Threats and Vulnerabilities

In the risk management process we have to identify the threats and vulnerabilities of our organization in order to find out which of them can potentially impact the business. Once we know the threats and vulnerabilities, we have to treat the resulting risks, which means avoiding them, mitigating them, transferring them or retaining them. Finally, we have to communicate the risks to stakeholders and senior management, and monitor them so that they do not exceed the accepted level of risk.

A threat is any event or circumstance that has the potential to cause damage to an information resource, and it does so by exploiting a vulnerability in our systems, in our design or in our infrastructure. In short, vulnerabilities give rise to threats when they are exploited.

Threats are typically grouped into four categories:
  • Natural: tornadoes, hail damage, earthquakes, biological plagues, fire, flood, etc.
  • Unintentional: accidents such as the loss of utility services, equipment failure, damage to a building, unintentional water damage, unintentional fire damage, etc.
  • Intentional physical threats: terrorist acts, a bomb, vandalism, etc.
  • Intentional non-physical threats: injecting malicious code or malware into our systems, email phishing attacks, a denial of service attack (for example against our perimeter routers), fraud, corporate espionage, malicious hacking, identity theft, social engineering, etc.
Once we have identified the threats, we need to look for the underlying vulnerabilities in our systems using scanning technologies, a job that should be done by expert teams. However, process vulnerability analysis is a tougher task than technical vulnerability analysis, and process weaknesses may need a more careful examination to uncover; a periodic audit, for example, is a valuable tool for identifying process vulnerabilities. Some examples of vulnerabilities:
  • Bad software: poorly written code without security mechanisms built into it.
  • Misconfiguration: bad configurations on servers or networking devices such as routers, or configuration stored on other servers without cryptographic protection such as encrypted configuration files.
  • Non-compliance: for example, non-compliance with government regulations such as LOPD, LSSI, etc.
  • Poor network design: for example, a switched network using VLANs is a more secure environment than a flat network without Virtual LANs, which is vulnerable to packet sniffing.
  • Defective processes: for example, the process for firing or terminating an employee can have a defective flow that allows the employee to cause problems for the company before leaving the facility, or to connect remotely to the organization after being fired.
  • Poor management, insufficient staff, lack of end user support, inadequate security functionality, etc.
These are some of the threats and vulnerabilities that we can find in our organization, and identifying them is an important step in knowing and controlling the risks that can seriously impact the business. Therefore, if you want to manage the risk of your business properly, you should know which threats and vulnerabilities can destroy it.

Best regards, my friend, and remember: measure, control and manage your risks.