New vulnerabilities are discovered and disclosed with alarming frequency these days. Like clockwork, 10 vulnerabilities are found each day to augment the leaks in our already-sinking ships. And we welcome the news with masochistic greed. The reality is that these newest vulnerabilities, regardless of individual identity and characteristics, are comfort food for security professionals, giving us work to do that appears useful and yet contributing to an overall weakening of defenses in our computing infrastructure.
There are two primary reasons that security professionals use to justify the practice of vulnerability seeking:
1) It is better to know about a specific vulnerability than not to be aware of it. This argument also has a corollary that every vulnerability found is one less to worry about. The problem here is that we will never find all of the vulnerabilities, and even if we did we couldn't prove it nor would it be prudent to act as if it were true. Given the strong likelihood (if history is our guide) that there are more vulnerabilities being created every day (by developers) than are being discovered, we are taking one step forward and two steps back.
2) It is better that we find the vulnerability before the bad guys do. This gets even more nefarious when someone throws in the notion of state-sponsored espionage, access to source code, etc. Sure, it is an admirable goal to attempt to find these vulnerabilities but the numbers just don't work. With so many
Once evaluated, neither reason provides a good foundation for continuing the practice of vulnerability seeking, but it gets much worse when we consider the consequences:
- The media has created a virtual crowd yelling "jump" to some unsuspecting script-kiddie on a ledge who is going to make a bad decision and ruin his life. (We know they are script-kiddies because there is little reason for the real bad guys to participate in this circus).
- It distracts us from the true attackers that have bigger targets in mind as they lurk amidst the noisiness of the worm and virus scene, a scene which is turning into nothing more than teenagers playing a high-tech game with real victims. Sometimes I wonder if people really believe that malicious threats exist (I certainly do) given the attention paid to the noise.
- It is a fundamental conflict of interest for any security company that makes and sells security solutions to also instigate their use by creating a higher risk atmosphere on the Net with these discoveries. This is an important point that seems to be generally ignored -- it's one thing to sell fire insurance to those who need it and a whole different ball game to commit arson to perpetuate FUD and generate revenue. With the more recent practice of attacking competing security products this becomes downright scandalous.
Ultimately, it is no big accomplishment to find vulnerabilities. Think of the things that could be done to better characterize and contain the threat. Things like identifying the allowed behaviors of complex software to create "Software Safety Data Sheets" in the same vein as Material Safety Data Sheets in the chemical world. Things like deploying and monitoring honeypots to distract attackers and waste their time. Things like developing technical threat models to protect against attacks regardless of whether vulnerability is known or not. Things like infiltrating the command and control of botnets to weaken the attackers.
The days of vulnerability hunting in support of better security are over. We have unsuccessfully "fought the good fight" for years under the lofty banner of trying to make computing environments more secure. But this failure is no surprise, because we were doomed from the start. With today's threats demonstrating an overwhelming level of power and complexity, the amount and extent of damage are too great to continue on with our traditional process of discovery and disclosure.
About the author
Pete Lindstrom, CISSP, is research director at Spire Security.
Have an opinion on this article? E-mail your letters to Shawna McAlearney, and include your name, title and organization. Letters may be edited for space and clarity.
This was first published in October 2004