Difference between revisions of "Vulnerability"
From MgmtWiki
(→Full Title) |
(→Other Material) |
||
| (10 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
==Full Title== | ==Full Title== | ||
| − | A [[Vulnerability]] is a weakness in a design or implementation that might lead to | + | A [[Vulnerability]] is a weakness in a design or implementation that might lead to an [[Exploit]]. |
| + | ==Context== | ||
| + | There is some ambiguity between the terms: | ||
| + | *Vulnerability as it is commonly referred to the the [[STRIDE]] threat model, and | ||
| + | * Attack as is commonly referred to the the ATTACK threat model. | ||
| + | Where vulnerability generally is a broader scope (more abstract) that attack. | ||
| + | |||
| + | ==Reporting== | ||
| + | ===VEX and OpenVEX=== | ||
| + | A VEX document contains machine-readable statements about the status of software vulnerabilities with respect to a software product. Supported in part by the U.S. Cybersecurity and Infrastructure Security Agency, VEX documents are intended to enable automation of key vulnerability-related tasks, many of which are currently toilsome work for software developers and security engineers.<ref>Adolfo Veytia _2, ''VEXed? Then Grype about it: Chainguard and Anchore announce Grype supports OpenVEX'' (2023-10-23) https://www.chainguard.dev/unchained/vexed-then-grype-about-it-chainguard-and-anchore-announce-grype-supports-openvex</ref> | ||
| + | |||
| + | * 2023-11-06 CISA published [https://www.cisa.gov/resources-tools/resources/when-issue-vex-information When to Issue VEX Information] | ||
| + | |||
| + | ==List== | ||
This is basically just a list of some known vulnerabilities of interest to [[Identity Management]]. There is no claim this is complete. | This is basically just a list of some known vulnerabilities of interest to [[Identity Management]]. There is no claim this is complete. | ||
| − | |||
* [https://owasp.org/www-project-top-ten/ OWASP Top 10] in the web | * [https://owasp.org/www-project-top-ten/ OWASP Top 10] in the web | ||
| + | *From ransomware attack to double extortion and ever triple extortion: | ||
| + | **Ransomware: criminals ask a ransom to give back access to data | ||
| + | **Double extortion: in addition, criminals threaten to release publicly hijacked data | ||
| + | ** Triple extortion: launch a DDoS attack; inform victim's partners & customers about the stolen data. | ||
| + | *Smishing: | ||
| + | **Phishing via text | ||
| + | **Messages that create a sense of urgency are sent to your phone via text with malicious links attached. | ||
| + | **The messages are usually framed like a past due payment notice from your bank, an unexpected prize won or an unusual login notice prompting you to login **to verify your identity. | ||
| + | *QR Code Swapping: | ||
| + | **Legitimate QR codes at establishments such as restaurants are being swapped out with ones that redirect to malware or malicious phishing sites. | ||
| + | **Although they are very convenient, it's advisable to type out the exact URL into your browser. | ||
==References== | ==References== | ||
| + | <references /> | ||
| + | ===Other Material=== | ||
| + | * See wiki page on [[Vulnerability Disclosure]]. | ||
| + | [[Category: Glossary]] | ||
[[Category: Vulnerability]] | [[Category: Vulnerability]] | ||
| + | [[Category: Best Practice]] | ||
Latest revision as of 11:19, 6 November 2023
Contents
Full Title
A Vulnerability is a weakness in a design or implementation that might lead to an Exploit.
Context
There is some ambiguity between the terms:
- Vulnerability as it is commonly referred to the the STRIDE threat model, and
- Attack as is commonly referred to the the ATTACK threat model.
Where vulnerability generally is a broader scope (more abstract) that attack.
Reporting
VEX and OpenVEX
A VEX document contains machine-readable statements about the status of software vulnerabilities with respect to a software product. Supported in part by the U.S. Cybersecurity and Infrastructure Security Agency, VEX documents are intended to enable automation of key vulnerability-related tasks, many of which are currently toilsome work for software developers and security engineers.[1]
- 2023-11-06 CISA published When to Issue VEX Information
List
This is basically just a list of some known vulnerabilities of interest to Identity Management. There is no claim this is complete.
- OWASP Top 10 in the web
- From ransomware attack to double extortion and ever triple extortion:
- Ransomware: criminals ask a ransom to give back access to data
- Double extortion: in addition, criminals threaten to release publicly hijacked data
- Triple extortion: launch a DDoS attack; inform victim's partners & customers about the stolen data.
- Smishing:
- Phishing via text
- Messages that create a sense of urgency are sent to your phone via text with malicious links attached.
- The messages are usually framed like a past due payment notice from your bank, an unexpected prize won or an unusual login notice prompting you to login **to verify your identity.
- QR Code Swapping:
- Legitimate QR codes at establishments such as restaurants are being swapped out with ones that redirect to malware or malicious phishing sites.
- Although they are very convenient, it's advisable to type out the exact URL into your browser.
References
- ↑ Adolfo Veytia _2, VEXed? Then Grype about it: Chainguard and Anchore announce Grype supports OpenVEX (2023-10-23) https://www.chainguard.dev/unchained/vexed-then-grype-about-it-chainguard-and-anchore-announce-grype-supports-openvex
Other Material
- See wiki page on Vulnerability Disclosure.
