When Donald Rumsfeld spoke of “known knowns”, “known unknowns” and “unknown unknowns” the world laughed. But the concepts he outlined are familiar to risk managers.
Computer security knowns and unknowns correspond to risks within systems. A risk exists when a system has a vulnerability and a mechanism exists to exploit it.
Vulnerabilities that can be exploited are quantifiable risks (known knowns), while the impact of those for which there is no exploitation (known unknowns) is unquantifiable.
Security incidents within companies can seriously impact customer confidence and market valuation. Risks can be controlled by ensuring that vulnerabilities are fixed according to their potential impact.
It is clear that the ability of a company to control its risks effectively is inherently linked to its knowledge of exposed vulnerabilities and exploits and the existence of patches for them.
“Unknown unknowns” remain uncontrollable, unquantifiable risks.
Recent events brought vulnerability disclosure into focus. Michael Lynn, a researcher for the security group ISS, was to give a conference presentation detailing vulnerabilities in Cisco routers.
Cisco and ISS intervened and so Mr Lynn resigned and delivered the presentation.
This was the latest in a series of similar episodes. Vendors have always suppressed information, and researchers have published and often been damned.
This is not simply a bipartite dispute: disclosure ethics affect the wider community. It is instructive to understand what drives the parties.
Companies have a duty to safeguard shareholder value. Studies indicate that announcements of serious vulnerabilities in products damage vendor stock prices. Successful companies are driven by commercial goals and vendors are no exception.
To remain competitive, new functionality must be provided with limited resources. Fixing vulnerabilities generates cost with little advantage, so providing patches is rarely a top priority.
Vulnerabilities are discovered by people with a spectrum of intentions from bad (“black hats”) to good (“white hats”).
Black hats include criminals, malicious hackers, and terrorists. They have varying levels of resources and may be aware of both the known and unknown elements in the risk equation.
White hats include vendors, security researchers and system administrators. They disclose information according to a spectrum of policies governed by personal and professional ethics and employer obligations.
Non-disclosure keeps vulnerability information secret, which minimises the risk of leakage to black hats.
Vendors engaging security companies to find vulnerabilities within their products will usually insist on non-disclosure. Without external pressure vendors are able to patch vulnerabilities according to their priorities.
Without full information, risk assessment is impossible and important patches may be ignored by systems administrators. But information has a habit of escaping and black hats frequently reverse-engineer patches to discover vulnerabilities.
This can result in black hats having superior knowledge to white hats.
Black hats, in turn, operate a non-disclosure policy since vulnerabilities are most valuable while unknown.
As information disseminates, vulnerabilities progress from unknown unknown to known known and action can be taken.
Full disclosure aims to publish vulnerability information and exploit code immediately. This gives vendors and black hats access to information simultaneously.
A race then exists between vendors developing patches and black hats developing exploits. System administrators are aware of the risks associated with vulnerabilities and the need to apply patches.
Ethical disclosure is a compromise which minimises risk to the wider community by delaying widespread publication of vulnerability information until patches are available and system vendors have had the opportunity to contact their customers.
Mr Lynn felt that he “had to do what’s right for the country and the critical national infrastructure”.
ISS decided that Mr Lynn had not followed company disclosure rules, while Cisco maintained that he had illegally reverse-engineered their code.
But Mr Lynn did not publish new vulnerabilities. He demonstrated exploitation techniques, making it clearer that vulnerabilities were probably more dangerous than previously recognised.
In other words, some risks were no longer “known unknowns”; they were now “known knowns”.
The dust is settling around this case. History suggests similar situations will occur in the future.
When relying on advice from any party about your security, be sure to bear in mind their motivation and obligation – your best interests may not be first and foremost in their minds.
Security Matters is written by experts from Pentest, an IT Security Company focused on providing independent security consultancy services to organisations across Europe and North America. www.pentest.co.uk