jump to navigation

New Article: Exploits, Vulnerabilities & Threat Adaptation March 17, 2020

Posted by Chris Mark in cybersecurity, InfoSec & Privacy.
Tags: , , , , , , ,
add a comment

AT&T CyberSecurity published my new blog post.  You can read it here!

“Security, whether focused on physical, cyber, operational, or other domains, is an interesting topic that lends itself to considerable debate among practitioners.  There are, however, basic concepts and underpinnings that pervade general security theory. One of the most important, yet often misunderstood concepts are those inextricably entwined concepts of vulnerabilities and exploits.  These basic underpinnings are critical in all security domains. 

What are exploits and vulnerabilities and why are they important to the study of security?

First, security cannot be considered a binary concept such as: “secure” or “not secure”.  The appropriateness of any security strategy is relative to the controls implemented to address to identified risks.  One cannot say: “my house is secure”.  The measure of security is predicated upon the identified risks and the associated controls implemented to address those risks.  One can say: “My house has been secured in a manner that is commensurate with the identified risks”.  Second, security should be viewed as a function of time and resources.  Finally, security, in any domain, can never be ‘assured’ nor can there be a ‘guarantee’ of security.  The reason is simple.  Technologies change and human threats are adaptive.  According to the Department of Homeland Security’s Security Lexicon, Adaptive Threats are defined as:

“…threats intentionally caused by humans.” It further states that Adaptive Threats are: “…caused by people that can change their behavior or characteristics in reaction to prevention, protection, response, and recovery measures taken.” The concept of threat adaptation is directly linked to the defense cycle.  In short, as defenses improve, threat actors change their tactics and techniques to adapt to the changing controls.  As the threat actor improves their capabilities the defensive actors necessarily have to change their own protections.  This cycle continues ad infinitum until there is a disruption.”  Read the whole article!

Security, Exploits & Vulnerabilities- Security is Never 100% February 16, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.
Tags: , , , , , , , , ,
add a comment

In light of the recent disclosures of breaches of major security technologies and vendors, I felt compelled to write this post.  One of my favorite subjects to debate (and argue over) is security theory in general, and specifically the topics of vulnerabilities & exploits.  They are concepts that are critical in the fields of information security, risk management and other areas of security.  In truth, the concepts extend beyond IS but they are very common in the IS World and easier, in my opinion, to discuss in the context of IS.  So what are exploits & vulnerabilities and why are they important?

First, we need to understand that there is no “guaranteed security” and security can never be 100% as there are always vulnerabilities which can be exploited. We may not have identified them yet, but they do exist.   Given enough time, effort, and the right tools, any security control can be circumvented.  Security should be viewed as a function of time and effort. (this will be discussed below)  Second it is important to understand that the concepts of exploits and vulnerabilities are inextricably entwined and are mutually dependent. This is where the debate begins so first lets get a working definition of the terms. (more…)

%d bloggers like this: