Archive

May 2019

The terms threat, vulnerability and weakness are often used in cybersecurity. Understanding the difference between these terms is important: it allows organizations to correctly implement, document and assess their cybersecurity activities and controls. Here, we take a closer look at security weaknesses. While threat and vulnerability have rather clear definitions in cybersecurity, this is not the case for weakness. Commonly used glossaries, such as RFC 4949 and the NIST glossary, do not define the term weakness. On the other hand, it is very often used as part of the definition of vulnerability: a vulnerability is a weakness that can be exploited by an attacker. Thus, a weakness is an error, typically in the software code, that might lead to a vulnerability; it becomes one when it can be exploited. Software weaknesses are often discussed and defined in the context of the Common Weakness Enumeration (CWE). This is a “community-developed list of…

The terms threat, vulnerability and weakness are often used in cybersecurity. Understanding the difference between these terms is important: it allows organizations to correctly implement, document and assess their cybersecurity activities and controls. Here, we take a closer look at security threats.

Defining a security threat

Looking in the literature, we can find several definitions of the term. Two rather short and concise ones can be found in documents from IETF and NIST. In RFC 4949, IETF defines a threat as:

“A potential for violation of security, which exists when there is an entity, circumstance, capability, action, or event that could cause harm.” (RFC 4949)

NIST, in SP 800-160, defines it as:

“An event or condition that has the potential for causing asset loss and the undesirable consequences or impact from such loss.” (NIST SP 800-160)

Cyber threats are sometimes confused with vulnerabilities. Looking at the definitions, the keyword is “potential”. The threat is…

The terms threat, vulnerability and weakness are often used in cybersecurity. Understanding the difference between these terms is important: it allows organizations to correctly implement, document and assess their cybersecurity activities and controls. Here, we take a closer look at vulnerabilities.

Defining a vulnerability

The United Nations defines a vulnerability as “…the inability to resist a hazard or to respond when a disaster has occurred”. (United Nations)

This is a very general definition and is not restricted to cybersecurity. We can see it as a property of an asset that makes it susceptible to damage. This property can be inherent in the design, it can be a result of trade-offs that have to be made, or it can be the result of actual design mistakes. Let us look at the more specific case of (cyber)security vulnerabilities. There are several different, but often similar, definitions in the literature. We look…