Salem Press


Privacy Rights in the Digital Age, 2nd Edition

Security flaws, computers

by Gretchen Nobahar

Identification: Computer vulnerabilities, or weaknesses in a computer product that could allow an attacker to compromise the integrity, availability, or confidentiality of that particular computer.

Importance of security flaws

Computer security flaws threaten system security and could exist anywhere in the system. These flaws are considered to be any conditions or circumstances that may result in denial of service, or unauthorized disclosure, destruction, or modification of data.

In our digital world, every organization gathers, maintains, organizes, and stores vast quantities of digitized data, including sensitive personally identifiable information. Organizations cannot function without collecting or holding personally identifying information, such as names and addresses, Social Security numbers, credit card numbers, and other account numbers. While holding this data enables organizations to provide more complete and efficient service to their customers or constituents, such access also opens organizations to significant risk. Every bit of data that enables better and more efficient service may also aid the work of cybercriminals who engage in identity theft, computer hacking, and fraud.

The vulnerability of computer-stored sensitive information has been highlighted by the increasing number of high-profile security breaches, for example, at Target department store, the Department of Defense, the Department of Veterans Affairs, Bank of America, and U.S. Office of Personnel Management. One example helps illustrate both the challenge and the problem. In October 2012, the South Carolina Department of Revenue was informed of a potential cyber-attack that compromised the personal information of taxpayers. The attack was facilitated by a state Department of Revenue employee who clicked on an embedded link in an email and compromised his computer. The subsequent investigation revealed that outdated computers and security flaws at the state’s Department of Revenue allowed international hackers to steal 3.8 million tax records. For example, the state had not encrypted Social Security numbers. Once the outer perimeter security was compromised, the hackers were able to log in as tax officials and steal the data.

Legislatures, regulatory agencies, and all organizations are increasingly concerned about safekeeping confidential data. New statutes are being enacted, regulations are being promulgated, and lawsuits and enforcement actions are being filed, all directed at improving the performance of entities whose poor security practices resulted in the disclosure of sensitive data entrusted to them.

Bugs versus vulnerabilities

Both computer bugs and computer vulnerabilities may result from programming flaws, but vulnerabilities differ from bugs, with the former being much more serious than the latter. Any kind of computer weakness can be described as a bug. The difference is in degree of seriousness. A vulnerability is definitely a bug, but a bug is not necessarily a vulnerability.

Bugs may or may not be dangerous to the computer; those that are may be referred to as security bugs or security defects. One example is unauthorized additional code, which may be a weakness that causes the product to take longer to respond.

A vulnerability, however, must be patched as soon as possible because unauthorized users may exploit it to gain access to the system for criminal and destructive purposes. It may not be risky to defer fixing a mere bug, because inaction or delay will not allow unauthorized users to compromise computer equipment. A vulnerability, however, may allow unauthorized access to the product and then to different parts of a computer network, including the database. Thus, a vulnerability must be fixed immediately to protect the integrity and security of the data and the system.

A normal bug fix can be done easily with service packs. If a vulnerability is discovered, Microsoft and other software manufacturers issue a security bulletin and develop a patch.

The danger of computer vulnerabilities

A security risk is sometimes classified as a vulnerability, but using the word vulnerability with the same meaning as risk may lead to confusion. Risk is connected to the potential for a significant loss. Some vulnerabilities carry no risk, for example, when the affected asset has no value. A vulnerability with one or more known instances of a working and fully implemented attack is classified as an exploitable vulnerability, that is, a vulnerability that can be exploited.

The following are common examples of criminals exploiting a computer vulnerability:

  1. An attacker finds and uses an overflow weakness to install malware to export sensitive data;

  2. an attacker convinces a user to open an email message with attached malware;

  3. an insider copies a hardened, encrypted program onto a thumb drive and cracks it at home; and

  4. a flood damages computer systems installed on the ground floor.

Three conditions are required before a computer security problem is considered a computer vulnerability (or computer flaw):

Integrity (i.e., trustworthiness or reliability). If the weakness is serious enough that it allows exploiters to misuse it, the computer lacks sufficient integrity.

Availability. If an exploiter is able to gain control over the computer and deny access to it for authorized users, then the bug is a vulnerability.

Confidentiality (i.e., maintaining the security of the data). If the bug in the system allows for unauthorized people to access the system’s data, then it is a vulnerability.

Vulnerabilities allow attackers to degrade a system’s information assurance. The seriousness of circumstances involving the flaw depends on the confluence of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a computer vulnerability, an attacker must have at least one applicable tool or technique that can exploit a system weakness.

Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.

Vulnerabilities are related to (1) the physical environment of the system, (2) the personnel management administration procedures and security measures within the organization, (3) business operation and service delivery, (4) hardware, (5) software, (6) communication equipment and facilities, and (7) their combinations.

A bifurcated approach is necessary in dealing with computer vulnerabilities. This approach combines the effective use of technical measures with administrative action: controlling which personnel are allowed to enter the facilities, and ensuring that people with adequate knowledge of the procedures implement them properly.

The law and computer security flaws

Data privacy laws are intended to promote and enforce several fair information practices that give individuals the ability to determine what personal information is being kept and by whom, opportunities to correct or remove such information, assurances that reasonable measures will be implemented to protect such information from disclosure, and to dispose of such information properly when appropriate and may include remedial.

The United States has no single, comprehensive statute for data privacy. Congress, the state legislatures, and federal and state regulatory agencies have enacted several different laws and regulations to protect specific types of information held by various organizations. Several sector-specific federal laws have been enacted to protect particularly sensitive information that is collected and stored by private companies. Forty states have data breach notification statutes. If the entities covered by these laws and regulations fail to comply with these standards, the results can be disastrous for the company, its shareholders, and its consumers.

The Gramm-Leach-Bliley Act (GLBA), and rules pursuant to it, regulate the collection, use, protection, and disposal of nonpublic personal information by financial institutions. The GLBA data security requirements are in a Federal Trade Commission (FTC) regulation called the safeguarding rule (16 C.F.R. 314). Under this rule, financial institutions are required to protect the security, confidentiality, and integrity of customer information by developing a comprehensive written information security program that has reasonable administrative, technical, and physical safeguards. This security program includes, of course, exercising due diligence in monitoring for computer vulnerabilities and taking appropriate action when they are discovered. The record to date indicates that dealing with computer vulnerabilities is a serious and continuous challenge that will require organizations to be constantly vigilant and committed to safeguarding the information entrusted to them.


Citation Types

MLA 9th
Nobahar, Gretchen. "Security Flaws, Computers." Privacy Rights in the Digital Age, 2nd Edition, edited by Jane E. Kirtley & Michael Shally-Jensen, Salem Press, 2019. Salem Online, online.salempress.com/articleDetails.do?articleName=PRDA2e_0201.
APA 7th
Nobahar, G. (2019). Security flaws, computers. In J. E. Kirtley & M. Shally-Jensen (Eds.), Privacy Rights in the Digital Age, 2nd Edition. Salem Press. online.salempress.com.
CMOS 17th
Nobahar, Gretchen. "Security Flaws, Computers." Edited by Jane E. Kirtley & Michael Shally-Jensen. Privacy Rights in the Digital Age, 2nd Edition. Hackensack: Salem Press, 2019. Accessed May 30, 2026. online.salempress.com.