Calculating Risk in the Era of Obscurity: Reading Between the Lines of Security Advisories

Conference:  Black Hat USA 2022



Flawed vendor practices and incomplete patches are causing a skills gap and costing enterprises money. Enterprises need to be proactive in understanding their assets and patch management, and incentivize vendors to improve their communication and patching policies.
  • The security expertise in organizations has moved on to other areas, widening the skills gap.
  • Vendors see no benefit in being transparent about the security of their products, causing a lack of clear vendor guidance.
  • Enterprises no longer have an easy method to quantify the risk to their systems due to flawed vendor practices.
  • Incomplete patches are costing enterprises real money, and can even increase risk.
  • Enterprises need to be proactive in understanding their assets and patch management, and monitor for revisions and threat landscape changes.
  • Reducing disclosure timelines for bugs resulting from incomplete or faulty patches can incentivize vendors to improve their communication and patching policies.
When analyzing patches, little effort goes into estimating time-to-exploit, the window between a patch's release and a working exploit, yet it can be as little as 48 hours. Enterprises need to be aware of this and shift their resources to combat the latest threats. For example, after the Hacking Team breach several years ago, criminal elements monitored which patches were coming out and which vendors were not good at patching, so they could rework the leaked tooling and release it in their exploit kits.


Compliance with industry standards as well as various government regulations also requires a robust servicing and patching strategy. Beyond compliance, you must understand the risk to your resources from poor servicing. To help with this effort, standards exist for assessing risk. However, vendors can manipulate these standards, which leads to errors when enterprises attempt to gauge risk accurately. Over time, vendors have reduced the clarity of language in their advisories to the point where plain language about a bug no longer exists, leaving network defenders to speculate about the real risk a product poses.

There are occasions when vendors release patches that are nothing more than placebos: patches that make no code changes at all and leave administrators with a false sense of security. Similarly, vendors release incomplete patches that do not properly mitigate the vulnerability. Not only does this leave software in a vulnerable state after applying what should be a fix, it at least doubles the cost of patching, since another patch must be deployed to close the gap left by the first one, and it lengthens the window in which the system can be attacked.

Our conclusions are based on disclosing over 9,500 vulnerabilities over 17 years. This talk provides examples of systemic problems with security patches and how those problems negatively impact enterprise security. We propose methods to incentivize vendors to improve their servicing habits, including alternative disclosure timelines for failed patches. We encourage others disclosing vulnerabilities to adopt similar timelines, and we encourage customers to prioritize purchasing based on how vendors affect their risk through servicing.
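The placebo-patch problem described above suggests a check a defender can run without trusting the advisory text at all: hash every file in a copy of the install tree before and after applying a vendor patch, and see what actually changed. The script below is an added example for this page, not code from the talk, from any vendor or from any real patch; the sample tree, its file contents and the set of "code" suffixes are constructed assumptions for the demonstration. It classifies a patch as a no-op (nothing differs), metadata-only (only non-code files such as a version string differ) or code-changed, which separates a genuine fix from a version bump that changes nothing.

```python
"""Check what a patch actually changed.

Added example for this page (not code from the talk): hashes every file in a
pre-patch and a post-patch copy of an install tree and classifies the patch
as "no-op" (nothing differs), "metadata-only" (only non-code files such as a
version string differ) or "code-changed". The sample tree, the file contents
and the CODE_SUFFIXES set are constructed assumptions for the demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: which file extensions count as executable code for this check.
CODE_SUFFIXES = {".py", ".js", ".c", ".so", ".dll", ".exe", ".jar"}


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_trees(before, after):
    """Diff two trees by content hash and classify the patch."""
    a, b = hash_tree(before), hash_tree(after)
    added = sorted(set(b) - set(a))
    removed = sorted(set(a) - set(b))
    modified = sorted(p for p in a.keys() & b.keys() if a[p] != b[p])
    touched = added + removed + modified
    if not touched:
        verdict = "no-op"
    elif any(Path(p).suffix in CODE_SUFFIXES for p in touched):
        verdict = "code-changed"
    else:
        verdict = "metadata-only"  # e.g. only a version string was bumped
    return {"verdict": verdict, "added": added, "removed": removed, "modified": modified}


def _write_tree(root, files):
    """Materialise {relative_path: text} under root (helper for the demo)."""
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


def demo():
    """Constructed scenario: the same pre-patch tree compared against a placebo
    patch (version bump only) and against a patch that changes the handler."""
    before = {
        "VERSION": "1.0.0\n",
        "app/handler.py": "def handle(name):\n    return open('/srv/' + name).read()\n",
    }
    placebo = dict(before, VERSION="1.0.1\n")  # bumps the version, touches no code
    real = dict(placebo)
    real["app/handler.py"] = (
        "import os\n\n"
        "def handle(name):\n"
        "    full = os.path.realpath(os.path.join('/srv', name))\n"
        "    if not full.startswith('/srv/'):\n"
        "        raise ValueError('path escapes /srv')\n"
        "    return open(full).read()\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        for name, tree in (("before", before), ("placebo", placebo), ("real", real)):
            _write_tree(os.path.join(tmp, name), tree)
        b = os.path.join(tmp, "before")
        return {
            "identical": compare_trees(b, b),
            "placebo": compare_trees(b, os.path.join(tmp, "placebo")),
            "real": compare_trees(b, os.path.join(tmp, "real")),
        }


if __name__ == "__main__":
    for label, report in demo().items():
        print(f"{label:10s} {report['verdict']:14s} modified={report['modified']}")
```

In practice you would point `compare_trees` at a snapshot taken before the patch and the live tree after it; a "metadata-only" or "no-op" verdict on a patch that an advisory claims fixes a vulnerability is the signal to go back to the vendor rather than close the ticket. The check says nothing about whether a "code-changed" patch is complete, so it complements, rather than replaces, retesting the original bug.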