CyberSec Terminology

Vulnerability

A weakness or flaw in a system or network that, when exploited by hackers, compromises the integrity and security of that system or network and can lead to unauthorized access to a computer or any network system.

Exploits

It is the process of breaking into a system through a particular set of vulnerabilities. It utilizes a payload to perform specific malicious tasks.

Payload

It is a chunk of exploit code whose purpose is to perform a specific task on the target system or network, for example: destroying data or setting up backdoor access.

0-day

A zero-day is a vulnerability in a system that has not been patched by the developer. If such vulnerabilities are disclosed before they are patched, they can be a threat because malicious hackers can exploit them.

Threats

A threat is a malicious actor whose objective is to breach data, steal data, or cause damage to data. Threats target assets.

Assets

Assets are business- or service-critical systems on a company network that store data or provide services for the running of the company. Assets are what a company requires for its business to function. For example: web applications and mail servers, which can store the company’s data or users’ confidential data.

  • Employees can also be assets, because employees can have privileged access to the company’s server and can be targeted by social engineering to gain access to confidential data.

  • During risk assessments and vulnerability assessments, assets need to be identified and adequately secured and protected.

Risk

It is the potential impact that a threat or vulnerability can have on an organization. It is used to determine the probability of a potential vulnerability occurring and its effect. For example: downtime (mostly caused by DDoS/DoS attacks).

Difference between Penetration Test and Vulnerability Assessment

  • Vulnerability assessment: identifies the potential weaknesses through which hackers could break in.

  • Penetration test: a pentester is hired to attack the machine, and this reveals the actual vulnerabilities that can lead to future data breaches.

Example: You are the owner of a house and you have built a fence to protect it. There is a potential theft here: a thief is trying to attack your house (which is an asset because it stores important data). Suppose the owner goes for a vulnerability assessment, where the tester checks the fence and tries to find whether any vulnerabilities exist. If he finds that the material of the fence is not strong enough to resist the attack, that is a potential vulnerability. If the owner hires a pentester instead, the pentester will try to attack the house and see whether he can gain access; if he can, the actual vulnerability has been found. This explains the difference between the two.