In computing, a vulnerability is a weakness or defect in a system that makes an attack possible. An exploitable vulnerability is one for which at least one working attack or exploit exists.
To understand the techniques for securing a computer system, it is important to first understand the various types of "attacks" that can be made against it. Several such threats are listed below; each typically falls into one of the following categories.
An unauthorised user who gains physical access to a computer is usually able to compromise its security by modifying the operating system, installing software that acts as a worm or keylogger, or attaching covert listening devices. They may also be able to copy data off the machine with little effort. Even when the system is protected by standard security measures, these can be bypassed by booting another operating system or tool from a CD-ROM or other bootable media. Disk encryption and the Trusted Platform Module (TPM) are designed to prevent such attacks.
A backdoor in a computer system, an algorithm or a cryptosystem is any secret method of bypassing the normal authentication or security controls deployed on the computer.
Denial of service attacks are intended to make a computer or network resource unavailable to its intended users. Attackers can deny service to individual victims, for example by deliberately entering a wrong password enough consecutive times to cause the victim's account to be locked out, or they can overload the capacity of a computer, server or network so that all users are blocked at once.
An attack from a single IP address can be blocked by adding a new firewall rule. However, many forms of distributed denial of service (DDoS) attack are possible, where the attack comes from a large number of points, making defence much more difficult. Such attacks can originate from the zombie computers of a botnet, but a range of other techniques are possible, including reflection and amplification attacks, where innocent systems are tricked into sending traffic or data to the victim.
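As an added example (not part of the original text), the following Python triages constructed failed-login records against a lockout threshold and separates the single-source case, which a firewall rule on one address can answer, from the distributed case, which it cannot. The log format, the field names and the threshold of three failures are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample failed-login records (not taken from any real system).
# Assumed format: "<time> FAIL user=<account> src=<source-ip>".
SAMPLE_LOG = """\
10:00:01 FAIL user=alice src=203.0.113.7
10:00:02 FAIL user=alice src=203.0.113.7
10:00:03 FAIL user=alice src=203.0.113.7
10:00:04 FAIL user=bob src=198.51.100.1
10:00:05 FAIL user=bob src=198.51.100.2
10:00:06 FAIL user=bob src=198.51.100.3
10:00:07 FAIL user=carol src=192.0.2.9
"""

LINE_RE = re.compile(r"^\S+ FAIL user=(?P<user>\S+) src=(?P<src>\S+)$")

def failures_by_account(log_text):
    """Count failed logins per account, broken down by source address."""
    failures = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            failures[m["user"]][m["src"]] += 1
    return failures

def triage_lockouts(log_text, threshold=3):
    """Report each account whose failures reached the (assumed) lockout
    threshold, i.e. an account an attacker could have locked out on purpose.
    Single-source pressure can be answered with one firewall rule, so the
    offending address is returned; distributed pressure is flagged instead
    with the number of distinct sources involved."""
    report = {}
    for user, by_src in failures_by_account(log_text).items():
        total = sum(by_src.values())
        if total < threshold:
            continue  # below the lockout threshold: ordinary typos
        if len(by_src) == 1:
            (src,) = by_src
            report[user] = ("single-source", src)
        else:
            report[user] = ("distributed", len(by_src))
    return report

if __name__ == "__main__":
    for user, verdict in triage_lockouts(SAMPLE_LOG).items():
        print(user, verdict)
```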
Spoofing of user identity describes a situation in which one person or program successfully masquerades as another user by falsifying identification data.
Tampering describes the malicious modification of products. Examples include "Evil Maid" attacks and security services planting surveillance capabilities in routers and other network switching devices.
Eavesdropping is the act of covertly listening to a private conversation, typically between hosts on a network. For example, programs such as Carnivore and NarusInsight have been used by intelligence agencies to monitor the systems of internet service providers. Even machines that operate as a closed network (i.e., with no connection to the outside world) can be eavesdropped upon by monitoring the faint electromagnetic emissions generated by the hardware.
A privacy breach, data leak or similar information disclosure describes a situation in which information thought to be secure is disclosed in an untrusted environment.
An exploit is a software tool designed to take advantage of a flaw in a computer or network system. This often includes gaining control of a computer system, enabling privilege escalation, or causing a denial of service. Exploit code is frequently reused in Trojan horses and computer viruses. In some cases, the vulnerability lies in a program's handling of a specific file type, such as a non-executable media file.
Privilege escalation describes a situation in which attackers obtain a higher level of privilege, or access to resources that were previously denied to them.
Social engineering and Trojans
Social engineering is a form of attack that aims to convince a user to disclose secrets such as passwords or bank card numbers by, for example, impersonating a bank, a customer or a contractor.
Repudiation describes a situation in which the legitimacy of a signature is challenged.
An indirect attack is a planned and systematic attack launched from a third party's computer, which helps to mask the actual attacker. By using someone else's computer to launch an attack, it becomes far more difficult to trace the real attacker. There have also been instances where attackers took advantage of public anonymising systems to launch indirect or masked attacks.
Computer crime refers to any crime that involves a computer and a network.
Web sites that accept or store credit card numbers and bank account information are prominent hacking targets, because of the potential for immediate financial gain from transferring money, making purchases, or selling the information on the black market. In-store and retail payment systems and ATMs have also been tampered with in order to gather customer account data and PINs.