Wednesday, May 04, 2005

OCTAVE Properly Distinguishes Between Threats and Vulnerabilities

You may have heard of Carnegie Mellon's Software Engineering Institute. Within SEI's Networked Systems Survivability program is the Survivable Enterprise Management group. Members of this group developed the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method. OCTAVE is "a self-directed approach for assessing and managing information security risks. OCTAVE allows an enterprise to identify the information assets that are important to the mission of the organization, the threats to those assets, and vulnerabilities that may expose the information assets to the identified threats." Already you should notice that the OCTAVE crew is using the terms risk, asset, threat, and vulnerability properly. In fact, a look at the OCTAVE Threat Profiles (.pdf) document reveals additional understanding of the differences between threats and vulnerabilities:

"Below is an expanded classification of threat actors.

  • non-malicious employees: people within the organization who accidentally abuse or misuse computer systems and their information

  • disgruntled employees: people within the organization who deliberately abuse or misuse computer systems and their information

  • attackers: people who attack computer systems for challenge, status, or thrill

  • spies: people who attack computer systems for political gain

  • terrorists: people who attack computer systems to cause fear for political gain

  • competitors: people who attack computer systems for economic gain

  • criminals: people who attack computer systems for personal financial gain

  • vandals: people who attack computer systems to cause damage"


What, no mention of problems with Microsoft RPC services on port 135 TCP? No Cisco router denial of service condition? OCTAVE and the SEI know the difference between threats and vulnerabilities and they speak authoritatively on the subject. Kudos to them for being rigorous with their terms and work.

4 comments:

Chad Nantais said...

As an information security consultant working out in the field, I am always engaged in an uphill battle against misperceptions that information security is only about technical risks. I also have to fight to get people to understand the difference between threats, vulnerabilities and risks. OCTAVE's clear definitions will surely help as a formal establishment of truly balanced security thinking. I second that kudo!

Anonymous said...

In reference to the FIRST article as well as this one, once again Richard you are assuming that YOUR definition of threat is appropriate, and many information security professionals still disagree with you. OCTAVE is talking about threat actors, which obviously refer to people or organizations. But a threat in general is, as people have pointed out before, not necessarily a person. Go to dictionary.com and you will see threat is generally defined as a noun, "something that is a source of danger". Thus, any THING that can be a "source of danger", is defined a *threat*. You've accused SANS and now FIRST of "confusing" these definitions, yet CERT/CC is "correct" because they agree with you?

Richard, your book is great and I greatly respect your work, but you do not define these terms, nor are you qualified to assume that entire security organizations (whose members have been in this game longer than you) are "confused" because they use the DICTIONARY DEFINITION OF THREAT.

Richard Bejtlich said...

Anonymous,

I devoted an entirely new blog post to you. You're right, I don't define terms. I follow other people who think clearly. Enjoy.

tweedledeetweedledum said...
This comment has been removed by a blog administrator.