I noticed the OWASP is trying to define various security terms as well. (Because OWASP means Open Web Application Security Project, I didn't say "OWASP project." Those who say "ATM machine," "NIC card," and "CAC card," please take note.) OWASP has Wiki pages for attack, vulnerability, countermeasure, and, yes, threat.
For an example of a project that is largely not falling for the threat hype, check out the Vulnerability Type Distributions in CVE published last week. It provides research results on publicly reported vulnerabilities.
It might be helpful to look at already published work when thinking about what these terms mean. Good sources include the following.
- Use of A Taxonomy of Security Faults
- Common Vulnerabilities and Exposures (CVE) Terminology
- Cliff Berg's collection
- Fred Cohen's A Preliminary Classification Scheme for Information System Threats, Attacks, and Defenses; A Cause and Effect Model; and Some Analysis Based on That Model
- The Common Weakness Enumeration (CWE) project Classification Tree
The CWE Classification Tree contains a section labelled "Motivation/Intent," with an "Intentional" subsection containing items like "Trojan Horse," "Trapdoor," "Logic/Time Bomb," and "Spyware." Note these are not intended to be considered weaknesses, in the sense of calling a "Trojan Horse" a "weakness." Rather, it seems the CWE considers the inclusion of such code to be a weakness in and of itself. This might be similar to an "Easter Egg."
While you're busy thinking of these security issues, you might want to download the latest release of Helix. I used it to try a recent version of Brian Carrier's Sleuthkit. I launched the Helix Live CD .iso within VMware, then used NFS on another system to export a dd image from Real Digital Forensics for browsing within Autopsy. I am sad to see the Sguil client is not in Helix anymore, though.