Full Disclosure: Is It Beneficial? Project Based Information Systems Tim Schultz 12/02/02.


2 Agenda
- What is Full Disclosure
- Pros and Cons of Full Disclosure
- Is Full Disclosure Beneficial
- Conclusions on Full Disclosure

3 Subject
- Is Full Disclosure of vulnerabilities beneficial?
  - "Full Disclosure" is the act of publishing the existence of a technical vulnerability to the general public.
  - By definition, this includes technical details on how to exploit the vulnerability.
  - Sometimes, exploit code is written by the reporter of the vulnerability in order to demonstrate it.

4 Controversy
- Full Disclosure Debate:
  - 1st Position (Pro):
    - Full disclosure forces technology vendors to respond to security issues within their products due to consumer pressure, and it provides users with knowledge in order to gauge risk and protect their systems.
  - 2nd Position (Con):
    - The risk of a vulnerability being exploited is high due to the availability of technical details and/or exploit code. Technology vendors argue that they cannot respond with a fix or recommendation before the vulnerability is widely exploited.

5 Position Statement
- Full Disclosure is necessary in keeping products secure.
- Full Disclosure is necessary in "Open Source" development.
- Full Disclosure forces vendors to respond to vulnerabilities that are found.
- Users of technology can make informed decisions on the security of their systems.
- Limiting disclosure information only benefits technology vendors.
- Limiting vulnerability disclosures will hurt technology users.

6 Full Disclosure is necessary for Open-Source development
- "Open-source" software is developed in a shared fashion, where the underlying code of the software is published, and anyone is invited to participate in its development.
- The public is essentially the "vendor" of open source products. If the public is unaware of the vulnerabilities, then the open source development model fails.
- "Freedom, with regard to [open source] software, includes the freedom to know about (and fix) problems." - http://lwn.net/Articles/2756/, Staff Writer

7 "Full Disclosure" forces vendors to respond
- It used to be common for vendors to resist disclosure of any flaw and try to wait for a new release to resolve a problem...
- "That attitude would have remained unchanged if not for the threat of the vulnerabilities being disclosed." - Daniel Kesl, CSO Newmont Mining (http://www.informationweek.com/story/IWK20010803S0020, article by George V. Hulme)

8 "Full Disclosure" forces vendors to respond, cont'd
- "The time between when a vulnerability is discovered and when it is no longer exploitable can be viewed as a window of opportunity." - Bruce Schneier

9 "Full Disclosure" forces vendors to respond, cont'd
- "The first [method of reducing risk] is to reduce the window [of vulnerability] by limiting the amount of vulnerability information available to the public." - Bruce Schneier

10 "Full Disclosure" forces vendors to respond, cont'd
- "...This might work in theory, but unfortunately it is impossible to enforce in practice. There is a continuous stream of research in security vulnerabilities, and most of this research results in public announcements. Hackers write new attack exploits all the time, and the exploits quickly end up in the hands of malicious attackers." - Bruce Schneier

11 "Full Disclosure" forces vendors to respond, cont'd
- "The second approach is to reduce the window of exposure in time. Since a window remains open until the vendor patches the vulnerability and the network administrator installs the patches, the faster the vendor can issue the patch the faster the window starts closing." - Bruce Schneier

12 "Full Disclosure" forces vendors to respond, cont'd
- "...This also works a lot better in theory than in practice. There are many instances of security-conscious vendors publishing patches in a timely fashion. But there are just as many examples of security vendors ignoring problems, and of network administrators not bothering to install existing patches." - Bruce Schneier

13 "Full Disclosure" forces vendors to respond, cont'd
- "Those advocating full disclosure are right that rapid dissemination of the information benefits everyone, even though some people make ill use of that information. We would be in a much worse position today if vulnerability information were only in the hands of a privileged few." - Bruce Schneier, Founder and CTO Counterpane Internet Security (http://www.counterpane.com/crypto-gram-0009.html)

14 Users can make informed choices for securing their systems
- Vulnerabilities, patches and "workarounds" must be fully understood to make informed decisions on modifying systems.
  - "If we as security administrators/designers are to have any chance of being effective, we need access to as many tools and as much information as is available to the attackers." - posting by "Ben" on SecurityFocus (http://online.securityfocus.com/news/281/comment/8743)

15 Users can make informed choices for securing their systems
- Users of technology can watch for an attempted exploitation of a vulnerability, prevent the exploitation, or react faster when an exploitation occurs.
  - "Thank you for the info. We just took a hit from Code Red and using your write-up were able to quickly contain it and fix the hole." - user "Claymore" to eEye's Marc Maiffret regarding full disclosure of the "Code Red" exploit (http://www.informationweek.com/story/IWK20010803S0020)

16 Limiting disclosure information only benefits technology vendors
- Security software vendors (e.g. Internet Security Systems, Inc. and @Stake) benefit by limiting information disclosure.
  - "It actually benefits security vendors to have limited vulnerability information, because it makes them look better in the eyes of their customers." - Elias Levy, CTO SecurityFocus (http://online.securityfocus.com/news/281, article by Kevin Poulsen)

17 Limiting disclosure information only benefits technology vendors
- Efforts (the most visible being led by Microsoft) are attempting to limit public availability of vulnerability information by forming industry coalitions to control information dispersal.
  - "If it becomes hard to release vulnerabilities, that's a good way for Microsoft to get rid of some embarrassment... people [will] have to do it Microsoft's way or they'll have this group telling them that they're acting irresponsibly." - Marc Maiffret, Co-founder eEye Digital Security (http://online.securityfocus.com/news/281, article by Kevin Poulsen)

18 Limiting vulnerability disclosures will hurt technology users
- Most technology users want to be informed of vulnerabilities in systems that they use, and view it as a type of censorship if this information is "managed".
  - "The consequences of [controlling information] would force us and others in the industry to go underground. The underground would continue to expose vulnerabilities, but only to the underground, and not to the public, keeping this vital information away from the system administrators who most need it." - Stuart McClure & Joel Scambray, authors of Hacking Exposed (http://www.infoworld.com/articles/op/xml/00/08/14/000814opswatch.xml)

19 Conclusion: Is Full Disclosure of vulnerabilities beneficial?
- Full disclosure is necessary in keeping technology products secure.
  - Full disclosure is required in "open-source" development.
  - Full disclosure gives vendors an incentive to fix their products.
  - Users are informed in a timely manner of vulnerabilities in their systems, and may be able to take steps to reduce the risk of exploitation.
  - Only technology vendors benefit from limited disclosure of vulnerability information.
  - Efforts to limit vulnerability information only hurt the consumers of technology.
