tssci security

What do you mean threat?

This is in reply to Richard Bejtlich's post, "Someone Please Explain Threats to Microsoft." Richard takes issue with people (especially those who should know better) who misuse defined terms. We say a lot of things with the expectation that those who are listening or reading will understand "what we mean." I hope this post clarifies some of that and what I believe is the proper definition of threat.

A threat is the mere possibility that an attacker will exploit a vulnerability to compromise an asset. The attacker is not a threat by himself, for he needs a vulnerability to exist. Richard uses the term "threat agent" to describe an attacker or malware that can exploit a vulnerability. Threats depend on an attacker (or threat agent), the presence of a vulnerability, and the possibility of exploitation. You would not call someone a threat agent who does not have the ability to exploit a vulnerability, and who thus poses no threat to you. In other words, I don't think an attacker poses a threat if he cannot exploit a vulnerability. Looking back, that first sentence might be a little confusing, but I don't have any other way of describing it. Maybe a visual, some hand waving and throwing a Shmooball at you will help you understand it. :P

In his book, The Tao of Network Security Monitoring, Richard describes a threat as "a party with the capabilities and intentions to exploit a vulnerability in an asset." That's exactly right... a threat is a party! Party as in music, beer, people -- like your average birthday or Christmas party. It is composed of multiple factors that exhibit various characteristics. A party does not imply an individual, and therefore a threat is not individualistic in nature.

Sometimes we say different things because we expect people to understand what we mean (even though we are wrong), and we tend to forget how we had defined them. It's what makes us human and what differentiates us from computers. I can't tell how this differs from Richard's definition of threat, or if this is what he means. It feels like, as of late, his definition has veered and taken on a slightly different meaning.

Posted by Marcin on Wednesday, October 3, 2007 in Security.
