As the events of recent weeks have shown, there is no better way to start a dumpster fire of an argument among a group of security people than to bring up the hideous, threadbare topic of full disclosure. No one is ambivalent about it; everyone has an opinion, and usually a strong one. But what’s become increasingly clear of late is that, in the era of sophisticated, highly targeted attacks, it just doesn’t matter.
In recent discussions I’ve had with both attackers and the folks on enterprise security staffs who are charged with stopping them, the common theme that emerged was this: Even if every vulnerability were “responsibly” disclosed from here on out, attackers would still be owning enterprises and consumers at will. A determined attacker (whatever that term means to you) doesn’t need an 0-day and a two-week window of exposure before a patch is ready to get into a target network. All he needs is one weak spot. A six-year-old flaw in Internet Explorer or a careless employee using an open Wi-Fi hotspot is just as good as a brand-spanking-new hole in an Oracle database.
Case in point: A researcher told me recently about a security assessment he was doing for a very large customer, whose network had undergone somewhere close to 1,000 such tests in recent years. Top-to-bottom penetration tests that looked for any weakness, any soft spot that could provide a way in. The researcher was having no luck with his usual exploits, but he eventually noticed a weakness in the way that the company’s employee log-in page was protected.
It turned out that the CAPTCHA system used to prevent automated log-in attempts had a small enough range of potential solutions that he was able to write a tool to get by the CAPTCHA. And that was that; he was inside the network and had complete access. Game over.
No disclosure policy in the world is going to prevent that from happening.
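The lesson a defender should take from that assessment is that a CAPTCHA is not a rate limiter: once its solution space is small enough to be guessed by a tool, it offers nothing unless the login itself throttles failures and locks accounts independently of the CAPTCHA. The following Python is an added example of that kind of gate, not code from the original article or from the researcher it describes. The addresses, account names, attempt stream and thresholds are constructed for illustration; it also flags a single source that keeps solving CAPTCHAs without ever logging in, which is exactly the pattern an automated solver leaves behind.

```python
# Added example: throttling and detection around a CAPTCHA-protected login.
# Not code from the original article. The attempt stream, addresses,
# account names and thresholds below are constructed for illustration.
from collections import defaultdict, deque

WINDOW_SECONDS = 600          # sliding window for counting failures
MAX_PER_ACCOUNT = 5           # failures per account before lockout
MAX_PER_SOURCE = 20           # failures per source address before throttling
LOCKOUT_SECONDS = 900         # how long a locked account stays locked
SOLVER_ALERT_THRESHOLD = 10   # CAPTCHA solves with zero logins from one source


class LoginGate:
    """Counts failed attempts per account and per source, ignoring the CAPTCHA."""

    def __init__(self):
        self.by_account = defaultdict(deque)
        self.by_source = defaultdict(deque)
        self.locked_until = {}

    @staticmethod
    def _prune(window, now):
        # Drop timestamps that have fallen out of the sliding window.
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()

    def decide(self, now, source, account):
        """Verdict taken BEFORE the CAPTCHA answer is even looked at."""
        if self.locked_until.get(account, 0) > now:
            return "locked"
        acct, src = self.by_account[account], self.by_source[source]
        self._prune(acct, now)
        self._prune(src, now)
        if len(acct) >= MAX_PER_ACCOUNT or len(src) >= MAX_PER_SOURCE:
            return "throttled"
        return "allowed"

    def record_failure(self, now, source, account):
        self.by_account[account].append(now)
        self.by_source[source].append(now)
        if len(self.by_account[account]) >= MAX_PER_ACCOUNT:
            self.locked_until[account] = now + LOCKOUT_SECONDS


def replay(attempts):
    """Run (time, source, account, captcha_ok, password_ok) tuples through the gate.

    Returns the outcome counts and a list of (source, solves) alerts for sources
    that solved many CAPTCHAs in the window but never completed a login.
    """
    gate = LoginGate()
    counts = {"allowed": 0, "throttled": 0, "locked": 0, "logins": 0}
    solves = defaultdict(int)
    logins = defaultdict(int)
    for now, source, account, captcha_ok, password_ok in attempts:
        verdict = gate.decide(now, source, account)
        counts[verdict] += 1
        if verdict != "allowed":
            continue  # a correct CAPTCHA never overrides throttling or lockout
        if captcha_ok:
            solves[source] += 1
        if captcha_ok and password_ok:
            logins[source] += 1
            counts["logins"] += 1
        else:
            gate.record_failure(now, source, account)
    alerts = sorted((s, n) for s, n in solves.items()
                    if n >= SOLVER_ALERT_THRESHOLD and logins[s] == 0)
    return counts, alerts


def constructed_attempts():
    """Constructed sample: one real user, then one source whose solver passes
    every CAPTCHA while guessing passwords against many accounts."""
    attempts = [(0, "10.0.0.5", "alice", True, True)]
    attempts += [(100 + i, "203.0.113.7", "bob", True, False) for i in range(8)]
    attempts += [(300 + i, "203.0.113.7", f"user{i:02d}", True, False)
                 for i in range(20)]
    return attempts


if __name__ == "__main__":
    print(replay(constructed_attempts()))
```

In the constructed stream the account "bob" locks after its fifth failure and the remaining three attempts never reach the CAPTCHA check; the same source is then throttled once it accumulates twenty failures across other accounts, and it surfaces in the alert list as a source with twenty CAPTCHA solves and no successful login. The decision order is the point: the gate is consulted first, so a solver that defeats the CAPTCHA gains nothing from doing so.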
The old model, in which attackers used worms or other commodity code to exploit one or maybe two vulnerabilities on as many machines as possible, is certainly still in use for things such as drive-by downloads. And people certainly still are getting owned that way, especially with the glut of browser-based exploits available these days.
But the major worry for enterprises, government agencies and other organizations trying to defend their networks is the dedicated, patient attacker who has the time and resources to find the one exploit that will work against a specific target. If his goal is to compromise a machine inside one given network, the odds are with the attacker.
And it’s not the most obvious applications and operating systems that are necessarily the problem. Windows, Office, IE, Firefox and other widely deployed apps have automatic update mechanisms that keep many users protected, particularly consumers who don’t have IT staffs or pay much attention to security. Those also are the applications, along with databases, CRM systems and other vital business systems, that enterprises prioritize for patching.
But what about the browser plugins and add-ons, video players, QuickTime, IM clients and other unsupported software that finds its way onto users’ machines? When, if ever, are those apps patched? Not often. So when and how the vulnerabilities themselves are disclosed is virtually irrelevant. If no one is going to patch the flaws or update their software, it’s a moot point.
IT departments may not manage these applications, but attackers certainly track the vulnerabilities in them and know where to probe.
In the current environment, attackers, whether they be solo, part of an organized group or sponsored by a nation state, are after your data. They want corporate intelligence, they want business plans, they want financial information, they want banking credentials, they want military secrets. And they’re not at all picky about how they get it.
After 15 years or more of this debate, reasonable, intelligent people still disagree vehemently on how to handle vulnerabilities. And while the debate likely will continue indefinitely, the attackers just don’t care.