Wednesday, January 26, 2005

SANS Confuses Threats with Vulnerabilities

In late 2003 I published Dynamic Duo Discuss Digital Risk. This was my light-hearted attempt to reinforce the distinction between a threat and a vulnerability. Specifically, a threat is a party with the capabilities and intentions to exploit a vulnerability in an asset. A vulnerability is a weakness in an asset that could lead to exploitation. An intruder (the threat) exploits a hole (the vulnerability) in Microsoft IIS to gain remote control of a Web server. In other words, threats exploit vulnerabilities.

This is a simple concept, yet it is frequently confused by security prophets like Bruce Schneier in Beyond Fear. Now SANS is making the same mistake in the latest Incident Handler's Diary. In a posting to announce work on the upcoming SANS Top 20 List, the Diary calls the new report the "SANS CRITICAL INTERNET THREATS 2005" and says:

"SANS Critical Internet Threats research is undertaken annually and provides the basis for the SANS 'Top 20' report. The 'Top 20' report describes the most serious internet security threats in detail, and provides the steps to identify and mitigate these threats."

So, are we going to read a ranking of identified Romanian intruders, followed by Russian organized crime, Filipino virus writers, and then Zimbabwean foreign intelligence services? Will mitigation include prosecution, incarceration, and the like? Probably not, as the announcement continues:

"The current 'Top 20' is broken into two complementary yet distinct sections:
- The 10 most critical vulnerabilities for Windows systems.
- The 10 most critical vulnerabilities for UNIX and Linux systems."

So now we're talking about vulnerabilities. That's what last year's "Twenty Most Critical Internet Security Vulnerabilities" addressed. The announcement concludes:

"The 2005 Top 20 will once again create the experts' consensus on threats - the result of a process that brings together security experts, leaders, researchers and visionaries... In addition to the Windows and UNIX vulnerabilities, this year's research will also focus on the 10 most severe vulnerabilities in the Cisco platforms."

I sincerely hope at least one expert will clue in the announcement-writer concerning the difference between a threat and a vulnerability. Words matter!

Update: While doing some research I found a 1999 report by the Navy's Center on Terrorism and Irregular Warfare called Cyberterror: Prospects and Implications. It says in footnote 11:

"Vulnerability is not synonymous with threat. A vulnerability is a weakness in a system that may be exploited. A threat requires an actor with the motivation, resources, and intent to exploit a vulnerability."

20 comments:

Anonymous said...

It seems that YOU are the one misusing the term "threat." If you check a dictionary, you'll find that not only can a threat be a person, it can also be "an indication of impending danger or harm."

http://dictionary.reference.com/search?q=threat

An intruder is a threat. A vulnerability is a threat. To determine the specific use requires context.

Therefore your particular use of the term is narrowly defined in a limited context where you omit a legitimate interpretation of the term.

Richard Bejtlich said...

Thank you for your comment, but your logic is faulty. I see you reference dictionary.com's definition of threat as "an indication of impending danger or harm." What does this have to do with a vulnerability? You cannot jump from the threat definition you cited and equate a vulnerability with a threat. The context I use applies to all security scenarios, whether digital or physical.

Keydet89 said...

Richard,

Frankly, I'm surprised at you! You know as well as anyone else that this sort of thing is going to happen in any self-policing environment, such as the Internet. If you leave it up to people to police themselves, follow RFCs and standards, and just generally play nice, it isn't going to happen.

Is it a virus or is it a worm? An admin sees some activity on a system that he/she isn't familiar with, and immediately calls it a "virus" or a "hacker".

You've moved out of the military, my friend, where you can say "M-16" and everyone knows exactly what you're talking about. This isn't an academic environment where you have to be explicit. Others in the community find it much easier to be lazy and use whatever language and terminology they wish, rather than invest the time and energy to attempt to communicate clearly with others.

Cops, doctors, and lawyers all have explicit terms that mean something in particular. "Stat" means something specific and clear to a doctor. But the difference is, those are professions. The security industry is still too fragmented by marketing, the media, and even those of us within the practice to have any sort of clear, explicit language like that.

Anonymous said...

Umm, I would not include Zimbabweans in your argument, they are still using tin cans and string for communication :) I used to live down that way, their intelligence service is about as intelligent as a box of rocks.

Jason

Anonymous said...

Richard, thanks for the blog entry! The SANS Internet Storm Center is always looking for more ways that we can get folks interested in what we are doing and to contribute to the volunteer effort. Your readers are welcome to participate.

Semantically, you are correct about the difference between the meanings of "threat" and "vulnerability" as they relate to risk. Unfortunately both terms are frequently used interchangeably by people who should know better. That being said, there is no formal taxonomy of Internet security terms that we (the infosec community) have agreed to use. We also have no Standards of Conduct, no common Ethic, no professional license, etc. We've got lots of efforts towards this (SANS, ISC2, etc.) but no agreement yet on one way of doing it. So, just like there are many different definitions of "security" there are also many definitions of "threat" and I think that the use of "threat" in the SANS Top 20 announcement was understood by most people. It depends entirely on how you define "threat" and for many people, faults in software or configurations are a "threat" to the "security" of the Internet.

However, to be consistent with previous years and to be as precise as we can, we will recommend to the editing team that the correct term should be "vulnerability" and not "threat."

Marcus H. Sachs
Director, SANS Internet Storm Center

Richard Bejtlich said...

Regarding the Zimbabwean FIS -- that's a joke. :) Better for me to mention something that probably doesn't exist than for me to be more realistic.

Marcus, I appreciate your comment. SANS is a better organization thanks to your involvement.

Keith Tokash said...

Richard, before Marcus' post I actually assumed that SANS was correct and taking a more holistic view. Vulnerabilities *are* threats ... to the business as a whole. I guess I'm blurring the line here since there is no party involved with a vulnerability, but in the non-tech vernacular it fits.

Richard Bejtlich said...

Keith, you said "Vulnerabilities *are* threats ... to the business as a whole." That mindset is exactly what I'm trying to disentangle. Vulnerabilities are not threats. A vulnerability is a condition. A threat is a party. Threats exploit vulnerabilities.

Consider how a feudal king might mitigate the risk of losing his life via an attack against his castle. Remember that risk = asset X vulnerability X threat.

The king's life is his asset. There isn't much he can do about that.

A vulnerability-centric approach would result in efforts to implement countermeasures to shore up the castle's defenses. The king would see that his west wall is weak, so he strengthens it. He would recognize that thatched roofs inside his perimeter are liable to catch fire from enemy munitions, and so he replaces them with sturdier materials. The king might also see his water source positioned outside the castle wall, so he digs a new well close to his keep.

The king identified three vulnerabilities: (1) a weak west wall; (2) thatched roofs; and (3) outside well subject to enemy control.

A threat-centric approach recognizes the need to focus on parties with the capabilities and intentions to harm the king. He might make a truce with his neighbor to the east, in return for agreeing to attack a mutual enemy to the south. The king might bribe his neighbor to the west with money and pledges of fealty. He might also launch a pre-emptive attack on his neighbor to the north, and destroy that party before it destroys him.

The king identified four threats, neighbors in each direction.

Vulnerabilities and threats are separate concepts. Until we can recognize this, we will continue to not be seen as a profession, as posters have commented.

Anonymous said...

This is all a question of semantics, so you are all correct and wrong at the same time. :)
Richard, you said "A vulnerability is a condition. A threat is a party. Threats exploit vulnerabilities." In reality, that depends on the situation. Threats can be a condition as well. Consider AIDS or cancer, for instance; each is both a vulnerability (ie a weakness) AND a threat (to one's health). In the same way, a security vulnerability can be a threat (to the health of an organization) at the same time. Looking further into the dictionary.com listing for "threat" gives the most general meaning of the word:

====================
threat

n 1: something that is a source of danger

Richard Bejtlich said...

This is not a question of semantics. You say "AIDS or cancer... is both a vulnerability (ie a weakness) AND a threat (to one's health)"?

Let's look at AIDS. AIDS is a syndrome, hence the "S" in AIDS. In that sense it is a condition of having a deficient (hence the "D") immune system.

What is the vulnerability? AIDS as a syndrome, a condition, is a vulnerability. What is the threat? AIDS itself is not the threat. The threat is the virus or bacteria that attacks a person suffering AIDS.

Now, people still say AIDS is a threat. That's not quite right. The threat to a normally healthy person (i.e., one without AIDS) is whatever CAUSES the condition of AIDS. Scientists believe the cause is HIV, a virus. So the HIV virus is the threat, because it exploits the human immune system to cause the condition of AIDS to manifest itself.

Once a person suffers AIDS, he is now vulnerable to attack by other threats. Attackers like the common cold or pneumonia are the threats that exploit the vulnerability of having the Acquired Immune Deficiency Syndrome.

Anonymous said...

>> Vulnerabilities and threats are separate
>> concepts. Until we can recognize this, we
>> will continue to not be seen as a profession,
>> as posters have commented.

What a ridiculous idea. Information security work is a profession. If people don't see it as such, then what difference does that make? Or is this really all about going way too far with the desire to control everything? Control info, control the data, control the network, and now taking it to an unwarranted extreme: control language, control perception.

Security work is a profession. It's not a military where people have to do what a commander says.

Anonymous said...

To anonymous,

Semantics count when you have to precisely communicate something to another person. For example, the definition of monopoly from the dictionary is not the same or particularly relevant to an economist or lawyer. A monopoly in those professions has criteria not covered by something as broad as "no competition."

From what I have seen, in my admittedly short time in IT security, is that communication is enhanced when everybody on the team uses the same framework to discuss an incident or topic.

This is especially important when trying to teach someone. Go from one text in a class which has one way of defining terms and then walk into the next where the same terms are much more fluid and see how much confusion that creates. In most serious disciplines this doesn't happen at the introductory level.

Bill Sharrock

Richard Bejtlich said...

Regarding the last comment, I have to contrast it with what Keydet89 (Harlan) and Marcus said earlier. How can we expect real professions to take us seriously if we cannot agree on common definitions of foundational terms within our own supposed "profession?"

I think this discussion is healthy and I hope no one is getting too upset as a result. This is part of the process of forming consensus. Unfortunately I have yet to see anyone provide a compelling counterpoint to the multiple examples I have posted.

It is definitely not about "the military" even though they, as a true profession, have centuries of security experience. I believe law enforcement and counter-intel / counter-terrorism folks understand these definitions as well.

I have been a civilian for four years now, so I am certainly not following "what my commander says." :)

Richard Bejtlich said...

Bill Sharrock -- my last post would seem to address your comment. You snuck in before my last post. I was addressing 'Anonymous' above you. I agree with you, Bill.

Anonymous said...

Richard,

IT'S A DESSERT TOPPING AND A FLOOR WAX!!!

In all seriousness (and in the spirit of good debate), I do believe this is a question of semantics, because we are talking about the meaning of "vulnerability" and "threat" within the context of the English language (specifically in the vernacular of data security). That is the definition of semantics, meaning within language (according to a linguist I know). Interchanging "vulnerability" and "threat" can be logically correct or illogical depending on the situation and more importantly, perspective.

Logically, not all threats are vulnerabilities, but some vulnerabilities can certainly be threats...maybe not to an asset but to a process! Consider a Denial of Service vulnerability in a mission critical business application, that in turn is part of a critical business process. The condition (vulnerability) can be exploited either intentionally by a hacker (a party/threat) or by chance from a surge in network traffic (e.g. Cisco router crashes triggered by Slammer). In both cases, a condition (vulnerability) exists in an asset which is also a threat to a critical business process. At the tactical level there is a vulnerability, but it is still a strategic threat. An operations-level firewall technician might see a vulnerability to be fixed, whereas a security strategist sees hundreds of such vulnerable routers in an enterprise as a (potential) threat if certain conditions are met.

In other words, I think most people would agree that the two labels are not necessarily mutually exclusive. I believe Richard's argument is that they are, and I think that entirely depends on point of view (as Obi-Wan once said...).

Regarding my first post, perhaps AIDS is a poor analogy. Let's go with cancer as an example. Cancer is both a party/threat (i.e. a physical entity, a tumor or growth) as well as a condition/vulnerability ("I have cancer"). One can die from the cancer itself (a threat to life) or from any one of many opportunistic infections (threats that exploit the condition of having cancer).

Besides, the "profession" of Information Security has never really been itself a profession, and probably shouldn't be because it is simply too broad. Certain subfields within it could be considered professions (e.g. auditing, forensics, intrusion analysis). Information Security itself is an interdisciplinary field and includes everyone from lawyers to device technicians to IT strategists to forensic investigators, all of whom have their own certification paths and vernacular. There are CISSPs who cannot configure firewalls and there are SANS GCFWs who cannot analyze a corporate IT infrastructure for security weaknesses. SANS just seemed to be speaking to them all with a common (or "vulgar", if you will) vernacular. As Marcus even said, "I think that the use of 'threat' in the SANS Top 20 announcement was understood by most people". I agree with him, so either a) most people are wrong (which is doubtful), or b) most people accept the fact that a vulnerability can also be a threat.

Maybe the full title should have been "SANS CRITICAL INTERNET THREATS FROM COMPUTER VULNERABILITIES 2005"...

Anonymous said...

Quote--------------
Regarding the last comment, I have to contrast it with what Keydet89 (Harlan) and Marcus said earlier. How can we expect real professions to take us seriously if we cannot agree on common definitions of foundational terms within our own supposed "profession?"
-------------------

As was already written in other comments, there are already definitions in place. E.g. Dictionary.

I wonder who it was that came up with the idea that we must all disregard various interpretations of the terms in question in favor of finite and limited definitions?

Does anybody know? Will somebody admit to it?

Seems to me that sort of process "threatens" to enforce limited use of language.

Shall we contact Merriam-Webster and straighten them out? Someone could write a "vulnerability" report about this and post it to Bugtraq :-)

Affected packages: All dictionaries in all languages

Problem: Malformed definitions of the terms "threat" and "vulnerability"

Risk factor: People might not take infosec professionals seriously. And dadburnit, that just ain't right.

Vendor status: Not contacted. What, with full disclosure and that jazz...

Workaround: Ignore spurious definitions of "threat" and "vulnerability," applying "threat" only in terms of people, and "vulnerability" only in terms of software flaws.

Example: Never tell your girlfriend that she's vulnerable. That would be the wrong use of the word.

LOL.

Keydet89 said...

Wow...talk about disparate points of view!

Bill said, "Semantics count when you have to precisely communicate something to another person." I agree.

Just prior to that, "Anonymous" (even though you're posting as "Anonymous", nothing prevents you from signing your post...) stated: "Or is this really all about going way too far with the desire to control everything? Control info...and now taking it to an unwarranted extreme: control language, control perception."

Interesting way of looking at it. Is it control of language and perception? Yes, it is...but that's the point. The legal, medical, and law enforcement professions all have terms and phrases that are specific in meaning to that profession, for the very purpose of controlling perception. "Stat" means something very specific to a doctor or nurse. The same holds true with, as Bill stated, "monopoly". And it *is* about precise communications for the purpose of clarity and yes, controlling perception.

If I were to talk to Richard about a situation I had with my computer system, and told him I got infected with a "virus", but quoted the A/V identification of it as a mass-mailing worm, my language is imprecise, and I've given Richard an incorrect perception of what's occurred on my system. When I'm talking to a client or friend about their infected machine, the term "virus" leads to an entirely different approach in thinking about attack surfaces and infection vectors than the term "worm".

In public forums, someone might state that his Windows machine was infected, or that he wants to protect his Windows system from attack on the Internet. When phrasing the response, having the original author be more specific (ie, Windows 98/ME, or 2K, or XP) will lead to specificity of response, as well.

"Security work is a profession. It's not a military where people have to do what a commander says."

You're correct, on both points. However, as a profession, it requires that the professional be able to communicate with peers, bosses, and most importantly, clients.

Regarding another anonymous post:
"Besides, the "profession" of Information Security has never really been itself a profession..."

...and...

"There are CISSPs who cannot configure firewalls and there are SANS GCFWs who cannot analyze a corporate IT infrastructure for security weaknesses."

True, but I don't see the point. There's nothing about the CISSP certification that requires one to be able to configure a firewall. The principles must be understood, for sure, and as a professional, the CISSP would be looking for other things...corporate security policies, necessary training on the particular firewall platform, etc. Also, the SANS GCFW doesn't require the applicant to be able to analyze an IT structure for weaknesses.

All that aside, I go back and reiterate my agreement with Richard regarding terminology. A vulnerability is simply a vulnerability until a threat comes along.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Anonymous said...

Just wanted to add a minor comment, and it's anonymous only because I don't have time to rig a blog, as the login here seemed to require.

Pretty much agree with what seems to have emerged as the consensus, with one minor cavil. Several people have mentioned the military (generally as a general pejorative), but ignored one possibly significant bit of semantics from that world. In mil-speak, a "capability" *is* a "threat." Most of the cold-war nuclear strategy for both superpowers was based on that notion, and, so far as I'm aware, military intelligence (jokes and puns, especially references to George Carlin, will be ignored here :) ) *still* bases analyses and recommendations on that semantic equation. No comment on whether that's a good approach or not; just tossing it into the mix.

Basically, the idea is that if a potential opponent has a particular capability (whether you want to interpret "capability" as "threat" or "vulnerability" is a separate issue, but the military approach assumes the worst, based on game-theoretic approaches--whatever their flaws), the correct response is to design your response for the worst-case scenario.

About the only remark I'll actually commit myself to is the simple one that vulnerabilities frequently become actual threats--in anyone's sense of the terms--with alarming rapidity, which tends to make the distinction moot--in some time frame, usually a short one.

Richard Bejtlich said...

A capability is not a threat. A capability is one component of a threat. The other component is evil intentions. Someone with a weapon but no intention to do me harm is not a threat. Someone with a weapon and an intention to do me harm is a threat. In my book I say the Brits are no threat to the United States. Although they have the capability to launch nuclear weapons against the US, they have no intention to do so.
