What Hackers Know About Vulnerability Disclosures
Tuesday, 23 July 2019
Let the “good” make noise, otherwise the “bad” definitely will! In line with this adage, it is important to do all that is within your means to secure your data and your systems.
And you have a choice here: whether or not to indulge in a detailed vulnerability disclosure to the public at large.
What is a Vulnerability Disclosure Policy?
A Vulnerability Disclosure Policy (VDP) is a document covering the reporting of security flaws that adversely affect the working of your computer hardware and software.
Security researchers are expected to disclose vulnerabilities to the parties concerned, pointing out the areas of the system that are flawed.
At times, in-house developers and vendors who work with vulnerable systems announce such security flaws once the code change has been made.
Once this patch is made available, security experts will be in a position to make the vulnerability public.
However, such an announcement will defeat the actual purpose of data security measures.
So you may ask what the best form of disclosure is.
Here is the response.
If you wish to tread the path of responsible disclosure, you should not make a public announcement of the vulnerabilities, since you are in principle broadcasting their adverse effects.
When such claims reach the ears of hackers, they will look for ways and means to breach the security barriers you have erected.
So the solution is to fix vulnerabilities silently, without breathing a word about them.
Anything that goes against this basic principle will actually work in hackers' favor, helping them exploit your systems and steal your data.
The Argument in Favor of a Vulnerability Disclosure Policy
When an outsider identifies a potential issue with your hardware, software or website, you should be informed of it.
When a vulnerability is known to others but remains unknown to you, it poses a huge risk.
If you have a VDP in place, you can ensure that the outsider who finds the vulnerability will alert you.
Only then can you ensure the safety and security of your products.
The Ideological Difference
The above introduction runs against the collective opinion of security experts, who feel that it is important to inform the public of vulnerabilities.
This information, according to them, is the most promising means of fixing a security issue.
However, in line with what has been explained above, you will begin to understand that vulnerability disclosures actually put the public in a risky spot.
When you operate through a Vulnerability Disclosure Policy, you will actually be empowering hackers to breach your security barriers without your knowledge.
The Elements of a VDP
A VDP consists of five important elements. They are:
- Promise: An undertaking or assurance given to customers and stakeholders that they will be notified in clear terms about any security vulnerability
- Scope: The span of control, encompassing all the products and properties that come under the purview of a VDP. Additionally, a VDP should also cover all the types of vulnerabilities
- “Safe Harbor”: Shield the reporters of vulnerability from being unduly penalized
- Process: There is a process in place which allows vulnerability finders to disclose vulnerabilities
- Preferences: A living document that explicitly sets out the expectations, priorities and preferences that will be applied to vulnerability reports
You can then initiate communication with finders and work through a process that permits internal teams to validate and mitigate the risk while also disclosing the security vulnerability.
Lastly, a VDP serves to summarize and report to decision-makers and stakeholders all the activities that were initiated to combat security breaches.
How Hackers Exploit VDPs, and the After-Effects on Your Business
When a VDP falls into the hands of a hacker, you are heading into a risky proposition in the following ways.
- Hackers Monetize With Sales to Law Enforcement and Intelligence Agencies
At such times a hacker makes the most of publicly known vulnerabilities that aren’t patched yet, leaving no scope for detection.
Hackers, the bad guys, will then resort to selling this vulnerability information to the good guys, such as law enforcement and internet security software companies.
They will rake in profits through a legal sale, which can also involve anti-social activities such as cyber warfare or child pornography as part of cybercrime.
- Inaction Towards Known Vulnerabilities
Since few people know about a vulnerability, it also becomes difficult for them to acknowledge its presence.
In such cases only hackers who are adept at vulnerability research and quality exploit development can make use of a known vulnerability.
If you look at the statistics, a whopping 99% of all breaches stem from the exploitation of known vulnerabilities for which a patch already exists.
- What If You Notify the Vendor and Resort to Silent Patching
That means you should abstain from publicizing your findings regarding the vulnerabilities.
The vendor will use that information to create and release a silent patch. This way, you will be safeguarding your system from hackers who could gain strength from your VDP.
On the flip side, there have been many instances of vendors initiating legal action against those who breach security and come out in the open about vulnerabilities.
This fear of facing legal action has prompted security researchers to make vulnerabilities public with a guarantee that they will not be taken to task.
Such an act will only jeopardize the goodwill of your company, and hence it is best to steer clear of all such public disclosures.
- Publish Vulnerabilities Upon the Release of a Patch
It is practically impossible for every system to be patched in an instant, as soon as the patch is released.
Once patching is in progress, you may experience downtime, along with the shutdown of certain critical systems and the non-functioning of software applications.
When dealing with critical infrastructure, you simply cannot afford any sort of interruption.
This is the primary reason major companies take a long time to patch vulnerabilities that were published ages ago.
- Short-Term Gains of Hackers
Driven by an exclusive motive to rake in profits, hackers focus on high-volume security compromises conducted on a large scale.
They work with a high level of confidence, knowing that once they exploit the vulnerability a patch will soon be released.
Hence, they focus on gaining through short-term moves, confident that their trespassing will not be detected.
- The Public Becomes the Target Audience
According to this notion, the general public, upon being notified of the vulnerabilities, will act faster than the hacker who is waiting to exploit their systems.
The public will thus be able to secure their systems. Notwithstanding the fact that you are disclosing your vulnerabilities in good faith, you are actually working against the well-being of your organization.
You may ask, how? When you disclose your VDP to the public, you are exposing yourself to an increased risk of hackers breaching your security barriers.
Conclusion
Hackers are well accustomed to the way in which organizations function. They know with certainty that businesses do not fix a vulnerability the moment it is detected.
They need not wait for a zero-day exploit to rake in profits. All they need is a vulnerability disclosure that has been made public.
They will work from this document and exploit your systems. Hence the solution to this ongoing issue of data and system security is to have a strong patching procedure in place.
Author: Shubham Yadav (Certified Ethical Hacker, Forensics Investigator, Penetration Testing Researcher and Bug Bounty Hunter).