What you don't know about the security of your information systems can hurt you and probably already has. But how much information about security flaws is too much? Anything you're told about a software vulnerability, the villains surely will pick up, too.
Most people who manage information security say bring it on, subscribing to the belief that the more details they have about vulnerabilities, the better prepared they will be. They count on not only the software vendors' official security advisories, but also on researchers who specialize in analyzing products for flaws.
That's where the controversy heats up. Many researchers bring serious flaws to light, but others are all too willing to cash in on their cleverness by posting information about software vulnerabilities before vendors have a chance to patch their products. This shameless self-promotion of being the first to expose a key vulnerability can bring fame and consulting contracts. Other firms readily open up their checkbooks to pay hackers for dirt on flaws, doling out premiums for the worst flaws--ones that, say, Microsoft ends up rating critical. These disclosures are followed closely by malicious hackers looking for cracks to exploit. They also force IT staffs to drop more strategic projects in order to plug holes in their systems before the next big worm or Trojan strikes.
It's when these researchers also hold elite vendors--like Microsoft and Oracle--accountable that they earn their keep. Software is more secure today in part because the threat of public embarrassment hangs over the vendors, says George Roettger, Internet security specialist for ISP NetLink Services, in an E-mail interview. Researchers also wield a lot of power, he says, because their information can be used by "the bottom-feeder hackers who don't know much and learn from every piece of information available."
Sadler wants to know: What do security companies stand to gain?
The hoopla about Windows Metafile led to some of the most frustrating days of Connie Sadler's career. "There were people predicting dire straits if we didn't do something," says the director of IT security at Brown University. "I had to put days aside from my regular job just to monitor different sites just in case something came up."
While the researchers kicked up dust, companies looking to defend themselves had few options. Microsoft's customers had to either wait for Microsoft's patch or install workaround code written by Ilfak Guilfanov, a senior developer at Belgian software maker DataRescue. Although Guilfanov's code got the approval of the SANS Institute's Internet Storm Center and security research firm F-Secure, it created a dilemma for people like Sadler. "If we ask our users to install that, it tells them it's OK to find and install a third-party patch, and it gave phishers an opportunity to exploit users," says Sadler, a former manager of global infrastructure security at Lockheed Martin.