
Cyber Threats, Vulnerabilities and Risks

Posted Date: February 18, 2020
Posted Time: 3 min read

Debunking Misconceptions and Understanding the True Risk to Your Assets

Cyber threats, vulnerabilities, and risks are terms that one hears a lot in conversations about IT or cybersecurity, but they are also the most commonly confused terms and are often used interchangeably. It is unreasonable to expect those outside the cybersecurity industry to know the difference and use the terms correctly. But understanding what these terms mean and how they differ is critical to knowing the true risk that your assets face and, accordingly, taking steps to manage that risk. Proceeding without this foundational understanding of risk assessment and management can be counterproductive and detrimental.

In this article, we will build a detailed understanding of cyber threats, vulnerabilities, and risks, and of the differences between them.

Assets: What You Are Trying to Protect

Assets vary significantly from business to business and organization to organization. Assets are anything that can be assigned value and therefore needs protection. Examples: infrastructure, networks, systems, hardware, software, applications, brand image/ reputation, goodwill, proprietary information, patents, code, databases, critical company records, and much more.

Cyber Threats: What You Are Trying to Protect Assets Against

An event or a circumstance that has the potential to cause a negative/ undesired outcome such as damage to or theft/ loss/ destruction of assets is a cyber threat.

Examples:

  • DDoS attacks orchestrated by competitors to block legitimate users from accessing your website.
  • Social engineering or phishing attacks where attackers install a Trojan or other malware to steal confidential information.
  • An employee stealing company data and selling on the black market.
  • Fire in your data center, etc.

These cyberthreats are actualized by threat actors (people/ entities/ organizations) who initiate attacks. Threat actors can be crime syndicates, hacktivists, nation-states, cybercriminals, disgruntled employees/ insiders, competitors, careless employees, financially or politically motivated attackers, etc. The impact of cyberthreats can be more devastating and costly if the threat actors leverage one or more vulnerabilities in the network/ system/ application/ infrastructure to orchestrate attacks.

Vulnerabilities: Gaps/ Weaknesses/ Misconfigurations in Security Efforts

Vulnerabilities are gaps, weaknesses, misconfigurations, and loopholes in your systems/ networks/ applications that make cyberthreats possible and in most cases, very dangerous and costly. The presence of these vulnerabilities undermines your security efforts and weakens your overall security posture. Threat actors may leverage one or more vulnerabilities to orchestrate attacks and breaches.

Vulnerabilities are usually of three kinds – known, business logic-related, and unknown or zero-day. For instance, OWASP Top 10 vulnerabilities (such as SQL injection, Cross-Site Scripting (XSS), CSRF, etc.), failure to encrypt data, authorization failures, universal passwords known to insiders, etc. are known vulnerabilities. Business logic vulnerabilities are specific to each business and not easily identifiable through automated tools such as Web Scanners, Anti-Virus, etc.

Risks = Threat Probability x Potential Impact

Risks/ cybersecurity risks are the calculated potential damage/ loss/ destruction of an asset in the event that a threat exploits a vulnerability, causing the level of security to fall.

Risks are a function of threats, vulnerabilities, threat probability, and their potential impact. And this is the key difference between a cyberthreat and a cybersecurity risk. In other words, a threat is an attack or breach or the negative event itself while the risk includes the probability of the threat and the impact it is capable of causing.

So, it is essential to understand both the nature of the threats facing the organization and the vulnerabilities that exist in its systems, networks, and applications. In order to minimize cyber risk, you must fix the vulnerabilities while also securing the ones not yet fixed, using an intelligent and managed WAF like AppTrana so that threat actors cannot identify and exploit them.

A Practical Example

  • DDoS attacks are threats facing a business.
  • Competitors who want to block legitimate users from gaining access to the website are one of the threat actors.
  • To accomplish this objective, they inject a malicious payload into the website through a comments section that accepts unsanitized input. (Accepting unsanitized input is the vulnerability.)
  • The potential impact of DDoS attacks is that businesses will have to face significant financial and reputational loss.
  • The probability of a DDoS attack is high given that the website does not have multi-layered and always-on protection against such attacks; plus, the WAF is neither intelligent nor does it have a custom workflow.
  • Therefore, the business is at a high risk of facing DDoS attacks, and allowing unsanitized input in the comment section must be treated as a high-risk vulnerability.

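The practical example above, worked through as a small risk register (added example, not code from the article or from Indusface): each entry ties an asset, threat, and vulnerability together and scores it with the article's formula, Risk = Threat Probability x Potential Impact. The 3x3 Low/Medium/High scale and the rule that each mitigation in place lowers the probability by one level are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class RiskEntry:
    asset: str            # what is being protected
    threat: str           # the negative event itself
    vulnerability: str    # the weakness that makes the threat possible
    probability: Level    # likelihood before any mitigation is applied
    impact: Level         # potential damage if the threat materialises
    mitigations: list[str] = field(default_factory=list)

    def effective_probability(self) -> Level:
        # Assumption: each control in place drops the probability one level,
        # floored at LOW (a mitigated vulnerability is still a vulnerability).
        return Level(max(Level.LOW, self.probability - len(self.mitigations)))

    def score(self) -> int:
        # Risk = Threat Probability x Potential Impact, on the 1..9 scale.
        return int(self.effective_probability()) * int(self.impact)

    def rating(self) -> str:
        # Buckets of the 3x3 matrix: 1-2 Low, 3-4 Medium, 6-9 High (assumption).
        s = self.score()
        return "High" if s >= 6 else "Medium" if s >= 3 else "Low"


def prioritize(register: list[RiskEntry]) -> list[RiskEntry]:
    """Highest score first, so remediation effort goes to the biggest risks."""
    return sorted(register, key=lambda e: e.score(), reverse=True)


# Constructed scenario mirroring the article's practical example.
DDOS_VIA_COMMENTS = RiskEntry(
    asset="public website",
    threat="DDoS orchestrated by competitors",
    vulnerability="comment section accepts unsanitized input",
    probability=Level.HIGH,   # no always-on, multi-layered protection
    impact=Level.HIGH,        # significant financial and reputational loss
)


def after_fixes() -> RiskEntry:
    """The same entry once input is sanitized and a managed WAF is in front."""
    return RiskEntry(**{**DDOS_VIA_COMMENTS.__dict__,
                        "mitigations": ["input sanitization", "managed WAF"]})
```

Running `prioritize([DDOS_VIA_COMMENTS, after_fixes()])` puts the unmitigated entry (score 9, High) ahead of the mitigated one (score 3, Medium), which is the ordering a remediation plan should follow.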
Understanding the difference between cyber threats, vulnerabilities, and risks enables you to communicate clearly with security teams and other stakeholders. It also enables you to assess risks effectively, understand how threats affect risks, better design security solutions based on threat intelligence, and maintain a robust security posture.


Karthik Krishnamoorthy

Karthik Krishnamoorthy is a senior software professional with 28 years of experience in leadership and individual contributor roles in software development and security. He is currently the Chief Technology Officer at Indusface, where he is responsible for the company's technology strategy and product development. Previously, as Chief Architect, Karthik built the cutting-edge, intelligent Indusface web application scanning solution. Prior to joining Indusface, Karthik was a Datacenter Software Architect at McAfee (Intel Security), and a Storage Security Software Architect at Intel Corporation, in the endpoint storage security team developing security technology in the Windows kernel-mode storage driver. Before that, Karthik was the Director of Deep Security Labs at Trend Micro, where he led the Vulnerability Research team for the Deep Security product line, a Host-Based Intrusion Prevention System (HIPS). Karthik started his career as a Senior Software Developer at various companies in Ottawa, Canada, including Cognos, Entrust, Bigwords and Corel. He holds a Master of Computer Science degree from Savitribai Phule Pune University and a Bachelor of Computer Science degree from Fergusson College. He also holds various certifications, such as in machine learning from Coursera and AWS, from 2014 onwards.
