| (I) A flaw or weakness in a system's design, implementation, or
operation and management that could be exploited to violate the
system's security policy.
(C) Most systems have vulnerabilities of some sort, but this does
not mean that the systems are too flawed to use. Not every threat
results in an attack, and not every attack succeeds. Success
depends on the degree of vulnerability, the strength of attacks,
and the effectiveness of any countermeasures in use. If the
attacks needed to exploit a vulnerability are very difficult to
carry out, then the vulnerability may be tolerable. If the
perceived benefit to an attacker is small, then even an easily
exploited vulnerability may be tolerable. However, if the attacks
are well understood and easily made, and if the vulnerable system
is employed by a wide range of users, then it is likely that there
will be enough benefit for someone to make an attack.
|
