Description should include:
- defining vulnerability as a flaw in a system that can leave it open to attack; it may also refer to any type of weakness in a computer system, in a set of procedures, or in anything that leaves information security exposed to a threat
- understanding that many technical vulnerabilities historically have occurred due to flaws in software
- describing elements that make a system vulnerable, such as
  - human factors (e.g., gullibility, negligence, or malicious intent)
  - system susceptibility or flaw
  - attacker access to the flaw
  - attacker capability to exploit the flaw
- explaining the effect of a vulnerability on a system (e.g., compromised confidentiality, integrity, or availability of resources)
- discussing flaws in software that can lead to vulnerabilities, such as
  - buffer overflow or broken authentication and session management
  - injection vulnerabilities
  - input validation
  - privilege confusion
  - session handling
  - obsolete versions
- evaluating vulnerabilities as they relate to
  - physical facilities and the environment of the system or the personnel working with the system
  - operational procedures, including security measures
  - business operations
  - hardware
  - software
  - communication equipment and network (individually or in combination).
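The software flaws listed above (injection and missing input validation in particular) are easiest to understand side by side with their fix. The following is an added example, not part of the course outline: a lookup that splices untrusted input into SQL text, the same lookup written with a parameterized query, and an allow-list validation step in front of it. It uses only the Python standard library; the in-memory table, its rows, and the inputs are constructed sample data.

```python
"""Added example (not part of the course outline): an injection flaw caused by
missing input validation, shown next to its hardened form. Standard library
only; the table, rows and inputs are constructed sample data."""
import re
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Flaw: the untrusted value is pasted into the SQL text, so the input can
    change the structure of the query (an injection vulnerability)."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, username):
    """Fix: a parameterized query keeps data separate from code; the driver
    binds the value and never interprets it as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Allow-list for usernames (an assumption of this example): lowercase letter,
# then up to 31 letters, digits or underscores.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def validate_username(username):
    """Defence in depth: reject anything that is not a plausible username
    before it reaches any query, whether or not the query is parameterized."""
    return bool(USERNAME_RE.match(username))


def lookup_validated(conn, username):
    """Validation first, then the parameterized query."""
    if not validate_username(username):
        raise ValueError("invalid username")
    return lookup_hardened(conn, username)


if __name__ == "__main__":
    conn = make_db()
    benign = "bob"
    # Constructed input that closes the quoted literal and appends a condition
    # that is always true; it demonstrates the flaw, nothing more.
    hostile = "x' OR '1'='1"
    print(lookup_vulnerable(conn, benign))   # ['bob']
    print(lookup_vulnerable(conn, hostile))  # every user: WHERE clause became always-true
    print(lookup_hardened(conn, hostile))    # []: treated as a literal username, no match
    print(validate_username(hostile))        # False: rejected before any query runs
```

The two defences are independent: the parameterized query removes the injection flaw on its own, and the allow-list check limits what can reach any query at all, which also catches mistakes elsewhere in the code that still build SQL by hand.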
Process/Skill Questions:
- What are the top five cybersecurity vulnerabilities?
- How have historical flaws in software applications been improved to cut down on vulnerability and threat?
- What cryptographic problems could be seen as a vulnerability?