Relationship among vulnerability threat and control

relationship among vulnerability threat and control

View Notes - text from IST at Wilmington University. 1. Distinguish between vulnerability, threat, and control? Vulnerability: Vulnerability is a. Vulnerability can be in form of weak coding, missing anti-virus, weak access control and other related factors. What is a Risk? Risk= Vulnerability * Threat. Risk is. Computer security is the protection of the items you value, called the assets . In general, we can describe the relationship among threats, controls, and vulnerabilities in this way: A threat is blocked by control of a vulnerability.

Some organizations implement Threat Modelling: It attempts to predict the threats against a system or application along with the likelihood and potential impact from these threats. Once the organization identifies and prioritizes threats, it identifies security controls to protect against the most serious threats.

What Is Computer Security? | Security Blanket or Security Theater? | InformIT

Examples of vulnerabilities include: Lack of malware protection or updated definitions. Lack of organizational policies.

relationship among vulnerability threat and control

Not all vulnerabilities are exploited. For example, a user may install a wireless router using the defaults. The result is a negative impact on the organization. Impact refers to the magnitude of harm that can be caused if a threat exercises a vulnerability.

relationship among vulnerability threat and control

For example, a system without up-to-date antivirus software is vulnerable to malware. Malware written by malicious attackers is the threat. It is that value that makes them assets worthy of protection, and they are the elements we want to protect. Other assets, such as access to data, quality of service, processes, human users, and network connectivity, deserve protection, too; they are affected or enabled by the hardware, software, and data. So in most cases, protecting hardware, software, and data covers these other assets as well.

In this book, unless we specifically distinguish among hardware, software, and data, we refer to all these assets as the computer system, or sometimes as the computer.

relationship among vulnerability threat and control

And because processors are embedded in so many devices, we also need to think about such variations as cell phones, implanted pacemakers, and automobiles.

Even if the primary purpose of the device is not computing, the device's embedded computer can be involved in security incidents and represents an asset worthy of protection. After identifying the assets to protect, we next determine their value. We make value-based decisions frequently, even when we are not aware of them. For example, when you go for a swim you can leave a bottle of water on a towel on the beach, but not your wallet or cell phone.

The difference relates to the value of the assets. The value of an asset depends on the asset owner's or user's perspective, and it may be independent of monetary cost, as shown in Figure Your photo of your sister, worth only a few cents in terms of paper and ink, may have high value to you and no value to your roommate. Other items' value depends on replacement cost; some computer data are difficult or impossible to replace.

For example, that photo of you and your friends at a party may have cost you nothing, but it is invaluable because it can never be replaced. On the other hand, the DVD of your favorite film may have cost a significant portion of your take-home pay, but you can buy another one if the DVD is stolen or corrupted. Similarly, timing has bearing on asset value.

For example, the value of the plans for a company's new product line is very high, especially to competitors. But once the new product is released, the plans' value drops dramatically. To study different ways of protection, we use a framework that describes how assets may be harmed and how to counter or mitigate that harm.

Question 71. What’s the difference between a threat, vulnerability, and a risk?

A vulnerability is a weakness in the system, for example, in procedures, design, or implementation, that might be exploited to cause loss or harm. For instance, a particular system may be vulnerable to unauthorized data manipulation because the system does not verify a user's identity before allowing data access. A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.

To see the difference between a threat and a vulnerability, consider the illustration in Figure Here, a wall is holding water back.

Question What’s the difference between a threat, vulnerability, and a risk?

The water to the left of the wall is a threat to the man on the right of the wall: The water could rise, overflowing onto the man, or it could stay beneath the height of the wall, causing the wall to collapse. So the threat of harm is the potential for the man to get wet, get hurt, or be drowned.

relationship among vulnerability threat and control

For now, the wall is intact, so the threat to the man is unrealized. Figure Threat and Vulnerability However, we can see a small crack in the wall—a vulnerability that threatens the man's security. If the water rises to or beyond the level of the crack, it will exploit the vulnerability and harm the man.