Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

The threat statement, or the list of potential threat-sources, should be tailored to the individual organization and its processing environment (e.g., end-user computing habits). In general, information on natural threats (e.g., floods, earthquakes, storms) should be readily available. Known threats have been identified by many government and private sector organizations. Intrusion detection tools also are becoming more prevalent, and government and industry organizations continually collect data on security events, thereby improving the ability to realistically assess threats. Sources of information include, but are not limited to, the following:


• Intelligence agencies (for example, the Federal Bureau of Investigation’s National Infrastructure Protection Center)

• Federal Computer Incident Response Center (FedCIRC)

• Mass media, particularly Web-based resources such as SecurityFocus.com, SecurityWatch.com, SecurityPortal.com, and SANS.org.

Output from Step 2A threat statement containing a list of threat-sources that could exploit system vulnerabilities 3.3 STEP 3: VULNERABILITY IDENTIFICATION

The analysis of the threat to an IT system must include an analysis of the vulnerabilities associated with the system environment. The goal of this step is to develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited by the potential threat-sources. Table 3-2 presents examples of vulnerability/threat pairs.

Table 3-2. Vulnerability/Threat Pairs

Vulnerability: Terminated employees’ system identifiers (ID) are not removed from the system
Threat-Source: Terminated employees
Threat Action: Dialing into the company’s network and accessing company proprietary data

Vulnerability: Company firewall allows inbound telnet, and guest ID is enabled on XYZ server
Threat-Source: Unauthorized users (e.g., hackers, terminated employees, computer criminals, terrorists)
Threat Action: Using telnet to XYZ server and browsing system files with the guest ID

Vulnerability: The vendor has identified flaws in the security design of the system; however, new patches have not been applied to the system
Threat-Source: Unauthorized users (e.g., hackers, disgruntled employees, computer criminals, terrorists)
Threat Action: Obtaining unauthorized access to sensitive system files based on known system vulnerabilities

Vulnerability: Data center uses water sprinklers to suppress fire; tarpaulins to protect hardware and equipment from water damage are not in place
Threat-Source: Fire, negligent persons
Threat Action: Water sprinklers being turned on in the data center

Recommended methods for identifying system vulnerabilities are the use of vulnerability sources, the performance of system security testing, and the development of a security requirements checklist. It should be noted that the types of vulnerabilities that will exist, and the methodology needed to determine whether the vulnerabilities are present, will usually vary depending on the nature of the IT system and the phase of the SDLC it is in:

• If the IT system has not yet been designed, the search for vulnerabilities should focus on the organization’s security policies, planned security procedures, and system requirement definitions, and the vendors’ or developers’ security product analyses (e.g., white papers).

• If the IT system is being implemented, the identification of vulnerabilities should be expanded to include more specific information, such as the planned security features described in the security design documentation and the results of system certification test and evaluation.

• If the IT system is operational, the process of identifying vulnerabilities should include an analysis of the IT system security features and the security controls, technical and procedural, used to protect the system.
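For an operational system, the third bullet above amounts to checking the live configuration against known vulnerability/threat pairs such as those in Table 3-2. The following Python script is an added illustration of that step and is not part of NIST SP 800-30; the inventory records (account names, host names, firewall rules and patch identifiers) are constructed sample data, and the three checks correspond to the first three rows of Table 3-2. Each check returns the matched pair together with the evidence that triggered it, which is what a Step 3 vulnerability list needs to carry forward into the likelihood and impact steps.

```python
"""Vulnerability identification checks for an operational IT system.

Added illustration; not part of NIST SP 800-30. The inventory records below
are constructed sample data. Each check mirrors one vulnerability/threat pair
from Table 3-2 and returns the pair plus the evidence that triggered it.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Finding:
    vulnerability: str
    threat_source: str
    threat_action: str
    evidence: list[str] = field(default_factory=list)


def check_terminated_accounts(active_ids: list[str], terminated: list[str]) -> list[Finding]:
    """Table 3-2, row 1: system IDs of terminated employees are still active."""
    stale = sorted(set(active_ids) & set(terminated))
    if not stale:
        return []
    return [Finding(
        "Terminated employees' system identifiers (ID) are not removed from the system",
        "Terminated employees",
        "Dialing into the company's network and accessing company proprietary data",
        stale,
    )]


def check_inbound_telnet_with_guest(firewall_rules: list[dict], hosts: dict[str, dict]) -> list[Finding]:
    """Table 3-2, row 2: inbound telnet is allowed AND a guest ID is enabled on a host."""
    telnet_allowed = any(
        r["direction"] == "inbound" and r["port"] == 23 and r["action"] == "allow"
        for r in firewall_rules
    )
    guest_hosts = sorted(h for h, cfg in hosts.items() if cfg.get("guest_id_enabled"))
    if not (telnet_allowed and guest_hosts):
        return []  # both conditions are needed for this pair to apply
    return [Finding(
        "Company firewall allows inbound telnet, and guest ID is enabled on server",
        "Unauthorized users (e.g., hackers, terminated employees, computer criminals, terrorists)",
        "Using telnet to the server and browsing system files with the guest ID",
        [f"guest ID enabled on {h}" for h in guest_hosts] + ["firewall rule: allow inbound tcp/23"],
    )]


def check_unapplied_vendor_patches(vendor_fixes: dict[str, list[str]],
                                   installed: dict[str, list[str]]) -> list[Finding]:
    """Table 3-2, row 3: vendor fixes for known design flaws have not been applied."""
    evidence: list[str] = []
    for host, fixes in vendor_fixes.items():
        missing = sorted(set(fixes) - set(installed.get(host, [])))
        evidence += [f"{host}: {fix} not applied" for fix in missing]
    if not evidence:
        return []
    return [Finding(
        "The vendor has identified flaws in the security design of the system; new patches have not been applied",
        "Unauthorized users (e.g., hackers, disgruntled employees, computer criminals, terrorists)",
        "Obtaining unauthorized access to sensitive system files based on known system vulnerabilities",
        evidence,
    )]


def identify_vulnerabilities(inventory: dict) -> list[Finding]:
    """Run every check over one inventory snapshot; an empty list means no pair matched."""
    findings: list[Finding] = []
    findings += check_terminated_accounts(inventory["active_ids"], inventory["terminated_employees"])
    findings += check_inbound_telnet_with_guest(inventory["firewall_rules"], inventory["hosts"])
    findings += check_unapplied_vendor_patches(inventory["vendor_fixes"], inventory["installed_patches"])
    return findings


# Constructed sample inventory: hypothetical user IDs, host names and patch IDs.
SAMPLE_INVENTORY = {
    "active_ids": ["asmith", "bjones", "cwu", "guest"],
    "terminated_employees": ["bjones", "dlee"],
    "firewall_rules": [
        {"direction": "inbound", "port": 22, "action": "allow"},
        {"direction": "inbound", "port": 23, "action": "allow"},
        {"direction": "inbound", "port": 3389, "action": "deny"},
    ],
    "hosts": {
        "xyz-server": {"guest_id_enabled": True},
        "db-server": {"guest_id_enabled": False},
    },
    "vendor_fixes": {"xyz-server": ["FIX-001", "FIX-002"], "db-server": ["FIX-010"]},
    "installed_patches": {"xyz-server": ["FIX-001"], "db-server": ["FIX-010"]},
}

if __name__ == "__main__":
    for f in identify_vulnerabilities(SAMPLE_INVENTORY):
        print(f"VULNERABILITY: {f.vulnerability}")
        print(f"  THREAT-SOURCE: {f.threat_source}")
        print(f"  THREAT ACTION: {f.threat_action}")
        for e in f.evidence:
            print(f"  evidence: {e}")
```

The row-2 check only fires when both conditions hold (telnet reachable from outside and a guest ID enabled), which is the point of pairing a vulnerability with a threat action rather than flagging each setting in isolation; the fourth row of Table 3-2 (sprinklers without tarpaulins) is a physical control and is not something a configuration check can observe, so it is left to the checklist method.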

3.3.1 Vulnerability Sources

The technical and nontechnical vulnerabilities a
