studynotesandtheory


Risk, Threat, Threat Agent and Exposure

Ahmed Khatib
Sun, 06 Nov 2016 18:38:19 GMT

*Quick notes on Risk, Threat, Threat Agent and Exposure*

I hope this will be helpful.

Risk - Likelihood of a threat being realised. When someone says there is a Risk, it means there is a vulnerability and a threat. Suppose your organisation is using SSLv3. It has become a Risk now, since it has the POODLE vulnerability in it and there are threats from attackers. It wasn't a Risk in 2011 (before the POODLE vulnerability was found). Similarly, TLS is secure now, cos no vulnerability has been found in the TLS protocol, but there exists a threat from attackers. Still, it is not considered a Risk cos there is no vulnerability. Hence *Risk = Vulnerability + Threat + Asset*. Asset is anything valuable for an organisation.

*Threat* is like a pending attack. Anything which can harm your asset is a Threat. It could be a natural or man-made threat.

*Threat Agent* - Medium used to carry out an attack by a threat.

*Exposure* is nothing but a breach. A compromise in any of the CIA triad is an exposure.

Ahmed Khatib
Sun, 06 Nov 2016 18:51:03 GMT

Slight correction in the formula: Hence Risk = Vulnerability * Threat * Asset.

kannan30muthiah
Sun, 06 Nov 2016 18:51:58 GMT

Suppose, if I use a webserver with IIS server 6.0, then the threat is the attacker, the threat agent is the IIS server, the vulnerability is a weakness in the IIS server and the risk is compromise of the server. Am I getting things right?

Ahmed Khatib
Sun, 06 Nov 2016 18:52:42 GMT

> @Ahmed Khatib Slight correction in the formula: Hence Risk = Vulnerability x Threat x Asset.

Ahmed Khatib
Sun, 06 Nov 2016 18:55:01 GMT

Threat Agent is not the IIS server. It is the medium/tool/technique used to carry out the attack. Threat Agent: How was the server compromised? By the use of SQL Injection or CSRF or XSS. Hope it is clear.

kannan30muthiah
Sun, 06 Nov 2016 18:55:41 GMT

Perfect, got it, thanks.