Zero-days? Sexy, sure, but crap passwords and phishing are probably more pressing

A new study from RAND Corporation concluded that zero-day vulnerabilities – security flaws that developers haven't got around to patching or aren't aware of – have an average life expectancy of 6.9 years. The research, based on rare access to a dataset of more than 200 such vulnerabilities, also looked at how frequently the …

  1. Semtex451
    Coat

    "the median time of 22 days to develop an exploit are incredibly misleading"

    Yeah, the average would have been more useful.

    1. Adam 1

      Why? Averages can be skewed by outliers. Trimmed mean might be better than either, but the main question is whether that number meaningfully illustrates what is happening with the data.

  2. John Smith 19 Gold badge
    Unhappy

    "vulnerabilities can be drastically different in terms of exploitation complexity"

    True enough.

    But of course it helps if you keep all the patches on a package up to date first.

    This just suggests even more strongly that defensive and offensive network security operations should be separated. That way there's no "Oh, should we reveal it or pass it to the offensive team?" b**locks. Everyone knows where they stand.

  3. Anonymous Coward
    Facepalm

    Disagree

    Zero-days are public enemy #1 for those of us who use strong passwords (or keys whenever possible).

    Hopefully that includes our friends at the CIA...

  4. Anonymous Coward
    Anonymous Coward

    I wonder how many "Zero Day" security vulnerabilities that we panic about have been known and exploited for months by national security agencies (before zero day).

    It would also be interesting to track the money.

    So, is it:

    Hacker finds vulnerability, agency buys vulnerability, agency writes exploit?

    Then,

    Agency shares tools with "friendly" hackers (to assist with finding more vulnerabilities). Hacker sells tools to Russia. Russia shares tools/exploits with WikiLeaks (for political reasons)?

    1. Anonymous Coward
      Anonymous Coward

      It's a vicious cycle, and the product vendor is usually the last to know.

      I find it quite telling that the spokesperson for a security tools company finds faults in this report, considering that their bread and butter is the fear inspired by those wily hackers, or those nasty state actors, not the reality that the most successful hacks are inside jobs. A small-time local crim with a USB drive pretending to be a trusted employee is a bigger threat than Igor and his fancy bear. And lest we forget the many, many businesses who just forego any realistic security measures due to the cost and the "they won't attack us" mentality. Or just prop up some new gear and do the security on the ass end of the project. *cough* mongodb, CloudPets *cough* Good times! For hackers. :P

      ATH+++

    2. Anonymous Coward
      Anonymous Coward

      If that 5.7% number is correct

      Not very many of them. At least of the 0 days we panic over that were discovered by security researchers themselves, rather than via reverse engineering it from forensic evidence of an attack.

      It is interesting that some of the CIA's exploit library was purchased, rather than developed in house. I expect they do that because they want to 1) be able to protect themselves against others who purchase the same exploit and 2) using exploits that are already "in the wild" makes it more likely the victims will assume they've been compromised by black hat hackers, rather than the CIA. Consider how we quickly figured out who did the attacking when Stuxnet was found, versus if they had used some standard malware purchased on the dark net.

      The exploits they develop in house are probably reserved for an attack that needs to have a long shelf life, because whatever is doing the attacking may not be possible to update later (i.e. if they compromised some hardware before it gets shipped to someone they want to spy on, to use as an attack platform to compromise other devices on its local network).

    3. Tom Paine

      That is literally what the RAND report is about. Read it, maybe?

  5. Anonymous Coward
    Anonymous Coward

    Keep in mind that this report is based on:

    1. 200 vulns from one entity/company (undisclosed), so it's at best specific for their company / scope / customer base.

    2. Some 20-30 vulns were excluded from analysis due to ''operational sensitivity''.

    3. The data ranges from 2002-2016 (meaning half the time frame was essentially ''pre-mobile'').

    4. RAND has strong links with the USA law/intel community; this report's headlines seem to argue: TLA agencies need not disclose vulns as there is only a marginal cross-section with public/CVE vulns, as indicated by the long shelf life (7 years) and low independent discovery (5% after 1 year). That's, let's say, convenient.

    So lots of reasons not to extrapolate from this limited data set (as qualified in the report - although not very prominent). Interesting though.

  6. Jin

    However disliked, passwords are absolutely necessary

    However nicely designed and implemented, devices, tokens, cards and phones are easily left behind, lost, stolen and abused. Biometrics brings down security in cyberspace. Then the remembered password would be the last resort.

    And, in a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. It would be a Utopia for criminals but a Dystopia for most of us.

    Are you aware of this?

    https://youtu.be/-KEE2VdDnY0
