Recent years have seen the number of reported IT industry vulnerabilities rise at an alarming rate. The European Union Agency for Network and Information Security (ENISA) Good Practice Guide on Vulnerability Disclosure published in December 2015 reports a year-on-year increase of approximately 53 percent between 2013 and 2014. High-profile vulnerabilities to emerge in this period have included Heartbleed, POODLE, Shellshock and Sandworm. Together they have had such far-reaching consequences that the debate surrounding vulnerability disclosure and best practice has re-opened.
One of the consequences is that the EU is striving to achieve more consistency in data protection regulation across Europe as well as help organisations reduce their exposure to data privacy risks. This is reflected in the new EU regulatory framework, agreed in December 2015, which now requires organisations to respond to vulnerabilities more quickly and notify authorities of a data breach within 72 hours. It also requires companies to establish a single national office for handling data protection issues. EU General Data Protection Regulation, or GDPR, is a game-changer for European companies in terms of transparency and accountability. Some of the most notable changes include increased fines for non-compliance, stricter regulations around data consent and the right of individuals to request that their personal data be deleted.
Disclosure of industry-wide vulnerabilities such as Heartbleed is governed by a complex web of often conflicting stakeholder interests from software vendors, security service providers and independent programmers searching for bugs on one side to the general public and the media on the other. As a result, it is extremely challenging to coordinate the entire process. For example, public disclosure of a new vulnerability can land individual whistleblowers in legal hot water – the potential violation of not just civil and criminal laws but also contract, licencing, patent and other types of legislation has to be considered.
Furthermore, mistakes by developers due to market pressures or insufficient testing can lead to flaws being concealed in software unwittingly making vendors and their customers vulnerable to cyber-attack. The threat landscape will continue to evolve, so it becomes extremely important that stakeholders work together to overcome the challenges and adopt vulnerability disclosure practices that help minimise damage and strengthen security. Among the top measures we recommend are:
- Follow existing industry guidelines – There is no need to reinvent the wheel. Official documents, such as Organisation of Internet Safety document (OIS) and ISO standards, often provide a set of useful guidelines on how to carry out responsible disclosure and set up a viable vulnerability disclosure policy. It is essential that key stakeholders are familiar with these documents, especially those charged with creating a vulnerability-handling scheme. At the same time, the wider community needs to put the industry under pressure to adhere to these documents to improve disclosure practices.
- Establish effective lines of communication - This involves three sub-practices. Firstly, vendors should have a clear and reachable point of contact to deal with vulnerability reports to prevent reporters from spending time and resources to find right contact. Secondly, vendors should have a viable disclosure policy in place and ensure it contains information about the primary point of contact, information required from reporters, vulnerability response mechanisms and timeline of the process. Finally, regular communication with key stakeholders will make the disclosure process more transparent and manageable, as well as ensure it does not lead to unexpected outcomes.
- Distribute information about vulnerabilities – It is vital that regular users of products or services are encouraged to spread information about vulnerabilities. Details about the vulnerability and its solution, if available, should be disseminated to inform users of any developments and give them an opportunity to protect themselves. The decision on how much information should be made public should be agreed to by all stakeholders on a case by case basis.
- Address vulnerabilities in a timely manner - There is a consensus among practitioners that timeliness is a vital part of vulnerability disclosure. Without such pressure certain vendors may postpone fixing vulnerabilities indefinitely. Compelling vendors to develop a solution within a short timeframe makes them act more efficiently, for example they cannot opt to just “sit” on a vulnerability for months. To further reduce risks associated with disclosure of unfixed vulnerabilities, the vendor community and reporters need to agree what constitutes a reasonable timeframe for addressing a particular problem.
- Reporting and disclosure should be flexible – There is no “one size fits all” rule when it comes to vulnerability disclosure. It is therefore essential to be flexible about how a problem is reported and subsequently treated. Flexibility ought to be a two-way street to ensure there is common ground for achievement of the ultimate outcome. For example, flexibility is a vital aspect of patching within a critical network infrastructure, which may require more time for vendors to develop a patch due to its complexity.
In conclusion, new EU data protection regulation with its emphasis on consistency, transparency and accountability is a game changer for established vulnerability practices which have traditionally relied on a haphazard mix of goodwill, expedience and bug bounty programmes to keep us all protected. However, in order to meet the new vulnerability disclosure challenge successfully it is incumbent on all stakeholders to work together to disclose flaws in the most effective and timely manner. At the same time there has to be greater clarity in the legal landscape to ensure vulnerability reporting does not fall hostage to the interests of criminal or civil law.
Contributed by Michael Fimin, CEO, Netwrix