×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

51 comments

What? (0)

Anonymous Coward | about 3 years ago | (#35585356)

A threat is active and a vulnerability is not? Sorry, just going by my english vocabulary knowledge.

Re:What? (4, Informative)

hey! (33014) | about 3 years ago | (#35588816)

A threat is a possible action taken against you. A vulnerability is a specific avenue by which that threat can be realized. Threats and vulnerabilities exist in different ways. Threats represent things that *might* happen in the future. What you are worrying about is threats *materializing* as attacks. Vulnerabilities don't materialize -- they're there in the system all along.

The practical purpose of this distinction is that the actions you take in response to a vulnerability is different than than the actions you take in response to a threat, and the *results* are *vastly* different.

The response to a vulnerability is to *eliminate it*. Having no lock on a door is a vulnerability you eliminate by putting a lock on the door. Note that eliminating a vulnerability does not eliminate vulnerabilities as a class of concerns; in fact it may introduce a new vulnerability. By installing a lock you've eliminated the vulnerability of somebody simply walking into your house, but you've replaced it with the less serious vulnerability of having the lock picked.

The response to a threat is to *reduce your exposure to it*. Burglary is a threat; you can reduce your exposure to it by eliminating vulnerabilities (the lockless door, the piles of cash under your mattress), and taking steps to reduce the damage (buying insurance), but *eliminating* burglary is not a feasible goal.

It's a useful distinction because it separates concerns that you can eliminate with immediate, concrete actions from those you have to keep an eye on.

Early in the morning? (0)

Anonymous Coward | about 3 years ago | (#35585376)

Why its a quart past the hour of 1 my good lad. Going to have a good lunch time read of this.

Weak Writing (0)

Anonymous Coward | about 3 years ago | (#35585400)

Sure, it looks like an official document (PDF even!). But it's basically a blog post written hastily.

Re:Weak Writing (0)

Anonymous Coward | about 3 years ago | (#35585646)

It also makes statements which it then does not explain when it could have been explained earlier by referring back.

It also keeps coming back to the same thing over and over again.

Re:Weak Writing (1)

Stuarticus (1205322) | about 3 years ago | (#35597830)

Naturally I didn't RTFA, but it seems you have, is clicking on random internet links to PDFs a threat or a vulnerability?

Priorities! (2, Insightful)

Anonymous Coward | about 3 years ago | (#35585412)

Elizabeth Taylor dies and you post this crap? Have some PRIORITIES, man!

Re:Priorities! (2)

Anonymous Coward | about 3 years ago | (#35585654)

Elizabeth who?

Re:Priorities! (3, Funny)

WrongSizeGlass (838941) | about 3 years ago | (#35585672)

Elizabeth who?

The woman who was married 8 more times than most /.ers

Re:Priorities! (1)

Talderas (1212466) | about 3 years ago | (#35585864)

I thought she had 7 husbands.

Re:Priorities! (0)

Anonymous Coward | about 3 years ago | (#35586142)

Exactly.

Re:Priorities! (1)

Anonymous Coward | about 3 years ago | (#35588612)

I thought she had 7 husbands.

And 8 marriages. A quick application of the pigeonhole principle will resolve this paradox for you.

Re:Priorities! (1)

antdude (79039) | about 3 years ago | (#35588000)

Who is that and why should we care? [grin]

Re:Priorities! (0)

Anonymous Coward | about 3 years ago | (#35588852)

Dude, if you don't see the application of the side thread to the Pigeonhole Principle then you need to turn in your Geek Card.

It's afternoon here! (2)

captainpanic (1173915) | about 3 years ago | (#35585462)

It was 14.28 hrs in the afternoon when it was posted, you America-centric insensitive clod!

Re:It's afternoon here! (3, Funny)

trollertron3000 (1940942) | about 3 years ago | (#35585762)

I agree. The world should revolve around you and headlines should take your life into account going forward. I'll make a note of this sire and have the staff writing the Internet to make an adjustment.

Re:It's afternoon here! (0)

Anonymous Coward | about 3 years ago | (#35588580)

Now that's easy: client-side scripting. You're welcome ;)

strung out roman equation estimates coming in (0)

Anonymous Coward | about 3 years ago | (#35585528)

the results may have to be securely censored/deleted for unknown reasons. the #'s fail to resolve the whole fauxking 'business' yet.

possible life after, AND BEFORE, death (0)

Anonymous Coward | about 3 years ago | (#35585594)

the taylor, mercury, minelli incident proves it?

more buggered 'math'; equal(=) invalid by abuse (0)

Anonymous Coward | about 3 years ago | (#35585926)

probably need a whole new word & symbol to cover the destruction of that formerly perfectly good one? known abuses; sweetener, =should be a neutral sign. people, forget it. 'business', no such thing (=) anymore. more stuff keeps coming in. we could never make this up?

there's a long list of words that have also been abused beyond recognition, or much remaining validity (like kings?), in relation to their original/intended meanings/purpose. that'll (list) be out after the falling romans (kings/#'s) thing is chalked out.

Pass the coffee! (1)

Swaziboy (1457667) | about 3 years ago | (#35585532)

Eish, too early indeed. I kick-started my day with this, and now I have to buy another coffee to reset. That's TWO coffees in 25 mins... I am beginning to suspect I have a vulnerability. No wait, it's a threat, but only if I someone spikes it, then the vulnerability lies with me, but the threat is external. OMG!

Summary (4, Interesting)

cpu6502 (1960974) | about 3 years ago | (#35585608)

Difference between "threats" and "vunlerabilities"

THREAT: A Criminal might break into my house
Vulnerability: My house has no lock.

He then goes on to talk about how using Threat Analysis tools is Not sufficient to identify vulnerabilities, because they are not the same thing, and Vulnerabilities are much more difficult to identify.

Re:Summary (1)

flaming error (1041742) | about 3 years ago | (#35585696)

That's a pretty funny summary. He really does defeat his own point by coupling them so tightly.

What he should have done to make his point better was to first do his vulnerability assessment:

1) Windows are not bullet-proof
2) Doors can be easily kicked in.
3) Back gate has no lock
4) Locks to the front doors haven't been changed since last residents moved out.
5) Comings and goings of residents are obvious and predictable

Threat Assessment:

1) Junk mail
2) Neighbor's dog crap
3) Random prison escapee hiding in back yard
4) Daughter's boyfriend sneaking in
5) Irish Republican Army taking out our shrine of Madonna

Re:Summary (1)

Talderas (1212466) | about 3 years ago | (#35585848)

By far #3 is the most dangerous threat.

Re:Summary (0)

Anonymous Coward | about 3 years ago | (#35586688)

Possibly, but the probability of that threat is very small. On the other hand the probability of #1 is basically 100%, and thus even though its individual danger is less, the actual danger (prob x threat) is likely much greater.

Re:Summary (3, Funny)

flaming error (1041742) | about 3 years ago | (#35588614)

I was maybe 15 years old, and it was the 5th of July. The fireworks from the night before inspired me to embark on a career of pyrotechnics.

My best friend came over and we attempted our first batch of gunpowder. I found the composition of gunpowder in the encyclopedia, got together the ingredients, and set up a table in the backyard. We mashed some old charcoal briquets up, measured out the other ingredients, poured them all in a bucket, and immediately cops started swarming into the backyard.

They came from the back fence over the alley. They came from both neighbors'. They came from the front yard. It was so sudden and so massive there was no chance for us to hide our illegal activity.

But they totally disregarded us, and in fact waved us away. A few minutes later they came out with a long-haired shirtless white guy in handcuffs.

He'd escaped from police custody earlier, and had been hiding in our backyard tree watching us make gunpowder the whole time.

ps- The gunpowder didn't work. Thank God.

Re:Summary (1)

hey! (33014) | about 3 years ago | (#35588518)

No, no, no! The strength of a window is a *feature* (or perhaps we should say a "property"); a bullet being fired through that window is the *vulnerability", which may or may not exist in all non-bullet proof windows. For example, a window put in an interior swinging door to prevent people from braining each other with the door may have the feature or characteristic of being not strong enough to deflect a bullet, but shots being fired through that window do not present a realistic vulnerability.

Arguably treats are often tied to features that are not in themselves vulnerabilities. The number of angels that can dance on the head of a pin is a *feature* of the pinhead. The Angel of Death getting pissed because he was left out and going Apocalyptic on your ass is a threat scenario triggered by that feature. The actual vulnerabilities in the scenario do not involve any features of the pin per se. Likewise the inability of some people to distinguish black from white does not mean the color features of a zebra crossing present a fatal vulnerability in themselves.

Re:Summary (1)

postbigbang (761081) | about 3 years ago | (#35585718)

It's more like:

Threat: it's been seen in the wild, hammering something.

Vulnerability: a conceivable possibility exists if someone is dogged enough to do the wild coding needed, and some happless situation is setup, to cause a problem which may or may not result in something to worry about.

Threats are alive and transitive, vulnerabilities are conceptual and passive.

Re:Summary (0)

Anonymous Coward | about 3 years ago | (#35585724)

Well yes this paper does everything you should not do.

He starts off with telling something thats is not true, spent one sentence saying this is not important yet fille dpage with unimportant stuff. Bad, its a vulnerability, if you scan quickly you get the wrong impression. Then he spends yet another page on stuff he thinks is of moderate interest. In fact he says its bad form later that anybody who does this is probably hack.

Not to mention the language used. Keep it simple stupid.

Re:Summary (2)

argStyopa (232550) | about 3 years ago | (#35586476)

Your summary is spot-on, my issue is with TFA's analysis.

Vulnerabilities are FAR easier to recognize than threats, insofar as you are aware of capabilities. Threats involve understanding motivations and goals of people with inimical goals, or 'unknown unknowns'.

It's far easier to recognize that your house has no lock, than to conceptualize that there are thieves out there who want to break in, if that's not a part of your intellectual framework in the first place. To be topically relevant, I'd guess it's easier to look at your nuclear plant and say "ok, we have no backup plan in case the cooling water boils away" than to threat-analyze a richter 9 earthquake and followon tsunami.

The difference (1)

Chrisq (894406) | about 3 years ago | (#35585640)

I like my girls with an ait of vulnerability. My brother likes them with a threatening air. (seriously, at times he has bruises all over him because of his "play acting" with girls)

Re:The difference (0)

Anonymous Coward | about 3 years ago | (#35587150)

So your ideal woman is Natalie Portman, naked and petrified, while your brother's is Natalie Portman, clothed and attacking?

Small comment (2)

ifoxtrot (529292) | about 3 years ago | (#35585770)

FTA " Another sort of related problem commonly found in infrastructure security assessments is confusing features with vulnerabilities. Thus, a public road that travels close to the facility is often considered a Vulnerability. It is not, however; it is only an attribute. Only when coupled with an attack scenario (truck bomb, the road makes visual and electronic surveillance easier for espionage, assets can be thrown over the fence by insiders to the bad guy's parked truck, etc.) does a feature become a Vulnerability".

I'm not quite sure about the point the author is trying to make here: what's the purpose of differentiating between features/attributes and vulnerabilities? Is it only a vulnerability when it can be exploited? This is actually undermining the definitions the author uses for explaining the difference between threat and vulnerability: if a vulnerability can be "exploited by multiple adversaries having a range of motivations and interest in a lot of different assets", requiring attack scenarios to be specified before allowing an "attribute" to be called a vulnerability feels a bit unnecessary, and could even focus the attention too much onto one kind of attack. Incidentally, neither attribute nor attack scenario is defined anywhere in the paper, which makes the distinction being drawn here weird.

In my view, a vulnerability is a property of the system that allows an attack; there is a natural overlap between a vulnerability and an attack, but they do exist independently: it is sometimes interesting to think of vulnerabilities that have no known or feasible attack (e.g. crypto ciphers that are seen as weak do not necessarily have feasible attack scenarios). Requiring an attack scenario in order to classify a feature (or attribute) as a vulnerability seems unnecessary: why would you have described the attribute as a vulnerability if you didn't have an attack in mind already?

Re:Small comment (2)

Dracolytch (714699) | about 3 years ago | (#35586324)

I think what he's getting at is that "Features" are not, by themselves, vulnerabilities. For a feature to become a vulnerability requires context. To a certain degree, you have to frame the conversation a bit. If you frame the conversation "I want to be protected", you can spend days/weeks/lifetimes spinning around in circles. "I want to protect myself against terrorists" is a lot different than "I want to protect myself from dishonest employees", which is a lot different from "I want to protect myself from a foreign invasion force". A road is not something you need to consider for all of these scenarios.

The real trick lies in tying the micro and macro views together so that nothing slips through the cracks.

TFA says it all... (1)

introcept (1381101) | about 3 years ago | (#35586482)

I'm not quite sure about the point the author is trying to make here: what's the purpose of differentiating between features/attributes and vulnerabilities? Is it only a vulnerability when it can be exploited? This is actually undermining the definitions the author uses for explaining the difference between threat and vulnerability: if a vulnerability can be "exploited by multiple adversaries having a range of motivations and interest in a lot of different assets", requiring attack scenarios to be specified before allowing an "attribute" to be called a vulnerability feels a bit unnecessary, and could even focus the attention too much onto one kind of attack. Incidentally, neither attribute nor attack scenario is defined anywhere in the paper, which makes the distinction being drawn here weird.

*Editor’s Note: This paper was not peer-reviewed. This work was performed under the auspices of the
United States Department of Energy (DOE) under contract DE-AC02-06CH11357. The views expressed
here are those of the author and should not necessarily be ascribed to Argonne National Laboratory or
DOE. Jon Warner provided useful suggestions.

Re:Small comment (1)

ediron2 (246908) | about 3 years ago | (#35593062)

You're close to agreement, but the road isn't the vulnerability. Traits of the road can cause (and eliminate) vulnerability, and they'll each come back to the mechanism that'd be exploited, not the road itself.

A security patrol, barriers, countersurveillance, removing the ability to loiter and eavesdrop and monitoring systems can mitigate or remove vulnerabilities. The road can remain, you just have to mitigate the vulnerabilities it creates.

Maybe what's snagging you up is that sometimes the best mitigation idea is to close a road. But that's not because of the road, per se. It's because roads are maliciously-useful in so many ways. Some circumstances just create a broad spectrum of overlapping vulnerabilities: roads, unattended bank kiosks (I'm thinking of a bank branch in an unsecured kiosk in a student union), hacker conventions, or other whac-a-mole (that's a technical term) situations. If a black hat hacker's eyes widen with 'oh-sweet-FSM-so-many-choices', you should start to doubt whether it's possible to recognize all the vulnerabilities. Put into a cliche: sometimes the best strategy is to retreat to safer ground, or to reduce the available services to a manageable, crux few.

Semantics (1)

InsertCleverUsername (950130) | about 3 years ago | (#35585806)

This distinction isn't hard to understand --unless you're a project manager. I made the mistake a few years ago of telling a PM about a vulnerability in one of our web apps. She started sending e-mails CCing everyone from the CEO to the janitor telling them about this "security breach." When I tried to gently correct this misunderstanding, all I got was a lot of diva attitude and "I'll call it whatever I want." I was really happy when I quit that job.

 

tl;dr (0)

antivoid (751399) | about 3 years ago | (#35585832)

bah, tl;dr.

threat="ima kickya in teh ballz."

vulnerablility="i present thee with my balls for you to kicketh"

Screw threats (1)

iMouse (963104) | about 3 years ago | (#35586268)

...some have yet to get past the concept of vulnerabilities vs. exploits.

Vulnerability: The lock on my door can easily be picked using a stick of butter
Exploit: Someone exploited the butter vulnerability in my lock to gain access to my house

This isn't a hard concept to master (1)

Junior J. Junior III (192702) | about 3 years ago | (#35586640)

Threat: A guy who doesn't like you
Vulnerability: Getting kicked in the nuts really hurts.

When a Threat finds a Vulnerability, and exploits it, that's when you have a problem.

Re:This isn't a hard concept to master (0)

Anonymous Coward | about 3 years ago | (#35587708)

When a Threat finds a Vulnerability, and exploits it, that's when you have a problem.

That's called an "exposure"

Interesting. (1)

shadowfaxcrx (1736978) | about 3 years ago | (#35589120)

I was hoping the paper would also go into vulnerabilities-without-threats. I've been having a debate with some people regarding car vulnerabilities - Some universities have done studies and determined that someone could use the tire pressure monitoring systems as a way to hack into the car's computer and screw with some readings. The car guys are generally up in arms about this - "Why wouldn't they secure the systems," while I take the stand that even though the car is technically vulnerable to such an attack, the attack won't materialize because anything you can accomplish by hacking TPMS, for example causing a flat tire readout, making the driver pull over, at which point you steal the car, you can accomplish more efficiently by other methods, such as pointing a gun at them or tapping them from behind and then stealing the car when they get out to check for damage.

It seems, to me anyway, that a lot of the media scare stories out there are based on these threat-less vulnerabilities. I saw a report a couple of days ago that was trying to imply that an Ohio nuclear plant is dangerous because it doesn't have all the safety features that the Japan plant had - but when you drilled down to what was missing, it turned out to be a tsunami wall. So while technically the Ohio plant would be vulnerable if hit by a tsunami, it will never be hit by one, and so it's a threat-less vulnerability.

Re:Interesting. (1)

antifoidulus (807088) | about 3 years ago | (#35589880)

To a certain extent I would believe it would really depend on the value of the target. Anyone can steal dog poop from a yard, so they are obviously vulnerable, but I doubt many people are particularly worried about losing said dog poop.

Yawn, more front page garbage. (-1)

Anonymous Coward | about 3 years ago | (#35593156)

Yawn, what a pointless article and I work in IT Security. There are much better definitions, examples and descriptions in most Introduction to CompSec books for first year uni students.
Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...