
Risks

We can use qualitative or quantitative methods for evaluating risk. Simply put, risk is someone's exposure to loss. It is different from vulnerability, because it depends on the probability of a particular event, attack, or condition and has a strong link to the motivations of an attacker. It also depends on how large the impact is of a single, atomic compromise or a whole campaign of attack/compromise events. Vulnerability does not directly invoke impact or probability, but is the innate weakness itself. It may be easy or hard to exploit, or result in a small or large loss when exploited.

For example, a desktop operating system may have a serious vulnerability in its process isolation logic that allows an untrusted process to access the virtual memory of another application. This vulnerability may be exploitable, and most certainly represents a weakness, but if the system is air-gapped and never connected directly or indirectly to untrusted networks, the vulnerability may create little if any risk exposure. If, on the other hand, the platform is connected to the internet, the risk level may jump, because an attacker now has a practical means of delivering hostile shellcode that exploits the vulnerability and lets the attacker take ownership of the machine.

Risk can be managed through threat modeling, which helps ascertain the following:

  • Impact and overall cost of a compromise
  • How valuable the target may be to attackers
  • Anticipated skill and motivations of the attackers (based on threat modeling)
  • Prior knowledge of system or device vulnerabilities (for example, those identified in public advisories, or discovered during threat modeling and penetration testing)

Risk management relies on judicious application of mitigations against the types of vulnerabilities that are known to be present and that may be targeted by the potential exploits (threats). Naturally, not all vulnerabilities will be known ahead of time; these we call zero-days or "0-days" (pronounced "oh-days"). We know that certain vulnerabilities exist in our Windows operating system; therefore, we apply well-selected anti-malware and network monitoring equipment to reduce the exposure. Because mitigating security controls are never perfect, we are still left with some smaller remaining amount of risk, typically called residual risk. Residual risk is often accepted as is, or offset by other risk transfer mechanisms, such as insurance.
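The following is an added example, not code from the book, that puts the ideas above into a small quantitative risk model: the same process-isolation vulnerability is scored in an air-gapped and an internet-connected scenario, and imperfect controls (anti-malware, network monitoring) reduce the likelihood but leave residual risk. All dollar values, occurrence rates and control effectiveness figures are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Scenario:
    """One deployment context for a known vulnerability."""
    name: str
    sle: float                 # single loss expectancy: cost of one atomic compromise
    aro: float                 # annualized rate of occurrence with no controls applied
    controls: list = field(default_factory=list)  # (control name, fraction of attempts stopped)

def inherent_risk(s: Scenario) -> float:
    """Risk before mitigation: probability (per year) times impact."""
    return s.sle * s.aro

def residual_rate(s: Scenario) -> float:
    """Occurrence rate after each control lets through its unmitigated fraction."""
    rate = s.aro
    for _, effectiveness in s.controls:
        rate *= 1.0 - effectiveness   # controls are never perfect, so some rate remains
    return rate

def residual_risk(s: Scenario) -> float:
    """What is left to accept or transfer (e.g. insure) after controls."""
    return s.sle * residual_rate(s)

def qualitative_band(annual_loss: float) -> str:
    """Map a quantitative figure onto a simple qualitative scale (constructed thresholds)."""
    if annual_loss >= 100_000:
        return "high"
    if annual_loss >= 10_000:
        return "medium"
    return "low"

# Constructed figures: same weakness, different exposure (attacker reachability).
COMPROMISE_COST = 250_000.0
AIR_GAPPED = Scenario("air-gapped workstation", COMPROMISE_COST, aro=0.01)
INTERNET_FACING = Scenario(
    "internet-connected workstation", COMPROMISE_COST, aro=2.0,
    controls=[("anti-malware", 0.8), ("network monitoring", 0.5)],
)

def risk_register(scenarios):
    """Rows a reviewer would want: inherent, residual and its qualitative band."""
    return [(s.name, inherent_risk(s), residual_risk(s), qualitative_band(residual_risk(s)))
            for s in scenarios]

if __name__ == "__main__":
    for row in risk_register([AIR_GAPPED, INTERNET_FACING]):
        print("%-32s inherent=%10.2f residual=%10.2f (%s)" % row)
```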
