### Definition

> A weakness of an asset or control that can be exploited by one or more threats
> \- ([[ISO 27000]])

A vulnerability is some facet of a system that is vulnerable to attack. I think it's poor construction to call it a weakness, though semantics is the masturbation of academia, so maybe it's best to leave it be. Nonetheless, sometimes a "weakness" is necessary: a system that nobody can use has no weaknesses, aside from the fact that it's useless.

Typical vulnerabilities include:

- system-privileged accounts where the default password has not been changed (privilege escalation and/or repudiation, see [[STRIDE]])
- programs with known flaws (who is installing programs with known flaws?! Tell me. I just wanna talk)
- weak [[firewall]] configurations

## Categorisation

### General vulnerabilities

Weaknesses inherent in a system or process.

### Information-specific vulnerabilities

A subset of the above that includes:

- unsecured computer systems
- unpatched/out-of-date systems
- insecure email servers
- unlocked filing cabinets (eh??)

In short, anything that risks leaking information.

## Criticality

The criticality of a vulnerability depends on the potential [[impact]] of an [[attacker]] exploiting it. We can score vulnerabilities using the [[Common Vulnerability Scoring System|CVSS]].