Vulnerabilities / Threats
5/24/2017
10:00 AM
Lawrence Munro
Commentary

4 Reasons the Vulnerability Disclosure Process Stalls

The relationship between manufacturers and researchers is often strained. Here's why, along with some resources to help.

The relationship between a manufacturer or vendor and security researchers can be filled with tension and unease, and it's most often put to the test during the vulnerability disclosure process. Although their intentions are pure, researchers often feel they are being shut out of the process, while vendors may see disclosure deadlines as a threat from researchers looking to produce headlines.

This difficult relationship is further strained as the Internet of Things (IoT) market continues to grow at a rapid clip. In a market that is expected to increase from $57 billion in 2016 to $158 billion by 2021, more manufacturers are eagerly looking to cash in on this trend. Yet security is often an afterthought in the development of these new smart devices.    

To keep these connected devices and their users secure, security companies are holding manufacturers accountable. Recently, Trustwave's Penetration Testing team within SpiderLabs discovered a backdoor in nearly all devices produced by voice-over-IP specialist DBLTek. When the SpiderLabs team disclosed the discovery, DBLTek responded by further burying the backdoor rather than closing it, then proceeded to cut off contact with Trustwave.

This experience is not uncommon, but, fortunately, the proportion of vulnerabilities disclosed in coordination with third parties rose from 26% in 2012 to 45% in 2016, and coordinated disclosures now outnumber uncoordinated ones by a ratio of more than 3 to 1, according to a report by Risk Based Security.

Here are the top four reasons the disclosure process hits roadblocks:

An Unclear Path: As simple as it may sound, one of the biggest issues in the disclosure process is unclear guidelines regarding to whom one should disclose the issue. This is the first step researchers take after a vulnerability is found, but organizations often lack a proper internal path for these types of escalations; and if they do have one, it often isn't easy for researchers to find.

Language Barriers: As a result of low barriers to entry into the IoT market, the number of manufacturers and companies producing and selling IoT devices is rising around the world. As global production rises, the language barrier among vendor, manufacturer, and researcher becomes a greater problem. The breakdown in communication often adds significant delays in the disclosure process, prolonging the life of the exploit and continuing to put the end user at risk.   

Unskilled Personnel: Organizations seeking to cash in on a new IT trend will often hire third-party developers to produce and code their products. However, once their products are up and running, these organizations will let their developer teams go, turning all of their efforts to marketing and sales. Once the developers are gone and a vulnerability is found, there is often no one left on staff well equipped enough to understand the disclosure process, let alone skilled enough to issue a patch.

Research from Trustwave further supports the point that IT teams lack the resources to ensure proper security measures are in place. A study of 147 IT security decision makers and influencers, "Money, Minds and the Masses: A Study of Cybersecurity Resource Limitations," found that 57% of respondents named finding and recruiting IT talent as their biggest challenge. In fact, only 8% believe that three-quarters or more of their IT staff have the specialized skills and training needed to handle complex issues. There's no doubt that this skills shortage becomes a major hindrance to disclosing vulnerabilities.

Fear of Bad Publicity: One of the biggest fears companies face is becoming the next big (bad) headline, or their small business going under because of negative publicity. 

When contacted by outside sources, vendors are often quick to panic over the possibility that word has gotten out that one of their products contains a vulnerability. This can lead an organization to completely bury the news and, in extreme cases, cease all communication with outside researchers.

It is vital for companies to realize that it's nearly impossible to create products without vulnerabilities. Even some of the most reputable firms have released products with severe vulnerabilities; how they respond is what truly matters.

Moving Forward
The disclosure process may seem like a gray area to most organizations, but there are several resources available that provide best practices. For example, the National Telecommunications and Information Administration — an agency located within the Commerce Department — has created a provisional draft of "Guidelines and Practices for Multi-Party Vulnerability Coordination" in order to establish a broad, shared understanding of overlapping interests between security researchers and vendors, and to encourage increased collaboration.  

In the continued effort to help move this process forward, the Library of Congress has issued new exemptions to the Digital Millennium Copyright Act (DMCA), creating protections for Americans to hack their own devices without fear that the DMCA's ban on evading protections on copyrighted systems would allow manufacturers to sue them.

The simple act of implementing openness and responsiveness in the vulnerability disclosure processes has allowed people to report things that very well could have had life-altering consequences for those interacting with everyday products. 

Lawrence Munro works with Trustwave's elite team of forensic investigators, researchers, and ethical hackers, SpiderLabs, as worldwide vice president of SpiderLabs at Trustwave, responsible for all penetration testing functions within the practice. Lawrence has over 12 years ...
Comments
RyanSepe
User Rank: Ninja
5/24/2017 | 12:18:56 PM
Fear of Bad Publicity
I can understand the fear of bad publicity, but bad publicity will become exponentially worse if some entity outside of the company discloses the vulnerability.