There is a never-ending discussion about the terminology around Threat Modeling. In order to have control over data security issues that could potentially impact your business, it is crucial to understand the relationship between four key components: vulnerabilities, cyber threats, threat actors and risks.
This post explains the key differences between vulnerabilities; cyber threats; threat actors and risks within the context of IT security.
Vulnerabilities refer to weaknesses in a system. They make threat outcomes achievable and could sometimes be even more dangerous. A system can be exploited through a single vulnerability, for example, a single SQL Injection attack could give an attacker full control over sensitive data.
An attacker could also link various exploits together, taking advantage of more vulnerabilities to gain even more control. Examples of common vulnerabilities are SQL Injections, XML External Entity, Cross-site Scripting, LFI, server misconfigurations and more.
Cyber threats, or simply just threats, refer to cybersecurity occurrences or events that potentially cause harm by way of their outcome. Threats can become more dangerous because of a vulnerability in a system.
Common threats are:
- – Phishing attacks that result in attackers installing a trojan horse and stealing sensitive information from your applications.
- – An administrator accidentally leaving unprotected data on a production server causing a data breach.
- – DDoS attacks attempting to make your website unavailable by flooding it with unwanted traffic from multiple computers.
And many others…
A Cyber Threat is something negative, such as an accident or an attack that presents a danger to you and you want to be sure to avoid it.
Cybersecurity threats are accomplished by threat actors. They’re simply the entity, person, actor, or organization who initiates a threat. Examples of common threat actors include cybercriminals (usually financially motivated), politically motivated activists (hacktivists), competitors, disgruntled insiders, careless employees, and others…
Cyber threats are more dangerous when threat actors leverage several vulnerabilities to gain full access to a system, often including the operating system.
Risks are most commonly confused with threats, but they’re different in a significant way. A cybersecurity risk in everyday language is a chance of something bad happening combined with how bad it would be if it happens. Essentially, this refers to a combination of the probability of a threat and the impact/loss of that threat being exploited will have. The equation is:
risk = threat probability x impact
Therefore, a risk is a scenario that needs to be avoided combined with the likely impacts that result from that scenario. Here is a hypothetical example of how risks can be constructed:
Vulnerability – SQL Injection
Threat – Sensitive data theft enabled as a result of the SQL Injection
Threat actors – Financially driven cybercriminals that perform the SQL Injection
Impact – Theft of sensitive data causing financial and reputation loss
Threat probability – The probability of this attack is high, given that the website is vulnerable to an SQL Injection
Accordingly, in this scenario, the SQL Injection should be treated as a high-risk vulnerability.