Before diving into details and being flooded by a huge number of new terms, I found it necessary to set up the base that we will be building upon in the next articles. So, this article is meant to get you familiar with the essential principles and terms that you should be aware of. Have a nice reading.
A vulnerability can be defined as a weakness or a hole in a running system that can be exploited to compromise the system's security. The weakness could be a software bug, a clear-text communication channel, an open port through a firewall, a hardware issue, an un-shredded classified document in the trash can, or even a human fault.
A threat is defined as the potential damage or harm that may occur as a result of exploiting an existing vulnerability. Consider the case that somebody has realized, either accidentally or intentionally, that a certain system is vulnerable in some way. When this person exploits this weakness to cause some kind of damage to the system or the organization, we call this a threat. For example, an intruder who searches the trash and finds a classified document could use this document to embarrass the company and harm its reputation. This is a threat.
Another example is an insecure protocol that transmits data in clear text. If an attacker exploits this fact and manages to sniff (capture) the data traffic being transmitted through this insecure channel, this could be described as a threat.
The one who exploits the vulnerability to compromise security is called a threat agent.
The risk is the possibility or chance that a threat agent would exploit an identified vulnerability to gain access, compromise security, or cause some sort of damage. Risk is the product of vulnerability and threat:
Risk = Vulnerability × Threat
Being vulnerable or susceptible to damage (a threat) caused by a threat agent exploiting a weakness in the system is called exposure.
A countermeasure (sometimes referred to as a control) is the action taken to eliminate or reduce the risk that a vulnerable system gets exploited by a threat agent to realize a threat.
A countermeasure could be using secure protocols for communications, the installation of antivirus software, deploying a security patch, using strict firewall rules, disabling an unused service, organizing security awareness training for the staff, or installing biometric access control machines at entry points and on the data center doors.
To wrap up all the above terms together, consider the insecure communication channel example: an insecure communication protocol transfers data in clear-text format. This is the vulnerability. An intruder who sniffs network traffic is a threat agent. The extraction of data from the captured clear-text network packets is the threat. The possibility that the intruder realizes the existence of the insecure communication and uses sniffing software to capture the data transmitted in clear text is the risk. Using a secure protocol like SSH, HTTPS or SFTP for communication will encrypt the network traffic, hence reducing the chance that the intruder extracts the transmitted data. This is the control or countermeasure.
Categories of Countermeasures
There are three main categories of countermeasures, following the three main security areas:
- Technical (Logical) security: this part of security depends on technology to maintain system security.
- Physical security: aims to prevent unauthorized people from reaching zones where they could breach security by obtaining unauthorized access to data or by causing any sort of damage.
- Administrative security: this part of security is concerned with the human factor. The human factor is always said to be the weakest link in the entire security chain. A very secure system with a strong password policy and strict access control mechanisms will be useless if a user is in the habit of writing his password on a sticky note and putting it on the side of his monitor. A weak or non-existent document disposal procedure may cause leakage of company information. This could lead to critical consequences, including legal problems, fines, and possibly being driven out of the market entirely.
So, the following are the three categories of security countermeasures with examples for each:
- Technical Controls:
  - Installing antivirus software.
  - Installing security patches and fixes.
  - Disabling insecure and unneeded services.
  - Using encryption.
  - Using secure protocols.
  - Using network and personal firewalls.
  - Using Intrusion Detection Systems (IDS).
  - Using Intrusion Prevention Systems at the network level (NIPS) and at the host level (HIPS).
  - Using File Integrity Monitoring software.
- Physical Controls:
  - Video surveillance using CCTV (closed-circuit television).
  - Motion detection systems.
  - Biometric access control machines.
  - Employing security guards and dogs.
  - Using mantraps.
- Administrative Controls:
  - Writing a comprehensive security policy.
  - Periodic security awareness training.
  - Awareness email campaigns.
  - Data classification.
  - Signing of a non-disclosure agreement (NDA) by newly hired staff.
In this article, we have introduced the common terms we are going to encounter during our journey with CISSP.
- Vulnerability is a weakness or a hole in the system that, when exploited, could cause damage or a breach of the system's security.
- Threat is the potential damage or negative effect that could occur as a result of exploiting the weakness.
- Threat Agent is the one who exploits the weakness to realize a threat.
- Risk is the chance that a vulnerability will be exploited by a threat agent to compromise security.
- Exposure is being vulnerable or susceptible to damage caused by a vulnerability being exploited.
- A security control or countermeasure is the defensive action taken to remove or reduce the risk that an attacker would exploit an existing vulnerability to cause damage.
- Three categories of security controls exist: physical, technical, and administrative.
In the next article, we will classify the security controls according to their functionality. See you.