Risk Analysis - Part 1

Asset

Asset identification is a crucial phase of the risk analysis process. Organizations would do well to focus first on asset identification for critical information systems.
An asset is anything that has value to an organization, including, but not limited to, another organization, a person, a computing device, an information technology (IT) system, an IT network, an IT circuit, software (both an installed instance and a physical instance), a virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards).

Vulnerability

A vulnerability is a weakness in an asset (resource) that could be exploited. Without an applicable vulnerability, threats cannot introduce risk.
Types of vulnerabilities:
To analyze vulnerabilities properly, it helps to recall that information systems typically (but not always) consist of information, processes, and people.
Information vulnerabilities:

  • Data at rest (stored data): stored data is given to unauthorized parties by an insider, thus compromising its confidentiality.
  • Data in transit: data is modified by an external actor who intercepts it on the network and then relays the altered version (known as a man-in-the-middle or MitM attack), thus compromising its integrity.
  • Data in use: data is deleted by a malicious process exploiting a “time-of-check to time-of-use” (TOC/TOU) or “race condition” vulnerability, thus compromising its availability.
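The TOC/TOU case from the data-in-use bullet, as an added example that is not part of the original text: a program checks a file in one system call and writes to it in a second one, and a process that acts in between redirects the write to a different file, so that file's contents are lost; the hardened form collapses the check and the use into a single open() call. The file names are constructed, and the other process is simulated with a hook so the race plays out deterministically.

```python
import os
import stat
import tempfile

def vulnerable_truncate(path, between_check_and_use=None):
    """Check-then-use: lstat() and open() are separate syscalls, so a change
    made in between is never seen. If `path` becomes a symlink, open() follows
    it and a different file gets truncated (the availability loss described)."""
    if not stat.S_ISREG(os.lstat(path).st_mode):
        raise PermissionError("refusing to write through a non-regular file")
    if between_check_and_use is not None:
        between_check_and_use()  # simulated interleaving of a malicious process
    with open(path, "w"):  # follows symlinks and truncates whatever they point to
        pass

def hardened_truncate(path, between_check_and_use=None):
    """Check and use are one syscall: O_NOFOLLOW makes the kernel refuse a
    symlink at open time, fstat() inspects the object actually opened, and the
    write goes through that same descriptor."""
    if between_check_and_use is not None:
        between_check_and_use()  # same window, but the open below is not fooled
    fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)  # OSError (ELOOP) on a symlink
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("opened object is not a regular file")
        os.ftruncate(fd, 0)
    finally:
        os.close(fd)

def demo(truncate_fn):
    """Constructed scenario: victim.txt holds data; the program only intends to
    truncate scratch.txt. Returns victim.txt's contents afterwards."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        scratch = os.path.join(d, "scratch.txt")
        with open(victim, "w") as f:
            f.write("important records")
        open(scratch, "w").close()

        def race_winner():  # the malicious process acting between check and use
            os.remove(scratch)
            os.symlink(victim, scratch)

        try:
            truncate_fn(scratch, race_winner)
        except OSError:
            pass  # the hardened version refuses the symlink; victim.txt is untouched
        with open(victim) as f:
            return f.read()
```

`demo(vulnerable_truncate)` returns an empty string (the victim's data is gone), while `demo(hardened_truncate)` returns the original contents.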

Process vulnerabilities:
Organizations implement standardized processes to ensure the consistency and efficiency of their services and products. These processes are also exposed to a specific attack called business process compromise (BPC), commonly aimed at the financial sector, in which transaction amounts or other parameters are changed to funnel money into the attackers’ pockets.

People vulnerabilities:
Many security experts consider humans the weakest link in the security chain. Three areas account for the bulk of the attacks:

  • Social engineering: getting a person to violate a security procedure or policy, usually through human interaction or e-mail/text messages.
  • Social networks: attackers can use social media directly (e.g., blackmail) or indirectly (e.g., composing an e-mail with a link the target is likely to click) to prey on people.
  • Passwords: weak passwords can be cracked in milliseconds using rainbow tables and are very susceptible to dictionary or brute-force attacks. Even strong passwords are vulnerable if they are reused across sites and systems.

Threat

A threat is any danger that can damage or steal data, create disruption, or cause harm.
ISO 27000 defines a threat as a “potential cause of an unwanted incident, which can harm a system or organization.”
Threat sources (threat agents) are what is behind a particular threat; every threat has one. When a threat involves one or more humans, we generally use the term threat actor (or threat agent).
Some kinds of threat sources:

  • Cybercriminals are the most common threat actors encountered by individuals and organizations. Most cybercriminals are motivated by greed, but some enjoy breaking things.
  • Nation-state actors (state actors) use advanced capabilities to compromise systems and establish a persistent presence that allows them to collect intelligence (e.g., sensitive data, intellectual property, etc.).
  • Hacktivists use cyberattacks to effect political or social change.
  • Internal actors are people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization’s security practices, data, and computer systems.
  • Nature, the nonhuman threat source (fire, hurricanes, etc.), can be as important as human actors.