Security: Threats & Vulnerabilities

A security “threat” is what triggers a loss. A “vulnerability” is the weakness used to generate the loss. Without the trigger, the weakness would remain dormant. Without the weakness, there is nothing to trigger.

Threats

Adversarial threat categories include:

  • Advanced Persistent Threats (APTs) – generally linked to nation states
  • Criminal syndicates and organised crime – often loosely linked networks of specialised “freelancers”; the motivation is financial
  • “Script kiddies” – low-skilled individuals running pre-packaged exploits (scripts), generally motivated by the wish to make a personal impact on something (“vandalism”)
  • “Hacktivists” – individuals working towards what they see as some social goal, generally not in it for the money.

Threat actors do not normally openly identify themselves. Instead they are identified by their common “tactics, techniques and procedures” (TTPs): successful attacks are analysed and, where there is a common “signature”, they are assigned to the same threat actor.

There are public databases of threat actors. For example, MITRE’s ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) can be found at

https://attack.mitre.org/

The record for APT29 (aka Cozy Bear), to whom the Democratic Party email leaks of 2016 and the SolarWinds attack of 2021 have been attributed, can be found here:

https://attack.mitre.org/groups/G0016/

Vulnerabilities

Vulnerabilities, the weaknesses that lead to “loss”, can be physical (an unlocked door), organisational (poor skills, bad procedures) or human (staff with heavy debts bribed).

Some of the more common system vulnerabilities include:

  • Open network ports & services
  • Insecure root accounts
  • Default account passwords
  • Default service settings
  • Unpatched systems
  • Configuration errors
  • Open permissions (e.g. chmod 777)
  • Use of insecure protocols (Telnet / FTP)
  • Weak encryption (e.g. 1024-bit RSA, DES)
  • Weak passwords
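Two of the items above, open permissions and insecure cleartext protocols, can be checked for directly on a host. The script below is an added example written for this page, not part of the original text: it scans a directory tree for anything world-writable (the effect of chmod 777) and parses lines in the shape of `ss -ltn` output to flag listeners on the Telnet and FTP ports. The directory tree and the `ss` output are constructed sample data, and the port-to-protocol mapping assumes those ports carry the usual service.

```python
import os
import stat
import tempfile

# Ports conventionally used by the cleartext protocols named on the page.
# Assumption: a listener on one of these ports is that protocol and not
# some other service reusing the port number.
INSECURE_SERVICE_PORTS = {21: "FTP", 23: "Telnet"}

# Constructed sample in the layout of `ss -ltn` (header, then one row per
# listening TCP socket). Not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       5       0.0.0.0:23           0.0.0.0:*
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*
LISTEN  0       511     [::]:443             [::]:*
"""


def find_world_writable(root):
    """Return paths under `root` whose mode grants write access to 'other'.

    chmod 777 sets the S_IWOTH bit, which is the condition tested here.
    Symbolic links are skipped rather than followed.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def insecure_listeners(ss_output):
    """Return (port, protocol) pairs for LISTEN rows on cleartext-service ports."""
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # header line or a non-listening socket
        local = parts[3]  # e.g. "0.0.0.0:23" or "[::]:443"
        port = int(local.rsplit(":", 1)[1])
        if port in INSECURE_SERVICE_PORTS:
            findings.append((port, INSECURE_SERVICE_PORTS[port]))
    return findings


def make_demo_tree():
    """Create a throwaway directory holding one world-writable file and one
    correctly restricted file (constructed test data); returns (root, bad, good)."""
    root = tempfile.mkdtemp(prefix="perm-audit-")
    bad = os.path.join(root, "shared.sh")
    good = os.path.join(root, "config.ini")
    for path in (bad, good):
        with open(path, "w") as fh:
            fh.write("# constructed sample file\n")
    os.chmod(bad, 0o777)   # the "open permissions" case
    os.chmod(good, 0o644)  # owner-writable only
    return root, bad, good


if __name__ == "__main__":
    root, bad, good = make_demo_tree()
    print("world-writable:", find_world_writable(root))
    print("insecure listeners:", insecure_listeners(SAMPLE_SS_OUTPUT))
```

On a real host the `root` argument would be a path such as a web root or a shared data directory, and `SAMPLE_SS_OUTPUT` would be replaced by the captured output of `ss -ltn`; the checks themselves do not change.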

Vulnerability Databases

A specific type of system vulnerability is a software vulnerability: software that has been found to have some flaw that can be used to produce unintended behaviour. Typically, when such a flaw has been uncovered, a new version of the software is produced without the flaw, and all running instances of the software should be updated to use the new version.

There are databases of software vulnerabilities that can be used to determine whether you are running software with a known flaw. What could be considered the master list is the Common Vulnerabilities and Exposures (CVE) database, held by MITRE.

https://www.cve.org/

For example, there is an entry for the Log4j vulnerability, which had a high impact in 2021 because the library is embedded in so many other software products.
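Determining "whether you are running software with a known flaw" comes down to comparing an installed-software inventory against the affected-version rules in a vulnerability record. The example below is added for this page and is not MITRE's code or a real CVE entry: the record is a constructed dictionary laid out like the `cveMetadata` / `containers.cna.affected` sections of a CVE JSON record, the CVE id is a placeholder, and the vendor, product and inventory are invented. It handles the exact-version and half-open range (`lessThan` / `lessThanOrEqual`) forms of an affected-version entry.

```python
# Constructed record in the layout of a CVE JSON record. The id is a
# placeholder; nothing here describes a real product or a real CVE.
SAMPLE_CVE_RECORD = {
    "cveMetadata": {"cveId": "CVE-YYYY-NNNNN"},
    "containers": {
        "cna": {
            "affected": [
                {
                    "vendor": "example-vendor",
                    "product": "example-logger",
                    "versions": [
                        # every release from 2.0.0 up to, but not including, 2.15.0
                        {"version": "2.0.0", "status": "affected",
                         "lessThan": "2.15.0", "versionType": "semver"},
                        # one specific old release, listed on its own
                        {"version": "1.2.17", "status": "affected",
                         "versionType": "semver"},
                    ],
                }
            ]
        }
    },
}

# Constructed inventory of what hosts report as installed: (vendor, product, version).
SAMPLE_INVENTORY = [
    ("example-vendor", "example-logger", "2.14.1"),   # inside the affected range
    ("example-vendor", "example-logger", "2.17.0"),   # patched release
    ("example-vendor", "example-logger", "1.2.17"),   # exact-version match
    ("other-vendor", "example-logger", "2.14.1"),     # same name, different vendor
]


def parse_version(text):
    """Turn a dotted numeric version into a comparable tuple, e.g. '2.14.1' -> (2, 14, 1)."""
    return tuple(int(part) for part in text.split("."))


def version_matches(installed, rule):
    """True if `installed` is covered by one affected-version rule.

    A rule with `lessThan` covers [version, lessThan); one with
    `lessThanOrEqual` covers [version, lessThanOrEqual]; a rule with neither
    covers exactly `version`. Rules whose status is not "affected" never match.
    """
    if rule.get("status") != "affected":
        return False
    have = parse_version(installed)
    start = parse_version(rule["version"])
    if "lessThan" in rule:
        return start <= have < parse_version(rule["lessThan"])
    if "lessThanOrEqual" in rule:
        return start <= have <= parse_version(rule["lessThanOrEqual"])
    return have == start


def affected_installs(record, inventory):
    """Return (vendor, product, version, cve_id) for each inventory item the record affects."""
    cve_id = record["cveMetadata"]["cveId"]
    findings = []
    for entry in record["containers"]["cna"]["affected"]:
        for vendor, product, version in inventory:
            if vendor != entry["vendor"] or product != entry["product"]:
                continue  # vendor and product must both match, not just the name
            if any(version_matches(version, rule) for rule in entry["versions"]):
                findings.append((vendor, product, version, cve_id))
    return findings


if __name__ == "__main__":
    for finding in affected_installs(SAMPLE_CVE_RECORD, SAMPLE_INVENTORY):
        print("affected:", finding)
```

The vendor check matters: two products with the same name from different vendors are different software, and matching on product name alone would produce false positives. Real records also carry version types other than dotted numbers (git commits, custom schemes), which `parse_version` here does not attempt to handle.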

It should be noted that many other open source and commercial threat and vulnerability databases and feeds are available. Typically an organisation would subscribe to more than one of them to avoid any ‘blind spots’ or slow processing.

  • https://www.misp-project.org/
  • AT&T OTX (formerly AlienVault)