A quick reminder : Don't stress on both threat and vulnerability

-

 

Threat and vulnerability are two tightly coupled aspects. There is no point to focus on a vulnerability if the threat doesn’t exist, similarly you can’t stress on a threat, if your asset is not concerned with the vulnerability (or weakness).



 

The question one should ask is “What are the risks to my asset ?”, and to answer this we need to run a whole Business Impact Analysis (BIA), which involves qualitative and quantitative risk assessment.

As a general equation:  Risk = Vulnerability x Threat

On the basis of the above equation, we can conclude that if an asset has a Vulnerability and that Vulnerability is exposed to a known Threat, then the asset is at Risk. 

Now that the two elements exist you need to tackle just one of the two not both, to eliminate the risk.


originally posted here

Comments

Post a Comment

What do you think ?

Popular posts from this blog

How to use a Python variable in an external Javascript (Django)

-
2025 Update: Check a security note below! One way to use a Python variable in an external Javascript is to declare the JS variable in the HTML template through context object, then pass this variable to the external script code : <script type="text/javascript"> js_var_from_dj = "{{ django_var }}" </script> <script src="{% static "js/js_file.js" %}" type="text/javascript"></script>   js_file.js : function functionA(){ // using the variable declared outside this js file inner_js_var = js_var_from_dj ; }   What if  instead of using HTML template to pass the Django context variable, we inject the variable directly into the external Javascript code ?  This is actually possible, the trick here is to to wrap the original JS file in a View, and use that view to render the JS file as a Django template. O ur js_file become : function functionA(){    //using the Django context variable    inner_js_var = {{django_var}} ; ...
Keep reading »

Getting the PRINCE2 Practitioner, maybe the cheapest way !

-
Image
Thanks God, I finally got my PRINCE2 practitioner certification. If you have a good grasp of the major aspects surrounding project management, your journey for the certification exam will be less tricky. First off, I have two advises : - You really don't need to pay lot of money for the training. - Don't count on a single resource (that applies to any certification). If your are already searching for the best training, you realize that there are huge amount of online training videos. However, in my opinion, there are two online training that are worth the investment : Mplaza or Projex's Prince2 Masterclass. I liked the Mplaza PRINCE2 foundation training and the instructor has a smart approach to deliver the information, however the Practitioner training was not up to par with what I was expecting, the discussion approach wasn't the right option for me. The Projex's PRINCE2 Masterclass was the option I picked up. It prepares you fo...
Keep reading »

CISSP : My Experience

-
Image
I passed the CISSP exam on the first try at the 125th question, Thanks to GOD. I'm relieved as I don't have take this exam again. This is the most significant experience in my career, acquiring new knowledge in information security while studying for the exam, was a wonderful journey.   https://commons.wikimedia.org/wiki/File:Certified_Information_Systems_Security_Professional_logo.png   This is indeed the most satisfactory personal achievement in my career, as matter of fact I'm more keen then ever before, to springboard my career to new roles in cybersecurity. Study resources I used The CISSP community on Reddit is a gold mine for CISSP exam takers. Used the official study guide OSG (8th edition) as reference, but never read it cover to cover. Multiple videos form "Thor", "Certification destination", "Inside cloud and security" and many others. Boson CISSP, this practice exams goes deeper in details (more technical), which may help to reinfo...
Keep reading »