As an MSP, Internos helps clients understand cyber security threats and protect their business. With words used interchangeably, it can be hard to pin down what they really mean. So this post will define exploit, vulnerability, hacking, cracking and other cyber security terms.
Hacking vs Cracking
Hacking is what you think it is: an intrusion into computer systems, without authorization, with the intent of gaining access for good or bad purposes. Cracking is similar to hacking but with three big differences:
- Crackers always have criminal intent while not all hackers are criminals.
- Crackers typically don’t have the level of advanced coding knowledge that hackers do.
- Crackers don’t create doors into your systems, they just find ones that have been left open or unguarded and exploit those weaknesses.
Crackers also often find authorized users’ passwords and use that information to crack into a data infrastructure.
What makes a good password? Find out with our Password Management Guide.
Types of Hackers (White Hat, Black Hat and Gray Hat Hackers)
Hackers are intelligent individuals or groups. They know IT code and they know how to change your infrastructure so that their goals are reached and not yours. Not all hackers are intent on wreaking havoc. Some hack to check holes, weaknesses and vulnerabilities in your system and to try to close them up, sometimes for a fee, sometimes because they were sanctioned. There are different types of hackers:
- White hat hackers. They’re the good guys who check their own security system, close any holes they find in it and correct them.
- Black hat hackers. Classic bad guys who take control and destroy, steal and even prevent authorized users from accessing the system.
Grey hat hackers. These are hackers who are not working on their own systems, but don’t have any malicious intent. They range from people who hack in somewhere just to prove they can, to those proactively looking for potential loopholes and weaknesses so they can let system administrators know before the crackers find and exploit them.
The Difference Between Vulnerabilities and Exploits
Vulnerability
You can best define vulnerability as a weak spot in a system. Hackers and crackers gain access to a network through these vulnerabilities. It is virtually impossible to have no weak spots, and not all weak spots are within the code itself. For many companies, their biggest vulnerability is people. Some examples of vulnerabilities include:
- A weakness in the software code of a program
- Human response to phishing emails
- Software that hasn’t been updated or patched
- Weak passwords
Exploit
To define exploit, think of the act of the hacker or cracker using a vulnerability to enter or compromise IT systems or software. Exploits need vulnerabilities to exist, which is why preventing vulnerabilities is so important.
Today, criminals don’t need to be sophisticated coders or computer experts to exploit a vulnerability — especially human-based vulnerabilities. There are automated tools they can buy to attack weaknesses on a grand scale and plenty of data available on the dark web to trick your team into making a mistake and letting them in.
Help your team avoid traps with our Phishing Prevention Cheat Sheet
Zero Day Vulnerabilities and Exploits
A zero day exploit is when a hacker takes advantage of an unknown or unpatched vulnerability for the first time (a zero day vulnerability). Examples of zero day exploits include:
- New or undetected malware
- A known vulnerability that had never been exploited before
- A previously unknown vulnerability that is exploited
Critical vulnerabilities and exposures are tracked by some organizations and websites to distribute to others. They maintain lists of these and then release patches that will fix them. Once the patch is released, it is no longer considered a zero day vulnerability.
Vulnerabilities are sometimes only discovered once people figure out how to exploit them. Other times, the vulnerability is known (theoretically) but it is not known how that vulnerability could possibly be exploited. This is why there is often a gap between a zero day vulnerability and a zero day exploit.
Traditional antivirus and anti-malware software can only look for what they KNOW is out there. Therefore, they do not protect against zero day exploits and vulnerabilities.
CIA Cornerstones of Cyber Security
Now that you know these terms, it’s best to employ the CIA method of protection:
- Confidentiality: All customer info, HR info, passwords, user IDs and all other sensitive data must be kept confidential.
- Integrity: The integrity of your data assets must be stringently maintained in order to avoid hackers manipulating them in any way.
- Availability: Everyone with legitimate access to your systems should always have it. To block hackers from your website or systems, close those front and back doors so no one can compromise your data in any way.
Looking for an MSP? Get our free Choose IT Support Checklist
Block Hackers by Being Less Vulnerable
Don’t be fooled into thinking you don’t have weak spots just because your anti-malware is up to date. Cyber security is much more than just running software, especially since most businesses’ biggest vulnerabilities are people. Get started with a cyber security risk assessment. Then protect your business with a comprehensive cyber security plan that includes training for all your employees on what to look for and traps to avoid. Not sure where to start? Contact us or book a meeting. We’d be happy to support your business.