1. Introduction
We can often observe the concepts of threat, vulnerability, and risk in our everyday lives. For example, in the real world, we have malicious people, dangerous animals, and infrastructure problems as threats. Being distracted or forgetting to lock our house before going somewhere else are, in turn, vulnerabilities. And the combination of threats and vulnerabilities is a risk, for instance, getting injured or robbed.
These concepts also have a particular place in the digital world. In that context, they have specific characteristics and objectives.
In this tutorial, we'll investigate how threats, vulnerabilities, and risks occur in a computing scenario. First, we'll examine why these concepts exist in the digital world while understanding what assets are. Next, we'll explore some technical definitions of threat, vulnerability, and risk. Then, we'll discuss some protective measures to avoid dangerous scenarios in computing. Finally, we'll outline and relate these concepts in a systematic summary.
2. Motivations for Digital Threats, Vulnerabilities, and Risks
In recent decades, computing has become crucial to human life. Furthermore, beyond offline computing, the rise of computer networks enabled people in different places to communicate and exchange data efficiently. This phenomenon increased the popularity of the digital world even more.
Due to their efficiency, computer programs became responsible for processing sensitive data and tasks, such as bank transactions, geolocation references, and medical records. In this way, digital data, and even the processing routines applied to it, became assets for the people and organizations that own them.
It is relevant to highlight that, in our context, we define an asset as anything that represents any kind of value for its owner. So, a digital asset is any valuable data or process that is stored or executed digitally.
Thus, the existence of digital assets is the reason for the existence of digital threats. These threats aim to exploit vulnerabilities, which creates digital risk scenarios.
Let’s understand, in detail, the definition and relation of threats, vulnerabilities, and risks from the digital world in the following sections.
3. Threats
A computing threat encompasses several actions and events, typically enabled by a vulnerability, that may cause undesired effects on particular software or hardware. In general, we have two categories of threats: intentional and non-intentional.
Intentional threats represent malicious entities, hardware, or software that execute actions to deliberately harm a computing system, usually trying to gain some advantage by doing so. Hackers and crackers, for example, are intentional threats since they aim to create and execute attacks, such as phishing, SQL injection, and denial of service.
Beyond the minds behind an attack, the resources developed to enable or automatically execute a malicious action are also intentional threats. Examples of such resources are any kind of malware (such as viruses, worms, and trojans) or adware.
Finally, we also have non-intentional threats, which are related to accidental events. For instance, an online service becoming unavailable due to a fiber cable broken during a storm is a non-intentional threat: no one made an effort to deny the service, but the circumstances made it unavailable anyway.
4. Vulnerabilities
A vulnerability is any weakness of a computing system or shortcoming in a security system. Threats treat vulnerabilities as an easy path to their objectives, exploiting them to carry out malicious actions.
Vulnerabilities can arise in computing systems for several reasons. Some of them are:
- Complexity: the more complex a system, the more challenging it is to make it holistically secure; thus, the higher the probability that it has an unidentified vulnerability
- Connectivity: the greater the number of applications communicating with other entities, the higher the probability of a system facing threats coming from the network; even on a secure system, the applications it runs may themselves be vulnerabilities
- Maintenance: a lack of maintenance or running outdated software may create vulnerabilities in computing systems. Many patches include vulnerability fixes, so applying them is essential
Furthermore, we can classify vulnerabilities according to which aspect of a computing system they relate to. Some examples are shown next:
- Hardware: vulnerabilities regarding the physical components of a computing system, such as overheating, wet or dusty environments, and the use of outdated equipment
- Software: vulnerabilities in terms of the software programs running in a computing system. For example, lack of tests, insecure coding, and software engineering problems
- Network: vulnerabilities that emerge from networked communications. Some examples are the use of non-encrypted protocols and the adoption of an insecure network architecture
- Staff: vulnerabilities related to computing systems' operators, administrators, and developers. They commonly arise from inadequate recruiting processes and insufficient security awareness
It is relevant to highlight that avoiding vulnerabilities is as important as protecting our systems from threats. A computing system with few vulnerabilities leaves little room for threats to act on it.
5. Risks
In short, we can understand risks as the potential problems caused by a threat exploiting a vulnerability, such as the destruction, loss, or theft of an asset of a computing system.
Thus, we can see risk as the product of three factors: the existence of assets, exploitable vulnerabilities, and threats that can exploit the available vulnerabilities. The following Venn diagram shows risk from the perspective of these three factors:
We should note, however, that being at risk does not mean being attacked. A computing system can be at constant risk and never have a problem or suffer a concrete consequence, although the probability of that happening is high.
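The three-factor view above can be written down as a small risk register. The following Python is an added example, not code from the original article: it models assets, vulnerabilities, and threats as the article defines them, produces a risk entry only where all three factors meet, and scores it as asset value times threat likelihood times vulnerability exploitability. The asset names, vulnerability ids, and scores are constructed for the example; the scoring formula is one common quantitative approximation, not the article's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Something of value; `value` is the impact (1 low .. 5 critical) if it is compromised."""
    name: str
    value: int


@dataclass(frozen=True)
class Vulnerability:
    """A weakness of one asset; `exploitability` is the chance an attempt against it succeeds (0..1)."""
    vuln_id: str
    asset: str
    description: str
    exploitability: float


@dataclass(frozen=True)
class Threat:
    """An actor or event able to exploit specific vulnerabilities; `likelihood` is the chance of an attempt (0..1)."""
    name: str
    exploits: frozenset  # vuln_ids this threat is able to exploit
    likelihood: float


def risk_register(assets, vulnerabilities, threats):
    """Return (risk_score, asset, vuln_id, threat) entries, highest first.

    An entry exists only when all three factors meet: an asset, a vulnerability on
    that asset, and a threat able to exploit that vulnerability. Remove any one of
    them and the entry disappears, which is what the Venn diagram expresses.
    """
    value_of = {a.name: a.value for a in assets}
    entries = []
    for v in vulnerabilities:
        if v.asset not in value_of:
            continue  # a weakness in something we do not value is not a risk
        for t in threats:
            if v.vuln_id in t.exploits:
                score = value_of[v.asset] * t.likelihood * v.exploitability
                entries.append((score, v.asset, v.vuln_id, t.name))
    return sorted(entries, reverse=True)


def total_risk(assets, vulnerabilities, threats):
    """Sum of all register entries: a single number to compare before/after a mitigation."""
    return sum(e[0] for e in risk_register(assets, vulnerabilities, threats))


def patched(vulnerabilities, vuln_id):
    """Simulate the protective measure of fixing one vulnerability."""
    return [v for v in vulnerabilities if v.vuln_id != vuln_id]


# Constructed sample inventory (hypothetical names and scores, not from the article).
ASSETS = [Asset("customer-db", 5), Asset("marketing-site", 2)]
VULNS = [
    Vulnerability("V1", "customer-db", "unpatched input validation flaw in login form", 0.8),
    Vulnerability("V2", "marketing-site", "outdated CMS plugin", 0.5),
    Vulnerability("V3", "customer-db", "backups stored on an unmonitored share", 0.3),
]
THREATS = [
    Threat("targeted attacker", frozenset({"V1"}), 0.5),
    Threat("opportunistic scanner", frozenset({"V2"}), 1.0),
]

if __name__ == "__main__":
    for score, asset, vuln_id, threat in risk_register(ASSETS, VULNS, THREATS):
        print(f"{score:4.1f}  {asset:15} {vuln_id}  <- {threat}")
    print("total before patching V1:", total_risk(ASSETS, VULNS, THREATS))
    print("total after  patching V1:", total_risk(ASSETS, patched(VULNS, "V1"), THREATS))
```

Note that V3 never appears in the register: it is a vulnerability, but no listed threat exploits it, so by the article's definition it is not yet a risk. Likewise, passing an empty threat list or an empty asset list yields an empty register, and patching V1 removes the highest entry, which is exactly the lever the protective measures section relies on.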
6. Protective Measures
Protective measures for computing systems aim to eliminate at least one of the three risk factors described in the previous section. However, we usually cannot remove the assets from a computing system, since the system itself is an asset (a botnet, for example, values the compromised machines themselves).
Furthermore, threats will exist regardless of our actions. Hackers create malicious programs and attack strategies every day. In this case, the best we can do is try to detect when some threat is present or acting in our computing systems and remove it. Executing frequent scans with antivirus software on the computing systems is an efficient way to do that.
So, the best we can do as operators or administrators is to focus our efforts on detecting and removing vulnerabilities in our computing systems. There are multiple ways to do that. Among them, we can cite keeping the software running on our systems updated, following best practices for deploying security solutions (such as firewalls and antiviruses), and installing only auditable software (or software from trusted sources).
Moreover, we can use tools that scan computing systems to find vulnerabilities. These tools are great for getting an overview of our systems. However, they require expert judgment, since they typically report a number of false positives.
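To make the last two points concrete, here is an added Python example (not code from the original article) of the simplest kind of vulnerability scanner: it compares an inventory of installed package versions against a list of advisories that name the first fixed version, and then applies a reviewed exception list, which is where the expert judgment comes in. The package names, versions, advisory ids and the "backported fix" justification are all constructed placeholders.

```python
from dataclasses import dataclass


def parse_version(text):
    """Turn '2.3.10' into (2, 3, 10) so versions compare numerically.

    Comparing version strings lexically is a classic scanner bug and a source of
    false positives: '2.3.10' < '2.3.9' as strings, but not as numbers.
    """
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder ids; real advisories carry vendor or CVE identifiers
    package: str
    fixed_in: str      # first version that contains the fix


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    package: str
    installed: str
    fixed_in: str


def scan(inventory, advisories):
    """Report every installed package whose version is older than an advisory's fix."""
    findings = []
    for pkg, installed in inventory.items():
        for adv in advisories:
            if adv.package == pkg and parse_version(installed) < parse_version(adv.fixed_in):
                findings.append(Finding(adv.advisory_id, pkg, installed, adv.fixed_in))
    return findings


def triage(findings, reviewed):
    """Apply analyst judgment to raw scanner output.

    `reviewed` maps advisory ids to a written justification for treating the finding
    as a false positive on this host (for example, the distribution backported the fix
    without bumping the version number). Returns (confirmed, suppressed).
    """
    confirmed = [f for f in findings if f.advisory_id not in reviewed]
    suppressed = [(f, reviewed[f.advisory_id]) for f in findings if f.advisory_id in reviewed]
    return confirmed, suppressed


# Constructed inventory and advisories (hypothetical packages, versions and ids).
INVENTORY = {"sshd": "9.2", "web-server": "1.22.0", "libfoo": "2.3.10", "shell": "5.1"}
ADVISORIES = [
    Advisory("ADV-0001", "sshd", "9.3"),
    Advisory("ADV-0002", "web-server", "1.24.0"),
    Advisory("ADV-0003", "libfoo", "2.3.9"),   # 2.3.10 already contains this fix
    Advisory("ADV-0004", "shell", "5.2"),
]
# Analyst review of earlier scans: ADV-0001 is a false positive on this host because the
# distribution backported the fix into its 9.2 build (constructed justification).
REVIEWED = {"ADV-0001": "fix backported by the distribution; verified against the changelog"}

if __name__ == "__main__":
    confirmed, suppressed = triage(scan(INVENTORY, ADVISORIES), REVIEWED)
    for f in confirmed:
        print(f"CONFIRMED  {f.package} {f.installed} < {f.fixed_in} ({f.advisory_id})")
    for f, why in suppressed:
        print(f"SUPPRESSED {f.package} {f.installed}: {why}")
```

Two details carry the lesson: `parse_version` avoids the string-comparison trap that would wrongly flag `libfoo 2.3.10`, and `triage` keeps the suppressed findings together with their justification rather than silently dropping them, so the next review can check whether the reason still holds.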
7. Systematic Summary
In the modern world, data and services in computing systems have become valuable assets. Due to this fact, malicious entities emerged, generating digital threats that aim to capture those assets. To do so, these threats take advantage of vulnerabilities in computing systems, gaining access to them and executing undesired processes there.
The simple existence of assets, threats, and vulnerabilities leaves a computing system at risk. Specifically, risk concerns the possibility of a system being attacked once all the necessary factors for an attack exist.
The following table summarizes the concepts and definitions of threats, vulnerabilities, and risks:
| Concept | Definition | Examples |
| --- | --- | --- |
| Threat | Actions and events, intentional or non-intentional, that may cause undesired effects on software or hardware | Hackers and crackers, malware and adware, a fiber cable broken during a storm |
| Vulnerability | Any weakness of a computing system or shortcoming in a security system | Insecure coding, non-encrypted protocols, outdated software, insufficient security awareness |
| Risk | The potential problems caused by a threat exploiting a vulnerability | Destruction, loss, or theft of an asset |
8. Conclusion
In this tutorial, we studied threats, vulnerabilities, and risks. First, we examined the primary conditions and motivations for the existence of threats, vulnerabilities, and risks. In the following sections, we investigated each of these concepts in depth. Next, we saw some protective measures we can adopt for our computing systems. Finally, we reviewed all the studied concepts in a systematic summary.
We can conclude that threats will always exist in a connected digital world. Thus, our responsibility as systems operators and administrators is to reduce the number of vulnerabilities to a minimum, thereby minimizing the risk of being attacked and losing valuable assets.