Monday, April 13, 2009

Why Are Two Holes Worse Than One?

I'm giving a talk at Metricon next week. One of my more successful pre-talk strategies is to corner whatever non security experts I can find and practice explaining what I am going to talk about. By the time I can successfully explain a concept to my doctor's accountant, a freelance outdoor photographer, and a graphics programmer (this week's semi-randomly selected crew of listeners), I usually have a pretty good idea of which explanations work. Plus, talking to people outside my field is a great way to practice answering unexpected and frequently awkward questions in real-time. Like "why are two security problems worse than one?" "Of course they're worse; there are two of them" is not a satisfying answer. Now that I've had a bit more time to think about the question, I even recall a conversation with another security geek who argued fairly passionately that two similar holes are not worse than one.

For discussion purposes, let's assume the two vulnerabilities are independent (i.e. not caused by the same design problem or line of code), but very similar (e.g. they have identical CVSS vectors), and consider things the second vulnerability might affect:

Discoverability

The second vulnerability does not enlarge the attack surface (i.e. the area an attacker with no knowledge of the system searches to discover vulnerabilities), but it does increase the number of vulnerabilities there are to find inside that area. If each hole is discovered independently with probability p, an attacker finds at least one of two with probability 1 - (1 - p)^2, which is greater than p for any p strictly between 0 and 1. Therefore it is more likely that an attacker will find one of the vulnerabilities, and two holes are worse than one.

Mitigation costs

If two vulnerabilities allow access to the same target from the same starting state, both must be mitigated before that target is protected from that starting state; closing one leaves the other path open. Because the two are independent, there is no shared fix, so each must be mitigated separately. Therefore it costs more to prevent access to the target, and two vulnerabilities are worse than one.

Throughput

Depending on the vulnerabilities in question, the second vulnerability may allow more attackers (or more attack attempts) to hit the system simultaneously than the first one alone would. If so, two vulnerabilities would be worse than one. Attackers are rarely trying to saturate a system with attacks, though, so even if two holes are theoretically worse on this axis, they may not be measurably worse in practice.

Reachability

For reachability purposes, it does not matter how many ways the attacker can reach the target; it only matters whether the attacker can reach it. Therefore, two holes with identical CVSS vectors are not worse than one. This makes a lot of sense from the perspective of a goal-oriented attacker who already knows about the first vulnerability, but less sense from the perspective of a defender, who has to close every path.
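The three measurable arguments above (discoverability, mitigation cost, reachability) can be made concrete with a toy attack-graph model. The following is an added example, not code from the original post: it assumes a simple graph in which each edge is one exploitable vulnerability, models the "two similar holes" as two parallel edges from the attacker's starting state to the target, and uses hypothetical vulnerability identifiers (`HOLE-0`, `HOLE-1`). Reachability is a plain breadth-first search, mitigation cost is the size of the smallest set of vulnerabilities that must be removed to make the target unreachable (a brute-force minimum edge cut, fine for graphs this small), and discoverability is the probability of finding at least one of n independently discoverable holes. Throughput is not modeled.

```python
"""Toy attack-graph model for "two holes versus one" (constructed example)."""
from collections import defaultdict, deque
from itertools import combinations

START, TARGET = "outside", "target"


def build_graph(parallel_holes: int) -> dict:
    """Constructed graph: state -> list of (vulnerability_id, next_state).

    Each of the `parallel_holes` edges is an independent vulnerability with the
    same effect (same start state, same target), i.e. identical CVSS vectors.
    The HOLE-n identifiers are hypothetical placeholders, not real CVEs.
    """
    graph = defaultdict(list)
    for i in range(parallel_holes):
        graph[START].append((f"HOLE-{i}", TARGET))
    return dict(graph)


def reachable(graph: dict, start: str, target: str,
              mitigated: frozenset = frozenset()) -> bool:
    """BFS reachability, ignoring edges whose vulnerability has been mitigated."""
    seen = {start}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if state == target:
            return True
        for vuln, nxt in graph.get(state, []):
            if vuln not in mitigated and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def min_mitigations(graph: dict, start: str, target: str) -> set:
    """Smallest set of vulnerabilities whose removal cuts start off from target.

    Brute-force minimum edge cut: tries every subset in order of size, so it is
    exponential in the number of vulnerabilities and only suitable for toys.
    """
    vulns = sorted({v for edges in graph.values() for v, _ in edges})
    for size in range(len(vulns) + 1):
        for subset in combinations(vulns, size):
            if not reachable(graph, start, target, frozenset(subset)):
                return set(subset)
    return set(vulns)


def p_find_at_least_one(p_each: float, holes: int) -> float:
    """Probability that an attacker who finds each hole independently with
    probability p_each finds at least one of `holes` holes."""
    return 1.0 - (1.0 - p_each) ** holes


def compare(p_each: float = 0.1) -> dict:
    """Evaluate each argument for one hole and for two parallel holes."""
    result = {}
    for n in (1, 2):
        g = build_graph(n)
        result[n] = {
            "reachable": reachable(g, START, TARGET),
            "mitigation_cost": len(min_mitigations(g, START, TARGET)),
            "p_discovered": p_find_at_least_one(p_each, n),
        }
    return result


if __name__ == "__main__":
    for holes, r in compare().items():
        print(f"{holes} hole(s): reachable={r['reachable']}, "
              f"fixes needed={r['mitigation_cost']}, "
              f"P(attacker finds one)={r['p_discovered']:.3f}")
```

Running it shows the split the post describes: the target is reachable in both cases, so reachability alone cannot distinguish one hole from two, while the number of fixes needed and the probability of discovery both go up with the second hole. Replacing `build_graph` with a graph in which the two holes sit behind a shared chokepoint (a single downstream edge every path must cross) drops the mitigation cost back to one, which is why the post's "same target, same starting state" assumption matters.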

I may have left out some relevant philosophical issues, but for myself, I'm satisfied enough to continue thinking that two vulnerabilities are worse than one.

-- Brenda
