Monday, May 29, 2006

Threat Term Used Properly in Government Report

It's time once again to talk about threats! Yes, you guessed it. While reading back issues of FCW I encountered good -- and bad -- uses of the term "threat." Mostly, threat was used where vulnerability should have appeared. Let's briefly review the definition I provided in my books:

A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset.

A vulnerability is a weakness in an asset that could lead to exploitation.


For example, an intruder (the threat) exploits a hole (the vulnerability) in Microsoft IIS to gain remote control of a Web server. In other words, threats exploit vulnerabilities.

I've written about proper use of the term threat many times before. Let's look at a few examples from FCW that show why it's important to use the right term when communicating among security professionals.

First, consider the article Cybersecurity research plan identifies threats. The story discusses the Federal Plan for Cyber Security and Information Assurance Research and Development (.pdf).

Using proper terminology, I would expect this article to discuss plans by mostly law enforcement, intelligence, and military groups to investigate organized crime, state-sponsored groups, foreign intelligence services, and so on. Perhaps honeypot operators would also be involved tracking botnet herders and the like. I can't tell from reading the article. Here are two places where "threat" is used:

The report identifies critical threats to the nation’s information technology infrastructure and recommends that the government pay for research that would enable manufacturers to build IT security safeguards into infrastructure systems before they are delivered to power plants or other high-risk facilities.

That sounds like a discussion of vulnerabilities. When the term "safeguard" is used, it's a synonym for "countermeasure."

One of the action points is the following:

Focusing on threats with the greatest potential impact.

Again, I can't tell if the article is correctly referring to malicious parties, or incorrectly referring to the most serious vulnerabilities.

Thankfully, when I read the report, I see proper terminology in play:

Cyber threats are asymmetric, surreptitious, and constantly evolving - a single individual or a small group anywhere in the world can inexpensively and secretly attempt to penetrate systems containing vital information or mount damaging attacks on critical infrastructures. Attack tools and resources. (p. ix)

Bravo. Page 5 offers definitions:

A vulnerability is a flaw or weakness in the design or implementation of hardware, software, networks, or computer-based systems, including security procedures and controls associated with the systems. Vulnerabilities can be intentionally or unintentionally exploited to adversely affect an organization's operations (including missions, functions, and public confidence), assets, or personnel.

A threat is any circumstance or event with the potential to intentionally or unintentionally exploit one or more vulnerabilities in a system resulting in a loss of confidentiality, integrity, or availability. Threats are implemented by threat agents. Examples of threat agents are malicious hackers, organized crime, insiders (including system administrators and developers), terrorists, and nation states.

Risk is a combination of the likelihood that a particular vulnerability in an organization's systems will be either intentionally or unintentionally exploited by a particular threat agent and the magnitude of the potential harm to the organization's operations, assets, or personnel that could result from the loss of confidentiality, integrity, or availability.


Notice this report recognizes that vulnerability and threat are not synonyms! The report later names Malicious Hackers, Organized Crime, Terrorists, and Nation States as threats.

Let's close with an example of how not to use the term threat: SCADA on thin ice: Industrial control systems pose little-noticed security threat. "Little-noticed threat"? Maybe SCADA is little noticed as a "threat" because it suffers vulnerabilities.

Elsewhere in the story, however, the term vulnerability is used properly, and threat doesn't make a repeat appearance, save the following. For example:

Control systems security is one of six areas of critical vulnerabilities Borg included in a new cybersecurity checklist released in April by the research group...

Even if a facility has not been attacked, that doesn’t mean it’s secure or the threat isn’t real, said Michael Assante.


What is happening here? Reporters usually don't choose the titles for their stories. My guess is some editor at FCW decided to use the term "threat" where "vulnerability" should have appeared. Threat is shorter (fewer syllables = good) and sexier -- too bad it's wrong in this case.

2 comments:

Anonymous said...

I find inspiration in your blog entry.
A tale of bunnies and kitties.

Anonymous said...

The report did not name "malicious hackers, organized crime, terrorists, and nation states" as threats. It named them as "threat agents." A single threat agent may potentially exploit "one or more vulnerabilities," from which arises one or more threats. You haven't fully defined a threat unless you've defined not only the threat agent but also the vulnerability being exploited and the resulting negative consequence.

"Lightning" is a threat agent, not a threat. From that threat agent may arise several threats (e.g., "lightning exploits the human body's vulnerability to being damaged by electrical current to kill", "lightning exploits a server's vulnerability to a voltage spike to render the server inoperative", etc.)

You're dead on in your criticism of confusing the terms "vulnerability" and "threat." Unfortunately, you misuse the term "threat," yourself.