Slashdot Mirror
Threats vs. Vulnerabilities
Schneier's blog links to a short paper on the difference between threats and vulnerabilities. It's a little heavy for this early in the morning, but it might be worth your time.
← Back to Stories (view on slashdot.org)
A threat is active and a vulnerability is not? Sorry, just going by my english vocabulary knowledge.
Why its a quart past the hour of 1 my good lad. Going to have a good lunch time read of this.
Sure, it looks like an official document (PDF even!). But it's basically a blog post written hastily.
Elizabeth Taylor dies and you post this crap? Have some PRIORITIES, man!
It was 14.28 hrs in the afternoon when it was posted, you America-centric insensitive clod!
the results may have to be securely censored/deleted for unknown reasons. the #'s fail to resolve the whole fauxking 'business' yet.
Eish, too early indeed. I kick-started my day with this, and now I have to buy another coffee to reset. That's TWO coffees in 25 mins... I am beginning to suspect I have a vulnerability. No wait, it's a threat, but only if I someone spikes it, then the vulnerability lies with me, but the threat is external. OMG!
the taylor, mercury, minelli incident proves it?
It's way past noon here you timezone-ignoramus. I'm loving it!
Difference between "threats" and "vunlerabilities"
THREAT: A Criminal might break into my house
Vulnerability: My house has no lock.
He then goes on to talk about how using Threat Analysis tools is Not sufficient to identify vulnerabilities, because they are not the same thing, and Vulnerabilities are much more difficult to identify.
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
I like my girls with an ait of vulnerability. My brother likes them with a threatening air. (seriously, at times he has bruises all over him because of his "play acting" with girls)
I'm not quite sure about the point the author is trying to make here: what's the purpose of differentiating between features/attributes and vulnerabilities? Is it only a vulnerability when it can be exploited? This is actually undermining the definitions the author uses for explaining the difference between threat and vulnerability: if a vulnerability can be "exploited by multiple adversaries having a range of motivations and interest in a lot of different assets", requiring attack scenarios to be specified before allowing an "attribute" to be called a vulnerability feels a bit unnecessary, and could even focus the attention too much onto one kind of attack. Incidentally, neither attribute nor attack scenario is defined anywhere in the paper, which makes the distinction being drawn here weird.
In my view, a vulnerability is a property of the system that allows an attack; there is a natural overlap between a vulnerability and an attack, but they do exist independently: it is sometimes interesting to think of vulnerabilities that have no known or feasible attack (e.g. crypto ciphers that are seen as weak do not necessarily have feasible attack scenarios). Requiring an attack scenario in order to classify a feature (or attribute) as a vulnerability seems unnecessary: why would you have described the attribute as a vulnerability if you didn't have an attack in mind already?
This distinction isn't hard to understand --unless you're a project manager. I made the mistake a few years ago of telling a PM about a vulnerability in one of our web apps. She started sending e-mails CCing everyone from the CEO to the janitor telling them about this "security breach." When I tried to gently correct this misunderstanding, all I got was a lot of diva attitude and "I'll call it whatever I want." I was really happy when I quit that job.
Ask me about my sig!
bah, tl;dr.
threat="ima kickya in teh ballz."
vulnerablility="i present thee with my balls for you to kicketh"
probably need a whole new word & symbol to cover the destruction of that formerly perfectly good one? known abuses; sweetener, =should be a neutral sign. people, forget it. 'business', no such thing (=) anymore. more stuff keeps coming in. we could never make this up?
there's a long list of words that have also been abused beyond recognition, or much remaining validity (like kings?), in relation to their original/intended meanings/purpose. that'll (list) be out after the falling romans (kings/#'s) thing is chalked out.
...some have yet to get past the concept of vulnerabilities vs. exploits.
Vulnerability: The lock on my door can easily be picked using a stick of butter
Exploit: Someone exploited the butter vulnerability in my lock to gain access to my house
I'm not quite sure about the point the author is trying to make here: what's the purpose of differentiating between features/attributes and vulnerabilities? Is it only a vulnerability when it can be exploited? This is actually undermining the definitions the author uses for explaining the difference between threat and vulnerability: if a vulnerability can be "exploited by multiple adversaries having a range of motivations and interest in a lot of different assets", requiring attack scenarios to be specified before allowing an "attribute" to be called a vulnerability feels a bit unnecessary, and could even focus the attention too much onto one kind of attack. Incidentally, neither attribute nor attack scenario is defined anywhere in the paper, which makes the distinction being drawn here weird.
*Editor’s Note: This paper was not peer-reviewed. This work was performed under the auspices of the
United States Department of Energy (DOE) under contract DE-AC02-06CH11357. The views expressed
here are those of the author and should not necessarily be ascribed to Argonne National Laboratory or
DOE. Jon Warner provided useful suggestions.
Threat: A guy who doesn't like you
Vulnerability: Getting kicked in the nuts really hurts.
When a Threat finds a Vulnerability, and exploits it, that's when you have a problem.
You see? You see? Your stupid minds! Stupid! Stupid!
For much more detail and depth about these kinds of topics, see the free OSSTMM. (Scroll down to the bottom of the page.)
(T>t && O(n)--) == sqrt(666)
I was hoping the paper would also go into vulnerabilities-without-threats. I've been having a debate with some people regarding car vulnerabilities - Some universities have done studies and determined that someone could use the tire pressure monitoring systems as a way to hack into the car's computer and screw with some readings. The car guys are generally up in arms about this - "Why wouldn't they secure the systems," while I take the stand that even though the car is technically vulnerable to such an attack, the attack won't materialize because anything you can accomplish by hacking TPMS, for example causing a flat tire readout, making the driver pull over, at which point you steal the car, you can accomplish more efficiently by other methods, such as pointing a gun at them or tapping them from behind and then stealing the car when they get out to check for damage.
It seems, to me anyway, that a lot of the media scare stories out there are based on these threat-less vulnerabilities. I saw a report a couple of days ago that was trying to imply that an Ohio nuclear plant is dangerous because it doesn't have all the safety features that the Japan plant had - but when you drilled down to what was missing, it turned out to be a tsunami wall. So while technically the Ohio plant would be vulnerable if hit by a tsunami, it will never be hit by one, and so it's a threat-less vulnerability.
"I disagree with you" does not equal "flamebait."
. . . and I still don't know what the definition of "security" is.