
Re: Editorial thoughts on draft-farrell-perpass-attack-02

2013-12-16 11:58:53
----- Original Message -----
From: "Stephen Kent" <kent(_at_)bbn(_dot_)com>
To: <ietf(_at_)ietf(_dot_)org>
Sent: Monday, December 16, 2013 4:56 PM
Christopher,

ISO 27000 (Information technology - Security techniques -
Information security management systems - Overview and vocabulary)
defines both terms, and differently:

2.4
attack
attempt to destroy, expose, alter, disable, steal or gain
unauthorized access to or make unauthorized use of
an asset (2.3)

2.45
threat
potential cause of an unwanted incident, which may result in harm to
a system or organization

The definition for attack seems appropriate.  The definition for threat
is not bad, but I prefer an older one, commonly used in the military
context, and which matches with a trio of definitions for understanding
security contexts:

Vulnerability - a flaw in a design or implementation of a
security-relevant protocol or system

Attack - more or less as above

Adversary - an entity with a set of motivations and capabilities to
effect an attack

Threat - a motivated, capable adversary. An adversary who is capable,
but not motivated, is not a threat. An adversary who is motivated, but
not capable, is not a threat.

Stephen

As you know well, we have published RFCs with definitions of these terms
so we could use our own definitions - or we could use someone, anyone,
else's:-)

Tom Petch



PS for those who are not engaged with the IETF view of security, I am
referring to RFC2828 and its successor, RFC4949.  Sterling works.

A threat model articulates adversaries and often enumerates classes of
attacks, and then discusses the perceived motivation and ability of
adversaries to effect attacks against a system of interest.

We lack a threat model for the Internet. Most of our security protocols
do not have published threat models (we didn't encourage this until
recently) and what is published typically is an attack model, not a
threat model.

Most aspects of pervasive monitoring are indistinguishable from our
traditional attack model, since that model already assumes adversaries
that can engage in passive and active wiretapping. If we had a real
threat model, either it would have included a discussion of nation
states as adversaries with the capabilities to do what we have seen
that they do, and a motivation to do so, or not. I'd like to see this
document explicitly discuss this.

Steve