
New study on software vulnerabilities could be resource for policymakers

March 10, 2017
Undetected security holes have an average life expectancy of 6.9 years and, once found, a fully functioning exploit can be developed for them in a median time of 22 days, leaving software users across the private and public sectors exposed to attackers.

These are just some of the findings in “Zero Days, Thousands of Nights,” a new study of real-world unpatched, undisclosed vulnerabilities and their exploits by public policy research organization the Rand Corporation.

The study draws on rare access to a rich data set of more than 200 vulnerabilities and their exploits from 2002 to 2016, roughly 40 percent of which are still unknown to the public. These are the kinds of vulnerabilities governments might be tempted to keep secret rather than disclose: retaining them preserves a way in for gathering information and compromising adversary programs, while disclosing them gets them patched and closes that avenue to attackers as well.

“Looking at it from the perspective of national governments, if one’s adversaries also know about the vulnerability, then publicly disclosing the flaw would help strengthen one’s own defense by compelling the affected vendor to implement a patch and protect against the adversary using the vulnerability against them,” said Lillian Ablon, lead author of the study and an information scientist with Rand, in a news release. 

“On the other hand, publicly disclosing a vulnerability that isn’t known by one’s adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability, while still keeping an inventory of vulnerabilities of which only it is aware in reserve. In that case, stockpiling would be the best option.”

Rand sees this research as useful for policymakers deciding whether to disclose a vulnerability to the affected vendor or to retain it, either for defensive purposes (e.g., penetration testing) or for offensive operations. The numbers bear on that choice: for a given stockpile of zero-day vulnerabilities, the average lifespan is 6.9 years, the middle half of lifespans falls between 1.5 and 9.5 years, and after one year approximately 5.7 percent have been independently discovered by others. The study also warns that tagging a vulnerability simply as “alive” or “dead” is too coarse. Some are effectively “immortal,” because they sit in code that is no longer maintained and will never be patched; others are “zombies,” because even after a patch ships they persist in older, unpatched versions of the product.

In general, Rand found that those on offense have the upper hand when it comes to vulnerabilities. An attacker typically needs a vulnerability only for a short-term, specific use, and can procure a working exploit for a particular target at a known cost. Defenders, meanwhile, must identify and fix many vulnerabilities across many systems and determine which systems have already been breached, so they may bear higher costs for test infrastructure, patch validation, and similar work. The study’s baseline metrics can augment other analyses of the tradeoffs involved in addressing zero-day vulnerabilities.

Rand suggests that future analysis examine the longevity of vulnerabilities on Linux compared with other platforms; confirm that vulnerabilities in open-source and closed-source code have similar longevity; and investigate whether grouping client-side and remote exploits together, as against a grouping of local, mixed, and other exploits, makes any significant difference to the results.
