Vulnerability

Threat

Probability

Impact

Suggested Mitigation Steps

1

USB DRIVE

The most common way to infect a network from inside a firewall

Implement and enforce policies regarding use of such devices.

2

LAPTOP

Can tap directly into the network and infect with malware allowing others access

Implement and enforce policies regarding portable devices.

3

BLUETOOTH

Identity detection, DOS,

involuntary control and access of data

Implement and enforce policies regarding use of such devices.

4

WI-FI

Clear text data can be captured

Implement and enforce policies regarding use of such devices.

5

FIREWALL

Protects content on desktops and in turn keeps entire network safe

Install and configure firewalls

6

NETWORK PROTOCOLS

Flawed unpatched protocols can cause remote sabotage and DOS

Disable unused protocols and monitor ones being used.

7

SMARTPHONES

Potentially pose the same threats as notebooks and thumb drives

Implement and enforce policies regarding use of such devices.

8

OPTICAL MEDIA

Being able to steal and leaking confidential data

Implement and enforce policies regarding access and use of recordable media.

9

ROUTERS

Exposed ports, Network access

Install and configure routers based on industry standards

10

NETWORK CABLES

Reduce the danger of electronic interference or loss of network connectivity

Install cable in areas to minimize interference. Label cables.

11

PRINTERS

While the print task is in the queue, the data is unencrypted and vulnerable to theft

Update printer firmware and keep an update inventory of all printers and drivers

12

FAX MACHINES

Unsecure faxing will put you at risk for confidential and identity theft

Implement and enforce policies regarding information distribution

13

SAN STORAGE

Network availability

Limit access to data storage based on classification and need to know.

14

EMPLOYEES

Individuals having access to restricted area of the network

Maintain a strict access control policy for restricted areas.

15

SERVERS

Open to brute force attacks, botnets, cross-site scripting and DOS

Harden servers against cyber attacks using industry standard or better.

16

WORKSTATIONS

Can be used by attackers as "slave" machines in coordinated attacks.

Harden workstations against cyber attacks using industry standard or better.

17

VIDEO CONFRENCING

Machines set to auto answer will allow the attacker to essentially gain a front-row seat inside corporate meetings

Should be hardened disable auto answer to prevent eaves dropping.

18

THEFT

Attacker steals privilege information to gain access

Access control and password policy

19

IMPERSONATION

Attacker poses as a service provider or custodial crew to physically gain access

Security awareness training and policy

20

LAPTOPS/TABLETS

Portable and easy to hide and attach to network.

Implement and enforce portable device policy

21

USB DEVICES

MP3 Players, etc

Implement strict policies regarding USB devices.

22

FIRE ALARM

Fire retardant system does not work when needed

Test fire alarm system periodically

23

ELECTRICAL POWER

No backup power in case of public power outage

Backup generators and UPS for critical systems

24

AIR CONDITION SYSTEM

Cooling system fail causing equipment to overheat and fail

Service and maintain heating and cooling system.

25

POOR MAINTENANCE

Do not know when unauthorized equipment is attached to the network

Inventory and label all equipment and document change management

Logical Network Vulnerabilities

1

DATABASE

SQL Injection, DOS Attacks, Database Exposure and Privilege elevation

2

VPN

Confidential information can be inadvertently downloaded. Unobstructed route for Malware.

3

MAN-IN-THE-MIDDLE

Attacker monitors and steals

Information in real time

Use cryptography and Hashed Message Authentication Codes

4

PRIVILEGE ESCALATION

Individual gains access to

network higher functions due to misconfiguration

Check Roles, Use strong ACLs; and use standard encryption

5

PHISHING

Used by an attacker to collect sensitive information to gain access

Segment network and encrypt data

6

FOOTPRINTING

Attacker use default username and weak or blank password to gain access to the network

Strong password, do not use blank password or weak

7

HIJACKING

Attacker can take over your internet browser downloading additional malware

Use session and communication encryption. Apply patch to fix vulnerabilities

8

SOCIAL ENGINEERING

Attackers will trick users into revealing their passwords

Security awareness training.

9

PASSWORDS

Easy guessable passwords, hackers gain initial access to a system. 

Enforce strong password; lock out and audit trails

10

DIGITIAL CERTIFICATE

Attackers hack into certificate authorities and issue false certificates for legitimate websites

Revoke PKI and maintain list of revoked keys to id false certificates.

11

OPERATING SYSTEM

If not patched regularly the network is open to security vulnerabilities

Harden OS

12

TCP/IP

Vulnerable to a variety of attacks ranging from password sniffing to denial of service

Disable unnecessary protocols

13

EMAIL

Spyware, Virus, Phishing, and spam

Conduct cyber security awareness to educate end user of email threats.

14

WEB BROWSERS

Attacker can take over your browser making you vulnerable if the browser plug-ins are not fully patched

Configure secure web permissions; Use .Net Framework access control

15

INSTANT MESSAGING

Vulnerable to firewall tunneling, identity theft, data security leaks, and authentication spoofing

Strong password, do not cache password,

16

SECURITY MISCONFIG

Attackers can access networks virtually without attracting attention

Configure based on industry standard. Avoid custom configuration

17

WEB APPLICATIONS

DOS, Elevation of privilege, Information disclosure, and impersonation

Input validation

Use HTMLEncode and URLEncode functions to encode any output

18

MALWARE

Can infect networked resources and possibly bring down the network

Update definition files and patches.

19

SOFTWARE DEFECT

Allows data to be viewed by unauthorized people

Apply updates and patch vulnerabilities. Or uninstall and replace.

20

SPOOFING

An attacker pretends to be an entity to take over communication between systems

Strong authentication.

Do not store secrets Do not pass credentials in plaintext over the wire.

Protect authentication cookies with SSL.

21

DOS ATTACK

An attack on a network that causes a loss of service to users

Resource and bandwidth throttling techniques.

Validate and filter input.

22

SNIFFER ATTACK

Can read, monitor, and capture network data exchanges

Segment network. Encrypt data.

23

BUFFER OVERFLOW

Exploits poorly written software to allow attackers to take over the target system

Validate input

Inspect API managed code.

Use the /GS flag to compile code

24

REMOTE ACCESS

Without the appropriate security measures (SSL VPN), all communications are being transmitted in clear text 

Configure remote access with the necessary security parameters to ensure secure communication.

25

NO ANTIVIRUS

Not Protected against virus and other malware attacks

Install, configure and update antivirus software.

3

Created a table of 50 vulnerabilities and threat pairs relevant to the organization

0.00

0.70

0.85

1.00

0.85