King Abdul Aziz University
Course: CS 410
Subject: Information Systems
Date: Dec 21, 2024
Pages: 5
Uploaded by DukeRook4784
Why We Care About Vulnerabilities

Security Analysts are responsible for the Prevention, Detection, and Response to security challenges.

- Attack Vector - any path that an attacker can take to gain unauthorized access to a network or computer; it can be through
- Attack Surface - the sum of all of the attack vectors.
- Vulnerability - any weakness in a security system.
- Exploit - an attack on a computer system that takes advantage of a particular vulnerability.

To best address the prevention effort, we must reduce the attack surface by addressing potential vulnerabilities.

Vulnerabilities are EVERYWHERE and are ACTIVELY EXPLOITED.

According to a 2019 study (Ponemon Institute) of over 3000 IT professionals:
- 60% of data breaches occurred because a patch for a known vulnerability was not applied
- 62% of respondents were unaware that they were vulnerable prior to the breach

The window of time to patch a vulnerability is decreasing. According to a 2020 Threat Intelligence report by FireEye, an industry leader in cybersecurity, the average time between the disclosure of a vulnerability and the availability of a patch is approximately 9 days.
Business Stakeholders

Although information security practices affect everyone in an organization, topics related to vulnerability and risk mostly concern the following stakeholder profiles:

Security Analyst - is responsible for protecting the organization by detecting, preventing, and responding to potential security challenges
- will typically own and administer vulnerability and risk assessment activities

IT Manager - ensures that network and information systems meet the established Service Level Agreements (SLAs) and any other contractual obligations. Also concerned with risks to the overall business as they relate to maintaining operations.
- will be the primary target for vulnerability and risk assessment reports
- manages the remediation efforts and resources

IT Administrator - mostly deals with the operation, configuration, and maintenance of computer systems.
- may participate in the logistical planning of vulnerability assessments
- will likely execute the remediation efforts

Other stakeholders:

C-Suite - the executive-level managers of a company, denoted with a "Chief" in the title
- are primarily concerned with the business risk associated with vulnerabilities to the security program and with the cost of mitigation/remediation efforts
- will likely approve or deny budgetary requests

Vendors - a service provider or seller of goods and services
- may support applications that require patching/remediation
- may provide additional support for the prevention, detection, and recovery efforts

Auditor - a person or firm, often certified, that performs compliance auditing functions
- may review vulnerability and risk assessment reports as they pertain to regulatory compliance
Threat Assessment vs. Vulnerability Assessment

- Vulnerability - any weakness in a security system.
- Threat - anything that may intentionally or accidentally exploit a vulnerability in order to obtain, damage, or destroy the asset.
- Asset - the resource that we are securing: property, information, and people.
- Risk - the potential for loss due to a threat exploiting a vulnerability.

Assets + (Vulnerability x Threat) = Risk

Vulnerability Assessment - identifying and prioritizing vulnerabilities within an organization
- Computer and system vulnerabilities are usually determined with automated tools and with various levels of starting knowledge about a network
- Considered a test of "how we are doing" against known vulnerabilities
- Often quantified by:
  - severity - the potential for loss vs the resources required to exploit
  - exposure - the probability of exploitation leading to further compromise

Threat Assessment - identifying the source, credibility, and probability of a threat
- Attempts to explore risks based on the threat actor/adversary, their tactics and procedures, and a measure of the organization's susceptibility to the threat
- Threats can be graded according to motivation and capability
  - An insider threat, such as an untrained staff member, may have low motivation but high damage capability
  - A computer hacker may have high motivation and high capability
- Threats can be characterized as Human (e.g. hackers, theft, non-technical, accidental) or Non-Human (e.g. flood, fire, electrical, or computer virus)

Risk Assessment - identifying and quantifying potential negative impact and/or loss
- Involves valuation of assets and examines costs associated with threats and vulnerabilities
- Used to determine regulatory compliance issues pertaining to specific data types
- Typically includes a response to identified threats and vulnerabilities, which may include remediation or mitigation efforts
- A balancing act between the cost of prevention vs the value of the asset

Glossary

Asset - The resource that we are securing; defined as a company's property, information, and people.
Attack Surface - The sum of all attack vectors.
Attack Vector - Any path that an attacker can take to gain unauthorized access to a network or computer.
Auditor - A person or firm, often certified, that performs compliance auditing functions.
C-Suite - The executive-level managers of a company, denoted with a "Chief" in the title, primarily concerned with the business risk associated with vulnerabilities to the security program and with the cost of mitigation/remediation efforts.
Exploit - An attack on a computer system that takes advantage of a particular vulnerability.
IT Administrator - Stakeholder who primarily handles the operation, configuration, and maintenance of computer systems; may participate in the planning of vulnerability assessments; and will most likely execute the remediation effort.
IT Manager - Stakeholder who is primarily concerned with risks to the overall business as they relate to maintaining operations; the primary target for vulnerability and risk assessment reports; manages the remediation efforts and resources.
Kali Linux - A Debian-based Linux distribution designed for vulnerability assessment and penetration testing.
Risk - The potential for loss due to a threat exploiting a vulnerability.
Security Analyst - Stakeholder who will typically own and administer the vulnerability and risk assessment activities.
Threat - Anything that may intentionally or accidentally exploit a vulnerability in order to obtain, damage, or destroy the asset.
Vendor - A service provider or seller of goods and services.
Vulnerability - Any weakness in a security system.
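To show how the assessment section's risk model turns into a prioritized remediation list, here is an added worked example (not part of the original notes). It scores a few constructed findings with the notes' formula Assets + (Vulnerability x Threat) = Risk, quantifies Vulnerability from severity (potential loss weighed against the resources required to exploit) and exposure (probability of further compromise), grades Threat by motivation and capability, and applies the cost-of-prevention vs asset-value balancing act as a remediate/mitigate recommendation. The 1-5 and 0-1 scales, the severity ratio, the product forms and the decision rule are assumptions chosen for illustration, and the register entries are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding from a constructed risk register (sample data)."""
    name: str
    asset_value: float       # valuation of the asset at risk, 1-5 (assumed scale)
    potential_loss: float    # potential for loss if exploited, 1-5 (assumed scale)
    exploit_effort: float    # resources an attacker must spend to exploit, 1-5
    exposure: float          # probability exploitation leads to further compromise, 0-1
    motivation: float        # threat grading: motivation, 1-5
    capability: float        # threat grading: capability, 1-5
    remediation_cost: float  # cost of prevention, same scale as asset_value


def severity(f: Finding) -> float:
    """Severity as the notes define it: potential loss weighed against the
    resources required to exploit (modelled here as a ratio; an assumption)."""
    if f.exploit_effort <= 0:
        raise ValueError("exploit_effort must be positive")
    return f.potential_loss / f.exploit_effort


def vulnerability_score(f: Finding) -> float:
    """Vulnerability = severity x exposure (product form is an assumption)."""
    return severity(f) * f.exposure


def threat_score(f: Finding) -> float:
    """Threat graded by motivation and capability (product form is an assumption)."""
    return f.motivation * f.capability


def risk_score(f: Finding) -> float:
    """The notes' formula: Assets + (Vulnerability x Threat) = Risk."""
    return f.asset_value + vulnerability_score(f) * threat_score(f)


def recommend(f: Finding) -> str:
    """Balancing act: remediate when the asset is worth at least what prevention
    costs, otherwise mitigate (illustrative rule, not taken from the notes)."""
    return "remediate" if f.remediation_cost <= f.asset_value else "mitigate"


# Constructed sample register (not real findings).
FINDINGS: List[Finding] = [
    Finding("Internet-facing web server, known vuln, patch not applied",
            asset_value=4, potential_loss=5, exploit_effort=1, exposure=0.9,
            motivation=5, capability=4, remediation_cost=1),
    Finding("Untrained staff member with admin rights (insider threat)",
            asset_value=5, potential_loss=4, exploit_effort=2, exposure=0.5,
            motivation=1, capability=5, remediation_cost=2),
    Finding("Legacy kiosk on an isolated network segment",
            asset_value=1, potential_loss=2, exploit_effort=4, exposure=0.1,
            motivation=3, capability=3, remediation_cost=3),
]


def ranked_report(findings: List[Finding] = FINDINGS) -> List[Tuple[str, float, str]]:
    """Prioritized list of (name, risk score, recommendation), highest risk first."""
    ordered = sorted(findings, key=risk_score, reverse=True)
    return [(f.name, round(risk_score(f), 2), recommend(f)) for f in ordered]


if __name__ == "__main__":
    for name, score, action in ranked_report():
        print(f"{score:6.2f}  {action:9s}  {name}")
```

Running the block prints the register ordered by risk: the unpatched internet-facing server dominates because low exploit effort, high exposure and a motivated, capable threat multiply together, the insider case scores moderately because low motivation offsets high capability, and the isolated kiosk scores low and is flagged "mitigate" because fixing it costs more than the asset is worth. Swapping in an organization's own scales and register is the point of the exercise; the structure of the calculation stays the same.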
Further Reading

- "Costs and Consequences of Gaps in Vulnerability Response" - ServiceNow / Ponemon Institute
- "Think Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation — Intelligence for Vulnerability Management, Part Two" - FireEye Blog, Threat Research