What's an Exploit?

If you’ve been reading anything about cybersecurity, a term gets tossed around. Exploit. Sometimes they’ll use the more pedestrian term vulnerability, but c’mon…exploit sounds cooler.Simply put, an exploit is a discovery of a method to compromise some aspect of Information Technology in a way for a party to gain unauthorized access to some (or all) parts of an otherwise protected network (or device).An example of a recently discovered exploit would be the Spectre exploit, which exposed a vulnerability to all systems using most Intel, ARM or AMD processors, allowing malware applications to access data from other applications.

Usually the reading takes on one of two flavors:

1. Incredibly dense techspeak, going into minute details of the exploit, how it was found, what vendors are (or aren’t doing); or…
2. The world is ending, the bad guys are going to hack into all of our networks, take all of our kittens and replace them with cats.

I thought it would be an interesting exercise to walk through the process of the lifecycle of an exploit., moving through these phases:

1. Discovery of the exploit. The person discovering the exploit could be (the 4 primary parties involved):
   1. Neutral party. Someone discovered the exploit, and somehow shared that information publicly.
   2. Vendor. The vendor of the product discovered the exploit themselves.
   3. Cyber Security Providers (ie, Sophos).
   4. Bad Guys (the people creating/distributing/executing malware and other attacks).

The race is on! Here’s what everyone does now:

1. Vendor: Creates a patch/workaround. Informs users of products. Challenge of testing patch (delay) versus getting it out quickly.
2. Cyber Security Providers: Creates discovery/prevention/containment update.
3. Bad Guys: Creates exploit kits. Products that use the exploit for nefarious purposes (one case was 3 hours).

Think about it. You’re potentially using this product, and you’ve got people working to find ways to protect you or attack you, with equal deliberation.By the way, don’t think exploits are limited to hardware and software. Many exploits are of the social engineering or phishing variety. They attack the human beings, often the weakest link in a cyber security strategy.There’s more to this narrative. Join me on July 24th from 2-2:30 pm (eastern) where we’ll spend 30 minutes walking through these processes, explaining it in non-technical terms. Click here for more information and to RSVP!