You will remember that a threat is a party with the capabilities and intentions to exploit a vulnerability in an asset. A vulnerability is a weakness in an asset that could lead to exploitation. An intruder (the threat) exploits a hole (the vulnerability) in Microsoft IIS to gain remote control of a Web server. In other words, threats exploit vulnerabilities.
Today, version 6 of the Top 20 was released. I'll start with "the good." I believe the majority of the 2005 content is much better than the 2004 edition. The 2004 list, and previous lists, displayed 10 Windows vulnerabilities and 10 (often dubious) Unix vulnerabilities. The 2005 list, in contrast, displays the following vulnerabilities:
Top Vulnerabilities in Windows Systems
* W1. Windows Services
* W2. Internet Explorer
* W3. Windows Libraries
* W4. Microsoft Office and Outlook Express
* W5. Windows Configuration Weaknesses
Top Vulnerabilities in Cross-Platform Applications
* C1. Backup Software
* C2. Anti-virus Software
* C3. PHP-based Applications
* C4. Database Software
* C5. File Sharing Applications
* C6. DNS Software
* C7. Media Players
* C8. Instant Messaging Applications
* C9. Mozilla and Firefox Browsers
* C10. Other Cross-platform Applications
Top Vulnerabilities in UNIX Systems
* U1. UNIX Configuration Weaknesses
* U2. Mac OS X
Top Vulnerabilities in Networking Products
* N1. Cisco IOS and non-IOS Products
* N2. Juniper, CheckPoint and Symantec Products
* N3. Cisco Devices Configuration Weaknesses
Bravo. I think that is a significant step towards realizing the scope of the problem at hand. To be fair to Microsoft, I believe there could have been "Unix services" and "Unix libraries" sections. I applaud the addition of network products and other applications. Content-wise, this is a great resource.
Now, "the bad." The top of the page has this link: -----Jump To Index of Top 20 Threats -----. For Pete's sake, the title of the document is "The Twenty Most Critical Internet Security Vulnerabilities." These are not threats.
Let's see other terms in use:
In the introduction we see:
"In addition to Windows and UNIX categories, we have also included Cross-Platform Applications and Networking Products. The change reflects the dynamic nature of the evolving threat landscape."
I can accept this use of the term threat, if the intent is to refer to parties who exploit vulnerabilities.
"We will update the list and the instructions as more critical threats and more current or convenient methods of protection are identified, and we welcome your input along the way."
Here, threats should be "vulnerabilities".
"Compromising a gateway could potentially cause a much larger impact since the gateway is the outer layer of protection and the only protection for some threats in many small organizations."
This should either replace "threats" with "vulnerabilities", or "for some" with "from some".
"The main threats arising from P2P software are:"
I think threats should be "risks" here, although the list is a muddle of different issues.
Later in that section:
"The number of threats using P2P, IM, IRC, and CIFS within Symantec's top 50 malicious code reports has increased by 39% over the previous six-month period."
Here, I can accept the use of the term as long as the intent is to describe parties abusing P2P, IM, etc.
"These applications provide an increasing security threat to an organization. The major threats are the following:"
Here's a simple rule of thumb: applications can never be "threats." Again, I suggest replacing the second "threats" here with "risks".
One final note: I am not a lone voice speaking on this subject. The Financial Times, of all people, is linked from the SANS page with a story Hackers pose new threat to desktop software. That's the proper use of the term threat, since a hacker is a "party."
Security will not be taken seriously as a "profession" until its "thought leaders" use basic terms properly.