How to attack security issues like Google and Microsoft just did
Experts in the computer security community, which applauded Google and Microsoft for rapidly addressing two significant security vulnerabilities this month, worry that not enough software makers are following in their footsteps.
In Google’s case, a clever phishing attack on Wednesday, May 3, that looked like an email notification from Google Docs was actually a malicious worm designed to steal victims’ contact lists when they clicked on a link in the message. The same day, Google shut down the sites on which the phishing attack relied to steal users’ Google account credentials. It also removed permissions associated with the worm from victims’ accounts to prevent them from being reused in another attack.
Two days later, Google’s Project Zero, a security group dedicated to finding previously unknown flaws, or zero days, in other companies’ software and encouraging them to quickly fix them, notified Microsoft of a security hole in its built-in, default security software, Windows Defender, so severe that the researchers who found it called it the “worst” bug of its kind ever seen in Windows.
By Monday, Microsoft had a patch ready for consumers to install on their Windows computers.
“These are two examples of amazing vendor response,” says Jonathan Cran, vice president of product at Bugcrowd, a security company that helps other companies create and manage systems known as bug bounties for hiring independent hackers to find flaws in their software.
“Most companies are not going to be able to respond that quickly,” adds Chris Eng, vice president of research at software evaluation company Veracode. “They don’t have enough maturity or resources.”
While Cran says programs like penetration testing and bug bounties can help reduce the number of vulnerabilities in software before they get used in an attack, he acknowledges that not every company, and certainly not small startups tight on cash, can create the robust security teams like those at Google and Microsoft.
“The framework tries to address regulating too broadly by providing flexibility. It doesn’t mandate a particular setup or technology for entities that follow it.”—Harley Geiger, director of public policy, Rapid7
But at a growing number of organizations, including hospitals and carmakers, Cran cautions, “if you don’t fix [a vulnerability] fast, people can get killed.”
The businesses themselves can also get killed—figuratively, at least. A 2015 Kaspersky Lab survey of 5,500 companies in 26 countries found that on average, attack recoveries cost enterprise businesses more than $550,000, and small businesses $38,000, per incident.
Smaller companies, including manufacturers of products that use “smart” software, should develop thoughtful security plans to protect their customers from previously unknown vulnerabilities. Toymakers, such as those behind ToyTalk and Hello Barbie, are now setting up vulnerability disclosure programs—but only after suffering breaches that made headline news.
“You don’t have to pay for bugs,” Cran says. “You do have to have a vulnerability disclosure channel, and you have to plan a reasonable response time.”
That pathway, says Harley Geiger, director of public policy at Rapid7, could wind up as part of the U.S. government’s guidelines for how its agencies—including the Office of Personnel Management, which suffered a catastrophic breach in 2015—handle security holes found in its software.
One important change under consideration for the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity would mandate federal agencies to create vulnerability disclosure programs. These programs would be designed to help agency tech experts manage security flaws found by independent security researchers and private companies.
“It would be a significant step forward not only for government agencies, but for private sector entities that follow the framework, whether they manage critical infrastructure or not,” Geiger says. “The framework tries to address regulating too broadly by providing flexibility. It doesn’t mandate a particular setup or technology for entities that follow it.”
The NIST framework, established by the Obama administration in 2013, is important enough to cybersecurity that it was a major part of the cybersecurity executive order that President Donald Trump signed last Thursday.
“Having processes in place to receive and vet vulnerabilities, and coordinating in a way that’s acceptable to both sides, is critical.”—Chris Eng, vice president of research, Veracode
Proposed changes to the framework could help smaller organizations with fewer resources understand the importance of improving their vulnerability disclosure procedures, Geiger says. If approved, those changes could help answer a growing number of calls by hackers for more regulation of security practices.
At a basic level, Eng says, companies need to have a dedicated email address to receive security vulnerability notifications from researchers outside the company—and they need to have somebody to manage that inbox so that the highest-priority issues get to the company’s security team fastest.
“Having processes in place to receive and vet vulnerabilities, and coordinating in a way that’s acceptable to both sides, is critical,” he says. “Every time you have to figure out what to do, you lose time” and put consumers at greater risk.
Organizations also need to reconsider how often they patch vulnerabilities, he says. Take too long to release a security patch, and you expose your users to malicious hackers. Push out an update too fast, and it can wreak havoc on users’ computers and drive them to your competitors.
“You could literally kill your business with an auto-update that goes bad,” Cran says.
Yet another challenge in getting companies to respond faster to vulnerabilities is that there’s no standardized guideline for gauging an appropriate response time. While Google’s Project Zero has determined that vulnerabilities it finds should be patched generally within 90 days of disclosure, that’s not a timeframe accepted by all or even many vendors. Microsoft disputed with Project Zero last year over when Google should publicly reveal a security vulnerability in a competitor’s software.
Forcing companies to improve how they handle vulnerability disclosures for software pieced together from open-source projects and proprietary code, as most modern software is, won’t be easy, says Eng, but is absolutely necessary to ensure that companies get faster at fixing critical security flaws.
“It doesn’t matter who wrote the code. It just matters that my product includes it,” he says. “That’s where companies don’t do well.”