Winning the zero-sum game: how the battle is heating up over zero-day bugs

News that the privacy-rights group Electronic Frontier Foundation (EFF) has instituted another lawsuit against the National Security Agency (NSA) and the Office of the Director of National Intelligence (ODNI) has recently renewed debate on the merits and morality of government agencies keeping schtum about zero-day vulnerabilities of computing and networking systems.

From a certain perspective, this might be seen as a minefield. But to businesses and security professionals who start with the presumption that an arbitrarily large number of 'opponents' — be such opponents hackers or government agencies — may have knowledge of their systems’ vulnerabilities, disclosure of the workings of the NSA’s Vulnerabilities Equities Process will change little.

If you pragmatically presume that others may have knowledge of your systems’ vulnerabilities, you will naturally adopt a security posture that prioritises security principles such as multi-layered security and segregation of duties.

That way, compromise of a single given security measure or product — SSL, say, or database encryption — will not be sufficient for an opponent or attacker to gain unauthorised access to your sensitive information. These principles are indeed behind security measures such as multi-factor authentication. They are also why application security and data security are needed in addition to network security, and why data should be secured at rest as well as in flight.

A lucrative market

A 'zero-day vulnerability' is a previously unknown security vulnerability in a product or service that a researcher has discovered, but which the developers have had 'zero days', i.e. no time, to fix – hence the term. Zero-day vulnerabilities or ZDVs are still only vulnerabilities, and like all vulnerabilities, have attributes of discoverability and exploitability. A further definition: a threat is a thing that might happen to compromise the security of a system. The more discoverable and exploitable a vulnerability, the more likely it is to carry a threat.


Governments find ZDVs increasingly useful as sovereign counter-offensive cyber-weapons. As such, there is a thriving market for ZDVs, in which documentation of a given vulnerability can change hands for US$100,000 and indeed as much as US$500,000. On the sell-side of the market are researchers or companies that dedicate their resources to searching out such vulnerabilities. On the buy-side of the market are government agencies, organised-crime syndicates and actual vendors. The market is also replete with shadowy brokers and arbitrageurs. It is said that the technology vendors, who arguably are most 'on the side of the public', can afford the lowest bounties.

ZDVs are therefore extremely valuable. Researchers have determined that the Stuxnet worm, which was used to cripple the Iranian nuclear-production facility in 2010, exploited four ZDVs. The fact that as many as four ZDVs were deployed in just a single attack is taken to suggest that the US and Israeli governments may have stockpiled hundreds of ZDVs.

Trust no-one

Clearly, mistrust has been growing that the NSA uses knowledge of ZDVs not just for sovereign purposes, but also for snooping on citizenry. This is on a par with staff believing security teams and/or management are spying on the staff.

However, the view from across the divide is different. It has never been easier for bad guys to masquerade as your staff (in the case of a company) or your citizens (in the case of a state). So, snooping on your staff is not necessarily an exercise in wilful mistrust, but possibly an exercise in wilful pragmatism. By the same logic, snooping on your citizens may perhaps not be an abuse of powers, but an exercise in sovereign paranoia. In other words, it’s not your innocent and well-intentioned staff or citizens you don’t trust, just others masquerading as such.

To the vast majority of computer-based systems, a given user is practically indistinguishable from someone – anyone — who has logged in as that user. Back across the table however, in the other direction of the entity-relationship arrow, the view is perfectly complementary: the data that results from snooping activities conducted against you can be used for good purposes or evil ones. To the data, a 'good guy' is indistinguishable from a 'bad guy'.

Meanwhile, the riches on offer have led to some technology vendors deliberately inserting back-doors as ZDVs – either independently (for private profit) or at the behest of government agencies. There are also accusations of government agencies – with or without the collusion of vendors – inserting hardware implants or software implants into routers, hard-disk drives, satellite phones, SIM cards etc. Most recently, there have been allegations that the NSA exploited for up to two years the so-called Heartbleed vulnerability in OpenSSL – software that is widely used to secure communications to online banking, retail, government and many other sensitive services.

The call for transparency

All of this has led to a situation in which privacy-rights organisations and individuals are seeking some form of restraint on – or better visibility of — the government agencies’ activities in this area.

In the most benign interpretation of the situation, unfixed or unpatched ZDVs can be exploited by governments for sovereign defence purposes, or by criminal organisations for nefarious purposes. Even if the government agencies were taken at their word, there are concerns that governments would rather that ZDVs remained unfixed, i.e. available as weapons, than have the ZDVs fixed, to keep the wider public safe.

But if the worst concerns of the privacy activists are borne out, then users of commercial systems – i.e. we in the wider public – are being subject to a zero-day double-whammy: susceptibility to criminal exploits by the so-called bad guys, as well as to snooping exploits by the so-called good guys.

It is in this spirit that the EFF has taken out this Freedom of Information Act lawsuit, seeking to compel US government agencies to become more transparent as to the processes used to determine disclosure (or otherwise) of zero-day vulnerabilities.


Given the balance of patching benefit – i.e. fixes or patches to ZDVs benefit 'us' as much as 'them' — there is a finite possibility that government agencies may decide to start depending less on ZDVs and more on backdoors, implants and big-data mining. Be that as it may, the need remains for businesses and other non-military organisations to protect their proprietary data and the details of their customers.

Plugging the zero-day gap

This is where a return to first principles serves us well. Starting-point: Trust No-One. Remember the expression: 'even paranoids have enemies'. Presume and assume that others are knowledgeable as to your vulnerabilities. Next one: Defend-In-Depth. Install multiple layers of security, at each of the people, process and technology levels. And don’t just install defences – test them.

Penetration testing, vulnerability assessments and even plain old audits are all capable of revealing vulnerabilities that can be exploited. Undertake policy reviews, and make sure that active, conscious and deliberate decisions are being made about information security on an ongoing basis. If you don’t have a security steering group to consider security risks and the strategic, top-down approaches to them, establish one. If you don’t have one or more cross-disciplinary security task forces to ensure that all products and projects reflect policies and principles, set them up on an ad hoc basis.

So, back to the EFF and its lawsuit. For most organisations, the utility of any information obtained as a result of the EFF's Freedom of Information Act (FOIA) lawsuit has to be debatable, from either a pragmatic or a philosophical standpoint.

Were the EFF’s lawsuit to succeed, the NSA and other agencies might be compelled to divulge their decision-making processes in respect of zero-day disclosures to vendors and the public — in other words, to explain the workings of the Vulnerabilities Equities Process. And then what? What may change – may – is that some governments might alter their levels of activity in ZDV markets. But that will not necessarily make for better security – what it will overtly do is reduce the number of bidders at ZDV auctions. The word 'some' above is instructive: not all governments will make the same judgements as to the balance between commercial resilience and military advantage (and domestic civil rights).


To those who start with the presumption that an arbitrarily large number of multifarious opponents may have knowledge of their systems’ vulnerabilities, disclosure of the workings of the Vulnerabilities Equities Process should change little.

Such a presumption would fit well into a sound security posture, the underlying principles of which collectively serve as a reference point for all other decisions made in respect of security. Violations of the principles will likely lead to undesirable or unexpected results, so periodic or episodic conformance reviews are vital. Upon such closer scrutiny you may find yourself asking the security team not why they are asking for so much in terms of budget, but why they are asking for so little!

Sourced from Toyin Adelakun, VP of products, Sestus International
