[ISN] CERT defends vulnerability info restrictions

From: InfoSec News (isnat_private)
Date: Tue Apr 24 2001 - 17:26:14 PDT

    http://www.theregister.co.uk/content/8/18493.html
    
    By: Thomas C Greene in Washington
    Posted: 24/04/2001 at 20:08 GMT
    
    The long-debated question of whether software and network
    vulnerability data should be shared freely and immediately re-surfaced
    recently, as Carnegie Mellon University's CERT Coordination Center
    (CERT/CC), formerly the Computer Emergency Response Team (CERT),
    announced hooking up with a private-industry organization called the
    Internet Security Alliance to make its advance alerts and
    vulnerability database immediately available to members.
    
    Several press reports have suggested that the publicly-funded CERT/CC
    will be making its database available to those willing to pony up
    anywhere between $2,500 and $50,000 annually for some manner of
    subscription service, but this isn't quite right. CERT/CC won't be
    collecting money directly in exchange for services; the costs cited
    are actually the ISA membership fees, which vary according to the size
    of the company seeking to join.
    
    ISA member companies, which include NASDAQ, Mellon Financial Services,
    AIG, TRW and VeriSign, will have access to the CERT/CC database, or
    Vulnerability Catalog as it's called, via a secure distribution
    network, so long as they're willing to sign and abide by a
    non-disclosure agreement. Members will also receive advance
    vulnerability reports, and have the opportunity to share such
    information with one another in confidence.
    
    Previously, CERT had maintained a policy of sharing software
    vulnerabilities immediately with the two US government bodies which
    support it, the US Defense Information Systems Agency (DISA) and the
    US General Services Administration (GSA), and with the software
    companies concerned. After forty-five days, during which the software
    vendor was assumed to be fixing its product, the group typically would
    make abstracts of the vulnerabilities public on its Web site.
    
    CERT/CC says it will not use its public funding to offer new services
    to private companies, and notes that the cost of making the database
    available to the private sector will come out of the Alliance's
    membership fees.
    
    Full Disclosure
    
    That said, CERT still has its detractors among Internet security
    specialists, many of whom question the fairness of making current
    threat information which affects all Net users and systems
    administrators available to a select few, while everyone else must
    wait over a month for the free abstracts.
    
    "The CERT venture will cost organizations upwards of $2500 per year
    for....services that are available for free or little cost elsewhere,"
    Network Solutions (NSI) former Chief Security Officer Richard Forno
    writes in a nice rant posted at Infowarrior.org.
    
    "For small companies without dedicated security staffs -- who don't
    know where to look for security vulnerability information elsewhere on
    the Internet and thus rely on CERT advisories as their sole security
    information -- not being able to participate in the ISA means that
    they are at a comparative disadvantage to larger companies that can
    afford such luxuries," Forno observes.
    
    Indeed, a number of security-oriented sites do offer free
    vulnerability information, often as soon as it's reported. Though many
    make their full database available as a pay service, it's also true
    that essential information gets into the public domain notably faster
    than it does through CERT/CC, and can give a sysadmin a useful
    heads-up.
    
    Those who advocate full and immediate disclosure maintain that by
    concealing a vulnerability long enough to enable the vendor to patch
    it, CERT/CC needlessly exposes the general Net population to
    exploitation through a hole of which they are blissfully ignorant.
    
    On the other hand, publicizing a vulnerability before a fix is
    available does make it easy for would-be attackers to discover and
    exploit flaws they otherwise wouldn't have learned about.
    
    "We do know that we usually see a large increase in attacks that
    exploit a particular vulnerability shortly after information about
    that vulnerability becomes public," CERT/CC Director Rich Pethia told
    The Register.
    
    Pethia says that CERT/CC's own experience suggests that the danger
    from publicizing an un-patched flaw is greater than the danger from
    keeping it under wraps.
    
    "While there are strong opinions on both sides of the debate, not all
    these opinions are supported by empirical data," he said.
    
    "We believe, in the absence of data that demonstrates that attacks are
    in progress, that the lower risk approach is to publicly release
    vulnerability data once the technology vendors, or others in the
    technical community, have had at least an opportunity to find
    corrections or work-arounds."
    
    So for CERT/CC the crucial question is whether it can be proved that
    full, immediate disclosure actually reduces exploitation in the real
    world, on the theory that forewarned is forearmed.
    
    We don't pretend to know the answer to that one, but we'd be happy to
    hear from readers who think they do.
    
    ISN is hosted by SecurityFocus.com
    