Dr. Thomas Holt, associate professor of criminal justice at Michigan State University, is someone to pay attention to when it comes to cybersecurity and the law. He tends to look at things differently, finding worthy tidbits in places overlooked by others. For example, TechRepublic has posted articles about his research into how stolen credit-card data travels through the digital underground, and what happens to stolen data on the dark web.
Recently, Dr. Holt took a stab at explaining software vulnerabilities, and why there are so many of them, in his article for The Conversation, What are software vulnerabilities, and why are there so many of them? He compares hackers to burglars. "I know that both types of miscreants want to find ways into secure places—computers and networks, and homes and businesses. ... Some burglars may choose to simply smash a window or door with a crowbar, while others are stealthier, picking a lock or sneaking in a door that was left open."
In one respect, Holt suggests, hackers are more fortunate: they have more points of entry, and there is no need to be anywhere near the scene of the crime. The "points of entry" Holt refers to are vulnerabilities, that is, flaws in software. "Programs are written by humans, and are inherently imperfect," continues Holt. "Nobody writes software completely free of errors."
What is a vulnerability?
According to Mitre.org's Common Vulnerabilities and Exposures (CVE) website, a vulnerability is:
"A weakness in the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that, when exploited, results in a negative impact on confidentiality, integrity, or availability."
Examples of vulnerabilities include:
- Remote command execution as user "nobody"
- Remote command execution as user "root"
- The modification of system-critical data such as password files
- Remote command execution or access via default passwords
- Denial of service problems that allow attackers to induce a Blue Screen of Death
Mitigation of a vulnerability, for the most part, involves software changes, but could include specification changes or even specification deprecations (i.e., the removal of affected protocols or functionality in their entirety).
Exposures are another kind of vulnerability
Mitre.org's CVE website defines an exposure as a configuration issue or a mistake that does not directly cause a compromise but could be an important component of a successful attack, and is thus considered a violation of a reasonable security policy. An exposure could:
- Allow an attacker to conduct information gathering activities
- Enable an attacker to hide activities
- Include a capability that behaves as expected, but can be easily compromised
Examples of exposures are:
- Running a service such as Finger—it's useful for cybercriminals to gather information even though the service works as advertised
- Inappropriate enterprise-specific settings for Windows auditing policies
- Attack points such as HTTP, FTP, or SMTP
- Use of applications or services that can be successfully attacked by brute force
WannaCry is a perfect example
There is no better example of what Holt is talking about than the WannaCry ransomware that recently reared its ugly head. Kaspersky Lab's Global Research & Analysis Team describes the attack on its SecureList webpage:
"Our analysis indicates the attack, dubbed WannaCry, is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit was made available on the internet through a Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14."
Vulnerabilities exist in other types of software as well. "For instance, the popular open-source web browser Firefox has had more than 100 vulnerabilities identified in its code each year since 2009," mentions Holt. "Fifteen different vulnerabilities have been identified in Microsoft's Internet Explorer browser variants since the start of 2017."
Why do software vulnerabilities exist?
Most IT professionals understand why software vulnerabilities exist; however, it can't hurt to review the reasons. Holt explains that software development is not a perfect process.
"Programmers often work on timelines set by management teams that attempt to set reasonable goals, though it can be a challenge to meet those deadlines," adds Holt. "As a result, developers do their best to design secure products as they progress but may not be able to identify all flaws before an anticipated release date."
Holt identifies several other reasons why vulnerable software exists:
- Delays are costly. Many companies will release an initial version of a product and when they find problems (or get reports from users or researchers), fix them by releasing security updates.
- Software companies can't support their products forever. To stay in business, they have to keep improving programs and selling copies of the updated versions. So after a while, they stop issuing patches for older programs.
- Not every customer buys the latest software, so many users are still running old programs that might have unpatched flaws, giving attackers a chance to find weaknesses in the vulnerable software.
Why don't people update software?
Elissa Redmiles, a Ph.D. student in computer science at the University of Maryland, has spent much of her time trying to find out why people do not update the software on their equipment. In her article for The Conversation, Why installing software updates makes us WannaCry, Redmiles writes, "So computer companies must try to convince us—and we must convince ourselves—that updates are important. My research focuses on doing just this, by producing and evaluating entertaining and informative videos about computer security."
Holt keeps it simple, ending his article by stating, "The best way users can protect themselves is to regularly install software updates, as soon as updates are available."