Yes, it is boring, but it is essential to understand some basic terms. Just bear with it; there are only a few, and I have kept them simple and short.
Threat - A potential violation of security.
Vulnerability - Existence of a weakness, design or implementation error that can lead to an unexpected and undesirable event compromising the security of the system, network, application or protocol involved.
Target of Evaluation - An IT system, product or component that is identified as requiring security evaluation.
Attack - An assault on system security that derives from an intelligent threat, i.e. an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.
Exploit - A defined way to breach the security of an IT system through a vulnerability.
As an analogy, the Target of Evaluation is a person who has a weakness (vulnerability); because of that weakness he is exposed to certain potentially dangerous acts or events (threats). A thief (cracker) can exploit his weakness to cheat him (attack).
It is important to note the difference between a threat and a vulnerability. Not every threat results in an attack, and not every attack succeeds. Success depends on the degree of vulnerability, the strength of the attack and the effectiveness of the countermeasures. If the attack needed to exploit the vulnerability is very difficult to carry out, then the vulnerability may be tolerable.
Attacks can be classified as active or passive. The difference between these categories is that an "active attack" attempts to alter system resources or affect their operation, while a "passive attack" attempts to learn or make use of information without making any change to the system.
Attacks can also be classified as originating from internal or external sources.
OK, a few more words for the list.
Security - A state of well-being of information and infrastructure in which the possibility of successful yet undetected theft, tampering, and disruption of information and services is kept low or tolerable.
Confidentiality - Concealment of information or resources.
Authenticity - Identification and assurance of origin of information.
Integrity - Trustworthiness of data or resource in terms of preventing improper and unauthorized change.
Availability - Ability to use the information or resource desired.
Saturday, January 12, 2008
Basic Terminology
Posted by McLing at 2:28 AM