Tuesday, September 11, 2012

Threat or menace?

Sorry to be ranting again, but I am doing a survey that was sent via a certain large certifying organization.  One of the questions for "information security professionals" to answer was:


Thinking about your own organization, please rate the following potential security threats on the degree of concern you have for each.
  • Trusted third parties                   
  • Hacktivists                   
  • Hackers                   
  • Internal employees                   
  • Contractors                   
  • Mobile devices                   
  • Cloud-based services                   
  • Malware                   
  • State sponsored acts                   
  • Cyber terrorism                   
  • Organized crime                   
  • Application vulnerabilities    

Mobile devices are a threat?   Cloud-based services are a threat?    Really?  I think of those two things as technologies.  Neutral technologies.  Now these technologies may be full of vulnerabilities.  And there is a probability that these vulnerabilities may be exploited by threats... which will have impacts

Heck I'd even say malware isn't a threat.  Attackers using malware is.

And this from a survey targeting ccertified professionals who are supposedly tested in the basics of the risk equation.   But maybe different folks have a different way of thinking about threats?   Am I taking crazy pills?

So the question I put to all of you - What is a threat?