Attack refers to “any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.” (CNSSI 4009-2015)
Attack vector refers to the “path or means by which an attacker can gain access to a computer or network server in order to deliver a malicious outcome.” (ISO/IEC 27032)
NIST Generic Risk Model
An attack vector can be described more specifically using the NIST Generic Risk Model: it is a threat scenario in which a threat source initiates a threat event to exploit vulnerabilities.
Attack surface is defined as:
- The set of points on the boundary of a system, a system component, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, component, or environment. (NIST SP 800-53 Rev. 5)
- set of attack points that an attacker can use in order to enter or capture data in an information system. (ISO/TS 12812-2:2017)