A race condition is a situation in which two entities access the same resource concurrently. The result (or impact) of a race condition is an unexpected outcome of the computation, which may produce inconsistent results or even exceptions that, if not handled, could make an application crash.
End-of-life systems
An end-of-life system is one that has carried out its function and is going to be dismissed. It is important to apply data sanitization techniques, to ensure that confidential data cannot be recovered from the system after its disposal.
Embedded systems
An embedded system is a computer system that has a dedicated function within a larger system. As an example, a smart thermostat that controls the temperature (and possibly the humidity) of an environment is an embedded system. Other examples of embedded systems are wearable devices, like a smartwatch. Embedded systems are increasingly connected to the internet. This allows, for instance, remotely starting the fan coils at home so that the house is comfortable when coming back. However, these devices are often patched less frequently than traditional IT systems. The impact of a vulnerability on an embedded system may be severe, because it can affect the physical world. Example: a hacked thermostat may keep an intolerably high temperature in an environment.
Lack of vendor support
A system which lacks vendor support should no longer be used, because any vulnerability that is discovered will remain unpatched.
Input handling means checking that the provided input is compliant with the expected input. As an example, if a field expects a ZIP code, only numeric characters should be allowed. The consequences of unchecked input may vary from an error/exception in the computation to actual attacks (like SQL or command injection). Input handling may be done either client-side or server-side. Client-side input handling basically guarantees that a non-malicious user doesn't send invalid data to the server, thus lowering the number of (invalid) requests that the server has to manage. However, client-side input validation may be bypassed (in a web browser it may be as simple as right click -> Inspect and then preventing the JavaScript function that performs the check from being executed). Server-side input validation is the real input validation one has to rely on. It is done on the server, and may be heavy because it could be performed on lots of requests. Example: some of the checks to carry out are allowing only certain characters (like numeric characters), verifying the length of the provided input (to avoid very long inputs that may be used in a buffer overflow attack) and blocking all those characters that are used to perform attacks (like HTML tags, or characters like '-' or '=' used in injection attacks). Countermeasures: use standard libraries and frameworks to deal with input handling, like the OWASP Enterprise Security API (ESAPI) library.
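As an added example (not part of the original notes), the following C code implements the server-side checks just described as an allowlist: length bounds plus a set of permitted characters, applied to the ZIP code field and to a hypothetical username field. The five-digit ZIP format and the username rules are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not from the page: server-side, allowlist-based input
 * validation as the text describes. A field is accepted only if its length
 * is within bounds and every character belongs to an explicit allowlist. */
enum validation_result { INPUT_OK = 0, INPUT_TOO_SHORT, INPUT_TOO_LONG, INPUT_BAD_CHAR };

/* Generic check, to run before the value is copied, stored or parsed.
 * `allowed` lists the permitted characters; max_len bounds the input so an
 * over-long field never reaches a fixed-size buffer. */
enum validation_result validate_field(const char *input, size_t min_len,
                                      size_t max_len, const char *allowed)
{
    /* Bounded scan: never read more than max_len + 1 bytes, so an input
     * without a terminator within that range is still reported as too long. */
    size_t len = 0;
    while (len <= max_len && input[len] != '\0')
        len++;
    if (len > max_len)
        return INPUT_TOO_LONG;
    if (len < min_len)
        return INPUT_TOO_SHORT;
    for (size_t i = 0; i < len; i++)
        if (strchr(allowed, input[i]) == NULL)   /* allowlist, not a denylist */
            return INPUT_BAD_CHAR;
    return INPUT_OK;
}

/* The page's ZIP code field: exactly five digits (assumption: a five-digit
 * code). Digits-only rejects injection characters such as '-', '=', '<'
 * or the quote by construction, with no denylist to keep up to date. */
enum validation_result validate_zip(const char *zip)
{
    return validate_field(zip, 5, 5, "0123456789");
}

/* A hypothetical free-text field with a length limit and a wider allowlist,
 * to show the same function covering another input type. */
enum validation_result validate_username(const char *name)
{
    return validate_field(name, 3, 32,
                          "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.");
}
```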
Sometimes, during the execution of an application, exceptions arise. These may be caused by unexpected conditions that the developers did not foresee or test. If these exceptions are not handled, the impact may be high, because they can lead to an interruption of the service (the application may crash).
A misconfigured system is one which exhibits vulnerabilities due to a wrong configuration. Example: a web server that should handle only HTTP/HTTPS traffic but has TCP ports 20 and 21 (the FTP ports) open.
A system has a default configuration vulnerability if it is used in production with the factory configuration. This vulnerability may have a high impact, because an attacker can easily discover the factory configuration and use it to take control of the system.
DoS and DDoS attacks cause resource exhaustion on the attacked machine, by forcing its NIC, CPU, memory or other devices to work at their maximum capacity to process invalid requests. Resource exhaustion implies that legitimate users can only get a slow, low-quality service or no service at all, because the server is wasting time and resources to process the attacker's requests.
Untrained users may constitute a serious vulnerability because they can be an easy target of attacks such as social engineering and phishing. Countermeasures: organize security training for the users, to raise their security awareness.
An improperly configured account is one that doesn't follow the best practices for account management. These practices are discussed in section 4.4. Example: an account that does not follow the least privilege principle is improperly configured and constitutes a system vulnerability: giving a guest account full rights could allow the guest to access confidential information.
The Business Impact Analysis (BIA) is the process of identifying the critical processes of an organization and evaluating the impact associated with a disruption of the related services. Vulnerable business processes are identified in the BIA; they are mission-critical processes that an organization has to protect with proper planning. The impact of an interruption of service of a mission-critical business process may be very high. Example: for an online reseller, its e-commerce website is a vulnerable business process.
A cipher suite is a collection of algorithms designed to secure connections using TLS or SSL (SSL is deprecated nowadays). When two parties decide to communicate via TLS, they exchange a prioritized list of cipher suites and then choose the highest-priority cipher suite that both parties support. Each cipher suite comprises a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm. The key exchange algorithm is used to negotiate the symmetric key that will be used to encrypt and decrypt the traffic; the bulk encryption algorithm is used to encrypt the data being sent; the MAC algorithm is used to guarantee the integrity of the messages. Example: an example of a cipher suite name is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, where:
TLS is the protocol to which the cipher suite applies;
ECDHE_RSA indicates that keys are exchanged using ECDHE and that the messages are signed (authenticated) with RSA;
WITH_AES_128_GCM indicates that the encryption algorithm employed is AES with a 128-bit key in Galois/Counter Mode;
SHA256 indicates the algorithm used for message integrity.
Choosing a weak cipher suite may allow downgrade attacks (see 1.2).
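An added example, not from the original notes, that parses a TLS 1.2-style cipher suite name into the components listed above and flags suites whose name declares no encryption or no authentication. The struct field names, the function names and the weak-suite markers are the example's own choices.

```c
#include <stdbool.h>
#include <string.h>

/* Added example, not from the page: split a TLS 1.2-style cipher suite name
 * (PROTO_KEYEXCHANGE_WITH_CIPHER_MAC) into the components the text lists. */
struct cipher_suite {
    char protocol[8], key_exchange[32], bulk_cipher[32], mac[16];
};

static bool copy_range(char *dst, size_t size, const char *s, const char *e)
{
    size_t len = (size_t)(e - s);       /* token [s, e) -> dst, or fail */
    if (e <= s || len >= size)
        return false;
    memcpy(dst, s, len);
    dst[len] = '\0';
    return true;
}

/* Returns false for names that do not follow the expected shape, so a
 * malformed configuration value is rejected instead of silently misread. */
bool parse_cipher_suite(const char *name, struct cipher_suite *cs)
{
    const char *proto_end = strchr(name, '_');   /* end of "TLS"          */
    const char *with = strstr(name, "_WITH_");   /* kx/auth | bulk cipher */
    const char *mac = strrchr(name, '_');        /* last '_' before MAC   */
    if (!proto_end || !with || !mac || mac < with + 6)
        return false;
    return copy_range(cs->protocol, sizeof cs->protocol, name, proto_end) &&
           copy_range(cs->key_exchange, sizeof cs->key_exchange, proto_end + 1, with) &&
           copy_range(cs->bulk_cipher, sizeof cs->bulk_cipher, with + 6, mac) &&
           copy_range(cs->mac, sizeof cs->mac, mac + 1, name + strlen(name));
}

/* No encryption (NULL cipher) or an unauthenticated (anonymous) key
 * exchange: such suites belong on the server's deny list. */
bool suite_is_weak(const char *name)
{
    struct cipher_suite cs;
    return parse_cipher_suite(name, &cs) && (strcmp(cs.bulk_cipher, "NULL") == 0 ||
                                             strstr(cs.key_exchange, "anon") != NULL);
}

/* Parse and compare the three algorithm components in one call. */
bool suite_matches(const char *name, const char *kx, const char *cipher, const char *mac)
{
    struct cipher_suite cs;
    return parse_cipher_suite(name, &cs) && strcmp(cs.key_exchange, kx) == 0 &&
           strcmp(cs.bulk_cipher, cipher) == 0 && strcmp(cs.mac, mac) == 0;
}
```

TLS 1.3 suite names (for example TLS_AES_128_GCM_SHA256) carry no key exchange part and are rejected by the parser, which is intended: they need a different reader.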
Memory leak
A memory leak is an improper memory management that causes an application to use a lot of memory. This is typically due to the allocation of memory locations that are never released, even when they are no longer needed by the application. An application that suffers from a memory leak may cause a significant system slowdown or even a system crash.
Integer overflow
An integer overflow is a low-level vulnerability related to computer arithmetic and programming languages. Programming languages often store an integer in one word of memory, for instance 32 bits. This means that an unsigned (i.e. positive) integer variable can store a value in the range 0 to 2^32 - 1. If an application tries to store a value bigger than 2^32 - 1 in such a variable, the value will be truncated and the overall computation will produce a wrong result. This vulnerability is called integer overflow. Countermeasure: input validation.
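An added example, not from the original notes, showing the truncation described above in 32-bit unsigned arithmetic and the checked counterparts that refuse to produce a wrapped result. The array-allocation helper is a hypothetical caller of the kind where this bug typically appears.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Added example, not from the page: 32-bit unsigned arithmetic silently
 * wraps modulo 2^32, as the text describes, and checked variants that
 * refuse to produce a truncated result. */

/* Unchecked: UINT32_MAX + 1 becomes 0, and 0x40000000 * 8 becomes 0. */
uint32_t add_unchecked(uint32_t a, uint32_t b) { return a + b; }
uint32_t mul_unchecked(uint32_t a, uint32_t b) { return a * b; }

/* Detect overflow before it happens: a + b fits iff b <= UINT32_MAX - a. */
bool add_overflows(uint32_t a, uint32_t b)
{
    return b > UINT32_MAX - a;
}

/* Multiply in 64 bits and compare against the 32-bit maximum. */
bool mul_overflows(uint32_t a, uint32_t b)
{
    return (uint64_t)a * b > UINT32_MAX;
}

/* Checked addition: returns false, leaving *out untouched, instead of a
 * wrapped value the caller would trust. */
bool add_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (add_overflows(a, b))
        return false;
    *out = a + b;
    return true;
}

/* Hypothetical caller where the bug usually bites: the byte count for an
 * array is computed as count * elem_size. Unchecked, count = 0x40000000
 * and elem_size = 8 give 0 bytes, so a later loop writing `count` elements
 * overflows the tiny allocation. Validating the arithmetic is the input
 * validation the text recommends, applied to the computed size. */
void *alloc_array(uint32_t count, uint32_t elem_size)
{
    if (mul_overflows(count, elem_size))
        return NULL;
    return malloc((size_t)count * elem_size);
}
```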
Buffer overflow
A buffer overflow is a vulnerability in which an application, while writing data into a memory buffer, crosses the boundaries of the buffer and overwrites adjacent memory locations as well. An attacker may exploit this kind of vulnerability by providing the application with data that are much larger than what the application expects. If the application does not check the boundaries, the provided data can overwrite other memory locations, possibly resulting in an effective attack. Example: an attacker may provide a large amount of data to the application, including malicious code. If she manages to overwrite the return address of the current function, she may force the CPU to run the instructions contained in the malicious code. Guessing the exact memory location of the return address to be overwritten may be too hard for an attacker. A slightly different technique to overcome this issue is called a NOP sled. In this attack, the attacker manages to inject malicious code at a known memory location. Then, the attacker sends the application a very long sequence of NOP instructions (NOP is an instruction that does nothing), followed by a JUMP instruction that makes the CPU continue execution at the memory location where the malicious code is placed. This way the malicious code gets executed. Countermeasures: input validation, boundary checking, canaries, randomized memory allocation, ...
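An added example, not from the original notes: the unchecked copy that produces a stack buffer overflow, next to a bounded copy implementing the boundary checking listed among the countermeasures. NAME_LEN and the function names are the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not from the page: the unchecked copy behind a stack buffer
 * overflow, beside a bounded copy that refuses over-long input. */
#define NAME_LEN 16

/* Vulnerable: strcpy keeps writing until it finds the input's terminator, so
 * an input of 16 or more characters runs past `name` into whatever the
 * compiler placed after it (saved registers, the return address). Kept here
 * for comparison only; never call it with untrusted input. */
size_t copy_name_unsafe(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);               /* no boundary check */
    return strlen(name);
}

/* Hardened: the destination size is explicit and the input is measured
 * against it before a single byte is written. On over-long input it leaves
 * an empty, terminated buffer and returns false, so the caller can reject
 * the request instead of silently truncating. */
bool copy_bounded(char *dst, size_t dst_size, const char *input)
{
    if (dst_size == 0)
        return false;
    size_t len = 0;
    while (len < dst_size && input[len] != '\0')   /* bounded scan */
        len++;
    if (len >= dst_size) {             /* no room for the terminator */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, input, len + 1);       /* copies the terminator too */
    return true;
}

/* Same task as copy_name_unsafe, safe for any input length. */
bool copy_name_safe(const char *input)
{
    char name[NAME_LEN];
    return copy_bounded(name, sizeof name, input);
}
```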
Pointer dereference
A pointer is a structure used in some programming languages to reference a memory location. Pointer dereference is the process of accessing the data stored in the memory location the pointer points to. A pointer dereference exception happens when the pointer points to an invalid memory location. It may result in an application error or crash.
DLL injection
A Dynamic Link Library (DLL) is a compiled piece of code that is used by an application to perform certain tasks. The application loads the DLL at execution time. DLL injection is an attack in which the legitimate DLL is replaced with a malicious library by the attacker, who thus manages to get her malicious functions executed.
The assets of an organization should be carefully tracked and managed with an asset management process. When this does not happen, an organization may acquire and put into operation IT devices which are not under the control of any security policy. They may expand the attack surface of the organization, especially if they are not updated or patched.
An IT infrastructure may have been designed in a weak way. Or maybe it was robust at the beginning, but successive additions of network devices, subnets, services and so on made the network weak. A weak architecture may facilitate the attacker in carrying out an attack. Example: a network not implementing defense-in-depth is an example of weak architecture.
A zero-day vulnerability is one that has not been disclosed to the public and that the vendor has not patched yet. However, an attacker could have discovered and exploited that vulnerability. The impact of such a vulnerability may vary. Countermeasures: defense-in-depth, vendor diversity (if all your firewalls are the same, they are all vulnerable), anomaly-based IDS/IPS (there is no signature for a zero-day attack).
Certificates are discussed in section 6.4. As a brief anticipation, a certificate is a digital file that holds some information on a subject together with its public key. That public key is matched with a corresponding private key which is the property of the subject and should be kept secret. This pair of public and private keys is used in asymmetric encryption. Thanks to asymmetric encryption it is possible to guarantee the authenticity, the confidentiality and the integrity of the messages sent by the subject. However, these three very important features are only possible if the private key is kept secret. If the subject discloses its private key, none of them can be guaranteed anymore.