Wednesday, April 01, 2009

SHOULD YOU PUBLICIZE YOUR SECURITY VULNERABILITIES & BREACHES?

Many local companies experience IT security breaches and keep mum about it. A breach is a rupture, break or gap whose cause has not been determined. It can be more vividly defined as an opening or gap in the wall. Digital walls protect valuable data systems and when they are breached the repercussions are extremely costly to both individuals and companies.

When a tree falls in Mau forest it certainly makes a sound. If a section of a perimeter wall collapses it makes a sound. If there is no one around to hear the tree crashing down or the wall falling apart, then the event is not immediately registered or discovered.

What if a computer network is vulnerable or breached and no one knows about it: is it insecure? A collapsed section of a wall makes it insecure to those who know about the vulnerability. This also applies to a computer network with a security hole. If no one knows about it, that is, the vulnerability has not been discovered, then the computer network or digital wall is secure.

However if someone knows about it, then the IT system is insecure to the discoverer but secure to everyone else. If part of that perimeter wall round your residence is vulnerable and you have no knowledge about it, then that wall is secure to you. But to a robber who knows its vulnerability, it is insecure.

What if you knew that your network was vulnerable? What if you knew that part of that wall round your home was vulnerable? Would you publicize this fact?

The vulnerability exists, whether or not anyone knows about it. Keeping computer breaches and vulnerabilities secret does not guarantee your security.

An attacker can’t exploit a vulnerability he does not know about. A defender, also, cannot protect a vulnerability he does not know about.

In Information Technology, security that is based on publishing breaches and vulnerabilities is more robust. Those companies that suffer hacking attacks and keep them secret undermine the natural flow of information. Instead of fighting this flow, companies should embrace full disclosure, which ensures they end up with more security, not less.

The internet is still an insecure cyber-world, but it would have been much worse if its software vulnerabilities had been kept secret. Disclosure about its vulnerabilities has resulted in many of them being fixed.

Companies should stop sweeping their vulnerabilities and problems under the rug. They should instead embrace the full disclosure security movement. This will not only enhance their system security but also prevent those holes in their walls from being announced in blogs and newspapers.