Presentation is loading. Please wait.

Presentation is loading. Please wait.

Miles McQueen, Jason Wright, Lawrence Wellman Idaho National Laboratory and University of Idaho September, 2011 Banff Metrisec Are Vulnerability Disclosure.

Published byMya Yarberry Modified over 9 years ago

Similar presentations

Presentation on theme: "Miles McQueen, Jason Wright, Lawrence Wellman Idaho National Laboratory and University of Idaho September, 2011 Banff Metrisec Are Vulnerability Disclosure."— Presentation transcript:

1 Miles McQueen, Jason Wright, Lawrence Wellman Idaho National Laboratory and University of Idaho September, 2011 Banff Metrisec Are Vulnerability Disclosure Deadlines Justified? Critical Infrastructure and Control Systems Security

2 2 How long should vendors be given? Security firm positions…  “…Rapid7, where HD Moore is Chief Security Officer and Chief Architect of Metasploit, recently revamped their disclosure policy. In short, they will hold a vulnerability for 15 days after contacting the vendor, before sending it to CERT, who will give the vendor another 45 days to address the issue….” ---The Tech Herald, August 2010  “…the Zero Day Initiative (ZDI), part of Hewlett-Packard / TippingPoint, has announced that, with immediate effect, it will limit the period for developing security updates to six months. However, the ZDI says that it will grant extensions to this deadline in special cases….” --- The H Security, August 2010  “Serious bugs should be fixed within a reasonable timescale. Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software. This time scale is only meant to apply to critical issues. “ --Chris Evans etal, Google security Team, July 2010  “All vulnerabilities reported to the CERT/CC will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors. Extenuating circumstances, ” --CERT/CC 2008  "The best way is to quietly disclose the problem to the vendor and then allow the vendor 30 days to fix the problem. Then go public,“ --Phil Zimmermann 2005

3 3 How long before reported vulnerabilities have patches made available? (1) Pwn2Own 2007-20010  Daniel Veditz (Security Group Moderator, Mozilla Corporation) 2009-03-23 14:17:16 PDT jst said to start with Neil. Since this is a high profile bug (Firefox cracked during a public hacking contest) we need to focus on it. If we had a fix I'd like to shoehorn it into 1.9.0.8 even though we're past code freeze (April release) but May's 1.9.0.9 is more realistic. Needs to make 3.5b4. Table Note: +These vulnerability are not listed in ZDI and each of their NVD descriptions indicate different situations e.g. CVE-2010-1118 indicates “Unspecified Vulnerability in …” while CVE-2010-1117 indicates “Heap-based buffer overflow… via unknown vectors…”. Thus it is not at all clear what is happening with these vulnerabilities. Pwn2Own Lifespan (days)ProductYearCVE 8Apple QuickTime2007CVE-2007-2175 10Firefox2010CVE-2010-1121 11*Firefox2009CVE-2009-1044 19Safari2010CVE-2010-1120 20Safari (WebKit)2008CVE-2008-1026 55Safari (WebKit)2009CVE-2009-0945 55Mac OS X2009CVE-2009-0154 61Adobe Flash Player2008CVE-2007-6019 72Safari (WebKit)2010CVE-2010-1119 83IE82009CVE-2009-1532 310+IE82010CVE-2010-1118 310+IE82010CVE-2010-1117 676+Safari2009CVE-2009-1060 676+Safari2009CVE-2009-1042 676+IE82009CVE-2009-1043 45 60 180 Hmmm

4 4 How long before reported vulnerabilities have patches made available? (3) Summary: Pwn2own---high visibility, few vulnerabilities---quick fix ZDI and iDefense--- some visibility, many vulnerabilities---slower fix Others vulnerabilities---little if any visibility, large number of vulnerabilities---slowest fix?

5 August 4, 2010 ZDI imposes a 6 month Grace Period (1a) What happened to initial pool of unresolved vulnerabilities? August 4, 2010 ZDI announces 6 month grace period, Effective immediately Time February 4, 2011 ~6 months Initial pool of 172 previously reported vulnerabilities Grace period is the amount of time the security researcher allots to the vendor for providing a fix, after which the researcher may independently announce the vulnerability.

6 August 4, 2010 ZDI imposes a 6 month Grace Period (1b) What happened to initial pool of unresolved vulnerabilities?

7 August 4, 2010 ZDI imposes a 6 month Grace Period (2a) Did more vulnerabilities have patches available within 6 months?

8 August 4, 2010 ZDI imposes a 6 month Grace Period (2b) Did more vulnerabilities have patches available within 6 months?

9 August 4, 2010 ZDI imposes a 6 month Grace Period (2c) Did more vulnerabilities have patches available in 6 months?

10 10 Conclusion and future work  Conclusion  The 6 month imposed grace period did impact vendor patch creation time  There may be some end user cost associated with the imposed grace period  45 and 60 day grace periods are problematic  Future Work  Are statistics stable over time  Embracing diversity  Implications to control system disclosure process

Download ppt "Miles McQueen, Jason Wright, Lawrence Wellman Idaho National Laboratory and University of Idaho September, 2011 Banff Metrisec Are Vulnerability Disclosure."

Similar presentations

A Model for When Disclosure Helps Security: What is Different About Computer & Network Security? Peter P. Swire Ohio State University George Mason CII.

A Model for When Disclosure Helps Security: What is Different About Computer & Network Security? Peter P. Swire Ohio State University George Mason CII.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
On the Privacy of Private Browsing Kiavash Satvat, Matt Forshaw, Feng Hao, Ehsan Toreini Newcastle University DPM’13.

On the Privacy of Private Browsing Kiavash Satvat, Matt Forshaw, Feng Hao, Ehsan Toreini Newcastle University DPM’13.
RBA Securitisation System Technical Delivery Forum

RBA Securitisation System Technical Delivery Forum
USING EMET TO DEFEND AGAINST TARGETED ATTACKS PRESENTED BY ROBERT HENSING – SENIOR CONSULTANT – MICROSOFT CORPORATION MICHAEL MATTES – SENIOR CONSULTANT.

USING EMET TO DEFEND AGAINST TARGETED ATTACKS PRESENTED BY ROBERT HENSING – SENIOR CONSULTANT – MICROSOFT CORPORATION MICHAEL MATTES – SENIOR CONSULTANT.
April 18, 2012. Updates Reminders Other Services.

April 18, Updates Reminders Other Services.
OASIS PKI Action Plan – Overcoming Obstacles to PKI Deployment and Usage Steve Hanna, Co-Chair, OASIS PKI Technical Committee.

OASIS PKI Action Plan – Overcoming Obstacles to PKI Deployment and Usage Steve Hanna, Co-Chair, OASIS PKI Technical Committee.
Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer.

Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer.
Using InCommon Client Certs for eduroam Jeff Hagley and Ryan Martin October 3 rd, 2011 Internet2 Fall Member Meeting.

Using InCommon Client Certs for eduroam Jeff Hagley and Ryan Martin October 3 rd, 2011 Internet2 Fall Member Meeting.
1 An Empirical Analysis of Vendor Response to Vulnerability Disclosure Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang Carnegie Mellon University.

1 An Empirical Analysis of Vendor Response to Vulnerability Disclosure Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang Carnegie Mellon University.
P REDICTING ZERO - DAY SOFTWARE VULNERABILITIES THROUGH DATA - MINING --T HIRD P RESENTATION Su Zhang 1.

P REDICTING ZERO - DAY SOFTWARE VULNERABILITIES THROUGH DATA - MINING --T HIRD P RESENTATION Su Zhang 1.
An Empirical Study of Vulnerability Rewards Programs Matthew Finifter, Devdatta Akhawe, David Wagner UC Berkeley.

An Empirical Study of Vulnerability Rewards Programs Matthew Finifter, Devdatta Akhawe, David Wagner UC Berkeley.
Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.

Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.
K E M A, I N C. NERC Cyber Security Standards and August 14 th Blackout Implications OSI PI User Group April 20, 2004 Joe Weiss

K E M A, I N C. NERC Cyber Security Standards and August 14 th Blackout Implications OSI PI User Group April 20, 2004 Joe Weiss
Who Should be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments Terrence August Rady School of Management,

Who Should be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments Terrence August Rady School of Management,
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
A Large Scale Exploratory Analysis of Software Vulnerability Life Cycles Muhammad Shahzad Dept. of Computer Science and Engineering Michigan State University.

A Large Scale Exploratory Analysis of Software Vulnerability Life Cycles Muhammad Shahzad Dept. of Computer Science and Engineering Michigan State University.
OSG Area Coordinators Meeting Security Team Report Kevin Hill 08/14/2013.

OSG Area Coordinators Meeting Security Team Report Kevin Hill 08/14/2013.
Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness Ranran (Monica) Bian UPI: rbia002 Faculty of Science – Computer.

Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness Ranran (Monica) Bian UPI: rbia002 Faculty of Science – Computer.
Adam L. Jacobs, CISSP Principal Program Manager, Oracle 15/16 November 2005 Why is Commercial Software So Vulnerable (and How Can We Fix It)?

Adam L. Jacobs, CISSP Principal Program Manager, Oracle 15/16 November 2005 Why is Commercial Software So Vulnerable (and How Can We Fix It)?

Similar presentations

Ads by Google