Yeah I know, I went for the catchy title to try to draw you into reading this. However, when looking at the topic of vulnerabilities, threats, and risks in my list, the title above is what came to mind. Thinking it through, that title seems to work. Vulnerabilities, threats, and risks are all scary things we have to consider and account for. Now, depending on where you live, lions, tigers, and bears may not be as applicable in your daily life as vulnerabilities, threats, and risks, but I think you get the idea. Actually, as I write this, I’m going to add a fourth scary thing in the world of information security: exploits. Yes, that throws off my title, but I feel like I’m on a roll here so I am just going to run with it. Let’s equate exploits to spiders just for fun. Those things are terrifying, right? In the rest of the post, I will give some descriptions of these four items.
A vulnerability is really just a weakness in an application, hardware, or system. From a cybersecurity perspective, it is something that can be leveraged for malicious purposes. Another way to put this is that a vulnerability can be exploited.
I think it is easy to think about vulnerabilities and exploits in the same vein, even if you don’t outright confuse them. That makes sense, because the two are tightly coupled, which is exactly why the meanings get mixed up. As stated above, the vulnerability is the weakness or the actual issue with the application or system, while the exploit is the tool or method that is used to take advantage of, or attack, that vulnerability. For a practical example, you may hear that a vendor has issued a statement that they have a known security flaw in their product (and hopefully also have a patch to fix that flaw). The security flaw itself is the vulnerability. Now, if it is also announced that there is a known attack method in the wild that is able to leverage this vulnerability for malicious purposes, that attack method is the exploit.
When it comes down to it, threats are potentially bad things that you are trying to avoid or protect against. Further, threats are individuals, groups, actions, or behaviors that could cause harm to the organization. Keep in mind that this list of items could lead to either intentional or unintentional harm. As we all know, accidents happen, and we want to be cognizant of those as well.
The way I like to think of this is that the previous terms, vulnerabilities, exploits, and threats, are all factors in the calculation of overall risk. To me, a large portion of cybersecurity is risk management. We need to be able to determine which activities pose the most risk to the organization and work toward mitigating and managing that level of risk. Risk is the probability of a vulnerability being exploited by a threat, combined with the level of impact that would be caused to the organization.
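To make the "factors in the calculation" concrete, here is a small risk-register model I added for this post (not from the original). It assumes 1–5 qualitative scales for likelihood and impact, treats a vulnerability with no credible threat (or one that is already patched) as carrying no risk, and bumps likelihood by one step when an exploit is known in the wild; the sample entries are constructed.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Assumed 1-5 qualitative scales (not from the original post)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class RiskItem:
    name: str                 # the vulnerability: the weakness itself
    threat: Optional[str]     # who or what could exploit it; None if no credible threat
    exploit_public: bool      # is an attack method known in the wild?
    patched: bool             # has the vendor fix been applied (weakness removed)?
    likelihood: str           # baseline chance the threat acts on the weakness
    impact: str               # harm to the organization if it happens

def risk_score(item: RiskItem) -> int:
    """Risk = likelihood of exploitation by a threat x impact to the organization."""
    # No threat to act on the weakness, or the weakness is gone: nothing to exploit
    if item.patched or item.threat is None:
        return 0
    likelihood = LIKELIHOOD[item.likelihood]
    # Assumption: a public exploit makes exploitation one step more likely
    if item.exploit_public:
        likelihood = min(5, likelihood + 1)
    return likelihood * IMPACT[item.impact]

def rating(score: int) -> str:
    """Bucket a 0-25 score into the labels a register would show."""
    if score == 0:
        return "none"
    if score <= 4:
        return "low"
    if score <= 12:
        return "medium"
    return "high"

def rank_register(items: List[RiskItem]) -> List[Tuple[int, str]]:
    """Highest risk first, so mitigation effort goes where it matters most."""
    return sorted(((risk_score(i), i.name) for i in items), reverse=True)

# Constructed sample register
REGISTER = [
    RiskItem("unpatched web server flaw", "external attacker", True, False, "possible", "major"),
    RiskItem("weak shared wifi password", "opportunistic visitor", False, False, "likely", "minor"),
    RiskItem("legacy flaw on isolated test box", None, True, False, "likely", "moderate"),
    RiskItem("old flaw, vendor patch applied", "external attacker", True, True, "likely", "severe"),
]

if __name__ == "__main__":
    for score, name in rank_register(REGISTER):
        print(f"{rating(score):6} {score:2}  {name}")
```

Note that the public exploit on the web server flaw pushes it to the top of the list, while the same exploit against an isolated or patched system scores zero: a weakness alone is not a risk until a threat can act on it.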
In my opinion, a big part of cybersecurity is constantly being aware of the potential bad things that can happen so you can put controls in place to mitigate and minimize the risk and impact of those bad things. At least there are clear definitions out there to help us understand and deal with vulnerabilities, exploits, and threats, and to use those explanations and concepts to help us calculate the overall risk.
Featured image credit – Rasmus Svinding
One thought on “Security+ Journey – Lions, Tigers, and Bears”