Topic 1.3 shifts to security. Before you can protect a device you have to identify what could go wrong: the threats it faces, the vulnerabilities it has, and the data worth protecting. This is the identification half of the Secure skill.
Threats, Vulnerabilities, and Risk
These three words are often used loosely, but AP Networking treats them as distinct ideas, and questions often hinge on the difference.
| Term | Meaning | Example |
| --- | --- | --- |
| Threat | Something that could cause harm | An attacker trying stolen passwords |
| Vulnerability | A weakness a threat can exploit | A device with no screen lock |
| Risk | The chance and impact of a threat meeting a vulnerability | Likely account takeover on an unlocked, unattended device |
A threat with no matching vulnerability is low risk, and a vulnerability with no realistic threat is low risk. Risk lives where the two overlap. Good security spends effort where that overlap is largest.
Common Threats to a Single Device
- Unauthorized physical access: someone picking up an unlocked, unattended device.
- Malicious software: programs that steal data, encrypt files for ransom, or hand control to an attacker.
- Credential attacks: guessing, stealing, or reusing passwords to log in as you.
- Deceptive messages: tricking a user into revealing information or installing something harmful.
- Data interception: capturing information as it leaves the device over an untrusted network.
Identifying What Is Worth Protecting
Not all data carries the same weight. Part of identifying security needs is recognizing which information demands stronger protection.
- Personal information that could identify or harm someone if exposed.
- Credentials that unlock other accounts and systems.
- Financial data, which may also be governed by regulations.
- Work or school data entrusted to you by an organization.
Classifying data by sensitivity tells you where to concentrate the protective controls you will apply in Topic 1.4.
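The overlap idea and the data-sensitivity idea can be combined into a small risk register. This is an added example, not part of the original study guide: the 1-5 scores, the likelihood-times-impact formula, and every vulnerability name other than "no screen lock" are constructed assumptions chosen for illustration.

```python
# Added illustration: a small risk register for a single device.
# All scores (1-5 scales) and device facts below are constructed assumptions.

# Each threat from the list above, the weakness it needs, and its likelihood (1-5).
THREATS = {
    "unauthorized physical access": ("no screen lock", 4),
    "malicious software": ("unpatched software", 3),
    "credential attacks": ("reused password", 4),
    "deceptive messages": ("untrained user", 3),
    "data interception": ("unencrypted traffic on untrusted network", 2),
}

# Sensitivity of each data class a successful attack could expose (1-5).
SENSITIVITY = {"personal": 3, "credentials": 5, "financial": 5, "school": 2}


def rank_risks(device_vulns, data_on_device):
    """Return (threat, score) pairs, highest risk first.

    Risk = likelihood x impact, counted only where a threat meets a
    vulnerability the device actually has. A threat with no matching
    vulnerability is scored 0 here, a simplification of "low risk".
    Impact is taken from the most sensitive data class on the device.
    """
    impact = max((SENSITIVITY[d] for d in data_on_device), default=0)
    register = []
    for threat, (needed_vuln, likelihood) in THREATS.items():
        overlap = needed_vuln in device_vulns
        register.append((threat, likelihood * impact if overlap else 0))
    # sorted() is stable, so ties keep the order of the THREATS table.
    return sorted(register, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    # Constructed sample device: two weaknesses, two kinds of data.
    laptop_vulns = {"no screen lock", "reused password"}
    laptop_data = ["personal", "school"]
    for threat, score in rank_risks(laptop_vulns, laptop_data):
        print(f"{score:>2}  {threat}")
```

Adding "financial" to the sample data raises every non-zero score without changing which threats overlap, which shows why the same weakness matters more on a device holding more sensitive data.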
The CIA Triad
Security goals are commonly organized around three ideas you will see throughout the course.
- Confidentiality: only authorized people can read the data.
- Integrity: the data is accurate and has not been tampered with.
- Availability: the data and device are usable when needed.
Every control you choose serves one or more of these goals, and strong security balances all three rather than maximizing one at the expense of the others.
Practice Questions
A laptop has no screen lock. In security terms, the missing lock is BEST described as which of the following?
- A. A threat
- B. A vulnerability
- C. A risk reduction
- D. An availability control
Answer: B. The missing lock is a weakness that a threat (unauthorized physical access) can exploit. A weakness that can be exploited is a vulnerability; the threat is the actor or event, and risk is the overlap of the two.
Which goal of the CIA triad is MOST directly harmed when ransomware encrypts a user's files so they cannot open them?
- A. Confidentiality
- B. Integrity
- C. Availability
- D. Authentication
Answer: C. Ransomware that blocks access to files primarily harms availability: the data is no longer usable when needed. It may also touch confidentiality, but the defining harm here is loss of access.
Frequently Asked Questions
What is the difference between a threat and a vulnerability?
A threat is something that could cause harm; a vulnerability is a weakness it can exploit. Risk is the overlap: the chance and impact of a threat meeting a vulnerability.
What is the CIA triad?
Confidentiality, integrity, and availability: the three goals of security. Strong security balances all three rather than maximizing one.
Why classify data by sensitivity?
Because not all data carries the same weight. Identifying which data is most sensitive tells you where to concentrate your protective controls.