What is a Threat?
A threat here is anything that can exploit a vulnerability and thereby steal or corrupt data, disrupt business, or cause general harm. Threats are divided into 3 categories:
- Intentional threats: Activities or methods bad actors use to compromise a security or software system. Examples: malware, ransomware, phishing, malicious code, and wrongful access to user login credentials.
- Unintentional threats: Threats that arise from human error and give criminals an opening or opportunity to carry out their actions. Examples: software bugs, employees or former employees who still hold sensitive access to the company, and employees who are unaware of a threat (which is why employee training is so important).
- Natural threats: While acts of nature (floods, hurricanes, tornadoes, earthquakes, etc.) aren’t typically associated with cybersecurity, they are unpredictable and have the potential to damage your assets.
What is a Vulnerability?
A vulnerability is a weakness that may give rise to a threat or increase the risk to the information system, system processes, or internal controls of the organization/company.
A vulnerability can be introduced when a developer makes a logic error in the code, or applies incomplete or incorrect input validation, leaving the application or software open to being entered by criminals.
Not only that, vulnerabilities can exist in firmware, operating systems, applications, and in the people who operate the computers (brainware).
What is Risk?
Cyber risk is the potential for loss, damage, or destruction of assets when threats exploit vulnerabilities. Simply put, a weakness or vulnerability can be exploited by an attacker (the threat), and the result is a risk that can lead to financial loss, disruption, or damage to an organization’s reputation.
Threat + Vulnerability = Risk
What is Severity?
Severity here is the magnitude of the impact that results from a vulnerability, threat, and risk. Several factors need to be considered before we assign a severity score.
The severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry-standard vulnerability metric. Below is the severity rating system:
- Severity Level Critical
Vulnerabilities that score in the critical range usually have most of the following characteristics:
a. Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.
b. Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.
- Severity Level High
Vulnerabilities that score in the high range usually have some of the following characteristics:
a. The vulnerability is difficult to exploit.
b. Exploitation could result in elevated privileges.
c. Exploitation could result in significant data loss or downtime.
- Severity Level Medium
Vulnerabilities that score in the medium range usually have some of the following characteristics:
a. Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.
b. Denial-of-service vulnerabilities that are difficult to set up.
c. Exploits that require an attacker to reside on the same local network as the victim.
d. Vulnerabilities where exploitation provides only very limited access.
e. Vulnerabilities that require user privileges for successful exploitation.
- Severity Level Low
Vulnerabilities in the low range typically have very little impact on an organization’s business. Exploitation of such vulnerabilities usually requires local or physical system access.
Correlation between threat, vulnerability, risk and severity
In short, threat, vulnerability, risk and severity are correlated. A threat can materialize because a vulnerability exists; the vulnerability being exploited by that threat creates a risk; and the severity of that risk is then assessed by calculating a score, in our case the CVSS score, for the vulnerability.