|
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface. Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.〔Foreman, P: ''Vulnerability Management'', page 1. Taylor & Francis Group, 2010. ISBN 978-1-4398-0150-5〕 This practice generally refers to software vulnerabilities in computing systems. A security risk may be classified as a vulnerability. The use of vulnerability with the same meaning of risk can lead to confusion. The risk is tied to the potential of a significant loss. Then there are vulnerabilities without risk: for example when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability — a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software, to when access was removed, a security fix was available/deployed, or the attacker was disabled—see zero-day attack. Security bug (security defect) is a narrower concept: there are vulnerabilities that are not related to software: hardware, site, personnel vulnerabilities are examples of vulnerabilities that are not software security bugs. Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities. ==Definitions== ISO 27005 defines vulnerability as:〔 :''A weakness of an asset or group of assets that can be exploited by one or more threats'' where an ''asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization's mission''〔British Standard Institute, Information technology -- Security techniques -- Management of information and communications technology security -- Part 1: Concepts and models for information and communications technology security management BS ISO/IEC 13335-1-2004〕 IETF RFC 2828 define vulnerability as:〔Internet Engineering Task Force RFC 2828 Internet Security Glossary〕 :''A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy'' The Committee on National Security Systems of United States of America defined vulnerability in CNSS Instruction No. 4009 dated 26 April 2010 National Information Assurance Glossary:〔(CNSS Instruction No. 4009 ) dated 26 April 2010〕 :''Vulnerability — Weakness in an IS, system security procedures, internal controls, or implementation that could be exploited'' Many NIST publications define vulnerability in IT contest in different publications: FISMApedia〔(【引用サイトリンク】title=FISMApedia )〕 term〔(【引用サイトリンク】title=Term:Vulnerability )〕 provide a list. Between them SP 800-30,〔(NIST SP 800-30 Risk Management Guide for Information Technology Systems )〕 give a broader one: :''A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy. '' ENISA defines vulnerability in〔(【引用サイトリンク】title=Glossary )〕 as: :''The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event () compromising the security of the computer system, network, application, or protocol involved.(ITSEC)'' The Open Group defines vulnerability in〔Technical Standard Risk Taxonomy ISBN 1-931624-77-1 Document Number: C081 Published by The Open Group, January 2009.〕 as: :''The probability that threat capability exceeds the ability to resist the threat''. Factor Analysis of Information Risk (FAIR) defines vulnerability as:〔("An Introduction to Factor Analysis of Information Risk (FAIR)", Risk Management Insight LLC, November 2006 );〕 :''The probability that an asset will be unable to resist the actions of a threat agent'' According FAIR vulnerability is related to Control Strength, i.e. the strength of a control as compared to a standard measure of force and the threat Capabilities, i.e. the probable level of force that a threat agent is capable of applying against an asset. ISACA defines vulnerability in Risk It framework as: :''A weakness in design, implementation, operation or internal control'' Data and Computer Security: Dictionary of standards concepts and terms, authors Dennis Longley and Michael Shain, Stockton Press, ISBN 0-935859-17-9, defines vulnerability as: :''1) In computer security, a weakness in automated systems security procedures, administrative controls, Internet controls, etc., that could be exploited by a threat to gain unauthorized access to information or to disrupt critical processing. 2) In computer security, a weakness in the physical layout, organization, procedures, personnel, management, administration, hardware or softwarethat may be exploited to cause harm to the ADP system or activity. 3) In computer security, any weakness or flaw existing in a system. The attack or harmful event, or the opportunity available to a threat agent to mount that attack.'' Matt Bishop and Dave Bailey〔Matt Bishop and Dave Bailey. A Critical Analysis of Vulnerability Taxonomies. Technical Report CSE-96-11, Department of Computer Science at the University of California at Davis, September 1996〕 give the following definition of computer vulnerability: :''A computer system is composed of states describing the current configuration of the entities that make up the computer system. The system computes through the application of state transitions that change the state of the system. All states reachable from a given initial state using a set of state transitions fall into the class of authorized or unauthorized, as defined by a security policy. In this paper, the definitions of these classes and transitions is considered axiomatic. A vulnerable state is an authorized state from which an unauthorized state can be reached using authorized state transitions. A compromised state is the state so reached. An attack is a sequence of authorized state transitions which end in a compromised state. By definition, an attack begins in a vulnerable state. A vulnerability is a characterization of a vulnerable state which distinguishes it from all non-vulnerable states. If generic, the vulnerability may characterize many vulnerable states; if specific, it may characterize only one...'' National Information Assurance Training and Education Center defines vulnerability: 〔Schou, Corey (1996). Handbook of INFOSEC Terms, Version 2.0. CD-ROM (Idaho State University & Information Systems Security Organization)〕〔(NIATEC Glossary )〕 :''A weakness in automated system security procedures, administrative controls, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing. 2. A weakness in system security procedures, hardware design, internal controls, etc. , which could be exploited to gain unauthorized access to classified or sensitive information. 3. A weakness in the physical layout, organization, procedures, personnel, management, administration, hardware, or software that may be exploited to cause harm to the ADP system or activity. The presence of a vulnerability does not in itself cause harm; a vulnerability is merely a condition or set of conditions that may allow the ADP system or activity to be harmed by an attack. 4. An assertion primarily concerning entities of the internal environment (assets); we say that an asset (or class of assets) is vulnerable (in some way, possibly involving an agent or collection of agents); we write: V(i,e) where: e may be an empty set. 5. Susceptibility to various threats. 6. A set of properties of a specific internal entity that, in union with a set of properties of a specific external entity, implies a risk. 7. The characteristics of a system which cause it to suffer a definite degradation (incapability to perform the designated mission) as a result of having been subjected to a certain level of effects in an unnatural (manmade) hostile environment.'' 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「Vulnerability (computing)」の詳細全文を読む スポンサード リンク
|