Information assets are collections or pieces of data stored, sent, received, or used in an organization; this data can vary in sensitivity, confidentiality, importance, and value. One example of an organization’s information asset is a company’s shared network storage drive, a highly valued collection of data. While access to the shared drive would be mainly for internal users on the organization’s intranet, it may also be accessed remotely by remote employees or by IT/infosec personnel performing maintenance or troubleshooting.
With any information asset, threats, vulnerabilities, and exploits run rampant; the likelihood of potential attacks or dangers varies based on the nature of the data, the systems it is stored on, the organization’s size, funding, or recognition, and the skill and attentiveness of every employee in the organization (not just infosec/IT). A threat, in relation to an information asset, is any demonstrated or expressed desire to damage an asset or render it disabled or unavailable. Threats can also come in the form of human error, such as an IT member improperly configuring the security settings of the organization’s shared network drive.
A vulnerability, in relation to an information asset, is a flaw in the steps and procedures of securing that asset; this often appears in the form of a weakness in the protective measures of a system or network. For example, suppose the intrusion protection system alerts the shared drive’s sysadmin of any unauthorized attempts to gain access by text message, and those messages are sent to a specific work cellphone. That phone may not always be in the sysadmin’s possession, as whoever is on call for the weekend gets the phone assigned to them. If an unauthorized individual then attempts to gain access to the information asset, he or she would have a larger window of time to work in, increasing their ability to successfully penetrate, access, and damage or steal data.
An exploit is a software program or structured system designed to attack an information asset’s vulnerability; by knowing the weak points in the protective layers of an information asset, an individual can carefully build a personalized attack for the information system’s specific defensive measures. When many people hear of an exploit, they think of a hacker furiously typing in code to bypass a system’s firewall, but there are several other types of exploits, such as social engineering attacks, which lead to the collection of the information required to successfully gather or damage data.