Bruce Schneier is wrong. There, I said it. Specifically, he's wrong in one of his recent essays Reacting to Security Vulnerabilities, and he's wrong in the suggestions he makes.
He states there are several reasons to "do nothing. ... Don't panic. Don't change your behavior. Ignore the problem, and let the vendors figure it out." They are:
- It's hard to figure out which vulnerabilities are serious and which are not. ... The press either mentions them or not, somewhat randomly; just because it's in the news doesn't mean it's serious.
- It's hard to figure out if there's anything you can do. ... Some vulnerabilities have surprising consequences. The SSL vulnerability mentioned above could be used to hack Twitter.
- The odds of a particular vulnerability affecting you are small. There are a lot of fish in the Internet, and you're just one of billions.
- Often you can't do anything. These vulnerabilities affect clients and servers, individuals and corporations. A lot of your data isn't under your direct control -- it's ... in a cloud computing application.
He then gives a list of steps you should take to protect yourself client-side: anti-virus, updates, proper configuration, common sense, and backups. Those four points aren't wrong, they're all true. But his conclusion to ignore vulnerability reports is downright careless.
For the elements (servers, people, services, etc) within your sphere of influence - you should be keeping an eye on the vulnerabilities that can affect them.
Consider a recent flaw found in IIS. If you're vulnerable, it's a pretty serious hole you have open - lots of bad things can happen. Fortunately, three things are on your side, two of which Bruce stated: the odds of you meeting the criteria are small and if it does affect you the odds of someone finding and exploiting you are small. Furthermore, good to excellent sysadmins would already be protected from this (it's a subtle/tricky thing to protect against but still oft-advised.)
But none of these things matter after you get hacked. Then it's your data on the internet, it's your ass on the line, and it's you that I want to punch in the face after you leak my credit card. You can't claim "I was waiting for the vendor" - Microsoft isn't going to apologize and make everyone's credit cards come back home. You can't stand in front of the CEO and say "The odds of this happening were so low we didn't think it was worth protecting against."
The fact of the matter is the tradeoff of reviewing vulnerabilities and at the very least being aware of what you're vulnerable to is low-cost/high-reward. Let's take a look at the cost: Add a few firehoses of information into google reader and skim through them in 5 minutes a day while having your coffee.
- Do I use the app/protocol that's vulnerable? That knocks out about 95% of the reports.
- Is it a client app? VLC? Windows Media Player? Don't care. These are all relegated to either social engineering exploits (Click this link! Watch this video!) or fall into the category of things you can't fix (besides trying to bar people from using the app).
- Is it a public-facing service/protocol/app I care about? Go read the damn vulnerability. You're probably at about 5-10 of these a week by now - tops.
- Is it fixed in a new version? Do I use the new version? Since you're hopefully staying on top of updates this will probably knock out a third of them.
- How do you exploit it? E.g.: if it involves uploading a file, do you allow file uploads anywhere? No? Awesome, you're safe! You don't know? Then... how are you managing the server if you don't know what it does? (Seems like you ought to work with your colleagues a little closer.) Or let's say the way to exploit it is really complicated or not explicitly stated, like the HTTPS vulnerability. Well, the fix for it will either be easy with little to no consequences (like disabling HTTPS renegotiation or adding 17 characters in a php file to protect against a WordPress vulnerability) - so bloody do it and don't worry about it - or it will not be so easy.
- Okay, so it seems to be vulnerable and the fix isn't that easy. This probably comes around like once every 3 months. Send out an email "I think hackers can X our Y" - that'll be sure to either A) Get people to respond that you're wrong and you're safe or B) That this is serious and you're now given the resources to get it investigated and fixed. No one wants to be the guy who says "Yea, I heard we might be vulnerable, but I asked him not to investigate it."
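The checklist above is really a filter pipeline, and it can be written down as one. The Python below is an added example, not code from the original post: it runs constructed vulnerability reports through the same steps (do I run it? is it client-only? am I already on the fixed version? does the exploit path need a feature I have enabled?) against a constructed asset inventory and hands back a verdict per report. The `Asset`/`Report` fields, the product names and the version numbers are all assumptions made up for illustration.

```python
"""Vulnerability-report triage modelled on the checklist above.

Added example, not code from the original post. Inventory entries, report
fields, product names and version strings are all constructed.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically.
    Non-numeric components (e.g. '1.2rc1') are treated as 0; good enough
    for a skim, not for a package manager."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


@dataclass
class Asset:
    product: str
    version: str
    exposure: str                       # "public", "internal" or "client"
    features: Set[str] = field(default_factory=set)   # enabled features


@dataclass
class Report:
    product: str
    fixed_in: Optional[str] = None      # version that fixes it; None if unpatched
    requires: Set[str] = field(default_factory=set)   # features the exploit path needs


def triage(report: Report, inventory: List[Asset]) -> Tuple[str, str]:
    """Return a (verdict, reason) pair for one report against the inventory."""
    hits = [a for a in inventory if a.product == report.product]
    if not hits:                                        # step 1: do I run it at all?
        return ("ignore", "not in use")
    server_hits = [a for a in hits if a.exposure != "client"]
    if not server_hits:                                 # step 2: client app only
        return ("ignore", "client app; handled by update/AV policy")
    for a in server_hits:
        # step 3: already on (or past) the version that fixes it?
        if report.fixed_in and parse_version(a.version) >= parse_version(report.fixed_in):
            continue
        # step 4: exploit path needs a feature we do not have enabled?
        if report.requires and not report.requires <= a.features:
            continue
        # step 5: exposed instance with no easy out; this one gets the email
        return ("investigate", f"{a.product} {a.version} ({a.exposure}) is exposed")
    return ("ok", "every instance is patched or the exploit path is disabled")


def triage_feed(reports: List[Report], inventory: List[Asset]) -> List[Tuple[str, str]]:
    """Run a morning's worth of reports and keep only what needs a human."""
    return [(r.product, triage(r, inventory)[0]) for r in reports]


def sample_inventory() -> List[Asset]:
    # Constructed inventory for illustration; not anyone's real estate.
    return [
        Asset("nginx", "1.18.0", "public"),
        Asset("wordpress", "5.4", "public", {"file_upload"}),
        Asset("vlc", "3.0.8", "client"),
        Asset("openssh", "8.2", "internal"),
    ]


def sample_reports() -> List[Report]:
    # Constructed reports for illustration; versions and products are made up.
    return [
        Report("iis", "10.0"),                          # not in inventory
        Report("vlc", "3.0.9"),                         # client-only product
        Report("nginx", "1.16.1"),                      # we already run a fixed version
        Report("wordpress", "5.5", {"file_upload"}),    # exposed and feature enabled
        Report("openssh", None, {"x11_forwarding"}),    # exploit path needs a disabled feature
    ]


if __name__ == "__main__":
    inv = sample_inventory()
    for r in sample_reports():
        verdict, reason = triage(r, inv)
        print(f"{r.product:10} {verdict:12} {reason}")
```

Of the five constructed reports only the WordPress one survives the filter, which is the point of the list: the cost is a handful of dictionary lookups per report, and the output is the one item worth sending the "I think hackers can X our Y" email about.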
At this point, you're probably spending an hour a week doing this. And let me tell you - there is nothing more impressive to your boss than when he comes to you to ask about something he saw in the paper or in his feedreader and you can say "Yea, I looked at that vulnerability already and [we're not vulnerable/I closed the hole]."
I didn't pull these numbers out of thin air - I manage a half-dozen web apps and a few servers in either a semi-professional or professional capacity. If you're spending significantly more time you're probably doing it in a capacity where it's a formal part of your job in which case there's nothing to complain about. Bruce Schneier is wrong - it's our responsibility to stay on top of vulnerabilities and mitigate them when we can to protect our computers, businesses, and our clients' data.
The most important thing is that it's your job to keep your stuff secure - not anyone else. If it was their responsibility - it'd be their stuff.