Monday, May 29, 2006

Threat Term Used Properly in Government Report

It's time once again to talk about threats! Yes, you guessed it. While reading back issues of FCW I encountered good -- and bad -- uses of the term "threat." Mostly, threat was used where vulnerability should have appeared. Let's briefly review the definition I provided in my books:

A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset.

A vulnerability is a weakness in an asset that could lead to exploitation.

For example, an intruder (the threat) exploits a hole (the vulnerability) in Microsoft IIS to gain remote control of a Web server. In other words, threats exploit vulnerabilities.

I've written about proper use of the term threat many times before. Let's look at a few examples from FCW that show why it's important to use the right term when communicating among security professionals.

First, consider the article Cybersecurity research plan identifies threats. The story discusses the Federal Plan for Cyber Security and Information Assurance Research and Development (.pdf).

Using proper terminology, I would expect this article to discuss plans by mostly law enforcement, intelligence, and military groups to investigate organized crime, state-sponsored groups, foreign intelligence services, and so on. Perhaps honeypot operators would also be involved tracking botnet herders and the like. I can't tell from reading the article. Here are two places where "threat" is used:

The report identifies critical threats to the nation’s information technology infrastructure and recommends that the government pay for research that would enable manufacturers to build IT security safeguards into infrastructure systems before they are delivered to power plants or other high-risk facilities.

That sounds like a discussion of vulnerabilities. When the term "safeguard" is used, it's a synonym for "countermeasure."

One of the action points is the following:

Focusing on threats with the greatest potential impact.

Again, I can't tell if the article is correctly referring to malicious parties, or incorrectly referring to the most serious vulnerabilities.

Thankfully, when I read the report, I see proper terminology in play:

Cyber threats are asymmetric, surreptitious, and constantly evolving -- a single individual or a small group anywhere in the world can inexpensively and secretly attempt to penetrate systems containing vital information or mount damaging attacks on critical infrastructures. Attack tools and resources. (p. ix)

Bravo. Page 5 offers definitions:

A vulnerability is a flaw or weakness in the design or implementation of hardware, software, networks, or computer-based systems, including security procedures and controls associated with the systems. Vulnerabilities can be intentionally or unintentionally exploited to adversely affect an organization's operations (including missions, functions, and public confidence), assets, or personnel.

A threat is any circumstance or event with the potential to intentionally or unintentionally exploit one or more vulnerabilities in a system resulting in a loss of confidentiality, integrity, or availability. Threats are implemented by threat agents. Examples of threat agents are malicious hackers, organized crime, insiders (including system administrators and developers), terrorists, and nation states.

Risk is a combination of the likelihood that a particular vulnerability in an organization's systems will be either intentionally or unintentionally exploited by a particular threat agent and the magnitude of the potential harm to the organization's operations, assets, or personnel that could result from the loss of confidentiality, integrity, or availability.

Notice this report recognizes that vulnerability and threat are not synonyms! The report later names Malicious Hackers, Organized Crime, Terrorists, and Nation States as threats.

Let's close with an example of how not to use the term threat: SCADA on thin ice: Industrial control systems pose little-noticed security threat. "Little-noticed threat"? Maybe SCADA is little noticed as a "threat" because it suffers vulnerabilities.

Elsewhere in the story, however, the term vulnerability is used properly, and threat doesn't make a repeat appearance save in the following excerpts:

Control systems security is one of six areas of critical vulnerabilities Borg included in a new cybersecurity checklist released in April by the research group...

Even if a facility has not been attacked, that doesn’t mean it’s secure or the threat isn’t real, said Michael Assante.

What is happening here? Reporters usually don't choose the titles for their stories. My guess is some editor at FCW decided to use the term "threat" where "vulnerability" should have appeared. Threat is shorter (fewer syllables = good) and sexier -- too bad it's wrong in this case.


Anonymous said...

I find inspiration in your blog entry.
A tale of bunnies and kitties.

Anonymous said...

The report did not name "malicious hackers, organized crime, terrorists, and nation states" as threats. It named them as "threat agents." A single threat agent may potentially exploit "one or more vulnerabilities," from which arises one or more threats. You haven't fully defined a threat unless you've defined not only the threat agent but also the vulnerability being exploited and the resulting negative consequence.

"Lightning" is a threat agent, not a threat. From that threat agent may arise several threats (e.g., "lightning exploits the human body's vulnerability to being damaged by electrical current to kill", "lightning exploits a server's vulnerability to a voltage spike to render the server inoperative", etc.)

You're dead on in your criticism of confusing the terms "vulnerability" and "threat." Unfortunately, you misuse the term "threat," yourself.