Reasonably Accurate Transcript
Morning everybody. How are you doing today? Obviously a little off today, based on the time I came through. Obviously, you can tell from the vlog here, I'm in a super, super glamorous business hotel again.
I flew up to the West Coast last night and had some delays, which is why I'm delayed coming at you this morning, though in fairness, if you're counting by West Coast time, I'm an hour and 13 minutes early, which is a bonus for me, I guess.
But for those of you on the East Coast, you're probably getting this late today. Anyway, I wanted to continue the cybersecurity basics. Today I want to talk about a few things and a few key terms that I think people mess up all the time.
Vets like myself do it. Everybody does it. But I'll try to give you layman's-terms definitions for these things because they're not that hard. So I want to talk to you about exploits, vulnerabilities, threats and risk.
Yeah, super exciting. But this is the core of how we figure out whether something's worth taking action on, and what I mean by taking action on is: is it worth doing something about? Right? So there are a number of things that you have challenges with in cybersecurity that you're trying to defend against, right?
So we talked yesterday about the goal: trying to make sure that whatever you build works as you intend and only as you intend, which is absolutely critical. So one of the things, when it comes to defending against actual malicious actors, is that you need to worry about vulnerabilities.
Now, vulnerability basically means a hole or a gap in what your system is supposed to be doing. I'll give you a physical security analogy because I think that's a lot easier. So a vulnerability would be, let's say, a window whose lock is broken.
OK? The vulnerability is a window that has its lock broken. The vulnerability is that broken lock. OK, that makes sense. There's a possible issue that could be used to get by your security, and somebody could come through the window, right?
So a vulnerability is that possibility; it's the possibility that something is not working as expected. An exploit is somebody taking advantage of that vulnerability. So the vulnerability itself is the possibility of you being attacked, or there being a data breach, or there being some sort of security issue. An exploit would be somebody coming along and maybe sliding something thin and sturdy under that window to pop it up so that they can get in.
So that exploit is somebody taking that action of, you know, taking that tool and popping it under the window to pop in. In the cybersecurity world, a vulnerability could be a bug in the software, and an exploit is code that takes advantage of that bug.
So it would be a piece of malware. So we have the vulnerability, the possibility for something to go wrong, like a breach in your system, and the exploit is somebody actually taking advantage of that. We also have the term threat.
Now, threat is the likelihood that some sort of malicious actor is going to use an exploit on your vulnerability. So if you have a broken window and you live on the 20th floor and there are no balconies, there is a very low level of threat here, because even though, you know, there's a known exploit (someone could pop the window)
and, you know, there's a known vulnerability (that window is broken), the threat is relatively low because there's no swath of spider people coming up the side of the building to take advantage of it. Right? You're 20 stories up, whereas somebody on the first floor has a completely different threat analysis, because they're on the first floor: somebody could simply walk by and take an opportunity to do it, or they could be specifically targeted.
So there's a different threat. Now, in the context of risk: risk is looking at all of this stuff together, as well as consequence. So risk, in the cybersecurity or in the security world, is threat times vulnerability times consequence.
Now, "times", I really hate that, because it's implying there's some sort of quantitative method here. But what it is, is it's actually looking at the likelihood of all these things happening together. So if we're taking our window analogy and we're looking at the risk for a first-floor tenant, we go: we have a known vulnerability.
The window is broken. We have a known exploit: somebody can use something strong, like a thin spatula, to pop it up. And we have a pretty strong threat because there are, let's say, 250 people walking by the window every day, or somebody could be specifically targeting us.
And what's the consequence? Well, the consequence is they get into the apartment and they could steal our stuff or they could cause physical harm. So there's significant consequence here. So the risk is pretty high for somebody on the first floor. Take that exact same set of circumstances and move up to the 20th floor again.
So you look at the 20th floor and you go: we have a known vulnerability. The window is broken. We have a known exploit: somebody can use that thin specialized tool to pop it up. And we have the same level of consequence: somebody could get in, they could cause physical harm, they could steal our stuff.
But the threat is so much lower because we're 20 floors up, and it's really unlikely that somebody is going to scale the building (because there are no balconies, remember) and get in. So our risk is much lower. So risk is looking at all of these things together.
And this applies to physical security, operational security, cybersecurity, information security, all the types of security that we talked about yesterday. So that's, in a nutshell, how these terms work together. We have vulnerabilities, exploits, threats, consequences; these all roll up into risk.
Hope that makes sense. This was the second piece in our cybersecurity basics. I will be tightening these up into smaller, consumable videos, you know, sort of the sub-two-minute for targeted terms. So in this case, I would do one for each of the terms and then one overall, and be pushing that out on the Trend Micro handle just to help that wider audience as well.
What do you think? What are your challenges? Let me know online at marknca, for those of you on the blog in the comments down below, and on whatever platform or channel you're joining us on. And as always, for podcasters or anybody, you can hit me up at me@markn.ca via email; always looking forward to having that conversation.
I really would like to hear from you folks about what kind of basics, what kind of terms you need defined, even if you know what they mean, to put them in better context. Let me know; this is very much an audience-driven show.
I hope you are set up for a fantastic day. I will talk to you online and see you on the show again tomorrow.