Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/24/2017
10:00 AM
Lawrence Munro
Lawrence Munro
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

4 Reasons the Vulnerability Disclosure Process Stalls

The relationship between manufacturers and researchers is often strained. Here's why, along with some resources to help.

The relationship between a manufacturer or vendor and security researchers can be filled with tension and unease, and it's most often put to the test during the vulnerability disclosure process. Although their intentions are pure, researchers often feel they are being shut out of the process, while vendors may see disclosure deadlines as a threat from researchers looking to produce headlines.

This difficult relationship is further strained as the Internet of Things (IoT) market continues to grow at a rapid clip. In a market that is expected to increase from $57 billion in 2016 to $158 billion by 2021, more manufacturers are eagerly looking to cash in on this trend. Yet security is often an afterthought in the development of these new smart devices.    

To keep these connected devices and their users secure, security companies are holding manufacturers accountable. Recently, Trustwave's Penetration Testing team within SpiderLabs discovered a backdoor in nearly all devices produced by voice-over-IP specialist DBLTek. When the SpiderLabs team disclosed the discovery, DBLTek responded by further burying the backdoor rather than closing it, then proceeded to cut off contact with Trustwave.

This experience is not uncommon, but, fortunately, the proportion of vulnerabilities disclosed in coordination with third parties rose from 26% in 2012 to 45% percent in 2016, and coordinated disclosures now outnumber uncoordinated ones by a ratio of more than 3 to 1, according to a report by Risk Based Security.

Here are the top four reasons the disclosure process hits roadblocks:

An Unclear Path: As simple as it may sound, one of the biggest issues in the disclosure process is unclear guidelines regarding to whom one should disclose the issue. This is the first step researchers take after a vulnerability is found, but organizations often lack a proper internal path for these types of escalations; and if they do have one, it often isn't easy for researchers to find.

Language Barriers: As a result of low barriers to entry into the IoT market, the number of manufacturers and companies producing and selling IoT devices is rising around the world. As global production rises, the language barrier among vendor, manufacturer, and researcher becomes a greater problem. The breakdown in communication often adds significant delays in the disclosure process, prolonging the life of the exploit and continuing to put the end user at risk.   

Unskilled Personnel: Organizations seeking to cash in on a new IT trend will often hire third-party developers to produce and code their products. However, once their products are up and running, these organizations will let their developer teams go, turning all of their efforts to marketing and sales. Once the developers are gone and a vulnerability is found, there is often no one left on staff well equipped enough to understand the disclosure process, let alone skilled enough to issue a patch.

Research from Trustwave further supports the issue of limited resources on IT teams to ensure proper security measures are in place. A study of 147 IT security decision makers and influencers, "Money, Minds and the Masses: A Study of Cybersecurity Resource Limitations," found 57% of respondents report finding and recruiting IT talent to be their biggest challenge. In fact, only 8% believe three-quarters or more of their IT staff have the specialized skills and training needed to handle complex issues. There's no doubt that this skills shortage becomes a major hindrance on the path of disclosing vulnerabilities.   

Fear of Bad Publicity: One of the biggest fears companies face is becoming the next big (bad) headline, or their small business going under because of negative publicity. 

When contacted from outside sources, vendors are often quick to panic over the possibility that word has gotten out that one of their products contains a vulnerability. This can lead an organization to completely bury the news and, in extreme cases, cease all communication with outside researchers.

It is vital for companies to realize that it's nearly impossible to create products without vulnerabilities; even some of the most reputable firms have released products with severe vulnerabilities, but how they respond is what truly matters. 

Moving Forward
The disclosure process may seem like a gray area to most organizations, but there are several resources available that provide best practices. For example, the National Telecommunications and Information Administration — an agency located within the Commerce Department — has created a provisional draft of "Guidelines and Practices for Multi-Party Vulnerability Coordination" in order to establish a broad, shared understanding of overlapping interests between security researchers and vendors, and to encourage increased collaboration.  

In the continued effort to help move this process forward, the Library of Congress has issued new exemptions to the Digital Millennium Copyright Act (DMCA), creating protections for Americans to hack their own devices without fear that the DMCA's ban on evading protections on copyrighted systems would allow manufacturers to sue them.

The simple act of implementing openness and responsiveness in the vulnerability disclosure processes has allowed people to report things that very well could have had life-altering consequences for those interacting with everyday products. 

Related Content:

 

Lawrence Munro works with Trustwave's elite team of forensic investigators, researchers, and ethical hackers, SpiderLabs, as worldwide vice president of SpiderLabs at Trustwave, responsible for all penetration testing functions within the practice. Lawrence has over 12 years ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/24/2017 | 12:18:56 PM
Fear of Bad Publicity
I can understand the fear of bad publicity, but bad publicity will become exponentially worse if some entity outside of the company discloses the vulnerability.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...