An interesting vulnerability management game is played by security vulnerability management vendors and security researchers, as it is these vendors and researchers who tend to find the vast majority of the most threatening vulnerabilities. Finding high-risk vulnerabilities is good; however, they usually announce their findings to the world: what exactly the vulnerability is and how it could be exploited, so telling the bad guys along with the good guys. There is clear evidence the bad guys wait for these announcements and act on them before the good guys have a chance to apply fixes. I'm not sure if anything can be done about this part of the game, while it is plain old bad security to assume the bad guys do not know about vulnerabilities which the security vendors have yet to discover. However, with mass vulnerability exploitation, more often than not I am seeing an "IT Security Industry" vulnerability announcement and media coverage which has started the ball rolling.
So let us switch this around another way. Last week I took a couple of flights, and despite all the security checking at the airports, I thought of several ways I could have successfully bypassed airport security to get "banned" items onto the plane. These are airport security vulnerabilities, just like IT vulnerabilities; remember, no system can ever be 100% secure. As a society we are all very sensitive about airport security, mainly thanks to media-led risk assessment of terrorism; I'll save that one for another blog post.
My main point is this: I am not going to announce to the world how to bypass airport security, because:
(A) I don't think it is ethical.
(B) I don't think it would reduce risk and make flying safer; even if someone from the airport security industry were actually willing to listen, I think they would simply accept the risk (the vulnerabilities).
(C) Just stating them could get me arrested, thanks to the UK's strict anti-terrorism laws.
(D) This is the most important reason: I really don't want to tell the bad guys how to bypass airport security.
Again, I do not assume terrorists don't already know about weaknesses in airport security, and I'm sure the airport security authorities know their own weaknesses as well. But even though some terrorists may know about vulnerabilities in the systems, it serves no purpose to tell them all about every possible weakness in our airports' security, which by its nature can never be 100% secure; it is a question of risk management. So why is the security industry chomping at the bit to tell the world about all the weaknesses in our IT systems?
3 comments:
Dave, you are not comparing apples to apples.
Are you responsible for implementing security controls at airports? No.
If you're responsible for implementing security controls in an IT infrastructure, wouldn't you prefer you were told about a vulnerability from a whitehat instead of the whitehat keeping it a secret while in parallel a blackhat discovers the vulnerability?
And, even with that said, if there's a vuln in airport security, you better believe those folks who have the motive to exploit it already know about it, or will find it soon.
Thanks for the post, it was a very nice one.
You have posted such a nice article. Thumbs up! Very nice article.