SecureMe Blog yesterday, he mentioned a cool new site: Threats and Countermeasures. A majority of the contributors are Foundstone consultants and parent company McAfee is paying the bills.
Anyone who's been reading my blog for a while knows of my linguistic crusade involving words in the standard risk equation, with risk being a product of threat, vulnerability, and asset value. (See Risk, Threat, and Vulnerability 101, OCTAVE Properly Distinguishes Between Threats and Vulnerabilities, SANS Confuses Threats with Vulnerabilities, and The Dynamic Duo Discuss Digital Risk.)
How does the Threats and Countermeasures site match proper definitions? At left is a screen shot of the site's main knowledge base menu. I don't see the word threat being used correctly here. "Default network appliance passwords" aren't threats; those are vulnerabilities. "Running unnecessary services" is a vulnerability, as is "weak security around scripting extensions."
Perusing T&C, I don't see threat used properly. Most of the items described as "threats" are really attacks. The Cross Site Scripting page is a good example. All of the content listed under "Threats" consists of attacks or exploits. The content under "Attacks" appears to be specific examples of the material listed under "Threats".
So what is going on here? Obviously the guys who put together Threats and Countermeasures are security experts. Besides their knowledge base, the site offers an impressive collection of blogs that I recommend reading.
I think part of the problem is the warped view of threats promulgated by T&C owner Foundstone. It all began with the announcement of their so-called Threat Correlation Module for the Foundstone "Enterprise Risk Solution" suite. Back in late 2003 when this announcement was made (and I was working for Foundstone), marketing folks realized the terms "vulnerability" and "vulnerability management" were no longer a way to differentiate a company in the market. Vulnerability management was becoming commoditized, so companies began pushing the terms "risk" (e.g., "Enterprise Risk Solution") and "threat."
I was initially interested in being part of Foundstone's new Threat Intelligence team, supporting the Threat Correlation Module. I thought this would be a cool opportunity to deploy honeynets, interact with the "underground," and collect intelligence on the parties that conduct attacks. Instead I was told I would monitor disclosure sites -- BugTraq and the like -- and populate Foundstone's database with that information. At one point I was told that a "hole in OpenSSH" is a "threat," when clearly that is a vulnerability. Shortly after I realized Foundstone's view of "threat" was a new way to market vulnerability data, I left the company.
This is not to say that Foundstone's product is bad. On the contrary, I think it is very powerful. The idea of correlating new vulnerability information against a database of enterprise assets, and measuring the risk to an organization, is excellent. It's just too bad the product and concept are misnamed.
While it is difficult to misuse the term risk (risk being defined as the probability of suffering harm or loss), it is too easy to misuse "threat." As a reminder, a vulnerability is a weakness in an asset which could lead to exploitation. A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset.
With few exceptions, no security vendors deal with threats. There are only two ways to gather information on threats: passive interaction or active interaction. Passive interaction means watching threats as they conduct reconnaissance, exploit targets, and pillage assets. Active interaction means communicating with the threats themselves, through email, voice, and other means.
Two organizations I know that deal with threats in an unclassified environment include The Honeynet Project and iDEFENSE. The former mainly learns about threats by watching them compromise honeynets, while the latter pursues and communicates with threats. Managed security monitoring providers who look for more than worms can also be considered threat-aware; examples include NetSec and LURHQ.
I guess the "threat" concept is just too sexy for most security vendors to avoid. Even people who should know better, like Bruce Schneier, misuse the terms threat and vulnerability. (See my review of Beyond Fear; it's the second on that page.) Although I will probably be seen as stepping on the toes of smart security people, I will not stop pointing out when those important terms are misused.