The terms I most often see conflated or misused for each other are:
Privacy and Confidentiality
Privacy relates to a person; confidentiality relates to information about a person. It gets awkward when folks ask for a privacy policy when they really mean a confidentiality policy. A privacy policy talks about how I handle (collect, use, retain and disclose) someone's data. A confidentiality policy talks about how I protect it.
Vulnerability scan and Penetration test
You can often get a vuln scan as part of a pen-test, but they really aren't the same thing. The tip-off should be the word "penetration", which means someone is actually breaking in instead of just looking at you from the outside. One usually costs a lot more than the other as well. Bonus: a port scan is part of a vulnerability scan, but not the whole thing.
Vulnerability/Threat/Impact and Risk
I'm a proud member of SIRA, where a bunch of nerds sit around to argue about different risk models and which fits/works best in what situation. But you know what? I'd be happy if the entire industry just started using the most basic simplistic formula for risk: Risk = Threat × Probability × Impact. Sadly, what I see folks doing is:
- "We need to stop doing this because APTs are dangerous" -> Risk = Threat
- "We need to shut down email because half our messages have malware in them" -> Risk = Probability
- "We need to do something about DDOS because our site could go down." -> Risk = Impact
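To make the point concrete, here is an added example (mine, not from the post) that scores the three scenarios above under each of the shortcut "models" and under the full product. The threat, probability and impact numbers are constructed for illustration, not measured data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: float       # adversary capability and intent, scaled 0..1
    probability: float  # likelihood it materialises in the period, 0..1
    impact: float       # loss if it does, in arbitrary units


# Constructed values for the three examples the post cites (not real data).
SCENARIOS = [
    Scenario("APT intrusion", threat=0.9, probability=0.05, impact=80),
    Scenario("Email malware", threat=0.4, probability=0.9, impact=5),
    Scenario("DDoS outage", threat=0.5, probability=0.3, impact=60),
]

# The three shortcuts from the post, plus the full formula.
MODELS = {
    "Risk = Threat": lambda s: s.threat,
    "Risk = Probability": lambda s: s.probability,
    "Risk = Impact": lambda s: s.impact,
    "Risk = Threat x Probability x Impact": lambda s: s.threat * s.probability * s.impact,
}


def rank(scenarios, model):
    """Scenario names ordered from highest to lowest score under one model."""
    return [s.name for s in sorted(scenarios, key=model, reverse=True)]


def top_priority_by_model(scenarios=SCENARIOS):
    """Which scenario each model would have you fix first."""
    return {name: rank(scenarios, score)[0] for name, score in MODELS.items()}


def full_risk_scores(scenarios=SCENARIOS):
    """Threat x Probability x Impact for every scenario."""
    return {s.name: s.threat * s.probability * s.impact for s in scenarios}


if __name__ == "__main__":
    for model, first in top_priority_by_model().items():
        print(f"{model:40s} -> fix first: {first}")
```

With these numbers each single-term shortcut picks a different "most urgent" item, and none of them picks the one the full product ranks highest, which is exactly the mis-prioritisation the post is complaining about.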
Disaster Recovery and Business Continuity
Again, the tip-off is in the words themselves. Disaster recovery is about recovering the IT systems after a disaster. Just the IT systems. Business continuity involves recovering the entire business process. BC can include DR but not the other way around.
2 factor and additional authentication
You know when you log in to your web banking from a new computer and it suddenly asks you what high school you went to? That's not 2-factor authentication, because that's just more of "something you know." It's layered, risk-based or adaptive authentication. But it's not a different factor, so it's not as strong. So stop thinking that it is.
What do you see security professionals mixing up all the time?
2 comments:
I'd be interested in your thoughts on the DoD's decision last March to stop using "information assurance" in favor of "cybersecurity" across the department. Here's my blog post about it as background:
http://multimedia.telos.com/blog/cybersecurity-isnt-the-same-thing-as-information-assurance
Indeed. I haven't seen this one in a while, but mostly because I've been in the corporate banking world for the past half decade. But yeah, Info Assurance > InfoSec.
And anything with the word "cyber" makes me not take the speaker seriously.