In recent years, there has been an increase in branding campaigns around specific software security issues, one of the most recent ones being called “Badlock”. Before disclosure, it had no substance but it already had a brand.
With so little substance, do these campaigns help or hinder IT professionals in their approach to security?
Collaboration and solving the awareness problem
We are still early in the maturity cycle of the IT security industry, and we are still working towards a universally accepted approach to handling security vulnerabilities. Today each software vendor tends to take its own approach, which leaves those who discover new vulnerabilities guessing whether they will be thanked or sued for their work.
The closest thing to a standard that exists is the Common Vulnerabilities and Exposures (CVE) identifier database. Since 1999, this list of security issues has provided a repository for descriptions of problems found within software and operating systems. Getting a CVE number for a security issue can be essential to getting that problem listed by security software vendors, as well as enabling other security researchers to track the specific issue over time.
However, getting a CVE is not as simple as it once was. Recently, there have been some complaints from security researchers about the difficulty of getting a CVE for specific issues. Meanwhile, the growth of the Internet of Things (IoT) has led to many more internet-connected products being launched – many of them with questionable approaches to the security of the software they contain.
MITRE, the organization behind issuing CVE identifiers, has stated on its website that the sheer number of vulnerabilities and issues present in IoT device software has lengthened the amount of time it takes to issue CVEs.
MITRE is currently working to update the CVE process so that it can deliver faster recognition for issues as they are discovered, as well as meeting the requirements of both researchers and end-user organizations. At the same time, awareness within the IT community around new issues is a significant challenge, particularly for those not running automated tools. There are so many vulnerabilities coming through that spotting relevant updates within the sea of advisories that are published can be difficult.
Branding and awareness
For some specific issues, various organizations have put together dedicated branding campaigns. This use of branding is intended to draw broader industry attention to how these problems can be fixed. The approach is valuable in terms of raising awareness, but there are also pitfalls that should be considered both by IT professionals and by the organizations undertaking branding activities around vulnerabilities.
The first issue here is that branding can draw the wrong kind of attention to a software problem. Malware creators are always looking for the next potential issue that can be exploited; just as the industry looks to fix security problems for customers, so malware authors will jump to create new viruses and Trojans that can attack these holes. If a branding campaign starts too early, before fixes are available, then there is potential to create a zero-day attack.
The second issue is that IT professionals can be highly sceptical of branding campaigns. Rather than raising awareness and leading to positive action, a poorly conceived branding activity can backfire and lead to cynicism within the very community that is being targeted. This is particularly challenging for issues that might be serious and require fixing, but where exploitation by hackers might not necessarily be easy in their current incarnations. Given the time pressures that exist in IT, such issues might not be deemed critical or urgent.
The recent Badlock campaign is a good example here. Man-in-the-Middle attacks are significant, and the ubiquity of Windows and Samba made this a potentially good candidate for wider awareness. However, the severity of the issue compared to how difficult it may be to exploit led to negative feedback and industry criticism.
Overall I believe that branding of attacks is incredibly helpful – examples like POODLE, Heartbleed and GHOST can show how raising awareness through media activity and a catchy acronym can help raise awareness beyond our own industry. The latest one is ImageTragick – what originally started as a joke on whether the vulnerabilities in the ImageMagick tool were worthy of hype became its own branding and information site. According to the team involved, this act got thousands of IT professionals to the site within minutes of it being launched, giving everyone a better chance at reacting quickly to this critical vulnerability.
Vulnerabilities have a significant worldwide impact. Awareness campaigns in general are positive to get information out to affected parties, but we have to ask ourselves when we will reach a level of saturation. I do not think this has happened yet, and please don’t get me wrong: “Badlock” is a serious vulnerability that deserves expedient patching.
The use of branding is also no guarantee of success in fixing the issue within organizations. Two years after the disclosure of the issue with OpenSSL that’s behind the Heartbleed campaign, servers that are vulnerable are still being discovered during security audits. For such a serious issue – and one where worldwide media attention was used to raise awareness through branding – to still be turning up is a big concern.
Keeping IT systems up to date is a huge part of the IT department’s responsibility to the business. But the sheer number of moving parts that exist across IT can make the update process difficult. Planning ahead is essential, and awareness of issues can help that planning process.
Making use of the efforts of MITRE, and other not-for-profit organisations, is essential, while non-traditional web campaigns can help raise awareness among the wider community of IT professionals that are not IT security specialists continuously looking out for the latest CVE Identifiers.
IT security has to be at the heart of a company’s IT planning, but it seems there is still much more work to be done around vulnerability management on all sides. Risk comes from lack of knowledge – solving this requires more insight into where we are right now, as well as looking to the future.