Vulnerabilities, Threats, and Risk

Vulnerabilities, threats, and risk are the components that create the need for security, protection, and safety of the valuable assets that are vital to any organization’s production, mission, or objectives. The relationship of vulnerabilities to threats to risk is that each leads to another, and without one, the next may be eliminated. Let’s look at each one:

  • Vulnerabilities—An internet or web vulnerability can be much like a door on your home. If the door is open or ajar or is closed but unlocked, your home is vulnerable to an intrusion and possibly more. A website can have one or more vulnerabilities if there is an exploitable weakness in its coding or a misconfiguration in its deployment. Like an open door, the website is vulnerable because an attacker may be able to take advantage of the weakness to access more than just its HTML coding, perhaps taking control of the site. If an attacker finds a vulnerability, typically using automated tools, the vulnerability can be exploited to capture data, attach malware, or inject malicious, defacing, or misleading content into the site. Vulnerabilities can be eliminated or repaired, and should be, of course. This process is known as mitigation.

  • Threat—A discovered vulnerability creates a threat. A threat is the manner in which a vulnerability could be exploited. Threats are the attacks that could happen to the vulnerabilities of a system. A threat can be malware, ransomware, break-ins and theft, hurricanes, tornadoes, floods, and so on. There is always a threat that something could damage or remove the system or its capabilities by exploiting a vulnerability. Threats are carried out by threat actors.

  • Risk—The loss that may result from a threat being carried out against a vulnerability. In security, risk has two related meanings: the probability or chance that a threat will occur against a vulnerability, typically stated as a percentage, or the anticipated financial loss that would result from the exploitation.

To put these terms in perspective: a vulnerability that exposes an asset to exploitation can be the object of a threat. Where these elements intersect, risk is created. Figure 2-1 illustrates this relationship.
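The chain described above (asset, vulnerability, threat, and the risk created where they intersect) can be made concrete with a small risk register. The following is an added example for this chapter, not code from the book; it assumes a deliberately simple model in which a risk exists only when an asset has a vulnerability and some threat exploits that exact vulnerability, and in which expected loss is the asset's value multiplied by the probability that the threat is carried out. All asset, threat and vulnerability names and values are constructed for illustration.

```python
"""Toy risk register modelling the vulnerability -> threat -> risk chain.

Added example, not the book's own code. Assumed model: a risk exists only where
an asset, one of its vulnerabilities and a threat that exploits that vulnerability
intersect; expected loss = asset value * probability the threat is carried out.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: float                       # financial value of the asset (currency units)
    vulnerabilities: set = field(default_factory=set)


@dataclass
class Threat:
    name: str
    exploits: str                      # the vulnerability this threat takes advantage of
    probability: float                 # chance it is carried out, 0.0 .. 1.0


@dataclass
class Risk:
    asset: str
    vulnerability: str
    threat: str
    probability: float
    expected_loss: float


def assess(assets, threats):
    """Return one Risk per (asset, vulnerability, threat) intersection.

    An asset with no vulnerabilities, or a vulnerability that no threat exploits,
    produces no risk: the chain is broken at that point.
    """
    risks = []
    for asset in assets:
        for vuln in sorted(asset.vulnerabilities):
            for threat in threats:
                if threat.exploits == vuln:
                    risks.append(Risk(asset.name, vuln, threat.name,
                                      threat.probability,
                                      round(asset.value * threat.probability, 2)))
    # highest expected loss first, so the register doubles as a priority list
    return sorted(risks, key=lambda r: r.expected_loss, reverse=True)


def mitigate(asset, vulnerability):
    """Eliminate or repair a vulnerability; the matching risk disappears."""
    asset.vulnerabilities.discard(vulnerability)
    return asset


def total_expected_loss(assets, threats):
    """Sum of expected loss across the whole register."""
    return round(sum(r.expected_loss for r in assess(assets, threats)), 2)


# Constructed sample data (hypothetical assets and threats).
ASSETS = [
    Asset("customer web portal", 250_000.0, {"sql injection", "outdated tls"}),
    Asset("office file server", 40_000.0, {"unpatched smb"}),
    Asset("public brochure site", 5_000.0, set()),        # no vulnerability -> no risk
]
THREATS = [
    Threat("database dump via injection", "sql injection", 0.10),
    Threat("ransomware via smb", "unpatched smb", 0.25),
    Threat("ftp brute force", "weak ftp password", 0.50),  # no asset has this weakness
]

if __name__ == "__main__":
    for r in assess(ASSETS, THREATS):
        print(f"{r.asset}: {r.threat} via {r.vulnerability} "
              f"p={r.probability:.2f} expected loss={r.expected_loss:,.2f}")
    print("total expected loss:", total_expected_loss(ASSETS, THREATS))
    mitigate(ASSETS[0], "sql injection")
    print("after mitigation:", total_expected_loss(ASSETS, THREATS))
```

Running the script lists two risks (the portal's SQL injection and the file server's unpatched SMB); the portal's outdated TLS and the brute-force threat create no risk because the other half of their intersection is missing, and mitigating the injection flaw removes that risk from the register entirely.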

In the sections that follow, we look a bit deeper into vulnerabilities, threats, and risk and their role in the security of the internet and web.

[Figure 2-1: Venn diagram of three circles labeled threats, assets, and vulnerabilities. Each circle partly overlaps the other two, and the region where all three overlap is labeled risks.]

FIGURE 2-1 Assets may have vulnerabilities that could be exploited by a threat. Where they intersect, risk is possible.
