In the last article that I wrote, we focused on the language of Cybersecurity. I discussed how important it is for us to use a common language that all (technical and non-technical) can understand. Specifically, I wrote about three terms that get used a LOT and often in the incorrect context: risks, threats, and vulnerabilities. I focused that article on a discussion around vulnerabilities. This month, I would like to revisit that thread, but instead discuss threats.
We defined vulnerabilities as a flaw or a weakness, so I think it is important to start by defining what a threat is. For this, I went to the Computer Security Resource Center (CSRC) glossary so our definition could be authoritative. The CSRC defines a threat as “Any circumstance or event with the potential to adversely impact organizational operations OR the potential for a threat-source to successfully exploit a particular information system vulnerability.”[i] Since that might sound a bit technical or challenging, I like to simplify it a bit and think of vulnerabilities as weaknesses and threats as the ability to exploit weaknesses.
If we look at things through that lens, we can consider that both of those concepts likely involve a human component. If we consider the latest Cyber alerts around SolarWinds (which have filled the news and our inboxes for weeks now), the vulnerability is that software provided by SolarWinds has been manipulated to provide bad guys potential access to networks and information that they would otherwise not have access to. The human component to the vulnerability involved here is the hackers (suspected to be Russian by media accounts) who altered the software that SolarWinds provides to its customers. But the vulnerability only provides opportunity. The threat is that the vulnerability will be exploited. The threat landscape is broad with the SolarWinds attack, because SolarWinds is used by so many organizations. The human component to the threat involved here is what we call threat actors, or “bad guys” who might leverage the vulnerability for gain. That gain could be in gathering information that can be used for financial gain or even for darker efforts (there are some concerns that Russian intelligence gathering could use information harvested from Department of Energy systems, for example, to be able to affect how electric power is provided (or not) throughout the United States).
Being aware that threat levels are heightened can be very important. Consider this as similar to watching the weather. If you watch the weather and are told that it's going to rain, you might avoid being caught outside on a long walk in a downpour. Similarly, realizing that threats exist and being aware of the specific threats can help us plan and act accordingly. One site that I like a lot, and that is easy to digest and review, is the Cybersecurity Threat page hosted by the Center for Internet Security (CIS).[ii] A quick review of this site (snapshot below) shows the current Alert level, based on the analysis of the folks at CIS:
Information on their site explains why the alert level is set as Guarded now and references the SolarWinds vulnerabilities. Thus, if you are a user of SolarWinds, you can be aware and act appropriately. Cybersecurity can be scary. But if we start to break it into smaller pieces and understand what makes up the ecosystem, we can make strides toward better protecting and defending our use of important technology resources.
So, should you feel threatened? Maybe a little, but use that knowledge to better prepare!
Good luck and be safe,
Allen Jenkins, CISO