Tuesday, 26 May 2009

Vulnerabilities

A vulnerability in an information system is a weakness that an attacker might leverage to gain unauthorized access to the system or its data. In some cases, after a vulnerability is discovered, attackers write a program intended to take advantage of the vulnerability. This type of malicious program is called an exploit.
However, even if a system has a vulnerability, the likelihood that someone will use that vulnerability to cause damage varies. This likelihood is called risk. For example, a data center might be vulnerable to a fire breaking out in the building. However, if the data center has advanced fire suppression systems and hot standby backups at another physical location, the risk to the data is minimal.
When you make plans to address vulnerabilities, consider the varied types of vulnerabilities. For example, consider the following broad categories of vulnerabilities:
- Physical vulnerabilities, such as fire, earthquake, or tornado
- Weaknesses in a system's design
- Weaknesses in the protocol(s) used by a system
- Weaknesses in the code executed by a system
- Suboptimal configuration of system parameters
- Malicious software (for example, a virus)
- Human vulnerabilities (whether intentional or unintentional)

For example, consider human vulnerabilities. Because most attacks against information systems are launched by people on the "inside," controls should be set up to prevent the intentional or unintentional misuse of information systems.

Social engineering is an example of unintentional misuse. To illustrate this concept, consider a situation in which an outside attacker calls a receptionist. The attacker pretends to be a member of the company’s IT department, and he convinces the receptionist to tell him her username and password. The attacker then can use those credentials to log into the network.

To prevent a single inside user from accidentally or purposefully launching an attack, some organizations require that two users enter their credentials before a specific act can be carried out, much like two keys being required to launch a missile.
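One way to implement the two-person rule just described, as an added illustration rather than anything from the original post (the user names, passwords, and the `DualControlGate` class are all constructed for the demo): the gate performs a sensitive action only when two different users each present valid credentials, and it records every decision so that a refused or granted action can be reviewed later.

```python
import hashlib
import hmac
import os

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-user salt, so stored hashes are not directly comparable across users.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user_store(credentials: dict) -> dict:
    """Build username -> (salt, hash) from plaintext passwords. Demo-only setup step."""
    store = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash_password(password, salt))
    return store

def verify(store: dict, user: str, password: str) -> bool:
    """Check one user's credentials; unknown users simply fail, and the hash comparison is constant-time."""
    entry = store.get(user)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_password(password, salt), expected)

class DualControlGate:
    """Authorizes a listed sensitive action only when two distinct users both authenticate."""

    def __init__(self, store: dict, sensitive_actions: set):
        self.store = store
        self.sensitive_actions = sensitive_actions
        self.audit_log = []  # (action, first user, second user, outcome) for later review

    def authorize(self, action: str, first: tuple, second: tuple) -> bool:
        user_a, pw_a = first
        user_b, pw_b = second
        if action not in self.sensitive_actions:
            outcome = "unknown action"
        elif user_a == user_b:
            outcome = "same user presented twice"  # one person cannot satisfy both keys
        elif not (verify(self.store, user_a, pw_a) and verify(self.store, user_b, pw_b)):
            outcome = "credential check failed"
        else:
            outcome = "granted"
        self.audit_log.append((action, user_a, user_b, outcome))
        return outcome == "granted"

if __name__ == "__main__":
    # Constructed users and passwords; never hard-code real credentials like this.
    gate = DualControlGate(make_user_store({"alice": "correct horse", "bob": "battery staple"}),
                           {"delete_backups"})
    print(gate.authorize("delete_backups", ("alice", "correct horse"), ("bob", "battery staple")))
    print(gate.authorize("delete_backups", ("alice", "correct horse"), ("alice", "correct horse")))
```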

Also, many employees are focused on accomplishing a particular task. If stringent security procedures seem to stand in their way, the employees might circumvent any safeguards to, in their minds, be more productive. Therefore, user education is a critical component of any organizational security policy.
