18 March 2017

Rand finds that unknown ‘zero-day’ flaws hang around a long time

BY DUNCAN RILEY

New research has found that zero-day flaws — that is, holes in software that are unknown to suppliers and can be exploited by hackers — live a long time.

The flaws have an average life expectancy of 6.9 years, according to a new study of more than 200 zero-day flaws obtained from a vulnerability research group by the Rand Corporation. The study also found that, once discovered, they get exploited quickly, on average within 22 days.

The findings also found that 25 percent of zero-day flaws do not survive to 1.51 years, but conversely 25 percent live more than 9.5 years, leaving wide-open holes in software used by corporations and government agencies alike for nearly a decade.

Whether zero-day vulnerabilities should be disclosed or not was also pondered in the study, albeit with no definite recommendation.

“Looking at it from the perspective of national governments, if one’s adversaries also know about the vulnerability, then publicly disclosing the flaw would help strengthen one’s own defense by compelling the affected vendor to implement a patch and protect against the adversary using the vulnerability against them,” the study notes. “On the other hand, publicly disclosing a vulnerability that isn’t known by one’s adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability, while still keeping an inventory of vulnerabilities of which only it is aware of in reserve. In that case, stockpiling would be the best option.”

The focus on government, which comes following the recent publication by Wikileaks of details of the Central Intelligence Agency’s hacking program, is a running theme throughout the study. It’s often governments that first discover zero-day vulnerabilities and exploit them, although as The Intercept points out, the U.S. government has long insisted that it discloses more than 90 percent of the vulnerabilities it finds or purchases. It also says that those it doesn’t disclose initially get reviewed on a regular basis to reevaluate if they should be disclosed.

For all that, the study notes that cybercriminals tend to focus more on known vulnerabilities in software rather than zero-day flaws. “Only a very small portion of the black markets deals with zero-day vulnerabilities and exploits — which have little value for mass market malware, much less ordinary cybercrime,” the study noted.

The advice for software vendors isn’t put gently. The study suggests they will have to take the hard road and get smarter about every aspect of their information security, bug-discovery and remediation practices. In particular, simply trying to spot flaws in their own code before bug hunters come calling isn’t a good strategy, and neither are fallback strategies such as “patch and pray” and “just bolt-on security.”

“Companies might not want to hear that,” the study concludes. “That’s because it’s costly to have to start from scratch and build infrastructure from the ground up, thinking about security every step of the way.”

No comments: