The terms threat, vulnerability and weakness are often used in cybersecurity. Understanding the difference between these terms is important. It allows organizations to correctly implement, document and assess their cybersecurity activities and controls. Here, we take a closer look at security threats.
Defining a security threat
Looking in the literature, we can find several definitions of the term. Two rather short and concise can be found in documents from IETF and NIST.
In RFC 4949, IETF defines a threat as
A potential for violation of security, which exists when there is an entity, circumstance, capability, action, or event that could cause harm.RFC 4949
NIST, in SP800-160, defines it as
An event or condition that has the potential for causing asset loss and the undesirable consequences or impact from such loss.NIST SP800-160
Cyber threats are sometimes incorrectly confused with vulnerabilities. Looking at the definitions, the keyword is “potential”. The threat is not a security problem that exists in an implementation or organization. Instead it is something that can violate the security. This can be compared to a vulnerability which is an actual weakness that can be exploited. The threat always exist, regardless of any countermeasures. However, countermeasures can be used to minimize the probability of it being realized.
Types of threats
The NIST definition above states that a threat can be an event or a condition. An event, in this case, also includes natural disasters, fire, and power outage. It is a very general concept. In cybersecurity, it is more common to talk about threats such as viruses, trojan horses, denial of service attacks.
Phishing emails is a social engineering threat that can cause, e.g., loss of passwords, credit card numbers and other sensitive data. Threats to information assets can cause loss of confidentiality, integrity or availability of data. This is also known as the CIA triad.
The CIA triad, together with three other well known security concepts, is the basis for the STRIDE threat model. When listing possible threats, it is convenient to use an existing classification as a starting point. STRIDE is the most well-known classification, proposed by Microsoft in 1999. The name comes from the initial letters of the different categories, which also makes it easier to remember them.
|Threat||Meaning/Example||Related Security Property|
|Spoofing identity||An example is to use someone else’s password and authenticate as that person.||Authentication|
|Tampering with data||This includes e.g., modification of data. Either data at rest or data sent over a network.||Integrity|
|Repudiation||This means that users can deny having performed an action, e.g., sending or receiving data.||Non-repudiation|
|Information disclosure||This includes a user reading data without granted access, or eavesdropping a communication channel.||Confidentiality|
|Denial of service||This relates to the availability of a system||Availability|
|Elevation of privilege||In these types of threats, a less privileged user gets higher privileges. Normal users obtaining root privileges is the most typical and severe form of this||Authorization|
Examples of threats
Recall that a threat is very general. It does not include how to realize it, or even if it is possible in the current system. Here are a few examples.
- A malicious user reads the files of other users.
- An attacker redirects queries made to a web server to his own web server.
- An attacker modifies the database.
- A remote attacker runs commands on the server.
Each of these examples can easily be mapped to a category in STRIDE. Other examples would be malware, trojans and worms.
There are several other terms that are closely related, but that should not be confused by threat.
- Threat actor or threat agent. This is the entity that carries out and realizes the threat. This is often instead called attacker or adversary when it is carried out by a person or a group. In that case it is also a deliberate action.
- Threat action. This is the actual attack, or the realization of a threat. It can take advantage of a vulnerability, but in e.g., the case of natural disaster, it does not have to be an underlying vulnerability that causes the threat to be realized.
- Threat consequence. This is the actual result when the threat is realized. RFC 4949 lists four main categories of consequences, namely “unauthorized disclosure”, “deception”, “disruption”, and “usurpation”.