We all must have heard of WannaCry and NotPetya, which have been around for almost two months. I bet some of us are still dealing with the aftermath, and I wonder whether any of us have paused to reflect on what happened. When I speak to customers, partners, or security professionals, many agree, often discreetly, that there is very little we can do to change the status quo. Advisories and other so-called expert papers may conclude that the best solution is to apply vendor patches as soon as they are released. Nonetheless, I know many of us can cite traumatic battle stories of routine patch applications that went haywire.
Looking back at these ransomware outbreaks, the best prevention mechanism is indeed to keep our systems up to date. The current trend suggests that threat epidemics now rely less on identifying and exploiting zero-day vulnerabilities. This is probably attributable to better development practices that make high-risk vulnerabilities harder to find. Instead, many threats now exploit vulnerabilities for which a patch already exists, taking advantage of the time lapse between the release of a patch and its application. Where that is not the case, vendors have been able to release patches just in time, before a threat reaches pandemic scale.
We have been through a long journey to consolidate our mechanisms for discovering and reporting vulnerabilities. Driven by the bug-bounty ecosystem, many platforms are now available to coordinate vulnerability handling. One benefit of these platforms is that they quickly identify the affected vendors, which accelerates security patch development. Of course, beyond the bounty hunters, we also observe many state-sponsored hacks. Cyber warfare often weaponizes unknown vulnerabilities, and this becomes most dangerous when that information leaks accidentally.
The bottom line is that there are many players in the picture of vulnerability management. To date, stakeholders have adopted no standard practice for how a vulnerability should be managed. Part of the reason could be a lack of incentive to standardize such a procedure; there is also a general lack of literature describing the different variants and use cases for coordinating vulnerability disclosure. Most recently, FIRST announced the release of its Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure. The document is a compelling attempt to describe the different scenarios for engaging the various players in managing vulnerability disclosure.
Our industry requires a revolution. We need to rethink how we manage security in our increasingly information-driven society. There is no silver bullet. Many companies may promise superior solutions driven by business interest, yet that does not break the cynical cycle in which our infrastructure is always under the shadow of the next WannaCry or Petya.