Thursday, December 01, 2005

Organizations Don't Remediate Threats

I noticed the following in a Qualys press release cited by SC Magazine:

"'The Laws of Vulnerabilities research gives security managers and executives clear, statistical information that helps them make better informed decisions,' said Howard A. Schmidt, former cyber security advisor to the President.

'With automated attacks creating 85 percent of their damage within the first fifteen days, it is even more critical that organizations act quickly to identify and remediate threats.'" (emphasis added)

Mr. Schmidt is not using the term "threat" properly here. "Organizations" cannot remediate "threats". The definition of remediate is "set straight or right; 'remedy these deficiencies'". The word "deficiencies" in the sample usage is a direct reference to vulnerabilities, not threats.

The only way to remediate a threat would be to capture and/or incapacitate the party exploiting an asset. Assuming we can accept this stretch of the term, only law enforcement or the military could act against threats in this manner. Hence, (civilian) organizations don't "remediate threats."

2 comments:

Anonymous said...

Malicious software that doesn't exploit a vulnerability (e.g. a virus) is still considered a threat (an infosec threat can be any malicious *entity*, i.e. a process and not necessarily a person). I think this is what Schmidt meant to say. Perhaps he should have said "identify and mitigate the risk posed by these threats".

Anonymous said...

Yes, well, that's Howard for you. Lots of lofty notions but few concrete and actionable steps.


This opinion is my own.