
Responsible disclosure a win-win

by Mark Rowe

As organisations grapple with data breaches and cyber-attacks, questions arise about who carries the responsibility and financial burden when vulnerabilities are discovered. Should companies be compelled to foot the bill for security flaws in vendor software, or is there a more equitable and proactive approach that benefits all parties involved? asks Ian Burge, Product Management, at the anti-virus and email security software firm VIPRE Security Group.

In this context, the concept of ‘responsible disclosure’ has emerged as a realistic and practical approach in cybersecurity. It embodies the principles of transparency, collaboration, and shared responsibility, helping to address security vulnerabilities in vendor software in a manner that benefits companies, security software vendors, and perhaps even the security community at large.

Fundamental to this kind of cooperative approach is timely communication. Companies and security researchers (often referred to as White Hat Hackers) accept the responsibility of disclosing the uncovered vulnerabilities to the software vendors, who are then obliged to promptly address the reported issues with patches or security updates – which companies must in turn apply immediately and diligently to strengthen their defences.

The benefits of this approach are clear to see, but execution can be challenging. Foremost, the IT in organisations is interconnected and complex. A single change in one piece of software can impact other programs in the environment. While larger enterprises may be better placed to embrace responsible disclosure, for small and mid-sized businesses with limited time, budget, and resources, merely trying to safely “keep the lights on” in an ever-evolving technology environment is hard enough. Adding responsible disclosure to the mix and adopting the concept to its fullest scope can frequently be a step too far.

Embedding a practical, best-practice approach

There are, however, ways in which smaller organisations can embed best practices to embrace this kind of collaborative approach to security actively.

Optimal, vendor-advised configuration of security systems such as vulnerability and patch management is important. This ensures the visibility of security vulnerabilities to both parties so they can be assessed, prioritised, and remediated. The responsibility sits equally across the company and the software vendors, including security systems providers. The security vendor/company/White Hat Researcher identifies the vulnerability, the software vendor quickly generates the fix, and the company deploys the update or patch with the same level of urgency.

Timely and assured action plays a major role in shared responsibility. Take the example of an intrusion detection system (IDS). A company can have the best IDS in the world, but if a critical feature or functionality option isn’t ticked in the company’s environment, the solution potentially wouldn’t prevent malicious activity on the network or a vulnerability from being weaponised.

In many companies, IT teams opt not to activate certain features in security systems because of the impact they may have on other programs. Their reasons may or may not be valid within the wider context of IT. Regardless, such situations punch a hole through the shared responsibility principles. Rather than risk security, a better approach is to take advantage of the free services that vendors offer, such as deployment services, annual reviews, and routine health checks. These services ensure that software is properly installed and actively maintained to deliver its functionality while safeguarding the organisation. In fact, for software vendors, it should be a matter of ethics to help companies deploy their software optimally, free of charge – and for companies, a best practice that should never be compromised.

Responsible disclosure also breaks down if there’s no trust between the company and the vendor. When companies select software, a key criterion must also be the quality of support services provided by the vendor. Quick and easy access to support helps to build trust which in turn garners open communication and collaboration.

Striking the balance

This said, the security landscape isn’t easy to navigate. Due to the numerous software applications and systems that are deployed, IT teams wrestle with vulnerability overload. Identifying which vulnerabilities to patch first, and how quickly isn’t an easy decision to make, given that cybercriminals are masters at not only finding security loopholes but also reverse-engineering patches and public vulnerability disclosures. Sometimes, the time between a fix becoming available and the exploits appearing is literally a matter of hours.

To genuinely commit to this practice, establishing a clear Responsible Disclosure policy is a good way of striking the balance between the actions needed by the company and its vendors. It provides clarity on expectations and processes, such as how companies should report vulnerabilities, what the expected vendor response times are, how much time should be allowed for the company to deploy the patch before the vendor goes public with the fix, and so forth.
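As an added illustration that is not part of the article or of any VIPRE product, the policy elements just listed (acknowledgement time, fix time, and a deployment window before publication) can be expressed as dates and checked for missed obligations on either side. The policy numbers, field names and dates below are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed model of a responsible disclosure policy; the day counts are
# placeholders, not figures taken from the article or any real vendor.
@dataclass
class DisclosurePolicy:
    ack_days: int     # vendor must acknowledge a report within this many days
    fix_days: int     # vendor must ship a fix within this many days of the report
    deploy_days: int  # customers get this long to deploy before the fix goes public

@dataclass
class DisclosureCase:
    reported: date
    acknowledged: Optional[date] = None
    fixed: Optional[date] = None
    published: Optional[date] = None

def deadlines(policy: DisclosurePolicy, case: DisclosureCase) -> dict:
    """Dates by which each party's obligation falls due under the policy."""
    fix_by = case.reported + timedelta(days=policy.fix_days)
    # The deployment window starts when the fix actually shipped, or, if it
    # has not shipped yet, from the latest date the policy allows for it.
    window_start = case.fixed or fix_by
    return {
        "acknowledge_by": case.reported + timedelta(days=policy.ack_days),
        "fix_by": fix_by,
        "earliest_public": window_start + timedelta(days=policy.deploy_days),
    }

def check(policy: DisclosurePolicy, case: DisclosureCase, today: date) -> list:
    """List obligations that are overdue or were breached as of `today`."""
    d = deadlines(policy, case)
    issues = []
    if case.acknowledged is None and today > d["acknowledge_by"]:
        issues.append("vendor acknowledgement overdue")
    elif case.acknowledged and case.acknowledged > d["acknowledge_by"]:
        issues.append("vendor acknowledgement late")
    if case.fixed is None and today > d["fix_by"]:
        issues.append("vendor fix overdue")
    elif case.fixed and case.fixed > d["fix_by"]:
        issues.append("vendor fix late")
    if case.published and case.published < d["earliest_public"]:
        issues.append("published before customer deployment window closed")
    return issues
```

Running `check` periodically against each open case gives both the company and the vendor the same view of who is behind, which is the transparency the policy is meant to provide.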

This level of clarity ensures transparency, commitment, and a proactive approach to security. Last but not least, Responsible Disclosure practices can go a long way in enabling companies to demonstrate compliance with a whole host of regulations, such as GDPR, HIPAA, and PCI DSS; thereby mitigating the risk of regulatory fines and legal penalties. Done right, shared responsibility can indeed be a win-win for all parties.
