A security analyst is documenting an incident in which an unpatched web server was compromised. The server software contained a known coding flaw, the attacker used a publicly released piece of code that takes advantage of that flaw, and the result was full remote access. Using standard security terminology, what is the coding flaw itself best classified as?
- A. A threat, because it represents the external party who has the intent and capability to cause harm to the server.
- B. An exploit, because it is the mechanism that takes advantage of the weakness to achieve remote access.
- C. A vulnerability, because it is a weakness in the system that could be used to compromise it. (Correct)
- D. A mitigation, because identifying the flaw is the control that reduces the overall risk to the server.
Why A is wrong: A threat is the potential danger or the actor that could cause harm, such as the attacker; the coding flaw is the internal weakness being targeted, not the source of danger, so the term is misapplied.
Why B is wrong: The exploit is the piece of code or technique that leverages the weakness; the flaw is what gets leveraged, so calling the flaw itself the exploit confuses the weakness with the tool used against it.
Why C is correct: A vulnerability is a weakness or flaw in a system, such as an unpatched coding defect, that an attacker can leverage; the scenario describes exactly such a flaw, so this classification is correct.
Why D is wrong: A mitigation is a countermeasure such as patching or filtering that reduces risk; the flaw is the problem, not the control, so labelling the weakness a mitigation inverts the relationship between the risk and its remedy.
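The four terms pinned to a constructed toy, as an added example that is not part of the original question: a path-traversal weakness in a tiny static-file handler is the vulnerability, the crafted request is the exploit, the containment check is the mitigation, and the threat is whoever sends that request, which is why it appears only in comments and not in code. The handler names, the web-root layout and the payload string are all assumptions made up for the illustration.

```python
import os
import tempfile


def serve_vulnerable(web_root: str, requested: str) -> bytes:
    """Read a file under web_root without checking containment.

    VULNERABILITY: the weakness. The untrusted path is joined to the web
    root with no check that the result stays inside it, so ".." segments
    (or an absolute path) escape the root.
    """
    path = os.path.join(web_root, requested)
    with open(path, "rb") as f:
        return f.read()


def serve_mitigated(web_root: str, requested: str) -> bytes:
    """Read a file under web_root, refusing anything that escapes it.

    MITIGATION: the control. Resolve both paths (symlinks included) and
    require the requested file to remain beneath the root.
    """
    root = os.path.realpath(web_root)
    path = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, path]) != root:
        raise PermissionError("requested path escapes the web root")
    with open(path, "rb") as f:
        return f.read()


# EXPLOIT: the mechanism that takes advantage of the weakness. It is crafted
# input, not the flaw itself; against the mitigated handler it does nothing.
# (The THREAT is the party who sends it; there is no code for a threat.)
EXPLOIT_PAYLOAD = "../secret.txt"  # assumed payload for this constructed root layout


def demo() -> dict:
    """Run both handlers against a constructed web root and return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = os.path.join(tmp, "www")
        os.makedirs(web_root)
        with open(os.path.join(web_root, "index.html"), "wb") as f:
            f.write(b"<h1>hello</h1>")
        # Constructed file one level above the web root; it must never be served.
        with open(os.path.join(tmp, "secret.txt"), "wb") as f:
            f.write(b"not for the web")

        results = {
            "vulnerable_normal": serve_vulnerable(web_root, "index.html"),
            "vulnerable_exploited": serve_vulnerable(web_root, EXPLOIT_PAYLOAD),
            "mitigated_normal": serve_mitigated(web_root, "index.html"),
        }
        try:
            serve_mitigated(web_root, EXPLOIT_PAYLOAD)
            results["mitigated_blocked"] = False
        except PermissionError:
            results["mitigated_blocked"] = True
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running it shows the same payload reading the out-of-root file through the vulnerable handler and being refused by the mitigated one; the flaw (the missing check) is what the analyst classifies as the vulnerability, the payload is the exploit, and the check is the mitigation.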