AppSec Definitions with Dogs
When reading about topics in Information Security you may run into commonly used terms such as: vulnerability, incident, threat, component, etc. In this post, I aim to break down commonly used terms and explain them in a way that is accessible to a wider audience and memorable (hopefully!) through the use of common scenario my dog Dill faces when he plays with my brother’s dog Bennie.
Even if you are a seasoned InfoSec professional, this may be a useful post for you. I often find that it can be helpful to have a ready made scenario to explain important concepts to get a diverse group of stakeholders on the same page.
First Things First
Let’s introduce the main characters of these scenarios: Bennie and Dill. Dill is my dog, a fuzzy labradoodle who seems to only love his toys when other dogs want them. Bennie is a successful fusion power experiment encapsulated in a dog - I have seen him tired exactly once.
The Terms
Two things that I would like to mention before we dive in are:
- While these terms may initially sound dry and boring, their usage is very important for understanding the characteristics of issues faced in Information Security - so stick with it, it’ll pay dividends later on!
- The differences may seem a bit like splitting hairs, but the differences between what each word means and what it is referring to are key components of what makes them useful and important in establishing a common language between Information Security practitioners.
Alright, let’s get to it!
The Scenario
Dill is asleep on the floor after chewing on his elk antler all morning. Bennie is in an adjacent room, separated by a dog gate, and now he wants a piece of Dill’s elk antler. While Dill’s asleep, Bennie makes his move, jumps over the dog gate and dashes to his ill-begotten prize, snatching it before Dill can stop him.
Now let’s take a look at some commonly used terms; we will then tie the terms below with the Elk Antler Heist scenario I just outlined.
Component
A component, in the InfoSec context, is a system, application, or piece of a larger information system or process. It is the thing that is leveraged by the attacker to gain access to an asset.
Typically these are servers, web applications, or business processes.
Asset
An asset, in the InfoSec context, is the thing that the attacker is trying to gain some aspect of control over, whether that’s stealing it, altering it, corrupting it, holding it ransom, or deleting it.
Typically these are credit card data, personally identifiable information (PII), or user credentials (username and password).
Vulnerability
A vulnerability, in the InfoSec context, is a weakness in a component that allows an attacker to gain unauthorized access to an asset or to perform some action they should not perform and would not have been able to, had that vulnerability not existed.
Typically these are the result of missing patches, programming errors, weak or default passwords, or security misconfigurations.
Threat
A threat, in the InfoSec context, is a potential negative action, facilitated by a vulnerability, that will result in some negative impact. The important piece here is that threats are the potential negative things that can happen and they always exist, no matter how many protections are in place. Mitigations reduce the impact or likelihood of a threat, and therefore the risk of the threat, but the threat never goes away as long as the thing the threat is tied to, the asset, exists.
Typically these are theft, loss, or damage to an asset - a critical system being taken offline, information being stolen, or important data being altered.
Incident
An incident, in the InfoSec context, is a security event that compromises the confidentiality, integrity, or availability of an information asset.
Breach
An incident that results in the confirmed exposure of information assets to unauthorized parties. Not all incidents are breaches, but all breaches are incidents.
Tying it to the Scenario
You made it! Now back to the dogs -
Let’s tie in the terms we just learned with the Elk Antler Heist scenario outlined earlier. I’d encourage you to take a second to think about each of the questions before reading the answers.
Note: there is always a little flexibility in how the pieces of these situations are dissected and categorized, so it is totally okay to disagree with how I have chosen to break things down. Disagreement, discussion, and learning are what makes this process (and this field) so engaging and interesting!
From Dill’s perspective, what is the asset?
- The asset is Dill’s elk antler. It is the thing of value that he is afraid of losing and the thing that Bennie is trying to gain unauthorized access to.
From Dill’s perspective, what is the threat?
- The threat is any actor taking the elk antler away from him. This could be a dog or a human - a threat can be tied to a particular actor doing something, but typically it is more general and would encapsulate all scenarios of theft by anyone.
In the scope of this incident, what is the component we should focus on?
- The main component, within the scope of this incident, would be the gate that Bennie jumps over.
What are the two main vulnerabilities exploited by Bennie?
- The first vulnerability would be the height of the gate. It is insufficient for a dog of Bennie’s physical prowess and he can clear it. The gate manages to keep most dogs contained, but here we can see that it isn’t enough for all dogs.
- The second vulnerability would be Dill’s lack of monitoring of his asset, the elk antler, and his lack of monitoring of the aforementioned gate - which is not a weakness in the gate, but a weakness in Dill’s process of monitoring the gate. Had he employed additional detective controls, he would have seen Bennie’s advances.
Does one of these vulnerabilities mean there are two components we should focus on?
- I think there is a good case to be made that the lack of monitoring employed by Dill means that, for the purposes of this discussion, we should include his security process as a component.
Was this an incident, and if so, why?
- Yup! Bennie was able to obtain unauthorized access to Dill’s asset.
Was this a breach, and if so, why?
- Yes, and no. Let’s delve into this: I believe there is a case to be made that it is a breach, because we have a confirmed incident of an external actor gaining unauthorized access to an asset. However, in this scenario, the asset was not something that needed to remain secret, what was lost here was access to the asset. In that case, Bennie may or may not have gotten away with the bone. Had he gotten back to his desk pod with the bone, then I would say it is definitely a breach; had he not, then it is still a bit open to interpretation of whether Bennie’s possession of the elk antler, even though he hadn’t left the domain of Dill’s pod, constituted a breach. Personally, I would err on the side of calling it a breach.
And all at once
Bennie, the bad actor, exploited a vulnerability in the height of the gate (component 1) and Dill’s lack of monitoring process (component 2) to realize a threat (antler theft) and gain unauthorized access to Dill’s elk antler (the asset). This whole event would be the breach incident.
Wrapping it up
And that’s it! (for now). What we have learned:
- The rough definitions of: Component, Asset, Vulnerability, Threat, Incident, Breach.
- How those terms work together to describe an Information Security incident.
What about Risk? or the CIA triad?
Don’t fret! I will break down risk-related terminology and the CIA triad (plus more) in similarly themed follow-up posts soon!