You may often hear these terms being used interchangeably in the InfoSec field. There is, however, a big difference between each term. In this post, we will cover each of these terms, what they mean, and how they play a role in Risk Management sphere of InfoSec. While you may hear about
What is a Threat?
A threat is any natural event, human action, or human inaction, that can exploit a weakness (a vulnerability) in a system. Let’s break this down a little simpler. Let’s say you own a home along the Florida coast. A threat to your home would be a hurricane. Now, let’s say that you ride a really expensive bicycle to work in New York and often leave it chained outside. A threat in this situation would be a bike thief. Now that we have an understanding of what a threat is, let’s apply that to InfoSec. Threats in InfoSec can range from hackers, nation-state actors, malware, viruses, and even natural disasters.
- Natural disasters such as floods, fires, tornados, and hurricanes
- Hackers or malicious actors
- Unintentional acts such as accidents, or mistakes that can expose data
What is a Vulnerability?
A vulnerability is a flaw, or a weakness, that a threat can exploit to damage, steal, corrupt, or otherwise violate the three tenets of the CIA triad (Confidentiality, Integrity, Availability). A vulnerability for a home could be that it wasn’t built to withstand hurricane force winds. A vulnerability in a computer system can be any number of missing patches or even misconfigured settings such as having telnet enabled. Hackers can exploit a vulnerability on a system to gain access to sensitive information, modify data, or otherwise cause denial of service attacks. Bad guys are always on the lookout for vulnerabilities, as should you so that you can remediate them before the bad guys can exploit them.
- Non-redundant systems
- Sub-par building design – not built to withstand natural threats
- Open, unused ports on a computer system
- Clear text transmission of sensitive data
- Unpatched systems
What is a Risk?
Finally, we come to risk. Risk can be best summed up as the potential damage, loss, or destruction from a threat exploiting a vulnerability. Remember the home you own along the Florida coast? The risk to that home is complete loss due to hurricane damage. Risks can be hard to gauge in some cases. How do you gauge customer trust? As a company, you risk reputation loss if you are breached and customer data is stolen. How may customers will want to continue doing business with your company? These are very real questions that every company must answer.
- Monetary loss
- Physical asset loss or damage – building destruction due to natural disaster
- Reputation loss
- Legal concerns
- Loss of life
What is an Asset?
Assets are what you are trying to protect. This could be your home, car, computer, passwords, money, or even your life. Applying this to a company can be done the same way. What assets are valuable to the company? What does it want to protect? Assets are what threats impact the most. Again, a threat will exploit a vulnerability of an asset and then poses that risk. For example, a hurricane (threat), can level a poorly built home (vulnerability), and cause total loss (risk) of the asset (home). Make sense?
- Finances – Money
- Physical assets – Home, car, building
- Human life
- Passwords or other sensitive data
Final thoughts
We have covered the definitions of each of these terms to better understand their importance. We also reviewed several examples of each term to better help you solidify this knowledge. Understanding the definition of each of these terms is important. They each play a pivotal role in how they impact each other and the overall business.
Reducing overall risk is a major goal of any vulnerability/risk management program. Understanding the threats that your company faces, the vulnerabilities that it has, and the risks that they pose will greatly improve your ability to provide for effective risk reduction in the environment. These terms are not static as well. Threats, Vulnerabilities, and Risks change all the time, so it is important to keep up-to-date with new threats, new vulnerabilities and identify what risks your company faces.
I hope that this information is helpful for you. Best of luck to you on your journey!
Helpful references for continued reading:
NIST SP 800-40 Creating a Patch and Vulnerability Management Program (Section 2) – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-40ver2.pdf
US-CERT Vulnerability Management – https://us-cert.cisa.gov/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-VM.pdf
CISecurity – Vulnerability Management – https://www.cisecurity.org/wp-content/uploads/2018/07/Cybersecurity-Tech-Basics-Vulnerability-Management-Overview.pdf