Wordconcepts
Basicexplanation
1. [foro; perdita; perdita]: piccoli fori per tappare le perdite.
2. [difetto;punti deboli;buco;scappatoia]: dove le leggi, i decreti, i trattati o gli accordi non sono ben formulati, i difetti dovrebbero colmare le ovvie scappatoie nella legislazione.
Citationexplanation
1.Lacune;piccoli buchi.Ming Lushen's"ExcerptfromStoppingRecords":"ThelefthandGuan hasasslipperyandlowpulse,thefourthlobeoftheliveisleaky,andtheinferiorpartisconnected."
2.Vulnerabilità,punti imprecisi."Frosty LeavesAreRedLikeFebruaryFlowers"5 di MaoDun:"WangBoxhen è anche molto intelligente quando vuole venire.
Informationtechnologymeaning
VulnerabilityreferstotheweaknessordefectofasystemthatattacksorisdangeroustoaspecificthreatThesensitivityoftheincident,orthepossibilityofthethreatofanattack.Vulnerabilitiesmaycomefromdefectsinthedesignofapplicationsoftwareoroperatingsystemsorerrorsincoding,orfromdesigndefectsintheinteractiveprocessingofthebusinessorunreasonablelogicflow.Thesedefects,errorsorunreasonablepointsmaybeintentionallyorunintentionallyexploited,whichwilladverselyaffectanorganization’sassetsoroperations.Forexample,theinformationsystemisattackedorcontrolled,importantinformationisstolen,userdataistamperedwith,andthesystemisusedasAspringboardtoinvadeotherhostsystems.Judgingfromthevulnerabilitiesfoundsofar,therearefarmorevulnerabilitiesinapplicationsoftwarethanvulnerabilitiesinoperatingsystems,andvulnerabilitiesinWEBapplicationsystemsaccountforthevastmajorityofvulnerabilitiesininformationsystems.
1.Therelationshipbetweenthevulnerabilityandthespecificsystemenvironmentanditstime-relatedcharacteristics
Thevulnerabilitywillaffectawiderangeofhardwareandsoftwaredevices,includingTheoperatingsystemitselfanditssupportingsoftware,networkclientandserversoftware,networkroutersandsecurityfirewalls,etc.Inotherwords,theremaybedifferentsecurityvulnerabilitiesinthesedifferenthardwareandsoftwaredevices.Differenttypesofsoftwareandhardwaredevices,differentversionsofthesamedevice,differentsystemscomposedofdifferentdevices,andthesamesystemunderdifferentsettingconditionswillhavetheirowndifferentsecurityvulnerabilities.
Theissueofvulnerabilitiesiscloselyrelatedtotime.Fromthedayasystemisreleased,asusersdeepenitsuse,thevulnerabilitiesinthesystemwillcontinuetobeexposed,andthesevulnerabilitiesdiscoveredearlierwillalsobeconstantlypatchedbythepatchsoftwarereleasedbythesystemvendor,orreleasedinthefuture.Becorrectedinthenewversionofthesystem.Whilethenewversionofthesystemcorrectstheloopholesintheoldversion,itwillalsointroducesomenewloopholesanderrors.Soovertime,oldloopholeswillcontinuetodisappear,andnewloopholeswillcontinuetoappear.Vulnerabilitieswillalsoexistforalongtime.
Therefore,itismeaninglesstodiscussthevulnerabilitieswithoutthespecifictimeandspecificsystemenvironment.Wecanonlydiscussthepossiblevulnerabilitiesandfeasiblesolutionsfortheactualenvironmentsuchastheoperatingsystemversionofthetargetsystem,thesoftwareversionrunningonit,andtheserviceoperationsettings.
Atthesametime,itshouldbenotedthattheresearchonvulnerabilitiesmusttrackthelatestdevelopmentsinthecurrentcomputersystemanditssecurityissues.Thisissimilartotheresearchonthedevelopmentofcomputerviruses.Ifyoucan'tkeeptrackofnewtechnologiesinyourwork,youwon'thavetherighttotalkaboutsystemsecurityvulnerabilities,andeventheworkdonebeforewillgraduallylosevalue.
2.Theharmandpreventionofvulnerabilities
Theexistenceofvulnerabilitiescaneasilyleadtohackers’intrusionandthepresenceofviruses,whichcanleadtodatalossandtampering,Privacydisclosureandevenmonetaryloss,suchas:thewebsiteishackedduetoloopholes,websiteuserdatawillbeleaked,websitefunctionsmaybedisruptedandsuspended,ortheserveritselfiscontrolledbytheintruder.Inthecurrentdevelopmentofdigitalproducts,vulnerabilitieshavebeenextendedfromcomputersascarrierstodigitalplatforms,suchasmobilephoneQRcodevulnerabilities,Androidapplicationvulnerabilities,etc...
Systemvulnerabilities
Overview
Systemvulnerabilitiesrefertoflawsinthelogicdesignofapplicationsoftwareoroperatingsystemsoftwareorerrorsinwriting.ThisflaworerrorcanbeexploitedbycriminalsorcomputerhackersbyplantingTrojanhorsesorviruses.Attackorcontroltheentirecomputerbyothermeans,therebystealingimportantdataandinformationinyourcomputer,orevendestroyingyoursystem.
Principium
Theproblemofwindowssystemvulnerabilitiesiscloselyrelatedtotime.Fromthedayawindowssystemisreleased,asusersdeepenuse,thevulnerabilitiesinthesystemwillcontinuetobeexposed,andthesevulnerabilitiesdiscoveredearlierwillalsobeconstantlypatchedbythesystemvendor:Microsoft’spatchsoftware.Oritwillbecorrectedinanewversionofthesystemthatwillbereleasedlater.Whilethenewversionofthesystemcorrectstheloopholesintheoldversion,itwillalsointroducesomenewloopholesanderrors.
Soovertime,oldsystemvulnerabilitieswillcontinuetodisappear,andnewsystemvulnerabilitieswillcontinuetoappear.Systemvulnerabilitieswillalsoexistforalongtime.
MicrosoftSecurityBulletin
Intheearlymorning ofFebruary12,2014,Microsoftreleased7vulnerabilitypatches,including4"critica" levelpatchesand3"critica" levelvulnerabilities.Fixed multiplevulnerabilities in InternetExplorer,.Net, et Fenestra, et specifica vulnerability in Fenestra VIII.
OnJanuary16,2014,theJanuarysecuritybulletinwasreleased.Thepatchlevelsofthe4vulnerabilitiesareall"important".TheyfixtheMSOfficeWord,Windows7kernelandtheoldversionoftheWindowskerneldriver.Therearemultipleremotecodeexecutionandprivilegeescalationvulnerabilities.AlsopushedaretheversionupdateinstallationpackageofAdobeFlashPlayer12andthesecurityupdateofAdobeReader.
MicrosoftgenerallyreleasessecuritybulletinsonthesecondTuesdayofeachmonth,whichiscalled"PatchTuesday."
Level
Vulnerabilitas in quattuor speciebus secundum suam severitatem classificata est: "Urgente", "Maxima", "Monitio", et "Cautio". Generaliter loquendo, quod definiendum est, quod definiendum est.
Passibilitaterepair
ThesystemautomaticallyupdatesUpdate,orautomaticallyrepairsitwithsecuritysoftwaresuchasComputerManager.
Classification
Fliesdonotstareatseamlesseggs.Intruderscaneasilybreakintothesystemaslongastheyfindacrackinthecomplexcomputernetwork.Soknowingwheretheseseamsarelikelytobeiscrucialtorepairingthem.Usuallycracksaremainlymanifestedinsoftwarecompilationbugs,impropersystemconfiguration,passwordtheft,cleartextcommunicationinformationbeingmonitored,anddefectsintheinitialdesign.
Therearebugsinsoftwarewriting
Whetheritisserverprogram,clientsoftwareoroperatingsystem,aslongasitiswrittenincode,therewillbevariousdegreesofbugs.Bugsaremainlydividedintothefollowingcategories:
(1)Bufferoverflow:Referstotheintruderenteringastringofmorethanthespecifiedlengthintherelevantinputitemsoftheprogram,andtheexcesspartisusuallywhattheintruderwantsTheattackcodetobeexecuted,andtheprogramwriterdidnotchecktheinputlength,whicheventuallycausedtheextraattackcodetooccupythememorybehindtheinputbufferandbeexecuted.Don'tthinkthat200charactersareenoughfortheloginusernameandnolongercheckthelength.Theso-calledanti-littlebutnotgentleman,theintruderwilltryeverymeanstotrytheattack.
(2).Unexpectedjointuseproblem:Aprogramisoftencomposedofmultiplelayersofcodewithdifferentfunctions,eveninvolvingthelowestoperatingsystemlevel.Intrudersusuallyusethisfeaturetoinputdifferentcontentfordifferentlayersinordertoachievethepurposeofstealinginformation.Forexample:ForaprogramwrittenbyPerl,theintrudercanentersomethinglike"mailoperatingsystemtocallthemailprogram,andsendanimportantpasswordfiletotheintruder.Borrowaknifetokillsomeone,borrowaMailtosenda"letter",itistrueHigh!
(3)Noexpectedcheckofinputcontent:Someprogrammersareafraidoftroubleanddonotperformexpectedmatchingcheckoninputcontent,whichmakesthejobofintruderdeliveringbombseasyandsimple.
(4)Raceconditions:Therearemoreandmoremulti-taskingandmulti-threadedprograms.Whileimprovingtheefficiencyofoperation,wemustalsopayattentiontotheproblemsofRaceconditions.Forexample:ProgramAandProgramBareinaccordancewith"Read/Modify/Write"Operateafileintheorderof.WhenAfinishesreadingandmodifying,Bstartstoimmediatelyexecuteallthe“read/modify/write”tasks.Atthistime,Acontinuestoperformthewritingwork,andtheresultisthatB’soperationhasnoperformance!Intrudersmayusethisvulnerabilityintheprocessingsequencetorewritesomeimportantfilestoachievethepurposeofbreakingintothesystem.Therefore,programmersshouldpayattentiontothesequenceoffileoperationsandlockingissues.
Impropersystemconfiguration
(1)Insufficientdefaultconfiguration:Manysystemshavedefaultsecurityconfigurationinformationafterinstallation,whichisusuallycalledeasytouse.Unfortunately,easytousealsomeanseasytobreakin.Therefore,thedefaultconfigurationmustbeabandoned.
(2).Administratorlaziness:Oneofthemanifestationsoflazinessistokeeptheadministratorpasswordemptyafterthesystemisinstalledandnotmodifyitafterwards.Youknow,thefirstthingtheintruderhastodoistosearchthenetworkforsuchmachineswithanemptypasswordfortheadministrator.
(3)Temporaryport:sometimesfortestingpurposes,theadministratorwillOpenatemporaryportonthemachine,butforgottoprohibititafterthetest,thiswillgivetheintruderaholetofindandaleaktodrill.Theusualsolutionis:unlessaportismandatory,itisprohibitedIt!Ingeneral,securityauditdatapacketscanbeusedtodiscoversuchportsandnotifytheadministrator.
(4),trustrelationship:systemsbetweennetworksoftenestablishtrustrelationshipstofacilitateresourcesharing,butthisItalsogivesintrudersthepossibilityofindirectattacks.Forexample,aslongasonemachineinthetrustgroupiscompromised,itispossibletofurtherattackothermachines.Therefore,thetrustrelationshipmustbestrictlyreviewedtoensureatruesecurityalliance.
Passwordtheft
(1) Aweakpassword: cum sit, quamvis verbum inesset, itssosimplere potest quod intrusor.
(2)Dictionaryattack:referstotheintruderusingaprogramthatusesadictionarydatabasecontainingusernamesandpasswordstocontinuouslytrytologintothesystemuntilitsuccessfullyenters.ThereisnodoubtthatthisThekeytothiswayItliesinhavingagooddictionary.
(3)Bruteforceattack:similartodictionaryattack,butthisdictionaryisdynamic,thatis,thedictionarycontainsallpossiblecharactercombinations.Forexample,a4-characterpasswordcontaininguppercaseandlowercasehasabout500,000combinations,anda7-characterpasswordcontaininguppercaseandlowercaseandpunctuationhasabout10trillioncombinations.Forthelatter,ittakesaboutafewmonthsforageneralcomputertotestitagain.Seethebenefitsoflongpasswords,it’sreallyalotofmoney!
Sniffingunencryptedcommunicationdata
(1),sharedmedia:thetraditionalEthernetstructureisveryItisconvenientforanintrudertoplaceasnifferonthenetworktoviewthecommunicationdataonthenetworksegment,butifaswitchedEthernetstructureisadopted,thesniffingbehaviorwillbecomeverydifficult.
(2)Serversniffing:Switchednetworksalsohaveanobviousshortcoming.Intruderscaninstallasniffersoftwareontheserver,especiallytheserverthatservesasaroutingfunction,andthenpassitThecollectedinformationbreaksintoclientmachinesandtrustedmachines.Forexample,althoughtheuser'spasswordisnotknown,whentheuserlogsinusingTelnetsoftware,hecansniffthepasswordheentered.
(3)Remotesniffing:ManydeviceshaveRMON(Remotemonitor,remotemonitoring)functionsothatmanagerscanusepubliccommunitystringsforremotedebugging.Withthecontinuouspopularizationofbroadband,intrudersarebecomingmoreandmoreinterestedinthisbackdoor.
Designflaws
(1),TCP/IPprotocolflaws:TCP/IPprotocolisnowwidelyused,butitwasdesignedtoberampantbyintrudersItwasdesignedlongagotoday.Therefore,therearemanydeficienciesthatcausesecurityvulnerabilities,suchassmurfattacks,ICMPUnreachablepacketdisconnection,IPaddressspoofing,andSYNflood.However,thebiggestproblemisthattheIPprotocolisveryeasyto"trust",thatis,intruderscanforgeandmodifyIPdatapacketsatwillwithoutbeingdiscovered.Ipsecprotocolhasbeendevelopedtoovercomethisshortcoming,butithasnotbeenwidelyused.
Systemattack
Systemattackreferstoaperson'sillegaluseordestructionofresourcesinaninformationsystem,aswellasunauthorizedactsthatcausethesystemtolosepartorallofitsservicefunctions.
Theattackactivitycangenerallyberoughlydividedintotwotypes:remoteattackandinternalattack.NowwiththeprogressoftheInternet,theremoteattacktechnologyamongthemhasbeengreatlydeveloped,andthethreatsaregettingbiggerandbigger,andtherearemoresystemvulnerabilitiesandrelatedknowledgeinvolved,soithasimportantresearchvalue.