Unit 2: Computing Security Concepts and Problems 2 2.1 Computing Security Concepts and Problems 2 Th...

mac2022-06-30  30

About This Video

A threat agent—or threat actor—is anything that can possibly damage or disrupt the system’s ability to perform as it needs to. This isn’t limited to malicious actors like hackers.

 

Individuals within a threat population; Practically anyone and anything can, under the right circumstances, be a threat agent – the well-intentioned, but inept, computer operator who trashes a daily batch job by typing the wrong command, the regulator performing an audit, or the squirrel that chews through a data cable. -"An Introduction to Factor Analysis of Information Risk (FAIR)" (PDF). Riskmanagementinsight.com. November 2006

Also includes God (as in “acts of”), “Mother Nature,” and random chance. -http://veriscommunity.net/schema

Non-Human Elements: Floods, Lightning strikes, Plumbing, Viruses, Fire, Electrical, Air (dust), Heat control -SANS: An Overview of Threat and Risk Assessment

 

 

>> From a cybersecurity perspective, you are looking to protect assets -- things that have value to a company.

They could be physical hardware, logical software, data, information, company trade secrets, and even employees.

A threat is a looming danger that can change or damage your assets.

Think of the actual actions like fires, floods, hackers getting into your network, malware infecting your systems, your server crashing without backups to go to, or even a cleaner accidentally pulling out the plug to an important server.

Threat agents or actors are the ones carrying out the threats.

Yes, hackers are the first things that come to mind, but Mother Nature through earthquakes, tornadoes, fires, and floods is also a threat agent.

A vulnerability is a weakness, a flaw in a program, device, network, and even a person.

Weak authentication checks, default user name password combinations, incorrectly configured firewalls, and even a gullible or naive employee are all vulnerabilities.

When threat actors carry out the threat, they exploit the vulnerability.

Exploit can be a verb meaning penetrating a system to exploit, or a noun meaning the tool or method used to penetrate a system and exploit.

Interestingly enough, exploits are usually named after the vulnerability they exploit.

For example, MS08-067 is a famous exploit from 2008 that allowed hackers to gain control of a Windows XP or a Windows Server 2003 system.

Any systems running Windows XP today are vulnerable to that exploit.

Incredibly enough, Windows XP still has close to 10% market share, even without security updates from Microsoft.

Hackers like to go after the low-hanging fruit first, and this is a prime example.

Risk is the combination of the probability of an event or loss from zero to 100% and its consequence or impact.

For example, if your users' passwords are stored in plain text, the actual passwords and not hashed as we'll see in a future module, there's a high risk that a data breach could result in those accounts being hacked.

You could suffer loss of reputation and customer goodwill -- for some companies that could be fatal.

There are three things that can be done to risk but eliminate is not one of them.

You could reduce or mitigate the risk.

We can eliminate some vulnerabilities and block some threats, but nothing is ever going to be 100%.

Encryption, hashing, VPNs, firewalls, intrusion detection and prevention systems, and more can reduce the risk.

Another thing you can do to risk is transfer it.

You can purchase cybersecurity insurance, which is a growing industry now, or even use cloud computing and another company's resources.

Your cloud provider is now responsible for securing your data.

Last but not least, we can accept the risk.

Does the cost to protect a resource outweigh the cost of losing it or even replacing it?

If so, accepting the risk might make the most sense.

Before you spend your time and money, ask yourself the following questions: What are the critical assets; what business processes require these assets; what could interfere with normal operations; what are the risks; which ones present the highest and most negative outcomes and should be prioritized; given a range of solutions, which is the most cost-effective way of reducing the risks?

Reposted from: https://www.cnblogs.com/sec875/articles/10321256.html
