Basic security terms
Before we start to implement security policies and mechanisms, we need to define some basic security terms:
- asset – anything valuable to a company that is to be protected. It can include tangible items, such as computers and network devices, or intangible items (intellectual property, data, client information, etc.). Assets need to be protected from unauthorized access, use, disclosure, alteration, destruction, or theft. They can be classified into categories, according to the level of protection they need. For example, assets can be classified as unclassified, sensitive, confidential, secret, and top secret.
- vulnerability – a weakness in a product that allows an attacker to compromise the integrity, availability, or confidentiality of the product. It can be found in protocols, operating systems, applications, and system designs. A malicious attacker might exploit a vulnerability, or it might be accidentally triggered because of a failure or weakness in the software.
- threat – a potential violation of security that can adversely impact organizational operations or assets. A threat is anything that attempts to gain unauthorized access to, alter, destroy, or steal an asset. Threats are often realized via an attack or exploit that takes advantage of a vulnerability.