Friday, July 08, 2005

Cool Site Unfortunately Miscategorizes Threats

While I was chatting with Aaron Higbee of the SecureMe Blog yesterday, he mentioned a cool new site: Threats and Countermeasures. A majority of the contributors are Foundstone consultants, and parent company McAfee is paying the bills.

Anyone who's been reading my blog for a while knows of my linguistic crusade involving words in the standard risk equation, with risk being a product of threat, vulnerability, and asset value. (See Risk, Threat, and Vulnerability 101, OCTAVE Properly Distinguishes Between Threats and Vulnerabilities, SANS Confuses Threats with Vulnerabilities, and The Dynamic Duo Discuss Digital Risk.)

How does the Threats and Countermeasures site match proper definitions? At left is a screen shot of the site's main knowledge base menu. I don't see the word threat being used correctly here. "Default network appliance passwords" aren't threats; those are vulnerabilities. "Running unnecessary services" is a vulnerability, as is "weak security around scripting extensions."

Perusing T&C, I don't see threat used properly. Most of the content described as "threats" is really attacks. The Cross Site Scripting page is a good example. All of the content listed under "Threats" consists of attacks or exploits. The content under "Attacks" appears to be specific examples of the material listed under "Threats".

So what is going on here? Obviously the guys who put together Threats and Countermeasures are security experts. Besides their knowledge base, the site offers an impressive collection of blogs that I recommend reading.

I think part of the problem is the warped view of threats promulgated by T&C owner Foundstone. It all began with the announcement of their so-called Threat Correlation Module for the Foundstone "Enterprise Risk Solution" suite. Back in late 2003 when this announcement was made (and I was working for Foundstone), marketing folks realized the terms "vulnerability" and "vulnerability management" were no longer a way to differentiate a company in the market. Vulnerability management was becoming commoditized, so companies began pushing the terms "risk" (e.g., "Enterprise Risk Solution") and "threat."

I was initially interested in being part of Foundstone's new Threat Intelligence team, supporting the Threat Correlation Module. I thought this would be a cool opportunity to deploy honeynets, interact with the "underground," and collect intelligence on the parties that conduct attacks. Instead I was told I would monitor disclosure sites -- BugTraq and the like -- and populate Foundstone's database with that information. At one point I was told that a "hole in OpenSSH" is a "threat," when clearly that is a vulnerability. Shortly after I realized Foundstone's view of "threat" was a new way to market vulnerability data, I left the company.

This is not to say that Foundstone's product is bad. On the contrary, I think it is very powerful. The idea of correlating new vulnerability information against a database of enterprise assets, and measuring the risk to an organization, is excellent. It's just too bad the product and concept are misnamed.

While it is difficult to misuse the term risk (risk being defined as the probability of suffering harm or loss), it is too easy to misuse "threat." As a reminder, a vulnerability is a weakness in an asset which could lead to exploitation. A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset.

With few exceptions, no security vendors deal with threats. There are only two ways to gather information on threats: passive interaction or active interaction. Passive interaction means watching threats as they conduct reconnaissance, exploit targets, and pillage assets. Active interaction means communicating with the threats themselves, through email, voice, and other means.

Two organizations I know that deal with threats in an unclassified environment include The Honeynet Project and iDEFENSE. The former mainly learns about threats by watching them compromise honeynets, while the latter pursues and communicates with threats. Managed security monitoring providers who look for more than worms can also be considered threat-aware; examples include NetSec and LURHQ.

I guess the "threat" concept is just too sexy for most security vendors to avoid. Even people who should know better, like Bruce Schneier, misuse the terms threat and vulnerability. (See my review of Beyond Fear; it's the second on that page.) Although I will probably be seen as stepping on the toes of smart security people, I will not stop pointing out when those important terms are misused.

8 comments:

Anonymous said...

Threat
Vulnerability

Richard Bejtlich said...

The Wikipedia definition of vulnerability looks ok. The threat definition is horrible.

"A threat is an unwanted (deliberate or accidental) event that may result in harm to an asset."

Since when is a threat an event?

"Examples are a robbery, kidnapping, hijacking, extortion, blackmail."

Good grief.

Alice: "I was just robbed. That was quite a threat!"

Bob: "No kidding. I was kidnapped!"

Wikipedia is proof that the quality of thought is not measured by the appearance of a Web interface.

Anonymous said...

... Wikipedia is proof that the quality of thought is not measured by the appearance of a Web interface.

Wikipedia is nothing more (or less) than the result of its contributors' provided info/knowledge. The point I was trying to make, by presenting those definitions to you, was that you could definitely help in improving those terms, in a place much more popular in regards to community access than any blog ... TIA

Richard Bejtlich said...

I see. I could try, like I did with a few other security-related terms. I could then also watch those changes be undone by people with the spare time needed to "guard" Wiki entries! :)

Anonymous said...

From what I hear, _Microsoft_ is paying the bills; ie, Microsoft is paying Foundstone to set this up. I'll bet you won't find too many unkind words about Microsoft on these blogs ;-)

Richard Bejtlich said...

You are correct. You might even be the person who told me that, and I promptly forgot to mention it! Thank you.

BTW, Microsoft's record on proper terminology is ok, but it could be a lot better.

Anonymous said...

This is Mark Curphey at Foundstone; I was involved in setting up the site. One of the nice things about this being a Wiki is you can come along and suggest changes right there right now. The whole point is to move towards convergence on terms and definitions. We would welcome you getting involved, making changes, and letting the community see what is the best way forward. I agree with your synopsis 100% BTW. I am ANAL about definitions and taxonomies. See my post about the OWASP Top Ten to webappsec this weekend for proof ;-)

Richard Bejtlich said...

Hi Mark,

Thanks for posting here. I appreciate your input and I am honored you consider my opinions worthwhile.