Reading time : 5 min
It goes without saying that you can defend yourself better when you know your weaknesses. The same is true when you know your opponents.
This lesson will allow us to better understand the concepts of vulnerability, threat and risk.
These concepts are essential foundations for implementing vulnerability management and risk management processes.
A vulnerability is a weakness in a system, configuration, software or process.
A vulnerability can be of several types:
Most known vulnerabilities are recorded in a single catalogue, the Common Vulnerabilities and Exposures database (CVE), which is overseen by the MITRE organization. Each vulnerability has a unique identifier in this database.
The technical details of each vulnerability are recorded in other databases, the best known being the National Vulnerability Database (NVD) maintained by NIST.
💡 Example: one of the most critical vulnerabilities in recent times, known as Log4Shell, is registered under the identifier "CVE-2021-44228" and is described here.
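Because everything downstream (advisories, patch tracking, risk registers) refers to vulnerabilities by their CVE identifier, it is worth being able to validate and normalize those identifiers reliably. The following Python is an added example written for this lesson, not code from the original page or from MITRE or NIST. It assumes the published CVE ID syntax (a four-digit year and a sequence of at least four digits, where a sequence of five or more digits does not start with 0) and an NVD detail-page URL layout; the sample advisory text is constructed.

```python
import re

# Syntax of a CVE identifier: "CVE-" + four-digit year + "-" + a sequence of
# at least four digits. CVE-2021-44228 (Log4Shell, cited above) fits this form.
_CVE_ANYWHERE_RE = re.compile(r"\bCVE-(?P<year>\d{4})-(?P<seq>\d{4,})\b", re.IGNORECASE)
_CVE_STRICT_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$", re.IGNORECASE)

# Assumed layout of an NVD detail page URL (assumption, not taken from this page).
NVD_DETAIL_BASE = "https://nvd.nist.gov/vuln/detail/"


def parse_cve_id(value: str):
    """Return (year, sequence) for a well-formed CVE identifier, else None."""
    m = _CVE_STRICT_RE.match(value.strip())
    if not m:
        return None
    year, seq = int(m.group("year")), m.group("seq")
    if len(seq) > 4 and seq.startswith("0"):
        return None  # e.g. CVE-2021-01234: five digits may not begin with 0
    if year < 1999:
        return None  # the CVE programme started in 1999
    return year, int(seq)


def normalize_cve_id(value: str):
    """Canonical upper-case form, sequence zero-padded to four digits."""
    parsed = parse_cve_id(value)
    if parsed is None:
        return None
    year, seq = parsed
    return f"CVE-{year}-{seq:04d}"


def nvd_detail_url(value: str):
    """Build the NVD lookup URL for a valid identifier, or None if malformed."""
    cve = normalize_cve_id(value)
    return None if cve is None else NVD_DETAIL_BASE + cve


def extract_cve_ids(text: str):
    """Find valid CVE identifiers in free text, de-duplicated in order of appearance."""
    found = []
    for m in _CVE_ANYWHERE_RE.finditer(text):
        cve = normalize_cve_id(m.group(0))
        if cve is not None and cve not in found:
            found.append(cve)
    return found


# Constructed advisory text for demonstration; not a real bulletin.
SAMPLE_ADVISORY = (
    "Update Log4j to address CVE-2021-44228 (Log4Shell). The tracker also "
    "lists cve-2021-44228 again and a malformed reference CVE-2021-01234."
)

if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_ADVISORY):
        print(cve, "->", nvd_detail_url(cve))
```

Running the block on the constructed text yields a single normalized identifier, CVE-2021-44228, because the lower-case duplicate is folded into it and the malformed reference is rejected rather than passed on to a lookup.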
There are two ways to address a vulnerability:
💡 Workaround example: the web administration interface of a firewall contains a vulnerability. You decide to make this interface unavailable, and administer the firewall only from the command line.
A threat is any event that can harm you. These threats can be of different types, even the ones you least expect:
To better understand the threats that affect our digital activities, cyber security has a dedicated discipline called "Cyber Threat Intelligence" (CTI).
Many tools and frameworks exist to help understand and model these threats. As an introduction, you can for example read about the so-called "Cyber Kill Chain" (a lesson dedicated to the Kill Chain is available in this course).
💡 For example, if you have computer equipment in the basement (vulnerability), the risk of flooding exists whenever a storm or heavy rain occurs (threats).
That's why one of the key processes in cyber security is managing these risks.
Risk management can be broken down into several phases (deliberately simplified here):
Much of the time of cyber security professionals, whatever their job or specialty, is spent anticipating events that could harm the company that employs them.
It is impossible to eliminate all risks, but it is possible to identify them well in order to implement effective action plans. This approach must be carried out cyclically, as a process of continuous improvement.