- Threat – An action or event that might prejudice security. A threat is a potential violation of security.
- Vulnerability – Existence of a weakness, design, or implementation error that can lead to an unexpected undesirable event compromising the security of the system.
- Target of Evaluation – An IT system, product, or component that is identified/subjected as requiring security evaluation.
- Attack – An assault on system security that derives from an intelligent threat. An attack is any action that attempts to violate, or does violate, security.
- Exploit – A defined way to breach the security of an IT system through a vulnerability.
Threat is variously defined in the current context as:
- An action or event that might prejudice security.
- A sequence of circumstances and events that allows a human or other agent to cause an information-related misfortune by exploiting vulnerabilities in an IT product. A threat can be either “intentional” or “accidental”.
- Any circumstances or event with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, or denial of service.
- A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
- The technical and operational capability of a hostile entity to detect, exploit, or subvert friendly information systems and the demonstrated, presumed, or inferred intent of that entity to conduct such activity.
This brings us to discussing the term ‘vulnerability’.
- A security weakness in a Target of Evaluation.
- A weakness in an information system or its components that could be exploited to produce an information-related misfortune.
- Vulnerability is the existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system, network, application, or protocol involved.
Attacks can be broadly classified as active and passive.
- Active attacks are those that modify the target system or message.
- Passive attacks are those that violate confidentiality without affecting the state of the system.