• 04/28/2003
    5:56 PM
  • Network Computing
  • News
  • Connect Directly
  • Rating: 
    0 votes
    Vote up!
    Vote down!

Don't Panic. Plan

Connecting to the Internet means exposing your network to attackers, from script kiddies to skilled black hats. But the situation is not as dire as you might believe. We consulted

• ISS Security Center: Security tools vendor Internet Security Systems' X-Force security intelligence is touted as the No. 1 security advisory, representing 45 percent of all vulnerabilities discovered by commercial research entities.

• Security Focus: Owned by Symantec, the SecurityFocus site hosts the Bugtraq mailing list and a forum for security experts to discuss new IT threats and attacks as well as ways to prevent security breaches. Full disclosure--publicly disclosing the details of vulnerabilities--has long been the subject of heated debate in the security community and remains a double-edged sword.

On the one hand, full disclosure holds a vendor's feet to the fire so it will fix vulnerabilities quickly. The whole movement to full disclosure was in direct response to vendors ignoring security problems, and 62 percent of readers polled for this article say vendors wouldn't fix problems if they weren't exposed. Publishing vulnerabilities with working source code or step-by-step instructions proves that a vulnerability exists and forces vendors to acknowledge the problem while allowing software users to check their systems for holes. Of course, these codes and instructions also land in the hands of any script-kid who can work a browser.

The question is: Does the benefit of full disclosure outweigh the value of nondisclosure or limited disclosure? A move to nondisclosure--for example, making disclosure a criminal offense--would take us back to the bad old days before Bugtraq was started. The underground would have all the tools, and vendors would keep problems quiet. Cynical? No, just realistic. Vendors aren't inherently evil, but they aren't going to spend money where they don't need to, and fixing vulnerabilities costs money. Perhaps the Environmental Protection Agency has the right idea: Companies are forced to properly handle hazardous materials from cradle to grave or face expensive fines, the cost of clean-up and possible criminal prosecution brought about by Superfund legislation.

Partial disclosure sounds feasible. Announce the vulnerability, but don't give out details. Although that initially keeps exploit code out of the hands of script-kiddies, any programmer can use the information in partial disclosure to shorten the development time of a working exploit. That isn't much better. The side effect is that you have to rely on the vendor that created the vulnerability to fix it, and you can't check that the fix worked. And let's not forget that leakage happens.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.

Log in or Register to post comments