1.1 Threat, risk, vulnerability, impact _ KEATS

1.1 Threats, Risks, Vulnerabilities, Impact

• Site: KEATS

• Course: 7CCSMSEM Security Management (24~25 SEM1 000001)

• Book: 1.1 Threat, risk, vulnerability, impact

• Printed by: Victor Nabasu

• Date: Wednesday, 1 January 2025, 6:16 AM

Table of Contents

1. Where do threats come from?

2. Key definitions

3. An example

1. Where Do Threats Come From?

• Understanding threats involves considering security decisions and analyzing potential targets.

• Factors to Consider:

  • Who may want to attack?

  • For what purpose?

• Types of Threats:

  • Hackers:

    • Example: Albert Gonzalez, leader of a hacking group, stole 40 million credit cards.

    • Consequence: 20 years imprisonment, forfeited $1.65 million in assets.

  • Insider Threat:

    • Example: James Stevenson, an employee at Sainsbury’s, jailed for fraudulent activities regarding customer points.

Viruses and Trojans

• Virus Example: Stuxnet

  • Targets programmable logic controllers (PLCs) affecting industrial processes.

  • Significant impact on Iran's nuclear program, damaging about 20% of centrifuges.

• Phishing and Social Engineering:

  • Example: Google Docs phishing campaign targeting a million users with a deceptive link.

  • Quick response from Google limited widespread damage.

2. Key Definitions

• Threat Agent:

  • An entity capable of causing a threat; can be internal or external.

• Threat:

  • A potential cause of an incident that could harm a system/organization (ISO 27002).

  • Includes categories like malware, rootkits, and natural disasters.

• Vulnerability:

  • A weakness in an asset or group of assets that can be exploited (ISO 27002).

  • Examples: procedural flaws, software weaknesses.

• Risk:

  • The likelihood of a threat exploiting vulnerabilities, resulting in harm (ISO 27002).

• Impact:

  • The result of a risk materializing due to a threat; examines the cost of exploitation (ISO 27005).

• Safeguard:

  • Also called risk treatment actions; measures to mitigate/transfer/remove threats.

3. An Example

• Basic Example: Weather-related Threat

  • Threat: Rain

  • Vulnerability: Not having an umbrella

  • Risk: Likelihood of rain affecting the asset (haircut/shoes)

  • In September, expect approx. 15 rainy days, indicating risk level.

  • Impact:

    • Minor impact: Getting wet (acceptable risk).

    • Major impact: Missing a job interview due to being too wet (risk must be mitigated).

• Analyze response measures if risks materialize; focus on the relation between threats, vulnerabilities, risks, and impacts.