Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/24/2017
10:00 AM
Lawrence Munro
Lawrence Munro
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

4 Reasons the Vulnerability Disclosure Process Stalls

The relationship between manufacturers and researchers is often strained. Here's why, along with some resources to help.

The relationship between a manufacturer or vendor and security researchers can be filled with tension and unease, and it's most often put to the test during the vulnerability disclosure process. Although their intentions are pure, researchers often feel they are being shut out of the process, while vendors may see disclosure deadlines as a threat from researchers looking to produce headlines.

This difficult relationship is further strained as the Internet of Things (IoT) market continues to grow at a rapid clip. In a market that is expected to increase from $57 billion in 2016 to $158 billion by 2021, more manufacturers are eagerly looking to cash in on this trend. Yet security is often an afterthought in the development of these new smart devices.    

To keep these connected devices and their users secure, security companies are holding manufacturers accountable. Recently, Trustwave's Penetration Testing team within SpiderLabs discovered a backdoor in nearly all devices produced by voice-over-IP specialist DBLTek. When the SpiderLabs team disclosed the discovery, DBLTek responded by further burying the backdoor rather than closing it, then proceeded to cut off contact with Trustwave.

This experience is not uncommon, but, fortunately, the proportion of vulnerabilities disclosed in coordination with third parties rose from 26% in 2012 to 45% percent in 2016, and coordinated disclosures now outnumber uncoordinated ones by a ratio of more than 3 to 1, according to a report by Risk Based Security.

Here are the top four reasons the disclosure process hits roadblocks:

An Unclear Path: As simple as it may sound, one of the biggest issues in the disclosure process is unclear guidelines regarding to whom one should disclose the issue. This is the first step researchers take after a vulnerability is found, but organizations often lack a proper internal path for these types of escalations; and if they do have one, it often isn't easy for researchers to find.

Language Barriers: As a result of low barriers to entry into the IoT market, the number of manufacturers and companies producing and selling IoT devices is rising around the world. As global production rises, the language barrier among vendor, manufacturer, and researcher becomes a greater problem. The breakdown in communication often adds significant delays in the disclosure process, prolonging the life of the exploit and continuing to put the end user at risk.   

Unskilled Personnel: Organizations seeking to cash in on a new IT trend will often hire third-party developers to produce and code their products. However, once their products are up and running, these organizations will let their developer teams go, turning all of their efforts to marketing and sales. Once the developers are gone and a vulnerability is found, there is often no one left on staff well equipped enough to understand the disclosure process, let alone skilled enough to issue a patch.

Research from Trustwave further supports the issue of limited resources on IT teams to ensure proper security measures are in place. A study of 147 IT security decision makers and influencers, "Money, Minds and the Masses: A Study of Cybersecurity Resource Limitations," found 57% of respondents report finding and recruiting IT talent to be their biggest challenge. In fact, only 8% believe three-quarters or more of their IT staff have the specialized skills and training needed to handle complex issues. There's no doubt that this skills shortage becomes a major hindrance on the path of disclosing vulnerabilities.   

Fear of Bad Publicity: One of the biggest fears companies face is becoming the next big (bad) headline, or their small business going under because of negative publicity. 

When contacted from outside sources, vendors are often quick to panic over the possibility that word has gotten out that one of their products contains a vulnerability. This can lead an organization to completely bury the news and, in extreme cases, cease all communication with outside researchers.

It is vital for companies to realize that it's nearly impossible to create products without vulnerabilities; even some of the most reputable firms have released products with severe vulnerabilities, but how they respond is what truly matters. 

Moving Forward
The disclosure process may seem like a gray area to most organizations, but there are several resources available that provide best practices. For example, the National Telecommunications and Information Administration — an agency located within the Commerce Department — has created a provisional draft of "Guidelines and Practices for Multi-Party Vulnerability Coordination" in order to establish a broad, shared understanding of overlapping interests between security researchers and vendors, and to encourage increased collaboration.  

In the continued effort to help move this process forward, the Library of Congress has issued new exemptions to the Digital Millennium Copyright Act (DMCA), creating protections for Americans to hack their own devices without fear that the DMCA's ban on evading protections on copyrighted systems would allow manufacturers to sue them.

The simple act of implementing openness and responsiveness in the vulnerability disclosure processes has allowed people to report things that very well could have had life-altering consequences for those interacting with everyday products. 

Related Content:

 

Lawrence Munro works with Trustwave's elite team of forensic investigators, researchers, and ethical hackers, SpiderLabs, as worldwide vice president of SpiderLabs at Trustwave, responsible for all penetration testing functions within the practice. Lawrence has over 12 years ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/24/2017 | 12:18:56 PM
Fear of Bad Publicity
I can understand the fear of bad publicity, but bad publicity will become exponentially worse if some entity outside of the company discloses the vulnerability.
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7981
PUBLISHED: 2020-01-25
sql.rb in Geocoder before 1.6.1 allows Boolean-based SQL injection when within_bounding_box is used in conjunction with untrusted sw_lat, sw_lng, ne_lat, or ne_lng data.
CVE-2019-0141
PUBLISHED: 2020-01-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-7596
PUBLISHED: 2020-01-25
Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument.
CVE-2020-7980
PUBLISHED: 2020-01-25
Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed.
CVE-2012-6613
PUBLISHED: 2020-01-25
D-Link DSR-250N devices with firmware 1.05B73_WW allow Persistent Root Access because of the admin password for the admin account.