What if we gave nontechnical security issues vulnerability logos and names?

Nov 22, 2017

Which is worse: Pork Explosion and Dirty Cow or Invader and Stutter?

What could do more damage to your business: CVE-2017-8759 or Epic Banana? CVE-2017-0262 or Extra Bacon?

Funny exploit names are all the rage: This year we’ve had WannaCry (powered by EternalBlue), NotPetya, Krack, and Pork Explosion. In years gone by we’ve had Heartbleed, Stagefright, Shellshock, Dirty Cow, Poodle, and Freak. Many come with a nice logo so media outlets don’t have to use those terrible stock photos of hacking (even cyber criminals get branding these days).

But there have also been hundreds, if not thousands, of other vulnerabilities, exploits, and problems, most of which didn’t come with fun names or logos, just technical identifiers. While the fun ones grab the attention, are they all equally bad?

“It’s actually driving the wrong behaviour, because when we see these vulnerabilities come up suddenly it drives a knee-jerk, ‘go patch all the things’ reaction,” Gavin Millard, technical director at Tenable Security, told IDG Connect last year.

His argument is that the addition of a logo and catchy name masks the seriousness of the vulnerability: where Heartbleed and Shellshock were very dangerous, Freak and Poodle weren’t as bad, something which is impossible to tell without the right background knowledge, yet all create similar levels of “Are we adequately protected?” hysteria.

Case in point: Krack is serious, affects almost all Wi-Fi connections and needs fixing now. Pork Explosion, meanwhile, was only a problem for Android-based phone companies that used Foxconn’s app bootloader.

“Instead of us having these knee-jerk reactions to the latest, greatest zero-day, let’s actually take a step back and say: ‘What security issues that we’re facing actually deserve a logo, which actually deserve the press, which deserve the focus from organisations to address?’”

In an effort to drive better behaviours and avoid what he called the “go patch all the things” mentality, Millard has created his own logo vulnerabilities:

The first new one is Glimpse: the lack of visibility within infrastructures due to increased compound annual growth rates. “One of the biggest issues organisations face today is not zero-day, it’s not these latest, greatest threats, it’s the fact they have no idea what their infrastructure looks like because they’ve grown exponentially over the last few years.”

Another of Millard’s new logo vulnerabilities is Shakespeare. A password-based riff on the idea that an infinite number of monkeys on typewriters will produce the writings of the great Bard, Millard’s mantra is “give a chimp a keyboard and a few bashes and he’ll be able to guess your password.”

“We have fostered this view in security that creating a complex recipe for a password is the right way to solve the problem, which is total bullshit.” He explains that, aside from the danger of organisations keeping users’ passwords in clear/plain text (something which happens alarmingly often), people are very bad at making up and remembering complex passwords, and inevitably reuse the same ones across multiple accounts.

Subversion is about insider threats. In a blog about the issue, Millard says that “Insider threat is a well-known problem that many professionals face, but is often seen as less of a priority with the mindset of border defence and defending against outsider threat still getting more focus.” To protect against it, he recommends continuous behavioural monitoring, paper shredding and clean desk policies, and adequate siloing of data to ensure that only those who should have access to data actually do.

Eagerbeavers, meanwhile, is about the reckless abandon with which users end up clicking on questionable links. In a blog on the issue, Millard says: “Rather than treating users with disdain for falling victim to a convincing phishing email, ransomware infection or malware, we need to treat each one as a control failure.”

“The best defence in reducing the risk of infection is to continuously identify weaknesses on the endpoints that are favoured by exploit kits—Flash or other insecure plugins—and patch or disable as appropriate.”

There are others: Bandit is about spending too much on poor fixes, while Invader focuses on the inability to identify attack paths in the event of a breach. But one of the most important is Stutter: the inability to communicate with other areas of the business.

“Security can sit in this echo chamber shouting the right things, but they lack the ability to communicate effectively with other parts of the business what needs to be done to solve security issues,” he says. “Instead of security trying to teach the business ‘the business of security’, security should be using business language. Bits and bytes don’t belong in the boardroom, basically.”

Instead of answering questions over security with “We’ve just deployed Palo Alto with AS356-bit encryption and an IPS,” Millard suggests security should be using metrics, KPIs, and the things that business people understand.

“Communication is one of the most important tools in the InfoSec person’s toolkit. If you can’t communicate, then you’re always going to fail.”