Appendix D: Vulnerabilities

Published: October 15, 2004   |   Updated: March 15, 2006

This appendix lists vulnerabilities likely to affect a wide variety of organizations. The list is not comprehensive, and, because it is static, will not remain current. Therefore, it is important that you remove vulnerabilities that are not relevant to your organization and add newly identified ones to it during the Assessing Risk phase of your project. It is provided as a reference list and a starting point to help your organization get underway.

Table D.1: Vulnerabilities

Columns: Vulnerability Class (high-level vulnerability class), Vulnerability (brief description of the vulnerability), Example (specific example, if applicable).

| Vulnerability Class | Vulnerability | Example |
|---|---|---|
| Physical | Unlocked doors | |
| Physical | Unguarded access to computing facilities | |
| Physical | Insufficient fire suppression systems | |
| Physical | Poorly designed buildings | |
| Physical | Poorly constructed buildings | |
| Physical | Flammable materials used in construction | |
| Physical | Flammable materials used in finishing | |
| Physical | Unlocked windows | |
| Physical | Walls susceptible to physical assault | |
| Physical | Interior walls do not completely seal the room at both the ceiling and floor | |
| Natural | Facility located on a fault line | |
| Natural | Facility located in a flood zone | |
| Natural | Facility located in an avalanche area | |
| Hardware | Missing patches | |
| Hardware | Outdated firmware | |
| Hardware | Misconfigured systems | |
| Hardware | Systems not physically secured | |
| Hardware | Management protocols allowed over public interfaces | |
| Software | Out-of-date antivirus software | |
| Software | Missing patches | |
| Software | Poorly written applications | Cross-site scripting |
| Software | Poorly written applications | SQL injection |
| Software | Poorly written applications | Code weaknesses such as buffer overflows |
| Software | Deliberately placed weaknesses | Vendor backdoors for management or system recovery |
| Software | Deliberately placed weaknesses | Spyware such as keyloggers |
| Software | Deliberately placed weaknesses | Trojan horses |
| Software | Configuration errors | Manual provisioning leading to inconsistent configurations |
| Software | Configuration errors | Systems not hardened |
| Software | Configuration errors | Systems not audited |
| Software | Configuration errors | Systems not monitored |
| Media | Electrical interference | |
| Communications | Unencrypted network protocols | |
| Communications | Connections to multiple networks | |
| Communications | Unnecessary protocols allowed | |
| Communications | No filtering between network segments | |
| Human | Poorly defined procedures | Insufficient incident response preparedness |
| Human | Poorly defined procedures | Manual provisioning |
| Human | Poorly defined procedures | Insufficient disaster recovery plans |
| Human | Poorly defined procedures | Testing on production systems |
| Human | Poorly defined procedures | Violations not reported |
| Human | Poorly defined procedures | Poor change control |
| Human | Stolen credentials | |

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.
