CHAPTER 7:
THREATS AND VULNERABILITIES

Information security threats and vulnerabilities go together.

The difference between ‘threats’ and ‘vulnerabilities’ is not always immediately clear to people new to the subject. It is very important to differentiate clearly between these two attributes of a risk because the existence of the risk itself is dependent on the coexistence of a threat and a vulnerability.

The simple difference is this:

• vulnerabilities are flaws or weaknesses in an asset, whereas

• threats can accidentally trigger or intentionally exploit a vulnerability to compromise some aspect of the asset.

There are very many threats that have absolutely no relevance to many organizations. A simplistic example would be an organization that has no internet connectivity: it can ignore all internet-based threats because there is no vector that those threats can exploit to attack the network and, therefore, it has no exposure to them. The moment that it connects to the internet, it has a possible point of vulnerability and, therefore, an area where controls might be required. Control selection should depend on the organization’s assessment of the likelihood and potential impact of specific threats and should be focused on trying either to reduce the level of the threat or to reduce the extent of the vulnerability.

Threats are external to information assets, and vulnerabilities are typically attributes of the asset – aspects of the asset that the threat can exploit. Whilst threats tend to be external to the assets, they are not necessarily external to the organization. The majority of information security incidents today originate within what the organization believes is its secure perimeter.

The range of threats includes hostile outsiders, such as hackers, non-hostile outsiders, such as suppliers or cleaning contractors, and insiders, both the disaffected and the committed but also the careless or just the poorly trained.

Vulnerabilities are security weaknesses in the existing systems, which can be exploited by threats or which allow damage, accidental or otherwise, to information assets.

For each of the assets within the scope of the ISMS, it is necessary to identify the potential threats and the possible vulnerabilities. The essential relationship, from an information security point of view, between threats and vulnerabilities leads us to think of them as ‘combinations’. We therefore speak of ‘threat-vulnerability combinations’.

There are a number of threat-vulnerability combinations that apply to any one asset, and any one threat typically may have more than one vulnerability that it can exploit. It should also be noted that a threat to one asset is not necessarily a threat to another. For example, a fire in the server room is a threat to a number of systems based there, but is unlikely to be a threat to an organization’s externally-hosted mobile phone network.

Threats

Threats for each of the systems and assets within the ISMS should be considered under the headings of:

• threats to confidentiality,

• threats to integrity, and

• threats to availability.

Some threats will fall under one heading only, others under more than one. It is important to have carried out this analysis systematically and comprehensively, to ensure that no threats are ignored or missed.

Vulnerabilities

Unless there is a vulnerability that can be exploited by a threat, there is no risk to an asset.

You should therefore identify, for every single one of the assets, and for each of the threats that you have listed alongside each of the assets, the vulnerabilities that each threat could exploit. Clearly, a single asset could face a number of threats, and each threat could exploit more than one vulnerability.

A common question is: Should we identify vulnerabilities with or without those controls that are currently in place?

The correct answer is that you should do both.

You should identify the vulnerability that would be exploited by the threat if you didn’t have any controls in place, because you must be assured that those controls which are in place are appropriate for the identified risks (in some cases, implemented controls are in excess of those identified as actually required in the light of the assessed risks and the organization’s risk appetite).

You also want to identify the controls that are currently in place, and you want to be in a position to identify any residual risk, in order to consider whether or not additional controls may be required. Those controls that are already in place will be operated as part of the organization’s ISMS and the confirmation that they are appropriate controls, and are to be retained, must come from this formal risk assessment.
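The procedure above (list the threats for each asset, pair each with the vulnerabilities it could exploit, score the combination both without and with the controls currently in place) can be captured as a small risk register. The following is an added example, not code from the book; the 1 to 5 likelihood and impact scale, the appetite threshold and the sample threats are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed scoring scheme: likelihood (1-5) x impact (1-5); the appetite is also assumed.
RISK_APPETITE = 6

@dataclass
class Vulnerability:
    name: str
    likelihood: int        # how easily the threat exploits it with no controls in place
    impact: int
    affects: Set[str]      # subset of {"confidentiality", "integrity", "availability"}

@dataclass
class Threat:
    name: str
    vulnerabilities: List[Vulnerability] = field(default_factory=list)
    controls: Dict[str, int] = field(default_factory=dict)  # vuln name -> likelihood cut

def assess(asset: str, threats: List[Threat]) -> List[dict]:
    """Enumerate the threat-vulnerability combinations for one asset, scoring each
    without controls (inherent) and with current controls (residual)."""
    register = []
    for threat in threats:
        # A threat with no vulnerability it can exploit yields no entry: no risk.
        for vuln in threat.vulnerabilities:
            inherent = vuln.likelihood * vuln.impact
            cut = threat.controls.get(vuln.name, 0)
            residual = max(vuln.likelihood - cut, 1) * vuln.impact
            register.append({
                "asset": asset, "threat": threat.name, "vulnerability": vuln.name,
                "affects": sorted(vuln.affects), "inherent": inherent, "residual": residual,
                "needs_control": residual > RISK_APPETITE,   # residual risk above appetite
                "control_in_excess": cut > 0 and inherent <= RISK_APPETITE,  # never needed
            })
    return register

# Constructed sample register for a file server located in the server room.
SAMPLE_THREATS = [
    Threat("fire in server room",
           [Vulnerability("no fire suppression", 2, 5, {"availability"})],
           {"no fire suppression": 1}),
    Threat("disaffected insider",
           [Vulnerability("shared admin password", 4, 4, {"confidentiality", "integrity"})]),
    Threat("cleaning contractor",
           [Vulnerability("unlocked print room", 2, 2, {"confidentiality"})],
           {"unlocked print room": 1}),
    Threat("internet-based attacker"),  # no connectivity: nothing to exploit, so no risk
]
```

Running `assess("file server", SAMPLE_THREATS)` lists three combinations: the fire risk is brought within appetite by its control, the insider risk still needs a control, and the print-room control is in excess of what the assessed risk required.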
