Chris Wysopal is against hyping vulnerabilities in computer systems. He certainly has a point, but as is the case with most situations where people claim things have gone too far, I want to make sure things don’t go too far…in the other direction.
In security writ large, any event that has a negative impact is treated like the end of the world, or very nearly so. The most common reaction is to over-react, because “we can’t allow this to happen again.”
Until of course it happens again.
“It” happens again for several reasons. The first is that time passes and memories fade. When your trip through airport security is delayed because someone decided wearing ten pounds of costume jewelry was a good idea and she can’t understand what the fuss is all about, that’s what I’m talking about. The further away we get from a bad event, the less necessary precautions seem.
Second, the vast majority of security mechanisms – technical, human, physical – fail in a brittle fashion. A security breach of any sort is bad, period. But it is almost always horrifically bad, particularly when it comes to computers. A breach doesn’t result in a few records lost, it results in ALL records being lost.
Finally, really bad events that require drastic counter-measures are pretty rare. It doesn’t take long to figure out that the cost associated with over-reacting is disproportionate to the impact of the event itself.
So what do you do when the next vulnerability marketing campaign kicks off?
Not every “minor” vulnerability is minor to you. Every vulnerability is important to a degree. If I told you there was a vulnerability in finger you wouldn’t think too much about that, but there was a brief period of time when that was a big deal. Just because expert X thinks the vuln-of-the-month is weak sauce, remember that that guy doesn’t work for you and has no idea what your network looks like.
Not every “critical” vulnerability is critical to you. Heartbleed was a serious problem, but having been involved in an offensive security test during peak Heartbleed hype, I can tell you that in the course of fulfilling our role as a simulated Very Bad Actor ™, Heartbleed wasn’t useful to us at all given the security posture of the customer and the goals we were trying to accomplish.
Understand that just because someone is trying to make a buck, that doesn’t mean they should be ignored. Marketing circuses around vulnerabilities are probably here to stay (sadly). But if you decided you weren’t going to spend money on any vendor who was given to hyperbole, or played fast and loose with the English language, your budget for security products would go unspent (#makingcfohappy).
A certain amount of hype can be healthy. It could be the factor that gets your recalcitrant boss to give you the resources you need to deal with an actual problem. The more detailed your knowledge of your enterprise, the better you will be able to suss out which vulnerabilities deserve to be priorities, regardless of the hype.
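To make the “minor to them, critical to you (and vice versa)” point concrete, here is an added example, not code from the original post, of the kind of triage logic that folds inventory knowledge into a vendor severity rating. The inventory, the advisory identifiers (ADV-CONSTRUCTED-*), the severity weights and the mitigation names are all constructed for illustration; the only real-world assumption is that a vendor rating arrives without any knowledge of your network.

```python
"""Contextual vulnerability triage: constructed example, not from the original post.

A vendor severity is only the starting point. What actually decides priority is
whether the component is present, whether an existing control already neutralises
the issue, and how exposed and important the affected hosts are.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Asset:
    """One host from your own inventory (constructed sample data below)."""
    name: str
    software: Set[str]                 # component names installed on the host
    internet_facing: bool
    business_critical: bool
    mitigations: Set[str] = field(default_factory=set)  # controls already in place


@dataclass
class Advisory:
    """A vendor bulletin as it arrives, before any local context is applied."""
    ident: str                         # placeholder id, not a real CVE number
    component: str
    vendor_severity: str               # "low" | "medium" | "high" | "critical"
    neutralised_by: Set[str] = field(default_factory=set)  # mitigations that remove the risk


# Constructed weights; a real programme would tune these to its own risk appetite.
SEVERITY_BASE = {"low": 1, "medium": 2, "high": 3, "critical": 4}
INTERNET_FACING_BONUS = 3
BUSINESS_CRITICAL_BONUS = 2


def local_priority(adv: Advisory, inventory: List[Asset]) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one advisory in this environment; 0 means not applicable."""
    affected = [a for a in inventory
                if adv.component in a.software and not (adv.neutralised_by & a.mitigations)]
    if not affected:
        return 0, [f"{adv.component} absent or already mitigated on every host"]
    score = SEVERITY_BASE[adv.vendor_severity]
    reasons = [f"vendor rates it {adv.vendor_severity} ({score})",
               "present on: " + ", ".join(a.name for a in affected)]
    if any(a.internet_facing for a in affected):
        score += INTERNET_FACING_BONUS
        reasons.append(f"reachable from the internet (+{INTERNET_FACING_BONUS})")
    if any(a.business_critical for a in affected):
        score += BUSINESS_CRITICAL_BONUS
        reasons.append(f"on a business-critical host (+{BUSINESS_CRITICAL_BONUS})")
    return score, reasons


def triage(advisories: List[Advisory], inventory: List[Asset]) -> List[Tuple[int, str]]:
    """Rank advisories by local score, highest first."""
    return sorted(((local_priority(a, inventory)[0], a.ident) for a in advisories), reverse=True)


# Constructed inventory: an edge web tier, an internal payroll database, a dev box.
INVENTORY = [
    Asset("web-edge", {"nginx", "openssl"}, internet_facing=True, business_critical=True,
          mitigations={"openssl-heartbeat-disabled"}),
    Asset("payroll-db", {"postgres", "finger"}, internet_facing=False, business_critical=True),
    Asset("dev-box", {"nginx", "openssl"}, internet_facing=False, business_critical=False,
          mitigations={"openssl-heartbeat-disabled"}),
]

# Constructed advisories: a Heartbleed-style "critical" that a config control already
# neutralises, a finger-style "low" sitting on the payroll host, and a "high" in the web tier.
ADVISORIES = [
    Advisory("ADV-CONSTRUCTED-1", "openssl", "critical", neutralised_by={"openssl-heartbeat-disabled"}),
    Advisory("ADV-CONSTRUCTED-2", "finger", "low"),
    Advisory("ADV-CONSTRUCTED-3", "nginx", "high"),
]

if __name__ == "__main__":
    for score, ident in triage(ADVISORIES, INVENTORY):
        adv = next(a for a in ADVISORIES if a.ident == ident)
        print(f"{ident}: local score {score}")
        for reason in local_priority(adv, INVENTORY)[1]:
            print(f"    - {reason}")
```

With this data the vendor’s “critical” drops to the bottom of the list because every affected host already has the neutralising control, while the “low” finger issue outranks it because the only host running finger is the payroll database. The scores themselves are arbitrary; the point is that the ranking only falls out once you feed in facts about your own network that expert X does not have.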