If you read much about cyberattacks or data breaches, you have certainly come across the terms vulnerabilities, threats, and exploits. Unfortunately, these terms are often left undefined, misused, or, worse, used interchangeably. This is a problem, because misunderstanding these terms (and some other important ones) can lead organizations to make incorrect security assumptions, focus on the wrong or irrelevant security issues, deploy security controls needlessly, take unnecessary actions (or fail to take necessary ones), and leave themselves unprotected or with a false sense of security.
It is important for security professionals to understand these terms precisely, along with their relationship to risk. After all, the goal of information security is not just to "protect things" indiscriminately. The higher-level objective is to help the organization make informed decisions about managing risk to its information, yes, but also to the business, its operations, and its assets. There is no point in protecting "things" if, in the end, the organization cannot sustain its operations because it failed to manage risk successfully.
What Is Risk?
In the context of cybersecurity, risk is often expressed as an "equation": Threats x Vulnerabilities = Risk, as if vulnerabilities were something you could multiply by threats to arrive at the risk. This is a misleading and incomplete representation, as we will see shortly. To explain risk, we will define its basic components and draw some analogies with the well-known children's tale of The Three Little Pigs.[1]
Wait! Don't give up just because you think a children's story is too juvenile to explain the complexities of information security. In the world of infosec, where perfect analogies are hard to come by, The Three Little Pigs provides some very useful ones. Recall that the hungry big bad wolf threatens to eat the three little pigs by blowing down their houses, the first built of straw and the third built of bricks. (We'll ignore the second pig with his house of sticks, since he's pretty much in the same boat as the first pig.)
Defining the Risk Components
A discussion of vulnerabilities, threats, and exploits raises many questions, one of which is: What is being threatened? So let's start by defining assets.
An asset is anything of value to an organization. This includes not just systems, software, and data but also people, infrastructure, facilities, equipment, intellectual property, technologies, and much more. In infosec, the focus is on information systems and the data they transact, share, and store. In the children's story, the houses are the pigs' assets (and arguably the pigs themselves are assets, since the wolf threatens to eat them).
Inventorying and assessing the value of each asset is a critical first step in risk management. This can be a monumental undertaking for many organizations, especially large ones, but it is essential in order to assess risk accurately (how do you know what's at risk if you don't know what you have?) and then determine what type and level of protection each asset needs.
A vulnerability is any weakness (known or unknown) in a system, process, or other entity that could allow its security to be compromised by a threat. In the children's story, the first pig's straw house is inherently vulnerable to the wolf's powerful breath, while the third pig's brick house is not.
In information security, vulnerabilities can exist almost anywhere, from hardware devices and infrastructure to operating systems, firmware, applications, modules, drivers, and application programming interfaces (APIs). Tens of thousands of software bugs are discovered every year. Details are published on sites such as cve.mitre.org and nvd.nist.gov (and, hopefully, on the affected vendors' sites), along with scores that attempt to rate their severity.[2,3]
Responsible vendors typically release patches in a timely manner to address specific known vulnerabilities. However, this does not guarantee that organizations using the vulnerable products will apply the patch. In fact, some of the most high-profile attacks and data breaches have occurred at organizations that failed to fix vulnerabilities that had been known for years. (A zero-day refers to a newly discovered vulnerability for which no patch yet exists.)
A threat is any action (event, occurrence, circumstance) that could disrupt, damage, destroy, or otherwise adversely affect an information system (and therefore an organization's business and operations). Seen through the lens of the CIA triad, a threat is anything that could compromise the confidentiality, integrity, or availability of systems or data. Except in cases of natural disasters such as floods or hurricanes, threats are perpetrated by threat agents or threat actors, ranging from inexperienced so-called script kiddies to notorious hacker groups such as Anonymous and Cozy Bear (aka APT29). Threats can be intentional or accidental and can come from internal or external sources. In The Three Little Pigs, the wolf is the obvious threat agent; the threat is his stated intention to blow down the pigs' houses and eat them.
Used as a verb, exploit means to take advantage of a vulnerability. Used as a noun, an exploit refers to a tool, usually in source code or binary form. This code makes it easier for attackers to take advantage of a specific vulnerability, often giving them unauthorized access to something (a network, a system, an application, etc.). The payload, chosen by the threat actor and delivered via the exploit, carries out the chosen attack, such as downloading malware, escalating privileges, or exfiltrating data.
In the children's story the analogies aren't perfect, but the wolf's mighty breath is the closest thing to an exploit tool, and the payload is the destruction of the house. Afterwards, he hoped to eat the pig, his "secondary" attack. (Note that many cyberattacks are multi-layered attacks.)
Exploit code for many vulnerabilities is publicly available (on the open internet at sites such as exploit-db.com, as well as on the dark web) for attackers to buy, share, or use. (Organized crime groups and nation-state actors write their own exploit code and keep it to themselves.) It is important to note that exploit code does not exist for every known vulnerability. Attackers tend to invest their time developing exploits for vulnerabilities in widely used products and for those with the greatest potential to result in a successful attack. Therefore, although the term exploit code does not appear in the Threats x Vulnerabilities = Risk "equation", it is an integral part of what makes a threat possible.
For now, let's refine our incomplete definition above and say that risk constitutes a specific vulnerability paired with (not multiplied by) a specific threat. In the story, the pig's vulnerable straw house together with the wolf's threat to blow it down constitutes a risk. Likewise, the threat of SQL injection paired with a specific vulnerability found, for example, in a specific SonicWall product (and version) and detailed in CVE-2021-20016[4] constitutes a risk. But to fully assess the level of risk, both probability and impact must also be considered (more on these two terms in the next section).
Before we continue, there are two important points to understand:
- If a vulnerability has no corresponding threat (no exploit code exists), there is no risk. Likewise, if a threat has no corresponding vulnerability, there is no risk. This is the case with the third pig, whose brick house is invulnerable to the wolf's threat. If an organization fixes the vulnerability described in CVE-2021-20016 on all of its affected systems, the risk no longer exists because that specific vulnerability has been removed.
- The second point, seemingly contradictory, is that the potential for risk always exists, because (1) exploit code for known vulnerabilities can be developed at any time, and (2) new, previously unknown vulnerabilities will eventually be discovered, leading to potential new threats. As we learn at the end of The Three Little Pigs, the wolf discovers the chimney of the third pig's brick house and decides to climb down it to get the pigs. Aha! A new vulnerability paired with a new threat constitutes a (new) risk. Attackers are always looking for new vulnerabilities to exploit.
Accurately Assessing Risk
Without going into an in-depth discussion of risk assessment,[5] let's define the two essential elements of risk calculations that are often overlooked.
Probability is the chance or likelihood that a specific threat will exploit a specific vulnerability. Factors that influence probability include a threat actor's motivation and capabilities, the ease with which a vulnerability can be exploited, the attractiveness of a vulnerable target, the security controls in place that could prevent a successful attack, and much more. If exploit code exists for a specific vulnerability, the attacker is skilled and highly motivated, and the vulnerable target system has few security controls, the likelihood of an attack is potentially high. When the opposite of any of these is true, the probability decreases.
For the first pig, the probability of attack was high because the wolf was hungry (motivated), had the opportunity, and had a reasonably effective exploit tool (his powerful breath). However, had the wolf known in advance about the pot of boiling water in the third pig's chimney, the "security control" that ended up killing the wolf and saving the pigs, the probability that he would come down the chimney would likely have been zero. The same goes for skilled and motivated attackers who, faced with overwhelming security controls, may choose to move on to easier targets.
Yes, yes, yes. There are endless variations in motivation, skill, ease of exploitation, security controls, and other factors that affect probability.
Impact describes the damage that could be done to the organization and its assets if a specific threat were to exploit a specific vulnerability. Of course, it is impossible to measure impact accurately without first determining the value of the assets, as mentioned above. Obviously, some assets are more valuable to the business than others. Compare, for example, the impact on a company of losing availability of an e-commerce site that generates 90% of its revenue to the impact of losing an infrequently used web application that generates minimal revenue. The first loss could put a shaky company out of business, while the second could be insignificant. It is no different in our children's story, where the impact was high for the first pig, left homeless after the wolf's attack. Had his straw house been just a makeshift rain shelter that he rarely used, the impact would have been negligible.
Putting the Risk Puzzle Pieces Together
Assuming there is a match between a vulnerability and a threat, it is essential to consider both probability and impact to determine the level of risk. A simple, qualitative (versus quantitative)[6] risk matrix like the one shown in Figure 1 illustrates the relationship between the two. (Note that there are many variations of this matrix, some much more granular and detailed.)
Using our example above, yes, the loss of a company's main e-commerce site could have a significant impact on revenue, but what is the probability of this happening? If it is low, the risk level is medium. Likewise, if an attack on a rarely used web application that generates little revenue is highly probable, the risk level is also medium. Therefore, statements such as "If this machine is hacked, all our data will be owned!" or "Our passwords are too short and that's risky!" are incomplete and only marginally useful, because neither addresses both probability and impact.[7]
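The pairing rule from the two points above (no vulnerability/threat pair, no risk) and the probability-impact matrix of this section can be put together in a few lines of Python. This is an added example, not code from the article or from F5 Labs; the scoring weights, the matrix cells, the product names, versions, CVE identifiers (placeholders) and the threat actor are all constructed assumptions for illustration, not real data.

```python
"""Added example: pair vulnerabilities with threats and rate risk on a 3x3 qualitative matrix.

Models the article's definitions (asset, vulnerability, threat/exploit, probability,
impact, risk).  Scoring weights, matrix cells and every asset, version, CVE id and
threat actor below are constructed for this example; none is real data.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, ...]   # e.g. (1, 2, 0); tuples compare element-wise
Level = str                 # "low" | "medium" | "high"


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: Version   # version actually installed
    value: Level       # impact to the business if this asset is compromised
    controls: int      # effective security controls that hinder an attack (0-3)


@dataclass(frozen=True)
class Vulnerability:
    cve_id: str            # placeholder id, not a real CVE
    product: str
    fixed_in: Version      # first version that carries the vendor's patch
    ease: str              # "easy" | "moderate" | "hard" to exploit
    exploit_public: bool   # is working exploit code known to exist?


@dataclass(frozen=True)
class ThreatActor:
    name: str
    capable: bool
    motivated: bool


def is_vulnerable(asset: Asset, vuln: Vulnerability) -> bool:
    """The weakness is present only if the product matches and the patch is missing."""
    return asset.product == vuln.product and asset.version < vuln.fixed_in


def probability(vuln: Vulnerability, actor: ThreatActor, asset: Asset) -> Level:
    """Likelihood that this actor exploits this vulnerability on this asset.

    Illustrative weights: ease of exploitation and actor capability/motivation
    raise the score, each effective control lowers it.
    """
    score = {"easy": 2, "moderate": 1, "hard": 0}[vuln.ease]
    score += int(actor.capable) + int(actor.motivated)
    score -= asset.controls
    if score >= 3:
        return "high"
    if score >= 1:
        return "medium"
    return "low"


# (probability, impact) -> risk level.  One of many possible qualitative matrices;
# the two "medium" corners match the article's e-commerce examples.
RISK_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


def assess(asset: Asset, vuln: Vulnerability, actor: ThreatActor) -> Tuple[Optional[Level], str]:
    """Return (risk level or None, explanation).  None means no vulnerability/threat pair."""
    if not is_vulnerable(asset, vuln):
        return None, f"{asset.name}: not affected by {vuln.cve_id} (patched or different product)"
    if not vuln.exploit_public:
        # weakness present but nothing pairs with it yet: latent, not a current risk
        return None, f"{asset.name}: {vuln.cve_id} present but no exploit exists to pair with it"
    prob = probability(vuln, actor, asset)
    level = RISK_MATRIX[(prob, asset.value)]
    return level, f"{asset.name}: {vuln.cve_id} probability={prob} impact={asset.value} -> risk={level}"


# --- constructed sample inventory -------------------------------------------
STOREFRONT = Asset("storefront", "shopapp", (1, 2, 0), "high", controls=3)    # 90% of revenue, well defended
LEGACY_APP = Asset("legacy-survey", "shopapp", (1, 0, 5), "low", controls=0)  # rarely used, undefended
PATCHED_APP = Asset("intranet-wiki", "shopapp", (1, 3, 0), "medium", controls=1)
HR_PORTAL = Asset("hr-portal", "hrtool", (2, 0, 0), "medium", controls=1)

VULN_SHOPAPP = Vulnerability("CVE-0000-00001", "shopapp", (1, 3, 0), "moderate", exploit_public=True)
VULN_HRTOOL = Vulnerability("CVE-0000-00002", "hrtool", (2, 1, 0), "easy", exploit_public=False)

CRIME_GROUP = ThreatActor("constructed crime group", capable=True, motivated=True)


def run_example() -> dict:
    """Assess every asset against the vulnerability that targets its product."""
    pairs = [(STOREFRONT, VULN_SHOPAPP), (LEGACY_APP, VULN_SHOPAPP),
             (PATCHED_APP, VULN_SHOPAPP), (HR_PORTAL, VULN_HRTOOL)]
    results = {}
    for asset, vuln in pairs:
        level, why = assess(asset, vuln, CRIME_GROUP)
        results[asset.name] = level
        print(why)
    return results


if __name__ == "__main__":
    run_example()
```

Running it prints one line per asset. The storefront (high impact, low probability thanks to its controls) and the legacy survey app (low impact, high probability) land on the same medium risk level from opposite directions, which is exactly the point of the matrix. The patched wiki drops out because the vulnerability is absent, and the HR portal drops out because no exploit pairs with its weakness; the latter is what the second point above calls potential risk, worth tracking in the inventory but not a current risk.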
So where do these definitions and explanations leave us? Hopefully with a better high-level understanding of risk and a more accurate understanding of its components and their relationships to one another. Given the number of new threats, vulnerabilities and exploits exposed daily, understanding these terms is essential to avoid misunderstandings, miscommunications and misguided approaches. Security professionals need to be able to ask and answer the right questions, such as: Are our systems and applications vulnerable? If so, which ones and what are the specific vulnerabilities? Threats? What is the value of these systems and the data they contain? How should we prioritize protecting these systems? What would be the impact of a major data breach or attack? What is the probability of a successful attack? Do we have effective security controls? If not, which ones do we need? What policies and procedures should we implement or update? And so on and so on.
You get the idea. The point is that information security is a complex discipline (with many sub-disciplines) and the risk of failing in it can be very high. That's why it's so important for security professionals to understand these concepts so they can accurately assess risk.
For more on security fundamentals, read What Is the CIA Triad?, What Are Security Controls?, and What Is the Principle of Least Privilege?, all from the F5 Labs Learning Center.