Saturday, February 20, 2021

Vulnerability, Threat and Risk (in Information Technology)



1. Vulnerability

Definition 1:
A vulnerability is a weakness or error in a system's or device's code that, when exploited, can compromise the confidentiality, integrity or availability of the data stored on it, through unauthorized access, elevation of privileges, or denial of service.

Definition 2:
In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries (i.e. perform unauthorized actions) within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, the set of weaknesses an attacker can reach is also known as the attack surface.

Vulnerability management is a cyclical practice. Its exact shape varies between frameworks, but the common process steps are:

1. discover all assets 
2. prioritize assets 
3. assess or perform a complete vulnerability scan
4. report on results
5. remediate vulnerabilities 
6. verify remediation 
7. repeat
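The cycle above as a runnable sketch, added here as an illustration and not code from the original post. Host names, finding IDs (VULN-0001 and so on are placeholders, not real CVE identifiers) and CVSS scores are constructed, and the 1.5x factor for internet-facing hosts in priority() is an assumed tuning value. It shows what the list leaves implicit: prioritisation depends on the asset register as much as on the scanner's severity, and "verify remediation" means diffing the rescan against the previous scan rather than trusting that a ticket was closed.

```python
"""Vulnerability-management cycle, added here as an illustration (not code from
the original post).  Steps covered: inventory (1), prioritisation (2), assessment
results (3), reporting (4) and verifying remediation by comparing two scans (6).
Every host name, finding ID and score below is constructed sample data; the
finding IDs are placeholders, not real CVE identifiers."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    criticality: int        # 1 (disposable) .. 5 (business-critical), set by the asset owner
    internet_facing: bool   # reachable from the Internet -> larger exposed attack surface


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # scanner's identifier for the weakness (hypothetical values)
    cvss: float             # 0.0 .. 10.0 severity as reported by the scanner


# Step 1: the asset register.  Anything the scanner sees that is NOT in here is
# an inventory gap and is treated as worst case until an owner is found.
ASSETS = {
    "web-01": Asset("web-01", criticality=4, internet_facing=True),
    "db-01":  Asset("db-01",  criticality=5, internet_facing=False),
    "dev-vm": Asset("dev-vm", criticality=1, internet_facing=False),
}
UNKNOWN_ASSET = Asset("<not in inventory>", criticality=5, internet_facing=True)

# Step 3: results of the first scan (constructed).
SCAN_1 = [
    Finding("web-01", "VULN-0001", 9.8),
    Finding("db-01",  "VULN-0002", 7.5),
    Finding("dev-vm", "VULN-0001", 9.8),
    Finding("db-01",  "VULN-0003", 5.3),
]

# Rescan after the remediation sprint (constructed).  Two findings were fixed,
# two remain, one new finding appeared, and a host nobody registered showed up.
SCAN_2 = [
    Finding("db-01",  "VULN-0003", 5.3),
    Finding("dev-vm", "VULN-0001", 9.8),
    Finding("web-01", "VULN-0004", 6.1),
    Finding("lab-99", "VULN-0001", 9.8),
]


def priority(asset: Asset, finding: Finding) -> float:
    """Step 2: raw CVSS alone ranks dev-vm and web-01 equally; weighting by asset
    criticality and exposure is what turns a scan into a work queue.  The 1.5x
    exposure factor is an assumed tuning value, not a standard."""
    score = finding.cvss * asset.criticality
    if asset.internet_facing:
        score *= 1.5
    return round(score, 1)


def unknown_hosts(assets: dict, findings: list) -> set:
    """Step 1 feedback loop: hosts the scanner found but the register does not list."""
    return {f.host for f in findings if f.host not in assets}


def prioritize(assets: dict, findings: list) -> list:
    """Highest-priority findings first; unknown hosts are scored as worst case."""
    return sorted(findings,
                  key=lambda f: priority(assets.get(f.host, UNKNOWN_ASSET), f),
                  reverse=True)


def verify_remediation(before: list, after: list):
    """Step 6: a finding counts as fixed only if the rescan no longer reports
    the same (host, vuln_id) pair.  Returns (fixed, still_open, new)."""
    b = {(f.host, f.vuln_id) for f in before}
    a = {(f.host, f.vuln_id) for f in after}
    return b - a, b & a, a - b


def report(assets: dict, findings: list) -> list:
    """Step 4: one line per finding, in the order the remediation team should work."""
    return [f"{priority(assets.get(f.host, UNKNOWN_ASSET), f):5.1f}  {f.host:7} {f.vuln_id}"
            for f in prioritize(assets, findings)]


if __name__ == "__main__":
    print("\n".join(report(ASSETS, SCAN_1)))
    fixed, still_open, new = verify_remediation(SCAN_1, SCAN_2)
    print("fixed:", sorted(fixed))
    print("still open:", sorted(still_open))
    print("new:", sorted(new))
    print("not in inventory:", sorted(unknown_hosts(ASSETS, SCAN_2)))
```

Step 7 ("repeat") is where the unregistered host matters: lab-99 goes back into step 1 as an inventory gap, and until it has an owner it is scored as if it were critical and internet-facing, which puts it at the top of the second work queue.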

This practice generally refers to 'software vulnerabilities' in computing systems.

Ref: Vulnerability

Additional note on 'vulnerability':

Some common attacks are: social engineering, spear phishing, malware, RATs, DDoS, and vulnerability exploits (e.g. SQL injection and 0-days).

A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. RATs are usually downloaded invisibly with a user-requested program, such as a game, or sent as an email attachment. A RAT is capable of deleting, downloading or altering files and file systems.

Motives behind a security breach: 
- Fame
- Political
- Terrorism
- Financial
- Espionage
- Reputation Damage

2. Zero-day vulnerability

A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to those who should be interested in mitigating the vulnerability (including the vendor of the target software). Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network. An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack.

The term "zero-day" originally referred to the number of days since a new piece of software was released to the public, so "zero-day" software was software that had been obtained by hacking into a developer's computer before release. Eventually the term was applied to the vulnerabilities that allowed this hacking, and to the number of days that the vendor has had to fix them. Once the vendor learns of the vulnerability, the vendor will usually create patches or advise workarounds to mitigate it.

The more recently that the vendor has become aware of the vulnerability, the more likely that no fix or mitigation has been developed. Even after a fix is developed, the fewer the days since then, the higher the probability that an attack against the afflicted software will be successful, because not every user of that software will have applied the fix. For zero-day exploits, unless the vulnerability is inadvertently fixed, e.g. by an unrelated update that happens to fix the vulnerability, the probability that a user has applied a vendor-supplied patch that fixes the problem is zero, so the exploit would remain available. Zero-day attacks are a severe threat.

Ref: Zero-day vulnerability

3. Threat 

In computer security, a threat is a potential negative action or event facilitated by a vulnerability that results in an unwanted impact to a computer system or application.

A threat can be either an "intentional" negative event (e.g. hacking by an individual cracker or a criminal organization) or an "accidental" negative event (e.g. the possibility of a computer malfunctioning, or of a natural disaster such as an earthquake, a fire, or a tornado), or more generally any circumstance, capability, action, or event that could cause such an impact.

Ref: Threat

4. Threat agents or actors

The term Threat Agent is used to indicate an individual or group that can manifest a threat. It is fundamental to identify who would want to exploit the assets of a company, and how they might use them against the company.

Individuals within a threat population: practically anyone and anything can, under the right circumstances, be a threat agent – the well-intentioned but inept computer operator who trashes a daily batch job by typing the wrong command, the regulator performing an audit, or the squirrel that chews through a data cable.

Threat agents can take one or more of the following actions against an asset:

- Access – simple unauthorized access

- Misuse – unauthorized use of assets (e.g., identity theft, setting up a porn distribution service on a compromised server, etc.)

- Disclose – the threat agent illicitly discloses sensitive information

- Modify – unauthorized changes to an asset

- Deny access – includes destruction, theft of a non-data asset, etc.

OWASP maintains a list of potential threat agents to help system designers and programmers avoid inserting vulnerabilities into software.

These individuals and groups can be classified as follows:

- Non-Target Specific: Non-Target Specific Threat Agents are computer viruses, worms, trojans and logic bombs.

- Employees: Staff, contractors, operational/maintenance personnel, or security guards who are annoyed with the company.

- Organized Crime and Criminals: Criminals target information that is of value to them, such as bank accounts, credit cards or intellectual property that can be converted into money. Criminals will often make use of insiders to help them.

- Corporations: Corporations are engaged in offensive information warfare or competitive intelligence. Partners and competitors come under this category.

- Human, Unintentional: Accidents, carelessness.

- Human, Intentional: Insider, outsider.

- Natural: Flood, fire, lightning, meteor, earthquakes.

5. Risk

In simple terms, risk is the possibility of something bad happening. Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environment), often focusing on negative, undesirable consequences. Many different definitions have been proposed. The international standard definition of risk for common understanding in different applications is “effect of uncertainty on objectives”.

The understanding of risk, the methods of assessment and management, the descriptions of risk and even the definitions of risk differ between practice areas (business, economics, environment, finance, information technology, health, insurance, safety, security, etc.).

Risk (in the information security domain) = Likelihood * Impact = Frequency * Severity

Ref: Risk

When dealing with vulnerability and risk, three registers one should know are:

1. Asset register: the list of assets.

2. Threat register: the threats associated with each asset.

3. Vulnerability register: the vulnerabilities associated with each asset.
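How the three registers combine into a risk register, as an added example (not code from the original post). It joins assets, threats and vulnerabilities and applies Risk = Likelihood * Impact on a 1..5 ordinal scale, then shows the residual risk once a verified countermeasure lowers likelihood. The register entries, the 1..5 scores, the rating bands and the control_effect values are all constructed assumptions.

```python
"""Risk register worked example, added here as an illustration (not code from
the original post).  It joins the three registers named above -- asset, threat
and vulnerability -- and scores each pairing with Risk = Likelihood x Impact on
a 1..5 ordinal scale, then shows the residual risk once a verified countermeasure
lowers likelihood.  All register entries and control effects are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    asset_id: str
    name: str
    impact: int            # 1..5: business impact if confidentiality/integrity/availability is lost


@dataclass(frozen=True)
class Threat:
    threat_id: str
    asset_id: str          # the asset this threat is registered against
    description: str
    likelihood: int        # 1..5: estimated chance the threat acts on the asset in a year


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    asset_id: str
    threat_id: str         # the threat that can exploit this weakness
    description: str
    control: Optional[str] = None   # verified countermeasure, if any
    control_effect: int = 0         # likelihood levels the control removes (assumed values)


ASSET_REGISTER = [
    Asset("A1", "Customer database", impact=5),
    Asset("A2", "Public web server", impact=3),
    Asset("A3", "Office printer", impact=1),
]
THREAT_REGISTER = [
    Threat("T1", "A1", "Organised crime after payment data", likelihood=4),
    Threat("T2", "A2", "Opportunistic botnet scanning", likelihood=5),
    Threat("T3", "A1", "Flood at the primary data centre", likelihood=1),
    Threat("T4", "A3", "Disgruntled employee", likelihood=2),   # no vulnerability mapped
]
VULN_REGISTER = [
    Vulnerability("V1", "A1", "T1", "SQL injection in the order form"),
    Vulnerability("V2", "A2", "T2", "Unpatched web framework",
                  control="weekly patch cycle, verified by rescan", control_effect=2),
    Vulnerability("V3", "A1", "T3", "No off-site backups"),
]


def rating(score: int) -> str:
    """Map a 1..25 product onto the usual four-band qualitative scale (assumed bands)."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 16:
        return "High"
    return "Critical"


def risk_register(assets, threats, vulns) -> list:
    """One risk row per vulnerability: a threat with no weakness to act through
    (T4 here) produces no risk, matching the definition of threat above."""
    asset_by_id = {a.asset_id: a for a in assets}
    threat_by_id = {t.threat_id: t for t in threats}
    rows = []
    for v in vulns:
        asset, threat = asset_by_id[v.asset_id], threat_by_id[v.threat_id]
        inherent = threat.likelihood * asset.impact
        residual_likelihood = max(1, threat.likelihood - v.control_effect)
        residual = residual_likelihood * asset.impact
        rows.append({
            "vuln_id": v.vuln_id, "asset": asset.name, "threat_id": threat.threat_id,
            "inherent": inherent, "residual": residual,
            "rating": rating(residual), "control": v.control,
        })
    # work the highest residual risk first; break ties on inherent risk
    return sorted(rows, key=lambda r: (r["residual"], r["inherent"]), reverse=True)


def above_appetite(rows: list, appetite: int) -> list:
    """Risks that still exceed the accepted threshold and therefore need
    treatment rather than acceptance."""
    return [r for r in rows if r["residual"] > appetite]


if __name__ == "__main__":
    register = risk_register(ASSET_REGISTER, THREAT_REGISTER, VULN_REGISTER)
    for r in register:
        print(f'{r["vuln_id"]} {r["asset"]:18} inherent={r["inherent"]:2} '
              f'residual={r["residual"]:2} {r["rating"]:8} control={r["control"]}')
    print("needs treatment:", [r["vuln_id"] for r in above_appetite(register, 9)])
```

Two points the formula alone does not make obvious: the threat register entry T4 yields no risk row because no vulnerability gives it a path to the asset, and the countermeasure on V2 changes the rating from High to Medium without touching the inherent score, so both numbers should be kept in the register.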

6. Exposure

An exposure is defined by MITRE's CVE Terminology as a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network. An exposure:

- Allows an attacker to conduct information gathering activities.

- Allows an attacker to hide activities.

- Includes a capability that behaves as expected, but can be easily compromised.

- Is a primary point of entry that an attacker may attempt to use to gain access to the system or data.

- Is considered a problem according to some reasonable security policy.

Revisiting a few definitions:

- A threat is a potential cause of an unwanted impact to a system or organization (ISO 13335-1). The weaknesses a threat acts through fall into two categories: vulnerabilities and exposures.

- A vulnerability, according to MITRE's CVE Terminology, is a mistake in software that can be used by a hacker to gain access to a system. A vulnerability:

  - Allows an attacker to execute commands as another user.

  - Allows an attacker to access data that is contrary to the specified access restrictions for that data.

  - Allows an attacker to pose as another entity.

  - Allows an attacker to conduct a denial of service.

- A risk, according to the ISO 31000 definition, is the effect of uncertainty upon objectives, where an effect is a deviation from the expected, positive or negative. ISO 31000 notes that risk can be regarded in terms of:

  - Likelihood of an event occurring.

  - Impact of the event if it occurs.

7. Countermeasure

In computer security a countermeasure is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.

This definition is from IETF RFC 2828 and is the same as the one in CNSS Instruction No. 4009 (26 April 2010) of the Committee on National Security Systems of the United States of America.

According to the InfosecToday glossary, a countermeasure is:

"The deployment of a set of security services to protect against a security threat."

A synonym is security control. In telecommunications, communication countermeasures are defined as security services as part of the OSI Reference Model by ITU-T Recommendation X.800. X.800 and ISO 7498-2 (Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture) are technically aligned.

The following diagram shows the relationships between these concepts and terms:

    + - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+
    | An Attack:              |  |Counter- |  | A System Resource:   |
    | i.e., A Threat Action   |  | measure |  | Target of the Attack |
    | +----------+            |  |         |  | +-----------------+  |
    | | Attacker |<==================||<=========                 |  |
    | |   i.e.,  |   Passive  |  |         |  | |  Vulnerability  |  |
    | | A Threat |<=================>||<========>                 |  |
    | |  Agent   |  or Active |  |         |  | +-------|||-------+  |
    | +----------+   Attack   |  |         |  |         VVV          |
    |                         |  |         |  | Threat Consequences  |
    + - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+

A resource (physical or logical) can have one or more vulnerabilities that can be exploited by a threat agent in a threat action. The result can potentially compromise the confidentiality, integrity or availability of resources (potentially different from the vulnerable one) belonging to the organization and other involved parties (customers, suppliers). The so-called CIA triad is the basis of information security.

An attack is active when it attempts to alter system resources or affect their operation, so it compromises integrity or availability. A passive attack attempts to learn or make use of information from the system but does not affect system resources, so it compromises confidentiality.

A threat is a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger enabling the exploitation of a vulnerability. A threat can be either "intentional" (i.e., intelligent; e.g., an individual cracker or a criminal organization) or "accidental" (e.g., the possibility of a computer malfunctioning, or the possibility of an "act of God" such as an earthquake, a fire, or a tornado).

A set of policies concerned with information security management, the information security management system (ISMS), has been developed to manage the countermeasures according to risk management principles, in order to carry out a security strategy set up following the rules and regulations applicable in a country.

Ref: Countermeasure

8. Four strategies to deal with risk

8.1. Accepting the risk

8.2. Mitigating the risk

8.3. Avoiding the risk / Preventing the risk

8.4. Transferring the risk

Tags: Technology, Cyber Security
