At the Black Hat Briefings and Def Con 10 security conferences last week, the complicated issue of how to prevent and respond to vulnerabilities was a dominant topic.
In many ways the problems facing security experts are similar to those in the medical world. For example, a pernicious disease--in the form of mutant, malicious 1s and 0s--attaches itself to a healthy body (digital device) and uses the host to potentially wreak havoc on millions of others. How do you find a cure and, in lieu of a cure, develop therapies to staunch the spread and deleterious impact of the disease?
In treating diseases, the therapy often involves several approaches simultaneously. It should be no different for dealing with security vulnerabilities. No single approach will make any code base or network invulnerable. You can blame vendors and programmers for writing leaky programs, but even with more scrutiny and better benchmarking tools--such as those offered by the Center for Internet Security--code can be cracked.
One approach borders on the Wild West notion of frontier justice. Tim Mullen hatched a novel hack-back scheme to defend systems against attacks by striking back against the offending machines that propagate a virus or worm. Mullen, who is CIO and chief software architect for AnchorIS, says he isn't advocating vigilantism.
He contends that a "measured strike-back" technology could mitigate the impact of a multi-faceted worm attack. The concept has merit, but the legal issues will make it difficult to gain acceptance as an official government-sanctioned response mechanism. Hacking back is a form of white knight hacking, but what if the wrong machine is hacked back? On the other hand, having to get a court order or other form of legal authorization to deter an attack using the hack-back methodology would mute its power to stop the attack.
Hacking back is a critical tool for first response efforts. I would advocate for setting the legal parameters and creating a way to quickly authorize use of the technique if the situation merits such a response.
In addition to the controversy surrounding the hack-back concept, the debate continues to brew over the disclosure of security flaws before remedies are put in place. Richard Clarke, U.S. presidential special adviser for cybersecurity, is adamant about maintaining a veil of silence around known vulnerabilities until a patch is made available. Telling criminal elements where they can exploit a leak before there is a remedy is like giving them the combination to the safe and asking them not to rob the bank.
Oftentimes, vulnerabilities are immediately disclosed by their finders, who enjoy the hunt and showing off their trophy, or who have some public relations agenda for their company or service to fulfill. On the other hand, if your company uses software that has a major vulnerability and you don't know about it, or don't even have the option of doing something about it short of writing a patch, you would be infuriated. It boils down to a question of lesser evils.
For the most troublesome security leaks, I lean on the side of maintaining the veil of silence until patches are in place. But it all sounds like a conspiracy at a time when we are not particularly sanguine about the actions of companies (who have their own self-interest at heart) hiding behind a veil. And, it may be impractical to keep vulnerabilities from being exposed before there is a fix--the loop would include too many people to keep a lid on the information.
Behavior can't be legislated, but setting a voluntary policy to maintain the veil of silence for the really bad vulnerabilities is a reasonable request as long as patches are delivered in the timeliest fashion. There should also be a full accounting of each company's security vulnerabilities, so we can keep score on who is doing the best job of maintaining secure code and environments.
In defense of disclosure, a group of security experts and hackers have created a new service to share information about vulnerabilities and security tools. The Internetworked Security Information Service is a kind of open source information resource, and it claims to be independent from commercial interests.
Exploring new approaches and developing information resources is vital as we try to make our systems more secure and, at the same time, continue to pioneer new uses for technology. As I said in my last column, now is the time for action, not just awareness. Taking action, however, is not just a matter of finding a single tool or provider to outsource security management. Those companies that want the highest level of security will look for multiple tools and policies that are not doctrinaire, but closely fit the specific needs of the company.
What do you think? Join our TalkBack forum or e-mail me at dan.farber@cnet.com.