Vulnerabilities


Regardless of the hackers' motivation, they intrude on networks by exploiting vulnerabilities, and the consequences can range from embarrassment to significant downtime and revenue losses.

Key Point

A vulnerability is defined as a characteristic of a system that allows someone to use it in a suboptimal manner or allows unauthorized users to take control of the system in part or entirely.


Vulnerabilities usually fall into one of the following categories:

  • Design issues

  • Human issues

  • Implementation issues

Design Issues

Design issues refer to inherent problems with functionality because of operating system, application, or protocol flaws.

Human Issues

The human issues category of vulnerabilities refers to administrator and user errors, such as unsecured user accounts, unsecured devices, or open devices (devices that have not been hardened).

Hardening a Box

When they ship, many servers' operating systems and network appliances are, by default, open. It is the system administrator's responsibility to harden a device. Hardening a device refers to the process of closing unused ports and limiting the functionality of some features. An example of hardening a box would be to close ports that are not being used on a UNIX web server that, by default, might have its ports 21, 23, and 25 open. In this case, only port 80 should be active.
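One way to check the result of the hardening described above, as an added example that is not from the book: the function compares a host's listening TCP ports against an allowlist and reports the rest. It assumes a Linux host with the iproute2 `ss` tool; the function names and the sample listener table are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening TCP ports that are not on an allowlist.
# Input is in the format of `ss -H -tln`; field 4 is "local-address:port".

# unexpected_listeners ALLOWED_PORT...
# Reads ss-style lines on stdin and prints "port bind-address scope" for each
# listener whose port is not allowed. scope is "local" for loopback-only binds
# (not reachable from the network) and "network" for everything else.
unexpected_listeners() {
    awk -v allowed="$*" '
        BEGIN {
            n = split(allowed, list, " ")
            for (i = 1; i <= n; i++) ok[list[i]] = 1
        }
        $1 == "LISTEN" {
            # The port follows the last colon; IPv6 binds such as [::]:80
            # contain earlier colons that belong to the address.
            k = split($4, part, ":")
            port = part[k]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port in ok) next
            scope = (addr ~ /^127\./ || addr == "[::1]") ? "local" : "network"
            print port, addr, scope
        }' | sort -n | uniq
}

# Constructed sample: an unhardened web server with FTP (21), Telnet (23)
# and SMTP (25) still listening next to HTTP (80).
sample_listeners() {
    cat <<'EOF'
LISTEN 0      128          0.0.0.0:21        0.0.0.0:*
LISTEN 0      128          0.0.0.0:23        0.0.0.0:*
LISTEN 0      100        127.0.0.1:25        0.0.0.0:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      511             [::]:80           [::]:*
EOF
}

# On a live host: ss -H -tln | unexpected_listeners 80
sample_listeners | unexpected_listeners 80
```

Empty output means every listener is on the allowlist; a "local" entry is lower priority than a "network" one but is still a service that has not been turned off.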


Implementation Issues

Implementation issues deal with creation, configuration, and enforcement of security policies, such as password policies, remote-access policies, Internet usage policies, e-mail policies, and so on.

Because technological advancement usually precedes policy formulation, the organization must promote a secure culture where users know how to extrapolate from current policies to judge actions to be taken when faced with a new networking situation.

For example, an organization might not have had a wireless policy when the first low-cost wireless access point (WAP) became available. Even if it was not specifically detailed in a policy that an employee can't connect his own WAP to the network, he should be able to draw that inference.




Campus Network Design Fundamentals
ISBN: 1587052229
Year: 2005
Pages: 156
