> For the complete documentation index, see [llms.txt](https://cybersecurity-cloud-and-it-notes.gitbook.io/kyles-cybersecurity-cloud-and-it-gitbook/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://cybersecurity-cloud-and-it-notes.gitbook.io/kyles-cybersecurity-cloud-and-it-gitbook/google-cybersecurity-professional-cert/2.-play-it-safe-manage-security-risks/manage-common-threats-risks-and-vulnerabilities.md).

# Manage common threats, risks, and vulnerabilities

#### Managing Cybersecurity Threats, Risks, and Vulnerabilities: ADHD-Friendly Edition 🚨👾

Alright! Let’s break down this big cybersecurity topic in a way that keeps things fun, clear, and super digestible. Imagine we’re gearing up to defend a digital kingdom (your organization) from all the evil forces (threats, risks, and vulnerabilities) trying to take it down. Ready to jump in? Let’s go!

***

#### **Risk Management – Keeping Your Digital Castle Safe 🏰**

First up, we need to protect the kingdom's treasure, aka **assets**. Assets are anything valuable, whether it’s gold (physical assets like servers) or secret scrolls (digital assets like employee Social Security Numbers).

**Common Assets Include:**

* **Digital assets:** Personal info like Social Security Numbers (SSNs), dates of birth, bank account details—stuff you really don’t want falling into the wrong hands.
* **Physical assets:** Payment kiosks, desktop computers, office spaces—these are like the castle walls, keeping your operations running smoothly.

But there’s always a chance that danger is lurking, and that’s where **risk management** comes into play.

**How to Manage Risk:**

* **Acceptance:** Sometimes, you just live with a risk. It's like saying, "We'll leave the castle drawbridge down, but we’ll keep an eye on it."
* **Avoidance:** You avoid the risk altogether. Like deciding, “Nope, we're filling in the moat so no one can sneak in that way.”
* **Transference:** Handing the risk off to someone else. Think of hiring a knight to guard the treasure for you.
* **Mitigation:** Lessening the impact. If the dragon attacks, you’ve got water buckets ready to go. 🐉💦

**Helpful Tools (Frameworks):**

Risk management pros use special guides (like **NIST RMF** and **HITRUST**) to map out all the ways to protect their castles.

***

#### **Threats – The Digital Monsters We’re Up Against 👹**

A **threat** is anything that could come and mess with your assets. Think of these like digital monsters trying to breach your kingdom.

**Common Threat Monsters:**

* **Insider Threats:** It’s the sneaky guards or vendors who are supposed to help but end up betraying you from the inside. Think: a knight who’s working with the enemy to steal treasure. 🏴‍☠️
* **Advanced Persistent Threats (APTs):** These are spies who get into the castle and stay hidden, slowly stealing secrets over time. They’re like that super sneaky ninja you didn’t notice.

Your job is to be like a super alert scout, constantly watching for signs of these digital monsters!

***

#### **Risks – What Could Go Wrong ⚠️**

Risks are basically the chances that something bad could happen, like an ambush on your castle.

**Types of Risk:**

* **External Risk:** Bandits or invaders from outside trying to break in (like hackers).
* **Internal Risk:** Sometimes, the danger comes from within the kingdom—disgruntled employees or careless partners.
* **Legacy Systems:** These are like old, creaky parts of your castle, like a crumbling tower that hasn’t been repaired in years but is still technically part of your defenses.
* **Multiparty Risk:** If you’ve got third-party vendors helping you out, but they’re not on the ball, your secrets (trade designs, software, etc.) might be in danger.
* **Software Compliance Risk:** Think of it like rusty armor. If your software isn’t up to date or missing important patches, it's like wearing old armor into battle—it’s just asking for trouble.

🔎 Pro Tip: There are resources like **OWASP** and **NIST** that give lists of top risks and threats, so you can stay updated on the latest danger.

### !\[\[Pasted image 20240904223644.png]]

#### **Vulnerabilities – The Cracks in the Walls 🧱**

**Vulnerabilities** are weaknesses in your defenses. They’re like cracks in your castle walls that the bad guys can use to get in. If not patched up, they can be exploited by threats.

**Common Vulnerabilities:**

* **ProxyLogon:** This one is like a magical portal that lets hackers sneak into your castle (the Microsoft Exchange server) without being noticed.
* **ZeroLogon:** A glitch in the system that lets attackers waltz right through the gates (Netlogon protocol).
* **Log4Shell:** This one lets hackers run wild, planting bad spells (malicious code) on your servers.
* **PetitPotam:** Like a sneaky thief who tricks your system into thinking they belong, and then they steal whatever they want (using NTLM).

❗ The trick with vulnerabilities is to **constantly monitor** for new cracks in the walls. Even if you patch things up once, attackers are always coming up with new tricks, so staying on top of updates is critical.

***

#### **Key Takeaways – Your Defense Plan 🔐**

Here’s what you’ve learned about defending the kingdom:

* **Risks** are what could go wrong (flat tire, traffic), while **threats** are the actual monsters attacking (insider traitors, sneaky ninjas).
* Managing risk means **choosing strategies** like accepting, avoiding, or mitigating it.
* **Threats** include bad actors from inside or outside, and they’re always evolving.
* **Vulnerabilities** are the weak spots in your defenses that need constant attention (or the dragons might get in!).

***

#### 🛡️ Next Steps for You – Stay Informed!

Want to dive deeper? Check out:

* **OWASP Top 10:** Like a guidebook for knowing which digital monsters to watch out for.
* **NIST RMF:** Your map for managing risks and defending your kingdom from all angles.

***

Now you're equipped with the knowledge to start building stronger defenses in the digital world! Let me know if you want to dig deeper into any specific threats or vulnerabilities – there’s always more to learn when defending the kingdom.
