This post discusses what the following terms are and how they are interrelated with each other: asset, vulnerability (and weakness), threat, exploitation and payload.
Asset: Something that needs to be protected
An asset is something that is valuable to us and is a potential target for our enemies. In information security these assets tend to be digital, such as functions, data, records and communications.
Throughout the post, we take a real-life situation to explain the terminologies and their interrelation.
Let’s take a hypothetical scenario where the Government hosts a website for it to function. If the site goes down, the Government’s operations, including military communication, go down. The availability and proper functioning of the site is an asset to the Government.
Vulnerability: A weakness that is inherently present in a system
A vulnerability is already present in the system; it is introduced by a weakness in the system. Let me define a weakness as a limitation of the implementation, arising for various reasons.
Many say the American border is not fully secured, which gives way for illegal immigrants to cross the border into America.
I would rephrase the sentence as “The American border is vulnerable to illegal immigrants crossing. This vulnerability is due to the weakness arising from technological, financial, and other limitations in patrolling such a huge border.”
As one can see, I used weakness and vulnerability differently in the same sentence.
In information security we have the following:
CVE — Common Vulnerabilities and Exposures (public listing of vulnerabilities found in systems) — there is no practical end to this list
CWE — Common Weakness Enumeration (public listing of weaknesses found in systems) — limited in number
Vulnerability = System + Weakness
There is only a limited number of weaknesses across any system. A vulnerability is an instance of a weakness in a system.
An instance of a system is defined by the system itself. Suppose I have a login weakness. If I have various mobile applications (one for fitness, one for ordering food online and another for e-shopping), then this weakness might apply to each application, and wherever it applies it leads to a vulnerability of that application.
There is no upper limit to the number of applications that can be rolled out in an app store, and moreover we get different versions of the same application, which should be considered different instances of a system. So even though the weaknesses in mobile applications are limited in number, there is no limit to the vulnerabilities in mobile applications.
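The counting argument above can be made concrete. The following is an added example (not the post's own code) that models each CVE-style record as a weakness instantiated in one system version, with constructed placeholder records (the CVE IDs are not real; CWE-287 and CWE-79 are real weakness classes used only for illustration):

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    """One CVE-style record: a weakness (CWE) instantiated in a specific system version."""
    cve_id: str
    system: str   # the application
    version: str  # each version is a distinct instance of the system
    cwe_id: str   # the weakness class this vulnerability instantiates


# Constructed sample records (placeholder CVE IDs, not real assignments).
# CWE-287 = Improper Authentication (a "login weakness"), CWE-79 = cross-site scripting.
SAMPLE_RECORDS = [
    Vulnerability("CVE-0000-0001", "fitness-app", "1.0", "CWE-287"),
    Vulnerability("CVE-0000-0002", "fitness-app", "1.1", "CWE-287"),
    Vulnerability("CVE-0000-0003", "food-app", "2.3", "CWE-287"),
    Vulnerability("CVE-0000-0004", "shop-app", "5.0", "CWE-287"),
    Vulnerability("CVE-0000-0005", "shop-app", "5.0", "CWE-79"),
    Vulnerability("CVE-0000-0006", "food-app", "2.4", "CWE-79"),
]


def instances_by_weakness(records):
    """Map each weakness class to the set of (system, version) instances it appears in."""
    out = defaultdict(set)
    for r in records:
        out[r.cwe_id].add((r.system, r.version))
    return dict(out)


def summarize(records):
    """Return (distinct weaknesses, vulnerability instances, distinct systems per weakness)."""
    by_cwe = instances_by_weakness(records)
    systems_per_cwe = {cwe: len({s for s, _ in inst}) for cwe, inst in by_cwe.items()}
    return len(by_cwe), len(records), systems_per_cwe


def add_release(records, system, version, cwe_id, new_cve_id):
    """Shipping a new version that still carries a known weakness adds a vulnerability,
    but the number of weakness classes stays the same."""
    return records + [Vulnerability(new_cve_id, system, version, cwe_id)]


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
    grown = add_release(SAMPLE_RECORDS, "fitness-app", "1.2", "CWE-287", "CVE-0000-0007")
    print(summarize(grown))
```

Running it shows two weakness classes behind six vulnerabilities, and a seventh vulnerability appearing when a new app version ships without the same weakness class growing.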
Threat: Any event, organization or person that wants to damage our asset.
For any nation, a terrorist organization is a threat because they want to kill innocent people to shout out to the world that they exist.
For instance, an unfavorable event for the U.S. would be smuggling drugs, terrorists, and other illegal things into the country — this is a threat to the U.S. as it could harm the lives of many Americans.
Exploitation: Threat taking advantage of a vulnerability in the system
The terrorists can take advantage of the vulnerability in the border security between the U.S. and Mexico and smuggle something in. The threat group exploits the vulnerability in border security.
Payload: Contents delivered into the system by a threat using an exploit to cripple the system.
The threat groups use the exploit to deliver firearms and terrorists into the U.S., who then cause mayhem and disrupt the peace and harmony of the nation.
A payload is something delivered into the system in order to go deeper into the system and then launch an attack. A payload could be a keylogger used to gain the user’s passwords.
To put all the jargon together
A threat exploits a vulnerability in the system to deliver a payload. The payload can later be fired to destroy or disrupt the user’s asset and cause an impact.
Many might wonder why we use such painstakingly complex terminology just to save a few lines when expressing our thoughts.
Well, once we understand the role of each word and practice them often while expressing our thoughts, it is not so hard after all to talk in this gibberish. It becomes second nature to talk this way.
Another important point: when we talk this way during a conversation about information security at a table, the table has to share common standards and a common language irrespective of each person’s background.
This jargon keeps security experts together and also distinctly separate from others.
If one wants to enter the security table, knowing these words and their usage helps a lot when reading research papers, coming across articles on the internet, or following a meeting on information security in an organization.
My personal experience:
I had just graduated from college and started an information security job, and I had on-the-job training from my mentors to make me fit for the position.
On day 0, when I entered the office and read through the blogs, posts, and papers they suggested, I was blown away. I didn’t get a word. I understood they were saying something, but I couldn’t grasp it. It took some time for me to understand how people juggle these jargons to express their thoughts. The day I understood these words properly was just the icing on the cake for me.