Potential cause of an unwanted incident, which may result in harm to a system or an organisation. [UNE-ISO/IEC 27000:2014]
Condition or activity capable of causing information or information processing resources to be, intentionally or accidentally, lost, modified, exposed or made inaccessible, or otherwise affected to the detriment of the organisation.
http://es.pcisecuritystandards.org
Anything that might exploit a Vulnerability. Any potential cause of an Incident can be considered a Threat. For example, a fire is a Threat that could exploit the Vulnerability of flammable floor coverings. This term is commonly used in Information Security Management and IT Service Continuity Management, but also applies to other areas such as Availability and Problem Management. [ITIL:2007]
Any circumstance or event that may exploit, intentionally or not, a specific vulnerability in an ICT System, resulting in a loss of confidentiality, integrity or availability of the information handled, or of the integrity or availability of the System itself.
Possible attack on assets by a threatening element. [EBIOS:2005]
Motive of a threatening element. It may be strategic, ideological, terrorist, greedy, playful or vengeful in character, and varies depending on whether it is an accidental act (curiosity, boredom) or a deliberate one (espionage, lure of gain, intention to harm, ideology, play, fraud, theft, piracy, intellectual challenge, revenge, blackmail, extortion of money). [EBIOS:2005]
Human action, natural or environmental element that has potentially negative consequences for the system. It can be characterised by its type (natural, human or environmental) and by its cause (accidental or deliberate). In the case of an accidental cause, it can also be characterised by exposure and available resources. In the case of a deliberate cause, it can also be characterised by expertise, available resources and motivation. [EBIOS:2005]
Events that can trigger an incident in the Organisation, causing material damage or immaterial losses to its assets. [Magerit:2012]
Potential cause of an incident that may cause harm to an information system or an organisation. [UNE-71504:2008]
1. Action or event that may undermine security (ITSEC).
2. Potential violation of system security (ISO-7498-2).
[Ribagorda:1997]
Condition of the information system's environment that, given an opportunity, could lead to a security violation.
It may be:
· Active: involves a change in the state of the system.
· Passive: does not change the state of the system.
[CESID:1997]
Potential violation of security. [ISO-7498-2:1989]
Potential cause of an unwanted incident, which may result in harm to a system or organisation. [ISO/IEC 27000:2014]
Condition or activity that
has the potential to cause information or information processing resources to
be intentionally or accidentally lost, modified, exposed, made inaccessible, or
otherwise affected to the detriment of the organization.
https://www.pcisecuritystandards.org/security_standards/glossary.php
Any circumstance or event
with the potential to adversely impact organizational operations (including
mission, functions, image, or reputation), organizational assets, individuals,
other organizations, or the Nation through an information system via
unauthorized access, destruction, disclosure, modification of information,
and/or denial of service. [CNSSI_4009:2010]
Anything (e.g., object,
substance, human) that is capable of acting against an asset in a manner that
can result in harm. [RiskIT-PG:2009]
Any event where a threat
element/actor acts against an asset in a manner that has the potential to directly
result in harm. [RiskIT-PG:2009]
Natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment and/or property.
Annotation: Threat as defined refers to an individual, entity, action, or occurrence; however, for the purpose of calculating risk, the threat of an intentional hazard is generally estimated as the likelihood of an attack (that accounts for both the intent and capability of the adversary) being attempted by an adversary; for other hazards, threat is generally estimated as the likelihood that a hazard will manifest.
DHS Risk Lexicon, September 2008
1a. (I) A potential for
violation of security, which exists when there is an entity, circumstance,
capability, action, or event that could cause harm. (See: dangling threat,
INFOCON level, threat action, threat agent, threat consequence. Compare:
attack, vulnerability.)
1b. (N) Any circumstance or
event with the potential to adversely affect a system through unauthorized
access, destruction, disclosure, or modification of data, or denial of service.
[C4009] (See: sensitive information.)
Usage: (a) Frequently
misused with the meaning of either "threat action" or
"vulnerability". (b) In some contexts, "threat" is used
more narrowly to refer only to intelligent threats; for example, see definition
2 below. (c) In some contexts, "threat" is used more broadly to cover
both definition 1 and other concepts, such as in definition 3 below.
Tutorial: A threat is a possible danger that might exploit a vulnerability. Thus, a threat may be intentional or not:
· "Intentional threat": A possibility of an attack by an intelligent entity (e.g., an individual cracker or a criminal organization).
· "Accidental threat": A possibility of human error or omission, unintended equipment malfunction, or natural disaster (e.g., fire, flood, earthquake, windstorm, and other causes listed in [FP031]).
The Common Criteria
characterizes a threat in terms of (a) a threat agent, (b) a presumed method of
attack, (c) any vulnerabilities that are the foundation for the attack, and (d)
the system resource that is attacked. That characterization agrees with the
definitions in this Glossary (see: diagram under "attack").
2. (O) The technical and
operational ability of a hostile entity to detect, exploit, or subvert a
friendly system and the demonstrated, presumed, or inferred intent of that
entity to conduct such activity.
Tutorial: To be likely to
launch an attack, an adversary must have (a) a motive to attack, (b) a method
or technical ability to make the attack, and (c) an opportunity to
appropriately access the targeted system.
3. (D) "An indication
of an impending undesirable event." [Park]
Deprecated Definition: IDOCs SHOULD NOT use this term with definition 3 because the definition is ambiguous; the definition was intended to include the following three meanings:
· "Potential threat": A possible security violation; i.e., the same as definition 1.
· "Active threat": An expression of intent to violate security. (Context usually distinguishes this meaning from the previous one.)
· "Accomplished threat" or "actualized threat": That is, a threat action.
Deprecated Usage: IDOCs
SHOULD NOT use the term "threat" with this meaning; instead, use
"threat action".
[RFC4949:2007]
(I) A realization of a
threat, i.e., an occurrence in which system security is assaulted as the result
of either an accidental event or an intentional act. (See: attack, threat,
threat consequence.)
Tutorial: A complete
security architecture deals with both intentional acts (i.e., attacks) and
accidental events [FP031]. (See: various kinds of threat actions defined under
the four kinds of "threat consequence".)
[RFC4949:2007]
(I) A system entity that
performs a threat action, or an event that results in a threat action. [RFC4949:2007]
(I) An analysis of the
threat actions that might affect a system, primarily emphasizing their
probability of occurrence but also considering their resulting threat
consequences. Example: RFC 3833. (Compare: risk analysis.) [RFC4949:2007]
capabilities, intentions and
attack methods of adversaries, or any circumstance or event, whether
originating externally or internally, that has the potential to cause harm to
information or a program or system or cause those to harm others. [ISO-21827:2007]
The originator and/or the initiator of deliberate or accidental man-made threats. [ISO-21827:2007]
Anything that might exploit
a Vulnerability. Any potential cause of an Incident can be considered to be a
Threat. For example a fire is a Threat that could exploit the Vulnerability of
flammable floor coverings. This term is commonly used in Information Security
Management and IT Service Continuity Management, but also applies to other
areas such as Problem and Availability Management. [ITIL:2007]
Any circumstance or event
with the potential to adversely impact organizational operations (including
mission, functions, image, or reputation), organizational assets, or
individuals through an information system via unauthorized access, destruction,
disclosure, modification of information, and/or denial of service. Also, the
potential for a threat-source to successfully exploit a particular information
system vulnerability. [FIPS-200:2006]
Any circumstance or event with
the potential to adversely impact agency operations (including mission,
functions, image, or reputation), agency assets, or individuals through an
information system via unauthorized access, destruction, disclosure,
modification of information, and/or denial of service. [NIST-SP800-53:2013]
Motive of a threat agent. It
may arise from strategy, ideology, terrorism, greed, amusement or revenge and
may be an accidental action (arising from curiosity, boredom, etc.) or a
deliberate action (arising from spying, the lure of gain, the intention to
harm, ideology, amusement, fraud, theft, piracy, intellectual challenge,
revenge, blackmailing, extortion of money, etc.) [EBIOS:2005]
The potential source of an
adverse event. [NIST-SP800-61:2004]
Any circumstance or event
with the potential to intentionally or unintentionally exploit a specific
vulnerability in an information system resulting in a loss of confidentiality,
integrity, or availability. [NIST-SP800-60V2:2004]
An activity, deliberate or
unintentional, with the potential for causing harm to an automated information
system or activity. [TDIR:2003]
The potential for a threat
source (defined below) to exploit (intentional) or trigger (accidental) a
specific vulnerability. [NIST-SP800-33:2001]
Any circumstance or event
that could harm a critical asset through unauthorized access, compromise of
data integrity, denial or disruption of service, or physical destruction or
impairment. [CIAO:2000]
an action or event that
might prejudice security. [ITSEC:1991]
A potential violation of
security. [ISO-7498-2:1989]
An actor or agent who
exploits security vulnerabilities and risks.
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/risk/248-BSI.html
A circumstance, event, or
person with the potential to cause harm to a system in the form of destruction,
disclosure, data modification, and/or Denial of Service (DoS).
http://www.symantec.com/avcenter/refa.html
A potential for violation of
security, which exists when there is a circumstance, capability, action, or
event that could breach security and cause harm.
http://www.sans.org/security-resources/glossary-of-terms/
The examination of threat
sources against system vulnerabilities to determine the threats for a
particular system in a particular operational environment. [NIST-SP800-33:2001]
Process of identifying or evaluating entities, actions, or occurrences, whether natural or man-made, that have or indicate the potential to harm life, information, operations and/or property.
DHS Risk Lexicon, September 2008
A threat assessment is the
identification of types of threats that an organization might be exposed to.
http://www.sans.org/security-resources/glossary-of-terms/
(en) threat source
The intent and method
targeted at the intentional exploitation of a vulnerability or a situation and
method that may accidentally exploit a vulnerability. [CNSSI_4009:2010]
The intent and method
targeted at the intentional exploitation of a vulnerability or a situation and
method that may accidentally trigger a vulnerability. Synonymous with threat
agent. [FIPS-200:2006]
Human action,
natural or environmental element that has potentially negative consequences on
the system. It can be characterised by its type (natural, human or
environmental) and by its cause (accidental or deliberate). In the case of an
accidental cause, it is also characterised by exposure and available resources.
In the case of a deliberate cause, it is also characterised by expertise,
available resources and motivation. [EBIOS:2005]
Either (1) intent and method
targeted at the intentional exploitation of a vulnerability or (2) the
situation and method that may accidentally trigger a vulnerability. [NIST-SP800-33:2001]
A threat model is used to describe a given threat and the harm it could do to a system if it has a vulnerability.
http://www.sans.org/security-resources/glossary-of-terms/
The method a threat uses to
get to the target.
http://www.sans.org/security-resources/glossary-of-terms/
A threat is an actor or an
agent that is a source of danger to the system under consideration or the
assets to which it has access. The threat can be a person that abuses the
software, a program running on a compromised system, or even a non-sentient
event such as a hardware failure. A threat exploits a vulnerability in software
to attack it.
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/attack/590-BSI.html
An event or act, deliberate
or accidental, that could cause injury to people, information, assets or
services.
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=16578
Situation or activity that may lead to the intentional or accidental loss, modification, exposure or unavailability of information or information processing resources, or otherwise affect them to the detriment of the organisation.
http://fr.pcisecuritystandards.org/
Anything that might exploit a vulnerability. Any potential cause of an incident can be considered a threat. For example, a fire is a threat that could exploit the vulnerability of flammable floor coverings. This term is commonly used in Information Security Management (ISM) and IT Service Continuity Management (ITSCM), but also applies to other areas such as problem management and availability management. [ITIL:2007]
Possible attack by a threatening element on assets. [EBIOS:2005]
Motive of a threatening element. It may be strategic, ideological, terrorist, greedy, playful or vengeful in character, and differs depending on whether it is an accidental act (curiosity, boredom, etc.) or a deliberate one (espionage, lure of gain, intention to harm, ideology, play, fraud, theft, piracy, intellectual challenge, revenge, blackmail, extortion of money, etc.). [EBIOS:2005]
Human action, natural or environmental element that has potentially negative consequences for the system. It can be characterised by its type (natural, human or environmental) and by its cause (accidental or deliberate). In the case of an accidental cause, it is also characterised by exposure and available resources. In the case of a deliberate cause, it is also characterised by expertise, available resources and motivation. [EBIOS:2005]
Potential violation of security. [ISO-7498-2:1989]
Thing or person at the origin of threats. It can be characterised by its type (human or environmental), by its cause (accidental or deliberate) and, as applicable, by its available resources, expertise, motivation, etc. [EBIOS:2010]
Event or act, deliberate or accidental, that could harm people, information, assets or services.
http://www.tbs-sct.gc.ca/pol/doc-fra.aspx?id=16578