We have come to a precarious place in security research where the volume of vulnerability disclosures is making it difficult to prioritize not just what to patch first, but also what to prepare for that nerve-wracking five-minute elevator trip with the CEO, who undoubtedly heard about the latest Heartbleed over his or her morning coffee. In the age of designer vulnerabilities that come with catchy names, branded websites and custom logos, how can the security industry stop itself from falling into a trap where the marketing of security vulnerabilities is just as important, if not more so, than the risk they actually represent?
A Vulnerability by Any Other CVE Number
Allow me to put on my Captain Obvious hat when I say that naming things makes them easy to identify. How easy is it to reference a “blue pen” versus a “000F55-colored ink-based writing instrument?” Perhaps I have 10 pens in my desk drawer. If all of them have the same blue color, I need a secondary indicator. If I number the pens in my drawer in order of discovery, I’d get PEN-2015-0001 and so on. These schemata are very handy.
Naming or numbering something, however, doesn’t necessarily brand it. Branding implies the development of surrounding assets, such as websites, pictures, blogs, tweets and webinars. The creation of these assets can help provide additional information and context, which is helpful to have in one place when you’re talking about it.
In the past, the industry has given threats names such as “Melissa” and “I Love You,” or given worms names like “Conficker” and “Blaster.” These names helped raise awareness at a time when Internet threats were in their infancy, and the public was unaware of the potential dangers of opening email attachments. Threats have evolved, and the recent change in naming vulnerabilities seems to be that we are now seeing bundled packages of accessories at the moment of disclosure, not just a suggested name.
The naming trend for malware waned for a while, likely in response to a customer revolt over these slickly named bits of code. Malware naming fatigue set in, in the same way the massive number of personally identifiable information records breached today has dulled consumers’ response to a ho-hum sigh of resentment. Security analysts are beginning to note a new vulnerability marketing release by just adding it to the pile of things they need to address in their networks.
The Perils of Marketing
Security is a competitive market, and technologies rapidly change. The ability to claim discovery of a critical vulnerability is a feather in the cap of any security researcher. With the decline of bug bounty programs, notoriety is one of the benefits a researcher can claim these days, along with the satisfaction of foiling the attackers. Coordinating disclosures between researchers and software vendors is tricky and requires careful planning to maximize protection for the end user. There is an intricate dance of discussion, patch development, testing, rollout and public disclosure that finds equilibrium in the need to raise awareness for end users without raising too much awareness about potential bad actors.
However, the industry needs to balance the desire for media opportunities with potential delays in disclosure if the marketing materials for the vulnerability aren’t ready. Several detailed accounts of the timeline around Heartbleed indicate there was a rush to create marketing materials for the vulnerability. The fear, of course, is that security researchers will focus more on bragging rights than actually protecting end users, which could lead to delays in disclosure if resources are diverted from responsible disclosure to marketing activities.
Naming Vulnerabilities Doesn’t Fix the System
Designer vulnerabilities do nothing to offer better protection for the customer’s ecosystem than one marked only with a CVE number. IBM X-Force reported that three months after the Apache Cordova vulnerability disclosure and associated patches were made available, 59 percent of banking apps were still unpatched. Knowing the name “Heartbleed” didn’t increase the patch rate, either — those were only slightly different than the Cordova instance, with just over half of affected servers patched two months after disclosure.
While naming and branding can smooth the lines of print and digital communication, it can distract from truly fixing problems in the network if resources are directed toward the biggest brands versus the biggest holes in the infrastructure.
By perusing message boards where security analysts and researchers talk, there is clearly a growing distaste for overmarketed designer vulnerability disclosures. The highest recommendation X-Force can provide is to have current and accurate asset inventory for your ecosystem and prioritize patching based on risk impact to critical systems, not on which vulnerabilities have the most attractive logo.