What do you mean threat?
This is in reply to Richard Bejtlich’s post, “Someone Please Explain Threats to Microsoft.” Richard takes issue with people (especially those who should know better) who misuse defined terms. We say a lot of things expecting those who listen or read to understand “what we mean.” I hope this post clarifies some of that, and what I believe is the proper definition of threat.
A threat is the mere possibility that an attacker will exploit a vulnerability to compromise an asset. The attacker is not a threat by himself, for he needs a vulnerability to exist. Richard uses the term “threat agent” to describe an attacker or malware that can exploit a vulnerability. Threats depend on an attacker (or threat agent), the presence of a vulnerability, and the possibility of exploitation. You would not call someone a threat agent who lacks the ability to exploit a vulnerability, and who thus poses no threat to you. In other words, I don’t think an attacker poses a threat if he cannot exploit a vulnerability. Looking back, that first sentence might be a little confusing, but I don’t have any other way of describing it. Maybe a visual, some hand waving and throwing a Shmooball at you will help you understand it. :P
In his book, The Tao of Network Security Monitoring, Richard describes a threat as “a party with the capabilities and intentions to exploit a vulnerability in an asset.” That’s exactly right… a threat is a party! Party as in music, beer, people — like your average birthday or Christmas party. It is made up of multiple factors that exhibit various characteristics. A party does not imply an individual, and therefore a threat is not individualistic in nature.
Sometimes we say different things because we expect people to understand what we mean (even though we are wrong), and we tend to forget how we had defined them. It’s what makes us human and what differentiates us from computers. I can’t tell how this differs from Richard’s definition of threat, or if this is what he means. It feels like, as of late, his definition has veered and taken on a slightly different meaning.

Hi Marcin,
I think you might be misinterpreting what I mean. See
http://taosecurity.blogspot.com/2003/10/dynamic-duo-discuss-digital-risk.html
and tell me what you think.
on the matter of terminology, be careful with the use of “vulnerability” as it has, in some circles, taken on the meaning of being the result of a mistake or error in the design/implementation of a system…
i mention this because a threat agent can pose a threat without the existence of such a ‘mistake’…
Very entertaining Richard. Would make a good comic book handout at conferences.
Maybe I’m not being descriptive enough, but I believe the chance of something happening is the “threat.” It is nothing without all the other factors weighed in: vulnerability, attacker, exploitability.
Or maybe I’m just wrong… I can’t seem to put my thoughts down into words for this one.
Kurt, if there are no vulnerabilities (and I mean that literally, however unrealistic it sounds), I can’t see how a threat agent would pose a threat to you. If there’s no vulnerability to exploit, what’s he going to do?
@marcin, sorry for the late response, apparently even if i subscribe to the comment feed i don’t get notified of new comments - weird…
“Kurt, if there are no vulnerabilities (and I mean that literally, however unrealistic it sounds), I can’t see how a threat agent would pose a threat to you. If there’s no vulnerability to exploit, what’s he going to do?”
the point i was making was that some people (a lot, really) in computer security equate vulnerability with flaw or error… a bullet poses a threat to me, i’m vulnerable to bullets but that’s not because of any flaw or error in my design or construction… this underlines the fact that ‘vulnerability’ as vulnerability researchers see it and ‘vulnerability’ as it’s traditionally understood are 2 different things…
to give you a more computer related example, virus infectability is inherent to the general purpose computing platform rather than being the result of a flaw or error in the construction of a particular brand or computer or operating system…
The following are the baseline definitions of the main entities used by the PTA - Practical Threat Analysis model and risk assessment methodology:
- Vulnerability is a weakness, limitation or a defect in one or more of the system’s elements that can be exploited to disrupt the normal function of the system. Vulnerabilities may be in specific modules of the system, its layout, its users and operators, and/or in its associated regulations, operational and business procedures.
- Countermeasure is a procedure, action or means of mitigating a specific vulnerability. One countermeasure may mitigate several different vulnerabilities. In some standards documentation countermeasures are termed “controls” or “safeguards”.
- Asset is information, capability, an advantage, a feature, a financial or a technical resource that may be damaged, lost or disrupted. Assets may be digital (software sources), physical (a server machine) or commercial (the corporate brand). Damage to an asset may affect the normal function of the system as well as that of individuals and/or organizations involved with the system.
- Threat is a specific scenario or a sequence of actions that exploits a set of vulnerabilities and may cause damage to one or more of the system’s assets.
- Attacker is a person (or group of people) that may perform the steps of a specific threat scenario and attack the system’s assets.
PTA - Practical Threat Analysis - is a quantitative method and a software tool that enables you to model the security perimeter of your business and evaluate the overall risk to the system. The risk level, potential damage and countermeasures required are all presented in real financial values. PTA calculates the level of risk and the available mitigation. It advises on the most cost-effective way to mitigate threats and reduce the risk.
PTA is free-of-charge for students, researchers, software developers and independent security consultants. You are invited to review the latest version’s new features and download a free copy of the software from the following link:
http://www.ptatechnologies.com
Regards,
Zeev Solomonik
R&D - PTA Technologies
http://www.ptatechnologies.com
zeev_at_ptatechnologies_dot_com
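The entity definitions in the comment above (asset, attacker, vulnerability, threat scenario, countermeasure) and the thread’s argument that a threat needs both a capable party and an exploitable vulnerability can be made concrete in code. The following is an added example written for this page; it is not PTA’s software, nor code from the post or any commenter. Everything beyond the five definitions is an assumption made here: the sample assets, attackers and countermeasures are constructed; expected loss is taken as likelihood times asset value; a scenario is considered broken once any one of the vulnerabilities it chains through is mitigated; and countermeasure selection is a plain greedy pick by risk reduction per unit of cost.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Asset:
    id: str
    value: float  # assumption: potential damage expressed as the asset's financial value


@dataclass(frozen=True)
class Attacker:
    id: str
    can_exploit: FrozenSet[str]  # vulnerability ids this party is capable of exploiting


@dataclass(frozen=True)
class Countermeasure:
    id: str
    cost: float
    mitigates: FrozenSet[str]  # one countermeasure may mitigate several vulnerabilities


@dataclass(frozen=True)
class Threat:
    """A scenario: an attacker exploits a set of vulnerabilities to damage an asset."""
    id: str
    attacker: str
    exploits: FrozenSet[str]
    asset: str
    likelihood: float  # assumption: probability that the scenario is carried out


@dataclass
class Model:
    assets: Dict[str, Asset]
    attackers: Dict[str, Attacker]
    countermeasures: Dict[str, Countermeasure]
    threats: List[Threat]


def mitigated_vulns(model: Model, applied: Set[str]) -> Set[str]:
    """Union of every vulnerability covered by the applied countermeasures."""
    out: Set[str] = set()
    for cid in applied:
        out |= model.countermeasures[cid].mitigates
    return out


def is_live(model: Model, threat: Threat, applied: Set[str]) -> bool:
    """The thread's point in code: a scenario is live only when a party capable of
    exploiting every vulnerability it needs exists AND none of those vulnerabilities
    has been mitigated (assumption: breaking one link breaks the whole sequence)."""
    attacker = model.attackers.get(threat.attacker)
    if attacker is None or not threat.exploits <= attacker.can_exploit:
        return False
    return not (threat.exploits & mitigated_vulns(model, applied))


def expected_loss(model: Model, threat: Threat, applied: Set[str]) -> float:
    if not is_live(model, threat, applied):
        return 0.0
    return threat.likelihood * model.assets[threat.asset].value


def total_risk(model: Model, applied: Set[str]) -> float:
    return sum(expected_loss(model, t, applied) for t in model.threats)


def select_countermeasures(model: Model, budget: float) -> List[str]:
    """Greedy choice (assumed here, not PTA's method): repeatedly apply the affordable
    countermeasure with the best risk reduction per unit cost, stopping when nothing
    affordable still reduces risk."""
    applied: Set[str] = set()
    remaining = budget
    while True:
        current = total_risk(model, applied)
        best, best_ratio = None, 0.0
        for cm in model.countermeasures.values():
            if cm.id in applied or cm.cost > remaining:
                continue
            reduction = current - total_risk(model, applied | {cm.id})
            ratio = reduction / cm.cost
            if ratio > best_ratio:
                best, best_ratio = cm, ratio
        if best is None:
            return sorted(applied)
        applied.add(best.id)
        remaining -= best.cost


def build_sample_model() -> Model:
    """Constructed sample data (hypothetical ids and values, not from the page)."""
    return Model(
        assets={"customer-db": Asset("customer-db", 100_000.0)},
        attackers={
            "external": Attacker("external", frozenset({"V1", "V3"})),
            "insider": Attacker("insider", frozenset({"V2"})),
        },
        countermeasures={
            "C1": Countermeasure("C1", 5_000.0, frozenset({"V1"})),        # parameterized queries
            "C2": Countermeasure("C2", 2_000.0, frozenset({"V2"})),        # MFA for admin accounts
            "C3": Countermeasure("C3", 8_000.0, frozenset({"V1", "V3"})),  # web application firewall
        },
        threats=[
            Threat("T1", "external", frozenset({"V1"}), "customer-db", 0.3),
            Threat("T2", "insider", frozenset({"V2"}), "customer-db", 0.1),
            # V2 exists, but no external party in the model can exploit it: no live threat.
            Threat("T3", "external", frozenset({"V2"}), "customer-db", 0.5),
        ],
    )


if __name__ == "__main__":
    m = build_sample_model()
    print("baseline risk:", total_risk(m, set()))
    chosen = select_countermeasures(m, budget=6_000.0)
    print("chosen within budget:", chosen, "residual risk:", total_risk(m, set(chosen)))
```

T3 illustrates the disagreement in the thread: the vulnerability is present, yet because no modelled party can exploit it the scenario contributes no risk, which is the author’s reading; under Kurt’s reading one would instead add a party whose capability covers it. Swapping the greedy selector for an exact knapsack search is straightforward if the number of countermeasures stays small.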
@zeev solomonik
“- Vulnerability is a weakness, limitation or a defect in one or more of the system’s elements that can be exploited to disrupt the normal function of the system. Vulnerabilities may be in specific modules of the system, its layout, its users and operators, and/or in its associated regulations, operational and business procedures.”
this is one of the rare usages of ‘vulnerability’ i’ve seen where it isn’t implied that a vulnerability is something that needs to be fixed (and must therefore currently be broken)… usually vulnerability isn’t used in quite so open-ended a way…