Rediscovery Occurs At More Than Twice The Previously Reported Rate
Cybersecurity | Government Agencies
2017-07-21, Megan Gates

<p>Multiple researchers—working independently—uncover the same security flaws more consistently than previously believed, according to a new report from Harvard.</p>
<p><em>Taking Stock: Estimating Vulnerability Rediscovery</em> looked at a dataset of more than 4,300 vulnerabilities discovered between 2014 and 2016 for Android and for the Chrome and Firefox browsers. Vulnerabilities are flaws that allow cyber criminals, as well as intelligence and law enforcement agencies, to gain access to targeted systems.</p>
<p>Researchers Trey Herr, Ph.D., postdoctoral fellow with the Belfer Center’s Cyber Security Project at Harvard Kennedy School; Bruce Schneier, research fellow with the Belfer Center and adjunct lecturer in public policy at Harvard Kennedy School; and Christopher Morris, research assistant at the Harvard School of Engineering and Applied Sciences, found that rediscovery of vulnerabilities happens more than twice as often as previously reported.</p>
<p>Their findings conclude that “rediscovery happens more than twice as often as the 1 to 9 percent range previously reported,” according to the report. “For our dataset, 15 percent to 20 percent of vulnerabilities are discovered independently at least twice within a year.”</p>
<p>Based on their findings, the researchers suggested that the U.S. government rethink its process for withholding software vulnerabilities from the affected companies.</p>
<p>“Underlying the choices to pay for a software vulnerability, as well as government decisions to keep some a secret, are assumptions about how often those same software flaws could be discovered by someone else, a process called rediscovery,” the researchers explained.</p>
<p>“When combined with an estimate of the total count of vulnerabilities in use by the NSA, these rates suggest that rediscovery of vulnerabilities kept secret by the U.S. government may be the source of up to one-third of all zero-day vulnerabilities detected in use each year,” the report said. “These results indicate that the information security community needs to map the impact of rediscovery on the efficacy of bug bounty programs and policymakers should more rigorously evaluate the costs of non-disclosure of software vulnerabilities.”</p>
<p>In a post for LawFare, Herr explained that modern government intelligence agencies must maintain some access to software vulnerabilities.</p>
<p>“However, the WannaCry ransomware and NotPetya attacks have called attention to the perennial flipside of this issue—the same vulnerabilities that the U.S. government uses to conduct this targeting can also be exploited by malicious actors if they go unpatched,” he wrote.</p>
<p>The researchers also suggested that rediscovery rates are likely higher than what their research was able to conclude, because they only looked at high- to critical-severity vulnerabilities.</p>
<p>For instance, records from a bug bounty company mentioned in the study “indicate that low- and medium-severity vulnerabilities are rediscovered more frequently than high- and critical severity bugs, to which this study is constrained,” the researchers wrote. “As it is, the 15 percent to 20 percent estimate is substantially higher than previously seen.”</p>
<p>The researchers plan to present the paper and discuss its findings at Black Hat USA in Las Vegas next week.</p>
