Please enable JavaScript.
Coggle requires JavaScript to display documents.
2.2 Weaknesses in relation to security vulnerabilities (Security policy…
2.2 Weaknesses in relation to security vulnerabilities
Technology weaknesses
TCP/IP Protocol weaknesses
HTTP,FTP, and ICMP are inherently insecure.Simple Network Management Protocol (SNMP),simple mail transfer protocol(SMTP) and SYN flood are related to the inherently insecure structure upon which TCP was designed.
operating system
the UNIX,Linux Macintosh Windows NT, 9X,2K,XP and OS/2 operating system all have security problems that must be addressd.These are docummented in the CERT archives at http:/www.cert.org.
Network equipment weaknesses
various types of network equipment ,such as routers,fire-walls and switches ,have security weakneses that must be recognized andprotect again .These wekneses include the following
password protection
lack of authentication
rounting protocol
firewalls holes
Configuration
system account with easily guessed passwords
the common problem is the result of poorly selected and
easily guessed user password
misconfigured internet services
A common problem is to turn on java script in web brownser ,enabling attack by way of hostile java script when accessing unthrusted sites .IIS ,Apache,FTP,and Terminal Services also pose problem
unsecured default setting within products
-many product have default setting that enable security holes
misconfigured network equipment
misconfiguredof the equipment itself can cause significant security problem .For example ,misconfigure accesslistt,rounting protocol,or SNMP community strings can open up large security holes .Misconfigure or lack of encryption and remote access control scan also cause significant security issue ,as can the practice of leaving ports open on a switch (which could allow the introduction of noncompany computing equipment.
Unsecured user account
user account information might be transmitted insecurely across the network ,exposing username and password to snoopers
Security policy weaknesses
Lack of written security policy
an unwritten policy cannot be consistently applied or enforced
politics
political battles and turf wars can make it difficult to implement a consistent security policy
lack of continuity
poorly chosen,easily cracked or default password can allow unauthorized access to the network
logical access controls not applied
inadequate monitoring and auditing allows attacks and unauthorized use to continue ,wasting company resources.this could result in legal action or termination against IT technicians,IT management,or even company leader ship that allow these unsafe condition to persist.Lack of carefull andcontrol auditing can also make it hard to enforce policy tostand up to legal challenges for 'wrongly termination ' and suits against the organization
software and hardware installation and changes do not follow policy
unauthorized changes to the network topology or installation of unapproved application create security holes
disaster recovery plan nonexistent
the lack of a disaster recovery plan allows chaos,panic,and is confusion to occur when someone attacks the enterprice