VN

1.1 Threat, risk, vulnerability, impact _ KEATS

1.1 Threats, Risks, Vulnerabilities, Impact

  • Site: KEATS

  • Course: 7CCSMSEM Security Management (24~25 SEM1 000001)

  • Book: 1.1 Threat, risk, vulnerability, impact

  • Printed by: Victor Nabasu

  • Date: Wednesday, 1 January 2025, 6:16 AM

Table of Contents

  1. Where do threats come from?

  2. Key definitions

  3. An example

1. Where Do Threats Come From?

  • Understanding threats involves considering security decisions and analyzing potential targets.

  • Factors to Consider:

    • Who may want to attack?

    • For what purpose?

  • Types of Threats:

    • Hackers:

      • Example: Albert Gonzalez, leader of a hacking group, stole 40 million credit cards.

      • Consequence: 20 years imprisonment, forfeited $1.65 million in assets.

    • Insider Threat:

      • Example: James Stevenson, an employee at Sainsbury’s, jailed for fraudulent activities regarding customer points.

Viruses and Trojans

  • Virus Example: Stuxnet

    • Targets programmable logic controllers (PLCs) affecting industrial processes.

    • Significant impact on Iran's nuclear program, damaging about 20% of centrifuges.

  • Phishing and Social Engineering:

    • Example: Google Docs phishing campaign targeting a million users with a deceptive link.

    • Quick response from Google limited widespread damage.

2. Key Definitions

  • Threat Agent:

    • An entity capable of causing a threat; can be internal or external.

  • Threat:

    • A potential cause of an incident that could harm a system/organization (ISO 27002).

    • Includes categories like malware, rootkits, and natural disasters.

  • Vulnerability:

    • A weakness in an asset or group of assets that can be exploited (ISO 27002).

    • Examples: procedural flaws, software weaknesses.

  • Risk:

    • The likelihood of a threat exploiting vulnerabilities, resulting in harm (ISO 27002).

  • Impact:

    • The result of a risk materializing due to a threat; examines the cost of exploitation (ISO 27005).

  • Safeguard:

    • Also called risk treatment actions; measures to mitigate/transfer/remove threats.

3. An Example

  • Basic Example: Weather-related Threat

    • Threat: Rain

    • Vulnerability: Not having an umbrella

    • Risk: Likelihood of rain affecting the asset (haircut/shoes)

    • In September, expect approx. 15 rainy days, indicating risk level.

    • Impact:

      • Minor impact: Getting wet (acceptable risk).

      • Major impact: Missing a job interview due to being too wet (risk must be mitigated).

  • Analyze response measures if risks materialize; focus on the relation between threats, vulnerabilities, risks, and impacts.