Chapter 4 Identifying Vulnerabilities

Vulnerability: a weakness or absence of a security control that could be exploited by a threat.
Allows a threat to harm the system.
Most are not discovered until misused.

Sources: security advisories from vendors & security organizations (CERT, CIAC), mailing lists.

Location:
Hardware & firmware (eg. BIOS): only a small portion.
Software: OS & applications. Most prevalent type of vulnerability, and the most exploited.
Infrastructure: power grid, telecom. Outside your control.
Processes: policies misinterpreted & not properly implemented.

Known vulnerabilities: largest part of successful attacks. Hacker tools available, make vulnerabilities exploitable by anyone. Patches available quickly, but need to be applied diligently.

Most security issues come from SW with poorly designed (or no) security.
Single-user, unitasking standalone systems (eg. DOS) have become multiuser, multitasking networked Windows systems, connected to the Internet.
Nearly impossible to effectively add security to a system after it's designed.

Need to trust your SW suppliers if you can't inspect the source code. SW is liability-free.
SW security testing: unexpected inputs
buffer overflow
race condition: processes run at unexpected times/in unexpected orders
exception/error handling
interfaces: validate input
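Added example (not from the chapter notes): the "unexpected inputs" items above in code. A fixed-size name field is filled from untrusted input; the unchecked version trusts the input length and overflows on anything of 16 bytes or more, while the checked version validates at the interface (length, terminator, character set) and reports an error instead of writing past the field. The record type, NAME_LEN and the sample inputs are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

#define NAME_LEN 16   /* fixed-size field, as in a record or protocol layout */

/* Hypothetical record type for the example; not taken from the notes. */
struct record {
    char name[NAME_LEN];
};

/* Vulnerable pattern: trusts whatever length the caller supplies. Any input of
 * NAME_LEN bytes or more writes past the end of 'name' (buffer overflow).
 * Shown for contrast only and never called with overlong input here. */
void set_name_unchecked(struct record *r, const char *input)
{
    strcpy(r->name, input);
}

/* Hardened pattern: validate at the interface before touching the buffer.
 * Returns 0 on success, -1 when the input is rejected (NULL, empty, too long,
 * or containing characters outside the expected set). On rejection the record
 * is left unchanged, so a failed call cannot leave a half-written field. */
int set_name_checked(struct record *r, const char *input)
{
    const char *end;
    size_t len;

    if (r == NULL || input == NULL)
        return -1;
    /* memchr looks at most NAME_LEN bytes: an unterminated or overlong input is
     * rejected without ever reading past the field size. */
    end = memchr(input, '\0', NAME_LEN);
    if (end == NULL)
        return -1;                  /* no terminator within NAME_LEN: too long */
    len = (size_t)(end - input);
    if (len == 0)
        return -1;                  /* an empty name is unexpected input too */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)input[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return -1;              /* reject anything outside [A-Za-z0-9_-] */
    }
    memcpy(r->name, input, len + 1); /* includes the terminator */
    return 0;
}

/* Exercises the checked version with constructed inputs: a normal name, a
 * 32-byte name that would overflow the unchecked version, and a name carrying
 * an unexpected character. Returns 1 if every case behaved as intended. */
int demo_unexpected_input(void)
{
    struct record r;
    memset(&r, 0, sizeof r);
    int ok       = set_name_checked(&r, "alice");
    int too_long = set_name_checked(&r, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
    int bad_char = set_name_checked(&r, "bob<x");
    return ok == 0 && too_long == -1 && bad_char == -1
        && strcmp(r.name, "alice") == 0;
}

int main(void)
{
    printf("checked input handling %s\n",
           demo_unexpected_input() ? "ok" : "FAILED");
    return 0;
}
```

The check is done once, at the interface, and the caller gets an explicit error code: that is the error-handling item from the list as well, since silently truncating would also be a way of accepting unexpected input.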

Innovative misuse: hard for developers to imagine. A tiger team attacks the system as a hacker would.
Incorrect implementation:
bad admin
bad documentation
bad mistake
Security depends on system implementation, installation, administration.
E.g. one wrong permission on one file (weak link) can lose the enterprise.
Minimal security out of the box. Security viewed as an add-on (still?), which adds to the admin burden and reduces admin productivity.
Admin training important: their errors are worse than user errors.
Security documents are limited & difficult to locate.
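Added example (not from the chapter notes) for the "one wrong permission on one file" weak link above, written as the check an administrator would script rather than the mistake: it reports whether a file is writable by everyone. It also picks up the race-condition item from the SW testing list, since the check is made on the open descriptor with fstat() instead of on the path with stat(), so the file examined is the same file that is subsequently used. The /tmp path template and the 0666/0644 modes are assumptions for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* for mkstemp, fchmod, fstat, O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if the open file is writable by "other" (the o+w bit), 0 if not,
 * -1 on error. Checking the descriptor with fstat() rather than the path with
 * stat() means the verdict is about the same file the caller holds open; a
 * stat()-then-open() sequence would be a check-then-use race condition. */
int fd_is_world_writable(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return (st.st_mode & S_IWOTH) ? 1 : 0;
}

/* Opens 'path' and reports on it via fd_is_world_writable(). O_NOFOLLOW keeps a
 * symlink placed at the path from redirecting the check to another file. */
int path_is_world_writable(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    int result = fd_is_world_writable(fd);
    close(fd);
    return result;
}

/* Demonstration on a constructed temporary file: give it the "weak link" mode
 * 0666, check, then correct it to 0644 and check again. Returns 1 when both
 * checks behave as expected, 0 otherwise. The path template is hypothetical. */
int demo_weak_link(void)
{
    char path[] = "/tmp/weaklink-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    int before = (fchmod(fd, 0666) == 0) ? fd_is_world_writable(fd) : -1;
    int after  = (fchmod(fd, 0644) == 0) ? fd_is_world_writable(fd) : -1;
    /* Also check through the path-based entry point while the file exists. */
    int via_path = path_is_world_writable(path);
    close(fd);
    unlink(path);
    return before == 1 && after == 0 && via_path == 0;
}

int main(void)
{
    printf("weak-link permission check %s\n",
           demo_weak_link() ? "ok" : "FAILED");
    return 0;
}
```

Run over a configuration directory, the same function flags the single misconfigured file the notes warn about; the descriptor-based check is what keeps the audit result honest on a system where other users can create or replace files between the check and the use.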

Social engineering: effective persuasion and conning, using sympathy, empathy, flattery, intimidation.