Ethically Handling Security Vulnerabilities – Who do You Notify?
You are a network engineer consultant performing diagnostics on a job. You discover a severe vulnerability in a firewall solution purchased from a vendor. In response to this vulnerability, you install a new, more secure firewall solution from another vendor. What do you do with the vulnerability information you have about the other product?
Conservative Call your coworkers and warn them of the problem. Immediately notify the Computer Emergency Response Team (CERT) of the vulnerability so that they can notify the vendor and publish the facts after the vendor has fixed the problem and disclosed the product weakness themselves. Avoid directly publishing the vulnerability to protect the vendor’s reputation and your own, since your business uses the vendor solution and was vulnerable.
Liberal Warn everyone you know. Perform a full disclosure, since CERT is slow in issuing proper warnings and many businesses may experience a dangerous hack in the meantime. Find a well-known researcher who is willing to publish the vulnerability. Full disclosure is the right answer because it motivates the vendor to provide a timely patch or workaround to a new vulnerability. If the vendor fails to provide a timely fix while the full vulnerability disclosure is public, the resulting negative media will damage the vendor’s reputation and revenue. Further, to avoid negative media a second time, the vendor will be forced to produce better software.
SUMMARY
Vulnerability Disclosure • Chapter 3 83
www.syngress.com
290_Ethics_IT_03.qxd 5/10/04 11:40 AM Page 84
There are two points of view when making the decision to perform a full disclosure. The first is to follow a chain of command, starting with notifying your organization and your clients, then bringing the weakness to a qualified organization that handles the disclosure process from there, usually in a limited disclosure manner (discussed later in this chapter). The second point of view is to immediately disclose all vulnerability information, since its proponents feel that organizations like CERT are too slow in reporting vulnerabilities and clients need to know the full details as soon as possible to better arm themselves against attack. Whichever means you adopt, consider the repercussions of both before acting.
The Game of Disclosure
Vulnerability disclosure is a high stakes game, with much fame going to the person or team that discovers a vulnerability, and much egg on the face of the company with the vulnerability. It can be very frustrating to be an established, legitimate vulnerability discovery team that duly notifies a company when a vulnerability is found, and then waits for the company to respond and patch the vulnerability. Many researchers have been “scooped” by other, less scrupulous individuals who will release a vulnerability without notifying the affected company, long after the first researcher has discovered and usually well documented the same vulnerability. Confidentiality and secrecy are often keys to the discovery-patch-announcement cycle that vulnerability disclosure follows today.
Jens Haeusser
Manager, Information Security Office
University of British Columbia
Performing a Full Disclosure – How Much do Others Know Already?
You are about to perform a full disclosure including the script code and all other details on a security weakness within the Internet browser system your business utilizes. You argue that you must fully disclose all of the information because you assume organizations like Black Hat already possess the information and you want the vendors and clients to have this information in order to catch any damage caused by malicious attacks. Are you correct in this assumption?
Conservative While it is true that the talented black hat community may well have prior knowledge of an exploit, the hordes of script kiddies do not. Fully disclosing a vulnerability, including exploit code, arms the script kiddies with weapons. Following the full disclosure, the script kiddies will possess the automated exploit and may launch attacks upon anyone in the public who utilizes the browser in question. Even if the script kiddies lack any technical knowledge, they probably have what they need to launch an attack from the disclosure. In addition, if the capable black hats do not possess prior knowledge of a new vulnerability, full disclosure drops this information in their laps and makes it significantly easier for them to develop exploit code and automated tools.
Liberal Full disclosure advocates assume that the black hat hacker community is already aware of product vulnerabilities by the very nature of the black hat organization. By fully disclosing vulnerability information, administrators of vulnerable systems obtain the data needed to take counteraction and put protective measures in place. Full disclosure is imperative so that administrators and programmers fully understand the vulnerabilities in order to prevent and defend against them. Through full disclosure, systems administrators and programmers obtain access to the full technical details of the vulnerability and consequently can take appropriate defensive action.
SUMMARY
Although the concept of full disclosure does not preclude vendor notification, most conservatives point to the lack of a grace period during which the vendor can address the flaw as a major disadvantage. In full disclosure, the vendor receives notification at the same time as the vulnerability information is disclosed to all others. Because of this, systems are vulnerable for the amount of time it takes the vendor to address the vulnerability and the client to put defense measures in place. However, from the liberal point of view, waiting to post a full disclosure is allowing a time bomb to go off in your organization. Failing to perform a full disclosure deprives systems administrators of the time required for effective defensive measures internally.