CASES.LU

Vulnerabilities

Vulnerabilities are all the flaws in corporate assets that could be exploited by threats, with the aim of compromising them. This exploitation can cause significant impacts. New vulnerabilities are regularly discovered.

It is possible to gather vulnerabilities together into a number of families.

Human vulnerabilities

Human vulnerabilities essentially derive from feelings, behaviours and instincts that have helped humans survive since time immemorial. Unfortunately, these behaviours are so intrinsically linked to human nature that they are very often exploited in various social engineering type scams and attacks. This is why they are treated as vulnerabilities in the context of data security. (SMEs: see Threats to people)

Among these vulnerabilities are:

  • fear (often exploited by threats such as scareware)
  • pity
  • curiosity
  • libido
  • greed (often exploited by threats such as fake lotteries and Nigerian 419 scams)

Technical vulnerabilities

This family of vulnerabilities is by far the most fluid – it includes all vulnerabilities relating to the use of technology or solutions (hardware, software). Many people actively seek out vulnerabilities, and new flaws appear on a daily basis. (SMEs: see Threats to hardware and Threats to software)

These would include:

  • the presence of vulnerabilities in operating systems or software that could be exploited by malware, simply by visiting malicious websites;
  • the interoperability of IT and communications systems: to enable easy communications between different systems, additional layers of communication are often implemented, which can lead to the appearance of fresh vulnerabilities;
  • the complexity of rules on firewalls and routers: filtering and access rules introduced one at a time, on request, make it difficult to gain a comprehensive view of the effective policy.
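The last point is easy to demonstrate. The following is an added example, not code from CASES.LU: it evaluates a small, constructed first-match firewall rule list and reports rules that an earlier rule completely shadows (so they never take effect). A deny added "on request" after a broad allow is exactly the kind of rule that looks present in the configuration but has no effect in practice.

```python
"""Added example: detect shadowed rules in an ordered, first-match firewall rule list.

The rule list below is constructed for illustration and is not a real configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str            # "tcp", "udp" or "any"
    ports: tuple          # inclusive destination port range (low, high)


def rule(name, action, src, dst, proto, ports):
    """Convenience constructor that parses the CIDR strings."""
    return Rule(name, action, ip_network(src), ip_network(dst), proto, ports)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` would also match `outer`."""
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def find_shadowed(rules):
    """Return (shadowed_rule, shadowing_rule) pairs for a first-match rule list.

    A rule is shadowed when some earlier rule matches everything it would match,
    so it can never be reached. If the two actions differ, the policy the
    administrator believes is in place is not the one actually enforced.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append((later, earlier))
                break  # first shadowing rule is enough to explain the problem
    return findings


def effective_action(rules, src, dst, proto, port, default="deny"):
    """First-match evaluation of one packet: returns (action, rule name)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst and r.proto in ("any", proto)
                and r.ports[0] <= port <= r.ports[1]):
            return r.action, r.name
    return default, "implicit-default"


# Constructed rule list. Rules 3 and 4 were "added on request" after rule 2.
RULES = [
    rule("allow-web-from-lan", "allow", "10.0.0.0/8", "192.168.1.10/32", "tcp", (80, 443)),
    rule("allow-dns", "allow", "10.0.0.0/8", "192.168.1.53/32", "udp", (53, 53)),
    rule("allow-all-from-lan", "allow", "10.0.0.0/8", "192.168.1.0/24", "any", (1, 65535)),
    rule("deny-admin-from-lan", "deny", "10.0.0.0/8", "192.168.1.10/32", "tcp", (22, 22)),
    rule("allow-https-from-branch", "allow", "10.2.0.0/16", "192.168.1.10/32", "tcp", (443, 443)),
    rule("deny-any", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", (1, 65535)),
]

if __name__ == "__main__":
    for shadowed, by in find_shadowed(RULES):
        kind = "CONFLICT" if shadowed.action != by.action else "redundant"
        print(f"{kind}: '{shadowed.name}' is shadowed by '{by.name}'")
    print(effective_action(RULES, "10.1.1.1", "192.168.1.10", "tcp", 22))
```

Running it reports that the intended deny of port 22 from the LAN is a conflict shadowed by the broad allow, and that the branch HTTPS rule is merely redundant; the evaluation of a LAN host reaching port 22 confirms that the effective action is allow. Reviewing a rule base with a check like this, every time a rule is added, restores the comprehensive view the entry describes as missing.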

Physical vulnerabilities

This family includes all vulnerabilities relating to unforeseeable events such as breakdowns, accidents or even intentional damage to hardware.

It is in response to this family of vulnerabilities that we will analyse all the physical characteristics of a company, including access to the building, computer rooms and equipment, and we will also talk about a “Continuity Plan”. (SMEs: see Threats to infrastructure)

These would include:

  • non-redundancy: be it for reasons relating to computer systems, software or physical conditions (temperature, current, etc.), the unavailability of a server or a database can lead to a service breakdown;
  • lack of access control to physical elements: access to buildings, to computer rooms, connections or other elements should be limited so as to avoid any intentional or unintentional actions which could cause the total loss of the computer room or connections;
  • poor preservation of backup storage media: backup media are often stored in the computer room itself, which renders them useless in the event of an incident there;
  • poor management of resources: resources must be correctly sized and closely monitored;
  • absence of cable management: the absence of cable documentation can lead to unwanted disconnections, or even resources being made available on public networks.
