.
- NotPetya (2017): Began as a targeted attack on Ukrainian businesses but spread globally, causing an estimated $10 billion in damages. It masqueraded as ransomware but was designed for destruction.
- Target Breach (2013): Attackers entered through a third-party HVAC vendor, stole 40 million credit card numbers, and showed how supply chain partners can be weak links.
- Equifax (2017): A failure to patch a known vulnerability in the Apache Struts framework led to the theft of data on 143 million people, including Social Security numbers.
- SolarWinds (2020): A supply chain attack in which trusted software updates were poisoned, giving attackers access to thousands of organizations, including U.S. government agencies.
- Colonial Pipeline (2021): Ransomware shut down fuel delivery along the U.S. East Coast, showing how a single compromised password can affect critical infrastructure.
- Log4Shell (2021–2022): A flaw in the popular Log4J library allowed attackers to execute code remotely. Because Log4J was embedded in countless applications, the vulnerability continues to be exploited years later.
- MOVEit Breach (2023): Exploitation of a file transfer application allowed the Clop ransomware group to exfiltrate sensitive data from governments and corporations worldwide.
- Okta Breach (2023): Attackers gained access to an identity management provider used by thousands of organizations, showing how compromising a trusted authentication service can ripple across many customers.