05 April 2017
By Bryan K. Fite, Account CISO, BT.
You can patch known bugs in your system, but what about the ones you don’t know about? Here’s why ‘the disclosure game’ is vital to your cyber security.
An eventful trip to Troopers.
I’m just back from Troopers, the best hacker conference in the world. This year, it celebrated ten years of trying to make the world a safer place. I had planned to provide a full post-Troopers report in this blog, but there’s just too much to report for a single blog post.
I enjoyed ‘killer keynotes’, RF, IPv6, Telecosec workshops, general sessions, round tables, an epic Packetwars battle, speaker dinner, surprise presenter (@thegrugq!) and — oddly enough — several incredibly relevant (if esoteric) book suggestions. How could I fit it all in?
So I’ll resist the urge to overload you. Rather, I want to focus on something I call ‘the disclosure game’ — a running theme through much of my interaction with others in attendance.
Finding bugs in a system.
It was great seeing all my friends, fellow researchers and security professionals at Troopers. However, while I was there, it dawned on me that all these people are hackers — whether they identify themselves as hackers or not. And the disclosure game relates to how all of us hackers react when we discover a bug in any system.
The passion, drive and need to understand ‘how’ things work is one of the core characteristics of the hacker psyche. Often, in the course of that journey of discovery, a hacker or security researcher will find a vulnerability, bug or other relevant flaw in a system: one that can cause it to operate outside its intended function, fail or otherwise ‘break’.
Most system vulnerabilities come down to software bugs, which can be patched. And the longer a bug (aka vulnerability) is known about but remains unpatched, the longer the window in which it can be exploited, and the higher the risk to the system.
Why disclosure matters.
This is where privately known bugs (often referred to as ‘0-day’) can give adversaries a dangerous capability should they be weaponised. I often refer to the Exposure Index when talking about these threats.
Exposure of a bug is critical. The more parties that know about a bug, the more likely it is that tools will be developed both to detect it and to exploit it. This is where the disclosure game makes all the difference: how a vulnerability is disclosed, and to whom, can tip the balance between a security breach and a successful patch.
Cyber defences depend on disclosure stakeholders.
So what is the best form of vulnerability disclosure? As with most questions, the answer is: it depends.
If you’re a nation state, you might hoard weaponised versions to build a cyber arsenal. If you’re a glory hound, you might drop all the details in a public forum and watch the world react. If you’re a freelance entrepreneur, you might monetise them via bug-bounty programmes or by selling them to the highest bidder in a dark forum.
It’s also important to understand the intended or potential impact of releasing information to various entities. Will it cause harm to humans? Who benefits from the disclosure? Is it legal to disclose? How does it affect your ‘brand’?
I think we’re heading into a period where there’ll be three main types of disclosure:
- Full disclosure — with no or untrustworthy attribution.
- Time-bound ‘escrow disclosure’ — with attribution, but opaque motivation.
- Bug bounties — where vulnerabilities become the property of the purchasing entity.
I won’t pick a favourite as the nature of each one really depends on the stakeholders in question. However, I’m looking forward to continuing the disclosure discourse in this forum. And I can’t wait to discuss my position — and articulate the elements that influence my perspective — at DCXI in September.
If you want to delve further into the disclosure game, our good friends over at ERNW published a thoughtful assessment back in September 2015. The document touches on so many of the big themes, and discusses how security researchers have approached the problem space.
They reference the not-so-successful RFC and the ISO standard on vulnerability disclosure (ISO/IEC 29147:2014) that’s gaining a lot of attention. Although this paper might be overly focused on the two primary stakeholders (finder and vendor), I think it’s a great entry point or primer for this discussion.
Also, Bruce Schneier recently posted an observation on the subject specific to Google’s Project Zero. Reflecting on his observations, I find that this subject quickly hits on timely topics near and dear to my heart, namely ethics, discretion and transparency within the cyber domain and ecosystem. And, in my opinion, it helps frame the evolving dystopian landscape.