Mobile Security - The CVE Initiative's official definitions of "Vulnerability" and "Exposure"
2014-12-17 16:57
162 views
Hanks.Wang - focused on system attack/defense and mobile security research, byhankswang@163.com
The CVE Initiative's official definitions of "Vulnerability" and "Exposure"
Below are the CVE Initiative's definitions of the terms "Vulnerability" and "Exposure":
Vulnerability
An information security "vulnerability" is a mistake in software that can be directly used by a hacker to gain access to a system or network. CVE considers a mistake a vulnerability if it allows an attacker to use it to violate a reasonable security policy for that system (this excludes entirely "open" security policies in which all users are trusted, or where there is no consideration of risk to the system).
For CVE, a vulnerability is a state in a computing system (or set of systems) that either:
- allows an attacker to execute commands as another user
- allows an attacker to access data that is contrary to the specified access restrictions for that data
- allows an attacker to pose as another entity
- allows an attacker to conduct a denial of service
Examples of vulnerabilities include:
- phf (remote command execution as user "nobody")
- rpc.ttdbserverd (remote command execution as root)
- world-writeable password file (modification of system-critical data)
- default password (remote command execution or other access)
- denial of service problems that allow an attacker to cause a Blue Screen of Death
- smurf (denial of service by flooding a network)
Review vulnerabilities on the Common Vulnerabilities and Exposures (CVE) List.
Exposure
An information security "exposure" is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.
CVE considers a configuration issue or a mistake an exposure if it does not directly allow compromise but could be an important component of a successful attack, and is a violation of a reasonable security policy.
An "exposure" describes a state in a computing system (or set of systems) that is not a vulnerability, but either:
- allows an attacker to conduct information gathering activities
- allows an attacker to hide activities
- includes a capability that behaves as expected, but can be easily compromised
- is a primary point of entry that an attacker may attempt to use to gain access to the system or data
- is considered a problem according to some reasonable security policy
Examples of exposures include:
- running services such as finger (useful for information gathering, though it works as advertised)
- inappropriate settings for Windows NT auditing policies (where "inappropriate" is enterprise-specific)
- running services that are common attack points (e.g., HTTP, FTP, or SMTP)
- use of applications or services that can be successfully attacked by brute force methods (e.g., use of trivially broken encryption, or a small key space)
Review exposures on the Common Configuration Enumeration (CCE) List.
http://www.cve.mitre.org/about/terminology.html
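As an added illustration (this is not part of the original post, nor MITRE's own CVE tooling), the Python script below turns the two definitions above into a triage routine: it tests the four vulnerability outcomes first, consults the exposure outcomes only when none of them applies (an exposure is by definition "not a vulnerability"), excludes entirely "open" policies, and ties one of the listed examples, the world-writeable password file, to a concrete file-mode check. The names Finding, classify, passwd_file_finding, triage and the effect labels are assumptions chosen for this example, and the sample findings are constructed.

```python
"""Triage helper that applies the CVE Initiative's vulnerability/exposure
definitions. Added example for this post; not MITRE's code. The identifiers
(Finding, classify, passwd_file_finding, triage, effect labels) are assumed."""
import stat
from dataclasses import dataclass

# The four outcomes that make a state a "vulnerability" per the CVE definition.
VULNERABILITY_EFFECTS = frozenset({
    "execute_as_other_user",    # execute commands as another user
    "access_restricted_data",   # access data contrary to its access restrictions
    "pose_as_other_entity",     # pose as another entity
    "denial_of_service",        # conduct a denial of service
})

# Outcomes that make a state an "exposure". Only consulted when no
# vulnerability outcome applies, since an exposure is "not a vulnerability".
EXPOSURE_EFFECTS = frozenset({
    "information_gathering",    # e.g. finger, which works as advertised
    "hide_activities",          # e.g. an inappropriate audit policy
    "easily_compromised",       # behaves as expected but trivially broken (small key space)
    "primary_entry_point",      # common attack points such as HTTP, FTP, SMTP
})


@dataclass
class Finding:
    name: str
    effects: frozenset            # labels drawn from the two sets above
    violates_policy: bool = True  # contrary to a reasonable security policy?
    open_policy: bool = False     # system where every user is trusted


def classify(finding: Finding) -> str:
    """Return 'vulnerability', 'exposure' or 'not-tracked'.

    Order matters: the vulnerability test runs first, the exposure test only if
    it fails, and both require a violation of a reasonable security policy.
    """
    # Entirely "open" policies, or no policy violation at all, are excluded.
    if finding.open_policy or not finding.violates_policy:
        return "not-tracked"
    if finding.effects & VULNERABILITY_EFFECTS:
        return "vulnerability"
    if finding.effects & EXPOSURE_EFFECTS:
        return "exposure"
    return "not-tracked"


def passwd_file_finding(mode: int, path: str = "/etc/passwd") -> Finding:
    """Build a finding from a file mode for the 'world-writeable password file'
    example. World-writable means anyone may modify system-critical data, i.e.
    access contrary to the data's access restrictions; otherwise no effect."""
    world_writable = bool(mode & stat.S_IWOTH)
    effects = frozenset({"access_restricted_data"}) if world_writable else frozenset()
    return Finding(name=f"{path} mode {oct(mode)}", effects=effects)


# Constructed sample findings mirroring the examples in the definitions.
SAMPLE_FINDINGS = [
    Finding("phf CGI", frozenset({"execute_as_other_user"})),
    Finding("finger running", frozenset({"information_gathering"})),
    Finding("trivially broken encryption", frozenset({"easily_compromised"})),
    # Gathers information AND lets an attacker run commands: the vulnerability
    # test takes precedence, so this is a vulnerability, not an exposure.
    Finding("exposed admin shell",
            frozenset({"information_gathering", "execute_as_other_user"})),
    # Same finger service on a box whose policy trusts every user: excluded.
    Finding("finger on fully open lab box",
            frozenset({"information_gathering"}), open_policy=True),
    passwd_file_finding(0o666),  # world-writable -> vulnerability
    passwd_file_finding(0o644),  # normal mode   -> not tracked
]


def triage(findings=SAMPLE_FINDINGS) -> dict:
    """Classify every finding; returns {finding name: class}."""
    return {f.name: classify(f) for f in findings}


if __name__ == "__main__":
    for name, cls in triage().items():
        print(f"{cls:14} {name}")
```

The precedence in classify is the part worth copying into a real triage workflow: a service that both leaks information and permits command execution is recorded as a vulnerability (a CVE candidate), while a finding that only weakens the defender's position without granting access belongs on the configuration (CCE) side.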