To Disclose or not to Disclose
…that is the question.
Every time a software vendor experiences a vulnerability or releases patches for a serious security issue, the debate about Full Disclosure or Responsible Disclosure gains a little more steam.
Just how much information should a vendor disclose about the nature of the vulnerability that it has identified, and how that vulnerability can be exploited?
Many vendors take the position that to disclose details about the information puts their customers at risk, as the bad guys can make better use of the details to exploit the vulnerability. On the other hand, many security professionals point out that the bad guys are going to reverse engineer the patch *anyway* and are still in a better place to figure out how to use it in the absence of any other information.
Meanwhile, the vendor’s customers typically lack the time and the skill to analyze the provided patch to the same degree, and without any useful disclosure statements, they are left with no way to properly evaluate the threat that the vulnerability poses to their infrastructure, and thus no real options to mitigate the risks to their business.
Back in March of this year, RSA suffered a breach in which they lost significant data related to the implementation of their SecurID two-factor authentication tokens. Their disclosure statements from that time until now have been notable for how weak, flimsy and generally useless they have been in discussing what actually happened and what exposure this created for users of their SecurID solution.
The recent attacks on Lockheed Martin and Northrop Grumman – both directly facilitated by information obtained via the RSA breach – makes it widely apparent that RSA did not do its customers justice with its original disclosures. Even if we are willing to assume that RSA had additional conversations with sensitive customers like those in the defense industry, it is hard to argue that the information provided was all that useful, given that, at the time of this writing, attacks were successfully made against at least three (3) contractors in that space.
To me, this begs the following question:
Does RSA fully understand what they have lost, and how it could be used?
Yes, the issue of disclosure is a sensitive one, and it is important not to feed more bad guys with more information that will allow them to have greater success against the rest of us, but it is abundantly clear that two months of saying essentially nothing is at least just as bad as saying too much, if not worse.
It is still very amazing to me that so many organizations have poor or useless security practices – even those organizations whose business models are very dependent upon good security.
Appropriate disclosure should include not only what is said, but when it is said, by what means it is communicated, and who it is communicated to. There should be an increasing level of information disclosed as enough time has been given to organizations to implement the initial patches or workarounds, so that the full risk of the threat can be evaluated on a per organization basis.
Disclosure is very much a necessary part of a good security program, and it is clearly lacking by even the most recognized security firms.
What you don’t know *can* hurt you very much, if someone else already knows it…
(Speaking of disclosures, it has just been disclosed that Citigroup suffered a breach in early May that they are only now choosing to disclose. See what I mean about bad security processes by organization’s that should know better?)