Category Archives: Vocabulary

Vocabulary – Vulnerability

Dictionary defines: vulnerability – open to attack, harm, or damage

CIS RAM defines: vulnerability – A weakness that could permit a threat to compromise the security of information assets.

Not simple.

ISO/IEC 27000 defines: vulnerability – weakness of an asset or control that can be exploited by one or more threats

Not simple

PCI DSS defines: vulnerability – Flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.

Not simple

CNSS defines: vulnerability – Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited.

Not simple and relies on specialized terms

O-TTPS defines: Vulnerability – A weakness in the design, implementation, or operation of an asset, artifact, system, or network that can be exploited.

Not simple and relies on specialized terms

CVE defines a vulnerability – A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability.

Not simple and relies on specialized terms

EAS defines: vulnerability – A weakness in system security procedures, design, implementation, internal controls, etc. that could be accidentally triggered or intentionally exploited and could result in a violation of the system’s security policy

Not simple and relies on specialized terms

ISACA defines: vulnerability – A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events

Not simple and relies on specialized terms

NIST 800-53 defines: vulnerability – Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Not simple and relies on specialized terms

OWASP describes: vulnerability – a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application.

Not simple and relies on specialized terms

STIX defines: vulnerability – a mistake in software that can be directly used by a hacker to gain access to a system or network

Not simple and relies on specialized terms

FAIR defines: vulnerability – The probability that a threat event will become a loss event (which occurs when a threat agent acts against an asset)

Describes how to measure vulnerability rather than defining what it is.

SDL defines: threat – an attacker’s objective

This definition is related to definitions of vulnerability rather than threat, assuming the reader understand that “objective” refers to the vulnerability the attacker seeks to exploit.

Vocabulary – Threat

Dictionary defines: threat – someone or something that could cause trouble, harm, etc.

Note that the definition has a subject and an object

FAIR defines: threat – Anything that is capable of acting in a manner resulting in harm to an asset and/or organization

Slightly more specific than the dictionary

ISACA defines: threat – Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm.

Slightly more specific than FAIR

ESA defines: threat – the potential for a “threat source” to exploit (intentionally) or trigger (accidental) a specific vulnerability.

Complicated by use of threat source and specialized term vulnerability. Lacks an object.

O-TTPS defines: Threat – The intention and capability of an adversary to undertake actions that would be detrimental through disruption of processes or subversion of knowledge.

Complicated by thoroughly describing the nature of a threat.

CIS defines: threat – A potential or foreseeable event that could compromise the security of information assets.

Complicated by suggestion that threats should be foreseeable and extraneous description of harm

CNSS defines: threat – Any circumstance or event with the potential to adversely impact an IS through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.

Complicated definition.

ISO/IEC 27000 defines: threat – potential cause of an unwanted incident, which can result in harm to a system or organization

Complicated by ambiguous word incident.

NIST 800-53 defines: threat – Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Overly specific for a definition.

OWASP contains a Category: threat – A threat that plague a product. While known threats are identified based on signatures, files copied onto the hard drive upon installation, registry keys, protocol analysis and others.

Circular and uses specialized terms and concepts.

PCI DSS defines: threat – Condition or activity that has the potential to cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization

Overly specific for a definition

STIX defines: threat actors – actual individuals, groups, or organizations believed to be operating with malicious intent.

Identifies a who but no what.

SDL defines: threat – an attacker’s objective

Identifies a what but no who.

Vocabulary – Risk

Dictionary defines: risk – possibility of loss

FAIR defines: risk – the probable frequency and probable magnitude of future loss.

More complete than the dictionary

COBIT and ISACA defines: risk – the combination of the probability of an event and its consequence

The term “event” is ambiguous introducing complexity

O-TTPS defines: Risk – An event or condition that has a potentially negative impact and the possibility that such an event will occur and adversely affect an entity’s assets and artifacts, activities, and operations.

Complete but verbose.

OWASP defines: risk – Risk is the possibility of a negative or undesirable occurrence. There are two independent parts of risk: Impact and Likelihood.

Relies on context for specialized terms.

CIS defines: risk – an estimation of the likelihood that a threat will create an undesirable impact.

Relies on context for specialized terms.

CNSS defines: risk – possibility that a particular threat will adversely impact an IS by exploiting a particular vulnerability

Relies on context for specialized terms

NIST CSF and 800-53 defines: risk – a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

Not simple. Relies on context for specialized terms

PCI DSS defines: risk assessment – Process that identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.

Not simple. Provides a description rather than a definition.

ESA defines: IT-related risk – the net mission/business impact (probability of occurrence combined with impact) from a particular thereat source exploiting, or triggering, a particular information technology vulnerability.

Not simple. Relies on context for specialized terms

ISO 27000 defines: risk – effect of uncertainty on objectives

Unclear by choice of defining terms.

Vocabulary – Policy

Dictionary defines: policy – a high-level overall plan embracing the general goals and acceptable procedures especially of a governmental body

COBIT defines: policy – Overall intention and direction as formally expressed by management

A good definition

ISO/IEC 27000 defines: policy – intentions and direction of an organization as formally expressed by its top management

A good definition almost identical to COBIT

ISACA defines: policy – 1. Generally, a document that records a high-level principle or course of action that has been decided on. 2. Overall intention and direction as formally expressed by management.

Not simple.

ESA defines: policy – A broad statement authorizing a course of action to enforce the organization’s guiding principles for a particular control domain.

Relies on specialized terms

NIST 800-53 defines: Information Security Policy – Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.

Provides examples of policy rather than a definition, with specialized actions listed

O-TTPS defines: Framework – a set of best practices identified by a cross-industry forum which, if used by a technology vendor, may allow a government or commercial enterprise customer to consider the vendor’s products as more secure and trusted.

Verbose description rather than a definition.

Vocabulary – Control

Dictionary defines: control – to exercise restraining or directing influence over

ISO/IEC 27000 defines: control – measure that is modifying risk

A good definition assuming the reader understands that the dictionary defines “measure” as a step planned or taken as a means to an end

COBIT and ISACA define: control – The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management or legal nature.

A good definition up to the 5^th word.

CIS RAM defines: control – A documented method for protecting information assets using technical, physical, or procedural safeguards.

A good definition up to the 7^th word.

O-TTPS defines: mitigation – Any action, device, procedure, technique, or any other measure that reduces the vulnerability or risk.

Skip the first 8 words for a good definition.

STIX defines: A Course of Action – an action taken either to prevent an attack or to respond to an attack that is in progress.

This definition uses the security jargon “attack”, but otherwise aligns well with the dictionary definition.

FAIR defines: control – Any person, policy, process, or technology that has the potential to reduce the Loss Event Frequency (LEF) and/or Loss Magnitude (LM).

Provides categories and factors impacted rather than a definition.

NIST 800-53 defines: Countermeasures – Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards.

Provides examples rather than a definition.

PCI DSS defines: Compensating Controls – Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.

No definition of “controls” is provided, and this is an explanation rather than a definition.

Vocabulary – Asset

Dictionary defines: asset – an item of value owned

O-TTPS defines: asset – anything you can use that is considered a thing of value (e.g., tool).

A verbose variation of the dictionary definition

FAIR defines: asset – Anything that may be affected in a manner whereby its value is diminished or the act introduces liability to the owner.

Describes what can happen to an asset rather than what it is.

ISACA defines: asset – Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation.

A good definition up to the 7^th word.

CIS defines: Asset Class – A group of information assets that are evaluated as one set based on their similarity. “Servers,” “end-user computers,” “network devices” are examples, as are “email servers,” “web servers” and “authentication servers.”

No definition provided for “asset”, so a person has to infer that an asset is a type of information system component.

Vocabulary – Introduction

The words risk, threat, and vulnerability are the vocabulary of security professionals, but the are not used consistently. This series of blogs will explore common information security vocabulary starting with a dictionary definition, then listing other definitions with a brief analysis. Often the dictionary provides multiple meanings, so I have selected the one that best fits security.

The vocabulary includes:

Asset
Control
Policy
Risk
Threat
Vulnerability

I have evaluated the definitions using the following basic principles:

Keep it simple
Avoid complicated terms
Avoid specialized terms
Avoid circularity

Sources referenced include:

Dictionary https://www.merriam-webster.com/
The Center for Internet Security® (CIS) Risk Assessment Method Version 1.0 For Reasonable Implementation and Evaluation of Controls (2018) https://www.cisecurity.org/
The National Information Assurance (IA) Glossary CNSS (2003) https://www.ecs.csus.edu/csc/iac/cnssi_4009.pdf
COBIT https://cobitonline.isaca.org/l3-main?book=framework#framework-glossary01
Common Vulnerabilities and Exposures (CVE) http://cve.mitre.org/
The Open Enterprise Security Architecture (ESA) (C02, ISBN 978-90-8753-672-5), 2011
The Open Technical Standard: Risk Taxonomy (FAIR) (C081, ISBN: 1-931624-77-1), January 2009, published by The Open Group.
ISACA https://www.isaca.org/Pages/Glossary.aspx?tid=2011&char=C
The International Standards Organization’s Information technology – Security techniques – Information security management systems – Overview and vocabulary (ISO 27000 – 2018) http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
The NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) Version 1.1, 2018 https://www.nist.gov/cyberframework
The Security and Privacy Controls for Federal Information Systems and Organizations (NIST 800-53) Revision 4, 2013
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Open Trusted Technology Provider™ Standard (O-TTPS) Version 1.1 Mitigating Maliciously Tainted and Counterfeit Products https://publications.opengroup.org/c147
OWASP https://www.owasp.org/index.php/Glossary
The Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS) Glossary of Terms, Abbreviations, and Acronyms Version 3.2, 2016 https://www.pcisecuritystandards.org/document_library
The Security Development Lifecycle (SDL), Michael Howard and Steve Lipner, Microsoft Press, 2006, ISBN 978-07356-2214-0
STIX™ Version 2.0. Part 2: STIX Objects, Committee Specification 01, 19 July 2017 https://oasis-open.github.io/cti-documentation/resources#stix-20-specification

What does Cybersecurity Mean?

Everybody's talking at me 
I don't hear a word they're saying 
Only the echoes of my mind

Harry Nilsson

The first known use of the word cyber:

Cybernetics – the science of communication and control theory that is concerned especially with the comparative study of automatic control systems (such as the nervous system and brain and mechanical-electrical communication systems). First known use: 1948. https://www.merriam-webster.com

Around 1992 the word reemerged, apparently with a new meaning

Cyber – of, relating to, or involving computers or computer networks (such as the Internet) the cyber marketplace https://www.merriam-webster.com/ [cyber = computers or computer networks]

Cyberspace is our interconnected technology. The word became popular in the 1990s when the uses of the Internet, networking, and digital communication were all growing dramatically and the term “cyberspace” was able to represent the many new ideas and phenomena that were emerging. https://en.wikipedia.org/wiki/Cyberspace [cyber = internet]

Cyber Security – Computer security, also known as cyber security or IT security, is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide. https://en.wikipedia.org/wiki/Computer_security [cyber = computer]

Cyber Warfare – Cyberwarfare involves the battlespace use and targeting of computers and networks in warfare. It involves both offensive and defensive operations pertaining to the threat of cyberattacks, espionage and sabotage. There has been controversy over whether such operations can duly be called “war”. Nevertheless, nations have been developing their capabilities and engaged in cyberwarfare either as an aggressor, defendant, or both. https://en.wikipedia.org/wiki/Cyberwarfare [cyber = computers and networks]

The US Congress uses the term cybersecurity widely in the National Defense Authorization Act for Fiscal Year 2018:

The term `cybersecurity risk’ means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism. [cyber = information or information systems]

And then this cool new word was grabbed to mean whatever the advertiser wanted it to mean:

Cyber Monday – Cyber Monday is a marketing term for the Monday after the Thanksgiving holiday in the United States. The term “Cyber Monday” was created by marketing companies to persuade people to shop online. https://en.wikipedia.org/wiki/Cyber_Monday [cyber = online or internet]

CyberKnife – Stereotactic Body Radiation Therapy (SBRT) delivers large doses of radiation to exact areas, such as the prostate, with advanced imaging. The entire course of treatment is given over a shorter period, for just a few days. SBRT is often known by the names of machines that deliver the radiation, such as Gamma Knife®, X-Knife®, CyberKnife® and Clinac®. http://www.urologyhealth.org/urologic-conditions/prostate-cancer/treatment/radiation-therapy [cyber = radiation therapy]

So, the popular word cyber is used as a substitute for a variety of different words. But why not simply use the words whose meaning is clear?

And there’s more. In February 2018, the US Security and Exchange Commission issued a Statement and Guidance on Public Company Cybersecurity Disclosures. It referenced a U.S. Computer Emergency Readiness Team defininition:

Cybersecurity – the activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation. https://niccs.us-cert.gov/glossary#C [cyber = information and communications systems]