Impact Associated with Types of Vulnerabilities

Race Conditions

A race condition attack happens when a computing system that's designed to handle tasks in a specific sequence is forced to perform two or more operations simultaneously.

End-of-Life System

With End-of-Life technology, patches, bug fixes and security upgrades automatically stop. As a result, your product security is essentially at a dead halt.

Embedded Systems

An embedded system is a computer system with a dedicated function within a larger mechanical or electrical system. Embedded systems are vulnerable to a range of abuses that can aim at stealing private information, draining the power supply, destroying the system, or hijacking the system for other than its intended purpose.

Lack of Vendor Support

This term is typically used along side End-of-Life systems. When a product is EoL vendors stop providing support and patches which leaves your system vulnerable. Vendors will often stop providing support and EoL a device to push customers to buy a new version.

Improper Input Handling

Improper Input Handling is the term used to describe functions such as validation, sanitization, filtering, or encoding and/or decoding of input data. Improper Input Handling is a leading cause of critical vulnerabilities that exist in today's systems and applications.

Improper Error Handling

Improper error handling results when security mechanisms fail to deny access until it's specifically granted. This may occur as a result of a mismatch in policy and coding practice. It may also result from code that lacks appropriate error handling logic. For example, a system may grant access until it's denied.

Misconfiguration/Weak Configuration

An incorrect or subobtimal configuration of an information system or system component that may lead to vulnerabilities.

Default Configuration

According to the principle of default configuration, controls should default to the most secure condition. Modifications to the strength of a control should require a formal acceptance of the associated risk. Therefore, a less secure configuration is an unacceptable default for any control.

Resource Exhaustion

Resource exhaustion is a simple denial of service condition that happens when the resources required to execute an action are entirely expended, preventing that action from occurring. The most common outcome of resource exhaustion is denial of service.

Untrained Users

With out proper commitment to training, your employees will do more harm to your reputation than a horde of hackers. As famed hacker Kevin Mitnik observed recently, "You can have the best technology, firewalls, intrusion-detection systems, biometric devices. All it takes is a call to an unsuspecting employee, and that's all she wrote, baby. They got everything."

Improperly Configured Accounts

More likely a process rather than technical issue, improperly configured accounts can give users much higher access privileges than their jobs require. Problems can also result when accounts aren’t reconfigured after a user changes roles, or aren’t deleted at all.

Vulnerable Business Processes

Business processes that have not been secured properly.

Weak Cipher Suits and Implementations

A weak cipher is defined as an encryption/decryption algorithm that uses a key of insufficient length.

Memory/Buffer Vulnerabilities

-Memory Leak -Integer Overflow -Buffer Overflow -Pointer Dereference -DLL Injection

Memory Leak

A failure in a program to release discarded memory, causing impaired performance or failure. -dictionary

Integer Overflow

Integer overflow is the result of trying to place into computer memory an integer (whole number) that is too large for the integer data type in a given system.

Buffer Overflow

A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Adversaries exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.

Pointer Dereference

Lorem ipsum dolor sit amet consectetur adipiscing elit dolor

DLL Injection

A technique used for running code within the address space of another process by forcing it to load a dynamic-link library.

System Sprawl/ Undocumented Assets

System sprawl refers to the expansion of systems over time where the growth exceeds the documentation and understanding. Undocumented assets are parts of the system that aren't documented or otherwise known by the whole team.

Architecture/ Design Weaknesses

Software design weaknesses such as misunderstanding architecturally significant requirements, poor architectural implementation, violation of design principles in the source code and degradations of the security architecture. Weaknesses in the architecture of a software system can have a greater impact on various security concerns in the system and, as a result, give more space and flexibility for malicious users. -G. McGraw. Software security: building security in, volume 1. AddisonWesley Professional, 2006.

New Threats/Zero Day

A computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability.

Improper Certificate

Lorem ipsum dolor sit amet consectetur adipiscing elit dolor

Key Management

The activities involving the handling of cryptographic keys and other related security parameters (e.g. passwords) during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and destruction.