If organisations are to protect their sensitive data, they need to understand the three core components of information security: threat, vulnerability and risk. Show
Those unfamiliar with the technicalities of information security might assume that these terms are interchangeable, but that’s not true. This blog explains the difference between risks, threats and vulnerabilities, with examples for each. A vulnerability is a known flaw that can be exploited to damage or compromise sensitive information. Vulnerabilities are often associated with software flaws and how they can be exploited to perform tasks they weren’t intended for. For instance, an attacker might exploit a vulnerability to plant malware on the organisation’s systems. But vulnerabilities can also refer to weaknesses in physical security systems and employees. This might be because a malicious actor can take advantage of the vulnerability to gain unauthorised access to sensitive information, or because the employee is liable to make mistakes. Information security vulnerability examplesSoftware vulnerabilities include injection flaws, cross-site scripting flaws, broken access control and misconfigurations. Examples of physical weaknesses are broken locks that let unauthorised parties into a restricted part of your premises and structural flaws in the building, such as a leaky pipe near a power outlet. Other vulnerabilities include inherent human weaknesses, such as our susceptibility to phishing emails or the likelihood that we’ll misplace a sensitive file or send it to the wrong person. See also:
What is an information security threat?An information security threat occurs when a vulnerability is exploited, whether intentionally or accidentally. It includes any event that could negatively affect an asset – for example, if it’s lost, knocked offline or accessed by an unauthorised party. Information security threat examplesThere are three types of threat. The first are unintentional threats, such as an employee sending sensitive files to the wrong person or losing a hard drive. In this instance, an employees’ susceptibility to make a mistake is the vulnerability. Meanwhile, the threat is the event itself that causes that mistake – i.e. the act of sending sensitive files to the wrong person. The second type of threat are natural events, which can be caused by poor weather (such as a hurricane or snowstorm) or infrastructural damage (such as a burst pipe or a fire). Again, the vulnerability is the organisation’s premises being located somewhere that may experience bad weather or infrastructural damage. The threat is the event related to that. Finally, there are intentional threats, which comprise the actions of criminal hackers and malicious insiders. For example, an attacker may knock an organisation offline with a ransomware attack, and a malicious insider may misappropriate sensitive information. What is information security risk?An information security risk is defined as the effects of a threat exploiting a vulnerability. Risks include financial losses, loss of privacy, reputational damage and regulatory action. Information security risk examplesA typical example of a risk is an employee falling for a phishing scam. These are malicious emails that trick people into handing over their login credentials or downloading an attachment containing malware. In this example, the phishing email is the threat and the employee’s susceptibility to be fooled is the vulnerability. If they mistakenly open the attachment, the malware will be released onto their system and cause huge problems. Often, this entails attackers using spyware to monitor what the employee does on that system, thus giving them access to databases and other sensitive files. The other form of phishing involves a more direct attack. The scammer makes the employee think they are logging in to a legitimate service but are instead handing over their username and password. These are the risks associated with phishing scams. Another example of an information security risk is a ransomware attack. In this case, the ransomware is the threat and how they plant it (often a system flaw or a phishing email) is the vulnerability. Once infected, the organisation is locked out of its systems, with the attackers demanding a fee in exchange for the decryption key. Given that cyber security experts warn against paying ransomware attackers, the organisation must resort to manual processes where possible. This will slow down processes and could result in deadlines not being met and contracts not being fulfilled. Planning for vulnerabilities, threats and risksNow that you understand the differences between vulnerabilities, threats and risks, you can see that information security comprises an intricate set of circumstances. You should also be able to see a logical approach to the way risk management works. If you take an asset-based approach, you start with the information or location that could be compromised and then work out the ways it could be damaged (vulnerability) and how that could occur (threat). Once you’ve defined those, you can identify your risks. Of course, that’s only the first part of information security risk management; there’s also the managing aspect. This involves documenting, assessing and prioritising risks, then implementing measures to keep you protected. This can be a labour-intensive task, but with our risk management tool, vsRisk, the hard work has been done for you.  This software package provides a fast and straightforward way to create your risk assessment methodology and deliver repeatable, consistent assessments year after year. Its asset library assigns organisational roles to each asset group, applying relevant threats and risks by default. Meanwhile, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks. Try vsRisk today with our free 30-day trial. What is the relationship between vulnerabilities and threats quizlet?vulnerability is a weakness in the system that might be exploited to cause loss or harm. a threat is anything that can exploit a vulnerability and obtain damage or destroy an asset.
Are threats and vulnerabilities the same?A threat and a vulnerability are not one and the same. A threat is a person or event that has the potential for impacting a valuable resource in a negative manner. A vulnerability is that quality of a resource or its environment that allows the threat to be realized. An armed bank robber is an example of a threat.
How are threats vulnerabilities and assets related to one another?That is, Asset + Threat + Vulnerability = Risk. Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets. Thus, threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities then there is little/no risk.
What is the relationship between vulnerability and exploit?As we've written before, a vulnerability is a weakness in a software system. And an exploit is an attack that leverages that vulnerability. So while vulnerable means there is theoretically a way to exploit something (i.e., a vulnerability exists), exploitable means that there is a definite path to doing so in the wild.
|
