No edit summary |
|||
| Line 24: | Line 24: | ||
{{Quote|a potential undesirable event, [[malicious]] or not, of (1) [[compromise]] (i.e., [[theft]] of valuable or [[sensitive information]] or services), (2) [[corruption of information]] or [[information service]]s, or (3) [[denial of service]] by [[degradation]]/[[blocking]] of [[data]], [[data processing|processing]], or [[communication]]s or an entity possessing the capability and [[intent]] to cause the above.<ref>[[Report on the NS/EP Implications of Intrusion Detection Technology Research and Development]], at 6 n.7.</ref>}} |
{{Quote|a potential undesirable event, [[malicious]] or not, of (1) [[compromise]] (i.e., [[theft]] of valuable or [[sensitive information]] or services), (2) [[corruption of information]] or [[information service]]s, or (3) [[denial of service]] by [[degradation]]/[[blocking]] of [[data]], [[data processing|processing]], or [[communication]]s or an entity possessing the capability and [[intent]] to cause the above.<ref>[[Report on the NS/EP Implications of Intrusion Detection Technology Research and Development]], at 6 n.7.</ref>}} |
||
| + | |||
| + | {{Quote|[a]ny circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or [[reputation]]), agency [[asset]]s, or individuals through an [[information system]] via [[unauthorized access]], [[destruction, [[disclosure]], [[modification]] of [[information]], and/or [[denial of service]].<ref>[[NIST Special Publication 800-82]], at B-8.</ref>}} |
||
== Overview == |
== Overview == |
||
Revision as of 21:33, 29 March 2013
Definitions
Biometrics
A threat is
| “ | [a]n intentional or unintentional potential event that could compromise the security and integrity of the system.[1] | ” |
General
A threat is
| “ | [t]he capability of an adversary coupled with his/her intentions to undertake any actions detrimental to the success of program activities or operations.[2] | ” |
| “ | [a] natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property.[3] | ” |
Security
| “ | any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of service.[4] | ” |
| “ | any circumstance or event with the potential to intentionally or unintentionally exploit one or more vulnerabilities in a system resulting in a loss of confidentiality, integrity, or availability.[5] | ” |
| “ | [a] potential cause of an incident, that may result in harm of systems and organization.[6] | ” |
| “ | a potential undesirable event, malicious or not, of (1) compromise (i.e., theft of valuable or sensitive information or services), (2) corruption of information or information services, or (3) denial of service by degradation/blocking of data, processing, or communications or an entity possessing the capability and intent to cause the above.[7] | ” |
{{Quote|[a]ny circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, [[destruction, disclosure, modification of information, and/or denial of service.[8]}}
Overview
Threats are implemented by threat agents.
Information systems
Information systems are subject to serious threats that can have adverse effects on organizational operations (including missions, functions, image, or reputation), organizational assets, individuals, other organizations, and the government by compromising the confidentiality, integrity, or availability of information being processed, stored, or transmitted by those systems.
Threats to information systems include environmental disruptions, human errors, and purposeful attacks. Attacks on information systems today are often well-organized, disciplined, aggressive, well-funded, and in a growing number of documented cases, extremely sophisticated. Successful attacks on public and private sector information systems can result in great harm to the national and economic security interests of a country.
Indeed, systems sometimes fail without any external provocation, as a result of design flaws, implementation bugs, misconfiguration, and system aging.
Additional threats arise in the system acquisition and code distribution processes. Serious security problems have also resulted from discarded or stolen systems. For large-scale systems consisting of many independent installations (such as the Domain Name System (DNS)), security updates must reach and be installed in all relevant components throughout the entire life cycle of the systems. This scope of updating has proven to be difficult to achieve.
References
- ↑ NSTC Subcommittee on Biometrics, Biometrics Glossary, at 27 (Sept. 14, 2006) (full-text).
- ↑ DOE Manual 470.4-7, at 60.
- ↑ DHS Risk Lexicon, at 36.
- ↑ National Cyber Incident Response Plan, at M-1.
- ↑ Federal Plan for Cyber Security and Information Assurance Research and Development, at 5.
- ↑ ISO/IEC 27005:2011.
- ↑ Report on the NS/EP Implications of Intrusion Detection Technology Research and Development, at 6 n.7.
- ↑ NIST Special Publication 800-82, at B-8.
See also
- Adaptive threat
- Cyber threat
- Environmental threat
- External threat
- Insider threat
- Intentional threat
- Internal threat
- IO threat
- Local threat
- National security threat
- Physical threat
- Security threat
- Shared threat
- Threat action
- Threat analysis
- Threat and Vulnerability Testing and Assessment
- Threat assessment
- Threat condition
- Threat focus cell
- Threat inventory
- Threat model
- Threat monitoring
- Unintentional threat
- Vulnerability