{"id":1532,"date":"2020-09-25T14:05:00","date_gmt":"2020-09-25T14:05:00","guid":{"rendered":"https:\/\/sectigostore.com\/blog\/?p=1532"},"modified":"2020-11-20T18:31:38","modified_gmt":"2020-11-20T18:31:38","slug":"exploit-vs-vulnerability-whats-the-difference","status":"publish","type":"post","link":"https:\/\/sectigostore.com\/blog\/exploit-vs-vulnerability-whats-the-difference\/","title":{"rendered":"Exploit vs Vulnerability: What\u2019s the Difference?"},"content":{"rendered":"\n

We\u2019ll take an in-depth look at the difference between vulnerabilities and exploits, why they matter, and how you can use that knowledge to keep your website safe<\/h2>\n\n\n\n

Ever wonder how a hacker actually hacks? Or are you tired of unrealistic movies that are full of endless lines of code and keyboard clacking without any explanation? Seeing as you most likely googled something along the lines of \u201cexploit vs vulnerability\u201d or \u201cvulnerability vs exploit\u201d to get here, then the answer to those questions is yes.<\/p>\n\n\n\n

Exploring what vulnerabilities and exploits are, the differences between them, and how they\u2019re useful to hackers is an excellent way to learn more about how hackers think. More importantly, it can help you better protect yourself and your organization against them.<\/p>\n\n\n\n

So, let\u2019s compare and break down an exploit vs a vulnerability to get a better idea of what they are and how they differ.<\/p>\n\n\n\n

Exploit vs Vulnerability: A Quick Take<\/h2>\n\n\n\n

In a nutshell, a vulnerability is a weakness or opening for hackers to find a way into a website, a system that connects to a website, operating systems, web applications<\/a>, software, networks, and other IT systems. An exploit is a specific code or attack technique that uses a vulnerability to carry out an attack or gain unauthorized access. The vulnerability is the opening and the exploit is something that uses that opening to execute an attack.<\/p>\n\n\n\n

The names are, indeed, apt as hackers look for vulnerabilities to exploit. However, it should be noted that not all vulnerabilities are exploitable. Whether it\u2019s due to a lack of abilities on the hacker\u2019s end or supplemental security tools making it difficult for the hacker to exploit the vulnerability, not all vulnerabilities will be exploited. In fact, a 2019 study<\/a> shows that out of 76,000 vulnerabilities the researchers discovered between 2009 and 2018, only 5.5% had been exploited in the wild.<\/p>\n\n\n\n

That’s the quick answer. Now, let’s look at the topic of exploit vs vulnerability more in depth.<\/p>\n\n\n\n

Exploit vs Vulnerability: A Deeper Dive<\/h2>\n\n\n\n

To understand vulnerabilities and exploits, you first need to understand a hacker. Hackers are usually looking to do one of three things:<\/p>\n\n\n\n

  1. Receive some type of short-term or long-term financial, social or political gain;<\/li>
  2. Wreak havoc for personal satisfaction; or<\/li>
  3. Both of these reasons.<\/li><\/ol>\n\n\n\n

    A hacker\u2019s mindset and methods are very similar to those used by a home burglar. They often scout their target (to some extent), search for a vulnerability and exploit it. For example, a burglar will look for an unlocked window (vulnerability) and then wait until you are away to enter it (how they exploit it) without your permission. Then from there, they are most likely looking to steal valuable things but there are also intruders who just want to vandalize (like a hacker will do with a website at times).<\/p>\n\n\n\n

    So, here’s another way to differentiate exploit vs vulnerability. The big difference between a vulnerability and an exploit is that a vulnerability is a hacker finds an opening in your cyber defenses. An exploit is what occurs if and when they actually take advantage of the vulnerability without your permission. It\u2019s the difference between finding an unguarded entrance to a fort and actually charging through it. But let\u2019s take a few moments to explore each of these terms a little more in depth.<\/p>\n\n\n\n

    \"Exploit
    This illustration represents the lifecycle of a vulnerability and where a cybercriminal could potentially exploit a vulnerability.<\/figcaption><\/figure><\/div>\n\n\n\n

    What Are Vulnerabilities?<\/h3>\n\n\n\n

    As mentioned, a vulnerability is a weak point or channel that hackers could<\/em> use to find a way into your website, operating system, applications, network, or other IT-related systems. (A vulnerability isn\u2019t actually the attack or exploit itself.) Vulnerabilities could be a weakness that exists in your software code. And users can even create some vulnerabilities without even realizing it.<\/p>\n\n\n\n

    For example, outdated or legacy software or system that you haven\u2019t updated yet could be the target of a hacker. Another example of a vulnerability is when a user creates a weak password or reuses a password that gets compromised in a breach. A vulnerability can also be created by a cyber attack, such as a phishing email<\/a> with a link that tricks or manipulates you into downloading files containing malicious software or code.<\/p>\n\n\n\n

    How the vulnerability is created doesn\u2019t change the fact that there is a weakness that hackers could potentially exploit. As for what we mean when say \u201cexploited,\u201d see our next section\u2026<\/p>\n\n\n\n

    What Is an Exploit?<\/h3>\n\n\n\n

    As mentioned, an exploit is the use of a specific code or technique that takes advantage of a vulnerability that exists in a target\u2019s IT systems or software. Essentially, a hacker will exploit the vulnerability in a way that gets them unauthorized access to the system. Exploits need vulnerabilities to exist, which is why preventing vulnerabilities is so important.<\/p>\n\n\n\n

    Looking for vulnerabilities manually would be a laborious way of hacking, which is why hackers use automated tools to attack vulnerabilities at mass scale. For many hackers, exploiting vulnerabilities is very much a numbers game. If a hacker discovers an outdated piece of software in a CMS, they may use an automation tool to crawl thousands of sites that use that CMS looking for the vulnerability so they can collect mass amounts of data, typically from many small websites.<\/p>\n\n\n\n

    Knowing the difference between vulnerabilities and exploits is the first step in knowing how to protect yourself.<\/p>\n\n\n\n

    Zero Day Vulnerabilities and Exploits<\/h3>\n\n\n\n

    So, what happens if there is a vulnerability that you\u2019ve discovered within your own application but haven\u2019t patched yet? Or what if a cybercriminal has created malware<\/a> or another way to exploit your application that no one has seen before? Each of these two examples is known as a zero day vulnerability and a zero day exploit<\/a>, respectively.<\/p>\n\n\n\n

    A zero day vulnerability is an exploit that you may or may not know about but haven\u2019t yet had time to address. There are organizations and websites such MITRE<\/a>, NIST<\/a> and vuldb.com<\/a> that maintain lists of known critical vulnerabilities and exposures. Once a patch is released for the vulnerability, however, it\u2019s no longer considered a zero day vulnerability.<\/p>\n\n\n\n

    A zero day exploit is when a cybercriminal uses an unpatched or unknown vulnerability to their advantage. They can do this by creating new malware that they create or by using phishing techniques to direct users to infected websites. \u201cZero day\u201d attacks are particularly dangerous because they capitalize on unknown or unpatched issues that have yet to be fixed. They\u2019re also typically undetectable because traditional antivirus and anti-malware software aren\u2019t looking for them.<\/p>\n\n\n\n

    Examples of Vulnerabilities and Exploits<\/h3>\n\n\n\n

    So, now that you know what vulnerabilities and exploits are, you\u2019ll probably want a few more examples that you might come across. Here a few examples of how a hacker might use a vulnerability and exploit:<\/p>\n\n\n\n

    Example 1<\/h4>\n\n\n\n

    Vulnerability: <\/em><\/strong>You did not update your WordPress plugin<\/a>, which has a code error.<\/p>\n\n\n\n

    Exploit:<\/em><\/strong> A hacker uses the vulnerability to launch a SQL injection<\/a> attack.<\/p>\n\n\n\n

    Example 2<\/h4>\n\n\n\n

    Vulnerability:<\/em><\/strong> A web admin has a weak password that lacks complexity and doesn\u2019t meet NIST passwords standards. (See NIST SP 800-63B Authentication and Lifecycle Management<\/a>, section 5.1.1.) Some general password creation best practices include using long passwords that include a combination of uppercase and lowercase characters, and at least one special character and number.<\/p>\n\n\n\n

    Exploit:<\/em><\/strong> A hacker uses a \u201ccracker tool\u201d to crack the password and now controls your website. It should be noted should how accessible these \u201ccracker tools\u201d are. There are literally top 10 lists<\/a> that rank password cracking tools that range from ones that assists with brute force attacks to tools that can crack LM and NTLM hashes!<\/p>\n\n\n\n

    Example 3<\/h4>\n\n\n\n

    Vulnerability:<\/em><\/strong> A website has an area that allows users to upload unvalidated files with no filters or limits.<\/p>\n\n\n\n

    Exploit:<\/em><\/strong> A hacker uploads a file that contains executable code and now has access to your website source code and database credentials (basically controlling your website).<\/p>\n\n\n\n

    The CIA Triad: What It Is & Why You Should Use It<\/h2>\n\n\n\n

    So, now that you know the difference between a vulnerability and an exploit, you might be semi-worried that someone is going to use them against you. Don\u2019t worry (or even be semi-worried) \u2014 we got you covered. Let\u2019s start with the CIA triad<\/a>, or what\u2019s sometimes called the AIC triad. This model provides a great starting place for responding to information security threats.<\/p>\n\n\n\n

    No matter which you prefer to call it, the triad is a helpful and accurate way to remember the three cornerstones of a good cybersecurity program:<\/p>\n\n\n\n