From Twitter came this gem:
This is a cute way of helping people understand the difference between the three concepts. It also helps start to drive conversation around remediation activities and risk assessment.
(Let’s not get too tied down with interpretation; all analogies have holes :-))
What if the door was a bedroom door, rather than a house front door? How does this change the probability of a bear getting in and thus getting mauled? Or does the open bedroom door cause a new threat (room mate seeing you in a position you would find embarrassing)?
Not every risk is identical. An open door leading to a balcony that’s 30 floors up is unlikely to have a bear come through it! If your exposure to the threat is minimal then the risk of exploit is minimal and so your remediation timelines need not be immediate.
When we look at security we tend to have an “attackers will get in” mentality. “Close the door because the bear will get in”. It’s a fair position to take, especially since attackers can chain vulnerabilities together (the front door was open and the bedroom door was open).
So we take a security in depth view; don’t trust a single control (front door was closed, but the kitchen back door was open) but layer controls. More prosaically, don’t assume that firewalls will keep out attackers; there are other ways of getting remote code execution (email client bugs, phishing, desktop vulnerabilities, bad code… or even a simple misconfigured firewall!)
This “in depth” view should use different types of controls that overlap. So you wouldn’t run two different virus scanning tools on your desktop; instead you may run a virus scanner and a firewall (to block outgoing connections to untrusted sites) and a filtering proxy (for trusted outgoing connections) and…; controls that may overlap (the proxy may do virus scanning as well) but do other stuff; if you do get infected then the code can’t reach out to the IRC control channel because of the firewall; it can’t download more payload because of the proxy.
Conclusion
When you identify a vulnerability you should evaluate the threat and the risk to your environment. What’s the worst case scenario of the vulnerability is exploited? What’s the chance that it will be exploited? What mitigations do you have in place to prevent the attack vector from being exploited?
Remember, though, that sometimes you have invited the bear in (insider threat from disgruntled employees). That needs to form part of your risk assessment!