Saturday, 11 February 2006
Definition of System Vulnerabilities
A vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
Notice that the vulnerability can be a flaw or weakness in any aspect of the system. Vulnerabilities are not merely flaws in the technical protections provided by the system. Significant vulnerabilities are often contained in the standard operating procedures that systems administrators perform, in the process that the help desk uses to reset passwords, or in inadequate log review. Another area where vulnerabilities may be identified is at the policy level. For instance, a lack of a clearly defined security testing policy may be directly responsible for the lack of vulnerability scanning.
Here are a few examples of vulnerabilities related to contingency planning/disaster recovery:
• Inadequate information system recovery procedures for all processing areas (including networks)
• Not having alternate processing or storage sites
• Not having alternate communication services
• Not having clearly defined contingency directives and procedures
• Lack of a clearly defined, tested contingency plan
• The absence of adequate formal contingency training
• Lack of information (data and operating system) backups
Friday, 3 February 2006
Research on Network Architecture and IPv6 Technology
Undertook the National High Technology Development 863 Program of China, key projects of the National Natural Science Funds, and projects of the National Basic Research Program of China, in collaboration with the Department of Computer Science of Tsinghua University. Developed research on (1) next-generation Internet architecture and (2) IPv6 Source Address Validation Architecture.
Developed research on the architecture and key technologies of next-generation routers and switches, and on high-performance IPv4/IPv6 transition and interoperation methods. Developed the first IPv6/IPv4 dual-stack core router in China (BitEngine 12000 Series), in collaboration with the Department of Computer Science of Tsinghua University and Tsinghua Bitway Networking Co. Ltd.

Source : tsinghua.edu
Saturday, 21 January 2006
Identifying System Vulnerabilities
Vulnerabilities can be identified by numerous means. Different risk management schemes offer different methodologies for identifying vulnerabilities. In general, start with commonly available vulnerability lists or control areas. Then, working with the system owners or other individuals with knowledge of the system or organization, start to identify the vulnerabilities that apply to the system. Specific vulnerabilities can be found by reviewing vendor web sites and public vulnerability archives, such as Common Vulnerabilities and Exposures (CVE - http://cve.mitre.org) or the National Vulnerability Database (NVD - http://nvd.nist.gov). If they exist, previous risk assessments and audit reports are the best place to start.
Additionally, while the following tools and techniques are typically used to evaluate the effectiveness of controls, they can also be used to identify vulnerabilities:
• Vulnerability Scanners – Software that can examine an operating system, network application or code for known flaws by comparing the system (or system responses to known stimuli) to a database of flaw signatures.
• Penetration Testing – An attempt by human security analysts to exercise threats against the system. This includes operational vulnerabilities, such as social engineering.
• Audit of Operational and Management Controls – A thorough review of operational and management controls by comparing the current documentation to best practices (such as ISO 17799) and by comparing actual practices against current documented processes.
It is invaluable to have a base list of vulnerabilities that are always considered during every risk assessment in the organization. This practice ensures at least a minimum level of consistency between risk assessments. Moreover, vulnerabilities discovered during past assessments of the system should be included in all future assessments. Doing this allows management to understand that past risk management activities have been effective.
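As an added example (not part of the original post), here is a small Python model of the practice described above: a base list that every assessment considers, findings carried forward from the previous assessment and re-checked, new findings from a scanner or audit merged in, and a summary that shows management which past findings were actually closed. All identifiers, findings and the scenario are constructed for illustration.

```python
from dataclasses import dataclass
# Constructed base list, always considered in every assessment (ids made up,
# descriptions taken from the contingency-planning examples on this page).
BASE_LIST = {
    "CP-01": "Inadequate information system recovery procedures",
    "CP-02": "Lack of a clearly defined, tested contingency plan",
    "CP-03": "Lack of information (data and operating system) backups",
}

@dataclass
class Finding:
    vuln_id: str
    description: str
    source: str           # "base list", "previous assessment", "scanner", "audit"
    status: str = "open"  # "open", "remediated" or "not found"

def build_assessment(previous, new_findings, confirmed_open):
    """Assemble this cycle's register: base-list items are never dropped (only
    marked "not found"), past findings are re-checked rather than forgotten, and
    new scanner/audit findings are merged in as open. confirmed_open holds the
    ids the assessors verified as still present."""
    present = set(confirmed_open) | {f.vuln_id for f in new_findings}
    register = {}
    for vid, desc in BASE_LIST.items():
        register[vid] = Finding(vid, desc, "base list",
                                "open" if vid in present else "not found")
    for f in previous:
        register[f.vuln_id] = Finding(f.vuln_id, f.description, "previous assessment",
                                      "open" if f.vuln_id in present else "remediated")
    for f in new_findings:
        register[f.vuln_id] = Finding(f.vuln_id, f.description, f.source)
    return sorted(register.values(), key=lambda f: f.vuln_id)

def effectiveness(previous, current):
    """Report to management which of last cycle's open findings were closed."""
    prev_open = {f.vuln_id for f in previous if f.status == "open"}
    still_open = sorted(f.vuln_id for f in current
                        if f.vuln_id in prev_open and f.status == "open")
    return {"previously_open": len(prev_open),
            "remediated": len(prev_open) - len(still_open),
            "still_open": still_open}

def run_example():
    # Constructed scenario: three open findings last cycle, backups fixed since, one new scan finding.
    previous = [Finding("CP-02", BASE_LIST["CP-02"], "previous assessment"),
                Finding("CP-03", BASE_LIST["CP-03"], "previous assessment"),
                Finding("OPS-07", "Unverified help-desk password resets", "previous assessment")]
    new = [Finding("SCAN-12", "Outdated service version flagged by scanner", "scanner")]
    current = build_assessment(previous, new, confirmed_open={"CP-02", "OPS-07"})
    return current, effectiveness(previous, current)
```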