Government Agencies

Vulnerability Rediscovery Occurs At More Than Twice The Previously Reported Rate
By Megan Gates, 21 July 2017
Source: https://sm.asisonline.org/Pages/Vulnerability-Rediscovery-Occurs-At-More-Than-Twice-The-Previously-Reported-Rate.aspx

Multiple researchers, working independently, uncover the same security flaws more consistently than previously believed, according to a new report from Harvard.

Taking Stock: Estimating Vulnerability Rediscovery (http://www.belfercenter.org/sites/default/files/files/publication/Vulnerability%20Rediscovery.pdf) looked at a dataset of more than 4,300 vulnerabilities discovered between 2014 and 2016 for Android and the Chrome and Firefox browsers. Vulnerabilities are flaws that allow cyber criminals, as well as intelligence and law enforcement agencies, to gain access to targeted systems.

Researchers Trey Herr, Ph.D., postdoctoral fellow with the Belfer Center’s Cyber Security Project at Harvard Kennedy School; Bruce Schneier, research fellow with the Belfer Center and adjunct lecturer in public policy at Harvard Kennedy School; and Christopher Morris, research assistant at the Harvard School of Engineering and Applied Sciences, found that rediscovery of vulnerabilities happens more than twice as often as previously reported.

Their findings conclude that “rediscovery happens more than twice as often as the 1 to 9 percent range previously reported,” according to the report. “For our dataset, 15 percent to 20 percent of vulnerabilities are discovered independently at least twice within a year.”

Based on their findings, the researchers suggested that the U.S. government rethink its process for not disclosing software vulnerabilities to companies.

“Underlying the choices to pay for a software vulnerability, as well as government decisions to keep some a secret, are assumptions about how often those same software flaws could be discovered by someone else, a process called rediscovery,” the researchers explained.

“When combined with an estimate of the total count of vulnerabilities in use by the NSA, these rates suggest that rediscovery of vulnerabilities kept secret by the U.S. government may be the source of up to one-third of all zero-day vulnerabilities detected in use each year,” the report said. “These results indicate that the information security community needs to map the impact of rediscovery on the efficacy of bug bounty programs and policymakers should more rigorously evaluate the costs of non-disclosure of software vulnerabilities.”

In a post for Lawfare (https://lawfareblog.com/rediscovering-vulnerabilities), Herr explained that modern government intelligence agencies must maintain some access to software vulnerabilities.

"However, the WannaCry ransomware and NotPetya attacks have called attention to the perennial flipside of this issue--the same vulnerabilities that the U.S. government uses to conduct this targeting can also be exploited by malicious actors if they go unpatched," he wrote.

The researchers also suggested that rediscovery rates are likely higher than what their research was able to conclude, because they only looked at high- to critical-severity vulnerabilities.

For instance, records from a bug bounty company mentioned in the study “indicate that low- and medium-severity vulnerabilities are rediscovered more frequently than high- and critical severity bugs, to which this study is constrained,” the researchers wrote. “As it is, the 15 percent to 20 percent estimate is substantially higher than previously seen.”

The researchers plan to present the paper and discuss its findings at Black Hat USA (https://www.blackhat.com/us-17/briefings/schedule/#bug-collisions-meet-government-vulnerability-disclosure-7587) in Las Vegas next week.