It is no surprise that cyber-attacks have increased significantly over the years: according to one source, more than 4,000 ransomware attacks have occurred every day since 2016. That is not all; cyber-attacks are projected to cause over $6 trillion of damage annually by 2021. With that, the number of news articles and blog posts is increasing as well. Every time we hear or read about cybersecurity, we find the words threat, risk, attack, and vulnerability. These terms are often used interchangeably, which ends up confusing a lot of people. This might sound very basic, but a significant number of people don’t actually know what these terms mean.
In this article, we are going to take a deep dive into the cybersecurity landscape and also try to understand what is more important for cybersecurity professionals to focus on.
Understanding the difference between Threat, Vulnerability, Exploit & Risk
Threat is one of the most common terms we come across on a daily basis. In cybersecurity, a threat is a hypothetical event that has the potential to cause serious damage to an organisation’s business and other processes. Social engineering, phishing, DDoS, etc. are typical threats. A good example of a non-typical threat is leaving your data unprotected on your phone, which is later stolen and the data used for adversarial purposes.
Even though most threats involve an exploit, they usually don’t cause any damage unless they are actualised by threat actors or hackers. Threat actors are people with a motive, such as cybercriminals (financially motivated hackers), hacktivists (cyber activists with a political motive), competitors, disgruntled employees, etc.
Vulnerability simply means a flaw, weakness or gap in a system. One of the major reasons behind vulnerabilities is mistakes made during the development process. Such a mistake is usually referred to as a bug, and hackers use bugs to compromise systems and computers. Not all bugs are tagged as vulnerabilities, but the ones that lead to the adverse outcomes of threats are registered by MITRE as CVEs (Common Vulnerabilities and Exposures). Furthermore, vulnerabilities are also allotted a score under the Common Vulnerability Scoring System (CVSS), which indicates the severity of the vulnerability.
One of the best examples of a vulnerability is SQL injection. If a website has a SQL injection bug, hackers can inject malicious SQL code to take control of the website and steal data.
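To make the SQL injection example concrete, here is an added illustration (not code from the original article) that puts the buggy query beside its fixed form, using a constructed in-memory SQLite table and a classic tautology input from vulnerability testing. The table, the user names and the function names are all assumptions made for the demonstration.

```python
import sqlite3

def build_demo_db():
    # Constructed in-memory database standing in for a website's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    # The SQL bug: user input is pasted into the statement text, so the input
    # can change the structure of the query instead of being treated as data.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

def lookup_fixed(conn, username):
    # Hardened form: a parameterised query sends the value separately from the
    # statement, so the database only ever compares it as a plain string.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

def demo():
    conn = build_demo_db()
    benign = "alice"
    # Tautology input commonly used when testing for this bug: it closes the
    # quoted string and appends a condition that is always true.
    tautology = "' OR '1'='1"
    return {
        # Both functions behave identically on well-formed input ...
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "fixed_benign": lookup_fixed(conn, benign),
        # ... but only the vulnerable one leaks every row on the tautology.
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "fixed_tautology": lookup_fixed(conn, tautology),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

A pen test of the vulnerable lookup would surface exactly this difference: the tautology returns the whole table, while the parameterised version returns nothing because no user is literally named `' OR '1'='1`.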
When it comes to vulnerabilities, penetration testing (pen testing) is a method of performing a set of tasks on a system to figure out which bugs are present and how serious they are. Simply put, it is hacking with prior permission and without causing any damage.
An exploit is the next step a hacker takes after finding a vulnerability. Simply put, it is the way hackers leverage vulnerabilities. An exploit could be a piece of software, a command, a piece of code, or even a whole kit.
Risk has almost the same meaning in cybersecurity as in general usage. It is the probability of something bad happening combined with how bad it would be if it did happen. Simply put, it is the intersection of assets, threats, and vulnerabilities.
Risk is related to all the above terms. For example, if there is a threat but no vulnerability, or vice versa, then the chance of a bad impact (the risk) is either nil or low.
What Needs More Attention
Before discussing further what is more important for cybersecurity professionals to focus on, let us have a look at a term called “Cyber Kill Chain.”
Originally developed by Lockheed Martin for the military, the Kill Chain was used to identify a target, prepare to attack, engage, and destroy it. Over time it evolved, and today we have a cyber kill chain that traces the stages of a cyberattack from early reconnaissance to the exfiltration of data.
According to many professionals, threats are what need more attention and could cause huge damage. If we look at the reasons, this makes sense.
There was a time when vulnerabilities got more attention, but with evolving technology and changes in hacking strategies, threats are becoming more serious. Also, a vulnerability is just a small part of the kill chain: its role is limited to the exploitation stage.
Furthermore, if you look at recent incidents, most hacking events involve phishing, malware, social engineering, etc. Simply put, threat actors use humans to compromise or attack. Another reason is that when vulnerabilities are discussed, the topic is most of the time zero-day vulnerabilities. Despite the fact that zero-days pose more risk, threat actors tend to use other ways, because zero-days are not easy to discover. If the hacking event is time-bound, then zero-days are definitely not the first choice.