This video focuses on the most commonly used vocabulary in the industry. These words are almost always used incorrectly and interchangeably when in fact they each have a distinct meaning and knowing the difference can be quite important.
- [Instructor] This lesson jumps into vocabulary, specifically threats, risks, vulnerabilities, and exploits. Definitions are provided as a baseline to build off of, and examples of each vocabulary word are provided as well. Relevant talking points for each word are included to help drive home the meaning and context of each one. We will be covering several new vocabulary words in this section, so let's get right to it. Threat: you can think of a threat as a potential for bad things to happen. The National Institute of Standards and Technology, NIST, defined a threat as any circumstance or event with the potential to adversely impact organizational operations, organizational assets, or individuals through an informational system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Also, the potential for a threat-source to successfully exploit a particular information system vulnerability. Let's look at some examples. Malware: malware is definitely a threat, as it can cause harm to the confidentiality, integrity, and availability of a system, software, and business operations in general. Even something like a loss of power would be considered a threat to cyber security, as the implications could impact physical security or the availability of systems. Vulnerability: according to ISACA, the Information Systems Audit and Control Association, a vulnerability is a weakness in design, implementation, operation, or internal control.
There is an entire class of security tools dedicated to the identification, classification, and risk rating of vulnerabilities. Specifically for software vulnerabilities, there are scanners that will determine the current patch level of a system and produce reports showing deviations. This report will often show what vulnerabilities are present on a system, how to fix them, and attempt to calculate the overall risk represented by these vulnerabilities. Of course, this only takes into account known vulnerabilities. A zero-day is a term for a vulnerability actively being exploited for which no patch currently exists.
Just like humans, vulnerability scanners don't know what they don't know, and if there's not a way to check for a certain vulnerability due to details not being public, then the scanner will have no way to identify that type of potential vulnerability, and this is the case with zero-days. Exploit: officially, a software tool designed to take advantage of a flaw in a computer system, typically for malicious purposes such as installing malware. When security professionals speak of exploits and exploitation, we are referring to a known way that an attacker can leverage a vulnerability to cause harm to an asset like a system or software and, to a lesser extent, even a human in the case of social engineering.
There are many examples of vulnerabilities with no known exploits, meaning that just because there's a known weakness, that does not mean that there's an effective way to take advantage of it. Oftentimes, discovering vulnerabilities is much easier than crafting a working exploit that can be used against that vulnerability. Nevertheless, there is risk. ISC2, which is the International Information Systems Security Certification Consortium, defines risk in the form of an equation where threat times vulnerability equals risk.
This can be a useful way for management to quantify risk, which in turn can help with obtaining adequate funding for a security program. Now take a moment to think about how threats, risks, vulnerabilities, and exploits all fit together and how you would measure the impact when a vulnerability is exploited. Be sure to take into account the sensitivity of the asset being protected.
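The patch-level scanning and the "threat times vulnerability equals risk" equation described in the lesson, as an added example that is not part of the course material: a toy scanner compares a host's installed versions with a constructed advisory list, rates each deviation with the lesson's equation, and lists the packages it cannot assess at all, which is where a zero-day would sit. Package names, versions and the 1-to-5 threat and vulnerability scores are all made-up assumptions.

```python
from dataclasses import dataclass

# Constructed advisory feed: the only vulnerabilities this scanner "knows" about.
# Scores are assumed on a 1-to-5 scale; names and versions are invented.
KNOWN_ADVISORIES = [
    {"package": "examplelib", "fixed_in": (2, 4, 1), "threat": 4, "vulnerability": 5},
    {"package": "webfront",   "fixed_in": (1, 9, 0), "threat": 3, "vulnerability": 2},
]

# Constructed host inventory, as a patch-level scanner would collect it.
HOST_INVENTORY = {
    "examplelib": (2, 3, 0),   # older than the fix -> deviation
    "webfront":   (1, 9, 2),   # at or past the fix -> clean
    "parserkit":  (0, 8, 0),   # no advisory at all -> cannot be assessed
}


@dataclass
class Finding:
    package: str
    installed: tuple
    fixed_in: tuple
    risk: int  # threat * vulnerability, per the ISC2 equation in the lesson


def scan(inventory, advisories):
    """Report installed versions that deviate from the advisory fix version,
    highest risk first. Version tuples compare element by element."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["package"])
        if installed is None:
            continue  # package not present, nothing to patch
        if installed < adv["fixed_in"]:
            risk = adv["threat"] * adv["vulnerability"]
            findings.append(Finding(adv["package"], installed, adv["fixed_in"], risk))
    return sorted(findings, key=lambda f: f.risk, reverse=True)


def unassessed(inventory, advisories):
    """Packages with no advisory: the scanner produces no finding for them
    whether or not a flaw exists. A zero-day is invisible here by definition."""
    known = {adv["package"] for adv in advisories}
    return sorted(pkg for pkg in inventory if pkg not in known)


if __name__ == "__main__":
    for f in scan(HOST_INVENTORY, KNOWN_ADVISORIES):
        print(f"{f.package}: {f.installed} < {f.fixed_in}, risk={f.risk}")
    print("not assessable:", unassessed(HOST_INVENTORY, KNOWN_ADVISORIES))
```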
This course was created and produced by Mentor Source, Inc. We are pleased to host this training in our library.