Security Vulnerabilities: Keeping a Strong Defense
Created December 2017
Software vulnerabilities cause critical problems for government and industry, and other software users. To reduce cybersecurity risk, CERT researchers conduct and promote coordinated vulnerability disclosure, research and publish vulnerability discovery methods and tools, work to improve vulnerability data and information systems, model vulnerability in technology ecosystems, research vulnerability presented by complicated supply chains, and model adversary behavior—all with the goal of helping themselves and other defenders improve their knowledge and skills.
Interconnection Increases Vulnerability
Software users must be constantly alert to vulnerabilities that might affect them. Enabling such awareness demands increasing effort as devices in the environment interconnect at a breakneck pace. More software is embedded in more products but often with little knowledge of the potential security risk, increasing the threat of intrusion and malfunction.
For example, one data issue is supply chain/inventory. Modern systems have complex supply chains that frequently contain multiple layers of software into which the user and vendor have limited insight. When a newly discovered vulnerability is announced, the user may not know what software or software version is buried in the product and whether it requires patching.
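The inventory problem described above can be made concrete with a small triage script. This is an added example, not CERT code or a CERT tool: it matches a constructed product inventory (made-up product and component names and versions) against a constructed vulnerability notice that names an affected version range, and it separates products that are confirmed affected from products whose inventory is too incomplete to decide, which is exactly the situation the paragraph describes.

```python
"""Triage a software inventory against a vulnerability notice.

Added example with constructed data; the products, components, versions and
the notice are invented for illustration and do not refer to real software.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so comparisons are numeric.

    Comparing version strings lexically would wrongly rank '1.2.9' above
    '1.2.10', which is a common source of false negatives in inventory checks.
    """
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: Optional[str]  # None models "we do not know which version is inside"


@dataclass(frozen=True)
class Product:
    name: str
    components: tuple  # software layers buried inside the product


@dataclass(frozen=True)
class Notice:
    component: str
    first_affected: str  # inclusive lower bound of the affected range
    fixed_in: str        # exclusive: this version already carries the fix


def is_affected(comp: Component, notice: Notice) -> bool:
    """True when the component is the one named and its version is in range."""
    if comp.name != notice.component or comp.version is None:
        return False
    v = parse_version(comp.version)
    return parse_version(notice.first_affected) <= v < parse_version(notice.fixed_in)


def triage(products, notice: Notice):
    """Return (affected, unverified).

    affected:   {product name: [affected component versions]}
    unverified: product names that contain the named component but whose
                inventory lacks a version, so they need manual follow-up.
    """
    affected, unverified = {}, []
    for p in products:
        for c in p.components:
            if c.name != notice.component:
                continue
            if c.version is None:
                unverified.append(p.name)
            elif is_affected(c, notice):
                affected.setdefault(p.name, []).append(c.version)
    return affected, unverified


# Constructed inventory: note the nested component with an unknown version.
INVENTORY = (
    Product("infusion-pump-ctl", (Component("libtlsx", "1.2.4"), Component("rtos-net", "3.0.1"))),
    Product("ward-gateway", (Component("libtlsx", "1.2.10"),)),      # already on the fixed version
    Product("badge-reader", (Component("libtlsx", "1.3.0"),)),       # newer branch, out of range
    Product("legacy-monitor", (Component("libtlsx", None),)),        # version unknown to the operator
)

# Constructed notice: libtlsx 1.2.0 up to (but not including) 1.2.10 is affected.
NOTICE = Notice(component="libtlsx", first_affected="1.2.0", fixed_in="1.2.10")


if __name__ == "__main__":
    hit, unknown = triage(INVENTORY, NOTICE)
    for name, versions in hit.items():
        print(f"PATCH NEEDED  {name}: {NOTICE.component} {', '.join(versions)}")
    for name in unknown:
        print(f"VERIFY        {name}: contains {NOTICE.component}, version not recorded")
```

The `unverified` list is the practical payoff: a product is not "safe" merely because the script found no affected version, and products whose component versions were never recorded need the same follow-up as confirmed hits.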
In addition, in many safety-critical and embedded systems, security updates often don’t occur regularly as they do in the traditional computing world. The WannaCry ransomware incident in May 2017 showed how this can affect hospitals, where, due to contractual issues, the people who operate the system don’t necessarily own the support for it. The result was hospitals having to close and send patients elsewhere because their software was compromised by ransomware.
Technical vulnerability is also now complicated by public policy and contractual factors, compounded by security issues of the Internet of Things. Today’s environment presents plentiful low-hanging fruit to adversaries and an increased need for intense focus on awareness, detection, and prevention of vulnerabilities.
Addressing Risk on Multiple Fronts
We collaborate with vendors, researchers, and standards organizations to promote reporting and public awareness of vulnerabilities and provide the best mitigation guidance. To proactively identify, assess, and resolve new risks, we work to constantly advance tools and methodologies. We also anticipate the potential for harm to safety-critical embedded systems and their users by researching the capabilities of adversaries, who find new opportunities for intrusion as more products interconnect.
Alerting the Public to Vulnerabilities
Our work in coordinated vulnerability disclosure (CVD) begins with the vulnerability reports we receive through the CERT Coordination Center. Upon receiving a report, we consult with the software vendor, allowing the vendor time to provide a fix or patch. We then notify the public, providing detailed technical information and mitigation strategies via CERT Vulnerability Notes, which propagate to the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). We’ve done this for almost 30 years; the first CERT advisory, published in 1988, was the result of a CVD process involving vulnerabilities exploited by the Morris Worm. Currently, we’re very involved in standards and policy development, process engineering, and outreach—transferring CVD work to the U.S. Department of Defense (DoD) and others.
Improving Vulnerability Data Systems
Effective CVD requires well-functioning vulnerability information systems. CERT researchers analyze vulnerability data, collaborate with others to improve information exchange, and interface with external standards groups such as NIST, the NVD, and the Common Vulnerabilities and Exposures (CVE) program to enhance data formats and exchange protocols.
Discovering Vulnerabilities During Development
Beyond our work with security defects in deployed software, we also perform vulnerability discovery to catch defects early in the development lifecycle and develop downloadable vulnerability discovery and analysis tools. For example, our researchers have created tools that perform fuzz testing (feeding large volumes of random or malformed input into a program to detect crashes and other failures) and have researched improving and optimizing fuzz testing algorithms.
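To show what the fuzz testing mentioned above does mechanically, here is a minimal mutation-based fuzz harness. It is an added example and not one of the CERT tools referred to in the text: the target, `parse_record`, is a constructed toy parser for a made-up record format that trusts its own length field, and the harness mutates a few seed inputs (bit flips, inserts, deletes, truncation), runs the target on each mutant, and records the first input that triggered each kind of failure so it can be replayed.

```python
"""Minimal mutation fuzzer with a constructed target.

Added example; the record format, the parser and its defect are invented for
illustration and are not taken from any real product or CERT tool.
"""
import random
import struct


def parse_record(data: bytes) -> tuple:
    """Constructed target: 1-byte tag, 2-byte big-endian length, payload, 1 trailer byte.

    The parser believes the length field, so a record whose payload is shorter
    than advertised makes it index past the end of the buffer.
    """
    tag = data[0]
    (length,) = struct.unpack(">H", data[1:3])
    payload = data[3:3 + length]
    checksum = sum(payload) & 0xFF
    trailer = data[3 + length]  # IndexError when the advertised length exceeds the data
    return tag, length, checksum, trailer


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random structural or bit-level mutation to a seed input."""
    data = bytearray(seed)
    op = rng.choice(("flip", "insert", "delete", "truncate"))
    if op == "flip" and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif op == "insert":
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == "delete" and data:
        del data[rng.randrange(len(data))]
    elif op == "truncate" and data:
        del data[rng.randrange(len(data)):]
    return bytes(data)


def fuzz(target, seeds, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Run `target` on mutated seeds; return {exception type name: first crashing input}.

    Keying on the exception type is a crude form of crash deduplication; a real
    harness would bucket by stack trace or faulting location instead.
    """
    rng = random.Random(rng_seed)  # fixed seed keeps the run reproducible
    crashes = {}
    for _ in range(iterations):
        inp = mutate(rng.choice(seeds), rng)
        try:
            target(inp)
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, inp)
    return crashes


def reproduces(target, inp: bytes) -> bool:
    """True if replaying a recorded input still makes the target fail."""
    try:
        target(inp)
    except Exception:
        return True
    return False


# Constructed, well-formed seeds: tag 0x01, length 3, payload b"abc", trailer b"Z".
SEEDS = (b"\x01\x00\x03abcZ", b"\x02\x00\x00Q")


if __name__ == "__main__":
    found = fuzz(parse_record, SEEDS)
    for name, inp in found.items():
        print(f"{name:12s} reproduced={reproduces(parse_record, inp)} input={inp!r}")
```

Two things worth noticing when running it: the well-formed seeds parse cleanly, while a single bit flip in the length field or a truncation is enough to drive the parser off the end of the buffer, and every recorded crash replays deterministically, which is what makes a fuzzing result actionable as a bug report.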
Studying Adversary Behavior
Effective defense against vulnerabilities also involves knowing the adversary’s mindset and capabilities. To see what attackers do, we practice adversary modeling—a version of threat modeling (taking on a hypothetical adversary’s point of view to identify potential threats). Adversary modeling examines what can happen in software-reliant systems—including cars, implanted medical devices, airplanes, industrial control systems, and emerging domains—when connected systems can cause physical effects.
We’ve focused on safety-critical connected systems, such as vehicles and medical devices. For example, it’s been demonstrated that a car can be controlled from a laptop, potentially by an adversary, as reported by Andy Greenberg in WIRED in July 2015. Likewise, an implanted insulin pump may allow someone outside the patient’s home to interfere with its function and cause patient harm, as reported by Todd Beardsley in the RAPID7 Blog in October 2014.
Software and Tools
August 15, 2017 Special Report
This guide provides an introduction to the key concepts, principles, and roles necessary to establish a successful Coordinated Vulnerability Disclosure process. It also provides insights into how CVD can go awry and how to respond when it does so.
August 15, 2017 Blog Post
We are happy to announce the release of the CERT® Guide to Coordinated Vulnerability Disclosure (CVD). The guide provides an introduction to the key concepts, principles, and roles necessary to establish a successful CVD process. It also provides insights into...