Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/24/2017
10:00 AM
Lawrence Munro
Lawrence Munro
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

4 Reasons the Vulnerability Disclosure Process Stalls

The relationship between manufacturers and researchers is often strained. Here's why, along with some resources to help.

The relationship between a manufacturer or vendor and security researchers can be filled with tension and unease, and it's most often put to the test during the vulnerability disclosure process. Although their intentions are pure, researchers often feel they are being shut out of the process, while vendors may see disclosure deadlines as a threat from researchers looking to produce headlines.

This difficult relationship is further strained as the Internet of Things (IoT) market continues to grow at a rapid clip. In a market that is expected to increase from $57 billion in 2016 to $158 billion by 2021, more manufacturers are eagerly looking to cash in on this trend. Yet security is often an afterthought in the development of these new smart devices.    

To keep these connected devices and their users secure, security companies are holding manufacturers accountable. Recently, Trustwave's Penetration Testing team within SpiderLabs discovered a backdoor in nearly all devices produced by voice-over-IP specialist DBLTek. When the SpiderLabs team disclosed the discovery, DBLTek responded by further burying the backdoor rather than closing it, then proceeded to cut off contact with Trustwave.

This experience is not uncommon, but, fortunately, the proportion of vulnerabilities disclosed in coordination with third parties rose from 26% in 2012 to 45% percent in 2016, and coordinated disclosures now outnumber uncoordinated ones by a ratio of more than 3 to 1, according to a report by Risk Based Security.

Here are the top four reasons the disclosure process hits roadblocks:

An Unclear Path: As simple as it may sound, one of the biggest issues in the disclosure process is unclear guidelines regarding to whom one should disclose the issue. This is the first step researchers take after a vulnerability is found, but organizations often lack a proper internal path for these types of escalations; and if they do have one, it often isn't easy for researchers to find.

Language Barriers: As a result of low barriers to entry into the IoT market, the number of manufacturers and companies producing and selling IoT devices is rising around the world. As global production rises, the language barrier among vendor, manufacturer, and researcher becomes a greater problem. The breakdown in communication often adds significant delays in the disclosure process, prolonging the life of the exploit and continuing to put the end user at risk.   

Unskilled Personnel: Organizations seeking to cash in on a new IT trend will often hire third-party developers to produce and code their products. However, once their products are up and running, these organizations will let their developer teams go, turning all of their efforts to marketing and sales. Once the developers are gone and a vulnerability is found, there is often no one left on staff well equipped enough to understand the disclosure process, let alone skilled enough to issue a patch.

Research from Trustwave further supports the issue of limited resources on IT teams to ensure proper security measures are in place. A study of 147 IT security decision makers and influencers, "Money, Minds and the Masses: A Study of Cybersecurity Resource Limitations," found 57% of respondents report finding and recruiting IT talent to be their biggest challenge. In fact, only 8% believe three-quarters or more of their IT staff have the specialized skills and training needed to handle complex issues. There's no doubt that this skills shortage becomes a major hindrance on the path of disclosing vulnerabilities.   

Fear of Bad Publicity: One of the biggest fears companies face is becoming the next big (bad) headline, or their small business going under because of negative publicity. 

When contacted from outside sources, vendors are often quick to panic over the possibility that word has gotten out that one of their products contains a vulnerability. This can lead an organization to completely bury the news and, in extreme cases, cease all communication with outside researchers.

It is vital for companies to realize that it's nearly impossible to create products without vulnerabilities; even some of the most reputable firms have released products with severe vulnerabilities, but how they respond is what truly matters. 

Moving Forward
The disclosure process may seem like a gray area to most organizations, but there are several resources available that provide best practices. For example, the National Telecommunications and Information Administration — an agency located within the Commerce Department — has created a provisional draft of "Guidelines and Practices for Multi-Party Vulnerability Coordination" in order to establish a broad, shared understanding of overlapping interests between security researchers and vendors, and to encourage increased collaboration.  

In the continued effort to help move this process forward, the Library of Congress has issued new exemptions to the Digital Millennium Copyright Act (DMCA), creating protections for Americans to hack their own devices without fear that the DMCA's ban on evading protections on copyrighted systems would allow manufacturers to sue them.

The simple act of implementing openness and responsiveness in the vulnerability disclosure processes has allowed people to report things that very well could have had life-altering consequences for those interacting with everyday products. 

Related Content:

 

Lawrence Munro works with Trustwave's elite team of forensic investigators, researchers, and ethical hackers, SpiderLabs, as worldwide vice president of SpiderLabs at Trustwave, responsible for all penetration testing functions within the practice. Lawrence has over 12 years ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/24/2017 | 12:18:56 PM
Fear of Bad Publicity
I can understand the fear of bad publicity, but bad publicity will become exponentially worse if some entity outside of the company discloses the vulnerability.
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11565
PUBLISHED: 2020-04-06
An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa.
CVE-2020-11558
PUBLISHED: 2020-04-05
An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box. audio_sample_entry_Read in isomedia/box_code_base.c does not properly decide when to make gf_isom_box_del calls. This leads to various use-after-free outcomes involving mdia_Read, gf_isom_delete_movie, and gf_isom_parse_m...
CVE-2020-11547
PUBLISHED: 2020-04-05
PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself (CPU usage, memory, Windows version, and internal statistics) via an HTTP request, as demonstrated by type=probes to login.htm or index.htm.
CVE-2020-11548
PUBLISHED: 2020-04-05
The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.
CVE-2020-11542
PUBLISHED: 2020-04-04
3xLOGIC Infinias eIDC32 2.213 devices with Web 1.107 allow Authentication Bypass via CMD.HTM?CMD= because authentication depends on the client side's interpretation of the <KEY>MYKEY</KEY> substring.