
Threat vs Vulnerability vs Risk | Digital Threat

http://www.digitalthreat.net/2009/06/threat-vs-vulnerability-vs-risk/

by Jago Maniscalchi // June 26, 2009 // Risk Management // 6 Comments

There is some debate in the security community surrounding the definition of Threat, Vulnerability and Risk. ISO, IEC, NIST and ENISA all disagree, and the Information Security industry also offers various definitions. As examples, Richard Bejtlich of TAO Security, International Charter, Eleventh Alliance and Ingenta all differ in their opinions.

The one common theme is that Information Security exists to manage risk, and that risk exists as a function of at least threat and vulnerability. Let's start with the least controversial definition, Vulnerability.

Vulnerability

vulnerable (adjective) 1 exposed to being attacked or harmed

Vulnerability, the least contentious of the Information Security definitions, has only a single dictionary definition – exposure to attack. In Information Security, then, vulnerability could be defined as “a flaw or weakness in hardware, software or process that exposes a system to compromise”.

NIST SP 800-30 – Risk Management Guide for Information Technology Systems – defines a vulnerability similarly:

A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

The Information Technology Security Evaluation Criteria (ITSEC), a standard used by a number of European countries, defines vulnerability as:

The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the computer system, network, application, or protocol involved.

Threat

Threat is a more contentious definition. In the Oxford Dictionary:

threat (noun) 1 a stated intention to inflict injury, damage, or other hostile action on someone. 2 a person or thing likely to cause damage or danger. 3 the possibility of trouble or danger.

In Information Security circles, “threat” is defined variously. Usually definition 2 above is used, and thus “threat” becomes the actor – a “person or thing”. SANS in their Ethical Hacking and Penetration Testing course define “threat” similarly, as an actor.

Both NIST SP 800-30 and the Common Criteria for Information Technology Security Evaluation (an ISO standard replacing ITSEC) differentiate between a “threat source” or “threat-agent” and a “threat”.

NIST defines “threat-source” as the interaction of an actor and motivation, and “threat” as the interaction between a “threat-source” and a vulnerability.

Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

A threat, then, is either intention/motivation, an actor, a possibility of danger, or a combination of a subset of those. My preferred definition is that threat is the “interaction of actor, motivation and vulnerability”.

The European Network and Information Security Agency (ENISA) offers a broader definition encompassing that offered above:

Any circumstance or event with the potential to adversely impact an asset through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.

It is important to note at this point that no source has defined “threat” as including an element of probability.

Whilst it is clear, thus far, that a threat only occurs where a motivated actor co-exists with a vulnerability, the chance of that threat leading to an event has not yet been considered.

Risk

Firstly, from the Oxford dictionary:

risk (noun) 1 a situation involving exposure to danger. 2 the possibility that something unpleasant will happen. 3 a person or thing causing a risk or regarded in relation to risk: a fire risk

According to the dictionary, Risk is either (1) a circumstance, which we earlier defined with the term “threat”, (3) an actor, which we earlier defined as a component of a “threat”, or (2) the possibility that something unpleasant will happen. SANS aside, who teach that Risk is the interaction of actor and vulnerability, definition 2 is the most common within Information Security.

ISO Guide 73 – Risk Management defines “risk” as:

The combination of the probability of an event and its consequence

ISO 13335 – Information Technology Security Techniques defines “risk” as:

The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.

So “risk” contains elements of a threatening circumstance (actor, motivation and vulnerability), probability and business impact. It is important to consider semantics here – we are not considering the risk of a threat, we are considering the risk associated with a business suffering an outcome as a result of a threat.

Probability of an attack

Probability of an attack is largely affected by the specific vulnerability and the motivation of the actor, though external factors should also be applied when calculating it. For this reason it should always be considered as distinct from the “threat” itself.

Business Impact, often forgotten by technical staff conducting risk assessment or deploying counter-measures, is itself also a function of several factors already considered. Outcomes are affected largely by the actor (state / industrial / criminal) and the specific vulnerability. Business impact is a primary element of risk and is usually closely correlated with it.
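As an added illustration (not part of the original article), the decomposition above modelled in Python: a threat exists only where a motivated actor meets a vulnerability, probability is scored separately from the threat, and risk is probability combined with business impact. The 1..5 scales, the scoring formula and the class and function names are constructed assumptions, not anything the article or a standard prescribes.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model (not from the article) of the decomposition it arrives at:
#   vulnerability = a flaw or weakness in a system
#   threat        = interaction of actor, motivation and vulnerability
#   risk          = that threat combined with probability and business impact
# The 1..5 scales and the sample register entries are constructed for illustration.

@dataclass(frozen=True)
class Vulnerability:
    name: str
    ease_of_exploit: int   # 1 = hard to exercise .. 5 = trivial

@dataclass(frozen=True)
class Actor:
    kind: str              # e.g. "criminal", "state", "insider"
    motivation: int        # 1 = no interest .. 5 = highly motivated

@dataclass(frozen=True)
class Threat:
    actor: Actor
    vulnerability: Vulnerability

def threat_for(vuln: Vulnerability, actor: Optional[Actor]) -> Optional[Threat]:
    """A threat exists only where a motivated actor co-exists with a vulnerability."""
    if actor is None or actor.motivation <= 1:
        return None
    return Threat(actor, vuln)

def attack_probability(threat: Threat, external_factor: float = 1.0) -> float:
    """Probability of an attack: driven by the vulnerability and the actor's
    motivation, then adjusted by external factors; kept distinct from the threat."""
    base = (threat.vulnerability.ease_of_exploit * threat.actor.motivation) / 25.0
    return min(1.0, base * external_factor)

def risk_score(vuln: Vulnerability, actor: Optional[Actor], impact: int,
               external_factor: float = 1.0) -> float:
    """Risk = probability x business impact (impact on a 1..5 scale).
    A vulnerability with no threat behind it carries no risk on its own."""
    threat = threat_for(vuln, actor)
    if threat is None:
        return 0.0
    return round(attack_probability(threat, external_factor) * impact, 2)

def rank_register(entries):
    """Order a constructed risk register of (name, vuln, actor, impact) by risk, highest first."""
    scored = [(name, risk_score(v, a, impact)) for name, v, a, impact in entries]
    return sorted(scored, key=lambda item: item[1], reverse=True)
```

Feeding the same vulnerability in with and without a motivated actor shows why a scan result alone is not a risk figure: the entry with no actor ranks last with a score of zero.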

Conclusion

This article has illustrated the tensions between dictionary, government and industry definitions of well-used Information Security terms. Considerable disagreement continues surrounding the definition of “threat” and “risk”, though the use of “threat” as a circumstance, and “risk” as having elements of “impact” and “probability”, are largely agreed.

Though a universally agreed set of definitions is desirable, it is also idealistic. It is perhaps most important, in the short term, that currently used definitions are at least understood by all, before embarking on an attempt at agreement.

About the Author

Jago Maniscalchi is a Cyber security consultant, though he tries to avoid the word "Cyber" at all costs. He has spent 15 years working with Information Systems and has experience in website hosting, software engineering, infrastructure management, data analysis and security assessment. Jago lives in London with his family, enough pets to start a small zoological society, and a Samsung NaviBot Robotic Vacuum Cleaner. Despite an aptitude for learning computer languages, his repeated attempts to learn Italian have resulted in spectacular failure.

6 Comments on "Threat vs Vulnerability vs Risk"

1.

Kelly November 9, 2009 at 7:41 ·

Thanks! Let's keep our security people from scanning for known vulnerabilities and sending it to management as a measurement of risk by itself.

2.

Dave June 28, 2010 at 10:29 ·

Defining threat in terms of vulnerability has the disadvantage of dismissing threats once vulnerabilities are eliminated. The CISSP CBK defines:

Threat: The potential danger that a vulnerability may be exploited intentionally, triggered accidentally, or otherwise exercised.

Threat Agent: A means or method used to exploit a vulnerability in a system, operation or facility.

If one builds a fireproof structure that can withstand continuous exposure to very high temperatures for an indefinite amount of time with no damage, then it has no vulnerability to fire. But should that mean that fire is not considered a threat? If perfect armor could be developed, does that mean that IEDs are not a threat? And if a perfectly secure IT system is developed (i.e., one that is disconnected and powered down), should that mean that network attacks are not a threat?

The three-circle diagram only makes sense if “Vulnerability (flaw, weakness)” is interpreted to mean “potential or hypothetical weakness”, not “weakness that actually exists in a specific system”.

3.

James Maniscalchi October 10, 2010 at 11:08 ·

Dave, I agree.

When calculating risk, I always start with all possible vulnerabilities. There are a number of ways to try to enumerate them – perhaps the subject of a future article?

If, for a particular vulnerability, there is no motivated threat actor, or there is a working counter-measure in place, then there is no threat posed to the system. In reality, of course, most counter-measures can be evaded, and there is almost always a motivated actor. The threat therefore remains, if only at a low level.

4.

shipra December 9, 2010 at 1:11 ·

Thanks!

This article helped me clear out many of my confusions.

Trackbacks for this post

1. Digital Threat » Blog Archive » Information Security Risk Analysis

2. Quora


© 2013 Digital Threat