Threat - Vulnerability - Exploit - Risk
Threat
A threat is a hypothetical event that has the potential to cause damage to an organization’s business and other processes. Social engineering, phishing, DDoS, etc. are typical threats. A good example of a non-typical threat is leaving your data unprotected on your phone, which is later stolen and used for adversarial purposes.
Even though most threats involve an exploit, they mostly don’t cause any damage unless they are actualised by threat actors or hackers. Threat actors are people with a motive, such as cybercriminals (financially motivated hackers), hacktivists (cyber activists with a political motive), competitors, angry employees, etc.
Vulnerability
Vulnerability simply means a flaw, weakness or gap in a system. One of the major reasons behind vulnerabilities is mistakes made during the development process. These mistakes are usually referred to as bugs, which hackers use to compromise systems and computers. Not all bugs are tagged as vulnerabilities, but the ones that lead to the adverse outcomes of threats are registered by MITRE and assigned a CVE (Common Vulnerabilities and Exposures) identifier. Furthermore, vulnerabilities are also given a score under the Common Vulnerability Scoring System (CVSS), which indicates the severity of the vulnerability.
One of the best examples of a vulnerability is SQL injection. If a website has a SQL injection bug, hackers can inject malicious SQL code to take control of the website and steal data.
When it comes to vulnerabilities, penetration testing (pen testing) is a method of performing tasks on a system to find out which bugs are present and how serious they are. Simply put, it is hacking with prior permission and without causing any damage.
Exploit
An exploit is a step: the next step a hacker takes after finding a vulnerability. Simply put, it is how hackers leverage vulnerabilities. An exploit could be a piece of software, a command, a piece of code, or even a whole kit.
Risk
Just like its general definition, risk in cybersecurity has almost the same meaning: the probability of something bad happening combined with how bad it would be if it did happen. Simply put, it is the intersection of assets, threats, and vulnerabilities.
Risk is related to all the above terms. For example, if there is a threat but no vulnerability, or vice versa, then the chance of a bad impact (the risk) is either nil or low.