Wednesday, October 11, 2006

More Reasons to Discuss Threats

The word "threat" is popular. What used to be Bleeding Edge Snort is now Bleeding Edge Threats. It's a great site but I think it should have avoided using the term "threat." I think "Bleeding Edge Security" would have been better, but apparently that's not cool enough?

I noticed the OWASP is trying to define various security terms as well. (Because OWASP means Open Web Application Security Project, I didn't say "OWASP project." Those who say "ATM machine," "NIC card," and "CAC card," please take note.) OWASP has Wiki pages for attack, vulnerability, countermeasure, and, yes, threat.

For an example of a project that is largely not falling for the threat hype, check out the Vulnerability Type Distributions in CVE published last week. It provides research results on publicly reported vulnerabilities.

It might be helpful to look at already published work when thinking about what these terms mean. Good sources include the following.

The CWE Classification Tree contains a section labelled "Motivation/Intent," with an "Intentional" subsection containing items like "Trojan Horse," "Trapdoor," "Logic/Time Bomb," and "Spyware." Note these are not intended to be considered weaknesses in the sense of calling a "Trojan Horse" a "weakness." Rather, it seems the CWE considers the inclusion of such code to be a weakness in and of itself. This might be similar to an "Easter Egg."

While you're busy thinking of these security issues, you might want to download the latest release of Helix. I used it to try a recent version of Brian Carrier's Sleuthkit. I launched the Helix Live CD .iso within VMware, then used NFS on another system to export a dd image from Real Digital Forensics for browsing within Autopsy. I am sad to see the Sguil client is not in Helix anymore, though.
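One concrete step in that workflow is finding where each file system starts inside the dd image, which is what Sleuthkit's mmls reports and what you hand to fls -o before browsing. What follows is an added example, not Sleuthkit or Helix code: a small Python parser for the DOS/MBR partition table of a raw image, run here against an image constructed in memory (the two-partition layout is invented for the demonstration). It also lists unallocated sector ranges, where hidden data tends to live, and flags a partition that runs past the end of the image, which is the first sign of a truncated acquisition.

```python
"""Parse the DOS/MBR partition table of a raw (dd) disk image.

Standalone illustration of what Sleuthkit's `mmls` computes before you pass a
sector offset to `fls -o`. It is not Sleuthkit code, and the image parsed in
main() is constructed in memory rather than read from an evidence file.
"""
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
PART_TABLE_OFFSET = 446      # four 16-byte entries follow the boot code
PART_ENTRY_LEN = 16
# Status byte, 3 CHS-start bytes (skipped), type byte, 3 CHS-end bytes
# (skipped), 32-bit LBA start, 32-bit length in sectors; little-endian.
PART_ENTRY_FMT = "<B3xB3xII"

# Labels for a handful of common type IDs; anything else is reported by number.
PART_TYPES = {
    0x07: "NTFS/exFAT/HPFS",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
}


def parse_mbr(image):
    """Return the non-empty primary partition entries of a raw image.

    Each entry records its sector range ("start" is the value you pass to
    `fls -o`), the equivalent byte offset, and whether the partition extends
    past the end of the image (a truncated acquisition).
    """
    if len(image) < SECTOR:
        raise ValueError("image shorter than one sector")
    mbr = image[:SECTOR]
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA signature; not a DOS partition table")
    total_sectors = len(image) // SECTOR
    parts = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + slot * PART_ENTRY_LEN
        status, ptype, start, length = struct.unpack(
            PART_ENTRY_FMT, mbr[off:off + PART_ENTRY_LEN])
        if ptype == 0 or length == 0:
            continue  # unused slot
        end = start + length - 1
        parts.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "desc": PART_TYPES.get(ptype, "0x%02X" % ptype),
            "start": start,
            "end": end,
            "length": length,
            "byte_offset": start * SECTOR,
            "truncated": end >= total_sectors,
        })
    return parts


def unallocated(parts, total_sectors):
    """Sector ranges (inclusive) covered by no partition, excluding sector 0.

    mmls reports these too; data hidden between or after partitions lives here.
    """
    gaps = []
    cursor = 1  # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor <= total_sectors - 1:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_test_image(total_sectors=2048):
    """Constructed sample image: a bootable FAT32 slice followed by a Linux one."""
    mbr = bytearray(SECTOR)
    mbr[0:2] = b"\xeb\xfe"  # 'jmp $': enough boot code to look plausible
    entries = [
        (0x80, 0x0C, 63, 1000),   # bootable, FAT32 (LBA), sectors 63-1062
        (0x00, 0x83, 1063, 900),  # Linux, sectors 1063-1962
    ]
    for slot, entry in enumerate(entries):
        off = PART_TABLE_OFFSET + slot * PART_ENTRY_LEN
        mbr[off:off + PART_ENTRY_LEN] = struct.pack(PART_ENTRY_FMT, *entry)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr) + b"\x00" * (SECTOR * (total_sectors - 1))


if __name__ == "__main__":
    img = build_test_image()
    parts = parse_mbr(img)
    for p in parts:
        flag = " TRUNCATED" if p["truncated"] else ""
        print("%d: %s%s sectors %d-%d (fls -o %d)%s" % (
            p["slot"], "*" if p["bootable"] else " ", p["desc"],
            p["start"], p["end"], p["start"], flag))
    for s, e in unallocated(parts, len(img) // SECTOR):
        print("   unallocated sectors %d-%d" % (s, e))
```

Against a real image you would replace build_test_image() with the bytes of the dd file (reading only the first sector is enough for parse_mbr if you pass the file size separately); the "truncated" flag is worth checking before trusting any timeline built from the image, since a partition that ends beyond the file means the acquisition did not capture the whole disk.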


Anonymous said...

"Those who say "ATM machine," "NIC card," and "CAC card," please take note"

I have a personal boycott of "DSW Shoe Warehouse" for this reason.

Anonymous said...

RPM Package Manager
PHP Hypertext Processor
WINE is Not an Emulator

Of course, your examples are better described as RAS:

Anonymous said...

Then there's Windows XP, made with "Windows NT Technology"

Not a backronym - a retired acronym. Marketing decided to unmake it an acronym.

Anonymous said...

If you're that wound up about a simple linguistic convention, you gotta have OCD disorder or something. :^)

Gunnar said...

I believe Fortify donated their taxonomy to OWASP awhile ago

Mark said...

Would you consider the following to be an accurate use of "potential threat"?

I'm trying to explain what a network access control solution is really focused on - mitigation of potential threats through network exclusion.

In my paper, Potential Threat is defined as a system that has a known set of vulnerabilities for which there are no network mitigations in place. A potential threat requires a "threat" such as a worm or malicious user to evolve from a "vulnerability" (potential threat) to an actual threat to the enterprise.


Richard Bejtlich said...

Hi Mark,

First, kudos for actually engaging in a discussion for a paper you're writing.

I always define threats as "parties," which in almost all cases means "people."

It's tough to make a judgement based on what you wrote, but I think you should always remember that a threat is not a vulnerability and a vulnerability is not a threat.

When you think of threat, think attacker - intruder - bad guy.

When you think of vulnerability, think flaw - defect - weakness.

Mark said...

Thx Richard!

I'm looking at actually simplifying why a CIO would purchase a "NAC" solution. I believe there are many security purchases that should be invested in before worrying about a "passive threat" (systems with vulnerabilities in an open environment). I would prefer they first invest in hardening the internal network.

Hardening would be a combination of internal monitoring and network layer controls (elimination of unnecessary protocols). With advanced network h/w (many customers don't use the features though) - it is easy to start to harden the network transport layer by removing unnecessary protocols. My approach is similar to hardening the system - remove what you don't need.

Thx for the advice. I'm really shooting for consistency in technical terms when writing papers. There are far too many terms which are overused or misused out there.

Mark said...

Rethinking how to explain what I wrote.

To better define what I mean by "passive threat":

As a network operator - each system with an unpatched vulnerability, and in which there are no active countermeasures - these systems represent a "potential" threat to me, the network operator, if the vulnerability is exploited. That is, the effect of the exploit on those systems would have an adverse effect on the internal network (denial of service, theft of data, etc.).

The NAC market is being overwhelmed with many claims that you can't maintain a secure network without one. My argument is that it is better to "monitor" the network (extrusion and intrusion detection) and put necessary controls in place (network countermeasures) before investing in any type of NAC product.

I'm not against NAC. I think it definitely provides value - but to me NAC is an internal process (asset management), and if you have already deployed network countermeasures you can make the next logical leap if it adds value to your network. In networks where IT doesn't manage the asset (guest networks, colleges), active NAC (inspect and approve before granting network access) may provide more benefit than it does for the Fortune 1000 running SMS or some other asset management product.

With security spending running under more scrutiny, I'm for deploying the right technologies that are going to have a higher "yield" in improving the security posture of my organization.

Thx for the excellent blog and the books (I own them all - support the author!).