Information Age: News, analysis & insight for IT & business leaders


"The worst thing an IT company can do is to keep its security flaws secret."

25 February 2006  

When vulnerabilities are exposed in technology platforms, should vendors keep the details away from prying eyes, or should they forewarn customers?

Action..

At the Black Hat security conference in Las Vegas in July 2005, one presentation caused unprecedented excitement. A technical researcher, Mike Lynn, had promised to reveal details of a vulnerability in Cisco's Internetwork Operating System (IOS), the software that powers most of the Internet's routers, and he showed delegates how those routers could be attacked. The talk was made more contentious by the fact that he had discovered the weakness while working for Internet Security Systems (ISS), and his employer had instructed him not to reveal the information.

Lynn had found a way to run 'attack code' on IOS, which controls millions of Cisco routers across the Internet, by building on a previously known flaw. Because the technique was a general method for executing code on the platform rather than a single bug, it could be put to widespread use, and cause widespread damage.

"I'm probably about to be sued to oblivion, (but) the worst thing is to keep this stuff secret," Lynn told his audience. "I had to quit [my job] to give this presentation because ISS and Cisco would rather the world [was] at risk. They had to do what's right for their shareholders."

Cisco obtained an injunction against Lynn following his presentation, barring him from making any further comment on the flaw, and assured its customers that the flaw was well understood and nothing to worry about. Reaction to Lynn's actions was split between those who thought he was helping hackers exploit IOS and those who believed hackers would already be well aware of the vulnerability, so that Lynn was simply informing businesses of a serious flaw.

The commotion that followed quickly blew over, but the episode raised important questions: what obligation are vendors under to publicise security flaws in their products? Does broadcasting the details of vulnerabilities increase or decrease the chance that someone will abuse them?

Industry representatives tend to argue that full disclosure of security shortcomings would only make a hacker's work easier. Customers, on the other hand, tend to recognise that the more information they have about security risks, the better equipped they are to tackle them.


Reaction..

In IT, as in any other industry, if something breaks it should be fixed, says Procter & Gamble's security head David McCaskill. These are his personal views.

"So-called 'security through obscurity' never works. Determined criminal hackers are underestimated and will launch attacks, while the effectiveness of security technologies and protocols is typically overestimated."

"For most industries, if a flaw or danger is discovered in a product, that manufacturer typically initiates a product recall in order to either repair or replace it. IT hardware and software vendors should be held to analogous standards and practices. We, the consumers of their products, should demand it from them."

Publicising security flaws only increases the dangers, says Pieter Kasselman, senior researcher at security technology vendor Cybertrust.

"Cybertrust has a long-held position in favour of responsible disclosure of security vulnerabilities and is against full disclosure. Full disclosure increases the information security risk to organisations, forcing them into rushed or unplanned remedial action, and may leave them vulnerable for longer periods than necessary."

"Vendors should have a responsibility to their customers to respond to vulnerabilities, and should not publicise these vulnerabilities until they have assessed the risks they pose along with an appropriate set of countermeasures."
