Tuesday, 16 March 2010

The Vulnerability Management Game

I have been asked to speak about IT Security Vulnerability Management at a Security Conference, and it got me thinking. Vulnerability Management is the good practice of finding security weaknesses, which bad guys may exploit (hack) and then fixing them. It’s an endless cycle of finding and fixing, Why? Because software code is extremely complicated and tends to be highly rushed by developers these days. Some code can even be millions of lines long, code is never perfect and so never can be bullet proof secure, it’s just a question of discovering the vulnerabilities which are present. This is the reason why Microsoft release security patches on at least a monthly basis and why Microsoft will continue to release security patches as long as they have software to support.

An interesting vulnerability management game is played by security vulnerability management vendors and security researchers, as it these vendors and security researchers which tend to find the vast majority of the most threatening vulnerabilities. Finding high risk vulnerabilities is good, however they usually announce their findings to the world; what exactly the vulnerability is, and how it could be exploited, so telling the bad guys along with the good guys. There is clear evidence the bad guys wait for these announcements and act on them before the good guys have chance to apply fixes. I'm not sure if anything can be done about this part of game, while it is plain old bad security to assume bad guys do not known about vulnerabilities which the security vendors have to yet to discover. However with mass vulnerability exploitation, more often than not, I am seeing an “IT Security Industry” vulnerability announcement and media coverage which has started the ball rolling.

Worst yet are “zero day” vulnerabilities, which is the term to describe the announcement of a vulnerability which has yet to have a fix available. Remember it can take time to code and test vulnerability fixes. The worst case scenario is to have a vulnerability activity exploited by bad guys without the software provider having a fix ready.  A recent example of a “Zero Day” vulnerability was with Microsoft Internet Explorer - http://news.bbc.co.uk/1/hi/technology/7784908.stm  Announcement of "zero day" vulnerabilities which aren't being actively exploited on mass is particularly shaky ground, why not wait until a patch is ready for release? I know there has been issues in companies not listening to security vulnerability researchers, even threatening to sue them, but I can't see how it can be right to publish a vulnerability which doesn't have a fix.

So let us switch this around another way, last week I took a couple of flights, and despite all security checking at the airports, I thought of several ways I could of successfully bypassed the airport security to get “banned” items onto the plane. So these are airport security vulnerabilities, just like IT vulnerabilities, remember no system can ever be 100% secure. As a society we are all very sensitive about airport security, mainly thanks to media led risk assessment of terrorism- I’ll save that one for another blog post.

My main point is this, I am not going to announce to the world how to bypass airport security, because:

(A) I don’t think it is ethical

(B) I don’t think it would reduce risk and make flying safer, even should someone from the airport security industry be actually willing to listen, I think they would accept the risk (the vulnerabilities)

(C) Just saying them could get me arrested thanks to the UK’s strict anti-terrorism laws

(D) This is the most important reason. I really don’t want to tell bad guys how to bypass airport security.

Again I do not assume terrorists don't already know about weaknesses in airport security, I'm sure airport security authorities know their security weaknesses as well. But even though some terrorist may know about vulnerabilities in the systems, it serves no purpose in telling them all about all possible weakness in our airport's security, it by nature can never be 100% secure, is a question of risk management, so why is the security industry chomping at the bit to tell world about all weaknesses in our IT systems?


Anonymous said...

Dave you are not comparing apples to apples.

Are you responsible for implementing security controls at airports? No.

If you're responsible for implementing security controls in an IT infrastructure, wouldn't you prefer you were told about a vulnerability from a whitehat instead of the whitehat keeping it a secret while in parallel a blackhat discovers the vulnerability?

And, even with that said, if there's a vuln in airport security, you better believe those folks who have the motive to exploit it already know about it, or will find it soon.

avoid bankruptcy said...

thanks for the post it was very nice one

IT security said...

You have posted such a nice article. Thumbs up! Very nice article.