Examples of Vulnerabilities

This document lists typical vulnerabilities in several categories:
- Hardware vulnerabilities include insufficient maintenance of storage media, lack of equipment replacement plans, and susceptibility to various environmental factors.
- Software vulnerabilities include lack of testing, known flaws, improper configuration, weak authentication, and poor documentation.
- Network vulnerabilities involve unprotected communication lines, insecure architectures, and transfer of passwords in the clear.
- Personnel vulnerabilities range from lack of security training to poor security awareness.

Uploaded by Gaba Freire
Copyright © All Rights Reserved

Examples of typical vulnerabilities

(Source ISO/IEC 27005:2022)

Category: Hardware
- Insufficient maintenance/faulty installation of storage media
- Insufficient periodic replacement schemes for equipment
- Susceptibility to humidity, dust, soiling
- Sensitivity to electromagnetic radiation
- Insufficient configuration change control
- Susceptibility to voltage variations
- Susceptibility to temperature variations
- Unprotected storage
- Lack of care at disposal
- Uncontrolled copying

Category: Software
- No or insufficient software testing
- Well-known flaws in the software
- No “logout” when leaving the workstation
- Disposal or reuse of storage media without proper erasure
- Insufficient configuration of logs for audit trail purposes
- Wrong allocation of access rights
- Applying application programs to the wrong data in terms of use
- Complicated user interface
- Insufficient or lack of documentation
- Incorrect parameter set-up
- Incorrect dates
- Insufficient identification and authentication mechanisms
- Unprotected password tables
- Poor password management
- Unnecessary services enabled
- Immature or new software
- Unclear or incomplete specifications for developers
- Ineffective change control
- Uncontrolled downloading and use of software
- Lack of or incomplete back-up copies
- Failure to produce management reports

Category: Network
- Insufficient mechanisms for the proof of sending or receiving a message
- Unprotected communication lines
- Unprotected sensitive traffic
- Poor joint cabling
- Single point of failure
- Ineffective or lack of mechanisms for identification and authentication of sender and receiver
- Insecure network architecture
- Transfer of passwords in the clear
- Inadequate network management (resilience or routing)
- Unprotected public network connections

Category: Personnel
- Absence of personnel
- Inadequate recruitment procedures
- Insufficient security training
- Incorrect use of software and hardware
- Poor security awareness
- Insufficient or lack of monitoring mechanisms
- Unsupervised work by outside staff
- Ineffective or lack of policies for the correct use of telecommunications media and messaging

Category: Site
- Inadequate or careless use of physical access control to buildings and rooms
- Location in an area susceptible to flood
- Unstable power grid
- Insufficient physical protection of the building, doors and windows

Category: Organization
- Formal procedure for user registration and de-registration not developed, or its implementation ineffective
- Formal process for access rights review not developed, or its implementation ineffective
- Insufficient security provisions in contracts with customers and third parties
- Procedure for monitoring of information processing facilities not developed, or its implementation ineffective
- Audits not conducted on a regular basis
- Procedures for risk identification and assessment not developed, or implementation ineffective
- Insufficient or lack of fault reports recorded in administrator and operator logs
- Inadequate service maintenance response
- Insufficient or lack of SLA
- Change control procedures not developed, or implementation ineffective
- Formal procedure for ISMS documentation control not developed, or implementation ineffective
- Formal process for authorization of publicly available information not developed, or implementation ineffective
- Improper allocation of information security responsibilities
- Continuity plans do not exist, or are incomplete or outdated
- Email usage policy not developed, or implementation ineffective
- Procedures for classified information handling not developed, or implementation ineffective
- Information security responsibilities are not present in job descriptions
- Insufficient or lack of provisions (regarding information security) in contracts with employees
- Disciplinary process in case of information security incidents not defined, or not functioning properly
- Formal policy on mobile computer usage not developed, or implementation ineffective
- Insufficient control of off-premise assets
- Insufficient or lack of “clear desk, clear screen” policy
- Information processing facilities authorization not implemented, or not functioning properly
- Monitoring mechanisms for security breaches not implemented properly
- Procedures for reporting security weaknesses not developed, or implementation ineffective
- Procedures for compliance with intellectual property rights not developed, or implementation ineffective
