Risk: Key terms

Now you're going to explore some key terms. These are essential concepts for understanding cyber security principles. 

• A vulnerability (weakness) in a system can be used to create an incident (an event with negative security consequences). For example, a vulnerability in a firewall that lets hackers get into a computer network. Or a physical vulnerability could be an unlocked door to an office. 
• The way the vulnerability is used is called the exploit. The exploit is often a piece of software (exploit code) designed to compromise the system, but it could also be an action, or sequence of actions carried out by a person. Examples of exploit code include SQL Injection, cross-site scripting, and broken authentication. Examples of an exploit action would be phishing. 
• The potential for an exploit to happen is known as a threat.

The threat is carried-out by a threat agent. If the threat agent is a person (or group of people), the term used is threat actor(s). When the threat agent is not human, e.g., a hurricane or earthquake, the term hazard is often used. In the video, Agent Smith: Information risk management, you saw that Agent Smith is a threat actor, he’s likely one of a group of threat actors.

Threat categories

An external threat actor or agent is one that has no account or authorised access to the target system. A malicious external threat must infiltrate the security system using malware and/or social engineering. The path or tool used by a malicious threat actor can be referred to as the attack vector. Note:  An external actor may perpetrate an attack remotely or on-premises (by breaking into the company's headquarters, for instance). It is the threat actor that is defined as external, rather than the attack method.

Conversely, an internal (or insider) threat actor is one that has been granted permissions on the system. This typically means an employee, but insider threat can also arise from contractors and business partners.

Multiparty risk

Multiparty risk is where an adverse event impacts multiple organisations. Multiparty risk usually arises from supplier relationships. If a critical event disrupts a supplier or customer, then your own organisation will suffer. These are often described as ripple impacts. For example, if one of your top five customers goes out of business because of a data breach, your company will lose substantial revenue. Organisations in these supply chain relationships have an interest in promoting cyber security awareness and capability throughout the chain.

As an illustration of how risk assessments can change in view of multiparty relationship, consider a company that makes wireless adapters, originally for use with laptops. In the original usage, the security of the firmware upgrade process is important, but it has no impact on life or safety. The company, however, earns a new contract to supply the adapters to provide connectivity for in-vehicle electronics systems. Unknown to the company, a weakness in the design of the in-vehicle system allows an adversary to use compromised wireless adapter firmware to affect the car's control systems. The integrity of the upgrade process now has an impact on safety and is much higher risk.

Threat source

A threat source is the origin of the threat, such as a country, an organisation, for example a foreign intelligence group or terrorist cell, or an individual. This is the entity that wants to breach security and benefit from the outcome. As you’ve seen, a threat actor is a specific person, or group of people, who carry out an attack. For example, a hacker is a threat actor and the crime organisation they represent is the threat source. In some situations, the threat actor and the threat source are the same.

Threats must be credible

A threat must be realistic and should have occurred somewhere before. So, an alien invasion isn’t really a threat. However, if a building is located next to a flood plain, then it could easily be impacted by a flood. Threats need to be understood and credible to be worth considering. As well as being categorised as external or internal, threats can be grouped as accidental or deliberate. An example of an external-accidental threat might be a telecoms engineer digging to locate some cables, accidentally cutting through the power supply. If there’s no backup power generator for the data centre, the business will go offline.

Vulnerabilities

Information risk is determined as the likelihood that a threat will exploit a vulnerability, leading to a business impact. The risk depends on the likelihood of the weakness being exploited. A vulnerability is therefore a weakness that could either be in an IT system, its associated procedures or processes, or even a flaw in physical security controls. Vulnerabilities can be categorised as general or information specific.

Some examples of general vulnerabilities are as follows:

• Lack of physical controls, such as adequate locks or security guards for entry to a building
• Lack of pre-employment checking when a new employee starts work. This check can establish whether they can be trusted
• Generally, vulnerabilities occur when there is a LACK of something

Some examples of information specific vulnerabilities are as follows:

• Running a computer system with software that hasn’t been updated recently and doesn’t have the latest patches
• Having a website with a poorly configured firewall. The website could be defaced by a hacktivist group, such as Anonymous
• Running a PC at home without up-to-date anti-virus software. You are exposed to a virus that takes hold on your home network and corrupts your personal accounts

It’s worth noting that vulnerabilities are not static, rather they are constantly changing and evolving. Just because you’re up to date with patches today, does not mean that a new bug in your operating system won’t be discovered tomorrow, therefore leaving you again exposed to hackers.

If you want to see some of the high-profile vulnerabilities that have been discovered recently, use Google to look up the SSL bug known as 'Heartbleed'.  The Heartbleed bug is a vulnerability in open-source software that was first discovered in 2014. Anyone with an Internet connection can exploit this bug, which reads the memory of vulnerable systems, without leaving evidence of a compromised system.

Summary

So, having looked again at risk in a more general sense, you have now also encountered some key terms in cyber protection. You’ve seen that a threat actor/hazard carries out the threat by using an exploit which takes advantage of a vulnerability in the system. You saw an example of this when Agent Smith (threat actor) spotted an unattended computer still logged-in (vulnerability) and executed the exploit of infiltrating the system (by assuming Tanner Holmes' identity). 

Take the time to familiarise yourself with these terms. You will be encountering them over and over again as they make up some of the fundamentals of cyber security and information assurance.

What’s next?

Before you start to look at threat management, you’ll consider business impact and the risk management model.