Hello friends
I'll just try to explain a few terms from Chapter 1 of ISCA in layman's language.
Definitions
1) Threat: An action or event that could have a negative impact on the assets.
e.g. Real-world asset threats like theft / modification / destruction of assets etc., and cyber-world asset threats like denial of service / hacking etc.
2) Attack: Exploitation of a vulnerability by a threat agent.
e.g. Real-world example: a thief robbing articles from a house. What does he do? He (the threat agent) tries to exploit a vulnerability (e.g. the watchman is asleep / the windows are open etc.).
In simple words, Attack = Motive + Method + Vulnerability.
3) Vulnerability: A weakness in the system safeguards that potentially allows threats to exploit the system.
e.g. Continuing our previous example, the vulnerability is the watchman falling asleep / the windows remaining open, which invites the attention of threat agents (thieves) to exploit (theft) the system (i.e. the house).
4) Risk: Likelihood that a particular threat will exploit a particular vulnerability to cause harm to an asset.
e.g. The probability that the watchman will be asleep or a window might remain open during the particular time period under consideration (i.e. suppose the watchman was asleep for 3-4 days during the last 6 months, so the probability will be 4/180).
5) Asset (in layman's language, the motive): A tangible or intangible thing of value to the organisation, i.e. the existence / smooth functioning of the enterprise depends on its assets.
e.g. The asset in our example is the article, the value of which depends on its importance to the owner (i.e. a vintage piece with high value, or an artistic piece with moderate value compared to other articles).
6) Exposure: Extent of loss (both financial loss and loss of time) that will result if the risk materialises.
e.g. Exposure is when the watchman was asleep / the window was open, and the thief, taking note of this, robbed the article.
7) Safeguard / Countermeasure: Anything which removes the vulnerability and/or protects against one or more specific threats.
e.g. Employing two watchmen, or appointing a caretaker to check whether the windows are closed, etc.
8) Residual risk: Any risk still remaining after the countermeasures are applied (same concept as in auditing).
9) Exploit: A defined way to breach security through a vulnerability.
Was it useful in understanding the concepts?
Any query relating to the above?
Any request for simplification of any topic from any chapter of ISCA (max 3 topics cumulatively, based on demand)?
(Kindly let me know in the comments below.)