What is a weakness that could be exploited by a threat called?

Words matter, especially in cybersecurity

Like any other industry, cybersecurity has its own vernacular. What separates security jargon from some other types is the precision cybersecurity professionals expect of their language. To laypeople or novices, these terms often blend together and even seem interchangeable. And since cybersecurity has a lot of moving parts, it’s easy for those new to vulnerability management to get them mixed up.

Three of the most commonly confused terms are risk, threat, and vulnerability. Mixing up these terms clouds your ability to understand how the latest vulnerability management tools and technologies work, and impedes communication with other security (and non-security) professionals. The distinctions may be fundamental, but they’re also important. Here, we’ll explain what they mean and why they’re important.

Risk vs. threat vs. vulnerability

In a nutshell, risk is the potential for loss, damage or destruction of assets or data caused by a cyber threat. Threat is a process that magnifies the likelihood of a negative event, such as the exploit of a vulnerability. And a vulnerability is a weakness in your infrastructure, networks or applications that potentially exposes you to threats.  

So when a threat targets a vulnerability that exists in your IT infrastructure, network or applications, it can result in risk to your assets, data or business. 

That’s the high level. Now let’s dig a bit deeper.

What is Risk?

An organization’s risk profile fluctuates depending on internal and external environmental factors. It incorporates not just the potential or probability of a negative event, but the impact that event may have on your infrastructure. And though risk can never be 100% eliminated—cybersecurity is a persistently moving target, after all—it can be managed to a level that satisfies your organization’s tolerance for risk. No matter how you deal with it, the end goal remains the same—to keep your overall risk low, manageable and known.

Helping businesses manage cybersecurity risk is the job of vulnerability management (VM) solutions. Traditional VM tends to adopt the “everything is a risk” view, which leaves Security and IT teams scrambling to somehow prioritize and remediate an ever-increasing list of vulnerabilities, many of which don’t actually pose a real danger to the organization. This results in wasted time, money, and resources, and very often creates a rift between Security teams struggling to blindly prioritize what’s most important and IT and DevOps teams who have to remediate without context or meaningful prioritization. Ultimately, risk is not lowered and teams cannot provide comprehensive or accurate reports of their efforts. 

Modern vulnerability management flips the traditional model on its head. Instead of using arbitrary prioritization methods, organizations define their acceptable level of risk and tailor their risk prioritization accordingly, based on real-time threat intelligence, advanced data science and machine learning-powered prioritization. This matures standard, inefficient, and ineffective vulnerability management into risk-based vulnerability management (RBVM). A risk-based approach to vulnerability management helps isolate the organization’s top risks, eliminating the need for guesswork and wasted cycles spent chasing vulnerabilities that won’t move the needle on risk. Ultimately, a modern RBVM program helps you make real, significant strides in lowering your risk profile.

What is a Threat?

Today’s cybersecurity landscape roils with an endless stream of potential threats—from malware that plants dangerous executables in your software and ransomware that locks up your systems to specially targeted hacker attacks. All of these threats look for a way in, a vulnerability in your environment that they can exploit. Some threats, however, hold more potential for exploitation than others. The more rich, fresh data you can access and analyze about these threats, the more strategic and impactful decisions you can make regarding your vulnerability management and remediation.

Real-time threat intelligence can enhance your current efforts to identify the vulnerabilities attackers are discussing, experimenting with or using. These bad actors write exploits that are designed to take advantage of known vulnerabilities, and threat intelligence helps you determine how an exploit is actually behaving in the wild and if there are known fixes. Details like Common Vulnerability Scoring System (CVSS) data, remediation, vulnerability velocity and volume, exploit data, fixes and patch information can all serve to improve your Security and IT response times, more accurately target your remediation efforts on high-risk vulnerabilities, and provide timely and comprehensive updates to leadership. The most advanced solutions even offer predictive modeling, helping you anticipate and annihilate future threats. 

What is a Vulnerability?

Vulnerabilities are weak spots within your environment and your assets—weaknesses that open you up to potential threats and increased risk. And unfortunately, an organization can have thousands, often millions of vulnerabilities. Remediating all of them is not feasible, especially when most organizations only have the capacity to patch one out of every ten vulnerabilities. While that may sound like a losing battle, the good news is that only 2%-5% of vulnerabilities are likely to be exploited. And among those, an even smaller percentage are likely to pose an actual risk to your business, because, for instance, many of those vulnerabilities may not be actively exploited within your industry. So much for that old “everything is a risk” approach.

This is where risk-based vulnerability prioritization plays a crucial role. By giving Security and IT teams the tools and insight to hone their remediation efforts on the vulnerabilities that are most likely to be exploited (and that pose the biggest risk to your business), you will not only save time, money and cycles, but you’ll improve collaboration and help lower the organization’s overall cyber risk. Aligning teams around risk means you’ll no longer be wasting resources patching vulnerabilities that don’t pose a real threat to the organization, and instead can dedicate time to more strategic activities. (Some RBVM solutions even allow you to set meaningful remediation SLAs based on the potential risk posed by a vulnerability weighed against your organization’s risk tolerance levels.) 

Where to go from here

Understanding risk vs. threat vs. vulnerability is a good first step toward achieving a stronger, more efficient vulnerability management approach and a culture aligned around managing and lowering risk.

Just beginning your vulnerability management journey? Or interested in shifting gears to a more effective risk-based approach? No matter where you are, more information will help you make more effective decisions. The on-demand Kenna Katalyst educational series can help you with that. In less than an hour, you can earn one CPE credit through ISC², learn the six key steps to set up your own risk-based program, get real-world knowledge you can implement today, and ultimately learn how to lower your cyber risk.

If you read much about cyberattacks or data breaches, you’ve surely run across the terms vulnerabilities, threats, and exploits. Unfortunately, these terms are often left undefined, used incorrectly or, worse, interchangeably. That’s a problem, because misunderstanding these terms (and a few other key ones) can lead organizations to make incorrect security assumptions, focus on the wrong or irrelevant security issues, deploy unnecessary security controls, take needless actions (or fail to take necessary actions), and leave them either unprotected or with a false sense of security.

It’s important for security professionals to understand these terms explicitly and their relationship to risk. After all, the purpose of information security isn’t just to indiscriminately “protect stuff.” The high-level objective is to help the organization make informed decisions about managing risk to information, yes, but also to the business, its operations, and assets. There’s no point in protecting “stuff” if, in the end, the organization can’t sustain its operations because it failed to successfully manage risk.

What is Risk?

In the context of cybersecurity, risk is often expressed as an “equation”—Threats x Vulnerabilities = Risk—as if vulnerabilities were something you could multiply by threats to arrive at risk. This is a misleading and incomplete representation, as we’ll see shortly. To explain risk, we’ll define its basic components and draw some analogies from the well-known children’s tale of The Three Little Pigs.[1]

Wait! Don’t decide to bail just because you think a children’s tale is too juvenile to explain the complexities of information security. In the Infosec world where perfect analogies are hard to come by, The Three Little Pigs provides some pretty useful ones. Recall that the hungry Big Bad Wolf threatens to eat the three little pigs by blowing down their houses, the first one built of straw, the third one built of bricks. (We’ll ignore the second pig with his house built of sticks since he’s in pretty much the same boat as the first pig.)

Defining the Components of Risk

A discussion of vulnerabilities, threats, and exploits begs many questions, not the least of which is, what is being threatened? So, let’s start by defining assets.

Asset

An asset is anything of value to an organization. This includes not just systems, software, and data, but also people, infrastructure, facilities, equipment, intellectual property, technologies, and more. In Infosec, the focus is on information systems and the data they transact, share, and store. In the children’s tale, the houses are the pigs’ assets (and, arguably, the pigs themselves are assets since the wolf threatens to eat them).

Inventorying and assessing the value of each asset is a vital first step in risk management. This can be a monumental undertaking for many organizations, especially large ones. But it’s essential in order to accurately assess risk (how do you know what’s at risk if you don’t know what you have?) and then determine what type and level of protection each asset warrants.

Vulnerability

A vulnerability is any weakness (known or unknown) in a system, process, or other entity that could lead to its security being compromised by a threat. In the children’s tale, the first pig’s straw house is inherently vulnerable to the wolf’s mighty breath whereas the third pig’s brick house is not.

In information security, vulnerabilities can exist almost anywhere, from hardware devices and infrastructure to operating systems, firmware, applications, modules, drivers, and application programming interfaces. Tens of thousands of software bugs are discovered every year. Details of these are posted on websites like cve.mitre.org and nvd.nist.gov (and hopefully, the affected vendors’ websites) along with scores that attempt to assess their severity.[2][3]

Responsible vendors typically publish patches in a timely way to correct specific known vulnerabilities. However, that doesn’t guarantee that organizations using those vulnerable products will apply the patch. In fact, some of the highest profile attacks and data breaches have occurred in organizations that did not patch vulnerabilities that had been known about for years. (Zero-day refers to a newly discovered vulnerability for which a patch does not yet exist.)

Threat

A threat is any action (event, occurrence, circumstance) that could disrupt, harm, destroy, or otherwise adversely affect an information system (and thus, an organization’s business and operations). Viewed through the lens of the CIA triad, a threat is anything that could compromise confidentiality, integrity, or availability of systems or data. Except in cases of natural disaster such as flood or hurricane, threats are perpetrated by threat agents or threat actors ranging from inexperienced so-called script kiddies to notorious hacker groups like Anonymous and Cozy Bear (also known as APT29). Threats can be intentional or accidental and come from internal or external sources. In The Three Little Pigs, the wolf is the obvious threat actor; the threat is his stated intention to blow down the pigs’ houses and eat them.

Exploit

Used as a verb, exploit means to take advantage of a vulnerability. Used as a noun, an exploit refers to a tool, typically in the form of source or binary code. This code makes it easy for threat actors to take advantage of a specific vulnerability and often gives them unauthorized access to something (a network, system, application, etc.). The payload, chosen by the threat actor and delivered via the exploit, carries out the chosen attack, such as downloading malware, escalating privileges, or exfiltrating data.

In the children’s tale, the analogies aren’t perfect, but the wolf’s mighty breath is the closest thing to an exploit tool and the payload is his destruction of the house. Afterward, he hoped to eat the pig—his “secondary” attack. (Note that many cyberattacks are multi-level attacks.)

Exploit code for many vulnerabilities is readily available publicly (on the open Internet on sites such as exploit-db.com as well as on the dark web) to be purchased, shared, or used by attackers. (Organized attack groups and nation-state actors write their own exploit code and keep it to themselves.) It’s important to note that exploit code does not exist for every known vulnerability. Attackers generally take the time to develop exploits for vulnerabilities in widely used products and those that have the greatest potential to result in a successful attack. So, although the term exploit code isn’t included in the Threats x Vulnerabilities = Risk “equation,” it’s an integral part of what makes a threat feasible.

Risk

For now, let’s refine our earlier, incomplete definition and say that risk constitutes a specific vulnerability matched to (not multiplied by) a specific threat. In the story, the pig’s vulnerable straw house matched to the wolf’s threat to blow it down constitutes risk. Similarly, the threat of SQL injection matched to a specific vulnerability found in, for example, a specific SonicWall product (and version) and detailed in CVE-2021-20016,[4] constitutes risk. But to fully assess the level of risk, both likelihood and impact also must be considered (more on these two terms in the next section).

Before we go any further, there are two important points to understand:

  • If a vulnerability has no matching threat (no exploit code exists), there is no risk. Similarly, if a threat has no matching vulnerability, there is no risk. This is the case for the third pig, whose brick house is invulnerable to the wolf’s threat. If an organization patches the vulnerability described in CVE-2021-20016 in all of its affected systems, the risk no longer exists because that specific vulnerability has been eliminated.
  • The second and seemingly contradictory point is that the potential for risk always exists because (1) exploit code for known vulnerabilities could be developed at any time, and (2) new, previously unknown vulnerabilities will eventually be discovered, leading to possible new threats. As we learn late in The Three Little Pigs, the wolf discovers the chimney in the third pig’s brick house and decides to climb down to get to the pigs. Ah-ha! A new vulnerability matched to a new threat constitutes (new) risk. Attackers are always on the lookout for new vulnerabilities to exploit.

Accurately Assessing Risk

Without getting into a deep discussion of risk assessment,[5] let’s define the two essential elements of risk calculations that are often overlooked.

Likelihood

Likelihood is the chance or probability that a specific threat will exploit a specific vulnerability. Factors that figure into likelihood include things like a threat actor’s motivation and capabilities, how easily a vulnerability can be exploited, how attractive a vulnerable target is, security controls in place that could hinder a successful attack, and more. If exploit code exists for a specific vulnerability, the attacker is skilled and highly motivated, and the vulnerable target system has few security controls in place, the likelihood of an attack is potentially high. When the opposite of any of these is true, likelihood decreases.

For the first pig, the likelihood of an attack was high because the wolf was hungry (motivated), had opportunity, and a reasonable exploit tool (his mighty breath). However, had the wolf known in advance about the pot of boiling water in the third pig’s fireplace—the “security control” that ultimately killed the wolf and saved the pigs—the likelihood of him climbing down the chimney would probably have been zero. The same is true of skilled, motivated attackers who, in the face of daunting security controls, may choose to move on to easier targets.

If…if…if. There are endless variations in motivation, capability, ease of exploit, security controls, and other factors that affect likelihood.

Impact

Impact describes the damage that could be done to the organization and its assets if a specific threat were to exploit a specific vulnerability. Of course, it’s impossible to accurately gauge impact without first determining asset value, as mentioned earlier. Obviously, some assets are more valuable to the business than others. Compare, for example, the impact of a company losing availability of an ecommerce website that generates 90 percent of its revenue to the impact of losing a seldom-used web app that generates minimal revenue. The first loss could put a faltering company out of business whereas the second loss could be negligible. It’s no different in our children’s tale where the impact was high for the first pig, who was left homeless after the wolf’s attack. Had his straw house been just a makeshift rain shelter that he rarely used, the impact would have been insignificant.

Putting the Risk Jigsaw Pieces Together

Assuming a matched vulnerability and threat exists, it’s essential to consider both likelihood and impact to determine the level of risk. A simple, qualitative (versus quantitative)[6] risk matrix like the one shown in Figure 1 illustrates the relationship between the two. (Note that there are many variations of this matrix, some far more granular and detailed.)
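The following is an added example (not code from either article) that turns the two ideas above into a small prioritization routine: risk exists only when a live vulnerability is matched to a threat (exploit code exists and the system is unpatched), and the resulting level comes from a qualitative likelihood-by-impact matrix, which is also what the earlier risk-based prioritization section argues for. The 3x3 matrix, the hostnames, the control ratings and the placeholder CVE are assumptions; only CVE-2021-20016 comes from the text.

```python
from dataclasses import dataclass

# Qualitative risk matrix, (likelihood, impact) -> risk level. This 3x3 layout is an
# assumption standing in for the article's Figure 1, which is not reproduced here.
RISK_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}
RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    asset: str
    cve: str
    patched: bool          # has the vulnerability been eliminated on this asset?
    exploit_public: bool   # matching threat: does exploit code exist?
    controls: str          # "weak" or "strong" compensating security controls
    asset_value: str       # impact proxy from asset valuation: "low", "medium", "high"


def likelihood(f: Finding) -> str:
    """Exploit availability sets the baseline; strong controls lower it."""
    if not f.exploit_public:
        return "low"
    return "medium" if f.controls == "strong" else "high"


def risk_level(f: Finding) -> str:
    """Risk exists only when a live vulnerability is matched to a threat."""
    if f.patched or not f.exploit_public:
        return "none"
    return RISK_MATRIX[(likelihood(f), f.asset_value)]


def prioritize(findings):
    """Return (asset, cve, risk) tuples for real risks only, highest risk first."""
    scored = [(f.asset, f.cve, risk_level(f)) for f in findings]
    scored = [s for s in scored if s[2] != "none"]
    return sorted(scored, key=lambda s: RANK[s[2]], reverse=True)


# Constructed sample inventory (hostnames and CVE-PLACEHOLDER-1 are made up).
SAMPLE = [
    Finding("ecommerce-gw", "CVE-2021-20016", False, True, "weak", "high"),
    Finding("intranet-app", "CVE-2021-20016", True, True, "weak", "medium"),
    Finding("build-box", "CVE-PLACEHOLDER-1", False, False, "weak", "high"),
    Finding("legacy-webapp", "CVE-2021-20016", False, True, "strong", "low"),
]

if __name__ == "__main__":
    for asset, cve, level in prioritize(SAMPLE):
        print(f"{level:6} {asset:15} {cve}")
```

The patched host and the finding with no exploit drop out entirely, which is the "no matching threat, no risk" rule from the bullet list, while the two remaining findings are ordered by the matrix rather than by a flat severity score.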