The concepts that matter
You don't need a security degree to defend an estate well. You need a working model of three things: how a weakness gets a name and a number, how attackers chain weaknesses into an intrusion, and where in that chain you can cheaply break it. This page builds that model. The glossary has the rest.
1. How a weakness becomes a number
When researchers find a flaw in software, it gets catalogued. Several systems describe different facets of the same flaw — they are complementary, not competing.
CVE — Common Vulnerabilities and Exposures. The identifier. CVE-2024-3400 is the name for one specific flaw, assigned by a CVE Numbering Authority (often the vendor). A CVE ID alone tells you nothing about severity — it's just a stable handle so everyone is talking about the same bug. On this site, any CVE ID resolves at /tag/cve-2024-3400 to a grounded summary.
CVSS — Common Vulnerability Scoring System. The 0–10 severity score. It rolls up "how hard is this to exploit" (attack vector, complexity, privileges/interaction needed) and "how bad is the outcome" (confidentiality/integrity/availability impact). 9.0–10.0 = critical, 7.0–8.9 = high. Useful, but it describes the bug in the abstract — it does not know whether anyone is actually exploiting it, or whether the affected box is exposed in your environment.
EPSS — Exploit Prediction Scoring System. A probability (0–100%) that a given CVE will be exploited in the wild in the next 30 days, derived from observed activity. A CVSS 9.8 with an EPSS of 0.2% is a different bedtime than a CVSS 7.5 with an EPSS of 70%. Use CVSS for how bad if used, EPSS for how likely to be used.
KEV — CISA's Known Exploited Vulnerabilities catalog. The definitive "drop what you're doing" list. KEV lists CVEs that are confirmed exploited in the wild — not predicted, observed. US federal agencies must patch KEV entries on a deadline (under Binding Operational Directive 22-01); for everyone else it's the single best "patch this now" list anyone publishes. On this site, KEV entries are flagged with 🚨 and drive the patch-lag view.
CWE — Common Weakness Enumeration / "vulnerability class". The category of mistake: CWE-78 is OS command injection, CWE-502 is unsafe deserialization, CWE-22 is path traversal. One CWE spawns thousands of CVEs. Knowing the class tells you what kind of defence helps (input validation, sandboxing, dropping a feature) and lets you spot a pattern — "that's the third deserialization bug in this product this year." This site groups CVEs into ~18 classes; browse one at /class/rce, /class/auth-bypass, /class/deserialization, and so on.
MITRE ATT&CK. Not a vulnerability database — a catalogue of what attackers do once they're in: tactics (the goals — Initial Access, Persistence, Privilege Escalation, Lateral Movement, Exfiltration, Impact) and techniques (the specific moves, each with an ID like T1190 — "Exploit Public-Facing Application", or T1486 — "Data Encrypted for Impact"). It's the shared language for describing intrusions and for asking "would we even see this?" Browse a technique on this site at /technique/T1190.
A useful one-liner to keep:
CVE is the what. CWE is the what kind of mistake. CVSS is how bad in theory. EPSS/KEV is how real right now. ATT&CK is what they'll do with it.
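To make the one-liner concrete, here is an added example (not from this site's code) that ranks a constructed list of findings the way the section argues: KEV first, then EPSS for likelihood, then CVSS for impact, with exposure at the edge as the tie-breaker. The EPSS thresholds, tier names and the CVE-0000-xxxx placeholder identifiers are assumptions made for the example.

```python
# Added example: triage ranking that follows "CVSS = how bad, EPSS/KEV = how real".
# EPSS thresholds and tier names are assumptions; CVSS bands are the standard ones.
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str               # identifier only; says nothing about severity by itself
    cvss: float            # 0-10, "how bad if used"
    epss: float            # 0.0-1.0, probability of exploitation in the next 30 days
    kev: bool              # on CISA KEV: confirmed exploited in the wild, not predicted
    internet_facing: bool  # reachable from the internet in our own estate


def priority(f: Finding) -> str:
    """Map one finding to a patch tier (tier names are our own convention)."""
    if f.kev and f.internet_facing:
        return "P1-now"           # patch on KEV's clock, not the vendor's
    if f.kev or (f.epss >= 0.10 and f.internet_facing):
        return "P2-this-week"
    if f.cvss >= 9.0 or f.epss >= 0.10:
        return "P3-this-cycle"
    return "P4-backlog"           # backlog, not ignore: may be the second half of a chain


TIER_ORDER = {"P1-now": 0, "P2-this-week": 1, "P3-this-cycle": 2, "P4-backlog": 3}


def rank(findings):
    """Order by tier, then EPSS descending, then CVSS descending."""
    return sorted(findings, key=lambda f: (TIER_ORDER[priority(f)], -f.epss, -f.cvss))


# Constructed sample data: placeholder IDs and illustrative scores, not real records.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.002, False, True),   # critical on paper, rarely used
    Finding("CVE-0000-0002", 7.5, 0.70, False, True),    # only "high", but very likely used
    Finding("CVE-0000-0003", 8.8, 0.95, True, True),     # KEV and exposed: drop everything
    Finding("CVE-0000-0004", 5.5, 0.01, False, False),   # local bug: chain material, not noise
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{priority(f):14} {f.cve}  cvss={f.cvss}  epss={f.epss:.1%}")
```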
2. The cast: threat actors
Not all attackers are the same, and the difference changes your priorities.
- Opportunistic / commodity — automated scanning for known-vulnerable, exposed systems, plus mass phishing. Volume, not precision. Most of what hits a small Icelandic org is this. Defence: patch the edge fast, kill default credentials, MFA everywhere.
- Ransomware crews and their affiliates (RaaS — Ransomware-as-a-Service). A platform model: a core group builds the malware and the leak site; "affiliates" do the break-ins and share the payout. They are not picky — a parts wholesaler is as good as a bank if the data sells or the downtime hurts. Modern crews do double extortion: encrypt and leak. This site tracks their public victim lists in /ransomware.
- APT — Advanced Persistent Threat. State-aligned groups, long-game, quiet, after access or information rather than a quick payout. Less likely to target a mid-size Icelandic shop directly, more likely to reach you through a supplier — which is why supply-chain hygiene matters here more than its reputation suggests.
- Insiders and "accidental adversaries" — a misconfigured bucket, an over-permissioned API, a contractor who kept their VPN account, a forgotten admin panel. No malware, no mastermind — just something left open. The dullest root cause in most breach reports, and the one a checklist actually fixes.
3. How an attack actually unfolds
Pick almost any breach report and it follows the same skeleton. Mapping it to ATT&CK tactics:
- Reconnaissance — find exposed things. Shodan/Censys-style scanning, certificate transparency logs, leaked credentials, LinkedIn for names. Cheap and constant.
- Initial Access (TA0001) — get a foothold. In practice this is overwhelmingly one of two doors: a known, unpatched, internet-facing device (VPN gateway, firewall, mail security appliance, file-transfer tool — T1190, "Exploit Public-Facing Application") or a person (phishing, T1566). Valid stolen credentials (T1078) are a third.
- Execution & Persistence (TA0002/TA0003) — run code, then make sure it survives a reboot: a service, a scheduled task, a web shell, a rogue account.
- Privilege Escalation (TA0004) — go from "a user" to "admin/SYSTEM/root". Often a second CVE — a local privilege escalation (LPE) — chained behind the first. This is why "low-severity local bug, ignore it" is a trap: it's the second half of someone's chain.
- Defense Evasion & Credential Access (TA0005/TA0006) — disable the EDR, clear logs, dump credentials from memory (LSASS on Windows), grab the password database.
- Lateral Movement (TA0008) — hop from the beachhead to the things that matter: domain controller, backup server, hypervisor, finance system. Flat networks make this trivial.
- Collection & Exfiltration (TA0009/TA0010) — stage and steal the data. (This is the part that makes it a notifiable event under Icelandic data-protection law — see the defender handbook §4.)
- Impact (TA0040) — encrypt for ransom (T1486), wipe, or just leave with the data and threaten to publish.
Two takeaways an admin can act on:
- The edge is the door. The single highest-leverage habit is patching internet-facing appliances on KEV's clock, not the vendor's quarterly cadence. The patch-lag view exists to make that gap visible for Iceland.
- Attacks are chains; you only have to break one link. MFA on the VPN, network segmentation between the office LAN and the server VLAN, offline backups, an EDR that isn't trivially killable — each one breaks the chain somewhere. You don't need all of them perfect.
4. Where this happens in Iceland — three things to carry into the handbook
- Iceland's internet is small and concentrated: one peering point (RIX), one .is registry (ISNIC), a handful of hosting operators (1984 ehf, Advania, OrangeWebsite/IceNetworks, the telcos Síminn/Míla, Vodafone, Nova) carrying most of what's reachable. A single operator's bad day is more easily a national-scale incident than elsewhere.
- The 72-hour clock to Persónuvernd runs from awareness, not from occurrence. Have the runbook before you need it.
- The acronym soup — CERT-IS (national CSIRT, at the Ministry for Foreign Affairs since Feb 2025), Fjarskiptastofa (telecom + cybersecurity regulator), NIS2 (coming), DORA (lög 78/2025, already in force for the financial sector) — all in the defender handbook with who-calls-whom tables, the laws, the case history, and a 14-item checklist. The dashboard reading guide explains how this site's live IoC view is built.
Next
- Iceland defender handbook → — the local infrastructure, the defenders, the law, the cases, the 14-item checklist.
- Iceland IoC dashboard reading guide → — how the live threat-indicator view is built.
- Glossary → — everything above plus the terms this page didn't have room for.
- Iceland Security Dashboard → — see the concepts above as live data.
- Long-form analysis on the site: digital sovereignty & concentration · supply-chain attack patterns · the patch-lag index.
Drafted with AI assistance, reviewed by a working Icelandic sysadmin. Corrections and requests: admin@1881.is.