It’s important to accurately categorize security assessments. In this video, you’ll learn the differences between a security risk, security vulnerability and security threat.
<< Previous Video: Assessment ToolsNext: Assessment Techniques >>
If the assets in your organization can be compromised, it’s probably through something like a security risk. This would be an event that causes those assets to be at risk. This is something that can be a active event where somebody’s trying to break into your organization, or it can simply be a circumstance, perhaps an act of nature that causes a fire or a flood. To be able to properly guard against these security risks, then we need to understand what they are.
We need to create a list of those and find out what would be our first steps at guarding against those risks. If we’re worried about people breaking in stealing things, then maybe we should think about how we prevent that physically. If we’re worried about having an act of nature come through and cause a fire or a flood, then we need to put things in place that would help reduce that security risk.
From a physical perspective then, maybe we want to be sure that everything is behind a locked door. Maybe we want to be sure those door locks are connected to our badging system. Perhaps we put a guard posted in front of those physical doors, and we make sure that all our visitors have badges and they have to also use those badges to go in and out of that particular locked area.
These processes and procedures can also be technical. We want to be sure on our internet connections that we have a firewall that will protect all of the assets inside of our organization. And on every single computer perhaps, we’d also like to have antivirus or anti-malware software running so that the bad guys can’t put a piece of malware on our machine and begin extracting the files off of our computers.
The security risk itself might be a vulnerability. If we’ve managed to put a door in place but we’ve not properly locked that door or maybe we have disabled some firewall rules on our internet connection, then we’ve created a problem that is obviously going to be a big vulnerability in these systems. This is something that you might find out about every month.
Microsoft, for instance, releases an entire set of security patches every month for all of their operating systems. And so they’re advertising to the world, here is every place that there might be a vulnerability inside of our operating systems. And so we want to be very quick about patching those operating systems to prevent the bad guys from taking advantage of those vulnerabilities.
Sometimes the vulnerabilities themselves will never be discovered. You might be running an operating system right now that has a vulnerability that nobody knows about. So obviously, there’s not going to be an announcement about it until somebody discovers that vulnerability. The vulnerability itself, of course, isn’t a problem. If nobody ever discovers the vulnerability, obviously nobody knows to take advantage of it.
If you walk by and the door is closed and you never try the door to see if it’s unlocked, then you’ll never know that the lock is broken and nobody’s ever going to go into the room. But of course, we’re always concerned when a vulnerability exists, whether it’s known or unknown, and we have to plan on protecting our systems regardless of the situation.
The threat is the thing that we’re most concerned about, because that’s what’s going to take advantage of one of these vulnerabilities. If somebody’s walking around and trying every single door, they will eventually find the one that does not have a working lock. The threat may not be intentional. It may be something accidental like a fire or a flood.
So we have to plan for every contingency. We often call the person who’s trying those doorknobs or trying to break into a computer system the threat agent. They’re trying to take advantage of one of those vulnerabilities. And they do this by using a threat action. They’re either trying to perform a buffer overflow to that operating system or they’re simply trying doorknobs.
But those are actions that will ultimately take advantage and exploit those vulnerabilities. The result, of course, is a loss of security. And now someone will have access to a room that was unlocked, or they’ll have access to all of the files on your operating system.
As a security professional, it’s these threats there we’re always mindful of. So it’s always important to understand what the risks are in your environment, know where the vulnerabilities might be, and by doing that, you can help prevent some of these threats from ever occurring.