
The Politics of Vulnerabilities

Scott Blake, CISSP, Vice President of Information Security, BindView Corporation/RAZOR Research.



Presentation Transcript


  1. Scott Blake, CISSP Vice President of Information Security BindView Corporation/RAZOR Research The Politics of Vulnerabilities

  2. Agenda • Introduction • What is Politics? • What is a Vulnerability? • The Past and Present • Ideologies, Actors, and Initiatives • The Future • Trends and Probabilities

  3. What is Politics?
  • The study of power
    • Power is the ability to make one do what one would not otherwise do.
  • Important Terms
    • Actor: One who uses or is subject to power
    • Ideology: A set of beliefs or ideas
    • Legitimacy: In accordance with established standards or patterns
    • Authority: Legitimate power

  4. What is a Vulnerability?
  • Experts do not agree
    • Flaws in Software
    • Misconfigurations
  • What do vulnerabilities do?
    • Change user context
    • Crash systems or services
    • Execute arbitrary code
    • …

  5. Ideologies • Full disclosure • Responsible Disclosure • Zero disclosure • Limited Disclosure

  6. Full Disclosure
  • Tenets
    • Information wants to be free
    • Use the power of public opinion to make vendors improve code
    • Exploit code is more useful than destructive
  • Adherents
    • Most non-profit researchers
    • Very few commercial researchers

  7. Responsible Disclosure
  • Tenets
    • Exploit code causes more problems than it solves
    • Broad dissemination of vulnerability information is required to improve security awareness
    • Use the power of public opinion to make vendors improve code
  • Adherents
    • Most commercial researchers
    • Some notable software vendors

  8. Zero Disclosure
  • Tenets
    • Responsibility for fixing vulnerabilities lies with software vendor
    • Authors of software should control information relating to that software
    • There is no public good in broad availability of vulnerability information
  • Adherents
    • Many software vendors
    • Many government actors
    • Much of the Public

  9. Limited Disclosure
  • A variant of Zero Disclosure
    • Same Tenets and Adherents
    • But supports complete information sharing on a Need-to-Know basis within peer groups
  • Implemented in US Information Sharing and Analysis Centers (ISAC) and others

  10. Disclosure Ideologies Summary

  11. The Actors • Vendors • Researchers • The Underground • Governments • Media • The Public

  12. Vendors
  • Motivators
    • Shareholder value
  • Financing
    • Software Sales
  • Interests
    • Limit damage to brand value
    • Limit vulnerability of customers
    • Sell more software
  • Power Relations
    • Often try to prevent public disclosure of vulnerability information through legal action, market leverage, lobbying

  13. Researchers
  • Motivators
    • Advance state of the art
    • Build more security
    • Build name recognition/peer respect
  • Financing
    • Day Job
    • Customers (Grant, Contract)
    • Software sales

  14. Researchers (2)
  • Interests
    • Continue financing source
    • Maintain/extend reputation
  • Power Relations
    • Hobbyists are largely free from external influence providing the day job does not interfere
    • Academic and consultative researchers are largely beholden to their funding source, but different funders set different restrictions
    • Commercially-sponsored researchers are beholden to the parent company’s interests

  15. Researchers: The Underground
  • Same as other researchers, plus:
  • Motivators
    • Control, knowing something that others don’t
  • Financing
    • Some organized crime or other illegal sources
  • Interests
    • Maintaining the status quo
  • Power Relations
    • Wield little power except to cause fear among other Actors

  16. Governments
  • Motivators
    • Technocratic perception of public good
  • Financing
    • Taxes
    • Campaign Contributions
  • Interests
    • Economic growth
    • Public Safety
  • Power Relations
    • Prosecution of criminal or negligent behavior
    • Large purchaser of information technology

  17. The Media
  • Motivators
    • “All the news that’s fit to print”
  • Financing
    • Advertisements
    • Subscribers
  • Interests
    • More readers
  • Power Relations
    • Very powerful creators of brand, image
    • Influencers of public perception

  18. The Public
  • Motivators
    • Too chaotic to be relevant
  • Financing
    • Too chaotic to be relevant
  • Interests
    • Stable, secure software
    • Whiz-Bang Features
  • Power Relations
    • Wields tremendous power, but very difficult to direct in any specific direction

  19. Policy Initiatives • Council of Europe’s Cybercrime Treaty • US Information Sharing Policies • Disclosure Forums • Organization for Internet Safety • Various US Legislation

  20. Council of Europe’s Cybercrime Treaty
  • Intended Outcomes
    • Harmonize and update European computer crime laws
  • Unintended Outcomes
    • Potential for mis-implementation of tools provisions may have chilling effect on research
    • Language pertaining to intent may lead to certification requirements for security practitioners

  21. US Information Sharing Policies
  • Intended Outcomes
    • Stay one step ahead of the bad guys
    • Facilitate movement of information among legitimate parties: Government and ISACs
    • Better intelligence on attacks
  • Unintended Outcomes
    • Chilling effect on public discussion
    • Creates information haves and have-nots

  22. Disclosure Forums
  • Intended Outcomes
    • Get information to those who need it
  • Unintended Outcomes
    • Puts information in the hands of the “bad guys”
  • Examples
    • Bugtraq
    • NTBugtraq
    • Win2KSecAdvice
    • Cypherpunks
    • Vuln-Dev
    • And many more

  23. Organization for Internet Safety
  • Intended Outcomes
    • Limit availability of information to “bad guys”
  • Unintended Outcomes
    • Limit availability of information to everyone
    • “Chilling Effect” on research in general

  24. Various US legislation • FOIA and Anti-Trust exemptions for security-related information sharing • Increasing funding for NIST and NSF sponsored research • Single “Gold Standard” for US government system security configurations • FISMA: Revised reporting regulations for government agencies • DMCA and PATRIOT Act

  25. Trends
  • Increasing legislation
    • More clear definitions of cybercrime
      • Will the definitions be correct?
  • Improving communication channels
    • Information is being shared better among the “good guys” and the “bad guys”
  • More and more research being done
    • Rate of new vulnerability announcements has been increasing at ~90% per year since 1992

  26. Trends (2)
  • More vicious attacks
    • Nimda was the most aggressive worm yet, though still not terribly damaging, but very expensive to clean up
  • Continuing penetration of Internet access
    • The number of devices has topped 100 million and the rate is set to skyrocket with wireless Internet devices

  27. Probabilities
  • Will the public demand security?
    • Probably not
  • Who will pay for security?
    • Consumers? Government? Vendors?
  • Lessons from recent events
    • HP DMCA threat
  • Security for the people?
    • Personal firewalls, privacy regulation (HIPAA, GLBA), NCSA
  • Will liability laws change?
    • Probably not

  28. Conclusions / Predictions • No major changes are imminent • Continued harmonization of laws • Continued creation and discovery of flaws • Continued mismanagement of flaws • Continued small-scale exploitation • Absent a catastrophe, no major changes will occur at all • Software drifts toward being more secure, but the progress is offset by increasing complexity

  29. Questions? • blake@bindview.com • Slides will be on razor.bindview.com next week and on blackhat.com in several weeks
