See:
· Exploit
· Damage
· Vulnerability assessment
· Vulnerability analysis
That which can be hurt or suffer injury, physically or morally. DRAE. Diccionario de la Lengua Española.
Weakness of an asset or of a control that can be exploited by one or more threats. [UNE-ISO/IEC 27000:2014]
Intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with a consequence. [UNE Guía 73:2010]
A weakness that can be exploited by a Threat. For example an open port in the firewall, an access password that is never changed, or a flammable carpet. A missing Control is also considered a Vulnerability. [ITIL:2007]
Weakness or lack of control that would allow or facilitate a threat acting against an objective or resource of the System.
Security weakness of a system that makes it susceptible to being damaged when exploited by a threat. [CCN-STIC-400:2006]
Error in a program or a flaw in the configuration that may allow an attacker to obtain unauthorized access to the system. [CCN-STIC-431:2006]
Defect or weakness in the design, implementation or operation of a system that enables or facilitates the materialization of a threat. [Magerit:2012]
Weakness of an asset or group of assets that can be exploited by one or more threats. [UNE-71504:2008]
Error or weakness which, if exploited, may expose the system to risk, intentionally or not. http://es.pcisecuritystandards.org
Characteristic of an entity that may constitute a weakness or a flaw from the point of view of information systems security. [EBIOS:2005]
1. Weakness of the Target of Evaluation (due to errors in its analysis, design, implementation or operation) (ITSEC).
2. Weakness in the protection system of an asset.
3. Susceptibility of a system or product to suffer damage from specific attacks.
[Ribagorda:1997]
Weakness in the security of an information system. It may be:
· Exploitable: a vulnerability that can be exploited in practice to break a security objective.
· Potential: a suspected vulnerability that could be used to break a security objective, but whose possibility, exploitation or existence has not yet been demonstrated.
[CESID:1997]
weakness of an asset or control that can be exploited by one or more threats [ISO/IEC 27000:2014]
A vulnerability refers to a weakness in a system that can be utilized by an attacker to damage the system, obtain unauthorized access, execute arbitrary code, or otherwise exploit the system. [knapp:2014]
The process of scanning networks to find hosts or assets, and probing those hosts to determine vulnerabilities. Vulnerability assessment can be automated using a vulnerability assessment scanner, which will typically examine a host to determine the version of the operating system and all running applications, which can then be compared against a repository of known software vulnerabilities to determine where patches should be applied. [knapp:2014]
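The comparison step in the definition above (fingerprinted software versions checked against a repository of known vulnerabilities to decide where patches go), as an added example that is not part of this page or of any cited standard. All inputs are constructed: the inventory stands in for a scanner's OS and application fingerprinting output, the repository for the known-vulnerability database, and the ADV-000x identifiers are placeholders rather than real CVE ids.

```python
"""Version-match vulnerability assessment: the comparison step of the Knapp definition.

Added illustration, not code from any cited standard. Everything here is constructed:
the inventory plays the role of a scanner's fingerprinting output, the repository plays
the role of the "repository of known software vulnerabilities", and the advisory
identifiers (ADV-000x) are placeholders, not real CVE ids.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> int tuple, so 1.2.10 sorts after 1.2.9 (string compare gets this wrong)."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    id: str          # placeholder identifier (assumption), not a real CVE
    product: str
    introduced: str  # first affected version, inclusive
    fixed: str       # first version carrying the fix, exclusive upper bound


def is_affected(version: str, adv: Advisory) -> bool:
    """True when `version` lies in the half-open range [introduced, fixed) of this advisory."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


# Constructed known-vulnerability repository (product, affected range, fix version).
REPOSITORY: List[Advisory] = [
    Advisory("ADV-0001", "openssh", "8.0", "9.3"),
    Advisory("ADV-0002", "openssh", "9.0", "9.6"),
    Advisory("ADV-0003", "nginx", "1.18.0", "1.20.1"),
]

# Constructed inventory: host -> {product: version}, as fingerprinting would report it.
INVENTORY: Dict[str, Dict[str, str]] = {
    "host-a": {"openssh": "9.2", "nginx": "1.24.0"},
    "host-b": {"openssh": "9.7", "nginx": "1.18.0"},
    "host-c": {"openssh": "7.9"},
}


def assess(inventory: Dict[str, Dict[str, str]],
           repository: List[Advisory]) -> Dict[str, Dict[str, List[str]]]:
    """Match every (product, version) on every host against the repository.

    Returns {host: {product: [advisory ids]}}; hosts with no findings are omitted.
    """
    findings: Dict[str, Dict[str, List[str]]] = {}
    for host, products in inventory.items():
        for product, version in products.items():
            hits = [a.id for a in repository if a.product == product and is_affected(version, a)]
            if hits:
                findings.setdefault(host, {})[product] = hits
    return findings


def patch_target(product: str, version: str, repository: List[Advisory]) -> str:
    """Lowest 'fixed' version that clears every advisory reachable from `version`.

    Jumping to the highest 'fixed' of the current hits can land inside another
    advisory's range, so re-check until nothing matches. Each step moves strictly
    upward and the repository is finite, so the loop terminates.
    """
    candidate = version
    while True:
        hits = [a for a in repository if a.product == product and is_affected(candidate, a)]
        if not hits:
            return candidate
        candidate = max((a.fixed for a in hits), key=parse_version)


def patch_plan(inventory: Dict[str, Dict[str, str]],
               repository: List[Advisory]) -> Dict[str, Dict[str, str]]:
    """{host: {product: version to upgrade to}} for every affected product found by assess()."""
    plan: Dict[str, Dict[str, str]] = {}
    for host, products in assess(inventory, repository).items():
        for product in products:
            plan.setdefault(host, {})[product] = patch_target(
                product, inventory[host][product], repository)
    return plan


if __name__ == "__main__":
    for host, products in assess(INVENTORY, REPOSITORY).items():
        for product, ids in products.items():
            print(f"{host}: {product} {INVENTORY[host][product]} affected by {', '.join(ids)}")
    print("patch plan:", patch_plan(INVENTORY, REPOSITORY))
```

Two caveats a practitioner should keep in mind when reading such output: a version string alone cannot tell whether a distribution has backported the fix into an older package version, and a fingerprinted banner can simply be wrong, so a match is a place to look rather than proof that the weakness is exploitable on that host (the exploitable/potential distinction drawn by several of the definitions on this page).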
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. [CNSSI_4009:2010]
See vulnerability assessment. [CNSSI_4009:2010]
Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. [CNSSI_4009:2010]
intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with a consequence [ISO Guide 73:2009]
physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard
Example: Installation of vehicle barriers may remove a vulnerability related to attacks using vehicle-borne improvised explosive devices.
Extended Definition: characteristic of design, location, security posture, operation, or any combination thereof, that renders an asset, system, network, or entity susceptible to disruption, destruction, or exploitation
Annotation: In calculating risk of an intentional hazard, the common measurement of vulnerability is the likelihood that an attack is successful, given that it is attempted.
DHS Risk Lexicon, September 2008
process for identifying physical features or operational attributes that render an entity, asset, system, network, or geographic area susceptible or exposed to hazards
Example: The team conducted a vulnerability assessment on the ship to determine how it might be exploited or attacked by an adversary.
Annotation: Vulnerability assessments can produce comparable estimates of vulnerabilities across a variety of hazards or assets, systems, or networks.
DHS Risk Lexicon, September 2008
Flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system. https://www.pcisecuritystandards.org/security_standards/glossary.php
A weakness in design, implementation, operation or internal control [RiskIT-PG:2009]
Any event where a material increase in vulnerability results. Note that this increase in vulnerability can result from changes in control conditions or from changes in threat capability/force. [RiskIT-PG:2009]
(I) A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy. (See: harden.) [RFC4949:2007]
A weakness that could be exploited by a Threat. For example an open firewall port, a password that is never changed, or a flammable carpet. A missing Control is also considered to be a Vulnerability. [ITIL:2007]
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. [FIPS-200:2006] [NIST-SP800-53:2013]
Flaw, weakness or property of the design or implementation of an information system (including its security controls) or its environment that could be intentionally or unintentionally exploited to adversely affect an organization's assets or operations. [ISO-19790:2006]
a weakness in the TOE that can be used to violate the SFRs in some environment.
TOE - Target of Evaluation
SFR - Security Functional Requirement
[CC:2006]
weakness that cannot be exploited in the operational environment for the TOE, but that could be used to violate the SFRs by an attacker with greater attack potential than is anticipated in the operational environment for the TOE.
TOE - Target of Evaluation
SFR - Security Functional Requirement
[CC:2006]
A defect or weakness in system security procedure, design, implementation, or internal control that an attacker can exploit. A vulnerability can exist in one or more of the components making up a system, even if those components aren't necessarily involved with security functionality. https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/risk/248-BSI.html
Characteristic of an entity that can constitute a weakness or flaw in terms of information systems security. [EBIOS:2005]
A weakness in a system, application, or network that is subject to exploitation or misuse. [NIST-SP800-61:2004]
A weakness or lack of controls that would allow or facilitate a threat actuation against a specific asset or target. [CRAMM:2003]
An information security "vulnerability" is a mistake in software that can be directly used by a hacker to gain access to a system or network.
CVE considers a mistake a vulnerability if it allows an attacker to use it to violate a reasonable security policy for that system (this excludes entirely "open" security policies in which all users are trusted, or where there is no consideration of risk to the system). http://www.cve.mitre.org/
The susceptibility of information to exploitation by an adversary. http://www.ioss.gov/docs/definitions.html
A hardware, firmware, communication, or software flaw that leaves a computer processing system open for potential exploitation, either externally or internally, thereby resulting in risk for the owner, user, or manager of the system. [IRM-5239-8:1995]
A flaw or weakness in the design or implementation of an information system (including security procedures and security controls associated with the system) that could be intentionally or unintentionally exploited to adversely affect an agency's operations (including missions, functions, and public confidence in the agency), an agency's assets, or individuals (including privacy) through a loss of confidentiality, integrity, or availability. [NIST-SP800-60V2:2004]
A weakness in system security requirements, design, implementation, or operation, that could be accidentally triggered or intentionally exploited and result in a violation of the system's security policy. [NIST-SP800-27:2004]
a security weakness in a Target of Evaluation (for example, due to failures in analysis, design, implementation or operation). [ITSEC:1991]
a weakness the existence of which is suspected (by virtue of a postulated attack path), but not confirmed, to violate the SFRs.
SFR - Security Functional Requirement
[CC:2006]
potential weakness in the TOE identified by the evaluator while performing evaluation activities that could be used to violate the SFRs.
TOE - Target of Evaluation
SFR - Security Functional Requirement
[CC:2006]
a weakness in the TOE that can be used to violate the SFRs in the operational environment for the TOE.
TOE - Target of Evaluation
SFR - Security Functional Requirement
[CC:2006]
A weakness in system security procedures, design, implementation, internal controls, etc., that could be accidentally triggered or intentionally exploited and result in a violation of the system's security policy. [NIST-SP800-33:2001]
A security vulnerability is a flaw or weakness in a system's design, implementation or operation that could be exploited to violate the system's security (RFC 2828). A security vulnerability is not a risk, a threat, or an attack.
Vulnerabilities can be of four types.
· Threat Model vulnerabilities originate from the difficulty to foresee future threats (e.g. Signalling System No.7).
· Design & Specification vulnerabilities come from errors or oversights in the design of the protocol that make it inherently vulnerable (e.g. WEP in IEEE 802.11b a.k.a. WiFi).
· Implementation vulnerabilities are vulnerabilities that are introduced by errors in a protocol implementation.
· Finally, Operation and Configuration vulnerabilities originate from improper usage of options in implementations or weak deployment policies (e.g. not enforcing use of encryption in a WiFi network, or selection of a weak stream cipher by the network administrator).
A (universal) vulnerability is a state in a computing system (or set of systems) which either:
· Allows an attacker to execute commands as another user
· Allows an attacker to access data that is contrary to the specified access restrictions for that data
· Allows an attacker to pose as another entity
· Allows an attacker to conduct a denial of service
http://www.symantec.com/avcenter/refa.html
A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy. http://www.sans.org/security-resources/glossary-of-terms/
A vulnerability is a software weakness that can be exploited by an attacker. Bugs and flaws collectively form the basis of most software vulnerabilities. https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/attack/590-BSI.html
An inadequacy related to security that could increase susceptibility to compromise or injury. http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=16578
intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with a consequence [ISO Guide 73:2009]
Flaw or weakness which, if exploited, may compromise a system, intentionally or not. http://fr.pcisecuritystandards.org/
A weakness that could be exploited by a threat. For example, an open firewall, a password that is never changed, or a flammable carpet. A missing control is also considered a vulnerability. [ITIL:2007]
Characteristic of a supporting asset that can constitute a weakness or a flaw with regard to information systems security. [EBIOS:2010]
A security-related inadequacy that could increase susceptibility to compromise or harm. http://www.tbs-sct.gc.ca/pol/doc-fra.aspx?id=16578
Related topics