https://www.threatanalysis.com/2010/05/03/threat-vulnerability-risk-commonly-mixed-up-terms/ explains these concepts very clearly. Writing up notes so I stop forgetting them.
Threat – Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.
A threat is what we’re trying to protect against.
Here "threat" is mostly understood as an external threat; the most common form is a known attack technique (an attack PoC). The goal of protection is to keep these attacks from succeeding. Note that the definition above also covers accidental threats (an operator mistake, a hardware failure), not only deliberate attacks from outside.
Attacks can be launched at any time; in fact, on the internet they are happening constantly. Whether or not they succeed, they are still threats.
Vulnerability – Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.
A vulnerability is a weakness or gap in our protection efforts.
Weaknesses in the system itself, for example failing to validate user input, or the code flaws that Microsoft's monthly patches fix.
Vulnerabilities are always present; the only differences are whether they have been discovered, whether they have actually been exploited, and whether a patch exists to close them.
Risk – The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
Risk is the intersection of assets, threats, and vulnerabilities.
When a threat T exploits a specific vulnerability V and damages an asset we need to protect, that is a real risk. A risk may be one that has already materialized (at which point it is an incident) or one that is very likely to. Accurately assessing threats and identifying vulnerabilities is critical to understanding the risk to assets. When communicating with business units, the most important thing is to take the assets they care about, identify the corresponding risk to each, and demonstrate why the problem matters.
T - news and forums
V - mainly industry announcements
R - get familiar with the business, then identify