Question

NIST SP 800-30 is a National Institute of Standards and Technology publication that includes the following terms, which relate to the potential harm an organization might sustain when threats exploit vulnerabilities: very high, high, moderate, low, and very low. The terms are defined in the course textbook in section “Threats, Vulnerabilities, and Impact.” Research a well-known company, and identify at least one example for each term.  

Answer 1

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
promotes the U.S. economy and public welfare by providing technical leadership for the nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof-of-
concept implementations, and technical analyses to advance the development and productive use of
information technology. ITL’s responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in federal computer systems. The Special Publication 800-series
reports on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative
activities with industry, government, and academic organizations.

Threat:

A threat is the potential for a particular threat-source to successfully exercise a particular
vulnerability. A vulnerability is a weakness that can
be accidentally triggered or intentionally exploited. A
threat-source does not present a risk when there is no Threat: The potential for a threat-
vulnerability that can be exercised

Common Threat-Sources
Natural Threats—Floods, earthquakes, tornadoes,
landslides, avalanches, electrical storms, and other such
events.
Human Threats—Events that are either enabled by or
caused by human beings, such as unintentional acts
(inadvertent data entry) or deliberate actions (network
based attacks, malicious software upload, unauthorized
access to confidential information).
Environmental Threats—Long-term power failure,
pollution, chemicals, liquid leakage.

Vulnerability:

a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness

presents examples of vulnerability/threat pairs.

For your home, your vulnerability is that you don't have bars or security screens on your windows. This is a vulnerability, as unscrupulous people can easily break the window and gain entry into your home. It's a gap in your protection.

Other examples of vulnerability include these:

• A weakness in a firewall that lets hackers get into a computer network
• Unlocked doors at businesses, and/or
• Lack of security cameras

All of these represent a weakness that can be used by others to hurt a business or any other asset that you care about. Actually, your business is considered one of your assets. All of your supplies, materials, and finished products for your business are all assets, too.

3. Impact:

The next major step in measuring level of risk is to determine the adverse impact resulting from
a successful threat exercise of a vulnerability. Before beginning the impact analysis, it is
necessary to obtain the following necessary information

Therefore, the adverse impact of a security event can be described in terms of loss or degradation
of any, or a combination of any, of the following three security goals: integrity, availability, and
confidentiality. The following list provides a brief description of each security goal and the
consequence (or impact) of its not being met:
• Loss of Integrity. System and data integrity refers to the requirement that
information be protected from improper modification. Integrity is lost if unauthorized
changes are made to the data or IT system by either intentional or accidental acts. If
the loss of system or data integrity is not corrected, continued use of the contaminated
system or corrupted data could result in inaccuracy, fraud, or erroneous decisions.
Also, violation of integrity may be the first step in a successful attack against system
availability or confidentiality. For all these reasons, loss of integrity reduces the
assurance of an IT system.
• Loss of Availability. If a mission-critical IT system is unavailable to its end users,
the organization’s mission may be affected. Loss of system functionality and
operational effectiveness, for example, may result in loss of productive time, thus
impeding the end users’ performance of their functions in supporting the
organization’s mission.
• Loss of Confidentiality. System and data confidentiality refers to the protection of
information from unauthorized disclosure. The impact of unauthorized disclosure of
confidential information can range from the jeopardizing of national security to the
disclosure of Privacy Act data. Unauthorized, unanticipated, or unintentional
disclosure could result in loss of public confidence, embarrassment, or legal action
against the organization.