Security Terms

• Asset. An asset is a resource of value. It varies by perspective. To your business, an asset might be the availability of information, or the information itself, such as customer data. It might be intangible, such as your company's reputation.

• Threat. A threat is an undesired event: a potential occurrence, often best described as an effect that might damage or compromise an asset or objective.

• Vulnerability. A vulnerability is a software or firmware code imperfection at the system, network, or framework level that makes an exploit possible.

• Attack (or exploit). An attack is an action taken that utilizes one or more vulnerabilities to realize a threat.

• Countermeasure. Countermeasures address vulnerabilities to reduce the probability of attacks or the impacts of threats. They do not directly address threats; instead, they address the factors that define the threats.

• Use Case. The functional, as-designed behaviour of an application.

• Abuse Case. Deliberate abuse of a use case in order to produce unintended results.

• Attack Vector. The point and channel through which attacks traverse (card reader, form fields, network proxy).

• Attack Surface. The logical area exposed to threats and their underlying attack patterns.

• Actor. A legitimate or adversarial caller of use cases or abuse cases.

• Impact. The negative value sustained as a result of one or more successful attacks.

• Attack Tree. A diagram of the relationships among asset, actor, use case, abuse case, vulnerability, exploit and countermeasure.

DREAD is part of a system for risk-assessing computer security threats that was previously used at Microsoft; although it is currently used by OpenStack and other corporations, it was abandoned by its creators [1]. It provides a mnemonic for risk rating security threats using five categories.

The categories are:

  • Damage – how bad would an attack be?
  • Reproducibility – how easy is it to reproduce the attack?
  • Exploitability – how much work is it to launch the attack?
  • Affected users – how many people will be impacted?
  • Discoverability – how easy is it to discover the threat?

The DREAD name comes from the initials of the five categories listed. It was initially proposed for threat modeling, but it was discovered that the ratings are not very consistent and are subject to debate. It was out of use at Microsoft by 2008.[2]
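As an added example (not part of the original page), the following Python scorer rates constructed threats on the five DREAD categories, rejects an incomplete or out-of-range assessment instead of silently defaulting it, and ranks the results. The 1..10 rating scale, the band thresholds and the sample threats are assumptions of this example, not values given by the page.

```python
from typing import Dict, List, Tuple

# The five DREAD categories, in mnemonic order.
CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")
# Assumption: each category is rated on a 1..10 scale (the page states no scale).
MIN_RATING, MAX_RATING = 1, 10

def dread_score(ratings: Dict[str, int]) -> float:
    """Mean of the five category ratings. A missing or out-of-range rating is
    rejected rather than defaulted, so an incomplete assessment cannot quietly
    rank as low risk."""
    missing = [c for c in CATEGORIES if c not in ratings]
    if missing:
        raise ValueError(f"missing DREAD categories: {missing}")
    for cat in CATEGORIES:
        value = ratings[cat]
        if not MIN_RATING <= value <= MAX_RATING:
            raise ValueError(f"{cat}={value} outside {MIN_RATING}..{MAX_RATING}")
    return sum(ratings[c] for c in CATEGORIES) / len(CATEGORIES)

def risk_band(score: float) -> str:
    """Map a score to a band; the thresholds are an assumption, not from the page."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def rank_threats(threats: Dict[str, Dict[str, int]]) -> List[Tuple[str, float, str]]:
    """Score every threat and return (name, score, band), highest risk first."""
    scored = []
    for name, ratings in threats.items():
        score = dread_score(ratings)
        scored.append((name, score, risk_band(score)))
    return sorted(scored, key=lambda t: t[1], reverse=True)

# Constructed sample threats for a hypothetical web application.
SAMPLE_THREATS = {
    "SQL injection in login form": dict(damage=8, reproducibility=9, exploitability=7,
                                        affected_users=9, discoverability=7),
    "Stack trace shown on error page": dict(damage=3, reproducibility=9, exploitability=8,
                                            affected_users=4, discoverability=9),
    "Theft of offline backup tape": dict(damage=9, reproducibility=2, exploitability=3,
                                         affected_users=8, discoverability=2),
}

if __name__ == "__main__":
    for name, score, band in rank_threats(SAMPLE_THREATS):
        print(f"{score:4.1f}  {band:6}  {name}")
```

Note that two assessors rating the same threat can easily land in different bands, which is the inconsistency the text above describes.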