4 Reasons the Vulnerability Disclosure Process Stalls

The relationship between manufacturers and researchers is often strained. Here's why, along with some resources to help.
The relationship between a manufacturer or vendor and security researchers can be filled with tension and unease, and it's most often put to the test during the vulnerability disclosure process. Although their intentions are pure, researchers often feel they are being shut out of the process, while vendors may see disclosure deadlines as a threat from researchers looking to produce headlines.
This difficult relationship is further strained as the Internet of Things (IoT) market continues to grow at a rapid clip. In a market that is expected to increase from $57 billion in 2016 to $158 billion by 2021, more manufacturers are eagerly looking to cash in on this trend. Yet security is often an afterthought in the development of these new smart devices.
To keep these connected devices and their users secure, security companies are holding manufacturers accountable. Recently, Trustwave's Penetration Testing team within SpiderLabs discovered a backdoor in nearly all devices produced by voice-over-IP specialist DBLTek. When the SpiderLabs team disclosed the discovery, DBLTek responded by further burying the backdoor rather than closing it, then proceeded to cut off contact with Trustwave.
This experience is not uncommon, but, fortunately, the proportion of vulnerabilities disclosed in coordination with third parties rose from 26% in 2012 to 45% in 2016, and coordinated disclosures now outnumber uncoordinated ones by a ratio of more than 3 to 1, according to a report by Risk Based Security.
Here are the top four reasons the disclosure process hits roadblocks:
An Unclear Path: As simple as it may sound, one of the biggest issues in the disclosure process is unclear guidelines regarding to whom one should disclose the issue. Finding that contact is the first step researchers take after a vulnerability is found, but organizations often lack a proper internal path for these types of escalations, and if they do have one, it often isn't easy for researchers to find.
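One concrete way for a vendor to make that contact path discoverable is to publish a security.txt file (RFC 9116) at /.well-known/security.txt, and one way for a researcher to check whether a vendor has done so is to fetch and validate it. The validator below is an added example written for this article, not code from the author or from Trustwave; the two security.txt bodies it checks are constructed samples, and the `example.com` addresses in them are placeholders.

```python
"""Parse and validate a security.txt file (RFC 9116).

RFC 9116 requires a Contact field and exactly one Expires field, allows
Preferred-Languages at most once, and recommends that Expires fall less
than a year in the future. Field names are case-insensitive.
"""
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("contact", "expires")
SINGLE_VALUED_FIELDS = ("expires", "preferred-languages")
ACCEPTED_CONTACT_SCHEMES = ("mailto:", "https://", "tel:")

# Constructed sample: a well-formed file a vendor might publish.
GOOD_SECURITY_TXT = """\
# Vulnerability disclosure contact (constructed example)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2024-06-30T23:59:59Z
Preferred-Languages: en, de
Policy: https://example.com/disclosure-policy
"""

# Constructed sample: no Contact field and an already-expired file.
BAD_SECURITY_TXT = """\
Expires: 2020-01-01T00:00:00Z
Policy: http://example.com/disclosure-policy
"""


def parse_security_txt(text):
    """Return {lower-cased field name: [values...]} for a security.txt body."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no fields
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)  # split on the first colon only
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field: {name}")

    for name in SINGLE_VALUED_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must appear at most once: {name}")

    for contact in fields.get("contact", []):
        if not contact.startswith(ACCEPTED_CONTACT_SCHEMES):
            problems.append(f"contact is not a mailto:, https:// or tel: URI: {contact}")

    if len(fields.get("expires", [])) == 1:
        stamp = fields["expires"][0].replace("Z", "+00:00")  # tolerate older Pythons
        try:
            expires = datetime.fromisoformat(stamp)
        except ValueError:
            problems.append("expires is not an RFC 3339 date-time")
        else:
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            if expires <= now:
                problems.append("file has expired; researchers should not trust its contacts")
            elif expires - now > timedelta(days=365):
                problems.append("expires is more than a year away (RFC 9116 recommends less)")

    return problems


if __name__ == "__main__":
    checked_at = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for label, body in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, validate_security_txt(body, now=checked_at) or "OK")
```

A vendor can run the same check against its own published file before pointing researchers at it; an expired or contact-less file is as good as none, because RFC 9116 tells researchers not to rely on a file past its Expires date.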
Language Barriers: As a result of low barriers to entry into the IoT market, the number of manufacturers and companies producing and selling IoT devices is rising around the world. As global production rises, the language barrier among vendor, manufacturer, and researcher becomes a greater problem. The breakdown in communication often adds significant delays to the disclosure process, prolonging the life of the vulnerability and continuing to put the end user at risk.
Unskilled Personnel: Organizations seeking to cash in on a new IT trend will often hire third-party developers to produce and code their products. However, once their products are up and running, these organizations will let their developer teams go, turning all of their efforts to marketing and sales. Once the developers are gone and a vulnerability is found, there is often no one left on staff well equipped enough to understand the disclosure process, let alone skilled enough to issue a patch.
Research from Trustwave further supports the point that IT teams lack the resources to ensure proper security measures are in place. A study of 147 IT security decision makers and influencers, "Money, Minds and the Masses: A Study of Cybersecurity Resource Limitations," found that 57% of respondents report finding and recruiting IT talent to be their biggest challenge. In fact, only 8% believe three-quarters or more of their IT staff have the specialized skills and training needed to handle complex issues. There's no doubt that this skills shortage becomes a major hindrance on the path to disclosing vulnerabilities.
Fear of Bad Publicity: One of the biggest fears companies face is becoming the next big (bad) headline, or their small business going under because of negative publicity.
When contacted from outside sources, vendors are often quick to panic over the possibility that word has gotten out that one of their products contains a vulnerability. This can lead an organization to completely bury the news and, in extreme cases, cease all communication with outside researchers.
It is vital for companies to realize that it's nearly impossible to create products without vulnerabilities; even some of the most reputable firms have released products with severe vulnerabilities, but how they respond is what truly matters.
The disclosure process may seem like a gray area to most organizations, but there are several resources available that provide best practices. For example, the National Telecommunications and Information Administration — an agency located within the Commerce Department — has created a provisional draft of "Guidelines and Practices for Multi-Party Vulnerability Coordination" in order to establish a broad, shared understanding of overlapping interests between security researchers and vendors, and to encourage increased collaboration.
In the continued effort to help move this process forward, the Library of Congress has issued new exemptions to the Digital Millennium Copyright Act (DMCA), creating protections for Americans to hack their own devices without fear that the DMCA's ban on evading protections on copyrighted systems would allow manufacturers to sue them.
The simple act of building openness and responsiveness into the vulnerability disclosure process has allowed people to report flaws that very well could have had life-altering consequences for those interacting with everyday products.
Lawrence Munro works with Trustwave's elite team of forensic investigators, researchers, and ethical hackers, SpiderLabs, as worldwide vice president of SpiderLabs at Trustwave, responsible for all penetration testing functions within the practice. Lawrence has over 12 years ...