Here we define some of the terminology that you will come across during the course:
An “attacker” is an agent external to the system that targets the assets of the system with the intention of gaining unauthorised access to those assets in order to view them, modify them, or destroy them. Attacks can arise from the direct actions of a person, or through the actions of malicious software installed on the system.
A “threat” is the possibility of a specific attack on a system. For example, the possibility of having your house burgled would be considered a threat. If your house was actually burgled that would be an attack, and the burglar would be the attacker.
A “vulnerability” is a weakness that makes a threat possible. A vulnerability could be a bug in software, or the misconfiguration of a system.
An “attack vector” is the path or means by which an attacker carries out an attack. An attack vector is not the code that exploits a vulnerability, but the means by which that exploit code is delivered. An attack vector may include social engineering tricks like phishing attacks.
The “impact” of an attack is the effect of the attack in terms of the CIA triad, that is, the effect on the confidentiality, integrity, or availability of the assets controlled by the system, and the consequences of that for the organisation as a whole:
- the loss of confidentiality is the unauthorised disclosure of information
- the loss of integrity is the unauthorised modification or destruction of information
- the loss of availability is the disruption of access to or use of information or an information system
© University of Southampton 2017