Understanding the IT security terms "risk", "threat", and "vulnerability"

Author: Chad Perrin
Translation: endurer, 2009-07-21, 1st edition
Category: Policy, Risk Management, Security, Threats, Vulnerability
Tags: Vulnerability, Attack, Penetration Testing Exercise, Security, Chad Perrin


English source: http://blogs.techrepublic.com.com/security/?p=1897&tag=nl.e101

Understanding risk, threat, and vulnerability


IT security, like any other technical field, has its own specialized language developed to make it easier for experts to discuss the subject. It pays to understand this jargon when researching security.

A lot of security terms get used almost interchangeably in the popular tech press, even when they shouldn’t. Different security jargon terms have distinct meanings, to be used in specific ways, for a reason. For example, a “risk assessment” and a “threat assessment” are two entirely different things, and each is valuable for its own reasons and applicable to solving different problems.


The three security terms “risk”, “threat”, and “vulnerability” will be defined and differentiated here:

Risk
The term “risk” refers to the likelihood of being targeted by a given attack, of an attack being successful, and general exposure to a given threat. A risk assessment is performed to determine the most important potential security breaches to address now, rather than later. One enumerates the most critical and most likely dangers, and evaluates their levels of risk relative to each other as a function of the interaction between the cost of a breach and the probability of that breach.

Analyzing risk can help one determine appropriate security budgeting — for both time and money — and prioritize security policy implementations so that the most immediate challenges can be resolved the most quickly.
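As an added illustration (not part of Perrin's article), the following Python ranks a constructed risk register the way the paragraph above describes, as a function of breach cost and breach probability, and then picks what to address first within a budget; the register entries, figures, budget and the greedy selection are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One enumerated danger from a risk assessment (constructed data below)."""
    name: str
    breach_cost: float       # estimated cost of the breach if it happens
    probability: float       # estimated probability of that breach, 0..1
    remediation_cost: float  # what it costs to address the danger now

    @property
    def expected_loss(self) -> float:
        """Risk level as the interaction of cost and probability."""
        return self.breach_cost * self.probability


def rank_risks(register: list[Risk]) -> list[Risk]:
    """Order dangers from highest to lowest risk level relative to each other."""
    return sorted(register, key=lambda r: r.expected_loss, reverse=True)


def prioritize(register: list[Risk], budget: float) -> list[Risk]:
    """Choose what to resolve now: walk the ranked list and take each item whose
    remediation fits the remaining budget. Greedy selection is an assumption of
    this example, not something the article prescribes."""
    chosen, remaining = [], budget
    for risk in rank_risks(register):
        if risk.remediation_cost <= remaining:
            chosen.append(risk)
            remaining -= risk.remediation_cost
    return chosen


# Constructed sample register; all names and figures are made up.
REGISTER = [
    Risk("unpatched public web server", 500_000, 0.30, 20_000),
    Risk("shared admin password", 200_000, 0.50, 5_000),
    Risk("no offsite backups", 1_000_000, 0.05, 60_000),
    Risk("guest wifi on office LAN", 50_000, 0.40, 8_000),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.expected_loss:>10,.0f}  {r.name}")
    print("address now:", [r.name for r in prioritize(REGISTER, budget=40_000)])
```

Note that the costly but unlikely backup gap ranks below the cheap, likely password problem, which is exactly the cost-times-probability interaction the text describes.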

Threat
The term “threat” refers to the source and means of a particular type of attack. A threat assessment is performed to determine the best approaches to securing a system against a particular threat, or class of threat. Penetration testing exercises are substantially focused on assessing threat profiles, to help one develop effective countermeasures against the types of attacks represented by a given threat. Where risk assessments focus more on analyzing the potential and tendency of one’s resources to fall prey to various attacks, threat assessments focus more on analyzing the attacker’s resources.

Analyzing threats can help one develop specific security policies to implement in line with policy priorities and understand the specific implementation needs for securing one’s resources.

Vulnerability
The term “vulnerability” refers to the security flaws in a system that allow an attack to be successful. Vulnerability testing should be performed on an ongoing basis by the parties responsible for resolving such vulnerabilities, and helps to provide data used to identify unexpected dangers to security that need to be addressed. Such vulnerabilities are not particular to technology — they can also apply to social factors such as individual authentication and authorization policies.

Testing for vulnerabilities is useful for maintaining ongoing security, allowing the people responsible for the security of one’s resources to respond effectively to new dangers as they arise. It is also invaluable for policy and technology development, and as part of a technology selection process; selecting the right technology early on can ensure significant savings in time, money, and other business costs further down the line.

Understanding the proper use of such terms is important not only to sound like you know what you’re talking about, nor even just to facilitate communication. It also helps develop and employ good policies. The specificity of technical jargon reflects the way experts have identified clear distinctions between practical realities of their fields of expertise, and can help clarify even for oneself how one should address the challenges that arise.
