Vulnerability

1. Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Source: The State and Local Election Cybersecurity Playbook, Defending Digital Democracy Project, Harvard Kennedy School Belfer Center for Science and International Affairs, https://www.belfercenter.org/sites/default/files/files/publication/StateLocalPlaybook%201.1.pdf

2. A characteristic or specific weakness that renders an organization or asset (such as information or an information system) open to exploitation by a given threat or susceptible to a given hazard.

Source: Explore Terms: A Glossary of Common Cybersecurity Terminology, National Initiative for Cybersecurity Careers and Studies (NICCS), https://niccs.us-cert.gov/about-niccs/glossary

3. A flaw or “bug” in a computer system’s construction or configuration that may be used to improperly gain access to, interfere with the functioning of, or otherwise corrupt a computer system. Vulnerabilities may be known, or unknown (so-called zero days). Vulnerabilities, like the term “secure” need to be defined in terms of a particular kind of attacker. For example, a vulnerability may be exploitable by an attacker who can observe network traffic, but not an attacker who can just send messages to the vulnerable computer. Vulnerabilities can also vary in what they will allow the attacker to do. Some vulnerabilities may permit an attacker to read data, some vulnerabilities may permit an attacker to alter data, some may just permit an attacker to disable the computer for other users. Every system or computer program has vulnerabilities and sometimes fixing one vulnerability may unintentionally create another vulnerability.

Source: Election Cybersecurity 101 Field Guide – Glossary, Center for Democracy & Technology, https://cdt.org/insight/election-cybersecurity-101-field-guide-glossary/

4. A defect in a computer system (software or hardware) that weakens the security guarantees about that computer system. A vulnerability does not necessarily provide an attacker a way of controlling the system or seeing what it is doing, but it leaves open “vectors of attack” through which flaws might potentially be exploited. Finding vulnerabilities in both software and hardware is common.

Source: Open Source Voting in San Francisco, City and County of San Francisco, http://civilgrandjury.sfgov.org/2017_2018/2017-18_SFCGJ_Final_Report_Open_Source_Voting_in_San_Francisco.pdf

5. Characteristic of location or security posture or of design, security procedures, internal controls, or the implementation of any of these that permit a threat or hazard to occur. Vulnerability (expressing degree of vulnerability): qualitative or quantitative expression of the level of susceptibility to harm when a threat or hazard is realized.

Source: Explore Terms: A Glossary of Common Cybersecurity Terminology, National Initiative for Cybersecurity Careers and Studies (NICCS), https://niccs.us-cert.gov/about-niccs/glossary

6. An exploitable flaw that can undermine a system’s security. (This term is often used to describe the overall strategic perception of susceptibility to a given threat actor. It should only be used to describe a cyber-system issue.)

Source: Cyber Threats to Elections – A Lexicon, Cyber Threat Intelligence Integration Center & Office of the Director of National Intelligence, https://www.dni.gov/files/CTIIC/documents/CTIIC_2018_Lexicon_without_banner_small_file_for_Post.pdf

7. A loophole or bug in hardware or software through which attackers can access a system.

Source: Information Assurance Situation in Switzerland and Internationally, Reporting and Analysis Centre for Information Assurance MELANI, https://www.newsd.admin.ch/newsd/message/attachments/11945.pdf

8. The susceptibility of a nation or military force to any action by any means through which its war potential or combat effectiveness may be reduced or its will to fight diminished.

9. The characteristics of a system that cause it to suffer a definite degradation (incapability to perform the designated mission) as a result of having been subjected to a certain level of effects in an unnatural (man-made) hostile environment.

10. In information operations, a weakness in information system security design, procedures, implementation, or internal controls that could be exploited to gain unauthorized access to information or an information system. (JP 1-02 & JP 3-60).

11. A situation or circumstance, which left unchanged, may result in the degradation, loss of life, or damage to mission-essential resources. (DoD 5200.08-R, Physical Security Program, 9 Apr 2007).

12. A weakness or susceptibility of an installation, system, asset, application, or its dependencies that could cause it to suffer a degradation or loss (incapacity to perform its designated function) as a result of having been subjected to a certain level of threat or hazard. (DoDD 3020.40, Critical Infrastructure, 14 Jan 2010).

Source: Terms & Definitions of Interest for DoD Counterintelligence Professionals, Office of the National Counterintelligence, https://www.dni.gov/files/NCSC/documents/ci/CI_Glossary.pdf