See:
Said when sensitive information is left exposed to access by unauthorized entities. The event may be accidental or deliberate.
(I) A type of threat action whereby sensitive data is directly released to an unauthorized entity. (See: unauthorized disclosure.)
Usage: This type of threat action includes the following subtypes:
· "Deliberate Exposure": Intentional release of sensitive data to an unauthorized entity.
· "Scavenging": Searching through data residue in a system to gain unauthorized knowledge of sensitive data.
· "Human error": /exposure/ Human action or inaction that unintentionally results in an entity gaining unauthorized knowledge of sensitive data. (Compare: corruption, incapacitation.)
· "Hardware or software error": /exposure/ System failure that unintentionally results in an entity gaining unauthorized knowledge of sensitive data. (Compare: corruption, incapacitation.)
[RFC4949:2007]
An information security "exposure" is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.
CVE considers a configuration issue or a mistake an exposure if it does not directly allow compromise but could be an important component of a successful attack, and is a violation of a reasonable security policy.
http://www.cve.mitre.org/