Friday, July 08, 2005

Cool Site Unfortunately Miscategorizes Threats

While chatting with Aaron Higbee of the SecureMe Blog yesterday, he mentioned a cool new site: Threats and Countermeasures. A majority of the contributors are Foundstone consultants and parent company McAfee is paying the bills.

Anyone who's been reading my blog for a while knows of my linguistic crusade involving words in the standard risk equation, with risk being a product of threat, vulnerability, and asset value. (See Risk, Threat, and Vulnerability 101, OCTAVE Properly Distinguishes Between Threats and Vulnerabilities, SANS Confuses Threats with Vulnerabilities, and The Dynamic Duo Discuss Digital Risk.)

How does the Threats and Countermeasures site match proper definitions? At left is a screen shot of the site's main knowledge base menu. I don't see the word threat being used correctly here. "Default network appliance passwords" aren't threats; those are vulnerabilities. "Running unnecessary services" is a vulnerability, as is "weak security around scripting extensions."

Perusing T&C, I don't see threat used properly. Most of the content described as "threats" is really attacks. The Cross Site Scripting page is a good example. All of the content listed under "Threats" is attacks or exploits. The content under "Attacks" appears to be specific examples of the material listed under "Threats".

So what is going on here? Obviously the guys who put together Threats and Countermeasures are security experts. Besides their knowledge base, the site offers an impressive collection of blogs that I recommend reading.

I think part of the problem is the warped view of threats promulgated by T&C owner Foundstone. It all began with the announcement of their so-called Threat Correlation Module for the Foundstone "Enterprise Risk Solution" suite. Back in late 2003 when this announcement was made (and I was working for Foundstone), marketing folks realized the terms "vulnerability" and "vulnerability management" were no longer a way to differentiate a company in the market. Vulnerability management was becoming commoditized, so companies began pushing the terms "risk" (e.g., "Enterprise Risk Solution") and "threat."

I was initially interested in being part of Foundstone's new Threat Intelligence team, supporting the Threat Correlation Module. I thought this would be a cool opportunity to deploy honeynets, interact with the "underground," and collect intelligence on the parties that conduct attacks. Instead I was told I would monitor disclosure sites -- BugTraq and the like -- and populate Foundstone's database with that information. At one point I was told that a "hole in OpenSSH" is a "threat," when clearly that is a vulnerability. Shortly after I realized Foundstone's view of "threat" was a new way to market vulnerability data, I left the company.

This is not to say that Foundstone's product is bad. On the contrary, I think it is very powerful. The idea of correlating new vulnerability information against a database of enterprise assets, and measuring the risk to an organization, is excellent. It's just too bad the product and concept are misnamed.

While it is difficult to misuse the term risk (risk being defined as the probability of suffering harm or loss), it is too easy to misuse "threat." As a reminder, a vulnerability is a weakness in an asset which could lead to exploitation. A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset.

With few exceptions, no security vendors deal with threats. There are only two ways to gather information on threats: passive interaction or active interaction. Passive interaction means watching threats as they conduct reconnaissance, exploit targets, and pillage assets. Active interaction means communicating with the threats themselves, through email, voice, and other means.

Two organizations I know that deal with threats in an unclassified environment include The Honeynet Project and iDEFENSE. The former mainly learns about threats by watching them compromise honeynets, while the latter pursues and communicates with threats. Managed security monitoring providers who look for more than worms can also be considered threat-aware; examples include NetSec and LURHQ.

I guess the "threat" concept is just too sexy for most security vendors to avoid. Even people who should know better, like Bruce Schneier, misuse the terms threat and vulnerability. (See my review of Beyond Fear; it's the second on that page.) Although I will probably be seen as stepping on the toes of smart security people, I will not stop pointing out when those important terms are misused.

8 comments:

Anonymous said...

Threat
Vulnerability

Richard Bejtlich said...

The Wikipedia definition of vulnerability looks ok. The threat definition is horrible.

"A threat is an unwanted (deliberate or accidental) event that may result in harm to an asset."

Since when is a threat an event?

"Examples are a robbery, kidnapping, hijacking, extortion, blackmail."

Good grief.

Alice: "I was just robbed. That was quite a threat!"

Bob: "No kidding. I was kidnapped!"

Wikipedia is proof that the quality of thought is not measured by the appearance of a Web interface.

Anonymous said...

... Wikipedia is proof that the quality of thought is not measured by the appearance of a Web interface.

Wikipedia is nothing more (or less) than the result of its contributors' provided info/knowledge. The point I was trying to make, by presenting those definitions to you, was that you could definitely help in improving those terms, in a place much more popular in regards to community access, than any blog ... TIA

Richard Bejtlich said...

I see. I could try, like I did with a few other security-related terms. I could then also watch those changes be undone by people with the spare time needed to "guard" Wiki entries! :)

Anonymous said...

From what I hear, _Microsoft_ is paying the bills; ie, Microsoft is paying Foundstone to set this up. I'll bet you won't find too many unkind words about Microsoft on these blogs ;-)

Richard Bejtlich said...

You are correct. You might even be the person who told me that, and I promptly forgot to mention it! Thank you.

BTW, Microsoft's record on proper terminology is ok, but it could be a lot better.

Mark Curphey said...

This is Mark Curphey at Foundstone; I was involved in setting up the site. One of the nice things about this being a Wiki is you can come along and suggest changes right there right now. The whole point is to move towards convergence on terms and definitions; we would welcome you getting involved, making changes and letting the community see what is the best way forward. I agree with your synopsis 100% BTW. I am ANAL about definitions and taxonomies. See my post about the OWASP Top Ten to webappsec this weekend for proof ;-)

Richard Bejtlich said...

Hi Mark,

Thanks for posting here. I appreciate your input and I am honored you consider my opinions worthwhile.