Home » Topics » Cybersecurity » “The worst thing an IT company can do is to keep its security flaws secret.”

“The worst thing an IT company can do is to keep its security flaws secret.”

Avatar photoby Ben Rossi

Action..

At the Black Hat security conference in Las Vegas in July 2005, one presentation caused unprecedented excitement. A technical researcher promised to reveal details of a vulnerability in Cisco's Internet Operating System (IOS) – the software that powers most of the Internet's routers. Mike Lynn showed delegates how routers could be vulnerable to attack. It was made more contentious as he had discovered the weakness while working for Internet Security Systems (ISS); his employer had instructed him not to reveal the information.

Lynn had found a way to run ‘attack code' on IOS, which controls millions of Cisco routers across the Internet, using a previously known flaw. Such a technique could have widespread uses, and cause widespread damage.

"I'm probably about to be sued to oblivion, (but) the worst thing is to keep this stuff secret," Lynn told his audience. "I had to quit [my job] to give this presentation because ISS and Cisco would rather the world [was] at risk. They had to do what's right for their shareholders."

Cisco imposed an injunction on Lynn following his presentation, banning him from making any further comment on the flaw, and assured its customers that the flaw was well understood and nothing to worry about. Reaction to Lynn's actions was split between those that think he is helping hackers exploit IOS and those that believed that hackers would already be well aware of the vulnerability and that Lynn was simply informing businesses of a serious flaw.

The commotion that followed quickly blew over, but the episode did raise important questions: What obligation are vendors under to publicise security flaws in their products? Does broadcasting the details of vulnerabilities increase or decrease the chance that someone will abuse them?

Representatives of the industry tend to support the argument that full disclosure of security shortcomings would only make a hacker's work a lot easier. On the side of the customers, though, there is a recognition that the more information they have about security risks, the better equipped they are to tackle them.

   
 

Reaction..

In IT, as in any other industry, if something brakes it should be fixed, says Procter & Gamble's security head David McCaskill. These are his personal views.

"So-called ‘security through obscurity' never works. Determined criminal hackers are underestimated and will launch attacks, while the effectiveness of security technologies and protocols are typically overestimated."

"For most industries, if a flaw or danger is discovered in a product that manufacturer typically initiates a product recall in order to either repair or replace it. IT hardware and software vendors should be held to analogous standards and practices. We, the consumers of their products, should demand it from them."

Publicising security flaws only increases the dangers, says Pieter Kasselman, senior researcher at security technology vendor Cybertrust.

"Cybertrust has a long-held position in favour of responsible disclosure of security vulnerabilities and is against full-disclosure. Full disclosure increases the information security risk to organisations, forcing them into rushed or unplanned remedial action and may leave them vulnerable for longer periods than necessary."

"Vendors should have a responsibility to their customers to respond to vulnerabilities, and should not publicise these vulnerabilities until they have assessed the risks they pose along with an appropriate set of countermeasures."

 

 
   

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Related Stories

Cybersecurity

What can my organisation do about DDoS threats?

Nick Martindale looks into emerging DDoS attacks, what your organisation can do to reduce the threat, and the role that AI could play

Cybersecurity

CrowdStrike – what your organisation should do now

Nick Martindale explores what your organisation could do to handle another incident similar to CrowdStrike

Cybersecurity

Why the next Ashley Madison is just around the corner

Jason Haworth, Chief Product Officer at Botguard, urges businesses to take steps to avoid falling victim to the next big data breach

Cybersecurity

Fully Homomorphic Encryption (FHE) with silicon photonics – the future of secure computing

Nick New, CEO and founder of Optalysys, walks us through the opportunities and challenges in implementing Fully Homomorphic Encryption (FHE)