Slashdot Mirror

← Back to Stories (view on slashdot.org)

Threats vs. Vulnerabilities

Posted by CmdrTaco on from the i'm-scared-either-way dept.

Schneier's blog links to a short paper on the difference between threats and vulnerabilities. It's a little heavy for this early in the morning, but it might be worth your time.

35 of 51 comments (clear)

  1. Priorities! by Anonymous Coward · · Score: 2, Insightful

    Elizabeth Taylor dies and you post this crap? Have some PRIORITIES, man!

    1. Re:Priorities! by Anonymous Coward · · Score: 2

      Elizabeth who?

    2. Re:Priorities! by WrongSizeGlass · · Score: 3, Funny

      Elizabeth who?

      The woman who was married 8 more times than most /.ers

    3. Re:Priorities! by Talderas · · Score: 1

      I thought she had 7 husbands.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    4. Re:Priorities! by antdude · · Score: 1

      Who is that and why should we care? [grin]

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    5. Re:Priorities! by Anonymous Coward · · Score: 1

      I thought she had 7 husbands.

      And 8 marriages. A quick application of the pigeonhole principle will resolve this paradox for you.

    6. Re:Priorities! by WrongSizeGlass · · Score: 1

      I thought she had 7 husbands.

      She did have 7 husbands but she was married 8 times. She married Richard Burton twice.

  2. It's afternoon here! by captainpanic · · Score: 2

    It was 14.28 hrs in the afternoon when it was posted, you America-centric insensitive clod!

    1. Re:It's afternoon here! by trollertron3000 · · Score: 3, Funny

      I agree. The world should revolve around you and headlines should take your life into account going forward. I'll make a note of this sire and have the staff writing the Internet to make an adjustment.

      --
      Tiger Blooded Bi-Winning Machine
    2. Re:It's afternoon here! by alienzed · · Score: 1

      Hey, that's morning for me!

      --
      Never say never. Ah!! I did it again!
    3. Re:It's afternoon here! by mister_playboy · · Score: 1

      If you don't like the US bias at /., make your own freakin' site like the Japanese did. We're all genius coders here, should be a simple task... right? :)

      --
      Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
  3. Pass the coffee! by Swaziboy · · Score: 1

    Eish, too early indeed. I kick-started my day with this, and now I have to buy another coffee to reset. That's TWO coffees in 25 mins... I am beginning to suspect I have a vulnerability. No wait, it's a threat, but only if I someone spikes it, then the vulnerability lies with me, but the threat is external. OMG!

    1. Re:Pass the coffee! by antifoidulus · · Score: 1

      After two coffees I would be most worried about your bladder overflow vulnerability.

      --
      Monstar L
  4. Right. Early. by griffo · · Score: 1

    It's way past noon here you timezone-ignoramus. I'm loving it!

  5. Summary by cpu6502 · · Score: 4, Interesting

    Difference between "threats" and "vunlerabilities"

    THREAT: A Criminal might break into my house
    Vulnerability: My house has no lock.

    He then goes on to talk about how using Threat Analysis tools is Not sufficient to identify vulnerabilities, because they are not the same thing, and Vulnerabilities are much more difficult to identify.

    --
    My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    1. Re:Summary by flaming+error · · Score: 1

      That's a pretty funny summary. He really does defeat his own point by coupling them so tightly.

      What he should have done to make his point better was to first do his vulnerability assessment:

      1) Windows are not bullet-proof
      2) Doors can be easily kicked in.
      3) Back gate has no lock
      4) Locks to the front doors haven't been changed since last residents moved out.
      5) Comings and goings of residents are obvious and predictable

      Threat Assessment:

      1) Junk mail
      2) Neighbor's dog crap
      3) Random prison escapee hiding in back yard
      4) Daughter's boyfriend sneaking in
      5) Irish Republican Army taking out our shrine of Madonna

    2. Re:Summary by postbigbang · · Score: 1

      It's more like:

      Threat: it's been seen in the wild, hammering something.

      Vulnerability: a conceivable possibility exists if someone is dogged enough to do the wild coding needed, and some happless situation is setup, to cause a problem which may or may not result in something to worry about.

      Threats are alive and transitive, vulnerabilities are conceptual and passive.

      --
      ---- Teach Peace. It's Cheaper Than War.
    3. Re:Summary by Talderas · · Score: 1

      By far #3 is the most dangerous threat.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    4. Re:Summary by argStyopa · · Score: 2

      Your summary is spot-on, my issue is with TFA's analysis.

      Vulnerabilities are FAR easier to recognize than threats, insofar as you are aware of capabilities. Threats involve understanding motivations and goals of people with inimical goals, or 'unknown unknowns'.

      It's far easier to recognize that your house has no lock, than to conceptualize that there are thieves out there who want to break in, if that's not a part of your intellectual framework in the first place. To be topically relevant, I'd guess it's easier to look at your nuclear plant and say "ok, we have no backup plan in case the cooling water boils away" than to threat-analyze a richter 9 earthquake and followon tsunami.

      --
      -Styopa
    5. Re:Summary by hey! · · Score: 1

      No, no, no! The strength of a window is a *feature* (or perhaps we should say a "property"); a bullet being fired through that window is the *vulnerability", which may or may not exist in all non-bullet proof windows. For example, a window put in an interior swinging door to prevent people from braining each other with the door may have the feature or characteristic of being not strong enough to deflect a bullet, but shots being fired through that window do not present a realistic vulnerability.

      Arguably treats are often tied to features that are not in themselves vulnerabilities. The number of angels that can dance on the head of a pin is a *feature* of the pinhead. The Angel of Death getting pissed because he was left out and going Apocalyptic on your ass is a threat scenario triggered by that feature. The actual vulnerabilities in the scenario do not involve any features of the pin per se. Likewise the inability of some people to distinguish black from white does not mean the color features of a zebra crossing present a fatal vulnerability in themselves.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    6. Re:Summary by flaming+error · · Score: 3, Funny

      I was maybe 15 years old, and it was the 5th of July. The fireworks from the night before inspired me to embark on a career of pyrotechnics.

      My best friend came over and we attempted our first batch of gunpowder. I found the composition of gunpowder in the encyclopedia, got together the ingredients, and set up a table in the backyard. We mashed some old charcoal briquets up, measured out the other ingredients, poured them all in a bucket, and immediately cops started swarming into the backyard.

      They came from the back fence over the alley. They came from both neighbors'. They came from the front yard. It was so sudden and so massive there was no chance for us to hide our illegal activity.

      But they totally disregarded us, and in fact waved us away. A few minutes later they came out with a long-haired shirtless white guy in handcuffs.

      He'd escaped from police custody earlier, and had been hiding in our backyard tree watching us make gunpowder the whole time.

      ps- The gunpowder didn't work. Thank God.

  6. The difference by Chrisq · · Score: 1

    I like my girls with an ait of vulnerability. My brother likes them with a threatening air. (seriously, at times he has bruises all over him because of his "play acting" with girls)

  7. Small comment by ifoxtrot · · Score: 2
    FTA " Another sort of related problem commonly found in infrastructure security assessments is confusing features with vulnerabilities. Thus, a public road that travels close to the facility is often considered a Vulnerability. It is not, however; it is only an attribute. Only when coupled with an attack scenario (truck bomb, the road makes visual and electronic surveillance easier for espionage, assets can be thrown over the fence by insiders to the bad guy's parked truck, etc.) does a feature become a Vulnerability".

    I'm not quite sure about the point the author is trying to make here: what's the purpose of differentiating between features/attributes and vulnerabilities? Is it only a vulnerability when it can be exploited? This is actually undermining the definitions the author uses for explaining the difference between threat and vulnerability: if a vulnerability can be "exploited by multiple adversaries having a range of motivations and interest in a lot of different assets", requiring attack scenarios to be specified before allowing an "attribute" to be called a vulnerability feels a bit unnecessary, and could even focus the attention too much onto one kind of attack. Incidentally, neither attribute nor attack scenario is defined anywhere in the paper, which makes the distinction being drawn here weird.

    In my view, a vulnerability is a property of the system that allows an attack; there is a natural overlap between a vulnerability and an attack, but they do exist independently: it is sometimes interesting to think of vulnerabilities that have no known or feasible attack (e.g. crypto ciphers that are seen as weak do not necessarily have feasible attack scenarios). Requiring an attack scenario in order to classify a feature (or attribute) as a vulnerability seems unnecessary: why would you have described the attribute as a vulnerability if you didn't have an attack in mind already?

    1. Re:Small comment by Dracolytch · · Score: 2

      I think what he's getting at is that "Features" are not, by themselves, vulnerabilities. For a feature to become a vulnerability requires context. To a certain degree, you have to frame the conversation a bit. If you frame the conversation "I want to be protected", you can spend days/weeks/lifetimes spinning around in circles. "I want to protect myself against terrorists" is a lot different than "I want to protect myself from dishonest employees", which is a lot different from "I want to protect myself from a foreign invasion force". A road is not something you need to consider for all of these scenarios.

      The real trick lies in tying the micro and macro views together so that nothing slips through the cracks.

      --
      This sig has been enciphered with a one-time pad. It could say almost anything.
    2. Re:Small comment by ediron2 · · Score: 1

      You're close to agreement, but the road isn't the vulnerability. Traits of the road can cause (and eliminate) vulnerability, and they'll each come back to the mechanism that'd be exploited, not the road itself.

      A security patrol, barriers, countersurveillance, removing the ability to loiter and eavesdrop and monitoring systems can mitigate or remove vulnerabilities. The road can remain, you just have to mitigate the vulnerabilities it creates.

      Maybe what's snagging you up is that sometimes the best mitigation idea is to close a road. But that's not because of the road, per se. It's because roads are maliciously-useful in so many ways. Some circumstances just create a broad spectrum of overlapping vulnerabilities: roads, unattended bank kiosks (I'm thinking of a bank branch in an unsecured kiosk in a student union), hacker conventions, or other whac-a-mole (that's a technical term) situations. If a black hat hacker's eyes widen with 'oh-sweet-FSM-so-many-choices', you should start to doubt whether it's possible to recognize all the vulnerabilities. Put into a cliche: sometimes the best strategy is to retreat to safer ground, or to reduce the available services to a manageable, crux few.

  8. Semantics by InsertCleverUsername · · Score: 1

    This distinction isn't hard to understand --unless you're a project manager. I made the mistake a few years ago of telling a PM about a vulnerability in one of our web apps. She started sending e-mails CCing everyone from the CEO to the janitor telling them about this "security breach." When I tried to gently correct this misunderstanding, all I got was a lot of diva attitude and "I'll call it whatever I want." I was really happy when I quit that job.

     

    --
    Ask me about my sig!
  9. Screw threats by iMouse · · Score: 1

    ...some have yet to get past the concept of vulnerabilities vs. exploits.

    Vulnerability: The lock on my door can easily be picked using a stick of butter
    Exploit: Someone exploited the butter vulnerability in my lock to gain access to my house

  10. TFA says it all... by introcept · · Score: 1

    I'm not quite sure about the point the author is trying to make here: what's the purpose of differentiating between features/attributes and vulnerabilities? Is it only a vulnerability when it can be exploited? This is actually undermining the definitions the author uses for explaining the difference between threat and vulnerability: if a vulnerability can be "exploited by multiple adversaries having a range of motivations and interest in a lot of different assets", requiring attack scenarios to be specified before allowing an "attribute" to be called a vulnerability feels a bit unnecessary, and could even focus the attention too much onto one kind of attack. Incidentally, neither attribute nor attack scenario is defined anywhere in the paper, which makes the distinction being drawn here weird.

    *Editor’s Note: This paper was not peer-reviewed. This work was performed under the auspices of the
    United States Department of Energy (DOE) under contract DE-AC02-06CH11357. The views expressed
    here are those of the author and should not necessarily be ascribed to Argonne National Laboratory or
    DOE. Jon Warner provided useful suggestions.

  11. This isn't a hard concept to master by Junior+J.+Junior+III · · Score: 1

    Threat: A guy who doesn't like you
    Vulnerability: Getting kicked in the nuts really hurts.

    When a Threat finds a Vulnerability, and exploits it, that's when you have a problem.

    --
    You see? You see? Your stupid minds! Stupid! Stupid!
  12. OSSTMM by Ken_g6 · · Score: 2

    For much more detail and depth about these kinds of topics, see the free OSSTMM. (Scroll down to the bottom of the page.)

    --
    (T>t && O(n)--) == sqrt(666)
  13. Re:What? by hey! · · Score: 4, Informative

    A threat is a possible action taken against you. A vulnerability is a specific avenue by which that threat can be realized. Threats and vulnerabilities exist in different ways. Threats represent things that *might* happen in the future. What you are worrying about is threats *materializing* as attacks. Vulnerabilities don't materialize -- they're there in the system all along.

    The practical purpose of this distinction is that the actions you take in response to a vulnerability is different than than the actions you take in response to a threat, and the *results* are *vastly* different.

    The response to a vulnerability is to *eliminate it*. Having no lock on a door is a vulnerability you eliminate by putting a lock on the door. Note that eliminating a vulnerability does not eliminate vulnerabilities as a class of concerns; in fact it may introduce a new vulnerability. By installing a lock you've eliminated the vulnerability of somebody simply walking into your house, but you've replaced it with the less serious vulnerability of having the lock picked.

    The response to a threat is to *reduce your exposure to it*. Burglary is a threat; you can reduce your exposure to it by eliminating vulnerabilities (the lockless door, the piles of cash under your mattress), and taking steps to reduce the damage (buying insurance), but *eliminating* burglary is not a feasible goal.

    It's a useful distinction because it separates concerns that you can eliminate with immediate, concrete actions from those you have to keep an eye on.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  14. Interesting. by shadowfaxcrx · · Score: 1

    I was hoping the paper would also go into vulnerabilities-without-threats. I've been having a debate with some people regarding car vulnerabilities - Some universities have done studies and determined that someone could use the tire pressure monitoring systems as a way to hack into the car's computer and screw with some readings. The car guys are generally up in arms about this - "Why wouldn't they secure the systems," while I take the stand that even though the car is technically vulnerable to such an attack, the attack won't materialize because anything you can accomplish by hacking TPMS, for example causing a flat tire readout, making the driver pull over, at which point you steal the car, you can accomplish more efficiently by other methods, such as pointing a gun at them or tapping them from behind and then stealing the car when they get out to check for damage.

    It seems, to me anyway, that a lot of the media scare stories out there are based on these threat-less vulnerabilities. I saw a report a couple of days ago that was trying to imply that an Ohio nuclear plant is dangerous because it doesn't have all the safety features that the Japan plant had - but when you drilled down to what was missing, it turned out to be a tsunami wall. So while technically the Ohio plant would be vulnerable if hit by a tsunami, it will never be hit by one, and so it's a threat-less vulnerability.

    --
    "I disagree with you" does not equal "flamebait."
    1. Re:Interesting. by antifoidulus · · Score: 1

      To a certain extent I would believe it would really depend on the value of the target. Anyone can steal dog poop from a yard, so they are obviously vulnerable, but I doubt many people are particularly worried about losing said dog poop.

      --
      Monstar L
  15. Read the whole paper . . . by wrencherd · · Score: 2

    . . . and I still don't know what the definition of "security" is.

  16. Re:Weak Writing by Stuarticus · · Score: 1

    Naturally I didn't RTFA, but it seems you have, is clicking on random internet links to PDFs a threat or a vulnerability?

    --
    If you think someone isn't free to have a different definition of "freedom" you may be a tyrant.