Monthly Archives: April 2013

A thought about the essence of vulnerability

I would like to offer a slightly different way of thinking about the concept of vulnerability.
Vulnerability, in the context of information security, refers to one or more weaknesses and, following their exploitation, to the probability of damage to data, information systems and/or processes.

Vulnerability as a concept originates in human life: a human weakness that endangers the body and/or the mind, and thus increases the risk of injury to the person in question.
Vulnerability is something passive, an existing characteristic, one that a person who has it will probably wish to strengthen or fix as soon as possible, in order to reduce the possibility of damage.

When a “regular” software bug affects a system's calculations or processing, its stability or its performance, the bug is usually triggered unintentionally, under certain conditions, some arising from ordinary human operation of the system and some from an automatic process.

Vulnerability, in my view, is a special case of a bug, but an important one: as in many cases in human life, it would not be a bug, nor would it materialize, without human malice (except, perhaps, Denial-of-Service actions, which may (barely) be considered an inability to cope with a high volume of legitimate operational activity).
Vulnerability is a bug that is triggered and realized only when there is malicious human intent behind it.

Both human and computerized systems can exist for a long time without being damaged while a vulnerability exists within them, if they live in an environment that is not hostile or malicious.
Without a human-originated initiative to exploit a vulnerability, we can say that the risk the bug represents does not really exist, because no action has been taken to reveal or exploit it.

Many times, when thinking about information security, we tend to concentrate on its technological side (and therefore look only for technological solutions), and ignore or neglect the aspect of human behavior that is inherent in this profession (as well as in the parallel occupations of safety and physical security) and that is harder for us to deal with, both personally and as an organization: malicious human intent.

(This post is a translation of a post from my Hebrew information security blog, from 10-May-2008)

Opening post

Well, we have to start somewhere. So let’s start here.
My name is Eitan Caspi, from Israel. You will find more information about me and this blog at the “About” page.

Information Security has been my main thing, both at work and as a hobby, for the last, say, 14 years.
Like many things in my life, I found myself in this occupation unintentionally, as I came to know it through my work, not as something I had planned for from my early years.
I learned to love it, and (I hope) I became good at it, so I kind of grew into it.
You know, I didn’t even touch a computer until I turned 22, so I’m not a born geek (but I am now…).

I guess the initial posts in this blog will be posts translated from my Hebrew IS blog, which I have run since 2008, and later on both blogs will carry more-or-less synchronized content.

You can stay updated about new content using RSS (new posts and new comments) and/or via email.

I hope we will all have fun in this blog!