10 The Basics of Information Security

Threats, Vulnerabilities, and Risk

In order to be able to speak more specifically on attacks, we need to introduce a few new items of terminology. When we look at the potential for a particular attack to affect us, we can speak of it in terms of threats, vulnerabilities, and the associated risk that might accompany them.

Threats

When we spoke of the types of attacks we might encounter, in the "Attacks" section earlier in this chapter, we discussed some of the things that have the potential to cause harm to our assets. Ultimately, this is what a threat is: something that has the potential to cause us harm. Threats tend to be specific to certain environments, particularly in the world of information security. For example, although a virus might be problematic on a Windows operating system, the same virus will be unlikely to have any effect on a Linux operating system.

Vulnerabilities

Vulnerabilities are weaknesses that can be used to harm us. In essence, they are holes that can be exploited by threats in order to cause us harm. A vulnerability might be a specific operating system or application that we are running, a physical location where we have chosen to place our office building, a data center that is populated over the capacity of its air-conditioning system, a lack of backup generators, or other factors.

Risk

Risk is the likelihood that something bad will happen. In order for us to have a risk in a particular environment, we need to have both a threat and a vulnerability that the specific threat can exploit. For example, if we have a structure that is made from wood and we set it on fire, we have both a threat (the fire) and a vulnerability that matches it (the wood structure). In this case, we most definitely have a risk.

Likewise, if we have the same threat of fire, but our structure is made of concrete, we no longer have a credible risk, because our threat does not have a vulnerability to exploit. We can argue that a sufficiently hot flame could damage the concrete, but this is a much less likely event.

We will often have similar discussions regarding potential risk in computing environments, and potential, but unlikely, attacks that could happen. In such cases, the best strategy is to spend our time mitigating the most likely attacks. If we sink our resources into trying to plan for every possible attack, however unlikely, we will spread ourselves thin and will be lacking in protection where we actually need it the most.

Impact

Some organizations, such as the U.S. National Security Agency (NSA), add an additional factor to the threat/vulnerability/risk equation, in the form of
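The threat/vulnerability pairing rule from the Risk section above, as a small risk register, is shown below. This is an added example written for this page, not code from the book or its author. The inventory (a Windows virus, a Linux build server, ordinary and very hot fires, a wooden warehouse, a concrete data center), the weakness tags, and the likelihood and impact numbers are all constructed for illustration. The ranking score multiplies a threat's estimated likelihood by the asset's impact, which is an assumption here that anticipates the impact factor the next section introduces; the matching rule itself (no shared exploitable weakness means no risk) is the one the text states.

```python
from dataclasses import dataclass

# Hypothetical inventory constructed for this example; none of the names or
# numbers below come from the book. Weakness "tags" are the link between a
# threat and a vulnerability: a threat only produces a risk where an asset
# carries a tag that the threat knows how to exploit.


@dataclass(frozen=True)
class Threat:
    """Something with the potential to cause harm, and the weaknesses it can exploit."""
    name: str
    exploits: frozenset          # weakness tags this threat can take advantage of
    likelihood: float            # estimated chance of occurring in the period, 0..1


@dataclass(frozen=True)
class Vulnerability:
    """An exploitable weakness in one of our assets."""
    asset: str
    weaknesses: frozenset        # tags describing how the asset can be harmed
    impact: float                # severity of a successful exploit, 0..1 (assumed scale)


@dataclass(frozen=True)
class Risk:
    """A threat paired with a vulnerability it can actually exploit."""
    threat: str
    asset: str
    via: frozenset               # the weakness tag(s) that made the pair match
    score: float                 # likelihood * impact, used only for ranking


THREATS = (
    Threat("Windows file-infector virus", frozenset({"windows"}), likelihood=0.60),
    Threat("ordinary building fire", frozenset({"combustible"}), likelihood=0.05),
    # A flame hot enough to damage concrete: possible, but far less likely.
    Threat("sustained high-temperature fire", frozenset({"combustible", "concrete"}),
           likelihood=0.002),
)

VULNERABILITIES = (
    Vulnerability("accounting workstation", frozenset({"windows"}), impact=0.5),
    Vulnerability("build server", frozenset({"linux"}), impact=0.8),
    Vulnerability("wooden warehouse", frozenset({"combustible"}), impact=0.9),
    Vulnerability("concrete data center", frozenset({"concrete"}), impact=1.0),
)


def matching_risks(threats, vulnerabilities):
    """One Risk per (threat, vulnerability) pair that actually matches, highest score first."""
    risks = []
    for t in threats:
        for v in vulnerabilities:
            via = t.exploits & v.weaknesses
            if via:  # no shared tag -> the threat has nothing to exploit -> no risk
                risks.append(Risk(t.name, v.asset, via, round(t.likelihood * v.impact, 6)))
    return sorted(risks, key=lambda r: r.score, reverse=True)


def unexposed_assets(vulnerabilities, risks):
    """Assets that carry a weakness no listed threat can exploit (the Linux box vs. a Windows virus)."""
    exposed = {r.asset for r in risks}
    return [v.asset for v in vulnerabilities if v.asset not in exposed]


def mitigation_plan(risks, min_score):
    """Split risks into those worth spending on and those accepted rather than planned for."""
    act = [r for r in risks if r.score >= min_score]
    accept = [r for r in risks if r.score < min_score]
    return act, accept


if __name__ == "__main__":
    risks = matching_risks(THREATS, VULNERABILITIES)
    for r in risks:
        print(f"{r.score:8.4f}  {r.threat!r} -> {r.asset!r} via {sorted(r.via)}")
    print("no credible threat:", unexposed_assets(VULNERABILITIES, risks))
    act, accept = mitigation_plan(risks, min_score=0.01)
    print("mitigate:", [(r.threat, r.asset) for r in act])
    print("accept:  ", [(r.threat, r.asset) for r in accept])
```

Running it lists four risks: the virus against the workstation ranks first, the ordinary fire against the wooden warehouse second, and the two high-temperature-fire pairings (against the data center and the warehouse) fall below the cutoff and are accepted rather than planned for. The build server appears under "no credible threat": it has a weakness tag, but nothing in the threat list can exploit it, which is the Windows-virus-on-Linux case from the Threats section.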