Vulnerabilities and Defenses
Different classes of attacks warrant different defenses. For the discussion that follows, we group attacks into three classes. (We have not tried to prove that these classes cover all possible attacks or that they actually constitute a partition of the space. The analysis in this article, however, depends on neither.)

A configuration attack exploits a vulnerability introduced by the vendor-supplied default configuration or by the system administrator or user who configures the software. Modern software systems are quite flexible, employing configuration files and global databases to customize each installation. Whether this customization is automated or manual, misconfiguration is a common source of vulnerabilities. Moreover, even when customization is not undertaken, vendor-supplied default configuration files have historically all too often permitted improper access to privileged functionality.