Definition of vulnerability and threat
According to the RAE, the term vulnerable (from the Latin vulnerabĭlis) means: "adj. That can be wounded or receive an injury, physically or morally." By contrast, the term threat is defined as: "To imply with actions or words that you want to do some harm to someone." As we can see, the very definition of each word already establishes a clear distinction.
It is one thing to be exposed to an attack or threat because of one's own uncorrected and externally visible deficiencies (vulnerability), and quite another to suffer a threat or attack regardless of whether or not we are vulnerable. A threat involves a third party's intention to act through certain actions, whereas this idea cannot be applied to vulnerability, which is considered something intrinsic and inherent, to a greater or lesser extent, to the subject's ability to resolve whatever deficiencies it may have.
Differences between both concepts
Transferred to the field of computer systems, we could consider a vulnerable system as one susceptible to suffering a certain degree of damage, generally for causes of its own (lack of updates, weak protection against viruses, etc.).
It is true that in computing, vulnerability and threat often go hand in hand, but the rise of social engineering among cybercriminals means that it is not always necessary to be vulnerable at the system level to be exposed to threats and, therefore, to suffer attacks.
In the business environment, it is very often the user who creates the vulnerability or unintentionally enables the threat. Cybercriminals know this and consider users the weakest link in the chain, and therefore the most susceptible to being exposed to threats and receiving attacks.
We could then say that it is the user who is vulnerable to the deception of social engineering. But labelling everyone as vulnerable is not the right approach: no one is 'invulnerable' to deception, but well-trained and aware teams can avoid it.
We must also bear in mind that a threat can turn into a vulnerability if the appropriate security measures are not applied through patches or software updates and adequate protection tools (antivirus, antimalware, etc.).
Example of vulnerability and threat
Nothing better than an example to understand the scope of each concept.
Currently, any web page is exposed to threats on the network. Let’s imagine a bank website or an online store. Both manage confidential information (names, passwords, credit card details, bank accounts, etc.). If the systems of these sites are not up-to-date and do not implement adequate protection measures, we could say that those sites are vulnerable to certain threats, and therefore, susceptible to attack.
On the other hand, if the websites implement the appropriate measures and are up-to-date, they might not be vulnerable to these threats, but they would not be exempt from the risk of suffering an attack, caused, for example, by a cyber attacker who uses social engineering against a company to get inside information.
In other words, the threat is always there.
Sometimes drawing the line that separates a threat from a vulnerability is very complex. For example, if we are talking about an obsolete communications device on a corporate network, we could say that it represents a threat to the company, but is it also a vulnerability? If we consider that the device can cause damage to the company (loss of information, poor performance, etc.), it could be a threat. If, on the other hand, we consider that it may pose a risk because it facilitates attacks, then it would be more of a vulnerability. In both cases, the common denominator is a risk or damage to the company, one direct and the other indirect.
How to combat cyber threats
Although there is no infallible method, we can protect the company against possible threats by raising the team's awareness: instructing them in the safe use of the technologies at their disposal through training and prevention campaigns, and letting them know that any strange behaviour they detect in their day-to-day work must be reported as soon as possible to the staff in charge of cybersecurity through the internal channels the company makes available to them.
In addition, establishing an information channel that keeps employees informed about possible threats through informative circulars (prevention), emails, or any other means at hand will improve sensitivity to these issues and put staff on guard against unforeseen risk situations.
As for the company's IT teams, one of their missions will be to update systems and keep them up to date and, when systems have reached the end of their useful life (end of updates), to report the risk that continuing to use them in those conditions poses for the company and its workers.
There is no 'magic bullet' to avoid a threat, but we can minimize threats if we apply prevention as a general rule.