MD1 Understand risks, threats, and vulnerabilities Flashcards
Risk
Anything that can impact the confidentiality, integrity, or availability of an asset
Threat
Any circumstance or event that can negatively impact assets
Vulnerability
A weakness that can be exploited by a threat
Security risk
One way to interpret risk is to consider the potential effects that negative events can have on a business. Another way to present this idea is with this calculation:
Likelihood x Impact = Risk
For example, you risk being late when you drive a car to work. This negative event is more likely to happen if you get a flat tire along the way. And the impact could be serious, like losing your job. All these factors influence how you approach commuting to work every day. The same is true for how businesses handle security risks.
In general, we calculate risk in this field to help:
Prevent costly and disruptive events
Identify improvements that can be made to systems and processes
Determine which risks can be tolerated
Prioritize the critical assets that require attention
The business impact of a negative event will always depend on the asset and the situation. As a security professional, your primary focus will be on the likelihood side of the equation: reducing the factors that increase the odds of a problem occurring.
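As an added example, not part of the original flashcard set, the Likelihood x Impact calculation applied to a small, constructed risk register in Python. It scores each asset, ranks the entries so the most critical get attention first, splits them against a risk tolerance threshold, and models a control that lowers likelihood (the side of the equation a security professional mostly controls) while leaving impact unchanged. The assets, the 1-5 rating scale, the scores and the tolerance threshold are all assumptions made up for illustration.

```python
from dataclasses import dataclass, replace

SCALE_MIN, SCALE_MAX = 1, 5  # assumed 1-5 ordinal scale for both factors


@dataclass(frozen=True)
class RiskEntry:
    """One row of a risk register: an asset, the threat to it, the
    vulnerability the threat would exploit, and rated likelihood and impact."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 = rare ... 5 = almost certain
    impact: int      # 1 = negligible ... 5 = severe

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot hide a high risk.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be {SCALE_MIN}-{SCALE_MAX}, got {value}")

    @property
    def risk(self) -> int:
        # Likelihood x Impact = Risk
        return self.likelihood * self.impact


def rank_risks(register):
    """Highest-scoring entries first, so critical assets get attention first."""
    return sorted(register, key=lambda e: e.risk, reverse=True)


def triage(register, tolerance):
    """Split the register into entries above the tolerance and entries the
    business can accept. Returns (needs_attention, tolerated), each ranked."""
    ranked = rank_risks(register)
    needs_attention = [e for e in ranked if e.risk > tolerance]
    tolerated = [e for e in ranked if e.risk <= tolerance]
    return needs_attention, tolerated


def mitigate_likelihood(entry, new_likelihood):
    """Model a control that lowers the chance of the threat succeeding
    (fixing the misconfiguration, clearing the road). Impact is unchanged:
    it depends on the asset, not on the control. Re-validates the rating."""
    return replace(entry, likelihood=new_likelihood)


# Constructed sample register (illustrative values, not real data).
REGISTER = [
    RiskEntry("customer database", "malicious hacker",
              "misconfigured application exposes an admin interface", 4, 5),
    RiskEntry("server room", "unknown person tailgating",
              "employee holds the door open", 3, 4),
    RiskEntry("staff laptops", "theft from a parked car",
              "no full-disk encryption", 2, 4),
    RiskEntry("restricted floor", "stranger finds a lost access card",
              "forgetful employee drops card in parking lot", 2, 3),
]
TOLERANCE = 9  # assumed: scores above this need treatment


if __name__ == "__main__":
    needs_attention, tolerated = triage(REGISTER, TOLERANCE)
    print("Needs attention:")
    for e in needs_attention:
        print(f"  {e.risk:>2}  {e.asset}: {e.threat} via {e.vulnerability}")
    print("Tolerated:")
    for e in tolerated:
        print(f"  {e.risk:>2}  {e.asset}")
    fixed = mitigate_likelihood(REGISTER[0], 1)
    print(f"After fixing the misconfiguration: {fixed.asset} "
          f"risk {REGISTER[0].risk} -> {fixed.risk}")
```

Running it lists the customer database (20) and the server room (12) as needing attention and the laptops (8) and restricted floor (6) as tolerated; fixing the misconfiguration drops the database's likelihood from 4 to 1 and its risk to 5, below the threshold, while its impact stays at 5.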
Risk factors
As you’ll discover throughout this course, there are two broad risk factors that you’ll be concerned with in the field:
- Threats
- Vulnerabilities
The risk of an asset being harmed or damaged depends greatly on whether a threat takes advantage of vulnerabilities.
Let’s apply this to the risk of being late to work. A threat would be a nail puncturing your tire, since tires are vulnerable to running over sharp objects. In terms of security planning, you would want to reduce the likelihood of this risk by driving on a clean road.
Categories of threat
Threats are circumstances or events that can negatively impact assets. There are many different types of threats. However, they are commonly categorized as two types: intentional and unintentional.
- Intentional: a malicious hacker who gains access to sensitive information by targeting a misconfigured application.
- Unintentional: an employee who holds the door open for an unknown person and grants them access to a restricted area.
Categories of vulnerability
Vulnerabilities are weaknesses that can be exploited by threats. There’s a wide range of vulnerabilities, but they can be grouped into two categories: technical and human.
- Technical: misconfigured software that might give an unauthorized person access to important data.
- Human: a forgetful employee who loses their access card in a parking lot.
Either type of vulnerability can lead to risk when a threat takes advantage of it.
Key takeaways
Risks, threats, and vulnerabilities have very specific meanings in security. Knowing the relationship between them can help you build a strong foundation as you grow essential skills and knowledge as a security analyst. This can help you gain credibility in the industry by demonstrating that you have working knowledge of the field. And it signals to your future colleagues that you’re a member of the global security community.