Vulnerability

From MgmtWiki
Revision as of 11:19, 6 November 2023 by Tom (talk | contribs) (Other Material)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Full Title

A Vulnerability is a weakness in a design or implementation that might lead to an Exploit.

Context

There is some ambiguity between the terms:

  • Vulnerability as it is commonly referred to the the STRIDE threat model, and
  • Attack as is commonly referred to the the ATTACK threat model.

Where vulnerability generally is a broader scope (more abstract) that attack.

Reporting

VEX and OpenVEX

A VEX document contains machine-readable statements about the status of software vulnerabilities with respect to a software product. Supported in part by the U.S. Cybersecurity and Infrastructure Security Agency, VEX documents are intended to enable automation of key vulnerability-related tasks, many of which are currently toilsome work for software developers and security engineers.[1]

List

This is basically just a list of some known vulnerabilities of interest to Identity Management. There is no claim this is complete.

  • OWASP Top 10 in the web
  • From ransomware attack to double extortion and ever triple extortion:
    • Ransomware: criminals ask a ransom to give back access to data
    • Double extortion: in addition, criminals threaten to release publicly hijacked data
    • Triple extortion: launch a DDoS attack; inform victim's partners & customers about the stolen data.
  • Smishing:
    • Phishing via text
    • Messages that create a sense of urgency are sent to your phone via text with malicious links attached.
    • The messages are usually framed like a past due payment notice from your bank, an unexpected prize won or an unusual login notice prompting you to login **to verify your identity.
  • QR Code Swapping:
    • Legitimate QR codes at establishments such as restaurants are being swapped out with ones that redirect to malware or malicious phishing sites.
    • Although they are very convenient, it's advisable to type out the exact URL into your browser.

References

  1. Adolfo Veytia _2, VEXed? Then Grype about it: Chainguard and Anchore announce Grype supports OpenVEX (2023-10-23) https://www.chainguard.dev/unchained/vexed-then-grype-about-it-chainguard-and-anchore-announce-grype-supports-openvex

Other Material

Retrieved from "http://tcwiki.azurewebsites.net/index.php?title=Vulnerability&oldid=19015"