Vulnerability (computing): Difference between revisions

From the revision edited by জঙ্গলবাসী to the latest revision edited by Hasan Rumi...
Hasan Rumi (talk | contribs)
No edit summary
: ''Weakness of one or more assets that can be exploited by one or more threats.''
''In this context, those assets have value to a specific organization, to its business operations and their continuity, and to the information that supports progress toward the organization's goals.''<ref>British Standard Institute, Information technology -- Security techniques -- Management of information and communications technology security -- Part 1: Concepts and models for information and communications technology security management BS ISO/IEC 13335-1-2004</ref>
 
[[IETF]] [[rfc:2828|RFC 2828]] defines '''vulnerability''' as:
: ''A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy''
The [[Committee on National Security Systems]] of the [[United States|United States of America]] defined '''vulnerability''' in CNSS Instruction No. 4009 dated 26 April 2010, the [[National Information Assurance Glossary]]:
: ''Vulnerability — Weakness in an IS, system security procedures, internal controls, or implementation that could be exploited''
Many [[NIST]] publications define '''vulnerability''' in an IT context; the FISMApedia entry provides a list. Among them, SP 800-30 gives a broader one:
: ''A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.''
[[ENISA]] defines '''vulnerability''' as:
: ''The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event [G.11] compromising the security of the computer system, network, application, or protocol involved.(ITSEC)''
[[The Open Group]] defines '''vulnerability''' as:
: ''The probability that threat capability exceeds the ability to resist the threat''.
[[Factor Analysis of Information Risk]] (FAIR) defines '''vulnerability''' as:
: ''The probability that an asset will be unable to resist the actions of a threat agent''
According to FAIR, vulnerability is related to control strength, i.e. the strength of a control as compared to a standard measure of force, and to [[Threat (computer)|threat]] capability, i.e. the probable level of force that a threat agent is capable of applying against an asset.
 
[[ISACA]] defines '''vulnerability''' in [[Risk It]] framework as:
: ''A weakness in design, implementation, operation or internal control''
''Data and Computer Security: Dictionary of Standards Concepts and Terms'', by Dennis Longley and Michael Shain (Stockton Press, ISBN 0-935859-17-9), defines '''vulnerability''' as:
: ''1) In computer security, a weakness in automated systems security procedures, administrative controls, Internet controls, etc., that could be exploited by a threat to gain unauthorized access to information or to disrupt critical processing. 2) In computer security, a weakness in the physical layout, organization, procedures, personnel, management, administration, hardware or software that may be exploited to cause harm to the ADP system or activity. 3) In computer security, any weakness or flaw existing in a system. The attack or harmful event, or the opportunity available to a threat agent to mount that attack.''
Matt Bishop and Dave Bailey give the following definition of computer '''vulnerability''':
: ''A computer system is composed of states describing the current configuration of the entities that make up the computer system. The system computes through the application of state transitions that change the state of the system. All states reachable from a given initial state using a set of state transitions fall into the class of authorized or unauthorized, as defined by a security policy. In this paper, the definitions of these classes and transitions is considered axiomatic. A vulnerable state is an authorized state from which an unauthorized state can be reached using authorized state transitions. A compromised state is the state so reached. An attack is a sequence of authorized state transitions which end in a compromised state. By definition, an attack begins in a vulnerable state. A vulnerability is a characterization of a vulnerable state which distinguishes it from all non-vulnerable states. If generic, the vulnerability may characterize many vulnerable states; if specific, it may characterize only one...''
[[National Information Assurance Training and Education Center]] defines '''vulnerability''' as:
: ''1. A weakness in automated system security procedures, administrative controls, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing. 2. A weakness in system security procedures, hardware design, internal controls, etc., which could be exploited to gain unauthorized access to classified or sensitive information. 3. A weakness in the physical layout, organization, procedures, personnel, management, administration, hardware, or software that may be exploited to cause harm to the ADP system or activity. The presence of a vulnerability does not in itself cause harm; a vulnerability is merely a condition or set of conditions that may allow the ADP system or activity to be harmed by an attack. 4. An assertion primarily concerning entities of the internal environment (assets); we say that an asset (or class of assets) is vulnerable (in some way, possibly involving an agent or collection of agents); we write: V(i,e) where: e may be an empty set. 5. Susceptibility to various threats. 6. A set of properties of a specific internal entity that, in union with a set of properties of a specific external entity, implies a risk. 7. The characteristics of a system which cause it to suffer a definite degradation (incapability to perform the designated mission) as a result of having been subjected to a certain level of effects in an unnatural (manmade) hostile environment.''
 
== Vulnerability and risk factor models ==
A resource (either physical or logical) may have one or more vulnerabilities that can be exploited by a threat agent in a threat action. The result can potentially compromise the [[confidentiality]], [[integrity]] or [[availability]] of resources (not necessarily the vulnerable one) belonging to an organization and/or other parties involved (customers, suppliers).
 
The so-called [[CIA triad]] is the basis of [[Information Security]].
 
An attack can be ''active'' when it attempts to alter system resources or affect their operation, compromising integrity or availability. A "''passive attack''" attempts to learn or make use of information from the system but does not affect system resources, compromising confidentiality.
 
[[OWASP]] (see figure) depicts the same phenomenon in slightly different terms: a threat agent through an attack vector exploits a weakness (vulnerability) of the system and the related security controls, causing a technical impact on an IT resource (asset) connected to a business impact.
 
The overall picture represents the [[Risk factor (computing)|risk factors]] of the risk scenario.
 
== Information security management system ==
A set of policies concerned with information security management, the [[information security management system]] (ISMS), has been developed to manage, according to [[Risk management]] principles, the [[Countermeasure (computer)|countermeasures]] in order to ensure the security strategy is set up following the rules and regulations applicable in a country. These countermeasures are also called [[Security controls]], but when applied to the transmission of information they are called [[Security service (telecommunication)|security services]].
 
== Classification ==
Vulnerabilities are classified according to the asset class they are related to:
* hardware
** susceptibility to humidity
** susceptibility to dust
** susceptibility to soiling
** susceptibility to unprotected storage
* software
** insufficient testing
** lack of [[audit trail]]
* network
** unprotected communication lines
** insecure [[network architecture]]
* personnel
** inadequate recruiting process
** inadequate [[security awareness]]
* physical site
** area subject to flood
** unreliable power source
* organizational
** lack of regular audits
** lack of continuity plans
** lack of security
 
== Causes ==
* Complexity: Large, complex systems increase the probability of flaws and unintended [[File system permissions|access points]]
* Familiarity: Using common, well-known code, software, operating systems, and/or hardware increases the probability an attacker has or can find the knowledge and tools to exploit the flaw
* Connectivity: More physical connections, privileges, ports, protocols, and services, and the longer each of those is accessible, increase vulnerability
* Password management flaws: The computer user uses [[Password strength|weak passwords]] that could be discovered by brute force. The computer user stores the password on the computer where a program can access it. Users re-use passwords between many programs and websites.
* Fundamental [[operating system]] design flaws: The operating system designer chooses to enforce suboptimal policies on user/program management. For example, operating systems with policies such as [[default permit]] grant every program and every user full access to the entire computer. This operating system flaw allows viruses and malware to execute commands on behalf of the administrator.
* Internet Website Browsing: Some internet websites may contain harmful [[Spyware]] or [[Adware]] that can be installed automatically on the computer systems. After visiting those websites, the computer systems become infected and personal information will be collected and passed on to third party individuals.
* [[Software bug|Software bugs]]: The programmer leaves an exploitable bug in a software program. The software bug may allow an attacker to misuse an application.
* [[Unchecked user input]]: The program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (as in [[Buffer overflow|buffer overflows]], [[SQL injection]] or other non-validated inputs).
* Not learning from past mistakes: for example, most vulnerabilities discovered in [[IPv4]] protocol software were found again in the new [[IPv6]] implementations.
Research has shown that the most vulnerable point in most information systems is the human user, operator, designer, or other human, so humans should be considered in their different roles as asset, threat and information resource. [[Social engineering (security)|Social engineering]] is an increasing security concern.
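As an added illustration of the unchecked-input cause listed above (example code, not part of the original article), the following Python snippet contrasts a query built by string concatenation with a parameterised one on a constructed in-memory SQLite table; the table, function names and sample rows are assumptions.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a constructed in-memory table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the user-supplied name becomes part of the SQL text,
    so quote characters in it are parsed as SQL syntax."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the name is bound as a parameter and only ever treated
    as data, whatever characters it contains."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign name and a constructed input
    that closes the string literal in the concatenated query."""
    conn = build_db()
    benign = "alice"
    crafted = "x' OR '1'='1"  # constructed input, not a real user name
    return {
        "unsafe_benign": lookup_user_unsafe(conn, benign),
        "unsafe_crafted": lookup_user_unsafe(conn, crafted),
        "safe_benign": lookup_user_safe(conn, benign),
        "safe_crafted": lookup_user_safe(conn, crafted),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {len(rows)} row(s)")
```

The concatenated query returns every row for the crafted input, while the parameterised one returns none, which is the behaviour a code review or a test should check for.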
 
== Vulnerability consequences ==
The impact of a security breach can be very high. The fact that IT managers, or upper management, can (easily) know that IT systems and applications have vulnerabilities and do not perform any action to manage the [[IT risk]] is seen as misconduct under most legislation. [[Privacy law]] forces managers to act to reduce the impact or likelihood of that security risk. An [[Information technology security audit]] is a way to let independent people certify that the IT environment is managed properly and to lessen liability, or at least to demonstrate good faith. A [[Penetration test]] is a form of verification of the weaknesses and countermeasures adopted by an organization: a [[White hat (computer security)|White hat]] hacker tries to attack an organization's information technology assets to find out how easy or difficult it is to compromise the IT security. The proper way to professionally manage the IT risk is to adopt an [[Information Security Management System]], such as [[ISO/IEC 27002]] or [[Risk IT]], and follow it according to the security strategy set forth by the upper management.
 
One of the key concepts of information security is the principle of [[defence in depth]], i.e. setting up a multilayer defence system that can:
* prevent the exploit
* detect and intercept the attack
* find out the threat agents and prosecute them
An [[Intrusion detection system]] is an example of a class of systems used to detect [[Attack (computing)|attacks]].
 
[[Physical security]] is a set of measures to physically protect information assets: if somebody can get physical access to an information asset, it is quite easy to make resources unavailable to their legitimate users.
 
Several sets of criteria that a computer, its operating system and its applications must satisfy in order to reach a given security level have been developed: [[ITSEC]] and [[Common criteria]] are two examples.
 
== Vulnerability disclosure ==
Responsible disclosure (many now refer to it as 'coordinated disclosure' because the first is a biased word) of vulnerabilities is a topic of great debate. As reported by The Tech Herald in August 2010, "[[Google]], [[Microsoft]], [[TippingPoint]], and [[Rapid7]] have recently issued guidelines and statements addressing how they will deal with disclosure going forward."
 
A [[responsible disclosure]] first alerts the affected vendors confidentially before alerting [[CERT Coordination Center|CERT]] two weeks later, which grants the vendors another 45-day grace period before publishing a security advisory.
 
[[Full disclosure (computer security)|Full disclosure]] is done when all the details of a vulnerability are publicized, perhaps with the intent to put pressure on the software or procedure authors to find a fix urgently.
 
Well respected authors have published books on vulnerabilities and how to exploit them: [[Hacking: The Art of Exploitation Second Edition]] is a good example.
 
Security researchers catering to the needs of the [[cyberwarfare]] or [[cybercrime]] industry have stated that this approach does not provide them with adequate income for their efforts. Instead, they offer their exploits privately to enable [[Zero day attack|Zero day attacks]].
 
The never-ending effort to find new vulnerabilities and to fix them is called [[Computer insecurity]].
 
In January 2014 when Google revealed a Microsoft vulnerability before Microsoft released a patch to fix it, a Microsoft representative called for coordinated practices among software companies in revealing disclosures.
 
=== Vulnerability inventory ===
[[Mitre Corporation]] maintains a list of disclosed vulnerabilities in a system called [[Common Vulnerabilities and Exposures]], where vulnerabilities are classified (scored) using the [[CVSS|Common Vulnerability Scoring System]] (CVSS).
 
OWASP collects a list of potential vulnerabilities with the aim of educating system designers and programmers, therefore reducing the likelihood of vulnerabilities being written unintentionally into the software.
 
== Vulnerability disclosure date ==
The time of disclosure of a vulnerability is defined differently in the security community and industry. It is most commonly referred to as "a kind of public disclosure of security information by a certain party". Usually, vulnerability information is discussed on a mailing list or published on a security web site and results in a security advisory afterward.
 
The '''time of disclosure''' is the first date a security vulnerability is described on a channel where the disclosed information on the vulnerability fulfills the following requirements:
* The information is freely available to the public
* The vulnerability information is published by a trusted and independent channel/source
* The vulnerability has undergone analysis by experts such that risk rating information is included upon disclosure
 
== Identifying and removing vulnerabilities ==
Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system. Though these tools can provide an auditor with a good overview of possible vulnerabilities present, they cannot replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system.
 
Vulnerabilities have been found in every major operating system<sup>[''[[Wikipedia:Citation needed|citation needed]]'']</sup> including [[Microsoft Windows|Windows]], [[macOS]], various forms of [[Unix]] and [[Linux]], [[OpenVMS]], and others. The only way to reduce the chance of a vulnerability being used against a system is through constant vigilance, including careful system maintenance (e.g. applying software patches), best practices in deployment (e.g. the use of [[Firewall (networking)|firewalls]] and [[Access control|access controls]]) and auditing (both during development and throughout the deployment lifecycle).
 
== Examples of vulnerabilities ==
* communication equipment and facilities
* and their combinations.
It is evident that a purely technical approach cannot even protect physical assets: one should have administrative procedures for letting maintenance personnel enter the facilities, and people with adequate knowledge of the procedures who are motivated to follow them with proper care. See [[Social engineering (security)]].
 
Four examples of vulnerability exploitation:
* an attacker finds an overflow weakness and uses it to install malware; the attacker can then use that malware to obtain sensitive information;
* a particular kind of flood damages someone's computer system.
 
=== Software vulnerabilities ===
Common types of software flaws that lead to vulnerabilities include:
* [[Memory safety]] violations, such as:
** [[Buffer overflow|Buffer overflows]] and [[Buffer over-read|over-reads]]
** [[Dangling pointer|Dangling pointers]]
* [[Data validation|Input validation]] errors, such as:
** [[Format string attack|Format string attacks]]
** [[SQL injection]]
** [[Code injection]]
** [[E-mail injection]]
** [[Directory traversal]]
** [[Cross-site scripting]] in web applications
** [[HTTP header injection]]
** [[HTTP response splitting]]
* [[Race conditions]], such as:
** [[Time-of-check-to-time-of-use]] bugs
** [[Symlink race|Symlink races]]
* [[Confused deputy problem|Privilege-confusion]] bugs, such as:
** [[Cross-site request forgery]] in web applications
** [[Clickjacking]]
** [[FTP bounce attack]]
* [[Privilege escalation]]
* [[User interface]] failures, such as:
** Warning fatigue or user conditioning.
** [[Victim blaming|Blaming the victim]]: prompting a user to make a security decision without giving the user enough information to answer it
** [[Race Condition|Race Conditions]]
Some sets of coding guidelines have been developed, and a large [[List of tools for static code analysis|number of static code analysers]] have been used to verify that code follows the guidelines.
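As an added example for the input-validation class listed above (example code, not from the article), this Python snippet shows a directory-traversal check: a naive path join beside a resolver that confines every lookup to a constructed document root; the file layout and function names are assumptions.

```python
import os
import shutil
import tempfile


def make_root() -> str:
    """Constructed layout: <root>/docs/public.txt and <root>/secret.txt."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "public.txt"), "w") as fh:
        fh.write("public")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("secret")
    return root


def resolve_unsafe(docs_dir: str, name: str) -> str:
    """Vulnerable: 'name' is joined as-is, so '..' segments escape docs_dir."""
    return os.path.join(docs_dir, name)


def resolve_safe(docs_dir: str, name: str) -> str:
    """Hardened: resolve symlinks and '..' first, then require containment."""
    base = os.path.realpath(docs_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes document root: {name!r}")
    return candidate


def read_doc(resolver, docs_dir: str, name: str) -> str:
    """Read a document through the given resolver (ValueError if rejected)."""
    with open(resolver(docs_dir, name)) as fh:
        return fh.read()


def demo() -> dict:
    """Run both resolvers against a benign and a constructed traversal name."""
    root = make_root()
    docs = os.path.join(root, "docs")
    crafted = os.path.join("..", "secret.txt")  # constructed traversal input
    try:
        out = {
            "unsafe_public": read_doc(resolve_unsafe, docs, "public.txt"),
            "unsafe_crafted": read_doc(resolve_unsafe, docs, crafted),
            "safe_public": read_doc(resolve_safe, docs, "public.txt"),
        }
        try:
            read_doc(resolve_safe, docs, crafted)
            out["safe_crafted"] = "allowed"
        except ValueError:
            out["safe_crafted"] = "rejected"
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return out


if __name__ == "__main__":
    print(demo())
```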
 
== See also ==