NIST’s Common Misuse Scoring System provides security managers with a systematic way to determine the severity of software feature misuse, such as dangerous or illicit email practices, so that the organization can determine how to handle the problem.
While security managers' attention is often focused on software flaws, software features also introduce vulnerabilities: intentional or accidental misuse of a feature can leak sensitive information, corrupt data, or reduce system availability, the report observes.
NIST categorizes software vulnerabilities in three general groups: software flaws from coding errors that allow security breaches; configuration vulnerabilities from setting the software up improperly; and software feature misuse from attackers violating the trust assumptions that are inherent in software features to subvert a system's security.
"Two common [email feature] problems are social engineering and insider threats," said Karen Scarfone, one of the publication's authors. When users open a malicious email attachment or link, the attackers who sent the email can gain access to the organization's network to steal confidential information or bring down systems. These problems can be expensive, costing a company money, exposing valuable data, and hurting its reputation, Scarfone explained.
In addition, NIST has updated two guides on network attacks and malware: one on network intrusion detection and prevention systems and the other on malware incident prevention and handling for desktops and laptops. Public comments on the updates are due by Aug. 31.