Some concepts don't need proving


Ira Winkler, CISSP
11.29.2004

I will never understand the claim that someone only wrote a virus or other computer attack as a "proof of concept." Authors of a proof of concept virus for cell phones recently claimed they just wanted to demonstrate that it could be done, and say it benefits the computer security field. Another company wanted to prove that you can bypass the security of Windows XP SP2. My response: Please don't do me any favors.

So-called proofs of concept have been around for a while. While it is otherwise completely legitimate to search for security flaws in products, putting together a proof of concept, then distributing and publicizing it, is just plain wrong. Frankly, these people are enablers to criminals and vandals around the world.

Hopefully no one ever assumed that cell phones were immune from viruses. Adding Bluetooth and infrared connectivity to devices containing computer processors and software that were built to freely communicate over public telephone lines is clearly not going to help the situation. Any security professional should be well aware that any computer can eventually be abused.

There is a big difference between responsibly finding and reporting vulnerabilities, and going the extra step to put out proof of concept code. Finding vulnerabilities and getting them fixed is clearly important. When done responsibly, discoverers tend to be acknowledged in the associated vendor alerts and, if significant, tech publications as well.

However, more attention is generated by distributing actual attacks to compromise systems. When someone releases a new attack, especially within the first three months of an available patch, it's due solely to wanting exposure, or to be perceived as being elite.

There are rare exceptions, such as when affected vendors or Web sites ignore multiple communications describing the problems. However, distributing an attack before users have a reasonable time to study the problem and test and implement the fixes is completely irresponsible. This can take upwards of a month after the release of a patch in even some of the most diligent organizations. There is always a veiled claim that distributing the attack allows administrators to better study the issue, but they need to mitigate the problem, not study it.

Anyone who claims that security professionals need access to the attacks so that they can test their clients for susceptibility to the exploit doesn't understand the true job of a security professional. Security professionals need to test for the presence of the underlying vulnerability, but this can be done with a scanning tool or examining the software version and settings -- it doesn't require the exploit.
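The point above, that exposure can be established from software version and configuration rather than by running an exploit, is the kind of check a scanner or asset inventory performs. The following is an added illustration, not code from the column or from any product it mentions: it compares each host's reported version against the first fixed version listed in an advisory, and treats a documented mitigating setting as closing the exposure even when the vulnerable code is still installed. The hosts, products, versions, advisory identifiers and settings are all constructed sample data.

```python
"""
Version-and-setting based exposure check (added example, not from the column).

Every host, product, version, advisory id and setting below is constructed
sample data; the advisory ids are placeholders, not real identifiers.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version string into comparable integer components.

    "2.4.10" must sort after "2.4.9"; a plain string comparison gets that wrong,
    which is a classic source of false "patched" results in home-grown checks.
    Non-numeric suffixes (e.g. "-beta") are ignored for comparison purposes.
    """
    parts = []
    for piece in re.split(r"[.\-]", version):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    # Right-pad with zeros so "2.4" and "2.4.0" compare as equal.
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


@dataclass
class Advisory:
    advisory_id: str                     # constructed placeholder id
    product: str
    fixed_in: str                        # first version containing the fix
    # Optional (setting, value) pair that neutralises the flaw without a patch.
    mitigating_setting: Optional[Tuple[str, str]] = None


@dataclass
class Host:
    name: str
    product: str
    version: str
    settings: Dict[str, str] = field(default_factory=dict)


def assess(hosts: List[Host], advisories: List[Advisory]) -> Dict[str, List[str]]:
    """Return {host name: [advisory ids]} for hosts that are still exposed.

    A host is exposed to an advisory when it runs the affected product at a
    version older than the fix AND does not have the mitigating setting applied.
    No exploit is executed; only inventory data is consulted.
    """
    findings: Dict[str, List[str]] = {}
    for host in hosts:
        for adv in advisories:
            if adv.product != host.product:
                continue
            if not version_lt(host.version, adv.fixed_in):
                continue  # already at or beyond the fixed version
            if adv.mitigating_setting is not None:
                key, value = adv.mitigating_setting
                if host.settings.get(key) == value:
                    continue  # vulnerable code present, but the feature is disabled
            findings.setdefault(host.name, []).append(adv.advisory_id)
    return findings


# Constructed sample advisories (ids are placeholders, not real advisories).
SAMPLE_ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "ExampleServer", "2.4.10", ("legacy_module", "off")),
    Advisory("ADV-EXAMPLE-0002", "ExampleServer", "2.4.12"),
]

# Constructed sample inventory.
SAMPLE_HOSTS = [
    Host("web-01", "ExampleServer", "2.4.9"),                              # unpatched
    Host("web-02", "ExampleServer", "2.4.10"),                             # first fix only
    Host("web-03", "ExampleServer", "2.4.9", {"legacy_module": "off"}),    # mitigated for 0001
    Host("web-04", "ExampleServer", "2.10.0"),                             # newer than both fixes
    Host("db-01", "OtherProduct", "1.0"),                                  # unaffected product
]


if __name__ == "__main__":
    for name, ids in sorted(assess(SAMPLE_HOSTS, SAMPLE_ADVISORIES).items()):
        print(f"{name}: exposed to {', '.join(ids)}")
```

The numeric version comparison matters more than it looks: "2.10.0" compares as older than "2.4.12" under string ordering, which would report a current host as vulnerable. The mitigating-setting branch is what lets a defender close an exposure during the weeks between patch release and completed rollout that the column describes.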

Some perform penetration testing and may legitimately need to use the attack, but I would contend that these people should be capable of writing their own attack after reviewing the documentation, using commercially available tools, or simply using other exploits to accomplish their mission. The benefit provided by one legitimate use does not outweigh the large-scale malicious use of an attack by hackers around the world. If the attack is incorporated into worms, as happened with the Blaster worm, the damage runs into the billions of dollars.

I like to equate the work of security practitioners to doctors. Most of our work should be preventative. Sadly, like doctors, our patients ignore our advice, and we end up treating diseases. This also means that we should strive to "first, do no harm."

Some horror movies work on the premise that a doctor wants to create a miracle cure, but also creates a terrible disease to "study it." These well-meaning researchers inevitably let the disease escape, or more frequently a lunatic or terrorist purposefully releases the disease, creating havoc. Security professionals should not create horror stories just for the sake of getting the credit.

About the author
Ira Winkler, CISSP, CISM, has almost 20 years of experience in the intelligence and security fields and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.
