
New Approaches to Disclosure of Vulnerabilities Needed

Posted by Carl Weinschenk Jul 30, 2008 1:39:19 PM

The security vendor and service-provider fraternity should take the X-Force 2008 Midyear Trend Statistics, released this week, quite seriously. The implication of the report is that events have bypassed the industry's procedure for handling problems.


Currently, researchers who find a vulnerability provide the information to the vendors, hoping they will create a patch. After a suitable period of time, the researcher or his or her organization releases an advisory, which includes code related to the flaw.


That approach works fine in an era in which there is a significant lag between the disclosure and the time it takes bad folks to do anything with it. With automated tools, however, the period between release of the advisory and emergence of exploits has been reduced essentially to nothing. The report says 94 percent of browser-related attacks occurred within 24 hours of disclosure, making them so-called "zero-day" exploits. This guarantees that there will be many unpatched systems to attack.


The release of the X-Force report comes a few weeks after the announcement of a systemic Domain Name System flaw. The news was big enough to drag details of the DNS into The New York Times, National Public Radio and other mass-media outlets; the flaw threatens to allow crackers to lead surfers to fake sites where all sorts of evil will befall them.


Researcher Dan Kaminsky, who found the DNS problem, didn't release details of the flaw when he announced its existence. He also asked those who did figure it out to keep quiet until the Black Hat Briefings conference, which kicks off on Saturday. He is scheduled to make details public at that point. Not everyone agreed, as is noted by this InformationWeek commentary, which, in part, details work done by Halvar Flake to replicate Kaminsky's work. Even if everyone were on the same page, the system seems a bit too informal to stand up now that vulnerabilities and their potential for profit have caught the eye of organized crime.


Today, bad guys -- including organized crime -- have access to tools that allow even the inexperienced to launch an attack. The treatment of the DNS flaw and the X-Force report lead to the same conclusion: The way in which newly discovered vulnerabilities are handled must be rethought.
