If you read much about cyberattacks or data breaches, you’ve surely run across the terms vulnerabilities, threats, and exploits. Unfortunately, these terms are often left undefined, used incorrectly or, worse, interchangeably.

That’s a problem, because misunderstanding these terms (and a few other key ones) can lead organizations to make incorrect security assumptions, focus on the wrong or irrelevant security issues, deploy unnecessary security controls, take needless actions (or fail to take necessary actions), and leave them either unprotected or with a false sense of security. It’s important for security professionals to understand these terms explicitly and their relationship to risk. After all, the purpose of information security isn’t just to indiscriminately “protect stuff.” The high-level objective is to help the organization make informed decisions about managing risk to information, yes, but also to the business, its operations, and assets. There’s no point in protecting “stuff” if, in the end, the organization can’t sustain its operations because it failed to successfully manage risk.

In the context of cybersecurity, risk is often expressed as an “equation” (Threats x Vulnerabilities = Risk), as if vulnerabilities were something you could multiply by threats to arrive at risk. This is a misleading and incomplete representation, as we’ll see shortly.

To explain risk, we’ll define its basic components and draw some analogies from the well-known children’s tale of The Three Little Pigs. Wait! Don’t decide to bail just because you think a children’s tale is too juvenile to explain the complexities of information security. In the Infosec world, where perfect analogies are hard to come by, The Three Little Pigs provides some pretty useful ones. Recall that the hungry Big Bad Wolf threatens to eat the three little pigs by blowing down their houses, the first one built of straw, the third one built of bricks. (We’ll ignore the second pig with his house built of sticks since he’s in pretty much the same boat as the first pig.)

Defining the Components of Risk

A discussion of vulnerabilities, threats, and exploits begs many questions, not the least of which is, what is being threatened? So, let’s start by defining assets.

An asset is anything of value to an organization. This includes not just systems, software, and data, but also people, infrastructure, facilities, equipment, intellectual property, technologies, and more. In Infosec, the focus is on information systems and the data they transact, share, and store. In the children’s tale, the houses are the pigs’ assets (and, arguably, the pigs themselves are assets since the wolf threatens to eat them). Inventorying and assessing the value of each asset is a vital first step in risk management. This can be a monumental undertaking for many organizations, especially large ones. But it’s essential in order to accurately assess risk (how do you know what’s at risk if you don’t know what you have?) and then determine what type and level of protection each asset warrants.

A vulnerability is any weakness (known or unknown) in a system, process, or other entity that could lead to its security being compromised by a threat. In the children’s tale, the first pig’s straw house is inherently vulnerable to the wolf’s mighty breath, whereas the third pig’s brick house is not. In information security, vulnerabilities can exist almost anywhere, from hardware devices and infrastructure to operating systems, firmware, applications, modules, drivers, and application programming interfaces. Tens of thousands of software bugs are discovered every year. Details of these are posted on websites like and (and hopefully, the affected vendors’ websites) along with scores that attempt to assess their severity. Responsible vendors typically publish patches in a timely way to correct specific known vulnerabilities. However, that doesn’t guarantee that organizations using those vulnerable products will apply the patch. In fact, some of the highest profile attacks and data breaches have occurred in organizations that did not patch vulnerabilities that had been known about for years.
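As an added example (not code from the original post), the check a defender would run against the two ideas above, an asset inventory and published advisories with severity scores: join a constructed inventory to a constructed advisory list, flag every asset still running a version below the one the vendor fixed, and rank the findings by severity and by how long the patch has been available. Product names, advisory ids, scores and dates are made-up placeholders.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    value: str  # constructed business-value tag from the inventory ("high"/"low")


@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # placeholder id, not a real vulnerability identifier
    product: str
    fixed_in: str  # first version that carries the vendor's patch
    severity: float  # constructed severity score on a 0-10 scale
    patch_published: date


def parse_version(v: str) -> tuple:
    """Turn a dotted version such as "2.4.1" into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def unpatched_exposures(assets, advisories, today: date) -> list:
    """Join inventory to advisories: an asset is exposed when it runs the
    affected product at a version older than the version the patch fixed."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if adv.product != asset.product:
                continue
            if parse_version(asset.version) < parse_version(adv.fixed_in):
                findings.append({
                    "asset": asset.name,
                    "asset_value": asset.value,
                    "advisory": adv.advisory_id,
                    "severity": adv.severity,
                    "days_patch_available": (today - adv.patch_published).days,
                })
    # Most severe first; among equal scores, the longest-neglected patch first
    findings.sort(key=lambda f: (-f["severity"], -f["days_patch_available"]))
    return findings


# Constructed sample inventory and advisory feed (placeholder values)
ASSETS = [
    Asset("web-01", "ExampleHTTPd", "2.4.1", "high"),
    Asset("db-01", "ExampleDB", "10.2", "high"),
    Asset("kiosk-07", "ExampleHTTPd", "2.6.0", "low"),
]
ADVISORIES = [
    Advisory("ADV-0001", "ExampleHTTPd", "2.5.0", 9.8, date(2020, 3, 1)),
    Advisory("ADV-0002", "ExampleDB", "10.3", 7.5, date(2023, 11, 15)),
    Advisory("ADV-0003", "ExampleHTTPd", "2.6.0", 5.3, date(2023, 6, 1)),
]

if __name__ == "__main__":
    for finding in unpatched_exposures(ASSETS, ADVISORIES, date(2024, 1, 1)):
        print(finding)
```

The first finding is a fix that has been available for well over three years, which is the patch-lag situation the paragraph describes; an asset on the fixed version (kiosk-07) produces no finding.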