Publishing exploit code does more harm than good, says report

0

Cyber security researchers and ethical hackers may wish to consider easing off on publicly disclosing vulnerability exploit code before patches have been made available, because doing so gives malicious actors a “clear and unequivocal” advantage, according to new data crunched by vulnerability management specialist Kenna Security and Cyentia Institute.

In the research study, Prioritisation to prediction, volume 7: establishing defender advantage, Kenna said that in about one-third of cases, it had found that ethical hackers – whom the industry relies on to some extent to identify new vulnerabilities and write proof-of-concept exploit code – made their code publicly available before the patch.

Loading...

Kenna founder and CTO Ed Bellis said that for years the community has debated whether or not doing this improved overall security by getting patches developed more quickly, or whether it gives attackers an advantage, but that the research should remove any doubt over this.

“Practices that have long been central to the cyber security ecosystem, that many of us thought were beneficial, are in fact harmful to defenders,” said Bellis.

The analysis found that in cases when exploit code goes before a patch, an attacker gains an average 98-day advantage in exploitation.

Loading...

The release of code also drives exploit volume, said the report. Only a tiny number, just 1.3%, of vulnerabilities have been exploited in the wild and have publicly available exploit code, but those vulnerabilities are exploited about 15 times more often than the 98.7% of vulnerabilities where code is not disclosed, and are used against six times as many potential victims.

“What we see is that the availability of exploit code drives both a volume of exploitation and makes it easier for hackers to deploy the types of attack most likely to cause serious damage to an enterprise,” said Wade Baker, partner and co-founder of Cyentia Institute.

“When exploit code is integrated into hacking tools – both legitimate and malicious – it becomes faster and cheaper to find and exploit security weaknesses.”

Loading...

The researchers also uncovered little evidence to suggest that releasing exploit code either facilitated earlier detection of active exploits or pushed development teams to mitigate them faster.

“While there is no shortage of opinion on every side of the disclosure debate,” said Jay Jacobs, partner and co-founder of Cyentia Institute, “very little objective research has been done on both the potential benefits and harm caused by well-intentioned security researchers releasing weaponised exploit code. The data provides clear guidance to the security community: publicly sharing exploit code benefits attackers more than defenders.”

The report, which is based on data collated from Kenna’s own customers, also contains some insight into the preferences of malicious actors – when a published exploit allows for remote code execution (RCE) attacks it tends to be used up to 30 times more frequently than exploits that do not.

Loading...

It also highlights the existence of a major disparity in terms of how long it takes organisations to fix vulnerabilities – up to 40 times longer on Linux-based or SAP software (900 days on average), than on Google or Microsoft products (22 days on average).

Stay connected with us on social media platform for instant update click here to join our  Twitter, & Facebook

We are now on Telegram. Click here to join our channel (@TechiUpdate) and stay updated with the latest Technology headlines.

Loading...

For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here

Loading...
Denial of responsibility! TechiLive.in is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.

Leave a comment