http://www.theregister.co.uk/content/8/18493.html
By: Thomas C Greene in Washington
Posted: 24/04/2001 at 20:08 GMT
The long-debated question of whether software and network
vulnerability data should be shared freely and immediately re-surfaced
recently, as Carnegie Mellon University's CERT Coordination Center
(CERT/CC), formerly the Computer Emergency Response Team (CERT),
announced hooking up with a private-industry organization called the
Internet Security Alliance to make its advance alerts and
vulnerability database immediately available to members.
Several press reports have suggested that the publicly-funded CERT/CC
will be making its database available to those willing to pony up
anywhere between $2,500 and $50,000 annually for some manner of
subscription service, but this isn't quite right. CERT/CC won't be
collecting money directly in exchange for services; the costs cited
are actually the ISA membership fees, which vary according to the size
of the company seeking to join.
ISA member companies, which include NASDAQ, Mellon Financial Services,
AIG, TRW and VeriSign, will have access to the CERT/CC database, or
Vulnerability Catalog as it's called, via a secure distribution
network, so long as they're willing to sign and abide by a
non-disclosure agreement. Members will also receive advance
vulnerability reports, and have the opportunity to share such
information with one another in confidence.
Previously, CERT had maintained a policy of sharing software
vulnerabilities immediately with the two US government bodies which
support it, the US Defense Information Systems Agency (DISA) and the
US General Services Administration (GSA), and with the software
companies concerned. After forty-five days, during which the software
vendor was assumed to be fixing its product, the group typically would
make abstracts of the vulnerabilities public on its Web site.
CERT/CC says it will not use its public funding to offer new services
to private companies, and notes that the cost of making the database
available to the private sector will come out of the Alliance's
membership fees.
Full Disclosure
That said, CERT still has its detractors among Internet security
specialists, many of whom question the fairness of making current
threat information which affects all Net users and systems
administrators available to a select few, while everyone else must
wait over a month for the free abstracts.
"The CERT venture will cost organizations upwards of $2500 per year
for ... services that are available for free or little cost elsewhere,"
Richard Forno, former Chief Security Officer of Network Solutions
(NSI), writes in a nice rant posted at Infowarrior.org.
"For small companies without dedicated security staffs -- who don't
know where to look for security vulnerability information elsewhere on
the Internet and thus rely on CERT advisories as their sole security
information -- not being able to participate in the ISA means that
they are at a comparative disadvantage to larger companies that can
afford such luxuries," Forno observes.
Indeed, a number of security-oriented sites do offer free
vulnerability information, often as soon as it's reported. Though many
make their full database available as a pay service, it's also true
that essential information gets into the public domain notably faster
than it does through CERT/CC, and can give a sysadmin a useful
heads-up.
Those who advocate full and immediate disclosure maintain that by
concealing a vulnerability long enough to enable the vendor to patch
it, CERT/CC needlessly exposes the general Net population to
exploitation through a hole of which they are blissfully ignorant.
On the other hand, publicizing a vulnerability before a fix is
available does make it easy for would-be attackers to discover and
exploit flaws they otherwise wouldn't have learned about.
"We do know that we usually see a large increase in attacks that
exploit a particular vulnerability shortly after information about
that vulnerability becomes public," CERT/CC Director Rich Pethia told
The Register.
Pethia says that CERT/CC's own experience suggests that the danger
from publicizing an un-patched flaw is greater than the danger from
keeping it under wraps.
"While there are strong opinions on both sides of the debate, not all
these opinions are supported by empirical data," he said.
"We believe, in the absence of data that demonstrates that attacks are
in progress, that the lower risk approach is to publicly release
vulnerability data once the technology vendors, or others in the
technical community, have had at least an opportunity to find
corrections or work-arounds."
So for CERT/CC the crucial question is whether it can be proved that
full, immediate disclosure actually reduces exploitation in the real
world, on the theory that forewarned is forearmed.
We don't pretend to know the answer to that one, but we'd be happy to
hear from readers who think they do.