I have a practice question here:

A business is going to determine the dangers to which it is exposed. What do we call a possible event that can have a disruptive effect on the reliability of information:

A) Vulnerability

B) Attack

C) Risk

D) Dependency

E) Threat

I'm getting E) threat for this question but I am a bit confused because vulnerability is what weaknesses there are in a system that make it vulnerable to these attacks.

Can someone clarify if E is correct?

Gumbo
user41580

@John Deters is correct. You can refer to http://www.threatanalysis.com/2010/05/03/threat-vulnerability-risk-commonly-mixed-up-terms/ – user133362 Dec 14 '16 at 04:10

3 Answers

Yes, E is correct.

A vulnerability is a weakness that could lead to harm (whether it be to confidentiality, integrity, or availability).

A threat is an agent that could expose the vulnerability.

The question is about an "event", which is the threat.

schroeder
John Deters

What is a threat?

We can start to understand it by looking at the definition of threat generally, not in terms of computer security. As written in the Cambridge Dictionary, a threat is "the possibility that something unwanted will happen, or a person or thing that is likely to cause something unwanted to happen".

From the computer security perspective, ISO 27005 defines it as:

A potential cause of an incident, that may result in harm of systems and organization.

The National Information Assurance Glossary defines threat as:

Any circumstance or event with the potential to adversely impact an IS through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.

Therefore, it is simply a potential danger that might happen in the future. For example, we can make the claim "Ransomware is getting stronger and more widespread". As another example, we can count "cryptojacking malware" as a threat. However, we do not discuss which kind of vulnerability they are exploiting. You can read and search for threat reports to understand what is meant by a security threat. The Internet Security Threat Report from Symantec is a source which I believe to be beneficial.

What is a vulnerability?

I think we again need to refer to what the official and globally accepted communities and standards say:

ISO 27005 definition:

A weakness of an asset or group of assets that can be exploited by one or more threats where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization's mission

IETF RFC 2828 defines vulnerability as:

A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy

From NIST:

A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.

Simply put, we can analyze which threats can damage our system. On the other hand, we can look for which vulnerabilities in our system can result in a potential exploit that will cause damage. One threat can include the result of many different vulnerabilities, while one vulnerability can lead to many different kinds of threats.

Pilfility
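As an added example (not part of Pilfility's answer or of the original page), here is a small Python risk register that keeps the three terms apart the way the answer describes: a threat is what might happen, a vulnerability is a weakness of a particular asset, and a risk only exists where a threat meets a vulnerability it can exploit. The threat names, weakness classes, the 1 to 5 likelihood and impact scales, and all sample data are assumptions constructed for the illustration, not real findings.

```python
# Added example (not from the original page): a minimal risk register that keeps
# "threat", "vulnerability" and "risk" as distinct things. Threat names, weakness
# classes, the 1-5 likelihood/impact scales and all sample data are assumptions
# constructed for illustration.
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Threat:
    """A potential cause of an incident (ISO 27005 sense): what *might* happen."""
    name: str
    likelihood: int            # assumed scale: 1 (rare) .. 5 (almost certain)
    exploits: frozenset        # weakness classes this threat can take advantage of


@dataclass(frozen=True)
class Vulnerability:
    """A weakness of a specific asset that one or more threats could exploit."""
    vuln_id: str
    asset: str
    weakness: str              # weakness class, matched against Threat.exploits
    impact: int                # assumed scale: 1 (negligible) .. 5 (severe) if exploited here


def risk_register(threats, vulnerabilities):
    """Pair each threat with every vulnerability it can exploit.

    A risk exists only where a threat meets a matching vulnerability: a threat
    with nothing to exploit, or a weakness no threat targets, produces no row.
    Rows are sorted by score (likelihood x impact), highest first.
    """
    rows = []
    for t, v in product(threats, vulnerabilities):
        if v.weakness in t.exploits:
            rows.append({
                "threat": t.name,
                "vulnerability": v.vuln_id,
                "asset": v.asset,
                "score": t.likelihood * v.impact,
            })
    return sorted(rows, key=lambda r: (-r["score"], r["threat"], r["vulnerability"]))


def threats_for(rows, vuln_id):
    """Which threats turn this one vulnerability into a risk?"""
    return sorted({r["threat"] for r in rows if r["vulnerability"] == vuln_id})


def vulnerabilities_for(rows, threat_name):
    """Which vulnerabilities give this one threat a way in?"""
    return sorted({r["vulnerability"] for r in rows if r["threat"] == threat_name})


# Constructed sample data (assumptions, not real findings).
THREATS = [
    Threat("Ransomware", 4, frozenset({"unpatched-service", "phishing-susceptible-user"})),
    Threat("Cryptojacking malware", 3, frozenset({"unpatched-service", "exposed-admin-interface"})),
    Threat("Insider data theft", 2, frozenset({"excessive-privilege"})),
]

VULNERABILITIES = [
    Vulnerability("VULN-1", "file-server", "unpatched-service", 5),
    Vulnerability("VULN-2", "mail-users", "phishing-susceptible-user", 4),
    Vulnerability("VULN-3", "build-server", "exposed-admin-interface", 3),
    Vulnerability("VULN-4", "hr-database", "excessive-privilege", 4),
    Vulnerability("VULN-5", "lobby-kiosk", "physical-access", 1),  # no in-scope threat exploits this
]


def build_register():
    """Build the register for the constructed sample data."""
    return risk_register(THREATS, VULNERABILITIES)


if __name__ == "__main__":
    register = build_register()
    for row in register:
        print(f"{row['score']:>3}  {row['threat']:<22} via {row['vulnerability']} on {row['asset']}")
    print("threats that can exploit VULN-1:", threats_for(register, "VULN-1"))
    print("vulnerabilities Ransomware can use:", vulnerabilities_for(register, "Ransomware"))
    print("risks involving VULN-5:", threats_for(register, "VULN-5"))  # a weakness, but no risk
```

Running it shows the many-to-many relationship the answer ends with: VULN-1 appears under both Ransomware and Cryptojacking malware (one vulnerability, several threats), Ransomware appears with VULN-1 and VULN-2 (one threat, several vulnerabilities), and VULN-5 never becomes a risk because no threat in scope exploits that weakness class. The scoring is deliberately the simplest likelihood times impact product; a real register would use whatever scale the organization's risk methodology prescribes.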

A threat is the intelligent agent that is likely to exploit the vulnerability of the system/application.