Vulnerabilities are all the flaws in corporate assets that could be exploited by threats, with the aim of compromising them. This exploitation can cause significant impacts. New vulnerabilities are regularly discovered.
It is possible to gather vulnerabilities together into a number of families.
Human vulnerabilities essentially derive from feelings, behaviours and instincts that have helped humans survive since time immemorial. Unfortunately, these behaviours are so intrinsically linked to human nature that they are very often exploited in various social engineering type scams and attacks. Because of this, we talk about vulnerabilities within the context of data security. (SMEs: see Threats to people)
Among these vulnerabilities are:
- fear (often exploited by threats such as scareware)
- greed (often exploited by threats such as fake lotteries and Nigerian 419 scams)
This family of vulnerabilities is by far the most fluid – it includes all vulnerabilities relating to the use of technology or solutions (hardware, software). Many people actively seek out vulnerabilities, and new flaws appear on a daily basis. (SMEs: see Threats to hardware and Threats to software)
These would include:
- the presence of vulnerabilities in operating systems or software that could be exploited by malware, simply by visiting malicious websites;
- the interoperability of IT and communications systems: to enable easy communications between different systems, additional layers of communication are often implemented, which can lead to the appearance of fresh vulnerabilities;
- the complexity of rules on firewalls and routers: the introduction of filtering and access rules, on request, makes it difficult to gain a comprehensive view of this aspect.
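
To illustrate the last point, the following added example (not part of the original page) audits an ordered rule list for entries that an earlier rule already covers, which is one way to regain a comprehensive view of a rule base that has grown request by request. The rule names, addresses and the first-match evaluation model are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # source CIDR
    dst: str         # destination CIDR
    port_lo: int     # first destination port (inclusive)
    port_hi: int     # last destination port (inclusive)

def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matched by b is also matched by a."""
    a_src, b_src = ipaddress.ip_network(a.src), ipaddress.ip_network(b.src)
    a_dst, b_dst = ipaddress.ip_network(a.dst), ipaddress.ip_network(b.dst)
    return (b_src.subnet_of(a_src) and b_dst.subnet_of(a_dst)
            and a.port_lo <= b.port_lo and b.port_hi <= a.port_hi)

def audit(rules):
    """Assumes first-match semantics: a rule fully covered by an earlier
    rule can never fire. Same action = redundant, other action = shadowed."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break  # report only the first rule that hides this one
    return findings

# Constructed sample rule base (IPv4 only), in evaluation order.
RULES = [
    Rule("allow-web",         "allow", "0.0.0.0/0",       "10.0.1.0/24",  443, 443),
    Rule("temp-vendor",       "allow", "0.0.0.0/0",       "10.0.0.0/16",  1, 65535),
    Rule("block-db",          "deny",  "0.0.0.0/0",       "10.0.2.10/32", 5432, 5432),
    Rule("allow-web-partner", "allow", "198.51.100.0/24", "10.0.1.5/32",  443, 443),
    Rule("default-deny",      "deny",  "0.0.0.0/0",       "0.0.0.0/0",    1, 65535),
]

if __name__ == "__main__":
    for name, kind, by in audit(RULES):
        print(f"{name}: {kind} by earlier rule {by}")
```

A shadowed deny rule such as `block-db` is the more serious finding: the rule base appears to block the traffic, but the broad rule added earlier on request lets it through.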
This family includes all vulnerabilities relating to unforeseeable events such as breakdowns, accidents or even intentional damage to hardware.
It is in response to this family of vulnerabilities that we will analyse all the physical characteristics of a company, including access to the building, computer rooms and equipment, and we will also talk about a “Continuity Plan”. (SMEs: see Threats to infrastructure)
These would include:
- non-redundancy: be it for reasons relating to computer systems, software or physical conditions (temperature, current, etc.), the unavailability of a server or a database can lead to a service breakdown;
- lack of access control to physical elements: access to buildings, to computer rooms, connections or other elements should be limited so as to avoid any intentional or unintentional actions which could cause the total loss of the computer room or connections;
- poor preservation of backup storage media: backup storage media are often stored in the computer room, which renders them useless in the event of an incident;
- poor management of resources: resources must be correctly sized and closely monitored;
- absence of cable management: the absence of cable documentation can lead to unwanted disconnections, or even resources being made available on public networks.