Wednesday, 15 April 2015

Difference Between Threat, Vulnerability and Risk



Penetration testing deals with threats, vulnerabilities, risks, and exploits. Many people in the fields of information security, internet security and computer security throw these terms around interchangeably, usually confusing threats with risk, or vulnerabilities with exploits. Each of these terms has a distinct meaning and should be applied carefully.
What is a Threat?
A threat is an agent that may want to, or definitely can, cause harm to the target organization. Threats include organized crime, spyware, malware, adware companies, and disgruntled internal employees who start attacking their employer. Worms and viruses also constitute a threat, as they can cause harm in your organization even without a human directing them, by infecting machines and causing damage automatically. Threats are usually referred to as “attackers” or “bad guys”.
What is a Vulnerability?
A vulnerability is a flaw in our environment that a malicious attacker could use to cause damage to our organization. Vulnerabilities can exist in numerous areas of our environments, including system design, business operations, installed software, and network configurations.
What is a Risk?
Risk is where threat and vulnerability overlap. That is, we get a risk when our systems have a vulnerability that a given threat can attack.
What is an Exploit?
An exploit is the method or tool by which an attacker uses a vulnerability to cause damage to the target system. The exploit could be a package of code that creates packets which overflow a buffer in software running on the target, a technique known as a buffer overflow. Alternatively, the exploit could be a social engineering scheme whereby the bad guy talks a user, preferably an employee, into revealing sensitive information, such as a password, over the phone.
Your job as a Penetration Tester
If we want to be successful security professionals, we have to work hard to minimize this risk by minimizing vulnerabilities and blocking threats. This is what penetration testing is all about. We have to model the activities of real-world threats to discover vulnerabilities. Then, through controlled exploitation, we attempt to determine the business risk connected with these flaws and vulnerabilities. We then recommend and encourage suitable defenses. These recommendations must benefit our target organization. If we do this properly, then the security and protection of our target organization will greatly improve.


Friday, 3 April 2015

Biometrics, Forensic Computing Computer Security and Cryptography Careers





Computer security is a fast developing area within Forensic Services. The work involves close contact with lawyers, commercial organisations and investigation agencies. Issues may involve fraud, child pornography, terrorism and ID theft.
Both mathematicians and computer scientists are recruited. There is a good market for penetration testing skills in finance, e-commerce and national security organisations.

Organisations involved include:

  • Police Forces.
  • Government Agencies (Customs and Excise, DTI, Serious Fraud Office)
  • Government intelligence services, including GCHQ
  • Specialist Forensic Computing firms
  • Software developers producing encryption software
  • IT security and corporate investigation companies
  • Large chartered accountancy firms
  • Banks and credit card companies

Where are the jobs?

  • Forensic IT
  • Computer security
  • Cryptology
  • Forensic accounting
  • Expert decision making systems (e.g. Fair Isaac Co)
  • Software development involving data compression and encryption or working with big data sets
  • Network software development in the telecoms industry
  • The computer games industry

Cryptology

Cryptography (also called cryptology) is the practice of hiding information.

Cryptography is used in:

  • Mobile phone companies such as RIM (BlackBerry) encrypt all e-mail messages
  • Banking (chip and PIN); secure online payment, security aspects of plastic cards: usually direct entry rather than through the graduate training scheme
  • The Internet (protecting transaction details using SSL and SSH)
  • Corporate computer security
  • Home computing (Windows and operating systems such as Linux contain cryptographic algorithms)
  • Satellite TV: Sky encrypts all its subscription channels.

The following types of employers recruit cryptographers:

  • Government intelligence services including GCHQ
  • IT Software developers producing encryption software
  • Information security consultancies
  • Professional Services firms providing technology security services, e.g. the Technology Assurance and Advisory teams at Deloitte
  • Banks and credit card companies, for PINs, websites and other areas where encrypted data is needed. Data security is a big issue for many organisations, especially banks. Also electronic signature services such as Verisign.
  • IT end-users where encrypted data is needed, e.g. finance companies
  • IT consultancies
  • Telecommunications firms
  • Broadcasting companies.

Further information on cryptography

What is biometrics?

Biometrics is the science of identifying humans based on a fingerprint, voice pattern, retinal scan or other bodily characteristics. Devices that use biometrics include fingerprint readers, voice pattern recognition, facial recognition and retinal pattern identification systems.
Identity fraud is rapidly increasing, driving forward the biometrics industry. Biometrics identification is inherently more secure than passwords and other identification methods: your password could be hacked, or your credit card stolen, but biometrics allows the system to know with certainty who is using it. Fingerprints have a long standing link with identity protection and are seen as a reliable way of identifying individuals. People are adding biometric readers to computers and theft-prone mobile devices to provide quick and easy system access.
Biometrics is most used in the field of security, to produce effective security networks, and is becoming mainstream, proving itself as a convenient and secure method of user identification. It is likely to be a high growth area with a range of well paid new jobs.

Who employs biometricians?

The consumer market has the most potential.

What jobs are available for biometricians?

Biometrics involves many different technologies from optics to algorithms so jobs are available to grads in many IT fields including:
  • Software engineers
  • Security architects
  • Artificial intelligence
  • Computer vision
  • Device drivers
  • Mathematics
  • Hardware technicians to diagnose and troubleshoot biometrics readers in the field.
  • There are also jobs in sales support, marketing, product management and product development.

Employers

Government/Defence

  • GCHQ www.gchq-careers.co.uk provides specialist advice to help safeguard government communications systems and helps counter international terrorism and crime. Information Assurance. They have a well established route for mathematicians wanting to work in cryptography, with case studies for mathematicians on their web site.
    BBC article on GCHQ www.bbc.co.uk/newsbeat/14589956
  • Security Service (MI5) https://www.mi5.gov.uk/careers/graduates.aspx Recruit IT Security Specialists
  • Secret Intelligence Service (MI6) www.sis.gov.uk/output/careers-1.html
  • QinetiQ www.qinetiq.com/home/careers.html
  • Serious Fraud Office www.sfo.gov.uk investigates major fraud of all kinds and it employs its own specialist IT staff.
  • GCHQ and MI6 are the main employers for mathematical cryptology.
  • The Serious Organised Crime Agency www.soca.gov.uk co-ordinates the investigation of crimes against IT systems (e.g. hacking) and crimes involving the use of IT (e.g. fraud, blackmail, pedophilia). SOCA (Serious Organised Crime Agency) now employs people with IT degrees rather than policemen. Relevant qualifications include the EnCE, OCA and MCP
  • BAE recruiting nearly 300 graduates with almost half going into cyber and security business (June 2013)

Consulting

  • Deloitte http://careers.deloitte.com have Technology Assurance and Advisory teams, plus information & technology risk. Graduate scheme for security and privacy. Also do cryptography.
  • PriceWaterhouseCoopers www.pwc.com/uk/careers have a Forensic Technology Solutions section which specialises in the forensic capture and analysis of electronic data. The Forensic Services department investigates financial crime (including fraud, money laundering and false accounting) and provides litigation support to clients involved in commercial disputes. The FTS team gathers, interprets, and provides in-depth analysis on large volumes of data. They capture data using evidentially sound processes, which means that the data can be relied upon in court if necessary. Extensive travel within and outside the UK is often required.
  • Logica www.logica-graduates.co.uk/our-programmes/pts-programme-and-technical-services-
  • Barclays Graduates - Technology 
  • Siemens Insight Consulting www.siemens.co.uk/insight security and compliance solutions. Part of Siemens Communications.
  • Accenture www.accenture.com
  • IntaForensics www.intaforensics.com UK digital forensic company. Provides independent Computer Forensics, Expert Witness, Mobile Phone Forensics, and Forensic Data Recovery to the legal sector, police forces, local authorities and commercial organisations internationally. Regularly features jobs of interest to graduates. Also features blogs by forensics experts.

Data security companies

Other Sources of Information

  • Crewe Fox www.crewefox.com recruitment and consultancy firm that specialises in cyber security. Our position as a consultancy firm as well as recruiter means that our insight into the industry is considerable. Recruit graduates from a wide range of disciplines, many of which do come from computer science/cyber security related courses; however, many of the skills required to be a cyber security professional, e.g. excellent communication skills, ‘out of the box’ thinking and ability to handle pressure, can be developed outside of cyber security related courses, and technical expertise can be taught ‘in house’.
  • Information Assurance Advisory Council www.iaac.org.uk broad-based group concerned with minimising threats to the UK's IT infrastructure. Its website lists its member organisations, which include private companies, government agencies and academic research centres.
  • Communication Electronics Security Group (CESG) www.cesg.gov.uk Information assurance arm of the Government Communications Headquarters (GCHQ) and it provides advice on information assurance to government departments and, in certain circumstances, private companies.
  • Intellect www.intellectuk.org trade association for the UK IT industry and it provides the secretariat for SAINT; the Security Alliance for Internet and New Technologies.
  • Internet Crime Forum www.internetcrimeforum.org.uk brings together organisations concerned with the prevention of criminal use of the internet.
  • British Computer Society has an Information Specialists Security Group www.bcs-issg.org.uk/index.html
  • Centre for the Protection of National Infrastructure (CPNI) www.cpni.gov.uk government body responsible for coordinating the response to threats to the IT infrastructure.
  • IT Jobs Watch www.itjobswatch.co.uk/jobs/england/ethical%20hacking.do ethical hacking page
  • Forensic Computing Practice www.appointments-uk.co.uk specialise in recruitment to Information Security, Forensic Computing and Forensic Accounting
  • Cyber Security Challenge https://cybersecuritychallenge.org.uk series of national online games and competitions that will test the cyber security abilities of individuals and teams from every walk of life. Designed to excite and inspire anyone considering a career in the cyber security industry and identify individuals capable of becoming part of the UK's cyber security profession. Also has information on cyber security job roles.
  • Inside Careers Cyber Security The rising demand for cyber security expertise in the UK presents an opportunity for graduates to build a career in an emerging field.
  • Wired: How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History
  • Cyber security vacancies double in response to hacking threat

Postgraduate Courses