
Manage common threats, risks, and vulnerabilities

Previously, you learned that security involves protecting organizations and people from threats, risks, and vulnerabilities. Understanding the current threat landscapes gives organizations the ability to create policies and processes designed to help prevent and mitigate these types of security issues. In this reading, you will further explore how to manage risk and some common threat actor tactics and techniques, so you are better prepared to protect organizations and the people they serve when you enter the cybersecurity field. 

Risk management

A primary goal of organizations is to protect assets. An asset is an item perceived as having value to an organization. Assets can be digital or physical. Examples of digital assets include the personal information of employees, clients, or vendors, such as: 

  • Social Security Numbers (SSNs), or unique national identification numbers assigned to individuals 

  • Dates of birth

  • Bank account numbers

  • Mailing addresses

Examples of physical assets include:

  • Payment kiosks

  • Servers

  • Desktop computers

  • Office spaces

Some common strategies used to manage risks include:

  • Acceptance: Accepting a risk to avoid disrupting business continuity

  • Avoidance: Creating a plan to avoid the risk altogether

  • Transference: Transferring risk to a third party to manage

  • Mitigation: Lessening the impact of a known risk

Additionally, organizations implement risk management processes based on widely accepted frameworks to help protect digital and physical assets from various threats, risks, and vulnerabilities. Examples of frameworks commonly used in the cybersecurity industry include the National Institute of Standards and Technology Risk Management Framework (NIST RMF) and Health Information Trust Alliance (HITRUST).

Following are some common types of threats, risks, and vulnerabilities you’ll help organizations manage as a security professional.

Today’s most common threats, risks, and vulnerabilities

Threats

A threat is any circumstance or event that can negatively impact assets. As an entry-level security analyst, your job is to help defend the organization’s assets from inside and outside threats. Therefore, understanding common types of threats is important to an analyst’s daily work. As a reminder, common threats include:

  • Insider threats: Staff members or vendors abuse their authorized access to obtain data that may harm an organization.

  • Advanced persistent threats (APTs): A threat actor maintains unauthorized access to a system for an extended period of time.

Risks

A risk is anything that can impact the confidentiality, integrity, or availability of an asset. A basic formula for determining the level of risk is that risk equals the likelihood of a threat. One way to think about this is that a risk is being late to work and threats are traffic, an accident, a flat tire, etc. 

There are different factors that can affect the likelihood of a risk to an organization’s assets, including:

  • External risk: Anything outside the organization that has the potential to harm organizational assets, such as threat actors attempting to gain access to private information

  • Internal risk: A current or former employee, vendor, or trusted partner who poses a security risk

  • Legacy systems: Old systems that might not be accounted for or updated, but can still impact assets, such as workstations or old mainframe systems. For example, an organization might have an old vending machine that takes credit card payments or a workstation that is still connected to the legacy accounting system.

  • Multiparty risk: Outsourcing work to third-party vendors can give them access to intellectual property, such as trade secrets, software designs, and inventions.

  • Software compliance/licensing: Software that is not updated or in compliance, or patches that are not installed in a timely manner

There are many resources, such as NIST, that provide lists of cybersecurity risks. Additionally, the Open Web Application Security Project (OWASP) publishes a standard awareness document about the top 10 most critical security risks to web applications, which is updated regularly.

Note: The OWASP’s common attack types list contains three new risks for the years 2017 to 2021: insecure design, software and data integrity failures, and server-side request forgery. This update emphasizes the fact that security is a constantly evolving field. It also demonstrates the importance of staying up to date on current threat actor tactics and techniques, so you can be better prepared to manage these types of risks.

Lists that compare the top 10 most common attack types between 2017 and 2021

Vulnerabilities

A vulnerability is a weakness that can be exploited by a threat. Therefore, organizations need to regularly inspect for vulnerabilities within their systems. Some vulnerabilities include:

  • ProxyLogon: A pre-authenticated vulnerability that affects the Microsoft Exchange server. This means a threat actor can complete a user authentication process to deploy malicious code from a remote location.

  • ZeroLogon: A vulnerability in Microsoft’s Netlogon authentication protocol. An authentication protocol is a way to verify a person's identity. Netlogon is a service that ensures a user’s identity before allowing access to a website's location.

  • Log4Shell: Allows attackers to run Java code on someone else’s computer or leak sensitive information. It does this by enabling a remote attacker to take control of devices connected to the internet and run malicious code.

  • PetitPotam: Affects Windows New Technology Local Area Network (LAN) Manager (NTLM). It is a theft technique that allows a LAN-based attacker to initiate an authentication request.

  • Security logging and monitoring failures: Insufficient logging and monitoring capabilities that result in attackers exploiting vulnerabilities without the organization knowing it

  • Server-side request forgery: Allows attackers to manipulate a server-side application into accessing and updating backend resources. It can also allow threat actors to steal data.
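The server-side request forgery entry above is the one item in this list that is easy to show in a few lines of code. The following is an added example, not code from the Coursera reading or from OWASP: a "fetch this URL for me" feature in its SSRF-prone form beside a hardened form that only hands back a URL after checking scheme, host allowlist, embedded credentials and literal internal addresses. The allowlist `ALLOWED_HOSTS`, the function names, and the sample URLs are all constructed for the example.

```python
"""Added example (not part of the Coursera reading): a server-side URL fetcher
in its SSRF-prone form beside a hardened form.

Assumptions (constructed for this example, not from the page): the application
has a feature that fetches a user-supplied URL from the server side, and the
only legitimate destinations are the hosts in ALLOWED_HOSTS.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only external services the app legitimately calls.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def vulnerable_target(user_url: str) -> str:
    """SSRF-prone: trusts the user-supplied URL completely.

    Whatever the user submits is what the server would request, from the
    server's own network position (loopback services, cloud metadata
    endpoints, internal backends). This is the weakness the reading describes.
    """
    return user_url


def _is_internal_address(host: str) -> bool:
    """True when host is a literal IP in a loopback, private, link-local,
    multicast, or otherwise non-global range."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # not a literal IP; the hostname allowlist decides instead
    return not addr.is_global


def hardened_target(user_url: str) -> str:
    """Hardened: only allowlisted schemes and hosts pass, literal internal
    addresses and URL-embedded credentials are refused, and the URL is rebuilt
    from the validated parts. Raises ValueError for anything not to be fetched.
    """
    parts = urlsplit(user_url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("missing host")
    if _is_internal_address(host):
        raise ValueError(f"internal address refused: {host}")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host}")
    port = f":{parts.port}" if parts.port else ""  # parts.port raises on junk
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{port}{parts.path or '/'}{query}"


def classify(user_url: str) -> str:
    """Return 'allowed' or 'blocked: <reason>' so a log or test can record
    why a request was refused."""
    try:
        hardened_target(user_url)
        return "allowed"
    except ValueError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate call and several that an
    # SSRF-prone fetcher would happily send from inside the network.
    samples = [
        "https://api.example.com/v1/users?id=7",
        "http://127.0.0.1:8080/admin",
        "http://169.254.169.254/latest/meta-data",
        "http://[::1]/",
        "file:///etc/passwd",
        "http://evil.example.net/",
        "https://user:pw@api.example.com/",
    ]
    for url in samples:
        print(f"{url:45} vulnerable -> {vulnerable_target(url)}")
        print(f"{'':45} hardened   -> {classify(url)}")
```

Two caveats a practitioner would add: matching hostnames against an allowlist does not protect against a name that resolves to an internal address after validation (DNS rebinding), so the address the HTTP client actually connects to should be checked as well, and HTTP redirects must either be disabled or re-validated with the same rules, since a permitted host can redirect to an internal one.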

As an entry-level security analyst, you might work in vulnerability management, which is monitoring a system to identify and mitigate vulnerabilities. Although patches and updates may exist, if they are not applied, intrusions can still occur. For this reason, constant monitoring is important. The sooner an organization identifies a vulnerability and addresses it by patching it or updating their systems, the sooner it can be mitigated, reducing the organization’s exposure to the vulnerability.

To learn more about the vulnerabilities explained in this section of the reading, as well as other vulnerabilities, explore the NIST National Vulnerability Database and CISA Known Exploited Vulnerabilities Catalog.

Key takeaways

In this reading, you learned about some risk management strategies and frameworks that can be used to develop organization-wide policies and processes to mitigate threats, risks, and vulnerabilities. You also learned about some of today’s most common threats, risks, and vulnerabilities to business operations. Understanding these concepts can better prepare you to not only protect against, but also mitigate, the types of security-related issues that can harm organizations and people alike.

Resources for more information

To learn more, click the linked terms in this reading. Also, consider exploring the following sites: