Miles McQueen, Jason Wright, Lawrence Wellman, Idaho National Laboratory and University of Idaho, September 2011, Banff MetriSec: Are Vulnerability Disclosure Deadlines Justified?
Miles McQueen, Jason Wright, Lawrence Wellman Idaho National Laboratory and University of Idaho September, 2011 Banff Metrisec Are Vulnerability Disclosure Deadlines Justified? Critical Infrastructure and Control Systems Security

2 How long should vendors be given? Security firm positions…
 "…Rapid7, where HD Moore is Chief Security Officer and Chief Architect of Metasploit, recently revamped their disclosure policy. In short, they will hold a vulnerability for 15 days after contacting the vendor, before sending it to CERT, who will give the vendor another 45 days to address the issue…." --- The Tech Herald, August 2010
 "…the Zero Day Initiative (ZDI), part of Hewlett-Packard / TippingPoint, has announced that, with immediate effect, it will limit the period for developing security updates to six months. However, the ZDI says that it will grant extensions to this deadline in special cases…." --- The H Security, August 2010
 "Serious bugs should be fixed within a reasonable timescale. Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software. This time scale is only meant to apply to critical issues." --- Chris Evans et al., Google Security Team, July 2010
 "All vulnerabilities reported to the CERT/CC will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors. Extenuating circumstances, " --- CERT/CC 2008
 "The best way is to quietly disclose the problem to the vendor and then allow the vendor 30 days to fix the problem. Then go public." --- Phil Zimmermann 2005

3 How long before reported vulnerabilities have patches made available? (1) Pwn2Own

Daniel Veditz (Security Group Moderator, Mozilla Corporation), :17:16 PDT: "jst said to start with Neil. Since this is a high profile bug (Firefox cracked during a public hacking contest) we need to focus on it. If we had a fix I'd like to shoehorn it into even though we're past code freeze (April release) but May's is more realistic. Needs to make 3.5b4."

Pwn2Own
Lifespan (days) | Product            | Year | CVE
8               | Apple QuickTime    | 2007 | CVE
                | Firefox            | 2010 | CVE
                | *Firefox           | 2009 | CVE
                | Safari             | 2010 | CVE
                | Safari (WebKit)    | 2008 | CVE
                | Safari (WebKit)    | 2009 | CVE
                | Mac OS X           | 2009 | CVE
                | Adobe Flash Player | 2008 | CVE
                | Safari (WebKit)    | 2010 | CVE
                | IE8                | 2009 | CVE
                | IE8                | 2010 | CVE
                | IE8                | 2010 | CVE
                | Safari             | 2009 | CVE
                | Safari             | 2009 | CVE
                | IE8                | 2009 | CVE

Table note: +These vulnerabilities are not listed in ZDI, and their NVD descriptions indicate different situations, e.g. one CVE indicates "Unspecified Vulnerability in …" while another CVE indicates "Heap-based buffer overflow… via unknown vectors…". Thus it is not at all clear what is happening with these vulnerabilities.

Hmmm

4 How long before reported vulnerabilities have patches made available? (3)
Summary:
 Pwn2Own: high visibility, few vulnerabilities, quick fix
 ZDI and iDefense: some visibility, many vulnerabilities, slower fix
 Other vulnerabilities: little if any visibility, large number of vulnerabilities, slowest fix?

August 4, 2010 ZDI imposes a 6 month Grace Period (1a) What happened to initial pool of unresolved vulnerabilities?
[Timeline: August 4, 2010, ZDI announces 6 month grace period, effective immediately; ~6 months; February 4, 2011. Initial pool of 172 previously reported vulnerabilities.]
Grace period is the amount of time the security researcher allots to the vendor for providing a fix, after which the researcher may independently announce the vulnerability.

August 4, 2010 ZDI imposes a 6 month Grace Period (1b) What happened to initial pool of unresolved vulnerabilities?

August 4, 2010 ZDI imposes a 6 month Grace Period (2a) Did more vulnerabilities have patches available within 6 months?

August 4, 2010 ZDI imposes a 6 month Grace Period (2b) Did more vulnerabilities have patches available within 6 months?

August 4, 2010 ZDI imposes a 6 month Grace Period (2c) Did more vulnerabilities have patches available in 6 months?
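As an added example (not code from the slides or from the authors), the script below computes the two quantities the Pwn2Own lifespan table and the grace-period slides above rely on: the lifespan in days from report to public patch, right-censored for reports still unpatched at the observation date, and the fraction of a pool patched within a given grace period, split by whether the report predates the August 4, 2010 policy change. The advisory ids, report and patch dates, and the observation date are all constructed for the example; the real pool of 172 ZDI cases is not reproduced.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Optional

# ZDI announced the 6 month grace period on this date (from the slides).
POLICY_DATE = date(2010, 8, 4)
# Constructed observation date for the example; the study's own cut-off was ~Feb 2011.
OBSERVATION_DATE = date(2011, 8, 1)
SIX_MONTHS = 180  # days


@dataclass(frozen=True)
class Report:
    ident: str               # hypothetical advisory id, not a real ZDI or CVE number
    reported: date           # day the researcher notified the vendor
    patched: Optional[date]  # day a fix was public; None if still unpatched


# Constructed sample pool; not the 172 real ZDI cases from the slides.
SAMPLE = [
    Report("X-01", date(2010, 3, 1), date(2010, 5, 20)),    # 80 days
    Report("X-02", date(2010, 4, 15), date(2011, 1, 10)),   # 270 days
    Report("X-03", date(2010, 6, 1), None),                 # still open
    Report("X-04", date(2010, 7, 20), date(2011, 1, 31)),   # 195 days
    Report("X-05", date(2010, 9, 1), date(2010, 10, 1)),    # 30 days
    Report("X-06", date(2010, 10, 10), date(2011, 3, 15)),  # 156 days
    Report("X-07", date(2010, 12, 1), date(2011, 7, 1)),    # 212 days
    Report("X-08", date(2011, 1, 5), None),                 # still open
]


def lifespan_days(r: Report, as_of: date) -> int:
    """Days from report to patch. A report still unpatched at as_of (or patched
    only later) is right-censored: it has lived at least as_of - reported days."""
    if r.patched is not None and r.patched <= as_of:
        return (r.patched - r.reported).days
    return (as_of - r.reported).days


def patched_within(r: Report, grace_days: int, as_of: date) -> Optional[bool]:
    """True if a patch was public by report + grace, False if the deadline
    passed without one, None if the deadline is still in the future at as_of
    (not yet decidable, so it must not be counted either way)."""
    due = r.reported + timedelta(days=grace_days)
    if r.patched is not None and r.patched <= due:
        return True
    if as_of < due:
        return None
    return False


def summarize(pool, grace_days: int, as_of: date) -> dict:
    """Fraction of decidable reports patched within grace, plus median lifespan."""
    decided = [v for v in (patched_within(r, grace_days, as_of) for r in pool)
               if v is not None]
    spans = [lifespan_days(r, as_of) for r in pool]
    return {
        "n": len(pool),
        "decided": len(decided),
        "fraction_within": sum(decided) / len(decided) if decided else None,
        "median_lifespan": median(spans) if spans else None,
    }


def by_policy(pool, grace_days: int, as_of: date,
              policy_date: date = POLICY_DATE) -> dict:
    """Split the pool into reports made before and after the policy change."""
    before = [r for r in pool if r.reported < policy_date]
    after = [r for r in pool if r.reported >= policy_date]
    return {"before": summarize(before, grace_days, as_of),
            "after": summarize(after, grace_days, as_of)}


if __name__ == "__main__":
    # Compare the 45 and 60 day deadlines from slide 2 with ZDI's 6 months.
    for grace in (45, 60, SIX_MONTHS):
        print(grace, by_policy(SAMPLE, grace, OBSERVATION_DATE))
```

The censoring and the "not yet decidable" case matter for exactly the situation on these slides: the analysis was run about six months after the policy date, so reports made shortly before the cut-off cannot be counted as either patched or unpatched within a 180 day window without biasing the fraction.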

10 Conclusion and future work
 Conclusion
  - The 6 month imposed grace period did impact vendor patch creation time
  - There may be some end user cost associated with the imposed grace period
  - 45 and 60 day grace periods are problematic
 Future Work
  - Are statistics stable over time?
  - Embracing diversity
  - Implications to control system disclosure process