Comments on TaoSecurity Blog: Three Threats
Blog author: Richard Bejtlich
Five comments, shown in the order they were posted.

----------------------------------------------------------------------
Anonymous, 2006-05-29 23:00 -04:00

I'm going to dispute this a little bit. Your definition of 'vulnerability' is correct, and you're right that 'threat' should not be used where 'vulnerability' is intended, but I find your definition of 'threat' wanting. In common use of the word, it is not a person or group of people.

The government report you quoted in your last blog entry had it right: a threat is a circumstance or event. They used the term 'threat agent' to denote the person who might attempt to implement the threat.

If a threat is an entity, then 'Threat Modeling', a widely used term in network and application security, doesn't really make any sense.

Actually, based on your examples, you are calling a 'risk' what is conventionally called a 'threat'. Risk, which is really only a concern to CISSP-types (in my experience), is quantitative: usually the product of some formula having to do with damage potential and likelihood of threat realization.

----------------------------------------------------------------------
Anonymous, 2006-05-29 23:38 -04:00

I must agree with Mango.

Put it this way - in the Karate Kid example, Johnny Lawrence could also deprive Daniel-san of his fighting ability by kicking him in the head, the right ankle (injured leg is left) or the family jewels. Three threats, one threat agent.

The injured leg is a more exploitable vulnerability, which makes it a more pressing risk to address (by hanging it in the air via the well known "Fighting Italian Crane" manoeuvre).

----------------------------------------------------------------------
Richard Bejtlich, 2006-05-30 08:02 -04:00

Last two posts -- as long as you don't say that Daniel's injured leg, head, or FJs are "threats," then I can accept your reasoning. I choose not to separate "threat" and "threat agent," since that is not done in intelligence circles. Even the language in the definitions above (which is not unique to this report) is awkward, due to separation of threat and threat agent. How can a "circumstance or event" "exploit" something?

----------------------------------------------------------------------
Anonymous, 2006-05-30 09:59 -04:00

I agree with you about vulnerability, so this is really a side point to your main argument.

Perhaps you just explained the disconnect: threat is used differently in different communities.

In computer security, a threat is a circumstance or event. A threat is that an attacker might own my box. A vulnerability is a buffer overrun in a network-exposed service. We don't say the threat exploits something. We say the [attacker|threat agent|malicious hacker] exploits the [vulnerability|flaw] to [realize|implement] the threat.

----------------------------------------------------------------------
John Ward, 2006-05-30 11:22 -04:00

If I am tasked with eliminating threats, in the case of The Karate Kid, I don't think Daniel would be very appreciative if I eliminated his head, his ankle, or his nuts. Now if I eliminated the risk of him getting kicked in any of those places by eliminating the threat (Johnny), he might actually get some bass in his voice.

While the Computer Security example Mango suggests makes sense, I would be careful about defining a threat as a "circumstance or event" because that gets very close to a type of vulnerability. For example, race conditions are circumstances in which events occur out of sequence, which is a type of vulnerability, not a threat. The system runs the risk of exploitation via the vulnerability. All it would require is a person or persons with the capability or intent to do so, hence the threat.

I would say that an attacker/threat agent is an instance of a threat, in the same relationship as a superclass (threat) is to an instantiated sub-class.

Just my 2 cents...