Cyber Threats, Vulnerabilities and Risks
"Debunking Misconceptions and Understanding the True Risk to Your Assets"
Cyber threats, vulnerabilities, and risks are terms one hears a lot in conversations about IT or cybersecurity, but they are also the most commonly confused terms and are often used interchangeably. We know it is unreasonable to expect those outside the cybersecurity industry to know the difference and use the terms correctly. But understanding what these terms mean and how they differ is critical to knowing the true risk your assets face and to taking the right steps to manage that risk. Proceeding without this foundational understanding of risk assessment and management can be counterproductive and detrimental.
In this article, we take a detailed look at cyber threats, vulnerabilities, and risks and the differences between them.
Assets: What You Are Trying to Protect
Assets vary significantly from business to business and organization to organization. An asset is anything that can be assigned value and therefore needs protection. Examples: infrastructure, networks, systems, hardware, software, applications, brand image and reputation, goodwill, proprietary information, patents, source code, databases, critical company records, and much more.
Cyber Threats: What You Are Trying to Protect Assets Against
A cyber threat is an event or circumstance that has the potential to cause a negative or undesired outcome, such as damage to, or theft, loss, or destruction of, an asset.
Examples:
- DDoS attacks orchestrated by competitors to block legitimate users from accessing your website.
- Social engineering or phishing attacks where attackers install a Trojan or other malware to steal confidential information.
- An employee stealing company data and selling it on the black market.
- Fire in your data center, etc.
These cyber threats are actualized by threat actors (people, entities, or organizations) who initiate attacks. Threat actors can be crime syndicates, hacktivists, nation-states, cybercriminals, disgruntled employees or insiders, competitors, careless employees, financially or politically motivated attackers, etc. The impact of a cyber threat can be far more devastating and costly if the threat actor leverages one or more vulnerabilities in the network, system, application, or infrastructure to orchestrate the attack.
Vulnerabilities: Gaps/ Weaknesses/ Misconfigurations in Security Efforts
Vulnerabilities are gaps, weaknesses, misconfigurations, and loopholes in your systems, networks, and applications that make cyber threats possible and, in most cases, very dangerous and costly. The presence of these vulnerabilities undermines your security efforts and weakens your overall security posture. Threat actors may leverage one or more vulnerabilities to orchestrate attacks and breaches.
Vulnerabilities are usually of three kinds: known, business logic-related, and unknown (zero-day). For instance, the OWASP Top 10 categories (such as SQL injection, Cross-Site Scripting (XSS), CSRF, etc.), failure to encrypt data, authorization failures, and shared passwords known to insiders are known vulnerabilities. Business logic vulnerabilities are specific to each business and are not easily identified by automated tools such as web scanners, anti-virus, etc.
Risks = Threat Probability x Potential Impact
Risks, or cybersecurity risks, are the calculated potential damage, loss, or destruction of an asset should a threat exploit a vulnerability and reduce the asset's level of security.
Risks are a function of threats, vulnerabilities, threat probability, and potential impact. This is the key difference between a cyber threat and a cybersecurity risk. In other words, a threat is the attack, breach, or negative event itself, while the risk combines the probability of that threat occurring with the impact it is capable of causing.
So, it is essential to understand both the nature of the threats facing the organization and the vulnerabilities that exist in its systems, networks, and applications. To minimize cyber risk, you must fix the vulnerabilities while also shielding those not yet fixed with an intelligent, managed WAF like AppTrana so that threat actors cannot identify and exploit them.
A Practical Example
- DDoS attacks are threats facing a business.
- Competitors who want to block legitimate users from gaining access to the website are one of the threat actors.
- To accomplish this objective, they inject a malicious payload into the website through a comments section that accepts unsanitized input. (Accepting unsanitized input is the vulnerability.)
- The potential impact of DDoS attacks is that businesses will have to face significant financial and reputational loss.
- The probability of a DDoS attack is high given that the website does not have multi-layered and always-on protection against such attacks; plus, the WAF is neither intelligent nor does it have a custom workflow.
- Therefore, the business is at high risk of DDoS attacks, and allowing unsanitized input in the comments section must be treated as a high-risk vulnerability.
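The practical example above can be written down as a small risk register that applies the article's formula (risk = threat probability x potential impact). This is an added illustration, not code from the article or from AppTrana; the 1-to-5 scales, the band thresholds, and the rule that a known vulnerability raises likelihood by one point while each mitigation lowers it by one are assumptions chosen for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Risk bands on a 5x5 likelihood-by-impact grid (assumed thresholds, not from the article).
BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (0, "Low")]

@dataclass
class Scenario:
    asset: str
    threat: str
    threat_actor: str
    vulnerability: str | None          # None when no exploitable weakness is known
    impact: int                        # potential impact, 1 (negligible) .. 5 (severe)
    base_likelihood: int               # actor motivation and capability alone, 1 .. 5
    mitigations: list[str] = field(default_factory=list)

def likelihood(s: Scenario) -> int:
    """Threat probability: raised by an exploitable vulnerability, lowered by each mitigation."""
    score = s.base_likelihood
    if s.vulnerability:
        score += 1
    score -= len(s.mitigations)
    return max(1, min(5, score))

def risk_score(s: Scenario) -> int:
    # Risk = Threat Probability x Potential Impact, as the article defines it
    return likelihood(s) * s.impact

def risk_band(score: int) -> str:
    return next(name for threshold, name in BANDS if score >= threshold)

def assess(s: Scenario) -> dict:
    score = risk_score(s)
    return {"asset": s.asset, "threat": s.threat, "actor": s.threat_actor,
            "likelihood": likelihood(s), "impact": s.impact,
            "score": score, "band": risk_band(score)}

# Constructed scenario mirroring the article's practical example: a competitor, a comments
# section that accepts unsanitized input, and no always-on protection in place.
UNPROTECTED = Scenario(
    asset="public website", threat="DDoS", threat_actor="competitor",
    vulnerability="comments section accepts unsanitized input",
    impact=4, base_likelihood=3)

# Same asset, threat, and actor after the vulnerability is fixed and protection is added.
PROTECTED = Scenario(
    asset="public website", threat="DDoS", threat_actor="competitor",
    vulnerability=None, impact=4, base_likelihood=3,
    mitigations=["input validation on comments", "always-on managed WAF"])
```

Running `assess(UNPROTECTED)` yields a likelihood of 4 and a score of 16 ("High"); the same threat against `PROTECTED` drops to a likelihood of 1 and a score of 4 ("Low"), showing that the threat did not change, only the risk did.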
Understanding the difference between cyber threats, vulnerabilities, and risks enables you to communicate clearly with security teams and other stakeholders. It also enables you to assess risks effectively, understand how threats affect risk, design better security solutions based on threat intelligence, and maintain a robust security posture.