« Zone access is a TLD abuse mitigation enabler: help your friends help you | Main | Presentation: ICANN IS SSR Team's Roles, Relationships and Remit »

Thursday, 27 October 2016

Threats, Vulnerabilities and Exploits – oh my!

This post originally appeared at ICANN blog on 10 Aug 2015.

Some of the most commonly used security terms are misunderstood or used as if they were synonymous.  Certain of these security terms are so closely related that it's worth examining these together. Today, we'll look at several related terms – threat, vulnerability, and exploit – and learn how security professionals use these to assess or determine risk.


Remember the Objective: Protect Assets

The reason we put security measures in place is to protect assets. Assets are anything that we determine to have value. An asset's value can be tangible; for example, gold and jewelry are tangible assets, as are people. In a corporate network, a database, the server that hosts that database, and the network that provides connections to the server are also tangible assets. Other assets – company or personally sensitive information or reputation – have intangible value but are no less important.

135256283_f8efc29c9d_m
Image by Degan Walters

Threats and Threat Actors

Security considers several kinds of threats. A threat may be an expressed or demonstrated intent to harm an asset or cause it to become unavailable. Hostile acts that target an asset, irrespective of the motive, are considered threats. Acts of nature, human error or negligence are also considered threats. Both of these kinds of threats can cause web service or email interruptions, loss or unintentional disclosure of sensitive information, and in the emerging Internet of Things, both kinds may be determined to pose threats of human harm. Identifying threats is an important but extremely complicated aspect of security management.

Someone or some thing must express or pose a threat. These are threat actors. Some threat actors are individual attackers or state actors. Disgruntled, under-skilled, or overworked employees can also pose threats to an organization's assets and security management must consider all of these.

VulnerabilitiesOver30DaysVulnerabilities

A vulnerability is a flaw in the measures you take to secure an asset. This is a broader interpretation of the traditional definition, which considers only flaws or weaknesses in systems or networks (See RFC 2828). Vulnerabilities expose your organization's assets to harm. They exist in operating systems, applications or hardware you use. For example, if you do not run antivirus and antimalware software, your laptop or mobile device is vulnerable to infections. Similarly, if you fail to routinely update your operating systems or application software, these will remain vulnerable to software problems ("bugs") that have been identified and patched. (These security efforts are called vulnerability mitigation or vulnerability reduction.)

How you configure software, hardware and even email or social media accounts can also create vulnerabilities. How you manage privacy settings, for example, may affect whether pre-release information about a product you intended to share with only your co-workers is instead shared publicly.

User behaviors create opportunities for attackers and are thus vulnerabilities, too. A system administrator who surfs the web from an administrator account on a corporate workstation may become a victim of a "drive-by" infection of malicious software. This behavior creates a vulnerability that is not considered in the RFC2828 definition but is no less a problem in today's Internet than bugs in software.

Lastly, as we discussed in our first security awareness blog, people are vulnerable to social engineering. This vulnerability is proving to be one of the most formidable to mitigate. Raising security awareness is finally achieving recognition as an important component of vulnerability mitigation.

MalwareExploits

The term exploit is commonly used to describe a software program that has been developed to attack an asset by taking advantage of a vulnerability. The objective of many exploits is to gain control over an asset. For example, a successful exploit of a database vulnerability can provide an attacker with the means to collect or exfiltrateall the records from that database.

A successful use of exploits of this kind is called a data breach. Exploits are also developed to attack an operating system or application vulnerability to gain remote administrative or "run" privileges on a laptop or server. (This is a common objective of malware, which we'll examine in a future post.)

Not all exploits involve software, and it's incorrect to classify all exploit-based attacks as hacking. Scams - socially engineering an individual or employee into disclosing personal or sensitive information - are an age-old kind of exploit that does not require hacking skills.

Risk

You'll find many definitions when you search the term risk. One that I find the simplest to understand is "the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability" [TAG]. This ties the terminology we've reviewed – asset, threat, vulnerability, exploit – together quite neatly. In practice, for every asset, you identify the set of threats that could harm the asset. You then identify the vulnerabilities that threat actors could exploit to harm that asset. This, remarkably, is the simple part. The tricky part comes when you look at mitigation. Eliminating all threats – and thus having no risk – is unachievable, as there will always exist a degree of risk. The prevailing wisdom is to determine the cost of mitigating threats against the benefits. In theory, this effort defines the amount of risk you must tolerate given what you are willing to spend. In practice, it's proving much more challenging in the Internet era than before.

 

Posted at 09:26 AM in All matters security |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.

Find me on Mastodon and Facebook

Spotlight Posts

  • Interisle Study Reveals Alarming Rise in Online Abuse and Identifies Exploitable Links in Cybercriminal Supply Chains
    My Interisle colleagues and I today published our 2024 Cybercrime Suppy Chain study. We analyzed 16 million cybercrime events to expose a dramatic rise in criminal exploitation of name, address, hosting, and financial supply chains. Our year-over-year findings show that cybercriminals exploit lax policies to easily and cheaply obtain resources for phishing, malware, and spam campaigns. In our report, we provide actionable insights for those aiming to curb cybercrime. Among the major findings in the study, Interisle reports that: The total number of malware, phishing, and spam attacks grew year-over-year by nearly 54%, to nearly 16.3 million attacks. Spam doubled,...
  • Malware quarterly reports for July-September
    Malware quarterly reports for July-September 2024 is now posted at the Cybercrime Information Center. For the period... Malware identified as targeting endpoint devices increased 277% over the prior period. WordPress blog sites used for malware accounted for nearly all the malicious documents reported for this period. We continue to see an uptick in malicious scripts. IPv4 addresses reported for exhibiting characteristics of attackware and traffic injectors increased 38% to just under 1 million. ASNs in China and India again have the most IPv4 addresses reported for hosting malware. More malware trends for the period at https://www.cybercrimeinfocenter.org/malware-trends-july-september-2024. For historical reporting of...
  • Interisle's Phishing Landscape 2024 is here
    Our Interisle team today announced the publication of an industry report, Phishing Landscape 2024, A Study of the Scope and Distribution of Phishing. Interisle’s fourth annual study examines nearly four million phishing reports collected from May 2023 to April 2024 and provides historical measurements using over 15 million phishing reports collected at the Cybercrime Information Center over a four year period. Findings from the study: • The total number of phishing attacks grew to ~1.9 million incidents worldwide. • Phishing attacks hosted at subdomain providers increased by 450,000+ reported names, representing 24% of all phishing attacks. • The use of...
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....

Search

My Photo

Categories