This chapter covers
- Demonstrating the differences between issues, vulnerabilities, threats, and risks
- Enriching our existing model of the three factors of cybersecurity
- Exploring CVE and CVSS scores, learning how to measure the severity of a vulnerability, and learning for yourself how to calculate CVE and CVSS values
- Learning how to apply context to a risk model
- Combining this knowledge to build easy-to-read reports showing the level of risk
As we kick off part 2 of the book, we start looking at things from a purely defensive point of view and go deeper into how to protect ourselves and our organizations from attackers. Although it would be useful to have read the first half of the book, this chapter is written as a standalone reference and can be read in isolation. You might also find it helpful to read chapter 2, where we talk about building a cybersecurity strategy.
One of the biggest areas of confusion in cybersecurity, and one of the biggest barriers to communicating cybersecurity concerns effectively, is the muddle around definitions and key terms. Vendors will often (sometimes deliberately) conflate these terms and use them interchangeably, so let’s lay down some definitions: