Understanding Vulnerability, Threat & Risk

Consider the following two examples:

There is an office building with no physical security controls. There is no perimeter wall around the building. At the entrance, nobody asks for any identification. There is no baggage scanner.

An e-commerce company has around 50 computers in an office through which it manages its back-end operations. The systems are not connected to the Internet, and hence no anti-virus solution is installed on them. Moreover, anyone can log in to these systems, as there is no authentication mechanism (simply stated, no username or password) required to log in.

What do you make of the above scenarios? I sense that you understand that in both situations there is a risk to the building and to the company. Let’s understand the definitions of the three most commonly used terms in information security.

Vulnerability – A weakness. In other words, the inability to withstand the effects of a hostile environment. In information security, the weakness may be physical or logical, i.e. it can be a hardware, software, human or physical weakness.
Now read the scenarios once again. Can you identify the vulnerabilities in them? In the first one, one of the weaknesses is the lack of a perimeter wall. Here the perimeter wall would be called a countermeasure. A countermeasure is a safeguard that is put in place. Hence a vulnerability can also be defined as a “lack of countermeasure”. Another weakness is that no identification is asked for, which allows anyone to enter the building.

In the 2nd scenario, the lack of an antivirus solution is a vulnerability. The lack of any authentication mechanism is also a weakness.

Threat – The potential danger of a vulnerability being exploited. In the first scenario, there is a threat of a person entering the building and attacking it. In the 2nd scenario, there is a potential danger of the systems being infected with viruses or encrypted by a ransomware attack. In both cases, there is a potential danger of the weaknesses in the systems being exploited by some entity. This entity is known as the threat agent. Simply stated, a threat agent is an entity that can exploit a weakness in the system. A threat agent can be a person, a piece of software or a bot.

Risk – Read the above scenarios once again. What is the likelihood that the building will be attacked or that the systems will be hit by a ransomware attack? This probability, which you calculate or estimate from experience, is the risk. In numerical terms, many books define risk as the product of threat and vulnerability. If the vulnerability is exploited by a threat agent, damage may occur. Hence, the real potential damage that can happen is the risk.

Let me ask you another question. Do you think the risk would change if I gave you the additional information that the office building is near a military zone and that the systems have their USB ports disabled? If your answer is yes, great. This is the context in which you talk about risk. A risk is not something that is calculated once and acted upon, nor is it the same in every context or scenario. As scenarios, conditions and countermeasures change, the risk changes. Unfortunately, many organizations do not understand this fact.
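The point that risk changes with context and countermeasures, as an added Python example that is not part of the original post. The 1-to-5 scores for threat and vulnerability are constructed assumptions, and `risk = threat * vulnerability` follows the multiplication the post mentions.

```python
from dataclasses import dataclass, field

# Constructed 1-5 ordinal scales: 5 = most likely threat / most severe weakness.
@dataclass
class Scenario:
    name: str
    threat: int           # likelihood that a threat agent acts on the weakness
    vulnerability: int    # severity of the weakness (lack of countermeasure)
    countermeasures: list = field(default_factory=list)

def clamp(value):
    """Keep a score on the 1-5 scale."""
    return max(1, min(5, value))

def risk_score(s):
    """Risk = threat x vulnerability, as the post states."""
    return s.threat * s.vulnerability

def add_countermeasure(s, name, vuln_reduction):
    """A safeguard lowers the vulnerability score (never below 1); threat is unchanged."""
    s.countermeasures.append(name)
    s.vulnerability = clamp(s.vulnerability - vuln_reduction)
    return risk_score(s)

def change_context(s, threat_delta):
    """A change of context (e.g. a more exposed location) changes the threat score."""
    s.threat = clamp(s.threat + threat_delta)
    return risk_score(s)

def worked_example():
    """Re-evaluate both scenarios from the post with the extra information given."""
    building = Scenario("office building", threat=3, vulnerability=5)
    office = Scenario("e-commerce back office", threat=3, vulnerability=5)
    before = {s.name: risk_score(s) for s in (building, office)}
    # Building near a military zone: threat rises, the weakness itself is unchanged.
    change_context(building, +2)
    # USB ports disabled: a countermeasure shrinks the weakness, threat is unchanged.
    add_countermeasure(office, "USB ports disabled", 2)
    after = {s.name: risk_score(s) for s in (building, office)}
    return before, after

if __name__ == "__main__":
    before, after = worked_example()
    for name in before:
        print(f"{name}: risk {before[name]} -> {after[name]}")
```

The same vulnerability score can yield a higher or lower risk depending on the threat in the new context, which is why a risk assessment has to be repeated whenever conditions or countermeasures change.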

Let’s consider one more scenario to understand these terms better.

JJ is the new security manager in a firm. He is asked to review the risks his organization faces and submit a report. On analyzing the company’s controls, JJ finds that the company does not have an asset inventory in place. The users are also not aware of the organization’s policies and procedures.

1. What would JJ classify the awareness issue as?
a. Threat
b. Threat Agent
c. Risk
d. Vulnerability
2. How would you classify the asset inventory issue?
a. Threat
b. Threat Agent
c. Risk
d. Vulnerability

Write your answers in the comment section below.
