| High-level vulnerability class | Brief description of the vulnerability | Specific example (if applicable) |
|---|---|---|
| Physical | Unlocked doors | |
| Physical | Unguarded access to computing facilities | |
| Physical | Insufficient fire suppression systems | |
| Physical | Poorly designed buildings | |
| Physical | Poorly constructed buildings | |
| Physical | Flammable materials used in construction | |
| Physical | Flammable materials used in finishing | |
| Physical | Unlocked windows | |
| Physical | Walls susceptible to physical assault | |
| Physical | Interior walls do not completely seal the room at both the ceiling and floor | |
| Natural | Facility located on a fault line | |
| Natural | Facility located in a flood zone | |
| Natural | Facility located in an avalanche area | |
| Hardware | Missing patches | |
| Hardware | Outdated firmware | |
| Hardware | Misconfigured systems | |
| Hardware | Systems not physically secured | |
| Hardware | Management protocols allowed over public interfaces | |
| Software | Out-of-date antivirus software | |
| Software | Missing patches | |
| Software | Poorly written applications | Cross-site scripting |
| Software | Poorly written applications | SQL injection |
| Software | Poorly written applications | Code weaknesses such as buffer overflows |
| Software | Deliberately placed weaknesses | Vendor backdoors for management or system recovery |
| Software | Deliberately placed weaknesses | Spyware such as keyloggers |
| Software | Deliberately placed weaknesses | Trojan horses |
| Software | Deliberately placed weaknesses | |
| Software | Configuration errors | Manual provisioning leading to inconsistent configurations |
| Software | Configuration errors | Systems not hardened |
| Software | Configuration errors | Systems not audited |
| Software | Configuration errors | Systems not monitored |
| Media | Electrical interference | |
| Communications | Unencrypted network protocols | |
| Communications | Connections to multiple networks | |
| Communications | Unnecessary protocols allowed | |
| Communications | No filtering between network segments | |
| Human | Poorly defined procedures | Insufficient incident response preparedness |
| Human | Poorly defined procedures | Manual provisioning |
| Human | Poorly defined procedures | Insufficient disaster recovery plans |
| Human | Poorly defined procedures | Testing on production systems |
| Human | Poorly defined procedures | Violations not reported |
| Human | Poorly defined procedures | Poor change control |
| Human | Stolen credentials | |