Known vulnerability assessment, evaluating a machine's state for the presence of files, packages, configuration settings, etc. that are known to be exploitable, is a solved problem. There are nationally maintained databases of vulnerabilities and freely available repositories of tests for their presence. Search for "free vulnerability scanner" and you'll see plenty of options. So why are breaches due to known vulnerabilities still so common? Why, according to the Verizon Data Breach Investigations Report, were 99.9% of the vulnerabilities exploited in data breaches last year over a year old?
The issue with existing vulnerability assessments isn't in the functionality. It's in the distribution of that functionality. Limited-time trials, prohibitive costs, frustrating interfaces: these all add up to dismally high numbers of unprotected assets that provide a vector for data breaches. While companies have long had the resources to buy vulnerability assessments for their key assets, the rise of personal computers, mobile, and BYOD has created a massive attack surface outside of corporate oversight. That long tail of unsecured devices provides the point of initial intrusion from which breaches can escalate toward better protected assets.
We all know that the security paradigms of ten or even five years ago are no longer viable. The way in which vulnerability assessment products are packaged is part of it. Access to free vulnerability assessment should be a basic right in a world where computing is integral to social and economic life. For our part, we're offering our full product, including vulnerability assessment, free forever for a user's first ten machines. That should be enough for individuals, hobbyists, and small businesses, and additional nodes can be added for what we think is a fair price. Known vulnerability assessment is a commodity based on a public good, and as such its price should tend toward zero. We're happily accelerating that process.
Known vulnerabilities, those classified with CVEs and detected using frameworks like the Open Vulnerability and Assessment Language (OVAL), are not the only vulnerabilities. There are, of course, unknown vulnerabilities: those that have not been discovered by anyone, and "zero day" vulnerabilities that are unpatched or known but kept secret. Unknown vulnerabilities present an intractable problem that needs to be addressed through other means. Ozment and Schechter's "Milk or Wine" study of OpenBSD found that the median time for a vulnerability to be discovered and patched was 961 days. The lesson is simple: you must assume the software you're using has vulnerabilities that you don't know about, a principle that was more amply demonstrated when Kaspersky Lab was breached using Duqu 2.
There is no defense against zero days, and if those were the only thing security teams needed to worry about they'd be in a much better situation. More commonly, a known vulnerability is exploited on an unhardened system as a jump point for privilege escalation. An attacker only has to be more sophisticated than the defenses of their immediate target. Whether the method of intrusion could theoretically be stopped is beside the point if in practice it is not.
Networks, whether human or digital, need herd immunity. The true benefit of universally available known vulnerability assessment isn't to protect a bunch of $800 Lenovo laptops from getting slowed down by botnets. It's to protect the transnational banking, commerce, and health institutions where those people work and on whose servers are stored the records that make up digital civilization.
How big of a problem is this? The case of legacy Firefox versions provides some sense of scale. Following the "Milk or Wine" study, Massacci, Neuhaus, and Nguyen analyzed the lifetime of vulnerabilities in Firefox v1 onward. They focused on after-life vulnerabilities, those still present after a version had reached end of life and was no longer being maintained, and found that "after-life vulnerabilities account for at least 30% for Firefox v1.0," meaning 30% of the known vulnerabilities in Firefox v1.0 persisted after maintenance had ended on FFv1.0. While usage of v1.0 declined with later Firefox releases, it did not disappear: "An important observation is that even the 'small' fraction of users of older versions (full of after-life vulnerabilities that will never be fixed, as we have just shown) accounts for hundreds of thousands of users. You can imagine wandering in Florence and each and every person that you meet in the city still uses old Firefox v1.0" (201). The number of vulnerabilities remaining and the number of users was enough to damage global security posture: "the fraction of vulnerable software instances that is globally present may be too high to ever attain herd immunity" (197).
The progress made on known vulnerability assessment in public resources has given the digital world the equivalent of the Salk vaccine. There is a whole class of debilitating diseases that are no longer necessary to suffer. The fact that there are other threats (zero days, insider attacks) is not a reason to ignore the benefit of basic hygiene, not only for the individual but for the networks in which they live. The public sector has held up its end of the bargain with resources like the NVD and OVAL. Vendors have maintained a false scarcity in vulnerability assessment that needs to be removed for the health and prosperity of the digital world. Even if our solution doesn't do that, we can at least set the market rate for vulnerability assessment where it should be in the twenty-first century: free for everyone.