Assets, Vulnerabilities, Threats, Exploits, Risk, and Management

The post two weeks ago on contingency planning mentioned risks and threats, but did not go into detail about the differences between them. To elaborate on risks and threats, several other terms need to be introduced and defined as well. This post describes and distinguishes between assets, vulnerabilities, threats, exploits, and risk. Understanding the terms together makes the risk management process seem more natural and easier to follow. Finally, a brief discussion summarizes the relationships and describes the fundamental process of risk management.

Assets are things that have value to an entity, e.g. a secret formula, a business process, a physical office space, a web server, or a database. Assets bring value to a business, and their compromise would cause harm.

Vulnerabilities are weaknesses in assets, e.g. a broken lock on a door handle, a blind spot in a camera system, a lack of input sanitization in a software application, or an insecure process such as sharing passwords or leaving confidential information in unlocked cabinets (people have vulnerabilities, too).

Threats are actors or events that can cause harm to assets, e.g. natural disasters, thieves, spies, vandals, hackers, malware, competitors, or disgruntled employees.

Exploits are the means by which threats take advantage of vulnerabilities, e.g. opening an unlocked door, overflowing a buffer to overwrite a return address, or throwing a chair through a window.

Risks are the area where vulnerabilities and threats overlap, e.g. opening a port is a risk because it increases the likelihood of an attacker (threat) finding a software bug (vulnerability) that can be used for remote code execution by way of a port scanner and a payload injection (exploit).

Each asset should be ranked by importance, ideally with a value expressed in dollars. Things to account for include how important the asset is to the function of the business, how vulnerable the asset is to various threats, how much damage would be done if the asset were compromised under each threat scenario, how much it would cost to mitigate those threats, how much it would cost to recover the asset if a vulnerability were exploited, and how likely the asset is to be compromised.

After the impact analysis comes the time to rank the risks. Ranking the assets first helps rank the risks now. Because every asset faces several risks, there will be many more risks than assets. Ranking risks relative to assets keeps the focus on the risks that affect the most valuable things. Response planning is done at this point: mitigation and recovery controls are analyzed and chosen, and their effectiveness is evaluated continually. This is a rudimentary summary of risk management.
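The ranking procedure above, as an added example that is not part of the original post: each risk pairs an asset with a threat and a vulnerability, its expected yearly loss is estimated from the asset value, damage share, recovery cost and likelihood (a simplification I assume here, not a formula the post gives), and mitigation is judged worthwhile only when it costs less than the loss it prevents. The asset values, likelihoods and costs are constructed sample figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value_usd: float  # what the business loses if the asset is fully compromised


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str              # who or what causes the harm
    vulnerability: str       # the weakness the threat would exploit
    likelihood: float        # estimated probability of compromise per year (0..1)
    damage_fraction: float   # share of the asset value lost if it happens (0..1)
    mitigation_cost_usd: float
    recovery_cost_usd: float


def expected_loss(risk: Risk) -> float:
    """Likelihood-weighted loss: damage to the asset plus the cost of recovering it."""
    impact = risk.asset.value_usd * risk.damage_fraction + risk.recovery_cost_usd
    return risk.likelihood * impact


def mitigation_worthwhile(risk: Risk) -> bool:
    """Mitigate when the control costs less than the loss it is expected to prevent."""
    return risk.mitigation_cost_usd < expected_loss(risk)


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Most valuable asset first, then the largest expected loss within that asset."""
    return sorted(risks, key=lambda r: (-r.asset.value_usd, -expected_loss(r)))


# Constructed sample register (hypothetical assets and figures).
DATABASE = Asset("customer database", 500_000)
WEB_SERVER = Asset("web server", 200_000)
OFFICE = Asset("office space", 100_000)

SAMPLE_RISKS = [
    Risk(OFFICE, "vandal", "broken door lock", 0.10, 0.2, 300, 2_000),
    Risk(WEB_SERVER, "malware", "unneeded open port", 0.50, 0.5, 5_000, 10_000),
    Risk(DATABASE, "hacker", "missing input sanitization", 0.30, 0.8, 20_000, 50_000),
    Risk(OFFICE, "flood", "no flood barrier", 0.02, 1.0, 40_000, 30_000),
    Risk(DATABASE, "disgruntled employee", "shared passwords", 0.05, 1.0, 15_000, 80_000),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        action = "mitigate" if mitigation_worthwhile(r) else "accept/transfer"
        print(f"{r.asset.name:18} {r.threat:21} {r.vulnerability:27} "
              f"expected loss ${expected_loss(r):>10,.0f}  -> {action}")
```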