This appendix lists vulnerabilities likely to affect a wide variety of organizations. The list is not comprehensive and, because it is static, will not remain current. Therefore, during the Assessing Risk phase of your project, remove the vulnerabilities that are not relevant to your organization and add newly identified ones. The list is provided as a reference and a starting point to help your organization get underway.
| Vulnerability Class | Vulnerability | Example |
|---|---|---|
| High-level vulnerability class | Brief description of the vulnerability | Specific example (if applicable) |
| Physical | Unlocked doors | |
| Physical | Unguarded access to computing facilities | |
| Physical | Insufficient fire suppression systems | |
| Physical | Poorly designed buildings | |
| Physical | Poorly constructed buildings | |
| Physical | Flammable materials used in construction | |
| Physical | Flammable materials used in finishing | |
| Physical | Unlocked windows | |
| Physical | Walls susceptible to physical assault | |
| Physical | Interior walls do not completely seal the room at both the ceiling and floor | |
| Natural | Facility located on a fault line | |
| Natural | Facility located in a flood zone | |
| Natural | Facility located in an avalanche area | |
| Hardware | Missing patches | |
| Hardware | Outdated firmware | |
| Hardware | Misconfigured systems | |
| Hardware | Systems not physically secured | |
| Hardware | Management protocols allowed over public interfaces | |
| Software | Out-of-date antivirus software | |
| Software | Missing patches | |
| Software | Poorly written applications | Cross-site scripting |
| Software | Poorly written applications | SQL injection |
| Software | Poorly written applications | Code weaknesses such as buffer overflows |
| Software | Deliberately placed weaknesses | Vendor backdoors for management or system recovery |
| Software | Deliberately placed weaknesses | Spyware such as keyloggers |
| Software | Deliberately placed weaknesses | Trojan horses |
| Software | Deliberately placed weaknesses | |
| Software | Configuration errors | Manual provisioning leading to inconsistent configurations |
| Software | Configuration errors | Systems not hardened |
| Software | Configuration errors | Systems not audited |
| Software | Configuration errors | Systems not monitored |
| Media | Electrical interference | |
| Communications | Unencrypted network protocols | |
| Communications | Connections to multiple networks | |
| Communications | Unnecessary protocols allowed | |
| Communications | No filtering between network segments | |
| Human | Poorly defined procedures | Insufficient incident response preparedness |
| Human | Poorly defined procedures | Manual provisioning |
| Human | Poorly defined procedures | Insufficient disaster recovery plans |
| Human | Poorly defined procedures | Testing on production systems |
| Human | Poorly defined procedures | Violations not reported |
| Human | Poorly defined procedures | Poor change control |
| Human | Stolen credentials | |