7/27/2019 Lecture 2 Vulnerability.ppt http://slidepdf.com/reader/full/lecture-2-vulnerabilityppt 1/24

BIT 3206

VULNERABILITIES

Vulnerabilities

A vulnerability is a weakness or fault in a system that exposes information to attack. It allows an attacker to reduce any system’s Information Assurance.

7/29/20132 IAS-13

Vulnerabilities

Attackers exploit existing security vulnerabilities on systems to gain unauthorized access to systems and data.

Vulnerabilities can either be of a technical nature, such as bugs in software, or non-technical, e.g. a user discloses their password to an unauthorized person.

Keeping on top of information security vulnerabilities is an essential

Vulnerability cont’d

It is the intersection of three elements:
• A system susceptibility or flaw,
• Attacker access to the flaw, and
• Attacker capability to exploit the flaw.

Therefore, understanding your vulnerabilities is the first step to managing risk.


Vulnerability cont’d

To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. Any examples?

An exploit is a method for taking advantage of a known vulnerability.

In this frame, vulnerability is also known as the attack surface.

Vulnerability Examples

– An attacker convinces a user to open an email message with attached malware;
– An insider copies a hardened, encrypted program onto a thumb drive and cracks it at home;
– A flood damages your computer systems installed on the ground floor.

Can you identify the flaws in these examples?

Vulnerability Causes

• Complexity: Large, complex systems increase the probability of flaws and unintended access points.
• Familiarity: Using common, well-known code, software, operating systems, and/or hardware.
• Connectivity: More physical connections, privileges, ports, protocols, and services.

Vulnerability Causes

• Fundamental operating system design flaws: Enforcement of suboptimal policies on user/program management, such as granting every program and every user full access to the entire computer. This operating system flaw allows viruses and malware to execute commands on behalf of the administrator.

Vulnerability Causes

• Internet website browsing: Some internet websites may contain harmful spyware or adware that can be installed automatically on computer systems; the infected systems can then easily pass personal information on to third parties.

Vulnerability Causes

• Password management flaws: The computer user uses weak passwords that could be discovered by brute force. The computer user stores the password on the computer where a program can access it. Users re-use passwords between many programs and websites.
• Software bugs: The programmer leaves an exploitable bug in a software program. The software bug may allow


Vulnerability Classifications

Vulnerabilities are classified according to the asset class they are related to:

Vulnerability Classifications

Employees
• Social interaction
• Customer interaction
• Discussing work in public locations
• Taking data out of the office (paper, mobile phones, laptops)
• Emailing documents and data
• Mailing and faxing documents
• Installing unauthorized software and apps

Vulnerability Classifications

Employees (cont’d)
• Removing or disabling security tools
• Letting unauthorized persons into the office (tailgating)
• Opening spam emails
• Connecting personal devices to company networks
• Writing down passwords and sensitive data
• Losing security devices such as ID cards
• Lack of information security

Vulnerability Classifications

Former Employees
• Former employees working for competitors
• Former employees retaining company data
• Former employees discussing company matters

Technology
• Social networking
• File sharing
• Rapid technological changes
• Storing data on mobile devices such as mobile phones

Vulnerability Classifications

Hardware
• Susceptibility to dust, heat and humidity
• Hardware design flaws
• Out-of-date hardware
• Misconfiguration of hardware

Vulnerability Classifications

Software
• Insufficient testing
• Lack of audit trail
• Software bugs and design faults
• Unchecked user input
• Software complexity (bloatware)
• Software vendors that go out of business

Vulnerability Classifications

Network
• Unprotected network communications
• Open physical connections, IPs and ports
• Insecure network architecture
• Unused user IDs
• Excessive privileges
• Unnecessary jobs and scripts executing
• Wifi networks

Vulnerability Classifications

IT Management
• Insufficient IT capacity
• Missed security patches
• Insufficient incident and problem management
• Configuration errors and missed security notices
• System operation errors
• Lack of regular audits
• Improper waste disposal
• Insufficient change management
• Business process flaws

Vulnerability Classifications

• Inadequate business controls
• Processes that fail to consider human factors
• Overconfidence in security audits
• Lack of risk analysis
• Rapid business change
• Inadequate continuity planning
• Lax recruiting processes

Vulnerability Classifications

Partners and Suppliers
• Disruption of telecom services
• Disruption of utility services such as electric, gas, water
• Hardware failure
• Software failure
• Lost mail and courier packages
• Supply disruptions
• Sharing confidential data with partners and suppliers

Vulnerability Classifications

Customers
• Customer access to secure areas
• Customer access to data (i.e. customer portal)

Offices and Data Centers
• Sites that are prone to natural disasters such as earthquakes
• Locations that are politically unstable
• Locations subject to government spying
• Unreliable power sources
• High crime areas
• Multiple sites in the same geographical location

Vulnerability Management

Having looked at the different vulnerability classifications, can you identify and explain ways in which those vulnerabilities can be managed?