See:
· Exploit
· Damage
Potential cause of an unwanted incident, which may result in harm to a system or an organisation. [UNE-ISO/IEC 27000:2014]
Condition or activity capable of causing information or information processing resources to be, intentionally or accidentally, lost, modified, exposed or made inaccessible, or otherwise affected to the detriment of the organisation.
http://es.pcisecuritystandards.org
Anything that might exploit a Vulnerability. Any potential cause of an Incident can be considered a Threat. For example, a fire is a Threat that could exploit the Vulnerability of flammable carpeting. This term is commonly used in Information Security Management and IT Service Continuity Management, but also applies to other areas such as Availability and Problem Management. [ITIL:2007]
Any circumstance or event that may exploit, intentionally or not, a specific vulnerability in an ICT System, resulting in a loss of confidentiality, integrity or availability of the information handled, or of the integrity or availability of the System itself.
Possible attack on assets by a threatening element. [EBIOS:2005]
Motive of a threatening element. It may be strategic, ideological, terrorist, greedy, playful or vengeful in nature, and varies depending on whether it is an accidental act (curiosity, boredom) or a deliberate one (espionage, lure of gain, intent to harm, ideology, play, fraud, theft, piracy, intellectual challenge, revenge, blackmail, extortion of money). [EBIOS:2005]
Human action, natural or environmental element that has potential negative consequences for the system. It can be characterised by its type (natural, human or environmental) and by its cause (accidental or deliberate). In the case of an accidental cause, it can also be characterised by exposure and available resources. In the case of a deliberate cause, it can also be characterised by expertise, available resources and motivation. [EBIOS:2005]
Events that may trigger an incident in the Organisation, causing material damage or immaterial losses to its assets. [Magerit:2012]
Potential cause of an incident that may cause harm to an information system or an organisation. [UNE-71504:2008]
1. Action or event that may threaten security (ITSEC).
2. Potential violation of system security (ISO-7498-2).
[Ribagorda:1997]
Condition of the information system's environment that, given an opportunity, could lead to a security violation occurring.
It can be:
· Active: Involves a change in the state of the system.
· Passive: Does not change the state of the system.
[CESID:1997]
Potential violation of security. [ISO-7498-2:1989]
potential cause of an unwanted incident, which may result in harm to a system or organisation. [ISO/IEC 27000:2014]
Condition or activity that has the potential to cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization.
https://www.pcisecuritystandards.org/security_standards/glossary.php
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. [CNSSI_4009:2010]
Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. [RiskIT-PG:2009]
Any event where a threat element/actor acts against an asset in a manner that has the potential to directly result in harm. [RiskIT-PG:2009]
natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment and/or property
Annotation: Threat as defined refers to an individual, entity, action, or occurrence; however, for the purpose of calculating risk, the threat of an intentional hazard is generally estimated as the likelihood of an attack (that accounts for both the intent and capability of the adversary) being attempted by an adversary; for other hazards, threat is generally estimated as the likelihood that a hazard will manifest.
DHS Risk Lexicon, September 2008
1a. (I) A potential for violation of security, which exists when there is an entity, circumstance, capability, action, or event that could cause harm. (See: dangling threat, INFOCON level, threat action, threat agent, threat consequence. Compare: attack, vulnerability.)
1b. (N) Any circumstance or event with the potential to adversely affect a system through unauthorized access, destruction, disclosure, or modification of data, or denial of service. [C4009] (See: sensitive information.)
Usage: (a) Frequently misused with the meaning of either "threat action" or "vulnerability". (b) In some contexts, "threat" is used more narrowly to refer only to intelligent threats; for example, see definition 2 below. (c) In some contexts, "threat" is used more broadly to cover both definition 1 and other concepts, such as in definition 3 below.
Tutorial: A threat is a possible danger that might exploit a vulnerability. Thus, a threat may be intentional or not:
· "Intentional threat": A possibility of an attack by an intelligent entity (e.g., an individual cracker or a criminal organization).
· "Accidental threat": A possibility of human error or omission, unintended equipment malfunction, or natural disaster (e.g., fire, flood, earthquake, windstorm, and other causes listed in [FP031]).
The Common Criteria characterizes a threat in terms of (a) a threat agent, (b) a presumed method of attack, (c) any vulnerabilities that are the foundation for the attack, and (d) the system resource that is attacked. That characterization agrees with the definitions in this Glossary (see: diagram under "attack").
2. (O) The technical and operational ability of a hostile entity to detect, exploit, or subvert a friendly system and the demonstrated, presumed, or inferred intent of that entity to conduct such activity.
Tutorial: To be likely to launch an attack, an adversary must have (a) a motive to attack, (b) a method or technical ability to make the attack, and (c) an opportunity to appropriately access the targeted system.
3. (D) "An indication of an impending undesirable event." [Park]
Deprecated Definition: IDOCs SHOULD NOT use this term with definition 3 because the definition is ambiguous; the definition was intended to include the following three meanings:
· "Potential threat": A possible security violation; i.e., the same as definition 1.
· "Active threat": An expression of intent to violate security. (Context usually distinguishes this meaning from the previous one.)
· "Accomplished threat" or "actualized threat": That is, a threat action.
Deprecated Usage: IDOCs SHOULD NOT use the term "threat" with this meaning; instead, use "threat action".
[RFC4949:2007]
(I) A realization of a threat, i.e., an occurrence in which system security is assaulted as the result of either an accidental event or an intentional act. (See: attack, threat, threat consequence.)
Tutorial: A complete security architecture deals with both intentional acts (i.e., attacks) and accidental events [FP031]. (See: various kinds of threat actions defined under the four kinds of "threat consequence".)
[RFC4949:2007]
(I) A system entity that performs a threat action, or an event that results in a threat action. [RFC4949:2007]
(I) An analysis of the threat actions that might affect a system, primarily emphasizing their probability of occurrence but also considering their resulting threat consequences. Example: RFC 3833. (Compare: risk analysis.) [RFC4949:2007]
capabilities, intentions and attack methods of adversaries, or any circumstance or event, whether originating externally or internally, that has the potential to cause harm to information or a program or system or cause those to harm others. [ISO-21827:2007]
the originator and/or the initiator of deliberate or accidental man-made threats. [ISO-21827:2007]
Anything that might exploit a Vulnerability. Any potential cause of an Incident can be considered to be a Threat. For example a fire is a Threat that could exploit the Vulnerability of flammable floor coverings. This term is commonly used in Information Security Management and IT Service Continuity Management, but also applies to other areas such as Problem and Availability Management. [ITIL:2007]
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability. [FIPS-200:2006]
Any circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. [NIST-SP800-53:2013]
Motive of a threat agent. It may arise from strategy, ideology, terrorism, greed, amusement or revenge and may be an accidental action (arising from curiosity, boredom, etc.) or a deliberate action (arising from spying, the lure of gain, the intention to harm, ideology, amusement, fraud, theft, piracy, intellectual challenge, revenge, blackmailing, extortion of money, etc.) [EBIOS:2005]
The potential source of an adverse event. [NIST-SP800-61:2004]
Any circumstance or event with the potential to intentionally or unintentionally exploit a specific vulnerability in an information system resulting in a loss of confidentiality, integrity, or availability. [NIST-SP800-60V2:2004]
An activity, deliberate or unintentional, with the potential for causing harm to an automated information system or activity. [TDIR:2003]
The potential for a threat source (defined below) to exploit (intentional) or trigger (accidental) a specific vulnerability. [NIST-SP800-33:2001]
Any circumstance or event that could harm a critical asset through unauthorized access, compromise of data integrity, denial or disruption of service, or physical destruction or impairment. [CIAO:2000]
an action or event that might prejudice security. [ITSEC:1991]
A potential violation of security. [ISO-7498-2:1989]
An actor or agent who exploits security vulnerabilities and risks.
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/risk/248-BSI.html
A circumstance, event, or person with the potential to cause harm to a system in the form of destruction, disclosure, data modification, and/or Denial of Service (DoS).
http://www.symantec.com/avcenter/refa.html
A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
http://www.sans.org/security-resources/glossary-of-terms/
The examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment. [NIST-SP800-33:2001]
process of identifying or evaluating entities, actions, or occurrences, whether natural or man-made, that have or indicate the potential to harm life, information, operations and/or property
DHS Risk Lexicon, September 2008
A threat assessment is the identification of types of threats that an organization might be exposed to.
http://www.sans.org/security-resources/glossary-of-terms/
(en) threat source
The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally exploit a vulnerability. [CNSSI_4009:2010]
The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability. Synonymous with threat agent. [FIPS-200:2006]
Human action, natural or environmental element that has potentially negative consequences on the system. It can be characterised by its type (natural, human or environmental) and by its cause (accidental or deliberate). In the case of an accidental cause, it is also characterised by exposure and available resources. In the case of a deliberate cause, it is also characterised by expertise, available resources and motivation. [EBIOS:2005]
Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) the situation and method that may accidentally trigger a vulnerability. [NIST-SP800-33:2001]
A threat model is used to describe a given threat and the harm it could do to a system if it has a vulnerability.
http://www.sans.org/security-resources/glossary-of-terms/
The method a threat uses to get to the target.
http://www.sans.org/security-resources/glossary-of-terms/
A threat is an actor or an agent that is a source of danger to the system under consideration or the assets to which it has access. The threat can be a person that abuses the software, a program running on a compromised system, or even a non-sentient event such as a hardware failure. A threat exploits a vulnerability in software to attack it.
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/attack/590-BSI.html
An event or act, deliberate or accidental, that could cause injury to people, information, assets or services.
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=16578
Situation or activity likely to cause the intentional or accidental loss, modification, exposure or unavailability of information or information processing resources, or to affect them to the detriment of the organisation.
http://fr.pcisecuritystandards.org/
Anything that might exploit a vulnerability. Any potential cause of an incident can be considered a threat. For example, a fire is a threat that could exploit the vulnerability of flammable floor coverings. This term is commonly used by Information Security Management (ISM) and IT Service Continuity Management (ITSCM), but also applies to other areas such as problem management and availability management. [ITIL:2007]
Possible attack by a threatening element on assets. [EBIOS:2005]
Motive of a threatening element. It may be strategic, ideological, terrorist, greedy, playful or vengeful in nature and differs depending on whether it is an accidental act (curiosity, boredom...) or a deliberate one (espionage, lure of gain, intent to harm, ideology, play, fraud, theft, piracy, intellectual challenge, revenge, blackmail, extortion of funds...). [EBIOS:2005]
Human action, natural or environmental element that has potential negative consequences on the system. It can be characterised by its type (natural, human or environmental) and by its cause (accidental or deliberate). In the case of an accidental cause, it is also characterised by exposure and available resources. In the case of a deliberate cause, it is also characterised by expertise, available resources and motivation. [EBIOS:2005]
Potential violation of security. [ISO-7498-2:1989]
Thing or person at the origin of threats. It can be characterised by its type (human or environmental), by its cause (accidental or deliberate) and, as applicable, by its available resources, its expertise, its motivation... [EBIOS:2010]
Deliberate or accidental event or act that could cause harm to persons, information, assets or services.
http://www.tbs-sct.gc.ca/pol/doc-fra.aspx?id=16578
Related topics