The keystone of any information security risk program is cybersecurity risk analysis. Professionals in the field must understand both their own technology environments and the external threats that jeopardize the security of their information.
A solid cybersecurity risk assessment combines information about internal and external factors to help professionals recognize the threats facing their organization and then implement appropriate controls to reduce the resulting risk.
Before diving into the world of risk assessment, we must begin with the common vocabulary. You must know three important terms to communicate clearly with other cybersecurity analysts: vulnerabilities, threats, and risks.
A vulnerability is a weakness in a system, device, application, or process that might allow an attack to take place. Vulnerabilities are factors that cybersecurity professionals can control. For example, a web server running an outdated version of the Apache HTTP Server may contain a vulnerability that would allow an attacker to conduct a denial-of-service (DoS) attack against the websites hosted on that server, jeopardizing their
Top cybersecurity vulnerabilities
Some cybersecurity vulnerabilities are targeted by attackers more often than others. Below is a list of the top security vulnerabilities that cause the most harm to organizations:
Substandard backup and recovery
Weak authentication management
Poor network monitoring
End-user errors and/or misuse
Inadequate endpoint security
A threat is an outside force (a person, a competitor, a nation-state, or even a natural event) that may exploit a vulnerability.
For example, a hacker who would like to perform a DoS attack against a website and knows about an Apache vulnerability poses a cybersecurity threat. Though many threats are malicious in nature, this is not always the case. For example, a hurricane may also disrupt the availability of a website by damaging the datacenter that houses the web servers. In most cases, cybersecurity professionals cannot do much to eliminate a threat, but they can take precautionary measures to reduce the likelihood that it succeeds and have procedures in place to respond when it does.
A risk is the combination of a threat and a vulnerability. Both factors must be present before a situation poses a risk to the security of an organization. For example, if a hacker targets an organization's web server with a DoS attack but the server has been patched so that it is not vulnerable to that attack, there is no risk: a threat is present (the hacker), but there is no vulnerability. Similarly, a datacenter may be vulnerable to hurricanes but be located in a region of the world where hurricanes rarely occur; the vulnerability exists, but there is little to no threat at that location, so the risk is low.
The relationship between risks, threats, and vulnerabilities is an important one, and it is often represented by this equation:
Thank you for reading. Let's continue to enhance our security mindfulness.
Chapple, M., & Seidl, D. (2017). Cybersecurity Objectives. In CompTIA CSA+ Study Guide (pp. 66-68). Hoboken, NJ: John Wiley & Sons.