SANS Confuses Threats with Vulnerabilities

In late 2003 I published Dynamic Duo Discuss Digital Risk. This was my light-hearted attempt to reinforce the distinction between a threat and a vulnerability. Specifically, a threat is a party with the capabilities and intentions to exploit a vulnerability in an asset. A vulnerability is a weakness in an asset that could lead to exploitation. An intruder (the threat) exploits a hole (the vulnerability) in Microsoft IIS to gain remote control of a Web server. In other words, threats exploit vulnerabilities.

This is a simple concept, yet it is frequently confused by security prophets like Bruce Schneier in Beyond Fear. Now SANS is making the same mistake in the latest Incident Handler's Diary. In a posting to announce work on the upcoming SANS Top 20 List, the Diary calls the new report the "SANS CRITICAL INTERNET THREATS 2005" and says:

"SANS Critical Internet Threats research is undertaken annually and provides the basis for the SANS 'Top 20' report. The 'Top 20' report describes the most serious internet security threats in detail, and provides the steps to identify and mitigate these threats."

So, are we going to read a ranking of identified Romanian intruders, followed by Russian organized crime, Filipino virus writers, and then Zimbabwean foreign intelligence services? Will mitigation include prosecution, incarceration, and the like? Probably not, as the announcement continues:

"The current 'Top 20' is broken into two complimentary yet distinct sections:
- The 10 most critical vulnerabilities for Windows systems.
- The 10 most critical vulnerabilities for UNIX and Linux systems."

So now we're talking about vulnerabilities. That's what last year's "Twenty Most Critical Internet Security Vulnerabilities" addressed. The announcement concludes:

"The 2005 Top 20 will once again create the experts' consensus on threats - the result of a process that brings together security experts, leaders, researchers and visionaries... In addition to the Windows and UNIX vulnerabilities, this year's research will also focus on the 10 most severe vulnerabilities in the Cisco platforms."

I sincerely hope at least one expert will clue in the announcement-writer concerning the difference between a threat and a vulnerability. Words matter!

Update: While doing some research I found a 1999 report by the Navy's Center on Terrorism and Irregular Warfare called Cyberterror: Prospects and Implications. It says in footnote 11:

"Vulnerability is not synonymous with threat. A vulnerability is a weakness in a system that may be exploited. A threat requires an actor with the motivation, resources, and intent to exploit a vulnerability."