Basic Security Principles & Terms II / Vulnerabilities/Threats & Exposure
Subtitles of the Movie
As we round out our discussion on basic computer security terms, we need to talk about vulnerabilities, threats, exposure. This will lead us into our next session talking about basics of risk management. Now, every part of a network, computers, network devices, even the cabling that connects them together, has weaknesses and when you think about computers and networks, you can't just think about one part of it. You have to think about every single part of it that connects from end to end; computers, operating systems, network devices, the cabling, applications that run on the computers and, of course, even the people. They're all part of the network.

Each of these have weaknesses called vulnerabilities. A vulnerability is a weakness in a system or in a person or in a network device. These vulnerabilities unfortunately can be exploited. That's where a lot of our attacks come from. When we say exploiting a vulnerability in terms of computer security, we're talking about using that weakness to diminish the system security itself. A vulnerability can be exploited.

Now, a threat is something that exploits a vulnerability. For example, our operating system may have a particular vulnerability. A threat could exploit that vulnerability and cause that system to be more insecure and allow an attack to take place. A threat is an action that is taken by a threat agent. A threat agent will exercise and exploit against a vulnerability. It's kind of how the terms are laid out and it's kind of important that you understand what these terms are because we'll see them again when we talk about risk.

Now, some information that we need to know about threats: threats don't have to be just the hacker that attacks your system. A threat can be man-made for sure or it can be natural. A threat could also be a fire or a tornado for example. Threats can be intentional or accidental. Intentional might mean a disgruntled employee that erases a folder of privileged data or data that would be hard to replace. Accidental might be a threat that would be classified as an employee that simply because they don't know what they're doing, they accidentally erase something that's important. So threats can be humans but they also can be technology. A particular threat may be exercised against a piece of software and cause a buffer overflow for example that will cause the system to be insecure. Threat agents exercise a threat against a vulnerability in order to exploit that vulnerability. And once that vulnerability's exploited, that opens the door for an attack.

Now, there's something called an exposure and that is a vulnerability that has been exploited. Normally an exposure can tell you that a system has been attacked, the vulnerability's been exploited, there's an exposure now and we have to figure out how to minimize the damage of that exposure. Exposure can be quantified or measured. There are different ways to measure an exposure and we can say that exposure allowed the system to be insecure for a period of time or allowed X number of systems to be insecure.

When we talk about vulnerabilities, threats and exposure, it's going to take us logically to talking about risk. Now, risk is a numbers game to be honest with you. Risk is something we do every day to determine what we need, what protections we need to put in place if a certain threat happened and exposed a or exploited a vulnerability. Risk is essentially the likelihood that a vulnerability will be exploited. Now, risk can be reduced or we say mitigated and most of the time mitigated means to reduce the risk, but it also can mean to transfer the risk or eliminate the risk. A mitigation basically reduces the likelihood that a threat agent is able to carry out an exploit against any particular vulnerability. We can mitigate a vulnerability in a system for example. Let's say that there's a vulnerability in an operating system that might cause the system to be easily attacked. Well, let's say one of the mitigations might be a patch that's applied to that system and once that patch is applied, that risk has been mitigated. Mitigations don't have to be technology-based, although they can be, such as patches and firewalls and so forth. They can also be human-based. A human-based mitigation might be a policy that prohibits a particular action on the network or it can even be training the users to not do things like share passwords. Mitigations can also be physical, such as gates and guards for example.
Tutorial Information
| Course: | Fundamentals of Computer Security |
| Author: | Bobby Rogers |
| SKU: | 33874 |
| ISBN: | 1-934743-69-0 |
| Release Date: | 2008-05-21 |
| Duration: | 8.5 hrs / 92 lessons |
| Captions: | Available on CD and Online University |
| Compatibility: | Vista/XP/2000, OS X, Linux; QuickTime 7, Flash 8 |