There are many dangers in the IT world, and we are often exposed to them without knowing it. It is important that we are aware of how they can affect us, both personally and in our businesses. To do this, it is necessary to understand the meaning of some key information security concepts.
Vulnerability analysis is the process of identifying weaknesses in different information systems. A number of tools are available for this purpose, and carrying it out requires expertise in the field.
Information is a set of processed data that changes the state of knowledge and is therefore the basis for decision-making.
By information security we refer mainly to the integrity, availability and confidentiality of information. The objective of security is to preserve these three pillars.
In the corporate world, information security is used to protect the data an organisation collects and manages. Information is a key resource for businesses, so effectively managing its processing, storage and transmission is critical.
Information security is regulated, for example, by ISO 27001, among other regulations and frameworks. This standard provides for assuring the confidentiality and integrity of information, as well as of the systems that process it.
For its part, implementing the ISO 27001:2013 standard for Information Security Management Systems makes it possible to assess risks and the controls needed to mitigate them.
A vulnerability is a weakness or flaw in an information system that opens the door for an attacker or an unintended situation to compromise the integrity, availability or confidentiality of data.
In other words, they are the conditions and characteristics of an organisation's systems that make it susceptible to threats. Vulnerabilities have different origins, such as configuration errors, design flaws or procedural flaws.
A threat is an action that exploits a vulnerability to compromise the security of an information system.
Risk is the likelihood that a threat will exploit the vulnerability of an information asset and thereby damage an organisation.
Thus, managing risks is fundamental to managing information security efficiently and responsibly.
How do we measure vulnerability?
If we do not know about a vulnerability, we cannot define its severity, so we must first identify it. To measure the severity of known vulnerabilities, there is the Common Vulnerability Scoring System (CVSS). This scoring system allows us to calculate the impact that a given vulnerability will have if it is exploited.
The CVSS classifies the vulnerability according to the parameter it affects: privacy, availability, confidentiality, among others. It also considers the access vector, the complexity of carrying out the exploitation, whether authentication is required, and so on.
What can we do about vulnerabilities?
As with most information security issues, our best tool is prevention. In this case, my recommendation is to systematise, identify, measure and act.
How can this be done?
- Value our information assets: know which are the most important.
- Study and analyse the vulnerabilities of our systems.
- Identify threats and how they would impact the business.
- Take action on the basis of the analysis: accept the risk or make changes to mitigate it.
- Review these steps periodically.
Daniel Alano, Product Line Analyst at Networking & Security.