Why the Disclosure Debate Doesn’t Matter

As the events of recent weeks have shown, there is no better way to start a dumpster fire of an argument among a group of security people than to bring up the hideous, threadbare topic of full disclosure. No one is ambivalent about it; everyone has an opinion, and usually a strong one. But what’s become increasingly clear of late is that, in the era of sophisticated, highly targeted attacks, it just doesn’t matter.

In recent discussions I’ve had with both attackers and the folks on enterprise security staffs who are charged with stopping them, the common theme that emerged was this: Even if every vulnerability were “responsibly” disclosed from here on out, attackers would still be owning enterprises and consumers at will. A determined attacker (whatever that term means to you) doesn’t need a 0-day and a two-week window of exposure before a patch is ready to get into a target network. All he needs is one weak spot. A six-year-old flaw in Internet Explorer or a careless employee using an open Wi-Fi hotspot is just as good as a brand-spanking-new hole in an Oracle database.

Case in point: A researcher told me recently about a security assessment he was doing for a very large customer, whose network had undergone somewhere close to 1,000 such tests in recent years. Top-to-bottom penetration tests that looked for any weakness, any soft spot that could provide a way in. The researcher was having no luck with his usual exploits, but he eventually noticed a weakness in the way that the company’s employee log-in page was protected.

It turned out that the CAPTCHA system used to prevent automated log-in attempts had a small enough range of potential solutions that he was able to write a tool to get by the CAPTCHA. And that was that; he was inside the network and had complete access. Game over.

No disclosure policy in the world is going to prevent that from happening.

The old model, in which attackers used worms or other commodity code to exploit one or maybe two vulnerabilities on as many machines as possible, is certainly still in use for things such as drive-by downloads. And people certainly still are getting owned that way, especially with the glut of browser-based exploits available these days.

But the major worry for enterprises, government agencies and other organizations trying to defend their networks is the dedicated, patient attacker who has the time and resources to find the one exploit that will work against a specific target. If his goal is to compromise a machine inside one given network, the odds are with the attacker.

And it’s not the most obvious applications and operating systems that are necessarily the problem. Windows, Office, IE, Firefox and other widely deployed apps have automatic update mechanisms that keep many users protected, particularly consumers who don’t have IT staffs or pay much attention to security. Those also are the applications, along with databases, CRM systems and other vital business systems, that enterprises prioritize for patching.

But what about the browser plugins and add-ons, video players, QuickTime, IM clients and other unsupported software that finds its way onto users’ machines? When, if ever, are those apps patched? Not often. So when and how the vulnerabilities themselves are disclosed is virtually irrelevant. If no one is going to patch the flaws or update their software, it’s a moot point.

IT departments may not manage these applications, but attackers certainly track the vulnerabilities in them and know where to probe.

In the current environment, attackers, whether solo, part of an organized group or sponsored by a nation state, are after your data. They want corporate intelligence, they want business plans, they want financial information, they want banking credentials, they want military secrets. And they’re not at all picky about how they get it.

After 15 years or more of this debate, reasonable, intelligent people still disagree vehemently on how to handle vulnerabilities. And while the debate likely will continue indefinitely, the attackers just don’t care.

Discussion

  • netalien on

    Very good reminder and post! I think the full disclosure thing is so hyped because of the conflict it creates; everybody likes to defend their stand on that, but in the end, it's true that attackers won't care whether responsible disclosure or full disclosure or a 0-day or a six-month-old flaw provides the way to get in: The end justifies the means.
  • Jason Ross on

    "But what about the browser plugins and add-ons, video players, QuickTime, IM clients and other unsupported software that finds its way onto users' machines?"

    Indeed, it's quite common to find machines running antiquated software and operating systems that are unpatched, or even no longer supported. This isn't just limited to user machines however, often these hosts are vendor specific "black box" devices such as VoIP call managers or network storage array management stations.

    Many times an enterprise is required to leave these devices untouched as part of their contracted support agreements. If they were to patch them, they forfeit technical support from the vendor. When a business is faced with "leave this alone and hope our firewall saves us" or "lose the support we paid many (possibly hundreds of) thousands of dollars for", the former choice is sadly compelling.

  • An Undying Loyal Firefox Fan on

    CULPABILITY... In law this word means accountability, blameworthy, punishable by statute and code. Removing the trash from our lives and our business is not enough. There is little remedy other than self satisfaction for this effort, albeit worthy of recognition. It's time we put into law the "user option" to prosecute every incident of internet crime, upon the reporting of such by our internet security companies, without whom many would not survive in the current day fetish to corrupt the internet by those who abuse the education they have been allowed.

    It is time to QUIT CAPITALIZING & START PENALIZING CYBER CRIME..!!! On all fronts... I am sure that internet security companies of merit everywhere would rather there be set-in-stone remedies that are paid for by our legal taxes to promote proper adjudication of cyber criminals, no matter how great or small. Why not??? It's the LAW, isn't it???

    Just for the record... Kaspersky Kicks ___S...!!!!

  • Randy Grein on

    Good article overall, but please keep in mind this is all a moving target: "But what about the browser plugins and add-ons, video players, QuickTime, IM clients and other unsupported software..." is a good example. QuickTime auto-updates, and Mozilla checks for many browser plugins. In fact the increase in auto-updaters may become a stability and security problem of its own. As we have more and more applications that phone home for updates, it becomes difficult to keep track and watch for subversion.
