this is one of the rare usages of ‘vulnerability’ i’ve seen where it isn’t implied that a vulnerability is something that needs to be fixed (and must therefore currently be broken)… usually vulnerability isn’t used in quite so open-ended a way…

- Vulnerability is a weakness, limitation or a defect in one or more of the system’s elements that can be exploited to disrupt the normal function of the system. Vulnerabilities may be in specific modules of the system, its layout, its users and operators, and/or in its associated regulations, operational and business procedures.

- Countermeasure is a procedure, action or mean of mitigating a specific vulnerability. One countermeasure may mitigate several different vulnerabilities. In some standards documentation countermeasures are termed “controls” or “safeguards”.

- Asset is information, capability, an advantage, a feature, a financial or a technical resource that may be damaged, lost or disrupted. Assets may be digital (software sources), physical (a server machine) or commercial (the corporate brand). Damage to an asset may affect the normal function of the system as well as that of individuals and/or organizations involved with the system.

- Threat is a specific scenario or a sequence of actions that exploits a set of vulnerabilities and may cause damage to one or more of the system’s assets.

- Attacker is a person (or group of people) that may perform the steps of a specific threat scenario and attack the system’s assets.

PTA – Practical Threat Analysis - is a quantitative method and a software tool that enables you to model the security perimeter of your business and evaluate the overall risk to the system. The risk level, potential damage and countermeasures required are all presented in real financial values. PTA calculates the level of risk and the available mitigation. It advises on the most cost-effective way to mitigate threats and reduce the risk.

PTA is free-of-charge for students, researchers, software developers and independent security consultants. You are invited to review the latest version’s new features and download a free copy of the software from the following link:

http://www.ptatechnologies.com

Regards,

Zeev Solomonik
R&D - PTA Technologies
http://www.ptatechnologies.com
zeev_at_ptatechnologies_dot_com

“Kurt, if there are no vulnerabilities (and I mean that literally, however unrealistic it sounds), I can’t see how a threat agent would pose a threat to you. If there’s no vulnerability to exploit, what’s he going to do?”

the point i was making was that some people (a lot, really) in computer security equate vulnerability with flaw or error… a bullet poses a threat to me, i’m vulnerable to bullets but that’s not because of any flaw or error in my design or construction… this underlines the fact that ‘vulnerability’ as vulnerability researchers see it and ‘vulnerability’ as it’s traditionally understood are 2 different things…

to give you a more computer related example, virus infectability is inherent to the general purpose computing platform rather than being the result of a flaw or error in the construction of a particular brand or computer or operating system…

Maybe I’m not being descriptive enough, but I believe the chance of something happening, is the “threat.” It is nothing without all the other factors weighed in, vulnerability, attacker, exploitability.

Or maybe I’m just wrong… I can’t seem to put my thoughts down into words for this one.

Kurt, if there are no vulnerabilities (and I mean that literally, however unrealistic it sounds), I can’t see how a threat agent would pose a threat to you. If there’s no vulnerability to exploit, what’s he going to do?

i mention this because a threat agent can pose a threat without the existence of such a ‘mistake’…

I think you might be misinterpreting what I mean. See

http://taosecurity.blogspot.com/2003/10/dynamic-duo-discuss-digital-risk.html

and tell me what you think.