CISSP Practice

Flaws or weaknesses in an information system; system security policies and procedures; hardware, system design, and system implementation procedures; internal controls; technical controls; operational controls; and management controls that could be accidentally triggered or intentionally exploited by a threat-source and result in a violation of the system's security policy. Note that vulnerabilities lead to threats that, in turn, lead to risks. Vulnerabilities ⇒ Threats ⇒ Risks.

Vulnerability analysis

The systematic examination of systems in order to determine the adequacy of security measures, to identify security deficiencies, and to provide data from which to predict the effectiveness of proposed security measures. Vulnerability analysis should be performed first, followed by threat analysis, because vulnerabilities ⇒ threats ⇒ risks.

Vulnerability assessment

(1) A formal description and evaluation of the vulnerabilities in an information system. (2) It is a systematic examination of the ability of a system or application, including current security procedures and controls to withstand assault. (3) A vulnerability assessment may be used to (i) identify weaknesses that would be exploited, (ii) predict the effectiveness of proposed security measures in protecting information resources from attack, and (iii) confirm the adequacy of such measures after implementation.

Vulnerability audit

The process of identifying and documenting specific vulnerabilities in critical information systems.

Vulnerability database

A security exposure in an operating system or other system software or application software component. A variety of organizations maintain publicly accessible databases of vulnerabilities based on the version number of the software. Each vulnerability can potentially compromise the system or network if exploited.

Vulnerability scanning tool

A technique used to identify hosts and host attributes, and then to identify the associated vulnerabilities.

W

Walkthroughs

A project management technique or procedure in which the programmer, project team leader, functional users, system analyst, or manager reviews system requirements, design and programming, test plans, design specifications, and program code. The objectives are to (1) prevent errors in logic and misinterpretation of user requirements, design, and program specifications, and (2) prevent omissions. It is a management and detective control. In a system walkthrough, for example, functional users and IS staff together can review the design or program specifications, program code, test plans, and test cases to detect omissions or errors and to eliminate misinterpretation of system or user requirements. System walkthroughs can also occur within and among colleagues in the IS and system user departments. It costs less to correct omissions and errors in the early stages of system development than it does later. This technique can be applied to both system development and system maintenance.

War dialing

It involves calling a large group of phone numbers to detect active modems or PBXs.

War driving

The practice in which attackers and other malicious parties drive around office parks and neighborhoods with laptop computers equipped with wireless network cards in an attempt to connect to open network access points.

Warez

A term widely used by hackers to denote illegally copied and distributed commercial software from which all copy protection has been removed. Warez often contains viruses, Trojan horses, and other malicious code, and thus is very risky to download and use (legal issues notwithstanding).

Warm-site

An environmentally conditioned workspace that is partially equipped with IT information systems and telecommunications equipment to support relocated IT operations in the event of a significant disruption.

Warm start

A restart that allows reuse of previously initialized input and output work queues. It is synonymous with system restart, initial program load, and quick start.

Waterfall model

A traditional system development model, which takes a linear and sequential view of developing an application system. This model will not bring the operational viewpoint to the requirements phase until the system is completely implemented.

Watermarking

A type of marking that embeds copyright information about the copyright owner.

Wavelength division multiple access (WDMA) protocol

The WDMA protocol is an example of a medium access control (MAC) sublayer protocol that provides two channels for each station. A narrow channel serves as a control channel to signal the station, and a wide channel is provided so that the station can output data frames.

Weakly bound credentials
