Saturday, March 29, 2014

Threats Vs Vulnerabilities

Week 3

Someone recently asked me what the difference was between a threat and a vulnerability.  That is honestly a good question.  The person asking mentioned that they thought the two were one and the same.  I asked their rationale, but did not get a good explanation of why they felt that way.  These two topics are not one and the same, but they should be discussed together when looking at the security of your business.

In all my studies, I found one definition that I really enjoyed for the word "threat".  Michael Whitman and Herbert Mattord define a threat as "a category of objects, persons, or other entities that represents a constant danger to an asset" (Whitman & Mattord, 2010).  In plain terms, a threat is something real that can cause harm to something you own, your asset.  Take your house as an example and apply that definition.  One of the biggest threats to your house is a natural disaster such as a tornado or flood.  Because it represents a constant danger to your house, it is a threat.  Need another example?  Let's use technology this time: your computer.  One of the biggest threats to your computer is an attacker, a person who spends their time trying to get into your computer.  The attacker is a threat whether or not they ever succeed; the danger is constant.

When it comes to vulnerabilities, I really haven't found a definition that I absolutely love.  There are many out there because the term covers several fields, not just technology.  One of the best I have found, and one that can be adapted to define vulnerability generally, is from TechRepublic writer Chad Perrin: a vulnerability is a flaw in a resource that can allow an attack on, or damage to, that resource (Perrin, 2009).  Look again at the house from the previous paragraph.  A vulnerability of a house could be that it was built with cheaper wood than other houses.  That wood could break more easily during a storm and cause the house to collapse.  The cheaper wood is the vulnerability; the storm is still the threat.  When it comes to your computer there are many types of vulnerabilities, but one of the most common that attackers find is a weak password.  A password short or common enough to be guessed is a computer vulnerability: the attacker does nothing new, the flaw simply lets their guessing succeed.
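To make the distinction concrete, here is a small Python example (added here; it is not code from the original post or from either cited source).  It simulates the threat, an attacker running a wordlist against a stored password hash, separately from the vulnerability, a password that the wordlist covers.  The wordlist, the PBKDF2 settings and the 12-character minimum are assumptions chosen for the example.

```python
import hashlib
import secrets
from typing import Iterable, Optional

# Constructed stand-in for the wordlists attackers actually use; real lists
# hold millions of entries, but the mechanics are the same.
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "welcome",
    "football", "abc123", "monkey", "dragon", "iloveyou",
]

# Hypothetical account-store settings chosen for this example.
PBKDF2_ITERATIONS = 50_000
MIN_PASSWORD_LENGTH = 12


def hash_password(password: str, salt: bytes) -> bytes:
    """Store passwords as salted PBKDF2-HMAC-SHA256 digests (standard library only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def dictionary_attack(stored_hash: bytes, salt: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """The threat: an attacker who already holds the hash and salt tries every
    entry in a wordlist.  Returns the recovered password, or None once the
    list is exhausted.  The attacker's behaviour is the same whatever the
    password is; only the outcome differs."""
    for guess in wordlist:
        if hash_password(guess, salt) == stored_hash:
            return guess
    return None


def is_weak(password: str, wordlist: Iterable[str] = COMMON_PASSWORDS,
            min_length: int = MIN_PASSWORD_LENGTH) -> bool:
    """The vulnerability check: does the password fall inside what the threat
    can reach?  Short passwords and anything on the common list are flagged."""
    return len(password) < min_length or password.lower() in wordlist


def attack_outcome(password: str) -> Optional[str]:
    """Simulate one account: hash the password with a fresh random salt, then
    run the threat against it.  Returns the guessed password if the attack
    succeeds, otherwise None."""
    salt = secrets.token_bytes(16)
    stored = hash_password(password, salt)
    return dictionary_attack(stored, salt, COMMON_PASSWORDS)


if __name__ == "__main__":
    for pw in ["password", "Tq7!vB2#mL9@pZ4"]:
        print(f"{pw!r}: weak={is_weak(pw)} cracked={attack_outcome(pw)}")
```

Run it and the common password is recovered while the strong one is not, even though the attack code, the threat, is identical in both cases.  Only the vulnerability changed, which is exactly why the two must be assessed separately.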

Realize that threats and vulnerabilities are everywhere, but they are also not one and the same.  Threats are the entities that can do the damage, while vulnerabilities are the flaws that let the damage occur.  You usually cannot remove a threat (the tornado, the attacker), but you can fix a vulnerability (better wood, a stronger password), so that is where your effort belongs.  When looking at your own threats and vulnerabilities, keep that in mind.  Hopefully, if you have had any questions about these two, this blog has helped you understand them a bit better.


References:

Perrin, C. (2009). Understanding risk, threat and vulnerability. TechRepublic. Retrieved March 29, 2014, from http://www.techrepublic.com/blog/it-security/understanding-risk-threat-and-vulnerability/

Whitman, M., & Mattord, H. (2010). Management of Information Security. Boston, MA: Course Technology, Cengage Learning.

Tuesday, March 18, 2014

Let's Just Use Wikipedia

I hear that many people use Wikipedia as a source to back them up.  In fact, the other day someone was trying to convince me on a given topic and I asked them what their source was.  He actually stated that he read it on Wikipedia.  I had to go into why he shouldn't trust that page fully.  He was unaware that anyone could change the information on the page.  Yes, there are links that people provide at the bottom to direct you to where they got their information, but is that credible?  The crazy thing is that in my current class I am asked to blog about credible sites within IT security that deal with threats, vulnerabilities and other general IT topics, so here I am.

Those who have read my blogs in the past are aware that I have been going to school for several years for IT.  There have been many papers written, but where do I get the information that I write about?  For one, I get it from my textbooks, but what happens when I need to get information off the Internet?  How do I know when a site is credible?  Over the years, I have grown to trust many sites, but I have also grown to keep away from some others.

Before I go into the credible sites, I will make a few points about two sites that I do not feel are credible.
  1. Wikipedia - If you use this site, use it as a starting point.  Definitions are normally OK, but I highly recommend that you check other sites because this site can be changed by anyone!  Yes, you and I can add anything we want to the site.  This makes Wikipedia not credible in my eyes.
  2. About.com - This site has some very good information, but in my view some of it is incomplete, and it could cost you valuable time having to search around to fill in the missing parts.
There are several sites that I have grown comfortable with when it comes to the topic of IT and that I know are very credible:
  1. Symantec - http://www.symantec.com/security_response/ - This site is run by the makers of Norton Security.  They continually update it with IT security information such as threats, vulnerabilities and risks, and the same research feeds the definitions the Norton product uses to defend your computer against known threats.
  2. Homeland Security - http://www.dhs.gov/topic/cybersecurity - This site is maintained by the government's Department of Homeland Security.  How much more credible can you get?  When it comes to the general topic of cybersecurity, this site has been there for me for the past few years.  They keep up with the topic and have many links available for anyone who wants to learn about it.
  3. Dark Reading - http://www.darkreading.com/ - This site has links to everything you can imagine on all topics of IT.  Professionals in the field have articles linked through this site.  In my opinion, this is the best site for finding general IT articles.
  4. CSO Online - http://www.csoonline.com/ - This site has information for the CSO (Chief Security Officer).  Even though the CSO role covers security in general, this site has many links that cross over into IT; data protection, business continuity, and identity and access topics are all covered.
  5. SC Magazine - http://www.scmagazine.com/ - Probably the best magazine site that discusses IT security.  It has blogs about IT security, and you can also read many whitepapers written by leading professionals.
I could go on and on when it comes to the credible sites that I use, but these are the ones I keep going back to.  They are connected with professionals in the field and they are maintained by highly credible businesses.  I honestly recommend these five sites to anyone trying to find information about IT.  The best advice I can give on whether a site is credible or not: if you recognize the site's name as that of an established business, it is probably a very credible site.