Vulnerability vs Threat vs Risk Re-visited
A while back I wrote about this topic, and decided to refresh that post.
How do we differentiate Vulnerabilities, Threats, and Risk in Cybersecurity?
This all comes into play in any risk-based exercise.
What’s important for one individual might not fit the threat model for someone else.
Similarly, what’s important for one company might not be top of mind for another.
Story Time
Let’s step back to fully understand this.
The importance and the difference in Vulnerabilities, Threats, and Risk can be summed up with the story of the 3 little pigs.
Hear me out… it turns out this well-known fable can also help us understand this important concept in Cybersecurity.
Remember, in the early parts of your Cybersecurity journey, concepts > details. But this goes for anyone, regardless of their experience level.
Just in case you haven’t read the story, here you go (albeit with an alternative ending).
In a previous post, we talked about many topics around Cybersecurity Interviews, one being how to differentiate Vulnerabilities, Threats, and Risk, as this is a topic that comes up.
Today, we will go over this in detail with the help of the aforementioned children’s story.
Going with the NIST definition, the 3 concepts can be defined as follows.
Vulnerability: A weakness in an information system or its implementation that could be exploited or triggered by a threat.
Threat: Any circumstance or event with the potential to adversely impact operations, assets, or individuals via unauthorized access, destruction, disclosure, or modification of information.
Risk: The level of impact on operations, company assets, or individuals, resulting from the potential impact of a threat and the likelihood of that threat occurring.
However, let’s look at these through the lens of the 3 little pigs to tie it to something we already know.
Vulnerability: In the story, the first 2 pigs built their houses using straw and sticks, respectively, which made their homes vulnerable to the wolf's huffing and puffing.
In other words, the building materials, straw and sticks, were the vulnerabilities.
Therefore, a vulnerability refers to a flaw in a system or process that can be exploited by a threat.
For example, outdated software or weak passwords with no 2FA are vulnerabilities (often misconfigurations) that hackers can exploit to gain unauthorized access to a system.
Threat: In the story, the wolf represents the threat to the pigs' homes.
Similarly, a threat refers to any potential danger or harm to an organization's assets, such as its digital data, reputation, or other assets.
For example, cybercriminals, employee theft, or natural disasters are all potential threats that can cause harm to an organization.
Risk: Finally, the third pig built his house using bricks, which reduced the risk of the house being blown down by the wolf. Each pig used a different material to build their house, and their risk levels differed accordingly.
Similarly, risk refers to the likelihood and potential impact of a threat exploiting a vulnerability.
For example, the risk of a cyber attack can be the probability that an attacker will exploit a vulnerability and the potential impact of that attack on the organization.
At the end of the day, you’re trying to reduce your risk as much as possible.
Putting It All Together
Now let’s dig deeper into the risk exercise.
The first pig built a house of straw; let’s give this a 90% risk.
Even without 20/20 hindsight, we can say with certainty that a house made of straw cannot withstand much, whether that be the forces of nature in the form of heavy rain, wind, and wear and tear, or a wolf huffing and puffing.
The second pig built a house of sticks. Marginally better than straw, but not by much. Let’s give this a score of 60% risk.
Here, some light rain would probably be okay, but any serious storm or extreme weather would wreak havoc on the home.
Similarly, in the story this wasn’t enough to withstand the wolf huffing and puffing.
Now the third pig. This house was built with bricks, which tend to hold up well against adverse weather (and are also fire-resistant). This strategy reduced the risk of the house being blown down by the wolf. In the end, the wolf could not take the house down.
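To make the risk exercise above concrete, here is an added example (not code from the original post) that scores each house as a small risk register: the likelihood that an in-scope threat exploits a vulnerability, multiplied by the impact if it does, with the worst pair setting the asset's headline risk. The threat names, impact values and likelihoods are constructed estimates chosen to reproduce the 90% and 60% figures above, and the threat model is a parameter so you can see how the ranking changes when a different set of threats is in scope.

```python
"""Semi-quantitative risk register for the three houses in the post.
Risk = likelihood that a threat exploits a vulnerability x impact if it succeeds."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    impact: float  # 0..1: how bad the outcome is if the threat succeeds


@dataclass(frozen=True)
class Vulnerability:
    name: str
    likelihood: dict  # threat key -> probability (0..1) that this threat exploits the weakness


# Constructed example data (hypothetical estimates matching the post's 90% / 60% figures).
THREATS = {
    "wolf": Threat("wolf huffing and puffing", 1.0),  # house blown down completely
    "storm": Threat("severe storm", 0.7),
}
HOUSES = {
    "straw": [Vulnerability("straw walls", {"wolf": 0.9, "storm": 0.8})],
    "sticks": [Vulnerability("stick walls", {"wolf": 0.6, "storm": 0.5})],
    "bricks": [Vulnerability("brick walls", {"wolf": 0.05, "storm": 0.05})],
}


def risk_register(vulns, threat_model):
    """One row per (vulnerability, in-scope threat) pair, highest risk first."""
    rows = []
    for v in vulns:
        for key in threat_model:
            t = THREATS[key]
            p = v.likelihood.get(key, 0.0)  # a threat that cannot exploit the weakness adds no risk
            rows.append({"vulnerability": v.name, "threat": t.name,
                         "likelihood": p, "impact": t.impact, "risk": round(p * t.impact, 2)})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def headline_risk(vulns, threat_model):
    """The worst (vulnerability, threat) pair sets the asset's risk level."""
    reg = risk_register(vulns, threat_model)
    return reg[0]["risk"] if reg else 0.0


def rank_houses(threat_model):
    """Order the assets by headline risk for a given threat model, highest first."""
    return sorted(HOUSES, key=lambda h: headline_risk(HOUSES[h], threat_model), reverse=True)


if __name__ == "__main__":
    for model in (["wolf", "storm"], ["storm"]):  # a neighbourhood with wolves vs. one without
        print(model, [(h, headline_risk(HOUSES[h], model)) for h in rank_houses(model)])
```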
What I Read This Week
NAACP calls on Memphis officials to halt operations at xAI’s ‘dirty data center’
The Shelby County Health Department has been sent angry letters about their “lackadaisical approach to the operation of this dirty data center”
This raises questions about the broader AI landscape and its data centers
Meta and Yandex are de-anonymizing Android users’ web browsing identifiers
The companies were bypassing sandboxing and tying browsing activity to persistent identities
Another case of covert tracking, are we surprised at this point?
Breaches
Covenant Health is Experiencing a Cyberattack Affecting Three Hospitals
What started as connectivity issues led to the discovery of the breach
The company decided to shut down data systems across the entire network
Security bug at compliance firm Vanta exposed customer data to other users
A reminder that most data leaks or breaches are caused by misconfigurations and bugs, not by an intrusion
Wrapping Up
In conclusion, the story of the 3 little pigs provides a relatable analogy for modelling the concepts of vulnerabilities, threats, and risk in Cybersecurity, and for tying them all together.
Understanding the potential vulnerabilities in your own life and the threats that could exploit them can help in taking proactive steps to reduce your risk of a cyber attack.
Understanding this at the company level is crucial for focusing on what’s most important for the business.
See you in the next one.