NIST SP 800-30 is a National Institute of Standards and Technology publication that includes the following terms, which relate to the potential harm an organization might sustain when threats exploit vulnerabilities: very high, high, moderate, low, and very low. The terms are defined in the course textbook in section “Threats, Vulnerabilities, and Impact.” Research a well-known company, and identify at least one example for each term.
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof-of-concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. The Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.
Threat:
A threat is the potential for a particular threat-source to successfully exercise a particular vulnerability. A vulnerability is a weakness that can be accidentally triggered or intentionally exploited. A threat-source does not present a risk when there is no vulnerability that can be exercised.
Common Threat-Sources
Natural Threats—Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
Human Threats—Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential information).
Environmental Threats—Long-term power failure, pollution, chemicals, liquid leakage.
Vulnerability:
A vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness.
presents examples of vulnerability/threat pairs.
For your home, your vulnerability is that you don't have bars or security screens on your windows. This is a vulnerability, as unscrupulous people can easily break the window and gain entry into your home. It's a gap in your protection.
Other examples of vulnerability include these:
All of these represent a weakness that can be used by others to hurt a business or any other asset that you care about. Actually, your business is considered one of your assets. All of your supplies, materials, and finished products for your business are all assets, too.
Impact:
The next major step in measuring level of risk is to determine the adverse impact resulting from a successful threat exercise of a vulnerability. Before beginning the impact analysis, it is necessary to obtain the following necessary information:
Therefore, the adverse impact of a security event can be described in terms of loss or degradation of any, or a combination of any, of the following three security goals: integrity, availability, and confidentiality. The following list provides a brief description of each security goal and the consequence (or impact) of its not being met:
• Loss of Integrity. System and data integrity refers to the requirement that information be protected from improper modification. Integrity is lost if unauthorized changes are made to the data or IT system by either intentional or accidental acts. If the loss of system or data integrity is not corrected, continued use of the contaminated system or corrupted data could result in inaccuracy, fraud, or erroneous decisions. Also, violation of integrity may be the first step in a successful attack against system availability or confidentiality. For all these reasons, loss of integrity reduces the assurance of an IT system.
• Loss of Availability. If a mission-critical IT system is unavailable to its end users, the organization’s mission may be affected. Loss of system functionality and operational effectiveness, for example, may result in loss of productive time, thus impeding the end users’ performance of their functions in supporting the organization’s mission.
• Loss of Confidentiality. System and data confidentiality refers to the protection of information from unauthorized disclosure. The impact of unauthorized disclosure of confidential information can range from the jeopardizing of national security to the disclosure of Privacy Act data. Unauthorized, unanticipated, or unintentional disclosure could result in loss of public confidence, embarrassment, or legal action against the organization.
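The following is an added worked example, not code from the page or from NIST, that ties the threat-source categories and the impact discussion above together: each threat-source/vulnerability pair is rated for loss of confidentiality, integrity and availability on the five-term scale named in the question, the impact of the pair is taken as the worst of those three losses (the text says impact is loss of any, or a combination, of the three goals), and likelihood is combined with impact to give a risk level. The RISK_MATRIX lookup table and the SAMPLE_REGISTER entries are constructed for illustration; the matrix is an assumption and is not the table printed in NIST SP 800-30, so an organization would substitute its own approved table.

```python
"""Worked risk-rating example (added illustration; not the page's or NIST's code).

Assumptions:
  * LEVELS is the five-term scale named in the question (very low .. very high).
  * RISK_MATRIX is a constructed likelihood x impact lookup for illustration;
    it is NOT the table printed in NIST SP 800-30.
  * SAMPLE_REGISTER entries are constructed sample data.
"""
from dataclasses import dataclass

LEVELS = ["very low", "low", "moderate", "high", "very high"]  # ordinal, low -> high


def _index(level: str) -> int:
    """Ordinal position of a level name; rejects anything outside the scale."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


# Constructed lookup: RISK_MATRIX[likelihood][impact index] -> risk level.
# Columns run from very low to very high impact, matching LEVELS order.
RISK_MATRIX = {
    "very high": ["very low", "low", "moderate", "high", "very high"],
    "high":      ["very low", "low", "moderate", "high", "very high"],
    "moderate":  ["very low", "low", "moderate", "moderate", "high"],
    "low":       ["very low", "very low", "low", "moderate", "moderate"],
    "very low":  ["very low", "very low", "very low", "low", "low"],
}


@dataclass(frozen=True)
class ThreatVulnPair:
    """One threat-source / vulnerability pair with its rated consequences."""
    threat_source: str
    vulnerability: str
    likelihood: str  # how likely the threat-source is to exercise the vulnerability
    loss_of_confidentiality: str
    loss_of_integrity: str
    loss_of_availability: str


def impact_level(pair: ThreatVulnPair) -> str:
    """Adverse impact is loss of any (or a combination) of the three goals,
    so the pair is rated by the worst single loss among C, I and A."""
    losses = (pair.loss_of_confidentiality, pair.loss_of_integrity, pair.loss_of_availability)
    return max(losses, key=_index)


def risk_level(pair: ThreatVulnPair) -> str:
    """Combine likelihood with impact through the (constructed) lookup table."""
    _index(pair.likelihood)  # validate the likelihood term before using it as a key
    return RISK_MATRIX[pair.likelihood][_index(impact_level(pair))]


def rank_register(pairs):
    """Highest risk first, so treatment effort goes to the worst pairs."""
    return sorted(pairs, key=lambda p: _index(risk_level(p)), reverse=True)


# Constructed sample register: one pair per threat-source category from the text.
SAMPLE_REGISTER = [
    ThreatVulnPair("human (deliberate)", "unpatched internet-facing application exposes customer records",
                   likelihood="high", loss_of_confidentiality="very high",
                   loss_of_integrity="moderate", loss_of_availability="low"),
    ThreatVulnPair("natural (flood)", "data centre equipment installed at ground level",
                   likelihood="low", loss_of_confidentiality="very low",
                   loss_of_integrity="low", loss_of_availability="high"),
    ThreatVulnPair("human (unintentional)", "no input validation on manual order entry",
                   likelihood="moderate", loss_of_confidentiality="very low",
                   loss_of_integrity="moderate", loss_of_availability="very low"),
    ThreatVulnPair("environmental (long-term power failure)", "no backup generator at the office",
                   likelihood="very low", loss_of_confidentiality="very low",
                   loss_of_integrity="very low", loss_of_availability="very high"),
]

if __name__ == "__main__":
    for p in rank_register(SAMPLE_REGISTER):
        print(f"{risk_level(p):9s} risk | impact {impact_level(p):9s} | {p.threat_source}: {p.vulnerability}")
```

Running the block ranks the four constructed pairs from very high risk (the deliberate human threat against an exposed application) down to low risk (the power failure, whose very high availability impact is tempered by its very low likelihood); the point of the ordinal `max` over the three losses is that a single catastrophic loss in one goal is never averaged away by low ratings in the other two.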