Vulnerabilities these are weaknesses that you know about and may be subject of an attack or threat. They are attached to assets: each asset has its vulnerabilities, i.e., weaknesses, in how it can be attacked or damaged.
Types of vulnerabilities
- Data vulnerabilities
- Software vulnerabilities
- Vulnerabilities and equipment
- Vulnerabilities of networks and communications
- Physical infrastructure vulnerabilities
- Procedural vulnerabilities
- Vulnerabilities of purchased services
- Human resource vulnerabilities
Basic principles in vulnerability identification
- focus on assets, every asset has its vulnerabilities
- focus on the processes of assigning, changing and removing rights from employees
- vulnerability assessment should be performed by the owner of the asset, who knows its vulnerabilities best
- analyze incidents and problems with the asset from the past, their causes are often due to vulnerabilities
Basic procedure for identifying vulnerabilities
- Carefully analyze each asset and identify and assign potential vulnerabilities to it
- Identify vulnerabilities to each asset
- List these and create a link to the relevant asset
- Keep all information in the relevant catalog of vulnerabilities