Slashdot Mirror


Threats vs. Vulnerabilities

Schneier's blog links to a short paper on the difference between threats and vulnerabilities. It's a little heavy for this early in the morning, but it might be worth your time.

13 of 51 comments

  1. Priorities! by Anonymous Coward · · Score: 2, Insightful

    Elizabeth Taylor dies and you post this crap? Have some PRIORITIES, man!

    1. Re:Priorities! by Anonymous Coward · · Score: 2

      Elizabeth who?

    2. Re:Priorities! by WrongSizeGlass · · Score: 3, Funny

      Elizabeth who?

      The woman who was married 8 more times than most /.ers

  2. It's afternoon here! by captainpanic · · Score: 2

    It was 14.28 hrs in the afternoon when it was posted, you America-centric insensitive clod!

    1. Re:It's afternoon here! by trollertron3000 · · Score: 3, Funny

      I agree. The world should revolve around you and headlines should take your life into account going forward. I'll make a note of this, sire, and have the staff writing the Internet make an adjustment.

      --
      Tiger Blooded Bi-Winning Machine
  3. Summary by cpu6502 · · Score: 4, Interesting

    Difference between "threats" and "vulnerabilities"

    THREAT: A Criminal might break into my house
    Vulnerability: My house has no lock.

    He then goes on to talk about how using Threat Analysis tools is Not sufficient to identify vulnerabilities, because they are not the same thing, and Vulnerabilities are much more difficult to identify.

    --
    My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    1. Re:Summary by argStyopa · · Score: 2

      Your summary is spot-on, my issue is with TFA's analysis.

      Vulnerabilities are FAR easier to recognize than threats, insofar as you are aware of capabilities. Threats involve understanding motivations and goals of people with inimical goals, or 'unknown unknowns'.

      It's far easier to recognize that your house has no lock, than to conceptualize that there are thieves out there who want to break in, if that's not a part of your intellectual framework in the first place. To be topically relevant, I'd guess it's easier to look at your nuclear plant and say "ok, we have no backup plan in case the cooling water boils away" than to threat-analyze a Richter 9 earthquake and follow-on tsunami.

      --
      -Styopa
    2. Re:Summary by flaming+error · · Score: 3, Funny

      I was maybe 15 years old, and it was the 5th of July. The fireworks from the night before inspired me to embark on a career of pyrotechnics.

      My best friend came over and we attempted our first batch of gunpowder. I found the composition of gunpowder in the encyclopedia, got together the ingredients, and set up a table in the backyard. We mashed some old charcoal briquets up, measured out the other ingredients, poured them all in a bucket, and immediately cops started swarming into the backyard.

      They came from the back fence over the alley. They came from both neighbors'. They came from the front yard. It was so sudden and so massive there was no chance for us to hide our illegal activity.

      But they totally disregarded us, and in fact waved us away. A few minutes later they came out with a long-haired shirtless white guy in handcuffs.

      He'd escaped from police custody earlier, and had been hiding in our backyard tree watching us make gunpowder the whole time.

      ps- The gunpowder didn't work. Thank God.

  4. Small comment by ifoxtrot · · Score: 2

    FTA "Another sort of related problem commonly found in infrastructure security assessments is confusing features with vulnerabilities. Thus, a public road that travels close to the facility is often considered a Vulnerability. It is not, however; it is only an attribute. Only when coupled with an attack scenario (truck bomb, the road makes visual and electronic surveillance easier for espionage, assets can be thrown over the fence by insiders to the bad guy's parked truck, etc.) does a feature become a Vulnerability".

    I'm not quite sure about the point the author is trying to make here: what's the purpose of differentiating between features/attributes and vulnerabilities? Is it only a vulnerability when it can be exploited? This is actually undermining the definitions the author uses for explaining the difference between threat and vulnerability: if a vulnerability can be "exploited by multiple adversaries having a range of motivations and interest in a lot of different assets", requiring attack scenarios to be specified before allowing an "attribute" to be called a vulnerability feels a bit unnecessary, and could even focus the attention too much onto one kind of attack. Incidentally, neither attribute nor attack scenario is defined anywhere in the paper, which makes the distinction being drawn here weird.

    In my view, a vulnerability is a property of the system that allows an attack; there is a natural overlap between a vulnerability and an attack, but they do exist independently: it is sometimes interesting to think of vulnerabilities that have no known or feasible attack (e.g. crypto ciphers that are seen as weak do not necessarily have feasible attack scenarios). Requiring an attack scenario in order to classify a feature (or attribute) as a vulnerability seems unnecessary: why would you have described the attribute as a vulnerability if you didn't have an attack in mind already?

    1. Re:Small comment by Dracolytch · · Score: 2

      I think what he's getting at is that "Features" are not, by themselves, vulnerabilities. For a feature to become a vulnerability requires context. To a certain degree, you have to frame the conversation a bit. If you frame the conversation "I want to be protected", you can spend days/weeks/lifetimes spinning around in circles. "I want to protect myself against terrorists" is a lot different than "I want to protect myself from dishonest employees", which is a lot different from "I want to protect myself from a foreign invasion force". A road is not something you need to consider for all of these scenarios.

      The real trick lies in tying the micro and macro views together so that nothing slips through the cracks.

      --
      This sig has been enciphered with a one-time pad. It could say almost anything.
  5. OSSTMM by Ken_g6 · · Score: 2

    For much more detail and depth about these kinds of topics, see the free OSSTMM. (Scroll down to the bottom of the page.)

    --
    (T>t && O(n)--) == sqrt(666)
  6. Re:What? by hey! · · Score: 4, Informative

    A threat is a possible action taken against you. A vulnerability is a specific avenue by which that threat can be realized. Threats and vulnerabilities exist in different ways. Threats represent things that *might* happen in the future. What you are worrying about is threats *materializing* as attacks. Vulnerabilities don't materialize -- they're there in the system all along.

    The practical purpose of this distinction is that the actions you take in response to a vulnerability are different than the actions you take in response to a threat, and the *results* are *vastly* different.

    The response to a vulnerability is to *eliminate it*. Having no lock on a door is a vulnerability you eliminate by putting a lock on the door. Note that eliminating a vulnerability does not eliminate vulnerabilities as a class of concerns; in fact it may introduce a new vulnerability. By installing a lock you've eliminated the vulnerability of somebody simply walking into your house, but you've replaced it with the less serious vulnerability of having the lock picked.

    The response to a threat is to *reduce your exposure to it*. Burglary is a threat; you can reduce your exposure to it by eliminating vulnerabilities (the lockless door, the piles of cash under your mattress), and taking steps to reduce the damage (buying insurance), but *eliminating* burglary is not a feasible goal.

    It's a useful distinction because it separates concerns that you can eliminate with immediate, concrete actions from those you have to keep an eye on.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  7. Read the whole paper . . . by wrencherd · · Score: 2

    . . . and I still don't know what the definition of "security" is.