Said of sensitive information that is left exposed to access by unauthorized entities. The event may be accidental or deliberate.
(I) A type of threat action whereby sensitive data is directly released to an unauthorized entity. (See: unauthorized disclosure.)
Usage: This type of threat action includes the following subtypes:
· "Deliberate Exposure": Intentional release of sensitive data to an unauthorized entity.
· "Scavenging": Searching through data residue in a system to gain unauthorized knowledge of sensitive data.
· "Human error": /exposure/ Human action or inaction that unintentionally results in an entity gaining unauthorized knowledge of sensitive data. (Compare: corruption, incapacitation.)
· "Hardware or software error": /exposure/ System failure that unintentionally results in an entity gaining unauthorized knowledge of sensitive data. (Compare: corruption, incapacitation.)
[RFC4949:2007]
An information security "exposure" is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.
CVE considers a configuration issue or a mistake an exposure if it does not directly allow compromise but could be an important component of a successful attack, and is a violation of a reasonable security policy.
http://www.cve.mitre.org/