Ever since the first computer bug was recorded in 1947 by Grace Hopper, there has been controversy around how security vulnerabilities are handled, which has led to the ongoing debate over responsible disclosure. One relatively recent development has been the emergence of slick marketing for security vulnerability announcements.
Part of the disclosure debate has been about raising awareness of vulnerabilities and getting the vulnerabilities patched. As the security industry has matured, more resources have been devoted to marketing the labor-intensive work done in identifying security vulnerabilities and making the infosec industry aware of them. This marketing has spilled over into targeting a broader audience, which has resulted in overhype spreading fear, uncertainty and doubt, regardless of the severity of a vulnerability.
This tip will explore the marketing of branded vulnerabilities, the potential problems it creates and what enterprises can do to ensure they are protected.
Marketing branded vulnerabilities
The most recent branded vulnerability as of this writing (a new one seems to be produced every couple of months) is Badlock. Badlock was marketed by SerNet with a catchy name and a logo. It was preceded by DROWN, Heartbleed, POODLE and other branded vulnerabilities. Badlock was preannounced three weeks before details were released, which some security experts questioned as a move to generate hype for SerNet's final report.
Given Badlock's name and hype, some in the industry assumed it would be a vulnerability in the file locking functionality of Windows networking that allows unauthenticated remote code execution. Windows networking has a long and checkered security track record, and Microsoft used to issue preannouncements for critical vulnerabilities. Previous vulnerabilities in Windows networking enabled Windows networking worms and caused enterprises to block Windows networking from the internet, which fueled general concern around vulnerabilities in Windows networking. In fact, Badlock is a vulnerability in implementations of the Server Message Block protocol used for Windows networking that allows man-in-the-middle attacks. The marketing name of SerNet's discovery was therefore misleading, and it could have led security teams to devote unnecessary time, energy and resources to looking for the vulnerability in the wrong place. In addition, many experts felt SerNet overhyped the importance of the vulnerability to gain more media attention.
Potential problems with marketing branded vulnerabilities
There are several challenges created when vulnerability marketing overhypes a vulnerability. Naming a vulnerability is of limited use because most vulnerability scanners use CVE numbers to identify a vulnerability and to piece together the responses from multiple software vendors. Being able to track a vulnerability effectively across a large network with a scanning tool matters much more than giving it a catchy name.
Announcing a patch in advance allows enterprises to prepare for a rapid deployment, but it should be reserved for critical vulnerabilities that need immediate patching on sensitive systems. Enterprises want to reserve these activities for high-risk vulnerabilities because of the impact of disrupting operations. If the vulnerability is not critical, following a predetermined schedule like Microsoft's monthly patch cycle lets enterprises know what to expect and is less stressful for the security professionals responsible for ensuring systems are patched.
The amount of detail released in a preannouncement or zero-day notification greatly influences whether enterprises can add detection capabilities to their existing tools and whether a malicious actor could create an exploit before a patch is released. This is the core of the responsible disclosure debate, and the effectiveness of the announcement should be weighed before vulnerabilities are announced without a patch. Enterprises and the information security industry will appreciate preannouncements when there is sufficient reason, as in the case of Heartbleed, and when they have the capability to detect the vulnerability using their existing tools.
What enterprises can do to ensure they are protected
Every time the disclosure debate resurfaces -- like the encryption debate -- the infosec industry should redouble its efforts to evaluate how basic security hygiene can be streamlined so that it is performed more easily and faster. An enterprise must first have a basic vulnerability management program in place, so that when a vulnerability is announced, assuming detection details are released, the enterprise can identify vulnerable systems. As Heartbleed and many other vulnerabilities have shown, an enterprise needs to scan far and wide to identify vulnerable systems, including the ones outside its data centers. While systems with sensitive data might be prioritized first, the patching effort extends outside the data center to include systems hosted in the cloud.
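To make the two practical points above concrete (tracking a vulnerability by CVE number rather than by brand name, and identifying affected systems across both data center and cloud assets so that sensitive ones are patched first), here is an added example that is not part of the original tip. It resolves a branded name to the CVE IDs it covers, merges findings from two hypothetical scanners with different output formats, and ranks affected hosts for patching. The alias table, asset inventory, scanner output and CVE IDs are all constructed placeholders, not real identifiers.

```python
"""
Correlate multi-scanner findings by CVE ID, resolve a branded vulnerability
name to the CVE IDs it actually covers, and rank affected hosts for patching.
Everything below (CVE IDs, hosts, scanner lines) is a constructed placeholder.
"""
import re
from collections import defaultdict

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Hypothetical alias table: a marketing name maps to the CVE IDs the
# announcement covers. The IDs are placeholders, not real CVE numbers.
BRAND_ALIASES = {
    "badlock-example": {"CVE-0000-0001", "CVE-0000-0002"},
}

# Constructed asset inventory: on-prem and cloud hosts with data sensitivity.
INVENTORY = {
    "fs01.corp.example": {"location": "datacenter", "sensitivity": "high"},
    "web02.cloud.example": {"location": "cloud", "sensitivity": "high"},
    "kiosk07.corp.example": {"location": "datacenter", "sensitivity": "low"},
    "build01.cloud.example": {"location": "cloud", "sensitivity": "low"},
}

# Constructed output from two hypothetical scanners with different formats:
# scanner A emits pipe-delimited lines, scanner B emits records whose plugin
# title embeds the CVE ID.
SCANNER_A_LINES = [
    "fs01.corp.example|CVE-0000-0001|SMB signing downgrade",
    "kiosk07.corp.example|CVE-0000-0002|SMB man-in-the-middle",
]
SCANNER_B_RECORDS = [
    {"asset": "web02.cloud.example", "plugin": "smb-mitm (CVE-0000-0001)"},
    {"asset": "build01.cloud.example", "plugin": "unrelated (CVE-0000-0099)"},
]


def resolve_brand(name):
    """Return the CVE IDs behind a branded name, or the ID itself if given one."""
    if CVE_RE.fullmatch(name):
        return {name}
    return set(BRAND_ALIASES.get(name.lower(), ()))


def parse_scanner_a(lines):
    """Yield (host, cve) pairs from scanner A's pipe-delimited lines."""
    for line in lines:
        host, cve, _title = line.split("|", 2)
        yield host, cve


def parse_scanner_b(records):
    """Yield (host, cve) pairs by extracting CVE IDs from plugin titles."""
    for rec in records:
        for cve in CVE_RE.findall(rec["plugin"]):
            yield rec["asset"], cve


def merge_findings(*sources):
    """Merge (host, cve) pairs from any number of scanners into cve -> hosts."""
    by_cve = defaultdict(set)
    for source in sources:
        for host, cve in source:
            by_cve[cve].add(host)
    return by_cve


def affected_hosts(name, by_cve, inventory):
    """Hosts affected by a brand name or CVE ID, ranked for patching.

    High-sensitivity hosts come first; cloud and datacenter hosts are both
    included so nothing outside the data center is overlooked.
    """
    cves = resolve_brand(name)
    hosts = set()
    for cve in cves:
        hosts |= by_cve.get(cve, set())
    rank = {"high": 0, "low": 1}
    return sorted(hosts, key=lambda h: (rank[inventory[h]["sensitivity"]], h))


if __name__ == "__main__":
    findings = merge_findings(
        parse_scanner_a(SCANNER_A_LINES), parse_scanner_b(SCANNER_B_RECORDS)
    )
    for host in affected_hosts("badlock-example", findings, INVENTORY):
        print(host, INVENTORY[host])
```

The key design point is that the brand name is only an entry point: everything downstream (merging scanner output, deciding what to patch first) is keyed on CVE IDs, so a misleading or changed marketing name cannot send the team looking in the wrong place.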
Creating catchy names for vulnerabilities like Badlock will eventually jump the shark when Betty White does a voiceover announcement for the next vulnerability. The disclosure debate will continue regardless of the other issues going on in information security, and the rise of cloud computing adds a new dimension to it. An enterprise that takes a pragmatic approach to information security will have a plan ready to execute when a high-profile zero-day is dropped. The attention-grabbing announcement will catch the enterprise's notice, and the enterprise will feed it into its process without undue concern. That same enterprise will do the hard work of basic hygiene to ensure it is protected.