
Vulnerability vs. Threat vs. Risk vs… “Other”

Shawn Taylor, Vice President, Threat Defense | November 2, 2022

In cybersecurity, three key terms are vulnerability, threat and risk. Often they’re tossed around interchangeably, but they have a specific relationship to one another:

  • A risk is the potential for loss or damage caused by a threat exploiting a vulnerability.
  • In statistical terms, risk is the probability of a negative event occurring and its potential impact or loss.

Expressed as simple equations (the first is conceptual shorthand rather than arithmetic: a vulnerability with no credible threat, or a threat with no matching vulnerability, yields no risk):

Vulnerability x Threat = Risk

and

Risk = Probability x Impact


That about sums it up, right? As vice president of threat defense and the leader of Frontline, Forescout’s threat-hunting team, my answer is no. Our charter is to identify the vulnerabilities and potential threats that organizations face and provide them with the information needed to assess the risks they face. During our customer engagements, we’re not just looking for active intrusions into a network; we assess every connected asset in their digital terrain. We’re looking for vulnerabilities, threats and anything else that would make the organization a prime candidate for attack.

Because of this approach, we often see things that aren’t quite vulnerabilities or threats. They fall into the large bucket of “other” security gaps and issues that expose organizations to risk.

Let’s run through some definitions.

What is a vulnerability?

A vulnerability is a weakness, bug, flaw or misconfiguration in hardware, software, a system or a procedure that can be exploited to gain unauthorized access. The vast majority of vulnerabilities don’t pose a real danger to the organization. Still, many of the ones that do pose real risk are easily remediated, yet they remain in plain sight, ready to be exploited.

In August, Microsoft reported that 80% of ransomware attacks can be traced back to common configuration errors in software and devices. That includes misconfigured security products as well as default/legacy configurations in enterprise applications. Similarly, in its 2022 State of the Internet Report, Censys found that misconfigurations including unencrypted services, weak or missing security controls, and self-signed certificates comprise around 60% of internet-related risks.

Public resources like the Common Vulnerabilities and Exposures (CVE) list, the Common Vulnerability Scoring System (CVSS) and the Exploit Prediction Scoring System (EPSS), which are leveraged by vulnerability assessment, risk-based vulnerability management (RBVM) and other security tools, help organizations identify known vulnerabilities and prioritize remediation based on severity (CVSS) and on the estimated likelihood that a vulnerability will actually be exploited in the wild (EPSS). The two often disagree: a CVSS 9.8 flaw with no public exploit can sit far below a CVSS 7.5 flaw that is being actively exploited.

Vulnerability data, especially around active exploits, is important, but it doesn’t tell the whole story of risk. The Forescout Continuum Platform calculates a multifactor risk score for each connected asset that considers CVEs, device criticality, open ports, internet posture and IP reputation. The aggregated score helps you prioritize remediation. Instead of identifying 10,000 alerts, it tells you the 10 alerts to pay attention to.
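To make the difference between a severity-only queue and a risk-based one concrete, here is an added Python example (not Forescout’s scoring formula, which the post does not publish) that scores a constructed inventory in the Risk = Probability x Impact shape using the same kinds of signals listed above: per-CVE EPSS, device criticality, open plaintext ports, internet exposure and IP reputation. The multipliers, the port list and the inventory are all assumptions chosen for illustration.

```python
"""Per-asset risk prioritization in the Risk = Probability x Impact shape.
Added example with constructed data; the weights, the multipliers and the
inventory are assumptions, not Forescout's published formula."""
from dataclasses import dataclass, field

# Ports whose usual services carry credentials or data in the clear
# (assumption: a short illustrative list, not a full port-to-protocol map).
PLAINTEXT_PORTS = {21, 23, 80, 161}


@dataclass
class Cve:
    cvss: float   # severity, 0-10
    epss: float   # EPSS: probability of exploitation in the next 30 days, 0-1


@dataclass
class Asset:
    name: str
    criticality: int                      # 1 (disposable) .. 5 (safety/revenue critical)
    cves: list = field(default_factory=list)
    open_ports: list = field(default_factory=list)
    internet_exposed: bool = False
    bad_ip_reputation: bool = False       # seen talking to known-bad infrastructure


def exploit_probability(a: Asset) -> float:
    """P(some known CVE on the asset gets exploited), adjusted for exposure."""
    p_none = 1.0
    for c in a.cves:                      # assumes independent exploitation events
        p_none *= 1.0 - c.epss
    p = 1.0 - p_none
    if a.internet_exposed:                # reachable by anyone: assume 2x hazard
        p = min(1.0, p * 2.0)
    if set(a.open_ports) & PLAINTEXT_PORTS:   # extra unauthenticated surface: 1.5x
        p = min(1.0, p * 1.5)
    if a.bad_ip_reputation:               # already talking to bad infra: near-certain
        p = max(p, 0.9)
    return round(p, 4)


def impact(a: Asset) -> float:
    """Impact on a 0-1 scale, driven by what the asset does, not by CVSS."""
    return a.criticality / 5.0


def risk_score(a: Asset) -> float:
    """0-100: probability of compromise times business impact."""
    return round(exploit_probability(a) * impact(a) * 100, 1)


def rank_by_risk(assets, top_n=3):
    """The few assets to act on first, by the multi-factor score."""
    return [a.name for a in sorted(assets, key=risk_score, reverse=True)[:top_n]]


def rank_by_cvss(assets, top_n=3):
    """What a severity-only queue would surface, for comparison."""
    def worst(a):
        return max((c.cvss for c in a.cves), default=0.0)
    return [a.name for a in sorted(assets, key=worst, reverse=True)[:top_n]]


# Constructed inventory: hostnames and CVE scores are made up for the example.
INVENTORY = [
    Asset("infusion-pump-07", criticality=5,
          cves=[Cve(cvss=9.8, epss=0.02)], open_ports=[80]),
    Asset("web-dmz-01", criticality=3,
          cves=[Cve(cvss=8.1, epss=0.60), Cve(cvss=5.3, epss=0.10)],
          open_ports=[443], internet_exposed=True),
    Asset("printer-lobby", criticality=1,
          cves=[Cve(cvss=7.5, epss=0.90)], open_ports=[23, 9100]),
    Asset("hr-laptop-12", criticality=2, bad_ip_reputation=True),
]

if __name__ == "__main__":
    for a in INVENTORY:
        print(f"{a.name:18} p={exploit_probability(a):.2f} "
              f"impact={impact(a):.2f} risk={risk_score(a):5.1f}")
    print("by CVSS:", rank_by_cvss(INVENTORY))
    print("by risk:", rank_by_risk(INVENTORY))
```

On this inventory the CVSS-only queue puts the infusion pump first (CVSS 9.8, but EPSS 0.02 and no exposure), while the risk-based queue puts the internet-facing web host and the laptop already talking to bad infrastructure ahead of it. The point is not the exact weights, which any team would tune, but that exploit likelihood and exposure must enter the score alongside severity; the laptop has no CVE at all and still ranks second.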

What is a threat?

A cyber threat is anything that could exploit a vulnerability and cause harm. External threats are typically intentional and include malware, ransomware, phishing, denial of service (DoS), Man-in-the-Middle (MitM) attacks, SQL injection and zero-day exploits. Internal threats can be intentional (a data leak or other misuse of information by an authorized user) but are often unintentional and caused by end-user vulnerabilities (AKA human error). Examples include employees mistakenly or negligently clicking on links in emails or opening attachments that expose devices to threats they wouldn’t otherwise face. Repeated security training is the usual remediation for end-user vulnerabilities, but it should be backed by controls that don’t depend on every user getting it right every time, such as phishing-resistant multifactor authentication and attachment sandboxing.

Threats are constantly evolving as cyber criminals devise new ways to exploit vulnerabilities. Vedere Labs and other cybersecurity researchers provide actionable threat intelligence about how current exploits are behaving in the wild and whether there are known fixes.

What is a risk?

Risk is the potential for loss or damage in the event that a threat successfully exploits a vulnerability. That could be operational disruption, financial or data loss, a damaged reputation or legal consequences. A worst-case scenario may involve patient safety and loss of life. With its R4IoT proof-of-concept ransomware demonstration, Vedere Labs showed what could happen if an adversary were to exploit a vulnerability in an IP camera to gain access and move laterally in an IT network to impact the OT or IoMT networks, which in a hospital could affect life-sustaining equipment.

You can’t eliminate risk, but you can manage it at a level that satisfies your organization’s tolerance for risk. Is the probability of an exploit and its potential impact greater than your risk threshold? Is the cost of mitigation worth the benefit? Many of these are executive-level questions that don’t have quantitative answers. Still, there must be a conscious acknowledgment of the risk and willingness to accept it in pursuit of your business objectives.

And the biggest bucket is… “Other”

The “other” category includes the many security gaps, issues and practices beyond vulnerabilities and threats that also create risk. It includes the use of weak, default and blocklisted (known-breached) credentials, insecure authentication and communications, plain-text protocols and so on. None of these carry a CVE, so a scanner that only matches CVEs will never report them. Many security teams are so focused on securing the perimeter – even though their attack surface is now edgeless – that they overlook the scores of issues throughout their terrain that present real risk.
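Because these gaps have no CVE to match on, they have to be checked directly against what each service exposes. The following added Python example (illustrative, not Forescout’s or any product’s rule set) runs a few such checks over a constructed service inventory: plain-text protocols, default and blocklisted credentials, passwords below a length floor, and self-signed certificates. The default-credential set, the password blocklist and the inventory are small constructed stand-ins for the much larger lists a real tool would ship.

```python
"""Hygiene checks for the "other" bucket: default, weak and blocklisted
credentials, plain-text protocols and self-signed certificates, run over a
constructed service inventory. Added example; rules and data are assumptions."""

# Constructed: a handful of vendor defaults; real lists run to thousands.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"),
                       ("admin", "1234"), ("cisco", "cisco")}
# Constructed stand-in for a breached-password blocklist; "public"/"private"
# are the classic SNMP community-string defaults.
BLOCKLISTED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1",
                         "public", "private"}
# Protocols that carry credentials or data in the clear unless wrapped in TLS.
CLEARTEXT_PROTOCOLS = {"telnet", "ftp", "http", "snmpv1", "snmpv2c", "ldap", "smtp"}
MIN_PASSWORD_LEN = 12


def check_service(svc: dict) -> list:
    """Return the list of hygiene findings for one observed service."""
    findings = []
    proto = svc.get("protocol", "").lower()
    if proto in CLEARTEXT_PROTOCOLS and not svc.get("tls", False):
        findings.append(f"plaintext {proto} on port {svc['port']}")
    cred = svc.get("credential")          # (username, secret) the assessor obtained
    if cred:
        user, secret = cred
        if (user, secret) in DEFAULT_CREDENTIALS:
            findings.append(f"default credential {user}:{secret}")
        elif secret.lower() in BLOCKLISTED_PASSWORDS:
            findings.append("blocklisted password")
        elif len(secret) < MIN_PASSWORD_LEN:
            findings.append(f"weak password ({len(secret)} chars)")
    cert = svc.get("cert")
    if cert and cert["issuer"] == cert["subject"]:   # issuer == subject: self-signed
        findings.append("self-signed certificate")
    return findings


def audit(inventory) -> dict:
    """Map host -> findings, omitting hosts with nothing to report."""
    report = {}
    for svc in inventory:
        hits = check_service(svc)
        if hits:
            report.setdefault(svc["host"], []).extend(hits)
    return report


# Constructed inventory; hostnames and credentials are made up for the example.
INVENTORY = [
    {"host": "plc-line3", "port": 23, "protocol": "telnet",
     "credential": ("admin", "admin")},
    {"host": "cam-lobby-2", "port": 80, "protocol": "http", "tls": False,
     "credential": ("root", "Summer2022!")},
    {"host": "fileserver-01", "port": 443, "protocol": "https", "tls": True,
     "credential": ("svc_backup", "Tr0ub4dor&3-rotated-2022"),
     "cert": {"subject": "CN=fileserver-01", "issuer": "CN=fileserver-01"}},
    {"host": "switch-core", "port": 161, "protocol": "snmpv2c",
     "credential": ("", "public")},
    {"host": "jump-host", "port": 22, "protocol": "ssh",
     "credential": ("ops", "correct-horse-battery-staple")},
]

if __name__ == "__main__":
    for host, hits in audit(INVENTORY).items():
        print(host, "->", "; ".join(hits))
```

Only the SSH jump host comes back clean; the PLC on telnet with admin:admin and the switch answering to the SNMP “public” community are exactly the kind of findings that never appear in a CVE feed but that a threat-hunting engagement would report as risk.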

Another phrase for “other” may be lax security practices: not updating systems and applications regularly, forgoing regular employee cybersecurity training, failing to enforce security controls, having no process for patching, etc. To be sure, InfoSec teams are stretched and typically must manage dozens of siloed security products. Enter security automation: Forescout Continuum automatically and continuously helps to ensure that your security tools and controls are installed properly, running, up to date and communicating with each other.

Your mission, should you choose to accept it

At the end of a customer engagement, the Frontline team reports the vulnerabilities and risks we observed and leaves you with actionable intelligence to increase your cyber resilience – through patching, firewalls, segmentation and other controls. Based on your organization’s risk tolerance, you may choose to accept some of the risks and mitigate others. But once you have the report in hand, it’s harder to turn a blind eye and, in some cases, continue to ignore the basics.

What are you choosing to ignore in your environment?
