In my Information Security class this quarter, one of the topics we have gone over is the difference between a risk, a threat, and a vulnerability in a system. If you are looking to get into Network Security, it is important that you understand the difference between these terms. You do not want to end up misusing these words in conversation, because you will sound like the person who doesn't know their stuff. I will use this time to rant about a term that I hear misused – I have played piano for 10+ years, and I listen to a lot of contemporary piano music, and when someone hears it they say, "Oh, you like classical music?" I say yes, I do like classical music, but this isn't classical, and they just get confused. It is not classical unless the artist was transported back to the late 1700s, into the Classical era, and composed in that time period. Yes, the music shares similar qualities with classical music, and popular belief says that it is "classical," but technically it is not. This is just an example of a misused term and how off base it sounds to me. If you are around security professionals and swap threat, risk, and vulnerability, it will probably get under their skin as well.
First, here is a more formal explanation of threats vs. vulnerabilities. Then I have some funny analogies that I found at various sources on the web. These analogies might help you remember the terms a little better.
“In personal terms, a vulnerability is something that can happen to your system. For instance, your data is vulnerable to fire if you don’t have a protected backup somewhere. Your system may be vulnerable to a virus or Trojan if you don’t have an anti-virus program running. It also might be vulnerable if you don’t maintain security updates offered by your operating system vendor. Your system might be vulnerable to a hacker attack if you don’t run a firewall. Conversely, a hacker is a threat to your system, as is a virus or Trojan. There is a threat of data loss, or to be more specific, you could lose your important information including pictures, files, personal information from a fire, flood, weather, etc. Vulnerabilities and threats don’t have to be purely intrusion-related. A vulnerability can actually be something as simple as someone getting onto your computer that you didn’t plan on. A threat could be the likelihood that someone would get on and get sensitive information or do damage.” – Thomas Williams
“Imagine that you are going on a trip. While packing your suitcase, you realize that you need to bring some shampoo. Your shampoo has a flip top, not a screw top, and so you’re concerned that if you pack your bag too full, the airport baggage handlers might treat your bag roughly, exerting excess pressure on the bottle and popping the top. Shampoo could spurt all over your stuff!
In this scenario, you have a vulnerability (the flip-top shampoo bottle, which might not survive a good squeeze). The threat is that baggage handlers are not known for being gentle. The risk is that your clothes might get doused with shampoo." – David Bianco
“Imagine a lush green field of grass and clover, where bunnies frolic and play. These are cute white bunnies, with pink eyes. And the occasional black bunny, which inexplicably costs more. The bunnies in this field have no natural predators. The wolves don’t know about this field.
Now, picture a city cat that roams the streets, getting into fights, disappearing for days at a time. When it comes home, it’s missing a little more of its ear, or occasionally needs to be stitched up. If it gets into a fight, sometimes it wins, sometimes it loses. It will eventually be run over by a car. Its bloated carcass will be poked by children with sticks.
The bunnies are vulnerable. The kitty is vulnerable, and has threats.” – Ryan Russell