From the course: Ethical Hacking: Vulnerability Analysis

Risks threats and vulnerabilities

- [Instructor] When developing security strategies, it's important to understand the following terms: assets, risks, threats and vulnerabilities. Organizations seek to develop and employ good security practices to protect assets, which are tangible and intangible items that can be assigned a value. Tangible assets include anything that you can touch, such as printers or computers. Intangible assets include trade secrets, databases and company records.

Risk is a chance that something unexpected will happen and is a combination of threats and vulnerabilities according to a formula: risk equals threats times vulnerabilities. Therefore, in order to understand the risk to assets, possible threats and vulnerabilities must be evaluated. Risk analysis is important for budgeting for security. Managing risk by evaluating and prioritizing and addressing the most immediate challenges first. Risk is a function of a threat exploiting a vulnerability. Threats may exist, but if there is not a vulnerability, there will be no risk. Correspondingly, if there is a vulnerability but no threat, then there won't be a risk. Risks include business disruption, financial loss, or even loss of life.

A threat is anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage or destroy an asset. A threat is something that might happen and can range from innocent mistakes made by employees to natural disasters. It can include disgruntled employees, or even terrorists. Threats, in general, are difficult to control. Threat assessments are performed to determine the best approaches to securing a system against a particular threat.

A vulnerability is a security flaw in a system that can be exploited by threats to gain unauthorized access to an asset. Connecting a system to the internet can represent a vulnerability if the system is unpatched. Vulnerabilities include unpatched systems, human error, or software flaws.

To give you an example, we'll tell the story of the three little pigs. Now, there are three little pigs that each built a house, and the big bad wolf threatened to huff and puff and blow their houses down. Now I did a Little Piggies Risk Analysis. There's not a lot of math involved, but let's take a look. Now when we take a look at the threat, in all three cases the threat is 100% that the wolf will huff and puff and blow their house down. But let's take a look at the three scenarios. We see that the first little piggy built his house out of straw. Now the vulnerability is a 90% chance that that house is going to go down. So that little piggy's house has a risk grading of 90%. The second little piggy built his house out of sticks. Now we'll assess this vulnerability at 40%. So his overall risk is 40%. However, the third little piggy built his house out of brick. That means that he had a 0% vulnerability that the wolf was able to blow his house down. Therefore his risk grading is 0%.

The moral of the story is that, in most cases, a vulnerability can be fixed. Test and address vulnerabilities on an ongoing basis.
