A call for responsible disclosure in Internet security


On July 13 a new worm launched that had the potential to become the biggest threat in Internet history. This worm, named Code Red, infected approximately 300,000 Microsoft Internet Information Servers and then, for good measure, took aim at the White House Web site in a denial-of-service attack on July 20. When this article was written, it appeared some malicious individual or group would relaunch Code Red.

Code Red is the latest example of a malicious-code threat that has been fueled by those who might normally try to contain it. The issue in the information security industry is full disclosure vs. responsible disclosure of these threats. Security companies that practice full disclosure believe releasing information about new software vulnerabilities should be immediate and comprehensive, regardless of the consequences. Those who practice responsible disclosure believe releasing all information to the media immediately is foolhardy and outright hazardous to Internet health.


In practicing full disclosure, the discovering security company informs the software vendor that it has found vulnerabilities that will cause headaches for, or harm to, the product's users. After giving the vendor time to create a patch, the discovering company informs the press that it has found the flaw and knows how to protect companies from the vulnerability.

Sometimes, the security company also provides a detailed explanation of how to create what it calls a useful exploit, including code. Usually, shortly after the useful exploit is made public, a worm or virus will propagate based on this code. This was the genesis for Code Red.

The problems with full disclosure are not confined to the ammunition it provides hackers. By feeding the media a security threat story before the threat can be effectively gauged, security vendors have created a "cry wolf" scenario. In the case of Code Red, responsible and comprehensive reporting by the media was warranted due to the potential for widespread damage. But due to the sensationalizing of past security threats by security companies, the media could not report on potential alone, but instead had to wait until hundreds of thousands of companies were infected.

I am calling for disclosure guidelines that would provide a benchmark for how organizations are expected to behave regarding malicious code threats. Called responsible disclosure, these guidelines would provide a code of ethics and enforcement to dissuade anyone who would seek to profit from irresponsible disclosure of security issues, be they media, a computer security product vendor or an individual.

A new body based on these principles, the Responsible Disclosure Forum, would bring together many of the world's leading security professionals to educate the public about security threats. If the forum is effective at promoting its ethics, it is hoped that more individuals would understand that placing the Internet at risk is not something to be done trivially. We can provide a conduit for research and development of the Internet without continuing to leave it at risk of annihilation in the process.

Copyright, 1994-2006 Network World, Inc. All rights reserved.