
QUEZON CITY UNIVERSITY

COLLEGE OF COMPUTER STUDIES

IAS101 – FUNDAMENTAL OF INFORMATION ASSURANCE AND SECURITY 1

NAME: Vida, John Paul S.


STUDENT NO: 20-2167
YEAR/SECTION: 3rd Year / SBIT - 3L
DATE: 3-7-23

RISKS AND VULNERABILITIES


Threats, Vulnerability and Risk
Threat - A cyber threat is a malicious act that seeks to steal or damage data, or to disrupt a digital network or
system. A threat can also be defined as the possibility of a successful cyber-attack that gains unauthorized
access to a system's sensitive data.

Threats could be of three types, which are as follows:


1. Intentional - Malware, phishing, and breaking into someone's account are examples of intentional
threats.
2. Unintentional - Unintentional threats are human errors; for example, forgetting to update the
firewall or the anti-virus makes the system more vulnerable.
3. Natural - Natural disasters can also destroy data; these are known as natural threats.

Vulnerability
- In cybersecurity, a vulnerability is a flaw in a system's design, security procedures, internal controls, etc., that
can be exploited by attackers.
- Vulnerabilities are not only the product of network misconfiguration. In some cases an attack itself creates
one, for example when an employee downloads malware, or falls for a social-engineering attack that gives the
attacker a foothold.

Vulnerabilities can be classified in many ways; some common types are:
1. Network - Network vulnerabilities are flaws in the network's hardware or software.
2. Operating system - When an operating system's policy grants every program or user full access to the
computer, viruses and malware run with administrator rights and can make any change they like on the
administrator's behalf.
3. Human - Users' negligence can introduce vulnerabilities into the system.
4. Process - Weak or missing process controls can also introduce vulnerabilities into the system.

Risk - Cyber risk is the potential consequence of loss of, or damage to, assets or data caused by a cyber threat.
Risk can never be completely removed, but it can be managed to a level that satisfies an organization's
tolerance for risk. The target is therefore not a risk-free system, but one whose risk is kept as low as practical.

Risk = Threat × Vulnerability (× Impact, when the consequence to the asset is also scored). The factors multiply
rather than add: with no threat actor, or with the vulnerability fully closed, there is no risk.
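As an added illustration of the formula (example code written for this page, not part of the original notes): a small risk register that scores each entry as Threat × Vulnerability × Impact on constructed 0-3 scales, splits the register at an assumed risk tolerance, and shows how a control lowers the residual score. The register entries, the scales and the tolerance value are all hypothetical.

```python
from dataclasses import dataclass, replace

# Ordinal 0-3 scales, constructed for this example. Real programmes use their
# own scales (1-5 likelihood/impact matrices are common); the mechanics are the same.
SCALE = range(0, 4)


@dataclass(frozen=True)
class Risk:
    name: str
    threat: int         # likelihood that a threat acts: 0 none .. 3 near certain
    vulnerability: int  # how exploitable the weakness is: 0 closed .. 3 trivially exploited
    impact: int         # consequence to the asset: 0 none .. 3 severe


def score(r: Risk) -> int:
    """Risk = Threat x Vulnerability x Impact.

    The factors multiply rather than add, which is the point of the formula:
    with no threat actor, or with the weakness fully closed, the risk is zero
    no matter how large the other factors are.
    """
    for v in (r.threat, r.vulnerability, r.impact):
        if v not in SCALE:
            raise ValueError(f"{r.name}: factor {v} is outside the 0-3 scale")
    return r.threat * r.vulnerability * r.impact


def prioritise(register, tolerance: int):
    """Split a register into risks to treat (score above the organisation's
    tolerance), highest first, and risks it can accept, in register order."""
    treat = sorted((r for r in register if score(r) > tolerance),
                   key=score, reverse=True)
    accept = [r for r in register if score(r) <= tolerance]
    return treat, accept


def residual(r: Risk, control_strength: int) -> Risk:
    """Residual risk after a control that lowers exploitability by
    `control_strength` scale points (a patch that closes the hole: 3;
    a host firewall that limits, but does not remove, exposure: 1)."""
    return replace(r, vulnerability=max(0, r.vulnerability - control_strength))


# Constructed sample register (hypothetical entries, not from the original page).
SAMPLE_REGISTER = [
    Risk("Unpatched VPN appliance on the internet edge", threat=3, vulnerability=3, impact=3),
    Risk("Phishing against finance staff", threat=3, vulnerability=2, impact=2),
    Risk("Flood in the server room", threat=1, vulnerability=2, impact=3),
    # The bug is real, but the host is isolated, so nothing can reach it: risk 0.
    Risk("Known bug in a legacy app on an isolated host", threat=3, vulnerability=0, impact=3),
]

if __name__ == "__main__":
    treat, accept = prioritise(SAMPLE_REGISTER, tolerance=8)
    for r in treat:
        print(f"TREAT  {score(r):2d}  {r.name}")
    for r in accept:
        print(f"ACCEPT {score(r):2d}  {r.name}")
    patched = residual(SAMPLE_REGISTER[0], control_strength=3)
    print(f"after patching: {score(patched)}  {patched.name}")
```

With a tolerance of 8 the VPN appliance (27) and the phishing risk (12) need treatment, while the flood (6) and the isolated legacy host (0) are accepted; patching the VPN appliance drives its score to 0, which is what "managing risk to tolerance" looks like in practice.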


There are two types of cyber risks, which are as follows:
1. External - External cyber risks come from outside the organization, such as phishing, ransomware, DDoS
attacks and other cyberattacks.
2. Internal - Internal cyber risks come from insiders, who may have malicious intent or may simply not be
properly trained.

To summarize: risk is the potential for loss, damage or destruction of assets or data caused by a cyber
threat. A threat is anything that raises the likelihood of a negative event, such as the exploitation of a
vulnerability. And a vulnerability is a weakness in your infrastructure, networks or applications that
exposes you to threats.

How to Manage Risk?


- An organization’s risk profile fluctuates depending on internal and external environmental factors.
- It incorporates not just the probability of a negative event, but the impact that event may have
on your infrastructure. And though risk can never be 100% eliminated (cybersecurity is a persistently moving
target, after all), it can be managed to a level that satisfies your organization's tolerance for risk.

Information security risk management is the ongoing procedure of:


●discovering,
●correcting,
●and avoiding security issues.

Risk assessment - is an essential part of an organization's risk management procedure, designed to support
appropriate security levels for its information systems and data.

Types of risk


●Project risks − Project risks concern budgetary, schedule, personnel, resource, and
user-related problems.
●Technical risks − Technical risks concern potential design, implementation, interfacing, testing, and
maintenance problems.
●Business risks − Business risks include building an excellent product that no one wants, and losing
budgetary or personnel commitments.

Operational Threats/Risk Environments and Mitigation


- The threat environment is expected to become more complex, with a growing number of tangible near-term
threats and less tangible mid- to long-term ones.
- That is, the threat is expected to become more difficult to manage in the future because of the many
negative driving forces in the environment.

“Operational Risk” - is a risk that includes errors caused by the system, human intervention, incorrect data,
or other technical problems. Every firm or individual has to deal with operational risk in completing any
task or delivery.

Types of Operational Risks


1. Human Error - Also referred to as a fat-finger input error.
2. Technical Error - This includes system glitches.
3. Gap in Flow - Sometimes information is missing from the source itself because of data lag or restrictions.
4. Uncontrollable Events - These include effects from the external environment such as political situations,
weather changes, disease outbreaks, outdated technology, etc.
5. Intentional Fraud - There have been cases where a deliberate conflict of interest resulted in illegal profit
for those executing trades.

Barriers to Collecting Operational Threats


●Access:
●Language:
●Too Much Noise:
●Obfuscation Tactics:

What is Risk Mitigation?


- The word mitigation means the act of reducing the severity or seriousness of the impact of something on a
situation.
- IT threat mitigation is therefore defined as the corrective actions, preventions or remedies put in place to
combat or reduce IT threats to a computer, server or network. 'IT threats' is a very broad term that covers
the physical, software, and hardware threats that any IT system may encounter.

General Approaches to Mitigation


1. Preventive - Strategies that employ techniques to stop a threat from acting on the weaknesses of the
system.
2. Detective - Strategies that employ techniques to identify threats already present in the system.
3. Corrective - Strategies that employ techniques to correct or reduce the impact of detected
threats.

Defense Mitigation
1. Authorized Local Network Devices. Ensure that the only devices connected to the organization’s network are
those items provided by the organization.
2. Operating System Patching/Updating. Organizations should have a documented patching policy as well as a
systematic, accountable, and documented set of processes and procedures for handling patches.
3. Operating System Hardening. Operating systems should be hardened to improve the ability to withstand
attacks.
4. Anti-Virus Updating. New viruses are discovered every day. It is therefore recommended to set anti-virus
applications to automatically update signature files and scan engines whenever the vendor publishes updates.
5. Change Control Process. Implement a change control process to document and review firewall and other
network changes before they are implemented.
6. Host-based Firewall. Consider implementing host-based firewalls running on each internal computer and
especially laptops assigned to mobile users.
7. Vulnerability Scanning. Routine vulnerability scanning is a valuable practice for every organization.
8. Use Of Proxy Servers and Web Content Filters. Implement outbound application layer proxy servers and web
content filters to prevent users from inadvertently being directed to malicious websites.
9. Email Attachment Filtering. Filter the following attachment types at your email gateway unless required for
business use.
10. Monitor Logs. Administrators should not rely solely on AV software and email filtering to detect worm
infections.
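A worked example of item 10 (added here; not from the original notes or from any vendor's product): detection logic that reads constructed firewall log lines and flags a host that reaches many distinct internal hosts on SMB/NetBIOS/RPC ports within a short window, which is what a worm hunting for its next victim looks like from the network. The log format, the addresses, the port list, and the 10-hosts-in-60-seconds threshold are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in a simple key=value format (not the output of
# any real product). 10.0.1.44 sweeps 10.0.2.0/24 on TCP 445, one host per second;
# 10.0.1.20 and 10.0.1.31 only talk to their file server. One line is garbage.
SAMPLE_LOG = """\
2023-03-07T09:00:01 src=10.0.1.20 dst=10.0.1.5 dport=445 action=allow
2023-03-07T09:02:10 src=10.0.1.31 dst=10.0.1.5 dport=445 action=allow
2023-03-07T09:02:12 src=10.0.1.31 dst=10.0.1.7 dport=443 action=allow
2023-03-07T09:03:15 src=10.0.1.20 dst=10.0.1.5 dport=445 action=allow
2023-03-07T09:05:00 src=10.0.1.44 dst=10.0.2.1 dport=445 action=allow
2023-03-07T09:05:01 src=10.0.1.44 dst=10.0.2.2 dport=445 action=allow
2023-03-07T09:05:02 src=10.0.1.44 dst=10.0.2.3 dport=445 action=deny
2023-03-07T09:05:03 src=10.0.1.44 dst=10.0.2.4 dport=445 action=allow
2023-03-07T09:05:04 src=10.0.1.44 dst=10.0.2.5 dport=445 action=allow
2023-03-07T09:05:05 src=10.0.1.44 dst=10.0.2.6 dport=445 action=allow
2023-03-07T09:05:06 src=10.0.1.44 dst=10.0.2.7 dport=445 action=deny
2023-03-07T09:05:07 src=10.0.1.44 dst=10.0.2.8 dport=445 action=allow
2023-03-07T09:05:08 src=10.0.1.44 dst=10.0.2.9 dport=445 action=allow
2023-03-07T09:05:09 src=10.0.1.44 dst=10.0.2.10 dport=445 action=deny
2023-03-07T09:05:10 src=10.0.1.44 dst=10.0.2.11 dport=445 action=allow
2023-03-07T09:05:11 src=10.0.1.44 dst=10.0.2.12 dport=445 action=allow
2023-03-07T09:06:00 firewall restarted
2023-03-07T09:07:40 src=10.0.1.20 dst=10.0.1.5 dport=445 action=allow
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")

# Ports that classic network worms spread over (SMB, NetBIOS, MS-RPC); an
# assumption for this example, extend to match the threats you actually see.
LATERAL_PORTS = {445, 139, 135}


def parse(log_text):
    """Turn log text into (timestamp, src, dst, dport, action) tuples,
    skipping lines that do not match the expected format instead of crashing."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, action = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


def detect_scanners(events, window_seconds=60, threshold=10):
    """Return {src: distinct_targets} for every source that touched at least
    `threshold` distinct hosts on lateral-movement ports inside any
    `window_seconds` window. Denied attempts count too: a scan the firewall
    blocks is still a scan, and the blocking host is still infected."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, dport, _action in events:
        if dport in LATERAL_PORTS:
            by_src[src].append((ts, dst))

    hits = {}
    for src, conns in by_src.items():
        conns.sort()                 # logs are not guaranteed to arrive in order
        in_window = Counter()        # dst -> number of connections still in the window
        start = 0
        for ts, dst in conns:
            in_window[dst] += 1
            # Evict connections that fell out of the window ending at `ts`.
            while conns[start][0] < ts - window:
                old = conns[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]   # keep len() equal to distinct targets
                start += 1
            distinct = len(in_window)
            if distinct >= threshold:
                hits[src] = max(hits.get(src, 0), distinct)
    return hits


if __name__ == "__main__":
    for src, n in detect_scanners(parse(SAMPLE_LOG)).items():
        print(f"ALERT possible worm: {src} reached {n} distinct hosts on lateral ports")
```

On the sample, 10.0.1.44 is flagged with 12 distinct targets while the two normal hosts never exceed one; shrinking the window to five seconds drops the sweep below threshold, which is the trade-off a slow-scanning worm exploits, so tune window and threshold to the environment and alert on the result rather than waiting for the endpoint's anti-virus.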
