Read the book Security Awareness For Dummies - Ira Winkler - Page 58

Vulnerabilities


Vulnerabilities are an organization’s weaknesses — they allow a threat to exploit your organization. Someone may want to harm your organization, but they can’t act on their intentions unless you provide vulnerabilities that they can exploit. Awareness is a countermeasure that addresses relevant vulnerabilities.

Here are the categories of vulnerabilities as I identify them:

 Technical vulnerabilities: Weaknesses in technology that, when exploited, result in loss.

 Physical vulnerabilities: Allow physical access or otherwise allow for damage of physical resources to occur. For example, you can spill water on your computer and cause damage, or someone can walk into your office and steal the computer.

 Personnel vulnerabilities: Involved in the hiring, maintaining, and separation of people. For example, you might hire people who are incapable of performing the job, or who may be criminals. Similarly, if you don’t have the right legal documents in place, you’re placing your organization at risk. Personnel vulnerabilities can involve direct employees or anyone with access to your information. Edward Snowden, for example, was not an NSA employee — but rather an employee of Booz-Allen, which was a contractor to NSA. His access allowed him to steal classified information and download that information onto USB drives that he carried out of the NSA facility.

 Operational vulnerabilities: Involve weaknesses in how processes are designed and implemented. Do people do things that are secure or insecure? Are processes inherently secure or insecure? For example, some companies have posted too much information on websites. The now infamous Twitter hack of July 2020 involved a wide variety of operational weaknesses, where too many employees had access to the administrator tools, where employees gave up their credentials, and where it required only a single employee to reset passwords on accounts with more than 100 million subscribers, among a variety of other weaknesses.

Awareness is useful for addressing all categories of vulnerabilities. Awareness can help people know how to secure their technology and counter technical vulnerabilities. Awareness teaches people how to use and enforce physical protections. Awareness highlights the operational procedures people should follow to implement policies and otherwise behave securely.
