Threats, Vulnerabilities, Risk, and Impact
When you look at how an attack might affect you, you can speak of it in terms of threats, vulnerabilities, and the associated risk.

Threats

A threat is something that has the potential to cause harm to an information system.

  • tend to be specific to certain environments
    • E.g., virus for Windows would be unlikely to have an effect on Linux
  • can be a person or circumstance
  • a threat source carries out a threat or causes it to take place
    • aka threat actor or threat agent
  • can be deliberate or accidental
    • accidental threats are the results of either unintentional actions or inactions
    • deliberate threats are intentional actions taken by attackers
  • the path or tool used by a threat actor is a threat vector

A threat actor is a person or group who exploits a vulnerability.

Threat Categories

  • Human
    • threats carried out by people
    • internal vs external attackers
    • good and bad actors
  • Natural
    • uncontrollable events such as earthquakes, tornadoes, fires, and floods
  • Technological and operational
    • threats that operate inside information systems
    • E.g., malicious code, hardware/software failures, improperly running processes
  • Physical and environmental
    • facility-based threats
    • E.g., breach of physical security, loss of heating/cooling, etc.

Vulnerabilities

Vulnerabilities are weaknesses, or flaws, in an information system that threats can exploit to cause harm.

  • Types:
    • People
      • people can be a vulnerability, for example if they are inadequately trained
    • Process
      • flaws in an organization’s procedures
    • Facility
      • weaknesses in physical security
    • Technology
      • improperly designed information systems

Exploits

An exploit is a successful attack against a vulnerability.

  • take place in a window of vulnerability
    • period from when a vulnerability is discovered to being patched

Info

A zero-day is a vulnerability that is exploited before, or as soon as, it is discovered.

Risk

Risk is the potential of a threat exploiting a vulnerability.

  • Risk exists in an environment only when both:
    • a threat exists
    • a vulnerability exists that the threat can exploit
  • Best strategy is to spend time mitigating the most likely attacks, not every possible attack

Likelihood is the probability that a risk event will occur.

Types

  • Financial
    • affect financial resources or financial operations
  • System/Service
    • impact how an organization provides information technology (IT) systems and services
  • Operational
    • affect the normal operation of information systems and services
  • Reputational
    • negatively affect an organization’s reputation or brand
  • Compliance
    • relate to a possible violation of a law, regulation, or organizational policy
  • Strategic
    • may have a lasting impact on an organization’s long-term viability

Risk Analysis

  • risk analysis is the process of reviewing known vulnerabilities and threats
    • risk responses:
      • Risk avoidance
        • process of applying safeguards to avoid a negative impact
      • Risk mitigation
        • reduce, but not eliminate, a negative impact
        • amount of risk left over is residual risk
      • Risk transfer
        • passes the risk to another entity, which then bears the risk impact
      • Risk acceptance
        • decide to deliberately take no action against an identified risk
        • may choose to accept the risk if the cost of the risk itself is less than the cost to avoid, mitigate, or transfer the risk

Impact

Some organizations, like the NSA, add a factor called impact.

Impact is the effect of a threat being realized.

  • takes into account the value of the asset being threatened and uses it to calculate risk
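As an added worked example (not part of the original notes), the following Python scores a risk register entry from the terms above, requiring both a threat and a vulnerability for risk to exist, using asset value as the impact factor, and applying the acceptance rule from the risk-response list by comparing the cost of the risk itself against each response's cost plus its residual risk. The scoring formula (likelihood × asset value × impact fraction), the Risk and Response classes and the sample values are assumptions made here, not the notes' own method.

```python
from dataclasses import dataclass, replace


@dataclass
class Risk:
    """One entry in a risk register, using the terms from the notes."""
    name: str
    threat_present: bool         # a threat source exists
    vulnerability_present: bool  # a weakness the threat can exploit
    likelihood: float            # probability the risk event occurs (0..1)
    asset_value: float           # value of the threatened asset, in currency
    impact_fraction: float       # share of asset value lost if the threat is realized

    def exposure(self) -> float:
        """Cost of the risk itself (expected loss), assumed here to be
        likelihood * asset_value * impact_fraction; zero without threat + vulnerability."""
        if not (self.threat_present and self.vulnerability_present):
            return 0.0
        return self.likelihood * self.asset_value * self.impact_fraction


@dataclass
class Response:
    kind: str                    # "avoid", "mitigate" or "transfer"
    cost: float                  # cost of the safeguard, controls or transfer
    residual_likelihood: float   # likelihood left afterwards (0 for avoid/transfer)


def residual_risk(risk: Risk, response: Response) -> float:
    """Risk left over after a response is applied (residual risk)."""
    return replace(risk, likelihood=response.residual_likelihood).exposure()


def choose_response(risk: Risk, options: list[Response]) -> tuple[str, float]:
    """Pick the lowest total cost (safeguard cost plus residual exposure).
    Accepting costs only the risk's own exposure, so it wins whenever the cost
    of the risk is below every alternative: the acceptance rule in the notes."""
    best = ("accept", risk.exposure())
    for opt in options:
        total = opt.cost + residual_risk(risk, opt)
        if total < best[1]:
            best = (opt.kind, total)
    return best


if __name__ == "__main__":
    # Constructed sample values, not taken from any real assessment.
    server = Risk("unpatched file server", True, True, 0.3, 200_000.0, 0.5)
    options = [Response("avoid", 50_000.0, 0.0),
               Response("mitigate", 5_000.0, 0.05),
               Response("transfer", 12_000.0, 0.0)]
    print(server.exposure(), choose_response(server, options))
```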