Three things I’m reading this week:
How Old Is Your Software Vulnerability? With all the focus on the CIA leaks and the possibility of new zero-days (previously undisclosed vulnerabilities) in the wild, it’s important to be reminded how long vulnerabilities live. One of the dirtiest truths about cybersecurity is that most intrusions don’t need zero-days to succeed. They can rely on well-known vulnerabilities whose public patches simply haven’t been applied. But a recent RAND study finds that even zero-days have surprisingly long lives. According to the study, the average life expectancy of an unpatched vulnerability is 6.9 years.
I’m reading: “Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits.”
As a side note, there’s been at least one vulnerability patch already released based on the leaks.
Hackback Is Not a Shortcut to Security: It seems like every six months the topic of hackback comes up again – a new study or a new proposal that would enable organizations to “take matters into their own hands” and strike back at their attackers. This time it’s a bill proposed in Congress.
Analogies to pirates and letters of marque aside, hackback is very far from a solution to our security problems. In general, proponents of these approaches seem to hope that by imposing greater cost on attackers, we will reduce the incidence of intrusions in society today. The problem is, I have yet to see a proposal that would make things better rather than worse. Deterrence is important, but that doesn’t mean it’s a shortcut to better security.
I’m reading: “Proposed Bill Will Allow Victims to Hack Their Attackers to Stop Cyber-Attacks.”