Question 71. What’s the difference between a threat, vulnerability, and a risk?

There’s a direct relationship between threats, vulnerabilities, and risks within the context of security. You can’t fully understand one without understanding the others.

1-Threat is a potential danger. It’s any circumstance or event that can compromise the confidentiality, integrity, or availability of data or a system.

Example of Threat

  • Malicious Insider Threat: anyone who has legitimate access to an organization’s internal resources but exploits this access for personal gain or to damage the company. This person’s actions can compromise confidentiality, integrity, and availability. Because of this, most organizations implement basic controls to prevent potential problems. For example, the principle of least privilege ensures that employees have only the rights and permissions needed to perform their assigned tasks and functions, but no more. Other policies, such as job rotation, separation of duties, and mandatory vacations, combine to help prevent damage from malicious insiders.

Some organizations also implement threat modelling:

  • Threat Modelling: a process that helps an organization identify and categorize threats. It attempts to predict the threats against a system or application along with the likelihood and potential impact of each threat. Once the organization identifies and prioritizes threats, it identifies security controls to protect against the most serious ones. Organizations have limited resources, so it’s not possible to protect against all threats. However, threat modeling improves the security posture of any system or application by ensuring that resources aren’t squandered on low-priority threats.

2-Vulnerability is a flaw or weakness in software or hardware, or a weakness in a process that could be exploited, resulting in a security breach. Just because a vulnerability exists doesn’t mean it will be exploited, only that it can be exploited.

Examples of vulnerabilities include:

  • Lack of updates. If systems aren’t kept up to date with patches, hotfixes, and service packs, they are vulnerable to bugs and flaws in the software.
  • Default configurations. If defaults aren’t changed in hardware and software configurations, they are susceptible to attacks. Similarly, default usernames and passwords are susceptible to attacks if they aren’t changed.
  • Lack of malware protection or updated definitions. If antivirus and anti-spyware protection isn’t used and kept up to date, systems are vulnerable to malware attacks.
  • No firewall. If personal and network firewalls aren’t enabled or configured properly, systems are more vulnerable to network and Internet-based attacks.
  • Lack of organizational policies. If job separation, mandatory vacations, and job rotation policies aren’t implemented, an organization may be more susceptible to fraud and collusion from employees.

Not all vulnerabilities are exploited. For example, a user may install a wireless router using the defaults. It is highly vulnerable to an attack, but that doesn’t mean an attacker will discover it and attack. In other words, just because the wireless router has never been attacked doesn’t mean that it isn’t vulnerable.

3-Risk is the likelihood that a threat will exploit a vulnerability. The result is a negative impact on the organization. Impact refers to the magnitude of harm that can be caused if a threat exercises a vulnerability.

For example, a system without up-to-date antivirus software is vulnerable to malware. Malware written by malicious attackers is the threat. The likelihood that the malware will reach a vulnerable system represents the risk. Depending on what the malware does, the impact may be an unbootable computer, loss of data, or a remote-controlled computer that has joined a botnet.

However, the likelihood of a risk occurring isn’t 100 percent. An isolated system without Internet access, network connectivity, or USB ports has a low likelihood of malware infection. The likelihood increases significantly for an Internet-connected system, and it increases even more if a user visits risky websites and downloads and installs unverified files.

An organization can avoid a risk by not providing a service or not participating in a risky activity. Insurance transfers the risk to another entity. You can mitigate risk by implementing controls. When the cost of the controls exceeds the cost of the risk, many organizations accept the risk.
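The threat-modelling prioritization above and the four risk responses (avoid, transfer, mitigate, accept) can be put into a small risk register. The following is an added example written for this page; it is not from the Security+ Study Guide. The 1-to-5 likelihood and impact scale, the dollar figures, the register entries, and the order in which the responses are considered are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed rating scale (an assumption for this example): likelihood and
# impact are each rated low/medium/high, mapped to 1, 3 and 5.
RATING = {"low": 1, "medium": 3, "high": 5}


@dataclass
class RiskEntry:
    threat: str           # the potential danger (e.g. malware, malicious insider)
    vulnerability: str    # the weakness the threat could exercise
    likelihood: str       # how likely the threat is to exercise the vulnerability
    impact: str           # magnitude of harm if it does
    risk_cost: float      # constructed estimate of the loss if the risk is realised
    control_cost: float   # constructed estimate of the cost of the mitigating control
    avoidable: bool = False  # can the organization simply stop the activity?
    insurable: bool = False  # can the loss be transferred to an insurer?


def risk_score(entry: RiskEntry) -> int:
    """Risk as likelihood x impact on the scale above (1..25)."""
    return RATING[entry.likelihood] * RATING[entry.impact]


def treatment(entry: RiskEntry) -> str:
    """Choose one of the page's four responses. The order of checks is an
    assumption: drop avoidable activities first, mitigate when the control is
    cheaper than the loss, otherwise transfer if insurable, else accept."""
    if entry.avoidable:
        return "avoid"
    if entry.control_cost < entry.risk_cost:
        return "mitigate"
    if entry.insurable:
        return "transfer"
    return "accept"  # control costs more than the risk it would remove


def prioritise(register: list[RiskEntry]) -> list[RiskEntry]:
    """Highest score first, so limited resources go to the most serious threats."""
    return sorted(register, key=risk_score, reverse=True)


def report(register: list[RiskEntry]) -> list[tuple[str, int, str]]:
    """(vulnerability, score, treatment) for each entry, most serious first."""
    return [(e.vulnerability, risk_score(e), treatment(e)) for e in prioritise(register)]


def build_sample_register() -> list[RiskEntry]:
    """Constructed sample register using the scenarios described on this page."""
    return [
        RiskEntry("Malware", "no current antivirus, Internet-connected PC",
                  "high", "high", risk_cost=20_000, control_cost=500),
        RiskEntry("Malware", "no current antivirus, isolated PC (no network, no USB)",
                  "low", "high", risk_cost=300, control_cost=500),
        RiskEntry("Network attacker", "wireless router left on default credentials",
                  "medium", "medium", risk_cost=5_000, control_cost=0),
        RiskEntry("Malicious insider", "no separation of duties for payments",
                  "medium", "high", risk_cost=50_000, control_cost=80_000,
                  insurable=True),
        RiskEntry("Malware", "users download and install unverified files",
                  "high", "high", risk_cost=20_000, control_cost=5_000,
                  avoidable=True),
    ]


if __name__ == "__main__":
    for vuln, score, action in report(build_sample_register()):
        print(f"{score:>2}  {action:<8}  {vuln}")
```

Running the block prints the register ranked by score with the chosen response beside each entry; the isolated PC ends up as an accepted risk because the antivirus licence costs more than the constructed loss estimate, while the insider risk is transferred because the control is dearer than the loss but the loss is insurable.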

Remember this: A risk is the likelihood that a threat will exploit a vulnerability. A vulnerability is a weakness, and not all vulnerabilities are exploited; a threat is a potential danger. It’s not possible to eliminate risk, but you can take steps to manage it.

src: Security+ Study Guide, Darril Gibson.
