That which can be wounded or harmed, physically or morally. DRAE. Diccionario de la Lengua Española.
Weakness of an asset or of a control that can be exploited by one or more threats. [UNE-ISO/IEC 27000:2014]
Intrinsic properties of something that result in susceptibility to a risk source that can lead to an event with a consequence. [UNE Guía 73:2010]
A weakness that can be exploited by a Threat. For example, an open port on the firewall, a password that is never changed, or a flammable carpet. A missing Control is also considered a Vulnerability. [ITIL:2007]
Weakness or lack of control that would allow or facilitate a threat acting against a target or resource of the System.
Security weakness of a system that makes it susceptible to being damaged when exploited by a threat. [CCN-STIC-400:2006]
Error in a program or a flaw in the configuration that can allow an attacker to gain unauthorized access to the system. [CCN-STIC-431:2006]
Defect or weakness in the design, implementation or operation of a system that enables or facilitates the materialization of a threat. [Magerit:2012]
Weakness of an asset or group of assets that can be exploited by one or more threats. [UNE-71504:2008]
Error or weakness which, if exploited, may expose the system to risk, intentionally or not.
http://es.pcisecuritystandards.org
Characteristic of an entity that can constitute a weakness or a flaw from the point of view of information systems security. [EBIOS:2005]
1. Weakness of the Target of Evaluation (due to errors in its analysis, design, implementation or operation) (ITSEC).
2. Weakness in the protection system of an asset.
3. Susceptibility of a system or product to suffer damage from specific attacks.
[Ribagorda:1997]
Weakness in the security of an information system. It may be:
· Exploitable: a vulnerability that can be exploited in practice to break a security objective.
· Potential: a suspected vulnerability that could be used to break a security objective, but whose possibility, exploitation or existence has not yet been demonstrated.
[CESID:1997]
weakness of an asset or
control that can be exploited by one or more threats [ISO/IEC 27000:2014]
A vulnerability refers to a weakness in a system that can be utilized by an attacker to damage the system, obtain unauthorized access, execute arbitrary code, or otherwise exploit the system. [knapp:2014]
The process of scanning networks to find hosts or assets, and probing those hosts to determine vulnerabilities. Vulnerability assessment can be automated using a vulnerability assessment scanner, which will typically examine a host to determine the version of the operating system and all running applications, which can then be compared against a repository of known software vulnerabilities to determine where patches should be applied. [knapp:2014]
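The version-comparison step that definition describes, as an added example that is not part of the original glossary nor of any scanner product: a host inventory, in the shape a scanner would report it, is matched against a repository of advisories. The host addresses, product names, versions and advisory identifiers are constructed placeholders, and the rule "affected if the installed version is older than the version that contains the fix" is an assumption of this example.

```python
"""Added example: the inventory-versus-repository matching step of a
vulnerability assessment. All data below is CONSTRUCTED sample data;
the product names, versions and advisory identifiers are placeholders,
not real products or advisories."""
import re
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'2.4.49' -> (2, 4, 49); '8.5p1' -> (8, 5).
    Comparing tuples of ints keeps '2.4.9' < '2.4.49', which a plain
    string comparison gets wrong. Non-numeric suffixes are dropped
    (an assumption of this example, not a general rule)."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, not a real advisory
    product: str
    fixed_in: str      # first version that contains the fix


# Constructed "repository of known software vulnerabilities".
REPO = [
    Advisory("ADV-SAMPLE-001", "examplehttpd", "2.4.50"),
    Advisory("ADV-SAMPLE-002", "examplessh", "8.5"),
]

# Constructed host inventory as a scanner would produce it:
# host -> {product: installed version}
INVENTORY = {
    "10.0.0.5": {"examplehttpd": "2.4.49", "examplessh": "8.9"},
    "10.0.0.7": {"examplehttpd": "2.4.51", "examplessh": "8.2"},
    "10.0.0.9": {"examplessh": "8.5"},
}


def is_affected(installed: str, fixed_in: str) -> bool:
    """Affected when the installed version is strictly older than the fix."""
    return parse_version(installed) < parse_version(fixed_in)


def assess(inventory, repo):
    """Return {host: [(product, installed_version, advisory_id), ...]}
    listing, per host, each product running a version older than the fix,
    i.e. where a patch should be applied."""
    findings = {}
    for host, services in inventory.items():
        hits = []
        for adv in repo:
            installed = services.get(adv.product)
            if installed is not None and is_affected(installed, adv.fixed_in):
                hits.append((adv.product, installed, adv.advisory_id))
        if hits:
            findings[host] = hits
    return findings


if __name__ == "__main__":
    for host, hits in assess(INVENTORY, REPO).items():
        for product, installed, adv_id in hits:
            print(f"{host}: {product} {installed} needs patch ({adv_id})")
```

Two caveats a practitioner should keep in mind: a version-only comparison cannot see vendor backports (a distribution package that keeps the old version string but ships the fix), so it produces false positives on such hosts, and it cannot see configuration weaknesses at all; a real assessment combines this version check with authenticated checks and configuration audits.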
Weakness in an information
system, system security procedures, internal controls, or implementation that
could be exploited by a threat source. [CNSSI_4009:2010]
See vulnerability
assessment. [CNSSI_4009:2010]
Systematic examination of an
information system or product to determine the adequacy of security measures,
identify security deficiencies, provide data from which to predict the effectiveness
of proposed security measures, and confirm the adequacy of such measures after
implementation. [CNSSI_4009:2010]
intrinsic properties of
something resulting in susceptibility to a risk source that can lead to an
event with a consequence [ISO Guide 73:2009]
physical feature or
operational attribute that renders an entity open to exploitation or
susceptible to a given hazard
Example: Installation of
vehicle barriers may remove a vulnerability related to attacks using
vehicle-borne improvised explosive devices.
Extended Definition:
characteristic of design, location, security posture, operation, or any
combination thereof, that renders an asset, system, network, or entity
susceptible to disruption, destruction, or exploitation
Annotation: In calculating
risk of an intentional hazard, the common measurement of vulnerability is the
likelihood that an attack is successful, given that it is attempted.
DHS Risk
Lexicon, September 2008
process for identifying
physical features or operational attributes that render an entity, asset,
system, network, or geographic area susceptible or exposed to hazards
Example: The team conducted
a vulnerability assessment on the ship to determine how it might be exploited
or attacked by an adversary.
Annotation: Vulnerability
assessments can produce comparable estimates of vulnerabilities across a
variety of hazards or assets, systems, or networks.
DHS Risk
Lexicon, September 2008
Flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.
https://www.pcisecuritystandards.org/security_standards/glossary.php
A weakness in design,
implementation, operation or internal control [RiskIT-PG:2009]
Any event where a material
increase in vulnerability results. Note that this increase in vulnerability can
result from changes in control conditions or from changes in threat
capability/force. [RiskIT-PG:2009]
(I) A flaw or weakness in a
system's design, implementation, or operation and management that could be
exploited to violate the system's security policy. (See: harden.) [RFC4949:2007]
A weakness that could be
exploited by a Threat. For example an open firewall port, a password that is
never changed, or a flammable carpet. A missing Control is also considered to
be a Vulnerability. [ITIL:2007]
Weakness in an information
system, system security procedures, internal controls, or implementation that
could be exploited or triggered by a threat source. [FIPS-200:2006] [NIST-SP800-53:2013]
Flaw, weakness or property of the design or implementation of an information system (including its security controls) or its environment that could be intentionally or unintentionally exploited to adversely affect an organization's assets or operations. [ISO-19790:2006]
a weakness in the TOE that
can be used to violate the SFRs in some environment.
TOE - Target of Evaluation
SFR - Security Functional
Requirement
[CC:2006]
weakness that cannot be
exploited in the operational environment for the TOE, but that could be used to
violate the SFRs by an attacker with greater attack potential than is
anticipated in the operational environment for the TOE.
TOE - Target of Evaluation
SFR - Security Functional
Requirement
[CC:2006]
A defect or weakness in
system security procedure, design, implementation, or internal control that an
attacker can exploit. A vulnerability can exist in one or more of the
components making up a system, even if those components aren't necessarily
involved with security functionality.
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/risk/248-BSI.html
Characteristic of an entity
that can constitute a weakness or flaw in terms of information systems
security. [EBIOS:2005]
A weakness in a system,
application, or network that is subject to exploitation or misuse. [NIST-SP800-61:2004]
A weakness or lack of
controls that would allow or facilitate a threat actuation against a specific
asset or target. [CRAMM:2003]
An information security "vulnerability" is a mistake in software that can be directly used by a hacker to gain access to a system or network.
CVE considers a mistake a vulnerability if it allows an attacker to use it to violate a reasonable security policy for that system (this excludes entirely "open" security policies in which all users are trusted, or where there is no consideration of risk to the system).
http://www.cve.mitre.org/
The susceptibility of
information to exploitation by an adversary.
http://www.ioss.gov/docs/definitions.html
A hardware, firmware,
communication, or software flaw that leaves a computer processing system open
for potential exploitation, either externally or internally, thereby resulting
in risk for the owner, user, or manager of the system. [IRM-5239-8:1995]
A flaw or weakness in the design or implementation of an information system (including security procedures and security controls associated with the system) that could be intentionally or unintentionally exploited to adversely affect an agency's operations (including missions, functions, and public confidence in the agency), an agency's assets, or individuals (including privacy) through a loss of confidentiality, integrity, or availability. [NIST-SP800-60V2:2004]
A weakness in system security requirements, design, implementation, or operation, that could be accidentally triggered or intentionally exploited and result in a violation of the system's security policy. [NIST-SP800-27:2004]
a security weakness in a
Target of Evaluation (for example, due to failures in analysis, design,
implementation or operation). [ITSEC:1991]
a weakness the existence of
which is suspected (by virtue of a postulated attack path), but not confirmed,
to violate the SFRs.
SFR - Security Functional
Requirement
[CC:2006]
potential weakness in the
TOE identified by the evaluator while performing evaluation activities that
could be used to violate the SFRs.
TOE - Target of Evaluation
SFR - Security Functional
Requirement
[CC:2006]
a weakness in the TOE that
can be used to violate the SFRs in the operational environment for the TOE.
TOE - Target of Evaluation
SFR - Security Functional
Requirement
[CC:2006]
A weakness in system security procedures, design, implementation, internal controls, etc., that could be accidentally triggered or intentionally exploited and result in a violation of the system's security policy. [NIST-SP800-33:2001]
A security vulnerability is a flaw or weakness in a system's design, implementation or operation that could be exploited to violate the system's security (RFC 2828). A security vulnerability is not a risk, a threat, or an attack.
Vulnerabilities can be of four types.
· Threat Model vulnerabilities originate from the difficulty of foreseeing future threats (e.g. Signalling System No.7).
· Design & Specification vulnerabilities come from errors or oversights in the design of the protocol that make it inherently vulnerable (e.g. WEP in IEEE 802.11b a.k.a. WiFi).
· Implementation vulnerabilities are vulnerabilities that are introduced by errors in a protocol implementation.
· Finally, Operation and Configuration vulnerabilities originate from improper usage of options in implementations or weak deployment policies (e.g. not enforcing use of encryption in a WiFi network, or selection of a weak stream cipher by the network administrator).
A (universal) vulnerability is a state in a computing system (or set of systems) which either:
· Allows an attacker to execute commands as another user
· Allows an attacker to access data that is contrary to the specified access restrictions for that data
· Allows an attacker to pose as another entity
· Allows an attacker to conduct a denial of service
http://www.symantec.com/avcenter/refa.html
A flaw or weakness in a
system's design, implementation, or operation and management that could be
exploited to violate the system's security policy.
http://www.sans.org/security-resources/glossary-of-terms/
A vulnerability is a
software weakness that can be exploited by an attacker. Bugs and flaws
collectively form the basis of most software vulnerabilities.
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/attack/590-BSI.html
An inadequacy related to
security that could increase susceptibility to compromise or injury.
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=16578
intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with a consequence
[ISO Guide 73:2009]
Flaw or weakness which, if exploited, may compromise a system, intentionally or not.
http://fr.pcisecuritystandards.org/
A weakness that could be exploited by a threat. For example, an open firewall port, a password that is never changed or a flammable carpet. A missing control is also considered a vulnerability. [ITIL:2007]
Characteristic of a supporting asset that can constitute a weakness or a flaw with regard to information systems security. [EBIOS:2010]
A security-related inadequacy that could increase susceptibility to compromise or injury.
http://www.tbs-sct.gc.ca/pol/doc-fra.aspx?id=16578