----- Original Message ----- From: "Stephen Kent" <kent@xxxxxxx> To: <ietf@xxxxxxxx> Sent: Monday, December 16, 2013 4:56 PM > Christopher, > > > ISO 27000 (Information technology - Security techniques - Information security management systems - Overview and vocabulary) > > defiChristopher,nes both terms, and differently: > > > > 2.4 > > attack > > attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of > > an asset (2.3) > > > > 2.45 > > threat > > potential cause of an unwanted incident, which may result in harm to a system or organization > > > The definition for attack seems appropriate. The definition for threat > is not > bad, but I prefer an older one, commonly used in the military context, > and which > matches with a trio of definitions for understanding security contexts: > > Vulnerability - a flaw in a design of implementation of a security-relevent > protocol or system > > Attack - more of less as above > > Adversary - an entity with a set of motivations and capabilities to > effect an attack > > Threat - a motivated, capable adversary. An adversary who is capable, > but not motivated, is not a threat. An adversary who is motivated, but > not capable, is not a threat. Stephen As you know well, we have published RFCs with definitions of these terms so we could use our own definitions - or we could use someone, anyone, else's:-) Tom Petch PS for those who are not engaged with the IETF view of security, I am referring to RFC2828 and its successor, RFC4949. Sterling works. > A threat model articulates adversaries and often enumerates classes of > attacks, and > then discusses the perceived motivation and ability of adversaries to > effect attacks > against a system of interest. > > We lack a threat model for the Internet. Most of our security protocols > do not > have published threat models (we didn't encourage this until recently) and > what is published typically is an attack model, not a threat model. > > Most aspects of pervasive monitoring are indistinguishable from our > traditional attack > model, since that model already assumes adversaries that can engage in > passive and active wiretapping. If we had a real threat model, either it > would have included a discussion of nation states as adversaries with > the capabilities to do what we have seen that they > do, and a motivation to do so, or not. I'd like to see this document > explicitly discuss this. > > Steve >