When I was younger, I often heard an administrator say “Never change a running system”. Today, administrators know that this is no longer true. Reports of new IT vulnerabilities are published every day and they require a response – in some cases even immediate action.

Disclosures of vulnerabilities – a look behind the scenes

In my blog post, I would like to take a closer look at these reports of new security vulnerabilities. How are vulnerabilities discovered in the first place – and how can they be eliminated? You have to keep in mind that there is not just one way to deal with them, but a multitude of different options. The approach outlined in this article can therefore only be taken as an example.

The traditional approach: Before updating or launching a new product – this might be any application, a mobile smartphone app or a smart TV – manufacturers commission an external company to carry out a penetration test. Experts check whether the product contains faults that could make it easy for hackers to view confidential data, penetrate the system or impair the product’s functionality. If such a fault is found, it is called a security vulnerability. After the results are evaluated, measures are taken to eliminate the vulnerability. If the product is already in use, it is now common practice to show this in the version history and, if possible, to clearly identify it with a CVE-ID. CVE stands for Common Vulnerabilities and Exposures and is an industry standard for labelling publicly known vulnerabilities. An example would be “CVE-2020-0001”. The ID consists of the CVE designation followed by the year and a sequential number.

Do uncovered vulnerabilities damage a company’s reputation?

I am often asked why a manufacturer should voluntarily announce that their product is affected by a vulnerability? Isn’t that counterproductive? The answer is complex. Of course, admitting mistakes is not conducive to the reputation of a company at first glance.

Cybersecurity
On the other hand, recent years have shown that even IT companies that invest large sums of money in the security of their own software cannot completely avoid vulnerabilities.

Covering up vulnerabilities is a dangerous mistake

This also shows that a strategy focused purely on avoiding errors cannot be the solution. What is required, instead, is an integrated approach, which also includes the coordinated and responsible handling of existing vulnerabilities – in particular disclosing vulnerabilities in one’s own products via the company website. Especially if the product is used millions or billions of times worldwide, transparent communication of weaknesses can only be beneficial for a company’s reputation in the long term.

Let’s change the perspective from the manufacturer of the product where a vulnerability has been identified to the company using that product. Today, companies run a large number of software applications that require regular maintenance. This also includes updating the software. Anyone who has ever done an update knows that this can entail problems. This is why updates are often carried out in advance on a test system. Patches are therefore rarely applied immediately, but only after a certain amount of time has passed. And not all patches are applied all the time. If, for example, an update only changes the color of an icon, the patch can also be delayed.

Now let’s assume that a software manufacturer is trying to cover up the fact that their software contained a serious security vulnerability. To fix the problem quietly and secretly, they release a patch that adds a feature users want – for example, a new color for the toolbar. At the same time, the vulnerability is eliminated, but without explicitly mentioning this. Ultimately, this could mean that the IT department of the affected company decides not to install the update for several months – or not at all. If a hacker succeeds in their attack because the vulnerability has been covered up, the reputational damage is likely to be significantly greater than the damage that would be caused if a vulnerability was openly discussed.

To be continued…

Author

Dr. Benedikt Westermann

Dr. Benedikt Westermann

Lead Security Analyst / Practice Leader Embedded & Cybersecurity Testing

The topic of Cybersecurity with its various facets has fascinated Dr. Benedikt Westermann since his studies of computer science. At TÜV Rheinland, he and his team regularly slip into the role of a hacker on behalf of customers in order to find security gaps in software, products and systems before a real attacker can exploit them, for example to get hold of customer and company data. Besides Cybersecurity, his hobbies include cooking and cycling.

More Posts

electric mobility

Electric mobility: charging infrastructure getting more extensive

The new decade is all about climate protection – and one of the major challenges we face is climate-friendly (electric) mobility. The new EU emissions target, which comes into force in 2021.

Titles

Cool title – no applicants? Sorting the good ads from the bad

Skills shortages, the talent war and demographic change – all excellent choices for a round of buzzword bingo as played by HR specialists. The job market’s not getting any easier for employers.

Digital trends in 2020: ideas for making businesses more secure

How secure are the smart systems in our homes? How can we ensure that tomorrow’s digital solutions in the logistics, automotive and healthcare industries are secure from cyber attacks?

Comments

0 Comments