Part 2: Threats, Vulnerabilities, and Attacks
When systems fail or are compromised, it is usually because an attacker has discovered a vulnerability and found a way to exploit it. To understand computer security, we need to distinguish between vulnerabilities, exploits, attacks, and threats. These terms are often used interchangeably in casual conversation, but they mean different things in security.
Vulnerabilities
A vulnerability is a flaw or weakness that can be exploited. Vulnerabilities may be caused by software bugs, design flaws, misconfigurations, or even human errors. They are the entry points that allow an attacker to compromise confidentiality, integrity, or availability.
Examples include:
- A buffer overflow in a program that allows an attacker to inject code.
- A default administrator password left unchanged on a router.
- A design flaw in a protocol that lets attackers intercept traffic.
- Weak encryption, such as outdated algorithms that can be cracked with modern computing power.
Some vulnerabilities lie deeper in hardware rather than software.
- Spectre and Meltdown (2018) exploited CPU features like speculative execution and caching to leak data across privilege boundaries.
- Rowhammer (2014) showed that repeatedly accessing certain DRAM rows could cause bit flips in adjacent rows, undermining memory isolation.
These cases revealed that vulnerabilities are not limited to software mistakes but can be rooted in hardware design itself.
One of the most famous software vulnerabilities in recent history was Log4Shell (CVE-2021-44228), disclosed in late 2021. Log4j is a popular Java library for logging. A subtle flaw allowed attackers to insert special text into log messages, which caused the software to execute remote code. Since Log4j was embedded in tens of thousands of software packages, the vulnerability had a global impact and is still being exploited today.
Exploits
An exploit is the tool, code, or technique that takes advantage of a vulnerability. The vulnerability is the unlocked door; the exploit is the crowbar used to break in.
For example:
- SQL injection takes advantage of poor input validation in web applications, allowing attackers to run arbitrary database queries.
- EternalBlue (part of MS17-010) targeted flaws in Microsoft’s SMBv1 implementation. The exploit, later leaked, powered the 2017 WannaCry ransomware outbreak.
- Metasploit is a penetration testing framework that bundles together many known exploits, making it easy for both security professionals and attackers to test vulnerabilities.
The key point is that vulnerabilities and exploits are different. A vulnerability may exist for years before someone develops an exploit to take advantage of it.
Attacks
An attack is the execution of an exploit with the intent to cause harm. Attacks put exploits into action. They may attempt to steal data, alter information, disable services, or gain unauthorized control.
Common types of attacks include:
- Phishing, where emails trick users into giving up credentials.
- Ransomware, where files are encrypted until payment is made.
- Distributed Denial of Service (DDoS), where attackers overwhelm servers with traffic.
- Credential stuffing, where attackers reuse stolen usernames and passwords from one breach to break into other systems.
The Colonial Pipeline attack in 2021 is an example. Attackers used a compromised password to log into the company’s network, then deployed ransomware that forced the company to shut down operations. This was not just a vulnerability but a full attack with real-world consequences: fuel shortages across the U.S. East Coast.
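A defender usually recognizes credential stuffing by the shape of failed logins rather than by any single attempt. The following added example (not part of the original notes) classifies source addresses in a constructed authentication log; the log format, the thresholds, and the function name `classify_sources` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the page). IPs are documentation ranges.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:0{i}Z FAIL user={u} ip=203.0.113.7"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + ["2024-05-01T10:00:06Z OK user=frank ip=203.0.113.7"]
    + [f"2024-05-01T10:05:0{i}Z FAIL user=admin ip=198.51.100.20" for i in range(6)]
    + ["2024-05-01T10:07:00Z FAIL user=alice ip=192.0.2.44",
       "2024-05-01T10:07:09Z OK user=alice ip=192.0.2.44"]
)

LINE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")


def classify_sources(log_text, min_users=5, max_tries_per_user=2, guess_threshold=5):
    """Classify each source IP by the shape of its failed logins.

    Thresholds are illustrative assumptions, not recommended values.
    """
    fails = defaultdict(lambda: defaultdict(int))  # ip -> user -> failures
    oks = defaultdict(set)                         # ip -> users who logged in
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        _, result, user, ip = m.groups()
        if result == "FAIL":
            fails[ip][user] += 1
        else:
            oks[ip].add(user)

    report = {}
    for ip in sorted(set(fails) | set(oks)):
        per_user = fails.get(ip, {})
        worst = max(per_user.values(), default=0)
        if len(per_user) >= min_users and worst <= max_tries_per_user:
            # Many accounts, one or two tries each: replayed breach credentials.
            verdict = "credential_stuffing"
        elif worst >= guess_threshold:
            # Repeated failures against one account: password guessing.
            verdict = "password_guessing"
        else:
            verdict = "normal"
        # A success from a flagged source means that account needs a reset.
        review = sorted(oks.get(ip, ())) if verdict != "normal" else []
        report[ip] = {"verdict": verdict, "review_accounts": review}
    return report
```

In the sample, the one successful login from the stuffing source is the account to reset first, while the user who mistyped a password once and then logged in is left alone.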
Attack Vectors
An attack vector is the path or method an attacker uses to deliver an exploit. Vectors define how an attack begins.
Examples include:
- Email attachments, which can carry malicious macros.
- Websites, which may host drive-by downloads or exploit browser flaws.
- USB drives, which may contain malware that runs when plugged in.
- Networks, where attackers exploit open ports or unpatched services.
In 2010, the Stuxnet worm reached Iran’s nuclear facilities through removable media, notably USB drives. Because the facilities were isolated from the Internet, attackers relied on physical introduction and multiple zero-day exploits to propagate.
Attack Surface
An attack surface is the total number of possible entry points in a system. The more exposed services, interfaces, and users, the larger the attack surface and the more opportunities an attacker has.
Examples of attack surface include:
- A public website with multiple APIs and login pages.
- A corporate network with many open ports and VPN connections.
- Employees who can be tricked through social engineering.
Reducing the attack surface makes systems harder to compromise. Disabling unused services, limiting access, and educating users all help shrink the number of possible entry points.
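One way to measure the network part of an attack surface is to list listening sockets and compare them with what is supposed to be reachable. This added example (not part of the original notes) parses constructed `ss -tln` style output; the sample listing, the allowlist `ALLOWED_EXPOSED_PORTS`, and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the style of `ss -tln` output (not from the page).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 128  127.0.0.1:5432    0.0.0.0:*
LISTEN 0 511  *:8080            *:*
LISTEN 0 128  [::]:22           [::]:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
LISTEN 0 128  [::1]:631         [::]:*
LISTEN 0 128  10.0.0.5:23       0.0.0.0:*
"""

# Hypothetical policy: only these ports may be reachable from other hosts.
ALLOWED_EXPOSED_PORTS = {22, 443}


def exposure(host):
    """Return how widely a listening address is reachable."""
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    if host == "*":
        return "all-interfaces"
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:                # 0.0.0.0 or ::
        return "all-interfaces"
    if addr.is_loopback:                   # 127.0.0.0/8 or ::1
        return "loopback"
    return "one-interface"


def unexpected_listeners(ss_text, allowed=ALLOWED_EXPOSED_PORTS):
    """List (port, exposure) pairs reachable off-host but not in the policy."""
    findings = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                       # header or unrelated line
        host, _, port = fields[3].rpartition(":")
        scope = exposure(host)
        if scope != "loopback" and int(port) not in allowed:
            findings.add((int(port), scope))
    return sorted(findings)
```

Each finding is a service to disable, bind to loopback, or add to the policy deliberately; loopback-only listeners such as the local database are not counted as exposed.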
The human factor
Not all vulnerabilities are technical. In many attacks, the easiest path in is not through a software flaw but through a person.
Social engineering refers to techniques that manipulate, deceive, or influence people into giving up information or access. Instead of breaking cryptography or bypassing a firewall, an attacker may simply trick a user into opening the door.
Common methods include:
- Phishing: sending emails that appear legitimate, tricking recipients into clicking malicious links or providing credentials.
- Spear phishing: a targeted form of phishing aimed at specific individuals, often using details about them to appear convincing.
- Pretexting: creating a false story or identity to gain trust, such as pretending to be an IT staff member who needs a password.
- Baiting: leaving infected USB drives in public places, hoping someone will pick one up and plug it into a computer.
A classic example was the 2011 RSA breach. Attackers sent a phishing email with the subject line “2011 Recruitment Plan.” The attached Excel file contained a Flash object that exploited a zero-day vulnerability. Once opened, it gave attackers access to RSA’s internal systems and sensitive data related to its SecurID authentication tokens. This attack succeeded not through a technical vulnerability alone, but because an employee trusted and opened the file.
Social engineering underscores that humans are part of the attack surface. Training, awareness, and organizational culture are as important as software patches in reducing risk. We will look at social engineering methods in much more detail later in the course.
Mistakes
Security is not just about protecting systems and data from attacks but also from users. On Microsoft MS-DOS and consumer Windows 95/98/ME, there was effectively no concept of per-user accounts and privilege separation; users commonly ran with full control. This made it trivial to make mistakes such as accidentally deleting or modifying important system files. A security infrastructure should protect users from malicious or accidental reads, deletes, or modifications that they should not be able to perform. Availability matters here too: a user should not be able to write a program that consumes all CPU or file system resources, though bugs can still cause these conditions without proper limits.
Vulnerabilities are tracked and cataloged using systems like CVE and CVSS, which we’ll explore in detail later. We will also explore social engineering and specific vulnerabilities and attack vectors in more detail later in the class.
Threats and Threat Actors
A threat is the possibility of an attack. A threat actor (or agent) is the adversary who may carry it out. Not every threat actor attacks, but the potential exists.
Ross Anderson, in Security Engineering, describes four broad classes of threat:
- Disclosure: unauthorized access to information. Examples: data breaches, eavesdropping.
- Deception: acceptance of false data as true. Examples: forged logs, spoofed identities, tampered sensor readings.
- Disruption: interruption or degradation of correct operation. Examples: DoS, cutting power, corrupting configuration to break availability.
- Usurpation: unauthorized control of a system. Examples: installing malware, privilege escalation, hijacking sessions.
Related terms often used alongside these classes include snooping (eavesdropping), modification (alteration), masquerading (spoofing), repudiation of origin, denial of receipt, and delay.
Classifying threats always rests on assumptions about an attacker’s motivation and skill. A system may be resistant to casual scanning but vulnerable to determined adversaries with custom tools.
Threat Matrix
Another way to classify threats is by capability and focus. A threat matrix distinguishes between:
- Opportunistic attacks, which cast a wide net for vulnerable systems without caring who the victim is.
- Targeted attacks, which focus on specific victims and pursue them persistently.
- Unskilled attackers (often called script kiddies), who rely on pre-packaged tools, tutorials, phishing kits, and automation.
- Skilled attackers, who develop custom exploits and sophisticated campaigns.
Most real-world attacks fall somewhere on this spectrum. Opportunistic automated scanning for weak passwords is very different from a targeted advanced persistent threat, but both fit within the threat matrix.
The Internet as a Risk Amplifier
The design of the Internet makes attacks easier. It was created in the 1970s to interconnect networks, not to provide strong security. Its architecture is open and decentralized, which is powerful but risky.
Features that make the Internet attractive for attackers include:
- Action at a distance: attackers can target systems without being physically present.
- Anonymity and obfuscation: attackers can hide behind proxies, VPNs, Tor, or compromised systems. Tracing them can be extremely difficult.
- Asymmetric force: offense is often easier than defense. A handful of attackers can overwhelm much larger organizations by using botnets or automation.
- Automation at scale: attacks can be scripted and applied to millions of systems at once. Even a tiny success rate yields results.
- Global reach: the Internet has no borders. Traffic flows across countries with inconsistent laws and enforcement, making prosecution difficult.
- Lack of distinction: malicious traffic often looks the same as legitimate traffic until executed. A login attempt by a hacker may appear identical to that of a real user.
These structural properties explain why defending systems is so difficult. The Internet gives attackers opportunities that would not exist in the physical world.
Botnets
A botnet is a network of compromised machines (often called bots or zombies) controlled remotely through a command and control server. Botnets are used for spam, phishing, credential stuffing, cryptocurrency mining, and especially for launching DDoS attacks. The Mirai botnet in 2016 demonstrated the power of millions of insecure IoT devices being turned into a coordinated weapon.
Case Studies
The following incidents illustrate how vulnerabilities, exploits, and attacks play out in practice. Some are classic examples that highlight fundamental concepts, while others are more recent cases showing that these problems remain pressing today.
- Conficker (2008): A worm that infected millions of Windows systems by exploiting a Microsoft flaw and weak passwords. It created one of the largest botnets ever, and its authors were never identified.
- Mirai (2016): A worm that exploited insecure IoT devices like cameras and routers with default passwords. It built a massive botnet that launched a record-breaking DDoS attack, knocking major websites offline.
- WannaCry (2017): Used the EternalBlue exploit to spread ransomware across 150 countries, hitting hospitals in the UK especially hard.
- NotPetya (2017): Began as a targeted attack on Ukrainian businesses but spread globally, causing an estimated $10 billion in damages. It masqueraded as ransomware but was designed for destruction.
- Target Breach (2013): Attackers entered through a third-party HVAC vendor, stole 40 million credit card numbers, and showed how supply chain partners can be weak links.
- Equifax (2017): A failure to patch a known vulnerability in the Apache Struts framework led to the theft of data on 143 million people, including Social Security numbers.
- SolarWinds (2020): A supply chain attack in which trusted software updates were poisoned, giving attackers access to thousands of organizations, including U.S. government agencies.
- Colonial Pipeline (2021): Ransomware shut down fuel delivery along the U.S. East Coast, showing how a single compromised password can affect critical infrastructure.
- Log4Shell (2021–2022): A flaw in the popular Log4j library allowed attackers to execute code remotely. Because Log4j was embedded in countless applications, the vulnerability continues to be exploited years later.
- MOVEit Breach (2023): Exploitation of a file transfer application allowed the Clop ransomware group to exfiltrate sensitive data from governments and corporations worldwide.
- Okta Breach (2023): Attackers gained access to an identity management provider used by thousands of organizations, showing how compromising a trusted authentication service can ripple across many customers.