Patchlink CEO calls BS on zero-days…

According to an article in ITweek, Patrick Clawson, CEO of Patchlink, says “I’m calling bullshit on the whole zero day thing…”. His argument, roughly, is that the dangerous period is the time before a patch or vuln is announced; once a vuln is announced, enterprises are apparently no longer under any real threat. Alan over at Still Secure apparently agrees with him. Come on Alan, you’re smarter than that 🙂

According to the article, Clawson “advised firms to train staff so that they do not fall victim to social engineering hacker attacks. “Social engineering is probably one of the most damaging elements in that one-year time frame,” said Clawson. He added that firms should lock down as many parts of the corporate network as possible: “You have to protect everything. Even your printers have enough memory to be used as a server for a porn site.”

I am calling BS on Patrick’s advice. First off, training your staff not to fall victim to social engineering doesn’t work and never will: users are stupid, and you need to put as many controls in place as possible to ensure they are not a vector for attack. Second, locking down everything, even your printers? It is difficult, if not impossible, to implement lock-down in most large enterprises. Telecommuters, mobile users, little gadgets with mobile OSs on them, contractors, business partners and heavy M&A activity make lock-down an unrealistic solution for most organizations. As for the whole zero-days-are-BS thing, here is the response I posted on the Still Secure website…

A zero-day exploit takes advantage of a vulnerability on the day that it is publicly announced (sometimes before, but not as often as vendors selling “we stop zero-day attacks” would lead the public to believe). When that happens it is difficult for organizations to respond quickly, since they (a) need to obtain updates for their security defenses (new signatures, reconfigurations and so on) and (b) need to obtain the patch (if one is available) and then distribute it across their environment. Even best-of-breed organizations with mature patch management programs can take weeks or even months to fully patch their environment; this is not due to technology but to process and logistics.

I agree that there is a period prior to vulnerability identification or disclosure where malicious third parties may find the vulnerable condition, write exploit code and then use it as a vector for attack. The most common case, though, is where a vuln is announced at the same time a patch is made available, and within hours exploit code is in the wild and attempts are being made to attack systems.

I am not sure what you and Patrick are calling BS on. Are you actually saying that there is no threat to an organization on the day a vulnerability is released and exploit code is available within hours? Are you suggesting that once a vuln is announced, a large enterprise just automagically patches its entire organization and is defended? What happens when a vuln is announced and no patch exists (can you say WMF or createTextRange?) and then exploit code shows up in the wild? You guys are off base on this one. There is a real danger facing organizations in that delicate period between vuln and/or patch announcement and full remediation, with exploit code actively being used to attack organizations while they scramble to defend themselves.

BTW, rapid patching as the initial response to a critical vulnerability, especially when exploit code is available in the wild, is a logistically difficult strategy for every organization I have ever spoken with. You absolutely must remove the root cause of a vuln, but the first step should be to shield the environment. That is, use network and host-based security products (such as firewalls and IPS, and perhaps updated NAC policies if you have NAC running) or other network infrastructure (such as router ACLs) to prevent exploitation of the vulnerability until you can patch everything. We have been advising organizations to do just that and will continue to do so…
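To put numbers on the “shield first, then patch” argument, here is an added example that is not part of the original post. It models the window between exploit code appearing in the wild and each host being covered, either by the patch itself or by a compensating control such as an IPS signature or router ACL, and compares fleet exposure under “patch only” against “shield first”. The advisory date, host names and rollout times are constructed sample data, not taken from any real incident; the shield is assumed to be pushed eight hours after the advisory, while the patch rollout is assumed to take weeks, as the post describes.

```python
# Added example (not from the original post): a small model of the
# exposure window the post describes, comparing "patch only" with
# "shield first, then patch" across a fleet. All dates, host names and
# rollout times below are constructed for illustration.
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed timeline for a hypothetical advisory (not a real CVE).
ADVISORY = datetime(2006, 10, 10, 9, 0)            # vendor announces vuln + patch
EXPLOIT_IN_WILD = ADVISORY + timedelta(hours=6)    # working exploit code seen in the wild
SHIELD_AT = ADVISORY + timedelta(hours=8)          # IPS signature / router ACL pushed same day
NOW = ADVISORY + timedelta(days=60)                # when the report is run

# Constructed per-host patch completion times for a staged rollout.
# None means the root cause is still unpatched at report time.
PATCHED_AT: Dict[str, Optional[datetime]] = {
    "web-01": ADVISORY + timedelta(days=2),
    "web-02": ADVISORY + timedelta(days=2),
    "app-01": ADVISORY + timedelta(days=14),
    "db-01": ADVISORY + timedelta(days=45),
    "kiosk-07": None,   # vendor appliance, no patch applied
}


def unmitigated_window(exploit_seen: datetime,
                       patched_at: Optional[datetime],
                       shield_at: Optional[datetime],
                       now: datetime) -> timedelta:
    """Time during which a host faced a live exploit with neither a patch
    nor a compensating shield in place. The window closes at whichever of
    patch, shield or report time comes first and is never negative
    (a host patched before the exploit appeared has zero exposure)."""
    closes = min(t for t in (patched_at, shield_at, now) if t is not None)
    return max(closes - exploit_seen, timedelta(0))


def fleet_exposure(patched_at: Dict[str, Optional[datetime]],
                   exploit_seen: datetime,
                   shield_at: Optional[datetime],
                   now: datetime) -> Tuple[Dict[str, timedelta], timedelta]:
    """Per-host exposure plus the fleet total in host-time."""
    per_host = {h: unmitigated_window(exploit_seen, t, shield_at, now)
                for h, t in patched_at.items()}
    return per_host, sum(per_host.values(), timedelta(0))


def still_unpatched(patched_at: Dict[str, Optional[datetime]],
                    now: datetime) -> List[str]:
    """Hosts whose root cause is still present: the shield buys time, it does
    not remove the vulnerability."""
    return sorted(h for h, t in patched_at.items() if t is None or t > now)


def compare_strategies() -> Dict[str, timedelta]:
    """Fleet host-time exposed under each strategy for the sample data."""
    _, patch_only = fleet_exposure(PATCHED_AT, EXPLOIT_IN_WILD, None, NOW)
    _, shield_first = fleet_exposure(PATCHED_AT, EXPLOIT_IN_WILD, SHIELD_AT, NOW)
    return {"patch_only": patch_only, "shield_first": shield_first}


if __name__ == "__main__":
    for name, total in compare_strategies().items():
        print(f"{name:13s} {total.total_seconds() / 86400:7.2f} host-days exposed")
    print("root cause still open on:", still_unpatched(PATCHED_AT, NOW))
```

With the sample rollout, patch-only leaves the fleet exposed for roughly 122 host-days, driven almost entirely by the slow tail (the database server and the never-patched appliance), while a same-day shield cuts the unmitigated window to a few hours per host. The `still_unpatched` report is the reminder that the shield is a stopgap: the appliance still carries the root cause and must be tracked to closure.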


2 thoughts on “Patchlink CEO calls BS on zero-days…”

  1. Amrit – On this zero day thing, please don’t give me too much credit for being smart, sometimes I can be pretty thick! But seriously, I do not disagree fundamentally with you at all. I realize there is a very dangerous period between announcing and patching a vulnerability. I also agree that the whole patching thing is like shoveling sand against the tide and is a never ending, thankless job. However, it is also vital unless somehow we can change the rules of the game.

    That being said, what I was referring to though was a different class of zero day attacks, namely those that are really from “unknown” vulnerabilities. These attacks are hard to detect and defend and I see no magic bullet for them. They are best defended by old fashioned best practices. They are the real zero day attacks that we need to concentrate on though. BTW, Rich Mogull has a good post up, agreeing with me here: http://securosis.com/2006/10/13/the-real-definition-of-a-zero-day/

  2. I think we all agree on the “unknown” vulns thing…I had issue with Patrick characterizing the “zero-day” as not really an issue, the zero-day that occurs within hours of a vuln being announced. I actually do not disagree with anything you said, I just disagreed with your agreement of his position.
