More than a toothache, more than a flat tire, nothing irritates me more than the improper use of terms when speaking about security at the systems level. It turns out that the dictionary is a wonderful starting point. I'll be the first to admit that I am no scholar, but the misuse of terms like Vulnerability, Threat and Proactive by security vendors is unforgivable. Everyone makes grammatical errors now and then, but using the word Threat when you really mean Attack makes me so upset that I need to take a minute to 'find my happy place'.
We do live in the generation of "Entertain me or get the heck out of my face!" so I will add a little bit of color to the information given to us by Webster :-)
Vulnerability
Threat
Proactive
Pay close attention to the temporal aspects of these words and to the relationships among them. It is where each one sits in time, and how it relates to the others, that is almost always violated.
Vulnerability \Vul`ner*a*bil"i*ty\, n. (a weakness that may or may not be oriented to threat)
The quality or state of being vulnerable
Vulnerability is specific to the target. It is a condition or state that exists prior to, and independent of, the threat, the incident, or the loss. Exploitation of a vulnerability can be planned or can occur accidentally. I am careful not to use the word attack here, because an attack exists only at the time of the incident, whereas vulnerability and threat can each exist independent of any attack.
Threat \Threat\ (thr[e^]t), n. (who and what is out to get you)
The expression of an intention to inflict evil or injury on another; the declaration of an evil, loss, or pain to come; menace; threatening.
Threat sits external to the target or victim and is a description of the source of the danger. The key word above is 'intention'. The biggest violation of this word is when it is used in place of exploit or attack. An attack is happening and exists at a specific point in time. Threat is more like energy that is building but has yet to be released.
Threat is an intelligence matter: information about the bad guys, their skills and capabilities, and their behavior. When you speak of a program, person or group that could (at some point in the future) bring loss to your system, you are speaking of threat.
Proactive is an adjective, and it is the one most violated by the Intrusion Prevention System (IPS) vendors. Webster defines Proactive as "controlling a situation by causing something to happen rather than waiting to respond to it after it happens". Until Intrusion Prevention Systems stop using traffic analysis (the IDS function) as their criterion for prevention, they are in fact waiting for attacks or attack patterns to occur before they can prevent the "intrusion". Blocking inline does not change that: the trigger is the attack traffic itself, so the decision can never come earlier than the attack, and it only comes at all for patterns the system already knows. The passive analysis of traffic is what I have a problem with here, since it is passive and not active. To be true to form, maybe they should say that they are Propassive and give up saying Proactive :-) Just kidding. A proactive countermeasure would identify vulnerabilities at the target surface and remove any line-of-sight threat before there is any active attack.
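To make the timing argument concrete, here is a small simulation I have added to this post (it is not vendor code and not from any real product). It models the three terms as they are defined above: a vulnerability is a condition of the target, a threat is an actor with a capability and intention, and an attack is an event at a specific time. A signature-based IPS is represented by a string match on traffic, so it can only act when the attack traffic arrives and only for payloads it already has a pattern for; the proactive control removes the weaknesses a known threat has line of sight to before any attack exists. All hosts, actors, payloads and signatures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    weakness: str          # a condition of the target; exists whether or not anyone targets it


@dataclass(frozen=True)
class Threat:
    actor: str
    capability: str        # what the actor is able (and intends) to exploit


@dataclass(frozen=True)
class Attack:
    t: int                 # an attack exists at a point in time
    actor: str
    asset: str
    technique: str
    payload: str


# Constructed sample data (hypothetical hosts, actors and payloads, not real ones)
VULNS = [Vulnerability("web01", "cmd-injection"),
         Vulnerability("db01", "default-creds")]      # no known threat targets this one
THREATS = [Threat("crew-a", "cmd-injection")]
ATTACKS = [Attack(7, "crew-a", "web01", "cmd-injection", "GET /cgi?q=;id"),
           Attack(9, "crew-a", "web01", "cmd-injection", "GET /cgi?q=$(whoami)")]

# Signatures an IPS matches against live traffic; it can only act when that traffic arrives
SIGNATURES = {"cmd-injection": ";id"}


def ips_match(attack):
    """Reactive check: returns the weakness a known signature matches, else None."""
    for weakness, sig in SIGNATURES.items():
        if sig in attack.payload:
            return weakness
    return None


def line_of_sight(vulns, threats):
    """Pairs (asset, actor) where a threat's capability lines up with an existing weakness."""
    return {(v.asset, t.actor)
            for v in vulns for t in threats if v.weakness == t.capability}


def simulate(vulns, threats, attacks, proactive):
    """Return (time, event) pairs showing when each kind of control gets to act."""
    events = []
    live = set(vulns)
    if proactive:
        # t=0, before any attack: remove the weaknesses a known threat can reach
        for v in sorted(vulns, key=lambda v: v.asset):
            if any(v.weakness == t.capability for t in threats):
                live.discard(v)
                events.append((0, f"remediated {v.weakness} on {v.asset}"))
    for a in sorted(attacks, key=lambda a: a.t):
        exposed = Vulnerability(a.asset, a.technique) in live
        if not exposed:
            events.append((a.t, f"{a.actor} attacked {a.asset}: no {a.technique} weakness left"))
        elif ips_match(a) == a.technique:
            # the IPS acts, but only now, and only because it had this pattern
            events.append((a.t, f"IPS blocked {a.technique} against {a.asset} from {a.actor}"))
        else:
            events.append((a.t, f"{a.asset} compromised via {a.technique}: no signature for payload"))
    return events


def first_action_time(events):
    """The earliest moment a control did anything in the timeline."""
    return min(t for t, _ in events)


if __name__ == "__main__":
    print("line of sight:", line_of_sight(VULNS, THREATS))
    for mode in (False, True):
        print("proactive" if mode else "reactive")
        for t, e in simulate(VULNS, THREATS, ATTACKS, proactive=mode):
            print(f"  t={t}: {e}")
```

Two things fall out of running it. In reactive mode the first action is at t=7, the moment the attack exists, and the second attack gets through because its payload does not match the one signature; in proactive mode the first action is at t=0 and neither attack finds a weakness. Note also that db01 keeps its default-creds weakness in both modes: a vulnerability with no threat lined up against it is still a vulnerability, which is exactly the independence the definitions above insist on.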
If this industry can't even use the right language, tell me: how are we helping customers?
--Tim "TK" Keanini