systems software. Access controls are potentially vulnerable to bypass, failure to correctly
implement the security policy, and ill-defined policies.
Firewalls. A firewall is a trusted computer system that monitors all traffic into and out of a protected
network. It is frequently placed between an organization's internal network and the Internet with the
objective of keeping intruders out and proprietary or sensitive data in. The firewall examines each
incoming or outgoing message to determine whether it should be allowed to pass. Decisions can be
based on protocol, source or destination address or port number, and message contents. Firewalls
are potentially vulnerable to subversion, to malicious code that enters the firewall in a seemingly
legitimate message, and to ill-defined or incomplete policies.
Audit. Audit logs record security-relevant activity, for example, successful and unsuccessful logins,
execution of system commands and applications, and access to files and database records. Auditing
can be performed at both the system level and the application level. Audit mechanisms are
potentially vulnerable to being disabled or bypassed, and audit records to tampering or deletion.
Intrusion detection/monitoring. Intrusion detection systems actively monitor a system for intrusions
and unauthorized activity. They typically inspect audit records, either after the fact or in real-time.
They can look for particular events or event sequences, or for behavior that is abnormal. They are
normally run under the direction of a security officer who specifies the events of interest and
evaluates the results. Monitoring is analogous to the use of guards to keep watch over the physical
premises of a protected site, either through direct surveillance or through video cameras. It is
potentially vulnerable to false positives and false negatives, to being disabled, and to incomplete or
false knowledge about misuse scenarios.
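The event-sequence inspection described above, sketched as an added example that is not part of the original text. The audit record format, event names, threshold, and time window are all assumptions made for illustration, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records (assumed format): timestamp event user source
AUDIT_LOG = """\
2024-01-01T10:00:00 LOGIN_FAIL alice 198.51.100.7
2024-01-01T10:00:05 LOGIN_FAIL alice 198.51.100.7
2024-01-01T10:00:09 LOGIN_FAIL alice 198.51.100.7
2024-01-01T10:00:14 LOGIN_OK alice 198.51.100.7
2024-01-01T10:05:00 LOGIN_FAIL bob 192.0.2.10
2024-01-01T10:05:30 LOGIN_OK bob 192.0.2.10
2024-01-01T11:00:00 LOGIN_FAIL carol 203.0.113.5
2024-01-01T11:00:02 LOGIN_FAIL carol 203.0.113.5
2024-01-01T11:30:00 LOGIN_FAIL carol 203.0.113.5
2024-01-01T11:30:04 LOGIN_OK carol 203.0.113.5
"""

def parse(line):
    """Split one audit record into (datetime, event, user, source)."""
    ts, event, user, src = line.split()
    return datetime.fromisoformat(ts), event, user, src

def detect(log_text, threshold=3, window=timedelta(seconds=60)):
    """Flag a successful login preceded by at least `threshold` failed
    logins for the same (user, source) pair within `window`."""
    failures = defaultdict(deque)  # (user, src) -> recent failure times
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src = parse(line)
        recent = failures[(user, src)]
        # Forget failures that have aged out of the window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if event == "LOGIN_FAIL":
            recent.append(ts)
        elif event == "LOGIN_OK":
            if len(recent) >= threshold:
                alerts.append((ts.isoformat(), user, src, len(recent)))
            recent.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print("ALERT", alert)
```

With the default settings only alice's sequence is flagged. The failed attempts against carol's account are spread over 30 minutes and go unreported (a false negative) unless the window is widened, while lowering the threshold to 1 also flags bob's single mistyped password (a false positive).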
Anti-viral tools. These include scanners, which look for specified patterns; disinfectants, which
remove viruses; and integrity checkers, which check for modifications to files and code. Potential
vulnerabilities include failure to detect unknown viruses or to adequately protect checksums.
Vulnerability assessment tools. These are the same tools described earlier under the attacker's
toolkit. They are potentially vulnerable to failure to detect a weakness or to misuse.