Tag Archives: exploit

Vulnerabilities, threats, and risk in a chess metaphor

Bookmark This (opens in new window)

Even for security professionals it’s sometimes tricky to properly think about the terms vulnerability, threat, risk, attack, and exploit.  It can be harder yet to describe these concepts to someone who is not a security professional.

In this excerpt from our upcoming book, Biometrics for Dummies, we explain these terms within the metaphor of a game of chess:

“Before we go any further, let’s look at the meaning of the terms threat, vulnerability and risk. Over the years we’ve found these terms to be used interchangeably and incorrectly. As with any industry jargon, these terms are tossed around and used by people who do fully understand their meaning, and by those who think they do — but don’t really.

* Vulnerability: a weakness in a system that may permit an attacker to compromise it.
* Threat: a potential activity that would, if it occurred, harm a system.
* Risk: the potential negative impact if a harmful event were to occur.

The terms vulnerability, threat, and risk can be visualized like this: Imagine a game of chess, where one player has a very weak position, and the other player has a very strong position. The player with the weak position is unable to protect his king — this is a vulnerability. The weak player’s king is vulnerable to attack – a position of high risk. The strong player has powerful pieces (such as a queen, bishops, and rooks) that are in low risk positions to easily capture the weak player’s king — this is a threat.

And while we’re at it, there are some other words we should discuss:

* Attack: the act of carrying out a threat with the intention of harming a system.
* Exploit (verb): the act of carrying out a threat against a specific vulnerability.
* Exploit (noun): a program, tool, or technique that can be used to attack a system.

Using the chess analogy again, the strong player could attack the weak player, exploiting his vulnerability to capture his king. The strong player’s method of attack would be known as his exploit against the weak, high-risk player.”

From Biometrics for Dummies

VoIP exploit permits illicit tapping, recording of VoIP calls

Bookmark This (opens in new window)

A proof of concept program has been developed and demonstrated that allows significant and possibly large-scale exploitation of Session Initiation Protocol (SIP), permitting an individual to tap into corporate VoIP networks. The exploit could also be done at the ISP level, permitting an intruder to eavesdrop on large numbers of VoIP calls, perhaps simultaneously.

voipsecuritycover400×629.pngThis is an extremely dangerous development, one that I have feared could happen once telephony networks are converted to TCP/IP. This is a classic example of technology being developed and implemented without adequate consideration for security and privacy. Other examples of technologies whose early editions were too weak for prime time: WiFi networks, analog cellular networks (remember the clone wars?), e-mail (spam and spoofing are still significant problems), domain name service (significant weaknesses abound), FTP, Telnet… shall I go on?

Organizations that utilize VoIP and SIP trunks to branch offices or service providers need to consider protecting these communications with VPN technology. SIP’s security features alone cannot be relied upon to protect VoIP traffic.

Article here:

http://www.techworld.com/security/news/index.cfm?newsid=10736

More on the risks of new technologies here.

How to protect corporate VoIP networks here.

Disclaimer: this article is posted as a public service, not a book promotion. VoIP Security was a work-for-hire project, which means I won’t make a dime more on this book whether it is read by 10 people or 10 million people.