As a definition, a vulnerability is something, anything that an attacker can target and exploit in order to access an application or environment, or possibly a user.
Hackers in most instances are not much more than your garden variety burglar. They just use digital methods of theft, instead of the physical ones. But what they look to target is most often a misconfiguration, which is the same thing as a bank locking their vault door, but keeping the windows open. One just has to crawl through the window to gain entry, game over. All a burglar, be it digital or otherwise, is a way in and then it is a matter of time and movement for the thief to be successful in their operation.
More practically, however, the real difference between a misconfiguration and a vulnerability is that one requires an action to be present, and the other requires the absence of action. A misconfiguration doesn’t really require a patch as a remedy, at least not the way a vulnerability does. Just as an open door used by a burglar doesn’t need to be replaced, it needs to be closed. This means that in reality misconfigurations are incorrect settings enacted by whomever built and deployed the system. They are not inherent weaknesses that are hard coded into system or code.
Consider a Server misconfiguration. Most, if not all servers come with some unnecessary default and sample files, default users and passwords, and a variety of other items that are enacted or deployed by whomever is managing that system. They choose to allow those things to be present, they do not magically happen. Nor are the unavoidable items that are built deep into the asset that cannot be easily removed or remedied. Not eliminating those issues is basically choosing to allow that misconfiguration to remain present and means that the owner of that asset is gambling on the security controls that are in place, hopefully, to conceal that failed technologic implementation.
Sophisticated, sexy attacks get the attention in the news. This is because they are interesting and the old adage for the media “if it bleeds it leads” is true in technology reporting as well as everywhere else. Some hacker that just is found to be logging into a system where the username and password haven’t been changed from the defaults, is not sexy and won’t get coverage, but its just as valid an exploit as the crazy difficult attack on an air gapped system that was the result of an analysis of vibrations of the cooling fan on a server. You should ask yourself though, of these vectors which is more likely to happen.
Did you decide? It was a simple hack right? This is why skipping configuration security and ignoring the issues of configuration is like worrying about a shark attack when you are swimming in a lake and you aren’t even in salt water. There are other risks that are much more likely and inherent to the space you currently occupy, ever hear of an alligator?
What good does a vulnerability assessment do then? A vulnerability, usually a software vulnerability, means that a particular input to a program has something inherently wrong with it that will result in a fault or failure. When that software failure occurs some aspect of the security posture will be immediately invalidated, AKA bad things happen. Vulnerable software will continue to grow over time and it must be addressed, but probably not as quickly as a misconfiguration will. This really means that you would be better off ignoring whatever is on the newest vulnerability issues and instead fixing something that you know immediately provides an adversary a means to exploit your infrastructure.
Vulnerability assessment is a valid issue, but that should come after fixing misconfigurations. One “might” be an issue in the future, the other is a guaranteed issue now. Misconfigurations are more likely to lead to disruption and failure. For pragmatic and security to take place misconfigurations should be the first things that is checked.
Statistically speaking, in 2020, misconfigurations caused 10% of all breaches, according to Verizon’s Data Breach Investigation Report, and 39% of web applications were breached in this manner. Which led to lateral movement and the follow on exploitation of other internal assets. Misconfigurations will cause 99% of all firewall breaches through 2023, according to Gartner. So to be frank, fix those misconfigurations now. Deal with vulnerable software later.