Welcome to The UltraTech Zone Sign in | Join | Help

Talking Out Loud with ASB

Views on Life, Technology and Everything, by ASB (aka Logik!)...

My Profile

Andrew S. Baker (ASB)


  • Platform: CS v2.1 SP2...

    Get a FREE phishing filter for your domain!

    Who links to my website?

    Pando Pro

To Disclose or not to Disclose

…that is the question.

Every time a software vendor experiences a vulnerability or releases patches for a serious security issue, the debate about Full Disclosure or Responsible Disclosure gains a little more steam.

Full, Responsible or Appropriate DisclosureJust how much information should a vendor disclose about the nature of the vulnerability that it has identified, and how that vulnerability can be exploited?

Many vendors take the position that to disclose details about the information puts their customers at risk, as the bad guys can make better use of the details to exploit the vulnerability.  On the other hand, many security professionals point out that the bad guys are going to reverse engineer the patch *anyway* and are still in a better place to figure out how to use it in the absence of any other information.

Meanwhile, the vendor’s customers typically lack the time and the skill to analyze the provided patch to the same degree, and without any useful disclosure statements, they are left with no way to properly evaluate the threat that the vulnerability poses to their infrastructure, and thus no real options to mitigate the risks to their business.

Back in March of this year, RSA suffered a breach in which they lost significant data related to the implementation of their SecurID two-factor authentication tokens.  Their disclosure statements from that time until now have been notable for how weak, flimsy and generally useless they have been in discussing what actually happened and what exposure this created for users of their SecurID solution.

The recent attacks on Lockheed Martin and Northrop Grumman – both directly facilitated by information obtained via the RSA breach – makes it widely apparent that RSA did not do its customers justice with its original disclosures.  Even if we are willing to assume that RSA had additional conversations with sensitive customers like those in the defense industry, it is hard to argue that the information provided was all that useful, given that, at the time of this writing, attacks were successfully made against at least three (3) contractors in that space.

To me, this begs the following question: 
Does RSA fully understand what they have lost, and how it could be used?

Yes, the issue of disclosure is a sensitive one, and it is important not to feed more bad guys with more information that will allow them to have greater success against the rest of us, but it is abundantly clear that two months of saying essentially nothing is at least just as bad as saying too much, if not worse.

It is still very amazing to me that so many organizations have poor or useless security practices – even those organizations whose business models are very dependent upon good security.

Appropriate disclosure should include not only what is said, but when it is said, by what means it is communicated, and who it is communicated to.  There should be an increasing level of information disclosed as enough time has been given to organizations to implement the initial patches or workarounds, so that the full risk of the threat can be evaluated on a per organization basis.

Disclosure is very much a necessary part of a good security program, and it is clearly lacking by even the most recognized security firms.

What you don’t know *can* hurt you very much, if someone else already knows it…

(Speaking of disclosures, it has just been disclosed that Citigroup suffered a breach in early May that they are only now choosing to disclose. See what I mean about bad security processes by organization’s that should know better?)

Share Post:
Anonymous comments are disabled

About Logik!

Andrew S. Baker aka ASB aka Logik!

Andrew S. Baker is a business-savvy, hands-on IT leader with expertise in mentoring people, mitigating risk, and integrating technology to drive innovation and maximize business results. He creates competitive advantage for organizations through effective IT leadership: implementation of processes and controls, and architecture of robust business solutions.

Mr. Baker has successfully led a number of high-performance technology teams in designing, deploying and maintaining secure, cost-effective computing environments for well-known companies, including Warner Music Group, The Princeton Review, Bear Stearns, About.com, and Lewco Securities.

For over a decade, Andrew has exhibited thought leadership on technology and business topics via mailing lists, technical forums, blogs, and professional networking groups, along with contributions to podcasts, webinars, and over 20 technical/business magazine articles. He also serves on several boards and committees for non-profit organizations, and within the Seventh-day Adventist church.

His personal interests include Astronomy, Basketball, Bible Study, Chess, Comics, Computers, Family Life Ministries, Reading, Strategy/Role Playing games, and Professional Networking...

A summary of Andrew's current résumé is available here, and he can be reached on a variety of social and professional networks, including LinkedIn, Facebook and Twitter.