Thursday, May 05, 2005

Risk, Threat, and Vulnerability 101

In my last entry I took some heat from an anonymous poster who seems to think I invent definitions of security terms. I thought it might be helpful to reference discussions of terms like risk, threat, and vulnerability in various documents readers would recognize.

Let's start with NIST publication SP 800-30: Risk Management Guide for Information Technology Systems. In the text we read:

"Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system."

The document outlines common threats:

  • Natural Threats: Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.

  • Human Threats: Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential information).

  • Environmental Threats: Long-term power failure, pollution, chemicals, liquid leakage.


I see no mention of software weaknesses or coding problems there. So how does NIST define a vulnerability?

"Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy."

The NIST pub's threat-vulnerability pairings table makes the difference between the two terms very clear: each row names a threat-source on one side and the weakness it could exercise on the other.



SP 800-30 talks about how to perform a risk assessment. Part of the process is threat identification and vulnerability identification. Sources of threat data include "history of system attack, data from intelligence agencies, NIPC, OIG, FedCIRC, and mass media," while sources of vulnerability data are "reports from prior risk assessments, any audit comments, security requirements, and security test results."
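To make the three terms concrete, here is an added example (my own code, not from the post, NIST, or Microsoft) that walks through the SP 800-30 process the paragraph describes: identify threat-sources, identify vulnerabilities, pair them, adjust likelihood for existing controls, and derive a risk level. The threat-sources, vulnerabilities and controls are constructed sample data. The likelihood weights (1.0/0.5/0.1), impact weights (100/50/10) and risk bands are SP 800-30's risk-level matrix as I recall it; verify them against the publication before reusing the numbers.

```python
"""Threat-vulnerability pairing and risk levelling in the style of NIST SP 800-30.

Added example, not code from the original post or from NIST/Microsoft.
A threat-source is an actor or situation; a vulnerability is a weakness;
risk is the measure attached to a (threat-source, vulnerability) pair.
"""
from dataclasses import dataclass

LEVELS = ["Low", "Medium", "High"]
# Numeric weights and bands as the editor recalls SP 800-30's risk-level
# matrix; this is an assumption to check against the publication.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}


def lower(level: str) -> str:
    """Drop a qualitative level one step (High -> Medium -> Low -> Low)."""
    return LEVELS[max(LEVELS.index(level) - 1, 0)]


@dataclass(frozen=True)
class ThreatSource:
    name: str
    kind: str               # "natural", "human" or "environmental", SP 800-30's grouping
    methods: frozenset      # ways this source can exercise a vulnerability
    capability: str         # High/Medium/Low: motivation+capability (human) or frequency


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exercised_by: frozenset  # methods that could trigger or exploit this weakness
    impact: str              # High/Medium/Low impact on the organisation if exercised


@dataclass(frozen=True)
class Control:
    mitigates: str           # name of the vulnerability the control addresses
    effective: bool          # True only if it demonstrably reduces likelihood


def pair_threats(threats, vulns):
    """A pair exists only when a threat-source has a method that can exercise
    the weakness: a flood cannot exploit an unpatched web server, and a remote
    attacker cannot exploit a missing sump pump."""
    return [(t, v) for t in threats for v in vulns if t.methods & v.exercised_by]


def unpaired_threats(threats, vulns):
    """Threat-sources with no vulnerability to exercise: a threat, but no risk."""
    paired = {t for t, _ in pair_threats(threats, vulns)}
    return [t.name for t in threats if t not in paired]


def likelihood(threat, vuln, controls):
    """Start from the threat-source's capability and credit effective controls
    in place for that vulnerability, as SP 800-30 directs."""
    level = threat.capability
    for c in controls:
        if c.mitigates == vuln.name and c.effective:
            level = lower(level)
    return level


def risk_level(likelihood_level, impact_level):
    """Likelihood x impact mapped onto Low (1-10), Medium (>10-50), High (>50-100)."""
    score = LIKELIHOOD_WEIGHT[likelihood_level] * IMPACT_WEIGHT[impact_level]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(threats, vulns, controls):
    """One row per threat-vulnerability pair with its derived risk level."""
    rows = []
    for t, v in pair_threats(threats, vulns):
        lk = likelihood(t, v, controls)
        rows.append({"threat": t.name, "vulnerability": v.name, "likelihood": lk,
                     "impact": v.impact, "risk": risk_level(lk, v.impact)})
    return rows


# Constructed sample data (hypothetical organisation).
THREATS = [
    ThreatSource("Flood", "natural", frozenset({"water"}), "Low"),
    ThreatSource("Disgruntled former employee", "human",
                 frozenset({"remote_login", "social"}), "High"),
    ThreatSource("Internet attacker", "human",
                 frozenset({"network_attack", "remote_login"}), "Medium"),
    ThreatSource("Long-term power failure", "environmental",
                 frozenset({"power_loss"}), "Medium"),
]
VULNS = [
    Vulnerability("Server room below grade, no sump pump", frozenset({"water"}), "High"),
    Vulnerability("Terminated staff accounts not removed", frozenset({"remote_login"}), "High"),
    Vulnerability("Unpatched web server", frozenset({"network_attack"}), "Medium"),
]
CONTROLS = [
    Control("Unpatched web server", effective=True),   # e.g. firewall limits reachability
]

if __name__ == "__main__":
    for row in assess(THREATS, VULNS, CONTROLS):
        print(f"{row['threat']!s:28} x {row['vulnerability']!s:40} -> {row['risk']}")
    print("threats with nothing to exercise:", unpaired_threats(THREATS, VULNS))
```

Note what falls out of the pairing step: the power-failure threat-source is real but produces no risk row because the sample inventory lists no weakness it can exercise, and the patched-and-firewalled web server drops to Low even against a capable attacker. That is the distinction the post is making: the actor and the weakness are different things, and risk is what you get when you put a matching pair together.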

The end of SP 800-30 provides a glossary:


  • Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

  • Threat-source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.

  • Threat Analysis: The examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.

  • Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.


For those of you in Microsoft-only shops, consider their take on the problem in The Security Risk Management Guide. Chapter 1 offers these definitions:

  • Risk: The combination of the probability of an event and its consequence. (ISO Guide 73)

  • Risk management: The process of determining an acceptable level of risk, assessing the current level of risk, taking steps to reduce risk to the acceptable level, and maintaining that level of risk.

  • Threat: A potential cause of an unwanted impact to a system or organization. (ISO 13335-1)

  • Vulnerability: Any weakness, administrative process, or act or physical exposure that makes an information asset susceptible to exploit by a threat.


Microsoft then offers separate appendices with common threats and vulnerabilities. Their threats include catastrophic incidents, mechanical failures, malicious persons, and non-malicious persons, all with examples. Microsoft's vulnerabilities include physical, natural, hardware, software, media, communications, and human. Microsoft clearly delineates between threats and vulnerabilities by breaking out these two concepts.

I'd like to add that the comment on my earlier posting said I should look up "threat" at dictionary.com. I'd rather not think that "security professionals" use a dictionary as the source of their "professional" understanding of their terms. Still, I'll debate on those grounds. The poster wrote that dictionary.com delivers "something that is a source of danger" as its definition. Here is what that site actually says:

  1. An expression of an intention to inflict pain, injury, evil, or punishment.

  2. An indication of impending danger or harm.

  3. One that is regarded as a possible danger; a menace.


Remember what we are debating here. I am concerned that so-called "security professionals" are mixing and matching the terms "threat" and "vulnerability" and "risk" to suit their fancy.

Here's vulnerability, or actually "vulnerable":

  1. Susceptible to physical or emotional injury.

  2. Susceptible to attack: “We are vulnerable both by water and land, without either fleet or army” (Alexander Hamilton).

  3. Open to censure or criticism; assailable.

  4. Liable to succumb, as to persuasion or temptation.


You'll see both words are nouns. But -- a threat is a party, an actor, and a vulnerability is a condition, a weakness. Threats exploit vulnerabilities.

Finally, risk:

  1. The possibility of suffering harm or loss; danger.


Risk is also a noun, but it is a measure of possibility. These are three distinct terms. It is not my problem that I define them properly, in accordance with others who think clearly! I am not inventing any new terms. I'm using them correctly.

I'd like to thank Gunnar Peterson for reminding me of the NIST and Microsoft docs.

5 comments:

Anonymous said...

I just wanted to say thank you for properly educating that anon poster.
-LonerVamp

Anonymous said...

Richard:

Regardless of whether Microsoft, NIST, or CERT/CC use these terms as you do, I think Anonymous was (awkwardly) making a reasonable point.

That point essentially is that information security is an immature discipline that is still forming its own terminology (and taxonomy, for that matter). As the field matures, a certain terminological consensus will undoubtedly form, but for now there remains the potential for different people, each of whom is an acknowledged expert, to disagree. Indeed, some may even be sloppy, or think that others are drawing a distinction without a difference. Reacting harshly to such matters, I would argue, is neither called for nor productive, in my view.

As a final note, as Dan Geer so often points out, information security currently benefits from hybrid vigor, since the most knowledgeable in the field received their formal training in something else. I personally find it amusing that in discussing potential bad events and what we can do to manage them effectively, we who practice information security have opted to use our own terms for things which the insurance world already has perfectly good words for ("peril", "hazard"). Except for Quarterman's, I don't read any insurance blogs, but I suspect they aren't chiding us for our terminology, although I suppose by one set of criteria they might.

Anonymous said...

LOL! You guys are getting way too serious with this.

vulnerability - being a little guy in prison
threat - lots of big guys hopped up on testosterone
risk - bending over to pick up your soap in the shower
